Edit tour

Windows Analysis Report
9ISNeRdj1B.exe

Overview

General Information

Sample Name:	9ISNeRdj1B.exe
Analysis ID:	698745
MD5:	82abb3648ac3b46ce91801ae3d7bb2bc
SHA1:	52fd2d372bc658b40d87ea78d8eb3844128d022f
SHA256:	4acdef5bab397d24a91955f07803c10089bf24d570159f779284408f3a2d1141
Tags:	CyberGateexe
Infos:

Detection

Score:	37
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Sample or dropped binary is a compiled AutoHotkey binary

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to communicate with device drivers

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Entry point lies outside standard sections

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Sample file is different than original file name gathered from version info

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Uses a known web browser user agent for HTTP communication

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to launch a program with higher privileges

Potential key logger detected (key state polling based)

PE / OLE file has an invalid certificate

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to simulate mouse events

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality for read data from the clipboard

Classification

Analysis Advice

Sample searches for specific file, try point organization specific fake files to the analysis machine

Contains functionality to modify the execution of threads in other processes

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64

9ISNeRdj1B.exe (PID: 6672 cmdline: "C:\Users\user\Desktop\9ISNeRdj1B.exe" MD5: 82ABB3648AC3B46CE91801AE3D7BB2BC)

FME.exe (PID: 6736 cmdline: .\FME.exe MD5: FAF97B20932D084C24A9A8FEDBE7C411)

7zS01A5A97E.exe (PID: 6888 cmdline: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe" "C:\Users\user\AppData\Local\Temp\7zS01A5A97E MD5: B54DB15D63A62135E062D1FE6C976E48)

FME.exe (PID: 4972 cmdline: C:\Users\user\AppData\Roaming\FMEV2\FME.exe" /f "\\.\pipe\AHKANEKMCKF" "C:\Users\user\AppData\Local\Temp\7zS01A5A97E MD5: FAF97B20932D084C24A9A8FEDBE7C411)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 9ISNeRdj1B.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: 1_2_00404B47 FindFirstFileW,	1_2_00404B47
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400B8140 FindFirstFileW,FindClose,FindFirstFileW,FindClose,	2_2_00000001400B8140
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014008C940 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,wcsncpy,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,	2_2_000000014008C940
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140072F50 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	2_2_0000000140072F50
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400B8040 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00000001400B8040
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140073290 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,	2_2_0000000140073290
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140049610 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,	2_2_0000000140049610
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400738E0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,	2_2_00000001400738E0

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View

IP Address: 185.199.108.133 185.199.108.133

Source: global traffic

HTTP traffic detected: GET /HexVexRtx/FME/main/file HTTP/1.1Accept: */*Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: raw.githubusercontent.comConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: 9ISNeRdj1B.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 9ISNeRdj1B.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 9ISNeRdj1B.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: FME.exe, 00000002.00000002.348655301.00000000066F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 9ISNeRdj1B.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 9ISNeRdj1B.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 9ISNeRdj1B.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 9ISNeRdj1B.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 9ISNeRdj1B.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: 9ISNeRdj1B.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: 9ISNeRdj1B.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: 9ISNeRdj1B.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: FME.exe, FME.exe, 00000002.00000000.328286935.00000001400EC000.00000002.00000001.01000000.00000004.sdmp, FME.exe, 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmp, 7zS01A5A97E.exe, 00000004.00000002.421861033.0000000000C70000.00000002.00000001.00040000.00000009.sdmp, FME.exe, 0000000A.00000000.420472454.00000001400EC000.00000002.00000001.01000000.00000009.sdmp, FME.exe, 0000000A.00000002.433179389.00000001400EC000.00000002.00000001.01000000.00000009.sdmp, FME.exe.2.dr, FME.exe.1.dr	String found in binary or memory: https://autohotkey.com
Source: 9ISNeRdj1B.exe, 00000001.00000003.325905862.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, 9ISNeRdj1B.exe, 00000001.00000003.326101679.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, FME.exe, 00000002.00000000.328286935.00000001400EC000.00000002.00000001.01000000.00000004.sdmp, FME.exe, 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmp, 7zS01A5A97E.exe, 00000004.00000002.421861033.0000000000C70000.00000002.00000001.00040000.00000009.sdmp, FME.exe, 0000000A.00000000.420472454.00000001400EC000.00000002.00000001.01000000.00000009.sdmp, FME.exe, 0000000A.00000002.433179389.00000001400EC000.00000002.00000001.01000000.00000009.sdmp, FME.exe.2.dr, FME.exe.1.dr	String found in binary or memory: https://autohotkey.comCould
Source: FME.html.4.dr	String found in binary or memory: https://cdn.jsdelivr.net/npm/bootstrap-icons
Source: FME.html.4.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css
Source: FME.ahk.1.dr	String found in binary or memory: https://fmev2.com/download
Source: FME.exe, 00000002.00000002.348390140.0000000002980000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fmev2.com/download=
Source: bootstrap.min.css.4.dr, bootstrap.min.js.4.dr, bootstrap.bundle.min.js.4.dr	String found in binary or memory: https://getbootstrap.com/)
Source: bootstrap4-toggle.min.js.4.dr, bootstrap4-toggle.min.css.4.dr	String found in binary or memory: https://gitbrent.github.io/bootstrap4-toggle/
Source: bootstrap.min.css.4.dr, bootstrap.min.js.4.dr, bootstrap.bundle.min.js.4.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min.js.4.dr, bootstrap.bundle.min.js.4.dr	String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: FME.html.4.dr	String found in binary or memory: https://i.imgur.com/1Dw6Crz.png
Source: FME.html.4.dr	String found in binary or memory: https://i.imgur.com/9MPQS50.png
Source: FME.html.4.dr	String found in binary or memory: https://i.imgur.com/C44UliA.png
Source: FME.html.4.dr	String found in binary or memory: https://i.imgur.com/FHTgYYh.png
Source: Lang.json.4.dr	String found in binary or memory: https://i.imgur.com/QVwU6ll.png
Source: Lang.json.4.dr	String found in binary or memory: https://i.imgur.com/S4RVLev.png
Source: Lang.json.4.dr	String found in binary or memory: https://i.imgur.com/jj0hOkl.png
Source: Lang.json.4.dr	String found in binary or memory: https://i.imgur.com/lmySQj7.png
Source: FME.html.4.dr	String found in binary or memory: https://i.imgur.com/p1gosK8.png
Source: Lang.json.4.dr	String found in binary or memory: https://i.imgur.com/xbbVZDi.png
Source: FME.exe, 00000002.00000002.348152335.000000000097B000.00000004.00000020.00020000.00000000.sdmp, FME.exe, 00000002.00000003.345105923.000000000097B000.00000004.00000020.00020000.00000000.sdmp, FME.exe, 00000002.00000003.345796925.000000000097B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: FME.exe, 00000002.00000002.348152335.000000000097B000.00000004.00000020.00020000.00000000.sdmp, FME.exe, 00000002.00000003.345105923.000000000097B000.00000004.00000020.00020000.00000000.sdmp, FME.exe, 00000002.00000003.345796925.000000000097B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/
Source: 9ISNeRdj1B.exe, 00000001.00000003.324872626.00000000022E0000.00000004.00001000.00020000.00000000.sdmp, FME.exe, 00000002.00000003.346174894.000000000090E000.00000004.00000020.00020000.00000000.sdmp, FME.exe, 00000002.00000002.348080794.000000000090E000.00000004.00000020.00020000.00000000.sdmp, FME.exe, 00000002.00000002.348390140.0000000002980000.00000004.00000020.00020000.00000000.sdmp, FME.exe, 00000002.00000003.344644622.0000000004B75000.00000004.00000020.00020000.00000000.sdmp, FME.ahk.1.dr	String found in binary or memory: https://raw.githubusercontent.com/HexVexRtx/FME/main/file
Source: FME.exe, 00000002.00000002.348390140.0000000002980000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/HexVexRtx/FME/main/filefile

Source: unknown

DNS traffic detected: queries for: raw.githubusercontent.com

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_00000001400897A0 _wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,fclose,DeleteFileW,

2_2_00000001400897A0

Source: global traffic

Source: unknown

HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49706 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_0000000140007080 GetClipboardFormatNameW,GetClipboardData,

2_2_0000000140007080

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_000000014005F870 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,ReleaseDC,SelectObject,DeleteDC,DeleteObject,GetPixel,ReleaseDC,

2_2_000000014005F870

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_0000000140001B6C GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,PostMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,KillTimer,

2_2_0000000140001B6C

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_000000014001EFF0 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,BlockInput,GetForegroundWindow,GetAsyncKeyState,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,BlockInput,

2_2_000000014001EFF0

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_00000001400071A0 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard,

2_2_00000001400071A0

System Summary

Sample or dropped binary is a compiled AutoHotkey binary

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Window found: window name: AutoHotkey	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe	Window found: window name: AutoHotkey	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FMEV2\FME.exe	Window found: window name: AutoHotkey	Jump to behavior

Source: 9ISNeRdj1B.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: 1_2_0040BD85	1_2_0040BD85
Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: 1_2_00403101	1_2_00403101
Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: 1_2_00410138	1_2_00410138
Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: 1_2_004192A1	1_2_004192A1
Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: 1_2_0041937B	1_2_0041937B
Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: 1_2_00416C70	1_2_00416C70
Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: 1_2_00416536	1_2_00416536
Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: 1_2_00417EC0	1_2_00417EC0
Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: 1_2_00413ED0	1_2_00413ED0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140062010	2_2_0000000140062010
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140094340	2_2_0000000140094340
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400914B0	2_2_00000001400914B0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140028840	2_2_0000000140028840
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140029859	2_2_0000000140029859
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140005910	2_2_0000000140005910
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014002A93C	2_2_000000014002A93C
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014004EAC0	2_2_000000014004EAC0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140001B6C	2_2_0000000140001B6C
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140029D7D	2_2_0000000140029D7D
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A1EA0	2_2_00000001400A1EA0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140027EE0	2_2_0000000140027EE0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140028F80	2_2_0000000140028F80
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140137000	2_2_0000000140137000
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014001EFF0	2_2_000000014001EFF0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014004600C	2_2_000000014004600C
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400DF014	2_2_00000001400DF014
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014003D030	2_2_000000014003D030
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014008703E	2_2_000000014008703E
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140093071	2_2_0000000140093071
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014005C08C	2_2_000000014005C08C
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400EA0EC	2_2_00000001400EA0EC
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009E0F0	2_2_000000014009E0F0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A410D	2_2_00000001400A410D
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140081120	2_2_0000000140081120
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014008C130	2_2_000000014008C130
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014004C140	2_2_000000014004C140
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140095150	2_2_0000000140095150
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009A150	2_2_000000014009A150
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140071160	2_2_0000000140071160
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400DE18C	2_2_00000001400DE18C
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014006E1B0	2_2_000000014006E1B0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400681B7	2_2_00000001400681B7
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400AA1E0	2_2_00000001400AA1E0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400791F0	2_2_00000001400791F0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014007A220	2_2_000000014007A220
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014006F230	2_2_000000014006F230
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014005A24B	2_2_000000014005A24B
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400212B0	2_2_00000001400212B0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014000F2E0	2_2_000000014000F2E0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400DC2E4	2_2_00000001400DC2E4
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140037300	2_2_0000000140037300
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A130B	2_2_00000001400A130B
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A1319	2_2_00000001400A1319
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014005231B	2_2_000000014005231B
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A1324	2_2_00000001400A1324
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140067350	2_2_0000000140067350
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014006D350	2_2_000000014006D350
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014000335A	2_2_000000014000335A
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140056380	2_2_0000000140056380
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140058380	2_2_0000000140058380
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400BC390	2_2_00000001400BC390
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014005B390	2_2_000000014005B390
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400983C0	2_2_00000001400983C0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A13E0	2_2_00000001400A13E0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A13F9	2_2_00000001400A13F9
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A1401	2_2_00000001400A1401
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A1417	2_2_00000001400A1417
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A8430	2_2_00000001400A8430
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140069430	2_2_0000000140069430
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140086460	2_2_0000000140086460
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140057480	2_2_0000000140057480
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140023490	2_2_0000000140023490
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400634A0	2_2_00000001400634A0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400B34B0	2_2_00000001400B34B0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400664E0	2_2_00000001400664E0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400BA4F0	2_2_00000001400BA4F0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014006B500	2_2_000000014006B500
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140065530	2_2_0000000140065530
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014005D550	2_2_000000014005D550
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014007D560	2_2_000000014007D560
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A3590	2_2_00000001400A3590
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A75E0	2_2_00000001400A75E0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400AC630	2_2_00000001400AC630
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014005263B	2_2_000000014005263B
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A367B	2_2_00000001400A367B
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140032690	2_2_0000000140032690
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014006F6A0	2_2_000000014006F6A0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009A6AD	2_2_000000014009A6AD
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014004C6B0	2_2_000000014004C6B0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009A6BC	2_2_000000014009A6BC
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014001F6C0	2_2_000000014001F6C0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014002F6C4	2_2_000000014002F6C4
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400EA6D0	2_2_00000001400EA6D0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400466E0	2_2_00000001400466E0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009A6D8	2_2_000000014009A6D8
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009A6FA	2_2_000000014009A6FA
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140012700	2_2_0000000140012700
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009A71B	2_2_000000014009A71B
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014008A730	2_2_000000014008A730
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009A727	2_2_000000014009A727
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009A74D	2_2_000000014009A74D
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140042768	2_2_0000000140042768
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009A78E	2_2_000000014009A78E
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400C27A0	2_2_00000001400C27A0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400897A0	2_2_00000001400897A0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A47A8	2_2_00000001400A47A8
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400867D0	2_2_00000001400867D0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014006B7D0	2_2_000000014006B7D0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014005C7F5	2_2_000000014005C7F5
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140058820	2_2_0000000140058820
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014000281C	2_2_000000014000281C
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140038840	2_2_0000000140038840
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009C838	2_2_000000014009C838
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014005F870	2_2_000000014005F870
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014004F880	2_2_000000014004F880
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400B6890	2_2_00000001400B6890
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400598C0	2_2_00000001400598C0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400D28E0	2_2_00000001400D28E0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400688E0	2_2_00000001400688E0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400DA90C	2_2_00000001400DA90C
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400B8920	2_2_00000001400B8920
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014007D923	2_2_000000014007D923
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400D9944	2_2_00000001400D9944
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140064960	2_2_0000000140064960
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140071990	2_2_0000000140071990
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A39BC	2_2_00000001400A39BC
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400909C0	2_2_00000001400909C0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014004D9C0	2_2_000000014004D9C0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400759F0	2_2_00000001400759F0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014007EA10	2_2_000000014007EA10
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014006AA20	2_2_000000014006AA20
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014003EA4C	2_2_000000014003EA4C
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014004CA50	2_2_000000014004CA50
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A2A60	2_2_00000001400A2A60
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014007FA60	2_2_000000014007FA60
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014005CA64	2_2_000000014005CA64
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014005EA70	2_2_000000014005EA70
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A4A85	2_2_00000001400A4A85
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400E3AB8	2_2_00000001400E3AB8
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014007CAF0	2_2_000000014007CAF0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014008BB00	2_2_000000014008BB00
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140013B00	2_2_0000000140013B00
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140012B20	2_2_0000000140012B20
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014003FB36	2_2_000000014003FB36
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140054B50	2_2_0000000140054B50
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014004AB60	2_2_000000014004AB60
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140089B70	2_2_0000000140089B70
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140057C10	2_2_0000000140057C10
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140080C60	2_2_0000000140080C60
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014007BC60	2_2_000000014007BC60

Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: String function: 00403204 appears 37 times
Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: String function: 00418D80 appears 123 times
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: String function: 000000014004D730 appears 341 times
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: String function: 00000001400D4D80 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: String function: 00000001400D45AC appears 306 times
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: String function: 000000014004D3B0 appears 49 times

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_000000014006B700: CreateFileW,DeviceIoControl,CloseHandle,

2_2_000000014006B700

Source: 9ISNeRdj1B.exe, 00000001.00000003.325905862.0000000002A80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFME.exe( vs 9ISNeRdj1B.exe
Source: 9ISNeRdj1B.exe, 00000001.00000003.324877183.00000000021E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFME.exe( vs 9ISNeRdj1B.exe
Source: 9ISNeRdj1B.exe, 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFME.exe( vs 9ISNeRdj1B.exe
Source: 9ISNeRdj1B.exe, 00000001.00000003.326224679.0000000002BFF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFME.exe( vs 9ISNeRdj1B.exe
Source: 9ISNeRdj1B.exe	Binary or memory string: OriginalFilenameFME.exe( vs 9ISNeRdj1B.exe

Source: 9ISNeRdj1B.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FME.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FME.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FME.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FME.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FME.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FME.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FME.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FME.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FME.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FME.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7zS01A5A97E.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7zS01A5A97E.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7zS01A5A97E.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7zS01A5A97E.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7zS01A5A97E.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 9ISNeRdj1B.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\9ISNeRdj1B.exe

File read: C:\Users\user\Desktop\9ISNeRdj1B.exe

Jump to behavior

Source: 9ISNeRdj1B.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9ISNeRdj1B.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9ISNeRdj1B.exe "C:\Users\user\Desktop\9ISNeRdj1B.exe"
Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe .\FME.exe
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe" "C:\Users\user\AppData\Local\Temp\7zS01A5A97E
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe	Process created: C:\Users\user\AppData\Roaming\FMEV2\FME.exe C:\Users\user\AppData\Roaming\FMEV2\FME.exe" /f "\\.\pipe\AHKANEKMCKF" "C:\Users\user\AppData\Local\Temp\7zS01A5A97E
Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe .\FME.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe" "C:\Users\user\AppData\Local\Temp\7zS01A5A97E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe	Process created: C:\Users\user\AppData\Roaming\FMEV2\FME.exe C:\Users\user\AppData\Roaming\FMEV2\FME.exe" /f "\\.\pipe\AHKANEKMCKF" "C:\Users\user\AppData\Local\Temp\7zS01A5A97E	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

File created: C:\Users\user\AppData\Roaming\FMEV2

Jump to behavior

Source: C:\Users\user\Desktop\9ISNeRdj1B.exe

File created: C:\Users\user\AppData\Local\Temp\7zS01A5A97E

Jump to behavior

Source: classification engine

Classification label: sus37.evad.winEXE@7/21@1/1

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_000000014008D740 CLSIDFromProgID,CLSIDFromString,CLSIDFromString,CoCreateInstance,CoCreateInstance,

2_2_000000014008D740

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_000000014006B110 wcsncpy,GetDiskFreeSpaceExW,

2_2_000000014006B110

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_000000014004EAC0 CreateProcessW,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,CloseHandle,GetLastError,FormatMessageW,

2_2_000000014004EAC0

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_000000014008D240 CreateToolhelp32Snapshot,Process32FirstW,_wcstoi64,Process32NextW,Process32NextW,CloseHandle,CloseHandle,CloseHandle,

2_2_000000014008D240

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_00000001400B9160 LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,

2_2_00000001400B9160

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: 1_2_00414150 push ecx; mov dword ptr [esp], ecx	1_2_00414151
Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: 1_2_00418D80 push eax; ret	1_2_00418D9E
Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: 1_2_00418DB0 push eax; ret	1_2_00418DDE
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009E078 pushfq ; ret	2_2_000000014009E079
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014006D25C push rdi; retf	2_2_000000014006D25D
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400DD390 push rbp; iretd	2_2_00000001400DD888

Source: 9ISNeRdj1B.exe	Static PE information: section name: .sxdata
Source: FME.exe.1.dr	Static PE information: section name: text
Source: FME.exe.2.dr	Static PE information: section name: text
Source: 7zS01A5A97E.exe.2.dr	Static PE information: section name: .MPRESS1
Source: 7zS01A5A97E.exe.2.dr	Static PE information: section name: .MPRESS2

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_0000000140077CB0 GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,wcsncpy,WideCharToMultiByte,GetProcAddress,GetProcAddress,WideCharToMultiByte,GetModuleHandleW,LoadLibraryW,GetProcAddress,GetProcAddress,

2_2_0000000140077CB0

Source: initial sample

Static PE information: section where entry point is pointing to: .MPRESS2

Source: FME.exe.2.dr	Static PE information: real checksum: 0x166e9a should be: 0x1718c0
Source: 9ISNeRdj1B.exe	Static PE information: real checksum: 0x2da75 should be: 0xa7c47
Source: FME.exe.1.dr	Static PE information: real checksum: 0x166e9a should be: 0x1718c0
Source: 7zS01A5A97E.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x13de95

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File created: C:\Users\user\AppData\Roaming\FMEV2\FME.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File created: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe	Jump to dropped file
Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	File created: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A1EA0 SetWindowTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowLongW,GetWindowRect,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus,	2_2_00000001400A1EA0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A1EA0 SetWindowTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowLongW,GetWindowRect,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus,	2_2_00000001400A1EA0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009BFEF MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,	2_2_000000014009BFEF
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A1FF6 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,	2_2_00000001400A1FF6
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A2028 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,	2_2_00000001400A2028
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009C027 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,	2_2_000000014009C027
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009C036 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,	2_2_000000014009C036
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A207A ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,	2_2_00000001400A207A
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A20CC ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,	2_2_00000001400A20CC
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009E0F0 GetWindowLongW,GetWindowLongW,SetWindowPos,EnableWindow,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,GetClientRect,MulDiv,MulDiv,_wcstoi64,IsWindow,SetParent,SetWindowLongPtrW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,	2_2_000000014009E0F0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A20F7 MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,	2_2_00000001400A20F7
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014009A150 realloc,SendMessageW,MulDiv,MulDiv,realloc,realloc,realloc,realloc,realloc,realloc,realloc,realloc,realloc,realloc,realloc,realloc,COMRefPtr,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,MapWindowPoints,	2_2_000000014009A150
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400631A0 SendMessageW,IsWindowVisible,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,	2_2_00000001400631A0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400BC1B0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,	2_2_00000001400BC1B0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400BC390 GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop,	2_2_00000001400BC390
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400A8430 SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,SetFocus,SendMessageW,ShowWindow,SetFocus,InvalidateRect,MapWindowPoints,InvalidateRect,	2_2_00000001400A8430
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014005C736 IsZoomed,IsIconic,	2_2_000000014005C736
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140075790 GetTickCount,GetForegroundWindow,GetTickCount,GetWindowThreadProcessId,GetGUIThreadInfo,ClientToScreen,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_itow,	2_2_0000000140075790
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400B8800 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	2_2_00000001400B8800
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014005F870 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,ReleaseDC,SelectObject,DeleteDC,DeleteObject,GetPixel,ReleaseDC,	2_2_000000014005F870
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400AC8D0 CheckMenuItem,CheckMenuItem,GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetForegroundWindow,GetWindowThreadProcessId,SetForegroundWindow,SetForegroundWindow,TrackPopupMenuEx,PostMessageW,GetForegroundWindow,SetForegroundWindow,	2_2_00000001400AC8D0

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\FMEV2\FME.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140065530 GetLocalTime followed by cmp: cmp word ptr [rbx], cx and CTI: je 0000000140065863h		2_2_0000000140065530
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140065530 GetLocalTime followed by cmp: cmp dx, ax and CTI: je 0000000140065723h		2_2_0000000140065530

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140022480 GetKeyboardLayout followed by cmp: cmp dl, 00000019h and CTI: ja 00000001400225FDh country: Russian (ru)	2_2_0000000140022480
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014002C977 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 000000014002CBA9h country: Urdu (ur)	2_2_000000014002C977
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014002C977 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 000000014002CBA9h country: Inuktitut (iu)	2_2_000000014002C977
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014002C97F GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 000000014002CBA9h country: Urdu (ur)	2_2_000000014002C97F
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014002C97F GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 000000014002CBA9h country: Inuktitut (iu)	2_2_000000014002C97F
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014002C986 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 000000014002CBA9h country: Urdu (ur)	2_2_000000014002C986
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014002C986 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 000000014002CBA9h country: Inuktitut (iu)	2_2_000000014002C986
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014002C9AD GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 000000014002CBA9h country: Urdu (ur)	2_2_000000014002C9AD
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014002C9AD GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 000000014002CBA9h country: Inuktitut (iu)	2_2_000000014002C9AD
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014002C9D1 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 000000014002CBA9h country: Urdu (ur)	2_2_000000014002C9D1
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014002C9D1 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 000000014002CBA9h country: Inuktitut (iu)	2_2_000000014002C9D1
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014002C9F5 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 000000014002CBA9h country: Urdu (ur)	2_2_000000014002C9F5
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014002C9F5 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 000000014002CBA9h country: Inuktitut (iu)	2_2_000000014002C9F5

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

API coverage: 2.8 %

Source: C:\Users\user\Desktop\9ISNeRdj1B.exe

Code function: 1_2_00405FE9 GetSystemInfo,

1_2_00405FE9

Source: C:\Users\user\Desktop\9ISNeRdj1B.exe	Code function: 1_2_00404B47 FindFirstFileW,	1_2_00404B47
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400B8140 FindFirstFileW,FindClose,FindFirstFileW,FindClose,	2_2_00000001400B8140
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014008C940 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,wcsncpy,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,	2_2_000000014008C940
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140072F50 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	2_2_0000000140072F50
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400B8040 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00000001400B8040
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140073290 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,	2_2_0000000140073290
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140049610 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,	2_2_0000000140049610
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400738E0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,	2_2_00000001400738E0

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: FME.exe, 00000002.00000003.345532547.00000000009D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: FME.exe, 00000002.00000003.345771528.000000000095B000.00000004.00000020.00020000.00000000.sdmp, FME.exe, 00000002.00000002.348118886.000000000095B000.00000004.00000020.00020000.00000000.sdmp, FME.exe, 00000002.00000003.345006219.000000000095B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-USn
Source: FME.exe, 00000002.00000002.348152335.000000000097B000.00000004.00000020.00020000.00000000.sdmp, FME.exe, 00000002.00000003.345105923.000000000097B000.00000004.00000020.00020000.00000000.sdmp, FME.exe, 00000002.00000003.345796925.000000000097B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_00000001400DD370 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_00000001400DD370

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

2_2_0000000140077CB0

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_00000001400E50B8 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError,

2_2_00000001400E50B8

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

2_2_000000014001EFF0

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400DD370 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		2_2_00000001400DD370
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_00000001400D9438 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		2_2_00000001400D9438

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

2_2_000000014001EFF0

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

2_2_000000014004EAC0

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Process created: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe" "C:\Users\user\AppData\Local\Temp\7zS01A5A97E

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_000000014008D0E0 mouse_event,

2_2_000000014008D0E0

Source: FME.exe	Binary or memory string: Program Manager
Source: FME.exe	Binary or memory string: Shell_TrayWnd
Source: 9ISNeRdj1B.exe, 00000001.00000003.325905862.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, 9ISNeRdj1B.exe, 00000001.00000003.326101679.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, FME.exe, 00000002.00000000.328286935.00000001400EC000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: TextLEFTLRIGHTRMIDDLEMX1X2WUWDWLWR{Blind}{ClickLl{}^+!#{}RawTempASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt SYSTEM\CurrentControlSet\Control\Keyboard Layouts\Layout FileKbdLayerDescriptorsc%03Xvk%02XSCALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uStdOutAllUnreachableClassOverwriteUseEnvLocalSameAsGlobalUseUnsetGlobalUseUnsetLocalYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleMouseTimeIdleKeyboardTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSizeMBLoopFileSizeKBLoopFileSizeLoopFileShortPathLoopFileShortNameLoopFilePathLoopFileNameLoopFileLongPathLoopFileFullPathLoopFileExtLoopFileDirLoopFileAttribLoopFieldLineNumberLineFileLastErrorLanguageKeyDurationPlayKeyDurationKeyDelayPlayKeyDelayIsUnicodeIsSuspendedIsPausedIsCriticalIsCompiledIsAdminIs64bitOSIPAddress4IPAddress3IPAddress2IPAddress1IndexIconTipIconNumberIconHiddenIconFileHourGuiYGuiXGuiWidthGuiHeightGuiEventGuiControlEventFormatIntegerFormatFloatExitReasonEventInfoEndCharDesktopCommonDesktopDefaultTreeViewDefaultMouseSpeedDefaultListViewDefaultGuiDDDDDDDDDCursorCoordModeToolTipCoordModePixelCoordModeMouseCoordModeMenuCoordModeCaretControlDelayComputerNameCaretYCaretXBatchLinesAppDataCommonAppDataAhkVersionAhkPathTrueProgramFilesFalseComSpecClipboardAll...%s[%Iu of %Iu]: %-1.60s%sPropertyRegExMatch\:\:REG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264MasterSpeakersHeadphonesDigitalLineMicrophoneSynthCDTelephonePCSpeakerWaveAuxAnalogVolVolumeOnOffMuteMonoLoudnessStereoEnhBassBoostPanQSoundPanBassTrebleEqualizerRegExFASTSLOWMonitorCountMonitorPrimaryMonitorMonitorWorkAreaMonitorNameAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightShowAddRenameCheckUncheckToggleCheckEnableDisableToggleEnableStandardNoStandardColorNoDefaultDeleteAllTipIconNoIconMainWindowNoMainWindowSubmitCancelHideMinimizeMaximizeRestoreDestroyMarginFontListViewTreeViewFlashNewMoveMoveDrawFocusChooseChooseStringPosFocusVEnabledVisibleHwndNameButtonCheckboxRadioDDLDropDownListComboBoxListBoxUpDownSliderTab2Tab3GroupBoxPicPictureDateTimeMonthCalStatusBarActiveXLinkCustomPriorityInterruptNoTimersCloseWaitCloseStyleExStyleShowDropDownHideDropDownTabLeftTabRightEditPasteCheckedFindStringChoiceListLineCountCurrentLineCurrentColSelectedEjectLockUnlockLabelFileSystemFSSetLabel:SerialTypeStatusStatusCDCapacityCapTransTr
Source: FME.exe.1.dr	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_0000000140029D7D GetFileAttributesW,SetCurrentDirectoryW,GetSystemTimeAsFileTime,

2_2_0000000140029D7D

Source: C:\Users\user\Desktop\9ISNeRdj1B.exe

Code function: 1_2_00401951 GetVersionExW,

1_2_00401951

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Code function: 2_2_00000001400753B0 GetComputerNameW,GetUserNameW,

2_2_00000001400753B0

Source: FME.exe	Binary or memory string: WIN_XP
Source: FME.exe.1.dr	Binary or memory string: ?A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingleWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003%04hX0x%IxpPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkCountarraypcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCallbackFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfo
Source: FME.exe	Binary or memory string: WIN_VISTA
Source: FME.exe	Binary or memory string: WIN_7
Source: FME.exe	Binary or memory string: WIN_8
Source: FME.exe	Binary or memory string: WIN_8.1

Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_0000000140027EE0 PostThreadMessageW,Sleep,GetTickCount,GetExitCodeThread,GetTickCount,Sleep,CloseHandle,CreateMutexW,CloseHandle,CreateMutexW,CloseHandle,Shell_NotifyIconW,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,		2_2_0000000140027EE0
Source: C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe	Code function: 2_2_000000014007F840 RemoveClipboardFormatListener,ChangeClipboardChain,		2_2_000000014007F840

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	1 Exploitation for Privilege Escalation	1 Masquerading	21 Input Capture	11 System Time Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	12 Process Injection	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	21 Input Capture	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Clipboard Data	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	3 File and Directory Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	15 System Information Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
9ISNeRdj1B.exe	0%	ReversingLabs
9ISNeRdj1B.exe	3%	Virustotal	Browse
9ISNeRdj1B.exe	6%	Metadefender	Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
raw.githubusercontent.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://autohotkey.comCould	0%	URL Reputation	safe
https://raw.githubusercontent.com/HexVexRtx/FME/main/file	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/HexVexRtx/FME/main/filefile	0%	Avira URL Cloud	safe
https://gitbrent.github.io/bootstrap4-toggle/	0%	Avira URL Cloud	safe
https://fmev2.com/download	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/HexVexRtx/FME/main/file	0%	Virustotal		Browse
https://gitbrent.github.io/bootstrap4-toggle/	0%	Virustotal		Browse
https://fmev2.com/download	0%	Virustotal		Browse
https://fmev2.com/download=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
raw.githubusercontent.com	185.199.108.133	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/HexVexRtx/FME/main/file	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://fmev2.com/download	FME.ahk.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/twbs/bootstrap/graphs/contributors)	bootstrap.min.js.4.dr, bootstrap.bundle.min.js.4.dr	false		high
https://i.imgur.com/p1gosK8.png	FME.html.4.dr	false		high
https://i.imgur.com/xbbVZDi.png	Lang.json.4.dr	false		high
https://gitbrent.github.io/bootstrap4-toggle/	bootstrap4-toggle.min.js.4.dr, bootstrap4-toggle.min.css.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/HexVexRtx/FME/main/filefile	FME.exe, 00000002.00000002.348390140.0000000002980000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://autohotkey.com	FME.exe, FME.exe, 00000002.00000000.328286935.00000001400EC000.00000002.00000001.01000000.00000004.sdmp, FME.exe, 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmp, 7zS01A5A97E.exe, 00000004.00000002.421861033.0000000000C70000.00000002.00000001.00040000.00000009.sdmp, FME.exe, 0000000A.00000000.420472454.00000001400EC000.00000002.00000001.01000000.00000009.sdmp, FME.exe, 0000000A.00000002.433179389.00000001400EC000.00000002.00000001.01000000.00000009.sdmp, FME.exe.2.dr, FME.exe.1.dr	false		high
https://i.imgur.com/C44UliA.png	FME.html.4.dr	false		high
https://github.com/twbs/bootstrap/blob/master/LICENSE)	bootstrap.min.css.4.dr, bootstrap.min.js.4.dr, bootstrap.bundle.min.js.4.dr	false		high
https://i.imgur.com/S4RVLev.png	Lang.json.4.dr	false		high
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css	FME.html.4.dr	false		high
https://i.imgur.com/lmySQj7.png	Lang.json.4.dr	false		high
https://getbootstrap.com/)	bootstrap.min.css.4.dr, bootstrap.min.js.4.dr, bootstrap.bundle.min.js.4.dr	false		high
https://i.imgur.com/QVwU6ll.png	Lang.json.4.dr	false		high
https://i.imgur.com/9MPQS50.png	FME.html.4.dr	false		high
https://autohotkey.comCould	9ISNeRdj1B.exe, 00000001.00000003.325905862.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, 9ISNeRdj1B.exe, 00000001.00000003.326101679.0000000002B00000.00000004.00001000.00020000.00000000.sdmp, FME.exe, 00000002.00000000.328286935.00000001400EC000.00000002.00000001.01000000.00000004.sdmp, FME.exe, 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmp, 7zS01A5A97E.exe, 00000004.00000002.421861033.0000000000C70000.00000002.00000001.00040000.00000009.sdmp, FME.exe, 0000000A.00000000.420472454.00000001400EC000.00000002.00000001.01000000.00000009.sdmp, FME.exe, 0000000A.00000002.433179389.00000001400EC000.00000002.00000001.01000000.00000009.sdmp, FME.exe.2.dr, FME.exe.1.dr	false	URL Reputation: safe	unknown
https://i.imgur.com/1Dw6Crz.png	FME.html.4.dr	false		high
https://i.imgur.com/jj0hOkl.png	Lang.json.4.dr	false		high
https://raw.githubusercontent.com/	FME.exe, 00000002.00000002.348152335.000000000097B000.00000004.00000020.00020000.00000000.sdmp, FME.exe, 00000002.00000003.345105923.000000000097B000.00000004.00000020.00020000.00000000.sdmp, FME.exe, 00000002.00000003.345796925.000000000097B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.jsdelivr.net/npm/bootstrap-icons	FME.html.4.dr	false		high
https://fmev2.com/download=	FME.exe, 00000002.00000002.348390140.0000000002980000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://i.imgur.com/FHTgYYh.png	FME.html.4.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.199.108.133	raw.githubusercontent.com	Netherlands		54113	FASTLYUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	698745
Start date and time:	2022-09-07 11:39:52 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	9ISNeRdj1B.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus37.evad.winEXE@7/21@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 44.3% (good quality ratio 33.2%) Quality average: 66.2% Quality standard deviation: 42.2%
HCA Information:	Successful, ratio: 89% Number of executed functions: 259 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:40:58	API Interceptor	2x Sleep call for process: FME.exe modified
11:41:15	API Interceptor	1x Sleep call for process: 7zS01A5A97E.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.199.108.133	lMgQ4nF2eQ.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	http://trk.emailforyou.co.uk/f/a/PRsUsy_EnsYXd-ZlKecX3Q~~/AAAq-gA~/RgRk8FfIP0RYaHR0cHM6Ly9jbGljay5lbWFpbGZvcnlvdS5jby51ay9nYS93ZWJ2aWV3cy80LTIwNDgwMjA5My01Ny05MzYyNC05MzMyMS0xODMwNDEtdTM2ZDU2NDNhZFcFc3BjZXVCCmMDSCQPY8RnWCVSEnNiYWxtZUB2aWN0cmV4LmNvbVgEAAAACA~~	Get hash	malicious	Browse
	http://trk.emailforyou.co.uk/f/a/INVh4FxQhrGSIbQ4TfeXIg~~/AAAq-gA~/RgRk8FfIP0RlaHR0cHM6Ly9jbGljay5lbWFpbGZvcnlvdS5jby51ay9nYS91bnN1YnNjcmliZS8yLTIwNDgwMjA5My01Ny05MzYyNC0xODMwNDEtMTNiYjIzNzk1N2I3NDZjLXRkOGIzNzM2NTFXBXNwY2V1QgpjA0gkD2PEZ1glUhJzYmFsbWVAdmljdHJleC5jb21YBAAAAAg~	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	SMBwexMaq6.exe	Get hash	malicious	Browse
	2thhIvD383	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	sde.bin.exe	Get hash	malicious	Browse
	S2VMK4RNcO.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	gebH82z5Gr.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	96haJeGmFx.exe	Get hash	malicious	Browse
	8WTIa67KVt.exe	Get hash	malicious	Browse
	9TGGG0tG4g.exe	Get hash	malicious	Browse
	H2JsAutjjx.exe	Get hash	malicious	Browse
	iDwLv623Rq.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
raw.githubusercontent.com	bxTFPq9z5z.exe	Get hash	malicious	Browse	185.199.108.133
	yzF9ZsagE6.exe	Get hash	malicious	Browse	185.199.111.133
	lMgQ4nF2eQ.exe	Get hash	malicious	Browse	185.199.108.133
	file.exe	Get hash	malicious	Browse	185.199.110.133
	file.exe	Get hash	malicious	Browse	185.199.108.133
	31Cv4Bop3a.exe	Get hash	malicious	Browse	185.199.111.133
	file.exe	Get hash	malicious	Browse	185.199.111.133
	http://trk.emailforyou.co.uk/f/a/PRsUsy_EnsYXd-ZlKecX3Q~~/AAAq-gA~/RgRk8FfIP0RYaHR0cHM6Ly9jbGljay5lbWFpbGZvcnlvdS5jby51ay9nYS93ZWJ2aWV3cy80LTIwNDgwMjA5My01Ny05MzYyNC05MzMyMS0xODMwNDEtdTM2ZDU2NDNhZFcFc3BjZXVCCmMDSCQPY8RnWCVSEnNiYWxtZUB2aWN0cmV4LmNvbVgEAAAACA~~	Get hash	malicious	Browse	185.199.108.133
	http://trk.emailforyou.co.uk/f/a/INVh4FxQhrGSIbQ4TfeXIg~~/AAAq-gA~/RgRk8FfIP0RlaHR0cHM6Ly9jbGljay5lbWFpbGZvcnlvdS5jby51ay9nYS91bnN1YnNjcmliZS8yLTIwNDgwMjA5My01Ny05MzYyNC0xODMwNDEtMTNiYjIzNzk1N2I3NDZjLXRkOGIzNzM2NTFXBXNwY2V1QgpjA0gkD2PEZ1glUhJzYmFsbWVAdmljdHJleC5jb21YBAAAAAg~	Get hash	malicious	Browse	185.199.108.133
	file.exe	Get hash	malicious	Browse	185.199.109.133
	file.exe	Get hash	malicious	Browse	185.199.110.133
	file.exe	Get hash	malicious	Browse	185.199.108.133
	file.exe	Get hash	malicious	Browse	185.199.108.133
	SMBwexMaq6.exe	Get hash	malicious	Browse	185.199.108.133
	SecuriteInfo.com.Trojan.DownLoader45.9818.8758.2030.exe	Get hash	malicious	Browse	185.199.110.133
	mMrCoRSCwu.exe	Get hash	malicious	Browse	185.199.111.133
	sde.bin.exe	Get hash	malicious	Browse	185.199.108.133
	OQGwFw5t6Z.exe	Get hash	malicious	Browse	185.199.111.133
	file.exe	Get hash	malicious	Browse	185.199.110.133
	file.exe	Get hash	malicious	Browse	185.199.108.133

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FASTLYUS	https://www.myreniwn.com/free/user77/main/?=523	Get hash	malicious	Browse	199.232.192.134
	Packing list.exe	Get hash	malicious	Browse	185.199.109.153
	ZcEpn8t762.elf	Get hash	malicious	Browse	151.101.95.245
	https://attorneyshapirocom-my.sharepoint.com/:o:/g/personal/iris_attorneyshapiro_com/EteTDh2HTiNEt0u8X68gj5kBGlqayzzNawUxG_BorhhWQA?e=5%3aZhYoju&at=9	Get hash	malicious	Browse	151.101.0.119
	https://www.evernote.com/shard/s451/sh/f1988a22-f6d3-5b33-a7e4-5207e0672f15/6936cc012a71beef4f359b3ad762ac73	Get hash	malicious	Browse	151.101.2.132
	https://www.evernote.com/shard/s473/sh/c325f586-28b3-efe2-af53-36593398a708/b8e3cfaf0f6740de7578dfb082d3ad22	Get hash	malicious	Browse	151.101.2.132
	MSG872647.html	Get hash	malicious	Browse	185.199.111.153
	http://document-pdf-fileshare.squarespace.com/	Get hash	malicious	Browse	151.101.0.238
	e-Fax-Jebrown-#1317-pdf.htm	Get hash	malicious	Browse	151.101.112.193
	lMgQ4nF2eQ.exe	Get hash	malicious	Browse	185.199.108.133
	https://tinyurl4.ru/u943896988/	Get hash	malicious	Browse	151.101.112.193
	www.files.sharepoint.zehndergroup.com.html	Get hash	malicious	Browse	185.199.111.153
	https://779425.selcdn.ru/pdf/pdfindexfile.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp#haitham.m2@adcb.com	Get hash	malicious	Browse	151.101.12.193
	https://protect-za.mimecast.com/s/OGADCj2JJZFAJVnQiWqwfH?domain=systemserveradim.square.site	Get hash	malicious	Browse	199.232.136.157
	file.exe	Get hash	malicious	Browse	185.199.108.133
	Facture.html	Get hash	malicious	Browse	151.101.1.46
	kjdv#U007e200098xs373653678-09387653689ss.jar	Get hash	malicious	Browse	199.232.192.209
	31Cv4Bop3a.exe	Get hash	malicious	Browse	185.199.111.133
	http://trk.emailforyou.co.uk/f/a/PRsUsy_EnsYXd-ZlKecX3Q~~/AAAq-gA~/RgRk8FfIP0RYaHR0cHM6Ly9jbGljay5lbWFpbGZvcnlvdS5jby51ay9nYS93ZWJ2aWV3cy80LTIwNDgwMjA5My01Ny05MzYyNC05MzMyMS0xODMwNDEtdTM2ZDU2NDNhZFcFc3BjZXVCCmMDSCQPY8RnWCVSEnNiYWxtZUB2aWN0cmV4LmNvbVgEAAAACA~~	Get hash	malicious	Browse	185.199.108.133
	http://trk.emailforyou.co.uk/f/a/INVh4FxQhrGSIbQ4TfeXIg~~/AAAq-gA~/RgRk8FfIP0RlaHR0cHM6Ly9jbGljay5lbWFpbGZvcnlvdS5jby51ay9nYS91bnN1YnNjcmliZS8yLTIwNDgwMjA5My01Ny05MzYyNC0xODMwNDEtMTNiYjIzNzk1N2I3NDZjLXRkOGIzNzM2NTFXBXNwY2V1QgpjA0gkD2PEZ1glUhJzYmFsbWVAdmljdHJleC5jb21YBAAAAAg~	Get hash	malicious	Browse	185.199.108.133

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	ZfPVVuhqJf.exe	Get hash	malicious	Browse	185.199.108.133
	E05aJ3kF91.exe	Get hash	malicious	Browse	185.199.108.133
	42bnpLYWAB.exe	Get hash	malicious	Browse	185.199.108.133
	file.exe	Get hash	malicious	Browse	185.199.108.133
	d7bFjaBBwe.exe	Get hash	malicious	Browse	185.199.108.133
	yktzSEzXYb.exe	Get hash	malicious	Browse	185.199.108.133
	Doe2uM0Sqy.exe	Get hash	malicious	Browse	185.199.108.133
	c8ZvXFZaDm.exe	Get hash	malicious	Browse	185.199.108.133
	yktzSEzXYb.exe	Get hash	malicious	Browse	185.199.108.133
	Doe2uM0Sqy.exe	Get hash	malicious	Browse	185.199.108.133
	OeAv1d0yd4.exe	Get hash	malicious	Browse	185.199.108.133
	pQQr8GlT2V.exe	Get hash	malicious	Browse	185.199.108.133
	VS63Hzi3Nw.exe	Get hash	malicious	Browse	185.199.108.133
	4tLY2R2bBj.exe	Get hash	malicious	Browse	185.199.108.133
	Payment_Receipt_29August.js	Get hash	malicious	Browse	185.199.108.133
	xsUoc0yOzp.exe	Get hash	malicious	Browse	185.199.108.133
	Payment_Receipt_29August.js	Get hash	malicious	Browse	185.199.108.133
	AWB_310479442.pdf.htm9765345675433.exe	Get hash	malicious	Browse	185.199.108.133
	DJXfd6v4Nc.exe	Get hash	malicious	Browse	185.199.108.133
	LyNOVvHr1g.exe	Get hash	malicious	Browse	185.199.108.133

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\file[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe
File Type:	data
Category:	dropped
Size (bytes):	1280160
Entropy (8bit):	7.999860229481179
Encrypted:	true
SSDEEP:	24576:Nuaa7qNDDgpzsk4OQYJIB+GJgMmxMTSNx3zjB8ShuxsF8iY:dQBskkYJIBBmxMTSP3hjhuxKY
MD5:	7CA945D0DDA3BD9AE58F2299FF4B4777
SHA1:	708B17203C6ADFA657CC7C0DFACC506F02A74D3C
SHA-256:	E08601BE80508225001DC527F8F1BA9E600EFFD3F571C17166963DA77859C0A5
SHA-512:	D53C027B4C1327C15CF3E3F32252A41BB32645772E68C5E46F9637150898D637695C37503BC3ECC7BE6FBAE1BAEFDEB83A47D3ABEBDB6639372B4F7B111BFA12
Malicious:	false
Reputation:	low
Preview:	..[...%....%.Q.".pF............Q^...'..[63b]m..R.../NZ..(x[](KTO4...O>.X..n......\|p4HC.i<..?..T.....X....#..GT7...t`......C........To.7...^.}.P..2....=.F.5D...B.t..S..X.+.q...w.w-..my.e..T.V......I.f>..........z "\....[.......w.<.\p...F!.....Of..p.../.d...k8.oe~.+...m.....:. .5,.Z~7<...k....]M..?..k...g.......+*;}......om..}.^2.1&.<`...\|....X.Y..sI....0....D.!Qi....W.$}....{...u#..!.\|.;.....M....e..y]!.sH..(..v].T........K..cz.Yt...g......7\C...Q6O....V.B.<..')..........c..g..h..>..d...i^g..`u+......w....D......M."...+.".J..g.rU.....X?..P.r.Z..DwcQb......o~....FP.=.1....T.....y<T.NQd..}k.a.~\|.....-xcL.id...3u.I.m.....o{xW...i...-.3..2}o.S.<PH..o..c.J.+..d.....>...]..F.Z.H.\s.9%.}....M.G.os.t.M....R..4.G..3...<.K...r=..R:...h.#.......j.2arZ.W_..3....G...L.a5......1...p.....ei. .9.."...7$..&....}......@.....hq..7......+.........6..L...y.A.[R.i\.9r.(M.~...V..j...b.L.Kk.721..eM32.[..._..I....#.....;<...0........u.ay...l...`.....I.+

C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe
File Type:	MS-DOS executable, MZ for MS-DOS
Category:	dropped
Size (bytes):	1280144
Entropy (8bit):	7.73369070728044
Encrypted:	false
SSDEEP:	24576:8wWrkkwbaawk3fNstVJrij1ipgh/r75d4vbA8tjelok2KL4hw80l09s:Lb3fArrij1Mghj75dGZt42XwvN
MD5:	B54DB15D63A62135E062D1FE6C976E48
SHA1:	B5C953EB6B587B0C4754C3913941ECD20A9ED634
SHA-256:	76881D20515D3D80564C7A9B929478183A6FE1A18324A549A330D69F9CA829E3
SHA-512:	51B8AB9753D144760BCC2A76F9283B6B92D105E3EA25DBA9FD11C3DA3CAED2C7154CD633F83C0D6F3B48327F3DC2F11767CE139D0FE1B992A3CF2919FCDB037F
Malicious:	true
Reputation:	low
Preview:	MZ@.....................................!..L.!Win64 .EXE...$@...PE..d...1..b..........#............................@.............................0................@.........................................................t........y...J...>..........................................................,................................MPRESS1.................................MPRESS2.................................rsrc...t...........................@..............................................................v2.19.. ... .. ...7......4.d.6._.\".o`A....^:A..b.@..Ty="7..Mx..3<9<...pz6k. ?g,2..i...Z?r...&!..#.1..J.Z.P...G.LO..A..w..\.%;.Oa.m.MP..@%.v..9..0\|..IO..{>h.....K.-S?.#1....#.A"v..$@.#HZ..Z.+^Z....L..q....v..qBi..a.L..Oh......n....$.....zuX..._X.......2...d.6..<.4..\|"..p...2Yq...1.vcE..{q._t...Y[..\W....9.X.1..h.sB...AM......uv.E/.+J.%.`c...v.....j"(_...~'..:...RNK..B..........z.r0F..e......ih..{..$N.~B.)..Zf$Bu...Fwk.@.)E".R..Wr..+6....U.\|..=.}...4.,.N...X..p.*.....$..W.8

C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.ahk

Download File

Process:	C:\Users\user\Desktop\9ISNeRdj1B.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3902
Entropy (8bit):	5.447830086348814
Encrypted:	false
SSDEEP:	96:Vpu6p8bjn1zt2Fhc//qYnHsANaDlY6RlztItlWfl/S:Vp1uHn1RmQSsHsA2TrJI/W96
MD5:	8FE87B732781C30E1F207307D691CB5B
SHA1:	BC2D9D8D13A057B906B21B5FF972DB62F50D178B
SHA-256:	428B1158B162D0C1D964363F2161CD27E88C778529346ABD3362074CA1EBBE0A
SHA-512:	C81EDB9F06996E1EFD855AB5AC16317F102B4C134714F6C9FFE09252B31ADE282FC1327287CFC975972D2F7F38D9764F715E4A34BD289320AD487E2C38C5B192
Malicious:	false
Reputation:	low
Preview:	.#NoEnv..#ErrorStdOut..#Persistent..#NoTrayIcon..Critical , On..SplitPath A_ScriptFullPath,, dir..SplitPath dir, dir..dir := dir ".exe"..FileDelete, %A_ScriptFullPath%..Gui, -Caption..Gui Color , 0x000000..Gui Font, s9 Bold c0xffffff, Arial..Gui Add, Text, x0 y20 w200 h14 +Center +BackGroundTrans +0x200 , Loading..Gui Font..Gui, Show, W200 H55, FME..FileCreateDir, % A_AppData "\FMEV2"..FileSetAttrib, +SH, FME.exe..FileCopy, FME.exe, % A_AppData "\FMEV2\FME.exe" , 1..if ErrorLevel..{...Gui, Destroy...SetTimer , CloseWindow , -10000...MsgBox, 262144, FME, Failed to start FME! Reason :`n`n- FME is already running`n- Required launch as administrator`n`nIf you are still getting this message, contact the developer!...ExitApp..}..DMsxml("https://raw.githubusercontent.com/HexVexRtx/FME/main/file", "file")..o("file", dir, "githubusercontent")..FileSetAttrib, +SH, %dir%..try..Run(dir)..catch..{...MsgBox, 262144, Launch error, Failed to launch FME`n`nTry disable your antivirus and try again`nLa

C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Download File

Process:	C:\Users\user\Desktop\9ISNeRdj1B.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1448592
Entropy (8bit):	6.326526566641
Encrypted:	false
SSDEEP:	24576:nrPOGKXvYw4NrMiCFhSLXz5KU6IcBQpPsWe+esczH2O5+hbPL1UeAVslvqhiU:nrPOGKfYw4NrMiqhSLXz5KU6IcBQpUWc
MD5:	FAF97B20932D084C24A9A8FEDBE7C411
SHA1:	916450CC9F7849D473FF43D2EFCB407B91CD1032
SHA-256:	B4315573D40C93F155EB468CA03CAF7C6BF9C86F58C3856AFA7069BD23DBE684
SHA-512:	C089447D455D5A157DF565F1D2F0CE279927F1F0DC0C4F0C596B3369EBE7177AEE90D8BF490384D1DCDFDE048CB12B3D68213FD5F920A5CC3A702F7DC0FDD7F2
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-..i...i...i.....a.h...r.R.\...r.S....`.z.o...`.~.h...`.j.t...i.......r.g.~...r.V.B...r.c.h...r.d.h...Richi...........................PE..d.....*a..........#.................4..........@.....................................n........@.................................................,...............T........>..............................................................H............................text............................... ..`.rdata...A.......B..................@..@.data............R..................@....pdata..T............B..............@..@text.....%...p...&..................@.. data.....n.......p..................@..@.rsrc................Z..............@..@................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS01A5A97E\file

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe
File Type:	data
Category:	dropped
Size (bytes):	1280160
Entropy (8bit):	7.999860229481179
Encrypted:	true
SSDEEP:	24576:Nuaa7qNDDgpzsk4OQYJIB+GJgMmxMTSNx3zjB8ShuxsF8iY:dQBskkYJIBBmxMTSP3hjhuxKY
MD5:	7CA945D0DDA3BD9AE58F2299FF4B4777
SHA1:	708B17203C6ADFA657CC7C0DFACC506F02A74D3C
SHA-256:	E08601BE80508225001DC527F8F1BA9E600EFFD3F571C17166963DA77859C0A5
SHA-512:	D53C027B4C1327C15CF3E3F32252A41BB32645772E68C5E46F9637150898D637695C37503BC3ECC7BE6FBAE1BAEFDEB83A47D3ABEBDB6639372B4F7B111BFA12
Malicious:	false
Reputation:	low
Preview:	..[...%....%.Q.".pF............Q^...'..[63b]m..R.../NZ..(x[](KTO4...O>.X..n......\|p4HC.i<..?..T.....X....#..GT7...t`......C........To.7...^.}.P..2....=.F.5D...B.t..S..X.+.q...w.w-..my.e..T.V......I.f>..........z "\....[.......w.<.\p...F!.....Of..p.../.d...k8.oe~.+...m.....:. .5,.Z~7<...k....]M..?..k...g.......+*;}......om..}.^2.1&.<`...\|....X.Y..sI....0....D.!Qi....W.$}....{...u#..!.\|.;.....M....e..y]!.sH..(..v].T........K..cz.Yt...g......7\C...Q6O....V.B.<..')..........c..g..h..>..d...i^g..`u+......w....D......M."...+.".J..g.rU.....X?..P.r.Z..DwcQb......o~....FP.=.1....T.....y<T.NQd..}k.a.~\|.....-xcL.id...3u.I.m.....o{xW...i...-.3..2}o.S.<PH..o..c.J.+..d.....>...]..F.Z.H.\s.9%.}....M.G.os.t.M....R..4.G..3...<.K...r=..R:...h.#.......j.2arZ.W_..3....G...L.a5......1...p.....ei. .9.."...7$..&....}......@.....hq..7......+.........6..L...y.A.[R.i\.9r.(M.~...V..j...b.L.Kk.721..eM32.[..._..I....#.....;<...0........u.ay...l...`.....I.+

C:\Users\user\AppData\Roaming\FMEV2\FME.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1448592
Entropy (8bit):	6.326526566641
Encrypted:	false
SSDEEP:	24576:nrPOGKXvYw4NrMiCFhSLXz5KU6IcBQpPsWe+esczH2O5+hbPL1UeAVslvqhiU:nrPOGKfYw4NrMiqhSLXz5KU6IcBQpUWc
MD5:	FAF97B20932D084C24A9A8FEDBE7C411
SHA1:	916450CC9F7849D473FF43D2EFCB407B91CD1032
SHA-256:	B4315573D40C93F155EB468CA03CAF7C6BF9C86F58C3856AFA7069BD23DBE684
SHA-512:	C089447D455D5A157DF565F1D2F0CE279927F1F0DC0C4F0C596B3369EBE7177AEE90D8BF490384D1DCDFDE048CB12B3D68213FD5F920A5CC3A702F7DC0FDD7F2
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-..i...i...i.....a.h...r.R.\...r.S....`.z.o...`.~.h...`.j.t...i.......r.g.~...r.V.B...r.c.h...r.d.h...Richi...........................PE..d.....*a..........#.................4..........@.....................................n........@.................................................,...............T........>..............................................................H............................text............................... ..`.rdata...A.......B..................@..@.data............R..................@....pdata..T............B..............@..@text.....%...p...&..................@.. data.....n.......p..................@..@.rsrc................Z..............@..@................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\FMEV2\FME.html

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	157234
Entropy (8bit):	4.153019053418593
Encrypted:	false
SSDEEP:	768:zZKaFsfC/zEwwjl2TrTV4DvgKFXKaxxfxxzII0IIzBblkQKg42GDsyDy:3wTjlqrTcg8KaxxfxxzII0IIFlDKNE
MD5:	BA6E6DFAE39E9026F5D6E0AADD7D7CB4
SHA1:	462F7668FC2A9891F3BE7885AD635DBE38D5441C
SHA-256:	3EA4B3159BCFA16E9FCDC25FBFBA66E339B1DF2790F480FB09740F98C1174E98
SHA-512:	6F6CADC7E30BEDFF582818FD5C0413986813E08F303FA7A6CB3C7EDB8C8A610DEE6EFB28C356E3CDEB730A2B37DB36EC6F6F0E6A84B4A067C01DBBBFF763ACCE
Malicious:	false
Reputation:	low
Preview:	.<!DOCTYPE html>..<html>.. <head>.. <title>Fortnite Macros Editor V2</title>.. <meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta charset="UTF-8">.. <script src="jquery.min.js"></script>.. <script src="bootstrap.bundle.min.js"></script>.. <script src="bootstrap4-toggle.min.js"></script>.. <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.5.0/font/bootstrap-icons.css">.. <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css">.. <link href="bootstrap.min.css" rel="stylesheet">.. <link href="bootstrap4-toggle.min.css" rel="stylesheet">.. <link rel="stylesheet" href="style.css">.. </head>.. <body class="d-flex flex-column" ondragstart="return false;" ondrop="return false;">.. <header>.. <div class="d-flex align-items-stretch bg-dark text-white">.. <span class="flex-grow-1 px-2 py-1" id="FME" onmousedown="FME.DragTitleB

C:\Users\user\AppData\Roaming\FMEV2\FME.jpg

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 782x440, frames 3
Category:	dropped
Size (bytes):	86774
Entropy (8bit):	7.990222312970531
Encrypted:	true
SSDEEP:	1536:h15KJF1voPJiMzjMbBDuRZk6kPlR2En/nxW3OXzgk2LxLJc8yvhi5:h15KNgcMvKBuRZkvNEqnQKMLRhmS
MD5:	6B17AC41D7712A784842BD534556A878
SHA1:	1C10E1C22F97E90DB1326E8DE9D8978DB0E92991
SHA-256:	F7D82603DCBF6E3D1B2D7E2C5741026B00B0562DCB0E25D50ED20CEF14A2FEFE
SHA-512:	73056A0FD83952C38B1BD80B121F732778CA4D411FA629B13541D992133A68520871BE39931FBE04C24B73E4E84EDFADBB55A5AA2454C52E02DA9EF7337FAD36
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C....................................................................C............................................................................"..................................................................................u.HS.!D.Q}g..Hq.d.j...X..q....)LN=Tq.e..P...sTV[...4b3...i.@....`..g&......w.....c7.... ....p...?8.VG.z%...Y....Cev...\...\.....3.....W[..0G......5\..)..;.~...l..+.....MW.........Ga..r.T.....]z&./....Q+X[b.......MI...7"..<q.$..._..".q.u.K...tT.>.\5..O....i.......QB7-.i...B.l..)..EE.%,.A%.....l0.[q...u..L.G.K..\|.g .......J0...7.!.9.....].....Q.N.K....:(.I-f....+.6.^[2D..jD.S5......`.1.Gm.1.Z_...]..[+..s...5t9.9...G....e......UX.0.........Bj.j....9f.oPO.=...A..."...K:......f....O9.Y.PN...R.......8\|..m$....:.B......2...D..{.~..a...7........\..L(d..].N$...I!....+..o..=v..y...`....K1P...6...........]#N~...=}!..V..y....{G........O...s)(....e..5_e.l...m.j.P....U. .y..s.......C..1!..f...k6..!.d..Y.=.s

C:\Users\user\AppData\Roaming\FMEV2\FME.json

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	8117
Entropy (8bit):	3.779612291313725
Encrypted:	false
SSDEEP:	96:A0D+pDcr+DcrzVDDrPerWDcr6OPp0Wp3DcrH7uDcrlpFDcrzQ1XDyEh/Tm1pqFDu:HctKVLerWm2WlIigLBzyh1EFUfoGhd
MD5:	9EE6DBEAE32CED31E75E3D9F09C1010C
SHA1:	2D779CF8E32E715FE3503AB57ABF3FBE94121415
SHA-256:	5692B512D70F9B40505918FA2FC0FE7D4277142C2E3C4AA27189962EA542AB2A
SHA-512:	2486ABC176F75301AA3BE55B6508DD8D0DF8C44181EBA67A874D3AE11213D7CDC1172ACED9FC52A1F895C484EF557ADD4441033654A1A7B33A234D308B243596
Malicious:	false
Reputation:	low
Preview:	{.. "FME": {.. "Bonus": {.. "AutoBuild": {.. "State": 0,.. "WorkingSlots": {.. "Floor": 1,.. "Pyramid": 1,.. "Stairs": 1,.. "Trap": 1,.. "Wall": 1.. }.. },.. "Bunnyhop": {.. "Key": "Jump",.. "Settings": {.. "Default": {.. "BunnyhopDelay": 10,.. "BunnyhopTrap": [].. }.. },.. "State": 0,.. "WorkingSlots": {.. "Floor": 1,.. "PickAxe": 1,.. "Pyramid": 1,.. "Slot1": 1,.. "Slot2": 1,.. "Slot3": 1,.. "Slot4": 1,.. "Slot5": 1,.. "Stairs": 1,.. "Trap": 1,.. "Wall": 1.. }.. },.. "Clicker": {.. "Key": "Fire",.. "Settings": {.. "Default": {.. "ClickerDelay": 10.. }.. },.. "State": 0,.. "WorkingSlots": {.. "Floor": 1,.. "PickAxe": 1,.. "P

C:\Users\user\AppData\Roaming\FMEV2\Lang.json

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	83718
Entropy (8bit):	3.9701251789832823
Encrypted:	false
SSDEEP:	1536:QWtIbYBZKbMSE9ZKbMGegc5VTNPriHS7/WmLzKub71jjoZLReN:UbWZKbMSE9ZKbMGJcrZPOWfjb71jUTa
MD5:	B1B5E18E249C4589C0BC168F43A3255B
SHA1:	0DBA775EE1F979FB50398FC3FBC26E62F952C21C
SHA-256:	6EDC22B1D71621F7D2B49B50EED1ED6D5FE3C2F88A600A34FFF3B18D7F3E0C76
SHA-512:	301438B467BD3FFBDE5B2465A2732AA16F75238B80695073FDE8BA20CD83838CD41C5A4163EDFE5BCE3C3AC0250C8F558EF831FEC9BDB154BD39679F288A2C04
Malicious:	false
Reputation:	low
Preview:	..{..... . .".E.N.G.".:. .{..... . . . .".M.a.i.n.".:. .{..... . . . . . ."...y.e.s.-.n.o.".:. .[..... . . . . . . . .".s.w.i.t.c.h.".,..... . . . . . . . .".Y.e.s.".,..... . . . . . . . .".N.o."..... . . . . . .].,..... . . . . . ."...r.e.t.a.k.e.m.o.d.e.".:. .[..... . . . . . . . .".s.w.i.t.c.h.".,..... . . . . . . . .".A.u.t.o.".,..... . . . . . . . .".D.e.f.a.u.l.t."..... . . . . . .].,..... . . . . . ."...e.n.a.b.l.e.d.-.d.i.s.a.b.l.e.d.".:. .[..... . . . . . . . .".s.w.i.t.c.h.".,..... . . . . . . . .".E.n.a.b.l.e.d.".,..... . . . . . . . .".D.i.s.a.b.l.e.d."..... . . . . . .].,..... . . . . . ."...h.o.l.d.-.a.u.t.o.".:. .[..... . . . . . . . .".s.w.i.t.c.h.".,..... . . . . . . . .".H.o.l.d.".,..... . . . . . . . .".A.u.t.o."..... . . . . . .].,..... . . . . . ."...A.c.t.i.v.e.S.l.o.t.s.".:. .".A.c.t.i.v.e. .S.l.o.t.s.".,..... . . . . . ."...k.i.n.p.u.t.".:. .[..... . . . . . . . .".p.l.a.c.e.h.o.l.d.e.r.".,..... . . . . . . . .".N.o.n.e."..... . . . . . .].,..... . . . . . .".#.

C:\Users\user\AppData\Roaming\FMEV2\bootstrap.bundle.min.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	78641
Entropy (8bit):	5.2646136588317844
Encrypted:	false
SSDEEP:	768:BUYDXypxHVIg3Xeh2p0NH04UX+TG9qTXAdQ+fZMQnOwkqUNFJUIU7lW0+YVxiM+F:BUYeHqTEZChY223CzWpV0ea7IM
MD5:	B41FE9374205BD087A4D4F0AB5A195BE
SHA1:	FF398162CF8CBDBAA30110512524ECCE2CA040BE
SHA-256:	5D97E438677A16E845F3C8791A0126448A576E6FA1064168EF8C980CF639ADBC
SHA-512:	5EA6FB309C0D1B03F13AFE2BDA21BDECFFF3F7A43F0A3AAF5172D0BD978DFED41C9EDE4C8A3440EC1C654D13CFB6BE230180602DC49338450BB7D2A9A1226C86
Malicious:	false
Reputation:	low
Preview:	/!.. Bootstrap v4.3.1 (https://getbootstrap.com/).. * Copyright 2011-2019 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors).. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE).. */..!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports,require("jquery")):"function"==typeof define&&define.amd?define(["exports","jquery"],e):e((t=t\|\|self).bootstrap={},t.jQuery)}(this,function(t,p){"use strict";function i(t,e){for(var n=0;n<e.length;n++){var i=e[n];i.enumerable=i.enumerable\|\|!1,i.configurable=!0,"value"in i&&(i.writable=!0),Object.defineProperty(t,i.key,i)}}function s(t,e,n){return e&&i(t.prototype,e),n&&i(t,n),t}function l(o){for(var t=1;t<arguments.length;t++){var r=null!=arguments[t]?arguments[t]:{},e=Object.keys(r);"function"==typeof Object.getOwnPropertySymbols&&(e=e.concat(Object.getOwnPropertySymbols(r).filter(function(t){return Object.getOwnPropertyDescriptor(r,t).enumerable}))),e.forEach(function

C:\Users\user\AppData\Roaming\FMEV2\bootstrap.min.css

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	200244
Entropy (8bit):	4.940871685355487
Encrypted:	false
SSDEEP:	1536:sOUqIYGPNMOEmPvr2JBFR+gnOWofMIQ2MAESt8gMc1/Eopd01FWkpV51k/NL6ANY:2qRjvk/NL6AN36d
MD5:	886C8F9B9C3EBC4C8696B841450871CC
SHA1:	56B46F9B4A49ED90138529DB67E144B785379644
SHA-256:	867D87F7BD16F810EB0146546B571D5008555F24735B06AF175BD7FCDE5A64EA
SHA-512:	61167927B3C634E36A324E765BBAA1DB988C003D87DFFEBB5FCDEEFC247027063E8F1AFA1B8F305B094FFA11F8FBAA25F88197A70BA0764B571F7E5139914EBC
Malicious:	false
Preview:	/! Bootstrap v4.3.1 (https://getbootstrap.com/) * Copyright 2011-2019 The Bootstrap Authors * Copyright 2011-2019 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */..:root{.. --blue:#007bff;.. --indigo:#6610f2;.. --purple:#6f42c1;.. --pink:#e83e8c;.. --red:#dc3545;.. --orange:#fd7e14;.. --yellow:#ffc107;.. --green:#28a745;.. --teal:#20c997;.. --cyan:#17a2b8;.. --white:#fff;.. --gray:#6c757d;.. --gray-dark:#343a40;.. --primary:#007bff;.. --secondary:#6c757d;.. --success:#28a745;.. --info:#17a2b8;.. --warning:#ffc107;.. --danger:#dc3545;.. --light:#f8f9fa;.. --dark:#343a40;.. --breakpoint-xs:0;.. --breakpoint-sm:576px;.. --breakpoint-md:768px;.. --breakpoint-lg:992px;.. --breakpoint-xl:1200px;.. --font-family-sans-serif:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI S

C:\Users\user\AppData\Roaming\FMEV2\bootstrap.min.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	58078
Entropy (8bit):	5.248934854412323
Encrypted:	false
SSDEEP:	768:BwYyDyKAmHVaS3m3Dqp0NwCkXDtdFDLmTV+miDNJcJiQMRqyPiYtB6UvcCg8YGxV:BwTKktDLmTF8yJL45XtHjoGL
MD5:	0A958254DB529F99F475080FE2A6DCDB
SHA1:	EEBC17246F2BEDA813DD3372593CC54A152F9CB4
SHA-256:	3BCD802E9F77849E7C1E93C87279FBBB04D45949D2BE79B03566CEACDE29B158
SHA-512:	327BF409CDD167171A300EF7F95FAC5CBC802320B2872EA845EC434FF7987A21CB0F0346A8EB3CB891447B98E2E622C3D721BC295BF4F26E763659DBB8A09940
Malicious:	false
Preview:	/!.. Bootstrap v4.3.1 (https://getbootstrap.com/).. * Copyright 2011-2019 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors).. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE).. */..!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?e(exports,require("jquery"),require("popper.js")):"function"==typeof define&&define.amd?define(["exports","jquery","popper.js"],e):e((t=t\|\|self).bootstrap={},t.jQuery,t.Popper)}(this,function(t,g,u){"use strict";function i(t,e){for(var n=0;n<e.length;n++){var i=e[n];i.enumerable=i.enumerable\|\|!1,i.configurable=!0,"value"in i&&(i.writable=!0),Object.defineProperty(t,i.key,i)}}function s(t,e,n){return e&&i(t.prototype,e),n&&i(t,n),t}function l(o){for(var t=1;t<arguments.length;t++){var r=null!=arguments[t]?arguments[t]:{},e=Object.keys(r);"function"==typeof Object.getOwnPropertySymbols&&(e=e.concat(Object.getOwnPropertySymbols(r).filter(function(t){return Object.getOwnPropertyDescr

C:\Users\user\AppData\Roaming\FMEV2\bootstrap4-toggle.min.css

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	2805
Entropy (8bit):	4.965892565179449
Encrypted:	false
SSDEEP:	48:EnAjasPtuSAFf6UNVeH8epDms13J5nFBcj8okK+JrNKJEnwKk:TPM1HNVPiPnBcj8ohWrNKJEnwKk
MD5:	610E300328A2179D3E576F37F4977B7A
SHA1:	CA88E4A151A0A440F6713FEED773F129F5050370
SHA-256:	0E574AF86FE2AAFDD061259D7669C9DDB8A9C0EA03D4010FDBF0EAFD0F6F33EC
SHA-512:	EDDCA0CFA3FA81E0F0626F5FD40DB48ABDC886F0E12710D98A5D5673E79D8C79794B5E459CC40B62FA63C0F3DDE952AC818FF16B8570E6461AE202765E15032D
Malicious:	false
Preview:	/\..\|\| ========================================================================..\|\| Bootstrap Toggle: bootstrap4-toggle.css v3.6.1..\|\| https://gitbrent.github.io/bootstrap4-toggle/..\|\| ========================================================================..\|\| Copyright 2018-2019 Brent Ely..\|\| Licensed under MIT..\|\| ========================================================================..\*/...btn-group-xs>.btn,.btn-xs{padding:.35rem .4rem .25rem .4rem;font-size:.875rem;line-height:.5;border-radius:.2rem}.checkbox label .toggle,.checkbox-inline .toggle{margin-left:-1.25rem;margin-right:.35rem}.toggle{position:relative;overflow:hidden}.toggle.btn.btn-light,.toggle.btn.btn-outline-light{border-color:rgba(0,0,0,.15)}.toggle input[type=checkbox]{display:none}.toggle-group{position:absolute;width:200%;top:0;bottom:0;left:0;transition:left .35s;-webkit-transition:left .35s;-moz-user-select:none;-webkit-user-select:none}.toggle-group label,.toggle-group span{cursor:pointer}.toggle.o

C:\Users\user\AppData\Roaming\FMEV2\bootstrap4-toggle.min.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4442
Entropy (8bit):	5.112177964967584
Encrypted:	false
SSDEEP:	96:w2KSDMEu5jINZTYoabtF2tMTs//sycZyzyuRCpRv:wRSDMEu5jINZTYoabtF2njUXv
MD5:	AFC8D535DAF4AFA7CAF480EDFA166934
SHA1:	F87E43823EF622C005DC9CC15AB4E86DDD287378
SHA-256:	5BA8DAF88FDC5E3D5174819552B2B0CC41C1E7625CD60084F8D8922CFF277464
SHA-512:	26C26943C5CB4AE21365D28ADF9B3284D9358ADAF7C1AE9F9D530FBA40BB6629690EEEFAE488AD9023D752183FF7D9C3EEDE6C9E39E60A7A4438E0E987854394
Malicious:	false
Preview:	/\..\|\| ========================================================================..\|\| Bootstrap Toggle: bootstrap4-toggle.js v3.6.1..\|\| https://gitbrent.github.io/bootstrap4-toggle/..\|\| ========================================================================..\|\| Copyright 2018-2019 Brent Ely..\|\| Licensed under MIT..\|\| ========================================================================..\*/..!function(a){"use strict";function l(t,e){this.$element=a(t),this.options=a.extend({},this.defaults(),e),this.render()}l.VERSION="3.6.0",l.DEFAULTS={on:"On",off:"Off",onstyle:"primary",offstyle:"light",size:"normal",style:"",width:null,height:null},l.prototype.defaults=function(){return{on:this.$element.attr("data-on")\|\|l.DEFAULTS.on,off:this.$element.attr("data-off")\|\|l.DEFAULTS.off,onstyle:this.$element.attr("data-onstyle")\|\|l.DEFAULTS.onstyle,offstyle:this.$element.attr("data-offstyle")\|\|l.DEFAULTS.offstyle,size:this.$element.attr("data-size")\|\|l.DEFAULTS.size,style:this.$element.attr(

C:\Users\user\AppData\Roaming\FMEV2\changelog.json

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	59537
Entropy (8bit):	4.8869655100970055
Encrypted:	false
SSDEEP:	768:qGgoghfHXMWbth8zXme+CdOEVLskGt9WjzrsWS:qGgNtMUGdOEpUArsR
MD5:	8D4EEF1FCDB78047407A4CD90C889A6B
SHA1:	19FB5ECE371BDC524873F0F31E1F05ADA83D30A0
SHA-256:	821DA2FDAFE351C565EDB4A34BD7FF27015094F55C9E99DC24C06A17CA208B84
SHA-512:	5370914DD5229CCB8FDF631C351793FB002A27657FE44FE886DF78FBD2F8439ADCB24E23A1A19CCCB20D07A053402F07F62A2C9CC31A6F1D76F3995395E8622C
Malicious:	false
Preview:	.{.. "ChangeLog": [.. {.. "Version": "2.1.7.7",.. "Date": "20220904092733",.. "Changes": {.. "RUS": [.. "... (HEX) ...... .......... ...... . .. ...... ......... .. ....",.. "...... ..... .......... ..... ... .... ..........",.. ".... .......... ......... . .... ........... .........",.. ".......... ...... . ........ ...... .... ........",.... "......... ..... '.....' . ..... '............ .. ....' ... ....... ....... ......".. ],.. "ENG": [.... "Aim (HEX) now ignores crosshairs and won't aim at them",.. "Removed Instant Mode option for Crouch Spam",.. "Crouch spam rewritten and allow sliding",.. "Bug fixes and improved performance of a

C:\Users\user\AppData\Roaming\FMEV2\crosshair.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2461
Entropy (8bit):	6.7608792710779735
Encrypted:	false
SSDEEP:	48:thuQVB5QQ/6+MYL4knA9WIYkuBmtw3A6t2NG4f4GS3ZhWHny3w3xIHcLS3eK0:thuQ5xSzYkknmWIYkuBme3Ak2NG04Guc
MD5:	D47B9AD4D275545C086998635A1F837D
SHA1:	56DE8D00327C226C6A8F47DBB47CB3D96AC7746A
SHA-256:	9DBE55F92C01B7AC2B38607C0CBB3A4F1F79FEBB68AF9324A41470BFC2B18E54
SHA-512:	1D4BAB9BC3E2B544F80BB192032E87DFA0597A800294359D136B34C8E18E6EB5A591619AFD7375F1164557B559F4A1B9975C62A9530CFA8E1482288E80C261F0
Malicious:	false
Preview:	.PNG........IHDR...2...2......?.....7iCCPAdobe RGB (1998)..(....J.P....E.V...p'QPl...I[. X.C..IC.b.n.....n.\.}.'G.A..\|...C........9....b..Q..X.v......f...N..v.u..'q.......M..4...2..J.#`..e!.....1...j....N.5.O@....P.r..J..\|._..s=..9..r_.L.]k.Z...Y.T.eY..&A$.....3....J...Q....`1.l7..V......=...en.G.@,=.YAx...U.;..b.p...azTd.7p....E.Z...<.....O..S?.....pHYs................oiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c145 79.163499, 2018/08/13-16:40:22 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CC 2019 (Windows)" xmp:CreateDate="2020-05-09T00:16:1

C:\Users\user\AppData\Roaming\FMEV2\jquery.min.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	89478
Entropy (8bit):	5.2899182577550565
Encrypted:	false
SSDEEP:	1536:/jExXUqrnxDjoXEZxkMV4SYSt0zvDD6ip3h8cApwEjOPrBeU6QLiTFbc0QlQvaks:/Yh8eip3huuf6IidlrvakdtQ47GK8
MD5:	B61AA6E2D68D21B3546B5B418BF0E9C3
SHA1:	9C1398F0DE4C869DACB1C9AB1A8CC327F5421FF7
SHA-256:	F36844906AD2309877AAE3121B87FB15B9E09803CB4C333ADC7E1E35AC92E14B
SHA-512:	5882735D9A0239C5C63C5C87B81618E3C8DC09D7D743C3444C535B9547B9B65DEFA509D7804552C581CB84B61DD1225E2ADD5DCA6B120868EC201FA979504F4B
Malicious:	false
Preview:	/! jQuery v3.5.1 \| (c) JS Foundation and other contributors \| jquery.org/license /..!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n\|\|E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]\|\|t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"

C:\Users\user\AppData\Roaming\FMEV2\pro.svg

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	4216
Entropy (8bit):	5.255747169066751
Encrypted:	false
SSDEEP:	48:/GJ+lkvJqkYxsRYODytJqkYxsRYO4ytJqkYxsRYOJytJqkYxsRYOcv9pO7eCothq:eJz3gPO+HDtGcyvtbGzG0Gi6
MD5:	528C7EDB05D700BC65AB59105E12938B
SHA1:	95090C8E4A1E145079AD3A96A6D25F26A1A6165D
SHA-256:	B2496B7628759B1F61FEE470393CB0922E4650A1147818B1FD99C0B5CF9FDB6A
SHA-512:	839EB0D257BC0BFEA35536677A5C4B1D21379B9AC18E46229D7B2730800E495786918152E9ADFD47391576D19DA97291B0A7D2B5ED5080CBF1CD448108927038
Malicious:	false
Preview:	<svg baseProfile="tiny" width="17" height="17" version="1.1" viewBox="0 0 512 512" preserveAspectRatio="none" xml:space="preserve" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">...<g>....<linearGradient spreadMethod="pad" id="Gradient1" x1="0%" y1="0%" x2="0%" y2="100%">.....<stop offset="0%" style="stop-color:rgb(102, 74, 9);stop-opacity:1;" />.....<stop offset="9%" style="stop-color:rgb(165, 128, 13);stop-opacity:1;" />.....<stop offset="49%" style="stop-color:rgb(252, 228, 98);stop-opacity:1;" />.....<stop offset="88%" style="stop-color:rgb(157, 122, 11);stop-opacity:1;" />.....<stop offset="100%" style="stop-color:rgb(102, 74, 9);stop-opacity:1;" />....</linearGradient>....<linearGradient id="Gradient2" x1="0" x2="0" y1="0" y2="1">.....<stop offset="0%" style="stop-color:rgb(102, 74, 9);stop-opacity:1;" />.....<stop offset="9%" style="stop-color:rgb(165, 128, 13);stop-opacity:1;" />.....<stop offset="49%" style="stop-color:rgb(252, 228, 98);stop-opac

C:\Users\user\AppData\Roaming\FMEV2\script.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	15017
Entropy (8bit):	5.209500201704424
Encrypted:	false
SSDEEP:	192:E4EMyzW0VORujw74FpcMT5rXlYMAYXWtn8ngrRV62YNcqglgtftf/LtDSOfOFaha:VATAtLLwtDtD9h+3
MD5:	9A674C85F0970BB26B39EACCF4FED69A
SHA1:	8DE14C0EF79C30AE189973C364DD3F3E798BCC47
SHA-256:	46E8F8A8A4336E10E2E0173CFFD9C8EE230AB8298A40E3C9F1BEF3660E67AB1B
SHA-512:	84ACAE58C99D7FF0D12B213FD3CFC5093C9340569DF88720601878BC91DCD8CF5DF2AD35B88C2589A85E60682102BECF9A70857AA43376356D64B4821F3CE69D
Malicious:	false
Preview:	$(function() {...var Sleep;...var Block;......function disableF5(e) { if (e.which == 116) e.preventDefault(); };......$(document).bind("keydown", disableF5);......window.onerror = function (e,u,l) {... ahk.JSError(e,u,l);...} ......$('[data-toggle="tooltip"]').tooltip()...$( ".kinput" ).keydown(function(e) {.... var HotkeyName = $(this).attr("name");... var HotkeyClass = this.className... if (e.key == "Backspace")... {....this.value = "";... }... else if (e.key == "Spacebar")... {....this.value = "Space";... }... else if (e.key == "PageDown")... {....this.value = "PgDn";... }... else if (e.key == "PageUp")... {....this.value = "PgUp";... }... else... {.... this.value = e.key;... }... ahk.HotkeyBind(this.value,this.id,HotkeyName,HotkeyClass);... this.blur();...});.....$( ".kinput" ).keypress(function(e) { ... var HotkeyName = $(this).attr("name");... var HotkeyClass = this.className... if (e.key == "&")... {....this.value = "Mouse 5";... }... else if (e.key == "

C:\Users\user\AppData\Roaming\FMEV2\style.css

Download File

Process:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	15915
Entropy (8bit):	5.13872569588246
Encrypted:	false
SSDEEP:	192:HlfSvhqac0hmckYNpPArAfKvHCJXrGXyDYJE9KTjrBoKCRjqYYPpYgxFl75V/+/8:HBQkHkW/7CR6YgxXVcUIEVijaP
MD5:	68124BFA8FACC0D5ADCDDC262DED8A51
SHA1:	77092535C41689370184268A25ED46E5A4700839
SHA-256:	8A8A773E98F390E316FBB521BC3763E368990D6E7E6404543BA77D76E3974EC6
SHA-512:	EAF9BF2750F257C756387ED1F2B1A9A268A61AF823B4FCF6819FF7CB16D8A22DCFEEE030A22FA528580E13DCFA4B99BFC9C38D17E79B8E9A0864372B513A2569
Malicious:	false
Preview:	html,body..{...width: 100%;...height: 100%;...-ms-overflow-style: none;...background-image: url("FME.jpg");...background-size: cover;..}.....hwrap..{.. overflow: hidden;..}.....warnwindow..{...background-color: rgba(23,25,27,.9900) !important;...color: #fff;...text-align: center; ...border-radius: 15px; ...padding: 25px;...width: 95%;...position: absolute;...z-index: 1055;...top: 25%;...left: 2.5%;..}.....parent {.. border: 1px solid black;.. margin: 1rem;.. padding: 2rem 2rem;.. text-align: center;..}...child {.. display: inline-block;.. border: 1px solid red;.. .. vertical-align: middle;..}...inline {.. display: inline-block;..}.....hmove { display: flex; }.....hitem {.. flex-shrink: 0;.. width: 60%;.. font-size: 10pt;.. box-sizing: border-box;.. padding: 10px;.. text-align: center;..}....@keyframes tickerh {.. 0% { transform: translate3d(-5%, 0, 0); }.... 100% { transform: translate3d(105%, 0, 0); }..}...hmove { animation: tickerh linear 3s infinite; }...hmove:hover

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.785825140172241
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	9ISNeRdj1B.exe
File size:	664115
MD5:	82abb3648ac3b46ce91801ae3d7bb2bc
SHA1:	52fd2d372bc658b40d87ea78d8eb3844128d022f
SHA256:	4acdef5bab397d24a91955f07803c10089bf24d570159f779284408f3a2d1141
SHA512:	3b2685509eeb8ef519fc04ead0ce9c7c195ebb4d6e688bf057e9356650299063af94eb94db5cf93fe946dd79c47d46e86ce286a55bce0d89d0036b49f389ca26
SSDEEP:	12288:nTcFngzqfSbTPw9/A813WS8UgjCSxAO9nax5+4LFJswwwUkVDTOQe:TcVkKSbTI948dWS81VaD5+KJswwwUkV6
TLSH:	84E4126236EA84F6D15221708644FF7550B5DF544B381EFB33C0FD1FBB3A982A12A299
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B...]...B...^...B...]...B...]...B...J...B...B...B...J...B...d...B...d...B....6..B.......B..]D...B..Rich.B.........

File Icon


Icon Hash:	8e333b3b3b3be69a

Static PE Info

General

Entrypoint:	0x41910c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT
Time Stamp:	0x5C6ECB00 [Thu Feb 21 16:00:00 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	32569d67dc210c5cb9a759b08da2bdb3

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	7/2/2021 2:00:00 AM 7/11/2024 1:59:59 AM
Subject Chain	CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US
Version:	3
Thumbprint MD5:	DC429A22AA63D23DB8E84F53D05D1D48
Thumbprint SHA-1:	2673EA6CC23BEFFDA49AC715B121544098A1284C
Thumbprint SHA-256:	7D3D117664F121E592EF897973EF9C159150E3D736326E9CD2755F71E0FEBC0C
Serial:	0E4418E2DEDE36DD2974C3443AFB5CE5

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0041C298h
push 00419106h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0041B0E8h]
pop ecx
or dword ptr [004213E4h], FFFFFFFFh
or dword ptr [004213E8h], FFFFFFFFh
call dword ptr [0041B0ECh]
mov ecx, dword ptr [0041F3C8h]
mov dword ptr [eax], ecx
call dword ptr [0041B0F0h]
mov ecx, dword ptr [0041F3C4h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0041B0F4h]
mov eax, dword ptr [eax]
mov dword ptr [004213ECh], eax
call 00007F02E895D951h
cmp dword ptr [0041F150h], ebx
jne 00007F02E895D83Eh
push 00419294h
call dword ptr [0041B0F8h]
pop ecx
call 00007F02E895D923h
push 0041F038h
push 0041F034h
call 00007F02E895D90Eh
mov eax, dword ptr [0041F3C0h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0041F3BCh]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041B100h]
push 0041F030h
push 0041F000h
call 00007F02E895D8DBh

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804
[ C ] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e1bc	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0x8591	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9fea3	0x2390
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1b000	0x1b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19745	0x19800	False	0.5834386488970589	DOS executable (COM)	6.630138428396258	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1b000	0x3a98	0x3c00	False	0.3345703125	data	4.393187661848544	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x23f0	0x200	False	0.369140625	data	3.3002286379266064	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sxdata	0x22000	0x4	0x200	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x23000	0x8591	0x8600	False	0.2001515858208955	data	3.4585437671592194	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x232b0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4292467161, next used block 4292467161	English	United States
RT_ICON	0x274d8	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4288782753, next used block 4288914339	English	United States
RT_ICON	0x29a80	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294506744, next used block 4294506744	English	United States
RT_ICON	0x2ab28	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x2af90	0xb8	data	English	United States
RT_STRING	0x2b048	0x60	data	English	United States
RT_STRING	0x2b0a8	0x54	data	English	United States
RT_STRING	0x2b0fc	0x34	data	English	United States
RT_GROUP_ICON	0x2b130	0x3e	data	English	United States
RT_VERSION	0x2b170	0x2a4	data	English	United States
RT_MANIFEST	0x2b414	0x17d	XML 1.0 document text

Imports

DLL	Import
OLEAUT32.dll	SysStringLen, SysAllocStringLen, VariantClear
USER32.dll	DialogBoxParamW, SetWindowLongW, GetWindowLongW, GetDlgItem, LoadStringW, CharUpperW, DestroyWindow, EndDialog, PostMessageW, SetWindowTextW, ShowWindow, MessageBoxW, SendMessageW, LoadIconW, KillTimer, SetTimer
SHELL32.dll	ShellExecuteExW
MSVCRT.dll	_controlfp, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ?terminate@@YAXXZ, ??1type_info@@UAE@XZ, _except_handler3, _beginthreadex, memset, wcsstr, free, malloc, memcpy, _CxxThrowException, _purecall, memmove, memcmp, wcscmp, __CxxFrameHandler
KERNEL32.dll	WaitForSingleObject, GetStartupInfoA, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, lstrlenW, lstrcatW, VirtualFree, VirtualAlloc, Sleep, WaitForMultipleObjects, GetFileInformationByHandle, GetStdHandle, GlobalMemoryStatus, GetSystemInfo, GetCurrentProcess, GetProcessAffinityMask, SetEndOfFile, WriteFile, ReadFile, SetFilePointer, GetFileSize, GetFileAttributesW, GetModuleHandleA, FindNextFileW, FindFirstFileW, FindClose, GetCurrentThreadId, GetTickCount, GetCurrentProcessId, GetTempPathW, GetCurrentDirectoryW, SetCurrentDirectoryW, SetLastError, DeleteFileW, CreateDirectoryW, GetModuleHandleW, GetProcAddress, RemoveDirectoryW, SetFileAttributesW, CreateFileW, SetFileTime, GetSystemDirectoryW, FormatMessageW, LocalFree, GetModuleFileNameW, LoadLibraryExW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetLastError, GetVersionExW, GetCommandLineW, CreateProcessW, CloseHandle

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 7, 2022 11:41:00.049474955 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.049531937 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.049627066 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.102921963 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.102950096 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.151287079 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.151412010 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.581254959 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.581304073 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.581922054 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.582006931 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.585386992 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.627366066 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.789716005 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.790641069 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.791836023 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.791865110 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.791886091 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.791961908 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.791980028 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.792012930 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.792052031 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.795068026 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.795095921 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.795188904 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.795205116 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.795309067 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.806741953 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.806771994 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.806926966 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.806950092 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.806996107 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.808331013 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.808357000 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.808464050 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.808485031 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.808522940 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.810544968 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.810571909 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.810692072 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.810710907 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.810754061 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.810779095 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.812418938 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.812439919 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.812505007 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.812524080 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.812557936 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.812582970 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.823435068 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.823461056 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.823546886 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.823565960 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.823607922 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.825742006 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.825771093 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.825845957 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.825855970 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.825887918 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.825903893 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.826543093 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.826570988 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.826633930 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.826642036 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.826685905 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.828747988 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.828778028 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.828835011 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.828869104 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.828881979 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.828892946 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.828922987 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.828953028 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.829127073 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.829148054 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.829217911 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.829226017 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.829236031 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.829262018 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.836440086 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.836466074 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.836548090 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.836565018 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.836575985 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.836605072 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.839050055 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.839075089 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.839184046 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.839201927 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.839215994 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.839252949 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.839750051 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.839795113 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.839833975 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.839842081 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.839881897 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.839898109 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.840503931 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.840529919 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.840591908 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.840599060 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.840642929 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.841100931 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.841123104 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.841182947 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.841188908 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.841216087 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.841233015 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.842014074 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.842036009 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.842092037 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.842097044 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.842128038 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.842149019 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.842627048 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.842647076 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.842691898 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.842698097 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.842726946 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.842746973 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.843478918 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.843507051 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.843668938 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.843676090 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.843682051 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.843714952 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.843879938 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.843910933 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.843945980 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.843951941 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.843983889 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.844001055 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.844762087 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.844793081 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.844856024 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.844862938 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.844901085 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.844921112 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.845648050 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.845685005 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.845753908 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.845769882 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.845781088 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.845812082 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.845932961 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.846002102 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.846004963 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.846026897 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.846102953 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.846594095 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.846617937 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.846677065 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.846683025 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.846708059 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.846748114 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.851988077 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.852014065 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.852152109 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.852164030 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.852212906 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.852260113 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.852283001 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.852346897 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.852355003 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.852389097 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.852605104 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.852627039 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.852653980 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.852660894 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.852670908 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.852746010 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.854666948 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.854698896 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.854815960 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.854827881 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.854895115 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.854899883 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.855417013 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.855447054 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.855535984 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.855549097 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.855588913 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.855614901 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.855691910 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.855727911 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.855777979 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.855789900 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.855830908 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.855849028 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.855931044 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.855969906 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.856086969 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.856096983 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.856106997 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.856146097 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.856153011 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.856281996 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.856312990 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.856379986 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.856395006 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.856465101 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.856487989 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.856935024 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.856975079 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.857088089 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.857095003 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.857131958 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.857140064 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.857155085 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.857160091 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.857204914 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.857233047 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.857356071 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.857469082 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.857669115 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.857681990 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.857793093 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.857794046 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.857822895 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.857903004 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.857912064 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.857940912 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.857950926 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.857981920 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.858093977 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.858100891 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.858107090 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.858149052 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.858156919 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.858274937 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.858983040 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.859014988 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.859126091 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.859142065 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.859189034 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.859205008 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.859277010 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.859380007 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.859417915 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.859481096 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.859497070 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.859534025 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.859549999 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.859553099 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.859570980 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.859621048 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.859627962 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.859709978 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.859720945 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.859731913 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.859766960 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.859781027 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.859791994 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.859886885 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.859889984 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.859914064 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.859925032 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.859986067 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.859994888 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.860004902 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.860017061 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.860066891 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.860084057 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.860095024 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.860160112 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.860311031 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.860502958 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.860544920 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.860615015 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.860626936 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.860639095 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.860686064 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.860768080 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.860805035 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.860861063 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.860876083 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.860918999 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.860934973 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.861053944 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.861103058 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.861156940 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.861166000 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.861210108 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.861219883 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.861323118 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.861341000 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.861383915 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.861449003 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.861459017 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.861486912 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.861562967 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.861902952 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.861970901 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.862055063 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.862066031 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.862160921 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.862170935 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.862179041 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.862186909 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.862251043 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.862262011 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.862276077 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.862287998 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.862340927 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.862508059 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.862689018 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.862721920 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.862808943 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.862819910 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.862879992 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.862891912 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.863004923 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.863034964 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.863132954 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.863147974 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.863208055 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.863251925 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.864068985 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.866288900 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.869123936 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.869147062 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.869265079 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.869277000 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.869298935 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.869313002 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.869322062 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.869335890 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.869342089 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.869378090 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.869420052 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.869518995 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.869538069 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.869587898 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.869596004 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.869611979 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.869637966 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.869718075 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.869740009 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.869790077 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.869801044 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.869833946 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.869853973 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.869960070 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.870016098 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.870023966 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.870042086 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.870095968 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.870172024 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.870191097 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.870255947 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.870264053 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.870296955 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.870316029 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.870629072 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.870678902 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.870712042 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.870722055 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.870776892 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.870796919 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.870841026 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.870861053 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.870922089 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.870929956 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.870966911 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.870990992 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.872850895 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.872878075 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.873095989 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.873141050 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.873162031 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.873182058 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.873248100 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.873265982 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.873272896 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.873339891 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.873383999 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.873445034 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.873466969 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.873542070 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.873552084 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.873585939 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.873615980 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.873737097 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.873756886 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.873929024 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.873986959 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.873999119 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.874039888 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.874072075 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.874100924 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.874140024 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.874187946 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.874195099 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.874223948 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.874229908 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.874598980 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.874620914 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.874701023 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.874711037 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.874737024 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.874752998 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.874780893 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.874802113 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.874854088 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.874861956 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.874893904 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.874905109 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.875200033 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.875222921 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.875309944 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.875324011 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.875375986 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.875482082 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.875504971 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.875557899 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.875567913 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.875602007 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.875612974 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.875693083 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.875746012 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.875762939 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.875775099 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.875806093 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.875828028 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.875859022 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.875880957 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.875936985 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.875948906 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.875965118 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.875988007 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.876172066 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.876271963 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.876332045 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.876351118 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.876364946 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.876394987 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.876420021 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.876552105 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.876573086 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.876625061 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.876635075 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.876663923 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.876694918 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.876810074 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.876832962 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.876889944 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.876902103 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.876923084 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.876955032 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.877053022 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.877079010 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.877208948 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.877223969 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.877278090 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.877300024 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.877326965 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.877383947 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.877396107 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.877409935 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.877440929 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.877510071 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.877568007 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.877589941 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.877590895 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.877605915 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.877652884 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.877661943 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.877666950 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.877672911 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.877721071 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.877724886 CEST	443	49706	185.199.108.133	192.168.2.4
Sep 7, 2022 11:41:00.877764940 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.884516001 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.910048962 CEST	49706	443	192.168.2.4	185.199.108.133
Sep 7, 2022 11:41:00.910095930 CEST	443	49706	185.199.108.133	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 7, 2022 11:41:00.014105082 CEST	56572	53	192.168.2.4	8.8.8.8
Sep 7, 2022 11:41:00.033258915 CEST	53	56572	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 7, 2022 11:41:00.014105082 CEST	192.168.2.4	8.8.8.8	0xe405	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Sep 7, 2022 11:41:00.033258915 CEST	8.8.8.8	192.168.2.4	0xe405	No error (0)	raw.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)
Sep 7, 2022 11:41:00.033258915 CEST	8.8.8.8	192.168.2.4	0xe405	No error (0)	raw.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)
Sep 7, 2022 11:41:00.033258915 CEST	8.8.8.8	192.168.2.4	0xe405	No error (0)	raw.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)
Sep 7, 2022 11:41:00.033258915 CEST	8.8.8.8	192.168.2.4	0xe405	No error (0)	raw.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

raw.githubusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49706	185.199.108.133	443	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

Timestamp	kBytes transferred	Direction	Data
2022-09-07 09:41:00 UTC	0	OUT	GET /HexVexRtx/FME/main/file HTTP/1.1 Accept: / Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: raw.githubusercontent.com Connection: Keep-Alive
2022-09-07 09:41:00 UTC	0	IN	HTTP/1.1 200 OK Connection: close Content-Length: 1280160 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: application/octet-stream ETag: "20cc632be3d167100a79789463a0312796278a7129c5ed0f2f2780cc5b2dc216" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 5A14:5C81:1A9F5D:1DCE78:6318672C Accept-Ranges: bytes Date: Wed, 07 Sep 2022 09:41:00 GMT Via: 1.1 varnish X-Served-By: cache-mxp6952-MXP X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1662543661.589195,VS0,VE188 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * X-Fastly-Request-ID: c5849d9f78ffea68f4e225d9d6e554b5bab78cdd Expires: Wed, 07 Sep 2022 09:46:00 GMT Source-Age: 0
2022-09-07 09:41:00 UTC	1	IN	Data Raw: 01 17 5b cc ff d8 25 e4 fd 93 9d 25 e3 ae 51 e6 96 22 c8 70 46 18 c0 8a c0 a0 9c 02 c0 f7 0f 13 f8 51 5e 17 b8 9d 27 b4 ac 5b 36 33 62 5d 6d b0 f6 52 af d9 fa 2f 4e 5a 8f e3 8a a0 28 78 5b 5d 28 4b 54 4f 34 b1 80 87 4f 3e c2 58 fd b5 6e 06 2e e7 86 b4 e5 1b 98 7c 70 34 48 43 b7 69 3c e3 f1 3f ca fb 54 f2 d3 ad d4 02 ee 58 a5 81 92 f4 23 f6 df a8 47 54 37 89 07 ee b9 74 60 a4 fa 05 10 b1 e3 43 ca 07 ba 09 9d e1 d8 8f cf 54 6f a9 37 1f e7 04 5e 83 7d cb 8d 50 bb e9 32 03 90 f8 83 3d 1c 46 8a 35 44 c9 b4 df f3 bd 42 bd 74 d6 82 dc 53 08 db 58 e8 2b ef 71 e2 a8 ef 1e 77 85 77 2d d4 e8 6d 79 cb 65 a0 d9 54 16 56 d6 01 2e 90 fd a3 49 d7 66 3e eb 1b bd 1b 90 e8 e9 14 a9 d2 7a 20 22 5c c6 e1 f0 2a 0e 5b ec f0 d3 c3 1c ef 13 77 04 3c 0c 5c 70 8f a5 a2 46 21 df fa Data Ascii: [%%Q"pFQ^'[63b]mR/NZ(x[](KTO4O>Xn.\|p4HCi<?TX#GT7t`CTo7^}P2=F5DBtSX+qww-myeTV.If>z "\*[w<\pF!
2022-09-07 09:41:00 UTC	17	IN	Data Raw: c7 b8 99 b6 58 85 29 82 08 8f ed 16 3f 8e 4f 0d 37 7e cd 0f 77 8e 4d bb d5 e1 a1 96 81 42 0e b0 b1 37 5d 87 e4 2e 13 aa 80 c9 03 dc 17 f5 04 0c 2a bf 82 b0 b7 73 2f 45 61 c2 02 5b 84 ee 97 c8 ec c8 42 85 1c 27 bc 67 db 86 06 02 45 b5 41 0f 11 6d 8d d1 59 04 da 89 3c 5f d2 d9 02 2a 28 8f a4 99 1d 53 37 b9 8f a6 2b 5f a1 6d 4c 8a ae eb 83 25 37 33 9a dc 1e 3a 61 50 ef c6 d3 6b c9 fa 53 d7 68 fd dd 95 53 dc e7 ae 74 d3 82 97 57 64 a2 50 7f 40 7a df 58 f1 9a b0 ac 09 39 71 5d ca 94 b8 85 27 f3 9f ff 16 69 55 82 d2 cf 17 54 2b 79 12 b4 60 e5 58 1c 94 d5 13 c4 1b 6f 6a 1c a0 31 fa 68 a4 ec 70 0c 2c 39 37 7a 7c 86 af fd 65 a7 26 90 69 0f d0 0f 1b 0c 8c e1 3c 7c f3 90 17 c1 6a 44 e1 7a fa 7a 72 fb 20 bc 5a ac 80 6b 9e fd a2 24 27 40 db a0 26 86 e3 b3 99 56 1a 8e Data Ascii: X)?O7~wMB7].s/Ea[B'gEAmY<_(S7+_mL%73:aPkShStWdP@zX9q]'iUT+y`Xoj1hp,97z\|e&i<\|jDzzr Zk$'@&V
2022-09-07 09:41:00 UTC	33	IN	Data Raw: bc 4c 47 ab 43 a8 be 5e b5 01 1b b2 e0 e1 f1 f6 d2 f1 d7 f2 f5 45 83 19 11 58 08 65 11 06 98 cd 0c 6a 21 9e b1 16 3a 2c 77 97 c4 9e 55 5d b5 ca e7 ba 01 62 c5 a3 df 4c f2 54 03 cd 2c 91 ea 99 67 b8 a8 56 ca 49 7e 33 a1 af 2c 77 93 37 e0 2e ad 54 f9 21 79 06 71 b3 be 14 c4 7e 04 e0 f1 97 d5 8c db de eb 35 89 53 f7 f9 0b a0 3b 8e 8d e6 53 9d 2f 84 b2 0e 6f 9a 1f 8d 99 67 22 9a 6a d7 e7 e0 ba 5f 66 8d fe 75 ab 1d dc 1d d4 2e ab 01 13 ed b6 67 b0 dc 9a 8b ca 4f 0f f8 18 48 cf c0 04 64 fa 0e b7 36 37 df 5b 27 15 d3 6b 8f c9 bc 73 2a 10 e4 f0 7c 60 5a bb 44 9d 4f 95 10 65 7a 0b f9 bf e2 cb ea a8 a3 f8 3d f5 51 fe 17 dc de 36 57 2c f2 67 b9 55 56 57 da ab 3d 05 d7 e1 d1 a3 78 26 11 05 e9 5b 4f fe b1 14 56 48 9d 9c ed b2 d0 48 e6 6b 91 f0 77 46 d4 c0 26 b9 23 4e Data Ascii: LGC^EXej!:,wU]bLT,gVI~3,w7.T!yq~5S;S/og"j_fu.gOHd67['ks*\|`ZDOez=Q6W,gUVW=x&[OVHHkwF&#N
2022-09-07 09:41:00 UTC	49	IN	Data Raw: bc bd c6 e8 64 7d e0 3c d8 49 9f af d9 13 62 7c f7 d6 9b 2b 0b ba 71 d9 45 ca 05 6d 46 7a 84 e1 6e bf 9a fc fc 75 89 38 43 41 21 1f 48 64 de 68 ba ef cd 22 72 65 7c c7 79 72 a4 8e f0 87 87 6a 6a 73 e8 46 fa 84 69 0a 99 3e 16 d7 a8 75 6c ff 90 af 47 95 14 1d 59 41 2e 92 65 f9 52 5f 08 f9 65 95 2b f9 a7 bd 8b fb d9 fc 2f c5 46 8d a3 61 a8 3e 41 83 85 b5 dc 4e c6 a5 84 aa 0f f2 d4 82 27 b8 bf ae 74 27 0c a0 d3 ab 69 80 9a e9 2b 47 c0 e6 fa d9 b0 11 f6 33 b2 27 9f d6 cb 7f 38 b3 ff a6 3e 99 c1 78 ba 58 7d 5c d5 60 2f a2 81 a4 d5 9b b0 49 22 c5 ad ce 2c 7a 44 c2 62 cf 22 95 aa 2a cb 6a 72 6c e6 1a 48 4f b3 ef 3b 07 89 25 7f ce 30 f8 48 93 31 f2 72 bf c7 60 e1 62 0c 61 93 ca 45 6a 2a 58 5c 61 bc 88 39 7f d2 21 2d 09 72 7c 05 9c 58 b9 60 f9 3f ba 70 d5 68 a9 97 Data Ascii: d}<Ib\|+qEmFznu8CA!Hdh"re\|yrjjsFi>ulGYA.eR_e+/Fa>AN't'i+G3'8>xX}\`/I",zDb"jrlHO;%0H1r`baEjX\a9!-r\|X`?ph
2022-09-07 09:41:00 UTC	65	IN	Data Raw: 90 ad c2 d0 d9 af 32 a2 9c 98 89 86 3e f1 d2 2d 25 0e e9 d6 95 2a e7 23 2c 39 05 53 a0 3c e6 8a 0c 56 b0 d6 ed 9c a3 32 9c 10 01 4f f3 89 f5 b9 17 fa 68 9b c2 2a 25 b4 8e a6 c9 8d 15 7d a4 ce 23 31 95 23 0c 2a c3 11 46 7c 3d 76 d7 97 b4 68 ca c8 29 b1 79 1f 8b 4b 2a 3a df 55 89 a6 15 ee cd 7e a4 bb aa 15 cc 3f d3 a5 b7 2d 36 24 76 29 24 d8 cc ce 18 f9 c1 58 a6 b0 0e 7c b8 21 69 c8 d2 3a 9d 11 2e d5 b9 03 4c bc 9f 1a be c1 da e5 b7 d8 7b e7 59 f3 62 11 b6 ef a9 7b da 29 55 db 9d b3 fc d7 98 d4 9e d8 a5 22 b4 08 45 ea 5d 3c d8 1b 6a 94 a8 c0 1a 69 4d 86 51 67 eb 01 49 04 fa 22 40 1d 83 5a 6f 96 98 d1 2a 02 86 82 5d 6d ce ea af 89 aa cf 1e 20 6a e8 53 0d ad 5a 0c 29 5f 43 c7 24 83 5f ce f4 b1 62 40 b9 85 61 19 15 57 0b 67 cd bf 86 ca f0 eb 3d 1d 6f fb 5f 5f Data Ascii: 2>-%#,9S<V2Oh%}#1#F\|=vh)yK:U~?-6$v)$X\|!i:.L{Yb{)U"E]<jiMQgI"@Zo*]m jSZ)_C$_b@aWg=o__
2022-09-07 09:41:00 UTC	81	IN	Data Raw: 8e 9e 52 03 5e 10 11 5b be 33 67 dc ac 82 3a 10 89 0c 21 d8 ff 67 e4 55 c1 8b 83 56 34 83 45 fe 6f b9 28 43 1b fb 33 3b 7a 14 c2 ad 1f 17 35 9a 2e c9 67 f6 76 94 7a 9d 4b 5e d0 d9 ec 77 71 36 9b 3a 38 00 3d e8 0d 1f 80 93 2d d4 14 3d 71 6c 1d 00 29 9a 30 64 59 b9 9c 32 58 b1 b1 10 49 1d 68 82 6d 65 c6 8e 31 c1 14 5d 0f 16 19 e2 3e 2e d9 b9 a1 07 92 9b ab 7e 78 f8 b2 bf f1 47 60 e8 4b 91 45 29 8b 72 e7 37 aa 6a 73 94 b3 91 12 86 6d cc c1 7e 4a 7f f0 b5 a5 0b 2a 8d 43 c9 43 81 7c 58 a6 4d 31 be 8e a0 37 4e 16 51 ea 81 be 51 d6 8d d5 08 75 94 ff d3 85 ee d5 19 12 32 51 2f b6 32 86 19 50 c9 bf 1f 66 02 05 be 1e b5 d1 85 93 56 4c ec 0e 4c 5a 6d 91 b8 1a 17 ae f2 09 49 9c d9 15 39 92 e8 2d 7e 29 60 ba 1a 71 66 b5 93 9b 18 67 df d4 40 14 52 52 ff 3f 0c dd 49 76 Data Ascii: R^[3g:!gUV4Eo(C3;z5.gvzK^wq6:8=-=ql)0dY2XIhme1]>.~xG`KE)r7jsm~J*CC\|XM17NQQu2Q/2PfVLLZmI9-~)`qfg@RR?Iv
2022-09-07 09:41:00 UTC	97	IN	Data Raw: 1d e0 0e e9 69 7c fa 90 79 d8 eb d6 07 81 1f 9a 55 85 93 ec 0e cc 6b 93 9b 69 87 36 33 00 ed 5a ba ad 51 f5 1c 83 1e 4c 2e 52 2b f7 04 9c 4b a1 45 0d 24 82 24 d2 66 f3 11 d7 7a 39 d6 65 24 f3 0a b5 72 b8 e1 0d dc 7a a3 fc b8 c5 ff 39 3b f0 0e 45 5f f1 71 a0 cd d3 ab b9 d6 f1 be 8f 4d d3 5b 66 95 da 8a 4a 4a e9 ce 8b 78 51 19 61 b3 ee 5b 8b 74 78 7e ec b5 9c 9a d5 b5 64 81 5b 3e 26 3a 87 79 07 58 af 09 97 4a 98 c9 c5 8e 57 b1 d8 88 21 c3 93 c4 ce 5a ec 23 9b 63 22 88 4e 37 18 d3 f9 85 d2 dc 1f da b7 8e 58 af 91 61 95 fb 2f d1 fe f1 d2 e1 15 93 81 86 f2 1f 74 b3 b6 db bb e9 69 28 7a b6 31 ca 8b 11 4f 5c 90 80 18 0c 86 8f d4 21 80 87 34 0b 1c f9 c2 f9 c3 c5 09 2e 48 33 59 2e 71 94 d9 b2 5f ce 7c 7d 08 d4 fb 51 3d 5e 46 15 45 d5 2e 11 db a7 85 02 11 85 7b 2c Data Ascii: i\|yUki63ZQL.R+KE$$fz9e$rz9;E_qM[fJJxQa[tx~d[>&:yXJW!Z#c"N7Xa/ti(z1O\!4.H3Y.q_\|}Q=^FE.{,
2022-09-07 09:41:00 UTC	113	IN	Data Raw: f0 e0 d7 f9 51 32 68 d8 c2 c7 70 81 14 4e 6c 11 54 35 ab 2e cb e9 96 70 cb e3 f4 fe 7f 12 e0 d1 5c 0a 0c 19 48 45 67 33 a4 c8 32 67 17 08 97 c6 97 3d c4 69 f1 3e 58 e8 a9 cf 94 94 8d b0 e4 54 ed a5 86 33 ad 5b 44 ce 96 ef 0a ba 7c ef c0 26 4b 5b f6 f9 b9 22 fb 24 04 be 14 52 79 44 a7 c0 44 fc 24 a7 d2 57 01 54 73 d3 45 90 38 ac a4 42 40 38 99 5a 14 ef 62 19 1a 3d c5 3a 54 2a 30 b2 d9 49 38 7c 3e f8 f5 9e 52 9a 87 00 1a 2a df 4e 4e cd 4b f0 42 0f e5 f9 28 25 15 81 a7 21 2b 77 02 d6 88 0d 9c 04 fc a2 a4 b4 71 b7 d3 5b 62 c5 cc 8a 5e 11 70 25 b2 51 6b 44 6e c3 79 de 90 0b ca 27 0d 96 a3 6a af c8 35 da 75 86 d4 8f ca 0f 07 8c 45 b9 d5 d7 e1 4a 3b 20 24 1f 08 f4 2d 53 45 44 49 ff 43 b1 e9 e1 a7 55 80 b4 1b af c8 ff a4 c2 ce e9 c7 70 06 1a ea cd 26 6a 37 7a 92 Data Ascii: Q2hpNlT5.p\HEg32g=i>XT3[D\|&K["$RyDD$WTsE8B@8Zb=:T0I8\|>RNNKB(%!+wq[b^p%QkDny'j5uEJ; $-SEDICUp&j7z
2022-09-07 09:41:00 UTC	129	IN	Data Raw: cb 67 bc 14 14 15 03 76 14 2a 05 d7 1c 36 a6 aa 9f 51 95 60 33 80 03 3e 48 8e 48 4f c3 77 54 95 bf 2d 0e 9c d0 96 6a 55 e9 fa 88 25 95 84 da 3d 07 b5 d5 17 18 6d 54 5f 5b d2 3d 7f f2 df 68 ab 15 9a 64 50 93 91 f5 9d f6 9d 15 09 cf ef 83 14 a4 50 27 a3 6d 7d 54 64 8c a5 7b 56 bd 8d 54 e1 4b d4 36 12 d8 cc 35 89 14 44 56 ec 2e e9 24 d1 c2 d9 8a e1 d2 3b b8 7c c9 fa d2 7c f7 ac 50 8b e9 66 96 e2 58 98 e9 4a b4 0e 67 8f 41 f5 9b 3f 83 cf 41 7a b2 7c 5a 35 d1 bc 70 5e 7c 21 f1 20 50 4f fe b0 18 ed 64 fd b7 1c 38 5e 19 9f 93 ba aa 68 0a 31 c7 0f 7a 40 3e 68 96 84 1d 2e 41 fd 39 00 fc 8f 3b 86 45 36 ac 35 87 58 51 c8 f9 c1 1c 82 7e 58 ac f6 3b 85 2f dd 73 02 62 69 9c e8 30 45 1c 55 75 a1 81 29 3c 1d 6b e4 90 e3 0b 98 46 d6 85 10 84 94 68 b0 e2 0f 7f 16 59 69 dc Data Ascii: gv*6Q`3>HHOwT-jU%=mT_[=hdPP'm}Td{VTK65DV.$;\|\|PfXJgA?Az\|Z5p^\|! POd8^h1z@>h.A9;E65XQ~X;/sbi0EUu)<kFhYi
2022-09-07 09:41:00 UTC	145	IN	Data Raw: 1d e1 0d 42 e9 ac c7 4a 4c 3e 12 af 9c 8d 65 ad b3 39 e0 23 e8 0e f4 a9 b8 78 35 b0 37 4c 4d 17 c5 f9 aa 9a 8d 4a d4 ce 57 3d 2d 11 0e a0 27 74 56 f1 b9 9b 57 72 57 24 0a 4a 5f f9 10 8f a9 7a eb be 4c 44 5b cc 4e 31 40 23 28 b0 03 86 1b 64 4a dd 2d e3 d9 b3 91 8f b7 2b e8 a1 60 e7 94 6b c9 4b b2 cf 9c c6 71 df 90 a9 b4 ff cd f9 da 79 d2 ea 08 91 f6 99 33 5a 05 62 cc 2d 66 9a 67 ac bd 51 f4 79 ab 77 af 93 41 3b f0 be 46 46 8e 70 26 23 df f2 54 3d 34 6e b4 9b 04 47 a6 28 25 30 cc b1 7a 8a 32 12 73 7f 71 d8 28 71 c2 a0 70 2a 55 20 e0 de 09 4f a5 53 b0 ed 02 07 81 ec fe f3 4e cb ef d7 ca ad ac a7 00 84 61 75 0c f5 86 15 1c 7a ed 9b 32 ac 99 03 dc ce ba c0 5b 70 5a ad 95 f1 a5 7e 74 2c d5 bb 27 3f 24 48 a7 bc 62 0d 83 5d 5e 89 47 6c 10 53 03 14 3c 96 71 1f 40 Data Ascii: BJL>e9#x57LMJW=-'tVWrW$J_zLD[N1@#(dJ-+`kKqy3Zb-fgQywA;FFp&#T=4nG(%0z2sq(qp*U OSNauz2[pZ~t,'?$Hb]^GlS<q@
2022-09-07 09:41:00 UTC	161	IN	Data Raw: 6f 54 33 ff 88 78 ba 82 99 d9 4f 57 19 e2 96 23 79 bf 72 b2 62 1d 5e fd f3 4c d5 35 bc 48 43 65 cb a1 df 7c 08 db 7d 38 57 47 bf 61 ad 55 15 f5 76 ac 11 28 c2 96 3d cf 08 5f 93 2b a6 63 87 6b 30 17 79 f1 0a 6c f9 71 f4 6f e4 87 a9 09 27 68 71 d4 cd 09 a5 0a 26 32 bb f3 18 40 1b 6a 1b d0 ee 89 60 9e 49 98 5f 6f de 76 31 86 79 64 ac b3 e8 c4 c3 a0 57 b1 1f c9 e0 88 25 84 a6 15 dd 0b 46 d1 ea 9e de ca da 48 f5 96 0b e1 59 57 a0 e7 08 99 48 46 80 eb 2d f4 b2 e9 95 12 b7 c8 23 72 7b 21 46 ef b9 c1 cc 98 06 f8 c4 e0 c8 c2 0d 5a 3d 1f 79 db ba c2 cc 69 aa cd ed a9 26 f7 09 65 98 7b 27 0e 40 c1 6b e9 8d d7 1c 1a 30 09 ab cb b5 08 10 4a b8 6c e1 c5 7c cd 3d c4 d4 23 92 99 d0 e9 55 44 7c 27 24 dd 92 58 67 a7 ee 8a 00 56 9e 4d 1e f5 3e 22 72 4f 42 28 8d 88 5f 54 b9 Data Ascii: oT3xOW#yrb^L5HCe\|}8WGaUv(=_+ck0ylqo'hq&2@j`I_ov1ydW%FHYWHF-#r{!FZ=yi&e{'@k0Jl\|=#UD\|'$XgVM>"rOB(_T
2022-09-07 09:41:00 UTC	177	IN	Data Raw: 1c f3 be b2 b3 4e 0a fc 8a 31 fb 9a 60 c9 24 68 3e 31 7c c5 ff 37 25 45 20 00 a0 01 b2 40 45 5b d6 8a 80 92 a9 41 7c a4 6b 44 43 83 5e 9c fd fc 22 0d b5 be 38 be 00 92 77 4d 48 0a 96 81 dc 4b 11 fc bc a5 7f ff 55 06 c5 5f 8b 77 50 5c 37 bf 09 30 77 aa ee a9 30 96 0d 2a 29 2d fe e3 f0 02 b1 9b 0c c2 e2 ac 53 37 11 dd 15 7b 91 07 c4 e5 b5 f7 d2 61 3a 12 de e0 ef 0d 1e 87 fe da df 72 68 06 3d 66 39 bc 14 43 52 4a ad 42 92 8b 8a 15 a0 dd f6 be c1 07 d6 3b c4 91 f8 3b c9 3f e7 d5 99 a9 27 71 5c e7 47 90 e6 eb 7b af 56 3c fc ad ee f6 7c 2f ae 2d 9f bb 1a 76 c4 8a f9 57 7e 76 06 ac 28 01 c2 bb 11 f6 ff f2 00 d4 1f 3e 43 1d 76 14 e4 c7 16 7b 42 f1 44 f9 f6 3a 12 96 4c 5b bb 26 51 19 60 f1 51 d0 58 8e 23 cc c1 49 0b be c7 2b 21 eb c0 bc 93 bc 5b 14 a7 f9 f5 c5 c8 Data Ascii: N1`$h>1\|7%E @E[A\|kDC^"8wMHKU_wP\70w0*)-S7{a:rh=f9CRJB;;?'q\G{V<\|/-vW~v(>Cv{BD:L[&Q`QX#I+![
2022-09-07 09:41:00 UTC	193	IN	Data Raw: a9 c1 a1 d0 ff e2 a0 5b 15 5c 72 ca e9 a8 eb cb 10 a4 4a 03 9c 4c d6 2e 22 a0 35 68 8b c3 87 68 cc 82 6a 63 25 dc 23 b7 83 a3 d5 11 f3 33 3c 46 70 dc cd 6c 24 05 6b 2b 04 9c f9 93 94 26 6f 4c 4b 08 18 be 7f f2 6b 74 32 d9 25 c3 e2 90 d8 1b 3e 61 8b 98 5b d9 40 6a 77 e5 9f 3c 91 0f 07 36 36 67 7b b4 dd 17 a6 51 dd c7 b9 09 ff e6 fe f5 d6 a8 a2 b7 4c 9f df 35 20 57 a7 77 12 a5 38 47 f1 8b 1f 78 90 03 f8 8f 34 7d 77 60 8d 24 57 a4 5c f6 b3 ec 95 bf 37 9f 0b 9d 99 e4 68 08 0a 17 95 1a 14 d9 85 0a fc 3b 85 53 66 0c b3 b3 e5 b3 1f 40 85 9b 86 17 41 2c b6 1f 86 dd 17 0f 17 a5 d4 d6 4b 4f f8 d0 45 4c 5e fc c6 c2 2a 60 ba 17 1c 98 66 d4 ec 84 12 25 7a 3e 77 03 27 75 cc 55 00 bb bd e1 41 c0 21 64 d0 86 b5 10 87 b5 84 4b 37 86 de b9 d0 c6 92 a8 ea f3 92 53 43 81 cf Data Ascii: [\rJL."5hhjc%#3<Fpl$k+&oLKkt2%>a[@jw<66g{QL5 Ww8Gx4}w`$W\7h;Sf@A,KOEL^*`f%z>w'uUA!dK7SC
2022-09-07 09:41:00 UTC	209	IN	Data Raw: 82 1b e0 e4 ac 6a aa 01 76 ed 88 c5 37 92 6f f3 0e 3b 0a e8 58 a9 b4 a0 4e c0 4b 54 18 fe 59 b2 db 93 81 5e 52 11 dd d9 4c da 47 c5 79 95 69 ed ec 5a f3 14 74 67 dd b1 22 0a d8 36 52 c6 04 22 65 15 e9 72 a4 8c d4 f1 fd 3e dc 4c a7 62 5c 0b 8a d1 d0 a5 d7 2f 2f 4a e5 54 6c 7e b8 63 af e0 d0 0a e7 f0 c3 77 09 3b 2b 25 5d fb 11 71 ed 8c 8d ed ce 1c f5 c1 bf 12 f0 e2 8c 00 1c de 31 c1 5d 63 60 7a 3b 72 3a f5 43 c9 01 a7 49 5a 46 7c 84 7a fa e8 4c 2f d8 e9 fa 59 bd 46 b1 a0 ac f1 b7 4e bb f3 11 35 8b df fd 5b 64 ae 34 86 98 ad 20 5b e7 81 58 93 8b 30 d9 a8 bc f9 74 03 a4 ab 3d f6 31 0a 83 c4 ee 7a 67 73 a4 ac 07 3e bf d8 c2 56 38 22 5a 38 48 07 05 fc 6e 6b 50 e2 a1 54 75 49 8e 26 c3 90 ba 77 31 0f a2 a4 e4 c5 d4 b7 72 56 c8 5a 7a 01 02 a2 7d ad 5f f1 0e 99 7e Data Ascii: jv7o;XNKTY^RLGyiZtg"6R"er>Lb\//JTl~cw;+%]q1]c`z;r:CIZF\|zL/YFN5[d4 [X0t=1zgs>V8"Z8HnkPTuI&w1rVZz}_~
2022-09-07 09:41:00 UTC	225	IN	Data Raw: 54 72 4e 50 d6 dd 1a 7b 9e 7b 79 ac 06 c6 5b 9a e5 3c d4 55 9b ff 90 df 9e ff 68 a4 e8 ad c9 d5 11 07 0a b8 17 eb 5e 9c 91 36 ce cc ab ab 34 30 54 16 e1 9f df f2 e7 e6 55 38 76 3c 1c 65 a7 96 cd f1 49 5b 19 65 4b 79 48 5e 00 01 9c 2e aa 5d 3b ba c3 f0 08 f4 d2 98 2d aa 7e 58 63 cb 83 7e 38 ba 99 66 3b a3 8b d6 3e 0b 04 f3 be 3f 91 0e ed 8d 52 b9 7b 1d 1f 62 a3 81 16 fe 36 5b 03 dc e6 08 f4 6d d1 2b 6a 22 c8 04 8a 71 a6 49 df 52 d1 31 8b af 68 1c f8 5d 4a f6 18 c5 d5 c4 e7 16 83 20 ec b7 37 a7 1a 4c 6e 56 e6 6d ce ee bf e0 18 74 ee bf da 61 8e f7 b1 a9 33 76 9a 48 1a 4c f9 25 78 7c f2 b6 89 bb b3 e5 6d 62 ec a0 1e 6d 04 37 1b 87 4e 86 10 ff c2 db 7e 3a ba ea de 29 c7 08 3b de bd c1 01 f1 44 99 dc da f8 ec 1f 81 26 57 f3 a6 96 f8 4d e5 a8 0a 9d d4 6e 74 3d Data Ascii: TrNP{{y[<Uh^640TU8v<eI[eKyH^.];-~Xc~8f;>?R{b6[m+j"qIR1h]J 7LnVmta3vHL%x\|mbm7N~:);D&WMnt=
2022-09-07 09:41:00 UTC	241	IN	Data Raw: 9e 59 84 b4 28 56 62 2a da 4f 67 2e 30 87 e4 db 49 48 74 15 ff e0 bb 6a e5 03 83 69 e3 ee 34 f2 3f d3 37 2f 2d 67 cc 76 fd 29 d9 7b 05 a7 6f 69 eb 0d 94 9f 01 b9 8c e3 20 7c 73 8f f6 90 55 53 14 46 1b ab 2e 2b c3 3a 3d 85 a3 8d e8 e0 d1 00 04 95 8b 6e d1 5a 60 02 34 b1 0e a7 64 92 1f be c7 e3 ed fd 82 88 8e a2 e8 13 ba 7f 35 cb fa e0 b5 df 95 96 13 10 11 f9 88 ee 9f de 76 32 c1 d7 74 bf fa 72 ae e5 b1 95 f2 79 fc c1 15 ed 60 48 73 ee ff 1b 45 08 4f 99 0f 26 91 a6 54 fb d6 0e 29 d9 06 d3 a7 ff ad 87 12 e3 a5 5a ff 68 c4 7a f9 9f 4e ba 25 07 7e 4c be e1 f8 85 7d 60 99 60 fb 69 c2 6e 09 7a fd a4 d6 ab 88 07 f7 e3 27 cf 27 44 e4 fa 7e 60 fc 56 d9 47 c7 42 18 8d 7c 10 29 c9 81 6b 43 0d 9a 74 14 fd cf d0 b4 99 ce ed 16 fd 96 c1 3a 80 93 49 cc 84 3f 47 b9 1e c6 Data Ascii: Y(Vb*Og.0IHtji4?7/-gv){oi \|sUSF.+:=nZ`4d5v2try`HsEO&T)ZhzN%~L}``inz''D~`VGB\|)kCt:I?G
2022-09-07 09:41:00 UTC	257	IN	Data Raw: e8 b8 00 06 41 8d 82 97 eb d5 da 68 28 c5 5e d5 98 30 5f f5 02 b0 fe 99 32 39 11 59 e0 fd 64 d2 40 18 e5 10 12 c4 7e 42 fb a6 d9 75 08 fe 00 93 74 f2 db a5 f4 79 df ad 91 0b 29 92 5d 87 11 40 5d 16 24 9c f9 cc 02 73 53 b1 c6 11 8d 87 a3 00 87 bc fd 9f 02 83 f7 46 91 a2 bd f3 d7 53 a7 91 f8 eb 7a 00 e4 b0 81 b0 bd 83 a5 6b de 98 e1 0f 7d 8f b1 1d 62 70 4e 14 c8 97 57 66 6f 4b 5c 0f 07 94 5f b9 4e 20 83 93 81 79 6a 2f d6 b9 46 50 9d a4 05 aa c7 de d7 fb a3 68 46 c7 0c 6e 89 28 36 f5 2d 69 76 18 bf 53 43 e6 05 d5 7a 87 f0 c3 7a ae 6f 70 6d a0 cd fc 2f f0 c6 67 05 76 35 ad 9c d1 df 87 d5 42 c9 53 a0 4f 59 db 21 cf 45 7a 9a 7d 1c 09 8b 08 a3 d8 a6 33 27 f4 ca da 47 fa e8 81 43 6b 62 04 a9 b5 27 c7 be 3c 9d 2c 60 60 28 0c f1 e5 92 56 57 12 35 9f 53 db 24 d1 c1 Data Ascii: Ah(^0_29Yd@~Buty)]@]$sSFSzk}bpNWfoK\_N yj/FPhFn(6-ivSCzzopm/gv5BSOY!Ez}3'GCkb'<,``(VW5S$
2022-09-07 09:41:00 UTC	273	IN	Data Raw: b1 df fd 11 03 2d 86 ce e5 c5 0e 9d 9d 80 e7 22 a7 0e 79 f7 2a 86 6e 72 f3 00 e6 60 24 d0 a8 43 b2 10 9e d1 d0 b1 34 38 1a 63 ec 7f e2 37 23 04 7a e4 42 03 b2 b2 3f f4 f2 43 b2 59 fd 1b f7 f3 bc d8 a9 ef 8c 38 72 29 5c 2d ce e6 29 50 08 ab 54 55 26 5b 92 50 8b 20 9b 82 d5 2d 6d ab ce be f2 dc bc 51 63 65 24 a3 b5 93 cb 64 73 a9 70 59 a2 f9 03 0c e2 a9 4a de 3e 05 26 f9 78 a2 6e cb b9 42 39 8c 8a 7c 82 d1 8a ac 7a f4 1f ac 69 ad 8f d5 1f eb 3b 2e 5a 9b 50 b6 00 5b 30 74 e4 ff 3b 62 35 5d 06 dd 7c 8b 51 d6 a9 05 d4 e5 63 9f 4c 86 a9 32 94 07 68 41 ef c6 38 81 52 f7 c3 5a be 6e 7f f9 16 ee 0c 4a d0 39 04 0b 07 13 8f b8 b1 86 4a 05 b1 54 bc 05 d2 45 20 f6 09 eb 0e 05 47 9f a2 ab 5f 9e 80 94 7a 2a d2 31 07 13 c9 64 19 92 48 b3 fe f4 10 35 f1 7a a6 b5 6f f7 11 Data Ascii: -"ynr`$C48c7#zB?CY8r)\-)PTU&[P -mQce$dspYJ>&xnB9\|zi;.ZP[0t;b5]\|QcL2hA8RZnJ9JTE G_z1dH5zo
2022-09-07 09:41:00 UTC	289	IN	Data Raw: 96 5f b7 ec a2 08 88 b3 0a 08 d0 6e e2 3a 55 fd 47 12 a1 d2 8f 57 06 cd 29 85 e5 a1 eb 59 bc 23 f4 60 25 0f e1 e6 71 ff 4f 9c a5 e3 a1 a3 bf 27 92 b9 c6 ad ac 72 07 2c 53 54 44 63 51 e9 a5 49 9f 64 f8 d6 5a 90 b3 86 bd 81 d6 78 77 70 f9 1a 2b 4f 26 a2 c7 98 40 60 59 27 49 9a 73 0b a3 d8 2b b5 ab 5f 1b b6 79 34 0d f3 61 2e e7 3c f0 6b 28 af 9a db 26 00 66 95 24 5e 91 4a 8c cc f8 19 26 e9 7c 78 7d 9d 9c b3 1c ac 40 39 04 0b 26 41 13 b0 3f 38 5b ad 56 7a 09 43 bc 2f 26 db a9 55 95 c7 d8 8a 8f 6f 92 17 d0 48 56 bd 95 0b 2b 2d 90 d1 30 99 33 bb 5b 38 72 ab 8a 52 fe 56 aa bc 22 f5 b3 8d 42 e7 46 77 03 c0 b7 d8 f1 f6 8a 44 4b fc 0c d5 0b b3 2f 84 f8 78 b8 1f 43 64 62 91 cd 53 10 3e ec c5 9a d6 61 93 04 fb 75 cd 07 b8 19 e2 ae 4d fd 0e 7f 40 1b 07 d6 bd ff 21 91 Data Ascii: _n:UGW)Y#`%qO'r,STDcQIdZxwp+O&@`Y'Is+_y4a.<k(&f$^J&\|x}@9&A?8[VzC/&UoHV+-03[8rRV"BFwDK/xCdbS>auM@!
2022-09-07 09:41:00 UTC	305	IN	Data Raw: 83 8f 96 da 5f 46 77 6d cb cd af 54 a9 e0 cd b4 e1 5e 5a ce 40 a1 94 b6 d8 0e d4 ca 0e ea ff e8 99 7a e0 71 e4 45 90 28 82 2a 38 fc 2a 1a e5 fd 5e 55 e4 27 a1 5b de 08 3a a2 bb 0e 95 da 9c 86 b9 f7 45 31 f1 41 5a 1e df c0 5b 2c 20 a8 ae cf 9d 49 a6 25 34 2c 58 76 d7 fe bf ac 61 b8 04 6c 58 df 6a a7 4a 66 31 c4 12 93 09 67 d9 f3 85 06 ec 61 4c 8f ae c1 ff f0 ed 3e d9 00 7e fa 87 58 24 82 ee 5b a5 7e 39 06 e0 5c 83 40 97 f3 24 1c e1 a6 4f cb f0 3e 48 1e 7c e2 64 b6 58 46 87 0e 0b 55 61 5c 06 b0 1c f5 3a 94 60 6f eb f4 69 e4 6b b4 a5 80 25 e9 50 3c 69 e2 90 c9 a9 2a 11 d2 d4 6e 1f 9c c1 a0 d1 b4 ca 7f e0 35 7f 39 38 51 ad 0b f9 de 61 20 0c fb 58 97 ed c4 d9 d7 6e e5 37 91 d2 f7 dc 22 2c e7 ec 0e 0e 13 74 94 22 43 61 d6 d2 10 1e 55 70 dc 62 7e 5b d1 63 c0 08 Data Ascii: _FwmT^Z@zqE(8^U'[:E1AZ[, I%4,XvalXjJf1gaL>~X$[~9\@$O>H\|dXFUa\:`oik%P<i*n598Qa Xn7",t"CaUpb~[c
2022-09-07 09:41:00 UTC	321	IN	Data Raw: 98 09 95 bc c3 7b 9b 0d 89 35 8e 7a 5a 37 3a 0a 83 61 c5 07 b0 b8 2f 32 d6 9a 5c 6e ab f2 1a 21 79 a3 16 dc d7 93 25 93 09 6e 50 69 07 06 0b 24 86 6e 44 6f 4d a7 12 c3 e9 ce 86 14 7e 71 2e 71 38 fb 06 23 6c f5 f6 56 fb 3f 24 39 6d f8 25 11 6e 2e 8f ad c0 e2 33 71 12 19 68 a9 52 d5 b9 3a f2 aa 3a 5b 94 91 b7 32 f2 15 97 50 a9 c8 89 9f 44 d8 e1 35 fc 36 3e 44 61 8e 76 29 36 54 b1 24 24 69 e8 6f be ce 97 59 f6 a6 3f ba 67 a4 19 31 38 70 a0 c2 bf ef 91 94 86 88 0d fc b5 9b ab 21 40 72 f8 13 6b 1c 0b e7 5a 4f 2b b8 d2 b7 84 0d 24 24 64 da 6b 29 a2 5b bf 96 77 95 5e 80 db a6 5b 22 86 73 a7 37 5e df ae 3b 23 72 02 db 57 b2 72 95 20 e5 a8 e1 2d a8 2d 92 30 c0 3f 5c ac de 70 95 27 e0 8b e0 35 34 fb f0 76 c9 62 dc 79 e3 a9 9c 9e b9 f5 f0 4f f7 35 85 f0 23 b8 03 32 Data Ascii: {5zZ7:a/2\n!y%nPi$nDoM~q.q8#lV?$9m%n.3qhR::[2PD56>Dav)6T$$ioY?g18p!@rkZO+$$dk)[w^["s7^;#rWr --0?\p'54vbyO5#2
2022-09-07 09:41:00 UTC	337	IN	Data Raw: 60 07 3d 51 ab 5e fc bb 89 ad e6 c8 17 3f 01 09 70 d5 91 a3 f9 b9 a0 54 ed 5a 41 bf e0 30 c3 90 c6 6a a0 0d 44 e1 97 66 4e 2b 2b c6 84 07 29 b1 f4 e4 79 17 a5 d3 05 78 e9 d3 21 52 18 cf b8 79 17 6f b9 70 67 65 67 e2 01 e0 de c3 24 50 64 29 e4 99 0d d5 5a ed 31 47 7d f7 ef e8 71 22 f9 bc 65 ce fc 12 d7 b6 0d 31 68 a0 be aa 38 9d 15 dc 16 c2 8d 57 1f 75 f6 09 c8 dd 03 5c c7 5b b9 99 f1 aa 34 f0 e3 04 f8 45 b5 a0 06 ec ea c7 0b 73 ba 75 d2 7a bb 6f 81 62 e6 f3 e5 ba fe 52 95 90 d0 ae a9 2f 26 4d 9a f8 6c 77 45 84 b8 b2 55 37 db af de 03 ac ed a5 24 03 79 11 fb cf 9f 03 03 24 13 5c c1 c7 50 bc 36 61 9f 3e 6d 6e 60 fb 00 2e 91 ab a1 a2 33 8e c7 bb 44 eb c9 c1 0f 23 d9 ea d9 54 d3 9b 65 1f 76 77 fb 05 59 c9 b4 6d 26 64 29 e5 60 64 4a 05 06 d5 9c be 16 56 84 c9 Data Ascii: `=Q^?pTZA0jDfN++)yx!Ryopgeg$Pd)Z1G}q"e1h8Wu\[4EsuzobR/&MlwEU7$y$\P6a>mn`.3D#TevwYm&d)`dJV
2022-09-07 09:41:00 UTC	353	IN	Data Raw: da ce 25 79 41 45 a1 72 ad 0c 7a a9 0e 06 44 09 00 7a ce 3e 56 0a e9 d2 c6 f0 0c bb e5 26 03 0a f6 ed a0 4e d6 a1 c1 e5 6e 65 9e 34 e9 55 51 04 c6 34 7d 17 3e 37 91 23 c3 b0 cf 7a d7 f5 ae a6 b1 1e 38 af 7a 08 f9 2f 7e 88 58 be ea 60 cd 6b 41 07 2f a2 9c 8e d9 ba dc 61 a5 73 da 1a c0 71 b6 25 06 2b 50 7f ab 54 b2 52 94 a4 7e dc b5 8c 87 4e 21 a2 18 8c 5a 26 37 61 b6 16 91 1b b1 46 c8 3b bd fd ff 9b f9 3b 88 93 76 9d d9 5a 25 78 c5 a6 4d ea ab 55 3a 37 70 01 8c ec da 0f d8 83 02 8b 0f 45 26 f0 98 18 83 30 00 b6 0c 63 34 74 25 e6 5e 3d a7 ca 70 68 68 6e 3f 59 b1 cc 72 dd b3 85 dd 34 0e 7b 46 c1 63 7f 4c 59 b6 2c b6 b7 9a 47 5b a4 37 b9 6b f0 ef 72 4e 70 1e 15 cc 39 ac d6 c1 69 8d 12 49 01 29 b5 81 bd 09 24 96 b6 f9 b1 90 e1 d0 20 e9 c1 91 25 1b ab 9d f1 18 Data Ascii: %yAErzDz>V&Nne4UQ4}>7#z8z/~X`kA/asq%+PTR~N!Z&7aF;;vZ%xMU:7pE&0c4t%^=phhn?Yr4{FcLY,G[7krNp9iI)$ %
2022-09-07 09:41:00 UTC	369	IN	Data Raw: a3 45 7a 37 0d 58 8b 50 4e 1d c2 6c 18 5d 0d c5 d1 cf 97 2e fb fe d6 9d 12 7a 96 71 08 ae 92 14 85 8a 4e bf 2a 4a a1 3d 1b 7c a8 64 2f c7 bc fe cd 36 5a 85 9c b3 2a 7f 48 96 6c 82 2d 59 2a ea dd 1c b5 c4 88 42 c9 00 56 2c a4 31 b0 e2 1d e5 0a 6c 08 10 8d b5 f8 a7 82 8b cc 8e 11 1f e7 1c 10 96 c4 3a be 5b b2 51 6f d3 3c f8 07 c5 d8 9c 09 4f b6 2e c7 05 a4 ca 97 8f c6 7a 8e 94 a3 b6 63 fe 9f 00 4a cb 8f ca 8f 4b 20 8a fa 49 99 fc 4a 39 e5 e9 0c 0f 9b 78 8a 56 c4 1f c8 6b 92 9e 6e 31 78 96 8d 7c 15 c9 8a 6a a6 db 03 71 b6 4c b2 d2 4e 0b 28 46 22 82 c1 1e 0e fe fe 4c 0a 4b 22 64 ca 89 34 7a 4d 7a b3 a2 69 bd 16 01 51 f8 21 7c 22 73 f2 ff 7c 0f 9b 76 99 07 94 05 a7 8a ec da e4 7e ee 57 d5 e8 b3 99 52 41 c2 58 cf 33 37 a7 2a e0 05 81 e0 44 de df a2 72 ab 98 5c Data Ascii: Ez7XPNl].zqNJ=\|d/6ZHl-YBV,1l:[Qo<O.zcJK IJ9xVkn1x\|jqLN(F"LK"d4zMziQ!\|"s\|v~WRAX37Dr\
2022-09-07 09:41:00 UTC	385	IN	Data Raw: 52 5a b1 fd 38 82 9c 85 80 a2 e2 aa 1e 6c d5 1f 45 fb 10 ab 08 9b 59 bf 80 90 85 90 92 88 79 7d 5f b7 0c 98 f7 b9 47 6e 30 e2 d6 da dd d4 b0 32 27 c3 b5 cf d3 a9 0c e7 1e e4 e4 81 a2 d3 37 d8 e6 cf 1a 1c 19 32 7b f3 d0 1a 6d e1 cb 75 23 a0 43 47 ca d4 39 4c 36 3f 83 4c 3c d9 9d cc d9 90 53 8f f8 a0 57 99 c0 3b 08 8a 82 cb eb 95 38 30 c6 41 f9 16 c4 fb 08 79 d0 b9 f5 57 76 eb 44 f9 f4 64 5a d2 24 82 79 58 2e a2 54 4f 34 e6 9f f8 4d c1 5d 03 23 b0 af 46 2b a4 fc 9b cd 91 f6 5f 30 1e 7a 60 b7 77 a3 e2 2a 20 e4 b2 da 67 cd ab ee 7b 79 58 dd bb e9 2d d5 5b d8 46 d6 00 3c ac 31 ac 37 80 32 6d 20 6a 3f 58 43 32 ef 97 4f a7 f6 9a af 28 95 ac cf a1 12 4a 94 a0 fc e0 9a 3f 03 69 34 43 7b 92 28 30 65 19 5a 7f 1a 28 96 c5 5d 3b c3 a0 83 73 8a bf c4 72 65 5a 27 f5 61 Data Ascii: RZ8lEYy}_Gn02'72{mu#CG9L6?L<SW;80AyWvDdZ$yX.TO4M]#F+_0z`w* g{yX-[F<172m j?XC2O(J?i4C{(0eZ(];sreZ'a
2022-09-07 09:41:00 UTC	401	IN	Data Raw: 4d 4e bc 6e 26 86 29 01 83 77 38 f9 7a e7 64 f0 e2 53 51 b7 09 65 f5 be 15 fc c8 cb 20 1a 00 05 da 76 70 5a 97 e5 56 65 51 e5 e1 94 bb 29 79 8b 03 30 8e cb 9c 76 eb 63 af 6b a0 e2 73 03 f0 0a 97 60 a9 a6 2b 82 a1 23 70 15 72 c1 a1 49 5f ff a9 18 ef 42 37 f0 c8 04 96 4e e2 0d 74 c8 42 99 cd a3 cf 72 d9 8b a2 bf 51 15 f9 82 71 08 b3 c3 c3 4e 74 68 ce de e4 ee 5e 13 69 35 2e 78 a4 68 db da cd 77 ee e3 34 dd c7 9d ad 2f 8f fb 5e 75 9f 52 be e1 7d a2 6f d4 ed 9e 42 65 39 42 12 f1 cd aa a0 af 37 85 d0 6c 48 55 7b 12 d7 c2 ec 6e cc 0f ae a5 ff 1e fd 6b 25 11 c3 67 3c 29 4c c2 94 aa 95 30 6e 89 96 18 2d 48 fb e9 db 34 5a 76 03 c6 ad 8e 33 2a 76 fe 9b 83 01 6f ee 29 ce 04 3a 46 c7 35 b9 ed 8f be c7 dd ce 99 69 74 5d 73 b2 45 d7 20 54 c7 3c 32 1b 6d 66 5d 5e 93 96 Data Ascii: MNn&)w8zdSQe vpZVeQ)y0vcks`+#prI_B7NtBrQqNth^i5.xhw4/^uR}oBe9B7lHU{nk%g<)L0n-H4Zv3*vo):F5it]sE T<2mf]^
2022-09-07 09:41:00 UTC	417	IN	Data Raw: 38 0a 94 3a 85 a5 98 81 30 fa 3c ae 87 6b ed 07 ff 15 ff af f5 17 b0 d8 3f ed 01 f6 d4 f3 8b db 2f a4 b9 42 65 97 84 df 8a 83 79 69 97 5c cb 18 f0 68 a4 10 66 8a 9a a9 a1 67 d2 82 18 22 6d bf 15 0f fa 23 e3 d8 13 15 de 06 74 27 e4 e4 32 86 0e 41 ac a0 0c 56 c8 51 57 fe 16 51 9b e7 3a dc 16 0b 33 a6 1e 7a d6 e1 dd d3 85 55 3c 61 09 15 de aa 89 ff 5e 8b 53 40 e9 4a 61 39 26 b3 2b ca 05 50 53 a6 f4 fc 57 3d e9 c8 c9 4a 82 1b 4f c4 dd e2 3a 38 9e 13 27 9b a2 34 53 e9 f3 a5 8a 39 3c 56 00 60 70 5c 26 5b f2 5a 1f 3a 14 64 a5 00 90 70 a4 a1 d9 b1 16 6c 88 7e 2c 8f 49 2c 86 72 ee 22 a0 fc 60 2d 89 42 26 11 88 42 58 af 70 97 54 90 ab f8 c4 7d e7 e1 ac b3 05 9b 2c ff 4a 6e bf 3b c5 28 7d 1e 59 aa be b1 22 b1 74 85 c9 da 08 d8 ca 81 e6 6a 4b be 6f 78 83 e3 e4 a9 3a Data Ascii: 8:0<k?/Beyi\hfg"m#t'2AVQWQ:3zU<a^S@Ja9&+PSW=JO:8'4S9<V`p\&[Z:dpl~,I,r"`-B&BXpT},Jn;(}Y"tjKox:
2022-09-07 09:41:00 UTC	433	IN	Data Raw: f5 c0 c5 44 27 09 e9 06 84 da 62 3a d6 e1 ae b0 53 e5 50 32 c5 ef a5 0f a9 3d c1 86 89 1e 00 71 88 65 2f 43 20 d7 e9 b7 11 35 8d 5c 18 be cb c5 ee c6 10 97 b1 a4 59 e2 43 dc ef 9e 75 0a 10 be 6f 50 2b 95 7b 0e 13 20 b0 83 b0 18 47 10 8d 7a 0c 52 57 88 72 d9 58 70 d4 47 26 42 83 bc 80 c4 80 c1 03 8e 0d 62 bb d0 5c 80 c3 8e e1 8c 1e 4e 85 27 79 13 a9 ba aa 89 ec 6a 91 0a 58 4f a6 8e fb 09 23 c0 e3 3e 2b e1 c2 14 36 36 56 be 65 62 38 68 a3 a8 38 66 95 da 70 dc 0e d0 51 6e 79 a5 42 ac e1 5d c9 f2 cd dd 31 93 a2 57 aa 12 f1 d1 ea a9 6d 72 a3 7e 83 5b 97 0a 5b 94 55 2e 8f 57 8c 5b 3e 46 39 93 0e a0 0b 99 92 61 dc 3e 78 bf c9 ad 3e 26 03 2b 58 9b 61 fb 4a fc 76 89 55 40 ec bf 70 81 be 9c fd 33 41 23 9d 54 06 8c 88 28 b2 2d 05 61 a8 f8 bc 29 ae 7c 76 70 71 56 cc Data Ascii: D'b:SP2=qe/C 5\YCuoP+{ GzRWrXpG&Bb\N'yjXO#>+66Veb8h8fpQnyB]1Wmr~[[U.W[>F9a>x>&+XaJvU@p3A#T(-a)\|vpqV
2022-09-07 09:41:00 UTC	449	IN	Data Raw: 1d fd 98 83 44 2e 5c e2 28 ca ac a3 c1 31 ce af 5b 9a 23 f8 93 7e fa f8 0a 0b 98 18 b8 0d d2 be 96 f1 b2 98 ad f6 b9 5f db e0 7f 81 da 6e 3f 8b ec 2b 2f f0 9b 76 b0 8c f7 87 4c a8 30 ff 65 10 ba 58 21 1d 7a 50 43 60 e1 f0 b1 43 8f c1 24 d2 48 8b 9e ef b5 cd 87 4a 38 a6 3f e0 8e 25 43 a6 c5 0a 05 14 d5 3c 2b 90 2f 52 61 16 71 af 06 47 5f 96 7c fe 9b 9b 60 97 b4 d8 bc 97 3a 72 7b 23 ce 66 6c 36 06 84 fa c2 8b 33 7b 64 b7 27 88 00 bb 5f c4 69 7f e6 75 1e 53 35 19 0f cc bb 66 3c 4a 65 26 28 73 02 0f 96 e7 78 e9 1c d1 fa 1a ff 04 36 71 9c 71 03 26 a3 70 3c 39 eb 8d 44 be b6 19 ba 6e 3b ae bd 16 c5 5e 6c 80 97 72 7f f9 37 7f 73 ab bb 5a 38 17 89 6d 68 a8 c2 15 eb 57 4b c7 19 57 7b cc ae ae d8 56 dd 4e 5f 52 7b ae ce a7 03 c4 15 3d 3b 31 98 bb cc 4f 71 50 e3 04 Data Ascii: D.\(1[#~_n?+/vL0eX!zPC`C$HJ8?%C<+/RaqG_\|`:r{#fl63{d'_iuS5f<Je&(sx6qq&p<9Dn;^lr7sZ8mhWKW{VN_R{=;1OqP
2022-09-07 09:41:00 UTC	465	IN	Data Raw: 5d 05 26 5b 55 5e f5 5f 9e 3d d1 3f 89 7a 1d a0 16 c7 42 4b 77 a6 30 4f 1a 9f 49 ef d8 1d 09 24 d8 3f 31 e4 31 77 78 0c e2 fc e6 82 da c6 55 ce 01 12 48 82 d1 a9 99 89 98 2f 5c 0f ea 6f 09 d5 3c 0b ca 3c df 68 69 40 b8 02 4f 9c 1a 10 11 15 49 b4 b6 a1 46 f3 e6 6e 71 9a cd 57 13 67 e2 ea 9b 4e b4 e2 5a fa 71 cf 57 84 3e 5c 41 4d d2 04 a7 07 c8 60 30 8f f3 f1 4a 25 c6 b6 77 ae 43 f1 1b d5 ce bb 1a 71 05 fc b0 2c d3 4a 13 33 ef c0 15 9a 7d 55 3a 05 53 9f 48 ce 2f d7 8e 38 29 f9 9d 54 b0 36 19 d1 32 d3 6b 04 fa 87 68 40 81 3b f7 91 2a e6 20 95 1f e3 36 b5 3e d9 61 94 5f 65 8e eb 6c 0f 06 ff 1e 97 b8 5f 3f 5f 3b 88 19 62 9d 29 ae 3e 2f 88 49 24 f4 18 23 9d bd ab 7c 26 f1 88 00 31 76 1a 16 1a 73 4e 0d 1c f5 ff ba 75 39 a4 7c de b3 c6 3a ce aa 2d 9c e9 d7 01 07 Data Ascii: ]&[U^_=?zBKw0OI$?11wxUH/\o<<hi@OIFnqWgNZqW>\AM`0J%wCq,J3}U:SH/8)T62kh@;* 6>a_el_?_;b)>/I$#\|&1vsNu9\|:-
2022-09-07 09:41:00 UTC	481	IN	Data Raw: b7 90 c9 f1 cc 9f 64 bd d5 9d a7 93 e8 b7 67 ab 67 1d b3 e3 6b 95 ea d3 79 1b fb 9b 31 16 a8 24 a4 d2 d4 d9 69 ae 4a 1e 95 3d a9 4c 9d e5 af 34 d2 47 99 5c 6c d3 f8 6e 5f 32 4e b3 a1 44 50 61 10 70 c0 8a 18 c8 55 15 71 bb 34 52 ca e0 e7 eb 46 9b 9a 4b 18 23 e7 e5 c7 b2 06 8b 96 95 ad 64 db 8b 66 23 2b e9 22 7f f8 df 8a 9a da f4 94 c6 c9 bd 4a 82 f9 ff 1c c6 27 41 59 26 9b 6d 1f c3 e3 b5 13 87 d8 c4 80 dc 12 ea e2 7f 4c ba 59 33 77 de a5 7c 59 11 34 1b 82 76 d5 bb d8 40 ab 8e d2 c3 0f 34 9d ed c6 17 e8 3b 24 81 68 91 5f 84 ca 0e 35 0f 9d 88 58 c6 1c 5d 5c e2 f7 5f f0 56 67 95 73 4b 94 e2 fe 19 3d 5a b5 60 af 64 ce e1 1c 8c 8b 82 33 49 3e 3c 93 1a ac d8 f4 c1 50 b7 c1 80 94 34 8e 17 bb 29 5e ca ff 18 9b a3 64 d1 4c 80 fd 28 e1 7d 82 0d 9e ce ca 3b 47 02 50 Data Ascii: dggky1$iJ=L4G\ln_2NDPapUq4RFK#df#+"J'AY&mLY3w\|Y4v@4;$h_5X]\_VgsK=Z`d3I><P4)^dL(};GP
2022-09-07 09:41:00 UTC	497	IN	Data Raw: 82 40 3c 81 20 8e 1a 46 54 a0 7d 25 a4 a2 37 c4 41 81 71 3e 61 1c f3 9e e6 2c 50 85 62 d9 b1 81 16 ae 98 dd d0 c0 20 21 c1 5d 41 10 0a 64 e1 3d ee 01 82 0c 5a 54 63 92 62 51 b6 2c d7 60 c4 35 9a c9 25 ae d1 65 e1 03 87 62 26 86 ab 7b e9 63 84 0c 34 81 9b 10 83 a5 ab cd af 2b c9 5e 41 c9 b4 1e f0 45 a8 82 dd 59 a6 cc e5 45 94 a6 f3 9d 7b 0e cf 15 3a ee e7 b2 ff f9 2b 17 1f 1b 81 44 21 fb 2a 07 8b 2c f8 d2 28 72 be b4 46 66 33 c9 b2 a4 8e 5c da 59 e5 bd b0 85 82 c7 20 ef a1 61 ac 3b 14 d3 53 d5 98 65 09 ac a6 d1 0b ac 38 d7 5b 61 fd ba 97 a1 05 f9 4f f6 44 a7 06 3e f1 9a 7c c3 fc f2 ba 9d 98 30 53 f5 97 27 6c 99 4b 1e 08 ba 8e e6 3f 89 d4 08 34 1c 35 0a 4c 1f 22 af e3 d1 e0 e4 1a 1f 1d d0 0d 9e 0e 52 23 c6 cc a7 de 56 e6 0d f4 03 51 05 17 f4 90 bd f5 05 3b Data Ascii: @< FT}%7Aq>a,Pb !]Ad=ZTcbQ,`5%eb&{c4+^AEYE{:+D!*,(rFf3\Y a;Se8[aOD>\|0S'lK?45L"R#VQ;
2022-09-07 09:41:00 UTC	513	IN	Data Raw: 6e 7d af 11 aa 19 a9 1a 27 29 7f 56 bc cf 02 af e9 5f e1 21 28 58 15 40 45 9b ab ed 66 91 67 1d 38 57 13 45 ba 8c 74 1e c7 9b de 54 ec 95 4e 9e cd 27 07 28 57 55 d2 58 92 da a8 c5 7c df 24 d6 7a 61 81 e2 ea c8 70 db 89 13 1d cc 51 0f 3b ad b2 a2 e2 75 e2 cc 4f f5 ea a6 ea a5 bb c8 70 bf e7 66 26 45 1b 5f 26 f4 dd 50 f9 ac d8 89 cc c2 bc 3b 26 92 75 49 c5 e3 09 57 2a ab 6c a4 36 da 74 1c 79 ff b1 6a ea 7f e2 f9 be 0a ca 10 a6 56 e3 91 43 ad c8 2e 35 38 37 1a 5e c4 31 bb 68 3b 13 68 c5 13 78 ef 83 9d 91 6e c2 c7 9e 44 e8 77 e7 af f7 bb 73 23 32 77 92 c7 54 aa b8 a4 be be bd 9f 30 23 aa 0c af 43 6a 71 5c b2 48 75 b5 02 6f d0 bf ee 79 fa 7a cf 4c 16 e3 79 02 43 0b a2 3f 9e 7e dc fc 89 2f 91 7a de 09 b6 73 01 86 b9 c5 d0 de 5a 89 c6 c6 fb 6d a6 81 b2 b0 01 2a Data Ascii: n}')V_!(X@Efg8WEtTN'(WUX\|$zapQ;uOpf&E_&P;&uIWl6tyjVC.587^1h;hxnDws#2wT0#Cjq\HuoyzLyC?~/zsZm
2022-09-07 09:41:00 UTC	529	IN	Data Raw: 03 d2 cc d5 eb 52 ae a0 6b 06 ee 37 df 3c 4d f8 c7 06 56 e3 0f cb 09 94 05 5b 75 b8 88 0f 84 97 fb e0 cd 68 4b f2 e5 95 bf 1a ec 8e 3a d4 ec 1a 59 06 cf 1f 3e a1 62 43 4b cc 98 0f b4 14 3c 82 98 62 7e 36 25 7b 63 b8 95 08 44 eb f3 23 30 16 4d d3 5f 94 17 f2 8b d2 19 e0 2a 59 46 d2 23 26 fe 92 7b 8e 91 33 3a 7c 4c 94 7f 76 b4 fd c8 d1 c0 08 a7 12 44 d5 24 5e 37 9d 12 ba fc bc f3 bd ab 9b 1d 76 86 2f 36 3b 93 cf a3 73 c1 73 b4 2f 18 ba 99 7b 29 47 af 48 cd e8 3c 41 f2 f2 e2 8f 47 42 57 48 bd 50 b5 cd 45 d8 a4 df b3 e7 73 bc 54 62 19 55 24 c1 03 48 24 47 5e 95 80 ab bc cb 4b 57 1c 20 09 a1 c5 28 32 6d 12 57 8c 08 06 da d5 6f 93 a6 b8 91 56 30 8e 77 b7 cd a4 17 8f 57 6b c6 dc f9 37 b5 7f d6 17 2d b0 17 f9 b5 cc 4a a7 98 94 e3 9c a1 fb d0 14 ab 0e 0b fd ec f2 Data Ascii: Rk7<MV[uhK:Y>bCK<b~6%{cD#0M_*YF#&{3:\|LvD$^7v/6;ss/{)GH<AGBWHPEsTbU$H$G^KW (2mWoV0wWk7-J
2022-09-07 09:41:00 UTC	545	IN	Data Raw: f3 f5 2e 3a 93 be 56 54 cc e4 14 96 ad 33 db c1 b5 6f 0c 56 6f 25 2d 5f 00 60 c7 bf 70 ca 71 0f 19 e8 e0 53 29 e7 8d f2 6a be a6 4c 85 1b 25 3e 6e 18 39 09 ed 0e f6 13 cc 26 2b fe 7c d1 f8 75 ce b7 13 0f 39 5f c9 31 87 9b 79 d3 90 4c 85 52 80 b8 55 ab 15 76 98 da c8 38 50 bd 18 e1 70 02 46 cd de 10 b4 0f c0 e2 0c 3c 23 e4 49 80 7c 77 73 b6 d2 ac 88 a5 34 31 82 00 23 82 2d 66 77 0b 25 7d c5 ee 6c 5b 4e c0 76 25 b8 c8 ab b0 f2 4c f7 53 1a 70 3e 9c 8b 0d 52 77 bd 0c b9 a1 a7 c2 31 20 bf 9e b9 87 d1 86 70 e0 38 a9 ca bb 57 18 1c ab 5b bb 23 63 df 83 12 0e 16 fd 81 28 02 24 6f 11 68 75 f7 32 6d aa 35 49 59 41 15 5c 4e f5 55 25 de de 23 5f ee 99 a2 05 7f f4 2a 0b 02 b7 b1 d4 fd 3f c5 f0 74 d6 03 c9 4c 62 0e 59 ed 69 3f 2a 93 2a 55 f5 89 b4 59 71 f2 a9 9d ef 29 Data Ascii: .:VT3oVo%-_`pqS)jL%>n9&+\|u9_1yLRUv8PpF<#I\|ws41#-fw%}l[Nv%LSp>Rw1 p8W[#c($ohu2m5IYA\NU%#_?tLbYi?*UYq)
2022-09-07 09:41:00 UTC	561	IN	Data Raw: 7f 99 56 dc f0 7e d4 6a 93 01 59 bd 76 e5 33 02 77 48 9d d7 19 2e 9f 1d 0f 64 08 c3 0b a7 da 3c a1 86 0c 39 2c 60 9c a1 ce 82 85 19 c4 4d 9d e2 0d d8 a9 22 49 dc 06 8f f3 68 66 73 77 14 54 e9 82 88 c0 ad a7 b3 45 2d b4 7c 55 30 5f 62 50 82 62 1a c5 b1 61 15 50 24 50 ca d1 86 ca a3 c5 62 0a c0 b6 55 52 fe 4b 9f cc 51 f4 1a 71 fb eb 99 22 66 77 55 43 1e 5d 06 9d b4 e1 2a d7 6c 43 ac a9 bf 58 b4 8f b5 72 79 36 1f de 47 72 a1 1b 07 c6 6b 29 6e fa 1a ae 1f bb 28 86 66 55 16 a4 1a 1c c0 1d b7 8f 7f 5c 23 5d a2 6c 6f a2 bb df d8 99 e7 77 07 30 9b ad c0 99 70 3c 79 75 65 2f 99 b9 d3 da 05 f7 13 06 d5 3c 5c 4b 4f b3 3b 92 e9 66 c7 9d 09 62 14 22 65 95 63 c0 b2 7c ab 9a 20 8c 26 59 03 39 cf 75 02 c4 4b bf 71 22 bc 8e ad 18 22 ff 6e 96 31 79 a7 56 04 7a 26 4b 7a 3b Data Ascii: V~jYv3wH.d<9,`M"IhfswTE-\|U0_bPbaP$PbURKQq"fwUC]*lCXry6Grk)n(fU\#]low0p<yue/<\KO;fb"ec\| &Y9uKq""n1yVz&Kz;
2022-09-07 09:41:00 UTC	572	IN	Data Raw: 2b de 43 6d 79 4b 16 bf 24 8b 5f 0f 76 65 df a3 bf ed c6 d0 7d 52 3f 24 bf 6f d1 e2 90 3d 70 f9 88 1b a0 26 11 29 b6 4f d1 94 06 18 0d 26 7b f0 ac 5f d1 fd 03 39 41 44 85 3c 3c 71 1a 11 21 11 7d 9b 75 5a 64 97 e3 10 58 c2 e2 00 53 12 9a a3 9d e8 05 b5 d7 85 f0 9b 59 7a f9 85 20 0e 26 84 b8 b9 1f ed ec 53 08 98 0e 1b 89 58 05 5d b5 7a bc 44 23 e4 2c 0c 33 62 4b f1 65 01 e8 e8 79 df fe d8 35 0d 87 7f cd 91 36 52 b6 61 82 06 b8 2a a8 dc 24 e8 0f 8a e8 8c 4f 8a 51 4e 6a 4b 45 14 08 52 11 58 17 2f 1e 4f 4e 3d 1c 57 d8 0d ee c5 6e 7e 80 cb ce 61 4a ed 10 05 f0 45 53 a2 a3 d9 7a 04 0a 5f fa a9 28 ae 39 e6 d7 a9 35 27 9e ec e4 e5 70 d6 1d fa a3 6c e2 20 03 f3 6d 35 bc 77 97 09 5a 4d 74 41 f0 f3 60 a0 52 a6 c9 58 de a0 99 7a 61 5e 18 ed 57 a2 a6 35 14 b7 ac 81 87 Data Ascii: +CmyK$_ve}R?$o=p&)O&{_9AD<<q!}uZdXSYz &SX]zD#,3bKey56Ra*$OQNjKERX/ON=Wn~aJESz_(95'pl m5wZMtA`RXza^W5
2022-09-07 09:41:00 UTC	588	IN	Data Raw: 1a f6 50 90 5f 73 e0 5d 65 38 dd 7e 4f 4e a2 b8 7e 2c 4a 04 35 92 f7 12 49 62 61 8e ac 80 21 01 df f9 84 da a2 1a 9f 11 7b 29 9f ac bc cb fc 7b 35 70 29 24 27 45 6e f1 88 24 02 6e b8 62 78 f7 4b 8a 6a 6d 61 44 d0 17 46 74 4a ba b3 6d 7a d0 57 b2 05 3d fe 85 55 a8 34 ee 44 ec 68 a3 7f e3 03 2f 3e ad 91 28 96 02 66 2d 1c 72 8a 36 f0 8a 0e 11 e9 5f 0a 73 e8 89 f0 18 94 9e d0 71 6e 7e 41 a7 82 e8 8e a2 89 cc 12 7f 02 d7 b2 66 c3 17 99 36 29 ff 4c 89 5e 88 28 ac f8 c3 aa 9f 10 5e 6f fc a1 a0 63 f7 8c 9e 66 ba 28 7d 0d d3 18 48 be f4 0e 42 19 aa d2 2b a1 bd 8c 27 4a e0 de 93 50 03 29 4f 05 ba 52 c4 94 e3 2f 4a 95 22 60 4d d8 a7 78 07 4d fa f6 b5 53 9e 0f 2c ff 57 71 75 e4 86 25 86 24 55 7a ea 51 dc 06 fd 24 29 9c a0 e5 7a c4 4a 7c af 8c 45 4b 95 e2 8e 83 9c cb Data Ascii: P_s]e8~ON~,J5Iba!{){5p)$'En$nbxKjmaDFtJmzW=U4Dh/>(f-r6_sqn~Af6)L^(^ocf(}HB+'JP)OR/J"`MxMS,Wqu%$UzQ$)zJ\|EK
2022-09-07 09:41:00 UTC	604	IN	Data Raw: 63 32 30 a0 2c 1d f5 7f 64 d0 fa 8b 59 19 23 3a 08 74 ed 1a b1 77 6c e0 7a d4 19 47 e6 b7 78 21 42 9f 35 f0 3a 0f 75 2e 92 fd 60 9e 0d 3e ef f7 8f 65 19 0b 6d 86 9d c3 64 74 ec 5d 7c 40 88 e8 4e 0f 02 ea 76 31 03 90 d9 a4 e3 93 7d 6c 1c 90 e3 14 57 55 bf f3 7a 1c 9c 7e d2 6c 4c 75 fb be ad 20 c6 9c 55 c1 b3 e0 6d 90 13 87 56 ed 9a cc 47 28 cf 95 d9 37 b6 26 9d 35 dd 6f 15 5a 73 e4 ed 71 00 1e 7c 4a 32 5c fc a2 5b 23 7c c2 01 f1 3e bd 7c 69 05 8d 86 9b fc 33 e9 7b 07 e3 50 9c bd dd 78 54 aa e3 21 e8 81 26 46 f4 8c 46 c2 16 a9 1b f7 58 95 9d 85 a8 49 7b ef 29 70 a8 03 28 9f ad 8e d0 02 44 99 7a 0d 3e 84 6c a6 fc b3 ab 80 2e 8e c6 8c 80 28 a4 7b dd c5 73 39 dd 73 55 e0 84 3e 15 b8 03 65 72 f9 fb b3 e2 8f 59 02 b3 1a 4a ae ea 85 df 08 62 05 8a 41 8c 06 37 72 Data Ascii: c20,dY#:twlzGx!B5:u.`>emdt]\|@Nv1}lWUz~lLu UmVG(7&5oZsq\|J2\[#\|>\|i3{PxT!&FFXI{)p(Dz>l.({s9sU>erYJbA7r
2022-09-07 09:41:00 UTC	620	IN	Data Raw: 26 f6 d8 e0 71 0a 35 4d 1c b9 56 6d 9e 20 9a 7c a7 89 ed 70 f9 a7 1c fc be d4 05 95 3c 2f 6f b6 fd b3 07 87 78 74 6c 24 3d 1e 6d cd ca f4 f7 74 d4 f1 42 49 d3 af dd d7 fa e0 cc 43 f7 b1 1d 5f 0b b9 4c 7f a0 00 0c 2e f4 ea 7c 58 b3 f2 53 b7 55 07 f8 0e 74 19 02 7c 25 04 ed 1c 7a c6 1a c7 ac 38 c7 77 85 e2 de 6e 55 46 8e 3f c0 7b 07 90 df d9 64 46 8a 45 ee 8a ec bb 30 56 97 c4 c7 85 c1 7b 42 54 f3 9b e8 3c f9 19 50 85 e2 7c f8 41 05 d1 f4 2d 14 75 f8 67 e8 c1 5d f7 9e 1f 15 ec c0 52 f2 3b e3 82 ed 8f 2a 74 3d 5d b6 2c 06 87 99 d2 89 f1 f6 68 c9 5d 99 b9 f3 d0 a6 97 7e 52 85 00 6c b5 a5 11 01 80 56 1a a5 0c 6b 80 ca d3 ea 0a 97 cf 89 79 a6 ac 4d 55 d8 9c 71 05 b1 4b ae 95 5d 3f 8a e3 c9 f9 1b 7b 21 9f a1 ba 3b 77 6c 01 53 d2 cd d5 fd 9a 2c 2a 05 4f d0 6b 27 Data Ascii: &q5MVm \|p</oxtl$=mtBIC_L.\|XSUt\|%z8wnUF?{dFE0V{BT<P\|A-ug]R;t=],h]~RlVkyMUqK]?{!;wlS,Ok'
2022-09-07 09:41:00 UTC	636	IN	Data Raw: e9 10 98 68 7d b4 39 02 df c5 50 94 db f3 22 aa 6d 5b 42 2e 58 93 fb a8 fb e6 99 f2 f2 4d c6 74 c0 75 74 20 69 29 80 01 8c 9d c2 c1 73 52 75 d4 b5 83 de f0 71 60 2d e8 bb e7 0d b1 66 a8 5f f2 36 fc 68 53 cc 81 1a eb 04 e4 17 7d 61 02 7c 8a d4 03 6b ab 72 f5 f5 a9 d5 c3 92 e0 5c 32 b3 d1 aa 20 52 9a 26 9e 62 9e d7 a6 b6 db d7 d7 34 91 dc 80 b8 13 5d 5a a8 33 f0 ff 98 39 d0 81 1e e2 2f db ab 5e ce 43 8b 7d 10 61 d1 ac e7 43 9a 36 a2 61 00 6a 8b f4 26 17 f6 d7 4a b7 0c d9 30 63 cd e6 00 ee e5 e6 70 1e 87 84 5b c8 2a 8c 08 c1 f8 d5 11 69 07 a4 3a a8 db 35 49 06 d0 78 6d 00 9e b3 94 7d a4 b0 df 00 f4 d7 34 7a 27 0e bb 12 6c 4d 6b d4 81 0f ae 9b 90 91 da 26 0d 6f 82 39 e1 36 18 d4 b5 3d c7 89 c5 54 27 60 0d 29 ec 2c 81 f7 ef 27 8d 3c fb be e9 4a 70 85 c5 8d 0c Data Ascii: h}9P"m[B.XMtut i)sRuq`-f_6hS}a\|kr\2 R&b4]Z39/^C}aC6aj&J0cp[*i:5Ixm}4z'lMk&o96=T'`),'<Jp
2022-09-07 09:41:00 UTC	652	IN	Data Raw: 8e d3 0e 17 3d 6d d2 43 8f 5a b3 b3 98 ec bb 8d fc a6 c7 aa c7 13 a0 01 f1 29 c8 9f b7 db 69 98 ca d6 b8 8d d4 74 0b 5c 50 21 ff a8 ea 8a e3 ac 92 44 d5 33 f3 26 8a 7b 64 f1 e9 f3 95 db 49 1c b0 cd 9c bc 96 e8 3e ea 88 c9 73 e4 51 1d 91 c7 86 57 ca e3 d7 aa cd 23 44 d1 d7 f8 f7 b2 c0 e9 7c 9a e7 fb 73 a0 29 51 6f 5c 15 dd 18 73 c5 a5 f1 bb 04 4e fb 1c 54 53 b3 43 2f 84 af 16 1d 20 bb 90 73 4c 89 bf 24 ad ce 4a 6f fc 7f f1 9b 01 bd 32 25 ec 07 3f ef 2f 26 33 27 13 02 15 2a dd 1a 25 48 47 d8 17 8a fd 4d 43 46 7d 4a 71 26 0c df 43 f8 78 20 19 80 5a a1 9d ac 50 b6 8c 3a 5d b9 c0 53 9a 25 e1 45 60 70 50 01 c2 d0 fd c8 b0 91 bf e7 fb 66 00 d7 b0 3e c7 19 bc 8f b0 4a c4 66 0a 83 5d 3e ac ce 0a 50 de 1f e4 51 52 76 ef a4 67 e8 2d 67 90 40 85 49 2e ec e1 01 a7 8b Data Ascii: =mCZ)it\P!D3&{dI>sQW#D\|s)Qo\sNTSC/ sL$Jo2%?/&3'*%HGMCF}Jq&Cx ZP:]S%E`pPf>Jf]>PQRvg-g@I.
2022-09-07 09:41:00 UTC	668	IN	Data Raw: af 78 09 87 19 2d 2b b0 ec 7f 1e 63 41 00 49 8a 88 23 97 7f e8 76 9e 8e 96 17 af d0 4a f7 27 4d 5a 90 bf 5e 1a 1e b7 1f 6c d3 d0 26 ba f3 35 1a 0e 82 65 e1 ac 69 da cf 7c bc 86 6d d4 17 f5 9d f2 b2 0e fc 2b 13 4f 88 6d 40 b5 a5 cf c9 89 fc ca 5d 0a 6c f6 25 69 85 9f ea 47 62 e8 b4 d8 3b 5a fb 3a d3 b6 3e eb aa dd 17 9e 87 88 a8 98 e9 5f 45 72 5b fe 4d 02 84 09 d0 87 88 8c 49 ce 66 8e e4 8f ef 04 38 f5 49 38 bb 98 f8 fb f0 47 65 ea 56 89 70 d9 7a bc df 74 79 78 4b 82 7b ee 2f 24 3f b2 9c c4 d5 8d 1f 74 0b 1e 30 01 45 68 7e 6e e1 0c 51 bb ac 56 08 2b 2b 29 e7 60 1a fb f1 05 f6 9c 33 47 63 e5 51 30 cf 6e 8d a9 83 82 eb e2 2a 33 92 a2 fc 95 13 98 0a 00 ed dc 96 a9 a2 06 b5 48 06 cb 0b 5c 2d 84 99 d3 0d 72 c0 17 fa 82 58 fb c0 99 51 4a 27 08 d0 12 7d e4 47 9f Data Ascii: x-+cAI#vJ'MZ^l&5ei\|m+Om@]l%iGb;Z:>_Er[MIf8I8GeVpztyxK{/$?t0Eh~nQV++)`3GcQ0n*3H\-rXQJ'}G
2022-09-07 09:41:00 UTC	684	IN	Data Raw: 32 b0 54 da 07 35 5b a2 4d e2 dc ee cc ad cd b3 a6 7e 48 a5 16 04 44 3a 12 6e 3f 12 43 2e a3 87 be 8d cf ca 4c 7e fc 78 22 20 4a 02 69 6a 68 b6 38 3b fc 13 01 c8 f0 90 23 23 f5 78 59 91 ce 9f 07 91 4d 98 dd 0a c2 e1 ba 95 08 85 44 30 75 a1 0c bd 9d bd 54 08 c1 63 56 10 80 d3 6c d3 88 b7 c4 9b 2f 26 65 34 e2 10 67 e0 d9 3a 0b e8 a6 f5 95 26 a6 07 86 d3 a7 66 55 4d 81 88 b6 d0 c9 46 08 ad 3f 26 b9 8f 67 7a bc 7f 97 ba 4a 1e e9 ed 28 c0 d3 42 83 2d 6d d8 38 36 ba 22 8e 83 bd 6a b4 08 f6 61 d0 6b 83 97 90 03 f6 11 b3 fd dd cb 6a 83 44 98 76 ea 7b e9 37 d8 76 a9 47 a8 7f a2 31 63 44 f3 45 4c cf e9 57 59 ef 05 9b ae 59 ea d6 98 0f 71 b8 5b 74 3c 81 c7 c3 0f 31 91 e2 5c db 7a fb e7 f0 34 cf c2 1a 35 cc d6 b7 fb 76 2a d9 51 1d 48 1f 7b 7d df 59 65 9b a1 6a e8 e0 Data Ascii: 2T5[M~HD:n?C.L~x" Jijh8;##xYMD0uTcVl/&e4g:&fUMF?&gzJ(B-m86"jakjDv{7vG1cDELWYYq[t<1\z45v*QH{}Yej
2022-09-07 09:41:00 UTC	700	IN	Data Raw: 57 56 16 0d 10 12 66 d0 ca eb 11 c9 09 6b cc 57 20 d3 9c a5 57 65 c2 69 19 68 55 c1 93 7f 97 b9 da f0 89 01 61 74 8a 41 43 28 cd 64 1b 3d f8 d9 a3 7c 2e b8 82 59 cd 97 33 ff 4f 95 97 ed 6c 38 40 8f 5c 64 5c 05 24 fb 08 8a 35 b1 a3 a8 d0 a0 17 15 27 7d 91 38 d4 0b 6c 71 a1 12 44 6e 29 86 4e 0d ed 22 8a 8f 40 c1 f7 8c 02 0a 16 7d b6 e4 ec 4a 9f 79 7b 70 fa 5c 91 47 f2 75 47 75 e7 49 9e d0 59 67 e5 01 6e 86 24 1f a3 8e 3f fc 0e 4e d9 2f 74 f7 8b 4f eb 23 2f 2c 86 56 02 27 06 a5 41 f1 65 2e ff 16 e9 cd 60 19 a4 7b 5c b9 b9 b4 43 76 a5 a6 09 37 aa 21 62 64 c3 7b 7f ff 3b dc de 38 69 b9 55 50 85 d3 61 04 f5 78 54 52 80 d8 b8 86 70 b3 5f 6c 28 f4 50 c8 a4 fc 38 e7 91 a2 1c d1 ca 32 58 c8 48 d7 19 41 19 cb 1e c7 87 8e 98 b7 d2 87 f1 73 bb e5 c4 3f a8 76 28 b4 e0 Data Ascii: WVfkW WeihUatAC(d=\|.Y3Ol8@\d\$5'}8lqDn)N"@}Jy{p\GuGuIYgn$?N/tO#/,V'Ae.`{\Cv7!bd{;8iUPaxTRp_l(P82XHAs?v(
2022-09-07 09:41:00 UTC	716	IN	Data Raw: 72 7f 94 ea eb 6c b7 ab 4c b9 ef 88 a8 d8 cb 3f f6 1b 04 94 5e 6f a4 1d d1 c2 bf de 79 04 fb 3b d6 c5 28 be 76 d3 a9 36 55 a8 57 79 10 0d 18 c7 51 80 aa 21 ef cc 79 1f fd 22 30 ee 21 6c ea 1b 0b 23 54 0f ee ae 83 7c 47 ec 78 0c 95 82 6e b4 cc 52 51 82 27 ac ed bf de f0 9e 8c 8f 9e a3 03 3a 2e 40 58 11 08 c3 b1 62 3f d4 11 b1 ac cd 20 3f cc 81 4f ee 8d 86 31 52 6a 14 93 63 96 36 31 2a 9a 05 b8 54 be 4b 53 0c 70 8c 55 27 cd 34 3a 99 f7 72 e4 8d 99 05 21 d7 b5 ba dd 0b 63 8a 40 70 35 7a e8 1f 6a d6 9d c6 bb f5 74 b2 09 96 6a 22 f8 09 a6 1d 65 29 4a bf 28 f1 54 45 17 8b c8 f8 27 a8 ba 4c 41 59 05 7e 9f 9d b8 7b 94 91 9e 75 3c 02 eb de 11 f4 76 ed 42 26 f3 c3 87 b3 2e 37 4c ef 04 c7 91 6e f9 79 f1 45 ec 9b 26 f9 e2 8b e3 f0 f0 2d dc f0 e8 42 27 a9 70 3c ed 97 Data Ascii: rlL?^oy;(v6UWyQ!y"0!l#T\|GxnRQ':.@Xb? ?O1Rjc61*TKSpU'4:r!c@p5zjtj"e)J(TE'LAY~{u<vB&.7LnyE&-B'p<
2022-09-07 09:41:00 UTC	732	IN	Data Raw: 28 a9 3d 4c 23 28 3c 10 09 84 84 d8 8a 66 50 ba b8 64 ed fe 70 3e 2e ea 64 82 a6 eb 93 f4 47 fe 3c 45 23 20 dc e0 21 93 6a 7f ac 63 d8 a9 d1 5d 1d 95 ef 1c 2b 67 36 f3 18 60 f3 1c 82 a2 21 4c 89 54 57 b0 42 ec 13 30 86 7e 7b 98 eb ab 9b ba ab a5 f8 bf 9a 28 93 73 a6 7b 5a 50 62 cd 4d c3 49 7d e2 be 70 df 55 61 d8 e4 55 1b 81 d2 28 9f 8d 34 21 39 be ec 51 8f df 86 16 e5 f6 6f f1 7a 3c f3 6d 2e f5 e8 e9 3f ea 37 ac 57 29 f4 c1 f5 ac 5e cb 7c fb 9f ef a8 95 db cc d8 5c 75 e4 2b c5 8f 4a cc 91 84 56 28 87 e2 2d a2 99 23 1a a3 a4 13 73 99 5a be e9 c3 f0 9c 8b 69 af 7f da ad d7 87 81 96 53 c2 34 cc 0c ed 72 89 12 1d e9 a2 a2 4e 02 0b 70 c8 be a8 33 96 36 3b f9 5b e1 64 8b a6 4b b3 93 9f 9d 36 dd 66 f0 3d 8e 33 15 54 4a ee 4a 42 b2 87 74 54 d0 95 c1 dd 0c 64 5d Data Ascii: (=L#(<fPdp>.dG<E# !jc]+g6`!LTWB0~{(s{ZPbMI}pUaU(4!9Qoz<m.?7W)^\|\u+JV(-#sZiS4rNp36;[dK6f=3TJJBtTd]
2022-09-07 09:41:00 UTC	748	IN	Data Raw: 39 59 48 19 8b f4 76 f5 dd 6e 5f 93 4e a2 1e d5 ec 7a 90 d6 65 f8 d4 95 ce 70 5b 4d f7 14 15 4a 19 71 64 47 bb c9 07 89 02 fa 1c 77 4f 6c f7 3f e2 42 a5 36 7e 74 a0 0e b8 21 a0 9f 18 50 22 03 14 41 a5 70 7f 4f 69 0b f8 0a 4c 56 61 69 ba 71 c0 8f ad 5e 24 d8 e7 c7 11 d2 a9 44 8c 46 01 1e 36 55 b3 76 e8 82 21 f4 13 15 ee dc 2d 19 24 61 e8 5a 8c 49 1a 5e e4 e5 fd 12 d9 cf 28 de 77 11 29 dc f5 9e b6 cd 97 09 6b aa 43 5e 39 24 ec 29 37 f0 05 71 31 4f d6 6f 87 32 8d 29 f6 90 e5 82 fa 06 5f fb 03 c4 c9 fa 45 14 08 ce 3a 30 ab 04 af c4 34 96 9b 05 4a 61 89 d1 dc b9 71 86 36 b6 c8 69 68 26 b8 0f db 70 17 7e 28 63 a3 35 3c 49 66 c5 63 a1 4f 73 05 14 88 38 bc 1a 20 28 c8 bb a4 77 59 0d a4 8d 1c 9c fb db 97 a7 5f e9 ee 85 6a da 65 9b d0 fb cf dd 9d 49 cf 40 14 2b 44 Data Ascii: 9YHvn_Nzep[MJqdGwOl?B6~t!P"ApOiLVaiq^$DF6Uv!-$aZI^(w)kC^9$)7q1Oo2)_E:04Jaq6ih&p~(c5<IfcOs8 (wY_jeI@+D
2022-09-07 09:41:00 UTC	764	IN	Data Raw: 5c a3 7a 23 e2 d5 7d a2 d6 16 a1 13 ae 4e a7 ad 8a 89 8a 18 5b 94 82 99 d9 47 ea c2 a6 22 f4 c3 ca 0d e1 fd 01 43 12 ab 0b 1a 58 d8 1b 62 a8 85 c4 6f d4 96 d9 04 0d a4 be 9c 97 92 62 d2 b7 60 8e 21 b3 3a 06 dc de bc 57 d1 ab 89 3b 8d c4 2d d2 9e ac 0d 19 67 ba 06 56 8e 9f 63 aa 38 65 2e ea 15 95 33 16 f7 83 4a 96 53 de 0d 5c bc 1c 3a 8d c3 b6 2f ab 7b 42 05 f3 cf 19 3f eb da a2 e1 20 f2 18 fd b8 a2 31 54 c5 e2 d8 89 e7 de 95 cc 05 f4 46 6b e8 6c 77 fb bc 8c cb 85 85 7c 81 dd b8 f4 64 ef 98 e2 6b 05 7e e4 37 4b 86 45 06 be fa 25 90 4c 3d 50 8f de 10 ec 45 77 67 4e 5c c1 28 0a f7 1d fb 0b 90 dd 98 a3 ea 14 d6 0a 1e 62 bd ee ae 46 1a 1a 1f 90 ef c3 26 52 bb 69 dd 5f 81 a3 3f 24 cd 4f 26 ab e5 55 f3 84 8a cc ab cc e4 a4 ff e7 8d be 0e de 89 00 f7 29 6c 65 69 Data Ascii: \z#}N[G"CXbob`!:W;-gVc8e.3JS\:/{B? 1TFklw\|dk~7KE%L=PEwgN\(bF&Ri_?$O&U)lei
2022-09-07 09:41:00 UTC	780	IN	Data Raw: 5e 58 99 2c 91 49 70 6a 43 fa a1 e8 3f c1 1e b0 e3 fd db a8 f6 db 81 19 96 c8 4d ab 63 ab 27 69 5e e1 cf f1 f3 21 24 b0 ca 72 56 4b a1 2c 9d 62 61 bf da 77 13 c2 e2 c5 4e 47 0f c9 d0 a1 93 f0 57 87 2b 61 ba 9b ba 85 38 14 90 b1 a5 7d e2 95 fd 4b 48 f7 2d 88 e1 32 88 90 53 52 39 41 8d 55 48 6d 8f 08 ba ae 11 a9 c4 cd 8c cc 78 6d bc 2f 41 58 ac 9b 0d 46 d7 41 5d 51 a1 01 ef 82 26 7c 96 65 50 31 4c 9c ea 26 69 9c 11 4d ba 32 01 ee 52 36 34 dd f3 7d 0c 75 b7 19 0d b4 e7 e9 87 ab 0b 4a c5 9f c3 ba ca b3 10 1c 25 46 8c 99 e6 05 4a 62 ad 77 28 71 9a 62 40 31 6a c8 e3 cf 31 1f dc d3 0a d0 6c 33 2c 88 86 26 41 d8 9f c2 99 8a 17 b4 07 ea c1 1b 52 11 74 40 22 84 0a 09 48 1b f1 33 4a 03 06 2e c6 42 55 38 2c c5 20 d9 7a af 53 28 8c 3a d5 7b d7 03 ec 9d 66 c7 8b 99 0a Data Ascii: ^X,IpjC?Mc'i^!$rVK,bawNGW+a8}KH-2SR9AUHmxm/AXFA]Q&\|eP1L&iM2R64}uJ%FJbw(qb@1j1l3,&ARt@"H3J.BU8, zS(:{f
2022-09-07 09:41:00 UTC	786	IN	Data Raw: 8f da bc 98 86 00 33 3f b3 cc 4c af 7e 5a 8a a0 de 38 c6 fc 8e 4f 37 cc 90 a7 50 8c 06 f3 9e d5 81 3c 3f 03 b5 e3 1f b6 23 99 68 5d fb ec 6f e6 6e d3 ab 98 72 17 a7 93 aa 26 03 59 4a c0 9d 92 da 0c 0f 1b 13 36 c9 63 db 02 4e 2d a2 ae 48 bc 44 7d e4 da ce b0 6e e8 a4 82 f4 72 7c 76 b0 bf 49 7a 80 d0 04 47 60 58 f3 49 52 64 0c bc 3c c8 dd 62 55 65 7c 33 4a a1 46 02 30 64 a5 ea 8d 05 28 73 93 0a 4a 74 1e b1 1b 25 35 df 08 8d 3a e2 61 16 8b 04 70 ff 98 1a 70 96 27 2b af b3 1a 2a a0 5c 47 6c 29 a9 dd 14 c9 6b b1 98 13 82 9b 1d 26 57 1a 55 0e 33 c8 d9 41 fe 99 e1 93 15 e3 d0 27 1e e7 d2 c6 62 2f 6e 82 ed 66 f4 c7 1b 73 a5 6a e0 e9 60 c1 16 07 58 36 c6 49 92 00 cf bd 36 22 46 34 ca d2 99 d1 2b 36 70 aa 2f c9 32 2f 55 97 b4 14 cf 8a 77 1f 86 0d 7f 28 eb 07 c5 77 Data Ascii: 3?L~Z8O7P<?#h]onr&YJ6cN-HD}nr\|vIzG`XIRd<bUe\|3JF0d(sJt%5:app'+*\Gl)k&WU3A'b/nfsj`X6I6"F4+6p/2/Uw(w
2022-09-07 09:41:00 UTC	802	IN	Data Raw: c9 5e c8 78 29 c3 56 6b ac 7f 1a 56 24 91 23 f1 d7 15 fb 6b 2d 5a 13 b9 7d 20 b1 2d cc f3 cf d2 1a 56 98 20 b3 27 2b 6e e8 9c 00 42 90 97 99 2a 59 c7 5f c6 c7 d3 50 47 58 a5 d8 49 45 a6 48 9f 64 b4 dc 34 db 0c b7 74 ce b3 f3 b1 27 59 74 fe 5e 6c e4 7d a4 54 81 ff b0 8d 5e 9a c1 66 cd d2 13 55 ee a9 af 2f 6a ef 14 91 17 4d 94 0e 9a 95 03 1b ae e8 47 6f 82 b1 c0 f3 e7 4f d4 3a be 37 34 77 2d ba d0 86 81 10 ea 74 0b aa 06 26 ab 58 d8 65 0a 4d 1b 1e 2a 21 bf 68 0e 64 67 9b 8f 3f dd 7f d0 29 7c 83 d9 31 57 2e de 0e bd 13 45 0c 2d 63 1d ff cd 44 ae 43 17 04 a6 03 47 5f 36 01 8e ca 82 31 a0 cb 73 ca 8a 16 2b f2 37 af 8f 66 a1 1c 8d bc 44 06 4a 06 c7 64 78 60 1a 74 81 6c d0 fc 53 dc ea a4 f9 e2 da d5 13 ec 6b 3a 72 59 c6 bc 43 96 e2 70 e6 3f 1d 2a b8 12 69 0d 2d Data Ascii: ^x)VkV$#k-Z} -V '+nBY_PGXIEHd4t'Yt^l}T^fU/jMGoO:74w-t&XeM!hdg?)\|1W.E-cDCG_61s+7fDJdx`tlSk:rYCp?*i-
2022-09-07 09:41:00 UTC	818	IN	Data Raw: 8a f1 18 f8 01 57 2f 04 db cd 65 3e 1e cd 63 e9 69 01 13 44 e7 1e b5 0b 14 cb de aa 92 8c 31 0b 06 d5 32 00 19 95 de ed 25 01 e3 6a 28 42 e5 02 5a 61 08 4c 5f 9d 97 dd 9a 70 90 9d 53 c9 c7 42 82 17 b2 6e a8 be ba 57 b9 b4 3a 74 1a 89 9a b7 e1 ec e2 78 13 55 b8 ad 09 28 53 3c b9 c4 c4 d2 f7 c5 cf 43 d8 e3 49 61 c6 c1 c8 b5 13 c7 67 b6 61 ca 66 dd cc 36 ce b9 f4 4c 02 07 3c 5b da d4 99 8f ec 2c b2 2d 57 a3 4e 10 f1 04 45 c5 de 96 00 3b 6f dd b8 40 52 87 2d 38 c8 d4 1a 9c d9 02 4b 53 85 9c 46 c3 47 96 f9 ab a5 91 8d 79 00 c3 44 82 96 77 18 18 cd 1f e8 4f 5a a5 52 e4 ea 82 98 16 4a 49 0a 20 d0 6a f1 b4 53 52 8d c1 dd 2b 6e e2 c1 a6 51 a6 9f e2 21 d5 3a f9 ce 74 1d ed b9 92 8e c3 62 fd 0f 3d be 66 84 5f 64 27 ad fa f9 78 26 0f 55 e6 1f c4 e3 62 1a 5e 26 8d d3 Data Ascii: W/e>ciD12%j(BZaL_pSBnW:txU(S<CIagaf6L<[,-WNE;o@R-8KSFGyDwOZRJI jSR+nQ!:tb=f_d'x&Ub^&
2022-09-07 09:41:00 UTC	834	IN	Data Raw: 76 c6 08 4b 32 d2 85 ee 34 3e 4e 8c 56 a5 a3 c4 1d de d3 72 72 33 d0 7a d1 e4 e5 2d 24 dc 9f e2 1a 59 27 3d e1 c1 53 3d 43 0f 8f 5f 94 b7 6b b2 63 cb 13 df d9 f2 91 85 a4 c6 20 d4 91 27 7e db 81 1e fc 47 a3 53 89 a1 28 83 eb ef 3f 20 70 4b 98 ea 8d 9f 3b 25 3e 1f c3 9a f0 66 5f 21 13 3a 9c c8 fb f2 52 69 00 44 e9 58 12 44 e5 8e fd 51 8b 54 9c d5 1e 0e 70 d4 1b 9e d8 b9 f4 f3 5b 90 a8 7e 17 74 46 b0 c9 6d 8b f2 97 39 01 de d1 6e 9e 9b f5 c9 fa 98 53 7b ee 32 c9 f5 e4 4f 5d b2 f9 a4 52 42 dc 54 6d e8 93 b0 cc 34 c3 2a 45 30 5c c3 5c ac 79 0a 28 42 80 21 6d 54 cc 25 b3 8d 3b a0 86 c7 5b 01 f1 ef e4 0e db 87 5a 6f fd 82 6f 4f 9a a8 95 af 12 95 f6 c2 6b 3e 80 42 35 81 e1 b7 eb 22 1a 8d 24 c0 d5 f4 02 bd e9 03 65 89 16 02 6e 09 fc c6 50 4a f8 af 60 65 96 9d cc Data Ascii: vK24>NVrr3z-$Y'=S=C_kc '~GS(? pK;%>f_!:RiDXDQTp[~tFm9nS{2O]RBTm4*E0\\y(B!mT%;[ZooOk>B5"$enPJ`e
2022-09-07 09:41:00 UTC	850	IN	Data Raw: 77 53 0e d8 41 1d 94 34 9d e7 40 ec 00 76 2b 4d ca 21 b1 be 3b af 94 d8 3c fa af b8 62 db 88 36 68 cd 07 54 1d eb 10 a8 09 aa 76 db a4 94 d8 a9 08 f2 b5 46 6b 44 81 27 b9 76 cf aa 6b b7 eb 2c 5f c5 f2 d9 17 78 42 cd 61 68 94 c5 b1 cc dc c1 4b d3 3e 53 9f 8e 3c fb 6c ca d1 90 53 eb 44 80 67 17 40 4c 92 2d 35 89 39 b7 06 12 09 5e aa aa 0d 5b 1f ab 9b 03 1c 48 67 53 ea bd 5e b6 6b da 5f fd ca 19 d5 82 12 15 b7 59 cf b2 d9 33 e7 67 79 99 36 3b a7 29 40 df 03 91 ad a9 6e 36 29 21 d1 c1 2c 1b 01 9e f4 ea 24 65 0c 55 de 06 22 a2 ff e6 1a 48 02 19 43 d1 90 5b 92 c3 6b 6b 2c 57 d4 27 52 fd 88 7c 68 f5 cc 23 5c e8 82 94 0f d1 dd c9 c2 d6 3f 51 13 dd f8 3c ee 73 89 9c a2 de 33 ef 5a cd fd e9 4f 51 02 8f e7 12 94 2b 8d ee 91 b4 a7 e8 ca 6f 35 b9 1e b2 3e 05 67 bf 46 Data Ascii: wSA4@v+M!;<b6hTvFkD'vk,_xBahK>S<lSDg@L-59^[HgS^k_Y3gy6;)@n6)!,$eU"HC[kk,W'R\|h#\?Q<s3ZOQ+o5>gF
2022-09-07 09:41:00 UTC	866	IN	Data Raw: 25 60 73 2d 33 e4 db 71 7b 1d 43 68 66 24 ae 85 ca 3a da 5a c6 1c 76 2e 34 13 de 45 24 2b 55 3d ed 91 9a 0a 0d 0b 12 01 0c 12 1d a4 f1 6c 5b 99 48 5c a4 0a cb 4e 22 d4 63 07 20 1d 51 4b 94 b7 83 0d 00 6c df cd 3d 65 cd 5c c3 30 f6 e7 5a 88 50 78 31 49 92 3a 0c d8 f9 21 59 f8 9f dd f6 20 53 3b 58 d7 ae fa 0a ec ce 10 c5 18 b8 a1 39 e7 20 9e 8c c9 ea 3c 6e 24 1a 3c 73 84 64 ec 3d c6 f2 3c e3 b5 19 3a 11 b8 2d 2b 79 e2 08 24 6b 2e 37 ae 59 44 f8 e0 ce ad 62 52 d5 95 78 c8 9f 0e 89 08 32 67 fe af 15 c5 39 36 ef 9e 21 3b 2c 42 71 33 66 8a f8 28 c4 5f 0e 65 8a cc 16 cd 4b 79 83 f9 34 6b 3b 2f b2 ce 82 2e 7c ca d3 f6 28 6a a2 62 d1 6b 95 07 1e ea 7b a6 ac 4a 1e 97 0c dd 3e be 62 b5 37 07 7d 06 b2 41 25 69 87 91 7e 8f 1c 4e d9 f9 d8 5b 9f dc 4a 25 4f 10 a8 7d fc Data Ascii: %`s-3q{Chf$:Zv.4E$+U=l[H\N"c QKl=e\0ZPx1I:!Y S;X9 <n$<sd=<:-+y$k.7YDbRx2g96!;,Bq3f(_eKy4k;/.\|(jbk{J>b7}A%i~N[J%O}
2022-09-07 09:41:00 UTC	882	IN	Data Raw: 19 99 d5 63 2b 1d 76 db 67 51 f5 3c c7 6e 86 6f 1a 92 b2 d5 59 6d 4f 9b a6 87 87 8f ed 98 c4 8a 4a ef 89 cf a4 01 f0 6f 86 e8 ff 40 15 55 53 d9 c3 d6 19 c9 4d 93 78 bb 52 50 81 fe 54 6a 23 0c 7d 71 81 29 15 dd 9b 42 fe a4 23 e1 63 7d 2c 4b 1b 3e 16 4a d4 45 6d 00 44 4f f7 18 8d 3c 54 35 c1 f9 38 59 61 2e 9b a1 b8 90 8d ce b1 c2 73 6f ea a6 95 21 01 23 5a b3 74 4d 55 03 9e dd 60 13 d7 94 08 29 43 d5 d6 15 67 89 25 0d bd b4 5b 05 d4 b1 3a 8f 05 7b 59 79 61 b8 e0 7b fa 90 b1 86 49 bb 57 b9 d5 4e 73 19 e7 3e a2 86 ec 24 d8 c5 01 90 d1 f8 e4 6f d6 41 8b 52 05 58 4e 74 68 37 c6 f6 56 e9 19 b5 2e af 41 88 06 be 5a 05 91 ae 27 c0 0f 4c 13 88 73 46 61 4f 0d f6 d3 ee a9 aa 99 1b a3 f5 05 5a 8d c2 e1 5a 21 0e 7d 1f f8 70 b4 52 3c ea 9a 74 48 a3 90 52 2d 20 54 55 72 Data Ascii: c+vgQ<noYmOJo@USMxRPTj#}q)B#c},K>JEmDO<T58Ya.so!#ZtMU`)Cg%[:{Yya{IWNs>$oARXNth7V.AZ'LsFaOZZ!}pR<tHR- TUr
2022-09-07 09:41:00 UTC	898	IN	Data Raw: 41 4c ac 07 27 18 ed 0e 14 a2 da fe 3a dc a4 b6 1e c0 3f 8d a1 22 63 7e cc 28 fa 0e 1b 07 86 2e 92 f8 12 14 89 6b be 55 34 b7 ae c3 00 09 92 9a 56 42 cb 40 7b 87 74 91 0a b7 79 73 a9 7d 28 fd a2 ac f3 5b e9 f9 1a 64 da 49 3e e6 25 46 2f 1c d5 7f bd 53 ba 07 12 cf 80 57 98 a0 9d 37 e6 73 97 bf 56 03 5d 5a 2c de a9 b6 d4 b5 17 bd bf 71 8c 27 b0 fd a2 f4 9e b1 ce 0f a7 0c fb 04 cd 18 87 a3 8f 6a 8f a2 b2 3b 50 8b 04 69 37 c0 9a 09 39 af ef 10 3f 5b a3 25 c9 7b ba 36 21 15 5c 48 8b 3c 2f ee a0 c2 af 86 ca ae ba cf 67 cd 23 bd 55 0f 8b dd f0 30 98 35 78 e2 31 1a ab 4d 61 98 a1 38 8e 83 be f8 5a 8d 39 8e 59 0a 16 00 0e db 4c f4 41 e9 02 20 2d 63 b8 e8 32 03 54 0b 58 8a e0 5d 22 04 5c 2d 5b 42 e8 be fb 92 98 0b 35 fd 52 2a 15 bc 11 dd 80 58 ad a7 d1 b3 e4 a8 28 Data Ascii: AL':?"c~(.kU4VB@{tys}([dI>%F/SW7sV]Z,q'j;Pi79?[%{6!\H</g#U05x1Ma8Z9YLA -c2TX]"\-[B5R*X(
2022-09-07 09:41:00 UTC	914	IN	Data Raw: f7 6c 15 69 17 1e a1 7e 67 41 e3 d8 f9 45 24 d2 f1 b6 86 ad e8 71 5b cf 06 0a 43 de 20 8b 52 3e b3 9c 2f 3f 9e 90 79 52 b2 06 2f ca 8c ef b9 68 ad 6a d3 67 b5 3e 30 46 ea 55 24 b8 07 e7 c6 ba 60 03 87 86 f9 06 66 6c f0 42 2a a8 7f 54 eb ad 84 ae 90 de 1a b0 3d 33 e3 f7 4d 8b f3 f2 6b ec fb 90 ed 5c b0 93 07 f4 e5 99 4e a7 b2 d7 11 c1 ae ae 1c c4 0c 62 40 92 5a 72 af 65 ab 6f 80 f5 51 cf 49 20 6f 41 30 35 10 e1 a7 aa 50 61 a9 55 d9 eb 9c 7e 66 b8 53 68 a1 29 b9 65 21 ae a9 a4 0d 10 0f 7f cc 9d bf e6 59 ad e1 39 6a f6 9a 80 c7 eb df e4 2a 98 b0 dc a6 3a e2 5c 39 12 0e 7c db a0 44 f4 01 3b 3d 3b f4 13 be 3e 69 74 61 37 4e 76 93 12 e5 d0 0d 77 e5 46 89 09 c4 24 06 1b 43 f6 8c aa b2 66 74 c9 5a c8 3e e9 76 fb e2 06 6e 83 22 fc 3b 44 82 82 d6 7b 08 5c fe b9 cf Data Ascii: li~gAE$q[C R>/?yR/hjg>0FU$`flBT=3Mk\Nb@ZreoQI oA05PaU~fSh)e!Y9j:\9\|D;=;>ita7NvwF$CftZ>vn";D{\
2022-09-07 09:41:00 UTC	930	IN	Data Raw: cb 91 cc 15 09 66 17 e6 03 d4 97 dc a2 6d 9d 3c 7a 9e 31 81 c0 ff 5a bc 8a 03 e1 a6 cf ca 26 57 64 05 cf 4c 1c 72 63 0f 37 14 da e8 ab 51 52 88 8c f7 ec dc 4f 9d c6 05 df 58 58 72 c4 cf 7a b6 53 00 5a 36 89 9a 23 f2 15 9c c1 2f c6 2f f5 ca b2 23 17 28 2f 6f 80 42 c3 8d 3a 42 86 70 42 12 4f a3 ba a0 f0 e2 25 7e b8 98 43 7e a5 ae b3 61 d6 73 7e c5 8c 71 5c 22 98 04 fc 7f 87 34 35 5c 27 7e 8d 0e 00 bc ad 48 17 9e 71 38 7d 5f 43 d3 32 d6 05 c2 a3 77 76 06 31 e8 a4 08 2c 74 b5 ad 7d a8 3d 4d 27 27 65 19 e7 7f 05 13 43 84 46 7d 78 ba 0b 52 d2 31 c6 db 10 8d b4 b7 28 3e 86 22 5d 79 fe 45 c8 36 bf f1 51 e8 d1 b8 5c 9d d7 3c e0 16 ae c4 5f 24 e6 f0 a6 e5 e5 f7 43 5f 16 b3 16 ba ce 5b 41 6b e9 51 22 97 e4 84 95 65 fb 8b f5 78 0b 9b 29 2e 15 15 fc d1 73 5e 2e 8d 33 Data Ascii: fm<z1Z&WdLrc7QROXXrzSZ6#//#(/oB:BpBO%~C~as~q\"45\'~Hq8}_C2wv1,t}=M''eCF}xR1(>"]yE6Q\<_$C_[AkQ"ex).s^.3
2022-09-07 09:41:00 UTC	946	IN	Data Raw: 0a 05 f2 9f 8f 87 c4 cc dd cd 92 74 00 30 21 3b 1d 6c f1 28 f8 61 d8 02 f0 c4 e8 37 92 af 34 05 93 69 da d7 d1 22 e8 cc c7 33 6e d5 fb d5 dd 50 f5 05 32 3d c3 cd ab 73 d4 ec ef e0 c0 d5 29 21 41 7e dc 6e 21 32 77 13 76 bc 74 e0 71 28 ed 1b 17 e1 e5 f4 f0 f2 73 e6 ac 4a 2c a1 99 3f 5d d4 3e d2 f0 56 8c 1c 3a d8 75 63 5f 77 94 b1 84 88 5e 2b 7e 1a d1 45 7a 56 2d cc b1 04 76 3b 41 5e e3 79 46 6c a7 ed 19 4c fc 3a ad a8 53 02 65 72 9c 65 b0 a5 74 58 8c 16 3e b4 44 30 fb d8 15 c0 97 59 a6 21 87 a7 e8 42 90 5c bf 6c 70 7a b3 4f 94 5d 1f 81 ef 33 1f 00 3d 1c b9 49 6e f0 19 33 44 ee 15 96 a6 41 61 10 44 c2 d7 8e 80 ff e8 51 92 0b 97 46 e9 7e dd b5 7a af 5f 83 0b 96 4d d0 b4 04 12 57 b8 d6 ff d3 d7 0b fc 45 25 47 10 d7 0a 36 a0 a6 f4 bd d2 80 45 30 5c 7d 1c 1f f9 Data Ascii: t0!;l(a74i"3nP2=s)!A~n!2wvtq(sJ,?]>V:uc_w^+~EzV-v;A^yFlL:SeretX>D0Y!B\lpzO]3=In3DAaDQF~z_MWE%G6E0\}
2022-09-07 09:41:00 UTC	962	IN	Data Raw: e7 48 85 d0 39 b0 8f 1b 05 91 3a 62 b1 f7 4d 78 ae b3 34 b6 9e c2 31 07 52 ad 81 f3 9e 2f 99 44 ad d3 d7 1a 9e db 5b 17 e1 a2 79 85 bb 00 4d a5 3e 2e 93 d9 58 57 d2 15 23 8b ee d8 7f d1 a8 92 22 f6 0d 3b 86 6b 5a 63 f0 f5 14 e2 6f b5 e2 16 b5 36 21 da 33 53 98 1c 7c 17 b6 92 53 1c cd 20 f9 f5 5f 4d cb 0d 01 b3 43 54 9a 3f 9f e6 59 e0 5b 75 bc 80 83 d8 81 e2 d4 45 72 10 4e 8c ac e4 75 4d 57 63 ed be 40 79 89 38 f1 fc 9c 34 86 ef 8c a0 12 20 c4 ef 21 18 0f 91 14 d4 68 2d 31 db 1b de e2 17 32 57 e5 10 b0 a1 62 b3 a2 cf 60 92 75 2e 27 cb be b2 1a b3 9a d7 d1 82 54 21 8f 7d cd ac 3c cf 4b 2b 27 6a b0 c5 ee 02 25 ca e5 d6 fb b8 74 bd c8 f8 f8 3b 2c 39 fd 2b 85 79 ca 45 d3 34 2f 6d 41 b1 ae 54 84 76 83 d2 0e ea 14 32 8f 38 5c 61 9b 6f 36 eb 03 ab 1c 9f 62 0a 81 Data Ascii: H9:bMx41R/D[yM>.XW#";kZco6!3S\|S _MCT?Y[uErNuMWc@y84 !h-12Wb`u.'T!}<K+'j%t;,9+yE4/mATv28\ao6b
2022-09-07 09:41:00 UTC	978	IN	Data Raw: de 81 5e d7 48 c5 92 12 df 87 9c 38 24 51 7c 4c 63 0b b4 5a e6 7d 18 66 4e a2 d8 13 61 a3 3c 61 b4 21 10 60 f5 b8 69 8c 33 77 40 ef 07 64 64 f7 03 12 da b0 f1 89 06 e6 da 0f 07 48 12 17 ed 20 08 49 65 0a b9 4f b7 44 7d 31 dc fb e0 ef dd 81 ba c1 92 b6 e8 c3 f3 a9 89 91 6d 8d 68 0d b1 17 7e 53 48 87 c5 1d 40 98 46 2b 02 bb 0b 57 85 9f c3 c1 c7 cd 2f 56 b4 75 95 e2 b4 7b 51 5a 8a b6 11 7d 29 06 ef 21 fd 02 95 21 f9 b0 65 55 9a b1 db 7c 48 fd 0b 24 df 77 9a c3 e1 83 c9 ec 57 12 af ce 54 e4 72 15 77 23 5e 57 10 c4 d6 c5 6f 3b d5 64 4b 42 23 11 12 b5 85 3d e8 e1 e0 89 3d e5 a6 d8 09 5c 8d ad 5d 8b 34 21 5f c1 fa df 19 bc 51 cb 3d bc 1a 2f 44 62 54 92 cf db 87 51 f5 3b c3 cb e1 f9 31 23 f7 5b 8c b6 cb a1 60 b3 4e b4 f9 65 d6 fa f8 48 04 df ef fd 40 f1 ee d7 39 Data Ascii: ^H8$Q\|LcZ}fNa<a!`i3w@ddH IeOD}1mh~SH@F+W/Vu{QZ})!!eU\|H$wWTrw#^Wo;dKB#==\]4!_Q=/DbTQ;1#[`NeH@9
2022-09-07 09:41:00 UTC	994	IN	Data Raw: d7 fa 00 d7 c3 3e 13 6a 64 06 d9 7b 94 a8 f8 2e d9 15 df 30 9d 8c ac 56 cb e4 08 57 dd 3d e0 5a e1 b3 c6 02 ca 87 5c 7a b3 04 b6 2a cf 32 d8 71 d1 52 b0 2c 3b e7 90 52 04 6e ea 61 47 fd fe ff f1 a2 15 65 23 ea 39 96 ac d2 8f 53 1f 9d 73 d5 06 d0 85 7c e4 06 18 4a 5f 6d 7f 9d 87 9b d2 0f ce 6c c8 9d 1d a3 71 b6 61 14 47 86 b5 64 1f 1f f1 70 2c f1 5c ee dd a0 70 33 93 d8 c0 56 b3 e5 6b 4c 3e a8 c7 00 9e 55 6b 43 22 f1 6b f3 7a 84 90 f3 78 a0 51 3b d1 d4 dc c1 fa d7 1f ab 58 61 b3 e2 ab 91 9c df 79 95 2a b9 82 3b b3 d1 76 10 a1 3a 71 a7 a2 6d 00 03 53 fd 88 52 b2 3e 00 9b 1e 29 1c 49 10 63 d8 7f 0d 7c a8 1a 47 be 1b 48 53 c0 12 f8 8f 37 ea e9 8b 2d d9 2a fb 7a cd 43 d7 24 e6 b1 3b 5a 33 3b d3 3a 8c 63 e9 c8 3f 2f 80 1d 38 71 75 b2 bb d6 60 18 4e d2 85 79 a2 Data Ascii: >jd{.0VW=Z\z2qR,;RnaGe#9Ss\|J_mlqaGdp,\p3VkL>UkC"kzxQ;Xay;v:qmSR>)Ic\|GHS7-*zC$;Z3;:c?/8qu`Ny
2022-09-07 09:41:00 UTC	1010	IN	Data Raw: 1d 19 95 a1 e1 c4 36 6c 01 1a a8 ca 8d c4 dd d7 5d b7 47 78 77 1d 97 d2 43 65 78 25 50 79 89 8f 22 75 11 1b 86 79 91 c7 5b d9 e3 e2 bc d3 c0 06 ad 00 92 de 40 6b 74 c2 f8 4a 82 d1 d1 04 72 d8 c9 ce 44 fd 54 8b f9 d5 85 b6 29 41 80 b2 35 e2 2f 71 bf 7a 4c 3d 7f 96 6f 09 31 a2 d1 cf 41 33 0e 20 7f 94 d8 52 bf fe c0 f2 0b ad f0 b7 35 e2 1d f8 1b 42 fd ce 9e e8 e5 47 f8 06 2b b1 db a0 ff a2 13 f4 43 b9 bd b1 dd 8a 5c 3c 78 6d 06 80 7e 7a cf b9 4e f0 cf 37 30 4a f4 a3 7d 38 7f a4 f1 2f fb ec 26 3e 00 03 18 cf 7e 2e 8d 10 67 f7 53 ad 9e 70 3f db 2a 34 93 04 e7 4c de c4 7f fe 63 0a 24 12 e6 a7 4b 9b d8 fb 8a 0e fb 27 25 b4 ad 7d 4a 39 1c 15 b7 79 ce 36 c5 31 87 ca 98 b9 ff 07 92 79 77 10 19 eb 95 23 3f 0b 94 ba e9 21 d5 8c 10 75 c4 0a 06 86 4b a5 f2 dc a6 54 f1 Data Ascii: 6l]GxwCex%Py"uy[@ktJrDT)A5/qzL=o1A3 R5BG+C\<xm~zN70J}8/&>~.gSp?*4Lc$K'%}J9y61yw#?!uKT
2022-09-07 09:41:00 UTC	1026	IN	Data Raw: a8 90 ff 16 e2 f1 97 96 ec 68 89 d8 7a 8a 48 ec 33 2d 0d dc b1 19 be 77 79 da 82 53 a1 73 aa 72 d0 9e 08 91 21 52 98 b6 07 60 6b 45 25 71 ff b8 82 3b 55 9f 8d 9f 46 7d 2d c1 ce 99 f9 14 d0 7c 8d da 13 42 99 39 c8 23 52 db 3c 2a 51 91 fc b7 ea 43 7a 02 04 ba 91 01 0d e1 d4 37 98 4c 78 cc bf 4e 1f 87 6d 05 fa 3a cb e4 1e b2 0b 6e 3c ed f1 67 ab 84 f8 cd 5a 35 70 82 28 18 e3 be 67 a4 43 b2 f9 38 7a 7d 61 39 f9 68 3a 3c c0 d7 0d f5 41 54 03 3a 3a 52 04 b2 e9 c3 1e 8b ff 4d 3f e6 bb c3 6b b9 c0 e0 01 f6 c3 1c 9e b8 b2 75 59 17 dd 84 6e c0 fc e5 77 72 f8 83 6c e8 1a 42 47 ce cc d1 09 c8 0f 70 59 1e 1e 6e e1 6a ae 54 66 41 c7 f3 34 09 50 ed 07 fd 9b 07 5f 43 4c 49 da e3 24 32 fb 87 09 60 8d c7 30 80 c2 30 23 e0 80 7f 25 b4 ca f3 4c 2d 8c ff a5 b2 5b 1c 93 c7 fa Data Ascii: hzH3-wySsr!R`kE%q;UF}-\|B9#R<*QCz7LxNm:n<gZ5p(gC8z}a9h:<AT::RM?kuYnwrlBGpYnjTfA4P_CLI$2`00#%L-[
2022-09-07 09:41:00 UTC	1036	IN	Data Raw: ae 95 d6 98 2d 4e 78 a9 9c 87 83 4f a2 5c 4b c9 15 2a 37 19 43 41 db a6 bf f3 fd 49 2c a7 9a 7e 89 bf 30 33 7d c1 38 41 c1 75 fb 49 bb 86 23 77 1e 8b b0 93 35 55 e1 40 cd af 8e 45 74 f3 1e 0f 3b cc 01 fa 81 40 e3 45 07 08 89 46 f3 63 ff aa 74 d1 35 81 6d 3b 09 fb 49 c3 d8 31 32 58 d7 b6 eb 28 52 c4 e1 2c b5 85 da 1c 70 85 bc fc 6a f9 28 40 0e 65 e9 26 d9 8c 71 03 74 08 8a 01 a1 ef 68 10 7e 5c 40 c3 d2 c6 c2 d7 76 e7 3d c5 1d 51 fe da 1a 8e 77 3f 6b 05 b0 7f 40 e2 6a 4a 17 1d 1a 06 d9 a5 f6 20 5c 97 14 05 2e 21 ff 3f 32 ec b4 07 ad c1 98 50 10 91 b2 18 fe 73 9b 34 38 d9 b4 61 60 af 18 b1 0a cd 16 70 ae a6 be e7 46 d4 0f 3a 43 75 96 09 d2 17 d5 c9 ae 0b 3b 71 2c e9 e2 0d dc 00 64 cd e6 38 8a 96 f5 84 68 66 ec 20 3f 96 23 be 68 42 d1 ce de 0f cd 70 2c 36 02 Data Ascii: -NxO\K*7CAI,~03}8AuI#w5U@Et;@EFct5m;I12X(R,pj(@e&qth~\@v=Qw?k@jJ \.!?2Ps48a`pF:Cu;q,d8hf ?#hBp,6
2022-09-07 09:41:00 UTC	1052	IN	Data Raw: 64 cb 58 8b c3 ed 5c 8e 25 e2 23 90 de ab 45 b7 fb 72 b6 84 d4 87 3f b9 73 fc a8 57 e0 0f 68 1a 13 05 8c ac 48 2a 80 48 93 c2 1b a4 ac a4 ce 58 63 c3 3f dc 78 9e 98 81 30 9b 86 6d e0 ae 4d d3 23 7e 04 95 81 2b 45 3f d6 d9 ad 0e be e4 e0 42 c8 37 8c f9 cb 7c 6b 5c 0f 6b f9 80 89 eb 36 92 c0 61 c7 1a 13 90 78 3c a6 6b f1 09 55 06 e7 45 96 d2 58 25 d4 8c 98 c9 8e 5e 70 50 dd 0f 4a 82 64 6b f0 17 cc 90 a0 6c a7 f0 93 44 37 c7 95 03 7b b0 05 30 f7 6a 60 eb d5 b7 26 e1 81 18 2a f0 a3 99 33 8c e4 98 aa 98 e9 ad 44 a9 fc a9 4d 09 c6 04 17 e8 9b 25 ed e4 73 fd d6 11 88 99 6f 61 51 e6 85 fb 43 72 d6 c2 8e ba 74 08 2f 42 60 79 d8 4c 7a bf e7 ea f8 c0 0f 3b 11 89 7f 01 ab 90 f3 8a 67 ba 09 69 36 cd e4 5a 9d 29 d3 28 2b 1c a8 02 73 09 f1 2e 6c 73 54 7f 89 e1 03 69 ac Data Ascii: dX\%#Er?sWhHHXc?x0mM#~+E?B7\|k\k6ax<kUEX%^pPJdklD7{0j`&3DM%soaQCrt/B`yLz;gi6Z)(+s.lsTi
2022-09-07 09:41:00 UTC	1068	IN	Data Raw: 6f 22 9c 3a 4d 45 fd 89 f0 1a 7e 12 c3 bc 45 e7 70 1d a0 8a 1f e4 98 15 a3 34 5b d1 38 7a 47 cb bc 97 d8 b6 e1 22 d2 a1 78 42 af 5c ce d3 8e 4b f0 e5 1d 7c 28 fe 62 84 cc 45 4f 23 91 ec 74 70 56 50 d8 5d 70 7f ec 62 1f 69 f9 fe e5 6b 7c 8f 09 bd a0 cf 01 1a c4 ea 59 6b a2 5a af 26 33 00 f3 de f1 c9 88 38 57 ce 07 67 2a cb 5b 95 4a 35 25 b9 93 a6 37 62 3d a7 52 85 ca 34 73 29 a2 d2 26 ef 28 5b 07 ff f3 3a 81 a7 c7 3c 34 b7 4d 7f 9f 49 12 37 e4 ba 12 7a 1e 1f 89 70 4b a3 0f c1 c5 37 4e cd 63 e0 19 e2 7e 1d 0b 00 eb a4 6e c7 d3 0d 89 5f 99 31 ae b1 d4 31 21 b2 b0 cb c0 88 63 ae 1f 1a 34 9e 93 cd bf 42 4c fe b1 12 8b 58 f9 51 ef f5 da 06 81 b7 f8 12 6a c4 b2 23 11 e1 64 84 a0 2e 59 df c9 be 2a 96 60 c5 fb 02 f9 c6 42 77 d2 cd 93 ac f9 bb c8 9e f1 fd f9 fd bc Data Ascii: o":ME~Ep4[8zG"xB\K\|(bEO#tpVP]pbik\|YkZ&38Wg[J5%7b=R4s)&([:<4MI7zpK7Nc~n_11!c4BLXQj#d.Y`Bw
2022-09-07 09:41:00 UTC	1084	IN	Data Raw: f2 fc a0 d4 14 62 6e 39 df de 22 ef 75 4c 00 3d a2 5b 8f 1b f3 37 f8 34 26 c4 bd 09 ab 68 30 91 59 f5 2a 31 7e 7e 6c f5 48 0f 67 b4 3d e3 0d 71 c6 fa a6 19 42 e8 42 47 c9 f4 9c fc 2a db 05 ab e8 6d 0c f2 16 09 4e 90 0a 9e 93 af 67 20 d2 85 5f fd 23 46 ae 1d a1 52 52 a3 c0 ae 82 ed 0f 50 ba e7 cb 80 e1 a7 57 1c 0d 5f bd 8d 8f cf ff a7 5b ad 2f 9d 61 a0 c5 8d c3 7d 2d e2 b2 e2 c8 f0 fd b7 40 d6 d2 db 34 94 fe 5c 59 67 5d 78 63 b3 cf 4a 62 04 c9 98 67 c0 f5 af 94 38 02 57 51 64 cf 40 28 84 48 3c b8 7b 0d 77 20 ce 76 48 d6 1e b2 78 06 72 8f a8 88 68 8f f2 1c a6 86 0b 34 94 e9 28 a8 35 d5 6e d5 e5 2f 0f 0f 7e 79 b7 7f 24 fc d1 c7 0a b2 26 3a 48 67 2c 66 15 16 23 97 a5 47 44 dc 26 7c 81 3d 2d 08 4d 68 6d 18 ab 8f 2a ce 48 4b bd 07 92 c3 3a ab 41 50 34 a4 2a f0 Data Ascii: bn9"uL=[74&h0Y1~~lHg=qBBGmNg _#FRRPW_[/a}-@4\Yg]xcJbg8WQd@(H<{w vHxrh4(5n/~y$&:Hg,f#GD&\|=-MhmHK:AP4
2022-09-07 09:41:00 UTC	1100	IN	Data Raw: d3 ea 6a ff f7 30 e6 3f be 0b 05 c9 6d f5 02 84 5b ea b9 b7 2d 62 54 2d cc 54 c4 30 da ee d5 35 54 db a4 c1 dd eb 45 bc 5b ba ef d2 96 79 bd a4 6c ee 20 ed f5 05 d1 66 b4 19 fb 20 4b 62 5f 57 68 b6 8f 66 ca 60 03 85 57 48 7e 7c 20 56 a6 c1 a1 ad 34 1b a8 a5 db e8 4e f9 71 c8 2b fb 77 8b 84 6a 5f 0c 79 5c 04 8c ea 76 7f 09 79 7e 57 61 9c 61 38 75 c4 35 54 98 d1 f9 46 47 55 f0 4c b7 0b 9b 8a c3 09 b1 e1 c9 50 df 37 b7 1e 9c 86 8e 24 7c 82 f3 83 98 88 76 1c 74 34 ac 58 95 ba c2 44 bf 1f 11 60 06 c4 6a f0 0b 3b fb d1 80 9d e9 aa bc a6 4c fd 37 62 4e 18 b8 86 61 fe 51 49 4a 31 38 cf 83 03 ae 18 22 95 8e 7d 17 dc f2 cd f7 74 26 20 9b 9f 6d 5c 3b 08 c6 dc 2e 78 9b 7a e7 c4 ae 90 f9 56 be f3 d5 81 cd f5 43 d0 9d 19 cb f7 38 0b bd be 74 01 46 46 33 37 70 14 5c 29 Data Ascii: j0?m[-bT-T05TE[yl f Kb_Whf`WH~\| V4Nq+wj_y\vy~Waa8u5TFGULP7$\|vt4XD`j;L7bNaQIJ18"}t& m\;.xzVC8tFF37p\)
2022-09-07 09:41:00 UTC	1116	IN	Data Raw: f0 65 14 c8 7c 97 33 ef 36 10 87 89 83 05 ae 44 b5 27 d7 f0 ac a9 c6 f9 90 85 7b 02 41 02 3a b8 98 e4 01 5c f1 78 f9 d2 25 41 5e 97 47 ec a5 8e 85 b3 31 b4 0b bc c0 a5 35 50 ef 99 d1 3f eb 0e 54 25 5b 1a 32 c3 83 28 2b 7a b7 e1 95 83 85 bc 12 fc 84 d6 a6 b1 ab 4b e3 30 1e e1 ec bd 39 d1 41 1b a9 c0 6e dc 9f 40 6a 82 cc aa 71 cc 3b 72 85 4a f9 d7 85 14 30 89 68 2f 8d 85 8f 2f 49 84 87 13 65 c8 75 84 ca af 49 f4 06 20 e3 96 66 3d b1 4a 3d 01 6c a6 4e d2 c3 ed 2b ac 31 1c d2 8f a0 22 ea 42 64 95 76 6b a1 88 a6 7b 66 d3 32 b3 01 cd da 71 1b bb 71 c9 46 42 6f 3f 7f a7 3d 2b 2f 39 8b 73 b4 b0 a1 a5 90 57 cb 0d 8e 19 32 c6 97 fe f2 64 bb 13 a2 7e 94 92 af 96 a3 69 16 9c ff 23 14 17 da 95 f3 6c 17 9d 5a c6 d2 f4 97 3c a5 b4 69 be 85 3c f5 60 46 8c ac 56 ee 6b 23 Data Ascii: e\|36D'{A:\x%A^G15P?T%[2(+zK09An@jq;rJ0h//IeuI f=J=lN+1"Bdvk{f2qqFBo?=+/9sW2d~i#lZ<i<`FVk#
2022-09-07 09:41:00 UTC	1132	IN	Data Raw: c0 d7 4b 15 6e 2b c5 22 6a a9 7a 2e 97 a5 b4 0a 51 01 04 41 46 89 65 dc 07 23 af a5 85 13 e4 0c e9 0a ab cb 84 79 15 33 a9 23 6b a2 4d 9e 89 3b 89 0c 1d 10 c0 a3 fa ce 0b 3c d4 16 0d d0 d2 d5 42 06 12 bd 6f be d3 b2 d9 0d d6 35 e6 cc 68 91 1f bc 43 e6 52 c4 0f e6 e7 99 9f c4 3c ac 75 73 41 e6 97 ae 4b c0 a5 c3 16 0b 4b 4d b5 f2 97 a7 7c e6 f6 75 06 e8 fb de 63 9a 2c a3 d7 40 42 8e e4 2b d7 0a ec 7f 02 91 76 a6 81 be 83 a0 2f 0a 0f 49 d6 1c 3b 02 09 41 e4 ea a5 b0 d2 58 2f dd 64 11 b0 c0 b4 ce a1 14 46 1d eb 77 2a b1 a4 fa ae 13 4f 5d 1e e0 1d 88 24 90 6a 26 59 b8 72 20 b7 e4 8a 7f 5b 9d d4 32 0a 8b 08 8c df ef 06 b8 9c 09 a3 b5 90 67 c0 8b 20 d0 25 c6 42 1f 40 eb 02 31 a8 5f 09 6e b0 aa 2c dc 10 af 67 0d 65 84 70 d4 1c a4 d3 24 b6 ed 65 b3 29 e2 f8 14 23 Data Ascii: Kn+"jz.QAFe#y3#kM;<Bo5hCR<usAKKM\|uc,@B+v/I;AX/dFw*O]$j&Yr [2g %B@1_n,gep$e)#
2022-09-07 09:41:00 UTC	1148	IN	Data Raw: fc d9 b0 88 9d 8b a9 37 46 42 70 4c d9 5a b7 2b 9d 53 cd 26 e0 95 81 1f f5 cd e6 d1 1a e5 a3 fd 70 55 b5 f3 47 85 04 02 96 42 1c fb 57 c2 e1 51 b9 fc 42 7e 06 fc 3e 34 b3 fb c6 b1 73 4e dc 12 e4 9c eb 20 c6 90 50 63 5b 5c 53 f9 91 9e b0 40 32 72 94 cd d0 df 1d 27 2d 04 2a 9a d1 40 90 21 db c0 18 2f 80 b5 64 d8 01 6c 8e ba c4 1d ed d9 f3 1f a6 9b 3e 46 6b c4 0e 25 59 6b 8e 93 ec 91 96 f0 d7 03 65 17 b9 4f 6a 93 79 02 ad 8e e9 58 52 93 b2 3c f8 5e ce 21 4a 69 0f 62 4d de 1f 7f 1c 7c d1 30 f4 46 89 d5 26 59 14 91 56 b8 0f 93 7b b1 9b fa 75 1b f1 c1 0d 2a a1 7c 23 82 f8 04 60 7b a9 73 5a 1a a3 cd 33 b4 43 90 dd 71 91 75 47 77 84 ee e0 80 c6 f6 d4 2e 28 73 57 6f ff 92 5e 99 c1 87 45 7d 9c d6 ea 94 60 47 bc df e6 e7 03 22 85 06 10 f9 d2 77 59 46 ca 46 96 04 95 Data Ascii: 7FBpLZ+S&pUGBWQB~>4sN Pc[\S@2r'-@!/dl>Fk%YkeOjyXR<^!JibM\|0F&YV{u\|#`{sZ3CquGw.(sWo^E}`G"wYFF
2022-09-07 09:41:00 UTC	1164	IN	Data Raw: 49 4f 97 8b a8 85 12 ab 4d 2e ad c9 9d c6 31 fd 71 1a f2 9a 5c 0b ce f5 9c 89 43 9d b2 3f 0a fe f2 14 7e e4 e7 af b3 74 bf 8e 34 22 ea 40 be ff fc fb 0c 6b da 88 22 1c e3 b8 47 4e cb 7d 91 e7 e6 c3 1c b7 0a 03 8b 5b 0d 1e 25 3d f0 15 ad 6f 36 f2 e6 5a 45 13 23 dd 6d 38 2d 1f af f6 76 2a 3c d1 73 14 61 cd 71 47 f5 b9 24 a0 20 fc 48 5d 6d 5b 65 ea fd 10 84 c9 60 41 00 c1 5c 8e 84 63 78 70 5e 6e a9 69 c7 16 48 8d 4c e9 e6 9c a8 94 8e 25 e5 a2 31 9a c8 75 5f d3 c3 d4 4c 9d 6a 63 70 e3 32 e4 62 ee 56 12 af a2 bb 09 67 67 88 a8 0f 96 cf aa 02 14 79 a2 ed 2c b6 d6 cf 34 56 95 30 1f 16 0d 97 1c f6 e1 e6 3b b1 29 f6 bb 62 79 97 b0 d9 a1 c4 24 4e 48 c6 34 76 77 1a f2 15 79 b1 ff 2a f3 70 54 7a 8b 38 c6 74 71 62 af 37 d9 67 c2 bd d1 aa df 8f 8b b0 cb 27 d5 84 a2 e0 Data Ascii: IOM.1q\C?~t4"@k"GN}[%=o6ZE#m8-v<saqG$ H]m[e`A\cxp^niHL%1u_Ljcp2bVggy,4V0;)by$NH4vwypTz8tqb7g'
2022-09-07 09:41:00 UTC	1180	IN	Data Raw: 4b 88 d1 73 9f 8e c4 83 53 bf 93 2b 8b 94 f7 8b 22 cf ee 62 75 8d aa 81 ed 10 0f 1f 6f 92 5a 67 3d 1a 2f 76 be 61 20 3e 2f 5c a5 61 59 cd c4 b1 57 bd 2a 83 b3 0c 76 20 89 38 a2 4e 69 34 99 a0 2c 35 c0 40 03 f5 dd 6e 02 b4 91 8a 94 6c 08 2a 31 a6 3f 67 5f bd de 42 96 03 e3 cb 14 0a 4a 4c 24 3c 92 76 84 4e ff 58 30 0c b6 12 c5 eb 57 0b 64 1c 41 89 8b bd 06 9e 24 db 75 99 d7 33 2a e3 27 ba 0b 81 4e 17 13 2f e7 42 2f eb 5b ae 2a a9 2d d1 26 61 c0 3a df 87 d5 47 53 5e 0f db df 89 1b 03 fb 07 95 c9 26 e8 3f 6a 74 62 89 ff c8 05 1c a7 49 04 39 69 3e 81 4a 5f 04 3d b3 20 29 51 e6 02 58 26 9f 7c 82 21 c3 f5 0d 9b c3 3d f2 6d 0d ca a7 48 fa 22 43 f8 24 86 e7 37 82 c1 5f 3e 39 b7 99 5e a8 c8 13 15 8d fb c8 2a 2c 16 76 df c3 f2 ad d1 ee e5 5e 84 f1 26 fc e8 2f f4 36 Data Ascii: KsS+"buoZg=/va >/\aYWv 8Ni4,5@nl1?g_BJL$<vNX0WdA$u3'N/B/[-&a:GS^&?jtbI9i>J_= )QX&\|!=mH"C$7_>9^*,v^&/6
2022-09-07 09:41:00 UTC	1196	IN	Data Raw: 35 77 77 6c 5a b6 29 8f db a8 48 64 ce c3 68 5f 79 63 37 f1 cb 57 b5 7f 29 80 40 a0 39 b3 5b eb e9 a1 52 20 aa 18 6d 8f 9b 9a 66 b4 4d 61 55 8c 05 7c d9 74 d0 01 57 e1 e3 5f c8 ba 0c 3b a8 84 53 a8 8d 31 eb 0d 35 ed 76 d8 06 84 94 f8 b6 a3 7d b7 64 25 0c 59 b4 79 5c 34 78 7d 66 98 c5 b7 8f cb e6 82 07 85 3c 23 c1 e7 df 08 fe 64 26 3e 8a 89 ce 5b 13 28 8b 52 3f 11 84 36 82 63 8f a2 ac 60 e5 5f 16 1e b6 3b ef d6 25 fd 4d 52 51 4a 7e f3 64 2c 4e de bb cd ea 9a 22 9c fa b8 ca 4b 1f a0 96 43 65 76 f5 aa 7e 4f 71 69 4d 4a 94 55 ce e5 50 5e 9a da 7f e6 9d 8a a2 b5 67 1f 3a eb fc 2c bb 32 ad 8a e9 54 4c b7 47 77 98 d4 78 b2 3e 52 36 fe 6c c8 cc a2 01 dd 02 9d 1f 72 51 1c 27 6c 81 2f 0a 07 e7 96 be 6c 0b a1 e1 bf 5c c2 62 bf fa 34 44 fd 76 1c ce 0e 8a c6 f8 e1 44 Data Ascii: 5wwlZ)Hdh_yc7W)@9[R mfMaU\|tW_;S15v}d%Yy\4x}f<#d&>[(R?6c`_;%MRQJ~d,N"KCev~OqiMJUP^g:,2TLGwx>R6lrQ'l/l\b4DvD
2022-09-07 09:41:00 UTC	1212	IN	Data Raw: 12 da cb 0a 25 90 a1 48 16 98 b5 58 fb 5e 82 ed d1 bb 71 a4 48 01 48 1a 2a 7f 24 c4 1a 9f 3c c7 c7 12 58 ec a4 ef 6a 91 c7 b9 4d 18 5f 00 65 64 79 61 3a 99 c6 bf 78 b5 cf 7f a3 78 91 88 73 9b a9 d7 39 cf 23 4b f4 67 32 32 01 1a 46 d9 d7 22 e2 56 b6 ad 92 c4 ad 68 a6 29 50 e1 88 af f7 b1 94 7b 12 65 e9 d9 95 73 eb 3b 45 2c d9 a2 c8 db 85 39 c6 75 7a b8 19 dd a0 58 56 c7 21 b0 20 76 33 e2 2d e9 fc 32 c9 9c 99 44 1d 26 7f 2a a0 30 02 7c 35 a3 3f 19 5c b1 74 4d c0 d4 4e e7 f7 85 d1 fd f3 84 33 ea 8f 3c 40 ca cc a7 79 2e e3 d8 76 69 c1 6b 6e 1a 98 f6 f7 3e a3 5c e1 7b de 8e 48 8b bd f1 0a b1 47 77 b9 3d dd 4e 5b 73 96 ac 6c 1a 43 f5 d8 f3 a4 6c 67 91 ca 71 fa 63 7d da b1 aa 00 d7 7b fd e6 d0 90 ff 3c 54 1d ab 91 8a 18 d4 83 42 3b d6 b0 25 e8 da 13 95 44 d2 af Data Ascii: %HX^qHH$<XjM_edya:xxs9#Kg22F"Vh)P{es;E,9uzXV! v3-2D&0\|5?\tMN3<@y.vikn>\{HGw=N[slClgqc}{<TB;%D
2022-09-07 09:41:00 UTC	1228	IN	Data Raw: cd fc 4c 1c 1b f5 88 51 7d 0a ca c1 5c 42 5a 07 63 b1 c7 19 c3 a2 3a f1 a9 05 fb c6 8e 00 65 b7 b1 c1 6d 44 0e 66 7d 36 8d c9 b4 62 c6 7a c6 24 ee 6b f9 8c 6a ee f8 4d 8b 56 45 15 9e e5 8d 33 4d f6 22 74 e1 73 ed 05 d2 f9 84 5e 6b e4 a6 84 80 1a 32 9d 48 d3 27 6f bf 2e 85 12 5f 7b 71 cf 6a a8 0e c9 89 54 37 60 e8 27 d1 5d d1 fe 37 7a bf 01 29 de 90 e6 44 d9 c2 92 66 78 ce 84 e4 a1 0f 2e d1 ba 6e f1 31 9a 7a 43 0e a6 f8 fa 4c 18 e6 b9 76 71 51 f6 04 d5 a3 6e d9 1e 1f 03 81 8b 21 9a 0e 2d 8c 0f f6 8c c1 bf e6 7f 29 e7 1b 2f 71 8e 8e d3 12 cd 67 e4 e8 c5 e5 a5 43 09 9c a6 94 86 6b b2 4d af 01 80 a0 c1 f0 7f 3c 67 53 77 88 e4 55 bc 0c aa 3d f0 c0 e7 a8 67 ef 9f ce c9 c4 94 a5 a7 6a 58 1a 9f 46 30 c2 b6 43 41 c8 59 b2 70 e6 10 52 e7 61 ec 28 98 2a d0 df 78 48 Data Ascii: LQ}\BZc:emDf}6bz$kjMVE3M"ts^k2H'o._{qjT7`']7z)Dfx.n1zCLvqQn!-)/qgCkM<gSwU=gjXF0CAYpRa(*xH
2022-09-07 09:41:00 UTC	1244	IN	Data Raw: d5 6a 25 bb 36 da 09 44 3f 0f d0 51 6f 8e 02 20 f6 b5 d9 cc 6c f4 73 45 3f 0a 30 86 64 d5 eb a1 da 54 59 10 ee 81 79 3b c9 76 51 0f ef 10 e6 94 f3 8c ff 00 33 7e b6 65 c6 51 4a 4e 53 be ef 9c cd fc 36 9a 7d a6 59 d8 74 aa 01 bf 37 f9 2f 64 26 db cc 97 d2 6b df 2f 12 f4 3c 53 c7 cd 6e 2f 7a cf 8e c0 4f 48 2c df 3c d7 58 7f 7c 86 2d d4 5e 6f d2 5b 21 ee ea eb bc 9c 6b 88 e5 8f b4 55 82 56 de cc cf be bb 77 7b c8 bd 6c 43 55 2d a3 5a 54 59 ae 93 c8 c6 00 a3 ea 6d 86 88 64 3f 36 7f 8e cf d5 ff b4 25 93 aa c6 a9 24 e6 06 29 b2 df 80 8f 02 34 b6 98 f4 0a 7c 7a 5b 3f 0f bd 91 35 53 c6 4b 5e cd fe 17 e3 d8 89 82 eb b1 0e b7 96 95 54 98 5a 91 64 88 95 a9 59 b0 ee 27 b8 3b ce f9 8a 59 dd 1e d4 e8 d1 e2 b0 78 16 54 78 44 94 7a 72 9f 26 aa 2f 05 61 c0 ea c3 61 c6 c9 Data Ascii: j%6D?Qo lsE?0dTYy;vQ3~eQJNS6}Yt7/d&k/<Sn/zOH,<X\|-^o[!kUVw{lCU-ZTYmd?6%$)4\|z[?5SK^TZdY';YxTxDzr&/aa

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: 9ISNeRdj1B.exePID: 6672, Parent PID: 5432

General

Target ID:	1
Start time:	11:40:55
Start date:	07/09/2022
Path:	C:\Users\user\Desktop\9ISNeRdj1B.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9ISNeRdj1B.exe"
Imagebase:	0x400000
File size:	664115 bytes
MD5 hash:	82ABB3648AC3B46CE91801AE3D7BB2BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: FME.exePID: 6736, Parent PID: 6672

General

Target ID:	2
Start time:	11:40:57
Start date:	07/09/2022
Path:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe
Wow64 process (32bit):	false
Commandline:	.\FME.exe
Imagebase:	0x140000000
File size:	1448592 bytes
MD5 hash:	FAF97B20932D084C24A9A8FEDBE7C411
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: 7zS01A5A97E.exePID: 6888, Parent PID: 6736

General

Target ID:	4
Start time:	11:41:04
Start date:	07/09/2022
Path:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe" "C:\Users\user\AppData\Local\Temp\7zS01A5A97E
Imagebase:	0x140000000
File size:	1280144 bytes
MD5 hash:	B54DB15D63A62135E062D1FE6C976E48
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: FME.exePID: 4972, Parent PID: 6888

General

Target ID:	10
Start time:	11:41:40
Start date:	07/09/2022
Path:	C:\Users\user\AppData\Roaming\FMEV2\FME.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\FMEV2\FME.exe" /f "\\.\pipe\AHKANEKMCKF" "C:\Users\user\AppData\Local\Temp\7zS01A5A97E
Imagebase:	0x140000000
File size:	1448592 bytes
MD5 hash:	FAF97B20932D084C24A9A8FEDBE7C411
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 9ISNeRdj1B.exePID: 6672, Parent PID: 5432COMMON

Execution Graph

Execution Coverage:	17.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	36

Executed Functions

Function 0040BD85 Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 864
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E0040BD85(intOrPtr __ecx, void* __eflags) {
				void* __edi;
				signed int _t457;
				signed int _t461;
				intOrPtr _t462;
				intOrPtr _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t477;
				signed int _t478;
				signed int _t484;
				signed int _t487;
				void* _t489;
				signed int _t496;
				signed int _t497;
				signed int _t498;
				intOrPtr _t500;
				signed int _t502;
				signed int _t503;
				signed int _t507;
				signed int _t508;
				signed int _t514;
				signed int _t516;
				signed int _t518;
				signed int _t519;
				signed int _t528;
				signed int _t536;
				signed int* _t540;
				signed int _t545;
				void* _t548;
				signed int _t552;
				intOrPtr* _t558;
				signed int _t559;
				signed int _t560;
				signed int _t562;
				signed int _t563;
				signed char _t567;
				signed int _t569;
				signed int _t577;
				signed int _t579;
				signed int _t580;
				signed int _t586;
				signed int _t588;
				signed int _t589;
				signed int _t594;
				void* _t597;
				signed int _t608;
				signed int _t610;
				signed int _t613;
				signed int _t614;
				signed int _t615;
				intOrPtr _t616;
				intOrPtr _t632;
				signed int _t636;
				intOrPtr* _t637;
				signed int _t644;
				signed int _t685;
				signed int _t694;
				signed int _t698;
				intOrPtr* _t699;
				signed int _t746;
				signed int _t747;
				intOrPtr* _t752;
				intOrPtr _t757;
				signed int _t759;
				intOrPtr _t760;
				signed int _t763;
				signed int _t765;
				signed int _t766;
				signed int _t767;
				signed int _t768;
				signed int _t769;
				signed int _t771;
				signed int _t772;
				char* _t774;
				signed int* _t775;
				char* _t776;
				signed int _t777;
				signed int _t778;
				intOrPtr _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				intOrPtr* _t787;
				intOrPtr _t788;
				void* _t789;
				void* _t790;
				void* _t795;

				_t795 = __eflags;
				E00418D80(E0041A180, _t790);
				_t610 =  *(_t790 + 0x14);
				_t771 =  *(_t790 + 0x18);
				 *( *(_t790 + 0x2c)) =  *( *(_t790 + 0x2c)) & 0x00000000;
				 *((intOrPtr*)(_t790 - 0x14)) = __ecx;
				_t763 = _t771 << 2;
				 *(_t790 - 0x2c) =  *((intOrPtr*)(_t610 + 8)) +  *(_t763 +  *((intOrPtr*)(_t610 + 0x30))) * 8;
				E0040CA12(_t790 - 0x4c);
				 *(_t790 - 4) =  *(_t790 - 4) & 0x00000000;
				E0040F0A2(_t610, _t795, _t771, _t790 - 0x4c);
				 *(_t790 - 0x34) =  *( *((intOrPtr*)(_t610 + 0x34)) + _t771) & 0x000000ff;
				if( *(_t790 - 0x48) <= 0x20) {
					E0040BC96(_t790 - 0xc4);
					 *(_t790 - 4) = 1;
					E0040E83C(_t790 - 0x84);
					 *(_t790 - 4) = 2;
					E0040CB0A(_t790 - 0x4c, _t790 - 0xc4, __eflags);
					_t457 = E00407F05(_t790 - 0xc4, _t763, __eflags);
					__eflags = _t457;
					if(_t457 == 0) {
						L118:
						_t772 = 0x80004001;
						L172:
						_t437 = _t790 - 4;
						 *_t437 =  *(_t790 - 4) & 0x00000000;
						__eflags =  *_t437;
						E00403204(_t457,  *((intOrPtr*)(_t790 - 0x84)));
						E0040C85F(_t790 - 0xc4);
						goto L173;
					}
					_t462 =  *((intOrPtr*)(_t610 + 0x28));
					 *(_t790 + 0x17) = 1;
					_t746 = ( *( *((intOrPtr*)(_t610 + 0x34)) + _t771) & 0x000000ff) +  *(_t763 +  *((intOrPtr*)(_t610 + 0x2c)));
					__eflags =  *(_t790 + 0x1c);
					_t632 =  *((intOrPtr*)(_t462 + _t746 * 8));
					_t457 =  *(_t462 + 4 + _t746 * 8);
					if( *(_t790 + 0x1c) == 0) {
						L13:
						_t774 =  *((intOrPtr*)(_t790 - 0x14));
						__eflags =  *_t774;
						if( *_t774 == 0) {
							L15:
							_t463 =  *((intOrPtr*)(_t790 - 0x14));
							_t775 = _t463 + 0x5c;
							_t464 =  *(_t463 + 0x5c);
							__eflags = _t464;
							if(_t464 != 0) {
								 *((intOrPtr*)( *_t464 + 8))(_t464);
								 *_t775 =  *_t775 & 0x00000000;
								__eflags =  *_t775;
							}
							_push(0x84);
							_t465 = E004031DD();
							 *(_t790 + 0x18) = _t465;
							__eflags = _t465;
							 *(_t790 - 4) = 3;
							if(__eflags == 0) {
								_t466 = 0;
								__eflags = 0;
							} else {
								_t466 = E0040C88E(_t465, __eflags, 0);
							}
							 *(_t790 - 4) = 2;
							 *( *((intOrPtr*)(_t790 - 0x14)) + 0x54) = _t466;
							E004063E5(_t775, _t466);
							_t636 =  *( *((intOrPtr*)(_t790 - 0x14)) + 0x54);
							__eflags = _t636;
							if(_t636 == 0) {
								_t637 = 0;
								__eflags = 0;
							} else {
								_t637 = _t636 + 4;
							}
							_t776 =  *((intOrPtr*)(_t790 - 0x14));
							_t747 = _t790 - 0xc4;
							 *((intOrPtr*)(_t776 + 0x58)) = _t637;
							_t457 =  *((intOrPtr*)( *_t637))(_t747);
							__eflags = _t457;
							if(_t457 == 0) {
								__eflags =  *(_t790 - 0x48);
								 *(_t790 - 0x18) = 0;
								if(__eflags <= 0) {
									L35:
									E00408339(_t776 + 4, __eflags, _t790 - 0xc4);
									E0040CE11(_t776 + 0x44, _t790 - 0x84);
									 *_t776 = 1;
									_t774 =  *((intOrPtr*)(_t790 - 0x14));
									L36:
									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t774 + 0x58)))) + 0x10))();
									 *(_t790 + 0x1b) =  *(_t790 + 0x1b) & 0;
									__eflags =  *(_t790 - 0x48);
									_t477 =  *(_t763 +  *((intOrPtr*)(_t610 + 0x2c)));
									 *((intOrPtr*)(_t790 - 0x30)) = 0;
									 *(_t790 - 0x78) = _t477;
									 *((intOrPtr*)(_t790 - 0x1c)) = 0;
									if( *(_t790 - 0x48) <= 0) {
										L100:
										_t777 =  *(_t790 - 0x2c);
										__eflags =  *(_t790 + 0x20);
										if( *(_t790 + 0x20) != 0) {
											__eflags =  *(_t790 + 0x17);
											_t268 =  *(_t790 + 0x17) == 0;
											__eflags = _t268;
											 *((intOrPtr*)( *( *( *((intOrPtr*)(_t790 - 0x14)) + 0x58)) + 0xc))(_t747 & 0xffffff00 | _t268);
										}
										 *((intOrPtr*)(_t790 - 0x70)) = 0;
										 *(_t790 - 0x6c) = 0;
										 *((intOrPtr*)(_t790 - 0x68)) = 0;
										_push(0x30);
										 *(_t790 - 4) = 0xf;
										_t478 = E004031DD();
										 *(_t790 + 0x30) = _t478;
										__eflags = _t478;
										 *(_t790 - 4) = 0x10;
										if(_t478 == 0) {
											_t765 = 0;
											__eflags = 0;
										} else {
											_t765 = E0040CD3D(_t478);
										}
										__eflags = _t765;
										 *(_t790 + 0x30) = _t765;
										 *(_t790 - 4) = 0xf;
										 *(_t790 + 0x34) = _t765;
										if(_t765 != 0) {
											 *((intOrPtr*)( *_t765 + 4))(_t765);
										}
										__eflags =  *(_t790 - 0x38) - 1;
										_t613 =  *(_t790 + 8);
										 *(_t790 - 4) = 0x11;
										if( *(_t790 - 0x38) <= 1) {
											L128:
											 *(_t790 + 0x18) =  *(_t790 + 0x18) & 0x00000000;
											__eflags =  *(_t790 - 0x38);
											if( *(_t790 - 0x38) <= 0) {
												L144:
												_t479 =  *(_t790 - 0x6c);
												_t778 = 0;
												__eflags = _t479;
												_t614 = _t479;
												 *(_t790 + 0x1c) = 0;
												if(_t479 != 0) {
													__eflags = _t479 - 0x3fffffff;
													if(_t479 > 0x3fffffff) {
														_t479 = 0x3fffffff;
													}
													_t502 = _t479 << 2;
													__eflags = _t502;
													_push(_t502);
													_t778 = E004031DD();
													 *(_t790 + 0x1c) = _t778;
												}
												_t644 = 0;
												__eflags = _t614;
												if(_t614 <= 0) {
													L150:
													__eflags =  *(_t790 + 0x20);
													if( *(_t790 + 0x20) == 0) {
														E00403204(_t479, _t778);
														__eflags = _t765;
														 *(_t790 - 4) = 0xf;
														if(_t765 != 0) {
															 *((intOrPtr*)( *_t765 + 8))(_t765);
														}
														_t772 = 0x80004005;
														goto L171;
													}
													 *(_t790 + 0x30) = 0;
													__eflags =  *(_t790 + 0x24);
													 *(_t790 - 4) = 0x14;
													if( *(_t790 + 0x24) != 0) {
														_push(( *( *((intOrPtr*)(_t790 - 0x14)) + 0x58))[0x18]);
														_t496 = E004080CE( *( *((intOrPtr*)(_t790 - 0x14)) + 0x58));
														__eflags = _t496;
														if(_t496 == 0) {
															_push(0xc);
															_t497 = E004031DD();
															 *(_t790 + 0x14) = _t497;
															__eflags = _t497;
															 *(_t790 - 4) = 0x15;
															if(_t497 == 0) {
																_t498 = 0;
																__eflags = 0;
															} else {
																_push( *(_t790 + 0x24));
																_t498 = E0040CA28(_t497);
															}
															 *(_t790 - 4) = 0x14;
															E004063E5(_t790 + 0x30, _t498);
														}
													}
													 *(_t790 + 8) =  *(_t790 + 0x20);
													_t484 =  *(_t790 + 0x30);
													__eflags = _t484;
													if(_t484 == 0) {
														_t484 =  *(_t790 + 0x24);
													}
													_t615 =  *((intOrPtr*)( *( *( *((intOrPtr*)(_t790 - 0x14)) + 0x58)) + 0x18))(_t778, _t790 + 8, _t484,  *(_t790 + 0x2c));
													_t487 =  *(_t790 + 0x30);
													__eflags = _t487;
													 *(_t790 - 4) = 0x13;
													if(_t487 != 0) {
														_t487 =  *((intOrPtr*)( *_t487 + 8))(_t487);
													}
													E00403204(_t487, _t778);
													__eflags = _t765;
													 *(_t790 - 4) = 0xf;
													if(_t765 != 0) {
														 *((intOrPtr*)( *_t765 + 8))(_t765);
													}
													 *(_t790 - 4) = 2;
													_t489 = E0040CE6F(_t790 - 0x70, _t765);
													 *(_t790 - 4) =  *(_t790 - 4) & 0x00000000;
													E00403204(_t489,  *((intOrPtr*)(_t790 - 0x84)));
													E0040C85F(_t790 - 0xc4);
													 *(_t790 - 4) =  *(_t790 - 4) | 0xffffffff;
													E0040CDED(_t790 - 0x4c);
													_t461 = _t615;
													goto L174;
												} else {
													do {
														_t500 =  *((intOrPtr*)(_t790 - 0x70));
														_t479 =  *( *(_t500 + _t644 * 4));
														 *(_t778 + _t644 * 4) =  *( *(_t500 + _t644 * 4));
														_t644 = _t644 + 1;
														__eflags = _t644 - _t614;
													} while (_t644 < _t614);
													goto L150;
												}
											}
											_t765 = _t777;
											do {
												 *(_t790 + 0x1c) =  *(_t790 + 0x1c) & 0x00000000;
												_t616 =  *((intOrPtr*)(_t765 + 4));
												_t780 =  *_t765 +  *((intOrPtr*)(_t790 + 0xc));
												 *(_t790 - 4) = 0x12;
												asm("adc ebx, [ebp+0x10]");
												__eflags =  *(_t790 - 0x38) - 1;
												if( *(_t790 - 0x38) != 1) {
													_push(0x20);
													_t503 = E004031DD();
													__eflags = _t503;
													if(_t503 == 0) {
														_t350 = _t790 + 0x14;
														 *_t350 =  *(_t790 + 0x14) & 0x00000000;
														__eflags =  *_t350;
													} else {
														 *(_t503 + 4) =  *(_t503 + 4) & 0x00000000;
														 *(_t503 + 0x18) =  *(_t503 + 0x18) & 0x00000000;
														 *_t503 = 0x41bbfc;
														 *(_t790 + 0x14) = _t503;
													}
													E004063E5(_t790 + 0x1c,  *(_t790 + 0x14));
													_t356 =  *(_t790 + 0x14) + 0x18; // 0x18
													E004063E5(_t356,  *(_t790 + 0x30));
													_t507 =  *(_t790 + 0x14);
													 *((intOrPtr*)(_t507 + 0x10)) = _t780;
													 *(_t507 + 8) =  *(_t790 + 0x30);
													 *((intOrPtr*)(_t507 + 0x14)) = _t616;
													goto L137;
												}
												_t516 =  *(_t790 + 8);
												_t772 =  *((intOrPtr*)( *_t516 + 0x10))(_t516, _t780, _t616, 0, 0);
												__eflags = _t772;
												if(_t772 != 0) {
													_t518 =  *(_t790 + 0x1c);
													 *(_t790 - 4) = 0x11;
													__eflags = _t518;
													if(_t518 != 0) {
														 *((intOrPtr*)( *_t518 + 8))(_t518);
													}
													_t519 =  *(_t790 + 0x30);
													 *(_t790 - 4) = 0xf;
													__eflags = _t519;
													if(_t519 != 0) {
														 *((intOrPtr*)( *_t519 + 8))(_t519);
													}
													goto L171;
												}
												E004063E5(_t790 + 0x1c,  *(_t790 + 8));
												L137:
												_push(0x28);
												_t508 = E004031DD();
												__eflags = _t508;
												if(_t508 == 0) {
													_t781 = 0;
													__eflags = 0;
												} else {
													 *((intOrPtr*)(_t508 + 4)) = 0;
													 *((intOrPtr*)(_t508 + 8)) = 0;
													 *_t508 = 0x41bbec;
													_t781 = _t508;
												}
												E004063E5(E0040895D(_t790 - 0x70), _t781);
												_t366 = _t781 + 8; // 0x8
												E004063E5(_t366,  *(_t790 + 0x1c));
												 *(_t790 - 4) = 0x11;
												asm("sbb ecx, [edi+0x4]");
												 *(_t781 + 0x20) =  *(_t781 + 0x20) & 0x00000000;
												 *((intOrPtr*)(_t781 + 0x10)) =  *(_t765 + 8) -  *_t765;
												 *((intOrPtr*)(_t781 + 0x18)) = 0;
												 *((intOrPtr*)(_t781 + 0x14)) =  *((intOrPtr*)(_t765 + 0xc));
												 *((intOrPtr*)(_t781 + 0x1c)) = 0;
												_t514 =  *(_t790 + 0x1c);
												__eflags = _t514;
												if(_t514 != 0) {
													 *((intOrPtr*)( *_t514 + 8))(_t514);
												}
												 *(_t790 + 0x18) =  *(_t790 + 0x18) + 1;
												_t765 = _t765 + 8;
												__eflags =  *(_t790 + 0x18) -  *(_t790 - 0x38);
											} while ( *(_t790 + 0x18) <  *(_t790 - 0x38));
											_t765 =  *(_t790 + 0x30);
											goto L144;
										} else {
											asm("adc edx, [ebp+0x10]");
											_t765 =  *((intOrPtr*)( *_t613 + 0x10))(_t613,  *_t777 +  *((intOrPtr*)(_t790 + 0xc)),  *((intOrPtr*)(_t777 + 4)), 0,  *(_t790 + 0x30) + 0x10);
											__eflags = _t765;
											if(_t765 == 0) {
												E004063E5( *(_t790 + 0x30) + 8, _t613);
												_t765 =  *(_t790 + 0x30);
												goto L128;
											}
											_t528 =  *(_t790 + 0x30);
											 *(_t790 - 4) = 0xf;
											__eflags = _t528;
											if(_t528 != 0) {
												 *((intOrPtr*)( *_t528 + 8))(_t528);
											}
											_t772 = _t765;
											L171:
											 *(_t790 - 4) = 2;
											_t457 = E0040CE6F(_t790 - 0x70, _t765);
											goto L172;
										}
									}
									_t536 = _t477 << 3;
									__eflags = _t536;
									 *((intOrPtr*)(_t790 - 0x54)) = 0;
									 *(_t790 - 0x50) = _t536;
									do {
										_t782 =  *((intOrPtr*)(_t790 - 0x54)) +  *((intOrPtr*)(_t790 - 0x4c));
										 *(_t790 - 0x24) = _t782;
										_t540 =  *((intOrPtr*)( *( *( *((intOrPtr*)(_t790 - 0x14)) + 0x58)) + 8))( *((intOrPtr*)(_t790 - 0x1c)));
										_t685 =  *_t540;
										__eflags = _t685;
										_t766 = _t685;
										if(_t685 == 0) {
											_t766 = _t540[1];
										}
										__eflags =  *(_t790 + 0x1b);
										if( *(_t790 + 0x1b) != 0) {
											L52:
											 *(_t790 - 0x10) =  *(_t790 - 0x10) & 0x00000000;
											 *(_t790 - 4) = 0xb;
											 *((intOrPtr*)( *_t766))(_t766, 0x41b300, _t790 - 0x10);
											_t457 =  *(_t790 - 0x10);
											__eflags = _t457;
											if(_t457 == 0) {
												L58:
												__eflags = _t457;
												 *(_t790 - 4) = 2;
												if(_t457 != 0) {
													 *((intOrPtr*)( *_t457 + 8))(_t457);
												}
												 *(_t790 - 0x74) =  *(_t790 - 0x74) & 0x00000000;
												 *(_t790 - 0x10) =  *(_t790 - 0x10) & 0x00000000;
												 *(_t790 - 4) = 0xc;
												 *((intOrPtr*)( *_t766))(_t766, 0x41b2d0, _t790 - 0x10);
												_t767 =  *(_t790 - 0x10);
												__eflags = _t767;
												if(_t767 == 0) {
													L63:
													__eflags = _t767;
													 *(_t790 - 4) = 2;
													if(_t767 != 0) {
														 *((intOrPtr*)( *_t767 + 8))(_t767);
													}
													_t783 =  *(_t782 + 0x10);
													 *(_t790 - 0x18) =  *(_t790 - 0x18) & 0x00000000;
													__eflags = _t783;
													 *(_t790 - 0x28) = _t783;
													if(_t783 != 0) {
														_t562 = 0x1fffffff;
														__eflags = _t783 - 0x1fffffff;
														if(_t783 <= 0x1fffffff) {
															_t562 = _t783;
														}
														_t563 = _t562 << 3;
														__eflags = _t563;
														_push(_t563);
														 *(_t790 - 0x18) = E004031DD();
													}
													 *(_t790 - 0x20) =  *(_t790 - 0x20) & 0x00000000;
													 *(_t790 - 4) = 0xd;
													__eflags = _t783;
													if(_t783 != 0) {
														_t559 = 0x3fffffff;
														__eflags = _t783 - 0x3fffffff;
														if(_t783 <= 0x3fffffff) {
															_t559 = _t783;
														}
														_t560 = _t559 << 2;
														__eflags = _t560;
														_push(_t560);
														 *(_t790 - 0x20) = E004031DD();
													}
													 *(_t790 - 0x24) =  *(_t790 - 0x24) & 0x00000000;
													 *(_t790 - 4) = 0xe;
													__eflags = _t783;
													if(_t783 <= 0) {
														L96:
														_t545 =  *(_t790 + 0x1c);
														__eflags = _t545;
														if(_t545 == 0) {
															L98:
															_t545 =  *((intOrPtr*)(_t610 + 0x28)) +  *(_t790 - 0x50);
															__eflags = _t545;
															goto L99;
														}
														__eflags =  *((intOrPtr*)(_t790 - 0x1c)) -  *((intOrPtr*)(_t790 - 0xa0));
														if( *((intOrPtr*)(_t790 - 0x1c)) ==  *((intOrPtr*)(_t790 - 0xa0))) {
															goto L99;
														}
														goto L98;
													} else {
														_t768 =  *(_t790 - 0x18);
														_t784 =  *(_t790 - 0x2c);
														 *(_t790 - 0x10) =  *(_t790 - 0x20);
														do {
															_t752 =  *((intOrPtr*)(_t790 - 0x44));
															_t694 = 0;
															__eflags =  *(_t790 - 0x40);
															if( *(_t790 - 0x40) <= 0) {
																L85:
																_t694 = _t694 | 0xffffffff;
																__eflags = _t694;
																L86:
																__eflags = _t694;
																if(_t694 < 0) {
																	_t552 = 0;
																	__eflags =  *(_t790 - 0x38);
																	if( *(_t790 - 0x38) <= 0) {
																		L92:
																		_t552 = _t552 | 0xffffffff;
																		__eflags = _t552;
																		L93:
																		__eflags = _t552;
																		if(_t552 < 0) {
																			_t457 = E00403204(E00403204(_t552,  *(_t790 - 0x20)),  *(_t790 - 0x18));
																			goto L118;
																		}
																		_t698 =  *((intOrPtr*)(_t784 + 8 + _t552 * 8)) -  *((intOrPtr*)(_t784 + _t552 * 8));
																		__eflags = _t698;
																		asm("sbb edx, [esi+eax*8+0x4]");
																		 *_t768 = _t698;
																		 *((intOrPtr*)(_t768 + 4)) =  *((intOrPtr*)(_t784 + 0xc + _t552 * 8));
																		 *( *(_t790 - 0x10)) = _t768;
																		goto L95;
																	}
																	_t699 =  *((intOrPtr*)(_t790 - 0x3c));
																	while(1) {
																		__eflags =  *_t699 -  *((intOrPtr*)(_t790 - 0x30));
																		if( *_t699 ==  *((intOrPtr*)(_t790 - 0x30))) {
																			goto L93;
																		}
																		_t552 = _t552 + 1;
																		_t699 = _t699 + 4;
																		__eflags = _t552 -  *(_t790 - 0x38);
																		if(_t552 <  *(_t790 - 0x38)) {
																			continue;
																		}
																		goto L92;
																	}
																	goto L93;
																}
																 *( *(_t790 - 0x10)) =  *((intOrPtr*)(_t610 + 0x28)) + ( *((intOrPtr*)(_t752 + 4 + _t694 * 8)) +  *(_t790 - 0x78)) * 8;
																goto L95;
															}
															_t558 = _t752;
															while(1) {
																__eflags =  *_t558 -  *((intOrPtr*)(_t790 - 0x30));
																if( *_t558 ==  *((intOrPtr*)(_t790 - 0x30))) {
																	break;
																}
																_t694 = _t694 + 1;
																_t558 = _t558 + 8;
																__eflags = _t694 -  *(_t790 - 0x40);
																if(_t694 <  *(_t790 - 0x40)) {
																	continue;
																}
																_t784 =  *(_t790 - 0x2c);
																goto L85;
															}
															_t784 =  *(_t790 - 0x2c);
															goto L86;
															L95:
															 *(_t790 - 0x24) =  *(_t790 - 0x24) + 1;
															 *(_t790 - 0x10) =  *(_t790 - 0x10) + 4;
															_t768 = _t768 + 8;
															 *((intOrPtr*)(_t790 - 0x30)) =  *((intOrPtr*)(_t790 - 0x30)) + 1;
															__eflags =  *(_t790 - 0x24) -  *(_t790 - 0x28);
														} while ( *(_t790 - 0x24) <  *(_t790 - 0x28));
														goto L96;
													}
												} else {
													_t567 =  *(_t790 + 0x17);
													 *(_t790 - 0x74) = _t567;
													__eflags = _t567;
													_t769 =  *((intOrPtr*)( *_t767 + 0xc))(_t767, 0 | _t567 != 0x00000000);
													__eflags = _t769;
													if(_t769 != 0) {
														_t569 =  *(_t790 - 0x10);
														 *(_t790 - 4) = 2;
														__eflags = _t569;
														if(_t569 != 0) {
															_t569 =  *((intOrPtr*)( *_t569 + 8))(_t569);
														}
														 *(_t790 - 4) =  *(_t790 - 4) & 0x00000000;
														E00403204(_t569,  *((intOrPtr*)(_t790 - 0x84)));
														E0040C85F(_t790 - 0xc4);
														 *(_t790 - 4) =  *(_t790 - 4) | 0xffffffff;
														E0040CDED(_t790 - 0x4c);
														_t461 = _t769;
														goto L174;
													}
													_t767 =  *(_t790 - 0x10);
													goto L63;
												}
											}
											_t757 =  *((intOrPtr*)(_t782 + 0xc));
											__eflags = _t757 - 0xffffffff;
											if(_t757 > 0xffffffff) {
												__eflags = _t457;
												 *(_t790 - 4) = 2;
												if(_t457 != 0) {
													_t457 =  *((intOrPtr*)( *_t457 + 8))(_t457);
												}
												goto L118;
											}
											_t772 =  *((intOrPtr*)( *_t457 + 0xc))(_t457,  *((intOrPtr*)(_t782 + 8)), _t757);
											__eflags = _t772 - 0x80070057;
											if(_t772 == 0x80070057) {
												_t772 = 0x80004001;
											}
											__eflags = _t772;
											if(_t772 != 0) {
												_t457 =  *(_t790 - 0x10);
												 *(_t790 - 4) = 2;
												__eflags = _t457;
												if(_t457 != 0) {
													_t457 =  *((intOrPtr*)( *_t457 + 8))(_t457);
												}
												goto L172;
											} else {
												_t457 =  *(_t790 - 0x10);
												_t782 =  *(_t790 - 0x24);
												goto L58;
											}
										} else {
											__eflags =  *(_t790 + 0x30);
											if( *(_t790 + 0x30) == 0) {
												L47:
												 *(_t790 - 0x10) =  *(_t790 - 0x10) & 0x00000000;
												 *(_t790 - 4) = 0xa;
												 *((intOrPtr*)( *_t766))(_t766, 0x41b2b0, _t790 - 0x10);
												_t577 =  *(_t790 - 0x10);
												__eflags = _t577;
												if(_t577 == 0) {
													L50:
													__eflags = _t577;
													 *(_t790 - 4) = 2;
													if(_t577 != 0) {
														 *((intOrPtr*)( *_t577 + 8))(_t577);
													}
													goto L52;
												}
												 *(_t790 + 0x1b) = 1;
												_t579 =  *((intOrPtr*)( *_t577 + 0xc))(_t577,  *((intOrPtr*)(_t790 + 0x38)),  *((intOrPtr*)(_t790 + 0x3c)));
												__eflags = _t579;
												 *(_t790 - 0x28) = _t579;
												if(_t579 != 0) {
													_t580 =  *(_t790 - 0x10);
													 *(_t790 - 4) = 2;
													__eflags = _t580;
													if(_t580 != 0) {
														_t580 =  *((intOrPtr*)( *_t580 + 8))(_t580);
													}
													 *(_t790 - 4) =  *(_t790 - 4) & 0x00000000;
													E00403204(_t580,  *((intOrPtr*)(_t790 - 0x84)));
													E0040C85F(_t790 - 0xc4);
													 *(_t790 - 4) =  *(_t790 - 4) | 0xffffffff;
													E0040CDED(_t790 - 0x4c);
													_t461 =  *(_t790 - 0x28);
													goto L174;
												}
												_t577 =  *(_t790 - 0x10);
												goto L50;
											}
											 *(_t790 - 0x10) =  *(_t790 - 0x10) & 0x00000000;
											 *(_t790 - 4) = 9;
											 *((intOrPtr*)( *_t766))(_t766, 0x41b2e0, _t790 - 0x10);
											_t586 =  *(_t790 - 0x10);
											__eflags = _t586;
											if(_t586 == 0) {
												L45:
												__eflags = _t586;
												 *(_t790 - 4) = 2;
												if(_t586 != 0) {
													 *((intOrPtr*)( *_t586 + 8))(_t586);
												}
												goto L47;
											}
											 *(_t790 + 0x1b) = 1;
											_t588 =  *((intOrPtr*)( *_t586 + 0xc))(_t586,  *(_t790 + 0x34));
											__eflags = _t588;
											 *(_t790 - 0x28) = _t588;
											if(_t588 != 0) {
												_t589 =  *(_t790 - 0x10);
												 *(_t790 - 4) = 2;
												__eflags = _t589;
												if(_t589 != 0) {
													_t589 =  *((intOrPtr*)( *_t589 + 8))(_t589);
												}
												 *(_t790 - 4) =  *(_t790 - 4) & 0x00000000;
												E00403204(_t589,  *((intOrPtr*)(_t790 - 0x84)));
												E0040C85F(_t790 - 0xc4);
												 *(_t790 - 4) =  *(_t790 - 4) | 0xffffffff;
												E0040CDED(_t790 - 0x4c);
												_t461 =  *(_t790 - 0x28);
												goto L174;
											}
											_t586 =  *(_t790 - 0x10);
											goto L45;
										}
										L99:
										_t747 =  *( *( *((intOrPtr*)(_t790 - 0x14)) + 0x58));
										_t548 = E00403204( *((intOrPtr*)(_t747 + 0x14))( *((intOrPtr*)(_t790 - 0x1c)), _t545,  *(_t790 - 0x20),  *(_t790 - 0x74)),  *(_t790 - 0x20));
										 *(_t790 - 4) = 2;
										E00403204(_t548,  *(_t790 - 0x18));
										 *((intOrPtr*)(_t790 - 0x1c)) =  *((intOrPtr*)(_t790 - 0x1c)) + 1;
										 *(_t790 - 0x50) =  *(_t790 - 0x50) + 8;
										 *((intOrPtr*)(_t790 - 0x54)) =  *((intOrPtr*)(_t790 - 0x54)) + 0x18;
										__eflags =  *((intOrPtr*)(_t790 - 0x1c)) -  *(_t790 - 0x48);
									} while ( *((intOrPtr*)(_t790 - 0x1c)) <  *(_t790 - 0x48));
									goto L100;
								}
								 *(_t790 + 0x18) = 0;
								while(1) {
									 *(_t790 - 0x64) =  *(_t790 - 0x64) & 0x00000000;
									 *(_t790 - 0x60) =  *(_t790 - 0x60) & 0x00000000;
									_t787 =  *(_t790 + 0x18) +  *((intOrPtr*)(_t790 - 0x4c));
									_push( *((intOrPtr*)(_t787 + 4)));
									 *(_t790 - 4) = 4;
									_push( *_t787);
									_t594 = E00406310(0, _t790 - 0x64, __eflags);
									__eflags = _t594;
									if(_t594 != 0) {
										break;
									}
									_t788 =  *((intOrPtr*)(_t787 + 0x10));
									__eflags = _t788 - 1;
									if(_t788 != 1) {
										__eflags =  *(_t790 - 0x60);
										if( *(_t790 - 0x60) == 0) {
											L83:
											 *(_t790 - 4) = 7;
											E0040B44C(_t790 - 0x60);
											 *(_t790 - 4) = 2;
											_t597 = E0040B44C(_t790 - 0x64);
											 *(_t790 - 4) =  *(_t790 - 4) & 0x00000000;
											E00403204(_t597,  *((intOrPtr*)(_t790 - 0x84)));
											E0040C85F(_t790 - 0xc4);
											 *(_t790 - 4) =  *(_t790 - 4) | 0xffffffff;
											E0040CDED(_t790 - 0x4c);
											_t461 = 0x80004001;
											goto L174;
										}
										__eflags =  *((intOrPtr*)(_t790 - 0x58)) - _t788;
										if( *((intOrPtr*)(_t790 - 0x58)) != _t788) {
											goto L83;
										}
										L33:
										_t747 = _t790 - 0x64;
										 *((intOrPtr*)( *( *( *((intOrPtr*)(_t790 - 0x14)) + 0x58)) + 4))(_t747);
										 *(_t790 - 4) = 8;
										E0040B44C(_t790 - 0x60);
										 *(_t790 - 4) = 2;
										E0040B44C(_t790 - 0x64);
										 *(_t790 - 0x18) =  *(_t790 - 0x18) + 1;
										 *(_t790 + 0x18) =  *(_t790 + 0x18) + 0x18;
										__eflags =  *(_t790 - 0x18) -  *(_t790 - 0x48);
										if(__eflags < 0) {
											continue;
										}
										_t776 =  *((intOrPtr*)(_t790 - 0x14));
										goto L35;
									}
									__eflags =  *(_t790 - 0x64) - _t594;
									if( *(_t790 - 0x64) == _t594) {
										 *(_t790 - 4) = 6;
										_t772 = 0x80004001;
										L82:
										E0040B44C(_t790 - 0x60);
										 *(_t790 - 4) = 2;
										_t457 = E0040B44C(_t790 - 0x64);
										goto L172;
									}
									goto L33;
								}
								 *(_t790 - 4) = 5;
								_t772 = _t594;
								goto L82;
							} else {
								_t772 = _t457;
								goto L172;
							}
						}
						_t747 = _t774 + 4;
						_t608 = E0040CBF8(_t790 - 0xc4, _t747);
						__eflags = _t608;
						if(_t608 != 0) {
							goto L36;
						}
						goto L15;
					}
					_t759 =  *(_t790 + 0x1c);
					_t789 =  *_t759;
					_t760 =  *((intOrPtr*)(_t759 + 4));
					__eflags = _t760 - _t457;
					if(__eflags < 0) {
						__eflags = _t789 - _t632;
						L9:
						if(__eflags != 0) {
							L12:
							_t41 = _t790 + 0x17;
							 *_t41 =  *(_t790 + 0x17) & 0x00000000;
							__eflags =  *_t41;
							goto L13;
						}
						__eflags = _t760 - _t457;
						if(_t760 != _t457) {
							goto L12;
						} else {
							 *(_t790 + 0x17) = 1;
							goto L13;
						}
					}
					if(__eflags > 0) {
						L7:
						_t772 = 0x80004005;
						goto L172;
					}
					__eflags = _t789 - _t632;
					if(__eflags <= 0) {
						goto L9;
					}
					goto L7;
				} else {
					_t772 = 0x80004001;
					L173:
					 *(_t790 - 4) =  *(_t790 - 4) | 0xffffffff;
					E0040CDED(_t790 - 0x4c);
					_t461 = _t772;
					L174:
					 *[fs:0x0] =  *((intOrPtr*)(_t790 - 0xc));
					return _t461;
				}
			}

0x0040bd85
0x0040bd8a
0x0040bd99
0x0040bd9d
0x0040bda0
0x0040bda7
0x0040bdaf
0x0040bdbb
0x0040bdbe
0x0040bdc3
0x0040bdce
0x0040bdde
0x0040bde1
0x0040bdf3
0x0040bdfe
0x0040be02
0x0040be10
0x0040be14
0x0040be1f
0x0040be24
0x0040be26
0x0040c494
0x0040c494
0x0040c789
0x0040c78f
0x0040c78f
0x0040c78f
0x0040c793
0x0040c79f
0x00000000
0x0040c79f
0x0040be32
0x0040be35
0x0040be3d
0x0040be40
0x0040be44
0x0040be47
0x0040be4b
0x0040be7b
0x0040be7b
0x0040be7e
0x0040be81
0x0040be99
0x0040be99
0x0040be9c
0x0040be9f
0x0040bea2
0x0040bea4
0x0040bea9
0x0040beac
0x0040beac
0x0040beac
0x0040beaf
0x0040beb4
0x0040beba
0x0040bebd
0x0040bebf
0x0040bec3
0x0040bed0
0x0040bed0
0x0040bec5
0x0040bec9
0x0040bec9
0x0040bed6
0x0040beda
0x0040bedf
0x0040bee7
0x0040beea
0x0040beec
0x0040bef3
0x0040bef3
0x0040beee
0x0040beee
0x0040beee
0x0040bef5
0x0040bef8
0x0040beff
0x0040bf04
0x0040bf08
0x0040bf0a
0x0040bf13
0x0040bf16
0x0040bf19
0x0040bfb1
0x0040bfbb
0x0040bfca
0x0040bfcf
0x0040bfd2
0x0040bfd5
0x0040bfda
0x0040bfe2
0x0040bfe5
0x0040bfe8
0x0040bfeb
0x0040bfee
0x0040bff1
0x0040bff4
0x0040c34b
0x0040c34b
0x0040c350
0x0040c353
0x0040c358
0x0040c35e
0x0040c35e
0x0040c364
0x0040c364
0x0040c367
0x0040c36a
0x0040c36d
0x0040c370
0x0040c372
0x0040c376
0x0040c37c
0x0040c37f
0x0040c381
0x0040c385
0x0040c49e
0x0040c49e
0x0040c38b
0x0040c392
0x0040c392
0x0040c4a0
0x0040c4a2
0x0040c4a5
0x0040c4a9
0x0040c4ac
0x0040c4b1
0x0040c4b1
0x0040c4b4
0x0040c4b8
0x0040c4bb
0x0040c4bf
0x0040c50a
0x0040c50a
0x0040c50e
0x0040c512
0x0040c620
0x0040c620
0x0040c623
0x0040c625
0x0040c627
0x0040c629
0x0040c62c
0x0040c633
0x0040c635
0x0040c637
0x0040c637
0x0040c639
0x0040c639
0x0040c63c
0x0040c642
0x0040c645
0x0040c645
0x0040c64a
0x0040c64c
0x0040c64e
0x0040c660
0x0040c660
0x0040c663
0x0040c764
0x0040c769
0x0040c76c
0x0040c770
0x0040c775
0x0040c775
0x0040c778
0x00000000
0x0040c778
0x0040c669
0x0040c66c
0x0040c66f
0x0040c673
0x0040c67b
0x0040c67e
0x0040c683
0x0040c685
0x0040c687
0x0040c689
0x0040c68f
0x0040c692
0x0040c694
0x0040c698
0x0040c6d1
0x0040c6d1
0x0040c69a
0x0040c69a
0x0040c69f
0x0040c69f
0x0040c6d7
0x0040c6db
0x0040c6db
0x0040c685
0x0040c6e3
0x0040c6e6
0x0040c6e9
0x0040c6eb
0x0040c6ed
0x0040c6ed
0x0040c704
0x0040c706
0x0040c709
0x0040c70b
0x0040c70f
0x0040c714
0x0040c714
0x0040c718
0x0040c71d
0x0040c720
0x0040c724
0x0040c729
0x0040c729
0x0040c72f
0x0040c733
0x0040c73e
0x0040c742
0x0040c74e
0x0040c753
0x0040c75a
0x0040c75f
0x00000000
0x0040c650
0x0040c650
0x0040c650
0x0040c656
0x0040c658
0x0040c65b
0x0040c65c
0x0040c65c
0x00000000
0x0040c650
0x0040c64e
0x0040c518
0x0040c51a
0x0040c51a
0x0040c520
0x0040c523
0x0040c526
0x0040c52a
0x0040c52d
0x0040c531
0x0040c559
0x0040c55b
0x0040c560
0x0040c563
0x0040c578
0x0040c578
0x0040c578
0x0040c565
0x0040c565
0x0040c569
0x0040c56d
0x0040c573
0x0040c573
0x0040c582
0x0040c58d
0x0040c590
0x0040c595
0x0040c59b
0x0040c59e
0x0040c5a1
0x00000000
0x0040c5a1
0x0040c533
0x0040c542
0x0040c544
0x0040c546
0x0040c6a6
0x0040c6a9
0x0040c6ad
0x0040c6af
0x0040c6b4
0x0040c6b4
0x0040c6b7
0x0040c6ba
0x0040c6be
0x0040c6c0
0x0040c6c9
0x0040c6c9
0x00000000
0x0040c6c0
0x0040c552
0x0040c5a4
0x0040c5a4
0x0040c5a6
0x0040c5ae
0x0040c5b0
0x0040c5c2
0x0040c5c2
0x0040c5b2
0x0040c5b2
0x0040c5b5
0x0040c5b8
0x0040c5be
0x0040c5be
0x0040c5cf
0x0040c5d7
0x0040c5da
0x0040c5e7
0x0040c5eb
0x0040c5ee
0x0040c5f2
0x0040c5f5
0x0040c5f8
0x0040c5fb
0x0040c5fe
0x0040c601
0x0040c603
0x0040c608
0x0040c608
0x0040c60b
0x0040c611
0x0040c614
0x0040c614
0x0040c61d
0x00000000
0x0040c4c1
0x0040c4d4
0x0040c4dd
0x0040c4df
0x0040c4e1
0x0040c502
0x0040c507
0x00000000
0x0040c507
0x0040c4e3
0x0040c4e6
0x0040c4ea
0x0040c4ec
0x0040c4f1
0x0040c4f1
0x0040c4f4
0x0040c77d
0x0040c780
0x0040c784
0x00000000
0x0040c784
0x0040c4bf
0x0040bffa
0x0040bffa
0x0040bffd
0x0040c000
0x0040c003
0x0040c00c
0x0040c012
0x0040c01a
0x0040c01d
0x0040c01f
0x0040c021
0x0040c023
0x0040c025
0x0040c025
0x0040c028
0x0040c02c
0x0040c0c7
0x0040c0c7
0x0040c0d7
0x0040c0db
0x0040c0dd
0x0040c0e0
0x0040c0e2
0x0040c118
0x0040c118
0x0040c11a
0x0040c11e
0x0040c123
0x0040c123
0x0040c126
0x0040c12a
0x0040c13a
0x0040c13e
0x0040c140
0x0040c143
0x0040c145
0x0040c168
0x0040c168
0x0040c16a
0x0040c16e
0x0040c173
0x0040c173
0x0040c176
0x0040c179
0x0040c17d
0x0040c17f
0x0040c182
0x0040c184
0x0040c189
0x0040c18b
0x0040c18d
0x0040c18d
0x0040c18f
0x0040c18f
0x0040c192
0x0040c199
0x0040c199
0x0040c19c
0x0040c1a0
0x0040c1a4
0x0040c1a6
0x0040c1a8
0x0040c1ad
0x0040c1af
0x0040c1b1
0x0040c1b1
0x0040c1b3
0x0040c1b3
0x0040c1b6
0x0040c1bd
0x0040c1bd
0x0040c1c0
0x0040c1c4
0x0040c1c8
0x0040c1ca
0x0040c2ef
0x0040c2ef
0x0040c2f2
0x0040c2f4
0x0040c301
0x0040c307
0x0040c307
0x00000000
0x0040c307
0x0040c2f9
0x0040c2ff
0x00000000
0x00000000
0x00000000
0x0040c1d0
0x0040c1d3
0x0040c1d6
0x0040c1d9
0x0040c1dc
0x0040c1dc
0x0040c1df
0x0040c1e1
0x0040c1e4
0x0040c27d
0x0040c27d
0x0040c27d
0x0040c280
0x0040c280
0x0040c282
0x0040c298
0x0040c29a
0x0040c29d
0x0040c2b2
0x0040c2b2
0x0040c2b2
0x0040c2b5
0x0040c2b5
0x0040c2b7
0x0040c48d
0x00000000
0x0040c493
0x0040c2c5
0x0040c2c5
0x0040c2c8
0x0040c2cf
0x0040c2d1
0x0040c2d4
0x00000000
0x0040c2d4
0x0040c29f
0x0040c2a2
0x0040c2a5
0x0040c2a7
0x00000000
0x00000000
0x0040c2a9
0x0040c2aa
0x0040c2ad
0x0040c2b0
0x00000000
0x00000000
0x00000000
0x0040c2b0
0x00000000
0x0040c2a2
0x0040c294
0x00000000
0x0040c294
0x0040c1ea
0x0040c1ec
0x0040c1ee
0x0040c1f1
0x00000000
0x00000000
0x0040c1f7
0x0040c1f8
0x0040c1fb
0x0040c1fe
0x00000000
0x00000000
0x0040c200
0x00000000
0x0040c200
0x0040c278
0x00000000
0x0040c2d6
0x0040c2d6
0x0040c2d9
0x0040c2e0
0x0040c2e3
0x0040c2e6
0x0040c2e6
0x00000000
0x0040c1dc
0x0040c147
0x0040c147
0x0040c14e
0x0040c151
0x0040c15b
0x0040c15d
0x0040c15f
0x0040c443
0x0040c446
0x0040c44a
0x0040c44c
0x0040c451
0x0040c451
0x0040c45a
0x0040c45e
0x0040c46a
0x0040c46f
0x0040c476
0x0040c47b
0x00000000
0x0040c47b
0x0040c165
0x00000000
0x0040c165
0x0040c145
0x0040c0e4
0x0040c0e7
0x0040c0ea
0x0040c419
0x0040c41b
0x0040c41f
0x0040c424
0x0040c424
0x00000000
0x0040c41f
0x0040c0fb
0x0040c0fd
0x0040c103
0x0040c105
0x0040c105
0x0040c10a
0x0040c10c
0x0040c429
0x0040c42c
0x0040c430
0x0040c432
0x0040c43b
0x0040c43b
0x00000000
0x0040c112
0x0040c112
0x0040c115
0x00000000
0x0040c115
0x0040c032
0x0040c032
0x0040c036
0x0040c07e
0x0040c07e
0x0040c08e
0x0040c092
0x0040c094
0x0040c097
0x0040c099
0x0040c0b9
0x0040c0b9
0x0040c0bb
0x0040c0bf
0x0040c0c4
0x0040c0c4
0x00000000
0x0040c0bf
0x0040c0a0
0x0040c0a8
0x0040c0ab
0x0040c0ad
0x0040c0b0
0x0040c3d9
0x0040c3dc
0x0040c3e0
0x0040c3e2
0x0040c3e7
0x0040c3e7
0x0040c3f0
0x0040c3f4
0x0040c400
0x0040c405
0x0040c40c
0x0040c411
0x00000000
0x0040c411
0x0040c0b6
0x00000000
0x0040c0b6
0x0040c038
0x0040c048
0x0040c04c
0x0040c04e
0x0040c051
0x0040c053
0x0040c070
0x0040c070
0x0040c072
0x0040c076
0x0040c07b
0x0040c07b
0x00000000
0x0040c076
0x0040c05a
0x0040c05f
0x0040c062
0x0040c064
0x0040c067
0x0040c399
0x0040c39c
0x0040c3a0
0x0040c3a2
0x0040c3a7
0x0040c3a7
0x0040c3b0
0x0040c3b4
0x0040c3c0
0x0040c3c5
0x0040c3cc
0x0040c3d1
0x00000000
0x0040c3d1
0x0040c06d
0x00000000
0x0040c06d
0x0040c309
0x0040c315
0x0040c321
0x0040c329
0x0040c32d
0x0040c332
0x0040c335
0x0040c33c
0x0040c340
0x0040c344
0x00000000
0x0040c003
0x0040bf1f
0x0040bf22
0x0040bf28
0x0040bf2c
0x0040bf30
0x0040bf33
0x0040bf3b
0x0040bf3f
0x0040bf41
0x0040bf46
0x0040bf48
0x00000000
0x00000000
0x0040bf4e
0x0040bf51
0x0040bf54
0x0040bf61
0x0040bf65
0x0040c22f
0x0040c232
0x0040c236
0x0040c23e
0x0040c242
0x0040c24d
0x0040c251
0x0040c25d
0x0040c262
0x0040c269
0x0040c26e
0x00000000
0x0040c26e
0x0040bf6b
0x0040bf6e
0x00000000
0x00000000
0x0040bf74
0x0040bf77
0x0040bf80
0x0040bf86
0x0040bf8a
0x0040bf92
0x0040bf96
0x0040bf9b
0x0040bfa1
0x0040bfa5
0x0040bfa8
0x00000000
0x00000000
0x0040bfae
0x00000000
0x0040bfae
0x0040bf56
0x0040bf59
0x0040c20d
0x0040c211
0x0040c216
0x0040c219
0x0040c221
0x0040c225
0x00000000
0x0040c225
0x00000000
0x0040bf5f
0x0040c205
0x0040c209
0x00000000
0x0040bf0c
0x0040bf0c
0x00000000
0x0040bf0c
0x0040bf0a
0x0040be83
0x0040be8c
0x0040be91
0x0040be93
0x00000000
0x00000000
0x00000000
0x0040be93
0x0040be4d
0x0040be50
0x0040be52
0x0040be55
0x0040be57
0x0040be69
0x0040be6b
0x0040be6b
0x0040be77
0x0040be77
0x0040be77
0x0040be77
0x00000000
0x0040be77
0x0040be6d
0x0040be6f
0x00000000
0x0040be71
0x0040be71
0x00000000
0x0040be71
0x0040be6f
0x0040be59
0x0040be5f
0x0040be5f
0x00000000
0x0040be5f
0x0040be5b
0x0040be5d
0x00000000
0x00000000
0x00000000
0x0040bde3
0x0040bde3
0x0040c7a4
0x0040c7a4
0x0040c7ab
0x0040c7b0
0x0040c7b2
0x0040c7b8
0x0040c7c0
0x0040c7c0

APIs

__EH_prolog.LIBCMT ref: 0040BD8A

Part of subcall function 0040F0A2: _CxxThrowException.MSVCRT(?,0041C760), ref: 0040F0EB

Strings

, xrefs: 0040BDD6

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: ExceptionH_prologThrow
String ID:
API String ID: 461045715-3916222277
Opcode ID: 055ae584b20e1ea3af66418b54e75253f7de4b866fd1f42a9a4958f33cabfb67
Instruction ID: 9dd891245016f0e6c4d5ed255e412f020d35e1d655fa0f2a31f40bb369a830a0
Opcode Fuzzy Hash: 055ae584b20e1ea3af66418b54e75253f7de4b866fd1f42a9a4958f33cabfb67
Instruction Fuzzy Hash: 91827E31900259DFDB14DFA4C884BAEBBB0BF05314F2442AEE815BB2D2D778AD45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00404B47 Relevance: 1.5, APIs: 1, Instructions: 24
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404B47(void** __ecx, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
				struct _WIN32_FIND_DATAW _v596;
				void* _t8;
				void** _t14;

				_t14 = __ecx;
				if(E00404B27(__ecx) == 0) {
					L2:
					return 0;
				}
				_t8 = FindFirstFileW(_a4,  &_v596); // executed
				 *_t14 = _t8;
				if(_t8 != 0xffffffff) {
					E00404B8C( &_v596, _a8, __eflags);
					return 1;
				}
				goto L2;
			}

0x00404b51
0x00404b5a
0x00404b73
0x00000000
0x00404b73
0x00404b66
0x00404b6f
0x00404b71
0x00404b80
0x00000000
0x00404b85
0x00000000

APIs

Part of subcall function 00404B27: FindClose.KERNELBASE(00000000,000000FF,00404B58), ref: 00404B32

FindFirstFileW.KERNELBASE(?,?), ref: 00404B66

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 71d3481ca684b1bef4711d28faad769efb473fbe63790087f208eb28159082e8
Instruction ID: 8d5b1ebed930f7aebe848b96ddff61a25dc6a55b7fd75e971453d958bc1fd6fb
Opcode Fuzzy Hash: 71d3481ca684b1bef4711d28faad769efb473fbe63790087f208eb28159082e8
Instruction Fuzzy Hash: D7E092B000010456CF20AF24CC45AEA37BCAF91328F1041BAA960772D0DB38F94ACB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401014 Relevance: 49.6, APIs: 8, Strings: 20, Instructions: 609
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00401014(void* __eflags, intOrPtr _a4, signed int _a7) {
				signed int _v5;
				signed int _v16;
				WCHAR* _v20;
				signed int _v28;
				char _v32;
				WCHAR* _v44;
				signed int _v52;
				char _v56;
				signed int _v64;
				signed int _v68;
				char _v80;
				char _v92;
				char _v104;
				char _v116;
				char _v120;
				signed int _v128;
				char _v132;
				char _v144;
				signed int _v152;
				char _v156;
				char _v160;
				char _v172;
				char _v184;
				WCHAR* _v196;
				char _v200;
				char _v212;
				struct _STARTUPINFOW _v280;
				struct _PROCESS_INFORMATION _v296;
				void* __ebp;
				signed int _t244;
				signed int _t247;
				signed int _t251;
				signed int _t252;
				signed int _t260;
				signed int _t264;
				signed int _t287;
				int _t288;
				void* _t289;
				void* _t291;
				void* _t321;
				int _t339;
				signed int _t379;
				signed int _t383;
				signed int _t384;
				int _t398;
				void* _t491;
				void* _t530;
				void* _t547;
				intOrPtr _t548;
				signed int _t549;
				char** _t550;

				 *0x41f158 = _a4;
				if(E00401951() != 0) {
					E004143E0();
					E0040368D( &_v184);
					E0040368D( &_v32);
					E0040368D( &_v132);
					E0040368D( &_v104);
					E004036B0( &_v44, GetCommandLineW());
					E00403204(E00403000( &_v44,  &_v184,  &_v32), _v44);
					E0040368D( &_v144);
					E004042C1( &_v144);
					E00403AFE( &_v32);
					E00403AB3( &_v32);
					_a7 = 0;
					_t244 = E00403270( &_v32, "-y");
					__eflags = _t244;
					if(_t244 != 0) {
						__eflags = _v32 + 4;
						_a7 = 1;
						E0040376E( &_v32, _v32 + 4);
						E00403AFE( &_v32);
						E00403AB3( &_v32);
					}
					E004033AD( &_v156);
					_push( &_v156);
					_push(";!@InstallEnd@!");
					_t247 = E004019F5(_v144, ";!@Install@!UTF-8!", __eflags); // executed
					__eflags = _t247;
					if(_t247 != 0) {
						E004036F3( &_v172, ".\\");
						E0040368D( &_v56);
						__eflags = _v152;
						_v160 = 1;
						if(_v152 == 0) {
							L23:
							_v120 = 0;
							E0040368D( &_v116);
							_push( *0x41b1b0);
							_t251 = E00404A40( &_v120, __eflags); // executed
							__eflags = _t251;
							if(_t251 != 0) {
								_push(0x18);
								_t252 = E004031DD();
								__eflags = _t252;
								if(_t252 == 0) {
									_t549 = 0;
									__eflags = 0;
								} else {
									_t549 = E00401987(_t252);
								}
								__eflags = _t549;
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t549 + 4))(_t549);
								}
								__eflags = E0040930E(_t549, __eflags);
								if(__eflags == 0) {
									E00403740( &_v92, __eflags,  &_v116);
									_v5 = 0;
									E0040368D( &_v20);
									_push( &_v20);
									_push( &_v5);
									_push(_v160);
									_push( &_v92); // executed
									_t260 = E004024DB(_t549,  &_v144, __eflags); // executed
									__eflags = _t260;
									if(_t260 == 0) {
										E00403204(_t260, _v20);
										E0040368D( &_v212);
										_v200 = 1;
										E00404834( &_v212);
										_t264 = E00404826(_v92);
										__eflags = _t264;
										if(_t264 != 0) {
											__eflags = _v128;
											if(__eflags == 0) {
												__eflags = _v52;
												if(__eflags != 0) {
													L62:
													E00403740( &_v44, __eflags,  &_v92);
													E004055BC( &_v44);
													E004036B0( &_v20, L"%%T\\");
													E00403204(E00403204(E00403B7D( &_v56,  &_v20,  &_v44), _v20), _v44);
													E00403740( &_v68, __eflags,  &_v56);
													E004036B0( &_v44, "%%T");
													E00403204(E00403B7D( &_v56,  &_v44,  &_v92), _v44);
													__eflags = _v28;
													if(__eflags != 0) {
														E0040393C();
														E0040399C( &_v56, __eflags,  &_v32);
													}
													_v280.cb = 0x44;
													_v280.lpReserved = 0;
													_v280.lpDesktop.cbSize = 0;
													_v280.lpTitle = 0;
													_v280.dwFlags = 0;
													_v280.cbReserved2 = 0;
													_v280.lpReserved2 = 0;
													E00403204(E00403740( &_v196, __eflags, E00403632( &_v80,  &_v172,  &_v56)), _v80);
													_t287 = CreateProcessW(0, _v196, 0, 0, 0, 0, 0, 0,  &_v280,  &_v296); // executed
													__eflags = _t287;
													if(_t287 != 0) {
														_t288 = CloseHandle(_v296.hThread);
														_t547 = _v296.hProcess;
														_t289 = E00403204(_t288, _v196);
														_push(_v68);
														L74:
														E00403204(_t289);
														__eflags = _t547;
														if(_t547 != 0) {
															WaitForSingleObject(_t547, 0xffffffff);
															CloseHandle(_t547);
														}
														_t291 = E004018CA( &_v212); // executed
														E00403204(_t291, _v92);
														__eflags = _t549;
														if(_t549 != 0) {
															 *((intOrPtr*)( *_t549 + 8))(_t549);
														}
														goto L78;
													} else {
														__eflags = _a7;
														if(__eflags == 0) {
															_t287 = E00401BAE( &_v68, __eflags);
														}
														E00403204(E00403204(_t287, _v196), _v68);
														L68:
														E00403204(E004018CA( &_v212), _v92);
														L69:
														__eflags = _t549;
														if(_t549 != 0) {
															 *((intOrPtr*)( *_t549 + 8))(_t549);
														}
														E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00404ACE( &_v120), _v116), _v56), _v172), _v156), _v144), _v104), _v132), _v32), _v184);
														goto L72;
													}
												}
												E0040376E( &_v56, L"setup.exe");
												__eflags = E00405155(_v56, __eflags);
												if(__eflags != 0) {
													goto L62;
												}
												__eflags = _a7;
												if(_a7 == 0) {
													E0040B77A(0, L"Can not find setup.exe");
												}
												goto L68;
											}
											E00403740( &_v44, __eflags,  &_v132);
											__eflags = _v28;
											_v280.lpDesktop.cbSize = 0x3c;
											_v280.lpTitle = 0x140;
											_v280.dwX = 0;
											_v280.dwY = 0;
											_v280.dwXSize = _v44;
											if(__eflags != 0) {
												E00403944( &_v104);
												E0040399C( &_v104, __eflags,  &_v32);
											}
											E00403740( &_v68, __eflags,  &_v104);
											asm("sbb eax, eax");
											_t548 = 1;
											_v280.dwXCountChars = 0;
											_v280.dwYCountChars = _t548;
											_v280.hStdError = 0;
											_v280.dwYSize =  ~_v64 & _v68;
											_t339 = ShellExecuteExW( &(_v280.lpDesktop));
											__eflags = _v280.dwFillAttribute - 0x20;
											if(_v280.dwFillAttribute > 0x20) {
												_t547 = _v280.hStdError;
												_t289 = E00403204(_t339, _v68);
												_push(_v44);
												goto L74;
											} else {
												__eflags = _a7;
												if(_a7 == 0) {
													__eflags = 0;
													_t339 = E0040B77A(0, L"Can not open file");
												}
												E00403204(E00403204(_t339, _v68), _v44);
												E00403204(E004018CA( &_v212), _v92);
												__eflags = _t549;
												if(_t549 != 0) {
													 *((intOrPtr*)( *_t549 + 8))(_t549);
												}
												E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00404ACE( &_v120), _v116), _v56), _v172), _v156), _v144), _v104), _v132), _v32), _v184);
												return _t548;
											}
										}
										E00403204(E004018CA( &_v212), _v92);
										goto L46;
									}
									__eflags = _a7;
									if(_a7 != 0) {
										L43:
										E00403204(E00403204(_t260, _v20), _v92);
										goto L69;
									}
									__eflags = _t260 - 1;
									if(_t260 == 1) {
										L38:
										_t491 = 8;
										E00405FAD(_t491,  &_v20);
										_t260 = 0x80004005;
										L39:
										__eflags = _t260 - 0x80004004;
										if(_t260 != 0x80004004) {
											__eflags = _v16;
											if(__eflags == 0) {
												E00403204(E004037D2( &_v20, E00404319( &_v80, _t260, __eflags)), _v80);
											}
											_t530 = 7;
											_t260 = E00403204(MessageBoxW(0, _v20,  *(E00405E4F( &_v80, _t530)), 0x10), _v80);
										}
										goto L43;
									}
									__eflags = _v5;
									if(_v5 == 0) {
										goto L39;
									}
									goto L38;
								} else {
									E0040B77A(0, L"Can not load codecs");
									L46:
									__eflags = _t549;
									if(_t549 != 0) {
										 *((intOrPtr*)( *_t549 + 8))(_t549);
									}
									L26:
									_push(1);
									_pop(0);
									L78:
									_t247 = E00403204(E00403204(E00403204(E00404ACE( &_v120), _v116), _v56), _v172);
									_t550 =  &(_t550[3]);
									L79:
									E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(_t247, _v156), _v144), _v104), _v132), _v32), _v184);
									L80:
									return 0;
								}
							}
							__eflags = _a7;
							if(_a7 == 0) {
								__eflags = 0;
								E0040B77A(0, L"Can not create temp folder archive");
							}
							goto L26;
						}
						E0040E83C( &_v20);
						_t379 = E00403C57( &_v156,  &_v20, __eflags); // executed
						__eflags = _t379;
						if(_t379 != 0) {
							E00403F77( &_v44,  &_v20, "Title");
							E00403F77( &_v68,  &_v20, "BeginPrompt");
							E00403F77( &_v196,  &_v20, "Progress");
							_t383 = E004032CE(_v196, "no");
							__eflags = _t383;
							if(_t383 != 0) {
								_v160 = 0;
							}
							_t384 = E00403F46( &_v20, "Directory");
							__eflags = _t384;
							if(_t384 >= 0) {
								__eflags =  *((intOrPtr*)(_v20 + _t384 * 4)) + 0xc;
								E004037D2( &_v172,  *((intOrPtr*)(_v20 + _t384 * 4)) + 0xc);
							}
							__eflags = _v64;
							if(_v64 == 0) {
								L22:
								E00403204(E004037D2( &_v56, E00403F77( &_v80,  &_v20, "RunProgram")), _v80);
								 *_t550 = "ExecuteFile";
								E00403204(E004037D2( &_v132, E00403F77( &_v80,  &_v20)), _v80);
								 *_t550 = "ExecuteParameters";
								E00403204(E00403204(E00403204(E00403204(E004037D2( &_v104, E00403F77( &_v80,  &_v20)), _v80), _v196), _v68), _v44);
								_t550 =  &(_t550[4]);
								E00401C64( &_v20);
								goto L23;
							} else {
								__eflags = _a7;
								if(_a7 != 0) {
									goto L22;
								}
								_t398 = MessageBoxW(0, _v68, _v44, 0x24);
								__eflags = _t398 - 6;
								if(_t398 == 6) {
									goto L22;
								}
								E00403204(E00403204(E00403204(_t398, _v196), _v68), _v44);
								_t550 =  &(_t550[3]);
								L21:
								E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00403204(E00401C64( &_v20), _v56), _v172), _v156), _v144), _v104), _v132), _v32), _v184);
								goto L80;
							}
						}
						__eflags = _a7;
						if(_a7 == 0) {
							__eflags = 0;
							E0040B77A(0, L"Config failed");
						}
						_push(1);
						_pop(0);
						goto L21;
					}
					__eflags = _a7;
					if(_a7 == 0) {
						__eflags = 0;
						_t247 = E0040B77A(0, L"Can\'t load config info");
					}
					_push(1);
					_pop(0);
					goto L79;
				} else {
					E0040B77A(0, L"Unsupported Windows version");
					L72:
					_t321 = 1;
					return _t321;
				}
			}

0x00401023
0x0040102f
0x00401042
0x0040104d
0x00401055
0x0040105d
0x00401065
0x00401074
0x0040108e
0x0040109a
0x004010a5
0x004010ad
0x004010b5
0x004010c4
0x004010c7
0x004010cc
0x004010ce
0x004010d6
0x004010d9
0x004010de
0x004010e6
0x004010ee
0x004010ee
0x004010f9
0x0040110a
0x0040110b
0x00401115
0x0040111a
0x0040111c
0x00401142
0x0040114a
0x0040114f
0x0040115b
0x00401162
0x00401337
0x0040133a
0x0040133d
0x00401342
0x0040134b
0x00401350
0x00401352
0x0040136d
0x0040136f
0x00401374
0x00401377
0x00401384
0x00401384
0x00401379
0x00401380
0x00401380
0x00401386
0x00401388
0x0040138d
0x0040138d
0x00401397
0x00401399
0x004013b3
0x004013bb
0x004013be
0x004013cc
0x004013d0
0x004013d4
0x004013dc
0x004013dd
0x004013e2
0x004013e4
0x00401465
0x00401471
0x0040147c
0x00401483
0x0040148b
0x00401490
0x00401492
0x004014bb
0x004014be
0x0040161a
0x0040161d
0x00401652
0x00401659
0x00401661
0x0040166e
0x0040168e
0x0040169c
0x004016a9
0x004016c1
0x004016c6
0x004016ca
0x004016cf
0x004016db
0x004016db
0x004016ed
0x004016f7
0x004016fd
0x00401703
0x00401709
0x0040170f
0x00401716
0x00401730
0x00401751
0x00401757
0x00401759
0x0040180c
0x00401818
0x0040181e
0x00401823
0x00401826
0x00401826
0x0040182c
0x0040182f
0x00401834
0x0040183b
0x0040183b
0x00401847
0x0040184f
0x00401854
0x00401857
0x0040185c
0x0040185c
0x00000000
0x0040175f
0x0040175f
0x00401762
0x00401767
0x00401767
0x0040177a
0x00401781
0x0040178f
0x00401794
0x00401794
0x00401797
0x0040179c
0x0040179c
0x004017f6
0x00000000
0x004017fb
0x00401759
0x00401627
0x00401634
0x00401636
0x00000000
0x00000000
0x00401638
0x0040163b
0x00401648
0x00401648
0x00000000
0x0040163b
0x004014cb
0x004014d3
0x004014d6
0x004014e0
0x004014ea
0x004014f0
0x004014f6
0x004014fc
0x00401501
0x0040150d
0x0040150d
0x00401519
0x00401525
0x00401527
0x0040152b
0x00401531
0x00401537
0x0040153d
0x0040154a
0x00401550
0x00401557
0x00401607
0x0040160d
0x00401612
0x00000000
0x0040155d
0x0040155d
0x00401560
0x00401567
0x00401569
0x00401569
0x00401579
0x0040158e
0x00401593
0x00401596
0x0040159b
0x0040159b
0x004015f5
0x00000000
0x004015fd
0x00401557
0x004014a2
0x00000000
0x004014a7
0x004013e6
0x004013e9
0x0040144c
0x00401457
0x00000000
0x0040145c
0x004013eb
0x004013ee
0x004013f5
0x004013fa
0x004013fb
0x00401400
0x00401405
0x00401405
0x0040140a
0x0040140c
0x0040140f
0x00401427
0x0040142c
0x00401432
0x00401446
0x0040144b
0x00000000
0x0040140a
0x004013f0
0x004013f3
0x00000000
0x00000000
0x00000000
0x0040139b
0x004013a2
0x004014a8
0x004014a8
0x004014aa
0x004014b3
0x004014b3
0x00401365
0x00401365
0x00401367
0x0040185f
0x0040187d
0x00401882
0x00401885
0x004018b9
0x004018c1
0x00000000
0x004018c1
0x00401399
0x00401354
0x00401357
0x0040135e
0x00401360
0x00401360
0x00000000
0x00401357
0x0040116b
0x00401179
0x0040117e
0x00401180
0x004011a6
0x004011b6
0x004011c9
0x004011d9
0x004011de
0x004011e0
0x004011e2
0x004011e2
0x004011f0
0x004011f5
0x004011f7
0x00401205
0x00401209
0x00401209
0x0040120e
0x00401211
0x004012aa
0x004012c6
0x004012d1
0x004012e9
0x004012f4
0x00401327
0x0040132c
0x00401332
0x00000000
0x00401217
0x00401217
0x0040121a
0x00000000
0x00000000
0x00401229
0x0040122b
0x0040122e
0x00000000
0x00000000
0x00401246
0x0040124b
0x0040124e
0x0040129d
0x00000000
0x004012a2
0x00401211
0x00401182
0x00401185
0x0040118c
0x0040118e
0x0040118e
0x00401193
0x00401195
0x00000000
0x00401195
0x0040111e
0x00401121
0x00401128
0x0040112a
0x0040112a
0x0040112f
0x00401131
0x00000000
0x00401031
0x00401038
0x004017fe
0x00401800
0x00000000
0x00401800

APIs

Part of subcall function 00401951: GetVersionExW.KERNEL32(?), ref: 0040196B

GetCommandLineW.KERNEL32(?,?,00000000), ref: 0040106A

Part of subcall function 0040B77A: MessageBoxW.USER32(00000000,?,7-Zip,00000010), ref: 0040B783

Strings

%%T, xrefs: 004016A1
Can't load config info, xrefs: 00401123
D, xrefs: 004016ED
Can not find setup.exe, xrefs: 00401641
Directory, xrefs: 004011E8
Config failed, xrefs: 00401187
%%T\, xrefs: 00401666
BeginPrompt, xrefs: 004011AB
Title, xrefs: 0040119B
Unsupported Windows version, xrefs: 00401031
;!@InstallEnd@!, xrefs: 0040110B
RunProgram, xrefs: 004012AA
Can not load codecs, xrefs: 0040139B
setup.exe, xrefs: 0040161F
;!@Install@!UTF-8!, xrefs: 00401110
<, xrefs: 004014D6
Progress, xrefs: 004011BB
Can not create temp folder archive, xrefs: 00401359
Can not open file, xrefs: 00401562
, xrefs: 00401550

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: CommandLineMessageVersion
String ID: $%%T$%%T\$;!@Install@!UTF-8!$;!@InstallEnd@!$<$BeginPrompt$Can not create temp folder archive$Can not find setup.exe$Can not load codecs$Can not open file$Can't load config info$Config failed$D$Directory$Progress$RunProgram$Title$Unsupported Windows version$setup.exe
API String ID: 1181637900-2745836148
Opcode ID: ec7ecb58216214b09ea9710f76f04f9cb8237cb4ba440b2ee37f70f34a2c058d
Instruction ID: 78f7f2e9f043a6e6e6b7956f289dc4eafbfd083bebb4df73e2f95e0f672d6238
Opcode Fuzzy Hash: ec7ecb58216214b09ea9710f76f04f9cb8237cb4ba440b2ee37f70f34a2c058d
Instruction Fuzzy Hash: 6F320971800119AACF15BFA2CC52AEDBF39AF04319F1084BFE515761E2DB395A89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041910C Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char** _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t23;
				intOrPtr* _t24;
				void* _t27;
				void _t29;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;

				_push(0xffffffff);
				_push(0x41c298);
				_push(0x419106);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x4213e4 =  *0x4213e4 | 0xffffffff;
				 *0x4213e8 =  *0x4213e8 | 0xffffffff;
				_t23 = __p__fmode();
				_t46 =  *0x41f3c8; // 0x0
				 *_t23 = _t46;
				_t24 = __p__commode();
				_t47 =  *0x41f3c4; // 0x0
				 *_t24 = _t47;
				 *0x4213ec = _adjust_fdiv;
				_t27 = E00419297( *_adjust_fdiv);
				_t61 =  *0x41f150; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E00419294);
				}
				E00419282(_t27);
				_push(0x41f038);
				_push(0x41f034);
				L0041927C();
				_t29 =  *0x41f3c0; // 0x0
				_v112 = _t29;
				__getmainargs( &_v100,  &_v116,  &_v104,  *0x41f3bc,  &_v112);
				_push(0x41f030);
				_push(0x41f000);
				L0041927C();
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while(1) {
						__eflags =  *_t55 - 0x20;
						if(__eflags <= 0) {
							goto L7;
						}
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				L7:
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				_t69 = _v96.dwFlags & 0x00000001;
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_t40 = E00401014(_t69, GetModuleHandleA(0), 0, _t55, _t38); // executed
				_v108 = _t40;
				exit(_t40); // executed
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L00419276();
				return _t41;
			}

0x0041910f
0x00419111
0x00419116
0x00419121
0x00419122
0x0041912f
0x00419134
0x00419139
0x00419140
0x00419147
0x0041914e
0x00419154
0x0041915a
0x0041915c
0x00419162
0x00419168
0x00419171
0x00419176
0x0041917b
0x00419181
0x00419188
0x0041918e
0x0041918f
0x00419194
0x00419199
0x0041919e
0x004191a3
0x004191a8
0x004191c1
0x004191c7
0x004191cc
0x004191d1
0x004191de
0x004191e0
0x004191e6
0x00419222
0x00419222
0x00419225
0x00000000
0x00000000
0x00419227
0x00419228
0x00419228
0x004191e8
0x004191e8
0x004191e8
0x004191e9
0x004191ec
0x004191ee
0x004191f9
0x004191fb
0x004191fb
0x004191fc
0x004191fc
0x004191f9
0x004191ff
0x004191ff
0x00419203
0x00000000
0x00000000
0x00419209
0x00419210
0x00419216
0x0041921a
0x0041922f
0x0041921c
0x0041921c
0x0041921c
0x0041923b
0x00419240
0x00419244
0x0041924a
0x0041924f
0x00419251
0x00419254
0x00419255
0x00419256
0x0041925d

APIs

__set_app_type.MSVCRT ref: 00419139
__p__fmode.MSVCRT ref: 0041914E
__p__commode.MSVCRT ref: 0041915C
__setusermatherr.MSVCRT ref: 00419188
_initterm.MSVCRT ref: 0041919E
__getmainargs.MSVCRT ref: 004191C1
_initterm.MSVCRT ref: 004191D1
GetStartupInfoA.KERNEL32(?), ref: 00419210
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00419234
exit.KERNELBASE ref: 00419244
_XcptFilter.MSVCRT ref: 00419256

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 953566137ff324d2cc08c920b6bee47bf00e17c29684309f18a3ad35c9c7aab9
Instruction ID: 00b1766c458623f5937beb69801fb3c22a2eab9a989783d6d676752ba79aceb1
Opcode Fuzzy Hash: 953566137ff324d2cc08c920b6bee47bf00e17c29684309f18a3ad35c9c7aab9
Instruction Fuzzy Hash: 7041AD71940358BFDB24CFA4DC99AEA7BB8EB09710F20456FE852933A1D7384C81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040492E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 98
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040492E(intOrPtr __ecx, void* __edx, signed short** _a4, signed char _a8) {
				signed int _v8;
				intOrPtr _v12;
				char _v28;
				void* __ebp;
				signed int _t21;
				signed int _t22;
				signed int _t23;
				void* _t25;
				signed char _t26;
				long _t28;
				signed int _t34;
				signed char _t35;
				void* _t40;
				void* _t42;
				void* _t49;
				unsigned int _t53;
				signed short** _t54;
				unsigned int _t59;
				void* _t60;

				_t42 = __edx;
				_v12 = __ecx;
				_t21 = GetCurrentThreadId();
				_t22 = GetTickCount();
				_t23 = GetCurrentProcessId();
				_t54 = _a4;
				_t59 = (_t21 << 0x00000002 ^ _t22) << 0x0000000c ^ _t23;
				_v8 = _v8 & 0x00000000;
				do {
					E0040376E(_t54, _v12);
					if(_t42 == 0) {
						L12:
						_t69 = _a8;
						_t42 = 1;
						if(_a8 != 0) {
							E004039D8(_t54, ".tmp");
						}
						_t25 = E004051AE( *_t54, _t69); // executed
						if(_t25 == 0) {
							__eflags = _a8;
							if(_a8 == 0) {
								_t26 = E0040447D( *_t54);
							} else {
								_t26 = E00405489( *_t54, 0);
							}
							__eflags = _t26;
							if(_t26 != 0) {
								return 1;
							} else {
								_t28 = GetLastError();
								__eflags = _t28 - 0x50;
								if(_t28 == 0x50) {
									goto L22;
								}
								__eflags = _t28 - 0xb7;
								if(_t28 != 0xb7) {
									break;
								}
								goto L22;
							}
						} else {
							SetLastError(0xb7);
							goto L22;
						}
					}
					_t53 = _t59;
					_t49 = 0;
					do {
						_t34 = _t53 & 0x0000000f;
						_t53 = _t53 >> 4;
						if(_t34 >= 0xa) {
							_t35 = _t34 + 0x37;
							__eflags = _t35;
						} else {
							_t35 = _t34 + 0x30;
						}
						 *(_t60 + _t49 - 0x18) = _t35;
						_t49 = _t49 + 1;
					} while (_t49 < 8);
					 *(_t60 + _t49 - 0x18) =  *(_t60 + _t49 - 0x18) & 0x00000000;
					if(_a8 != 0) {
						E00401EF8(_t54, 0x2e);
					}
					E004039D8(_t54,  &_v28);
					_t40 = GetTickCount() + 2;
					if(_t40 == 0) {
						_t40 = 1;
					}
					_t59 = _t59 + _t40;
					goto L12;
					L22:
					_v8 = _v8 + 1;
				} while (_v8 < 0x64);
				_t54[1] = _t54[1] & 0x00000000;
				 *( *_t54) =  *( *_t54) & 0x00000000;
				return 0;
			}

0x00404937
0x00404939
0x0040493c
0x00404947
0x00404952
0x00404958
0x0040495b
0x0040495d
0x00404961
0x00404966
0x0040496d
0x004049c0
0x004049c0
0x004049c4
0x004049c6
0x004049cf
0x004049cf
0x004049d6
0x004049dd
0x004049ef
0x004049f1
0x00404a01
0x004049f3
0x004049f8
0x004049f8
0x00404a06
0x00404a08
0x00000000
0x00404a0a
0x00404a0a
0x00404a10
0x00404a13
0x00000000
0x00000000
0x00404a15
0x00404a1a
0x00000000
0x00000000
0x00000000
0x00404a1a
0x004049df
0x004049e4
0x00000000
0x004049e4
0x004049dd
0x0040496f
0x00404971
0x00404973
0x00404975
0x00404978
0x0040497e
0x00404985
0x00404985
0x00404980
0x00404980
0x00404980
0x00404988
0x0040498c
0x0040498d
0x00404992
0x0040499b
0x004049a1
0x004049a1
0x004049ac
0x004049b8
0x004049b9
0x004049bd
0x004049bd
0x004049be
0x00000000
0x00404a1c
0x00404a1c
0x00404a1f
0x00404a2b
0x00404a2f
0x00000000

APIs

GetCurrentThreadId.KERNEL32 ref: 0040493C
GetTickCount.KERNEL32 ref: 00404947
GetCurrentProcessId.KERNEL32(?,00000000,00404A99,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000), ref: 00404952
GetTickCount.KERNEL32 ref: 004049B1
SetLastError.KERNEL32(000000B7,00000000,?,00000000,00404A99,?,00000000), ref: 004049E4
GetLastError.KERNEL32(00000000,?,00000000,00404A99,?,00000000), ref: 00404A0A

Part of subcall function 0040447D: CreateDirectoryW.KERNELBASE(00000000,00000000,00404A06,00000000,?,00000000,00404A99,?,00000000), ref: 00404480

Strings

d, xrefs: 00404A1F
.tmp, xrefs: 004049C8

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: CountCurrentErrorLastTick$CreateDirectoryProcessThread
String ID: .tmp$d
API String ID: 3074393274-2797371523
Opcode ID: f19ce56c7826e0bf107473bc8c697ce6a70b0feafaf69e5a630db6a82c9332e3
Instruction ID: 18cd839078860563eabca9c9166aecfd8bb13a7da93ccbaeff0eff10b9c7e743
Opcode Fuzzy Hash: f19ce56c7826e0bf107473bc8c697ce6a70b0feafaf69e5a630db6a82c9332e3
Instruction Fuzzy Hash: D331EDF2A402049BDB14ABB4D84A7AF7B65ABD1319F14413BEA42B72C1D73C8C418B99

Uniqueness

Uniqueness Score: -1.00%

Function 00406018 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406018(intOrPtr* __ecx) {
				struct _MEMORYSTATUS _v36;
				signed int _v56;
				intOrPtr _v60;
				struct _MEMORYSTATUSEX _v100;
				_Unknown_base(*)()* _t20;
				intOrPtr _t22;
				intOrPtr _t24;
				signed int _t27;
				intOrPtr* _t28;
				void* _t31;

				_t28 = __ecx;
				 *__ecx = 0x80000000;
				 *(__ecx + 4) =  *(__ecx + 4) & 0x00000000;
				_v100.dwLength = 0x40;
				_t20 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GlobalMemoryStatusEx");
				if(_t20 == 0) {
					L8:
					_v36.dwLength = 0x20;
					GlobalMemoryStatus( &_v36);
					_t22 = _v36.dwTotalVirtual;
					if(_t22 >= _v36.dwTotalPhys) {
						_t22 = _v36.dwTotalPhys;
					}
					 *_t28 = _t22;
					 *(_t28 + 4) =  *(_t28 + 4) & 0x00000000;
				} else {
					GlobalMemoryStatusEx( &_v100); // executed
					if(_t20 == 0) {
						goto L8;
					} else {
						_t27 = _v56;
						_t24 = _v100.ullTotalPhys;
						_t31 = _t27 - _v100.ullAvailPhys;
						if(_t31 > 0 || _t31 >= 0 && _v60 >= _t24) {
							_t27 = _v100.ullAvailPhys;
						} else {
							_t24 = _v60;
						}
						 *_t28 = _t24;
						 *(_t28 + 4) = _t27;
					}
				}
				return 1;
			}

0x0040601f
0x0040602b
0x00406031
0x00406035
0x00406043
0x0040604b
0x00406078
0x0040607b
0x00406083
0x00406089
0x0040608f
0x00406091
0x00406091
0x00406094
0x00406096
0x0040604d
0x00406051
0x00406055
0x00000000
0x00406057
0x00406057
0x0040605a
0x0040605d
0x00406060
0x0040606e
0x00406069
0x00406069
0x00406069
0x00406071
0x00406073
0x00406073
0x00406055
0x0040609e

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040603C
GetProcAddress.KERNEL32(00000000), ref: 00406043
GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00406051
GlobalMemoryStatus.KERNEL32 ref: 00406083

Strings

kernel32.dll, xrefs: 00406026
, xrefs: 0040607B
GlobalMemoryStatusEx, xrefs: 00406021
@, xrefs: 00406035

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: GlobalMemoryStatus$AddressHandleModuleProc
String ID: $@$GlobalMemoryStatusEx$kernel32.dll
API String ID: 180289352-802862622
Opcode ID: 3e885fa00bb47ba29b610c8aff3464296625ee5c326c36c9750f9013a6749dc4
Instruction ID: 6939841f741f7d36a15a20a0e3427741af3cfa69e4de5986cbad5950b484ded2
Opcode Fuzzy Hash: 3e885fa00bb47ba29b610c8aff3464296625ee5c326c36c9750f9013a6749dc4
Instruction Fuzzy Hash: A9115B749403099BDF10DFA4C949BAEBBF5EB04705F11442EE546B7280D778A894CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A53F Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E0040A53F(void* __ecx) {
				signed char _t119;
				signed int _t120;
				signed int _t121;
				signed char _t122;
				signed int _t126;
				signed int _t127;
				void* _t136;
				void* _t139;
				void* _t144;
				void* _t145;
				void* _t150;
				signed int _t158;
				signed int _t159;
				signed int _t164;
				signed int _t170;
				long _t172;
				signed int _t173;
				signed int _t174;
				intOrPtr* _t178;
				signed char _t183;
				void* _t185;
				signed int _t233;
				void* _t236;
				signed char _t238;
				void* _t239;

				E00418D80(E00419E42, _t239);
				_t236 = __ecx;
				 *(_t239 - 0x10) = 0;
				 *(_t239 - 4) = 0;
				 *(_t239 - 0x14) = 0;
				_t233 =  *(_t239 + 8);
				 *(_t239 - 4) = 1;
				 *(_t239 - 0x18) = 0;
				if( *((intOrPtr*)(_t233 + 0x40)) == 0) {
					__eflags =  *(_t233 + 0x30);
					if( *(_t233 + 0x30) != 0) {
						goto L16;
					} else {
						_push(0x24);
						_t164 = E004031DD();
						 *(_t239 + 8) = _t164;
						__eflags = _t164;
						 *(_t239 - 4) = 2;
						if(_t164 == 0) {
							 *(_t239 + 8) = 0;
						} else {
							 *(_t239 + 8) = E004065B9(_t164);
						}
						 *(_t239 - 4) = 1;
						 *(_t239 - 0x18) =  *(_t239 + 8);
						E004063E5(_t239 - 0x10,  *(_t239 + 8));
						E004037D2(_t236 + 0x70, _t236 + 0x7c);
						_t170 = E004053B3( *((intOrPtr*)(_t236 + 0x70)));
						__eflags = _t170;
						if(_t170 != 0) {
							 *(_t233 + 0x30) =  *(_t239 - 0x10);
							 *(_t236 + 0xdf) = 1;
							goto L16;
						} else {
							_t172 = GetLastError();
							 *(_t239 - 4) =  *(_t239 - 4) & 0x00000000;
							_t238 = _t172;
							_t173 =  *(_t239 - 0x14);
							__eflags = _t173;
							if(_t173 != 0) {
								 *((intOrPtr*)( *_t173 + 8))(_t173);
							}
							_t174 =  *(_t239 - 0x10);
							 *(_t239 - 4) =  *(_t239 - 4) | 0xffffffff;
							__eflags = _t174;
							if(_t174 != 0) {
								 *((intOrPtr*)( *_t174 + 8))(_t174);
							}
							_t122 = _t238;
						}
					}
				} else {
					_push(8);
					_t178 = E004031DD();
					if(_t178 == 0) {
						_t178 = 0;
						__eflags = 0;
					} else {
						 *((intOrPtr*)(_t178 + 4)) = 0;
						 *_t178 = 0x41bb0c;
					}
					E004063E5(_t239 - 0x14, _t178);
					 *(_t233 + 0x34) =  *(_t239 - 0x14);
					L16:
					_push(_t233);
					_t119 = E0040A2C8(_t236); // executed
					 *(_t236 + 0xdf) =  *(_t236 + 0xdf) & 0x00000000;
					_t183 = _t119;
					if(_t183 != 1 ||  *(_t239 - 0x18) == 0 ||  *((intOrPtr*)(_t233 + 0x3c)) == 0 ||  *((char*)(_t236 + 0x43)) != 0 && ( *(_t236 + 0x44) & _t119) == 0) {
						_t120 =  *(_t239 - 0x14);
						 *(_t239 - 4) =  *(_t239 - 4) & 0x00000000;
						__eflags = _t120;
						if(_t120 != 0) {
							 *((intOrPtr*)( *_t120 + 8))(_t120);
						}
						_t121 =  *(_t239 - 0x10);
						 *(_t239 - 4) =  *(_t239 - 4) | 0xffffffff;
						__eflags = _t121;
						if(_t121 != 0) {
							 *((intOrPtr*)( *_t121 + 8))(_t121);
						}
						_t122 = _t183;
					} else {
						if( *(_t236 + 0x80) <= 4) {
							L32:
							_t126 =  *(_t239 - 0x14);
							 *(_t239 - 4) =  *(_t239 - 4) & 0x00000000;
							if(_t126 != 0) {
								 *((intOrPtr*)( *_t126 + 8))(_t126);
							}
							_t127 =  *(_t239 - 0x10);
							 *(_t239 - 4) =  *(_t239 - 4) | 0xffffffff;
							if(_t127 != 0) {
								 *((intOrPtr*)( *_t127 + 8))(_t127);
							}
							_t122 = 1;
						} else {
							_t185 = _t236 + 0x7c;
							if(E004032CE( *((intOrPtr*)(_t236 + 0x7c)) +  *(_t236 + 0x80) * 2 - 8, ".exe") == 0) {
								goto L32;
							} else {
								E00409111(_t185, _t239 - 0x30,  *(_t236 + 0x80) + 0xfffffffc);
								_t136 =  *_t233;
								 *(_t239 + 8) =  *(_t239 + 8) & 0x00000000;
								 *(_t239 - 4) = 3;
								if( *((intOrPtr*)(_t136 + 0xc)) <= 0) {
									L31:
									E00403204(_t136,  *((intOrPtr*)(_t239 - 0x30)));
									goto L32;
								} else {
									do {
										_t186 =  *((intOrPtr*)( *((intOrPtr*)(_t136 + 8)) +  *(_t239 + 8) * 4));
										_t139 = E004032CE( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t136 + 8)) +  *(_t239 + 8) * 4)) + 0xc)), "Split");
										_t254 = _t139;
										if(_t139 != 0) {
											goto L30;
										} else {
											E00403740(_t239 - 0x24, _t254, _t239 - 0x30);
											 *(_t239 - 4) = 4;
											E00401EF8(_t239 - 0x24, 0x2e);
											_t144 = E0040A8B7(_t186, _t239 - 0x3c);
											 *(_t239 - 4) = 5;
											_t145 = E0040399C(_t239 - 0x24, _t254, _t144);
											 *(_t239 - 4) = 4;
											E00403204(_t145,  *((intOrPtr*)(_t239 - 0x3c)));
											_t187 = _t236 + 0x70;
											E004037D2(_t236 + 0x70, _t239 - 0x24);
											E004039D8(_t236 + 0x70, ".001");
											_t150 = E0040A891( *((intOrPtr*)(_t233 + 0x3c)), _t254,  *(_t236 + 0x70));
											_t255 = _t150;
											if(_t150 != 0) {
												L27:
												if(E004053B3( *_t187) == 0) {
													goto L29;
												} else {
													 *(_t233 + 0x30) =  *(_t239 - 0x10);
													 *(_t236 + 0x4c) =  *(_t236 + 0x4c) | 0xffffffff;
													E00409944(_t236 + 0x40);
													_push(_t233);
													if(E0040A2C8(_t236) == 0) {
														E00403204(E00403204(_t152,  *((intOrPtr*)(_t239 - 0x24))),  *((intOrPtr*)(_t239 - 0x30)));
														_t158 =  *(_t239 - 0x14);
														 *(_t239 - 4) =  *(_t239 - 4) & 0x00000000;
														__eflags = _t158;
														if(_t158 != 0) {
															 *((intOrPtr*)( *_t158 + 8))(_t158);
														}
														_t159 =  *(_t239 - 0x10);
														 *(_t239 - 4) =  *(_t239 - 4) | 0xffffffff;
														__eflags = _t159;
														if(_t159 != 0) {
															 *((intOrPtr*)( *_t159 + 8))(_t159);
														}
														_t122 = 0;
													} else {
														goto L29;
													}
												}
											} else {
												E004037D2(_t187, _t239 - 0x24);
												if(E0040A891( *((intOrPtr*)(_t233 + 0x3c)), _t255,  *_t187) == 0) {
													L29:
													 *(_t239 - 4) = 3;
													E00403204(_t152,  *((intOrPtr*)(_t239 - 0x24)));
													goto L30;
												} else {
													goto L27;
												}
											}
										}
										goto L47;
										L30:
										 *(_t239 + 8) =  *(_t239 + 8) + 1;
										_t136 =  *_t233;
									} while ( *(_t239 + 8) <  *((intOrPtr*)(_t136 + 0xc)));
									goto L31;
								}
							}
						}
					}
				}
				L47:
				 *[fs:0x0] =  *((intOrPtr*)(_t239 - 0xc));
				return _t122;
			}

0x0040a544
0x0040a551
0x0040a553
0x0040a556
0x0040a559
0x0040a55c
0x0040a55f
0x0040a563
0x0040a569
0x0040a598
0x0040a59b
0x00000000
0x0040a5a1
0x0040a5a1
0x0040a5a3
0x0040a5a9
0x0040a5ac
0x0040a5ae
0x0040a5b2
0x0040a5c0
0x0040a5b4
0x0040a5bb
0x0040a5bb
0x0040a5ca
0x0040a5ce
0x0040a5d1
0x0040a5df
0x0040a5ec
0x0040a5f1
0x0040a5f3
0x0040a629
0x0040a62c
0x00000000
0x0040a5f5
0x0040a5f5
0x0040a5fb
0x0040a5ff
0x0040a601
0x0040a604
0x0040a606
0x0040a60b
0x0040a60b
0x0040a60e
0x0040a611
0x0040a615
0x0040a617
0x0040a61c
0x0040a61c
0x0040a61f
0x0040a61f
0x0040a5f3
0x0040a56b
0x0040a56b
0x0040a56d
0x0040a575
0x0040a582
0x0040a582
0x0040a577
0x0040a577
0x0040a57a
0x0040a57a
0x0040a588
0x0040a590
0x0040a633
0x0040a633
0x0040a636
0x0040a63b
0x0040a642
0x0040a647
0x0040a81d
0x0040a820
0x0040a824
0x0040a826
0x0040a82b
0x0040a82b
0x0040a82e
0x0040a831
0x0040a835
0x0040a837
0x0040a83c
0x0040a83c
0x0040a83f
0x0040a670
0x0040a679
0x0040a7be
0x0040a7be
0x0040a7c1
0x0040a7c7
0x0040a7cc
0x0040a7cc
0x0040a7cf
0x0040a7d2
0x0040a7d8
0x0040a7dd
0x0040a7dd
0x0040a7e2
0x0040a67f
0x0040a688
0x0040a69b
0x00000000
0x0040a6a1
0x0040a6b1
0x0040a6b6
0x0040a6b8
0x0040a6bc
0x0040a6c4
0x0040a7b5
0x0040a7b8
0x00000000
0x0040a6ca
0x0040a6ca
0x0040a6d5
0x0040a6db
0x0040a6e0
0x0040a6e2
0x00000000
0x0040a6e8
0x0040a6ef
0x0040a6f9
0x0040a6fd
0x0040a708
0x0040a711
0x0040a715
0x0040a71d
0x0040a721
0x0040a727
0x0040a730
0x0040a73c
0x0040a746
0x0040a74b
0x0040a74d
0x0040a768
0x0040a777
0x00000000
0x0040a779
0x0040a77f
0x0040a782
0x0040a786
0x0040a78b
0x0040a795
0x0040a7f0
0x0040a7f5
0x0040a7f8
0x0040a7fd
0x0040a800
0x0040a805
0x0040a805
0x0040a808
0x0040a80b
0x0040a80f
0x0040a811
0x0040a816
0x0040a816
0x0040a819
0x00000000
0x00000000
0x00000000
0x0040a795
0x0040a74f
0x0040a755
0x0040a766
0x0040a797
0x0040a79a
0x0040a79e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a766
0x0040a74d
0x00000000
0x0040a7a4
0x0040a7a4
0x0040a7a7
0x0040a7ac
0x00000000
0x0040a6ca
0x0040a6c4
0x0040a69b
0x0040a679
0x0040a647
0x0040a841
0x0040a847
0x0040a84f

APIs

__EH_prolog.LIBCMT ref: 0040A544
GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 0040A5F5

Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD

Part of subcall function 0040A2C8: __EH_prolog.LIBCMT ref: 0040A2CD

Strings

.exe, xrefs: 0040A68B
.001, xrefs: 0040A735
Split, xrefs: 0040A6D0

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog$ErrorExceptionLastThrowmalloc
String ID: .001$.exe$Split
API String ID: 1950902910-1819480430
Opcode ID: 40e0a1c049dffc22ef6c31dc722d256896a467ab8b19deacad4b6d2a47c80568
Instruction ID: fbde023dd8d3616a20bf780c395040672d5308453d4d409ddda090532e3e46f0
Opcode Fuzzy Hash: 40e0a1c049dffc22ef6c31dc722d256896a467ab8b19deacad4b6d2a47c80568
Instruction Fuzzy Hash: 21A18030A003099FCB14EFA5C585AAEBBB4BF04318F14846EE856BB2D1CB39DE55CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA18 Relevance: 7.6, APIs: 5, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040BA18(void* __ecx, void* __edx) {
				void* _t47;
				int _t54;
				void* _t55;
				signed int _t59;
				intOrPtr _t60;
				void* _t74;
				void* _t77;
				struct _CRITICAL_SECTION* _t80;
				signed int _t81;
				void* _t83;

				_t74 = __edx;
				E00418D80(E0041A0A4, _t83);
				_t77 = __ecx;
				_t80 = __ecx + 0x40;
				if(E0040B871(_t80) == 0) {
					E0040BC1B(__ecx);
					EnterCriticalSection(_t80);
					_t59 =  *(_t80 + 0x20);
					 *(_t83 - 0x10) =  *(_t80 + 0x24);
					 *((intOrPtr*)(_t83 - 0x20)) =  *((intOrPtr*)(_t80 + 0x28));
					 *((intOrPtr*)(_t83 - 0x1c)) =  *((intOrPtr*)(_t80 + 0x2c));
					LeaveCriticalSection(_t80);
					if(_t59 !=  *((intOrPtr*)(_t77 + 0x28)) ||  *(_t83 - 0x10) !=  *((intOrPtr*)(_t77 + 0x2c))) {
						E0040B92C(_t77, _t59,  *(_t83 - 0x10));
					}
					E0040B99F(_t77,  *((intOrPtr*)(_t83 - 0x20)),  *((intOrPtr*)(_t83 - 0x1c))); // executed
					_t81 = 0;
					if((_t59 |  *(_t83 - 0x10)) == 0) {
						 *(_t83 - 0x10) = _t81;
						_t59 = 1;
					}
					_t60 = E00418F90(E004190A0( *((intOrPtr*)(_t83 - 0x20)),  *((intOrPtr*)(_t83 - 0x1c)), 0x64, _t81), _t74, _t59,  *(_t83 - 0x10));
					if(_t60 !=  *((intOrPtr*)(_t77 + 0x34))) {
						asm("cdq");
						E0040315D(_t83 - 0xa4, _t46, _t74);
						E004036B0(_t83 - 0x18, _t83 - 0xa4);
						 *(_t83 - 4) = _t81;
						E004039D8(_t83 - 0x18, "% ");
						_t54 = SetWindowTextW( *(_t77 + 4),  *(E00403632(_t83 - 0x24, _t83 - 0x18, _t77 + 0xc))); // executed
						_t55 = E00403204(_t54,  *((intOrPtr*)(_t83 - 0x24)));
						 *((intOrPtr*)(_t77 + 0x34)) = _t60;
						E00403204(_t55,  *((intOrPtr*)(_t83 - 0x18)));
					}
					_t47 = 1;
				} else {
					_t47 = 1;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t83 - 0xc));
				return _t47;
			}

0x0040ba18
0x0040ba1d
0x0040ba2a
0x0040ba2c
0x0040ba38
0x0040ba44
0x0040ba4a
0x0040ba53
0x0040ba56
0x0040ba5c
0x0040ba63
0x0040ba66
0x0040ba6f
0x0040ba7f
0x0040ba7f
0x0040ba8c
0x0040ba98
0x0040ba99
0x0040ba9d
0x0040baa0
0x0040baa0
0x0040baba
0x0040babf
0x0040bac1
0x0040baca
0x0040bad9
0x0040bae6
0x0040bae9
0x0040bb02
0x0040bb0b
0x0040bb13
0x0040bb16
0x0040bb1c
0x0040bb1d
0x0040ba3a
0x0040ba3a
0x0040ba3a
0x0040bb25
0x0040bb2d

APIs

__EH_prolog.LIBCMT ref: 0040BA1D

Part of subcall function 0040B871: EnterCriticalSection.KERNEL32(?,?,?,0040BB91), ref: 0040B876
Part of subcall function 0040B871: LeaveCriticalSection.KERNEL32(?,?,?,0040BB91), ref: 0040B880

EnterCriticalSection.KERNEL32(?), ref: 0040BA4A
LeaveCriticalSection.KERNEL32(?), ref: 0040BA66
__aulldiv.LIBCMT ref: 0040BAB5
SetWindowTextW.USER32(?,00000000), ref: 0040BB02

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: CriticalSection$EnterLeave$H_prologTextWindow__aulldiv
String ID:
API String ID: 729368748-0
Opcode ID: dae6ce3810544a55a0cadaf366efc3d68dae998be2ac9b3ae07b387af689c148
Instruction ID: cd95b3165d2d8f135bb25e3b680c2f95c897e520c5a9096d40279e617bd503f6
Opcode Fuzzy Hash: dae6ce3810544a55a0cadaf366efc3d68dae998be2ac9b3ae07b387af689c148
Instruction Fuzzy Hash: CB313075A00219AFCB11EFA5CC419EEBBB9FF48314F00442AF515B3691C739A955CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B88B Relevance: 7.5, APIs: 5, Instructions: 37
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040B88B(void* __ecx) {
				int _t20;
				long _t25;
				void* _t30;

				_t30 = __ecx;
				 *(__ecx + 0x28) =  *(__ecx + 0x28) | 0xffffffff;
				 *(__ecx + 0x2c) =  *(__ecx + 0x2c) | 0xffffffff;
				 *(__ecx + 0x34) =  *(__ecx + 0x34) | 0xffffffff;
				 *((char*)(__ecx + 0x38)) = 1;
				E00418AC0(__ecx + 0x3c);
				 *((intOrPtr*)(_t30 + 0x30)) = GetDlgItem( *(__ecx + 4), 0x64);
				if( *(_t30 + 0x70) >= 0) {
					_t25 = LoadIconW( *0x41f158,  *(_t30 + 0x70) & 0x0000ffff); // executed
					SendMessageW( *(_t30 + 4), 0x80, 1, _t25); // executed
				}
				_t20 = SetTimer( *(_t30 + 4), 3, 0x64, 0); // executed
				 *(_t30 + 8) = _t20;
				SetWindowTextW( *(_t30 + 4),  *(_t30 + 0xc)); // executed
				E0040BC1B(_t30);
				return 1;
			}

0x0040b88c
0x0040b88e
0x0040b892
0x0040b896
0x0040b89d
0x0040b8a1
0x0040b8b5
0x0040b8b8
0x0040b8c5
0x0040b8d6
0x0040b8d6
0x0040b8e5
0x0040b8ee
0x0040b8f4
0x0040b8fc
0x0040b904

APIs

Part of subcall function 00418AC0: SetEvent.KERNEL32(?,00407A1F), ref: 00418AC3

GetDlgItem.USER32 ref: 0040B8AB
LoadIconW.USER32 ref: 0040B8C5
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0040B8D6
SetTimer.USER32(?,00000003,00000064,00000000), ref: 0040B8E5
SetWindowTextW.USER32(?,?), ref: 0040B8F4

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: EventIconItemLoadMessageSendTextTimerWindow
String ID:
API String ID: 2712766465-0
Opcode ID: 699a61a99574d7652e0115c874616cdfe84062a62bf2c7ffebd4a9624ea64153
Instruction ID: e294c04aeed814171d4adbec44afb40f75d5ab8e46fef825956d7cc37fe38289
Opcode Fuzzy Hash: 699a61a99574d7652e0115c874616cdfe84062a62bf2c7ffebd4a9624ea64153
Instruction Fuzzy Hash: D9011A30040B40AFE7215B21DD5ABA6BBA1FB05720F008A2DFAA7959F0C775B852CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00404DAF Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00404DAF(intOrPtr* __ecx, void* __eflags) {
				signed int _t129;
				signed int _t130;
				intOrPtr _t131;
				signed int _t132;
				char _t133;
				char _t135;
				signed int _t140;
				signed char _t141;
				signed int _t148;
				intOrPtr _t155;
				intOrPtr _t156;
				void* _t162;
				intOrPtr _t163;
				signed int _t164;
				signed int _t182;
				signed int _t192;
				char _t194;
				signed char _t196;
				void* _t197;
				signed char _t198;
				signed char _t199;
				intOrPtr* _t204;
				void* _t215;
				signed int _t241;
				intOrPtr* _t253;
				short _t255;
				intOrPtr* _t257;
				intOrPtr* _t259;
				void* _t260;

				E00418D80(E0041998C, _t260);
				_t253 =  *((intOrPtr*)(_t260 + 8));
				_t257 = __ecx;
				_t192 = E00405780(_t253, __eflags);
				if(_t192 < 0 ||  *((short*)(_t253 + 2 + _t192 * 2)) == 0) {
					L28:
					 *(_t260 - 0x10) =  *(_t260 - 0x10) | 0xffffffff;
					 *(_t260 - 4) = 5;
					_t129 = E00405719(_t253);
					__eflags = _t129;
					if(_t129 != 0) {
						_push(4);
						_pop(0);
					}
					 *((intOrPtr*)(_t260 + 8)) = _t253;
					_t130 = E004055DE(_t253);
					__eflags = _t130;
					if(_t130 == 0) {
						L37:
						_t131 =  *_t253;
						__eflags = _t131 - 0x5c;
						if(_t131 == 0x5c) {
							L39:
							__eflags =  *((short*)(_t253 + 2));
							_t204 = _t253;
							if( *((short*)(_t253 + 2)) != 0) {
								_t132 = E00405693(_t204);
								__eflags = _t132;
								if(__eflags <= 0) {
									goto L54;
								}
								__eflags =  *((short*)(_t253 + _t132 * 2));
								_t208 = _t253 + _t132 * 2;
								 *((intOrPtr*)(_t260 - 0x14)) = _t253 + _t132 * 2;
								if(__eflags == 0) {
									goto L54;
								}
								__eflags = E00405596(_t208);
								if(__eflags >= 0) {
									goto L54;
								}
								E004036B0(_t260 - 0x38, _t253);
								 *(_t260 - 4) = 6;
								E00401EF8(_t260 - 0x38, 0x5c);
								E00401EF8(_t260 - 0x38, 0x2a);
								 *(_t260 + 0xb) =  *(_t260 + 0xb) & 0x00000000;
								_t140 = E00404B47(_t260 - 0x10, __eflags,  *((intOrPtr*)(_t260 - 0x38)), _t257);
								__eflags = _t140;
								if(_t140 == 0) {
									L50:
									_t141 = E00404DA0(_t253);
									__eflags =  *(_t260 + 0xb);
									_t196 = _t141;
									if( *(_t260 + 0xb) != 0) {
										L58:
										E00404D7D(_t257);
										__eflags = _t196 - 0xffffffff;
										if(_t196 == 0xffffffff) {
											 *(_t257 + 0x20) = 0x10;
										} else {
											 *(_t257 + 0x20) = _t196;
										}
										_push( *((intOrPtr*)(_t260 - 0x14)));
										_t215 = _t257 + 0x28;
										L62:
										E00403204(E0040376E(_t215),  *((intOrPtr*)(_t260 - 0x38)));
										E00404B27(_t260 - 0x10);
										_t135 = 1;
										goto L57;
									}
									__eflags = _t196 - 0xffffffff;
									if(__eflags == 0) {
										L53:
										 *(_t260 - 4) = 5;
										E00403204(_t141,  *((intOrPtr*)(_t260 - 0x38)));
										goto L54;
									}
									__eflags = _t196 & 0x00000010;
									if(__eflags != 0) {
										goto L58;
									}
									goto L53;
								}
								_t197 = _t257 + 0x28;
								_t148 = wcscmp( *(_t257 + 0x28), 0x41b778);
								__eflags = _t148;
								if(_t148 != 0) {
									 *(_t260 + 0xb) = 1;
									goto L50;
								}
								_push( *((intOrPtr*)(_t260 - 0x14)));
								_t215 = _t197;
								goto L62;
							}
							_t198 = E00404DA0(_t204);
							__eflags = _t198 - 0xffffffff;
							if(__eflags == 0) {
								goto L54;
							}
							__eflags = _t198 & 0x00000010;
							if(__eflags == 0) {
								goto L54;
							}
							E00404D7D(_t257);
							 *(_t257 + 0x2c) =  *(_t257 + 0x2c) & 0x00000000;
							 *( *(_t257 + 0x28)) =  *( *(_t257 + 0x28)) & 0x00000000;
							 *(_t257 + 0x20) = _t198;
							goto L36;
						}
						__eflags = _t131 - 0x2f;
						if(__eflags != 0) {
							goto L54;
						}
						goto L39;
					} else {
						__eflags =  *((short*)(_t253 + 6));
						if( *((short*)(_t253 + 6)) != 0) {
							goto L37;
						}
						_t199 = E00404DA0(_t253);
						__eflags = _t199 - 0xffffffff;
						if(__eflags == 0) {
							L54:
							_t133 = E00404B47(_t260 - 0x10, __eflags, _t253, _t257); // executed
							_t194 = _t133;
							L55:
							E00404B27(_t260 - 0x10);
							goto L56;
						}
						__eflags = _t199 & 0x00000010;
						if(__eflags == 0) {
							goto L54;
						}
						E00404D7D(_t257);
						 *(_t257 + 0x20) = _t199;
						_t259 = _t257 + 0x28;
						E0040376E(_t259,  *((intOrPtr*)(_t260 + 8)));
						_t155 = 2;
						__eflags =  *((intOrPtr*)(_t259 + 4)) - _t155;
						if( *((intOrPtr*)(_t259 + 4)) > _t155) {
							 *((intOrPtr*)(_t259 + 4)) = _t155;
							_t156 =  *_t259;
							_t86 = _t156 + 4;
							 *_t86 =  *(_t156 + 4) & 0x00000000;
							__eflags =  *_t86;
						}
						L36:
						_t194 = 1;
						goto L55;
					}
				} else {
					E004036B0(_t260 - 0x2c, _t253 + _t192 * 2);
					 *(_t260 - 4) =  *(_t260 - 4) & 0x00000000;
					E004036B0(_t260 - 0x20, _t253);
					 *(_t260 - 4) = 1;
					if(_t192 <  *(_t260 - 0x1c)) {
						 *(_t260 - 0x1c) = _t192;
						 *( *((intOrPtr*)(_t260 - 0x20)) + _t192 * 2) =  *( *((intOrPtr*)(_t260 - 0x20)) + _t192 * 2) & 0x00000000;
					}
					_t160 =  *(_t260 - 0x28);
					if( *(_t260 - 0x28) <= 6 || E004032CE( *((intOrPtr*)(_t260 - 0x2c)) + _t160 * 2 - 0xc, ":$DATA") == 0) {
						E004039D8(_t260 - 0x2c, ":$DATA");
					}
					_t162 = E004056F0( *((intOrPtr*)(_t260 - 0x20)));
					_t163 =  *((intOrPtr*)(_t260 - 0x20));
					if(_t162 == 0 || _t192 != 2 && (_t192 != 3 ||  *((short*)(_t163 + 4)) != 0x5c)) {
						_t164 = E00404DAF(_t257, __eflags, _t163);
						__eflags = _t164;
						if(_t164 == 0) {
							E00403204(E00403204(_t164,  *((intOrPtr*)(_t260 - 0x20))),  *((intOrPtr*)(_t260 - 0x2c)));
							goto L28;
						}
						_t255 = 0;
						__eflags = 0;
						goto L15;
					} else {
						E00404D7D(_t257);
						_t247 = _t257 + 0x28;
						_t255 = 0;
						 *((intOrPtr*)(_t257 + 0x2c)) = 0;
						 *( *(_t257 + 0x28)) = 0;
						if(_t192 == 2) {
							E004037D2(_t247, _t260 - 0x20);
						}
						L15:
						 *(_t257 + 0x20) =  *(_t257 + 0x20) & 0x0000fbef;
						 *(_t260 - 0x3c) =  *(_t260 - 0x3c) | 0xffffffff;
						 *_t257 = _t255;
						 *((intOrPtr*)(_t257 + 4)) = _t255;
						 *(_t260 - 4) = 2;
						E00403740(_t260 - 0x38,  *(_t260 - 0x3c), _t260 - 0x20);
						 *(_t260 - 4) = 3;
						E0040368D(_t260 - 0x54);
						while(1) {
							 *(_t260 - 4) = 4;
							if(E00404D3D(_t260 - 0x3c, _t260 - 0x54, _t260 + 0xb) == 0) {
								break;
							}
							if( *(_t260 + 0xb) == 0) {
								SetLastError(2);
								break;
							}
							if(E00403210( *((intOrPtr*)(_t260 - 0x54)),  *((intOrPtr*)(_t260 - 0x2c))) != 0) {
								_t241 =  *(_t260 - 0x50);
								__eflags = _t241 - 7;
								if(__eflags > 0) {
									_t182 = _t241 - 6;
									__eflags = _t182 - _t241;
									if(__eflags < 0) {
										 *(_t260 - 0x50) = _t182;
										 *((short*)( *((intOrPtr*)(_t260 - 0x54)) + _t182 * 2)) = _t255;
									}
								}
								E0040399C(_t257 + 0x28, __eflags, _t260 - 0x54);
								 *((char*)(_t257 + 0x24)) = 1;
								 *_t257 =  *((intOrPtr*)(_t260 - 0x44));
								_t172 =  *((intOrPtr*)(_t260 - 0x40));
								 *((intOrPtr*)(_t257 + 4)) =  *((intOrPtr*)(_t260 - 0x40));
								_t194 = 1;
								L26:
								E00403204(E00403204(_t172,  *((intOrPtr*)(_t260 - 0x54))),  *((intOrPtr*)(_t260 - 0x38)));
								E00403204(E00403204(E00404B27(_t260 - 0x3c),  *((intOrPtr*)(_t260 - 0x20))),  *((intOrPtr*)(_t260 - 0x2c)));
								L56:
								_t135 = _t194;
								L57:
								 *[fs:0x0] =  *((intOrPtr*)(_t260 - 0xc));
								return _t135;
							}
							 *(_t260 - 4) = 3;
							E00403204(_t178,  *((intOrPtr*)(_t260 - 0x54)));
							E0040368D(_t260 - 0x54);
						}
						_t194 = 0;
						goto L26;
					}
				}
			}

0x00404db4
0x00404dbf
0x00404dc2
0x00404dcb
0x00404dcf
0x00404f83
0x00404f83
0x00404f89
0x00404f92
0x00404f97
0x00404f99
0x00404f9b
0x00404f9d
0x00404f9d
0x00404fa1
0x00404fa4
0x00404fa9
0x00404fab
0x00405000
0x00405000
0x00405003
0x00405007
0x00405013
0x00405013
0x00405018
0x0040501a
0x0040504c
0x00405051
0x00405053
0x00000000
0x00000000
0x00405059
0x0040505e
0x00405061
0x00405064
0x00000000
0x00000000
0x0040506f
0x00405071
0x00000000
0x00000000
0x00405077
0x00405081
0x00405085
0x0040508f
0x00405094
0x0040509f
0x004050a4
0x004050a6
0x004050cb
0x004050cd
0x004050d2
0x004050d6
0x004050d8
0x00405118
0x0040511a
0x0040511f
0x00405122
0x00405129
0x00405124
0x00405124
0x00405124
0x00405130
0x00405133
0x00405136
0x0040513e
0x00405147
0x0040514c
0x00000000
0x0040514c
0x004050da
0x004050dd
0x004050e4
0x004050e7
0x004050eb
0x00000000
0x004050f0
0x004050df
0x004050e2
0x00000000
0x00000000
0x00000000
0x004050e2
0x004050ab
0x004050b4
0x004050bb
0x004050be
0x004050c7
0x00000000
0x004050c7
0x004050c0
0x004050c3
0x00000000
0x004050c3
0x00405021
0x00405023
0x00405026
0x00000000
0x00000000
0x0040502c
0x0040502f
0x00000000
0x00000000
0x00405037
0x0040503f
0x00405043
0x00405047
0x00000000
0x00405047
0x00405009
0x0040500d
0x00000000
0x00000000
0x00000000
0x00404fad
0x00404fad
0x00404fb3
0x00000000
0x00000000
0x00404fbc
0x00404fbe
0x00404fc1
0x004050f1
0x004050f6
0x004050fb
0x004050fd
0x00405100
0x00000000
0x00405100
0x00404fc7
0x00404fca
0x00000000
0x00000000
0x00404fd2
0x00404fda
0x00404fdd
0x00404fe2
0x00404fe9
0x00404fea
0x00404fed
0x00404fef
0x00404ff2
0x00404ff4
0x00404ff4
0x00404ff4
0x00404ff4
0x00404ff9
0x00404ff9
0x00000000
0x00404ff9
0x00404de1
0x00404de8
0x00404ded
0x00404df5
0x00404dfd
0x00404e01
0x00404e06
0x00404e09
0x00404e09
0x00404e0e
0x00404e14
0x00404e33
0x00404e33
0x00404e3b
0x00404e42
0x00404e45
0x00404e80
0x00404e85
0x00404e87
0x00404f7c
0x00000000
0x00404f82
0x00404e8d
0x00404e8d
0x00000000
0x00404e58
0x00404e5a
0x00404e62
0x00404e65
0x00404e6a
0x00404e6d
0x00404e70
0x00404e76
0x00404e76
0x00404e8f
0x00404e8f
0x00404e95
0x00404e99
0x00404e9b
0x00404ea5
0x00404ea9
0x00404eb1
0x00404eb5
0x00404eba
0x00404ec5
0x00404ed0
0x00000000
0x00000000
0x00404ed6
0x00404f00
0x00000000
0x00404f00
0x00404ee5
0x00404f0a
0x00404f0d
0x00404f10
0x00404f12
0x00404f15
0x00404f17
0x00404f1c
0x00404f1f
0x00404f1f
0x00404f17
0x00404f2a
0x00404f32
0x00404f36
0x00404f38
0x00404f3b
0x00404f3e
0x00404f40
0x00404f4b
0x00404f65
0x00405105
0x00405105
0x00405107
0x0040510d
0x00405115
0x00405115
0x00404eea
0x00404eee
0x00404ef7
0x00404ef7
0x00404f06
0x00000000
0x00404f06
0x00404e45

APIs

__EH_prolog.LIBCMT ref: 00404DB4
SetLastError.KERNEL32(00000002,?,?,?,:$DATA,?,00000000,?,?,00000001), ref: 00404F00
wcscmp.MSVCRT ref: 004050B4

Strings

:$DATA, xrefs: 00404E19, 00404E2B

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: ErrorH_prologLastwcscmp
String ID: :$DATA
API String ID: 161073058-2587938151
Opcode ID: 5f020bb28cd8117265225efec81bdc0651470f94f3d0112356166a414e1d72bb
Instruction ID: da1b248e0d231fcc0c283d7306f0842e77f2967e3c74f92a20ef298db707ecaa
Opcode Fuzzy Hash: 5f020bb28cd8117265225efec81bdc0651470f94f3d0112356166a414e1d72bb
Instruction Fuzzy Hash: 8EB1D2719006059ACF24EFA5C841AEEBBB4EF54318F10813FE552772E2DB3D5A49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040EBB1 Relevance: 6.2, APIs: 4, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0040EBB1(void* __ecx, void* __eflags) {
				signed int _t46;
				void* _t48;
				intOrPtr* _t50;
				signed int _t51;
				void* _t53;
				signed int _t56;
				intOrPtr* _t60;
				void* _t64;
				void* _t67;
				signed int _t73;
				signed int _t77;
				void* _t83;
				signed int _t88;
				signed int _t89;
				signed int _t93;
				void* _t95;
				signed int _t97;
				void* _t99;
				void* _t101;
				void* _t102;
				void* _t104;

				E00418D80(E0041A4C4, _t99);
				_t102 = _t101 - 0x1c;
				_t95 = __ecx;
				_t64 = __ecx + 0x50;
				_t46 = E00407B3A(__eflags, 0x20); // executed
				if(_t46 == 0) {
					if(E0040ED43(_t64) == 0) {
						_t88 =  *(_t99 + 0xc);
						__eflags = _t88;
						if(_t88 == 0) {
							L6:
							_push(0x8000); // executed
							_t48 = E004031DD(); // executed
							 *(_t99 - 0x10) = _t48;
							 *(_t99 - 0x18) = _t48;
							 *(_t99 - 4) =  *(_t99 - 4) & 0x00000000;
							memcpy(_t48, _t64, 0x20);
							 *(_t99 - 0x20) =  *(_t99 - 0x20) & 0x00000000;
							_t104 = _t102 + 0x10;
							_t11 = _t99 - 0x1c;
							 *_t11 =  *(_t99 - 0x1c) & 0x00000000;
							__eflags =  *_t11;
							while(1) {
								__eflags = _t88;
								_t73 = 0x7fe0;
								if(_t88 == 0) {
									goto L11;
								}
								_t51 =  *_t88 -  *(_t99 - 0x20);
								__eflags = _t51;
								asm("sbb edx, [ebp-0x1c]");
								 *(_t99 - 0x24) =  *(_t88 + 4);
								if(_t51 != 0) {
									goto L11;
								} else {
									__eflags = _t51 - 0x7fe0;
									if(_t51 >= 0x7fe0) {
										goto L11;
									} else {
										__eflags = _t51;
										_t73 = _t51;
										if(_t51 == 0) {
											L27:
											_t97 = 1;
										} else {
											goto L11;
										}
									}
								}
								L30:
								E00403204(_t51,  *(_t99 - 0x10));
								_t46 = _t97;
								goto L31;
								L11:
								_t50 =  *((intOrPtr*)(_t99 + 8));
								_t89 = 0;
								 *(_t99 - 0x14) = 0;
								_t51 =  *((intOrPtr*)( *_t50 + 0xc))(_t50,  *(_t99 - 0x10) + 0x20, _t73, _t99 - 0x14);
								__eflags = _t51;
								if(_t51 != 0) {
									L29:
									_t97 = _t51;
								} else {
									_t77 =  *(_t99 - 0x14);
									__eflags = _t77;
									if(_t77 == 0) {
										goto L27;
									} else {
										while(1) {
											_t53 =  *(_t99 - 0x10);
											_t67 = _t53 + _t89 + 1;
											_t83 = _t53 + _t77;
											__eflags = _t67 - _t83;
											if(_t67 > _t83) {
												break;
											} else {
												goto L14;
											}
											while(1) {
												L14:
												__eflags =  *_t67 - 0x37;
												if( *_t67 == 0x37) {
													break;
												}
												__eflags =  *(_t67 + 1) - 0x37;
												if( *(_t67 + 1) == 0x37) {
													_t67 = _t67 + 1;
												} else {
													__eflags =  *((char*)(_t67 + 2)) - 0x37;
													if( *((char*)(_t67 + 2)) == 0x37) {
														_t67 = _t67 + 2;
													} else {
														__eflags =  *(_t67 + 3) - 0x37;
														if( *(_t67 + 3) == 0x37) {
															_t67 = _t67 + 3;
															__eflags = _t67;
														} else {
															_t67 = _t67 + 4;
															__eflags = _t67 - _t83;
															if(_t67 <= _t83) {
																continue;
															} else {
															}
														}
													}
												}
												break;
											}
											__eflags = _t67 - _t83;
											if(_t67 > _t83) {
												break;
											} else {
												_t89 = _t67 -  *(_t99 - 0x10);
												_t56 = E0040ED43(_t67);
												__eflags = _t56;
												if(_t56 != 0) {
													memcpy(_t95 + 0x50, _t67, 0x20);
													asm("adc eax, [ebp-0x1c]");
													 *((intOrPtr*)(_t95 + 0x40)) =  *((intOrPtr*)(_t95 + 0x40)) + _t89 +  *(_t99 - 0x20);
													asm("adc [esi+0x44], eax");
													_t60 =  *((intOrPtr*)(_t99 + 8));
													_t93 =  *((intOrPtr*)(_t95 + 0x40)) + 0x20;
													__eflags = _t93;
													asm("adc esi, ecx");
													_t51 =  *((intOrPtr*)( *_t60 + 0x10))(_t60, _t93,  *((intOrPtr*)(_t95 + 0x44)), 0, 0);
													goto L29;
												} else {
													_t77 =  *(_t99 - 0x14);
													continue;
												}
											}
											goto L30;
										}
										 *(_t99 - 0x20) =  *(_t99 - 0x20) + _t77;
										asm("adc dword [ebp-0x1c], 0x0");
										memmove(_t53, _t53 + _t77, 0x20);
										_t88 =  *(_t99 + 0xc);
										_t104 = _t104 + 0xc;
										continue;
									}
								}
								goto L30;
							}
						} else {
							__eflags =  *_t88 |  *(_t88 + 4);
							if(( *_t88 |  *(_t88 + 4)) != 0) {
								goto L6;
							} else {
								_t46 = 1;
							}
						}
					} else {
						_t46 = 0;
					}
				}
				L31:
				 *[fs:0x0] =  *((intOrPtr*)(_t99 - 0xc));
				return _t46;
			}

0x0040ebb6
0x0040ebbb
0x0040ebc0
0x0040ebc8
0x0040ebcd
0x0040ebd4
0x0040ebe3
0x0040ebec
0x0040ebef
0x0040ebf1
0x0040ec02
0x0040ec02
0x0040ec07
0x0040ec0c
0x0040ec0f
0x0040ec12
0x0040ec1a
0x0040ec1f
0x0040ec23
0x0040ec26
0x0040ec26
0x0040ec26
0x0040ec2a
0x0040ec2a
0x0040ec2c
0x0040ec31
0x00000000
0x00000000
0x0040ec38
0x0040ec38
0x0040ec3b
0x0040ec3e
0x0040ec41
0x00000000
0x0040ec43
0x0040ec43
0x0040ec45
0x00000000
0x0040ec47
0x0040ec47
0x0040ec49
0x0040ec4b
0x0040ece9
0x0040eceb
0x00000000
0x00000000
0x00000000
0x0040ec4b
0x0040ec45
0x0040ed27
0x0040ed2a
0x0040ed30
0x00000000
0x0040ec51
0x0040ec51
0x0040ec61
0x0040ec65
0x0040ec68
0x0040ec6b
0x0040ec6d
0x0040ed25
0x0040ed25
0x0040ec73
0x0040ec73
0x0040ec76
0x0040ec78
0x00000000
0x0040ec7a
0x0040ec7a
0x0040ec7a
0x0040ec7d
0x0040ec81
0x0040ec84
0x0040ec86
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ec88
0x0040ec88
0x0040ec88
0x0040ec8b
0x00000000
0x00000000
0x0040ec8d
0x0040ec91
0x0040eca8
0x0040ec93
0x0040ec93
0x0040ec97
0x0040ecac
0x0040ec99
0x0040ec99
0x0040ec9d
0x0040ecaf
0x0040ecaf
0x0040ec9f
0x0040ec9f
0x0040eca2
0x0040eca4
0x00000000
0x00000000
0x0040eca6
0x0040eca4
0x0040ec9d
0x0040ec97
0x00000000
0x0040ec91
0x0040ecb2
0x0040ecb4
0x00000000
0x0040ecb6
0x0040ecba
0x0040ecbd
0x0040ecc2
0x0040ecc4
0x0040ecf5
0x0040ed02
0x0040ed05
0x0040ed08
0x0040ed11
0x0040ed16
0x0040ed16
0x0040ed1c
0x0040ed22
0x00000000
0x0040ecc6
0x0040ecc6
0x00000000
0x0040ecc6
0x0040ecc4
0x00000000
0x0040ecb4
0x0040eccb
0x0040ecd0
0x0040ecd8
0x0040ecde
0x0040ece1
0x00000000
0x0040ece1
0x0040ec78
0x00000000
0x0040ec6d
0x0040ebf3
0x0040ebf5
0x0040ebf8
0x00000000
0x0040ebfa
0x0040ebfc
0x0040ebfc
0x0040ebf8
0x0040ebe5
0x0040ebe5
0x0040ebe5
0x0040ebe3
0x0040ed32
0x0040ed38
0x0040ed40

APIs

__EH_prolog.LIBCMT ref: 0040EBB6

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 68bf076e82ed216c2d90b0a62dc1d87e492efa2da63e9caa6d91a42ed1f732e9
Instruction ID: c12524c289feaf3e84e46ecd753a7b8664c50a4f4eb467be383fba77f0e1be85
Opcode Fuzzy Hash: 68bf076e82ed216c2d90b0a62dc1d87e492efa2da63e9caa6d91a42ed1f732e9
Instruction Fuzzy Hash: 8D51E071A042069BEB24DF56C885BAEB3B5FF44304F18493AE401B73C1D77DAD558B58

Uniqueness

Uniqueness Score: -1.00%

Function 004019F5 Relevance: 6.1, APIs: 4, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004019F5(void* __ecx, intOrPtr __edx, void* __eflags) {
				signed char** _t60;
				signed int _t64;
				char* _t65;
				void* _t70;
				intOrPtr _t72;
				void* _t73;
				void* _t74;
				void* _t79;
				char _t80;
				signed int _t85;
				signed int _t86;
				void* _t87;
				signed int _t97;
				int _t102;
				void* _t103;
				void* _t104;
				void* _t106;

				_t87 = __ecx;
				E00418D80(E004194A4, _t104);
				E00418DB0(0x1024, __ecx);
				_t60 =  *(_t104 + 0xc);
				_t97 = 0;
				_t60[1] = 0;
				 *( *_t60) =  *( *_t60) & 0x00000000;
				 *(_t104 - 0x1c) =  *(_t104 - 0x1c) | 0xffffffff;
				 *((intOrPtr*)(_t104 - 0x30)) = __edx;
				 *((intOrPtr*)(_t104 - 4)) = 0;
				if(E004053B3(_t87) == 0) {
					L25:
					E00405298(_t104 - 0x1c);
					_t64 = 0;
				} else {
					 *((intOrPtr*)(_t104 - 0x14)) = 0;
					if( *((char*)(__edx)) != 0) {
						do {
							 *((intOrPtr*)(_t104 - 0x14)) =  *((intOrPtr*)(_t104 - 0x14)) + 1;
						} while ( *((char*)( *((intOrPtr*)(_t104 - 0x14)) + __edx)) != 0);
					}
					_t65 =  *((intOrPtr*)(_t104 + 8));
					 *((intOrPtr*)(_t104 - 0x18)) = _t97;
					if( *_t65 != 0) {
						do {
							 *((intOrPtr*)(_t104 - 0x18)) =  *((intOrPtr*)(_t104 - 0x18)) + 1;
						} while ( *((char*)( *((intOrPtr*)(_t104 - 0x18)) + _t65)) != 0);
					}
					_t102 = 0;
					 *(_t104 - 0xd) =  *(_t104 - 0xd) & 0x00000000;
					 *((intOrPtr*)(_t104 - 0x24)) = _t97;
					 *((intOrPtr*)(_t104 - 0x20)) = _t97;
					while(1) {
						L7:
						_t70 = E00405410(_t104 - 0x1c, _t104 + _t102 - 0x1030, 0x1000 - _t102, _t104 - 0x28); // executed
						if(_t70 == 0) {
							break;
						}
						_t72 =  *((intOrPtr*)(_t104 - 0x28));
						if(_t72 == _t97) {
							L24:
							_t85 = 1;
							goto L22;
						} else {
							_t103 = _t102 + _t72;
							_t86 = _t104 - 0x1030;
							while(1) {
								_t73 = _t103;
								if( *(_t104 - 0xd) != 0) {
								}
								L11:
								_t79 = _t73 -  *((intOrPtr*)(_t104 - 0x18));
								if(_t97 > _t79) {
									L19:
									_t102 = _t103 - _t97;
									 *((intOrPtr*)(_t104 - 0x24)) =  *((intOrPtr*)(_t104 - 0x24)) + _t97;
									asm("adc dword [ebp-0x20], 0x0");
									memmove(_t104 - 0x1030, _t104 + _t97 - 0x1030, _t102);
									_t106 = _t106 + 0xc;
									if( *((intOrPtr*)(_t104 - 0x20)) > 0 ||  *((intOrPtr*)(_t104 - 0x24)) > 0x100000) {
										_t85 = _t86 & 0xffffff00 | ( *(_t104 + 0xc))[1] == 0x00000000;
										L22:
										E00405298(_t104 - 0x1c);
										_t64 = _t85;
									} else {
										_t97 = 0;
										goto L7;
									}
								} else {
									_push( *((intOrPtr*)(_t104 - 0x18)));
									_push( *((intOrPtr*)(_t104 + 8)));
									_push(_t86);
									L00418DA0();
									_t106 = _t106 + 0xc;
									if(_t79 == 0) {
										goto L24;
									} else {
										_t80 =  *_t86;
										 *((char*)(_t104 - 0x2c)) = _t80;
										if(_t80 == 0) {
											goto L25;
										} else {
											E00401B7E( *(_t104 + 0xc),  *((intOrPtr*)(_t104 - 0x2c)));
											L15:
											_t97 = _t97 + 1;
											_t86 = _t86 + 1;
											while(1) {
												_t73 = _t103;
												if( *(_t104 - 0xd) != 0) {
												}
												goto L16;
											}
											goto L11;
										}
									}
								}
								goto L26;
								L16:
								_t74 = _t73 -  *((intOrPtr*)(_t104 - 0x14));
								if(_t97 > _t74) {
									goto L19;
								} else {
									_push( *((intOrPtr*)(_t104 - 0x14)));
									_push( *((intOrPtr*)(_t104 - 0x30)));
									_push(_t86);
									L00418DA0();
									_t106 = _t106 + 0xc;
									if(_t74 != 0) {
										goto L15;
									} else {
										_t97 = _t97 +  *((intOrPtr*)(_t104 - 0x14));
										_t86 = _t86 +  *((intOrPtr*)(_t104 - 0x14));
										 *(_t104 - 0xd) = 1;
										continue;
									}
									L27:
								}
								goto L26;
							}
						}
						goto L26;
					}
					_t85 = 0;
					goto L22;
				}
				L26:
				 *[fs:0x0] =  *((intOrPtr*)(_t104 - 0xc));
				return _t64;
				goto L27;
			}

0x004019f5
0x004019fa
0x00401a04
0x00401a09
0x00401a0f
0x00401a11
0x00401a18
0x00401a1b
0x00401a1f
0x00401a26
0x00401a30
0x00401b63
0x00401b66
0x00401b6b
0x00401a36
0x00401a39
0x00401a3c
0x00401a3e
0x00401a3e
0x00401a44
0x00401a3e
0x00401a4a
0x00401a4d
0x00401a53
0x00401a55
0x00401a55
0x00401a5b
0x00401a55
0x00401a61
0x00401a63
0x00401a67
0x00401a6a
0x00401a71
0x00401a71
0x00401a88
0x00401a8f
0x00000000
0x00000000
0x00401a95
0x00401a9a
0x00401b5f
0x00401b5f
0x00000000
0x00401aa0
0x00401aa0
0x00401aa2
0x00401aa8
0x00401aac
0x00401aae
0x00401aae
0x00401ab0
0x00401ab0
0x00401ab5
0x00401b10
0x00401b10
0x00401b12
0x00401b24
0x00401b29
0x00401b2f
0x00401b36
0x00401b4c
0x00401b4f
0x00401b52
0x00401b57
0x00401a6f
0x00401a6f
0x00000000
0x00401a6f
0x00401ab7
0x00401ab7
0x00401aba
0x00401abd
0x00401abe
0x00401ac3
0x00401ac8
0x00000000
0x00401ace
0x00401ace
0x00401ad2
0x00401ad5
0x00000000
0x00401adb
0x00401ae1
0x00401ae6
0x00401ae6
0x00401ae7
0x00401aa8
0x00401aac
0x00401aae
0x00401aae
0x00000000
0x00401aae
0x00000000
0x00401aa8
0x00401ad5
0x00401ac8
0x00000000
0x00401aea
0x00401aea
0x00401aef
0x00000000
0x00401af1
0x00401af1
0x00401af4
0x00401af7
0x00401af8
0x00401afd
0x00401b02
0x00000000
0x00401b04
0x00401b04
0x00401b07
0x00401b0a
0x00000000
0x00401b0a
0x00000000
0x00401b02
0x00000000
0x00401aef
0x00401aa8
0x00000000
0x00401a9a
0x00401b5b
0x00000000
0x00401b5b
0x00401b6d
0x00401b73
0x00401b7b
0x00000000

APIs

__EH_prolog.LIBCMT ref: 004019FA
memcmp.MSVCRT ref: 00401ABE
memcmp.MSVCRT ref: 00401AF8
memmove.MSVCRT ref: 00401B29

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: memcmp$H_prologmemmove
String ID:
API String ID: 1585842370-0
Opcode ID: 53a639813324c0e6f53735f609cf536863337ed91f2060eb649b985a43864c96
Instruction ID: 38dfcbe944138311f729fb0dfaf23ea4560b4517be3ec0a244e0583db9330822
Opcode Fuzzy Hash: 53a639813324c0e6f53735f609cf536863337ed91f2060eb649b985a43864c96
Instruction Fuzzy Hash: E241AC72D002499BCF11DFA4C840BEEBBB5AF45384F14416AE855772E2E3389A85CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00409DAD Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00409DAD(intOrPtr* __ecx) {
				intOrPtr* _t205;
				signed int _t206;
				signed int _t207;
				signed int _t213;
				void* _t214;
				signed int _t215;
				void* _t216;
				signed int _t218;
				intOrPtr* _t219;
				signed int _t226;
				intOrPtr* _t229;
				intOrPtr* _t230;
				signed int _t232;
				signed int _t233;
				signed int _t235;
				signed int _t236;
				signed int _t242;
				signed int _t243;
				signed int _t245;
				intOrPtr* _t252;
				signed int _t256;
				void* _t257;
				signed int _t259;
				signed int _t275;
				intOrPtr* _t331;
				signed int _t334;
				void* _t336;

				E00418D80(E00419DC8, _t336);
				_t331 = __ecx;
				_t275 = 0;
				_t205 =  *__ecx;
				if(_t205 != 0) {
					 *((intOrPtr*)( *_t205 + 8))(_t205);
					 *__ecx = 0;
				}
				_t206 =  *(_t331 + 8);
				if(_t206 != _t275) {
					 *((intOrPtr*)( *_t206 + 8))(_t206);
					 *(_t331 + 8) = _t275;
				}
				_t207 =  *(_t331 + 0xc);
				if(_t207 != _t275) {
					 *((intOrPtr*)( *_t207 + 8))(_t207);
					 *(_t331 + 0xc) = _t275;
				}
				E00409944(_t331 + 0x10);
				 *(_t331 + 0x1c) =  *(_t331 + 0x1c) | 0xffffffff;
				 *(_t331 + 0xd0) = _t275;
				 *(_t331 + 0xd8) = _t275;
				 *(_t331 + 0xd4) = _t275;
				E0040429A(_t331 + 0x70);
				 *(_t336 - 4) = _t275;
				E0040368D(_t336 - 0x54);
				 *(_t336 - 4) = 1;
				if(E00403A5B(_t336 - 0x60, 0x2e) >= _t275) {
					E0040376E(_t336 - 0x54,  *((intOrPtr*)(_t336 - 0x60)) + 2 + _t211 * 2);
				}
				 *(_t336 - 0x48) = _t275;
				 *(_t336 - 0x44) = _t275;
				 *(_t336 - 0x40) = _t275;
				_t334 =  *(_t336 + 8);
				 *(_t336 - 4) = 2;
				 *(_t336 - 0x14) = _t275;
				_t213 =  *( *_t334 + 0xc);
				if(_t213 != _t275) {
					if(_t213 > 0xffffffff) {
						_t213 = _t213 | 0xffffffff;
					}
					_push(_t213);
					 *(_t336 - 0x14) = E004031DD();
				}
				_t214 = 0;
				 *(_t336 - 4) = 3;
				if( *( *_t334 + 0xc) <= _t275) {
					L14:
					if( *((intOrPtr*)(_t334 + 0x1d)) == _t275) {
						 *((intOrPtr*)(_t336 - 0x34)) = 0x800000;
						 *(_t336 - 0x30) = _t275;
					} else {
						 *((intOrPtr*)(_t336 - 0x34)) =  *((intOrPtr*)(_t334 + 0x20));
						 *(_t336 - 0x30) =  *(_t334 + 0x24);
					}
					_t215 =  *(_t334 + 8);
					 *(_t336 - 0x18) = _t215;
					if(_t215 < _t275) {
						_t216 =  *_t334;
						 *(_t336 - 0x10) = _t275;
						 *(_t336 + 8) = _t275;
						__eflags =  *((intOrPtr*)(_t216 + 0xc)) - _t275;
						if( *((intOrPtr*)(_t216 + 0xc)) <= _t275) {
							L28:
							__eflags =  *((intOrPtr*)(_t334 + 0x30)) - _t275;
							if( *((intOrPtr*)(_t334 + 0x30)) != _t275) {
								L32:
								 *(_t336 - 0x1c) =  *(_t336 - 0x44);
								_t218 =  *(_t336 - 0x10);
								__eflags = _t218 - _t275;
								if(_t218 != _t275) {
									 *(_t336 - 0x1c) = _t218;
								}
								goto L34;
							}
							_t221 = 1;
							__eflags =  *(_t336 - 0x10) - _t221;
							if( *(_t336 - 0x10) == _t221) {
								 *(_t336 - 0x44) = _t221;
								goto L32;
							}
							_t275 = 0x80004001;
							goto L67;
						} else {
							goto L20;
						}
						do {
							L20:
							__eflags =  *((intOrPtr*)(_t331 + 0xdf)) - _t275;
							 *(_t336 - 0x24) =  *( *((intOrPtr*)(_t216 + 8)) +  *(_t336 + 8) * 4);
							if( *((intOrPtr*)(_t331 + 0xdf)) != _t275) {
								L22:
								_t256 = E004032CE( *((intOrPtr*)( *(_t336 - 0x24) + 0xc)), "Split");
								__eflags = _t256;
								if(_t256 != 0) {
									goto L27;
								}
								L23:
								_t257 = E0040B70B( *((intOrPtr*)(_t334 + 0x2c)),  *(_t336 + 8), _t275,  *((intOrPtr*)( *((intOrPtr*)(_t334 + 0x2c)) + 4)));
								__eflags = _t257 - _t275;
								if(_t257 < _t275) {
									_t259 = E00409144( *(_t336 - 0x24), _t336 - 0x54);
									__eflags = _t259;
									if(_t259 < 0) {
										E004088FD(_t336 - 0x48,  *(_t336 + 8));
									} else {
										 *(_t336 - 0x10) =  *(_t336 - 0x10) + 1;
										E0040B406(_t336 - 0x48,  *(_t336 - 0x10),  *(_t336 + 8));
										 *((char*)( *(_t336 + 8) +  *(_t336 - 0x14))) = 1;
									}
								}
								goto L27;
							}
							__eflags =  *((intOrPtr*)(_t334 + 0x19)) - _t275;
							if( *((intOrPtr*)(_t334 + 0x19)) != _t275) {
								goto L23;
							}
							goto L22;
							L27:
							 *(_t336 + 8) =  *(_t336 + 8) + 1;
							_t216 =  *_t334;
							__eflags =  *(_t336 + 8) -  *((intOrPtr*)(_t216 + 0xc));
						} while ( *(_t336 + 8) <  *((intOrPtr*)(_t216 + 0xc)));
						goto L28;
					} else {
						E004088FD(_t336 - 0x48, _t215);
						 *(_t336 - 0x1c) = 1;
						 *((char*)( *(_t336 - 0x18) +  *(_t336 - 0x14))) = 1;
						L34:
						_t219 =  *((intOrPtr*)(_t334 + 0x30));
						 *(_t336 - 0x2c) = _t275;
						 *(_t336 - 0x28) = _t275;
						if(_t219 == _t275) {
							L37:
							 *(_t331 + 0xc0) =  *(_t336 - 0x2c);
							_t221 =  *(_t336 - 0x28);
							 *(_t331 + 0xc4) =  *(_t336 - 0x28);
							if( *((intOrPtr*)(_t334 + 0x19)) == _t275) {
								L65:
								if( *_t331 != _t275) {
									L67:
									E00403204(E00403204(E00403204(E00403204(_t221,  *(_t336 - 0x14)),  *(_t336 - 0x48)),  *((intOrPtr*)(_t336 - 0x54))),  *((intOrPtr*)(_t336 - 0x60)));
									_t226 = _t275;
									L68:
									 *[fs:0x0] =  *((intOrPtr*)(_t336 - 0xc));
									return _t226;
								}
								L66:
								_t275 = 1;
								goto L67;
							}
							_t221 =  *(_t336 - 0x44);
							 *(_t336 - 0x24) =  *(_t336 - 0x44);
							if( *(_t336 - 0x18) >= _t275) {
								_t221 =  *(_t336 - 0x1c);
								 *(_t336 - 0x24) =  *(_t336 - 0x1c);
							}
							 *(_t336 - 0x18) = _t275;
							if( *(_t336 - 0x24) > _t275) {
								do {
									 *(_t331 + 0x94) =  *( *(_t336 - 0x48) +  *(_t336 - 0x18) * 4);
									_t229 =  *((intOrPtr*)(_t334 + 0x38));
									if(_t229 == _t275) {
										L43:
										_t230 =  *((intOrPtr*)(_t334 + 0x30));
										if(_t230 == _t275) {
											L45:
											 *(_t336 - 0x10) = _t275;
											 *(_t336 - 4) = 4;
											_t232 = E00409D49(_t334,  *(_t331 + 0x94), _t336 - 0x10);
											 *(_t336 + 8) = _t232;
											if(_t232 != _t275) {
												_t221 =  *(_t336 - 0x10);
												 *(_t336 - 4) = 3;
												__eflags = _t221 - _t275;
												if(_t221 != _t275) {
													_t221 =  *((intOrPtr*)( *_t221 + 8))(_t221);
												}
												_t275 =  *(_t336 + 8);
												goto L67;
											}
											_t233 =  *(_t336 - 0x10);
											if(_t233 != _t275) {
												__eflags =  *((intOrPtr*)(_t334 + 0x30)) - _t275;
												if(__eflags == 0) {
													 *(_t336 - 0x20) = _t275;
													 *(_t336 - 4) = 5;
													 *((intOrPtr*)( *_t233))(_t233, 0x41b1c0, _t336 - 0x20);
													_t235 =  *(_t336 - 0x20);
													__eflags = _t235 - _t275;
													if(_t235 == _t275) {
														_t236 =  *(_t336 - 0x10);
														 *(_t336 - 4) = 3;
														__eflags = _t236 - _t275;
														if(_t236 != _t275) {
															_t236 =  *((intOrPtr*)( *_t236 + 8))(_t236);
														}
														E00403204(E00403204(E00403204(E00403204(_t236,  *(_t336 - 0x14)),  *(_t336 - 0x48)),  *((intOrPtr*)(_t336 - 0x54))),  *((intOrPtr*)(_t336 - 0x60)));
														_t226 = 0x80004001;
														goto L68;
													}
													 *(_t336 + 8) =  *((intOrPtr*)( *_t235 + 0xc))(_t235,  *((intOrPtr*)(_t334 + 0x34)));
													_t242 =  *(_t336 - 0x20);
													__eflags = _t242 - _t275;
													 *(_t336 - 4) = 4;
													if(__eflags != 0) {
														 *((intOrPtr*)( *_t242 + 8))(_t242);
													}
													L53:
													_t243 = E00409970(_t331, __eflags,  *(_t336 - 0x10), _t275, _t275,  *(_t336 + 8));
													__eflags = _t243 - _t275;
													 *(_t336 - 0x20) = _t243;
													if(_t243 != _t275) {
														_t221 =  *(_t336 - 0x10);
														 *(_t336 - 4) = 3;
														__eflags = _t221 - _t275;
														if(_t221 != _t275) {
															_t221 =  *((intOrPtr*)( *_t221 + 8))(_t221);
														}
														_t275 =  *(_t336 - 0x20);
														goto L67;
													}
													__eflags =  *(_t336 + 8) - 1;
													if( *(_t336 + 8) != 1) {
														__eflags =  *(_t336 + 8) - _t275;
														if( *(_t336 + 8) == _t275) {
															E004063E5(_t331,  *(_t336 - 0x10));
															_t221 =  *(_t336 - 0x10);
															 *(_t336 - 4) = 3;
															__eflags = _t221 - _t275;
															if(_t221 != _t275) {
																_t221 =  *((intOrPtr*)( *_t221 + 8))(_t221);
															}
														} else {
															_t221 =  *(_t336 - 0x10);
															 *(_t336 - 4) = 3;
															__eflags = _t221 - _t275;
															if(_t221 != _t275) {
																_t221 =  *((intOrPtr*)( *_t221 + 8))(_t221);
															}
															_t275 =  *(_t336 + 8);
														}
														goto L67;
													}
													__eflags =  *((intOrPtr*)(_t331 + 0x13)) - _t275;
													if( *((intOrPtr*)(_t331 + 0x13)) == _t275) {
														L57:
														 *(_t336 + 0xb) = _t275;
														L58:
														__eflags =  *(_t336 - 0x18) - _t275;
														if( *(_t336 - 0x18) != _t275) {
															L62:
															_t245 =  *(_t336 - 0x10);
															 *(_t336 - 4) = 3;
															__eflags = _t245 - _t275;
															if(_t245 != _t275) {
																 *((intOrPtr*)( *_t245 + 8))(_t245);
															}
															goto L64;
														}
														__eflags =  *(_t336 - 0x1c) - 1;
														if( *(_t336 - 0x1c) != 1) {
															goto L62;
														}
														 *(_t331 + 0x1c) =  *(_t331 + 0x94);
														E0040A26D(_t331 + 0x40, _t331 + 0x10);
														__eflags =  *((intOrPtr*)(_t334 + 0x1a)) - _t275;
														if( *((intOrPtr*)(_t334 + 0x1a)) != _t275) {
															goto L62;
														}
														__eflags =  *(_t336 + 0xb) - _t275;
														if( *(_t336 + 0xb) != _t275) {
															_t221 =  *(_t336 - 0x10);
															 *(_t336 - 4) = 3;
															__eflags = _t221 - _t275;
															if(_t221 != _t275) {
																_t221 =  *((intOrPtr*)( *_t221 + 8))(_t221);
															}
															goto L66;
														}
														goto L62;
													}
													__eflags =  *(_t331 + 0x14) & 0x00000001;
													 *(_t336 + 0xb) = 1;
													if(( *(_t331 + 0x14) & 0x00000001) == 0) {
														goto L58;
													}
													goto L57;
												}
												 *((intOrPtr*)(_t336 - 0x3c)) =  *((intOrPtr*)(_t336 - 0x34));
												 *(_t336 - 0x38) =  *(_t336 - 0x30);
												 *(_t336 + 8) =  *((intOrPtr*)( *_t233 + 0xc))(_t233,  *((intOrPtr*)(_t334 + 0x30)), _t336 - 0x3c,  *((intOrPtr*)(_t334 + 0x38)));
												goto L53;
											}
											 *(_t336 - 4) = 3;
											goto L64;
										}
										_t221 =  *((intOrPtr*)( *_t230 + 0x10))(_t230, _t275, _t275, _t275, _t275);
										if(_t221 != _t275) {
											L69:
											_t275 = _t221;
											goto L67;
										}
										goto L45;
									}
									_t221 =  *((intOrPtr*)( *_t229 + 0xc))(_t229, _t275, _t336 - 0x2c);
									if(_t221 != _t275) {
										goto L69;
									}
									goto L43;
									L64:
									 *(_t336 - 0x18) =  *(_t336 - 0x18) + 1;
									_t221 =  *(_t336 - 0x18);
								} while ( *(_t336 - 0x18) <  *(_t336 - 0x24));
							}
							goto L65;
						}
						_t221 =  *((intOrPtr*)( *_t219 + 0x10))(_t219, _t275, _t275, 2, _t336 - 0x2c);
						if(_t221 != _t275) {
							goto L69;
						}
						_t252 =  *((intOrPtr*)(_t334 + 0x30));
						_t221 =  *((intOrPtr*)( *_t252 + 0x10))(_t252, _t275, _t275, _t275, _t275);
						if(_t221 != _t275) {
							goto L69;
						}
						goto L37;
					}
				} else {
					goto L13;
				}
				do {
					L13:
					 *(_t214 +  *(_t336 - 0x14)) = _t275;
					_t214 = _t214 + 1;
				} while (_t214 <  *( *_t334 + 0xc));
				goto L14;
			}

0x00409db2
0x00409dbd
0x00409dbf
0x00409dc1
0x00409dc5
0x00409dca
0x00409dcd
0x00409dcd
0x00409dcf
0x00409dd4
0x00409dd9
0x00409ddc
0x00409ddc
0x00409ddf
0x00409de4
0x00409de9
0x00409dec
0x00409dec
0x00409df2
0x00409df7
0x00409dfb
0x00409e07
0x00409e0d
0x00409e13
0x00409e1b
0x00409e1e
0x00409e28
0x00409e33
0x00409e40
0x00409e40
0x00409e45
0x00409e48
0x00409e4b
0x00409e4e
0x00409e51
0x00409e55
0x00409e5a
0x00409e5f
0x00409e64
0x00409e66
0x00409e66
0x00409e69
0x00409e70
0x00409e70
0x00409e75
0x00409e77
0x00409e7e
0x00409e8e
0x00409e91
0x00409ea1
0x00409ea8
0x00409e93
0x00409e96
0x00409e9c
0x00409e9c
0x00409eab
0x00409eb0
0x00409eb3
0x00409ed4
0x00409ed6
0x00409ed9
0x00409edc
0x00409edf
0x00409f6f
0x00409f6f
0x00409f72
0x00409f89
0x00409f8c
0x00409f8f
0x00409f92
0x00409f94
0x00409f96
0x00409f96
0x00000000
0x00409f94
0x00409f76
0x00409f77
0x00409f7a
0x00409f86
0x00000000
0x00409f86
0x00409f7c
0x00000000
0x00000000
0x00000000
0x00000000
0x00409ee5
0x00409ee5
0x00409eeb
0x00409ef4
0x00409ef7
0x00409efe
0x00409f09
0x00409f0e
0x00409f10
0x00000000
0x00000000
0x00409f12
0x00409f1c
0x00409f21
0x00409f23
0x00409f2c
0x00409f31
0x00409f33
0x00409f59
0x00409f35
0x00409f3b
0x00409f42
0x00409f4d
0x00409f4d
0x00409f33
0x00000000
0x00409f23
0x00409ef9
0x00409efc
0x00000000
0x00000000
0x00000000
0x00409f5e
0x00409f5e
0x00409f61
0x00409f66
0x00409f66
0x00000000
0x00409eb5
0x00409eb9
0x00409ec4
0x00409ecb
0x00409f99
0x00409f99
0x00409f9c
0x00409fa1
0x00409fa4
0x00409fd1
0x00409fd4
0x00409fda
0x00409fdd
0x00409fe6
0x0040a166
0x0040a168
0x0040a16d
0x0040a188
0x0040a190
0x0040a192
0x0040a198
0x0040a1a0
0x0040a1a0
0x0040a16a
0x0040a16c
0x00000000
0x0040a16c
0x00409fec
0x00409ff2
0x00409ff5
0x00409ff7
0x00409ffa
0x00409ffa
0x0040a000
0x0040a003
0x0040a009
0x0040a012
0x0040a018
0x0040a01d
0x0040a032
0x0040a032
0x0040a037
0x0040a04b
0x0040a04b
0x0040a054
0x0040a05f
0x0040a066
0x0040a069
0x0040a1a7
0x0040a1aa
0x0040a1ae
0x0040a1b0
0x0040a1b5
0x0040a1b5
0x0040a1b8
0x00000000
0x0040a1b8
0x0040a06f
0x0040a074
0x0040a07f
0x0040a082
0x0040a0a5
0x0040a0b4
0x0040a0b8
0x0040a0ba
0x0040a0bd
0x0040a0bf
0x0040a1bd
0x0040a1c0
0x0040a1c4
0x0040a1c6
0x0040a1cb
0x0040a1cb
0x0040a1e9
0x0040a1f1
0x00000000
0x0040a1f1
0x0040a0ce
0x0040a0d1
0x0040a0d4
0x0040a0d6
0x0040a0da
0x0040a0df
0x0040a0df
0x0040a0e2
0x0040a0ec
0x0040a0f1
0x0040a0f3
0x0040a0f6
0x0040a1f8
0x0040a1fb
0x0040a1ff
0x0040a201
0x0040a206
0x0040a206
0x0040a209
0x00000000
0x0040a209
0x0040a0fc
0x0040a100
0x0040a22b
0x0040a22e
0x0040a24e
0x0040a253
0x0040a256
0x0040a25a
0x0040a25c
0x0040a265
0x0040a265
0x0040a230
0x0040a230
0x0040a233
0x0040a237
0x0040a239
0x0040a23e
0x0040a23e
0x0040a241
0x0040a241
0x00000000
0x0040a22e
0x0040a106
0x0040a109
0x0040a115
0x0040a115
0x0040a118
0x0040a118
0x0040a11b
0x0040a146
0x0040a146
0x0040a149
0x0040a14d
0x0040a14f
0x0040a154
0x0040a154
0x00000000
0x0040a14f
0x0040a11d
0x0040a121
0x00000000
0x00000000
0x0040a12c
0x0040a133
0x0040a138
0x0040a13b
0x00000000
0x00000000
0x0040a13d
0x0040a140
0x0040a211
0x0040a214
0x0040a218
0x0040a21a
0x0040a223
0x0040a223
0x00000000
0x0040a21a
0x00000000
0x0040a140
0x0040a10b
0x0040a10f
0x0040a113
0x00000000
0x00000000
0x00000000
0x0040a113
0x0040a08d
0x0040a097
0x0040a0a0
0x00000000
0x0040a0a0
0x0040a076
0x00000000
0x0040a076
0x0040a040
0x0040a045
0x0040a1a3
0x0040a1a3
0x00000000
0x0040a1a3
0x00000000
0x0040a045
0x0040a027
0x0040a02c
0x00000000
0x00000000
0x00000000
0x0040a157
0x0040a157
0x0040a15a
0x0040a15d
0x0040a009
0x00000000
0x0040a003
0x00409fb1
0x00409fb6
0x00000000
0x00000000
0x00409fbc
0x00409fc6
0x00409fcb
0x00000000
0x00000000
0x00000000
0x00409fcb
0x00000000
0x00000000
0x00000000
0x00409e80
0x00409e80
0x00409e83
0x00409e88
0x00409e89
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00409DB2

Strings

Split, xrefs: 00409F01

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog
String ID: Split
API String ID: 3519838083-1882502421
Opcode ID: 194c36b4b70ddd0ddf39ecdeccd330cae3a4039afe243862eb5f2672bc401e5d
Instruction ID: 09c5a0370ad5ed14047af77479f4839a91d55b5c5a0b00876ef22aa24b9ab58f
Opcode Fuzzy Hash: 194c36b4b70ddd0ddf39ecdeccd330cae3a4039afe243862eb5f2672bc401e5d
Instruction Fuzzy Hash: 98022A70A00249EFCB10DFA5C8849AEBBB5BF48304F14847EE516EB392C739AE55CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004026C1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E004026C1(intOrPtr* __ecx, void* __eflags) {
				void* _t72;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t82;
				intOrPtr _t86;
				void* _t87;
				void* _t89;
				intOrPtr* _t93;
				void* _t98;
				void* _t99;
				void* _t101;
				void* _t103;
				void* _t146;
				intOrPtr* _t147;
				intOrPtr* _t150;
				void* _t152;
				void* _t159;

				_t159 = __eflags;
				E00418D80(E004195EF, _t152);
				_t150 = __ecx;
				E00404D7D(_t152 - 0x74);
				E0040368D(_t152 - 0x4c);
				_t146 = __ecx + 4;
				 *((intOrPtr*)(_t152 - 4)) = 0;
				_t72 = E00404DAF(_t152 - 0x74, _t159,  *((intOrPtr*)(__ecx + 4))); // executed
				if(_t72 != 0) {
					E0040E83C(_t152 - 0x30);
					 *((intOrPtr*)(_t152 - 0x24)) = 0;
					 *((intOrPtr*)(_t152 - 0x20)) = 0;
					 *((intOrPtr*)(_t152 - 0x1c)) = 0;
					 *((char*)(_t152 - 4)) = 2;
					E004028C3(_t152 - 0xc4);
					 *((intOrPtr*)(_t152 - 0xc4)) =  *_t150;
					 *((intOrPtr*)(_t152 - 0x9c)) = _t152 - 0x30;
					 *((char*)(_t152 - 4)) = 3;
					 *((intOrPtr*)(_t152 - 0x98)) = _t152 - 0x24;
					E004037D2(_t152 - 0x80, _t146);
					_t79 =  *((intOrPtr*)(_t150 + 0x1c));
					__eflags = _t79;
					if(_t79 == 0) {
						_t80 = 0;
						__eflags = 0;
					} else {
						_t80 = _t79 + 4;
					}
					_push(_t80);
					_t147 = _t150 + 0x28;
					_push(_t152 - 0xc4); // executed
					_t82 = E0040AFA7(_t147); // executed
					__eflags = _t82;
					 *((intOrPtr*)(_t150 + 0x88)) = _t82;
					if(__eflags == 0) {
						E00403740(_t152 - 0x18, __eflags, _t150 + 0x10);
						 *((char*)(_t152 - 4)) = 4;
						E004055BC(_t152 - 0x18);
						_t86 = E0040448C( *((intOrPtr*)(_t152 - 0x18)), __eflags); // executed
						__eflags = _t86;
						if(_t86 != 0) {
							_t87 = E004036F3(_t152 - 0x3c, "Default");
							 *((char*)(_t152 - 4)) = 6;
							_t89 = E00401D71( *((intOrPtr*)(_t150 + 0x1c)),  *((intOrPtr*)( *((intOrPtr*)( *_t147 +  *(_t147 + 4) * 4 - 4)))), _t152 - 0x18, _t87, _t152 - 0x5c, 0);
							 *((char*)(_t152 - 4)) = 4;
							E00403204(_t89,  *((intOrPtr*)(_t152 - 0x3c)));
							_t93 =  *((intOrPtr*)( *((intOrPtr*)( *_t147 +  *(_t147 + 4) * 4 - 4))));
							 *((intOrPtr*)(_t150 + 0x88)) =  *((intOrPtr*)( *_t93 + 0x1c))(_t93, 0, 0xffffffff, 0,  *((intOrPtr*)(_t150 + 0x20)));
							E00403204(E00403204(E00403204(_t94,  *((intOrPtr*)(_t152 - 0x18))),  *((intOrPtr*)(_t152 - 0x80))),  *((intOrPtr*)(_t152 - 0x24)));
						} else {
							_push(_t152 - 0x18);
							_t101 = E0040B7FD(_t152 - 0x3c);
							 *((char*)(_t152 - 4)) = 5;
							_t103 = E00403204(E004037D2(_t150 + 0x8c, _t101),  *((intOrPtr*)(_t152 - 0x3c)));
							 *((intOrPtr*)(_t150 + 0x88)) = 0x80004005;
							E00403204(E00403204(E00403204(_t103,  *((intOrPtr*)(_t152 - 0x18))),  *((intOrPtr*)(_t152 - 0x80))),  *((intOrPtr*)(_t152 - 0x24)));
						}
					} else {
						E00403204(E00403204(E004038D0(_t150 + 0x8c,  *0x41b620),  *((intOrPtr*)(_t152 - 0x80))),  *((intOrPtr*)(_t152 - 0x24)));
					}
					 *((char*)(_t152 - 4)) = 0;
					_t98 = E00402F4A(_t152 - 0x30);
				} else {
					_t98 = E004038D0(__ecx + 0x8c,  *0x41b61c);
					 *((intOrPtr*)(__ecx + 0x88)) = 0x80004005;
				}
				_t99 = E00403204(_t98,  *((intOrPtr*)(_t152 - 0x4c)));
				 *[fs:0x0] =  *((intOrPtr*)(_t152 - 0xc));
				return _t99;
			}

0x004026c1
0x004026c6
0x004026d3
0x004026d9
0x004026e1
0x004026e9
0x004026f1
0x004026f4
0x004026fb
0x00402720
0x00402725
0x00402728
0x0040272b
0x00402734
0x00402738
0x00402740
0x00402749
0x00402755
0x00402759
0x0040275f
0x00402764
0x00402767
0x00402769
0x00402770
0x00402770
0x0040276b
0x0040276b
0x0040276b
0x00402772
0x00402773
0x0040277e
0x0040277f
0x00402784
0x00402786
0x0040278c
0x004027bd
0x004027c5
0x004027c9
0x004027d1
0x004027d6
0x004027d8
0x00402832
0x0040283d
0x00402854
0x0040285c
0x00402860
0x00402874
0x00402882
0x00402898
0x004027da
0x004027e2
0x004027e6
0x004027f2
0x004027fe
0x00402806
0x00402820
0x00402825
0x0040278e
0x004027aa
0x004027b0
0x004028a3
0x004028a6
0x004026fd
0x00402709
0x0040270e
0x0040270e
0x004028ae
0x004028ba
0x004028c2

APIs

__EH_prolog.LIBCMT ref: 004026C6

Part of subcall function 00404DAF: __EH_prolog.LIBCMT ref: 00404DB4

Strings

Default, xrefs: 0040282A

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog
String ID: Default
API String ID: 3519838083-753088835
Opcode ID: 292ea48c8768a95794b35225bdc2b66726df2df7c89ab67701c3af441bcaefd0
Instruction ID: a54c0451a2b32841cee07a3996f3f819ed4c8f4dfc8041cf4803658e5a70c8e5
Opcode Fuzzy Hash: 292ea48c8768a95794b35225bdc2b66726df2df7c89ab67701c3af441bcaefd0
Instruction Fuzzy Hash: 84515171800109ABDB11EFA5C981EDDFBB9BF14308F1085AEE515B32D2DB786A09CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE8A Relevance: 3.2, APIs: 2, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0040FE8A(intOrPtr* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t116;
				void* _t117;
				intOrPtr _t122;
				intOrPtr _t124;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr* _t139;
				intOrPtr _t144;
				signed int _t145;
				void* _t150;
				signed int _t185;
				void* _t190;
				signed int _t191;
				intOrPtr _t193;
				intOrPtr* _t195;
				void* _t197;
				void* _t204;

				_t204 = __eflags;
				E00418D80(E0041A566, _t197);
				_t195 = __ecx;
				_push(_t190);
				 *((intOrPtr*)(_t197 - 0x1c)) = __ecx;
				E0040E063(_t197 - 0xa0);
				 *(_t197 - 4) = 0;
				 *((intOrPtr*)(_t197 - 0x2c)) = 0;
				 *((intOrPtr*)(_t197 - 0x28)) = 0;
				 *((intOrPtr*)(_t197 - 0x24)) = 0;
				 *(_t197 - 4) = 1;
				E0040E83C(_t197 - 0x44);
				 *(_t197 - 4) = 2;
				E0040E83C(_t197 - 0x38);
				 *(_t197 - 4) = 3;
				E0040FC2A(0, __ecx, __edx, _t190, __ecx, _t204, 0,  *((intOrPtr*)(_t197 + 0x10)), _t197 - 0xa0, _t197 - 0x2c, _t197 - 0x44);
				E0040BC60(_t197 - 0x100, _t204,  *((intOrPtr*)(_t195 + 0x78)));
				_t191 = 0;
				 *(_t197 - 4) = 4;
				 *(_t197 - 0x14) = 0;
				if( *((intOrPtr*)(_t197 - 0x9c)) <= 0) {
					L21:
					_t116 =  *((intOrPtr*)(_t197 - 0x98));
					if(_t116 != 0) {
						 *((intOrPtr*)(_t195 + 0x70)) =  *((intOrPtr*)(_t195 + 0x70)) +  *((intOrPtr*)(_t116 +  *(_t197 - 0xa0) * 8));
						asm("adc [esi+0x74], eax");
					}
					 *(_t197 - 4) = 3;
					_t117 = E0040DC5D(_t197 - 0x100); // executed
					E00403204(E00403204(E00403204(_t117,  *((intOrPtr*)(_t197 - 0x38))),  *((intOrPtr*)(_t197 - 0x44))),  *((intOrPtr*)(_t197 - 0x2c)));
					 *(_t197 - 4) =  *(_t197 - 4) | 0xffffffff;
					E0040DF15(_t197 - 0xa0);
					_t122 = 0;
					L24:
					 *[fs:0x0] =  *((intOrPtr*)(_t197 - 0xc));
					return _t122;
				}
				while(1) {
					_t124 = E00410D82( *((intOrPtr*)(_t197 + 0x14)));
					_t169 = _t124;
					 *((intOrPtr*)(_t197 - 0x18)) = _t124;
					_t185 = ( *( *((intOrPtr*)(_t197 - 0x6c)) + _t191) & 0x000000ff) +  *((intOrPtr*)( *((intOrPtr*)(_t197 - 0x74)) + _t191 * 4));
					_t127 =  *((intOrPtr*)(_t197 - 0x78));
					_t193 =  *((intOrPtr*)(_t127 + _t185 * 8));
					_t128 =  *((intOrPtr*)(_t127 + 4 + _t185 * 8));
					if(_t193 != _t193 || 0 != _t128) {
						break;
					}
					E00407AB8(_t169, _t193);
					_push(0x14);
					_t139 = E004031DD();
					if(_t139 == 0) {
						_t195 = 0;
						__eflags = 0;
					} else {
						 *((intOrPtr*)(_t139 + 4)) = 0;
						 *_t139 = 0x41bd38;
						_t195 = _t139;
					}
					_t209 = _t195;
					 *((intOrPtr*)(_t197 - 0x48)) = _t195;
					if(_t195 != 0) {
						 *((intOrPtr*)( *_t195 + 4))(_t195);
					}
					 *((intOrPtr*)(_t195 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t197 - 0x18))));
					 *((intOrPtr*)(_t195 + 0x10)) = 0;
					 *((intOrPtr*)(_t195 + 0xc)) = _t193;
					 *(_t197 - 4) = 5;
					 *((char*)(_t197 - 0xd)) = 0;
					asm("adc ecx, [ebp+0xc]");
					_t144 = E0040BD85(_t197 - 0x100, _t209,  *((intOrPtr*)( *((intOrPtr*)(_t197 - 0x1c)))),  *((intOrPtr*)( *((intOrPtr*)(_t197 + 0x10)))) +  *((intOrPtr*)(_t197 + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t197 + 0x10)) + 4)), _t197 - 0xa0,  *(_t197 - 0x14), 0, _t195, 0, 0, _t197 - 0xd, 0, 1, 0, 0); // executed
					 *((intOrPtr*)(_t197 - 0x20)) = _t144;
					if(_t144 != 0) {
						L26:
						__eflags = _t195;
						 *(_t197 - 4) = 4;
						if(_t195 != 0) {
							 *((intOrPtr*)( *_t195 + 8))(_t195);
						}
						 *(_t197 - 4) = 3;
						E00403204(E00403204(E00403204(E0040DC5D(_t197 - 0x100),  *((intOrPtr*)(_t197 - 0x38))),  *((intOrPtr*)(_t197 - 0x44))),  *((intOrPtr*)(_t197 - 0x2c)));
						 *(_t197 - 4) =  *(_t197 - 4) | 0xffffffff;
						E0040DF15(_t197 - 0xa0);
						_t122 =  *((intOrPtr*)(_t197 - 0x20));
						goto L24;
					} else {
						if( *((intOrPtr*)(_t197 - 0xd)) != 0) {
							 *((char*)( *((intOrPtr*)(_t197 - 0x1c)) + 0x3c)) = 1;
						}
						_t145 =  *(_t197 - 0x14);
						if(_t145 <  *((intOrPtr*)(_t197 - 0x90)) &&  *((intOrPtr*)( *((intOrPtr*)(_t197 - 0x94)) + _t145)) != 0) {
							 *((intOrPtr*)(_t197 - 0x18)) =  *((intOrPtr*)(_t197 - 0x88)) + _t145 * 4;
							_t150 = E00418C10( *((intOrPtr*)( *((intOrPtr*)(_t197 - 0x18)))), _t193);
							_t181 =  *((intOrPtr*)(_t197 - 0x18));
							if(_t150 !=  *((intOrPtr*)( *((intOrPtr*)(_t197 - 0x18))))) {
								E0040E966(_t181);
							}
						}
						 *(_t197 - 4) = 4;
						if(_t195 != 0) {
							 *((intOrPtr*)( *_t195 + 8))(_t195);
						}
						 *(_t197 - 0x14) =  *(_t197 - 0x14) + 1;
						if( *(_t197 - 0x14) <  *((intOrPtr*)(_t197 - 0x9c))) {
							_t191 =  *(_t197 - 0x14);
							continue;
						} else {
							_t195 =  *((intOrPtr*)(_t197 - 0x1c));
							goto L21;
						}
					}
				}
				_push(0x41de18);
				_push(_t197 + 0x13);
				L00418E02();
				goto L26;
			}

0x0040fe8a
0x0040fe8f
0x0040fe9c
0x0040fe9e
0x0040fea5
0x0040fea8
0x0040feaf
0x0040feb2
0x0040feb5
0x0040feb8
0x0040febe
0x0040fec2
0x0040feca
0x0040fece
0x0040fee4
0x0040feec
0x0040fefb
0x0040ff00
0x0040ff08
0x0040ff0c
0x0040ff0f
0x0041003d
0x0041003d
0x00410045
0x00410054
0x00410057
0x00410057
0x00410060
0x00410064
0x0041007c
0x00410081
0x0041008e
0x00410093
0x00410095
0x0041009b
0x004100a3
0x004100a3
0x0040ff1a
0x0040ff1d
0x0040ff22
0x0040ff27
0x0040ff31
0x0040ff34
0x0040ff37
0x0040ff3c
0x0040ff40
0x00000000
0x00000000
0x0040ff4f
0x0040ff54
0x0040ff56
0x0040ff5e
0x0040ff6d
0x0040ff6d
0x0040ff60
0x0040ff60
0x0040ff63
0x0040ff69
0x0040ff69
0x0040ff6f
0x0040ff71
0x0040ff74
0x0040ff79
0x0040ff79
0x0040ff97
0x0040ffa1
0x0040ffa4
0x0040ffb1
0x0040ffb5
0x0040ffb8
0x0040ffc4
0x0040ffcb
0x0040ffce
0x004100ba
0x004100ba
0x004100bc
0x004100c0
0x004100c5
0x004100c5
0x004100ce
0x004100ea
0x004100ef
0x004100fc
0x00410101
0x00000000
0x0040ffd4
0x0040ffd7
0x0040ffdc
0x0040ffdc
0x0040ffe0
0x0040ffe9
0x00410006
0x00410009
0x0041000e
0x00410013
0x00410015
0x00410015
0x00410013
0x0041001c
0x00410020
0x00410025
0x00410025
0x00410028
0x00410034
0x0040ff17
0x00000000
0x0041003a
0x0041003a
0x00000000
0x0041003a
0x00410034
0x0040ffce
0x004100a9
0x004100b4
0x004100b5
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0040FE8F
_CxxThrowException.MSVCRT(?,0041DE18), ref: 004100B5

Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: ExceptionThrow$H_prologmalloc
String ID:
API String ID: 3044594480-0
Opcode ID: 3d6fd14ed535950da227749563d5e7bcc11e15d91ee31bef63e9bdc9bbde4a1b
Instruction ID: 88fd23d13b2165b9f29fbfc804bd3c55ab1378a3526c832d929a2e01daa6a8e0
Opcode Fuzzy Hash: 3d6fd14ed535950da227749563d5e7bcc11e15d91ee31bef63e9bdc9bbde4a1b
Instruction Fuzzy Hash: 5B814E71D002499FCB21DFA9C881AEEBBB4AF09304F1480AEE555B7292C7785E85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00404678 Relevance: 3.1, APIs: 2, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00404678(intOrPtr* __ecx, void* __eflags) {
				void* _t63;
				signed char _t65;
				signed char _t67;
				signed int _t69;
				void* _t70;
				signed int _t79;
				signed int _t88;
				intOrPtr _t92;
				signed char _t94;
				intOrPtr* _t124;
				signed int _t128;
				void* _t129;
				void* _t134;

				_t134 = __eflags;
				E00418D80(E0041992B, _t129);
				_t124 = __ecx;
				_t94 = 1;
				 *(_t129 - 0xd) = _t94;
				E00404D7D(_t129 - 0x9c);
				E0040368D(_t129 - 0x74);
				 *(_t129 - 4) =  *(_t129 - 4) & 0x00000000;
				_t63 = E00404DAF(_t129 - 0x9c, _t134,  *__ecx); // executed
				if(_t63 != 0) {
					_t65 =  *(_t129 - 0x7c) >> 4;
					__eflags = _t94 & _t65;
					if((_t94 & _t65) != 0) {
						_t67 =  *(_t129 - 0x7c) >> 0xa;
						__eflags = _t94 & _t67;
						if((_t94 & _t67) != 0) {
							_t14 = _t129 - 0xd;
							 *_t14 =  *(_t129 - 0xd) & 0x00000000;
							__eflags =  *_t14;
						}
						 *(_t129 - 4) =  *(_t129 - 4) | 0xffffffff;
						E00403204(_t67,  *((intOrPtr*)(_t129 - 0x74)));
						__eflags =  *(_t129 - 0xd);
						if(__eflags == 0) {
							L19:
							_t69 = E00404462( *_t124, 0);
							__eflags = _t69;
							if(_t69 != 0) {
								_t70 = E00404470( *_t124);
							} else {
								goto L20;
							}
						} else {
							E00403740(_t129 - 0x1c, __eflags, _t124);
							 *(_t129 - 4) = _t94;
							E00401EF8(_t129 - 0x1c, 0x5c);
							_t128 =  *(_t129 - 0x18);
							_t24 = _t129 - 0x2c;
							 *_t24 =  *(_t129 - 0x2c) | 0xffffffff;
							__eflags =  *_t24;
							 *(_t129 - 4) = 2;
							E0040368D(_t129 - 0x28);
							 *(_t129 - 4) = 3;
							E004051F7(_t129 - 0x2c, _t129 - 0x1c);
							E00404D7D(_t129 - 0x64);
							E0040368D(_t129 - 0x3c);
							 *(_t129 - 4) = 4;
							while(1) {
								_t79 = E00405233(_t129 - 0x2c, _t129 - 0x64);
								__eflags = _t79;
								if(_t79 == 0) {
									break;
								}
								__eflags = _t128 -  *(_t129 - 0x18);
								if(__eflags < 0) {
									_t92 =  *((intOrPtr*)(_t129 - 0x1c));
									 *(_t129 - 0x18) = _t128;
									_t39 = _t92 + _t128 * 2;
									 *_t39 =  *(_t92 + _t128 * 2) & 0x00000000;
									__eflags =  *_t39;
								}
								E0040399C(_t129 - 0x1c, __eflags, _t129 - 0x3c);
								__eflags = _t94 &  *(_t129 - 0x44) >> 0x00000004;
								if(__eflags == 0) {
									_t88 = E00404643( *((intOrPtr*)(_t129 - 0x1c)), __eflags);
								} else {
									_t88 = E00404678(_t129 - 0x1c, __eflags);
								}
								__eflags = _t88;
								if(_t88 == 0) {
									E00403204(E00403204(_t88,  *((intOrPtr*)(_t129 - 0x3c))),  *((intOrPtr*)(_t129 - 0x28)));
									_t65 = E00404B27(_t129 - 0x2c);
									_push( *((intOrPtr*)(_t129 - 0x1c)));
									goto L2;
								} else {
									continue;
								}
								goto L22;
							}
							E00403204(E00403204(_t79,  *((intOrPtr*)(_t129 - 0x3c))),  *((intOrPtr*)(_t129 - 0x28)));
							E00403204(E00404B27(_t129 - 0x2c),  *((intOrPtr*)(_t129 - 0x1c)));
							goto L19;
						}
					} else {
						SetLastError(0x10b);
						goto L1;
					}
				} else {
					L1:
					_push( *((intOrPtr*)(_t129 - 0x74)));
					L2:
					E00403204(_t65);
					L20:
					_t70 = 0;
				}
				L22:
				 *[fs:0x0] =  *((intOrPtr*)(_t129 - 0xc));
				return _t70;
			}

0x00404678
0x0040467d
0x0040468d
0x0040468f
0x00404696
0x00404699
0x004046a1
0x004046a8
0x004046b2
0x004046b9
0x004046cc
0x004046cf
0x004046d1
0x004046e3
0x004046e6
0x004046e8
0x004046ea
0x004046ea
0x004046ea
0x004046ea
0x004046f1
0x004046f5
0x004046fa
0x004046ff
0x004047e5
0x004047e9
0x004047ee
0x004047f0
0x004047f8
0x00000000
0x00000000
0x00000000
0x00404705
0x00404709
0x00404713
0x00404716
0x0040471b
0x0040471e
0x0040471e
0x0040471e
0x00404725
0x00404729
0x00404735
0x00404739
0x00404741
0x00404749
0x0040474e
0x00404752
0x00404759
0x0040475e
0x00404760
0x00000000
0x00000000
0x00404762
0x00404765
0x00404767
0x0040476a
0x0040476d
0x0040476d
0x0040476d
0x0040476d
0x00404779
0x00404784
0x00404786
0x00404799
0x00404788
0x0040478b
0x0040478b
0x00404790
0x00404792
0x004047ab
0x004047b5
0x004047ba
0x00000000
0x00404794
0x00000000
0x00404794
0x00000000
0x00404792
0x004047cd
0x004047df
0x00000000
0x004047e4
0x004046d3
0x004046d8
0x00000000
0x004046d8
0x004046bb
0x004046bb
0x004046bb
0x004046be
0x004046be
0x004047f2
0x004047f2
0x004047f2
0x004047fd
0x00404803
0x0040480b

APIs

__EH_prolog.LIBCMT ref: 0040467D

Part of subcall function 00404DAF: __EH_prolog.LIBCMT ref: 00404DB4

SetLastError.KERNEL32(0000010B,?,776382C0,?,00000000), ref: 004046D8

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog$ErrorLast
String ID:
API String ID: 2901101390-0
Opcode ID: 898bcb3355352a636011a3579ef66ddfafa831f9b504ef7429c9327cc1ab5d0d
Instruction ID: 7e41f2cfff906f94df3d93499aef528f4dd0a588830c47bb788408f42dae3ac8
Opcode Fuzzy Hash: 898bcb3355352a636011a3579ef66ddfafa831f9b504ef7429c9327cc1ab5d0d
Instruction Fuzzy Hash: 8D416C71C002089ADF14EBA6D442AEDBB74AF45318F2080BEE661731D2DB3D6A09DB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040B290 Relevance: 3.0, APIs: 2, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E0040B290(void* __ecx, void* __eflags) {
				intOrPtr* _t23;
				signed char _t24;
				void* _t26;
				void* _t46;
				void* _t48;
				void* _t53;

				_t53 = __eflags;
				E00418D80(E00419F70, _t48);
				_t46 = __ecx;
				E004037D2(__ecx + 0x10,  *((intOrPtr*)(_t48 + 8)));
				_t23 = E00403632(_t48 - 0x18, __ecx + 0x10,  *((intOrPtr*)(_t48 + 0xc)));
				 *(_t48 - 4) = 0;
				_t24 = E00404DAF(__ecx + 0x20, _t53,  *_t23); // executed
				asm("sbb bl, bl");
				 *(_t48 - 4) =  *(_t48 - 4) | 0xffffffff;
				E00403204(_t24,  *((intOrPtr*)(_t48 - 0x18)));
				if( ~_t24 + 1 != 0) {
					_push(0x41c760);
					_push(_t48 + 8);
					 *((intOrPtr*)(_t48 + 8)) = 0x133061e;
					L00418E02();
				}
				_t26 = E004030D0(_t46 + 0x68);
				 *((intOrPtr*)(_t46 + 0x78)) = 0;
				 *((intOrPtr*)(_t46 + 0x84)) = 0;
				 *(_t46 + 0x58) =  *(_t46 + 0x58) & 0x00000000;
				 *(_t46 + 0x8c) =  *(_t46 + 0x8c) & 0x00000000;
				 *[fs:0x0] =  *((intOrPtr*)(_t48 - 0xc));
				return _t26;
			}

0x0040b290
0x0040b295
0x0040b29f
0x0040b2aa
0x0040b2b7
0x0040b2c3
0x0040b2c6
0x0040b2d2
0x0040b2d4
0x0040b2da
0x0040b2e2
0x0040b2e7
0x0040b2ec
0x0040b2ed
0x0040b2f4
0x0040b2f4
0x0040b2fc
0x0040b304
0x0040b307
0x0040b30d
0x0040b311
0x0040b31b
0x0040b323

APIs

__EH_prolog.LIBCMT ref: 0040B295

Part of subcall function 00404DAF: __EH_prolog.LIBCMT ref: 00404DB4

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

_CxxThrowException.MSVCRT(?,0041C760), ref: 0040B2F4

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog$ExceptionThrowfree
String ID:
API String ID: 1371406966-0
Opcode ID: ec4d247574fff5ead4947f581fa00135c9d74d8b5b33173528e34598dd795744
Instruction ID: 3991b56aa772d61d3444a8cef0fd9670766af5abd261621a3301c4c09fd1f304
Opcode Fuzzy Hash: ec4d247574fff5ead4947f581fa00135c9d74d8b5b33173528e34598dd795744
Instruction Fuzzy Hash: 11012175640204AAC725EF22C451BDEBFF4EF80314F00852FE892A32E1CB786A49CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00405303 Relevance: 3.0, APIs: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00405303(void** __ecx, long _a4, signed int _a8, long _a12, intOrPtr* _a16) {
				long _v8;
				signed int _t9;
				long _t11;
				void* _t12;
				intOrPtr* _t14;
				void* _t15;
				signed int _t21;
				long _t23;

				_push(__ecx);
				_t9 = _a8;
				_v8 = _t9;
				_t21 = _t9 >> 0x1f;
				_t11 = SetFilePointer( *__ecx, _a4,  &_v8, _a12); // executed
				_t23 = _t11;
				if(_t23 != 0xffffffff || GetLastError() == 0) {
					_t12 = E004190A0(_v8, 0, 0, 1);
					asm("adc edx, eax");
					_t14 = _a16;
					 *_t14 = _t12 + _t23;
					 *(_t14 + 4) = _t21;
					_t15 = 1;
				} else {
					_t15 = 0;
				}
				return _t15;
			}

0x00405306
0x00405307
0x00405310
0x0040531a
0x0040531f
0x00405325
0x0040532a
0x00405343
0x0040534e
0x00405350
0x00405353
0x00405355
0x00405358
0x00405336
0x00405336
0x00405336
0x0040535c

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 0040531F
GetLastError.KERNEL32(?,?,?,?), ref: 0040532C

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: e5f51623b6d1066f15c38e0f7a766acb83092e1d779a669a0f1b84784c969e98
Instruction ID: 9124dc6d7053f8d6efb0d5dd32d4d25d1ca9512a9ee8f9f64a9de147337f6b78
Opcode Fuzzy Hash: e5f51623b6d1066f15c38e0f7a766acb83092e1d779a669a0f1b84784c969e98
Instruction Fuzzy Hash: 11F04971600208ABCB11DF69DC05BDB3BE5EB49354F108165F915E72A0E6759D10AAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410B21 Relevance: 3.0, APIs: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00410B21(void* __ecx) {
				void* _t15;
				intOrPtr _t25;
				void* _t30;
				intOrPtr _t32;

				E00418D80(E0041A5F8, _t30);
				_push(__ecx);
				_push(__ecx);
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
				_t25 =  *((intOrPtr*)(_t30 + 8));
				 *((intOrPtr*)(_t30 - 0x10)) = _t32;
				_push(_t25); // executed
				_t15 = E00410864(__ecx); // executed
				if( *((char*)(__ecx + 0x3c)) != 0) {
					 *((char*)(_t25 + 0x14a)) = 1;
				}
				if(_t15 != 0x80004001) {
					 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
					return _t15;
				} else {
					_push(0x41de18);
					 *((char*)(_t30 - 0x11)) =  *((intOrPtr*)(_t30 + 0xb));
					_push(_t30 - 0x11);
					L00418E02();
					 *((char*)( *((intOrPtr*)(_t30 + 8)) + 0x14e)) = 1;
					return E00410B8A;
				}
			}

0x00410b26
0x00410b2b
0x00410b2c
0x00410b2d
0x00410b34
0x00410b37
0x00410b3c
0x00410b3d
0x00410b46
0x00410b48
0x00410b48
0x00410b54
0x00410b92
0x00410b9b
0x00410b56
0x00410b59
0x00410b5e
0x00410b64
0x00410b65
0x00410b6d
0x00410b79
0x00410b79

APIs

__EH_prolog.LIBCMT ref: 00410B26

Part of subcall function 00410864: __EH_prolog.LIBCMT ref: 00410869

_CxxThrowException.MSVCRT(?,0041DE18), ref: 00410B65

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 8af01c6eb10b9063be972fec532e90461c8519683e3f33f3519498f04b14a68e
Instruction ID: 66cfeec8bba6f5a58313027dc29a8bde198ffc6f74079f781ea7209b80be1e28
Opcode Fuzzy Hash: 8af01c6eb10b9063be972fec532e90461c8519683e3f33f3519498f04b14a68e
Instruction Fuzzy Hash: 86F0FC71548344AEDB11DB98C4457EEBBA4EB55318F04405FF0449B241C7FCB9C487A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040264D Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040264D(void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v16;
				void* _t26;

				_t26 = __ecx;
				_t25 = __ecx + 0x68;
				E004037D2(__ecx + 0x74, _a4);
				E004061F9(_t25, 0x61, 0);
				E00418A70( *_a8);
				E00403204(SetWindowTextW( *(__ecx + 0x6c),  *(E004026AE())), _v16);
				ShowWindow( *(_t26 + 0x6c), 1); // executed
				return 0;
			}

0x00402654
0x0040265a
0x00402660
0x0040266b
0x00402675
0x00402695
0x004026a0
0x004026ab

APIs

Part of subcall function 004061F9: DialogBoxParamW.USER32 ref: 0040620D

Part of subcall function 00418A70: WaitForSingleObject.KERNEL32(?,000000FF,0040267A,00000061,00000000,00000000,?,00000000,776382C0,00000000,00000000), ref: 00418A73

SetWindowTextW.USER32(?,00000000), ref: 0040268C

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

ShowWindow.USER32(?,00000001,?,00000000,776382C0,00000000,00000000), ref: 004026A0

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: Window$DialogObjectParamShowSingleTextWaitfree
String ID:
API String ID: 104635807-0
Opcode ID: 6674452503a26a7a8754b7cfc1eb90645af53cf7d05e055e45dff84495ee339c
Instruction ID: f209a93877da6c0e9dfedf233186af25da3bb68def068462b6c52060b6a34cc7
Opcode Fuzzy Hash: 6674452503a26a7a8754b7cfc1eb90645af53cf7d05e055e45dff84495ee339c
Instruction Fuzzy Hash: ECF09031200104BFDB10BB11EC06E9E7B66FF40314F10843EF5426A2F1DBB5A925DB84

Uniqueness

Uniqueness Score: -1.00%

Function 00418A80 Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418A80(intOrPtr* __ecx, void* __edx, char _a4) {
				char* _t3;
				long _t4;
				void* _t10;

				_t3 =  &_a4;
				__imp___beginthreadex(0, 0, __edx, _a4, 0, _t3, _t10); // executed
				 *__ecx = _t3;
				if(_t3 == 0) {
					_t4 = GetLastError();
					if(_t4 == 0) {
						return 1;
					}
					return _t4;
				} else {
					return 0;
				}
			}

0x00418a81
0x00418a94
0x00418a9d
0x00418aa2
0x00418aa9
0x00418ab1
0x00000000
0x00418ab3
0x00418ab8
0x00418aa4
0x00418aa6
0x00418aa6

APIs

_beginthreadex.MSVCRT ref: 00418A94
GetLastError.KERNEL32(?,?,776382C0,00000000,00000000), ref: 00418AA9

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: ErrorLast_beginthreadex
String ID:
API String ID: 4034172046-0
Opcode ID: c548e9af719ead334f14ed1d54a67b1793e344066bbd5669ca46e26d0f3a0ecb
Instruction ID: 70daae52a94726005310dc0db4673b1cb6198bfb299c528c22bbb718e3dc4f27
Opcode Fuzzy Hash: c548e9af719ead334f14ed1d54a67b1793e344066bbd5669ca46e26d0f3a0ecb
Instruction Fuzzy Hash: D2E0E6B12052026FE3109B64DC15FA77698EF94781F44847EB545D6280EB749850C7B9

Uniqueness

Uniqueness Score: -1.00%

Function 00418A40 Relevance: 3.0, APIs: 2, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00418A40(void** __ecx) {
				void* _t1;
				int _t3;
				long _t4;
				intOrPtr* _t7;

				_t7 = __ecx;
				_t1 =  *__ecx;
				if(_t1 == 0) {
					L5:
					return 0;
				}
				_t3 = FindCloseChangeNotification(_t1); // executed
				if(_t3 != 0) {
					 *_t7 = 0;
					goto L5;
				}
				_t4 = GetLastError();
				if(_t4 != 0) {
					return _t4;
				} else {
					return 1;
				}
			}

0x00418a41
0x00418a43
0x00418a47
0x00418a6b
0x00000000
0x00418a6b
0x00418a4a
0x00418a52
0x00418a65
0x00000000
0x00418a65
0x00418a54
0x00418a5c
0x00418a6e
0x00418a5e
0x00418a64
0x00418a64

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,004025E4,?,00000000,?,00000000,?,?,776382C0,00000000,00000000), ref: 00418A4A
GetLastError.KERNEL32(?,776382C0,00000000,00000000), ref: 00418A54

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 0433229ef2530785905c04bfe02dbd6fb0e4ed519826bd7185666009005914ad
Instruction ID: 7535ee298610e88dfaab19b27145df70c5ba92bd44e4c2e9d74370dd166c20af
Opcode Fuzzy Hash: 0433229ef2530785905c04bfe02dbd6fb0e4ed519826bd7185666009005914ad
Instruction Fuzzy Hash: EDD09E316141118FEB705F79BC087D726D8AF04791F15846FB450C2344EF68CDC146A8

Uniqueness

Uniqueness Score: -1.00%

Function 00405FD6 Relevance: 3.0, APIs: 2, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405FD6(DWORD* __ecx) {
				int _t4;

				_t4 = GetProcessAffinityMask(GetCurrentProcess(), __ecx,  &(__ecx[1])); // executed
				return _t4;
			}

0x00405fe2
0x00405fe8

APIs

GetCurrentProcess.KERNEL32(?,?,00405FF7), ref: 00405FDB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00405FE2

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 07db69285f0a9f4bd27611239e22615ac5e837d892164ec821e022bab2d23e48
Instruction ID: 732ff7f231baee20a9cffd8d9fa0ed88e0eff740d633cb47fb09654a2f39704a
Opcode Fuzzy Hash: 07db69285f0a9f4bd27611239e22615ac5e837d892164ec821e022bab2d23e48
Instruction Fuzzy Hash: 80B092B1400104ABCE009BA0DE0C86B3E2CEA0C2013048468B215C1012DB3AC0018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004031DD Relevance: 2.5, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004031DD(int _a4, char _a7) {
				void* _t5;
				char* _t7;

				_t5 = malloc(_a4); // executed
				if(_t5 == 0) {
					_push(0x41c8c8);
					_t7 =  &_a7;
					_push(_t7);
					L00418E02();
					return _t7;
				}
				return _t5;
			}

0x004031e3
0x004031ec
0x004031f1
0x004031f9
0x004031fc
0x004031fd
0x00000000
0x004031fd
0x00403203

APIs

malloc.MSVCRT ref: 004031E3
_CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: ExceptionThrowmalloc
String ID:
API String ID: 2436765578-0
Opcode ID: a06ede8ce10373c961941a0e1058ae9254320e152fb985f8e6ab7cb75a938dad
Instruction ID: 21ad3b6c62fa819954115c8b0a5ff63e7c490964cbfc0d860bfe7ccd9a4adc8e
Opcode Fuzzy Hash: a06ede8ce10373c961941a0e1058ae9254320e152fb985f8e6ab7cb75a938dad
Instruction Fuzzy Hash: D9D0A73114434C7ACF016FE19C059CA3F5C9901671B00D46BF8588E116D634D3844758

Uniqueness

Uniqueness Score: -1.00%

Function 0040D4B4 Relevance: 2.0, APIs: 1, Instructions: 536
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040D4B4() {
				signed int _t311;
				signed int _t317;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t331;
				signed int _t332;
				signed int _t334;
				signed int _t335;
				signed int _t340;
				signed int _t342;
				signed int _t343;
				signed int _t347;
				signed int _t349;
				signed int _t350;
				signed int _t352;
				signed int _t353;
				intOrPtr _t358;
				signed int _t360;
				signed int _t361;
				signed int _t368;
				signed int _t369;
				signed int _t371;
				signed int _t372;
				signed int _t377;
				signed int _t378;
				signed int _t380;
				signed int _t393;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t405;
				signed int _t407;
				intOrPtr _t408;
				signed int _t410;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t428;
				intOrPtr _t453;
				signed int _t459;
				signed int _t472;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				signed int _t483;
				signed int _t484;
				signed int _t485;
				signed int _t486;
				signed int _t488;
				signed int _t494;
				void* _t496;
				void* _t498;

				E00418D80(E0041A39B, _t496);
				_t483 =  *(_t496 + 0x18);
				_t400 = _t483;
				 *((intOrPtr*)(_t496 - 0x10)) = _t498 - 0x9c;
				 *(_t496 - 4) = 0;
				 *(_t496 - 0x1c) = _t400;
				if(_t483 != 0) {
					 *((intOrPtr*)( *_t483 + 4))(_t483);
				}
				 *((intOrPtr*)(_t496 - 0x34)) = 0;
				 *(_t496 - 0x30) = 0;
				_t494 =  *(_t496 + 8);
				 *(_t496 + 0x1b) =  *((intOrPtr*)(_t496 + 0x10)) == 0xffffffff;
				 *(_t496 - 4) = 1;
				if( *(_t496 + 0x1b) != 0) {
					 *((intOrPtr*)(_t496 + 0x10)) =  *((intOrPtr*)(_t494 + 0x8c));
				}
				if( *((intOrPtr*)(_t496 + 0x10)) != 0) {
					_t484 = _t483 | 0xffffffff;
					__eflags = _t484;
					 *(_t496 + 8) = 0;
					while(1) {
						__eflags =  *(_t496 + 8) -  *((intOrPtr*)(_t496 + 0x10));
						if( *(_t496 + 8) >=  *((intOrPtr*)(_t496 + 0x10))) {
							break;
						}
						__eflags =  *(_t496 + 0x1b);
						if( *(_t496 + 0x1b) == 0) {
							_t393 =  *( *((intOrPtr*)(_t496 + 0xc)) +  *(_t496 + 8) * 4);
						} else {
							_t393 =  *(_t496 + 8);
						}
						_t472 =  *( *((intOrPtr*)(_t494 + 0x164)) + _t393 * 4);
						__eflags = _t472 - 0xffffffff;
						if(_t472 == 0xffffffff) {
							L20:
							 *(_t496 + 8) =  *(_t496 + 8) + 1;
							continue;
						} else {
							__eflags = _t472 - _t484;
							if(_t472 != _t484) {
								L15:
								_t477 =  *( *((intOrPtr*)(_t494 + 0x160)) + _t472 * 4);
								L16:
								 *(_t496 - 0x20) = _t477;
								while(1) {
									__eflags =  *(_t496 - 0x20) - _t393;
									if( *(_t496 - 0x20) > _t393) {
										break;
									}
									_t400 =  *(_t496 - 0x1c);
									 *((intOrPtr*)(_t496 - 0x34)) =  *((intOrPtr*)(_t496 - 0x34)) +  *((intOrPtr*)(( *(_t496 - 0x20) << 4) +  *((intOrPtr*)(_t494 + 0x88))));
									asm("adc [ebp-0x30], edx");
									 *(_t496 - 0x20) =  *(_t496 - 0x20) + 1;
								}
								_t44 = _t393 + 1; // 0x1
								_t477 = _t44;
								_t484 = _t472;
								goto L20;
							}
							__eflags = _t393 - _t477;
							if(_t393 >= _t477) {
								goto L16;
							}
							goto L15;
						}
					}
					_t485 =  *((intOrPtr*)( *_t400 + 0xc))(_t400,  *((intOrPtr*)(_t496 - 0x34)),  *(_t496 - 0x30));
					__eflags = _t485;
					if(_t485 == 0) {
						_push(0x38);
						_t410 = E004031DD();
						 *(_t496 + 8) = _t410;
						__eflags = _t410;
						 *(_t496 - 4) = 2;
						if(_t410 == 0) {
							_t486 = 0;
							__eflags = 0;
						} else {
							_t486 = E0040765F(_t410);
						}
						__eflags = _t486;
						 *(_t496 - 0x30) = _t486;
						 *(_t496 - 4) = 1;
						 *(_t496 - 0x24) = _t486;
						if(_t486 != 0) {
							 *((intOrPtr*)( *_t486 + 4))(_t486);
						}
						 *(_t496 - 4) = 3;
						E004076F5(_t486, _t400);
						E0040BC60(_t496 - 0xa8, __eflags, 1);
						 *(_t496 - 0x14) =  *(_t496 - 0x14) & 0x00000000;
						 *(_t496 - 4) = 5;
						 *((intOrPtr*)( *_t400))(_t400, 0x41b230, _t496 - 0x14, 0);
						_push(0x38);
						_t415 = E004031DD();
						 *(_t496 + 8) = _t415;
						__eflags = _t415;
						 *(_t496 - 4) = 6;
						if(_t415 == 0) {
							_t401 = 0;
							__eflags = 0;
						} else {
							_t401 = E0040DB8E(_t415);
						}
						__eflags = _t401;
						 *(_t496 - 4) = 5;
						 *(_t496 - 0x2c) = _t401;
						 *(_t496 - 0x18) = _t401;
						if(_t401 != 0) {
							 *((intOrPtr*)( *_t401 + 4))(_t401);
						}
						_t73 = _t401 + 0x30; // 0x30
						_t416 = _t73;
						 *(_t496 - 4) = 7;
						 *((intOrPtr*)(_t401 + 0x2c)) = _t494 + 0x30;
						E004063E5(_t416,  *(_t496 - 0x1c));
						__eflags =  *(_t496 + 0x14);
						 *(_t496 - 0x20) = 0;
						_t417 = _t416 & 0xffffff00 |  *(_t496 + 0x14) != 0x00000000;
						 *(_t401 + 0xc) = _t417;
						__eflags =  *(_t494 + 0x180);
						_t83 =  *(_t494 + 0x180) != 0;
						__eflags = _t83;
						 *((char*)(_t401 + 0xd)) = _t417 & 0xffffff00 | _t83;
						while(1) {
							_t402 = E004077D1(_t486);
							__eflags = _t402;
							if(_t402 != 0) {
								break;
							}
							_t474 =  *(_t496 - 0x20);
							__eflags = _t474 -  *((intOrPtr*)(_t496 + 0x10));
							if(_t474 <  *((intOrPtr*)(_t496 + 0x10))) {
								__eflags =  *(_t496 + 0x1b);
								 *((intOrPtr*)(_t496 - 0x3c)) = 0;
								 *((intOrPtr*)(_t496 - 0x38)) = 0;
								 *((intOrPtr*)(_t496 - 0x48)) = 0;
								 *((intOrPtr*)(_t496 - 0x44)) = 0;
								if( *(_t496 + 0x1b) == 0) {
									_t474 =  *( *((intOrPtr*)(_t496 + 0xc)) + _t474 * 4);
								}
								 *(_t496 - 0x40) = 1;
								_t488 =  *( *((intOrPtr*)(_t494 + 0x164)) + _t474 * 4);
								__eflags = _t488 - 0xffffffff;
								 *(_t496 + 0x14) = _t488;
								if(_t488 == 0xffffffff) {
									L67:
									_t403 =  *(_t496 - 0x20);
									asm("sbb eax, eax");
									_t311 = E0040D16C( *(_t496 - 0x2c), _t474,  !( ~( *(_t496 + 0x1b))) &  *((intOrPtr*)(_t496 + 0xc)) + _t403 * 0x00000004,  *(_t496 - 0x40));
									 *(_t496 + 0x14) = _t311;
									__eflags = _t311;
									 *(_t496 - 0x20) = _t403 +  *(_t496 - 0x40);
									if(_t311 == 0) {
										__eflags =  *( *(_t496 - 0x2c) + 0x24);
										if(__eflags == 0) {
											L123:
											_t486 =  *(_t496 - 0x30);
											 *((intOrPtr*)(_t486 + 0x28)) =  *((intOrPtr*)(_t486 + 0x28)) +  *((intOrPtr*)(_t496 - 0x3c));
											asm("adc [edi+0x2c], ecx");
											 *((intOrPtr*)(_t486 + 0x20)) =  *((intOrPtr*)(_t486 + 0x20)) +  *((intOrPtr*)(_t496 - 0x48));
											asm("adc [edi+0x24], eax");
											continue;
										}
										_push( *((intOrPtr*)(_t494 + 0x1c)));
										 *(_t496 + 0xb) =  *(_t496 + 0xb) & 0x00000000;
										_push( *((intOrPtr*)(_t494 + 0x18)));
										 *(_t496 - 4) = 8;
										_push( *((intOrPtr*)(_t494 + 0x10)));
										_t405 = 1;
										_push(_t405);
										_push(_t496 + 0xb);
										_push(0);
										_push( *(_t496 - 0x24));
										_push( *(_t496 - 0x18));
										_push(_t496 - 0x3c);
										_push(_t488);
										_push(_t494 + 0x30);
										_push( *((intOrPtr*)(_t494 + 0x144)));
										_push( *((intOrPtr*)(_t494 + 0x140)));
										_push( *((intOrPtr*)(_t494 + 0x28))); // executed
										_t317 = E0040BD85(_t496 - 0xa8, __eflags); // executed
										__eflags = _t317 - _t405;
										 *(_t496 + 0x14) = _t317;
										if(_t317 == _t405) {
											L92:
											_t428 =  *(_t496 - 0x2c);
											 *(_t496 - 0x28) = 2;
											__eflags =  *(_t428 + 0x24);
											 *((char*)(_t496 + 0x17)) =  *(_t428 + 0x24) == 0;
											__eflags = _t317 - _t405;
											if(_t317 != _t405) {
												__eflags = _t317 - 0x80004001;
												if(_t317 != 0x80004001) {
													__eflags =  *((char*)(_t496 + 0x17));
													if( *((char*)(_t496 + 0x17)) != 0) {
														__eflags =  *(_t496 + 0xb);
														if( *(_t496 + 0xb) != 0) {
															 *(_t496 - 0x28) = 6;
														}
													}
												} else {
													 *(_t496 - 0x28) = _t405;
												}
											}
											_t402 = E0040D47F( *(_t496 - 0x2c), _t496,  *(_t496 - 0x28));
											__eflags = _t402;
											if(_t402 == 0) {
												__eflags =  *((char*)(_t496 + 0x17));
												if( *((char*)(_t496 + 0x17)) == 0) {
													L122:
													 *(_t496 - 4) = 7;
													goto L123;
												}
												_t319 =  *(_t496 - 0x14);
												__eflags = _t319;
												if(_t319 == 0) {
													goto L122;
												}
												_t320 =  *((intOrPtr*)( *_t319 + 0x14))(_t319, 2, _t488,  *(_t496 - 0x28));
												L112:
												_t485 = _t320;
												__eflags = _t485;
												if(_t485 == 0) {
													goto L122;
												}
												_t321 =  *(_t496 - 0x18);
												 *(_t496 - 4) = 5;
												__eflags = _t321;
												if(_t321 != 0) {
													 *((intOrPtr*)( *_t321 + 8))(_t321);
												}
												_t322 =  *(_t496 - 0x14);
												 *(_t496 - 4) = 4;
												__eflags = _t322;
												if(_t322 != 0) {
													 *((intOrPtr*)( *_t322 + 8))(_t322);
												}
												 *(_t496 - 4) = 3;
												E0040DC5D(_t496 - 0xa8);
												_t324 =  *(_t496 - 0x24);
												 *(_t496 - 4) = 1;
												__eflags = _t324;
												if(_t324 != 0) {
													 *((intOrPtr*)( *_t324 + 8))(_t324);
												}
												_t325 =  *(_t496 - 0x1c);
												 *(_t496 - 4) =  *(_t496 - 4) & 0x00000000;
												__eflags = _t325;
												if(_t325 != 0) {
													 *((intOrPtr*)( *_t325 + 8))(_t325);
												}
												L121:
												_t326 = _t485;
											} else {
												_t331 =  *(_t496 - 0x18);
												 *(_t496 - 4) = 5;
												__eflags = _t331;
												if(_t331 != 0) {
													 *((intOrPtr*)( *_t331 + 8))(_t331);
												}
												_t332 =  *(_t496 - 0x14);
												 *(_t496 - 4) = 4;
												__eflags = _t332;
												if(_t332 != 0) {
													 *((intOrPtr*)( *_t332 + 8))(_t332);
												}
												 *(_t496 - 4) = 3;
												E0040DC5D(_t496 - 0xa8);
												_t334 =  *(_t496 - 0x24);
												 *(_t496 - 4) = 1;
												__eflags = _t334;
												if(_t334 != 0) {
													 *((intOrPtr*)( *_t334 + 8))(_t334);
												}
												_t335 =  *(_t496 - 0x1c);
												 *(_t496 - 4) =  *(_t496 - 4) & 0x00000000;
												__eflags = _t335;
												L106:
												if(__eflags != 0) {
													 *((intOrPtr*)( *_t335 + 8))(_t335);
												}
												_t326 = _t402;
											}
											goto L124;
										}
										__eflags = _t317 - 0x80004001;
										if(_t317 == 0x80004001) {
											goto L92;
										}
										__eflags =  *(_t496 + 0xb);
										if( *(_t496 + 0xb) != 0) {
											goto L92;
										}
										__eflags = _t317;
										if(_t317 == 0) {
											_t320 = E0040D47F( *(_t496 - 0x2c), _t496, 2);
											goto L112;
										}
										__eflags =  *(_t496 - 0x18);
										 *(_t496 - 4) = 5;
										if( *(_t496 - 0x18) != 0) {
											_t347 =  *(_t496 - 0x18);
											 *((intOrPtr*)( *_t347 + 8))(_t347);
										}
										_t340 =  *(_t496 - 0x14);
										 *(_t496 - 4) = 4;
										__eflags = _t340;
										if(_t340 != 0) {
											 *((intOrPtr*)( *_t340 + 8))(_t340);
										}
										 *(_t496 - 4) = 3;
										E0040DC5D(_t496 - 0xa8);
										_t342 =  *(_t496 - 0x24);
										 *(_t496 - 4) = 1;
										__eflags = _t342;
										if(_t342 != 0) {
											 *((intOrPtr*)( *_t342 + 8))(_t342);
										}
										_t343 =  *(_t496 - 0x1c);
										 *(_t496 - 4) =  *(_t496 - 4) & 0x00000000;
										__eflags = _t343;
										if(_t343 != 0) {
											 *((intOrPtr*)( *_t343 + 8))(_t343);
										}
										_t326 =  *(_t496 + 0x14);
										goto L124;
									}
									_t349 =  *(_t496 - 0x18);
									 *(_t496 - 4) = 5;
									__eflags = _t349;
									if(_t349 != 0) {
										 *((intOrPtr*)( *_t349 + 8))(_t349);
									}
									_t350 =  *(_t496 - 0x14);
									 *(_t496 - 4) = 4;
									__eflags = _t350;
									if(_t350 != 0) {
										 *((intOrPtr*)( *_t350 + 8))(_t350);
									}
									 *(_t496 - 4) = 3;
									E0040DC5D(_t496 - 0xa8);
									_t352 =  *(_t496 - 0x24);
									 *(_t496 - 4) = 1;
									__eflags = _t352;
									if(_t352 != 0) {
										 *((intOrPtr*)( *_t352 + 8))(_t352);
									}
									_t353 =  *(_t496 - 0x1c);
									 *(_t496 - 4) =  *(_t496 - 4) & 0x00000000;
									__eflags = _t353;
									if(_t353 != 0) {
										 *((intOrPtr*)( *_t353 + 8))(_t353);
									}
									_t326 =  *(_t496 + 0x14);
									goto L124;
								} else {
									_t453 =  *((intOrPtr*)(_t494 + 0x60));
									_t358 =  *((intOrPtr*)(_t494 + 0x38));
									_t407 =  *(_t453 + 4 + _t488 * 4);
									 *((intOrPtr*)(_t496 - 0x48)) =  *((intOrPtr*)(_t358 + _t407 * 8)) -  *((intOrPtr*)(_t358 +  *(_t453 + _t488 * 4) * 8));
									asm("sbb ecx, [eax+edi*8+0x4]");
									_t488 =  *(_t496 + 0x14);
									_t475 = _t474 + 1;
									__eflags = _t475;
									 *(_t496 - 0x28) = _t475;
									 *((intOrPtr*)(_t496 - 0x44)) =  *((intOrPtr*)(_t358 + 4 + _t407 * 8));
									_t474 =  *( *((intOrPtr*)(_t494 + 0x160)) + _t488 * 4);
									_t360 =  *(_t496 - 0x20);
									while(1) {
										_t360 = _t360 + 1;
										__eflags = _t360 -  *((intOrPtr*)(_t496 + 0x10));
										if(_t360 >=  *((intOrPtr*)(_t496 + 0x10))) {
											break;
										}
										__eflags =  *(_t496 + 0x1b);
										if( *(_t496 + 0x1b) == 0) {
											_t459 =  *( *((intOrPtr*)(_t496 + 0xc)) + _t360 * 4);
										} else {
											_t459 = _t360;
										}
										_t408 =  *((intOrPtr*)(_t494 + 0x164));
										__eflags =  *((intOrPtr*)(_t408 + _t459 * 4)) - _t488;
										if( *((intOrPtr*)(_t408 + _t459 * 4)) != _t488) {
											break;
										} else {
											__eflags = _t459 -  *(_t496 - 0x28);
											if(_t459 <  *(_t496 - 0x28)) {
												break;
											}
											 *(_t496 - 0x28) = _t459 + 1;
											continue;
										}
									}
									_t361 = _t360 -  *(_t496 - 0x20);
									__eflags = _t361;
									 *(_t496 + 0x14) = _t474;
									 *(_t496 - 0x40) = _t361;
									while(1) {
										__eflags =  *(_t496 + 0x14) -  *(_t496 - 0x28);
										if( *(_t496 + 0x14) >=  *(_t496 - 0x28)) {
											goto L67;
										}
										 *((intOrPtr*)(_t496 - 0x3c)) =  *((intOrPtr*)(_t496 - 0x3c)) +  *((intOrPtr*)(( *(_t496 + 0x14) << 4) +  *((intOrPtr*)(_t494 + 0x88))));
										asm("adc [ebp-0x38], eax");
										 *(_t496 + 0x14) =  *(_t496 + 0x14) + 1;
									}
									goto L67;
								}
							}
							_t368 =  *(_t496 - 0x18);
							 *(_t496 - 4) = 5;
							__eflags = _t368;
							if(_t368 != 0) {
								 *((intOrPtr*)( *_t368 + 8))(_t368);
							}
							_t369 =  *(_t496 - 0x14);
							 *(_t496 - 4) = 4;
							__eflags = _t369;
							if(_t369 != 0) {
								 *((intOrPtr*)( *_t369 + 8))(_t369);
							}
							 *(_t496 - 4) = 3;
							E0040DC5D(_t496 - 0xa8); // executed
							_t371 =  *(_t496 - 0x24);
							 *(_t496 - 4) = 1;
							__eflags = _t371;
							if(_t371 != 0) {
								 *((intOrPtr*)( *_t371 + 8))(_t371);
							}
							_t372 =  *(_t496 - 0x1c);
							 *(_t496 - 4) =  *(_t496 - 4) & 0x00000000;
							__eflags = _t372;
							if(_t372 != 0) {
								 *((intOrPtr*)( *_t372 + 8))(_t372);
							}
							goto L52;
						}
						_t377 =  *(_t496 - 0x18);
						 *(_t496 - 4) = 5;
						__eflags = _t377;
						if(_t377 != 0) {
							 *((intOrPtr*)( *_t377 + 8))(_t377);
						}
						_t378 =  *(_t496 - 0x14);
						 *(_t496 - 4) = 4;
						__eflags = _t378;
						if(_t378 != 0) {
							 *((intOrPtr*)( *_t378 + 8))(_t378);
						}
						 *(_t496 - 4) = 3;
						E0040DC5D(_t496 - 0xa8);
						_t380 =  *(_t496 - 0x24);
						 *(_t496 - 4) = 1;
						__eflags = _t380;
						if(_t380 != 0) {
							 *((intOrPtr*)( *_t380 + 8))(_t380);
						}
						_t335 =  *(_t496 - 0x1c);
						 *(_t496 - 4) =  *(_t496 - 4) & 0x00000000;
						__eflags = _t335;
						goto L106;
					}
					 *(_t496 - 4) =  *(_t496 - 4) & 0x00000000;
					__eflags = _t400;
					if(_t400 != 0) {
						 *((intOrPtr*)( *_t400 + 8))(_t400);
					}
					goto L121;
				} else {
					 *(_t496 - 4) =  *(_t496 - 4) & 0;
					if(_t483 != 0) {
						 *((intOrPtr*)( *_t483 + 8))(_t483);
					}
					L52:
					_t326 = 0;
					L124:
					 *[fs:0x0] =  *((intOrPtr*)(_t496 - 0xc));
					return _t326;
				}
			}

0x0040d4b9
0x0040d4c7
0x0040d4cc
0x0040d4d0
0x0040d4d3
0x0040d4d6
0x0040d4d9
0x0040d4de
0x0040d4de
0x0040d4e5
0x0040d4e8
0x0040d4eb
0x0040d4ee
0x0040d4f6
0x0040d4fa
0x0040d502
0x0040d502
0x0040d50a
0x0040d522
0x0040d522
0x0040d525
0x0040d528
0x0040d52b
0x0040d52e
0x00000000
0x00000000
0x0040d530
0x0040d534
0x0040d541
0x0040d536
0x0040d536
0x0040d536
0x0040d54a
0x0040d54d
0x0040d550
0x0040d58f
0x0040d58f
0x00000000
0x0040d552
0x0040d552
0x0040d554
0x0040d55a
0x0040d560
0x0040d563
0x0040d563
0x0040d566
0x0040d566
0x0040d569
0x00000000
0x00000000
0x0040d56e
0x0040d57c
0x0040d582
0x0040d585
0x0040d585
0x0040d58a
0x0040d58a
0x0040d58d
0x00000000
0x0040d58d
0x0040d556
0x0040d558
0x00000000
0x00000000
0x00000000
0x0040d558
0x0040d550
0x0040d5a0
0x0040d5a2
0x0040d5a4
0x0040d5bd
0x0040d5c5
0x0040d5c7
0x0040d5ca
0x0040d5cc
0x0040d5d0
0x0040d5db
0x0040d5db
0x0040d5d2
0x0040d5d7
0x0040d5d7
0x0040d5dd
0x0040d5df
0x0040d5e2
0x0040d5e6
0x0040d5e9
0x0040d5ee
0x0040d5ee
0x0040d5f6
0x0040d5fa
0x0040d607
0x0040d60c
0x0040d61c
0x0040d620
0x0040d622
0x0040d62a
0x0040d62c
0x0040d62f
0x0040d631
0x0040d635
0x0040d640
0x0040d640
0x0040d637
0x0040d63c
0x0040d63c
0x0040d642
0x0040d644
0x0040d648
0x0040d64b
0x0040d64e
0x0040d653
0x0040d653
0x0040d65c
0x0040d65c
0x0040d65f
0x0040d663
0x0040d666
0x0040d66d
0x0040d670
0x0040d673
0x0040d676
0x0040d679
0x0040d67f
0x0040d67f
0x0040d682
0x0040d685
0x0040d68c
0x0040d690
0x0040d692
0x00000000
0x00000000
0x0040d6e4
0x0040d6e7
0x0040d6ea
0x0040d746
0x0040d74a
0x0040d74d
0x0040d750
0x0040d753
0x0040d756
0x0040d75b
0x0040d75b
0x0040d764
0x0040d76b
0x0040d76e
0x0040d771
0x0040d774
0x0040d807
0x0040d80d
0x0040d815
0x0040d823
0x0040d82b
0x0040d82e
0x0040d830
0x0040d833
0x0040d893
0x0040d897
0x0040da83
0x0040da83
0x0040da8c
0x0040da92
0x0040da95
0x0040da9b
0x00000000
0x0040da9b
0x0040d89d
0x0040d8a6
0x0040d8aa
0x0040d8ad
0x0040d8b1
0x0040d8b6
0x0040d8b7
0x0040d8b8
0x0040d8b9
0x0040d8be
0x0040d8c1
0x0040d8c4
0x0040d8c8
0x0040d8c9
0x0040d8ca
0x0040d8d6
0x0040d8dc
0x0040d8dd
0x0040d8e2
0x0040d8e4
0x0040d8e7
0x0040d966
0x0040d966
0x0040d969
0x0040d970
0x0040d974
0x0040d978
0x0040d97a
0x0040d97c
0x0040d981
0x0040d988
0x0040d98c
0x0040d98e
0x0040d992
0x0040d994
0x0040d994
0x0040d992
0x0040d983
0x0040d983
0x0040d983
0x0040d981
0x0040d9a6
0x0040d9a8
0x0040d9aa
0x0040da06
0x0040da0a
0x0040da7f
0x0040da7f
0x00000000
0x0040da7f
0x0040da0c
0x0040da0f
0x0040da11
0x00000000
0x00000000
0x0040da1c
0x0040da1f
0x0040da1f
0x0040da21
0x0040da23
0x00000000
0x00000000
0x0040da25
0x0040da28
0x0040da2c
0x0040da2e
0x0040da33
0x0040da33
0x0040da36
0x0040da39
0x0040da3d
0x0040da3f
0x0040da44
0x0040da44
0x0040da4d
0x0040da51
0x0040da56
0x0040da59
0x0040da5d
0x0040da5f
0x0040da64
0x0040da64
0x0040da67
0x0040da6a
0x0040da6e
0x0040da70
0x0040da75
0x0040da75
0x0040da78
0x0040da78
0x0040d9ac
0x0040d9ac
0x0040d9af
0x0040d9b3
0x0040d9b5
0x0040d9ba
0x0040d9ba
0x0040d9bd
0x0040d9c0
0x0040d9c4
0x0040d9c6
0x0040d9cb
0x0040d9cb
0x0040d9d4
0x0040d9d8
0x0040d9dd
0x0040d9e0
0x0040d9e4
0x0040d9e6
0x0040d9eb
0x0040d9eb
0x0040d9ee
0x0040d9f1
0x0040d9f5
0x0040d9f7
0x0040d9f7
0x0040d9fc
0x0040d9fc
0x0040d9ff
0x0040d9ff
0x00000000
0x0040d9aa
0x0040d8e9
0x0040d8ee
0x00000000
0x00000000
0x0040d8f0
0x0040d8f4
0x00000000
0x00000000
0x0040d8f6
0x0040d8f8
0x0040d95c
0x00000000
0x0040d95c
0x0040d8fa
0x0040d8fe
0x0040d902
0x0040d904
0x0040d90a
0x0040d90a
0x0040d90d
0x0040d910
0x0040d914
0x0040d916
0x0040d91b
0x0040d91b
0x0040d924
0x0040d928
0x0040d92d
0x0040d930
0x0040d934
0x0040d936
0x0040d93b
0x0040d93b
0x0040d93e
0x0040d941
0x0040d945
0x0040d947
0x0040d94c
0x0040d94c
0x0040d94f
0x00000000
0x0040d94f
0x0040d835
0x0040d838
0x0040d83c
0x0040d83e
0x0040d843
0x0040d843
0x0040d846
0x0040d849
0x0040d84d
0x0040d84f
0x0040d854
0x0040d854
0x0040d85d
0x0040d861
0x0040d866
0x0040d869
0x0040d86d
0x0040d86f
0x0040d874
0x0040d874
0x0040d877
0x0040d87a
0x0040d87e
0x0040d880
0x0040d885
0x0040d885
0x0040d888
0x00000000
0x0040d77a
0x0040d77a
0x0040d77d
0x0040d780
0x0040d78d
0x0040d794
0x0040d79e
0x0040d7a1
0x0040d7a1
0x0040d7a2
0x0040d7a5
0x0040d7a8
0x0040d7ab
0x0040d7ae
0x0040d7ae
0x0040d7af
0x0040d7b2
0x00000000
0x00000000
0x0040d7b4
0x0040d7b8
0x0040d7c1
0x0040d7ba
0x0040d7ba
0x0040d7ba
0x0040d7c4
0x0040d7ca
0x0040d7cd
0x00000000
0x0040d7cf
0x0040d7cf
0x0040d7d2
0x00000000
0x00000000
0x0040d7d5
0x00000000
0x0040d7d5
0x0040d7cd
0x0040d7da
0x0040d7da
0x0040d7dd
0x0040d7e0
0x0040d7e3
0x0040d7e6
0x0040d7e9
0x00000000
0x00000000
0x0040d7fc
0x0040d7ff
0x0040d802
0x0040d802
0x00000000
0x0040d7e3
0x0040d774
0x0040d6ec
0x0040d6ef
0x0040d6f3
0x0040d6f5
0x0040d6fa
0x0040d6fa
0x0040d6fd
0x0040d700
0x0040d704
0x0040d706
0x0040d70b
0x0040d70b
0x0040d714
0x0040d718
0x0040d71d
0x0040d720
0x0040d724
0x0040d726
0x0040d72b
0x0040d72b
0x0040d72e
0x0040d731
0x0040d735
0x0040d737
0x0040d73c
0x0040d73c
0x00000000
0x0040d737
0x0040d694
0x0040d697
0x0040d69b
0x0040d69d
0x0040d6a2
0x0040d6a2
0x0040d6a5
0x0040d6a8
0x0040d6ac
0x0040d6ae
0x0040d6b3
0x0040d6b3
0x0040d6bc
0x0040d6c0
0x0040d6c5
0x0040d6c8
0x0040d6cc
0x0040d6ce
0x0040d6d3
0x0040d6d3
0x0040d6d6
0x0040d6d9
0x0040d6dd
0x00000000
0x0040d6dd
0x0040d5a6
0x0040d5aa
0x0040d5ac
0x0040d5b5
0x0040d5b5
0x00000000
0x0040d50c
0x0040d50c
0x0040d511
0x0040d51a
0x0040d51a
0x0040d73f
0x0040d73f
0x0040db7d
0x0040db82
0x0040db8b
0x0040db8b

APIs

__EH_prolog.LIBCMT ref: 0040D4B9

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 715101c0f51baa4ed254e5e66865ecf1f7658e5da35ee5518a4d48abc4aa7e73
Instruction ID: f668b284c9a992d87cd6d5ed2065a62fb7c1b42155693d61c0c1031baec4afb4
Opcode Fuzzy Hash: 715101c0f51baa4ed254e5e66865ecf1f7658e5da35ee5518a4d48abc4aa7e73
Instruction Fuzzy Hash: 9F327F70E04249DFDF11CFE8C984BAEBBB5AF49304F1440AAE845A7391C779AE49CB15

Uniqueness

Uniqueness Score: -1.00%

Function 0040A90A Relevance: 2.0, APIs: 1, Instructions: 486
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040A90A(signed int __ecx, void* __eflags) {
				void* _t241;
				void* _t244;
				signed int _t245;
				signed int _t246;
				signed int* _t247;
				signed int _t248;
				signed int* _t252;
				signed int* _t255;
				signed int _t256;
				signed int _t257;
				signed int _t259;
				signed int _t260;
				void* _t262;
				signed int* _t263;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				signed int _t276;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				intOrPtr* _t284;
				void* _t288;
				void*** _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t335;
				signed int _t341;
				intOrPtr* _t356;
				signed int _t360;
				signed int _t362;
				signed int _t365;
				signed int _t381;
				void** _t418;
				signed int _t420;
				signed int _t421;
				signed int _t424;
				signed int _t426;
				void*** _t434;
				signed int _t441;
				signed int** _t459;
				signed int _t460;
				signed int _t461;
				intOrPtr _t465;
				void* _t469;
				void* _t471;
				void* _t472;
				void* _t474;

				E00418D80(E00419E9D, _t469);
				_t472 = _t471 - 0x290;
				 *(_t469 - 0x1c) = __ecx;
				E0040A8E3(__ecx, __eflags);
				_t356 =  *((intOrPtr*)(_t469 + 8));
				if(( *(_t356 + 0x28))[1] < 0x20) {
					while(1) {
						 *(_t469 - 0x20) =  *(_t469 - 0x20) & 0x00000000;
						_t241 = E004028F5(_t469 - 0x29c);
						_t360 = 8;
						_t244 = memcpy(_t356 + 8, _t241, _t360 << 2);
						_t472 = _t472 + 0xc;
						__eflags =  *_t244 - 1;
						if( *_t244 < 1) {
							goto L7;
						}
						L3:
						E004028F5(_t469 - 0xbc);
						_t434 =  *(_t356 + 0x28);
						_t465 =  *((intOrPtr*)( *(_t469 - 0x1c) + 4));
						_t418 = _t434[1];
						__eflags = _t465 - _t418;
						if(_t465 >= _t418) {
							_t420 = 8;
							memcpy(_t469 - 0xbc,  *( *_t434), _t420 << 2);
							_t474 = _t472 + 0xc;
							_t362 = 0;
							__eflags =  *((char*)(_t469 - 0xac));
							if( *((char*)(_t469 - 0xac)) == 0) {
								goto L63;
							}
							goto L6;
						} else {
							_t424 = 8;
							memcpy(_t469 - 0xbc,  *( *_t434 + (_t418 - _t465) * 4 - 4), _t424 << 2);
							_t474 = _t472 + 0xc;
							L6:
							_t421 = 8;
							_t244 = memcpy(_t356 + 8, _t469 - 0xbc, _t421 << 2);
							_t472 = _t474 + 0xc;
							L8:
							_t426 =  *(_t469 - 0x1c);
							_t441 = 0;
							_t365 =  *(_t426 + 4);
							__eflags = _t365;
							if(_t365 != 0) {
								__eflags =  *_t244 - _t365;
								_t459 =  *( *_t426 + _t365 * 4 - 4);
								 *(_t469 - 0x4c) = _t459;
								if( *_t244 > _t365) {
									 *(_t469 - 0x20) = 0x80004001;
								}
								 *(_t469 - 0x44) = _t441;
								 *(_t469 - 0x42) = _t441;
								 *(_t469 - 0x3c) = _t441;
								_t247 =  *_t459;
								 *(_t469 - 4) = 1;
								_t248 =  *((intOrPtr*)( *_t247 + 0x20))(_t247, 1, _t469 - 0x44);
								__eflags = _t248 - _t441;
								if(_t248 != _t441) {
									L42:
									_t460 = _t248;
									E00405DEF(_t469 - 0x44);
									L72:
									_t246 = _t460;
									goto L65;
								}
								__eflags =  *(_t469 - 0x44) - 0x13;
								if( *(_t469 - 0x44) != 0x13) {
									_t362 = _t469 - 0x44;
									L84:
									E00405DEF(_t362);
									L64:
									_t245 =  *(_t469 - 0x1c);
									__eflags =  *((intOrPtr*)(_t245 + 4)) - _t441;
									_t205 =  *((intOrPtr*)(_t245 + 4)) != _t441;
									__eflags = _t205;
									 *((char*)(_t245 + 0x20)) = _t362 & 0xffffff00 | _t205;
									_t246 =  *(_t469 - 0x20);
									goto L65;
								}
								 *(_t469 - 0x24) =  *(_t469 - 0x3c);
								_t252 =  *_t459;
								_t248 =  *((intOrPtr*)( *_t252 + 0x14))(_t252, _t469 - 0x48);
								__eflags = _t248 - _t441;
								if(_t248 != _t441) {
									goto L42;
								}
								_t362 = _t469 - 0x44;
								__eflags =  *(_t469 - 0x24) -  *((intOrPtr*)(_t469 - 0x48));
								if( *(_t469 - 0x24) >=  *((intOrPtr*)(_t469 - 0x48))) {
									goto L84;
								}
								E00405DEF(_t362);
								 *(_t469 - 0x10) = _t441;
								_t255 =  *_t459;
								_t362 =  *_t255;
								 *(_t469 - 4) = 2;
								_t256 =  *_t362(_t255, 0x41b210, _t469 - 0x10);
								__eflags = _t256;
								_t257 =  *(_t469 - 0x10);
								if(_t256 != 0) {
									L82:
									 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
									L79:
									__eflags = _t257 - _t441;
									if(_t257 != _t441) {
										_t362 =  *_t257;
										 *((intOrPtr*)(_t362 + 8))(_t257);
									}
									goto L64;
								}
								__eflags = _t257 - _t441;
								if(_t257 == _t441) {
									goto L82;
								}
								 *(_t469 - 0x14) = _t441;
								_t362 =  *_t257;
								 *(_t469 - 4) = 3;
								_t259 =  *((intOrPtr*)(_t362 + 0xc))(_t257,  *(_t469 - 0x24), _t469 - 0x14);
								__eflags = _t259;
								_t260 =  *(_t469 - 0x14);
								if(_t259 != 0) {
									L81:
									 *(_t469 - 4) = 2;
									L76:
									__eflags = _t260 - _t441;
									if(_t260 != _t441) {
										_t362 =  *_t260;
										 *((intOrPtr*)(_t362 + 8))(_t260);
									}
									_t228 = _t469 - 4;
									 *_t228 =  *(_t469 - 4) | 0xffffffff;
									__eflags =  *_t228;
									_t257 =  *(_t469 - 0x10);
									goto L79;
								}
								__eflags = _t260 - _t441;
								if(_t260 == _t441) {
									goto L81;
								}
								 *(_t469 - 0x18) = _t441;
								_t362 =  *_t260;
								 *(_t469 - 4) = 4;
								_t262 =  *_t362(_t260, 0x41b390, _t469 - 0x18);
								__eflags = _t262 - _t441;
								_t263 =  *(_t469 - 0x18);
								if(_t262 != _t441) {
									L73:
									__eflags = _t263 - _t441;
									 *(_t469 - 4) = 3;
									if(_t263 != _t441) {
										_t362 =  *_t263;
										 *((intOrPtr*)(_t362 + 8))(_t263);
									}
									_t260 =  *(_t469 - 0x14);
									 *(_t469 - 4) = 2;
									goto L76;
								}
								__eflags = _t263 - _t441;
								if(_t263 == _t441) {
									goto L73;
								}
								E0040AF06(_t469 - 0x19c);
								 *(_t469 - 4) = 5;
								_t267 = E00409683(_t459,  *(_t469 - 0x24), _t469 - 0x12c);
								__eflags = _t267 - _t441;
								 *(_t469 - 0x20) = _t267;
								if(_t267 != _t441) {
									 *(_t469 - 4) = 4;
									E00402F6E(_t469 - 0x19c);
									_t269 =  *(_t469 - 0x18);
									 *(_t469 - 4) = 3;
									__eflags = _t269 - _t441;
									if(_t269 != _t441) {
										 *((intOrPtr*)( *_t269 + 8))(_t269);
									}
									_t270 =  *(_t469 - 0x14);
									 *(_t469 - 4) = 2;
									__eflags = _t270 - _t441;
									if(_t270 != _t441) {
										 *((intOrPtr*)( *_t270 + 8))(_t270);
									}
									_t271 =  *(_t469 - 0x10);
									 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
									__eflags = _t271 - _t441;
									if(_t271 != _t441) {
										 *((intOrPtr*)( *_t271 + 8))(_t271);
									}
									_t246 =  *(_t469 - 0x20);
									goto L65;
								}
								_t461 =  *(_t469 - 0x24);
								_t276 = E00409616( *_t459, _t461, 0x56, _t469 + 0xb);
								__eflags = _t276 - _t441;
								 *(_t469 - 0x20) = _t276;
								if(_t276 != _t441) {
									 *(_t469 - 4) = 4;
									E00402F6E(_t469 - 0x19c);
									_t278 =  *(_t469 - 0x18);
									 *(_t469 - 4) = 3;
									__eflags = _t278 - _t441;
									if(_t278 != _t441) {
										 *((intOrPtr*)( *_t278 + 8))(_t278);
									}
									_t279 =  *(_t469 - 0x14);
									 *(_t469 - 4) = 2;
									__eflags = _t279 - _t441;
									if(_t279 != _t441) {
										 *((intOrPtr*)( *_t279 + 8))(_t279);
									}
									_t280 =  *(_t469 - 0x10);
									 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
									__eflags = _t280 - _t441;
									if(_t280 != _t441) {
										 *((intOrPtr*)( *_t280 + 8))(_t280);
									}
									_t246 =  *(_t469 - 0x20);
									goto L65;
								}
								_t284 =  *((intOrPtr*)(_t356 + 0x38));
								__eflags = _t284 - _t441;
								if(_t284 != _t441) {
									 *(_t469 - 0x28) = _t441;
									 *(_t469 - 4) = 6;
									 *((intOrPtr*)( *_t284))(_t284, 0x41b200, _t469 - 0x28);
									_t335 =  *(_t469 - 0x28);
									__eflags = _t335 - _t441;
									if(_t335 != _t441) {
										 *((intOrPtr*)( *_t335 + 0xc))(_t335,  *((intOrPtr*)(_t469 - 0x12c)));
										_t335 =  *(_t469 - 0x28);
									}
									__eflags = _t335 - _t441;
									 *(_t469 - 4) = 5;
									if(_t335 != _t441) {
										 *((intOrPtr*)( *_t335 + 8))(_t335);
									}
								}
								 *(_t469 - 0x104) = _t461;
								 *(_t469 - 0x34) = _t441;
								 *(_t469 - 0x30) = _t441;
								 *(_t469 - 0x2c) = _t441;
								 *(_t469 - 4) = 7;
								E004028C3(_t469 - 0x9c);
								 *((intOrPtr*)(_t469 - 0x9c)) =  *_t356;
								_t381 = 8;
								 *(_t469 - 4) = 8;
								_t288 = memcpy(_t469 - 0x94, _t356 + 8, _t381 << 2);
								_t472 = _t472 + 0xc;
								 *(_t469 - 0x80) = _t288;
								 *(_t469 - 0x5c) =  *(_t469 - 0x5c) & 0x00000000;
								 *((intOrPtr*)(_t469 - 0x70)) = _t469 - 0x34;
								 *(_t469 - 0x6c) =  *(_t469 - 0x18);
								E004037D2(_t469 - 0x58, _t469 - 0x12c);
								 *((intOrPtr*)(_t469 - 0x64)) =  *((intOrPtr*)(_t356 + 0x38));
								 *((intOrPtr*)(_t469 - 0x60)) =  *((intOrPtr*)(_t356 + 0x3c));
								_push(_t469 - 0x9c);
								_t460 = E0040A2C8(_t469 - 0x19c);
								_t297 =  *(_t356 + 0x28);
								_t298 = _t297[1];
								_t297[1] = _t460 - 1;
								 *(_t469 - 0x20) = 0 | _t297[1] != 0x00000000;
								if(_t460 == 1) {
									E0040A26D( *(_t469 - 0x1c) + 0x30, _t469 - 0x18c);
									E00403204(E00403204(E004037D2( *(_t469 - 0x1c) + 0x24, _t469 - 0x12c),  *((intOrPtr*)(_t469 - 0x58))),  *(_t469 - 0x34));
									 *(_t469 - 4) = 4;
									_t362 = _t469 - 0x19c;
									E00402F6E(_t362);
									_t306 =  *(_t469 - 0x18);
									 *(_t469 - 4) = 3;
									__eflags = _t306;
									if(_t306 != 0) {
										_t362 =  *_t306;
										 *((intOrPtr*)(_t362 + 8))(_t306);
									}
									_t307 =  *(_t469 - 0x14);
									 *(_t469 - 4) = 2;
									__eflags = _t307;
									if(_t307 != 0) {
										_t362 =  *_t307;
										 *((intOrPtr*)(_t362 + 8))(_t307);
									}
									_t308 =  *(_t469 - 0x10);
									 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
									__eflags = _t308;
									if(_t308 != 0) {
										_t362 =  *_t308;
										 *((intOrPtr*)(_t362 + 8))(_t308);
									}
									L63:
									_t441 = 0;
									__eflags = 0;
									goto L64;
								} else {
									__eflags = _t460;
									if(_t460 != 0) {
										L66:
										E00403204(E00403204(_t298,  *((intOrPtr*)(_t469 - 0x58))),  *(_t469 - 0x34));
										 *(_t469 - 4) = 4;
										E00402F6E(_t469 - 0x19c);
										_t315 =  *(_t469 - 0x18);
										 *(_t469 - 4) = 3;
										__eflags = _t315;
										if(_t315 != 0) {
											 *((intOrPtr*)( *_t315 + 8))(_t315);
										}
										_t316 =  *(_t469 - 0x14);
										 *(_t469 - 4) = 2;
										__eflags = _t316;
										if(_t316 != 0) {
											 *((intOrPtr*)( *_t316 + 8))(_t316);
										}
										_t317 =  *(_t469 - 0x10);
										 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
										__eflags = _t317;
										if(_t317 != 0) {
											 *((intOrPtr*)( *_t317 + 8))(_t317);
										}
										goto L72;
									}
									_t460 = E00409863( *(_t469 - 0x4c),  *(_t469 - 0x24), _t469 - 0x100, _t469 - 0xf8);
									__eflags = _t460;
									if(_t460 != 0) {
										goto L66;
									}
									_push(_t469 - 0x19c);
									E00403204(E00403204(E0040B397( *(_t469 - 0x1c)),  *((intOrPtr*)(_t469 - 0x58))),  *(_t469 - 0x34));
									 *(_t469 - 4) = 4;
									E00402F6E(_t469 - 0x19c);
									_t328 =  *(_t469 - 0x18);
									 *(_t469 - 4) = 3;
									__eflags = _t328;
									if(_t328 != 0) {
										 *((intOrPtr*)( *_t328 + 8))(_t328);
									}
									_t329 =  *(_t469 - 0x14);
									 *(_t469 - 4) = 2;
									__eflags = _t329;
									if(_t329 != 0) {
										 *((intOrPtr*)( *_t329 + 8))(_t329);
									}
									_t330 =  *(_t469 - 0x10);
									 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
									__eflags = _t330;
									if(_t330 != 0) {
										 *((intOrPtr*)( *_t330 + 8))(_t330);
									}
									continue;
								}
							}
							E0040AF06(_t469 - 0x27c);
							 *(_t469 - 4) = 0;
							E004037D2(_t469 - 0x200, _t356 + 0x44);
							E004037D2(_t469 - 0x20c, _t356 + 0x44);
							 *(_t469 - 0x1e4) =  *(_t469 - 0x1e4) | 0xffffffff;
							_t341 = E0040A53F(_t469 - 0x27c, _t356); // executed
							_t460 = _t341;
							__eflags = _t460;
							if(_t460 != 0) {
								__eflags = _t460 - 1;
								if(_t460 == 1) {
									E0040A26D( *(_t469 - 0x1c) + 0x30, _t469 - 0x23c);
									E004037D2( *(_t469 - 0x1c) + 0x24, _t469 - 0x20c);
								}
								 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
								E00402F6E(_t469 - 0x27c);
								goto L72;
							} else {
								_push(_t469 - 0x27c);
								E0040B397( *(_t469 - 0x1c));
								 *(_t469 - 4) =  *(_t469 - 4) | 0xffffffff;
								E00402F6E(_t469 - 0x27c);
								 *(_t469 - 0x20) =  *(_t469 - 0x20) & 0x00000000;
								_t241 = E004028F5(_t469 - 0x29c);
								_t360 = 8;
								_t244 = memcpy(_t356 + 8, _t241, _t360 << 2);
								_t472 = _t472 + 0xc;
								__eflags =  *_t244 - 1;
								if( *_t244 < 1) {
									goto L7;
								}
								goto L3;
							}
						}
						L7:
						_t362 =  *(_t469 - 0x1c);
						__eflags =  *((intOrPtr*)(_t362 + 4)) - 0x20;
						if( *((intOrPtr*)(_t362 + 4)) >= 0x20) {
							goto L63;
						}
						goto L8;
					}
				} else {
					_t246 = 0x80004001;
					L65:
					 *[fs:0x0] =  *((intOrPtr*)(_t469 - 0xc));
					return _t246;
				}
			}

0x0040a90f
0x0040a914
0x0040a91d
0x0040a920
0x0040a925
0x0040a931
0x0040a93d
0x0040a93d
0x0040a94a
0x0040a959
0x0040a95a
0x0040a95a
0x0040a95c
0x0040a95f
0x00000000
0x00000000
0x0040a961
0x0040a967
0x0040a96f
0x0040a972
0x0040a975
0x0040a97b
0x0040a97d
0x0040a9a0
0x0040a9a1
0x0040a9a1
0x0040a9a1
0x0040a9a3
0x0040a9aa
0x00000000
0x00000000
0x00000000
0x0040a97f
0x0040a98f
0x0040a990
0x0040a990
0x0040a9b0
0x0040a9b8
0x0040a9bc
0x0040a9bc
0x0040a9cd
0x0040a9cd
0x0040a9d0
0x0040a9d2
0x0040a9d5
0x0040a9d7
0x0040aa44
0x0040aa46
0x0040aa4a
0x0040aa4d
0x0040aa4f
0x0040aa4f
0x0040aa56
0x0040aa5a
0x0040aa5e
0x0040aa61
0x0040aa6c
0x0040aa73
0x0040aa76
0x0040aa78
0x0040ad22
0x0040ad25
0x0040ad27
0x0040aeb0
0x0040aeb0
0x00000000
0x0040aeb0
0x0040aa7e
0x0040aa83
0x0040aef9
0x0040aefc
0x0040aefc
0x0040ae3c
0x0040ae3c
0x0040ae3f
0x0040ae42
0x0040ae42
0x0040ae45
0x0040ae48
0x00000000
0x0040ae48
0x0040aa8f
0x0040aa92
0x0040aa98
0x0040aa9b
0x0040aa9d
0x00000000
0x00000000
0x0040aaa6
0x0040aaa9
0x0040aaac
0x00000000
0x00000000
0x0040aab2
0x0040aab7
0x0040aaba
0x0040aac5
0x0040aac8
0x0040aacf
0x0040aad1
0x0040aad3
0x0040aad6
0x0040aef3
0x0040aef3
0x0040aeda
0x0040aeda
0x0040aedc
0x0040aee2
0x0040aee5
0x0040aee5
0x00000000
0x0040aedc
0x0040aadc
0x0040aade
0x00000000
0x00000000
0x0040aae4
0x0040aae7
0x0040aaed
0x0040aaf5
0x0040aaf8
0x0040aafa
0x0040aafd
0x0040aeed
0x0040aeed
0x0040aec9
0x0040aec9
0x0040aecb
0x0040aecd
0x0040aed0
0x0040aed0
0x0040aed3
0x0040aed3
0x0040aed3
0x0040aed7
0x00000000
0x0040aed7
0x0040ab03
0x0040ab05
0x00000000
0x00000000
0x0040ab0b
0x0040ab0e
0x0040ab1a
0x0040ab1e
0x0040ab20
0x0040ab22
0x0040ab25
0x0040aeb4
0x0040aeb4
0x0040aeb6
0x0040aeba
0x0040aebc
0x0040aebf
0x0040aebf
0x0040aec2
0x0040aec5
0x00000000
0x0040aec5
0x0040ab2b
0x0040ab2d
0x00000000
0x00000000
0x0040ab39
0x0040ab47
0x0040ab4e
0x0040ab53
0x0040ab55
0x0040ab58
0x0040ad37
0x0040ad3b
0x0040ad40
0x0040ad43
0x0040ad47
0x0040ad49
0x0040ad4e
0x0040ad4e
0x0040ad51
0x0040ad54
0x0040ad58
0x0040ad5a
0x0040ad5f
0x0040ad5f
0x0040ad62
0x0040ad65
0x0040ad69
0x0040ad6b
0x0040ad70
0x0040ad70
0x0040ad73
0x00000000
0x0040ad73
0x0040ab60
0x0040ab6b
0x0040ab70
0x0040ab72
0x0040ab75
0x0040ad81
0x0040ad85
0x0040ad8a
0x0040ad8d
0x0040ad91
0x0040ad93
0x0040ad98
0x0040ad98
0x0040ad9b
0x0040ad9e
0x0040ada2
0x0040ada4
0x0040ada9
0x0040ada9
0x0040adac
0x0040adaf
0x0040adb3
0x0040adb5
0x0040adba
0x0040adba
0x0040adbd
0x00000000
0x0040adbd
0x0040ab7b
0x0040ab7e
0x0040ab80
0x0040ab82
0x0040ab91
0x0040ab95
0x0040ab97
0x0040ab9a
0x0040ab9c
0x0040aba7
0x0040abaa
0x0040abaa
0x0040abad
0x0040abaf
0x0040abb3
0x0040abb8
0x0040abb8
0x0040abb3
0x0040abbb
0x0040abc1
0x0040abc4
0x0040abc7
0x0040abd0
0x0040abd4
0x0040abdd
0x0040abe6
0x0040abf0
0x0040abf4
0x0040abf4
0x0040abf6
0x0040abfc
0x0040ac00
0x0040ac09
0x0040ac13
0x0040ac21
0x0040ac27
0x0040ac30
0x0040ac36
0x0040ac38
0x0040ac3d
0x0040ac45
0x0040ac48
0x0040ac4b
0x0040add2
0x0040adf1
0x0040adf7
0x0040adfc
0x0040ae02
0x0040ae07
0x0040ae0a
0x0040ae0e
0x0040ae10
0x0040ae12
0x0040ae15
0x0040ae15
0x0040ae18
0x0040ae1b
0x0040ae1f
0x0040ae21
0x0040ae23
0x0040ae26
0x0040ae26
0x0040ae29
0x0040ae2c
0x0040ae30
0x0040ae32
0x0040ae34
0x0040ae37
0x0040ae37
0x0040ae3a
0x0040ae3a
0x0040ae3a
0x00000000
0x0040ac51
0x0040ac51
0x0040ac53
0x0040ae5c
0x0040ae67
0x0040ae6d
0x0040ae78
0x0040ae7d
0x0040ae80
0x0040ae84
0x0040ae86
0x0040ae8b
0x0040ae8b
0x0040ae8e
0x0040ae91
0x0040ae95
0x0040ae97
0x0040ae9c
0x0040ae9c
0x0040ae9f
0x0040aea2
0x0040aea6
0x0040aea8
0x0040aead
0x0040aead
0x00000000
0x0040aea8
0x0040ac72
0x0040ac74
0x0040ac76
0x00000000
0x00000000
0x0040ac85
0x0040ac96
0x0040ac9c
0x0040aca7
0x0040acac
0x0040acaf
0x0040acb3
0x0040acb5
0x0040acba
0x0040acba
0x0040acbd
0x0040acc0
0x0040acc4
0x0040acc6
0x0040accb
0x0040accb
0x0040acce
0x0040acd1
0x0040acd5
0x0040acd7
0x0040ace0
0x0040ace0
0x00000000
0x0040acd7
0x0040ac4b
0x0040a9df
0x0040a9ee
0x0040a9f1
0x0040a9fd
0x0040aa02
0x0040aa10
0x0040aa15
0x0040aa17
0x0040aa19
0x0040ace8
0x0040aceb
0x0040acfa
0x0040ad09
0x0040ad09
0x0040ad0e
0x0040ad18
0x00000000
0x0040aa1f
0x0040aa28
0x0040aa29
0x0040aa2e
0x0040aa38
0x0040a93d
0x0040a94a
0x0040a959
0x0040a95a
0x0040a95a
0x0040a95c
0x0040a95f
0x00000000
0x00000000
0x00000000
0x0040a95f
0x0040aa19
0x0040a9c0
0x0040a9c0
0x0040a9c3
0x0040a9c7
0x00000000
0x00000000
0x00000000
0x0040a9c7
0x0040a933
0x0040a933
0x0040ae4b
0x0040ae51
0x0040ae59
0x0040ae59

APIs

__EH_prolog.LIBCMT ref: 0040A90F

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 03cf4591cf909b2d04c6413f81e879f8fbbf87ed20dd82c53fd02e17f46b7009
Instruction ID: 25566729ef2c52a6845be5edffbec3a608f7ce3cf95c208b8dc0a298da87cac0
Opcode Fuzzy Hash: 03cf4591cf909b2d04c6413f81e879f8fbbf87ed20dd82c53fd02e17f46b7009
Instruction Fuzzy Hash: 24128E71900209DFCF10DFA4C888ADEBBB5AF48314F2485AAE459BB2D1D738AE45CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00401F26 Relevance: 1.8, APIs: 1, Instructions: 347
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00401F26() {
				void* __ebx;
				signed int _t153;
				intOrPtr* _t155;
				signed int _t156;
				signed int _t163;
				intOrPtr* _t164;
				signed int _t165;
				signed int _t166;
				intOrPtr* _t167;
				intOrPtr* _t171;
				signed int _t172;
				intOrPtr* _t174;
				signed int _t175;
				signed int _t177;
				signed int _t185;
				signed int _t192;
				signed int _t193;
				signed int _t194;
				void* _t197;
				signed int _t207;
				void* _t209;
				signed int _t230;
				WCHAR* _t270;
				signed int _t289;
				signed int* _t291;
				signed int _t292;
				signed int _t294;
				intOrPtr* _t296;
				signed int _t297;
				void* _t298;

				E00418D80(E00419577, _t298);
				_t294 =  *(_t298 + 8);
				if(E004023F0(_t294 + 0xa8) == 0) {
					_t153 =  *(_t294 + 0x4c);
					__eflags = _t153;
					if(_t153 != 0) {
						 *((intOrPtr*)( *_t153 + 8))(_t153);
						 *(_t294 + 0x4c) = 0;
					}
					E0040368D(_t298 - 0x28);
					 *((intOrPtr*)(_t298 - 4)) = 0;
					 *(_t298 - 0x1c) = 0;
					 *((short*)(_t298 - 0x1a)) = 0;
					 *(_t298 - 0x14) = 0;
					_t155 =  *((intOrPtr*)(_t294 + 0xc));
					_t289 =  *(_t298 + 0xc);
					 *((char*)(_t298 - 4)) = 1;
					_t156 =  *((intOrPtr*)( *_t155 + 0x18))(_t155, _t289, 3, _t298 - 0x1c);
					__eflags = _t156;
					if(_t156 == 0) {
						__eflags =  *(_t298 - 0x1c);
						if( *(_t298 - 0x1c) != 0) {
							__eflags =  *(_t298 - 0x1c) - 8;
							if( *(_t298 - 0x1c) == 8) {
								E0040387D(_t156, _t298 - 0x28,  *(_t298 - 0x14));
								L12:
								E004037D2(_t294 + 0x1c, _t298 - 0x28);
								 *((char*)(_t298 - 4)) = 0;
								E00405DEF(_t298 - 0x1c);
								__eflags =  *(_t298 + 0x14);
								if( *(_t298 + 0x14) != 0) {
									_t161 =  *(_t298 + 0x10);
									 *( *(_t298 + 0x10)) = 0;
									L60:
									E00403204(_t161,  *((intOrPtr*)(_t298 - 0x28)));
									_t163 = 0;
									__eflags = 0;
									goto L61;
								}
								 *(_t298 - 0x1c) = 0;
								 *((short*)(_t298 - 0x1a)) = 0;
								 *(_t298 - 0x14) = 0;
								_t164 =  *((intOrPtr*)(_t294 + 0xc));
								 *((char*)(_t298 - 4)) = 2;
								_t165 =  *((intOrPtr*)( *_t164 + 0x18))(_t164, _t289, 9, _t298 - 0x1c);
								__eflags = _t165;
								if(_t165 == 0) {
									__eflags =  *(_t298 - 0x1c);
									if( *(_t298 - 0x1c) != 0) {
										__eflags =  *(_t298 - 0x1c) - 0x13;
										if( *(_t298 - 0x1c) == 0x13) {
											_t166 =  *(_t298 - 0x14);
											L20:
											 *(_t294 + 0x44) = _t166;
											_t167 =  *((intOrPtr*)(_t294 + 0xc));
											_t165 =  *((intOrPtr*)( *_t167 + 0x18))(_t167, _t289, 6, _t298 - 0x1c);
											__eflags = _t165;
											if(_t165 != 0) {
												goto L14;
											}
											__eflags =  *(_t298 - 0x14);
											 *(_t298 + 0xb) = 0;
											 *((short*)(_t298 - 0x50)) = 0;
											 *((short*)(_t298 - 0x4e)) = 0;
											 *(_t294 + 0x40) = _t165 & 0xffffff00 |  *(_t298 - 0x14) != 0x00000000;
											 *(_t298 - 0x48) = 0;
											_t171 =  *((intOrPtr*)(_t294 + 0xc));
											 *((char*)(_t298 - 4)) = 3;
											_t172 =  *((intOrPtr*)( *_t171 + 0x18))(_t171, _t289, 0x15, _t298 - 0x50);
											__eflags = _t172;
											 *(_t298 + 0xc) = _t172;
											if(_t172 == 0) {
												__eflags =  *((short*)(_t298 - 0x50)) - 0xb;
												if( *((short*)(_t298 - 0x50)) == 0xb) {
													__eflags =  *(_t298 - 0x48);
													_t63 = _t298 + 0xb;
													 *_t63 =  *(_t298 - 0x48) != 0;
													__eflags =  *_t63;
												}
												 *((char*)(_t298 - 4)) = 2;
												E00405DEF(_t298 - 0x50);
												_t174 =  *((intOrPtr*)(_t294 + 0xc));
												_t165 =  *((intOrPtr*)( *_t174 + 0x18))(_t174, _t289, 0xc, _t298 - 0x1c);
												__eflags = _t165;
												if(_t165 != 0) {
													goto L14;
												} else {
													_t175 =  *(_t298 - 0x1c) & 0x0000ffff;
													__eflags = _t175;
													if(__eflags == 0) {
														_t291 = _t294 + 0x38;
														 *_t291 =  *(_t294 + 0x5c);
														_t177 =  *(_t294 + 0x60);
														L30:
														_t291[1] = _t177;
														 *((intOrPtr*)(_t298 - 0x34)) = 0;
														 *(_t298 - 0x30) = 0;
														 *((intOrPtr*)(_t298 - 0x2c)) = 0;
														 *((char*)(_t298 - 4)) = 4;
														E004041F8(_t298 - 0x28, _t298 - 0x34, __eflags);
														__eflags =  *(_t298 - 0x30);
														if(__eflags != 0) {
															E00403740(_t298 - 0x5c, __eflags, _t298 - 0x28);
															__eflags =  *(_t294 + 0x40);
															 *((char*)(_t298 - 4)) = 5;
															if( *(_t294 + 0x40) == 0) {
																E004024B5(_t298 - 0x34);
															}
															__eflags =  *(_t298 - 0x30);
															if( *(_t298 - 0x30) != 0) {
																__eflags =  *(_t298 + 0xb);
																if(__eflags == 0) {
																	_push(_t298 - 0x34);
																	E00401E92(_t294, __eflags);
																}
															}
															E00403632(_t298 - 0x40, _t294 + 0x10, _t298 - 0x5c);
															__eflags =  *(_t294 + 0x40);
															 *((char*)(_t298 - 4)) = 6;
															if( *(_t294 + 0x40) == 0) {
																E00404D7D(_t298 - 0x94);
																E0040368D(_t298 - 0x6c);
																 *((char*)(_t298 - 4)) = 7;
																_t185 = E00404DAF(_t298 - 0x94, __eflags,  *((intOrPtr*)(_t298 - 0x40))); // executed
																__eflags = _t185;
																if(__eflags == 0) {
																	L47:
																	__eflags =  *(_t298 + 0xb);
																	if( *(_t298 + 0xb) != 0) {
																		L58:
																		E00403204(E00403204(E00403204(E004037D2(_t294 + 0x28, _t298 - 0x40),  *((intOrPtr*)(_t298 - 0x6c))),  *((intOrPtr*)(_t298 - 0x40))),  *((intOrPtr*)(_t298 - 0x5c)));
																		 *((char*)(_t298 - 4)) = 2;
																		E00410DA8(0, _t298 - 0x34);
																		_t161 = E00405DEF(_t298 - 0x1c);
																		goto L60;
																	}
																	_push(0x18);
																	_t192 = E004031DD();
																	__eflags = _t192;
																	if(_t192 == 0) {
																		_t292 = 0;
																		__eflags = 0;
																	} else {
																		 *((intOrPtr*)(_t192 + 4)) = 0;
																		 *(_t192 + 8) =  *(_t192 + 8) | 0xffffffff;
																		 *_t192 = 0x41b600;
																		_t292 = _t192;
																	}
																	__eflags = _t292;
																	 *(_t294 + 0x48) = _t292;
																	 *(_t298 + 8) = _t292;
																	if(_t292 != 0) {
																		 *((intOrPtr*)( *_t292 + 4))(_t292);
																	}
																	_t193 =  *(_t294 + 0x48);
																	 *((intOrPtr*)(_t193 + 0x10)) = 0;
																	 *((char*)(_t298 - 4)) = 8;
																	 *((intOrPtr*)(_t193 + 0x14)) = 0;
																	_t194 = E00405489( *((intOrPtr*)(_t298 - 0x40)), 1);
																	__eflags = _t194;
																	if(_t194 != 0) {
																		E004063E5(_t294 + 0x4c, _t292);
																		 *((char*)(_t298 - 4)) = 7;
																		 *( *(_t298 + 0x10)) = _t292;
																		goto L58;
																	} else {
																		_t197 = E004038D0(_t294 + 0xe4,  *0x41b5ac);
																		__eflags = _t292;
																		 *((char*)(_t298 - 4)) = 7;
																		if(_t292 != 0) {
																			_t197 =  *((intOrPtr*)( *_t292 + 8))(_t292);
																		}
																		E00403204(E00403204(E00403204(_t197,  *((intOrPtr*)(_t298 - 0x6c))),  *((intOrPtr*)(_t298 - 0x40))),  *((intOrPtr*)(_t298 - 0x5c)));
																		 *((char*)(_t298 - 4)) = 2;
																		E00410DA8(0, _t298 - 0x34);
																		E00403204(E00405DEF(_t298 - 0x1c),  *((intOrPtr*)(_t298 - 0x28)));
																		_t163 = 0x80004005;
																		goto L61;
																	}
																}
																_t207 = E00404643( *((intOrPtr*)(_t298 - 0x40)), __eflags);
																__eflags = _t207;
																if(_t207 != 0) {
																	goto L47;
																}
																_t209 = E00403204(E004038D0(_t294 + 0xe4,  *0x41b5a8),  *((intOrPtr*)(_t298 - 0x6c)));
																_t230 = 0x80004005;
																goto L44;
															} else {
																_t296 = _t294 + 0x28;
																E004037D2(_t296, _t298 - 0x40);
																__eflags =  *(_t298 + 0xb);
																_t270 =  *_t296;
																if( *(_t298 + 0xb) == 0) {
																	_t209 = E00404419(_t270, 0, 0, _t291);
																} else {
																	_t209 = E00404470(_t270);
																}
																L44:
																E00403204(E00403204(_t209,  *((intOrPtr*)(_t298 - 0x40))),  *((intOrPtr*)(_t298 - 0x5c)));
																L45:
																 *((char*)(_t298 - 4)) = 2;
																E00410DA8(_t230, _t298 - 0x34);
																L46:
																E00403204(E00405DEF(_t298 - 0x1c),  *((intOrPtr*)(_t298 - 0x28)));
																_t163 = _t230;
																goto L61;
															}
														}
														_t230 = 0x80004005;
														goto L45;
													}
													__eflags = _t175 - 0x40;
													if(__eflags != 0) {
														goto L18;
													}
													_t291 = _t294 + 0x38;
													 *_t291 =  *(_t298 - 0x14);
													_t177 =  *(_t298 - 0x10);
													goto L30;
												}
											}
											E00405DEF(_t298 - 0x50);
											E00403204(E00405DEF(_t298 - 0x1c),  *((intOrPtr*)(_t298 - 0x28)));
											_t163 =  *(_t298 + 0xc);
											goto L61;
										}
										L18:
										_t230 = 0x80004005;
										goto L46;
									}
									_t166 =  *(_t294 + 0x64);
									goto L20;
								}
								L14:
								_t230 = _t165;
								goto L46;
							}
							_t297 = 0x80004005;
							goto L10;
						}
						E004037D2(_t298 - 0x28, _t294 + 0x50);
						goto L12;
					} else {
						_t297 = _t156;
						L10:
						E00403204(E00405DEF(_t298 - 0x1c),  *((intOrPtr*)(_t298 - 0x28)));
						_t163 = _t297;
						goto L61;
					}
				} else {
					_t163 = 0x80004004;
					L61:
					 *[fs:0x0] =  *((intOrPtr*)(_t298 - 0xc));
					return _t163;
				}
			}

0x00401f2b
0x00401f38
0x00401f49
0x00401f55
0x00401f5a
0x00401f5c
0x00401f61
0x00401f64
0x00401f64
0x00401f6a
0x00401f6f
0x00401f72
0x00401f76
0x00401f7a
0x00401f7d
0x00401f80
0x00401f86
0x00401f91
0x00401f94
0x00401f96
0x00401f9c
0x00401fa0
0x00401fb0
0x00401fb5
0x00401fda
0x00401fdf
0x00401fe6
0x00401fee
0x00401ff1
0x00401ff6
0x00401ff9
0x00402338
0x0040233b
0x0040233d
0x00402340
0x00402346
0x00402346
0x00000000
0x00402346
0x00401fff
0x00402003
0x00402007
0x0040200a
0x00402017
0x0040201b
0x0040201e
0x00402020
0x00402029
0x0040202d
0x00402034
0x00402039
0x00402045
0x00402048
0x00402048
0x0040204b
0x00402058
0x0040205b
0x0040205d
0x00000000
0x00000000
0x0040205f
0x00402063
0x00402066
0x0040206a
0x00402071
0x00402074
0x00402077
0x00402084
0x00402088
0x0040208b
0x0040208d
0x00402090
0x004020b3
0x004020b8
0x004020ba
0x004020be
0x004020be
0x004020be
0x004020be
0x004020c5
0x004020c9
0x004020ce
0x004020db
0x004020de
0x004020e0
0x00000000
0x004020e6
0x004020e6
0x004020ea
0x004020ec
0x00402107
0x0040210a
0x0040210c
0x0040210f
0x0040210f
0x00402112
0x00402115
0x00402118
0x00402121
0x00402125
0x0040212a
0x0040212d
0x00402140
0x00402145
0x00402148
0x0040214c
0x00402151
0x00402151
0x00402156
0x00402159
0x0040215b
0x0040215e
0x00402165
0x00402166
0x00402166
0x0040215e
0x00402175
0x0040217a
0x0040217d
0x00402181
0x004021b0
0x004021b8
0x004021c6
0x004021ca
0x004021cf
0x004021d1
0x00402234
0x00402234
0x00402237
0x004022fb
0x0040231a
0x00402325
0x00402329
0x00402331
0x00000000
0x00402331
0x0040223d
0x0040223f
0x00402244
0x00402247
0x0040225a
0x0040225a
0x00402249
0x00402249
0x0040224c
0x00402250
0x00402256
0x00402256
0x0040225c
0x0040225e
0x00402261
0x00402264
0x00402269
0x00402269
0x0040226f
0x00402275
0x0040227b
0x0040227f
0x00402282
0x00402287
0x00402289
0x004022ed
0x004022f5
0x004022f9
0x00000000
0x0040228b
0x00402297
0x0040229c
0x0040229e
0x004022a2
0x004022a7
0x004022a7
0x004022bd
0x004022c8
0x004022cc
0x004022dc
0x004022e2
0x00000000
0x004022e2
0x00402289
0x004021d6
0x004021db
0x004021dd
0x00000000
0x00000000
0x004021f3
0x004021f9
0x00000000
0x00402183
0x00402183
0x0040218c
0x00402191
0x00402194
0x00402196
0x004021a3
0x00402198
0x00402198
0x00402198
0x004021fe
0x00402209
0x00402210
0x00402213
0x00402217
0x0040221c
0x00402227
0x0040222d
0x00000000
0x0040222d
0x00402181
0x0040212f
0x00000000
0x0040212f
0x004020ee
0x004020f1
0x00000000
0x00000000
0x004020fa
0x004020fd
0x004020ff
0x00000000
0x004020ff
0x004020e0
0x00402095
0x004020a5
0x004020aa
0x00000000
0x004020ad
0x0040203b
0x0040203b
0x00000000
0x0040203b
0x0040202f
0x00000000
0x0040202f
0x00402022
0x00402022
0x00000000
0x00402022
0x00401fb7
0x00000000
0x00401fb7
0x00401fa9
0x00000000
0x00401f98
0x00401f98
0x00401fbc
0x00401fc7
0x00401fcd
0x00000000
0x00401fcd
0x00401f4b
0x00401f4b
0x00402348
0x0040234e
0x00402356
0x00402356

APIs

__EH_prolog.LIBCMT ref: 00401F2B

Part of subcall function 004023F0: EnterCriticalSection.KERNEL32(?,?,?,0040B84D), ref: 004023F5
Part of subcall function 004023F0: LeaveCriticalSection.KERNEL32(?,?,?,?,0040B84D), ref: 004023FF

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: CriticalSection$EnterH_prologLeave
String ID:
API String ID: 367238759-0
Opcode ID: c98dd72ca9a408a897e4c4eb090a232a339a1033bd389715e9476c7bcdf9f8f6
Instruction ID: 9aea0566c9c0e61cfee338e95f65c5ac720cc4bbfeed0489b5d27597e260e310
Opcode Fuzzy Hash: c98dd72ca9a408a897e4c4eb090a232a339a1033bd389715e9476c7bcdf9f8f6
Instruction Fuzzy Hash: 62D19E7090020ADFCF10EFA5C9849EEBBB5AF54308F14846FE506B72D1DB786A46CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00410864 Relevance: 1.7, APIs: 1, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00410864(intOrPtr* __ecx) {
				void* __ebx;
				char* _t105;
				signed char _t106;
				signed int _t107;
				intOrPtr* _t111;
				signed char _t113;
				void* _t114;
				void* _t117;
				signed char _t121;
				void* _t127;
				void* _t139;
				signed char _t140;
				intOrPtr _t151;
				void* _t154;
				signed int _t176;
				signed char _t178;
				intOrPtr _t180;
				intOrPtr* _t183;
				signed char _t185;
				void* _t186;
				signed int _t192;
				void* _t194;

				E00418D80(E0041A5EC, _t186);
				_t180 =  *((intOrPtr*)(_t186 + 8));
				_t183 = __ecx;
				E0040E6A5(_t180);
				 *((intOrPtr*)(_t180 + 0x100)) =  *((intOrPtr*)(__ecx + 0x40));
				 *((intOrPtr*)(_t180 + 0x104)) =  *((intOrPtr*)(__ecx + 0x44));
				_t105 = _t180 + 0xf8;
				 *_t105 =  *((intOrPtr*)(__ecx + 0x56));
				 *((char*)(_t180 + 0xf9)) =  *((intOrPtr*)(__ecx + 0x57));
				if( *_t105 != 0) {
					L16:
					_t106 = 1;
					L17:
					 *[fs:0x0] =  *((intOrPtr*)(_t186 - 0xc));
					return _t106;
				}
				 *(_t186 - 0x18) =  *(__ecx + 0x60);
				 *(_t186 - 0x14) =  *(__ecx + 0x64);
				_t107 =  *(__ecx + 0x5c);
				 *(_t186 - 0x10) =  *(__ecx + 0x68);
				 *((intOrPtr*)(_t186 + 8)) =  *((intOrPtr*)(__ecx + 0x6c));
				_t151 = 0x20;
				 *(_t186 - 0x1c) = _t107;
				 *((intOrPtr*)(_t180 + 0x140)) = _t151;
				asm("adc ebx, 0x0");
				 *((intOrPtr*)(_t180 + 0x108)) =  *((intOrPtr*)(__ecx + 0x40)) + _t151;
				 *((intOrPtr*)(_t180 + 0x10c)) =  *((intOrPtr*)(__ecx + 0x44));
				 *(_t180 + 0x148) =  *(_t180 + 0x148) & 0;
				_t192 =  *(_t186 - 0x18);
				 *(_t180 + 0x144) = 0;
				if(_t192 < 0 || _t192 <= 0 && _t107 < 0) {
					goto L16;
				} else {
					_t194 =  *(_t186 - 0x10) - 0x40000000;
					if(_t194 > 0 || _t194 >= 0 &&  *(_t186 - 0x14) > 0) {
						goto L16;
					} else {
						if(( *(_t186 - 0x14) |  *(_t186 - 0x10)) != 0) {
							__eflags =  *((char*)(_t180 + 0x14c));
							if( *((char*)(_t180 + 0x14c)) == 0) {
								 *(_t180 + 0x148) = 1;
							}
							asm("adc ebx, 0x0");
							 *((intOrPtr*)(_t183 + 0x70)) =  *((intOrPtr*)(_t183 + 0x70)) +  *(_t186 - 0x14) + _t151;
							_t176 =  *(_t186 - 0x10);
							asm("adc [esi+0x74], ebx");
							_t139 =  *(_t186 - 0x14) + _t107;
							asm("adc edx, [ebp-0x18]");
							 *((intOrPtr*)(_t180 + 0x140)) = _t139 + _t151;
							asm("adc ecx, 0x0");
							 *(_t180 + 0x144) = _t176;
							_t154 =  *((intOrPtr*)(_t183 + 0x48)) -  *((intOrPtr*)(_t180 + 0x108));
							asm("sbb eax, [edi+0x10c]");
							__eflags =  *((intOrPtr*)(_t183 + 0x4c)) - _t176;
							if(__eflags > 0) {
								L18:
								_t111 =  *_t183;
								_t106 =  *((intOrPtr*)( *_t111 + 0x10))(_t111,  *(_t186 - 0x1c),  *(_t186 - 0x18), 1, 0);
								__eflags = _t106;
								if(_t106 != 0) {
									goto L17;
								}
								_t140 =  *(_t186 - 0x14);
								__eflags = _t140 - _t140;
								if(_t140 != _t140) {
									L21:
									_t106 = 0x8007000e;
									goto L17;
								}
								__eflags = _t106 -  *(_t186 - 0x10);
								if(_t106 ==  *(_t186 - 0x10)) {
									 *(_t186 - 0x24) =  *(_t186 - 0x24) & 0x00000000;
									 *(_t186 - 0x20) =  *(_t186 - 0x20) & 0x00000000;
									_push(_t140);
									 *(_t186 - 0x24) = E004031DD();
									 *(_t186 - 0x20) = _t140;
									 *(_t186 - 4) =  *(_t186 - 4) & 0x00000000;
									_t113 = E00407B3A(__eflags, _t140);
									__eflags = _t113;
									if(_t113 == 0) {
										_t158 =  *(_t186 - 0x24);
										_t178 = _t140;
										_t114 = E00418C10( *(_t186 - 0x24), _t178);
										__eflags = _t114 -  *((intOrPtr*)(_t186 + 8));
										if(_t114 !=  *((intOrPtr*)(_t186 + 8))) {
											E0040E966(_t158);
										}
										__eflags =  *((char*)(_t180 + 0x14c));
										if( *((char*)(_t180 + 0x14c)) == 0) {
											 *((char*)(_t180 + 0x149)) = 1;
										}
										 *(_t186 - 0x28) =  *(_t186 - 0x28) & 0x00000000;
										 *(_t186 - 0x27) =  *(_t186 - 0x27) & 0x00000000;
										 *(_t186 - 4) = 1;
										E0040E8FC(_t183, _t186 - 0x24);
										 *((intOrPtr*)(_t186 - 0x38)) = 0;
										 *(_t186 - 0x34) = 0;
										 *((intOrPtr*)(_t186 - 0x30)) = 0;
										_t160 =  *((intOrPtr*)(_t183 + 0x38));
										 *(_t186 - 4) = 2;
										_t117 = E0040EA46( *((intOrPtr*)(_t183 + 0x38)));
										__eflags = _t117 - 1;
										if(_t117 != 1) {
											L30:
											__eflags = _t117 - 0x17;
											if(_t117 != 0x17) {
												L32:
												E0040E966(_t160);
												L33:
												_t161 = _t183;
												_t121 = E0040FE8A(_t183, _t178, __eflags,  *((intOrPtr*)(_t180 + 0x108)),  *((intOrPtr*)(_t180 + 0x10c)), _t180 + 0x118, _t186 - 0x38); // executed
												__eflags = _t121;
												if(_t121 != 0) {
													goto L42;
												}
												__eflags =  *(_t186 - 0x34);
												if( *(_t186 - 0x34) != 0) {
													__eflags =  *(_t186 - 0x34) - 1;
													if( *(_t186 - 0x34) > 1) {
														E0040E966(_t161);
													}
													E0040E883(_t186 - 0x2c);
													E0040E8FC(_t183,  *((intOrPtr*)( *((intOrPtr*)(_t186 - 0x38)))));
													_t167 =  *((intOrPtr*)(_t183 + 0x38));
													_t127 = E0040EA46( *((intOrPtr*)(_t183 + 0x38)));
													__eflags = _t127 - 1;
													if(_t127 != 1) {
														L40:
														E0040E966(_t167);
														goto L41;
													}
													__eflags = _t178;
													if(__eflags == 0) {
														goto L41;
													}
													goto L40;
												}
												_t185 = 0;
												goto L43;
											}
											__eflags = _t178;
											if(__eflags == 0) {
												goto L33;
											}
											goto L32;
										} else {
											__eflags = _t178;
											if(__eflags == 0) {
												L41:
												 *(_t180 + 0x148) = 1;
												 *((intOrPtr*)(_t180 + 0x138)) =  *((intOrPtr*)(_t183 + 0x70));
												 *((intOrPtr*)(_t180 + 0x13c)) =  *((intOrPtr*)(_t183 + 0x74));
												_t121 = E00410138(_t183, _t178, __eflags, _t180);
												L42:
												_t185 = _t121;
												L43:
												 *(_t186 - 4) = 1;
												E00410DA8(0, _t186 - 0x38);
												_t96 = _t186 - 4;
												 *_t96 =  *(_t186 - 4) & 0x00000000;
												__eflags =  *_t96;
												_t113 = E0040E883(_t186 - 0x2c);
												L44:
												E00403204(_t113,  *(_t186 - 0x24));
												_t106 = _t185;
												goto L17;
											}
											goto L30;
										}
									}
									_t185 = _t113;
									goto L44;
								}
								goto L21;
							} else {
								if(__eflags < 0) {
									L15:
									 *((char*)(_t180 + 0x14b)) = 1;
									goto L16;
								}
								__eflags = _t154 - _t139;
								if(_t154 >= _t139) {
									goto L18;
								}
								goto L15;
							}
						}
						if((_t107 |  *(_t186 - 0x18)) != 0) {
							goto L16;
						}
						 *(_t180 + 0x148) = 1;
						_t106 = 0;
						goto L17;
					}
				}
			}

0x00410869
0x00410874
0x00410877
0x0041087b
0x00410883
0x0041088c
0x00410895
0x0041089b
0x004108a3
0x004108a9
0x0041099e
0x004109a0
0x004109a1
0x004109a7
0x004109af
0x004109af
0x004108b5
0x004108bb
0x004108c4
0x004108c7
0x004108cf
0x004108d2
0x004108d3
0x004108d8
0x004108de
0x004108e1
0x004108e9
0x004108ef
0x004108f5
0x004108f8
0x004108fe
0x00000000
0x0041090e
0x0041090e
0x00410915
0x00000000
0x00410922
0x00410928
0x0041093a
0x00410941
0x00410943
0x00410943
0x00410952
0x00410955
0x00410958
0x0041095b
0x00410961
0x00410963
0x0041096c
0x00410972
0x00410975
0x0041097e
0x00410987
0x0041098d
0x0041098f
0x004109b2
0x004109b2
0x004109c1
0x004109c4
0x004109c6
0x00000000
0x00000000
0x004109c8
0x004109cb
0x004109cd
0x004109d4
0x004109d4
0x00000000
0x004109d4
0x004109cf
0x004109d2
0x004109db
0x004109df
0x004109e3
0x004109ea
0x004109ed
0x004109f2
0x004109f9
0x004109fe
0x00410a00
0x00410a09
0x00410a0c
0x00410a0e
0x00410a13
0x00410a16
0x00410a18
0x00410a18
0x00410a1d
0x00410a24
0x00410a26
0x00410a26
0x00410a2d
0x00410a31
0x00410a3d
0x00410a41
0x00410a48
0x00410a4b
0x00410a4e
0x00410a51
0x00410a54
0x00410a58
0x00410a5d
0x00410a60
0x00410a66
0x00410a66
0x00410a69
0x00410a6f
0x00410a6f
0x00410a74
0x00410a77
0x00410a8d
0x00410a92
0x00410a94
0x00000000
0x00000000
0x00410a96
0x00410a99
0x00410a9f
0x00410aa3
0x00410aa5
0x00410aa5
0x00410aad
0x00410abb
0x00410ac0
0x00410ac3
0x00410ac8
0x00410acb
0x00410ad1
0x00410ad1
0x00000000
0x00410ad1
0x00410acd
0x00410acf
0x00000000
0x00000000
0x00000000
0x00410acf
0x00410a9b
0x00000000
0x00410a9b
0x00410a6b
0x00410a6d
0x00000000
0x00000000
0x00000000
0x00410a62
0x00410a62
0x00410a64
0x00410ad6
0x00410ad6
0x00410ae0
0x00410aec
0x00410af2
0x00410af7
0x00410af7
0x00410af9
0x00410afc
0x00410b00
0x00410b05
0x00410b05
0x00410b05
0x00410b0c
0x00410b11
0x00410b14
0x00410b1a
0x00000000
0x00410b1a
0x00000000
0x00410a64
0x00410a60
0x00410a02
0x00000000
0x00410a02
0x00000000
0x00410991
0x00410991
0x00410997
0x00410997
0x00000000
0x00410997
0x00410993
0x00410995
0x00000000
0x00000000
0x00000000
0x00410995
0x0041098f
0x0041092d
0x00000000
0x00000000
0x0041092f
0x00410936
0x00000000
0x00410936
0x00410915

APIs

__EH_prolog.LIBCMT ref: 00410869

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b5cc35a2c58265fee19c36632372959ba17ac50ae5207827a12774cad0544b01
Instruction ID: 45b12642a324e08f911b4fbefe6149a1cb9296f609db2837831a0bfb9efd5dc6
Opcode Fuzzy Hash: b5cc35a2c58265fee19c36632372959ba17ac50ae5207827a12774cad0544b01
Instruction Fuzzy Hash: 34917DB0A007459BDB24DBA5C4907EEFBF1BF59314F14452EE489A3352C7B869C0CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2C8 Relevance: 1.7, APIs: 1, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040A2C8(intOrPtr* __ecx) {
				signed int _t58;
				signed int _t59;
				signed int _t60;
				intOrPtr* _t61;
				intOrPtr* _t63;
				signed int _t81;
				void* _t83;
				void* _t85;
				void* _t86;
				void* _t87;
				signed int* _t97;
				intOrPtr _t115;
				void* _t128;
				void* _t129;
				void* _t130;
				void* _t131;
				void* _t132;
				void* _t133;
				signed int* _t139;
				intOrPtr* _t142;
				signed int _t144;
				intOrPtr _t145;
				void* _t147;

				E00418D80(E00419E04, _t147);
				_t142 = __ecx;
				_t58 = E00409DAD(__ecx,  *((intOrPtr*)(_t147 + 8))); // executed
				if(_t58 != 0) {
					L22:
					 *[fs:0x0] =  *((intOrPtr*)(_t147 - 0xc));
					return _t58;
				}
				if( *__ecx == _t58) {
					L21:
					_t58 = 0;
					goto L22;
				}
				_t59 =  *(__ecx + 8);
				_t97 = __ecx + 8;
				if(_t59 != 0) {
					 *((intOrPtr*)( *_t59 + 8))(_t59);
					 *_t97 =  *_t97 & 0x00000000;
				}
				_t60 =  *(_t142 + 0xc);
				_t139 = _t142 + 0xc;
				if(_t60 != 0) {
					 *((intOrPtr*)( *_t60 + 8))(_t60);
					 *_t139 =  *_t139 & 0x00000000;
				}
				_t61 =  *_t142;
				 *((intOrPtr*)( *_t61))(_t61, 0x41b1e0, _t97);
				_t63 =  *_t142;
				 *((intOrPtr*)( *_t63))(_t63, 0x41b1d0, _t139);
				_push(_t142 + 0xd9);
				_t128 = 0x42;
				_t58 = E0040A4E3( *_t142, _t128);
				if(_t58 != 0) {
					goto L22;
				} else {
					_push(_t142 + 0xdb);
					_t129 = 0x41;
					_t58 = E0040A4E3( *_t142, _t129);
					if(_t58 != 0) {
						goto L22;
					}
					_push(_t142 + 0xdc);
					_t130 = 0x3f;
					_t58 = E0040A4E3( *_t142, _t130);
					if(_t58 != 0) {
						goto L22;
					}
					_push(_t142 + 0xdd);
					_t131 = 0x40;
					_t58 = E0040A4E3( *_t142, _t131);
					if(_t58 != 0) {
						goto L22;
					}
					_push(_t142 + 0xde);
					_t132 = 0x5b;
					_t58 = E0040A4E3( *_t142, _t132);
					if(_t58 != 0) {
						goto L22;
					}
					_push(_t142 + 0xda);
					_t133 = 0x5d;
					_t58 = E0040A4E3( *_t142, _t133);
					if(_t58 != 0) {
						goto L22;
					}
					E0040429A(_t142 + 0x70);
					 *((intOrPtr*)(_t147 - 4)) = 0;
					E0040368D(_t147 - 0x24);
					 *((char*)(_t147 - 4)) = 1;
					if(E00403A5B(_t147 - 0x18, 0x2e) >= 0) {
						E0040376E(_t147 - 0x24,  *((intOrPtr*)(_t147 - 0x18)) + 2 + _t73 * 2);
					}
					_t74 =  *((intOrPtr*)(_t142 + 0x88));
					_t140 = _t142 + 0x88;
					 *((intOrPtr*)(_t142 + 0x8c)) = 0;
					 *((short*)( *((intOrPtr*)(_t142 + 0x88)))) = 0;
					_t144 =  *(_t142 + 0x94);
					if(_t144 >= 0) {
						_t145 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t147 + 8)))) + 8)) + _t144 * 4));
						if( *((intOrPtr*)(_t145 + 0x1c)) != 0) {
							_t81 = E00409144(_t145, _t147 - 0x24);
							if(_t81 < 0) {
								_t81 = 0;
							}
							_t115 =  *((intOrPtr*)(_t145 + 0x18));
							_t49 =  *((intOrPtr*)(_t115 + _t81 * 4)) + 0xc; // 0xc
							_push( *((intOrPtr*)(_t115 + _t81 * 4)));
							_t83 = E00408FCD(_t147 - 0x48, _t147 - 0x18);
							 *((char*)(_t147 - 4)) = 5;
							_t74 = E00403204(E004037D2(_t140, _t83),  *((intOrPtr*)(_t147 - 0x48)));
						} else {
							_t85 = E0040368D(_t147 - 0x48);
							 *((char*)(_t147 - 4)) = 2;
							_t86 = E0040368D(_t147 - 0x3c);
							_push(_t85);
							_push(_t86);
							 *((char*)(_t147 - 4)) = 3;
							_t87 = E00408FCD(_t147 - 0x30, _t147 - 0x18);
							 *((char*)(_t147 - 4)) = 4;
							_t74 = E00403204(E00403204(E00403204(E004037D2(_t140, _t87),  *((intOrPtr*)(_t147 - 0x30))),  *((intOrPtr*)(_t147 - 0x3c))),  *((intOrPtr*)(_t147 - 0x48)));
						}
					}
					E00403204(E00403204(_t74,  *((intOrPtr*)(_t147 - 0x24))),  *((intOrPtr*)(_t147 - 0x18)));
					goto L21;
				}
			}

0x0040a2cd
0x0040a2d8
0x0040a2dd
0x0040a2e4
0x0040a4d2
0x0040a4d8
0x0040a4e0
0x0040a4e0
0x0040a2ec
0x0040a4d0
0x0040a4d0
0x00000000
0x0040a4d0
0x0040a2f2
0x0040a2f5
0x0040a2fa
0x0040a2ff
0x0040a302
0x0040a302
0x0040a305
0x0040a308
0x0040a30d
0x0040a312
0x0040a315
0x0040a315
0x0040a318
0x0040a323
0x0040a325
0x0040a330
0x0040a33a
0x0040a33d
0x0040a33e
0x0040a347
0x00000000
0x0040a34d
0x0040a355
0x0040a358
0x0040a359
0x0040a360
0x00000000
0x00000000
0x0040a36e
0x0040a371
0x0040a372
0x0040a379
0x00000000
0x00000000
0x0040a387
0x0040a38a
0x0040a38b
0x0040a392
0x00000000
0x00000000
0x0040a3a0
0x0040a3a3
0x0040a3a4
0x0040a3ab
0x00000000
0x00000000
0x0040a3b9
0x0040a3bc
0x0040a3bd
0x0040a3c4
0x00000000
0x00000000
0x0040a3d0
0x0040a3d8
0x0040a3db
0x0040a3e5
0x0040a3f0
0x0040a3fd
0x0040a3fd
0x0040a402
0x0040a408
0x0040a40e
0x0040a411
0x0040a414
0x0040a41c
0x0040a42a
0x0040a430
0x0040a488
0x0040a48f
0x0040a491
0x0040a491
0x0040a493
0x0040a49c
0x0040a4a0
0x0040a4a4
0x0040a4ac
0x0040a4b8
0x0040a432
0x0040a435
0x0040a43f
0x0040a443
0x0040a448
0x0040a449
0x0040a450
0x0040a454
0x0040a45c
0x0040a478
0x0040a47d
0x0040a430
0x0040a4c9
0x00000000
0x0040a4cf

APIs

__EH_prolog.LIBCMT ref: 0040A2CD

Part of subcall function 00409DAD: __EH_prolog.LIBCMT ref: 00409DB2

Part of subcall function 00408FCD: __EH_prolog.LIBCMT ref: 00408FD2

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 55abee7260f8abe240855f7b25643b941ebcc1b184b95c31af575d9cb9fe0adf
Instruction ID: 9e12673def2b6459cc981bd691141fc0cb4a79b6ab5f4124fe6ffa379ca14ef1
Opcode Fuzzy Hash: 55abee7260f8abe240855f7b25643b941ebcc1b184b95c31af575d9cb9fe0adf
Instruction Fuzzy Hash: 6A618375600205AFCB20EF61C885EAEBBB8EF44308F10447FE545B72D1DAB8AD55CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00403C57 Relevance: 1.7, APIs: 1, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00403C57(intOrPtr* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* _t70;
				signed int _t71;
				intOrPtr _t86;
				signed int _t87;
				char _t97;
				char _t115;
				void* _t135;
				intOrPtr* _t138;
				void* _t140;

				E00418D80(E0041986C, _t140);
				_t135 = __edx;
				_t138 = __ecx;
				E00404015(__edx);
				 *(_t140 - 0x10) =  *(_t140 - 0x10) & 0x00000000;
				while(1) {
					L1:
					_t70 = E00403EC8(_t138, _t140 - 0x10);
					_t149 = _t70;
					if(_t70 == 0) {
						break;
					}
					E0040368D(_t140 - 0x48);
					 *(_t140 - 4) =  *(_t140 - 4) & 0x00000000;
					E0040368D(_t140 - 0x3c);
					_push(_t140 - 0x18);
					 *(_t140 - 4) = 1;
					E00403E47(_t140 - 0x30,  *_t138 +  *(_t140 - 0x10), _t149); // executed
					 *(_t140 - 4) = 2;
					if(E00404045(_t140 - 0x30, _t140 - 0x48) == 0) {
						L26:
						E00403204(E00403204(E00403204(_t76,  *((intOrPtr*)(_t140 - 0x30))),  *((intOrPtr*)(_t140 - 0x3c))),  *((intOrPtr*)(_t140 - 0x48)));
						goto L29;
					} else {
						_t76 =  *((intOrPtr*)(_t140 - 0x18));
						if(_t76 == 0) {
							goto L26;
						} else {
							 *(_t140 - 0x10) =  *(_t140 - 0x10) + _t76;
							if(E00403EC8(_t138, _t140 - 0x10) == 0) {
								goto L26;
							} else {
								_t76 =  *_t138;
								if( *((char*)( *_t138 +  *(_t140 - 0x10))) != 0x3d) {
									goto L26;
								} else {
									 *(_t140 - 0x10) =  *(_t140 - 0x10) + 1;
									if(E00403EC8(_t138, _t140 - 0x10) == 0) {
										goto L26;
									} else {
										_t76 =  *_t138;
										if( *((char*)( *_t138 +  *(_t140 - 0x10))) != 0x22) {
											goto L26;
										} else {
											 *(_t140 - 0x10) =  *(_t140 - 0x10) + 1;
											E004033AD(_t140 - 0x24);
											 *(_t140 - 4) = 3;
											while(1) {
												_t81 =  *((intOrPtr*)(_t138 + 4));
												if( *(_t140 - 0x10) >=  *((intOrPtr*)(_t138 + 4))) {
													break;
												}
												_t86 =  *_t138;
												_t115 =  *((intOrPtr*)(_t86 +  *(_t140 - 0x10)));
												 *(_t140 - 0x10) =  *(_t140 - 0x10) + 1;
												 *((char*)(_t140 - 0x14)) = _t115;
												if(_t115 == 0x22) {
													_t87 = E00404045(_t140 - 0x24, _t140 - 0x3c);
													__eflags = _t87;
													if(_t87 == 0) {
														E00403204(E00403204(_t87,  *((intOrPtr*)(_t140 - 0x24))),  *((intOrPtr*)(_t140 - 0x30)));
														_t63 = _t140 - 4;
														 *_t63 =  *(_t140 - 4) | 0xffffffff;
														__eflags =  *_t63;
														E00401D5B(_t140 - 0x48);
														L29:
														_t71 = 0;
														__eflags = 0;
													} else {
														_push(_t140 - 0x48);
														E00403204(E00403204(E00403FB4(_t135, _t135),  *((intOrPtr*)(_t140 - 0x24))),  *((intOrPtr*)(_t140 - 0x30)));
														 *(_t140 - 4) =  *(_t140 - 4) | 0xffffffff;
														E00401D5B(_t140 - 0x48);
														goto L1;
													}
												} else {
													if(_t115 != 0x5c) {
														L17:
														_push( *((intOrPtr*)(_t140 - 0x14)));
													} else {
														_t97 =  *((intOrPtr*)(_t86 +  *(_t140 - 0x10)));
														 *(_t140 - 0x10) =  *(_t140 - 0x10) + 1;
														 *((char*)(_t140 - 0x14)) = _t97;
														if(_t97 == 0x22) {
															_push(0x22);
														} else {
															if(_t97 == 0x5c) {
																_push(0x5c);
															} else {
																if(_t97 == 0x6e) {
																	_push(0xa);
																} else {
																	if(_t97 == 0x74) {
																		_push(9);
																	} else {
																		E00401B7E(_t140 - 0x24, 0x5c);
																		goto L17;
																	}
																}
															}
														}
													}
													E00401B7E(_t140 - 0x24);
													continue;
												}
												goto L30;
											}
											E00403204(E00403204(E00403204(E00403204(_t81,  *((intOrPtr*)(_t140 - 0x24))),  *((intOrPtr*)(_t140 - 0x30))),  *((intOrPtr*)(_t140 - 0x3c))),  *((intOrPtr*)(_t140 - 0x48)));
											goto L29;
										}
									}
								}
							}
						}
					}
					L30:
					 *[fs:0x0] =  *((intOrPtr*)(_t140 - 0xc));
					return _t71;
				}
				_t71 = 1;
				goto L30;
			}

0x00403c5c
0x00403c66
0x00403c68
0x00403c6c
0x00403c71
0x00403c75
0x00403c75
0x00403c7a
0x00403c7f
0x00403c81
0x00000000
0x00000000
0x00403c8a
0x00403c8f
0x00403c96
0x00403ca0
0x00403ca4
0x00403cb1
0x00403cbc
0x00403cc7
0x00403dd7
0x00403dea
0x00000000
0x00403ccd
0x00403ccd
0x00403cd2
0x00000000
0x00403cd8
0x00403cd8
0x00403ce7
0x00000000
0x00403ced
0x00403ced
0x00403cf6
0x00000000
0x00403cfc
0x00403cfc
0x00403d0b
0x00000000
0x00403d11
0x00403d11
0x00403d1a
0x00000000
0x00403d20
0x00403d20
0x00403d26
0x00403d2b
0x00403d2f
0x00403d2f
0x00403d35
0x00000000
0x00000000
0x00403d3b
0x00403d40
0x00403d43
0x00403d49
0x00403d4c
0x00403d9c
0x00403da1
0x00403da3
0x00403e24
0x00403e29
0x00403e29
0x00403e29
0x00403e32
0x00403e37
0x00403e37
0x00403e37
0x00403da5
0x00403daa
0x00403dbb
0x00403dc0
0x00403dc9
0x00000000
0x00403dc9
0x00403d4e
0x00403d51
0x00403d79
0x00403d79
0x00403d53
0x00403d56
0x00403d59
0x00403d5e
0x00403d61
0x00403d8a
0x00403d63
0x00403d65
0x00403d86
0x00403d67
0x00403d69
0x00403d82
0x00403d6b
0x00403d6d
0x00403d7e
0x00403d6f
0x00403d74
0x00000000
0x00403d74
0x00403d6d
0x00403d69
0x00403d65
0x00403d61
0x00403d8f
0x00000000
0x00403d8f
0x00000000
0x00403d4c
0x00403e0f
0x00000000
0x00403e14
0x00403d1a
0x00403d0b
0x00403cf6
0x00403ce7
0x00403cd2
0x00403e39
0x00403e3e
0x00403e46
0x00403e46
0x00403dd3
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00403C5C

Part of subcall function 00403E47: __EH_prolog.LIBCMT ref: 00403E4C

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0b3ca25be2cab55319a66938d4e789a792046ebafb06ba863b11b6f18645ef8d
Instruction ID: 62711b22f829848c6225802ca1be1f26c4d3f143e04fa4970c83603acd48c4fb
Opcode Fuzzy Hash: 0b3ca25be2cab55319a66938d4e789a792046ebafb06ba863b11b6f18645ef8d
Instruction Fuzzy Hash: AE516F30900209AACF15EF95C841AEEBF79AF5130AF1445AFE551372E2DB391F0ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFA7 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040AFA7(signed int __ecx) {
				intOrPtr _t66;
				intOrPtr* _t72;
				intOrPtr* _t76;
				void* _t81;
				intOrPtr _t83;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int _t100;
				signed int _t124;
				intOrPtr* _t127;
				void* _t129;

				E00418D80(E00419F32, _t129);
				_t124 = __ecx;
				_push(0x98);
				 *((intOrPtr*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				_t66 = E004031DD();
				 *((intOrPtr*)(_t129 - 0x10)) = _t66;
				 *(_t129 - 4) = 0;
				if(_t66 == 0) {
					_t127 = 0;
					__eflags = 0;
				} else {
					_t127 = E0040B121(_t66);
				}
				 *(_t129 - 4) =  *(_t129 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t129 - 0x10)) = _t127;
				if(_t127 != 0) {
					 *((intOrPtr*)( *_t127 + 4))(_t127);
				}
				 *(_t129 - 4) = 1;
				 *((intOrPtr*)(_t127 + 0x90)) =  *((intOrPtr*)(_t129 + 0xc));
				E0040368D(_t129 - 0x1c);
				 *(_t129 - 4) = 2;
				E0040368D(_t129 - 0x28);
				_t98 =  *((intOrPtr*)(_t129 + 8));
				 *(_t129 - 4) = 3;
				if( *((intOrPtr*)(_t98 + 0x30)) != 0) {
					L8:
					_t26 = _t127 + 8; // 0x8
					 *((intOrPtr*)( *((intOrPtr*)(_t127 + 8)) + 0xc))(_t26,  *((intOrPtr*)(_t98 + 0x44)));
				} else {
					_t137 =  *((char*)(_t98 + 0x40));
					if( *((char*)(_t98 + 0x40)) != 0) {
						goto L8;
					} else {
						E0040488C( *((intOrPtr*)(_t98 + 0x44)), _t129 - 0x1c, _t137, _t129 - 0x28);
						E0040B290(_t127, _t137, _t129 - 0x1c, _t129 - 0x28); // executed
					}
				}
				 *((intOrPtr*)(_t98 + 0x38)) = _t127;
				 *((intOrPtr*)(_t98 + 0x3c)) = _t127;
				_t72 = E0040A90A(_t124, _t137, _t98); // executed
				_t99 = _t72;
				_t73 =  *((intOrPtr*)(_t127 + 0x8c));
				 *((char*)(_t124 + 0x21)) =  *((intOrPtr*)(_t127 + 0x8c));
				if(_t99 == 0) {
					_t100 = 0;
					__eflags =  *((intOrPtr*)(_t127 + 0x78));
					if( *((intOrPtr*)(_t127 + 0x78)) > 0) {
						do {
							_t73 =  *((intOrPtr*)(_t127 + 0x74));
							__eflags =  *((char*)(_t73 + _t100));
							if( *((char*)(_t73 + _t100)) != 0) {
								_push(E00403632(_t129 - 0x34, _t129 - 0x1c,  *((intOrPtr*)( *((intOrPtr*)(_t127 + 0x68)) + _t100 * 4))));
								 *(_t129 - 4) = 4;
								_t81 = E00403089(_t124 + 0xc);
								 *(_t129 - 4) = 3;
								E00403204(_t81,  *((intOrPtr*)(_t129 - 0x34)));
								_t83 =  *((intOrPtr*)(_t127 + 0x80));
								_t73 =  *((intOrPtr*)(_t83 + 4 + _t100 * 8));
								 *((intOrPtr*)(_t124 + 0x18)) =  *((intOrPtr*)(_t124 + 0x18)) +  *((intOrPtr*)(_t83 + _t100 * 8));
								asm("adc [edi+0x1c], eax");
							}
							_t100 = _t100 + 1;
							__eflags = _t100 -  *((intOrPtr*)(_t127 + 0x78));
						} while (_t100 <  *((intOrPtr*)(_t127 + 0x78)));
					}
					E00403204(E00403204(_t73,  *((intOrPtr*)(_t129 - 0x28))),  *((intOrPtr*)(_t129 - 0x1c)));
					 *(_t129 - 4) =  *(_t129 - 4) | 0xffffffff;
					__eflags = _t127;
					if(_t127 != 0) {
						 *((intOrPtr*)( *_t127 + 8))(_t127);
					}
					_t76 = 0;
					__eflags = 0;
				} else {
					E00403204(E00403204(_t73,  *((intOrPtr*)(_t129 - 0x28))),  *((intOrPtr*)(_t129 - 0x1c)));
					 *(_t129 - 4) =  *(_t129 - 4) | 0xffffffff;
					if(_t127 != 0) {
						 *((intOrPtr*)( *_t127 + 8))(_t127);
					}
					_t76 = _t99;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t129 - 0xc));
				return _t76;
			}

0x0040afac
0x0040afb7
0x0040afbb
0x0040afc0
0x0040afc3
0x0040afc6
0x0040afcc
0x0040afd1
0x0040afd4
0x0040afe1
0x0040afe1
0x0040afd6
0x0040afdd
0x0040afdd
0x0040afe3
0x0040afe9
0x0040afec
0x0040aff1
0x0040aff1
0x0040affa
0x0040b001
0x0040b007
0x0040b00f
0x0040b013
0x0040b018
0x0040b01b
0x0040b023
0x0040b04b
0x0040b051
0x0040b056
0x0040b025
0x0040b025
0x0040b029
0x00000000
0x0040b02b
0x0040b035
0x0040b044
0x0040b044
0x0040b029
0x0040b05c
0x0040b05f
0x0040b062
0x0040b067
0x0040b069
0x0040b071
0x0040b074
0x0040b09a
0x0040b09c
0x0040b09f
0x0040b0a1
0x0040b0a1
0x0040b0a4
0x0040b0a8
0x0040b0bb
0x0040b0bf
0x0040b0c3
0x0040b0cb
0x0040b0cf
0x0040b0d4
0x0040b0de
0x0040b0e2
0x0040b0e5
0x0040b0e5
0x0040b0e8
0x0040b0e9
0x0040b0e9
0x0040b0a1
0x0040b0f9
0x0040b0fe
0x0040b103
0x0040b106
0x0040b10b
0x0040b10b
0x0040b10e
0x0040b10e
0x0040b076
0x0040b081
0x0040b086
0x0040b08e
0x0040b093
0x0040b093
0x0040b096
0x0040b096
0x0040b116
0x0040b11e

APIs

__EH_prolog.LIBCMT ref: 0040AFAC

Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD

Part of subcall function 0040B121: __EH_prolog.LIBCMT ref: 0040B126

Part of subcall function 00403089: __EH_prolog.LIBCMT ref: 0040308E

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog$ExceptionThrowfreemalloc
String ID:
API String ID: 2423332413-0
Opcode ID: 72dfdc3ece159bb1c89044dbaf67c01c946df70ec191dec3c5cf43c1a4c47cf9
Instruction ID: f9ed70e7a4a1b4ee0be54417d9786138a5d8b1a5d5847858de7e9c53087b4eef
Opcode Fuzzy Hash: 72dfdc3ece159bb1c89044dbaf67c01c946df70ec191dec3c5cf43c1a4c47cf9
Instruction Fuzzy Hash: AB518371900609DFCB15EFA5C484A9EFBB4FF04314F10856FE565A72D2CB389A45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040814D Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040814D(intOrPtr __ecx) {
				intOrPtr _t69;
				signed int _t72;
				signed int _t73;
				intOrPtr* _t74;
				intOrPtr _t75;
				signed int _t76;
				intOrPtr* _t77;
				intOrPtr _t78;
				void* _t79;
				intOrPtr* _t88;
				intOrPtr _t92;
				signed int _t95;
				void* _t98;
				intOrPtr _t108;
				intOrPtr _t110;
				intOrPtr* _t115;
				intOrPtr _t119;
				void* _t121;

				E00418D80(E00419B4C, _t121);
				_t119 = __ecx;
				_t69 =  *((intOrPtr*)(__ecx + 0x68));
				_t92 = 1;
				if(_t69 == 0) {
					 *((intOrPtr*)(_t121 - 0x18)) =  *((intOrPtr*)(__ecx + 0x20));
				} else {
					 *((intOrPtr*)(_t121 - 0x18)) = _t92;
				}
				if(_t69 == 0) {
					 *((intOrPtr*)(_t121 - 0x14)) = _t92;
				} else {
					 *((intOrPtr*)(_t121 - 0x14)) =  *((intOrPtr*)(_t119 + 0x20));
				}
				_t115 = _t119 + 0x50;
				E0040891E(_t115,  *((intOrPtr*)(_t121 - 0x18)));
				_t88 = _t119 + 0x5c;
				E0040891E(_t88,  *((intOrPtr*)(_t121 - 0x14)));
				_t72 = 0;
				 *(_t121 - 0x10) = 0;
				if( *((intOrPtr*)(_t121 - 0x18)) > 0) {
					do {
						 *((intOrPtr*)( *_t115 +  *(_t115 + 4) * 4)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x70)) + _t72 * 4))));
						 *(_t115 + 4) =  *(_t115 + 4) + 1;
						_t72 =  *(_t121 - 0x10) + 1;
						 *(_t121 - 0x10) = _t72;
					} while (_t72 <  *((intOrPtr*)(_t121 - 0x18)));
				}
				_t73 = 0;
				 *(_t121 - 0x10) = 0;
				if( *((intOrPtr*)(_t121 - 0x14)) > 0) {
					do {
						 *((intOrPtr*)( *_t88 +  *(_t88 + 4) * 4)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x7c)) + _t73 * 4))));
						 *(_t88 + 4) =  *(_t88 + 4) + 1;
						_t73 =  *(_t121 - 0x10) + 1;
						 *(_t121 - 0x10) = _t73;
					} while (_t73 <  *((intOrPtr*)(_t121 - 0x14)));
				}
				 *((intOrPtr*)(_t121 - 0x1c)) = _t119;
				_t74 =  *((intOrPtr*)(_t119 + 0x18));
				 *(_t121 - 4) =  *(_t121 - 4) & 0x00000000;
				if(_t74 == 0) {
					_t75 =  *((intOrPtr*)(_t119 + 0x68));
					if(_t75 == 0) {
						_t95 = _t119 + 0x30;
					} else {
						_t95 =  *(_t119 + 0x40);
					}
					_t76 = _t119 + 0x30;
					if(_t75 == 0) {
						_t76 =  *(_t119 + 0x40);
					}
					 *(_t121 - 0x10) = _t76;
					_t77 =  *((intOrPtr*)(_t119 + 0x1c));
					_t78 =  *((intOrPtr*)( *_t77 + 0xc))(_t77,  *_t115,  *(_t121 - 0x10),  *((intOrPtr*)(_t121 - 0x18)),  *_t88, _t95,  *((intOrPtr*)(_t121 - 0x14)),  *((intOrPtr*)(_t121 + 8)));
				} else {
					_t108 =  *((intOrPtr*)(_t119 + 0x68));
					if(_t108 == 0) {
						_t98 =  *(_t119 + 0x30);
					} else {
						_t98 =  *( *(_t119 + 0x40));
					}
					if(_t108 == 0) {
						_t110 =  *( *(_t119 + 0x40));
					} else {
						_t110 =  *(_t119 + 0x30);
					}
					 *((intOrPtr*)(_t121 - 0x18)) = _t110;
					_t78 =  *((intOrPtr*)( *_t74 + 0xc))(_t74,  *((intOrPtr*)( *_t115)),  *((intOrPtr*)( *_t88)),  *((intOrPtr*)(_t121 - 0x18)), _t98,  *((intOrPtr*)(_t121 + 8)));
				}
				 *(_t121 - 4) =  *(_t121 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t119 + 0x6c)) = _t78;
				_t79 = E0040828D(_t119);
				 *[fs:0x0] =  *((intOrPtr*)(_t121 - 0xc));
				return _t79;
			}

0x00408152
0x0040815c
0x00408161
0x00408164
0x00408167
0x00408171
0x00408169
0x00408169
0x00408169
0x00408176
0x00408180
0x00408178
0x0040817b
0x0040817b
0x00408186
0x0040818b
0x00408193
0x00408198
0x0040819d
0x004081a2
0x004081a5
0x004081a7
0x004081b4
0x004081ba
0x004081bd
0x004081c1
0x004081c1
0x004081a7
0x004081c6
0x004081cb
0x004081ce
0x004081d0
0x004081dd
0x004081e3
0x004081e6
0x004081ea
0x004081ea
0x004081d0
0x004081ef
0x004081f2
0x004081f5
0x004081fb
0x00408236
0x0040823b
0x00408242
0x0040823d
0x0040823d
0x0040823d
0x00408247
0x0040824a
0x0040824c
0x0040824c
0x00408256
0x0040825c
0x0040826b
0x004081fd
0x004081fd
0x00408202
0x0040820b
0x00408204
0x00408207
0x00408207
0x00408210
0x0040821a
0x00408212
0x00408212
0x00408212
0x0040821f
0x00408231
0x00408231
0x0040826e
0x00408274
0x00408277
0x00408282
0x0040828a

APIs

__EH_prolog.LIBCMT ref: 00408152

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 24a827b9cdb5b55779f9b0c3580f6cfa755e67d35aad19e804106a0a0dbf1980
Instruction ID: 721722ad6bfc6db473f0c8284c9e3704a4f8c7709813c4cf0c375f626b677f65
Opcode Fuzzy Hash: 24a827b9cdb5b55779f9b0c3580f6cfa755e67d35aad19e804106a0a0dbf1980
Instruction Fuzzy Hash: B5515274A00A06DFCB14CFA4C5809AFFBB1FF49340B10496ED592AB791DB35A902CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D191 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040D191(void* __ecx) {
				intOrPtr _t58;
				intOrPtr* _t59;
				void* _t66;
				intOrPtr* _t67;
				void* _t68;
				intOrPtr _t70;
				intOrPtr* _t72;
				void* _t78;
				signed int _t81;
				intOrPtr _t85;
				signed int* _t87;
				signed int _t88;
				intOrPtr* _t95;
				void* _t98;
				intOrPtr* _t99;
				void* _t100;
				void* _t102;

				E00418D80(E0041A350, _t102);
				_push(__ecx);
				_t98 = __ecx;
				_t81 =  *(__ecx + 0x28);
				_t58 =  *((intOrPtr*)(__ecx + 0x2c));
				_t87 =  *(__ecx + 0x20);
				_t95 = (_t81 << 4) +  *((intOrPtr*)(_t58 + 0x58));
				if(_t87 == 0) {
					_t88 = _t81;
				} else {
					_t88 =  *_t87;
				}
				if(_t81 != _t88) {
					 *(_t102 - 0x10) = 2;
				} else {
					 *(_t102 - 0x10) = 0 |  *((intOrPtr*)(_t98 + 0xc)) != 0x00000000;
				}
				if( *((intOrPtr*)(_t102 + 8)) != 0 &&  *(_t102 - 0x10) == 0 && (_t81 >=  *((intOrPtr*)(_t58 + 0xe0)) ||  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xdc)) + _t81)) == 0) &&  *((intOrPtr*)(_t95 + 0xd)) == 0) {
					 *(_t102 - 0x10) = 1;
				}
				 *((intOrPtr*)(_t102 + 8)) = 0;
				_t59 =  *((intOrPtr*)(_t98 + 0x30));
				 *(_t102 - 4) = 0;
				_t78 =  *((intOrPtr*)( *_t59 + 0x14))(_t59, _t81, _t102 + 8,  *(_t102 - 0x10));
				if(_t78 == 0) {
					E004063E5(_t98 + 8,  *((intOrPtr*)(_t102 + 8)));
					 *(_t98 + 0x10) =  *(_t98 + 0x10) | 0xffffffff;
					if( *((char*)(_t98 + 0xd)) != 0 &&  *((char*)(_t95 + 0xe)) != 0 &&  *((char*)(_t95 + 0xd)) == 0) {
						_push(1);
						_pop(0);
					}
					 *((char*)(_t98 + 0xf)) = 0;
					 *((char*)(_t98 + 0xe)) = 1;
					 *((intOrPtr*)(_t98 + 0x18)) =  *_t95;
					 *((intOrPtr*)(_t98 + 0x1c)) =  *((intOrPtr*)(_t95 + 4));
					if( *(_t102 - 0x10) == 0 &&  *((intOrPtr*)(_t102 + 8)) == 0) {
						_t70 =  *((intOrPtr*)(_t98 + 0x2c));
						_t85 =  *((intOrPtr*)(_t98 + 0x28));
						if(_t85 >=  *((intOrPtr*)(_t70 + 0xe0)) ||  *((char*)( *((intOrPtr*)(_t70 + 0xdc)) + _t85)) == 0) {
							if( *((char*)(_t95 + 0xd)) == 0) {
								 *(_t102 - 0x10) = 2;
							}
						}
					}
					_t99 =  *((intOrPtr*)(_t98 + 0x30));
					_t66 =  *((intOrPtr*)( *_t99 + 0x18))(_t99,  *(_t102 - 0x10));
					 *(_t102 - 4) =  *(_t102 - 4) | 0xffffffff;
					_t100 = _t66;
					_t67 =  *((intOrPtr*)(_t102 + 8));
					if(_t67 != 0) {
						 *((intOrPtr*)( *_t67 + 8))(_t67);
					}
					_t68 = _t100;
				} else {
					_t72 =  *((intOrPtr*)(_t102 + 8));
					 *(_t102 - 4) =  *(_t102 - 4) | 0xffffffff;
					if(_t72 != 0) {
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t68 = _t78;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t102 - 0xc));
				return _t68;
			}

0x0040d196
0x0040d19b
0x0040d19e
0x0040d1a3
0x0040d1a6
0x0040d1a9
0x0040d1b1
0x0040d1b6
0x0040d1bc
0x0040d1b8
0x0040d1b8
0x0040d1b8
0x0040d1c0
0x0040d1cf
0x0040d1c2
0x0040d1ca
0x0040d1ca
0x0040d1d9
0x0040d1f8
0x0040d1f8
0x0040d1ff
0x0040d205
0x0040d208
0x0040d216
0x0040d21a
0x0040d23a
0x0040d23f
0x0040d247
0x0040d255
0x0040d257
0x0040d257
0x0040d260
0x0040d263
0x0040d269
0x0040d26f
0x0040d272
0x0040d27a
0x0040d27d
0x0040d286
0x0040d298
0x0040d29a
0x0040d29a
0x0040d298
0x0040d286
0x0040d2a1
0x0040d2aa
0x0040d2ad
0x0040d2b1
0x0040d2b3
0x0040d2b8
0x0040d2bd
0x0040d2bd
0x0040d2c0
0x0040d21c
0x0040d21c
0x0040d21f
0x0040d225
0x0040d22a
0x0040d22a
0x0040d22d
0x0040d22d
0x0040d2c8
0x0040d2d0

APIs

__EH_prolog.LIBCMT ref: 0040D196

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 688431a7679907d68e44e8c85a409a014ac76cdf269a26074d0c41ebe40ab3a9
Instruction ID: 4a5508fcdcfeb9f530550f46dd1ec58a167ca447d216ffc80f9ca1221c3f6995
Opcode Fuzzy Hash: 688431a7679907d68e44e8c85a409a014ac76cdf269a26074d0c41ebe40ab3a9
Instruction Fuzzy Hash: 3B418D70A00345EFDB24CF94C484B6ABBA1BF45310F1486BED496AB691C778ED89CB84

Uniqueness

Uniqueness Score: -1.00%

Function 004024DB Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004024DB(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _t50;
				void* _t69;
				intOrPtr _t81;
				intOrPtr _t104;
				intOrPtr _t105;
				void* _t107;

				_t96 = __edx;
				E00418D80(E004195A9, _t107);
				 *((char*)( *((intOrPtr*)(_t107 + 0x10)))) = 0;
				E004029F9(_t107 - 0xb0, __eflags);
				 *(_t107 - 4) = 0;
				 *((intOrPtr*)(_t107 - 0xb0)) = __ecx;
				E004037D2(_t107 - 0xac, __edx);
				E004037D2(_t107 - 0xa0,  *((intOrPtr*)(_t107 + 8)));
				_push(0xf0);
				_t81 = E004031DD();
				 *((intOrPtr*)(_t107 + 8)) = _t81;
				_t113 = _t81;
				 *(_t107 - 4) = 1;
				if(_t81 == 0) {
					_t50 = 0;
					__eflags = 0;
				} else {
					_t50 = E00402BC1(_t81, _t96, _t113);
				}
				 *(_t107 - 4) = 0;
				 *((intOrPtr*)(_t107 - 0x94)) = _t50;
				E004063E5(_t107 - 0x90, _t50);
				if( *((intOrPtr*)(_t107 + 0xc)) == 0) {
					E004026C1(_t107 - 0xb0, __eflags);
					goto L8;
				} else {
					 *((intOrPtr*)( *((intOrPtr*)(_t107 - 0x94)) + 0xd8)) = 1;
					 *((intOrPtr*)(_t107 + 0xc)) = 0;
					 *(_t107 - 4) = 2;
					_t105 = E00418A80(_t107 + 0xc, E00402957, _t107 - 0xb0);
					if(_t105 == 0) {
						E0040368D(_t107 - 0x18);
						 *(_t107 - 4) = 3;
						E00405FAD(0xce4, _t107 - 0x18);
						_t69 = E0040264D( *((intOrPtr*)(_t107 - 0x94)), _t107 - 0x18, _t107 + 0xc); // executed
						E00403204(_t69,  *((intOrPtr*)(_t107 - 0x18)));
						 *(_t107 - 4) = 0;
						E00418A40(_t107 + 0xc);
						L8:
						_t104 =  *((intOrPtr*)(_t107 + 0x14));
						E004037D2(_t104, _t107 - 0x24);
						__eflags =  *((intOrPtr*)(_t104 + 4));
						if(__eflags == 0) {
							__eflags =  *((intOrPtr*)(_t107 - 0x94)) + 0xe4;
							E004037D2(_t104,  *((intOrPtr*)(_t107 - 0x94)) + 0xe4);
						}
						_t105 =  *((intOrPtr*)(_t107 - 0x28));
						 *((char*)( *((intOrPtr*)(_t107 + 0x10)))) =  *((intOrPtr*)( *((intOrPtr*)(_t107 - 0x94)) + 0xe0));
					} else {
						E00418A40(_t107 + 0xc);
					}
				}
				 *(_t107 - 4) =  *(_t107 - 4) | 0xffffffff;
				E00402B65(_t107 - 0xb0,  *(_t107 - 4)); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t107 - 0xc));
				return _t105;
			}

0x004024db
0x004024e0
0x004024fd
0x004024ff
0x0040250b
0x0040250e
0x00402514
0x00402522
0x00402527
0x00402532
0x00402534
0x00402537
0x00402539
0x0040253d
0x00402546
0x00402546
0x0040253f
0x0040253f
0x0040253f
0x0040254f
0x00402552
0x00402558
0x00402560
0x004025ec
0x00000000
0x00402566
0x0040256c
0x00402576
0x00402588
0x00402591
0x00402595
0x004025a7
0x004025b4
0x004025b8
0x004025cb
0x004025d3
0x004025d9
0x004025df
0x004025f1
0x004025f1
0x004025fa
0x004025ff
0x00402602
0x0040260c
0x00402612
0x00402612
0x00402620
0x00402629
0x00402597
0x0040259a
0x0040259a
0x00402595
0x0040262b
0x00402635
0x00402642
0x0040264a

APIs

__EH_prolog.LIBCMT ref: 004024E0

Part of subcall function 004029F9: __EH_prolog.LIBCMT ref: 004029FE

Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD

Part of subcall function 00402BC1: __EH_prolog.LIBCMT ref: 00402BC6

Part of subcall function 0040264D: SetWindowTextW.USER32(?,00000000), ref: 0040268C
Part of subcall function 0040264D: ShowWindow.USER32(?,00000001,?,00000000,776382C0,00000000,00000000), ref: 004026A0

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

Part of subcall function 00418A40: FindCloseChangeNotification.KERNELBASE(00000000,00000000,004025E4,?,00000000,?,00000000,?,?,776382C0,00000000,00000000), ref: 00418A4A
Part of subcall function 00418A40: GetLastError.KERNEL32(?,776382C0,00000000,00000000), ref: 00418A54

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog$Window$ChangeCloseErrorExceptionFindLastNotificationShowTextThrowfreemalloc
String ID:
API String ID: 2108476524-0
Opcode ID: 9c14bcbd44291848593e65f6f8e8200c5990d45aa8fba1ec8c0996e19c3a782d
Instruction ID: e4ab0e75387cb74cbe1b5fc93c7fe6c9256d258209eed3f76a342f3f4d07c0fd
Opcode Fuzzy Hash: 9c14bcbd44291848593e65f6f8e8200c5990d45aa8fba1ec8c0996e19c3a782d
Instruction Fuzzy Hash: 3F419D719002589BCB15EF65C995BEDBB74AF04318F0484AFE809B72C2DA785F45CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0040E520 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040E520() {
				intOrPtr _t46;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr _t51;
				intOrPtr* _t55;
				intOrPtr* _t59;
				void* _t65;
				void* _t75;
				intOrPtr* _t76;
				void* _t78;
				intOrPtr* _t79;
				void* _t81;
				void* _t83;

				E00418D80(E0041A4A3, _t81);
				_t79 =  *((intOrPtr*)(_t81 + 8));
				 *((intOrPtr*)(_t81 - 0x10)) = _t83 - 0x88;
				 *((intOrPtr*)(_t81 - 4)) = 0;
				 *((intOrPtr*)( *_t79 + 0x10))(_t79, _t75, _t78, _t65);
				_t76 =  *((intOrPtr*)(_t81 + 0x14));
				 *((char*)(_t81 - 4)) = 1;
				_t86 = _t76;
				 *((intOrPtr*)(_t81 - 0x14)) = _t76;
				if(_t76 != 0) {
					 *((intOrPtr*)( *_t76 + 4))(_t76);
				}
				 *((intOrPtr*)(_t81 - 0x94)) = 0;
				 *((intOrPtr*)(_t81 - 0x90)) = 0;
				 *((char*)(_t81 - 0x1c)) = 1;
				_push( *((intOrPtr*)(_t81 + 0x10)));
				 *((char*)(_t81 - 4)) = 3;
				 *((char*)(_t79 + 0x178)) = 0;
				_t46 = E0040ED82(_t81 - 0x94, _t81, _t86,  *((intOrPtr*)(_t81 + 0xc)));
				 *((intOrPtr*)(_t81 + 0x14)) = _t46;
				if(_t46 == 0) {
					 *((char*)(_t79 + 0x178)) = 1;
					_t48 = E00410B21(_t81 - 0x94, _t79 + 0x30); // executed
					__eflags = _t48;
					 *((intOrPtr*)(_t81 + 0x14)) = _t48;
					if(_t48 == 0) {
						E004063E5(_t79 + 0x28,  *((intOrPtr*)(_t81 + 0xc)));
						_t50 =  *((intOrPtr*)(_t81 - 0x94));
						 *((char*)(_t81 - 4)) = 2;
						__eflags = _t50;
						if(_t50 != 0) {
							 *((intOrPtr*)( *_t50 + 8))(_t50);
						}
						__eflags = _t76;
						 *((char*)(_t81 - 4)) = 1;
						if(_t76 != 0) {
							 *((intOrPtr*)( *_t76 + 8))(_t76);
						}
						_t51 = 0;
					} else {
						_t55 =  *((intOrPtr*)(_t81 - 0x94));
						 *((char*)(_t81 - 4)) = 2;
						__eflags = _t55;
						if(_t55 != 0) {
							 *((intOrPtr*)( *_t55 + 8))(_t55);
						}
						__eflags = _t76;
						 *((char*)(_t81 - 4)) = 1;
						if(_t76 != 0) {
							 *((intOrPtr*)( *_t76 + 8))(_t76);
						}
						_t51 =  *((intOrPtr*)(_t81 + 0x14));
					}
				} else {
					_t59 =  *((intOrPtr*)(_t81 - 0x94));
					 *((char*)(_t81 - 4)) = 2;
					if(_t59 != 0) {
						 *((intOrPtr*)( *_t59 + 8))(_t59);
					}
					 *((char*)(_t81 - 4)) = 1;
					if(_t76 != 0) {
						 *((intOrPtr*)( *_t76 + 8))(_t76);
					}
					_t51 =  *((intOrPtr*)(_t81 + 0x14));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t81 - 0xc));
				return _t51;
			}

0x0040e525
0x0040e532
0x0040e536
0x0040e53e
0x0040e541
0x0040e544
0x0040e547
0x0040e54b
0x0040e54d
0x0040e550
0x0040e555
0x0040e555
0x0040e558
0x0040e55e
0x0040e564
0x0040e568
0x0040e571
0x0040e575
0x0040e57e
0x0040e585
0x0040e588
0x0040e5be
0x0040e5c5
0x0040e5ca
0x0040e5cc
0x0040e5cf
0x0040e5fe
0x0040e603
0x0040e609
0x0040e60d
0x0040e60f
0x0040e614
0x0040e614
0x0040e617
0x0040e619
0x0040e61d
0x0040e622
0x0040e622
0x0040e625
0x0040e5d1
0x0040e5d1
0x0040e5d7
0x0040e5db
0x0040e5dd
0x0040e5e2
0x0040e5e2
0x0040e5e5
0x0040e5e7
0x0040e5eb
0x0040e5f0
0x0040e5f0
0x0040e5f3
0x0040e5f3
0x0040e58a
0x0040e58a
0x0040e590
0x0040e596
0x0040e59b
0x0040e59b
0x0040e5a0
0x0040e5a4
0x0040e5a9
0x0040e5a9
0x0040e5ac
0x0040e5ac
0x0040e648
0x0040e651

APIs

__EH_prolog.LIBCMT ref: 0040E525

Part of subcall function 00410B21: __EH_prolog.LIBCMT ref: 00410B26
Part of subcall function 00410B21: _CxxThrowException.MSVCRT(?,0041DE18), ref: 00410B65

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog$ExceptionThrow
String ID:
API String ID: 2366012087-0
Opcode ID: 90830b7693d5648a5944311c11a3abd2fc51c06453079e5404b3f0681c69fa04
Instruction ID: 710ff75e20c748aeae2c70901895ef3fcc3945575a6bdc354df96893f0d3ab55
Opcode Fuzzy Hash: 90830b7693d5648a5944311c11a3abd2fc51c06453079e5404b3f0681c69fa04
Instruction Fuzzy Hash: E8419130900149DFDB11CFA9C988B9DBBF4AF15308F5848AEE409A7382D779DE95CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0040B99F Relevance: 1.6, APIs: 1, Instructions: 51
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040B99F(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t16;
				long _t19;
				void* _t22;
				intOrPtr _t23;
				void* _t25;
				intOrPtr _t28;
				void* _t29;
				intOrPtr _t30;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				void* _t35;
				void* _t37;
				void* _t39;

				_t33 = _a8;
				_t32 = __ecx;
				_t30 =  *((intOrPtr*)(__ecx + 0x2c));
				_t16 =  *((intOrPtr*)(__ecx + 0x28));
				_t35 = _t33 - _t30;
				if(_t35 > 0 || _t35 >= 0 && _a4 >= _t16) {
					L9:
					_t23 = _a4;
					_t34 = _a8;
					_t19 = SendMessageW( *(_t32 + 0x30), 0x402, E00419080(_t23,  *((intOrPtr*)(_t32 + 0x18)), _t34), 0); // executed
					 *((intOrPtr*)(_t32 + 0x20)) = _t23;
					 *((intOrPtr*)(_t32 + 0x24)) = _t34;
					return _t19;
				}
				_t28 =  *((intOrPtr*)(_t32 + 0x20));
				_t37 = _t33 -  *((intOrPtr*)(_t32 + 0x24));
				if(_t37 < 0 || _t37 <= 0 && _a4 <= _t28) {
					goto L9;
				}
				_t25 = _a4 - _t28;
				_t29 = 0xa;
				asm("sbb esi, eax");
				_t22 = E00419080( *((intOrPtr*)(_t32 + 0x28)), _t29, _t30);
				_t39 = _t33 - _t30;
				if(_t39 >= 0 && (_t39 > 0 || _t25 >= _t22)) {
					goto L9;
				}
				return _t22;
			}

0x0040b9a4
0x0040b9a8
0x0040b9aa
0x0040b9ad
0x0040b9b0
0x0040b9b2
0x0040b9e8
0x0040b9e8
0x0040b9eb
0x0040ba05
0x0040ba0b
0x0040ba0e
0x00000000
0x0040ba0e
0x0040b9be
0x0040b9c1
0x0040b9c3
0x00000000
0x00000000
0x0040b9d1
0x0040b9d3
0x0040b9d4
0x0040b9d9
0x0040b9de
0x0040b9e0
0x00000000
0x00000000
0x0040ba15

APIs

SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0040BA05

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0af3e11fcfd47e6371941a149de6c1f109858c1a710858ef4688ff05d9b21b82
Instruction ID: b638315945923fdcd1e1944e8eaf71f888e9001c5e9bfd7cd48093fce4f33d93
Opcode Fuzzy Hash: 0af3e11fcfd47e6371941a149de6c1f109858c1a710858ef4688ff05d9b21b82
Instruction Fuzzy Hash: 3901A172700212ABCB149E59D8C198AF7A5FB49750B008237EA58B7B80D734EC50CBCC

Uniqueness

Uniqueness Score: -1.00%

Function 00404A40 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00404A40(char* __ecx, void* __eflags) {
				void* _t15;
				intOrPtr* _t18;
				signed char _t20;
				void* _t25;
				void* _t26;
				char* _t40;
				void* _t42;

				E00418D80(E00419948, _t42);
				_t40 = __ecx;
				_t15 = E00404ACE(__ecx);
				if(_t15 != 0) {
					E0040368D(_t42 - 0x18);
					 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
					if(E004048D6(_t42 - 0x18) != 0) {
						_t18 = E00403656(_t42 - 0x24, _t42 - 0x18,  *((intOrPtr*)(_t42 + 8)));
						 *(_t42 - 4) = 1;
						_t20 = E0040492E( *_t18, 1, _t40 + 4, 0); // executed
						asm("sbb bl, bl");
						_t25 =  ~_t20 + 1;
						_t17 = E00403204(_t20,  *((intOrPtr*)(_t42 - 0x24)));
						if(_t25 != 0) {
							goto L2;
						} else {
							 *_t40 = 1;
							_t26 = _t25 + 1;
						}
					} else {
						L2:
						_t26 = 0;
					}
					E00403204(_t17,  *((intOrPtr*)(_t42 - 0x18)));
					_t15 = _t26;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t15;
			}

0x00404a45
0x00404a4e
0x00404a50
0x00404a57
0x00404a5d
0x00404a62
0x00404a70
0x00404a7f
0x00404a90
0x00404a94
0x00404aa0
0x00404aa2
0x00404aa4
0x00404aac
0x00000000
0x00404aae
0x00404aae
0x00404ab1
0x00404ab1
0x00404a72
0x00404a72
0x00404a72
0x00404a72
0x00404ab6
0x00404abc
0x00404abe
0x00404ac3
0x00404acb

APIs

__EH_prolog.LIBCMT ref: 00404A45

Part of subcall function 004048D6: GetTempPathW.KERNEL32(00000105,00000000,?,00000000), ref: 00404901

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prologPathTemp
String ID:
API String ID: 2295663095-0
Opcode ID: a49cf9d5a64c2d9107d1a1b4841457935b9914ca147be5eea58a22da2a77a225
Instruction ID: 500e7c3c87435707449ca800f4b4260e57527cfcbd0d94049d93bf02f8690a9f
Opcode Fuzzy Hash: a49cf9d5a64c2d9107d1a1b4841457935b9914ca147be5eea58a22da2a77a225
Instruction Fuzzy Hash: 5201D2715801059ACF10EF65DA12BDDBBA4AF65308F04406FEA41732D2DB3E0A48CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF67 Relevance: 1.5, APIs: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040CF67(signed int __ecx, void* __edi) {
				void* _t22;
				signed int _t35;
				void* _t38;

				E00418D80(E0041A2E8, _t38);
				_push(__ecx);
				_t35 = __ecx;
				 *((intOrPtr*)(_t38 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x41ba6c;
				 *(_t38 - 4) = 5;
				E00407C33(__ecx);
				 *(_t38 - 4) = 4;
				E0040D079(_t35 + 0x7c, __edi);
				 *(_t38 - 4) = 3;
				E00403204(E00403204(E0040CE6F(_t35 + 0x70, __edi),  *((intOrPtr*)(_t35 + 0x5c))),  *((intOrPtr*)(_t35 + 0x50)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				E0040CFE0(_t35);
				 *(_t38 - 4) =  *(_t38 - 4) | 0xffffffff;
				asm("sbb ecx, ecx");
				_t22 = E0040D028( ~_t35 & _t35 + 0x00000018); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t38 - 0xc));
				return _t22;
			}

0x0040cf6c
0x0040cf71
0x0040cf73
0x0040cf75
0x0040cf78
0x0040cf7e
0x0040cf85
0x0040cf8d
0x0040cf91
0x0040cf99
0x0040cfad
0x0040cfb2
0x0040cfba
0x0040cfbf
0x0040cfca
0x0040cfce
0x0040cfd7
0x0040cfdf

APIs

__EH_prolog.LIBCMT ref: 0040CF6C

Part of subcall function 0040D079: __EH_prolog.LIBCMT ref: 0040D07E

Part of subcall function 0040CE6F: __EH_prolog.LIBCMT ref: 0040CE74

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

Part of subcall function 0040CFE0: __EH_prolog.LIBCMT ref: 0040CFE5

Part of subcall function 0040D028: __EH_prolog.LIBCMT ref: 0040D02D

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: c04d202dfaf42dce8f38389c920a9751c2b394dc520640e78194b7a5e7c61d27
Instruction ID: 790da130da96b865fcd1dde8fbfb491d557677c493d466ae6f611681a479457d
Opcode Fuzzy Hash: c04d202dfaf42dce8f38389c920a9751c2b394dc520640e78194b7a5e7c61d27
Instruction Fuzzy Hash: 26F0D671D14654DACB19EB69D41179DBBE09F0030CF10429EE052732C2CBBC1B048A4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF16 Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040CF16(void* __ebx, intOrPtr* __ecx) {
				void* __edi;
				void* _t10;
				void* _t11;
				intOrPtr* _t21;
				signed int _t24;
				void* _t26;

				_t9 = E00418D80(E0041A294, _t26);
				_push(__ecx);
				_t21 = __ecx;
				 *((intOrPtr*)(_t26 - 0x10)) = __ecx;
				_t24 =  *(__ecx + 4);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				if(_t24 != 0) {
					do {
						_t9 =  *_t21;
						_t24 = _t24 - 1;
						_t13 =  *((intOrPtr*)( *_t21 + _t24 * 4));
						if( *((intOrPtr*)( *_t21 + _t24 * 4)) != 0) {
							_t11 = E0040CF67(_t13, _t21); // executed
							_t9 = E00403204(_t11, _t13);
						}
					} while (_t24 != 0);
				}
				_t10 = E00403204(_t9,  *_t21);
				 *[fs:0x0] =  *((intOrPtr*)(_t26 - 0xc));
				return _t10;
			}

0x0040cf1b
0x0040cf20
0x0040cf23
0x0040cf25
0x0040cf28
0x0040cf2b
0x0040cf31
0x0040cf34
0x0040cf34
0x0040cf36
0x0040cf37
0x0040cf3c
0x0040cf40
0x0040cf46
0x0040cf4b
0x0040cf4c
0x0040cf50
0x0040cf53
0x0040cf5e
0x0040cf66

APIs

__EH_prolog.LIBCMT ref: 0040CF1B

Part of subcall function 0040CF67: __EH_prolog.LIBCMT ref: 0040CF6C

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 728656c154c79e3640467da3d1dd369a93413695509cfd56ac0ae59aba9a333c
Instruction ID: 9ff98c2d2858f5676d26b2fcb0e5ae345ac01743015ec23c8b6fe664862117fb
Opcode Fuzzy Hash: 728656c154c79e3640467da3d1dd369a93413695509cfd56ac0ae59aba9a333c
Instruction Fuzzy Hash: 47F0E9325012129BD711AF0AD481B9EF7A9EF14724F04417FE101772C2CB789C008989

Uniqueness

Uniqueness Score: -1.00%

Function 004051AE Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004051AE(void* __ecx, void* __eflags) {
				void* _t12;
				void* _t27;

				E00418D80(E004199B4, _t27);
				E00404D7D(_t27 - 0x44);
				E0040368D(_t27 - 0x1c);
				_t3 = _t27 - 4;
				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
				_t12 = E00404DAF(_t27 - 0x44,  *_t3, __ecx); // executed
				E00403204(_t12,  *((intOrPtr*)(_t27 - 0x1c)));
				 *[fs:0x0] =  *((intOrPtr*)(_t27 - 0xc));
				return _t12;
			}

0x004051b3
0x004051c2
0x004051ca
0x004051cf
0x004051cf
0x004051d7
0x004051e1
0x004051ee
0x004051f6

APIs

__EH_prolog.LIBCMT ref: 004051B3

Part of subcall function 00404DAF: __EH_prolog.LIBCMT ref: 00404DB4

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog$free
String ID:
API String ID: 2654054672-0
Opcode ID: 264148019a1cdb291cfcf2f50279c9645f2db8245b07abc43ab4fb8d1ae2bb0f
Instruction ID: 38aad06e79cda41a368b4c7dfbcb60c19aab280267c900351c7127d69cc129a5
Opcode Fuzzy Hash: 264148019a1cdb291cfcf2f50279c9645f2db8245b07abc43ab4fb8d1ae2bb0f
Instruction Fuzzy Hash: 98E09272C400049AC704FB55E852AECB778EF61319F10407FE412731D18B3C1F08CA58

Uniqueness

Uniqueness Score: -1.00%

Function 0040DCA3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040DCA3(intOrPtr __ecx, void* __eflags) {
				void* _t27;

				E00418D80(E0041A402, _t27);
				_push(__ecx);
				 *((intOrPtr*)(_t27 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x41bd04;
				 *((intOrPtr*)(__ecx + 4)) = 0x41bce8;
				 *(__ecx + 8) =  *(__ecx + 8) & 0x00000000;
				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
				E0040DD07(__eflags); // executed
				_t8 = __ecx + 0x28;
				 *(__ecx + 0x28) =  *(__ecx + 0x28) & 0x00000000;
				 *(_t27 - 4) = 1;
				E0040DF75(__ecx + 0x30,  *_t8);
				 *((intOrPtr*)(__ecx)) = 0x41bcb4;
				 *((intOrPtr*)(__ecx + 4)) = 0x41bc98;
				 *((intOrPtr*)(__ecx + 0x180)) = 4;
				 *[fs:0x0] =  *((intOrPtr*)(_t27 - 0xc));
				return __ecx;
			}

0x0040dca8
0x0040dcad
0x0040dcb1
0x0040dcb4
0x0040dcba
0x0040dcc1
0x0040dcc5
0x0040dccc
0x0040dcd1
0x0040dcd1
0x0040dcd8
0x0040dcdc
0x0040dce4
0x0040dcea
0x0040dcf1
0x0040dcfe
0x0040dd06

APIs

__EH_prolog.LIBCMT ref: 0040DCA8

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 556981a7186a9669ba3390ac916edf3df05c09ea9c5c3581f725f413cec59042
Instruction ID: a9dd8ae4a789225e50b84d489bf84e0c6a5884a04ef7bcfbc1ff797b67dd35a1
Opcode Fuzzy Hash: 556981a7186a9669ba3390ac916edf3df05c09ea9c5c3581f725f413cec59042
Instruction Fuzzy Hash: 17F017B1921B54DBD724DF54D1047DABBF4FF14319F00891ED09653681DBB86988CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00402965 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402965(intOrPtr* __ecx, void* __eflags) {
				void* _t14;
				void* _t26;
				void* _t28;

				E00418D80(E00419604, _t26);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				 *((intOrPtr*)(_t26 - 0x10)) = _t28 - 0xc;
				 *((intOrPtr*)(_t26 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t26 - 0x18)) =  *((intOrPtr*)(__ecx + 0x1c)) + 0x68;
				 *(_t26 - 4) = 1;
				E004026C1(__ecx, __eflags); // executed
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				_t14 = E004029BE( *((intOrPtr*)(__ecx + 0x1c)) + 0x68);
				 *[fs:0x0] =  *((intOrPtr*)(_t26 - 0xc));
				return _t14;
			}

0x0040296a
0x00402972
0x0040297f
0x00402982
0x00402985
0x00402988
0x0040298c
0x00402991
0x00402997
0x004029a1
0x004029aa

APIs

__EH_prolog.LIBCMT ref: 0040296A

Part of subcall function 004026C1: __EH_prolog.LIBCMT ref: 004026C6

Part of subcall function 004029BE: PostMessageW.USER32(00000000,00008001,00000000,00000000), ref: 004029DA

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog$MessagePost
String ID:
API String ID: 2996832579-0
Opcode ID: 666fcb8ad03c7fcfadb71227545faa0fbbcbf76b8ad63286edccc36df171ed93
Instruction ID: 11ff760fa736db7d3783926612a292dfcf1a57dc1ad1d5e29cfb47934fdb99ec
Opcode Fuzzy Hash: 666fcb8ad03c7fcfadb71227545faa0fbbcbf76b8ad63286edccc36df171ed93
Instruction Fuzzy Hash: C1E092B2E14258EBCB01EB9896153DDBBB8EF45708F2440AFE44073282C7B95F0487E5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9A6 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040C9A6(void* __ebx, signed int __ecx) {
				void* _t13;
				void* _t26;

				E00418D80(E0041A1DF, _t26);
				_push(__ecx);
				 *((intOrPtr*)(_t26 - 0x10)) = __ecx;
				 *(_t26 - 4) = 2;
				E0040CF16(__ebx, __ecx + 0x78); // executed
				 *(_t26 - 4) = 1;
				E0040CEC5(__ebx, __ecx + 0x6c);
				 *(_t26 - 4) =  *(_t26 - 4) | 0xffffffff;
				asm("sbb ecx, ecx");
				_t13 = E0040C9F3( ~__ecx & __ecx + 0x00000004);
				 *[fs:0x0] =  *((intOrPtr*)(_t26 - 0xc));
				return _t13;
			}

0x0040c9ab
0x0040c9b0
0x0040c9b4
0x0040c9ba
0x0040c9c1
0x0040c9c9
0x0040c9cd
0x0040c9d2
0x0040c9dd
0x0040c9e1
0x0040c9ea
0x0040c9f2

APIs

__EH_prolog.LIBCMT ref: 0040C9AB

Part of subcall function 0040CF16: __EH_prolog.LIBCMT ref: 0040CF1B

Part of subcall function 0040CEC5: __EH_prolog.LIBCMT ref: 0040CECA

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 60b1df6c3d2834dbf76d900981a7432336127acb7126d7a06376be963e88a761
Instruction ID: 26fffc1e8155d05b72e6de97fa5396bbbae1cf3f6b56db7a32a7b9711ce441f4
Opcode Fuzzy Hash: 60b1df6c3d2834dbf76d900981a7432336127acb7126d7a06376be963e88a761
Instruction Fuzzy Hash: 78E0E571900664DADB08EB58C4523DCB760EB05328F00436EA853B32C1CBB82B00C689

Uniqueness

Uniqueness Score: -1.00%

Function 00409D63 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00409D63(void* __ecx) {
				void* _t28;
				intOrPtr _t30;

				E00418D80(E00419D8C, _t28);
				_push(__ecx);
				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
				 *((intOrPtr*)(_t28 - 0x10)) = _t30;
				E004063E5( *((intOrPtr*)(_t28 + 0xc)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) +  *(_t28 + 8) * 4)) + 4))());
				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
				return 0;
			}

0x00409d68
0x00409d6d
0x00409d74
0x00409d7e
0x00409d88
0x00409da1
0x00409daa

APIs

__EH_prolog.LIBCMT ref: 00409D68

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 22b65b6785276599533fcaba3636d19bbd4ba6f6a0a11f096905abfa694f3633
Instruction ID: 924b7e828e2619065f90ec1c606901b0d7d869b936ff608bc391d1a571cd581b
Opcode Fuzzy Hash: 22b65b6785276599533fcaba3636d19bbd4ba6f6a0a11f096905abfa694f3633
Instruction Fuzzy Hash: 8AE0ED76614104EFC704EF99D855F9EB7B8EF49354F10846EF40A97281C7799900CA68

Uniqueness

Uniqueness Score: -1.00%

Function 0040525F Relevance: 1.5, APIs: 1, Instructions: 23
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040525F(void** __ecx, void* __eflags, WCHAR* _a4, long _a8, long _a12, long _a16, long _a20) {
				void* _t8;
				void* _t9;
				void** _t14;

				_t14 = __ecx;
				_t8 = E00405298(__ecx);
				if(_t8 != 0) {
					_t9 = CreateFileW(_a4, _a8, _a12, 0, _a16, _a20, 0); // executed
					 *_t14 = _t9;
					return 0 | _t9 != 0xffffffff;
				}
				return _t8;
			}

0x00405263
0x00405265
0x0040526c
0x00405281
0x0040528f
0x00000000
0x00405291
0x00405295

APIs

Part of subcall function 00405298: FindCloseChangeNotification.KERNELBASE(?,000000FF,0040526A,?,?,0040538F,?,80000000,00000000,00000000,00000000,004053B0,00000000,?,00000003,00000080), ref: 004052A3

CreateFileW.KERNELBASE(?,?,00000000,00000000,?,0041B558,00000000,?,?,0040538F,?,80000000,00000000,00000000,00000000,004053B0), ref: 00405281

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: ChangeCloseCreateFileFindNotification
String ID:
API String ID: 727422849-0
Opcode ID: 9807379ff81c3d490cf68a83d96df0eb8ecc633cde6dd9f935d588c58eaabe44
Instruction ID: d556d6ed1a1370b11f352619dc192e4bd69da4566a87ece580b0bc5f49a6e668
Opcode Fuzzy Hash: 9807379ff81c3d490cf68a83d96df0eb8ecc633cde6dd9f935d588c58eaabe44
Instruction Fuzzy Hash: D0E04F360002196BCF115F64AC01BCE3B95EF19360F14452ABA24A62E0C7728461AF94

Uniqueness

Uniqueness Score: -1.00%

Function 00404643 Relevance: 1.5, APIs: 1, Instructions: 23
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404643(WCHAR* __ecx, void* __eflags) {
				signed int _t7;
				signed int _t8;
				void* _t10;
				WCHAR* _t15;

				_t15 = __ecx;
				_t7 = E00404DA0(__ecx);
				if(_t7 == 0xffffffff || (_t7 & 0x00000010) != 0 || (_t7 & 0x00000001) == 0) {
					L5:
					_t8 = DeleteFileW(_t15); // executed
					return _t8 & 0xffffff00 | _t8 != 0x00000000;
				} else {
					_t10 = E00404462(__ecx, _t7 & 0xfffffffe);
					if(_t10 != 0) {
						goto L5;
					} else {
						return _t10;
					}
				}
			}

0x00404644
0x00404646
0x0040464e
0x0040466a
0x0040466b
0x00404677
0x00404658
0x0040465f
0x00404666
0x00000000
0x00404669
0x00404669
0x00404669
0x00404666

APIs

Part of subcall function 00404DA0: GetFileAttributesW.KERNELBASE(?,004050D2,?,?,0000002A,0000005C,?,?,?,00000001), ref: 00404DA1

DeleteFileW.KERNELBASE(?,?,0040479E,?,?,?,0000005C,?,?,776382C0,?,00000000), ref: 0040466B

Part of subcall function 00404462: SetFileAttributesW.KERNELBASE(?,00000000,004047EE,?,776382C0,?,00000000), ref: 00404464

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: File$Attributes$Delete
String ID:
API String ID: 3735447641-0
Opcode ID: 4af3f9c4ac87f317a383e19ebbf4be1568d8f498abffe729fc2456daa46237b6
Instruction ID: c98f3abb563ab1bb48d32cbdf2bd3b216670aee835f997c4b583ea26d8f2b8e7
Opcode Fuzzy Hash: 4af3f9c4ac87f317a383e19ebbf4be1568d8f498abffe729fc2456daa46237b6
Instruction Fuzzy Hash: 50D02B61101120018DE0297C38057DB12050ED33347148B77FEA0F23D1EB7E8C83009C

Uniqueness

Uniqueness Score: -1.00%

Function 004054CD Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004054CD(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
				long _v8;
				long _t12;
				signed int _t14;
				void** _t16;

				_t16 = __ecx;
				_push(__ecx);
				_t12 =  *0x41f0b8; // 0x400000
				if(_a8 > _t12) {
					_a8 = _t12;
				}
				_v8 = _v8 & 0x00000000;
				_t14 = WriteFile( *_t16, _a4, _a8,  &_v8, 0); // executed
				 *_a12 = _v8;
				return _t14 & 0xffffff00 | _t14 != 0x00000000;
			}

0x004054cd
0x004054d0
0x004054d1
0x004054d9
0x004054db
0x004054db
0x004054e4
0x004054f0
0x004054fe
0x00405504

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 004054F0

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8754c39352e6b572958dd94eb4906f8bfe997afb7bdf6dd0c5210f13dd38fcb2
Instruction ID: 32868f3a29a398ab14785254ccb1bf50569d93ec041cad7fd8186f98d882653d
Opcode Fuzzy Hash: 8754c39352e6b572958dd94eb4906f8bfe997afb7bdf6dd0c5210f13dd38fcb2
Instruction Fuzzy Hash: B7E0E579600208FFCB11CF95C801BCE7BFAEB08355F20C069F9189A260D339AA55DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB30 Relevance: 1.5, APIs: 1, Instructions: 21
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BB30(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t11;
				void* _t17;

				_t17 = __ecx;
				if(_a4 != 0x8001) {
					L3:
					_t11 = E0040609F(_t17, _a4, _a8, _a12); // executed
					return _t11;
				}
				KillTimer( *(__ecx + 4),  *(__ecx + 8));
				 *(_t17 + 8) =  *(_t17 + 8) & 0x00000000;
				if( *((char*)(_t17 + 0x3a)) == 0) {
					return E0040BC3C(_t17);
				}
				 *((char*)(_t17 + 0x3b)) = 1;
				goto L3;
			}

0x0040bb39
0x0040bb3b
0x0040bb57
0x0040bb65
0x00000000
0x0040bb65
0x0040bb43
0x0040bb49
0x0040bb51
0x00000000
0x0040bb6e
0x0040bb53
0x00000000

APIs

KillTimer.USER32(00008001,?), ref: 0040BB43

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: KillTimer
String ID:
API String ID: 729406807-0
Opcode ID: de12216b3b6b95bd4d2bcf31d459454511b6302c866eb31b9bba926d348123db
Instruction ID: 939c9fa67e3463908e7e7d002bbe55a1abdd8a910cefb51ae37e9c931f6263fc
Opcode Fuzzy Hash: de12216b3b6b95bd4d2bcf31d459454511b6302c866eb31b9bba926d348123db
Instruction Fuzzy Hash: AAE065311087419BDB229B11C504B5BBAE2FF40704F048C2EF0D6219F0CB796854D79E

Uniqueness

Uniqueness Score: -1.00%

Function 0040810E Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040810E(intOrPtr __ecx) {
				void* _t8;
				void* _t17;
				intOrPtr _t19;

				E00418D80(E00419B38, _t17);
				_push(__ecx);
				_push(__ecx);
				 *(_t17 - 4) =  *(_t17 - 4) & 0x00000000;
				 *((intOrPtr*)(_t17 - 0x10)) = _t19;
				 *((intOrPtr*)(_t17 - 0x14)) = __ecx;
				_t8 = E0040814D(__ecx, 0); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t17 - 0xc));
				return _t8;
			}

0x00408113
0x00408118
0x00408119
0x0040811a
0x00408121
0x00408126
0x00408129
0x00408133
0x0040813c

APIs

__EH_prolog.LIBCMT ref: 00408113

Part of subcall function 0040814D: __EH_prolog.LIBCMT ref: 00408152

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9eca010d204422902fe07f867e60df36874e4cd661f802f806a107c05fca104b
Instruction ID: 0ca9ab5b8f1d60bd9c73bc96d98377938e635d19cdb4d5b29e0664e23227e72b
Opcode Fuzzy Hash: 9eca010d204422902fe07f867e60df36874e4cd661f802f806a107c05fca104b
Instruction Fuzzy Hash: 9AD01271950208EBD7149B49E902BDEB778EB41758F10452FF00165180C7B95A008669

Uniqueness

Uniqueness Score: -1.00%

Function 004053C1 Relevance: 1.5, APIs: 1, Instructions: 18
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004053C1(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
				long _v8;
				signed int _t11;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t11 = ReadFile( *__ecx, _a4, _a8,  &_v8, 0); // executed
				 *_a12 = _v8;
				return _t11 & 0xffffff00 | _t11 != 0x00000000;
			}

0x004053c4
0x004053cb
0x004053d7
0x004053e5
0x004053eb

APIs

ReadFile.KERNELBASE(000000FF,?,?,00000000,00000000,000000FF,?,0040540C,?,?,00000000,?,00405432,?,?,00000000), ref: 004053D7

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7680b6ca8a144e951c888a795149d2d53928818e18071b104f126b41f4adbd68
Instruction ID: bc519ebe3b5b6386e9621bf61f3413b29384c9a634b5b939dab0404262013cc0
Opcode Fuzzy Hash: 7680b6ca8a144e951c888a795149d2d53928818e18071b104f126b41f4adbd68
Instruction Fuzzy Hash: 76E0EC75200208FBCB01CF90CC01FCE7BB9FB49754F20C058E91596160D375AA14EB54

Uniqueness

Uniqueness Score: -1.00%

Function 004029BE Relevance: 1.5, APIs: 1, Instructions: 17
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004029BE(void* __ecx) {
				int _t7;

				E00418A70( *((intOrPtr*)(__ecx + 0x3c)));
				if( *((intOrPtr*)(__ecx + 0x38)) == 0) {
					 *((char*)(__ecx + 0x39)) = 1;
					return 0;
				} else {
					_t7 = PostMessageW( *(__ecx + 4), 0x8001, 0, 0); // executed
					return _t7;
				}
			}

0x004029c4
0x004029ce
0x004029e2
0x004029e7
0x004029d0
0x004029da
0x004029e1
0x004029e1

APIs

Part of subcall function 00418A70: WaitForSingleObject.KERNEL32(?,000000FF,0040267A,00000061,00000000,00000000,?,00000000,776382C0,00000000,00000000), ref: 00418A73

PostMessageW.USER32(00000000,00008001,00000000,00000000), ref: 004029DA

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: MessageObjectPostSingleWait
String ID:
API String ID: 1869837590-0
Opcode ID: 9d7d0303509dcc413e8a34a00beb061d438532f892d7b196070af7e067041d44
Instruction ID: eaa09ceaa3114435b048ba69c7f452b6de4dbba6593005c946b1345dbd8ce62d
Opcode Fuzzy Hash: 9d7d0303509dcc413e8a34a00beb061d438532f892d7b196070af7e067041d44
Instruction Fuzzy Hash: 6DD05E701146506EDBA0A734BE859E77ADAAF05310B45886FB483929A2CAA1BC808754

Uniqueness

Uniqueness Score: -1.00%

Function 00404BEE Relevance: 1.5, APIs: 1, Instructions: 17
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BEE(void** __ecx, intOrPtr _a4) {
				struct _WIN32_FIND_DATAW _v596;
				int _t5;

				_t5 = FindNextFileW( *__ecx,  &_v596); // executed
				if(_t5 != 0) {
					E00404B8C( &_v596, _a4, __eflags);
					return 1;
				}
				return 0;
			}

0x00404c00
0x00404c08
0x00404c17
0x00000000
0x00404c1c
0x00000000

APIs

FindNextFileW.KERNELBASE(000000FF,?), ref: 00404C00

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: c4609d8de41ccdaab4e1c7bc9efeac1eeb3cd6958e8da37b1abb75d29d41c6c1
Instruction ID: 6514850b34d96ac27011973a87a4576330e77776678e8d48275e438d2eb40076
Opcode Fuzzy Hash: c4609d8de41ccdaab4e1c7bc9efeac1eeb3cd6958e8da37b1abb75d29d41c6c1
Instruction Fuzzy Hash: FBD05B701041189BDB10DF60CC499AB777CABD1349F1040759A05E71A0D639D949DBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00410E73 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00410E73(void* __ecx) {
				intOrPtr _t7;
				intOrPtr _t10;
				void* _t12;

				E00418D80(E0041A622, _t12);
				_push(__ecx);
				_push(0x188);
				_t10 = E004031DD();
				 *((intOrPtr*)(_t12 - 0x10)) = _t10;
				_t7 = 0;
				_t15 = _t10;
				 *((intOrPtr*)(_t12 - 4)) = 0;
				if(_t10 != 0) {
					_t7 = E0040DCA3(_t10, _t15); // executed
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t12 - 0xc));
				return _t7;
			}

0x00410e78
0x00410e7d
0x00410e7e
0x00410e89
0x00410e8b
0x00410e8e
0x00410e90
0x00410e92
0x00410e95
0x00410e97
0x00410e97
0x00410e9f
0x00410ea7

APIs

__EH_prolog.LIBCMT ref: 00410E78

Part of subcall function 004031DD: malloc.MSVCRT ref: 004031E3
Part of subcall function 004031DD: _CxxThrowException.MSVCRT(?,0041C8C8), ref: 004031FD

Part of subcall function 0040DCA3: __EH_prolog.LIBCMT ref: 0040DCA8

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog$ExceptionThrowmalloc
String ID:
API String ID: 3744649731-0
Opcode ID: 3993f2473de03c3542c12ade1e304f3a179a5c2b310ffdd6f91d84c43b6e8bfc
Instruction ID: cba1e8ea3cc59bc4478667252af174c53adf0a6d33d98c46e50d2fdcf3a083dd
Opcode Fuzzy Hash: 3993f2473de03c3542c12ade1e304f3a179a5c2b310ffdd6f91d84c43b6e8bfc
Instruction Fuzzy Hash: 81D05E71F042849BCB08FFF994227AD76A0AB48348F00853FE012E67C0DFB85A808A19

Uniqueness

Uniqueness Score: -1.00%

Function 00402ED7 Relevance: 1.5, APIs: 1, Instructions: 17
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00402ED7(struct HWND__** __ecx) {
				struct HWND__* _t3;
				signed int _t4;
				signed int _t5;
				signed int* _t8;

				_t8 = __ecx;
				_t3 =  *__ecx;
				if(_t3 != 0) {
					_t4 = DestroyWindow(_t3); // executed
					_t5 = _t4 & 0xffffff00 | _t4 != 0x00000000;
					if(_t5 != 0) {
						 *_t8 =  *_t8 & 0x00000000;
						return _t5;
					}
					return _t5;
				} else {
					return 1;
				}
			}

0x00402ed8
0x00402eda
0x00402ede
0x00402ee5
0x00402eed
0x00402ef2
0x00402ef4
0x00000000
0x00402ef4
0x00402ef8
0x00402ee0
0x00402ee3
0x00402ee3

APIs

DestroyWindow.USER32(00000000,?,00402E70,?,?,00402E2F), ref: 00402EE5

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: c300da57ea769af538155befd0f13b17f58799c34e081a7a41eb466825c0bc5b
Instruction ID: 3861973e04faebb4a2542629753922d24fdd8f5835c20d6ccedf179154c89bc1
Opcode Fuzzy Hash: c300da57ea769af538155befd0f13b17f58799c34e081a7a41eb466825c0bc5b
Instruction Fuzzy Hash: 4BD0C93165421257DEB09E28B9087D263DDAF10261B16446AA880DB2C0DBB9CC82A698

Uniqueness

Uniqueness Score: -1.00%

Function 00405298 Relevance: 1.5, APIs: 1, Instructions: 16
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00405298(void** __ecx) {
				void* _t1;
				int _t3;
				signed int* _t6;

				_t6 = __ecx;
				_t1 =  *__ecx;
				if(_t1 == 0xffffffff) {
					L4:
					return 1;
				} else {
					_t3 = FindCloseChangeNotification(_t1); // executed
					if(_t3 != 0) {
						 *_t6 =  *_t6 | 0xffffffff;
						goto L4;
					} else {
						return 0;
					}
				}
			}

0x00405299
0x0040529b
0x004052a0
0x004052b4
0x004052b7
0x004052a2
0x004052a3
0x004052ab
0x004052b1
0x00000000
0x004052ad
0x004052b0
0x004052b0
0x004052ab

APIs

FindCloseChangeNotification.KERNELBASE(?,000000FF,0040526A,?,?,0040538F,?,80000000,00000000,00000000,00000000,004053B0,00000000,?,00000003,00000080), ref: 004052A3

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a70d0e270c00220fc0e1caf0f16e22cd4a5fb1ec1f3136ff0860332eb57d27a1
Instruction ID: 0e5df7a028251fcaba9f82fb0a08b03a75193d26b760c08bd3ff78e88b2aa95c
Opcode Fuzzy Hash: a70d0e270c00220fc0e1caf0f16e22cd4a5fb1ec1f3136ff0860332eb57d27a1
Instruction Fuzzy Hash: 46D0C93110556146DE646E3C78449C337999E0633432147AAF4B0E62E1D3748C835E94

Uniqueness

Uniqueness Score: -1.00%

Function 00404B27 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404B27(void** __ecx) {
				void* _t1;
				int _t3;
				signed int* _t6;

				_t6 = __ecx;
				_t1 =  *__ecx;
				if(_t1 == 0xffffffff) {
					L4:
					return 1;
				} else {
					_t3 = FindClose(_t1); // executed
					if(_t3 != 0) {
						 *_t6 =  *_t6 | 0xffffffff;
						goto L4;
					} else {
						return 0;
					}
				}
			}

0x00404b28
0x00404b2a
0x00404b2f
0x00404b43
0x00404b46
0x00404b31
0x00404b32
0x00404b3a
0x00404b40
0x00000000
0x00404b3c
0x00404b3f
0x00404b3f
0x00404b3a

APIs

FindClose.KERNELBASE(00000000,000000FF,00404B58), ref: 00404B32

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 2e7c38b74275a1d10db6fabc292f24c9b7c881a734d2f7bbb3c64b0cccd58694
Instruction ID: b412e42f3085da2f257a58cf6b4c1cc416868627b9fbf021317bc8eabdf38f56
Opcode Fuzzy Hash: 2e7c38b74275a1d10db6fabc292f24c9b7c881a734d2f7bbb3c64b0cccd58694
Instruction Fuzzy Hash: F4D0127150412147CA742E3CB845AC377E85A86330325176BF6B0E32E4D374DC834694

Uniqueness

Uniqueness Score: -1.00%

Function 004054A0 Relevance: 1.5, APIs: 1, Instructions: 9
timeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004054A0(void** __ecx, FILETIME* _a4, FILETIME* _a8, FILETIME* _a12) {
				signed int _t4;

				_t4 = SetFileTime( *__ecx, _a4, _a8, _a12); // executed
				asm("sbb eax, eax");
				return  ~( ~_t4);
			}

0x004054ae
0x004054b6
0x004054ba

APIs

SetFileTime.KERNELBASE(?,?,?,?,004054CA,00000000,00000000,?,00402482,?), ref: 004054AE

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: d00ba419ea0ae4e6e6213418fd014f6d5999ef0473a0d56b55522c41bf13b527
Instruction ID: 1917584adf27ce0176f88e11aa52cbd2cdf9234270b8d6b477bb5c626fe98c97
Opcode Fuzzy Hash: d00ba419ea0ae4e6e6213418fd014f6d5999ef0473a0d56b55522c41bf13b527
Instruction Fuzzy Hash: 56C04C36158205FF8F020F70CC04C1ABFE2EB99311F10C918B169C4070C7328024EB02

Uniqueness

Uniqueness Score: -1.00%

Function 004061F9 Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004061F9(long __ecx, WCHAR* _a4, struct HWND__* _a8) {
				int _t3;

				_t3 = DialogBoxParamW( *0x41f158, _a4, _a8, E0040617F, __ecx); // executed
				return _t3;
			}

0x0040620d
0x00406213

APIs

DialogBoxParamW.USER32 ref: 0040620D

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: DialogParam
String ID:
API String ID: 665744214-0
Opcode ID: e5afb946052b98de151572ca270f2b14382b3828008983094a63c69c2058dd15
Instruction ID: 346570c71dab3f0197063b91ea6ccd62886f4ee461fb2a9a3ea49f5ae03429c9
Opcode Fuzzy Hash: e5afb946052b98de151572ca270f2b14382b3828008983094a63c69c2058dd15
Instruction Fuzzy Hash: BBC04832404281BFCB02DF50DC29C6BBA72FBA5300B068829B19550174C3A2582AEB19

Uniqueness

Uniqueness Score: -1.00%

Function 00404826 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00404826(WCHAR* __ecx) {
				signed int _t1;

				_t1 = SetCurrentDirectoryW(__ecx); // executed
				asm("sbb eax, eax");
				return  ~( ~_t1);
			}

0x00404827
0x0040482f
0x00404833

APIs

SetCurrentDirectoryW.KERNELBASE(?,00401490,?,00000001,?,00419240,?,0041B524,;!@InstallEnd@!,?,0041B558,?,00000000,?,?,00000000), ref: 00404827

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: d57684e69020114d10183d2ca0050567171a42a80b8fd26bd4e5665bc9280296
Instruction ID: fec01ce8eb217bf0cfbecdd44f93909942d88e708ff386734e9f039800b2ffe1
Opcode Fuzzy Hash: d57684e69020114d10183d2ca0050567171a42a80b8fd26bd4e5665bc9280296
Instruction Fuzzy Hash: CCA002B07F511B468E241B34DD0986A39549555A037115B687157C50D4DF25C1045554

Uniqueness

Uniqueness Score: -1.00%

Function 00404462 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404462(WCHAR* __ecx, long __edx) {
				signed int _t3;

				_t3 = SetFileAttributesW(__ecx, __edx); // executed
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x00404464
0x0040446f

APIs

SetFileAttributesW.KERNELBASE(?,00000000,004047EE,?,776382C0,?,00000000), ref: 00404464

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ed25a719a3732e43e41dd9887838c0a6c9a1d2c5f1583ac5206a53767c946853
Instruction ID: 98a8bcf7e5ee3235dfc47f65db57e9ddc409942bd55006f53268cdc163f6fd1c
Opcode Fuzzy Hash: ed25a719a3732e43e41dd9887838c0a6c9a1d2c5f1583ac5206a53767c946853
Instruction Fuzzy Hash: 02A002A02112099FA6145B315E09B6F29ADEDC9AD1745C96C7415C5060EB29C8509565

Uniqueness

Uniqueness Score: -1.00%

Function 0040447D Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040447D(WCHAR* __ecx) {
				signed int _t3;

				_t3 = CreateDirectoryW(__ecx, 0); // executed
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x00404480
0x0040448b

APIs

CreateDirectoryW.KERNELBASE(00000000,00000000,00404A06,00000000,?,00000000,00404A99,?,00000000), ref: 00404480

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 083f4dbc4f2943f1dfb74f92bb0e451d38530cc52b4985dcc65b559a9f8fdd7c
Instruction ID: 34323f3862c9c6fd2d35131ea61d74e0925f70aef560595d1f96e53f70211f96
Opcode Fuzzy Hash: 083f4dbc4f2943f1dfb74f92bb0e451d38530cc52b4985dcc65b559a9f8fdd7c
Instruction Fuzzy Hash: 70A0223030030083E2200B300E0AB0F280CAF08AC0F00C0283208C80E0EB28C0200008

Uniqueness

Uniqueness Score: -1.00%

Function 00404DA0 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404DA0(WCHAR* __ecx) {
				long _t1;

				_t1 = GetFileAttributesW(__ecx); // executed
				if(_t1 == 0xffffffff) {
					return _t1;
				}
				return _t1;
			}

0x00404da1
0x00404daa
0x00000000
0x00404dac
0x00404dae

APIs

GetFileAttributesW.KERNELBASE(?,004050D2,?,?,0000002A,0000005C,?,?,?,00000001), ref: 00404DA1

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 81aac6498f9a46e99a08266c3e76ab7939904c505e4d4e367c054e885d8591d5
Instruction ID: 591aceaef49bad6d6e0eb818f5c395ad730c6046851bbff497a631cd11e1eb05
Opcode Fuzzy Hash: 81aac6498f9a46e99a08266c3e76ab7939904c505e4d4e367c054e885d8591d5
Instruction Fuzzy Hash: 07A011A0820000828A2003302C8808A2A808882332B208B20E230C00E0CB38C800A2A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC3C Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BC3C(void* __ecx) {

				EndDialog( *(__ecx + 4), 0); // executed
				return 1;
			}

0x0040bc41
0x0040bc49

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 0040BC41

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1de13aa7809bb822d4691872271d1b3617444b8dd213628e48c3d5d056a78f23
Instruction ID: ec34284fb5e09ba96d8923433a6197e714bb6145d90309d1f0ddcfe40c435b5e
Opcode Fuzzy Hash: 1de13aa7809bb822d4691872271d1b3617444b8dd213628e48c3d5d056a78f23
Instruction Fuzzy Hash: C5A0223C080200BBCA000F00FC2AB803F20FB00B02FE0C0E0E800082B0C3238003EE88

Uniqueness

Uniqueness Score: -1.00%

Function 00406749 Relevance: 1.3, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00406749(intOrPtr _a4, intOrPtr _a8, char _a12, intOrPtr* _a16) {
				void* _t11;
				signed int _t12;
				signed int _t14;
				intOrPtr* _t19;
				signed int _t20;
				intOrPtr _t23;

				_t23 = _a4;
				_t11 = E004053EE(_a8, _a12,  &_a12); // executed
				_t19 = _a16;
				if(_t19 != 0) {
					 *_t19 = _a12;
				}
				if(_t11 != 0) {
					return 0;
				}
				_t12 = GetLastError();
				_t20 =  *(_t23 + 0x1c);
				__eflags = _t20;
				if(_t20 != 0) {
					return  *((intOrPtr*)( *_t20))( *((intOrPtr*)(_t23 + 0x20)), _t12);
				}
				__eflags = _t12;
				if(__eflags == 0) {
					return 0x80004005;
				}
				if(__eflags > 0) {
					_t14 = _t12 & 0x0000ffff | 0x80070000;
					__eflags = _t14;
					return _t14;
				}
				return _t12;
			}

0x00406750
0x0040675d
0x00406762
0x00406767
0x0040676c
0x0040676c
0x00406770
0x00000000
0x00406772
0x00406776
0x0040677c
0x0040677f
0x00406781
0x00000000
0x00406789
0x0040678d
0x0040678f
0x00000000
0x00406791
0x00406798
0x0040679f
0x0040679f
0x00000000
0x0040679f
0x004067a6

APIs

GetLastError.KERNEL32(?,?,?), ref: 00406776

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 437c8e8a398dd829b82ca88da42c9c2071027e39b4d4d6b72e10c2378126adce
Instruction ID: a9f0ad8659e0c22b9764d8725ef8c1a002e24048339c74b3f33957f6e1008843
Opcode Fuzzy Hash: 437c8e8a398dd829b82ca88da42c9c2071027e39b4d4d6b72e10c2378126adce
Instruction Fuzzy Hash: E6F03C392002069BDF249F64DC009BB77A9EF45318B11453AAC17EB294D37AE8219BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413803 Relevance: 1.3, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00413803(void* __eax, void* __ebx, long __edx, void* __esi) {
				intOrPtr* _t2;
				void* _t3;

				asm("rol bl, 0x6a");
				_t2 = __eax + 0x68;
				 *_t2 =  *_t2 + __edx;
				 *_t2 =  *_t2 + _t2;
				_t3 = VirtualAlloc(0, __edx, ??, ??); // executed
				return _t3;
			}

0x00413805
0x00413808
0x0041380a
0x0041380c
0x00413811
0x00413817

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00413811

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 92735ca84e52f538702ecb6ec21f91555a91a8bffad8afd78f3bc7818ee4d028
Instruction ID: e03e2c2186c6dbf214b011caf4efa4a81c4bf758aef5a93a91a1cadcfefd29ca
Opcode Fuzzy Hash: 92735ca84e52f538702ecb6ec21f91555a91a8bffad8afd78f3bc7818ee4d028
Instruction Fuzzy Hash: 53C08CE1A4D2809FDF0213108C407703F308B8B300F0A00C1E9045B092C2000808C722

Uniqueness

Uniqueness Score: -1.00%

Function 00413760 Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00413760(int __ecx) {
				void* _t1;

				if(__ecx != 0) {
					_t1 = malloc(__ecx); // executed
					return _t1;
				} else {
					return 0;
				}
			}

0x00413762
0x00413768
0x00413771
0x00413764
0x00413766
0x00413766

APIs

malloc.MSVCRT ref: 00413768

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 4e4b97c8df32ee9fc110583acaac8f3580eb89f53c0fc54fed573577a25b04ae
Instruction ID: e9a776f8b561c7906f99c97af60905b4207f6b767d51b374da93a018ac2131ba
Opcode Fuzzy Hash: 4e4b97c8df32ee9fc110583acaac8f3580eb89f53c0fc54fed573577a25b04ae
Instruction Fuzzy Hash: 3FB012F012114012EE1C17382D2819730407640A47BC08478B402C0120F719C114504E

Uniqueness

Uniqueness Score: -1.00%

Function 004137D0 Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004137D0(int __edx) {
				void* _t1;

				if(__edx != 0) {
					_t1 = malloc(__edx); // executed
					return _t1;
				} else {
					return 0;
				}
			}

0x004137d2
0x004137d8
0x004137e1
0x004137d4
0x004137d6
0x004137d6

APIs

malloc.MSVCRT ref: 004137D8

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: ec48c67d9d884d5c2e1c8e50903b5e665513c9d58559f81f173c0722ca0cd9cf
Instruction ID: e1834bf87b784a365167bfedfb21307e6a78aa9792587d0fbed25970968ed474
Opcode Fuzzy Hash: ec48c67d9d884d5c2e1c8e50903b5e665513c9d58559f81f173c0722ca0cd9cf
Instruction Fuzzy Hash: C6B012E8A101C012DA040B342C081933062B6D0507BC4C4B5A40180124FB28D114604D

Uniqueness

Uniqueness Score: -1.00%

Function 00413823 Relevance: 1.3, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00413823(void* __edx) {
				int _t1;

				_push(cs);
				_t1 = VirtualFree(__edx, 0, 0x8000); // executed
				return _t1;
			}

0x00413823
0x0041382c
0x00413832

APIs

VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0041382C

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 2cf424f09b2a63611f94bf1ef2906656b3368afbdbde5470752f6eddb9b02e63
Instruction ID: 4548bb9808f7885787c00c4898e7365c481cb8737fbf7d0afeb7407147252edf
Opcode Fuzzy Hash: 2cf424f09b2a63611f94bf1ef2906656b3368afbdbde5470752f6eddb9b02e63
Instruction Fuzzy Hash: 5BA00278A8070476ED60A7306D4FFB63A25B78CF01F30C5947251690D0EAE460489A5C

Uniqueness

Uniqueness Score: -1.00%

Function 004137F0 Relevance: 1.3, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004137F0(void* __eax, void* __edx) {
				void* _t1;

				_t1 = __eax;
				free(__edx); // executed
				return _t1;
			}

0x004137f0
0x004137f1
0x004137f8

APIs

free.MSVCRT ref: 004137F1

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c4c572d9f57696b8c0e6e1de3699c55fb71bdc43637c77fb16101d20eef8a5fa
Instruction ID: 7c1fef89f0bccb1a01165ba8deb7b600c8a857a7521b8ae7fdf9e2709f779900
Opcode Fuzzy Hash: c4c572d9f57696b8c0e6e1de3699c55fb71bdc43637c77fb16101d20eef8a5fa
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00413780 Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT(?,?,?,00413148), ref: 00413781

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f7127e7e40eaa2db84907b96d6c7057def2c4eed74b735c5d7bd95b468904d09
Instruction ID: 082e6f8f9fdc4bbf4c0095df6602c445876609eb90aa96d1f6ec716ecc535606
Opcode Fuzzy Hash: f7127e7e40eaa2db84907b96d6c7057def2c4eed74b735c5d7bd95b468904d09
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00410138 Relevance: 3.5, APIs: 2, Instructions: 480
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00410138(void* __ecx, signed int __edx, void* __eflags) {
				intOrPtr __ebx;
				void* __edi;
				intOrPtr __esi;
				signed int _t289;
				signed int _t298;
				signed int _t300;
				signed int _t303;
				signed int _t304;
				signed int _t309;
				void* _t313;
				void* _t322;
				intOrPtr _t326;
				signed int _t329;
				signed int _t359;
				unsigned int _t367;
				signed int _t370;
				void* _t371;
				signed int _t374;
				void* _t375;
				intOrPtr* _t378;
				intOrPtr* _t379;
				intOrPtr _t390;
				signed char _t393;
				signed int _t394;
				signed int* _t400;
				unsigned int _t405;
				signed int _t439;
				signed int _t440;
				char _t441;
				signed int _t448;
				void* _t451;
				intOrPtr _t453;
				void* _t454;
				void* _t456;
				void* _t457;

				_t439 = __edx;
				E00418D80(E0041A5C9, _t454);
				_t457 = _t456 - 0x9c;
				_t451 = __ecx;
				_t289 = E0040EA46( *((intOrPtr*)(__ecx + 0x38)));
				_t448 =  *(_t454 + 8);
				 *(_t454 - 0x20) = _t289;
				 *(_t454 - 0x1c) = _t439;
				if(_t289 == 2) {
					_t462 = _t439;
					if(_t439 == 0) {
						E0040EE0F(__ecx, _t439, _t462, _t448 + 0xf8);
						 *(_t454 - 0x20) = E0040EA46( *((intOrPtr*)(_t451 + 0x38)));
						 *(_t454 - 0x1c) = _t439;
					}
				}
				_t367 = 0;
				 *((intOrPtr*)(_t454 - 0x38)) = 0;
				 *((intOrPtr*)(_t454 - 0x34)) = 0;
				 *((intOrPtr*)(_t454 - 0x30)) = 0;
				 *(_t454 - 4) = 0;
				if( *(_t454 - 0x20) != 3) {
					L8:
					 *(_t454 - 0x70) = _t367;
					 *(_t454 - 0x6c) = _t367;
					 *(_t454 - 0x68) = _t367;
					 *(_t454 - 0xa8) = _t367;
					 *(_t454 - 0xa4) = _t367;
					 *(_t454 - 0xa0) = _t367;
					 *(_t454 - 4) = 2;
					E0040E83C(_t454 - 0x9c);
					__eflags =  *(_t454 - 0x20) - 4;
					 *(_t454 - 4) = 3;
					if( *(_t454 - 0x20) == 4) {
						__eflags =  *(_t454 - 0x1c) - _t367;
						if(__eflags == 0) {
							_t378 = _t448 + 0x110;
							E0040FC2A(_t378, _t451, _t439, _t448, _t451, __eflags, _t454 - 0x38, _t378, _t448, _t454 - 0x70, _t454 - 0xa8);
							 *_t378 =  *_t378 +  *((intOrPtr*)(_t448 + 0x108));
							asm("adc [ebx+0x4], ecx");
							 *(_t454 - 0x20) = E0040EA46( *((intOrPtr*)(_t451 + 0x38)));
							 *(_t454 - 0x1c) = _t439;
							_t367 = 0;
							__eflags = 0;
						}
					}
					__eflags =  *(_t454 - 0x20) - 5;
					if(__eflags != 0) {
						L91:
						E00410785(_t448, __eflags);
						_t293 =  *(_t454 - 0x20) |  *(_t454 - 0x1c);
						__eflags =  *(_t454 - 0x20) |  *(_t454 - 0x1c);
						if(( *(_t454 - 0x20) |  *(_t454 - 0x1c)) != 0) {
							L93:
							 *((char*)(_t448 + 0x14d)) = 1;
							L94:
							E00403204(E00403204(E00403204(_t293,  *((intOrPtr*)(_t454 - 0x9c))),  *(_t454 - 0xa8)),  *(_t454 - 0x70));
							 *(_t454 - 4) =  *(_t454 - 4) | 0xffffffff;
							E00410DA8(_t367, _t454 - 0x38);
							_t298 = 0;
							__eflags = 0;
							L95:
							 *[fs:0x0] =  *((intOrPtr*)(_t454 - 0xc));
							return _t298;
						}
						_t453 =  *((intOrPtr*)(_t451 + 0x38));
						_t293 =  *((intOrPtr*)(_t453 + 4)) ==  *((intOrPtr*)(_t453 + 8));
						__eflags =  *((intOrPtr*)(_t453 + 4)) ==  *((intOrPtr*)(_t453 + 8));
						if( *((intOrPtr*)(_t453 + 4)) ==  *((intOrPtr*)(_t453 + 8))) {
							goto L94;
						}
						goto L93;
					} else {
						__eflags =  *(_t454 - 0x1c) - _t367;
						if(__eflags != 0) {
							goto L91;
						}
						_t300 = E0040EB3D( *((intOrPtr*)(_t451 + 0x38)), _t439, __eflags);
						_t369 = _t448 + 0x120;
						 *(_t454 + 8) = _t300;
						E00408F50(_t448 + 0x120, 9, 0);
						E00408F50(_t448 + 0x120, 6, 0);
						__eflags =  *(_t454 + 8);
						if( *(_t454 + 8) <= 0) {
							L16:
							_t303 = 0;
							__eflags = 0;
							L17:
							 *(_t454 - 0x50) = _t303;
							 *(_t454 - 0x4c) = _t303;
							 *(_t454 - 0x48) = _t303;
							 *(_t454 - 0x5c) = _t303;
							 *(_t454 - 0x58) = _t303;
							 *(_t454 - 0x54) = _t303;
							 *(_t454 - 0x44) = _t303;
							 *(_t454 - 0x40) = _t303;
							 *(_t454 - 0x3c) = _t303;
							 *(_t454 - 4) = 6;
							 *(_t454 - 0x18) = _t303;
							while(1) {
								_t304 = E0040EA46( *((intOrPtr*)(_t451 + 0x38)));
								_t390 =  *((intOrPtr*)(_t451 + 0x38));
								_t370 = _t304;
								__eflags = _t304 | _t439;
								 *(_t454 - 0x64) = _t370;
								 *(_t454 - 0x60) = _t439;
								if((_t304 | _t439) == 0) {
									break;
								}
								 *((intOrPtr*)(_t454 - 0x2c)) = E0040EA46(_t390);
								 *(_t454 - 0x28) = _t439;
								_t322 =  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)) + 4)) -  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)) + 8));
								__eflags = _t439;
								if(__eflags < 0) {
									L23:
									 *(_t454 - 0x8c) =  *(_t454 - 0x8c) & 0x00000000;
									 *(_t454 - 0x8b) =  *(_t454 - 0x8b) & 0x00000000;
									_push(1);
									 *(_t454 - 4) = 7;
									E0040E8D2(_t454 - 0x90, _t451,  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)) + 8)) +  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)))),  *((intOrPtr*)(_t454 - 0x2c)));
									__eflags =  *(_t454 - 0x60);
									if(__eflags > 0) {
										L59:
										 *((char*)(_t448 + 0x14d)) = 1;
										 *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)) + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)) + 4));
										L60:
										_t326 =  *((intOrPtr*)(_t451 + 0x38));
										_t414 =  *((intOrPtr*)(_t326 + 4)) !=  *((intOrPtr*)(_t326 + 8));
										__eflags =  *((intOrPtr*)(_t326 + 4)) !=  *((intOrPtr*)(_t326 + 8));
										if( *((intOrPtr*)(_t326 + 4)) !=  *((intOrPtr*)(_t326 + 8))) {
											E0040E966(_t414);
										}
										 *(_t454 - 4) = 6;
										E0040E883(_t454 - 0x90);
										continue;
									}
									if(__eflags < 0) {
										L26:
										_t87 = _t370 - 0xe; // -14
										_t329 = _t87;
										__eflags = _t329 - 0xb;
										if(__eflags > 0) {
											goto L59;
										}
										switch( *((intOrPtr*)(_t329 * 4 +  &M00410755))) {
											case 0:
												__eax = __ebp - 0x50;
												__ecx = __esi;
												__eax = E0040FD4C(__esi, __edx,  *((intOrPtr*)(__ebp + 8)), __ebp - 0x50);
												__ecx = __ebp - 0x50;
												__eax = E0040E867(__ecx);
												 *(__ebp - 0x58) =  *(__ebp - 0x58) & 0x00000000;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *((intOrPtr*)(__ebp - 0x18)) = __eax;
												goto L40;
											case 1:
												__eax = __ebp - 0x5c;
												goto L44;
											case 2:
												__eax = __ebp - 0x44;
												L44:
												__ecx = __esi;
												__eax = E0040FD4C(__ecx, __edx,  *((intOrPtr*)(__ebp - 0x18)), __eax);
												goto L40;
											case 3:
												 *(_t454 - 0x7c) =  *(_t454 - 0x7c) & 0x00000000;
												 *(_t454 - 0x7b) =  *(_t454 - 0x7b) & 0x00000000;
												 *(_t454 - 4) = 8;
												E0040E913(_t454 - 0x80, __eflags, _t451, _t454 - 0x38);
												_t377 =  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)) + 4)) -  *((intOrPtr*)( *((intOrPtr*)(_t451 + 0x38)) + 8));
												E00407AB8(_t448 + 0xe8, _t377);
												E0040E9D2( *((intOrPtr*)(_t451 + 0x38)),  *((intOrPtr*)(_t448 + 0xe8)), _t377);
												E00410D2E(_t448 + 0xf0,  *(_t454 + 8) + 1);
												__eflags =  *(_t454 + 8);
												 *(_t454 - 0x14) = 0;
												 *(_t454 - 0x24) = 0;
												if( *(_t454 + 8) <= 0) {
													L35:
													_t439 =  *(_t454 - 0x24);
													__eflags =  *(_t454 - 0x14) - _t377;
													 *( *((intOrPtr*)(_t448 + 0xf0)) + _t439 * 4) =  *(_t454 - 0x14) >> 1;
													if( *(_t454 - 0x14) != _t377) {
														 *((char*)(_t451 + 0x3c)) = 1;
													}
													 *(_t454 - 4) = 7;
													_t422 = _t454 - 0x80;
													goto L39;
												} else {
													goto L29;
												}
												do {
													L29:
													_t443 =  *(_t454 - 0x14);
													 *(_t454 - 0x10) = 0;
													_t425 =  *((intOrPtr*)(_t448 + 0xe8)) + _t443;
													_t345 = _t377 - _t443 >> 1;
													__eflags = _t345;
													if(_t345 == 0) {
														goto L32;
													} else {
														goto L30;
													}
													while(1) {
														L30:
														__eflags =  *_t425;
														if( *_t425 == 0) {
															goto L32;
														}
														 *(_t454 - 0x10) =  *(_t454 - 0x10) + 1;
														_t425 = _t425 + 2;
														__eflags =  *(_t454 - 0x10) - _t345;
														if( *(_t454 - 0x10) < _t345) {
															continue;
														}
														goto L32;
													}
													L32:
													__eflags =  *(_t454 - 0x10) - _t345;
													if( *(_t454 - 0x10) == _t345) {
														E0040E966(_t425);
													}
													_t426 =  *(_t454 - 0x24);
													 *( *((intOrPtr*)(_t448 + 0xf0)) + _t426 * 4) =  *(_t454 - 0x14) >> 1;
													_t427 = _t426 + 1;
													__eflags = _t427 -  *(_t454 + 8);
													 *(_t454 - 0x24) = _t427;
													 *(_t454 - 0x14) =  *(_t454 - 0x14) + 2 +  *(_t454 - 0x10) * 2;
												} while (_t427 <  *(_t454 + 8));
												goto L35;
											case 4:
												_push( *((intOrPtr*)(__ebp + 8)));
												__eax = __edi + 0x64;
												goto L49;
											case 5:
												_push( *((intOrPtr*)(__ebp + 8)));
												__eax = __edi + 0x7c;
												goto L49;
											case 6:
												_push( *((intOrPtr*)(__ebp + 8)));
												__eax = __edi + 0x94;
												goto L49;
											case 7:
												__ebx = __edi + 0xc4;
												__ecx = __esi;
												__eax = E0040FD9A(__esi, __edx, __eflags,  *((intOrPtr*)(__ebp + 8)), __ebx);
												 *(__ebp - 0x74) =  *(__ebp - 0x74) & 0x00000000;
												_t142 = __ebp - 0x73;
												 *_t142 =  *(__ebp - 0x73) & 0x00000000;
												__eflags =  *_t142;
												__eax = __ebp - 0x38;
												__ecx = __ebp - 0x78;
												 *((char*)(__ebp - 4)) = 9;
												__eax = E0040E913(__ebp - 0x78, __eflags, __esi, __ebp - 0x38);
												__ecx = __esi;
												__eax = E0040F19A(__esi, __eflags, __ebx);
												 *((char*)(__ebp - 4)) = 7;
												__ecx = __ebp - 0x78;
												L39:
												E0040E883(_t422);
												goto L40;
											case 8:
												goto L59;
											case 9:
												_push( *((intOrPtr*)(__ebp + 8)));
												__eax = __edi + 0xac;
												L49:
												_push(__eax);
												__eax = __ebp - 0x38;
												_push(__ebp - 0x38);
												__ecx = __esi;
												__eax = E0040FDF2(__ecx, __edx, __eflags);
												L40:
												E00408F50(_t448 + 0x120,  *(_t454 - 0x64),  *(_t454 - 0x60));
												goto L60;
											case 0xa:
												__ebx = 0;
												__eflags =  *(__ebp - 0x28);
												 *((intOrPtr*)(__ebp - 0x88)) = 0;
												if(__eflags < 0) {
													goto L60;
												}
												if(__eflags > 0) {
													goto L53;
													do {
														do {
															L53:
															__ecx =  *((intOrPtr*)(__esi + 0x38));
															__eax = E0040E9B4(__ecx);
															__eflags = __al;
															if(__al != 0) {
																 *((char*)(__esi + 0x3c)) = 1;
															}
															 *((intOrPtr*)(__ebp - 0x88)) =  *((intOrPtr*)(__ebp - 0x88)) + 1;
															asm("adc ebx, 0x0");
															__eflags = __ebx -  *(__ebp - 0x28);
														} while (__eflags < 0);
														if(__eflags > 0) {
															goto L60;
														}
														__eax =  *((intOrPtr*)(__ebp - 0x88));
														__eflags =  *((intOrPtr*)(__ebp - 0x88)) -  *(__ebp - 0x2c);
													} while ( *((intOrPtr*)(__ebp - 0x88)) <  *(__ebp - 0x2c));
													goto L60;
												}
												__eflags =  *(__ebp - 0x2c);
												if( *(__ebp - 0x2c) <= 0) {
													goto L60;
												}
												goto L53;
										}
									}
									__eflags = _t370 - 0x40000000;
									if(_t370 > 0x40000000) {
										goto L59;
									}
									goto L26;
								}
								if(__eflags > 0) {
									L22:
									E0040E966(0);
									goto L23;
								}
								__eflags =  *((intOrPtr*)(_t454 - 0x2c)) - _t322;
								if( *((intOrPtr*)(_t454 - 0x2c)) <= _t322) {
									goto L23;
								}
								goto L22;
							}
							 *(_t454 - 0x20) = E0040EA46(_t390);
							 *(_t454 - 0x1c) = _t439;
							__eflags =  *(_t454 + 8) -  *(_t454 - 0x18) -  *(_t454 - 0x6c);
							if( *(_t454 + 8) -  *(_t454 - 0x18) !=  *(_t454 - 0x6c)) {
								_push(0x41de18);
								_push(_t454 + 0xb);
								L00418E02();
							}
							 *(_t454 - 0x10) =  *(_t454 - 0x10) & 0x00000000;
							 *(_t454 - 0x18) =  *(_t454 - 0x18) & 0x00000000;
							_t309 = E0040E867(_t454 - 0x44);
							__eflags = _t309;
							 *(_t454 - 0x28) = _t309;
							if(_t309 != 0) {
								_t375 = _t448 + 0xdc;
								E00408B28(_t375,  *(_t454 + 8));
								 *(_t375 + 4) =  *(_t454 + 8);
							}
							_t371 = _t448 + 0x58;
							E00410E34(_t371,  *(_t454 + 8));
							_t311 =  *(_t454 + 8);
							 *(_t371 + 4) = _t311;
							_t367 = 0;
							__eflags = _t311;
							 *(_t454 - 0x14) = 0;
							if(__eflags <= 0) {
								L90:
								_t313 = E00403204(E00403204(_t311,  *(_t454 - 0x44)),  *(_t454 - 0x5c));
								 *(_t454 - 4) = 3;
								E00403204(_t313,  *(_t454 - 0x50));
								_t457 = _t457 + 0xc;
								goto L91;
							} else {
								_t214 = _t454 - 0x24;
								 *_t214 =  *(_t454 - 0x24) & 0;
								__eflags =  *_t214;
								do {
									_t440 =  *(_t454 - 0x10);
									_t311 =  *((intOrPtr*)(_t448 + 0x58)) +  *(_t454 - 0x24);
									_t311[2] = _t311[2] & 0x00000000;
									__eflags = _t367 -  *(_t454 - 0x4c);
									if(_t367 >=  *(_t454 - 0x4c)) {
										_t393 = 0;
										__eflags = 0;
									} else {
										_t393 =  *((intOrPtr*)(_t367 +  *(_t454 - 0x50)));
									}
									__eflags = _t393;
									if(_t393 != 0) {
										_t311[3] = _t311[3] & 0x00000000;
										__eflags = _t440 -  *(_t454 - 0x58);
										if(_t440 >=  *(_t454 - 0x58)) {
											_t394 = 0;
											__eflags = 0;
										} else {
											_t394 =  *((intOrPtr*)(_t440 +  *(_t454 - 0x5c)));
										}
										__eflags = _t394;
										_t311[3] = _t394 & 0xffffff00 | _t394 == 0x00000000;
										__eflags = _t440 -  *(_t454 - 0x40);
										if(_t440 >=  *(_t454 - 0x40)) {
											_t441 = 0;
											__eflags = 0;
										} else {
											_t441 =  *((intOrPtr*)( *(_t454 - 0x10) +  *(_t454 - 0x44)));
										}
										 *_t311 =  *_t311 & 0x00000000;
										 *(_t454 - 0x10) =  *(_t454 - 0x10) + 1;
										_t311[1] = _t311[1] & 0x00000000;
										_t261 =  &(_t311[3]);
										 *_t261 = _t311[3] & 0x00000000;
										__eflags =  *_t261;
									} else {
										_t311[3] = _t311[3] & _t393;
										_t311[3] = 1;
										_t441 = 0;
										_t400 =  *(_t454 - 0x70) +  *(_t454 - 0x18) * 8;
										 *_t311 =  *_t400;
										_t374 =  *(_t454 - 0x18);
										_t311[1] = _t400[1];
										__eflags = _t374 -  *(_t454 - 0xa4);
										if(_t374 >=  *(_t454 - 0xa4)) {
											L76:
											__eflags = 0;
											L77:
											__eflags = 0;
											_t311[3] = 0;
											if(0 != 0) {
												_t311[2] =  *( *((intOrPtr*)(_t454 - 0x9c)) + _t374 * 4);
											}
											 *(_t454 - 0x18) =  *(_t454 - 0x18) + 1;
											_t367 =  *(_t454 - 0x14);
											goto L87;
										}
										_t405 =  *(_t454 - 0xa8);
										__eflags =  *(_t374 + _t405);
										if( *(_t374 + _t405) == 0) {
											goto L76;
										}
										_push(1);
										_pop(0);
										goto L77;
									}
									L87:
									__eflags =  *(_t454 - 0x28);
									if( *(_t454 - 0x28) != 0) {
										_t311 =  *(_t448 + 0xdc);
										 *((char*)( *(_t448 + 0xdc) + _t367)) = _t441;
									}
									 *(_t454 - 0x24) =  *(_t454 - 0x24) + 0x10;
									_t367 = _t367 + 1;
									__eflags = _t367 -  *(_t454 + 8);
									 *(_t454 - 0x14) = _t367;
								} while (__eflags < 0);
								goto L90;
							}
						}
						_t303 = 0;
						__eflags =  *(_t454 - 0xa4);
						if( *(_t454 - 0xa4) == 0) {
							goto L17;
						}
						E00408F50(_t369, 0xa, 0);
						goto L16;
					}
				}
				_t464 =  *(_t454 - 0x1c);
				if( *(_t454 - 0x1c) != 0) {
					goto L8;
				}
				_t379 = _t448 + 0x118;
				_push(_t454 - 0x38);
				_push(_t379);
				_push( *((intOrPtr*)(_t448 + 0x10c)));
				_push( *((intOrPtr*)(_t448 + 0x108)));
				_t359 = E0040FE8A(_t451, _t439, _t464);
				 *(_t454 + 8) = _t359;
				if(_t359 == 0) {
					 *_t379 =  *_t379 +  *((intOrPtr*)(_t448 + 0x108));
					asm("adc [ebx+0x4], ecx");
					 *(_t454 - 0x20) = E0040EA46( *((intOrPtr*)(_t451 + 0x38)));
					 *(_t454 - 0x1c) = _t439;
					_t367 = 0;
					__eflags = 0;
					goto L8;
				}
				 *(_t454 - 4) =  *(_t454 - 4) | 0xffffffff;
				E00410DA8(_t379, _t454 - 0x38);
				_t298 =  *(_t454 + 8);
				goto L95;
			}

0x00410138
0x0041013d
0x00410142
0x0041014a
0x00410150
0x00410155
0x0041015b
0x0041015e
0x00410161
0x00410163
0x00410165
0x00410170
0x0041017d
0x00410180
0x00410180
0x00410165
0x00410183
0x00410185
0x00410188
0x0041018b
0x00410192
0x00410195
0x004101f6
0x004101f6
0x004101f9
0x004101fc
0x004101ff
0x00410205
0x0041020b
0x00410217
0x0041021b
0x00410220
0x00410224
0x00410228
0x0041022a
0x0041022d
0x00410235
0x00410248
0x00410259
0x0041025b
0x00410266
0x00410269
0x0041026c
0x0041026c
0x0041026c
0x0041022d
0x0041026e
0x00410272
0x004106f4
0x004106f6
0x004106fe
0x004106fe
0x00410701
0x0041070e
0x0041070e
0x00410715
0x0041072e
0x00410733
0x0041073d
0x00410742
0x00410742
0x00410744
0x0041074a
0x00410752
0x00410752
0x00410703
0x00410709
0x00410709
0x0041070c
0x00000000
0x00000000
0x00000000
0x00410278
0x00410278
0x0041027b
0x00000000
0x00000000
0x00410284
0x00410289
0x00410295
0x00410298
0x004102a3
0x004102a8
0x004102ac
0x004102c2
0x004102c2
0x004102c2
0x004102c4
0x004102c4
0x004102c7
0x004102ca
0x004102cd
0x004102d0
0x004102d3
0x004102d6
0x004102d9
0x004102dc
0x004102df
0x004102e3
0x004102e6
0x004102e9
0x004102ee
0x004102f1
0x004102f3
0x004102f5
0x004102f8
0x004102fb
0x00000000
0x00000000
0x00410309
0x0041030c
0x00410312
0x00410317
0x00410319
0x00410327
0x00410327
0x0041032e
0x00410338
0x0041033d
0x0041034e
0x00410353
0x00410357
0x00410558
0x00410558
0x00410565
0x00410568
0x00410568
0x0041056e
0x0041056e
0x00410571
0x00410573
0x00410573
0x0041057e
0x00410582
0x00000000
0x00410582
0x0041035d
0x0041036b
0x0041036b
0x0041036b
0x0041036e
0x00410371
0x00000000
0x00000000
0x00410377
0x00000000
0x004104ac
0x004104af
0x004104b5
0x004104ba
0x004104bd
0x004104c2
0x004104c6
0x004104ca
0x00000000
0x00000000
0x004104cf
0x00000000
0x00000000
0x004104d4
0x004104d7
0x004104d8
0x004104dd
0x00000000
0x00000000
0x0041037e
0x00410382
0x0041038e
0x00410392
0x004103a3
0x004103a7
0x004103b7
0x004103c7
0x004103ce
0x004103d1
0x004103d4
0x004103d7
0x00410435
0x0041043e
0x00410443
0x00410446
0x00410449
0x0041044b
0x0041044b
0x0041044f
0x00410453
0x00000000
0x00000000
0x00000000
0x00000000
0x004103d9
0x004103d9
0x004103d9
0x004103e4
0x004103ed
0x004103f0
0x004103f0
0x004103f2
0x00000000
0x00000000
0x00000000
0x00000000
0x004103f4
0x004103f4
0x004103f4
0x004103f8
0x00000000
0x00000000
0x004103fa
0x004103fe
0x004103ff
0x00410402
0x00000000
0x00000000
0x00000000
0x00410402
0x00410404
0x00410404
0x00410407
0x00410409
0x00410409
0x00410417
0x0041041c
0x00410425
0x00410426
0x00410429
0x00410430
0x00410430
0x00000000
0x00000000
0x004104ef
0x004104f2
0x00000000
0x00000000
0x004104f7
0x004104fa
0x00000000
0x00000000
0x004104ff
0x00410502
0x00000000
0x00000000
0x00410458
0x0041045e
0x00410464
0x00410469
0x0041046d
0x0041046d
0x0041046d
0x00410471
0x00410474
0x00410479
0x0041047d
0x00410483
0x00410485
0x0041048a
0x0041048e
0x00410491
0x00410491
0x00000000
0x00000000
0x00000000
0x00000000
0x004104e4
0x004104e7
0x00410508
0x00410508
0x00410509
0x0041050c
0x0041050d
0x0041050f
0x00410496
0x004104a2
0x00000000
0x00000000
0x00410516
0x00410518
0x0041051b
0x00410521
0x00000000
0x00000000
0x00410523
0x00000000
0x0041052a
0x0041052a
0x0041052a
0x0041052a
0x0041052d
0x00410532
0x00410534
0x00410536
0x00410536
0x0041053a
0x00410541
0x00410544
0x00410544
0x00410549
0x00000000
0x00000000
0x0041054b
0x00410551
0x00410551
0x00000000
0x00410556
0x00410525
0x00410528
0x00000000
0x00000000
0x00000000
0x00000000
0x00410377
0x0041035f
0x00410365
0x00000000
0x00000000
0x00000000
0x00410365
0x0041031b
0x00410322
0x00410322
0x00000000
0x00410322
0x0041031d
0x00410320
0x00000000
0x00000000
0x00000000
0x00410320
0x00410591
0x0041059a
0x0041059d
0x004105a0
0x004105a5
0x004105b0
0x004105b1
0x004105b1
0x004105b6
0x004105ba
0x004105c1
0x004105c6
0x004105c8
0x004105cb
0x004105d0
0x004105d8
0x004105e0
0x004105e0
0x004105e6
0x004105eb
0x004105f0
0x004105f3
0x004105f6
0x004105f8
0x004105fa
0x004105fd
0x004106d5
0x004106e0
0x004106e8
0x004106ec
0x004106f1
0x00000000
0x00410603
0x00410603
0x00410603
0x00410603
0x00410606
0x00410609
0x0041060c
0x0041060f
0x00410613
0x00410616
0x00410620
0x00410620
0x00410618
0x0041061b
0x0041061b
0x00410622
0x00410624
0x0041067a
0x0041067e
0x00410681
0x0041068b
0x0041068b
0x00410683
0x00410686
0x00410686
0x0041068d
0x00410692
0x00410695
0x00410698
0x004106a5
0x004106a5
0x0041069a
0x004106a0
0x004106a0
0x004106a7
0x004106aa
0x004106ad
0x004106b1
0x004106b1
0x004106b1
0x00410626
0x00410626
0x0041062c
0x00410633
0x00410635
0x0041063a
0x0041063c
0x00410642
0x00410645
0x0041064b
0x0041065d
0x0041065d
0x0041065f
0x0041065f
0x00410661
0x00410664
0x0041066f
0x0041066f
0x00410672
0x00410675
0x00000000
0x00410675
0x0041064d
0x00410653
0x00410656
0x00000000
0x00000000
0x00410658
0x0041065a
0x00000000
0x0041065a
0x004106b5
0x004106b5
0x004106b9
0x004106bb
0x004106c1
0x004106c1
0x004106c4
0x004106c8
0x004106c9
0x004106cc
0x004106cc
0x00000000
0x00410606
0x004105fd
0x004102ae
0x004102b0
0x004102b6
0x00000000
0x00000000
0x004102bd
0x00000000
0x004102bd
0x00410272
0x00410197
0x0041019a
0x00000000
0x00000000
0x0041019f
0x004101a5
0x004101a6
0x004101a7
0x004101af
0x004101b5
0x004101bc
0x004101bf
0x004101e1
0x004101e3
0x004101ee
0x004101f1
0x004101f4
0x004101f4
0x00000000
0x004101f4
0x004101c1
0x004101c8
0x004101cd
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0041013D

Part of subcall function 0040E966: _CxxThrowException.MSVCRT(?,0041DDD8), ref: 0040E979

Part of subcall function 0040E9D2: memcpy.MSVCRT ref: 0040E9F8

_CxxThrowException.MSVCRT(?,0041DE18), ref: 004105B1

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: ExceptionThrow$H_prologmemcpy
String ID:
API String ID: 3273695820-0
Opcode ID: 8608d0076eec31eca5f0e81755e1f876d4cdaf6c97ca9a4aa084ed0ad63cd1ce
Instruction ID: 1e1c7e61ba698c275f7f534d06f4bc4e9de0f72c169ee7f0706794f77a0469e0
Opcode Fuzzy Hash: 8608d0076eec31eca5f0e81755e1f876d4cdaf6c97ca9a4aa084ed0ad63cd1ce
Instruction Fuzzy Hash: E0225B70900209EFCB14DFA5C580BEEBBB1BF49304F14806EE449A7292DB78AAD5CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00405FE9 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405FE9() {
				char _v12;
				struct _SYSTEM_INFO _v48;

				if(E00405FD6( &_v12) == 0) {
					L3:
					GetSystemInfo( &_v48);
					return _v48.dwNumberOfProcessors;
				} else {
					_t10 = _v12;
					if(_v12 == 0) {
						goto L3;
					} else {
						return E00405FBE(_t10);
					}
				}
			}

0x00405ff9
0x00406009
0x0040600d
0x00406017
0x00405ffb
0x00405ffb
0x00406000
0x00000000
0x00406002
0x00406008
0x00406008
0x00406000

APIs

Part of subcall function 00405FD6: GetCurrentProcess.KERNEL32(?,?,00405FF7), ref: 00405FDB
Part of subcall function 00405FD6: GetProcessAffinityMask.KERNEL32(00000000), ref: 00405FE2

GetSystemInfo.KERNEL32(?), ref: 0040600D

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: Process$AffinityCurrentInfoMaskSystem
String ID:
API String ID: 3251479945-0
Opcode ID: 9638cc95e3299b83821e6c84bee8aa3ccb8c6e68d8bff0197413b8266dbdf947
Instruction ID: a595d45d0e218688a76e62c7e93015bc085ee55c95d1e1a04d1298ad9275ef66
Opcode Fuzzy Hash: 9638cc95e3299b83821e6c84bee8aa3ccb8c6e68d8bff0197413b8266dbdf947
Instruction Fuzzy Hash: F0D01230A0120A97DF04EBE6D4469EFB7789E4424CF04407ED902F21D1EB78D5448B65

Uniqueness

Uniqueness Score: -1.00%

Function 00401951 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401951() {
				struct _OSVERSIONINFOW _v280;
				void* _t7;

				_v280.dwOSVersionInfoSize = 0x114;
				if(GetVersionExW( &_v280) == 0 || _v280.dwPlatformId != 2) {
					return 0;
				} else {
					_t7 = 1;
					return _t7;
				}
			}

0x00401960
0x00401973
0x00401986
0x0040197e
0x00401980
0x00401982
0x00401982

APIs

GetVersionExW.KERNEL32(?), ref: 0040196B

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 3796a73e287461f867f45a08f1f6e5757d9a1514d5947a266d71f92e6a93000a
Instruction ID: 5ea60d680a3723cf7479c9b9c674eb7bbe69d84cac2f3f11a719c8fc44cf451d
Opcode Fuzzy Hash: 3796a73e287461f867f45a08f1f6e5757d9a1514d5947a266d71f92e6a93000a
Instruction Fuzzy Hash: F7D05EB0A0020C47DF349B20ED1B7CBB6E8A700F48F0041F19A05F22C0E6B8DA89CDA5

Uniqueness

Uniqueness Score: -1.00%

Function 00417EC0 Relevance: .7, Instructions: 744
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00417EC0(signed int __ecx) {
				signed int _v4;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v60;
				intOrPtr _v64;
				void* _v68;
				signed int _v72;
				signed int _v76;
				void* _v80;
				intOrPtr _v84;
				void* _v88;
				void* _v92;
				char _v96;
				signed int _v100;
				void* _v104;
				signed int _v108;
				void* _v112;
				void* _v116;
				void* _v120;
				void* _v124;
				void* _v128;
				void* _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				void* _v176;
				void* _v180;
				signed int _v184;
				signed int _t368;
				void* _t370;
				signed int _t372;
				signed int _t377;
				signed int _t378;
				void* _t380;
				signed int _t382;
				signed int _t384;
				void* _t389;
				signed int _t393;
				signed int _t395;
				signed int _t398;
				signed int _t404;
				signed int _t408;
				signed int _t409;
				signed int _t412;
				signed int _t413;
				signed int _t415;
				signed int _t420;
				signed int _t422;
				void* _t432;
				void* _t433;
				intOrPtr* _t441;
				signed int* _t443;
				intOrPtr* _t445;
				intOrPtr _t448;
				signed int _t459;
				intOrPtr _t465;
				signed int _t471;
				void* _t478;
				signed int _t484;
				signed int _t488;
				signed int _t495;
				void* _t496;
				signed int _t498;
				signed int _t507;
				signed int _t508;
				signed int _t513;
				unsigned int _t516;
				signed int _t517;
				void* _t522;
				signed int _t525;
				signed int** _t532;
				signed int _t534;
				signed int _t535;
				void* _t543;
				void* _t544;
				intOrPtr _t554;
				char _t555;
				void* _t565;
				intOrPtr _t584;
				void* _t586;
				signed int _t596;
				intOrPtr _t597;
				signed int _t603;
				signed int _t628;
				signed int _t629;
				intOrPtr _t631;
				signed int _t633;
				void* _t636;
				void* _t638;
				void* _t639;
				void* _t643;
				void* _t646;
				void* _t647;
				signed int _t649;
				signed int _t650;
				void* _t658;
				signed int* _t659;

				_t659 =  &_v160;
				_t445 =  *__ecx;
				_v148 = __ecx;
				_v116 = 0;
				_v112 = 0;
				_v60 = 0;
				_v48 = 0;
				_v104 = 0;
				_t368 = E00418A70( *((intOrPtr*)(__ecx + 0x1c)));
				if(_t368 != 0) {
					L155:
					return _t368;
				} else {
					while(1) {
						_t596 = 0;
						if( *(_t445 + 0x24) != 0) {
							break;
						}
						_t448 =  *((intOrPtr*)(_t445 + 0x34));
						_t370 =  *((intOrPtr*)(_t445 + 0x30));
						asm("adc ecx, edi");
						 *((intOrPtr*)(_t445 + 0x30)) = _t370 + 1;
						 *((intOrPtr*)(_t445 + 0x34)) = _t448;
						_v88 = _t370;
						_v84 = _t448;
						_t372 = E004188F0(_t445,  &_v140, 0, 0, 0, 0, _t370, _t448);
						_v156 = _t372;
						_v184 =  *(_t445 + 0x70);
						_v132 = 0;
						_v88 = 0;
						_v92 = 0;
						_v68 = 0;
						_v124 = 0;
						_v180 = 0;
						_v176 = 0;
						if(_t372 == 0 && _v140 == 0) {
							_v128 = 0;
							_v136 =  *(_v148 + 8);
							_t638 =  *(_t445 + 0x64) -  *(_t445 + 0x60);
							_v124 = _t638;
							L5:
							while(1) {
								if(_v136 != _t596) {
									L10:
									_t565 = _v136 + 0x10;
									_v120 = _t565;
									_t658 = _t565;
									if(_t638 == _t596) {
										_v144 =  *_t445;
										_v136 = E00418840( *((intOrPtr*)(_t445 + 0xc)), _t565,  &_v144);
										_t420 = _v148;
										_v160 = _v160 + _t420;
										asm("adc edx, ecx");
										__eflags = _v132 - _t596;
										if(_v132 == _t596) {
											_v100 = _t420;
										}
										 *((intOrPtr*)(_t445 + 0x68)) =  *((intOrPtr*)(_t445 + 0x68)) + _t420;
										asm("adc edx, ecx");
										__eflags = _t420 -  *_t445;
										_t495 = 0 | _t420 !=  *_t445;
										__eflags = _t495 - _t596;
										_v160 = _t495;
										if(_t495 != _t596) {
											 *(_t445 + 0x70) = 1;
										}
										_t496 = _v132;
										__eflags = _t496 - _t596;
										if(_t496 != _t596) {
											 *((intOrPtr*)(_t445 + 0x48)) = _t496;
											 *(_t445 + 0x70) = 1;
											_v160 = 1;
											_v132 = _t596;
										}
										_t498 = _v156 - _v116;
										__eflags = _t498;
										asm("sbb edx, edi");
										_v4 = _v152;
										if(_t498 != 0) {
											L20:
											_t596 = 0;
											_t422 = E004188F0(_t445,  &_v140, 0, 0, 0, 0, _v88, _v84);
											__eflags = _t422;
											_v156 = _t422;
											if(_t422 == 0) {
												__eflags = _v140;
												if(_v140 != 0) {
													goto L53;
												} else {
													_v112 = _v152;
													_t420 = _v144;
													_v116 = _v156;
													goto L24;
												}
											}
										} else {
											__eflags = _t498 - 1;
											if(_t498 < 1) {
												_t596 = 0;
												__eflags = 0;
												goto L24;
											} else {
												goto L20;
											}
										}
									} else {
										_t420 = _t638;
										_v156 = _t638;
										_v152 = _t596;
										_v100 = _t638;
										_v144 = _t420;
										_t658 =  *((intOrPtr*)(_t445 + 0x5c)) +  *(_t445 + 0x60) + 0x10;
										L24:
										_v40 = 0 | _v128 == _t596;
										_v28 = _v160;
										_v32 = _t420;
										_v36 = _t658;
										_v20 = 1;
										 *((intOrPtr*)( *((intOrPtr*)(_t445 + 0x18))))( &_v40);
										_t584 = _v28;
										_v68 = 1;
										_v108 = _v24;
										if(_t584 == 1) {
											__eflags = _t638 - _t596;
											_v164 = 1;
											_v48 = 1;
											if(_t638 != _t596) {
												_t507 = _v148;
												_t639 = _t658;
												_t508 = _t507 >> 2;
												memcpy(_v124, _t639, _t508 << 2);
												memcpy(_t639 + _t508 + _t508, _t639, _t507 & 0x00000003);
												_t659 =  &(_t659[6]);
												_t596 = 0;
												__eflags = 0;
											}
											 *(_t445 + 0x60) = _t596;
											 *(_t445 + 0x64) = _t596;
											goto L53;
										} else {
											_t432 = _v36;
											if(_t638 != _t596) {
												_t534 = _t432;
												_t647 = _t658;
												_t535 = _t534 >> 2;
												memcpy(_v124, _t647, _t535 << 2);
												_t584 = _v28;
												_t432 = memcpy(_t647 + _t535 + _t535, _t647, _t534 & 0x00000003);
												_t659 =  &(_t659[6]);
												_t638 = _v128;
												_t596 = 0;
												 *(_t445 + 0x60) = _t432 +  *(_t445 + 0x60);
											}
											if(_t584 != _t596) {
												__eflags = _t584 - 3;
												if(_t584 == 3) {
													_v164 = 1;
												}
												goto L38;
											} else {
												if(_v164 != _t596) {
													L38:
													_t513 = _v148;
													_v112 = 1;
													__eflags = _t432 - _t513;
													if(_t432 != _t513) {
														__eflags = _t584 - 3;
														if(_t584 != 3) {
															__eflags = _t638 - _t596;
															if(_t638 == _t596) {
																_t433 = E004179B0(_t445);
																__eflags = _t433 - _t596;
																if(_t433 != _t596) {
																	_t586 = _v36;
																	_t516 = _v148 - _t586;
																	 *(_t445 + 0x64) = _t516;
																	_v160 = _v160 - _t516;
																	asm("sbb edi, esi");
																	 *(_t445 + 0x60) = 0;
																	_t643 = _t586 + _t658;
																	_t517 = _t516 >> 2;
																	memcpy(_t643 + _t517 + _t517, _t643, memcpy(_t433, _t643, _t517 << 2) & 0x00000003);
																	_t659 =  &(_t659[6]);
																	_t432 = _v36;
																	_t596 = 0;
																	__eflags = 0;
																	goto L50;
																} else {
																	goto L48;
																}
															} else {
																_v160 = _t432;
																_v156 = _t596;
																L50:
																__eflags = _v132 - _t596;
																if(_v132 == _t596) {
																	_v104 = _t432;
																}
																_v164 = _t596;
															}
														} else {
															__eflags = _t638 - _t596;
															 *(_t445 + 0x60) = _t596;
															 *(_t445 + 0x64) = _t596;
															if(_t638 != _t596) {
																_t646 = _t432 + _t658;
																_t525 = _t513 - _t432 >> 2;
																memcpy(_t646 + _t525 + _t525, _t646, memcpy(_t432 + _v124, _t646, _t525 << 2) & 0x00000003);
																_t659 =  &(_t659[6]);
																_t513 = _v148;
																_t432 = _v36;
																_t596 = 0;
																__eflags = 0;
															}
															_t522 = _t513 - _t432;
															_v64 = _t432 + _t658;
															_v52 = _t522;
															asm("sbb edx, edi");
															__eflags = _v132 - _t596;
															_v160 = _v160 - _t522;
															if(_v132 == _t596) {
																_v104 = _t432;
															}
														}
													} else {
														 *(_t445 + 0x60) = _t596;
														 *(_t445 + 0x64) = _t596;
													}
													goto L53;
												} else {
													if(_t432 != _v148) {
														_v136 = 0xb;
													} else {
														_t441 = _v140;
														_v132 = _t441;
														_v140 =  *_t441;
														if(_t638 != _t596) {
															_t638 = 0;
															 *(_t445 + 0x60) = _t596;
															_v128 = 0;
															 *(_t445 + 0x64) = _t596;
														}
														continue;
													}
												}
											}
										}
									}
								} else {
									_t443 =  *((intOrPtr*)( *((intOrPtr*)(_t445 + 0x14))))();
									_v136 = _t443;
									if(_t443 == _t596) {
										L48:
										_v164 = 1;
										_v72 = 1;
										L53:
										__eflags = _v132 - _t596;
										if(_v132 == _t596) {
											_v140 = E00418890(_t445,  &_v140, _v88, _v84);
										}
									} else {
										_t532 = _v128;
										 *_t443 = _t596;
										if(_t532 == _t596) {
											 *(_v148 + 8) = _t443;
										} else {
											 *_t532 = _t443;
										}
										goto L10;
									}
								}
								goto L55;
							}
						}
						L55:
						_v136 = _t596;
						__eflags = _v132 - _t596;
						if(_v132 != _t596) {
							L61:
							_v160 = 1;
						} else {
							__eflags = _v108 - _t596;
							if(_v108 == _t596) {
								L60:
								__eflags = _v140 - _t596;
								if(_v140 != _t596) {
									goto L61;
								}
							} else {
								__eflags = _v140 - _t596;
								if(_v140 != _t596) {
									goto L61;
								} else {
									_t415 =  *((intOrPtr*)( *((intOrPtr*)(_t445 + 0x18)) + 4))();
									__eflags = _t415 - _t596;
									_v136 = _t415;
									if(_t415 != _t596) {
										_v108 = _t596;
										_v160 = 1;
									}
									goto L60;
								}
							}
						}
						_v144 = _t596;
						__eflags = _v160 - _t596;
						_v128 = _t596;
						if(_v160 != _t596) {
							L71:
							_t543 = 0;
							_t649 = 0;
							__eflags = _v132;
							_v116 = 0;
							_v112 = 0;
							_v56 = 0;
							_v52 = 0;
							_v96 = 0;
							_v92 = 0;
							_v80 = 0;
							_v76 = 0;
							if(_v132 == 0) {
								__eflags = _v108;
								if(_v108 != 0) {
									__eflags = _v136;
									if(_v136 == 0) {
										_t393 = 1;
										_v120 =  *(_v148 + 8);
										while(1) {
											__eflags = _t393;
											if(_t393 == 0) {
												goto L77;
											}
											L76:
											_t633 = _v100;
											L81:
											_t555 = _t543 + _t633;
											asm("adc ebp, 0x0");
											_t395 = 1;
											__eflags = _t555 - _v156;
											_v96 = _t555;
											_v92 = _t649;
											_v124 = 1;
											if(_t555 != _v156) {
												L83:
												_t395 = 0;
												__eflags = 0;
											} else {
												__eflags = _t649 - _v152;
												if(_t649 != _v152) {
													goto L83;
												}
											}
											_t398 =  *((intOrPtr*)( *((intOrPtr*)(_t445 + 0x18)) + 8))(_v120 + 0x10, _t633, _t395,  &_v96,  &_v80,  &_v124);
											__eflags = _t398;
											_v160 = _t398;
											if(_t398 != 0) {
												E004189E0(_t445, _v112, _v108);
											} else {
												__eflags = _v148;
												if(_v148 == 0) {
													_t543 = _v120;
													_t649 = _v116;
													__eflags = _t543 - _v180;
													if(_t543 != _v180) {
														L88:
														_t403 = _t649;
														_t478 = _t543 - _v140;
														asm("sbb eax, esi");
														_t636 = _v104 - _v80;
														_t603 = _v100;
														asm("sbb edi, [esp+0x7c]");
														__eflags = _t649;
														if(__eflags > 0) {
															L93:
															_t404 = E004188F0(_t445,  &_v164, _t478, _t403, _t636, _t603, _v112, _v108);
															__eflags = _t404;
															_v180 = _t404;
															if(_t404 == 0) {
																__eflags = _v164;
																if(_v164 == 0) {
																	_t543 = _v120;
																	_t649 = _v116;
																	_v140 = _t543;
																	_v136 = _t649;
																	_v80 = _v104;
																	_v76 = _v100;
																	goto L96;
																}
															}
														} else {
															if(__eflags < 0) {
																L91:
																__eflags = _t603;
																if(_t603 > 0) {
																	goto L93;
																} else {
																	__eflags = _t636 - 1;
																	if(_t636 < 1) {
																		L96:
																		_t393 = 0;
																		_v144 =  *_v144;
																		__eflags = _t393;
																		if(_t393 == 0) {
																			goto L77;
																		}
																		goto L81;
																	} else {
																		goto L93;
																	}
																}
															} else {
																__eflags = _t478 - 1;
																if(_t478 >= 1) {
																	goto L93;
																} else {
																	goto L91;
																}
															}
														}
													} else {
														__eflags = _t649 - _v176;
														if(_t649 != _v176) {
															goto L88;
														}
													}
												}
											}
											goto L98;
											L77:
											_t633 =  *_t445;
											_t471 = _v156 - _t543;
											asm("sbb eax, ebp");
											__eflags = 0 - _v152;
											if(__eflags >= 0) {
												if(__eflags > 0) {
													L80:
													_t633 = _t471;
												} else {
													__eflags = _t633 - _t471;
													if(_t633 > _t471) {
														goto L80;
													}
												}
											}
											goto L81;
										}
									}
								}
							}
							L98:
							_t368 = E00418A70( *((intOrPtr*)(_v148 + 0x20)));
							_t650 = 0;
							__eflags = _t368;
							if(_t368 != 0) {
								goto L155;
							} else {
								_t597 = _v64;
								__eflags =  *(_t445 + 0x24);
								_v104 = 0;
								_v124 = 1;
								if( *(_t445 + 0x24) != 0) {
									break;
								} else {
									__eflags =  *(_t445 + 0x50);
									if( *(_t445 + 0x50) == 0) {
										_t377 = _v136;
										__eflags = _t377;
										if(_t377 == 0) {
											L104:
											_t378 = _v68;
										} else {
											 *(_t445 + 0x4c) = _t377;
											__eflags = _t377 - 2;
											 *(_t445 + 0x50) = 1;
											_t378 = 1;
											if(_t377 != 2) {
												goto L104;
											}
										}
										_t544 = _v128;
										__eflags = _t544 - _t650;
										if(_t544 != _t650) {
											 *(_t445 + 0x50) = 1;
											 *((intOrPtr*)(_t445 + 0x40)) = _t544;
											_t597 = 0;
											__eflags = 0;
										}
										__eflags = _t378 - _t650;
										if(_t378 != _t650) {
											 *(_t445 + 0x50) = 1;
											 *(_t445 + 0x38) = 1;
											_t597 = 0;
											__eflags = 0;
										}
										__eflags = _v44 - _t650;
										if(_v44 != _t650) {
											 *(_t445 + 0x50) = 1;
											 *(_t445 + 0x3c) = 1;
											_t597 = 0;
											__eflags = 0;
										}
									} else {
										_v140 = 1;
									}
									__eflags = _v108 - _t650;
									if(_v108 == _t650) {
										_t628 = _v132;
									} else {
										__eflags = _v140 - _t650;
										if(_v140 == _t650) {
											_t389 = _v92;
											_t465 = _v96;
											_t554 = _v76;
											_t631 = _v80;
										} else {
											_t465 = 0;
											_t389 = 0;
											_t631 = 0;
											_t554 = 0;
											_v96 = 0;
											_v92 = 0;
											_v80 = 0;
											_v76 = 0;
										}
										asm("sbb eax, ebp");
										asm("sbb edx, ebp");
										_t628 = E004178D0(_t445 + 0x98, _t465 - _v116, _t389, _t631 - _v56, _t554);
										_t650 = 0;
									}
									_v160 - _t650 = _v64 - _t650;
									_v72 = 0 | _v160 == _t650;
									if(_v64 != _t650) {
										__eflags = _t628 - _t650;
										if(_t628 != _t650) {
											L122:
											_t384 = 0;
											__eflags = 0;
										} else {
											__eflags = _t597 - _t650;
											if(_t597 == _t650) {
												goto L122;
											} else {
												__eflags = _v140 - _t650;
												if(_v140 != _t650) {
													goto L122;
												} else {
													_t384 = 1;
												}
											}
										}
										_t628 =  *((intOrPtr*)( *((intOrPtr*)(_t445 + 0x18)) + 0xc))(_t384, _v60, _v48,  &_v72,  &_v124);
										__eflags = _t628 - _t650;
										if(_t628 == _t650) {
											__eflags = _v92 - _t650;
											if(_v92 == _t650) {
												__eflags = _v180 - _t650;
												if(_v180 == _t650) {
													goto L127;
												}
											}
										} else {
											_v124 = 1;
											 *(_t445 + 0x50) = 1;
											L127:
											E004189E0(_t445, _v108, _v104);
										}
									}
									__eflags = _v124 - _t650;
									if(_v124 == _t650) {
										L142:
										_t629 = _v148;
										goto L143;
									} else {
										__eflags = _v108 - _t650;
										if(_v108 == _t650) {
											L136:
											__eflags =  *((intOrPtr*)(_t445 + 0x84)) - _t650;
											if( *((intOrPtr*)(_t445 + 0x84)) != _t650) {
												goto L138;
											} else {
												_t629 = _v148;
												 *((intOrPtr*)(_t445 + 0x80)) =  *((intOrPtr*)(_t629 + 4));
											}
											goto L139;
										} else {
											__eflags = _t628 - _t650;
											if(_t628 != _t650) {
												goto L136;
											} else {
												__eflags =  *(_t445 + 0x50) - _t650;
												if( *(_t445 + 0x50) != _t650) {
													goto L136;
												} else {
													__eflags = _v136 - _t650;
													if(_v136 != _t650) {
														goto L136;
													} else {
														__eflags = _v140 - _t650;
														if(_v140 != _t650) {
															goto L136;
														} else {
															__eflags =  *((intOrPtr*)(_t445 + 0x84)) - _t650;
															if( *((intOrPtr*)(_t445 + 0x84)) != _t650) {
																L138:
																_t629 = _v148;
																L139:
																_t382 = _v156;
																_t459 = _v152;
																__eflags = _t382 | _t459;
																if((_t382 | _t459) != 0) {
																	L141:
																	 *(_t629 + 0x10) = _t382;
																	 *(_t629 + 0xc) = _v100;
																	 *(_t629 + 0x14) = _t459;
																	 *((intOrPtr*)(_t445 + 0x84)) =  *((intOrPtr*)(_t445 + 0x84)) + 1;
																	L143:
																	__eflags = _v160 - _t650;
																	if(_v160 != _t650) {
																		goto L146;
																	} else {
																		_t356 = _v144 + 0x20; // 0x20
																		_t368 = E00418AC0(_t356);
																		__eflags = _t368 - _t650;
																		if(_t368 != _t650) {
																			goto L155;
																		} else {
																			goto L152;
																		}
																	}
																} else {
																	__eflags = _v160 - _t650;
																	if(_v160 != _t650) {
																		L146:
																		__eflags = _v72 - _t650;
																		if(_v72 == _t650) {
																			__eflags =  *((intOrPtr*)(_t629 + 4)) - _t650;
																			if( *((intOrPtr*)(_t629 + 4)) == _t650) {
																				break;
																			} else {
																				 *(_t445 + 0x24) = 1;
																				goto L151;
																			}
																		} else {
																			_t368 = E00418AC0(_t445 + 0xe8);
																			__eflags = _t368 - _t650;
																			if(_t368 != _t650) {
																				goto L155;
																			} else {
																				L151:
																				_t368 = E00418AC0(_t445 + 0xe4);
																				__eflags = _t368 - _t650;
																				if(_t368 != _t650) {
																					goto L155;
																				} else {
																					L152:
																					_v116 = _t650;
																					_v112 = _t650;
																					_v60 = _t650;
																					_v48 = _t650;
																					_v104 = _t650;
																					_t380 = E00418A70( *((intOrPtr*)(_t629 + 0x1c)));
																					__eflags = _t380 - _t650;
																					if(_t380 == _t650) {
																						continue;
																					} else {
																						return _t380;
																					}
																				}
																			}
																		}
																	} else {
																		goto L141;
																	}
																}
															} else {
																__eflags = _v104 - _t650;
																if(_v104 == _t650) {
																	goto L142;
																} else {
																	goto L136;
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						} else {
							_t408 =  *(_t445 + 0x58);
							__eflags = _t408 -  *(_t445 + 0x54);
							if(_t408 >=  *(_t445 + 0x54)) {
								L70:
								_t409 = _v148;
								_t484 =  *((intOrPtr*)(_t409 + 4)) + 1;
								__eflags = _t484 -  *(_t445 + 0x58);
								asm("sbb eax, eax");
								_t412 = _t445 + ((_t409 & _t484) + 5 + ((_t409 & _t484) + 5) * 4) * 8;
								_v144 = _t412;
								_t215 = _t412 + 0x1c; // 0x17
								_t368 = E00418AC0(_t215);
								__eflags = _t368 - _t596;
								if(_t368 != _t596) {
									goto L155;
								} else {
									goto L71;
								}
							} else {
								__eflags = _v104 - _t596;
								if(_v104 == _t596) {
									goto L70;
								} else {
									_t413 = E00418800(_t445 + (_t408 + 0x19 + _t408 * 4) * 8);
									__eflags = _t413 - _t596;
									if(_t413 != _t596) {
										_t488 =  *(_t445 + 0x58);
										__eflags = _t488 - 1;
										if(_t488 != 1) {
											 *(_t445 + 0x54) = _t488;
											goto L70;
										} else {
											_v160 = _t488;
											_v108 = _t596;
											_v128 = _t413;
											goto L71;
										}
									} else {
										 *(_t445 + 0x58) =  *(_t445 + 0x58) + 1;
										goto L70;
									}
								}
							}
						}
						goto L156;
					}
					_t368 = 0;
					__eflags = 0;
					goto L155;
				}
				L156:
			}

0x00417ec0
0x00417ec7
0x00417ecb
0x00417ed5
0x00417ed9
0x00417edd
0x00417ee1
0x00417ee8
0x00417eec
0x00417ef3
0x004187f5
0x004187ff
0x00417ef9
0x00417ef9
0x00417efc
0x00417f00
0x00000000
0x00000000
0x00417f06
0x00417f09
0x00417f16
0x00417f18
0x00417f1c
0x00417f27
0x00417f2b
0x00417f2f
0x00417f39
0x00417f3d
0x00417f41
0x00417f45
0x00417f49
0x00417f4d
0x00417f54
0x00417f58
0x00417f5c
0x00417f60
0x00417f77
0x00417f7e
0x00417f85
0x00417f87
0x00000000
0x00417f8b
0x00417f8f
0x00417fbc
0x00417fc0
0x00417fc5
0x00417fc9
0x00417fcb
0x00417ff8
0x00418007
0x0041800b
0x00418011
0x00418019
0x00418023
0x00418025
0x00418027
0x00418027
0x00418030
0x00418036
0x0041803f
0x00418046
0x00418049
0x0041804b
0x0041804f
0x00418051
0x00418051
0x00418054
0x00418058
0x0041805a
0x0041805c
0x0041805f
0x00418062
0x00418066
0x00418066
0x00418076
0x00418076
0x0041807c
0x0041807e
0x00418085
0x0041808c
0x00418095
0x004180a2
0x004180a7
0x004180a9
0x004180ad
0x004180b3
0x004180b7
0x00000000
0x004180bd
0x004180c5
0x004180c9
0x004180cd
0x00000000
0x004180cd
0x004180b7
0x00418087
0x00418087
0x0041808a
0x004180d3
0x004180d3
0x00000000
0x00000000
0x00000000
0x00000000
0x0041808a
0x00417fcd
0x00417fd3
0x00417fd5
0x00417fd9
0x00417fdd
0x00417fe1
0x00417fe5
0x004180d5
0x004180e4
0x004180eb
0x004180fd
0x0041810e
0x00418115
0x00418120
0x00418122
0x00418133
0x0041813b
0x0041813f
0x004181b7
0x004181b9
0x004181bd
0x004181c4
0x004181c6
0x004181d0
0x004181d2
0x004181d5
0x004181dc
0x004181dc
0x004181de
0x004181de
0x004181de
0x004181e0
0x004181e3
0x00000000
0x00418141
0x00418141
0x0041814a
0x00418150
0x00418154
0x00418156
0x00418159
0x0041815d
0x00418167
0x00418167
0x0041816c
0x00418172
0x00418174
0x00418174
0x00418179
0x004181f8
0x004181fb
0x004181fd
0x004181fd
0x00000000
0x0041817b
0x0041817f
0x00418205
0x00418205
0x00418209
0x00418211
0x00418213
0x00418220
0x00418223
0x0041828c
0x0041828e
0x0041829c
0x004182a1
0x004182a3
0x004182b8
0x004182c7
0x004182cb
0x004182ce
0x004182d7
0x004182d9
0x004182e4
0x004182e7
0x004182f1
0x004182f1
0x004182f3
0x004182fa
0x004182fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00418290
0x00418290
0x00418294
0x004182fc
0x004182fc
0x00418300
0x00418302
0x00418302
0x00418306
0x00418306
0x00418225
0x00418225
0x00418227
0x0041822a
0x0041822d
0x00418235
0x0041823d
0x00418247
0x00418247
0x00418249
0x0041824d
0x00418254
0x00418254
0x00418254
0x0041825d
0x0041825f
0x00418267
0x00418274
0x00418276
0x00418278
0x00418280
0x00418286
0x00418286
0x00418280
0x00418215
0x00418215
0x00418218
0x00418218
0x00000000
0x00418185
0x00418189
0x004181eb
0x0041818b
0x0041818b
0x00418191
0x00418197
0x0041819b
0x004181a1
0x004181a3
0x004181a6
0x004181aa
0x004181aa
0x00000000
0x0041819b
0x00418189
0x0041817f
0x00418179
0x0041813f
0x00417f91
0x00417f99
0x00417f9d
0x00417fa1
0x004182a5
0x004182aa
0x004182ae
0x0041830a
0x0041830a
0x0041830e
0x00418325
0x00418325
0x00417fa7
0x00417fa7
0x00417fab
0x00417faf
0x00417fb9
0x00417fb1
0x00417fb1
0x00417fb1
0x00000000
0x00417faf
0x00417fa1
0x00000000
0x00417f8f
0x00417f8b
0x00418329
0x0041832d
0x00418331
0x00418333
0x0041836b
0x0041836b
0x00418335
0x00418335
0x00418339
0x00418365
0x00418365
0x00418369
0x00000000
0x00000000
0x0041833b
0x0041833b
0x0041833f
0x00000000
0x00418341
0x0041834e
0x00418351
0x00418353
0x00418357
0x00418359
0x0041835d
0x0041835d
0x00000000
0x00418357
0x0041833f
0x00418339
0x00418377
0x0041837b
0x0041837d
0x00418381
0x004183ef
0x004183f3
0x004183f5
0x004183f7
0x004183f9
0x004183fd
0x00418401
0x00418405
0x00418409
0x0041840d
0x00418411
0x00418415
0x00418419
0x00418423
0x00418425
0x0041842f
0x00418431
0x0041843b
0x00418443
0x00418447
0x00418447
0x00418449
0x00000000
0x00000000
0x0041844b
0x0041844b
0x0041846d
0x00418471
0x00418473
0x00418476
0x0041847b
0x0041847d
0x00418481
0x00418485
0x00418489
0x00418491
0x00418491
0x00418491
0x0041848b
0x0041848b
0x0041848f
0x00000000
0x00000000
0x0041848f
0x004184b9
0x004184bc
0x004184be
0x004184c2
0x0041858a
0x004184c8
0x004184cc
0x004184ce
0x004184d4
0x004184dc
0x004184e0
0x004184e2
0x004184ee
0x004184f8
0x004184fa
0x00418500
0x00418506
0x00418508
0x0041850c
0x00418510
0x00418512
0x00418524
0x00418538
0x0041853d
0x0041853f
0x00418543
0x00418549
0x0041854b
0x0041854d
0x00418551
0x0041855d
0x00418561
0x00418565
0x00418569
0x00000000
0x00418569
0x0041854b
0x00418514
0x00418514
0x0041851b
0x0041851b
0x0041851d
0x00000000
0x0041851f
0x0041851f
0x00418522
0x0041856d
0x00418573
0x00418575
0x00418447
0x00418449
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00418522
0x00418516
0x00418516
0x00418519
0x00000000
0x00000000
0x00000000
0x00000000
0x00418519
0x00418514
0x004184e4
0x004184e4
0x004184e8
0x00000000
0x00000000
0x004184e8
0x004184e2
0x004184ce
0x00000000
0x00418451
0x00418459
0x0041845b
0x0041845d
0x00418461
0x00418463
0x00418465
0x0041846b
0x0041846b
0x00418467
0x00418467
0x00418469
0x00000000
0x00000000
0x00418469
0x00418465
0x00000000
0x00418463
0x00418447
0x00418431
0x00418425
0x0041858f
0x00418596
0x0041859b
0x0041859d
0x0041859f
0x00000000
0x004185a5
0x004185a8
0x004185b1
0x004185b3
0x004185b7
0x004185bb
0x00000000
0x004185c1
0x004185c1
0x004185c4
0x004185cc
0x004185d0
0x004185d2
0x004185e1
0x004185e1
0x004185d4
0x004185d4
0x004185d7
0x004185da
0x004185dd
0x004185df
0x00000000
0x00000000
0x004185df
0x004185e5
0x004185e9
0x004185eb
0x004185ed
0x004185f0
0x004185f3
0x004185f3
0x004185f3
0x004185f5
0x004185f7
0x004185f9
0x004185fc
0x004185ff
0x004185ff
0x004185ff
0x00418601
0x00418608
0x0041860a
0x0041860d
0x00418610
0x00418610
0x00418610
0x004185c6
0x004185c6
0x004185c6
0x00418612
0x00418616
0x00418675
0x00418618
0x00418618
0x0041861c
0x00418638
0x0041863c
0x00418640
0x00418644
0x0041861e
0x0041861e
0x00418620
0x00418622
0x00418624
0x00418626
0x0041862a
0x0041862e
0x00418632
0x00418632
0x00418652
0x0041865e
0x0041866f
0x00418671
0x00418671
0x00418688
0x0041868a
0x0041868e
0x00418690
0x00418692
0x004186a5
0x004186a5
0x004186a5
0x00418694
0x00418694
0x00418696
0x00000000
0x00418698
0x00418698
0x0041869c
0x00000000
0x0041869e
0x0041869e
0x0041869e
0x0041869c
0x00418696
0x004186cf
0x004186d1
0x004186d3
0x004186e3
0x004186e7
0x004186e9
0x004186ed
0x00000000
0x00000000
0x004186ed
0x004186d5
0x004186da
0x004186de
0x004186ef
0x004186fb
0x004186fb
0x004186d3
0x00418700
0x00418704
0x00418773
0x00418773
0x00000000
0x00418706
0x00418706
0x0041870a
0x0041872f
0x0041872f
0x00418735
0x00000000
0x00418737
0x00418737
0x0041873e
0x0041873e
0x00000000
0x0041870c
0x0041870c
0x0041870e
0x00000000
0x00418710
0x00418710
0x00418713
0x00000000
0x00418715
0x00418715
0x00418719
0x00000000
0x0041871b
0x0041871b
0x0041871f
0x00000000
0x00418721
0x00418721
0x00418727
0x00418746
0x00418746
0x0041874a
0x0041874a
0x0041874e
0x00418754
0x00418756
0x0041875e
0x00418762
0x00418765
0x00418768
0x0041876b
0x00418777
0x00418777
0x0041877b
0x00000000
0x0041877d
0x00418781
0x00418784
0x00418789
0x0041878b
0x00000000
0x0041878d
0x00000000
0x0041878d
0x0041878b
0x00418758
0x00418758
0x0041875c
0x0041878f
0x0041878f
0x00418793
0x004187a6
0x004187a9
0x00000000
0x004187ab
0x004187ab
0x00000000
0x004187ab
0x00418795
0x0041879b
0x004187a0
0x004187a2
0x00000000
0x004187a4
0x004187b2
0x004187b8
0x004187bd
0x004187bf
0x00000000
0x004187c1
0x004187c1
0x004187c4
0x004187c8
0x004187cc
0x004187d0
0x004187d7
0x004187db
0x004187e0
0x004187e2
0x00000000
0x004187e8
0x004187f2
0x004187f2
0x004187e2
0x004187bf
0x004187a2
0x00000000
0x00000000
0x00000000
0x0041875c
0x00418729
0x00418729
0x0041872d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041872d
0x00418727
0x0041871f
0x00418719
0x00418713
0x0041870e
0x0041870a
0x00418704
0x004185bb
0x00418383
0x00418383
0x00418389
0x0041838b
0x004183c1
0x004183c1
0x004183cb
0x004183cc
0x004183ce
0x004183d8
0x004183db
0x004183df
0x004183e2
0x004183e7
0x004183e9
0x00000000
0x00000000
0x00000000
0x00000000
0x0041838d
0x0041838d
0x00418391
0x00000000
0x00418393
0x0041839a
0x0041839f
0x004183a1
0x004183a8
0x004183ab
0x004183ae
0x004183be
0x00000000
0x004183b0
0x004183b0
0x004183b4
0x004183b8
0x00000000
0x004183b8
0x004183a3
0x004183a3
0x00000000
0x004183a3
0x004183a1
0x00418391
0x0041838b
0x00000000
0x00418381
0x004187f3
0x004187f3
0x00000000
0x004187f3
0x00000000

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: CriticalSection$EnterEventLeaveObjectSingleWait
String ID:
API String ID: 4060455350-0
Opcode ID: d91d0f24886aa54881d1fee9411465e8b1a358461c2d41ae07dc7561fca3ab1c
Instruction ID: 0dc7357cac2cd79fa94644e9c2eba0aba47737fef7d268bb9f56e353bf7a9682
Opcode Fuzzy Hash: d91d0f24886aa54881d1fee9411465e8b1a358461c2d41ae07dc7561fca3ab1c
Instruction Fuzzy Hash: B962F471A083458FCB24DF19C4805ABFBE2BFC8744F244A6EE89987315DB75D885CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00416536 Relevance: .5, Instructions: 516
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00416536(unsigned int __eax, void* __ecx, signed int __edx, signed int __esi) {
				unsigned int _t495;
				unsigned int _t496;
				unsigned int _t497;
				unsigned int _t498;
				unsigned int _t499;
				unsigned int _t500;
				unsigned int _t501;
				unsigned int _t502;
				unsigned int _t508;
				unsigned int _t509;
				unsigned int _t510;
				unsigned int _t511;
				unsigned int _t512;
				unsigned int _t515;
				unsigned int _t516;
				unsigned int _t517;
				unsigned int _t518;
				unsigned int _t519;
				unsigned int _t520;
				unsigned int _t521;
				unsigned int _t522;
				unsigned int _t523;
				unsigned int _t524;
				unsigned int _t525;
				unsigned int _t526;
				unsigned int _t527;
				unsigned int _t528;
				unsigned int _t529;
				unsigned int _t530;
				unsigned int _t531;
				unsigned int _t532;
				unsigned int _t533;
				unsigned int _t534;
				unsigned int _t535;
				unsigned int _t536;
				unsigned int _t537;
				unsigned int _t538;
				unsigned int _t539;
				signed int _t542;
				signed int _t543;
				void* _t544;
				void* _t546;
				void* _t555;
				void* _t556;
				void* _t557;
				void* _t558;
				void* _t559;
				unsigned int _t562;
				unsigned int _t568;
				unsigned int _t571;
				unsigned int _t573;
				unsigned int _t575;
				unsigned int _t584;
				void* _t604;
				unsigned int _t607;
				void* _t622;
				unsigned int _t625;
				unsigned int _t648;
				signed int _t650;
				signed int _t651;
				unsigned int _t656;
				signed int _t660;
				unsigned int _t665;
				signed int _t669;
				unsigned int _t674;
				signed int _t678;
				unsigned int _t683;
				signed int _t687;
				unsigned int _t692;
				signed int _t727;
				void* _t728;
				void* _t729;
				void* _t730;
				void* _t731;
				void* _t732;
				void* _t733;
				unsigned int _t736;
				unsigned int _t739;
				signed int _t743;
				unsigned int _t746;
				unsigned int _t748;
				signed int _t750;
				signed int _t752;
				signed int _t755;
				signed int _t760;
				void* _t763;
				unsigned int _t764;
				signed int _t766;
				void* _t768;
				intOrPtr _t771;
				signed int _t775;
				void* _t776;
				signed int _t780;
				signed int _t783;
				signed char _t786;
				void* _t787;
				unsigned int _t788;
				signed int _t790;
				signed int _t791;
				signed int _t792;
				unsigned int _t795;
				signed int _t798;
				unsigned int _t799;
				signed char* _t806;
				signed char* _t808;
				unsigned int _t812;
				signed int _t815;
				unsigned int _t816;
				void* _t818;
				signed char* _t825;
				signed char* _t827;
				unsigned int _t831;
				signed int _t838;
				signed int _t846;
				signed int _t847;
				signed int _t852;
				signed int _t858;
				signed int _t859;
				signed int _t860;
				signed int _t861;
				signed int _t862;
				signed int _t863;
				signed int _t864;
				unsigned int _t865;
				unsigned int _t870;
				signed int _t872;
				unsigned int _t873;
				unsigned int _t875;
				unsigned int _t877;
				unsigned int _t879;
				unsigned int _t881;
				unsigned int _t883;
				unsigned int _t885;
				signed int _t889;
				signed int _t890;
				signed int _t891;
				signed int _t892;
				signed int _t893;
				unsigned int _t902;
				signed int _t946;
				unsigned int _t948;
				unsigned int _t950;
				signed int _t954;
				signed int _t959;
				signed char* _t961;
				unsigned int _t967;
				unsigned int _t972;
				unsigned int _t977;
				unsigned int _t982;
				unsigned int _t987;
				unsigned int _t990;
				signed int _t996;
				signed int _t999;
				unsigned int _t1001;
				signed char* _t1028;
				unsigned int _t1035;
				unsigned int _t1039;
				unsigned int _t1042;
				unsigned int _t1051;
				unsigned int _t1055;
				unsigned int _t1058;
				unsigned int _t1073;
				signed int _t1076;
				signed short* _t1079;
				unsigned int _t1080;
				signed int _t1083;
				signed short* _t1084;
				unsigned int _t1085;
				signed int _t1088;
				signed short* _t1089;
				unsigned int _t1090;
				signed int _t1093;
				signed short* _t1094;
				unsigned int _t1095;
				signed int _t1098;
				signed short* _t1099;
				unsigned int _t1100;
				signed int _t1103;
				signed short* _t1104;
				unsigned int _t1105;
				signed int _t1111;
				unsigned int _t1114;
				signed char* _t1123;
				unsigned int _t1140;
				unsigned int _t1145;
				unsigned int _t1150;
				unsigned int _t1155;
				unsigned int _t1160;
				unsigned int _t1165;
				unsigned int _t1170;
				unsigned int _t1175;
				signed char* _t1184;
				signed int _t1222;
				unsigned int _t1227;
				unsigned int _t1230;
				unsigned int _t1234;
				unsigned int _t1239;
				signed int _t1245;
				void* _t1249;
				signed int _t1250;
				void* _t1252;
				unsigned int _t1253;
				signed int _t1255;
				unsigned int _t1256;
				unsigned int _t1258;
				unsigned int _t1260;
				unsigned int _t1262;
				void* _t1264;
				signed int _t1267;
				signed int _t1268;
				signed int _t1270;
				signed char* _t1275;
				signed char* _t1281;
				unsigned int _t1284;
				signed int _t1286;
				signed char* _t1292;
				void* _t1298;
				short* _t1299;
				signed int _t1300;
				signed int _t1302;
				signed int _t1304;
				signed int _t1306;
				signed char* _t1308;
				signed int _t1310;
				intOrPtr _t1312;
				char* _t1314;
				signed char* _t1315;
				signed char* _t1317;
				unsigned int _t1320;
				unsigned int _t1325;
				unsigned int _t1330;
				void* _t1350;
				intOrPtr _t1352;
				signed int _t1357;
				signed int _t1358;
				unsigned int _t1361;
				void* _t1365;
				void* _t1366;
				void* _t1367;
				void* _t1368;
				void* _t1369;
				void* _t1370;
				signed char* _t1377;
				char _t1378;
				void* _t1380;

				_t1222 = __esi;
				_t889 = __edx;
				_t495 = __eax;
				while(1) {
					L153:
					_t544 = _t763 + _t763;
					_t764 =  *(_t544 + _t1245 + 0x200) & 0x0000ffff;
					if(_t502 < 0x1000000) {
						_t502 = _t502 << 8;
						_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
						 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
					}
					_t954 = (_t502 >> 0xb) * _t764;
					if(_t889 >= _t954) {
						_t502 = _t502 - _t954;
						_t889 = _t889 - _t954;
						 *(_t544 + _t1245 + 0x200) = _t764 - (_t764 >> 5);
						_t763 = _t544 + 1;
					} else {
						_t502 = _t954;
						 *(_t544 + _t1245 + 0x200) = (0x800 - _t764 >> 5) + _t764;
						_t763 = _t544;
					}
					if(_t763 < 0x100) {
						continue;
					}
					L159:
					_t766 = _t763 - 0xf0;
					while(1) {
						 *(_t1380 + 0x30) = _t766;
						if( *(_t1380 + 0x14) < 0xc) {
							goto L231;
						}
						L161:
						if(_t766 >= 4) {
							_t766 = 3;
						}
						_t775 = _t766 + 1 << 7;
						_t1253 =  *(_t775 + _t1310 + 2) & 0x0000ffff;
						_t776 = _t775 + _t1310;
						if(_t502 < 0x1000000) {
							_t1028 =  *(_t1380 + 0x10);
							_t502 = _t502 << 8;
							_t889 = _t889 << 0x00000008 |  *_t1028 & 0x000000ff;
							 *(_t1380 + 0x10) =  &(_t1028[1]);
						}
						_t967 = (_t502 >> 0xb) * _t1253;
						if(_t889 >= _t967) {
							_t508 = _t502 - _t967;
							_t889 = _t889 - _t967;
							 *((short*)(_t776 + 2)) = _t1253 - (_t1253 >> 5);
							_t1255 = 3;
						} else {
							_t508 = _t967;
							 *((short*)(_t776 + 2)) = (0x800 - _t1253 >> 5) + _t1253;
							_t1255 = 2;
						}
						_t1315 =  *(_t1380 + 0x10);
						_t556 = _t1255 + _t1255;
						_t1256 =  *(_t556 + _t776) & 0x0000ffff;
						if(_t508 < 0x1000000) {
							_t508 = _t508 << 8;
							_t889 = _t889 << 0x00000008 |  *_t1315 & 0x000000ff;
							_t1315 =  &(_t1315[1]);
							 *(_t1380 + 0x10) = _t1315;
						}
						_t972 = (_t508 >> 0xb) * _t1256;
						if(_t889 >= _t972) {
							_t509 = _t508 - _t972;
							_t889 = _t889 - _t972;
							 *(_t556 + _t776) = _t1256 - (_t1256 >> 5);
							_t556 = _t556 + 1;
						} else {
							_t509 = _t972;
							 *(_t556 + _t776) = (0x800 - _t1256 >> 5) + _t1256;
						}
						_t557 = _t556 + _t556;
						_t1258 =  *(_t557 + _t776) & 0x0000ffff;
						if(_t509 < 0x1000000) {
							_t509 = _t509 << 8;
							_t889 = _t889 << 0x00000008 |  *_t1315 & 0x000000ff;
							_t1315 =  &(_t1315[1]);
							 *(_t1380 + 0x10) = _t1315;
						}
						_t977 = (_t509 >> 0xb) * _t1258;
						if(_t889 >= _t977) {
							_t510 = _t509 - _t977;
							_t889 = _t889 - _t977;
							 *(_t557 + _t776) = _t1258 - (_t1258 >> 5);
							_t557 = _t557 + 1;
						} else {
							_t510 = _t977;
							 *(_t557 + _t776) = (0x800 - _t1258 >> 5) + _t1258;
						}
						_t558 = _t557 + _t557;
						_t1260 =  *(_t558 + _t776) & 0x0000ffff;
						if(_t510 < 0x1000000) {
							_t510 = _t510 << 8;
							_t889 = _t889 << 0x00000008 |  *_t1315 & 0x000000ff;
							_t1315 =  &(_t1315[1]);
							 *(_t1380 + 0x10) = _t1315;
						}
						_t982 = (_t510 >> 0xb) * _t1260;
						if(_t889 >= _t982) {
							_t511 = _t510 - _t982;
							_t889 = _t889 - _t982;
							 *(_t558 + _t776) = _t1260 - (_t1260 >> 5);
							_t558 = _t558 + 1;
						} else {
							_t511 = _t982;
							 *(_t558 + _t776) = (0x800 - _t1260 >> 5) + _t1260;
						}
						_t559 = _t558 + _t558;
						_t1262 =  *(_t559 + _t776) & 0x0000ffff;
						if(_t511 < 0x1000000) {
							_t511 = _t511 << 8;
							_t889 = _t889 << 0x00000008 |  *_t1315 & 0x000000ff;
							_t1315 =  &(_t1315[1]);
							 *(_t1380 + 0x10) = _t1315;
						}
						_t987 = (_t511 >> 0xb) * _t1262;
						if(_t889 >= _t987) {
							_t512 = _t511 - _t987;
							_t889 = _t889 - _t987;
							 *(_t559 + _t776) = _t1262 - (_t1262 >> 5);
							_t559 = _t559 + 1;
						} else {
							_t512 = _t987;
							 *(_t559 + _t776) = (0x800 - _t1262 >> 5) + _t1262;
						}
						_t1264 = _t559 + _t559;
						_t990 =  *(_t1264 + _t776) & 0x0000ffff;
						if(_t512 < 0x1000000) {
							_t512 = _t512 << 8;
							_t889 = _t889 << 0x00000008 |  *_t1315 & 0x000000ff;
							 *(_t1380 + 0x10) =  &(_t1315[1]);
						}
						_t562 = (_t512 >> 0xb) * _t990;
						if(_t889 >= _t562) {
							_t502 = _t512 - _t562;
							_t889 = _t889 - _t562;
							 *(_t1264 + _t776) = _t990 - (_t990 >> 5);
							_t1264 = _t1264 + 1;
						} else {
							_t502 = _t562;
							 *(_t1264 + _t776) = (0x800 - _t990 >> 5) + _t990;
						}
						_t1245 = _t1264 - 0x40;
						if(_t1245 < 4) {
							L228:
							 *(_t1380 + 0x48) =  *(_t1380 + 0x40);
							 *(_t1380 + 0x40) =  *(_t1380 + 0x3c);
							 *(_t1380 + 0x3c) =  *(_t1380 + 0x2c);
							_t436 = _t1245 + 1; // -60
							_t780 = _t436;
							 *(_t1380 + 0x2c) = _t780;
							asm("sbb ecx, ecx");
							 *(_t1380 + 0x14) = (_t780 & 0xfffffffd) + 0xa;
							_t783 =  *(_t1380 + 0x4c);
							if(_t783 == 0) {
								_t783 =  *(_t1380 + 0x28);
							}
							if(_t1245 >= _t783) {
								 *( *((intOrPtr*)(_t1380 + 0x60)) + 0x18) =  *(_t1380 + 0x1c);
								return 1;
							} else {
								goto L231;
							}
						} else {
							_t786 = (_t1245 >> 1) - 1;
							_t1267 = _t1245 & 0x00000001 | 0x00000002;
							if(_t1245 >= 0xe) {
								_t1317 =  *(_t1380 + 0x10);
								_t787 = _t786 - 4;
								do {
									if(_t502 < 0x1000000) {
										_t502 = _t502 << 8;
										_t889 = _t889 << 0x00000008 |  *_t1317 & 0x000000ff;
										_t1317 =  &(_t1317[1]);
									}
									_t502 = _t502 >> 1;
									_t902 = _t889 - _t502;
									_t996 =  ~(_t902 >> 0x1f);
									_t1267 = _t996 + 1 + _t1267 * 2;
									_t889 = _t902 + (_t996 & _t502);
									_t787 = _t787 - 1;
								} while (_t787 != 0);
								_t999 =  *(_t1380 + 0x44);
								_t788 =  *(_t999 + 2) & 0x0000ffff;
								_t1268 = _t1267 << 4;
								 *(_t1380 + 0x10) = _t1317;
								if(_t502 < 0x1000000) {
									_t502 = _t502 << 8;
									_t889 = _t889 << 0x00000008 |  *_t1317 & 0x000000ff;
									_t1317 =  &(_t1317[1]);
									 *(_t1380 + 0x10) = _t1317;
								}
								_t568 = (_t502 >> 0xb) * _t788;
								if(_t889 >= _t568) {
									_t515 = _t502 - _t568;
									_t889 = _t889 - _t568;
									 *(_t999 + 2) = _t788 - (_t788 >> 5);
									_t790 = 3;
								} else {
									_t515 = _t568;
									 *(_t999 + 2) = (0x800 - _t788 >> 5) + _t788;
									_t790 = 2;
								}
								_t571 =  *(_t999 + _t790 * 2) & 0x0000ffff;
								if(_t515 < 0x1000000) {
									_t515 = _t515 << 8;
									_t889 = _t889 << 0x00000008 |  *_t1317 & 0x000000ff;
									 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
								}
								_t1320 = (_t515 >> 0xb) * _t571;
								if(_t889 >= _t1320) {
									_t516 = _t515 - _t1320;
									_t889 = _t889 - _t1320;
									 *(_t999 + _t790 * 2) = _t571 - (_t571 >> 5);
									_t791 = _t790 + 4;
								} else {
									_t516 = _t1320;
									 *(_t999 + _t790 * 2) = (0x800 - _t571 >> 5) + _t571;
									_t791 = _t790 + 2;
								}
								_t573 =  *(_t999 + _t791 * 2) & 0x0000ffff;
								if(_t516 < 0x1000000) {
									_t516 = _t516 << 8;
									_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
									 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
								}
								_t1325 = (_t516 >> 0xb) * _t573;
								if(_t889 >= _t1325) {
									_t517 = _t516 - _t1325;
									_t889 = _t889 - _t1325;
									 *(_t999 + _t791 * 2) = _t573 - (_t573 >> 5);
									_t792 = _t791 + 8;
								} else {
									_t517 = _t1325;
									 *(_t999 + _t791 * 2) = (0x800 - _t573 >> 5) + _t573;
									_t792 = _t791 + 4;
								}
								_t575 =  *(_t999 + _t792 * 2) & 0x0000ffff;
								if(_t517 < 0x1000000) {
									_t517 = _t517 << 8;
									_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
									 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
								}
								_t1330 = (_t517 >> 0xb) * _t575;
								if(_t889 >= _t1330) {
									_t502 = _t517 - _t1330;
									_t889 = _t889 - _t1330;
									 *(_t999 + _t792 * 2) = _t575 - (_t575 >> 5);
								} else {
									_t502 = _t1330;
									 *(_t999 + _t792 * 2) = (0x800 - _t575 >> 5) + _t575;
									_t792 = _t792 - 8;
								}
								_t1245 = _t1268 | _t792;
								if(_t1245 == 0xffffffff) {
									 *(_t1380 + 0x14) =  *(_t1380 + 0x14) - 0xc;
									_t1250 = 0x112;
									L250:
									_t771 =  *((intOrPtr*)(_t1380 + 0x60));
									_t961 =  *(_t1380 + 0x10);
									if(_t502 < 0x1000000) {
										_t502 = _t502 << 8;
										_t889 = _t889 << 0x00000008 |  *_t961 & 0x000000ff;
										_t961 =  &(_t961[1]);
									}
									 *(_t771 + 0x24) = _t889;
									 *(_t771 + 0x20) = _t502;
									 *(_t771 + 0x18) =  *(_t1380 + 0x1c);
									 *(_t771 + 0x28) =  *(_t1380 + 0x28);
									 *(_t771 + 0x1c) = _t961;
									 *(_t771 + 0x30) =  *(_t1380 + 0x2c);
									 *(_t771 + 0x44) = _t1250;
									 *(_t771 + 0x34) =  *(_t1380 + 0x3c);
									 *(_t771 + 0x38) =  *(_t1380 + 0x3c);
									 *(_t771 + 0x3c) =  *(_t1380 + 0x44);
									 *((intOrPtr*)(_t771 + 0x40)) =  *((intOrPtr*)(_t1380 + 0xc));
									return 0;
								} else {
									goto L228;
								}
							} else {
								_t1350 = 1;
								_t1270 = (_t1267 << _t786) + 1;
								do {
									_t1001 =  *( *(_t1380 + 0x44) + _t1270 * 2 - 0xd00) & 0x0000ffff;
									if(_t502 < 0x1000000) {
										_t502 = _t502 << 8;
										_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
										 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
									}
									_t584 = (_t502 >> 0xb) * _t1001;
									if(_t889 >= _t584) {
										_t502 = _t502 - _t584;
										_t889 = _t889 - _t584;
										_t1350 = _t1350 + _t1350;
										 *( *(_t1380 + 0x44) + _t1270 * 2 - 0xd00) = _t1001 - (_t1001 >> 5);
										_t1270 = _t1270 + _t1350;
									} else {
										_t502 = _t584;
										 *( *(_t1380 + 0x44) + _t1270 * 2 - 0xd00) = (0x800 - _t1001 >> 5) + _t1001;
										_t1270 = _t1270 + _t1350;
										_t1350 = _t1350 + _t1350;
									}
									_t786 = _t786 - 1;
								} while (_t786 != 0);
								_t1245 = _t1270 - _t1350;
								goto L228;
							}
						}
						L253:
						L231:
						_t959 =  *(_t1380 + 0x1c);
						_t546 =  *(_t1380 + 0x30) + 2;
						_t768 =  *((intOrPtr*)(_t1380 + 0x64)) - _t959;
						if(_t768 == 0) {
							 *( *((intOrPtr*)(_t1380 + 0x60)) + 0x18) = _t959;
							return 1;
						} else {
							if(_t768 >= _t546) {
								_t768 = _t546;
							}
							asm("sbb esi, esi");
							 *(_t1380 + 0x28) =  *(_t1380 + 0x28) + _t768;
							 *(_t1380 + 0x30) = _t546 - _t768;
							_t1249 = (_t1245 &  *(_t1380 + 0x38)) -  *(_t1380 + 0x2c) + _t959;
							if(_t768 >  *(_t1380 + 0x38) - _t1249) {
								_t1312 =  *((intOrPtr*)(_t1380 + 0x34));
								do {
									 *((char*)(_t959 + _t1312)) =  *((intOrPtr*)(_t1249 + _t1312));
									_t1249 = _t1249 + 1;
									_t959 = _t959 + 1;
									if(_t1249 ==  *(_t1380 + 0x38)) {
										_t1249 = 0;
									}
									_t768 = _t768 - 1;
								} while (_t768 != 0);
								 *(_t1380 + 0x1c) = _t959;
							} else {
								_t1314 = _t959 +  *((intOrPtr*)(_t1380 + 0x34));
								_t1252 = _t1249 - _t959;
								_t555 = _t768 + _t1314;
								 *(_t1380 + 0x1c) = _t959 + _t768;
								do {
									 *_t1314 =  *((intOrPtr*)(_t1252 + _t1314));
									_t1314 = _t1314 + 1;
								} while (_t1314 != _t555);
								L243:
								while( *(_t1380 + 0x1c) <  *((intOrPtr*)(_t1380 + 0x64)) &&  *(_t1380 + 0x10) <  *((intOrPtr*)(_t1380 + 0x68))) {
									_t1222 =  *(_t1380 + 0x58);
									_t1310 =  *(_t1380 + 0x44);
									_t542 = ( *(_t1380 + 0x28) & _t1222) << 4;
									 *(_t1380 + 0x24) = _t542;
									_t543 = _t542 +  *(_t1380 + 0x14);
									_t736 =  *(_t1310 + _t543 * 2 - 0x200) & 0x0000ffff;
									if(_t495 < 0x1000000) {
										_t1308 =  *(_t1380 + 0x10);
										_t495 = _t495 << 8;
										_t889 = _t889 << 0x00000008 |  *_t1308 & 0x000000ff;
										 *(_t1380 + 0x10) =  &(_t1308[1]);
									}
									_t946 = (_t495 >> 0xb) * _t736;
									if(_t889 >= _t946) {
										 *(_t1310 + _t543 * 2 - 0x200) = _t736 - (_t736 >> 5);
										_t739 =  *(_t1310 + 0x20 +  *(_t1380 + 0x14) * 2) & 0x0000ffff;
										_t496 = _t495 - _t946;
										_t890 = _t889 - _t946;
										if(_t496 < 0x1000000) {
											_t1292 =  *(_t1380 + 0x10);
											_t496 = _t496 << 8;
											_t890 = _t890 << 0x00000008 |  *_t1292 & 0x000000ff;
											 *(_t1380 + 0x10) =  &(_t1292[1]);
										}
										_t1227 = (_t496 >> 0xb) * _t739;
										if(_t890 >= _t1227) {
											_t947 =  *(_t1380 + 0x14);
											_t497 = _t496 - _t1227;
											_t889 = _t890 - _t1227;
											 *((short*)(_t1310 + 0x20 + _t947 * 2)) = _t739 - (_t739 >> 5);
											_t1230 =  *(_t1310 + 0x38 + _t947 * 2) & 0x0000ffff;
											if(_t497 < 0x1000000) {
												_t497 = _t497 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t743 = (_t497 >> 0xb) * _t1230;
											if(_t889 >= _t743) {
												_t498 = _t497 - _t743;
												_t891 = _t889 - _t743;
												 *(_t1310 + 0x38 + _t947 * 2) = _t1230 - (_t1230 >> 5);
												_t746 =  *(_t1310 + 0x50 + _t947 * 2) & 0x0000ffff;
												if(_t498 < 0x1000000) {
													_t1281 =  *(_t1380 + 0x10);
													_t498 = _t498 << 8;
													_t891 = _t891 << 0x00000008 |  *_t1281 & 0x000000ff;
													 *(_t1380 + 0x10) =  &(_t1281[1]);
												}
												_t1234 = (_t498 >> 0xb) * _t746;
												if(_t891 >= _t1234) {
													_t499 = _t498 - _t1234;
													_t892 = _t891 - _t1234;
													 *(_t1310 + 0x50 + _t947 * 2) = _t746 - (_t746 >> 5);
													_t748 =  *(_t1310 + 0x68 + _t947 * 2) & 0x0000ffff;
													if(_t499 < 0x1000000) {
														_t1275 =  *(_t1380 + 0x10);
														_t499 = _t499 << 8;
														_t892 = _t892 << 0x00000008 |  *_t1275 & 0x000000ff;
														 *(_t1380 + 0x10) =  &(_t1275[1]);
													}
													_t1239 = (_t499 >> 0xb) * _t748;
													if(_t892 >= _t1239) {
														_t500 = _t499 - _t1239;
														_t892 = _t892 - _t1239;
														 *(_t1310 + 0x68 + _t947 * 2) = _t748 - (_t748 >> 5);
														_t750 =  *(_t1380 + 0x48);
														 *(_t1380 + 0x48) =  *(_t1380 + 0x40);
													} else {
														_t500 = _t1239;
														_t750 =  *(_t1380 + 0x40);
														 *(_t1310 + 0x68 + _t947 * 2) = (0x800 - _t748 >> 5) + _t748;
													}
													 *(_t1380 + 0x40) =  *(_t1380 + 0x3c);
												} else {
													_t500 = _t1234;
													_t750 =  *(_t1380 + 0x3c);
													 *(_t1310 + 0x50 + _t947 * 2) = (0x800 - _t746 >> 5) + _t746;
												}
												 *(_t1380 + 0x3c) =  *(_t1380 + 0x2c);
												 *(_t1380 + 0x2c) = _t750;
												goto L115;
											} else {
												_t947 =  *(_t1380 + 0x14);
												 *((short*)(_t1310 + 0x38 +  *(_t1380 + 0x14) * 2)) = (0x800 - _t1230 >> 5) + _t1230;
												_t1284 =  *(_t1310 + _t543 * 2 - 0xc00) & 0x0000ffff;
												_t524 = _t743;
												if(_t743 < 0x1000000) {
													_t524 = _t743 << 8;
													_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
													 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
												}
												_t831 = (_t524 >> 0xb) * _t1284;
												if(_t889 >= _t831) {
													_t500 = _t524 - _t831;
													_t892 = _t889 - _t831;
													_t750 = _t1284 >> 5;
													 *(_t1310 + _t543 * 2 - 0xc00) = _t1284 - _t750;
													L115:
													asm("sbb ecx, ecx");
													_t752 = (_t750 & 0xfffffffd) + 0xb;
													_t1245 = _t1310 - 0xa00;
													goto L116;
												} else {
													_t502 = _t831;
													_t1286 =  *(_t1380 + 0x1c);
													 *(_t1310 + _t543 * 2 - 0xc00) = (0x800 - _t1284 >> 5) + _t1284;
													_t1352 =  *((intOrPtr*)(_t1380 + 0x34));
													asm("sbb ebx, ebx");
													 *(_t1380 + 0x28) =  *(_t1380 + 0x28) + 1;
													_t838 =  *((_t543 &  *(_t1380 + 0x38)) -  *(_t1380 + 0x2c) + _t1286 + _t1352) & 0x000000ff;
													 *(_t1286 + _t1352) = _t838;
													asm("sbb ecx, ecx");
													 *(_t1380 + 0x1c) = _t1286 + 1;
													 *(_t1380 + 0x14) = (_t838 & 0xfffffffe) + 0xb;
													continue;
												}
											}
										} else {
											_t500 = _t1227;
											_t846 =  *(_t1380 + 0x14);
											 *((short*)(_t1310 + 0x20 + _t846 * 2)) = (0x800 - _t739 >> 5) + _t739;
											_t752 = _t846 + 0xc;
											_t1245 = _t1310 - 0x600;
											L116:
											_t948 =  *_t1245 & 0x0000ffff;
											 *(_t1380 + 0x14) = _t752;
											if(_t500 < 0x1000000) {
												_t827 =  *(_t1380 + 0x10);
												_t500 = _t500 << 8;
												_t892 = _t892 << 0x00000008 |  *_t827 & 0x000000ff;
												 *(_t1380 + 0x10) =  &(_t827[1]);
											}
											_t755 = (_t500 >> 0xb) * _t948;
											if(_t892 >= _t755) {
												_t501 = _t500 - _t755;
												_t893 = _t892 - _t755;
												 *_t1245 = _t948 - (_t948 >> 5);
												_t950 =  *(_t1245 + 0x10) & 0x0000ffff;
												if(_t501 < 0x1000000) {
													_t808 =  *(_t1380 + 0x10);
													_t501 = _t501 << 8;
													_t893 = _t893 << 0x00000008 |  *_t808 & 0x000000ff;
													 *(_t1380 + 0x10) =  &(_t808[1]);
												}
												_t760 = (_t501 >> 0xb) * _t950;
												if(_t893 >= _t760) {
													_t502 = _t501 - _t760;
													_t889 = _t893 - _t760;
													 *(_t1245 + 0x10) = _t950 - (_t950 >> 5);
													_t763 = 1;
													do {
														goto L153;
													} while (_t763 < 0x100);
													goto L159;
												} else {
													 *(_t1245 + 0x10) = (0x800 - _t950 >> 5) + _t950;
													_t1245 = _t1245 + 0x10 +  *(_t1380 + 0x24) * 2;
													_t1035 =  *(_t1245 + 2) & 0x0000ffff;
													_t518 = _t760;
													if(_t760 < 0x1000000) {
														_t518 = _t760 << 8;
														_t806 =  *(_t1380 + 0x10);
														_t893 = _t893 << 0x00000008 |  *_t806 & 0x000000ff;
														 *(_t1380 + 0x10) =  &(_t806[1]);
													}
													_t795 = (_t518 >> 0xb) * _t1035;
													if(_t893 >= _t795) {
														_t519 = _t518 - _t795;
														_t893 = _t893 - _t795;
														 *(_t1245 + 2) = _t1035 - (_t1035 >> 5);
														_t798 = 3;
													} else {
														_t519 = _t795;
														 *(_t1245 + 2) = (0x800 - _t1035 >> 5) + _t1035;
														_t798 = 2;
													}
													_t604 = _t798 + _t798;
													_t799 =  *(_t604 + _t1245) & 0x0000ffff;
													if(_t519 < 0x1000000) {
														_t519 = _t519 << 8;
														_t893 = _t893 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
														 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
													}
													_t1039 = (_t519 >> 0xb) * _t799;
													if(_t893 >= _t1039) {
														_t520 = _t519 - _t1039;
														_t889 = _t893 - _t1039;
														 *(_t604 + _t1245) = _t799 - (_t799 >> 5);
														_t604 = _t604 + 1;
													} else {
														_t520 = _t1039;
														 *(_t604 + _t1245) = (0x800 - _t799 >> 5) + _t799;
													}
													_t766 = _t604 + _t604;
													_t1042 =  *(_t766 + _t1245) & 0x0000ffff;
													if(_t520 < 0x1000000) {
														_t520 = _t520 << 8;
														_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
														 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
													}
													_t607 = (_t520 >> 0xb) * _t1042;
													if(_t889 >= _t607) {
														_t502 = _t520 - _t607;
														_t889 = _t889 - _t607;
														 *(_t766 + _t1245) = _t1042 - (_t1042 >> 5);
														_t766 = _t766 + 1;
													} else {
														_t502 = _t607;
														 *(_t766 + _t1245) = (0x800 - _t1042 >> 5) + _t1042;
													}
												}
											} else {
												 *_t1245 = (0x800 - _t948 >> 5) + _t948;
												_t1245 = _t1245 +  *(_t1380 + 0x24) * 2;
												_t1051 =  *(_t1245 + 2) & 0x0000ffff;
												_t521 = _t755;
												if(_t755 < 0x1000000) {
													_t521 = _t755 << 8;
													_t825 =  *(_t1380 + 0x10);
													_t892 = _t892 << 0x00000008 |  *_t825 & 0x000000ff;
													 *(_t1380 + 0x10) =  &(_t825[1]);
												}
												_t812 = (_t521 >> 0xb) * _t1051;
												if(_t892 >= _t812) {
													_t522 = _t521 - _t812;
													_t892 = _t892 - _t812;
													 *(_t1245 + 2) = _t1051 - (_t1051 >> 5);
													_t815 = 3;
												} else {
													_t522 = _t812;
													 *(_t1245 + 2) = (0x800 - _t1051 >> 5) + _t1051;
													_t815 = 2;
												}
												_t622 = _t815 + _t815;
												_t816 =  *(_t622 + _t1245) & 0x0000ffff;
												if(_t522 < 0x1000000) {
													_t522 = _t522 << 8;
													_t892 = _t892 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
													 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
												}
												_t1055 = (_t522 >> 0xb) * _t816;
												if(_t892 >= _t1055) {
													_t523 = _t522 - _t1055;
													_t889 = _t892 - _t1055;
													 *(_t622 + _t1245) = _t816 - (_t816 >> 5);
													_t622 = _t622 + 1;
												} else {
													_t523 = _t1055;
													 *(_t622 + _t1245) = (0x800 - _t816 >> 5) + _t816;
												}
												_t818 = _t622 + _t622;
												_t1058 =  *(_t818 + _t1245) & 0x0000ffff;
												if(_t523 < 0x1000000) {
													_t523 = _t523 << 8;
													_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
													 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
												}
												_t625 = (_t523 >> 0xb) * _t1058;
												if(_t889 >= _t625) {
													_t502 = _t523 - _t625;
													_t889 = _t889 - _t625;
													 *(_t818 + _t1245) = _t1058 - (_t1058 >> 5);
													_t766 = _t818 + 1 - 8;
												} else {
													_t502 = _t625;
													 *(_t818 + _t1245) = (0x800 - _t1058 >> 5) + _t1058;
													_t766 = _t818 - 8;
												}
												while(1) {
													 *(_t1380 + 0x30) = _t766;
													if( *(_t1380 + 0x14) < 0xc) {
														goto L231;
													}
													goto L161;
												}
											}
											 *(_t1380 + 0x30) = _t766;
											if( *(_t1380 + 0x14) < 0xc) {
												goto L231;
											}
										}
									} else {
										 *(_t1310 + _t543 * 2 - 0x200) = (0x800 - _t736 >> 5) + _t736;
										_t525 = _t946;
										_t1298 = _t1310 + 0x280;
										if( *(_t1380 + 0x28) != 0 ||  *(_t1380 + 0x4c) != 0) {
											_t847 =  *(_t1380 + 0x1c);
											if(_t847 == 0) {
												_t847 =  *(_t1380 + 0x38);
											}
											_t543 = (( *(_t847 +  *((intOrPtr*)(_t1380 + 0x34)) - 1) & 0x000000ff) + ( *(_t1380 + 0x28) << 0x00000008) &  *(_t1380 + 0x50)) <<  *(_t1380 + 0x54);
											_t1298 = _t1298 + (_t543 + _t543 * 2) * 2;
										}
										_t852 =  *(_t1380 + 0x14);
										 *(_t1380 + 0x28) =  *(_t1380 + 0x28) + 1;
										if(_t852 >= 7) {
											asm("sbb ebx, ebx");
											 *(_t1380 + 0x14) =  *(_t1380 + 0x14) - (_t543 & 0xfffffffd) + 6;
											asm("sbb ebp, ebp");
											_t1357 = ( *( *((intOrPtr*)(_t1380 + 0x34)) + (_t1310 &  *(_t1380 + 0x38)) -  *(_t1380 + 0x2c) +  *(_t1380 + 0x1c)) & 0x000000ff) + ( *( *((intOrPtr*)(_t1380 + 0x34)) + (_t1310 &  *(_t1380 + 0x38)) -  *(_t1380 + 0x2c) +  *(_t1380 + 0x1c)) & 0x000000ff);
											_t858 = _t1357 & 0x00000100;
											_t648 =  *(_t1298 + 0x202 + _t858 * 2) & 0x0000ffff;
											if(_t946 < 0x1000000) {
												_t525 = _t946 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t1073 = (_t525 >> 0xb) * _t648;
											if(_t889 >= _t1073) {
												_t526 = _t525 - _t1073;
												_t889 = _t889 - _t1073;
												 *(_t1298 + 0x202 + _t858 * 2) = _t648 - (_t648 >> 5);
												_t650 = 3;
											} else {
												_t526 = _t1073;
												 *(_t1298 + 0x202 + _t858 * 2) = (0x800 - _t648 >> 5) + _t648;
												_t650 = 2;
												_t858 = _t858 ^ 0x00000100;
											}
											_t1358 = _t1357 + _t1357;
											_t1076 = _t858;
											 *(_t1380 + 0x20) = _t1076;
											_t859 = _t858 & _t1358;
											_t1079 = _t1298 + (_t1076 + _t859 + _t650) * 2;
											 *(_t1380 + 0x18) = _t1079;
											_t1080 =  *_t1079 & 0x0000ffff;
											 *(_t1380 + 0x24) = _t1358;
											if(_t526 < 0x1000000) {
												_t526 = _t526 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t1361 = (_t526 >> 0xb) * _t1080;
											if(_t889 >= _t1361) {
												_t527 = _t526 - _t1361;
												_t889 = _t889 - _t1361;
												 *( *(_t1380 + 0x18)) = _t1080 - (_t1080 >> 5);
												_t108 = _t650 + 1; // 0x4
												_t1365 = _t650 + _t108;
											} else {
												_t527 = _t1361;
												_t859 = _t859 ^  *(_t1380 + 0x20);
												 *( *(_t1380 + 0x18)) = (0x800 - _t1080 >> 5) + _t1080;
												_t1365 = _t650 + _t650;
											}
											_t1083 =  *(_t1380 + 0x24) +  *(_t1380 + 0x24);
											_t651 = _t859;
											_t860 = _t859 & _t1083;
											 *(_t1380 + 0x20) = _t651;
											 *(_t1380 + 0x24) = _t1083;
											_t1084 = _t1298 + (_t651 + _t860 + _t1365) * 2;
											 *(_t1380 + 0x18) = _t1084;
											_t1085 =  *_t1084 & 0x0000ffff;
											if(_t527 < 0x1000000) {
												_t527 = _t527 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t656 = (_t527 >> 0xb) * _t1085;
											if(_t889 >= _t656) {
												_t528 = _t527 - _t656;
												_t889 = _t889 - _t656;
												 *( *(_t1380 + 0x18)) = _t1085 - (_t1085 >> 5);
												_t1366 = _t1365 + _t1365 + 1;
											} else {
												_t528 = _t656;
												_t1366 = _t1365 + _t1365;
												_t860 = _t860 ^  *(_t1380 + 0x20);
												 *( *(_t1380 + 0x18)) = (0x800 - _t1085 >> 5) + _t1085;
											}
											_t1088 =  *(_t1380 + 0x24) +  *(_t1380 + 0x24);
											_t660 = _t860;
											_t861 = _t860 & _t1088;
											 *(_t1380 + 0x20) = _t660;
											 *(_t1380 + 0x24) = _t1088;
											_t1089 = _t1298 + (_t660 + _t861 + _t1366) * 2;
											 *(_t1380 + 0x18) = _t1089;
											_t1090 =  *_t1089 & 0x0000ffff;
											if(_t528 < 0x1000000) {
												_t528 = _t528 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t665 = (_t528 >> 0xb) * _t1090;
											if(_t889 >= _t665) {
												_t529 = _t528 - _t665;
												_t889 = _t889 - _t665;
												 *( *(_t1380 + 0x18)) = _t1090 - (_t1090 >> 5);
												_t1367 = _t1366 + _t1366 + 1;
											} else {
												_t529 = _t665;
												_t1367 = _t1366 + _t1366;
												_t861 = _t861 ^  *(_t1380 + 0x20);
												 *( *(_t1380 + 0x18)) = (0x800 - _t1090 >> 5) + _t1090;
											}
											_t1093 =  *(_t1380 + 0x24) +  *(_t1380 + 0x24);
											_t669 = _t861;
											_t862 = _t861 & _t1093;
											 *(_t1380 + 0x20) = _t669;
											 *(_t1380 + 0x24) = _t1093;
											_t1094 = _t1298 + (_t669 + _t862 + _t1367) * 2;
											 *(_t1380 + 0x18) = _t1094;
											_t1095 =  *_t1094 & 0x0000ffff;
											if(_t529 < 0x1000000) {
												_t529 = _t529 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t674 = (_t529 >> 0xb) * _t1095;
											if(_t889 >= _t674) {
												_t530 = _t529 - _t674;
												_t889 = _t889 - _t674;
												 *( *(_t1380 + 0x18)) = _t1095 - (_t1095 >> 5);
												_t1368 = _t1367 + _t1367 + 1;
											} else {
												_t530 = _t674;
												_t1368 = _t1367 + _t1367;
												_t862 = _t862 ^  *(_t1380 + 0x20);
												 *( *(_t1380 + 0x18)) = (0x800 - _t1095 >> 5) + _t1095;
											}
											_t1098 =  *(_t1380 + 0x24) +  *(_t1380 + 0x24);
											_t678 = _t862;
											_t863 = _t862 & _t1098;
											 *(_t1380 + 0x20) = _t678;
											 *(_t1380 + 0x24) = _t1098;
											_t1099 = _t1298 + (_t678 + _t863 + _t1368) * 2;
											 *(_t1380 + 0x18) = _t1099;
											_t1100 =  *_t1099 & 0x0000ffff;
											if(_t530 < 0x1000000) {
												_t530 = _t530 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t683 = (_t530 >> 0xb) * _t1100;
											if(_t889 >= _t683) {
												_t531 = _t530 - _t683;
												_t889 = _t889 - _t683;
												 *( *(_t1380 + 0x18)) = _t1100 - (_t1100 >> 5);
												_t1369 = _t1368 + _t1368 + 1;
											} else {
												_t531 = _t683;
												_t1369 = _t1368 + _t1368;
												_t863 = _t863 ^  *(_t1380 + 0x20);
												 *( *(_t1380 + 0x18)) = (0x800 - _t1100 >> 5) + _t1100;
											}
											_t1103 =  *(_t1380 + 0x24) +  *(_t1380 + 0x24);
											_t687 = _t863;
											_t864 = _t863 & _t1103;
											 *(_t1380 + 0x20) = _t687;
											 *(_t1380 + 0x24) = _t1103;
											_t1104 = _t1298 + (_t687 + _t864 + _t1369) * 2;
											 *(_t1380 + 0x18) = _t1104;
											_t1105 =  *_t1104 & 0x0000ffff;
											if(_t531 < 0x1000000) {
												_t531 = _t531 << 8;
												_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
												 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
											}
											_t692 = (_t531 >> 0xb) * _t1105;
											if(_t889 >= _t692) {
												_t532 = _t531 - _t692;
												_t889 = _t889 - _t692;
												 *( *(_t1380 + 0x18)) = _t1105 - (_t1105 >> 5);
												_t1370 = _t1369 + _t1369 + 1;
											} else {
												_t532 = _t692;
												_t1370 = _t1369 + _t1369;
												_t864 = _t864 ^  *(_t1380 + 0x20);
												 *( *(_t1380 + 0x18)) = (0x800 - _t1105 >> 5) + _t1105;
											}
											_t1111 = ( *(_t1380 + 0x24) +  *(_t1380 + 0x24) & _t864) + _t864 + _t1370;
											_t865 =  *(_t1298 + _t1111 * 2) & 0x0000ffff;
											_t1299 = _t1298 + _t1111 * 2;
											if(_t532 < 0x1000000) {
												_t1123 =  *(_t1380 + 0x10);
												_t532 = _t532 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1123 & 0x000000ff;
												 *(_t1380 + 0x10) =  &(_t1123[1]);
											}
											_t1114 = (_t532 >> 0xb) * _t865;
											if(_t889 >= _t1114) {
												_t502 = _t532 - _t1114;
												_t889 = _t889 - _t1114;
												 *_t1299 = _t865 - (_t865 >> 5);
												_t1300 =  *(_t1380 + 0x1c);
												 *((char*)(_t1300 +  *((intOrPtr*)(_t1380 + 0x34)))) = _t1370 + _t1370 + 1;
												 *(_t1380 + 0x1c) = _t1300 + 1;
											} else {
												_t502 = _t1114;
												 *_t1299 = (0x800 - _t865 >> 5) + _t865;
												_t1302 =  *(_t1380 + 0x1c);
												 *((char*)(_t1302 +  *((intOrPtr*)(_t1380 + 0x34)))) = _t1370 + _t1370;
												 *(_t1380 + 0x1c) = _t1302 + 1;
											}
										} else {
											_t727 = _t852;
											if(_t852 >= 4) {
												_t727 = 3;
											}
											_t1377 =  *(_t1380 + 0x10);
											 *(_t1380 + 0x14) = _t852 - _t727;
											_t870 =  *(_t1298 + 2) & 0x0000ffff;
											if(_t946 < 0x1000000) {
												_t525 = _t946 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1377 & 0x000000ff;
												_t1377 =  &(_t1377[1]);
												 *(_t1380 + 0x10) = _t1377;
											}
											_t1140 = (_t525 >> 0xb) * _t870;
											if(_t889 >= _t1140) {
												_t533 = _t525 - _t1140;
												_t889 = _t889 - _t1140;
												 *(_t1298 + 2) = _t870 - (_t870 >> 5);
												_t872 = 3;
											} else {
												_t533 = _t1140;
												 *(_t1298 + 2) = (0x800 - _t870 >> 5) + _t870;
												_t872 = 2;
											}
											_t728 = _t872 + _t872;
											_t873 =  *(_t728 + _t1298) & 0x0000ffff;
											if(_t533 < 0x1000000) {
												_t533 = _t533 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1377 & 0x000000ff;
												_t1377 =  &(_t1377[1]);
												 *(_t1380 + 0x10) = _t1377;
											}
											_t1145 = (_t533 >> 0xb) * _t873;
											if(_t889 >= _t1145) {
												_t534 = _t533 - _t1145;
												_t889 = _t889 - _t1145;
												 *(_t728 + _t1298) = _t873 - (_t873 >> 5);
												_t728 = _t728 + 1;
											} else {
												_t534 = _t1145;
												 *(_t728 + _t1298) = (0x800 - _t873 >> 5) + _t873;
											}
											_t729 = _t728 + _t728;
											_t875 =  *(_t729 + _t1298) & 0x0000ffff;
											if(_t534 < 0x1000000) {
												_t534 = _t534 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1377 & 0x000000ff;
												_t1377 =  &(_t1377[1]);
												 *(_t1380 + 0x10) = _t1377;
											}
											_t1150 = (_t534 >> 0xb) * _t875;
											if(_t889 >= _t1150) {
												_t535 = _t534 - _t1150;
												_t889 = _t889 - _t1150;
												 *(_t729 + _t1298) = _t875 - (_t875 >> 5);
												_t729 = _t729 + 1;
											} else {
												_t535 = _t1150;
												 *(_t729 + _t1298) = (0x800 - _t875 >> 5) + _t875;
											}
											_t730 = _t729 + _t729;
											_t877 =  *(_t730 + _t1298) & 0x0000ffff;
											if(_t535 < 0x1000000) {
												_t535 = _t535 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1377 & 0x000000ff;
												_t1377 =  &(_t1377[1]);
												 *(_t1380 + 0x10) = _t1377;
											}
											_t1155 = (_t535 >> 0xb) * _t877;
											if(_t889 >= _t1155) {
												_t536 = _t535 - _t1155;
												_t889 = _t889 - _t1155;
												 *(_t730 + _t1298) = _t877 - (_t877 >> 5);
												_t730 = _t730 + 1;
											} else {
												_t536 = _t1155;
												 *(_t730 + _t1298) = (0x800 - _t877 >> 5) + _t877;
											}
											_t731 = _t730 + _t730;
											_t879 =  *(_t731 + _t1298) & 0x0000ffff;
											if(_t536 < 0x1000000) {
												_t536 = _t536 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1377 & 0x000000ff;
												_t1377 =  &(_t1377[1]);
												 *(_t1380 + 0x10) = _t1377;
											}
											_t1160 = (_t536 >> 0xb) * _t879;
											if(_t889 >= _t1160) {
												_t537 = _t536 - _t1160;
												_t889 = _t889 - _t1160;
												 *(_t731 + _t1298) = _t879 - (_t879 >> 5);
												_t731 = _t731 + 1;
											} else {
												_t537 = _t1160;
												 *(_t731 + _t1298) = (0x800 - _t879 >> 5) + _t879;
											}
											_t732 = _t731 + _t731;
											_t881 =  *(_t732 + _t1298) & 0x0000ffff;
											if(_t537 < 0x1000000) {
												_t537 = _t537 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1377 & 0x000000ff;
												_t1377 =  &(_t1377[1]);
												 *(_t1380 + 0x10) = _t1377;
											}
											_t1165 = (_t537 >> 0xb) * _t881;
											if(_t889 >= _t1165) {
												_t538 = _t537 - _t1165;
												_t889 = _t889 - _t1165;
												 *(_t732 + _t1298) = _t881 - (_t881 >> 5);
												_t732 = _t732 + 1;
											} else {
												_t538 = _t1165;
												 *(_t732 + _t1298) = (0x800 - _t881 >> 5) + _t881;
											}
											_t733 = _t732 + _t732;
											_t883 =  *(_t733 + _t1298) & 0x0000ffff;
											if(_t538 < 0x1000000) {
												_t538 = _t538 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1377 & 0x000000ff;
												 *(_t1380 + 0x10) =  &(_t1377[1]);
											}
											_t1170 = (_t538 >> 0xb) * _t883;
											if(_t889 >= _t1170) {
												_t539 = _t538 - _t1170;
												_t889 = _t889 - _t1170;
												 *(_t733 + _t1298) = _t883 - (_t883 >> 5);
												_t733 = _t733 + 1;
											} else {
												_t539 = _t1170;
												 *(_t733 + _t1298) = (0x800 - _t883 >> 5) + _t883;
											}
											_t1378 = _t733 + _t733;
											_t885 =  *(_t1298 + _t1378) & 0x0000ffff;
											if(_t539 < 0x1000000) {
												_t1184 =  *(_t1380 + 0x10);
												_t539 = _t539 << 8;
												_t889 = _t889 << 0x00000008 |  *_t1184 & 0x000000ff;
												 *(_t1380 + 0x10) =  &(_t1184[1]);
											}
											_t1175 = (_t539 >> 0xb) * _t885;
											if(_t889 >= _t1175) {
												_t502 = _t539 - _t1175;
												_t889 = _t889 - _t1175;
												 *(_t1298 + _t1378) = _t885 - (_t885 >> 5);
												_t1304 =  *(_t1380 + 0x1c);
												 *((char*)(_t1304 +  *((intOrPtr*)(_t1380 + 0x34)))) = _t1378 + 1;
												 *(_t1380 + 0x1c) = _t1304 + 1;
											} else {
												_t502 = _t1175;
												 *(_t1298 + _t1378) = (0x800 - _t885 >> 5) + _t885;
												_t1306 =  *(_t1380 + 0x1c);
												 *((char*)(_t1306 +  *((intOrPtr*)(_t1380 + 0x34)))) = _t1378;
												 *(_t1380 + 0x1c) = _t1306 + 1;
											}
										}
										continue;
									}
									goto L253;
								}
								_t1250 =  *(_t1380 + 0x30);
								goto L250;
							}
							goto L243;
						}
						goto L253;
					}
					L153:
					_t544 = _t763 + _t763;
					_t764 =  *(_t544 + _t1245 + 0x200) & 0x0000ffff;
					if(_t502 < 0x1000000) {
						_t502 = _t502 << 8;
						_t889 = _t889 << 0x00000008 |  *( *(_t1380 + 0x10)) & 0x000000ff;
						 *(_t1380 + 0x10) =  &(( *(_t1380 + 0x10))[1]);
					}
					_t954 = (_t502 >> 0xb) * _t764;
					if(_t889 >= _t954) {
						_t502 = _t502 - _t954;
						_t889 = _t889 - _t954;
						 *(_t544 + _t1245 + 0x200) = _t764 - (_t764 >> 5);
						_t763 = _t544 + 1;
					} else {
						_t502 = _t954;
						 *(_t544 + _t1245 + 0x200) = (0x800 - _t764 >> 5) + _t764;
						_t763 = _t544;
					}
				}
			}

0x00416536
0x00416536
0x00416536
0x00416540
0x00416540
0x00416540
0x00416543
0x00416550
0x0041655c
0x0041655f
0x00416561
0x00416561
0x0041656a
0x0041656f
0x0041658b
0x0041658d
0x00416596
0x0041659e
0x00416571
0x00416571
0x0041657f
0x00416587
0x00416587
0x004165a7
0x00000000
0x00000000
0x004165a9
0x004165a9
0x004165af
0x004165b4
0x004165b8
0x00000000
0x00000000
0x004165be
0x004165c1
0x004165c3
0x004165c3
0x004165c9
0x004165cc
0x004165d1
0x004165d8
0x004165da
0x004165e4
0x004165e7
0x004165ea
0x004165ea
0x004165f3
0x004165f8
0x00416613
0x00416615
0x0041661e
0x00416622
0x004165fa
0x004165fa
0x00416608
0x0041660c
0x0041660c
0x00416627
0x0041662b
0x0041662e
0x00416637
0x00416640
0x00416643
0x00416645
0x00416646
0x00416646
0x0041664f
0x00416654
0x0041666a
0x0041666c
0x00416675
0x00416679
0x00416656
0x00416656
0x00416664
0x00416664
0x0041667a
0x0041667c
0x00416685
0x0041668e
0x00416691
0x00416693
0x00416694
0x00416694
0x0041669d
0x004166a2
0x004166b8
0x004166ba
0x004166c3
0x004166c7
0x004166a4
0x004166a4
0x004166b2
0x004166b2
0x004166c8
0x004166ca
0x004166d3
0x004166dc
0x004166df
0x004166e1
0x004166e2
0x004166e2
0x004166eb
0x004166f0
0x00416706
0x00416708
0x00416711
0x00416715
0x004166f2
0x004166f2
0x00416700
0x00416700
0x00416716
0x00416718
0x00416721
0x0041672a
0x0041672d
0x0041672f
0x00416730
0x00416730
0x00416739
0x0041673e
0x00416754
0x00416756
0x0041675f
0x00416763
0x00416740
0x00416740
0x0041674e
0x0041674e
0x00416764
0x00416767
0x00416770
0x00416779
0x0041677c
0x0041677f
0x0041677f
0x00416788
0x0041678d
0x004167a3
0x004167a5
0x004167ae
0x004167b2
0x0041678f
0x0041678f
0x0041679d
0x0041679d
0x004167b3
0x004167b9
0x004169ea
0x004169f3
0x004169fb
0x00416a03
0x00416a07
0x00416a07
0x00416a0a
0x00416a0e
0x00416a16
0x00416a1a
0x00416a20
0x00416a22
0x00416a22
0x00416a28
0x00416ae1
0x00416aed
0x00000000
0x00000000
0x00000000
0x004167bf
0x004167c8
0x004167c9
0x004167cf
0x00416857
0x0041685b
0x00416860
0x00416865
0x0041686e
0x00416871
0x00416873
0x00416873
0x00416874
0x00416876
0x0041687d
0x0041687f
0x00416885
0x00416887
0x00416887
0x0041688a
0x0041688e
0x00416892
0x00416895
0x0041689e
0x004168a7
0x004168aa
0x004168ac
0x004168ad
0x004168ad
0x004168b6
0x004168bb
0x004168d6
0x004168d8
0x004168e1
0x004168e5
0x004168bd
0x004168bd
0x004168cb
0x004168cf
0x004168cf
0x004168ea
0x004168f3
0x004168fc
0x004168ff
0x00416901
0x00416901
0x0041690a
0x0041690f
0x00416928
0x0041692a
0x00416933
0x00416937
0x00416911
0x00416911
0x0041691f
0x00416923
0x00416923
0x0041693a
0x00416943
0x00416950
0x00416953
0x00416955
0x00416955
0x0041695e
0x00416963
0x0041697c
0x0041697e
0x00416987
0x0041698b
0x00416965
0x00416965
0x00416973
0x00416977
0x00416977
0x0041698e
0x00416997
0x004169a4
0x004169a7
0x004169a9
0x004169a9
0x004169b2
0x004169b7
0x004169d0
0x004169d2
0x004169db
0x004169b9
0x004169b9
0x004169c7
0x004169cb
0x004169cb
0x004169df
0x004169e4
0x00416aca
0x00416acf
0x00416b0a
0x00416b0a
0x00416b0e
0x00416b17
0x00416b1f
0x00416b22
0x00416b24
0x00416b24
0x00416b25
0x00416b2c
0x00416b33
0x00416b3a
0x00416b41
0x00416b45
0x00416b4c
0x00416b4f
0x00416b57
0x00416b5f
0x00416b62
0x00416b6b
0x00000000
0x00000000
0x00000000
0x004167d5
0x004167d7
0x004167dc
0x004167e0
0x004167e4
0x004167f1
0x004167fd
0x00416800
0x00416802
0x00416802
0x0041680b
0x00416810
0x00416832
0x00416834
0x00416841
0x00416843
0x0041684b
0x00416812
0x00416812
0x00416824
0x0041682c
0x0041682e
0x0041682e
0x0041684d
0x0041684d
0x00416850
0x00000000
0x00416850
0x004167cf
0x00000000
0x00416a2e
0x00416a36
0x00416a3a
0x00416a3d
0x00416a3f
0x00416af4
0x00416b03
0x00416a45
0x00416a47
0x00416a49
0x00416a49
0x00416a4f
0x00416a55
0x00416a5f
0x00416a67
0x00416a6d
0x00416a8e
0x00416a92
0x00416a95
0x00416a98
0x00416a99
0x00416a9e
0x00416aa0
0x00416aa0
0x00416aa2
0x00416aa2
0x00416aa5
0x00416a6f
0x00416a73
0x00416a76
0x00416a7a
0x00416a7d
0x00416a81
0x00416a84
0x00416a87
0x00416a88
0x00000000
0x00416aa9
0x00416abd
0x00416ac1
0x004158b6
0x004158b9
0x004158bd
0x004158c1
0x004158ce
0x004158d0
0x004158da
0x004158dd
0x004158e0
0x004158e0
0x004158e9
0x004158ee
0x0041602c
0x00416038
0x0041603d
0x0041603f
0x00416046
0x00416048
0x00416052
0x00416055
0x00416058
0x00416058
0x00416061
0x00416066
0x0041608d
0x00416091
0x00416093
0x0041609c
0x004160a1
0x004160ab
0x004160b7
0x004160ba
0x004160bc
0x004160bc
0x004160c5
0x004160ca
0x00416184
0x00416186
0x0041618f
0x00416194
0x0041619e
0x004161a0
0x004161aa
0x004161ad
0x004161b0
0x004161b0
0x004161b9
0x004161be
0x004161d9
0x004161db
0x004161e4
0x004161e9
0x004161f3
0x004161f5
0x004161ff
0x00416202
0x00416205
0x00416205
0x0041620e
0x00416213
0x0041622e
0x00416230
0x0041623d
0x00416242
0x00416246
0x00416215
0x00416215
0x00416223
0x00416227
0x00416227
0x0041624e
0x004161c0
0x004161c0
0x004161ce
0x004161d2
0x004161d2
0x00416256
0x0041625a
0x00000000
0x004160d0
0x004160de
0x004160e2
0x004160e7
0x004160ef
0x004160f7
0x004160fc
0x00416108
0x0041610a
0x0041610a
0x00416113
0x00416118
0x0041616c
0x0041616e
0x00416172
0x00416177
0x0041625e
0x00416261
0x00416266
0x00416269
0x00000000
0x0041611a
0x0041611a
0x00416128
0x0041612c
0x00416138
0x0041613e
0x00416144
0x0041614c
0x00416150
0x00416157
0x0041615f
0x00416163
0x00000000
0x00416163
0x00416118
0x00416068
0x00416068
0x00416076
0x0041607a
0x0041607f
0x00416082
0x0041626f
0x0041626f
0x00416272
0x0041627b
0x0041627d
0x00416287
0x0041628a
0x0041628d
0x0041628d
0x00416296
0x0041629b
0x004163c4
0x004163c6
0x004163cf
0x004163d2
0x004163db
0x004163dd
0x004163e7
0x004163ea
0x004163ed
0x004163ed
0x004163f6
0x004163fb
0x00416520
0x00416522
0x0041652b
0x0041652f
0x00416540
0x00000000
0x00000000
0x00000000
0x00416401
0x00416411
0x00416415
0x00416419
0x0041641d
0x00416425
0x0041642a
0x0041642c
0x00416436
0x00416439
0x00416439
0x00416442
0x00416447
0x00416462
0x00416464
0x0041646d
0x00416471
0x00416449
0x00416449
0x00416457
0x0041645b
0x0041645b
0x00416476
0x00416479
0x00416482
0x0041648e
0x00416491
0x00416493
0x00416493
0x0041649c
0x004164a1
0x004164b7
0x004164b9
0x004164c2
0x004164c6
0x004164a3
0x004164a3
0x004164b1
0x004164b1
0x004164c7
0x004164ca
0x004164d3
0x004164df
0x004164e2
0x004164e4
0x004164e4
0x004164ed
0x004164f2
0x0041650b
0x0041650d
0x00416516
0x0041651a
0x004164f4
0x004164f4
0x00416502
0x00416502
0x004164f2
0x004162a1
0x004162b1
0x004162b4
0x004162b7
0x004162bb
0x004162c3
0x004162c8
0x004162ca
0x004162d4
0x004162d7
0x004162d7
0x004162e0
0x004162e5
0x00416300
0x00416302
0x0041630b
0x0041630f
0x004162e7
0x004162e7
0x004162f5
0x004162f9
0x004162f9
0x00416314
0x00416317
0x00416320
0x0041632c
0x0041632f
0x00416331
0x00416331
0x0041633a
0x0041633f
0x00416355
0x00416357
0x00416360
0x00416364
0x00416341
0x00416341
0x0041634f
0x0041634f
0x00416365
0x00416368
0x00416371
0x0041637d
0x00416380
0x00416382
0x00416382
0x0041638b
0x00416390
0x004163ac
0x004163ae
0x004163b7
0x004163bc
0x00416392
0x00416392
0x004163a0
0x004163a4
0x004163a4
0x004165af
0x004165b4
0x004165b8
0x00000000
0x00000000
0x00000000
0x004165b8
0x004165af
0x004165b4
0x004165b8
0x00000000
0x00000000
0x004165b8
0x004158f4
0x00415905
0x0041590d
0x0041590f
0x00415915
0x0041591e
0x00415924
0x00415926
0x00415926
0x00415944
0x00415949
0x00415949
0x0041594c
0x00415950
0x00415957
0x00415c25
0x00415c33
0x00415c3d
0x00415c4f
0x00415c53
0x00415c59
0x00415c67
0x00415c6c
0x00415c78
0x00415c7a
0x00415c7a
0x00415c83
0x00415c88
0x00415cad
0x00415caf
0x00415cb8
0x00415cc0
0x00415c8a
0x00415c8a
0x00415c98
0x00415ca0
0x00415ca5
0x00415ca5
0x00415cc5
0x00415cc7
0x00415cc9
0x00415ccd
0x00415cd3
0x00415cd6
0x00415cda
0x00415cdd
0x00415ce6
0x00415cf3
0x00415cf6
0x00415cf8
0x00415cf8
0x00415d01
0x00415d06
0x00415d26
0x00415d28
0x00415d35
0x00415d39
0x00415d39
0x00415d08
0x00415d08
0x00415d1a
0x00415d1e
0x00415d21
0x00415d21
0x00415d41
0x00415d43
0x00415d45
0x00415d47
0x00415d4f
0x00415d53
0x00415d56
0x00415d5a
0x00415d62
0x00415d6e
0x00415d71
0x00415d73
0x00415d73
0x00415d7c
0x00415d81
0x00415da0
0x00415da2
0x00415daf
0x00415db2
0x00415d83
0x00415d83
0x00415d95
0x00415d97
0x00415d9b
0x00415d9b
0x00415dba
0x00415dbc
0x00415dbe
0x00415dc0
0x00415dc8
0x00415dcc
0x00415dcf
0x00415dd3
0x00415ddb
0x00415de7
0x00415dea
0x00415dec
0x00415dec
0x00415df5
0x00415dfa
0x00415e19
0x00415e1b
0x00415e28
0x00415e2b
0x00415dfc
0x00415dfc
0x00415e0e
0x00415e10
0x00415e14
0x00415e14
0x00415e33
0x00415e35
0x00415e37
0x00415e39
0x00415e41
0x00415e45
0x00415e48
0x00415e4c
0x00415e54
0x00415e60
0x00415e63
0x00415e65
0x00415e65
0x00415e6e
0x00415e73
0x00415e92
0x00415e94
0x00415ea1
0x00415ea4
0x00415e75
0x00415e75
0x00415e87
0x00415e89
0x00415e8d
0x00415e8d
0x00415eac
0x00415eae
0x00415eb0
0x00415eb2
0x00415eba
0x00415ebe
0x00415ec1
0x00415ec5
0x00415ecd
0x00415ed9
0x00415edc
0x00415ede
0x00415ede
0x00415ee7
0x00415eec
0x00415f0b
0x00415f0d
0x00415f1a
0x00415f1d
0x00415eee
0x00415eee
0x00415f00
0x00415f02
0x00415f06
0x00415f06
0x00415f25
0x00415f27
0x00415f29
0x00415f2b
0x00415f33
0x00415f37
0x00415f3a
0x00415f3e
0x00415f46
0x00415f52
0x00415f55
0x00415f57
0x00415f57
0x00415f60
0x00415f65
0x00415f84
0x00415f86
0x00415f93
0x00415f96
0x00415f67
0x00415f67
0x00415f79
0x00415f7b
0x00415f7f
0x00415f7f
0x00415fa4
0x00415fa6
0x00415faa
0x00415fb2
0x00415fb4
0x00415fbe
0x00415fc1
0x00415fc4
0x00415fc4
0x00415fcd
0x00415fd2
0x00415ffe
0x00416000
0x0041600d
0x00416010
0x00416018
0x0041601c
0x00415fd4
0x00415fd4
0x00415fe2
0x00415fe5
0x00415ff1
0x00415ff5
0x00415ff5
0x0041595d
0x0041595d
0x00415962
0x00415964
0x00415964
0x00415969
0x0041596f
0x00415973
0x0041597d
0x00415982
0x0041598b
0x0041598d
0x0041598e
0x0041598e
0x00415997
0x0041599c
0x004159b7
0x004159b9
0x004159c2
0x004159c6
0x0041599e
0x0041599e
0x004159ac
0x004159b0
0x004159b0
0x004159cb
0x004159ce
0x004159d7
0x004159e0
0x004159e3
0x004159e5
0x004159e6
0x004159e6
0x004159ef
0x004159f4
0x00415a0a
0x00415a0c
0x00415a15
0x00415a19
0x004159f6
0x004159f6
0x00415a04
0x00415a04
0x00415a1a
0x00415a1c
0x00415a25
0x00415a2e
0x00415a31
0x00415a33
0x00415a34
0x00415a34
0x00415a3d
0x00415a42
0x00415a58
0x00415a5a
0x00415a63
0x00415a67
0x00415a44
0x00415a44
0x00415a52
0x00415a52
0x00415a68
0x00415a6a
0x00415a73
0x00415a7c
0x00415a7f
0x00415a81
0x00415a82
0x00415a82
0x00415a8b
0x00415a90
0x00415aa6
0x00415aa8
0x00415ab1
0x00415ab5
0x00415a92
0x00415a92
0x00415aa0
0x00415aa0
0x00415ab6
0x00415ab8
0x00415ac1
0x00415aca
0x00415acd
0x00415acf
0x00415ad0
0x00415ad0
0x00415ad9
0x00415ade
0x00415af4
0x00415af6
0x00415aff
0x00415b03
0x00415ae0
0x00415ae0
0x00415aee
0x00415aee
0x00415b04
0x00415b06
0x00415b0f
0x00415b18
0x00415b1b
0x00415b1d
0x00415b1e
0x00415b1e
0x00415b27
0x00415b2c
0x00415b42
0x00415b44
0x00415b4d
0x00415b51
0x00415b2e
0x00415b2e
0x00415b3c
0x00415b3c
0x00415b52
0x00415b54
0x00415b5d
0x00415b66
0x00415b69
0x00415b6c
0x00415b6c
0x00415b75
0x00415b7a
0x00415b90
0x00415b92
0x00415b9b
0x00415b9f
0x00415b7c
0x00415b7c
0x00415b8a
0x00415b8a
0x00415ba0
0x00415ba3
0x00415bac
0x00415bae
0x00415bb8
0x00415bbb
0x00415bbe
0x00415bbe
0x00415bc7
0x00415bcc
0x00415bf7
0x00415bf9
0x00415c06
0x00415c0a
0x00415c11
0x00415c15
0x00415bce
0x00415bce
0x00415bdc
0x00415be0
0x00415bea
0x00415bee
0x00415bee
0x00415bcc
0x00000000
0x00415957
0x00000000
0x004158ee
0x00416b06
0x00000000
0x00416b06
0x00000000
0x00416a6d
0x00000000
0x00416a3f
0x00416540
0x00416540
0x00416543
0x00416550
0x0041655c
0x0041655f
0x00416561
0x00416561
0x0041656a
0x0041656f
0x0041658b
0x0041658d
0x00416596
0x0041659e
0x00416571
0x00416571
0x0041657f
0x00416587
0x00416587
0x004165a1

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2a2f0d0f42b76f4f6b833c13a8ac4c9f948a915a86b73f9f3c18f8ea78656a
Instruction ID: 92b0058b6c51223ae47e38f67aaa658f5591a3405ca94f54e0ce24afd9087662
Opcode Fuzzy Hash: 5e2a2f0d0f42b76f4f6b833c13a8ac4c9f948a915a86b73f9f3c18f8ea78656a
Instruction Fuzzy Hash: 5A021973A087508BD714CE19CD802A9B7E3FFD1390F6B462EE89647384DAB4D986C749

Uniqueness

Uniqueness Score: -1.00%

Function 00416C70 Relevance: .5, Instructions: 480
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00416C70(void* __eax, signed char* __ecx, signed char* _a4) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed char* _v20;
				intOrPtr _t158;
				unsigned int _t162;
				signed int _t165;
				signed int _t166;
				intOrPtr _t167;
				signed int _t168;
				signed int _t169;
				signed char* _t170;
				signed int _t172;
				signed char* _t173;
				signed char* _t176;
				signed char* _t178;
				signed char* _t180;
				signed char _t191;
				signed int _t192;
				unsigned int _t198;
				signed char* _t199;
				signed int _t204;
				signed char* _t205;
				signed char* _t207;
				signed int _t213;
				signed short* _t214;
				signed int _t215;
				signed int _t222;
				signed char _t228;
				signed int _t229;
				signed int _t235;
				signed char* _t237;
				signed int _t240;
				signed int _t244;
				signed int _t247;
				signed int _t250;
				signed int _t253;
				signed int _t256;
				signed int _t259;
				signed char _t263;
				void* _t264;
				intOrPtr _t265;
				signed int _t267;
				signed char _t279;
				signed char _t284;
				signed int _t285;
				signed int _t286;
				signed int _t288;
				signed int _t289;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				signed char* _t297;
				intOrPtr _t298;
				signed char* _t299;
				signed short* _t301;
				signed int _t302;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed char* _t306;
				signed int _t309;
				signed int _t316;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t342;
				signed int _t343;
				signed char _t344;
				void* _t348;
				signed int _t349;

				_t297 = __ecx;
				_t342 =  *(__ecx + 0x40);
				_t288 =  *(__ecx + 0x20);
				_t323 =  *(__ecx + 0x24);
				_t158 =  *((intOrPtr*)(__ecx + 0xc));
				_v20 =  &(_a4[__eax]);
				_v16 = _t158;
				_t213 = ((0x00000001 <<  *(__ecx + 2)) - 0x00000001 &  *(__ecx + 0x28)) << 4;
				_t235 = 1 + _t342;
				_v4 = _t235;
				_v12 =  *(_t158 + _t235 * 2 - 0x200) & 0x0000ffff;
				if(_t288 >= 0x1000000) {
					L4:
					_t162 = (_t288 >> 0xb) * _v12;
					if(_t323 >= _t162) {
						_t298 = _v16;
						_t289 = _t288 - _t162;
						_t324 = _t323 - _t162;
						_v12 =  *(_t298 + 0x20 + _t342 * 2) & 0x0000ffff;
						_t237 = _a4;
						if(_t289 >= 0x1000000) {
							L39:
							_t165 = (_t289 >> 0xb) * _v12;
							if(_t324 >= _t165) {
								_t290 = _t289 - _t165;
								_t325 = _t324 - _t165;
								_t166 =  *(_t298 + 0x38 + _t342 * 2) & 0x0000ffff;
								_v8 = 3;
								if(_t290 >= 0x1000000) {
									L44:
									_t240 = (_t290 >> 0xb) * _t166;
									_t167 = _v16;
									if(_t325 >= _t240) {
										_t299 = _a4;
										_t291 = _t290 - _t240;
										_t326 = _t325 - _t240;
										_v12 =  *(_t167 + 0x50 + _t342 * 2) & 0x0000ffff;
										if(_t291 >= 0x1000000) {
											L55:
											_t244 = (_t291 >> 0xb) * _v12;
											if(_t326 >= _t244) {
												_t168 =  *(_t167 + 0x68 + _t342 * 2) & 0x0000ffff;
												_t292 = _t291 - _t244;
												_t325 = _t326 - _t244;
												if(_t292 >= 0x1000000) {
													L60:
													_t247 = (_t292 >> 0xb) * _t168;
													if(_t325 >= _t247) {
														goto L62;
													} else {
														_t293 = _t247;
													}
													goto L63;
												} else {
													if(_t299 >= _v20) {
														goto L2;
													} else {
														_t292 = _t292 << 8;
														_t325 = _t325 << 0x00000008 |  *_t299 & 0x000000ff;
														_a4 =  &(_t299[1]);
														goto L60;
													}
												}
											} else {
												_t293 = _t244;
												goto L63;
											}
										} else {
											if(_t299 >= _v20) {
												goto L2;
											} else {
												_t291 = _t291 << 8;
												_t326 = _t326 << 0x00000008 |  *_t299 & 0x000000ff;
												_t299 =  &(_t299[1]);
												_a4 = _t299;
												goto L55;
											}
										}
									} else {
										_t316 =  *(_t167 + _v4 * 2 - 0xc00) & 0x0000ffff;
										_t180 = _a4;
										_t292 = _t240;
										if(_t240 >= 0x1000000) {
											L48:
											_t247 = (_t292 >> 0xb) * _t316;
											if(_t325 >= _t247) {
												L62:
												_t293 = _t292 - _t247;
												_t325 = _t325 - _t247;
												L63:
												_t237 = _a4;
												_v4 = 0xc;
												_t301 = _v16 + 0xfffff600;
												goto L64;
											} else {
												if(_t247 >= 0x1000000 || _t180 < _v20) {
													return 3;
												} else {
													goto L2;
												}
											}
										} else {
											if(_t180 >= _v20) {
												goto L2;
											} else {
												_t292 = _t240 << 8;
												_t325 = _t325 << 0x00000008 |  *_t180 & 0x000000ff;
												_t180 =  &(_t180[1]);
												_a4 = _t180;
												goto L48;
											}
										}
									}
								} else {
									if(_t237 >= _v20) {
										goto L2;
									} else {
										_t290 = _t290 << 8;
										_t325 = _t325 << 0x00000008 |  *_t237 & 0x000000ff;
										_a4 =  &(_t237[1]);
										goto L44;
									}
								}
							} else {
								_t293 = _t165;
								_v4 = 0;
								_t301 = _t298 + 0xfffffa00;
								_v8 = 2;
								L64:
								_t169 =  *_t301 & 0x0000ffff;
								if(_t293 >= 0x1000000) {
									L67:
									_t250 = (_t293 >> 0xb) * _t169;
									_t170 = _a4;
									if(_t325 >= _t250) {
										_t343 = _t301[8] & 0x0000ffff;
										_t294 = _t293 - _t250;
										_t327 = _t325 - _t250;
										if(_t294 >= 0x1000000) {
											L72:
											_t253 = (_t294 >> 0xb) * _t343;
											if(_t327 >= _t253) {
												_t295 = _t294 - _t253;
												_t327 = _t327 - _t253;
												_t214 =  &(_t301[0x100]);
												_t344 = 0x10;
												_v12 = 0x100;
											} else {
												_t344 = 8;
												_t295 = _t253;
												_t214 = _t301 + 0x10 + _t213 * 2;
												_v12 = 8;
											}
											goto L75;
										} else {
											if(_t170 >= _v20) {
												goto L2;
											} else {
												_t294 = _t294 << 8;
												_t327 = _t327 << 0x00000008 |  *_t170 & 0x000000ff;
												_t170 =  &(_t170[1]);
												_a4 = _t170;
												goto L72;
											}
										}
									} else {
										_t295 = _t250;
										_t214 =  &(_t301[_t213]);
										_t344 = 0;
										_v12 = 8;
										L75:
										_t302 = 1;
										L76:
										while(1) {
											if(_t295 >= 0x1000000) {
												L79:
												_t256 = (_t295 >> 0xb) * (_t214[_t302] & 0x0000ffff);
												if(_t327 >= _t256) {
													_t295 = _t295 - _t256;
													_t327 = _t327 - _t256;
													_t302 = _t302 + _t302 + 1;
												} else {
													_t295 = _t256;
													_t302 = _t302 + _t302;
												}
												_t172 = _v12;
												if(_t302 >= _t172) {
													_t303 = _t302 + _t344 - _t172;
													if(_v4 >= 4) {
														goto L32;
													} else {
														if(_t303 >= 3) {
															_t303 = 3;
														}
														_t173 = _a4;
														_t129 = _t303 + 1; // 0x4
														_t348 = (_t129 << 7) + _v16;
														_t304 = 1;
														do {
															_t215 =  *(_t348 + _t304 * 2) & 0x0000ffff;
															if(_t295 >= 0x1000000) {
																goto L91;
															} else {
																_t176 = _a4;
																if(_t176 >= _v20) {
																	goto L2;
																} else {
																	_t295 = _t295 << 8;
																	_t327 = _t327 << 0x00000008 |  *_t176 & 0x000000ff;
																	_t173 =  &(_t176[1]);
																	_a4 = _t173;
																	goto L91;
																}
															}
															goto L113;
															L91:
															_t259 = (_t295 >> 0xb) * _t215;
															if(_t327 >= _t259) {
																_t295 = _t295 - _t259;
																_t327 = _t327 - _t259;
																_t304 = _t304 + _t304 + 1;
															} else {
																_t295 = _t259;
																_t304 = _t304 + _t304;
															}
														} while (_t304 < 0x40);
														_t305 = _t304 - 0x40;
														if(_t305 < 4) {
															goto L33;
														} else {
															_t263 = (_t305 >> 1) - 1;
															_v12 = _t263;
															if(_t305 >= 0xe) {
																_t306 = _v20;
																_t264 = _t263 - 4;
																do {
																	if(_t295 >= 0x1000000) {
																		goto L102;
																	} else {
																		if(_t173 >= _t306) {
																			goto L2;
																		} else {
																			_t295 = _t295 << 8;
																			_t327 = _t327 << 0x00000008 |  *_t173 & 0x000000ff;
																			_t173 =  &(_t173[1]);
																			goto L102;
																		}
																	}
																	goto L113;
																	L102:
																	_t295 = _t295 >> 1;
																	_t327 = _t327 - ((_t327 - _t295 >> 0x0000001f) - 0x00000001 & _t295);
																	_t264 = _t264 - 1;
																} while (_t264 != 0);
																_t265 = _v16;
																_a4 = _t173;
																_v12 = 4;
																goto L104;
															} else {
																_t265 = _v16 + ((_t305 & 0x00000001 | 0x00000002) << _t263) * 2 - 0xd00;
																L104:
																_t349 = 1;
																_v16 = _t265;
																_t222 = 1;
																do {
																	_t267 =  *(_v16 + _t349 * 2) & 0x0000ffff;
																	if(_t295 >= 0x1000000) {
																		goto L108;
																	} else {
																		if(_a4 >= _v20) {
																			goto L2;
																		} else {
																			_t178 = _a4;
																			_t295 = _t295 << 8;
																			_t327 = _t327 << 0x00000008 |  *_t178 & 0x000000ff;
																			_t173 =  &(_t178[1]);
																			_a4 = _t173;
																			goto L108;
																		}
																	}
																	goto L113;
																	L108:
																	_t309 = (_t295 >> 0xb) * _t267;
																	if(_t327 >= _t309) {
																		_t222 = _t222 + _t222;
																		_t295 = _t295 - _t309;
																		_t327 = _t327 - _t309;
																		_t349 = _t349 + _t222;
																	} else {
																		_t349 = _t349 + _t222;
																		_t295 = _t309;
																		_t222 = _t222 + _t222;
																	}
																	_t155 =  &_v12;
																	 *_t155 = _v12 - 1;
																} while ( *_t155 != 0);
																goto L33;
															}
														}
													}
												} else {
													_t170 = _a4;
													continue;
												}
											} else {
												if(_t170 >= _v20) {
													goto L2;
												} else {
													_t295 = _t295 << 8;
													_t327 = _t327 << 0x00000008 |  *_t170 & 0x000000ff;
													_a4 =  &(_t170[1]);
													goto L79;
												}
											}
											goto L113;
										}
									}
								} else {
									if(_t237 >= _v20) {
										goto L2;
									} else {
										_t293 = _t293 << 8;
										_t325 = _t325 << 0x00000008 |  *_t237 & 0x000000ff;
										_a4 =  &(_t237[1]);
										goto L67;
									}
								}
							}
						} else {
							if(_t237 >= _v20) {
								goto L2;
							} else {
								_t289 = _t289 << 8;
								_t324 = _t324 << 0x00000008 |  *_t237 & 0x000000ff;
								_t237 =  &(_t237[1]);
								_a4 = _t237;
								goto L39;
							}
						}
					} else {
						_t296 = _t162;
						_v16 = _v16 + 0x280;
						if(_t297[0x2c] != 0 || _t297[0x28] != 0) {
							_t279 = _t297[0x18];
							if(_t279 == 0) {
								_t279 = _t297[0x14];
							}
							_v16 = _v16 + ((( *(_t297[0x10] + _t279 - 1) & 0x000000ff) >> 8 - ( *_t297 & 0x000000ff)) + (((0x00000001 << _t297[1]) - 0x00000001 & _t297[0x28]) << ( *_t297 & 0x000000ff))) * 0x600;
						}
						if(_t342 >= 7) {
							_t284 = _t297[0x18];
							_t228 = _t297[0x30];
							if(_t284 >= _t228) {
								_t191 = 0;
							} else {
								_t191 = _t297[0x14];
							}
							_t229 =  *(_t297[0x10] - _t228 + _t284 + _t191) & 0x000000ff;
							_t321 = 0x100;
							_t285 = 1;
							do {
								_t192 = _t321;
								_t229 = _t229 + _t229;
								_v4 = _t192;
								_t321 = _t321 & _t229;
								_v12 =  *(_v16 + (_t192 + _t285 + _t321) * 2) & 0x0000ffff;
								if(_t296 >= 0x1000000) {
									goto L27;
								} else {
									_t199 = _a4;
									if(_t199 >= _v20) {
										goto L2;
									} else {
										_t296 = _t296 << 8;
										_t323 = _t323 << 0x00000008 |  *_t199 & 0x000000ff;
										_a4 =  &(_t199[1]);
										goto L27;
									}
								}
								goto L113;
								L27:
								_t198 = (_t296 >> 0xb) * _v12;
								if(_t323 >= _t198) {
									_t296 = _t296 - _t198;
									_t323 = _t323 - _t198;
									_t285 = _t285 + _t285 + 1;
								} else {
									_t285 = _t285 + _t285;
									_t321 = _t321 ^ _v4;
									_t296 = _t198;
								}
							} while (_t285 < 0x100);
							goto L31;
						} else {
							_t286 = 1;
							do {
								_t322 =  *(_v16 + _t286 * 2) & 0x0000ffff;
								if(_t296 >= 0x1000000) {
									goto L15;
								} else {
									_t205 = _a4;
									if(_t205 >= _v20) {
										goto L2;
									} else {
										_t296 = _t296 << 8;
										_t323 = _t323 << 0x00000008 |  *_t205 & 0x000000ff;
										_a4 =  &(_t205[1]);
										goto L15;
									}
								}
								goto L113;
								L15:
								_t204 = (_t296 >> 0xb) * _t322;
								if(_t323 >= _t204) {
									_t296 = _t296 - _t204;
									_t323 = _t323 - _t204;
									_t286 = _t286 + _t286 + 1;
								} else {
									_t296 = _t204;
									_t286 = _t286 + _t286;
								}
							} while (_t286 < 0x100);
							L31:
							_v8 = 1;
							L32:
							_t173 = _a4;
							L33:
							if(_t295 >= 0x1000000 || _t173 < _v20) {
								return _v8;
							} else {
								goto L2;
							}
						}
					}
				} else {
					_t207 = _a4;
					if(_t207 < _v20) {
						_t288 = _t288 << 8;
						_t323 = _t323 << 0x00000008 |  *_t207 & 0x000000ff;
						_a4 =  &(_t207[1]);
						goto L4;
					} else {
						L2:
						return 0;
					}
				}
				L113:
			}

0x00416c77
0x00416c7d
0x00416c80
0x00416c83
0x00416c88
0x00416c8b
0x00416c99
0x00416ca1
0x00416ca4
0x00416caf
0x00416cb3
0x00416cbd
0x00416ce5
0x00416cea
0x00416cf1
0x00416e75
0x00416e7e
0x00416e80
0x00416e82
0x00416e86
0x00416e90
0x00416eac
0x00416eb1
0x00416eb8
0x00416ed7
0x00416ed9
0x00416edb
0x00416ee0
0x00416eee
0x00416f0a
0x00416f0f
0x00416f12
0x00416f18
0x00416f81
0x00416f85
0x00416f87
0x00416f8e
0x00416f98
0x00416fb4
0x00416fb9
0x00416fc0
0x00416fc6
0x00416fcb
0x00416fcd
0x00416fd5
0x00416ff1
0x00416ff6
0x00416ffb
0x00000000
0x00416ffd
0x00416ffd
0x00416ffd
0x00000000
0x00416fd7
0x00416fdb
0x00000000
0x00416fe1
0x00416fe7
0x00416fea
0x00416fed
0x00000000
0x00416fed
0x00416fdb
0x00416fc2
0x00416fc2
0x00000000
0x00416fc2
0x00416f9a
0x00416f9e
0x00000000
0x00416fa4
0x00416faa
0x00416fad
0x00416faf
0x00416fb0
0x00000000
0x00416fb0
0x00416f9e
0x00416f1a
0x00416f1e
0x00416f26
0x00416f2a
0x00416f32
0x00416f50
0x00416f55
0x00416f5a
0x00417001
0x00417001
0x00417003
0x00417005
0x00417009
0x0041700d
0x00417015
0x00000000
0x00416f60
0x00416f66
0x00416f7e
0x00000000
0x00000000
0x00000000
0x00416f66
0x00416f34
0x00416f38
0x00000000
0x00416f3e
0x00416f41
0x00416f49
0x00416f4b
0x00416f4c
0x00000000
0x00416f4c
0x00416f38
0x00416f32
0x00416ef0
0x00416ef4
0x00000000
0x00416efa
0x00416f00
0x00416f03
0x00416f06
0x00000000
0x00416f06
0x00416ef4
0x00416eba
0x00416eba
0x00416ebc
0x00416ec4
0x00416eca
0x0041701b
0x0041701b
0x00417024
0x00417040
0x00417045
0x00417048
0x0041704e
0x00417061
0x00417065
0x00417067
0x0041706f
0x0041708b
0x00417090
0x00417095
0x004170a8
0x004170aa
0x004170ac
0x004170b2
0x004170b7
0x00417097
0x00417097
0x0041709c
0x0041709e
0x004170a2
0x004170a2
0x00000000
0x00417071
0x00417075
0x00000000
0x0041707b
0x00417081
0x00417084
0x00417086
0x00417087
0x00000000
0x00417087
0x00417075
0x00417050
0x00417050
0x00417052
0x00417055
0x00417057
0x004170bf
0x004170bf
0x00000000
0x004170c4
0x004170ca
0x004170e6
0x004170ef
0x004170f4
0x004170fc
0x004170fe
0x00417100
0x004170f6
0x004170f6
0x004170f8
0x004170f8
0x00417104
0x0041710a
0x00417114
0x0041711b
0x00000000
0x00417121
0x00417124
0x00417126
0x00417126
0x0041712b
0x0041712f
0x00417135
0x00417139
0x00417140
0x00417140
0x0041714b
0x00000000
0x0041714d
0x0041714d
0x00417155
0x00000000
0x0041715b
0x00417161
0x00417164
0x00417166
0x00417167
0x00000000
0x00417167
0x00417155
0x00000000
0x0041716b
0x00417170
0x00417175
0x0041717d
0x0041717f
0x00417181
0x00417177
0x00417177
0x00417179
0x00417179
0x00417185
0x0041718a
0x00417190
0x00000000
0x00417196
0x0041719a
0x0041719b
0x004171a2
0x004171b9
0x004171bd
0x004171c0
0x004171c6
0x00000000
0x004171c8
0x004171ca
0x00000000
0x004171d0
0x004171d6
0x004171d9
0x004171db
0x00000000
0x004171db
0x004171ca
0x00000000
0x004171dc
0x004171dc
0x004171e8
0x004171ea
0x004171ea
0x004171ed
0x004171f1
0x004171f5
0x00000000
0x004171a4
0x004171b0
0x004171fd
0x004171fd
0x00417202
0x00417206
0x00417210
0x00417214
0x0041721e
0x00000000
0x00417220
0x00417228
0x00000000
0x0041722e
0x0041722e
0x00417238
0x0041723b
0x0041723d
0x0041723e
0x00000000
0x0041723e
0x00417228
0x00000000
0x00417242
0x00417247
0x0041724c
0x00417256
0x00417258
0x0041725a
0x0041725c
0x0041724e
0x0041724e
0x00417250
0x00417252
0x00417252
0x0041725e
0x0041725e
0x0041725e
0x00000000
0x00417264
0x004171a2
0x00417190
0x0041710c
0x0041710c
0x00000000
0x0041710c
0x004170cc
0x004170d0
0x00000000
0x004170d6
0x004170dc
0x004170df
0x004170e2
0x00000000
0x004170e2
0x004170d0
0x00000000
0x004170ca
0x004170c4
0x00417026
0x0041702a
0x00000000
0x00417030
0x00417036
0x00417039
0x0041703c
0x00000000
0x0041703c
0x0041702a
0x00417024
0x00416e92
0x00416e96
0x00000000
0x00416e9c
0x00416ea2
0x00416ea5
0x00416ea7
0x00416ea8
0x00000000
0x00416ea8
0x00416e96
0x00416cf7
0x00416cf7
0x00416d06
0x00416d0a
0x00416d12
0x00416d17
0x00416d19
0x00416d19
0x00416d4b
0x00416d4b
0x00416d52
0x00416db5
0x00416db8
0x00416dbd
0x00416dc4
0x00416dbf
0x00416dbf
0x00416dbf
0x00416dcd
0x00416dd1
0x00416dd6
0x00416de0
0x00416de4
0x00416de6
0x00416de8
0x00416dee
0x00416df7
0x00416e01
0x00000000
0x00416e03
0x00416e03
0x00416e0b
0x00000000
0x00416e11
0x00416e17
0x00416e1a
0x00416e1d
0x00000000
0x00416e1d
0x00416e0b
0x00000000
0x00416e21
0x00416e26
0x00416e2d
0x00416e39
0x00416e3b
0x00416e3d
0x00416e2f
0x00416e2f
0x00416e31
0x00416e35
0x00416e35
0x00416e41
0x00000000
0x00416d54
0x00416d54
0x00416d60
0x00416d64
0x00416d6e
0x00000000
0x00416d70
0x00416d70
0x00416d78
0x00000000
0x00416d7e
0x00416d84
0x00416d87
0x00416d8a
0x00000000
0x00416d8a
0x00416d78
0x00000000
0x00416d8e
0x00416d93
0x00416d98
0x00416da0
0x00416da2
0x00416da4
0x00416d9a
0x00416d9a
0x00416d9c
0x00416d9c
0x00416da8
0x00416e49
0x00416e49
0x00416e51
0x00416e51
0x00416e55
0x00416e5b
0x00416e72
0x00000000
0x00000000
0x00000000
0x00416e5b
0x00416d52
0x00416cbf
0x00416cbf
0x00416cc7
0x00416cdb
0x00416cde
0x00416ce1
0x00000000
0x00416ccc
0x00416ccc
0x00416cd2
0x00416cd2
0x00416cc7
0x00000000

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ab2d6071ba4f626031de446fa0850a734d69f202f19f46ab4dd51ed20a1283
Instruction ID: 749a3237d7bda78a09f8de8b64832c24e1c15a66796a84742980e8518d2f9ae4
Opcode Fuzzy Hash: b5ab2d6071ba4f626031de446fa0850a734d69f202f19f46ab4dd51ed20a1283
Instruction Fuzzy Hash: F9021D72A083118BC709CE28C5802B9BBE2FBC5355F150B2FE49697754D778D8C9CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00413ED0 Relevance: .1, Instructions: 143
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00413ED0(intOrPtr __ecx, void* __edx, intOrPtr _a4, unsigned int* _a8, intOrPtr _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _t43;
				unsigned int _t44;
				signed int _t48;
				intOrPtr _t52;
				signed char _t63;
				signed int _t64;
				signed char _t77;
				signed int* _t81;
				unsigned int _t84;
				void* _t86;
				unsigned int _t88;
				signed int _t91;
				intOrPtr _t97;
				void* _t98;

				_t97 = __ecx;
				_t84 = 0;
				_t88 =  *_a8 & 0x00000007;
				_v8 = __ecx;
				if(__edx >= 5) {
					_a4 = _a4 + 5;
					_t52 = __edx - 4 + __ecx;
					_v4 = _t52;
					while(1) {
						_t81 = _t84 + _t97;
						if(_t81 >= _t52) {
							goto L7;
						}
						L5:
						while(( *_t81 & 0x000000fe) != 0xe8) {
							_t81 =  &(_t81[0]);
							if(_t81 < _t52) {
								continue;
							}
							goto L7;
						}
						L7:
						_t63 = _t81 - _t84 - _t97;
						_t86 = _t81 - _t97;
						if(_t81 < _t52) {
							if(_t63 <= 2) {
								_t91 = _t88 >> _t63;
								if(_t91 == 0 || _t91 <= 4 && _t91 != 3 && ((( &(_t81[0]))[_t91 >> 1] & 0x000000ff) + 0x00000001 & 0x000000fe) != 0) {
									goto L10;
								} else {
									_t88 = (_t91 | 0x00000008) >> 1;
									_t84 = _t86 + 1;
									continue;
								}
							} else {
								_t91 = 0;
								L10:
								_t64 = _t81[1] & 0x000000ff;
								if((_t64 + 0x00000001 & 0x000000fe) != 0) {
									_t97 = _v8;
									_t88 = (_t91 | 0x00000008) >> 1;
									_t84 = _t86 + 1;
								} else {
									_t43 = _t81[0] & 0x000000ff | ((_t64 << 0x00000008 | _t81[0] & 0x000000ff) << 0x00000008 | _t81[0] & 0x000000ff) << 0x00000008;
									_t98 = _t86 + _a4;
									_t84 = _t86 + 5;
									if(_a12 == 0) {
										_t44 = _t43 - _t98;
									} else {
										_t44 = _t43 + _t98;
									}
									if(_t91 != 0) {
										_t77 = (_t91 & 0x00000006) + (_t91 & 0x00000006) + (_t91 & 0x00000006) + (_t91 & 0x00000006);
										if(((_t44 >> _t77) + 0x00000001 & 0x000000fe) == 0) {
											_t48 = _t44 ^ (0x00000100 << _t77) - 0x00000001;
											if(_a12 == 0) {
												_t44 = _t48 - _t98;
											} else {
												_t44 = _t48 + _t98;
											}
										}
										_t52 = _v4;
										_t88 = 0;
									}
									_t97 = _v8;
									_t81[0] = _t44;
									_t81[0] = _t44 >> 8;
									_t81[0] = _t44 >> 0x10;
									_t81[1] =  ~(_t44 >> 0x00000018 & 0x00000001);
								}
								while(1) {
									_t81 = _t84 + _t97;
									if(_t81 >= _t52) {
										goto L7;
									}
									goto L5;
								}
							}
						}
						if(_t63 <= 2) {
							 *_a8 = _t88 >> _t63;
							return _t86;
						} else {
							 *_a8 = 0;
							return _t86;
						}
						goto L30;
					}
				} else {
					return 0;
				}
				L30:
			}

0x00413edc
0x00413ede
0x00413ee0
0x00413ee3
0x00413eea
0x00413ef7
0x00413f00
0x00413f02
0x00413f06
0x00413f06
0x00413f0b
0x00000000
0x00000000
0x00000000
0x00413f10
0x00413f1a
0x00413f1d
0x00000000
0x00000000
0x00000000
0x00413f1d
0x00413f1f
0x00413f25
0x00413f27
0x00413f2b
0x00413f34
0x00413f77
0x00413f7b
0x00000000
0x00413f95
0x00413f98
0x00413f9a
0x00000000
0x00413f9a
0x00413f36
0x00413f36
0x00413f38
0x00413f38
0x00413f41
0x00413ffc
0x00414003
0x00414005
0x00413f47
0x00413f60
0x00413f66
0x00413f69
0x00413f71
0x00413fa0
0x00413f73
0x00413f73
0x00413f73
0x00413fa4
0x00413faf
0x00413fb7
0x00413fc1
0x00413fc8
0x00413fce
0x00413fca
0x00413fca
0x00413fca
0x00413fc8
0x00413fd0
0x00413fd4
0x00413fd4
0x00413fd6
0x00413fdf
0x00413fe2
0x00413ff1
0x00413ff4
0x00413ff4
0x00413f06
0x00413f06
0x00413f0b
0x00000000
0x00000000
0x00000000
0x00413f0b
0x00413f06
0x00413f34
0x0041400f
0x0041402d
0x00414034
0x00414011
0x0041401a
0x00414021
0x00414021
0x00000000
0x0041400f
0x00413eee
0x00413ef4
0x00413ef4
0x00000000

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31d452cf4fc038398579975b7917bb1ff375609163340ad82824380036c8528
Instruction ID: c73478d6d2dc94b6e0038562b2afcca53e437786cb5e4ec297cf3cc6dfcd3039
Opcode Fuzzy Hash: b31d452cf4fc038398579975b7917bb1ff375609163340ad82824380036c8528
Instruction Fuzzy Hash: F1416833E043224BC7148E1C48942BAFBA1ABD1326F09476FD99687381D2249E8EC3D5

Uniqueness

Uniqueness Score: -1.00%

Function 00403101 Relevance: .1, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00403101() {
				void* _t43;
				void* _t45;
				unsigned int _t83;
				void* _t84;

				_t83 = 0;
				do {
					 *(0x41f3e0 + _t83 * 4) =  ~(( ~(( ~(( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) & 0x00000001) & 0xedb88320 ^ ( ~(_t83 & 0x00000001) & 0xedb88320 ^ _t83 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001;
					_t83 = _t83 + 1;
				} while (_t83 < 0x100);
				_t43 = 0x41f3e4;
				_t84 = 0x1c0;
				do {
					_t3 = _t43 - 4; // 0x0
					_t43 = _t43 + 0x10;
					 *(_t43 + 0x3ec) =  *_t3 >> 0x00000008 ^  *(0x41f3e0 + ( *_t3 & 0x000000ff) * 4);
					_t7 = _t43 - 0x10; // 0x0
					 *(_t43 + 0x3f0) =  *_t7 >> 0x00000008 ^  *(0x41f3e0 + ( *_t7 & 0x000000ff) * 4);
					_t11 = _t43 - 0xc; // 0x0
					 *(_t43 + 0x3f4) =  *_t11 >> 0x00000008 ^  *(0x41f3e0 + ( *_t11 & 0x000000ff) * 4);
					_t15 = _t43 - 8; // 0x4192a0
					_t84 = _t84 - 1;
					 *(_t43 + 0x3f8) =  *_t15 >> 0x00000008 ^  *(0x41f3e0 + ( *_t15 & 0x000000ff) * 4);
				} while (_t84 != 0);
				 *0x41f3d0 = 0x419380;
				 *0x4213e0 = 0x419380;
				 *0x41f3cc = 0x4192a0;
				_t45 = E00414210();
				if(_t45 == 0) {
					 *0x4213e0 = 0x4192a0;
				}
				return _t45;
			}

0x00418c30
0x00418c32
0x00418cb8
0x00418cbf
0x00418cc0
0x00418ccc
0x00418cd1
0x00418cd7
0x00418cd7
0x00418cec
0x00418cef
0x00418cf5
0x00418d0a
0x00418d10
0x00418d25
0x00418d2b
0x00418d40
0x00418d41
0x00418d41
0x00418d53
0x00418d58
0x00418d5d
0x00418d63
0x00418d6a
0x00418d6c
0x00418d6c
0x00418d73

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8ad514181f1392663617d37fa5aac287f30e1f120c9b56e1846f19667033fd
Instruction ID: 2418e866784658efeedf78a8b367f27fd94d949eb5011ce8ce344a4822a165bc
Opcode Fuzzy Hash: 7e8ad514181f1392663617d37fa5aac287f30e1f120c9b56e1846f19667033fd
Instruction Fuzzy Hash: 3A316177BA091A4BD70CCA28EC73AB96281E744345B88527EED5BCB3D1DF6C8841C64C

Uniqueness

Uniqueness Score: -1.00%

Function 004192A1 Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004192A1(signed char __ecx, signed int __edx, intOrPtr _a8, intOrPtr _a12) {
				signed char _t42;
				signed int _t44;
				signed int _t50;
				signed int _t51;
				unsigned int _t59;
				signed char _t60;
				signed int _t62;
				void* _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				signed int _t69;
				signed int _t73;
				signed int _t83;
				intOrPtr _t86;

				_t62 = __edx;
				_t42 = __ecx;
				_t65 = _a8;
				_t86 = _a12;
				if(_t65 != 0) {
					while((_t62 & 0x00000007) != 0) {
						_t83 =  *_t62 & 0x000000ff;
						_t62 = _t62 + 1;
						_t42 = _t42 >> 0x00000008 ^  *(_t86 + (_t83 ^ _t42 & 0x000000ff) * 4);
						_t65 = _t65 - 1;
						if(_t65 != 0) {
							continue;
						}
						break;
					}
					if(_t65 >= 0x10) {
						_t67 = _t65 + _t62;
						_a8 = _t67;
						_t69 = _t67 - 0x00000008 & 0xfffffff8;
						_t63 = _t62 - _t69;
						_t44 = _t42 ^  *(_t63 + _t69);
						_t59 =  *(_t63 + _t69 + 4);
						do {
							_t50 = _t59 & 0x000000ff;
							_t51 = _t59 & 0x000000ff;
							_t60 = _t59 >> 0x10;
							_t59 =  *(_t63 + _t69 + 0xc);
							_t44 =  *(_t86 + 0x1000 + (_t44 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t63 + _t69 + 8) ^  *(_t86 + 0xc00 + _t50 * 4) ^  *(_t86 + 0x800 + _t51 * 4) ^  *(_t86 + 0x400 + (_t60 & 0x000000ff) * 4) ^  *(_t86 + (_t60 & 0x000000ff) * 4) ^  *(_t86 + 0x1c00 + (_t44 & 0x000000ff) * 4) ^  *(_t86 + 0x1800 + (_t44 & 0x000000ff) * 4) ^  *(_t86 + 0x1400 + (_t44 >> 0x00000010 & 0x000000ff) * 4);
							_t63 = _t63 + 8;
						} while (_t63 != 0);
						_t42 = _t44 ^  *(_t63 + _t69);
						_t62 = _t69;
						_t65 = _a8 - _t62;
						L7:
						while(_t65 != 0) {
							_t73 =  *_t62 & 0x000000ff;
							_t62 = _t62 + 1;
							_t42 = _t42 >> 0x00000008 ^  *(_t86 + (_t73 ^ _t42 & 0x000000ff) * 4);
							_t65 = _t65 - 1;
						}
						return _t42;
					}
				}
				goto L7;
			}

0x004192a1
0x004192a4
0x004192a6
0x004192aa
0x004192b0
0x004192b6
0x004192be
0x004192c1
0x004192ca
0x004192ce
0x004192cf
0x00000000
0x00000000
0x00000000
0x004192cf
0x004192d4
0x004192da
0x004192dc
0x004192e3
0x004192e6
0x004192e8
0x004192eb
0x004192f0
0x004192f4
0x004192fe
0x00419308
0x0041931f
0x0041934b
0x0041934d
0x0041934d
0x00419352
0x00419355
0x0041935b
0x00000000
0x0041935d
0x00419361
0x00419364
0x0041936d
0x00419371
0x00419371
0x00419378
0x00419378
0x004192d4
0x00000000

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction ID: 6afb9c83622f7667f84253346451ad0de7d4bb496f1525738c8a557abb0a02b9
Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
Instruction Fuzzy Hash: E82107329006254BCB42CE6EE4845A7F3D2FBC536AF274B27ED9463291C638EC55C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0041937B Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0041937B(signed char __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
				signed char _t39;
				signed int _t41;
				signed int _t63;
				void* _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				signed int _t68;
				signed int _t70;
				signed int _t74;
				intOrPtr _t76;

				_t63 = __edx;
				_t39 = __ecx;
				_t65 = _a4;
				_t76 = _a8;
				if(_t65 != 0) {
					while((_t63 & 0x00000007) != 0) {
						_t74 =  *_t63 & 0x000000ff;
						_t63 = _t63 + 1;
						_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t74 ^ _t39 & 0x000000ff) * 4);
						_t65 = _t65 - 1;
						if(_t65 != 0) {
							continue;
						}
						break;
					}
					if(_t65 >= 0x10) {
						_t66 = _t65 + _t63;
						_a4 = _t66;
						_t68 = _t66 - 0x00000008 & 0xfffffff8;
						_t64 = _t63 - _t68;
						_t41 = _t39 ^  *(_t64 + _t68);
						do {
							_t41 =  *(_t76 + 0xc00 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) & 0x000000ff) * 4) ^  *(_t64 + _t68 + 8) ^  *(_t76 + 0x800 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) & 0x000000ff) * 4) ^  *(_t76 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) >> 0x00000010 & 0x000000ff) * 4);
							_t64 = _t64 + 8;
						} while (_t64 != 0);
						_t39 = _t41 ^  *(_t64 + _t68);
						_t63 = _t68;
						_t65 = _a4 - _t63;
						L8:
						while(_t65 != 0) {
							_t70 =  *_t63 & 0x000000ff;
							_t63 = _t63 + 1;
							_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t70 ^ _t39 & 0x000000ff) * 4);
							_t65 = _t65 - 1;
						}
						return _t39;
					}
				}
				goto L8;
			}

0x0041937b
0x00419384
0x00419386
0x0041938a
0x00419390
0x00419396
0x0041939e
0x004193a1
0x004193aa
0x004193ae
0x004193af
0x00000000
0x00000000
0x00000000
0x004193af
0x004193b4
0x004193ba
0x004193bc
0x004193c3
0x004193c6
0x004193c8
0x004193d0
0x00419426
0x0041942d
0x0041942d
0x00419432
0x00419435
0x0041943b
0x00000000
0x0041943d
0x00419441
0x00419444
0x0041944d
0x00419451
0x00419451
0x00419458
0x00419458
0x004193b4
0x00000000

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction ID: 4a8f15c690feeceaa45f30d21297364ae44fa9dd8c83136557fcfb88ab79e8e9
Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
Instruction Fuzzy Hash: A521257251442987C301DF2DE4986B7B3E1FFD8319FA78A2AD8928B280C638DC85D690

Uniqueness

Uniqueness Score: -1.00%

Function 0040F30E Relevance: 28.5, APIs: 13, Strings: 3, Instructions: 452
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040F30E(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr _t255;
				signed int _t271;
				void* _t272;
				signed int _t278;
				intOrPtr _t282;
				signed int _t285;
				signed int _t304;
				signed int _t305;
				intOrPtr _t306;
				void* _t314;
				char* _t315;
				void* _t317;
				char* _t318;
				void* _t319;
				char* _t320;
				signed int _t322;
				signed int _t333;
				intOrPtr _t337;
				signed int _t342;
				signed int _t344;
				signed int _t349;
				void* _t354;
				int _t357;
				signed int _t358;
				intOrPtr* _t361;
				signed int _t362;
				signed int _t363;
				signed int _t364;
				signed int _t373;
				intOrPtr _t391;
				signed int _t393;
				intOrPtr _t399;
				signed int _t401;
				signed int _t407;
				intOrPtr* _t415;
				intOrPtr _t417;
				intOrPtr* _t418;
				char _t420;
				void* _t425;
				signed int _t431;
				intOrPtr* _t436;
				void* _t441;
				void* _t443;

				E00418D80(E0041A4FC, _t443);
				_t441 = __ecx;
				E0040F16C(__ecx, __edx, _t443, __eflags, 0xb, 0);
				_t255 = E0040EB3D( *((intOrPtr*)(_t441 + 0x38)), __edx, __eflags);
				 *(_t443 - 0x4c) =  *(_t443 - 0x4c) & 0x00000000;
				 *(_t443 - 0x4b) =  *(_t443 - 0x4b) & 0x00000000;
				 *((intOrPtr*)(_t443 - 0x18)) = _t255;
				 *((intOrPtr*)(_t443 - 0x1c)) = 0;
				 *(_t443 - 4) = 0;
				E0040E913(_t443 - 0x50, __eflags, _t441,  *(_t443 + 8));
				_t436 =  *((intOrPtr*)(_t443 + 0xc));
				_t354 =  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38)) + 8)) +  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38))));
				 *((intOrPtr*)(_t436 + 4)) =  *((intOrPtr*)(_t443 - 0x18));
				 *(_t443 - 0x34) = _t354;
				E00410D2E(_t436 + 0x30,  *((intOrPtr*)(_t443 - 0x18)) + 1);
				E00410D5B(_t436 + 0x34,  *((intOrPtr*)(_t443 - 0x18)));
				E00410D2E(_t436 + 0x38,  *((intOrPtr*)(_t443 - 0x18)) + 1);
				E00410D2E(_t436 + 0x2c,  *((intOrPtr*)(_t443 - 0x18)) + 1);
				_t373 = 0;
				 *((intOrPtr*)(_t443 - 0x68)) = 0;
				 *((intOrPtr*)(_t443 - 0x64)) = 0;
				 *((intOrPtr*)(_t443 - 0x60)) = 0;
				 *(_t443 - 0x5c) = 0;
				 *((intOrPtr*)(_t443 - 0x58)) = 0;
				 *((intOrPtr*)(_t443 - 0x54)) = 0;
				_t450 =  *((intOrPtr*)(_t443 - 0x18));
				 *(_t443 - 4) = 2;
				 *((intOrPtr*)(_t443 - 0x30)) = 0;
				 *((intOrPtr*)(_t443 - 0x28)) =  *((intOrPtr*)(_t441 + 0x38));
				 *(_t443 - 0x2c) = 0;
				if( *((intOrPtr*)(_t443 - 0x18)) <= 0) {
					L63:
					_t357 =  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38)) + 8)) -  *(_t443 - 0x34) +  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38))));
					_t271 =  *(_t443 - 0x2c) << 2;
					 *((intOrPtr*)(_t271 +  *((intOrPtr*)(_t436 + 0x2c)))) =  *((intOrPtr*)(_t443 - 0x1c));
					 *((intOrPtr*)(_t271 +  *((intOrPtr*)(_t436 + 0x30)))) =  *((intOrPtr*)(_t443 - 0x30));
					_t431 =  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38)) + 8)) -  *(_t443 - 0x34) +  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38))));
					 *(_t271 +  *((intOrPtr*)(_t436 + 0x38))) = _t431;
					_t272 = E00407AB8(_t436 + 0x3c, _t357);
					_t476 = _t357;
					if(_t357 != 0) {
						_t272 = memcpy( *(_t436 + 0x3c),  *(_t443 - 0x34), _t357);
					}
					E00403204(E00403204(_t272,  *(_t443 - 0x5c)),  *((intOrPtr*)(_t443 - 0x68)));
					 *(_t443 - 4) =  *(_t443 - 4) | 0xffffffff;
					E0040E883(_t443 - 0x50);
					_t358 = 0;
					E0040F16C(_t441, _t431, _t443, _t476, 0xc, 0);
					E00410D01(_t436 + 0x28,  *((intOrPtr*)(_t443 - 0x1c)));
					if( *((intOrPtr*)(_t443 - 0x1c)) > 0) {
						do {
							_t282 = E0040EA46( *((intOrPtr*)(_t441 + 0x38)));
							_t391 =  *((intOrPtr*)(_t436 + 0x28));
							 *((intOrPtr*)(_t391 + _t358 * 8)) = _t282;
							_t358 = _t358 + 1;
							 *(_t391 + _t358 * 8 - 4) = _t431;
						} while (_t358 <  *((intOrPtr*)(_t443 - 0x1c)));
					}
					goto L67;
				} else {
					while(1) {
						 *(_t443 - 0x3c) = _t373;
						 *(_t443 - 0x14) = _t373;
						_t431 =  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38)) + 8)) - _t354 +  *((intOrPtr*)( *((intOrPtr*)(_t441 + 0x38))));
						 *( *((intOrPtr*)(_t436 + 0x38)) +  *(_t443 - 0x2c) * 4) = _t431;
						_t285 = E0040EB3D( *((intOrPtr*)(_t443 - 0x28)), _t431, _t450);
						 *(_t443 - 0x10) = _t285;
						if(_t285 == 0 || _t285 > 0x40) {
							break;
						}
						 *(_t443 - 0x38) =  *(_t443 - 0x38) & 0x00000000;
						if(_t285 <= 0) {
							_t361 =  *((intOrPtr*)(_t443 - 0x28));
							L37:
							_t393 = 1;
							if(_t285 != _t393 ||  *(_t443 - 0x14) != _t393) {
								_t431 =  *(_t443 - 0x14);
								__eflags = _t431 - _t285 - 1;
								if(_t431 < _t285 - 1) {
									L76:
									_push(0x41de18);
									_push(_t443 + 0xf);
									L00418E02();
									L77:
									_push(0x41de18);
									_push(_t443 + 0xf);
									L00418E02();
									L78:
									_push(0x41de18);
									_push(_t443 + 0xf);
									L00418E02();
									L79:
									_push(0x41de18);
									_push(_t443 + 0xf);
									L00418E02();
									L80:
									_push(0x41de18);
									_push(_t443 + 0xf);
									L00418E02();
									break;
								}
								E00407ECE(_t443 - 0x68, _t431);
								_t431 =  *(_t443 - 0x10);
								E00407ECE(_t443 - 0x5c, _t431);
								 *(_t443 + 8) =  *(_t443 + 8) & 0x00000000;
								__eflags =  *(_t443 - 0x10) - 1;
								if(__eflags <= 0) {
									L48:
									_t304 =  *(_t443 - 0x14) -  *(_t443 - 0x10) - 1;
									__eflags = _t304 - 1;
									 *(_t443 - 0x24) = _t304;
									if(_t304 == 1) {
										L53:
										_t305 = 0;
										__eflags = 0 -  *(_t443 - 0x10);
										if(__eflags >= 0) {
											L59:
											if(__eflags == 0) {
												goto L80;
											}
											goto L60;
										} else {
											goto L54;
										}
										while(1) {
											L54:
											_t401 =  *(_t443 - 0x5c);
											__eflags =  *((char*)(_t305 + _t401));
											if( *((char*)(_t305 + _t401)) == 0) {
												break;
											}
											_t305 = _t305 + 1;
											__eflags = _t305 -  *(_t443 - 0x10);
											if(_t305 <  *(_t443 - 0x10)) {
												continue;
											}
											L58:
											__eflags = _t305 -  *(_t443 - 0x10);
											goto L59;
										}
										 *(_t443 - 0x3c) = _t305;
										goto L58;
									}
									 *(_t443 + 8) =  *(_t443 + 8) & 0x00000000;
									__eflags = _t304;
									if(__eflags <= 0) {
										goto L53;
									} else {
										goto L50;
									}
									while(1) {
										L50:
										_t314 = E0040EB3D(_t361, _t431, __eflags);
										__eflags = _t314 -  *(_t443 - 0x14);
										if(_t314 >=  *(_t443 - 0x14)) {
											goto L79;
										}
										_t315 = _t314 +  *((intOrPtr*)(_t443 - 0x68));
										__eflags =  *_t315;
										if( *_t315 != 0) {
											goto L79;
										}
										 *(_t443 + 8) =  *(_t443 + 8) + 1;
										 *_t315 = 1;
										__eflags =  *(_t443 + 8) -  *(_t443 - 0x24);
										if(__eflags < 0) {
											continue;
										}
										goto L53;
									}
									goto L79;
								} else {
									goto L43;
								}
								while(1) {
									L43:
									_t317 = E0040EB3D( *((intOrPtr*)(_t441 + 0x38)), _t431, __eflags);
									__eflags = _t317 -  *(_t443 - 0x14);
									if(_t317 >=  *(_t443 - 0x14)) {
										goto L78;
									}
									_t318 = _t317 +  *((intOrPtr*)(_t443 - 0x68));
									__eflags =  *_t318;
									if(__eflags != 0) {
										goto L78;
									}
									 *_t318 = 1;
									_t319 = E0040EB3D( *((intOrPtr*)(_t441 + 0x38)), _t431, __eflags);
									_t407 =  *(_t443 - 0x10);
									__eflags = _t319 - _t407;
									if(_t319 >= _t407) {
										goto L77;
									}
									_t431 =  *(_t443 - 0x5c);
									_t320 = _t319 + _t431;
									__eflags =  *_t320;
									if( *_t320 != 0) {
										goto L77;
									}
									 *(_t443 + 8) =  *(_t443 + 8) + 1;
									 *_t320 = 1;
									__eflags =  *(_t443 + 8) - _t407 - 1;
									if(__eflags < 0) {
										continue;
									}
									goto L48;
								}
								goto L78;
							} else {
								 *(_t443 - 0x3c) =  *(_t443 - 0x3c) & 0x00000000;
								 *(_t443 - 0x24) = _t393;
								L60:
								_t362 =  *(_t443 - 0x2c);
								_t306 =  *((intOrPtr*)(_t443 - 0x1c));
								 *((intOrPtr*)( *((intOrPtr*)(_t436 + 0x2c)) + _t362 * 4)) = _t306;
								_t399 =  *((intOrPtr*)(_t443 - 0x30));
								 *((intOrPtr*)(_t443 - 0x1c)) = _t306 +  *(_t443 - 0x10);
								 *((intOrPtr*)( *((intOrPtr*)(_t436 + 0x30)) + _t362 * 4)) = _t399;
								if( *(_t443 - 0x24) >  *_t436 - _t399) {
									E0040E966(_t399);
								}
								 *((intOrPtr*)(_t443 - 0x30)) =  *((intOrPtr*)(_t443 - 0x30)) +  *(_t443 - 0x24);
								 *((char*)( *((intOrPtr*)(_t436 + 0x34)) + _t362)) =  *(_t443 - 0x3c);
								_t363 = _t362 + 1;
								 *(_t443 - 0x2c) = _t363;
								if(_t363 <  *((intOrPtr*)(_t443 - 0x18))) {
									_t354 =  *(_t443 - 0x34);
									_t373 = 0;
									__eflags = 0;
									continue;
								} else {
									goto L63;
								}
							}
						} else {
							goto L6;
						}
						while(1) {
							L6:
							_t361 =  *((intOrPtr*)(_t443 - 0x28));
							_t408 = _t361;
							_t322 = E0040E9B4(_t361);
							 *(_t443 + 0xb) = _t322;
							if((_t322 & 0x000000c0) != 0) {
								break;
							}
							_t333 = _t322 & 0x0000000f;
							 *(_t443 - 0x20) = _t333;
							if(_t333 > 8) {
								L72:
								_push(0x41de18);
								_push(_t443 + 0xf);
								L00418E02();
								goto L73;
							} else {
								if( *(_t443 - 0x20) >  *((intOrPtr*)(_t361 + 4)) -  *((intOrPtr*)(_t361 + 8))) {
									E0040E966(_t408);
								}
								_t337 =  *_t361 +  *((intOrPtr*)(_t361 + 8));
								 *((intOrPtr*)(_t443 - 0x40)) = _t337;
								 *(_t443 - 0x48) = 0;
								 *(_t443 - 0x44) = 0;
								 *(_t443 - 0x24) = 0;
								if( *(_t443 - 0x20) <= 0) {
									L15:
									 *((intOrPtr*)(_t361 + 8)) =  *((intOrPtr*)(_t361 + 8)) +  *(_t443 - 0x20);
									if( *((intOrPtr*)(_t436 + 0x50)) < 0x80) {
										E00410B9E(_t436 + 0x4c,  *(_t443 - 0x48),  *(_t443 - 0x44));
									}
									_t460 =  *(_t443 + 0xb) & 0x00000010;
									 *(_t443 - 0x24) = 1;
									if(( *(_t443 + 0xb) & 0x00000010) == 0) {
										L20:
										 *(_t443 - 0x14) =  *(_t443 - 0x14) +  *(_t443 - 0x24);
										if( *(_t443 - 0x14) > 0x40) {
											goto L75;
										}
										_t464 =  *(_t443 + 0xb) & 0x00000020;
										if(( *(_t443 + 0xb) & 0x00000020) != 0) {
											_t342 = E0040EB3D(_t361, _t431, _t464);
											 *(_t443 + 8) = _t342;
											_t414 =  *((intOrPtr*)(_t361 + 4)) -  *((intOrPtr*)(_t361 + 8));
											if(_t342 >  *((intOrPtr*)(_t361 + 4)) -  *((intOrPtr*)(_t361 + 8))) {
												E0040E966(_t414);
												_t342 =  *(_t443 + 8);
											}
											if( *(_t443 - 0x48) != 0x21 ||  *(_t443 - 0x44) != 0) {
												__eflags =  *(_t443 - 0x48) - 0x30101;
												if( *(_t443 - 0x48) == 0x30101) {
													__eflags =  *(_t443 - 0x44);
													if( *(_t443 - 0x44) == 0) {
														__eflags = _t342 - 5;
														if(_t342 == 5) {
															_t415 =  *((intOrPtr*)(_t441 + 0x38));
															_t431 =  *(_t415 + 8);
															_t417 =  *((intOrPtr*)(_t431 +  *_t415 + 1));
															__eflags =  *((intOrPtr*)(_t436 + 0x48)) - _t417;
															if( *((intOrPtr*)(_t436 + 0x48)) < _t417) {
																 *((intOrPtr*)(_t436 + 0x48)) = _t417;
															}
														}
													}
												}
											} else {
												if(_t342 == 1) {
													_t418 =  *((intOrPtr*)(_t441 + 0x38));
													_t431 =  *(_t418 + 8);
													_t420 =  *((intOrPtr*)(_t431 +  *_t418));
													if( *((intOrPtr*)(_t436 + 0x44)) < _t420) {
														 *((char*)(_t436 + 0x44)) = _t420;
													}
												}
											}
											 *((intOrPtr*)(_t361 + 8)) =  *((intOrPtr*)(_t361 + 8)) + _t342;
										}
										 *(_t443 - 0x38) =  *(_t443 - 0x38) + 1;
										if( *(_t443 - 0x38) <  *(_t443 - 0x10)) {
											continue;
										} else {
											_t285 =  *(_t443 - 0x10);
											goto L37;
										}
									} else {
										_t344 = E0040EB3D(_t361, _t431, _t460);
										_t461 = _t344 - 0x40;
										 *(_t443 - 0x24) = _t344;
										if(_t344 > 0x40) {
											L73:
											_push(0x41de18);
											_push(_t443 + 0xf);
											L00418E02();
											L74:
											_push(0x41de18);
											_push(_t443 + 0xf);
											L00418E02();
											L75:
											_push(0x41de18);
											_push(_t443 + 0xf);
											L00418E02();
											goto L76;
										}
										if(E0040EB3D(_t361, _t431, _t461) != 1) {
											goto L74;
										}
										goto L20;
									}
								} else {
									while(1) {
										asm("cdq");
										_t364 = _t431;
										_t431 =  *(_t443 - 0x44);
										_t425 = 8;
										_t349 = E004190E0( *(_t443 - 0x48), _t425, _t431);
										 *(_t443 - 0x24) =  *(_t443 - 0x24) + 1;
										 *(_t443 - 0x48) =  *( *(_t443 - 0x24) + _t337) & 0x000000ff | _t349;
										 *(_t443 - 0x44) = _t364 | _t431;
										if( *(_t443 - 0x24) >=  *(_t443 - 0x20)) {
											break;
										}
										_t337 =  *((intOrPtr*)(_t443 - 0x40));
									}
									_t436 =  *((intOrPtr*)(_t443 + 0xc));
									_t361 =  *((intOrPtr*)(_t443 - 0x28));
									goto L15;
								}
							}
						}
						_push(0x41de18);
						_push(_t443 + 0xf);
						L00418E02();
						goto L72;
					}
					_push(0x41de18);
					_push(_t443 + 0xf);
					L00418E02();
					L82:
					E0040EA33( *((intOrPtr*)(_t441 + 0x38)), _t431);
					while(1) {
						L67:
						_t278 = E0040EA46( *((intOrPtr*)(_t441 + 0x38)));
						if((_t278 | _t431) == 0) {
							break;
						}
						if(_t278 != 0xa || _t431 != 0) {
							goto L82;
						} else {
							E0040F1EC(_t441, _t431,  *((intOrPtr*)(_t443 - 0x18)), _t436 + 0xc);
							continue;
						}
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t443 - 0xc));
					return _t278;
				}
			}

0x0040f313
0x0040f321
0x0040f325
0x0040f32d
0x0040f332
0x0040f336
0x0040f33a
0x0040f33d
0x0040f346
0x0040f34a
0x0040f352
0x0040f35b
0x0040f360
0x0040f365
0x0040f368
0x0040f373
0x0040f380
0x0040f38d
0x0040f392
0x0040f394
0x0040f397
0x0040f39a
0x0040f39d
0x0040f3a0
0x0040f3a3
0x0040f3a9
0x0040f3ac
0x0040f3b0
0x0040f3b3
0x0040f3b6
0x0040f3b9
0x0040f6bd
0x0040f6cc
0x0040f6d1
0x0040f6d5
0x0040f6de
0x0040f6ea
0x0040f6ef
0x0040f6f5
0x0040f6fa
0x0040f6fc
0x0040f705
0x0040f70a
0x0040f718
0x0040f71d
0x0040f726
0x0040f72b
0x0040f732
0x0040f73d
0x0040f745
0x0040f747
0x0040f74a
0x0040f74f
0x0040f752
0x0040f755
0x0040f759
0x0040f759
0x0040f747
0x00000000
0x0040f3bf
0x0040f3c6
0x0040f3c9
0x0040f3cc
0x0040f3da
0x0040f3df
0x0040f3e2
0x0040f3e9
0x0040f3ec
0x00000000
0x00000000
0x0040f3fb
0x0040f401
0x0040f58e
0x0040f576
0x0040f578
0x0040f57b
0x0040f593
0x0040f597
0x0040f599
0x0040f7f6
0x0040f7f9
0x0040f804
0x0040f805
0x0040f80a
0x0040f80d
0x0040f818
0x0040f819
0x0040f81e
0x0040f821
0x0040f82c
0x0040f82d
0x0040f832
0x0040f835
0x0040f840
0x0040f841
0x0040f846
0x0040f849
0x0040f854
0x0040f855
0x00000000
0x0040f855
0x0040f5a2
0x0040f5a7
0x0040f5ad
0x0040f5b5
0x0040f5ba
0x0040f5bc
0x0040f60f
0x0040f616
0x0040f618
0x0040f61b
0x0040f61e
0x0040f654
0x0040f654
0x0040f656
0x0040f659
0x0040f672
0x0040f672
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f65b
0x0040f65b
0x0040f65b
0x0040f65e
0x0040f662
0x00000000
0x00000000
0x0040f664
0x0040f665
0x0040f668
0x00000000
0x00000000
0x0040f66f
0x0040f66f
0x00000000
0x0040f66f
0x0040f66c
0x00000000
0x0040f66c
0x0040f620
0x0040f624
0x0040f626
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f628
0x0040f628
0x0040f62a
0x0040f62f
0x0040f632
0x00000000
0x00000000
0x0040f63b
0x0040f63d
0x0040f640
0x00000000
0x00000000
0x0040f646
0x0040f649
0x0040f64f
0x0040f652
0x00000000
0x00000000
0x00000000
0x0040f652
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f5be
0x0040f5be
0x0040f5c1
0x0040f5c6
0x0040f5c9
0x00000000
0x00000000
0x0040f5d2
0x0040f5d4
0x0040f5d7
0x00000000
0x00000000
0x0040f5dd
0x0040f5e3
0x0040f5e8
0x0040f5eb
0x0040f5ed
0x00000000
0x00000000
0x0040f5f3
0x0040f5f6
0x0040f5f8
0x0040f5fb
0x00000000
0x00000000
0x0040f601
0x0040f604
0x0040f60a
0x0040f60d
0x00000000
0x00000000
0x00000000
0x0040f60d
0x00000000
0x0040f582
0x0040f582
0x0040f586
0x0040f678
0x0040f67b
0x0040f67e
0x0040f681
0x0040f687
0x0040f68a
0x0040f690
0x0040f69a
0x0040f69c
0x0040f69c
0x0040f6a7
0x0040f6ad
0x0040f6b0
0x0040f6b4
0x0040f6b7
0x0040f3c1
0x0040f3c4
0x0040f3c4
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f6b7
0x00000000
0x00000000
0x00000000
0x0040f407
0x0040f407
0x0040f407
0x0040f40a
0x0040f40c
0x0040f413
0x0040f416
0x00000000
0x00000000
0x0040f41c
0x0040f422
0x0040f425
0x0040f7a6
0x0040f7a9
0x0040f7b4
0x0040f7b5
0x00000000
0x0040f42b
0x0040f434
0x0040f436
0x0040f436
0x0040f440
0x0040f447
0x0040f44a
0x0040f44d
0x0040f450
0x0040f453
0x0040f48f
0x0040f497
0x0040f4a1
0x0040f4ac
0x0040f4ac
0x0040f4b1
0x0040f4b5
0x0040f4bc
0x0040f4e1
0x0040f4e4
0x0040f4eb
0x00000000
0x00000000
0x0040f4f1
0x0040f4f5
0x0040f4f9
0x0040f501
0x0040f504
0x0040f509
0x0040f50b
0x0040f510
0x0040f510
0x0040f517
0x0040f539
0x0040f540
0x0040f542
0x0040f546
0x0040f548
0x0040f54b
0x0040f54d
0x0040f550
0x0040f555
0x0040f559
0x0040f55c
0x0040f55e
0x0040f55e
0x0040f55c
0x0040f54b
0x0040f546
0x0040f51f
0x0040f522
0x0040f524
0x0040f527
0x0040f52c
0x0040f532
0x0040f534
0x0040f534
0x0040f532
0x0040f522
0x0040f561
0x0040f561
0x0040f564
0x0040f56d
0x00000000
0x0040f573
0x0040f573
0x00000000
0x0040f573
0x0040f4be
0x0040f4c0
0x0040f4c5
0x0040f4c8
0x0040f4cb
0x0040f7ba
0x0040f7bd
0x0040f7c8
0x0040f7c9
0x0040f7ce
0x0040f7d1
0x0040f7dc
0x0040f7dd
0x0040f7e2
0x0040f7e5
0x0040f7f0
0x0040f7f1
0x00000000
0x0040f7f1
0x0040f4db
0x00000000
0x00000000
0x00000000
0x0040f4db
0x0040f455
0x0040f45a
0x0040f463
0x0040f469
0x0040f46b
0x0040f46e
0x0040f46f
0x0040f478
0x0040f47b
0x0040f481
0x0040f487
0x00000000
0x00000000
0x0040f457
0x0040f457
0x0040f489
0x0040f48c
0x00000000
0x0040f48c
0x0040f453
0x0040f425
0x0040f795
0x0040f7a0
0x0040f7a1
0x00000000
0x0040f7a1
0x0040f85d
0x0040f868
0x0040f869
0x0040f86e
0x0040f871
0x0040f75f
0x0040f75f
0x0040f762
0x0040f76b
0x00000000
0x00000000
0x0040f774
0x00000000
0x0040f782
0x0040f78b
0x00000000
0x0040f78b
0x0040f774
0x0040f881
0x0040f889
0x0040f889

APIs

__EH_prolog.LIBCMT ref: 0040F313

Part of subcall function 0040EB3D: _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EB60

memcpy.MSVCRT ref: 0040F705
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7A1
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7B5
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7C9
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7DD
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F7F1
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F805
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F819
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F82D
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F841
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F855
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F869

Part of subcall function 0040E966: _CxxThrowException.MSVCRT(?,0041DDD8), ref: 0040E979

Strings

@, xrefs: 0040F4E7
, xrefs: 0040F4F1
!, xrefs: 0040F513

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: ExceptionThrow$H_prologmemcpy
String ID: $!$@
API String ID: 3273695820-2517134481
Opcode ID: 009ab704528832d8b16fb1e058230fc7f2265cacff4db05c787c47a6afb7277e
Instruction ID: a27f184481075ffe3955191de69d9ea92fdf604195ce2ec282d718430c25bf8c
Opcode Fuzzy Hash: 009ab704528832d8b16fb1e058230fc7f2265cacff4db05c787c47a6afb7277e
Instruction Fuzzy Hash: A5127074A01249EFCF24DFA5C5819EDBBB1BF09304F10847EE845AB792C738A995CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004143E0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 81
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E004143E0() {
				_Unknown_base(*)()* _t24;
				signed int _t25;
				intOrPtr _t26;
				struct HINSTANCE__* _t29;
				intOrPtr _t30;
				short* _t39;
				intOrPtr* _t46;
				signed int _t47;
				void* _t48;

				 *((intOrPtr*)(_t48 + 0xc)) = 0x114;
				if(GetVersionExW(_t48 + 4) == 0 ||  *((intOrPtr*)(_t48 + 0xc)) != 6 ||  *((intOrPtr*)(_t48 + 0x10)) != 0) {
					_t24 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetDefaultDllDirectories");
					if(_t24 == 0) {
						goto L5;
					} else {
						_t25 =  *_t24(0xc00);
						if(_t25 == 0) {
							goto L5;
						}
					}
				} else {
					L5:
					_t25 = GetSystemDirectoryW(_t48 + 0x11c, 0x106);
					if(_t25 != 0 && _t25 <= 0x104) {
						_t25 = lstrlenW(_t48 + 0x11c);
						_t47 = _t25;
						if( *((short*)(_t48 + 0x11a + _t47 * 2)) != 0x5c) {
							 *((short*)(_t48 + 0x11c + _t47 * 2)) = 0x5c;
							_t47 = _t47 + 1;
						}
						_t46 =  *0x41c1cc; // 0x41c1d0
						if( *_t46 != 0) {
							do {
								_t26 =  *_t46;
								_t46 = _t46 + 1;
								 *((short*)(_t48 + 0x124 + _t47 * 2)) = 0;
								if(_t26 == 0) {
									goto L14;
								}
								_t39 = _t48 + 0x126 + _t47 * 2;
								do {
									_t30 =  *_t46;
									_t46 = _t46 + 1;
									 *_t39 = 0;
									_t39 = _t39 + 2;
								} while (_t30 != 0);
								L14:
								lstrcatW(_t48 + 0x124, L".dll");
								_t29 = LoadLibraryExW(_t48 + 0x124, 0, 8);
							} while ( *_t46 != 0);
							return _t29;
						}
					}
				}
				return _t25;
			}

0x004143ed
0x004143fd
0x0041441f
0x00414427
0x00000000
0x00414429
0x0041442e
0x00414432
0x00000000
0x00000000
0x00414432
0x00414438
0x00414438
0x00414445
0x0041444d
0x00414466
0x0041446c
0x00414477
0x00414479
0x00414483
0x00414483
0x00414484
0x0041448d
0x0041449d
0x0041449d
0x004144a2
0x004144a7
0x004144af
0x00000000
0x00000000
0x004144b1
0x004144b8
0x004144b8
0x004144bf
0x004144c0
0x004144c3
0x004144c6
0x004144ca
0x004144d7
0x004144e5
0x004144e7
0x00000000
0x004144ed
0x0041448d
0x0041444d
0x004144f6

APIs

GetVersionExW.KERNEL32 ref: 004143F5
GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories), ref: 00414418
GetProcAddress.KERNEL32(00000000), ref: 0041441F
GetSystemDirectoryW.KERNEL32(?,00000106), ref: 00414445
lstrlenW.KERNEL32(?), ref: 00414466
lstrcatW.KERNEL32(?,.dll), ref: 004144D7
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,00000000), ref: 004144E5

Strings

kernel32.dll, xrefs: 00414413
\, xrefs: 0041446E
\, xrefs: 00414479
.dll, xrefs: 004144D1
SetDefaultDllDirectories, xrefs: 0041440E

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemVersionlstrcatlstrlen
String ID: .dll$SetDefaultDllDirectories$\$\$kernel32.dll
API String ID: 532070074-471922092
Opcode ID: ae18c3a299c0fc34f521af23ecae2155342ef2f81c69c2ab57d08f5bd9fad663
Instruction ID: d987fb0205f110b4e88cb17dd8f0118f17295e0edb0f928e64eab48f7225754e
Opcode Fuzzy Hash: ae18c3a299c0fc34f521af23ecae2155342ef2f81c69c2ab57d08f5bd9fad663
Instruction Fuzzy Hash: 46219E312443049BD7349B609C44BD777E8AB98710F10882EE68593290E77CD585CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406C96 Relevance: 13.9, APIs: 11, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00406C96(signed int _a4, intOrPtr _a8, signed int* _a12) {
				void* _t27;
				signed int _t30;
				intOrPtr* _t33;
				void* _t34;
				void* _t35;
				void* _t37;
				signed int _t38;
				signed int* _t40;
				intOrPtr _t41;
				signed int _t42;

				_t41 = _a8;
				_t40 = _a12;
				_t35 = 0x10;
				 *_t40 =  *_t40 & 0x00000000;
				_push(_t35);
				_push(0x41c24c);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					L1:
					_t42 = _a4;
					 *_t40 = _t42;
					L24:
					 *((intOrPtr*)(_t42 + 0x28)) =  *((intOrPtr*)(_t42 + 0x28)) + 1;
					return 0;
				}
				_push(_t35);
				_push(0x41b320);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					goto L1;
				}
				_push(_t35);
				_push(0x41b280);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 4;
					L23:
					asm("sbb eax, eax");
					 *_t40 =  ~_t30 & _t38;
					goto L24;
				}
				_push(_t35);
				_push(0x41b260);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 8;
					goto L23;
				}
				_push(_t35);
				_push(0x41b2a0);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 0xc;
					goto L23;
				}
				_push(_t35);
				_push(0x41b3b0);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 0x10;
					goto L23;
				}
				_push(_t35);
				_push(0x41b290);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 0x14;
					goto L23;
				}
				_push(_t35);
				_push(0x41b3a0);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 0x18;
					goto L23;
				}
				_push(_t35);
				_push(0x41b360);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 0x1c;
					goto L23;
				}
				_push(_t35);
				_push(0x41b270);
				_push(_t41);
				L00418DA0();
				if(_t27 == 0) {
					_t42 = _a4;
					_t30 = _t42;
					_t38 = _t42 + 0x20;
					goto L23;
				}
				_push(_t35);
				_push(0x41b300);
				_push(_t41);
				L00418DA0();
				if(_t27 != 0) {
					return 0x80004002;
				}
				_t42 = _a4;
				_t37 = _t42 + 0x64;
				if( *((intOrPtr*)(_t42 + 0x64)) != _t27) {
					L22:
					_t30 = _t42;
					_t38 = _t42 + 0x24;
					goto L23;
				}
				_t33 =  *((intOrPtr*)(_t42 + 0x68));
				_t34 =  *((intOrPtr*)( *_t33))(_t33, 0x41b300, _t37);
				if(_t34 == 0) {
					goto L22;
				}
				return _t34;
			}

0x00406c9b
0x00406c9f
0x00406ca4
0x00406ca5
0x00406ca8
0x00406ca9
0x00406cae
0x00406caf
0x00406cb9
0x00406cbb
0x00406cbb
0x00406cbe
0x00406e09
0x00406e09
0x00000000
0x00406e0c
0x00406cc5
0x00406cc6
0x00406ccb
0x00406ccc
0x00406cd6
0x00000000
0x00000000
0x00406cd8
0x00406cd9
0x00406cde
0x00406cdf
0x00406ce9
0x00406ceb
0x00406cee
0x00406cf0
0x00406e01
0x00406e03
0x00406e07
0x00000000
0x00406e07
0x00406cf8
0x00406cf9
0x00406cfe
0x00406cff
0x00406d09
0x00406d0b
0x00406d0e
0x00406d10
0x00000000
0x00406d10
0x00406d18
0x00406d19
0x00406d1e
0x00406d1f
0x00406d29
0x00406d2b
0x00406d2e
0x00406d30
0x00000000
0x00406d30
0x00406d38
0x00406d39
0x00406d3e
0x00406d3f
0x00406d49
0x00406d4b
0x00406d4e
0x00406d50
0x00000000
0x00406d50
0x00406d58
0x00406d59
0x00406d5e
0x00406d5f
0x00406d69
0x00406d6b
0x00406d6e
0x00406d70
0x00000000
0x00406d70
0x00406d78
0x00406d79
0x00406d7e
0x00406d7f
0x00406d89
0x00406d8b
0x00406d8e
0x00406d90
0x00000000
0x00406d90
0x00406d95
0x00406d96
0x00406d9b
0x00406d9c
0x00406da6
0x00406da8
0x00406dab
0x00406dad
0x00000000
0x00406dad
0x00406db2
0x00406db3
0x00406db8
0x00406db9
0x00406dc3
0x00406dc5
0x00406dc8
0x00406dca
0x00000000
0x00406dca
0x00406dcf
0x00406dd5
0x00406dd6
0x00406dd7
0x00406de1
0x00000000
0x00406e10
0x00406de3
0x00406de9
0x00406dec
0x00406dfc
0x00406dfc
0x00406dfe
0x00000000
0x00406dfe
0x00406dee
0x00406df6
0x00406dfa
0x00000000
0x00000000
0x00406e19

APIs

memcmp.MSVCRT ref: 00406CAF
memcmp.MSVCRT ref: 00406CCC
memcmp.MSVCRT ref: 00406CDF

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 35e1d9353c972ffb1d5c621511119ceb4edb1679282bba52ecb09f52cd819193
Instruction ID: 51bef7657f4b217767cf2214e4817ef679418496c32ecdcb676d7bec614d087e
Opcode Fuzzy Hash: 35e1d9353c972ffb1d5c621511119ceb4edb1679282bba52ecb09f52cd819193
Instruction Fuzzy Hash: 12417575A00718ABE6105A11EC41AEB736CDE64758B11002AFC4BB7681EB38AEA486DD

Uniqueness

Uniqueness Score: -1.00%

Function 00404C22 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404C22() {
				CHAR* _t7;

				_t7 = "kernel32.dll";
				 *0x41f16c = GetProcAddress(GetModuleHandleA(_t7), "FindFirstStreamW");
				 *0x41f168 = GetProcAddress(GetModuleHandleA(_t7), "FindNextStreamW");
				return 0x41f164;
			}

0x00404c3b
0x00404c59
0x00404c63
0x00404c6e

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,FindFirstStreamW), ref: 00404C48
GetProcAddress.KERNEL32(00000000), ref: 00404C51
GetModuleHandleA.KERNEL32(kernel32.dll,FindNextStreamW), ref: 00404C5E
GetProcAddress.KERNEL32(00000000), ref: 00404C61

Strings

kernel32.dll, xrefs: 00404C3B, 00404C47, 00404C58
FindFirstStreamW, xrefs: 00404C40
FindNextStreamW, xrefs: 00404C53

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
API String ID: 1646373207-4044117955
Opcode ID: a0e0ffeeea9361e73f572bd643a1eadea7e86d774db87774120aa9dc83c52679
Instruction ID: b848578b948c886adf4ab909bcc43a8b23ab1992de3229df41bf613d256c2862
Opcode Fuzzy Hash: a0e0ffeeea9361e73f572bd643a1eadea7e86d774db87774120aa9dc83c52679
Instruction Fuzzy Hash: 08E012B1A45318BA960067B9AC848A7BA9CD9D93623154437A214E3250D6F95C458BD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE2C Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 226
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040EE2C(signed int** __ecx, signed int __edx, void* __eflags, signed int* _a4, char _a7) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				signed int** _v44;
				signed int _v48;
				void* __ebp;
				signed int* _t111;
				signed int* _t113;
				signed int* _t114;
				intOrPtr _t121;
				signed int _t123;
				intOrPtr _t129;
				intOrPtr _t130;
				signed int _t134;
				signed int _t138;
				signed int _t145;
				signed int _t148;
				signed int** _t149;
				signed int _t157;
				signed int _t162;
				void* _t170;
				signed int** _t175;
				signed int _t177;
				intOrPtr* _t180;
				intOrPtr _t181;
				signed int _t182;
				intOrPtr* _t183;
				signed int* _t185;

				_t173 = __edx;
				_t175 = __ecx;
				_v44 = __ecx;
				_t148 = E0040EB3D(__ecx, __edx, __eflags);
				_v28 = _t148;
				if(_t148 == 0) {
					_push(0x41de18);
					_push( &_a7);
					L00418E02();
				}
				_push(_t148);
				E00410BF8(_a4);
				_v16 = 0;
				_v12 = 0;
				if(_t148 <= 0) {
					L22:
					_t111 = _a4;
					_t148 = _t148 - 1;
					_t66 = _t111 + 8; // 0x8
					_t180 = _t66;
					_v28 = _t180;
					E00410C85(_t180, _t148);
					_v12 = _v12 & 0x00000000;
					_t197 = _t148;
					if(_t148 > 0) {
						goto L27;
					}
				} else {
					_v24 = 0;
					while(1) {
						_t185 = _v24 +  *_a4;
						_t123 = E0040E9B4(_t175);
						_v5 = _t123;
						if((_t123 & 0x000000c0) != 0) {
							break;
						}
						_t162 = _t123 & 0x0000000f;
						_v40 = _t162;
						if(_t162 > 8) {
							L25:
							_push(0x41de18);
							_push( &_a7);
							L00418E02();
							L26:
							_t180 = _v28;
							L27:
							_t183 =  *_t180 + _v12 * 8;
							 *_t183 = E0040EB3D(_t175, _t173, _t197);
							_t121 = E0040EB3D(_t175, _t173, _t197);
							_v12 = _v12 + 1;
							 *((intOrPtr*)(_t183 + 4)) = _t121;
							if(_v12 < _t148) {
								goto L26;
							}
						} else {
							_t129 =  *((intOrPtr*)(_t175 + 8));
							_t173 =  *((intOrPtr*)(_t175 + 4)) - _t129;
							if(_t162 > _t173) {
								goto L25;
							} else {
								_t130 = _t129 +  *_t175;
								_t148 = 0;
								_v48 = _v48 & 0;
								_v20 = _v20 & 0;
								_v32 = _t130;
								if(_t162 > 0) {
									while(1) {
										asm("cdq");
										_t170 = 8;
										_v36 =  *(_v20 + _t130) & 0x000000ff;
										_t177 = _t173;
										_t173 = _v48;
										_t145 = E004190E0(_t148, _t170, _t173);
										_v20 = _v20 + 1;
										_t148 = _v36 | _t145;
										_t162 = _v40;
										_v48 = _t177 | _t173;
										if(_v20 >= _t162) {
											break;
										}
										_t130 = _v32;
									}
									_t175 = _v44;
								}
								_t194 = _v5 & 0x00000010;
								 *((intOrPtr*)(_t175 + 8)) =  *((intOrPtr*)(_t175 + 8)) + _t162;
								 *_t185 = _t148;
								_t185[1] = _v48;
								if((_v5 & 0x00000010) == 0) {
									_t185[4] = 1;
								} else {
									_t185[4] = E0040EB3D(_t175, _t173, _t194);
									E0040EB3D(_t175, _t173, _t194);
								}
								_t195 = _v5 & 0x00000020;
								if((_v5 & 0x00000020) == 0) {
									_t134 = _t185[2];
									__eflags = _t134;
									if(_t134 != 0) {
										E00403204(_t134, _t134);
										_t51 =  &(_t185[2]);
										 *_t51 = _t185[2] & 0x00000000;
										__eflags =  *_t51;
									}
									_t53 =  &(_t185[3]);
									 *_t53 = _t185[3] & 0x00000000;
									__eflags =  *_t53;
								} else {
									_t138 = E0040EB3D(_t175, _t173, _t195);
									_t148 =  &(_t185[2]);
									_v40 = _t138;
									E00407AB8(_t148, _t138);
									E0040E9D2(_t175,  *_t148, _v40);
								}
								_v24 = _v24 + 0x18;
								_v16 = _v16 + _t185[4];
								_v12 = _v12 + 1;
								if(_v12 < _v28) {
									continue;
								} else {
									_t148 = _v28;
									goto L22;
								}
							}
						}
						goto L28;
					}
					_push(0x41de18);
					_push( &_a7);
					L00418E02();
					goto L25;
				}
				L28:
				_t181 = _v16;
				if(_t181 < _t148) {
					_push(0x41de18);
					_push( &_a7);
					L00418E02();
				}
				_t113 = _a4;
				_t182 = _t181 - _t148;
				_t89 = _t113 + 0x10; // 0x10
				_t149 = _t89;
				_v44 = _t149;
				_t114 = E00410CC3(_t149, _t182);
				if(_t182 != 1) {
					L44:
					_v12 = _v12 & 0x00000000;
					_t209 = _t182;
					if(_t182 > 0) {
						while(1) {
							_t114 = E0040EB3D(_t175, _t173, _t209);
							_v12 = _v12 + 1;
							( *_t149)[_v12] = _t114;
							if(_v12 >= _t182) {
								goto L48;
							}
							_t149 = _v44;
						}
					}
				} else {
					_t173 = 0;
					if(_v16 > 0) {
						_t114 = _a4;
						_t182 = _t114[3];
						do {
							_t157 = 0;
							if(_t182 <= 0) {
								L37:
								_t157 = _t157 | 0xffffffff;
							} else {
								_t114 =  *_v28;
								while( *_t114 != _t173) {
									_t157 = _t157 + 1;
									_t114 =  &(_t114[2]);
									if(_t157 < _t182) {
										continue;
									} else {
										goto L37;
									}
									goto L38;
								}
							}
							L38:
							if(_t157 < 0) {
								_t114 =  *_t149;
								 *_t114 = _t173;
							} else {
								goto L39;
							}
							goto L42;
							L39:
							_t173 = _t173 + 1;
						} while (_t173 < _v16);
					}
					L42:
					if(_t173 == _v16) {
						_push(0x41de18);
						_t114 =  &_a7;
						_push(_t114);
						L00418E02();
						goto L44;
					}
				}
				L48:
				return _t114;
			}

0x0040ee2c
0x0040ee35
0x0040ee37
0x0040ee3f
0x0040ee45
0x0040ee48
0x0040ee4d
0x0040ee58
0x0040ee59
0x0040ee59
0x0040ee61
0x0040ee62
0x0040ee69
0x0040ee6c
0x0040ee6f
0x0040ef8a
0x0040ef8a
0x0040ef8d
0x0040ef8f
0x0040ef8f
0x0040ef94
0x0040ef97
0x0040ef9c
0x0040efa0
0x0040efa2
0x00000000
0x0040efa4
0x0040ee75
0x0040ee75
0x0040ee78
0x0040ee80
0x0040ee82
0x0040ee89
0x0040ee8c
0x00000000
0x00000000
0x0040ee95
0x0040ee9a
0x0040ee9d
0x0040efba
0x0040efbd
0x0040efc8
0x0040efc9
0x0040efce
0x0040efce
0x0040efd1
0x0040efd6
0x0040efe2
0x0040efe4
0x0040efe9
0x0040efec
0x0040eff2
0x00000000
0x00000000
0x0040eea3
0x0040eea3
0x0040eea9
0x0040eead
0x00000000
0x0040eeb3
0x0040eeb3
0x0040eeb5
0x0040eeb7
0x0040eeba
0x0040eebf
0x0040eec2
0x0040eec9
0x0040eed2
0x0040eed5
0x0040eed6
0x0040eed9
0x0040eedb
0x0040eee0
0x0040eeec
0x0040eeef
0x0040eef1
0x0040eef7
0x0040eefa
0x00000000
0x00000000
0x0040eec6
0x0040eec6
0x0040eefc
0x0040eefc
0x0040ef04
0x0040ef08
0x0040ef0e
0x0040ef10
0x0040ef13
0x0040ef28
0x0040ef15
0x0040ef1e
0x0040ef21
0x0040ef21
0x0040ef2f
0x0040ef33
0x0040ef58
0x0040ef5b
0x0040ef5d
0x0040ef60
0x0040ef65
0x0040ef65
0x0040ef65
0x0040ef69
0x0040ef6a
0x0040ef6a
0x0040ef6a
0x0040ef35
0x0040ef37
0x0040ef3c
0x0040ef42
0x0040ef45
0x0040ef51
0x0040ef51
0x0040ef71
0x0040ef75
0x0040ef78
0x0040ef81
0x00000000
0x0040ef87
0x0040ef87
0x00000000
0x0040ef87
0x0040ef81
0x0040eead
0x00000000
0x0040ee9d
0x0040efa9
0x0040efb4
0x0040efb5
0x00000000
0x0040efb5
0x0040eff4
0x0040eff4
0x0040eff9
0x0040effe
0x0040f009
0x0040f00a
0x0040f00a
0x0040f00f
0x0040f012
0x0040f015
0x0040f015
0x0040f01a
0x0040f01d
0x0040f025
0x0040f077
0x0040f077
0x0040f07b
0x0040f07d
0x0040f084
0x0040f088
0x0040f090
0x0040f096
0x0040f099
0x00000000
0x00000000
0x0040f081
0x0040f081
0x0040f084
0x0040f027
0x0040f027
0x0040f02c
0x0040f02e
0x0040f031
0x0040f034
0x0040f034
0x0040f038
0x0040f04b
0x0040f04b
0x0040f03a
0x0040f03d
0x0040f03f
0x0040f043
0x0040f044
0x0040f049
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f049
0x0040f03f
0x0040f04e
0x0040f050
0x0040f05a
0x0040f05c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f052
0x0040f052
0x0040f053
0x0040f058
0x0040f05e
0x0040f061
0x0040f066
0x0040f06e
0x0040f071
0x0040f072
0x00000000
0x0040f072
0x0040f061
0x0040f09f
0x0040f09f

APIs

Part of subcall function 0040EB3D: _CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EB60

_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EE59
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EFB5
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040EFC9
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F00A
_CxxThrowException.MSVCRT(?,0041DE18), ref: 0040F072

Part of subcall function 00403204: free.MSVCRT(00000000,004037A4,?,?,00000000,?,?,?,00403083,?,?,?,?,00000000,0040108B), ref: 00403208

Strings

, xrefs: 0040EF2F

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: ExceptionThrow$free
String ID:
API String ID: 3129652135-3916222277
Opcode ID: e26337be683b5af4c30aef131a22ba05f72600e83a284499b723228e6f86e7e5
Instruction ID: b719d39ac1e1c0dfc465c254aa8864d8cdc5b6410d67c82479710a15fcd5db0f
Opcode Fuzzy Hash: e26337be683b5af4c30aef131a22ba05f72600e83a284499b723228e6f86e7e5
Instruction Fuzzy Hash: 7F918271E00309ABCF14DFA5C4815AEBBB5AF49314F10847FE855BB382C738AA958B94

Uniqueness

Uniqueness Score: -1.00%

Function 004065FE Relevance: 6.3, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E004065FE(signed int _a4, intOrPtr _a8, signed int* _a12) {
				void* _t12;
				signed int _t13;
				signed int _t16;
				signed int _t19;
				intOrPtr _t20;
				signed int* _t21;

				_t21 = _a12;
				_t20 = _a8;
				 *_t21 =  *_t21 & 0x00000000;
				_push(0x10);
				_push(0x41c24c);
				_push(_t20);
				L00418DA0();
				if(_t12 != 0) {
					_push(0x10);
					_push(0x41b390);
					_push(_t20);
					L00418DA0();
					if(_t12 == 0) {
						goto L1;
					}
					_push(0x10);
					_push(0x41b370);
					_push(_t20);
					L00418DA0();
					if(_t12 != 0) {
						_push(0x10);
						_push(0x41b350);
						_push(_t20);
						L00418DA0();
						if(_t12 != 0) {
							_push(0x10);
							_push(0x41b340);
							_push(_t20);
							L00418DA0();
							if(_t12 != 0) {
								return 0x80004002;
							}
							_t13 = _a4;
							_t16 = _t13;
							_t19 = _t13 + 0xc;
							L9:
							asm("sbb ecx, ecx");
							 *_t21 =  ~_t16 & _t19;
							L10:
							 *((intOrPtr*)(_t13 + 0x10)) =  *((intOrPtr*)(_t13 + 0x10)) + 1;
							return 0;
						}
						_t13 = _a4;
						_t16 = _t13;
						_t19 = _t13 + 8;
						goto L9;
					}
					_t13 = _a4;
					_t16 = _t13;
					_t19 = _t13 + 4;
					goto L9;
				}
				L1:
				_t13 = _a4;
				 *_t21 = _t13;
				goto L10;
			}

0x00406602
0x00406606
0x00406609
0x0040660c
0x0040660e
0x00406613
0x00406614
0x0040661e
0x00406627
0x00406629
0x0040662e
0x0040662f
0x00406639
0x00000000
0x00000000
0x0040663b
0x0040663d
0x00406642
0x00406643
0x0040664d
0x00406659
0x0040665b
0x00406660
0x00406661
0x0040666b
0x00406677
0x00406679
0x0040667e
0x0040667f
0x00406689
0x00000000
0x004066a2
0x0040668b
0x0040668e
0x00406690
0x00406693
0x00406695
0x00406699
0x0040669b
0x0040669b
0x00000000
0x0040669e
0x0040666d
0x00406670
0x00406672
0x00000000
0x00406672
0x0040664f
0x00406652
0x00406654
0x00000000
0x00406654
0x00406620
0x00406620
0x00406623
0x00000000

APIs

memcmp.MSVCRT ref: 00406614
memcmp.MSVCRT ref: 0040662F
memcmp.MSVCRT ref: 00406643

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: fc4689e578dc1cf89ed0c55786c74f8cf84f4324eb775046ffdacad481ac018b
Instruction ID: a37c9b6fd46fbe13aac1983c9063a21cde19e2a8279128ea102ca4b182acfc17
Opcode Fuzzy Hash: fc4689e578dc1cf89ed0c55786c74f8cf84f4324eb775046ffdacad481ac018b
Instruction Fuzzy Hash: 9411E931740304A7D7104F15EC02FEA73A89B94714F15483EFC4ABA3C2E67AF9A0969D

Uniqueness

Uniqueness Score: -1.00%

Function 00404C6F Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00404C6F(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v604;
				intOrPtr _t8;
				intOrPtr* _t15;

				_t15 = __ecx;
				if(E00404B27(__ecx) == 0) {
					L6:
					return 0;
				}
				if( *0x41f16c != 0) {
					SetLastError(0);
					_t8 =  *0x41f16c(_a4, 0,  &_v604, 0);
					 *_t15 = _t8;
					if(_t8 != 0xffffffff || GetLastError() != 0x26) {
						if( *_t15 != 0xffffffff) {
							E00404CE3( &_v604, _a8);
							return 1;
						}
					}
					goto L6;
				}
				SetLastError(0x78);
				goto L6;
			}

0x00404c79
0x00404c82
0x00404cca
0x00000000
0x00404cca
0x00404c8b
0x00404c99
0x00404cad
0x00404cb6
0x00404cb8
0x00404cc8
0x00404cd7
0x00000000
0x00404cdc
0x00404cc8
0x00000000
0x00404cb8
0x00404c8f
0x00000000

APIs

Part of subcall function 00404B27: FindClose.KERNELBASE(00000000,000000FF,00404B58), ref: 00404B32

SetLastError.KERNEL32(00000078), ref: 00404C8F
SetLastError.KERNEL32(00000000), ref: 00404C99
FindFirstStreamW.KERNELBASE(?,00000000,?,00000000), ref: 00404CAD
GetLastError.KERNEL32 ref: 00404CBA

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: ErrorLast$Find$CloseFirstStream
String ID:
API String ID: 4071060300-0
Opcode ID: e8f944988b9cb325842934f4d91b529ed218fe4a6d3146ed212e3958b088d38e
Instruction ID: e0df3afe617d72e22a27f99f1303fe5809e056bbf20cba425ebf9683b02a63d2
Opcode Fuzzy Hash: e8f944988b9cb325842934f4d91b529ed218fe4a6d3146ed212e3958b088d38e
Instruction Fuzzy Hash: 05F0F970405605E7EB202F20DC0D79637249B91326F104336E665B72E0C7B89D8ACB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00409970 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00409970(void* __ecx, void* __eflags) {
				intOrPtr* _t106;
				intOrPtr* _t110;
				signed int _t111;
				intOrPtr* _t114;
				signed int _t115;
				intOrPtr* _t118;
				signed int _t119;
				intOrPtr* _t121;
				signed int _t122;
				signed int _t126;
				signed int _t129;
				char* _t130;
				char* _t133;
				void* _t138;
				intOrPtr _t141;
				intOrPtr _t161;
				void* _t175;
				void* _t176;
				signed int _t180;
				void* _t181;
				intOrPtr* _t182;
				void* _t186;
				void* _t187;
				void* _t188;
				void* _t190;

				E00418D80(E00419D58, _t190);
				_t188 = __ecx;
				_t106 = __ecx + 0xb0;
				_t182 = __ecx + 0xa8;
				 *((char*)(__ecx + 0xb8)) = 0;
				 *_t106 = 0;
				 *((intOrPtr*)(_t106 + 4)) = 0;
				 *_t182 = 0;
				 *((intOrPtr*)(_t182 + 4)) = 0;
				asm("sbb ecx, [ebp+0x10]");
				 *((intOrPtr*)(__ecx + 0xc8)) =  *((intOrPtr*)(__ecx + 0xc0)) -  *((intOrPtr*)(_t190 + 0xc));
				 *((intOrPtr*)(__ecx + 0xcc)) =  *((intOrPtr*)(__ecx + 0xc4));
				E00409944(__ecx + 0x10);
				 *(_t190 - 0x24) = 0;
				 *((short*)(_t190 - 0x22)) = 0;
				 *(_t190 - 0x1c) = 0;
				_t110 =  *((intOrPtr*)(_t190 + 8));
				 *(_t190 - 4) = 0;
				_t111 =  *((intOrPtr*)( *_t110 + 0x20))(_t110, 0x47, _t190 - 0x24, _t181, _t187, _t138);
				 *(_t190 - 0x10) = _t111;
				if(_t111 == 0) {
					 *((intOrPtr*)(__ecx + 0x14)) = E00409903(_t190 - 0x24, __ecx + 0x13);
					E00405DEF(_t190 - 0x24);
					 *(_t190 - 0x24) = 0;
					 *((short*)(_t190 - 0x22)) = 0;
					 *(_t190 - 0x1c) = 0;
					_t114 =  *((intOrPtr*)(_t190 + 8));
					 *(_t190 - 4) = 1;
					_t115 =  *((intOrPtr*)( *_t114 + 0x20))(_t114, 0x48, _t190 - 0x24);
					__eflags = _t115;
					 *(_t190 - 0x10) = _t115;
					if(_t115 == 0) {
						 *((intOrPtr*)(__ecx + 0x18)) = E00409903(_t190 - 0x24, 0);
						E00405DEF(_t190 - 0x24);
						 *(_t190 - 0x24) = 0;
						 *((short*)(_t190 - 0x22)) = 0;
						 *(_t190 - 0x1c) = 0;
						_t118 =  *((intOrPtr*)(_t190 + 8));
						 *(_t190 - 4) = 2;
						_t119 =  *((intOrPtr*)( *_t118 + 0x20))(_t118, 0x37, _t190 - 0x24);
						__eflags = _t119;
						 *(_t190 - 0x10) = _t119;
						if(_t119 == 0) {
							__eflags =  *(_t190 - 0x24);
							if( *(_t190 - 0x24) != 0) {
								__eflags =  *(_t190 - 0x24) - 8;
								_t133 =  *(_t190 - 0x1c);
								if( *(_t190 - 0x24) != 8) {
									_t133 = L"Unknown error";
								}
								E0040376E(_t188 + 0x28, _t133);
							}
							E00405DEF(_t190 - 0x24);
							 *(_t190 - 0x24) = 0;
							 *((short*)(_t190 - 0x22)) = 0;
							 *(_t190 - 0x1c) = 0;
							_t121 =  *((intOrPtr*)(_t190 + 8));
							 *(_t190 - 4) = 3;
							_t122 =  *((intOrPtr*)( *_t121 + 0x20))(_t121, 0x49, _t190 - 0x24);
							__eflags = _t122;
							 *(_t190 - 0x10) = _t122;
							if(_t122 == 0) {
								__eflags =  *(_t190 - 0x24);
								if( *(_t190 - 0x24) != 0) {
									__eflags =  *(_t190 - 0x24) - 8;
									_t130 =  *(_t190 - 0x1c);
									if( *(_t190 - 0x24) != 8) {
										_t130 = L"Unknown warning";
									}
									E0040376E(_t188 + 0x34, _t130);
								}
								 *(_t190 - 4) =  *(_t190 - 4) | 0xffffffff;
								E00405DEF(_t190 - 0x24);
								__eflags =  *(_t190 + 0x14);
								if( *(_t190 + 0x14) == 0) {
									L19:
									_push(_t188 + 0xb8);
									_push(_t188 + 0xb0);
									_t175 = 0x2c;
									_t126 = E00409C0D( *((intOrPtr*)(_t190 + 8)), _t175);
									__eflags = _t126;
									if(_t126 == 0) {
										_push(_t190 + 0x17);
										_push(_t182);
										_t176 = 0x24;
										_t126 = E00409CAB( *((intOrPtr*)(_t190 + 8)), _t176);
										__eflags = _t126;
										if(_t126 == 0) {
											asm("adc eax, [edi+0x4]");
											 *((intOrPtr*)(_t190 + 0xc)) =  *((intOrPtr*)(_t190 + 0xc)) +  *_t182;
											_t161 =  *((intOrPtr*)(_t188 + 0xc0));
											_t129 =  *(_t188 + 0xc4);
											asm("sbb edi, [ebp+0x10]");
											__eflags =  *(_t188 + 0xb8);
											 *((intOrPtr*)(_t188 + 0xc8)) = _t161 -  *((intOrPtr*)(_t190 + 0xc));
											 *(_t188 + 0xcc) = _t129;
											if( *(_t188 + 0xb8) != 0) {
												_t141 =  *((intOrPtr*)(_t188 + 0xb0));
												_t180 =  *(_t188 + 0xb4);
												_t186 = _t141 +  *((intOrPtr*)(_t190 + 0xc));
												 *(_t190 - 0x10) = _t180;
												asm("adc edx, [ebp+0x10]");
												__eflags = _t180 - _t129;
												if(__eflags > 0) {
													L29:
													 *((char*)(_t188 + 0x11)) = 1;
												} else {
													if(__eflags < 0) {
														L25:
														 *((intOrPtr*)(_t188 + 0xc8)) = _t141;
														 *((intOrPtr*)(_t188 + 0x20)) = _t161 - _t186;
														asm("sbb eax, edx");
														 *(_t188 + 0xcc) =  *(_t190 - 0x10);
														 *((char*)(_t188 + 0x10)) = 1;
														 *(_t188 + 0x24) = _t129;
													} else {
														__eflags = _t186 - _t161;
														if(_t186 >= _t161) {
															__eflags = _t180 - _t129;
															if(__eflags >= 0) {
																if(__eflags > 0) {
																	goto L29;
																} else {
																	__eflags = _t186 - _t161;
																	if(_t186 > _t161) {
																		goto L29;
																	}
																}
															}
														} else {
															goto L25;
														}
													}
												}
											}
											goto L30;
										}
									}
								} else {
									__eflags =  *(_t188 + 0x13);
									if( *(_t188 + 0x13) == 0) {
										L30:
										_t126 = 0;
										__eflags = 0;
									} else {
										__eflags =  *(_t188 + 0x14) & 0x00000001;
										if(( *(_t188 + 0x14) & 0x00000001) != 0) {
											goto L30;
										} else {
											goto L19;
										}
									}
								}
							} else {
								E00405DEF(_t190 - 0x24);
								_t126 =  *(_t190 - 0x10);
							}
						} else {
							E00405DEF(_t190 - 0x24);
							_t126 =  *(_t190 - 0x10);
						}
					} else {
						E00405DEF(_t190 - 0x24);
						_t126 =  *(_t190 - 0x10);
					}
				} else {
					E00405DEF(_t190 - 0x24);
					_t126 =  *(_t190 - 0x10);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t190 - 0xc));
				return _t126;
			}

0x00409975
0x0040997f
0x00409984
0x00409990
0x00409996
0x0040999c
0x0040999e
0x004099a7
0x004099ac
0x004099af
0x004099b2
0x004099b8
0x004099c1
0x004099c6
0x004099ca
0x004099ce
0x004099d1
0x004099dd
0x004099e0
0x004099e5
0x004099e8
0x00409a08
0x00409a0b
0x00409a10
0x00409a14
0x00409a18
0x00409a1b
0x00409a27
0x00409a2e
0x00409a31
0x00409a33
0x00409a36
0x00409a55
0x00409a58
0x00409a5d
0x00409a61
0x00409a65
0x00409a68
0x00409a74
0x00409a7b
0x00409a7e
0x00409a80
0x00409a83
0x00409a95
0x00409a99
0x00409a9b
0x00409aa0
0x00409aa3
0x00409aa5
0x00409aa5
0x00409aae
0x00409aae
0x00409ab6
0x00409abb
0x00409abf
0x00409ac3
0x00409ac6
0x00409ad2
0x00409ad9
0x00409adc
0x00409ade
0x00409ae1
0x00409af3
0x00409af7
0x00409af9
0x00409afe
0x00409b01
0x00409b03
0x00409b03
0x00409b0c
0x00409b0c
0x00409b11
0x00409b18
0x00409b1d
0x00409b20
0x00409b35
0x00409b3e
0x00409b45
0x00409b48
0x00409b49
0x00409b4e
0x00409b50
0x00409b5c
0x00409b5d
0x00409b60
0x00409b61
0x00409b66
0x00409b68
0x00409b76
0x00409b79
0x00409b7c
0x00409b85
0x00409b92
0x00409b95
0x00409b9b
0x00409ba1
0x00409ba7
0x00409ba9
0x00409bb7
0x00409bba
0x00409bbd
0x00409bc0
0x00409bc3
0x00409bc5
0x00409bf6
0x00409bf6
0x00409bc7
0x00409bc7
0x00409bcd
0x00409bcf
0x00409bd8
0x00409bdb
0x00409bdd
0x00409be3
0x00409be7
0x00409bc9
0x00409bc9
0x00409bcb
0x00409bec
0x00409bee
0x00409bf0
0x00000000
0x00409bf2
0x00409bf2
0x00409bf4
0x00000000
0x00000000
0x00409bf4
0x00409bf0
0x00000000
0x00000000
0x00000000
0x00409bcb
0x00409bc7
0x00409bc5
0x00000000
0x00409ba7
0x00409b68
0x00409b22
0x00409b22
0x00409b25
0x00409bfa
0x00409bfa
0x00409bfa
0x00409b2b
0x00409b2b
0x00409b2f
0x00000000
0x00000000
0x00000000
0x00000000
0x00409b2f
0x00409b25
0x00409ae3
0x00409ae6
0x00409aeb
0x00409aeb
0x00409a85
0x00409a88
0x00409a8d
0x00409a8d
0x00409a38
0x00409a3b
0x00409a40
0x00409a40
0x004099ea
0x004099ed
0x004099f2
0x004099f2
0x00409c02
0x00409c0a

APIs

__EH_prolog.LIBCMT ref: 00409975

Strings

Unknown error, xrefs: 00409AA5, 00409AAA
Unknown warning, xrefs: 00409B03, 00409B08

Memory Dump Source

Source File: 00000001.00000002.365442937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.365397426.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365463897.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365471823.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.365479040.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_9ISNeRdj1B.jbxd

Similarity

API ID: H_prolog
String ID: Unknown error$Unknown warning
API String ID: 3519838083-4291957651
Opcode ID: 9dde15fecc67fda54480402201b2371ac7cafa8d569a837fbeba078dd26f7487
Instruction ID: 8ba015e8ed9162120bf5fc528179e89f7f943c1107267e4dc13521d9f15a9599
Opcode Fuzzy Hash: 9dde15fecc67fda54480402201b2371ac7cafa8d569a837fbeba078dd26f7487
Instruction Fuzzy Hash: DB915B71900209DBCB24DFA9C990AEEB7F1FF48304F10856EE45AA7291D734AE49CB58

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: FME.exePID: 6736, Parent PID: 6672COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.7%
Total number of Nodes:	1765
Total number of Limit Nodes:	65

Executed Functions

Function 000000014002A93C Relevance: 93.8, APIs: 12, Strings: 40, Instructions: 2820
COMMONCrypto

Download Yara Rule

C-Code - Quality: 53%

			E0000000114002A93C() {
				intOrPtr _t125;
				signed int _t130;
				void* _t132;
				signed int _t139;
				signed int _t146;
				signed short _t153;
				void* _t166;
				signed int _t169;
				signed int _t171;
				void* _t178;
				void* _t207;
				signed long long _t241;
				signed short* _t243;
				intOrPtr* _t244;
				signed long long _t245;
				signed long long _t246;
				intOrPtr _t250;
				void* _t251;
				signed long long _t253;
				signed short* _t254;
				signed short* _t255;
				signed long long _t274;
				char* _t280;
				signed long long _t286;
				signed long long _t296;
				signed short* _t307;
				void* _t316;
				signed long long _t321;
				signed long long _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				intOrPtr _t332;
				signed short* _t337;
				void* _t340;
				void* _t341;
				signed long long _t342;
				short* _t343;
				signed long long _t347;
				signed long long _t349;
				signed long long _t351;
				signed long long _t352;

				r9d = _t347 + 1;
				r8d = 0x4000;
				if (E000000011400B4BE0(_t166, _t316, _t329 + 0x1d0, _t331, _t340, _t347) != 0) goto 0x4002aa35;
				 *(_t329 + 0x1d0) = r13w;
				 *(_t330 + 0x58) = _t321 | 0xffffffff;
				r8d = 2;
				dil = E000000011400D73E8(_t331) == 0;
				 *((intOrPtr*)(_t330 + 0x41)) = dil;
				if (dil == 0) goto 0x4002a9a9;
				 *(_t329 + 0x1d0) = r13w;
				 *(_t330 + 0x58) = _t347;
				_t164 =  *(_t329 + 0x1c0e0);
				asm("xorpd xmm6, xmm6");
				 *(_t329 - 0x48) =  *(_t329 + 0x1c0e0);
				 *(_t329 - 0x3c) =  *(_t329 + 0x1c0e0);
				 *((char*)(_t329 + 0x1c0f8)) =  *(_t329 + 0x1c0e0) & 0x000000ff;
				 *((char*)(_t330 + 0x40)) =  *(_t329 + 0x1c0e0) & 0x000000ff;
				if (_t347 == 0xffffffff) goto 0x4002d7fa;
				_t125 = _t251 + 1;
				r8d = 0xc;
				 *(_t341 + 0x6a0) = _t347;
				 *((intOrPtr*)(_t341 + 0x2cc)) = _t125;
				0x400d4d80();
				if (_t125 != 0) goto 0x4002aa22;
				_t296 = _t352;
				0x4002dcc0();
				if (_t125 == 0) goto 0x4002d7b5;
				_t342 =  *((intOrPtr*)(_t330 + 0x68));
				 *((char*)(_t330 + 0x50)) = 0;
				 *((intOrPtr*)(_t329 - 0x58)) = r13d;
				goto 0x4002abf0;
				if ( *((short*)(_t329 + 0x1ce + _t296 * 2)) != 0xa) goto 0x4002aa43;
				 *(_t329 + 0x1d0 + (_t296 - 1) * 2) = r13w;
				E000000011400239B0(_t329 + 0x1d0, _t296 - 0x00000001 | 0xffffffff);
				E00000001140023AB0(_t329 + 0x1d0, _t241, _t316);
				_t332 =  *0x40122b48; // 0x1
				 *(_t330 + 0x58) = _t241;
				if (E000000011400D73E8(_t332) != 0) goto 0x4002aaa6;
				 *(_t329 + 0x1d0) = r13w;
				 *(_t330 + 0x58) = _t347;
				goto 0x4002a970;
				E000000011400D6988(_t128, _t329 + 0x1d0, 0x40122b28);
				_t252 = _t241;
				if (_t241 == 0) goto 0x4002ab88;
				asm("o16 nop [eax+eax]");
				_t36 = _t252 - 2; // -2
				_t337 = _t36;
				if (_t337 - _t329 + 0x1d0 < 0) goto 0x4002abc0;
				_t130 =  *_t337 & 0x0000ffff;
				if (_t130 == 0x20) goto 0x4002ab90;
				if (_t130 == 9) goto 0x4002ab90;
				_t169 =  *0x4012359c & 0x0000ffff;
				_t243 = _t337;
				if (_t337 - _t329 + 0x1d0 <= 0) goto 0x4002ab2d;
				if ( *_t243 != _t169) goto 0x4002ab2d;
				if ( *((intOrPtr*)(_t243 - 2)) != _t169) goto 0x4002ab2d;
				_t244 = _t243 - 4;
				if (_t244 - _t329 + 0x1d0 > 0) goto 0x4002ab12;
				_t266 = _t329 + 0x1d0;
				if (_t244 - _t329 + 0x1d0 < 0) goto 0x4002ab65;
				if ( *_t244 != _t169) goto 0x4002ab65;
				_t42 =  &(_t337[1]); // 0x0
				_t317 = _t42;
				asm("repne scasw");
				_t132 = E000000011400D5880( *(_t329 + 0x1c0e0),  *_t244 - _t169, _t337, _t42,  !(_t266 | 0xffffffff) +  !(_t266 | 0xffffffff));
				 *(_t330 + 0x58) = _t347 - 1;
				_t245 =  *0x40122b48; // 0x1
				E000000011400D6988(_t132, _t241 + _t245 * 2, 0x40122b28);
				_t253 = _t245;
				if (_t245 != 0) goto 0x4002aad0;
				goto 0x4002a970;
				 *_t337 = r13w;
				_t246 = _t329 + 0x1d0;
				E00000001140023AB0(_t329 + 0x1d0, _t337 - _t246 >> 1, _t42);
				 *(_t330 + 0x58) = _t246;
				goto 0x4002a970;
				_t328 = _t347;
				 *(_t329 + 0x1d0) = r13w;
				 *(_t330 + 0x58) = _t347;
				 *(_t330 + 0x58) = _t328;
				 *((intOrPtr*)(_t330 + 0x74)) =  *((intOrPtr*)(_t330 + 0x74)) + 1;
				E0000000114002DA90(r13d, _t253, _t342, _t317,  *((intOrPtr*)(_t329 + 0x1c0e8)), _t342); // executed
				 *(_t329 - 0x18) = _t246;
				if (_t246 == 0) goto 0x4002ad1f;
				if (_t246 == 0xffffffff) goto 0x4002ad1f;
				if (r13d != 0) goto 0x4002ad1f;
				r8d = _t347 + 2;
				if (E000000011400D73E8( *((intOrPtr*)(_t329 + 0x1c0e8))) != 0) goto 0x4002acf0;
				if (dil != 0) goto 0x4002ac61;
				if ( *((short*)(_t342 + 4)) != 0x3a) goto 0x4002ac61;
				if ( *((short*)(_t342 + 6)) == 0x3a) goto 0x4002acf9;
				_t349 = _t246 - 2;
				dil = 0;
				_t63 = _t349 + 2; // 0x0
				_t274 = _t342;
				 *((intOrPtr*)(_t330 + 0x41)) = dil;
				E000000011400D5880(_t164,  *((short*)(_t342 + 6)) - 0x3a, _t274, _t342 + 4, _t349 + _t63);
				if ( *_t342 != 0) goto 0x4002ac8e;
				r14d = 0;
				goto 0x4002acde;
				_t307 = _t342;
				_t139 =  *_t307 & 0x0000ffff;
				if (_t139 == 0x20) goto 0x4002aca0;
				_t207 = _t139 - 9;
				if (_t207 != 0) goto 0x4002aca6;
				goto 0x4002ac91;
				if (_t207 == 0) goto 0x4002acde;
				if (_t349 != 0xffffffff) goto 0x4002acce;
				asm("repne scasw");
				goto 0x4002acd1;
				_t351 =  !(_t274 | _t349) - 1 - ( &(_t307[1]) - _t342 >> 1);
				_t67 = _t351 + 2; // 0x0
				E000000011400D5880(_t164, _t349 - 0xffffffff, _t342,  &(_t307[1]), _t351 + _t67);
				 *(_t329 - 0x18) = _t351;
				if ( *_t342 == 0) goto 0x4002abf0;
				goto 0x4002acf9;
				if (dil != 0) goto 0x4002abf0;
				r8d = 2;
				if (E000000011400D73E8(_t351 + _t67) != 0) goto 0x4002ad1f;
				dil = 1;
				 *((intOrPtr*)(_t330 + 0x41)) = dil;
				goto 0x4002abf0;
				if (dil == 0) goto 0x4002add8;
				if (_t351 != 0xffffffff) goto 0x4002abf0;
				r14d = 0;
				_t343 =  *(_t329 + 0x1c0e0);
				if (_t328 == 0) goto 0x4002c095;
				if ( *((short*)(_t329 + 0x81e0)) == 0) goto 0x4002be44;
				 *((intOrPtr*)(_t343 + 0x2cc)) =  *((intOrPtr*)(_t329 - 0x44));
				if ( *_t352 == 0x7b) goto 0x4002bd2d;
				if ( *((char*)(_t330 + 0x42)) != 0) goto 0x4002bd2d;
				if ( *((intOrPtr*)(_t329 - 0x80)) != 0) goto 0x4002d696;
				if ( *((intOrPtr*)(_t343 + 0x80)) == 0) goto 0x4002adaa;
				_t250 =  *0x401235a8; // 0x2990b70
				if ( *((long long*)(_t250 + 0xd8)) == 0) goto 0x4002d664;
				 *(_t330 + 0x38) = _t351;
				 *(_t330 + 0x30) = _t351;
				r9d = 0;
				r8b = 3;
				 *(_t330 + 0x28) = _t351;
				 *(_t330 + 0x20) = _t351;
				0x4002f610();
				goto 0x4002bdc1;
				if (r13d != 0) goto 0x4002b30c;
				if (_t351 == 0xffffffff) goto 0x4002b01c;
				if ( *_t343 != 0x28) goto 0x4002b01c;
				_t254 = _t343 + 2;
				if ( *((short*)(_t343 + 2)) == 0x3a) goto 0x4002b018;
				if ( *((short*)(_t343 + _t351 * 2 - 2)) == 0x3a) goto 0x4002b018;
				r13d = 1;
				r14d = 0;
				 *((char*)(_t330 + 0x62)) =  *0x401295f7 & 0x000000ff;
				 *((intOrPtr*)(_t329 - 0x58)) = r13d;
				 *((intOrPtr*)(_t329 - 0x10)) = r14d;
				 *((intOrPtr*)(_t330 + 0x70)) = r13b;
				 *((intOrPtr*)(_t330 + 0x52)) = r14b;
				 *((intOrPtr*)(_t329 + 0x28)) = 0xa;
				 *((intOrPtr*)(_t330 + 0x61)) = r14b;
				 *((intOrPtr*)(_t330 + 0x53)) = r13b;
				 *(_t329 + 8) = _t347;
				_t146 =  *_t254 & 0x0000ffff;
				if (_t146 == 0x20) goto 0x4002ae61;
				if (_t146 != 9) goto 0x4002ae67;
				_t255 =  &(_t254[1]);
				goto 0x4002ae52;
				if ( *_t255 == r14w) goto 0x4002b00e;
				if (_t255 == 0) goto 0x4002aeb1;
				_t171 =  *_t255 & 0x0000ffff;
				if (_t171 == 0) goto 0x4002aeb1;
				_t280 = L" \t";
				if (_t171 == 0x20) goto 0x4002aec5;
				if (( *(_t280 + 2) & 0x0000ffff) != 0) goto 0x4002ae90;
				if ((_t255[1] & 0x0000ffff) != 0) goto 0x4002ae81;
				asm("repne scasw");
				_t101 =  !(_t280 + 0x00000002 | 0xffffffff) * 2; // 0x36
				r8d = 4;
				 *((intOrPtr*)(_t255 + _t101 - 2)) = r14w;
				0x400d4d80();
				if (0 != 0) goto 0x4002af25;
				_t103 =  &(_t255[4]); // 0x40
				_t104 = _t250 + 0xf; // 0xf
				r8d = _t104;
				_t105 = _t329 + 0x28; // 0x29
				E000000011400D8154(_t164, _t178, _t105, _t103, _t255, _t351 + _t67);
				_t106 = _t329 + 0x28; // 0x29
				_t286 = _t106;
				 *((intOrPtr*)(_t329 + 0x46)) = r14w;
				E000000011400B9880(1, _t255, _t286, _t328, _t329, _t340);
				asm("repne scasw");
				 *(_t329 + 8) =  !(_t286 | 0xffffffff) - 1;
				goto 0x4002afd4;
				r8d = 5;
				0x400d4d80();
				if (0 != 0) goto 0x4002af4d;
				 *((char*)(_t330 + 0x62)) = _t255[5] != 0x30;
				goto 0x4002afd4;
				r8d = 5;
				0x400d4d80();
				if (0 != 0) goto 0x4002af72;
				 *((char*)(_t330 + 0x70)) = _t255[5] != 0x30;
				goto 0x4002afd4;
				_t153 =  *_t255 & 0x0000ffff;
				if (_t153 == 0) goto 0x4002afd4;
				asm("o16 nop [eax+eax]");
				if ((_t153 & 0x0000ffff) + 0xffffffdb - 0x3e > 0) goto 0x4002afc7;
				goto __rcx;
			}

0x14002a93c
0x14002a947
0x14002a959
0x14002a95f
0x14002a96b
0x14002a97e
0x14002a98b
0x14002a98f
0x14002a997
0x14002a999
0x14002a9a4
0x14002a9af
0x14002a9b5
0x14002a9b9
0x14002a9c3
0x14002a9c6
0x14002a9d3
0x14002a9e0
0x14002a9e6
0x14002a9e9
0x14002a9f6
0x14002a9fe
0x14002aa06
0x14002aa0d
0x14002aa0f
0x14002aa15
0x14002aa1c
0x14002aa22
0x14002aa27
0x14002aa2c
0x14002aa30
0x14002aa3e
0x14002aa43
0x14002aa57
0x14002aa66
0x14002aa6b
0x14002aa83
0x14002aa8f
0x14002aa91
0x14002aa9c
0x14002aaa1
0x14002aab4
0x14002aab9
0x14002aabf
0x14002aac5
0x14002aad0
0x14002aad0
0x14002aade
0x14002aae4
0x14002aaec
0x14002aaf6
0x14002aafc
0x14002ab0a
0x14002ab10
0x14002ab15
0x14002ab1b
0x14002ab24
0x14002ab2b
0x14002ab2d
0x14002ab37
0x14002ab3c
0x14002ab42
0x14002ab48
0x14002ab4b
0x14002ab58
0x14002ab60
0x14002ab65
0x14002ab77
0x14002ab7c
0x14002ab82
0x14002ab8b
0x14002ab90
0x14002ab94
0x14002abab
0x14002abb6
0x14002abbb
0x14002abc0
0x14002abc3
0x14002abcb
0x14002abd7
0x14002abff
0x14002ac03
0x14002ac0b
0x14002ac12
0x14002ac1c
0x14002ac25
0x14002ac2b
0x14002ac40
0x14002ac49
0x14002ac52
0x14002ac5b
0x14002ac61
0x14002ac6a
0x14002ac6d
0x14002ac72
0x14002ac75
0x14002ac7a
0x14002ac85
0x14002ac89
0x14002ac8c
0x14002ac8e
0x14002ac91
0x14002ac98
0x14002ac9a
0x14002ac9e
0x14002aca4
0x14002acaf
0x14002acb5
0x14002acbf
0x14002accc
0x14002acce
0x14002acd1
0x14002acd9
0x14002ace4
0x14002ace8
0x14002acee
0x14002acf3
0x14002ad00
0x14002ad10
0x14002ad12
0x14002ad15
0x14002ad1a
0x14002ad22
0x14002ad2c
0x14002ad32
0x14002ad35
0x14002ad43
0x14002ad51
0x14002ad62
0x14002ad6f
0x14002ad7a
0x14002ad84
0x14002ad93
0x14002ad95
0x14002ada4
0x14002adaa
0x14002adaf
0x14002adbb
0x14002adbe
0x14002adc4
0x14002adc9
0x14002adce
0x14002add3
0x14002addb
0x14002ade5
0x14002adf1
0x14002adfe
0x14002ae03
0x14002ae10
0x14002ae1d
0x14002ae23
0x14002ae26
0x14002ae2f
0x14002ae33
0x14002ae37
0x14002ae3c
0x14002ae41
0x14002ae44
0x14002ae49
0x14002ae4e
0x14002ae52
0x14002ae59
0x14002ae5f
0x14002ae61
0x14002ae65
0x14002ae6b
0x14002ae77
0x14002ae79
0x14002ae7f
0x14002ae81
0x14002ae93
0x14002aea0
0x14002aeaf
0x14002aeba
0x14002aec0
0x14002aed1
0x14002aeda
0x14002aedf
0x14002aee6
0x14002aee8
0x14002aeec
0x14002aeec
0x14002aef0
0x14002aef4
0x14002aef9
0x14002aef9
0x14002aeff
0x14002af04
0x14002af13
0x14002af1c
0x14002af20
0x14002af2c
0x14002af35
0x14002af3c
0x14002af43
0x14002af48
0x14002af54
0x14002af5d
0x14002af64
0x14002af6b
0x14002af70
0x14002af72
0x14002af78
0x14002af7a
0x14002af89
0x14002afa6

Strings

Invalid single-line hotkey/hotstring., xrefs: 000000014002D71B
%s%s%s, xrefs: 000000014002CC98
%s::, xrefs: 000000014002C4EC
if not GetKeyState("%s"), xrefs: 000000014002C442
Set, xrefs: 000000014002BFDF
{LCtrl up}, xrefs: 000000014002C45D
Class, xrefs: 000000014002C176
& , xrefs: 000000014002B186, 000000014002CBE9
%s up::, xrefs: 000000014002C4C5
Continuation section too long., xrefs: 000000014002D653
Get, xrefs: 000000014002BFC6
{Blind}{%s Up}, xrefs: 000000014002D5B6
This hotstring is missing its abbreviation., xrefs: 000000014002D737
and, xrefs: 000000014002B265
<>=/|^,:*&~!()[]{}+-?."'\;`, xrefs: 000000014002C1C8
Missing "{", xrefs: 000000014002D66D, 000000014002D69D
Default, xrefs: 000000014002C7FA
RTrim, xrefs: 000000014002AF4D
LTrim, xrefs: 000000014002AF25
Note: The hotkey %s will not be active because it does not exist in the current keyboard layout., xrefs: 000000014002D0A8
<>=/|^,:.+-*&!?~, xrefs: 000000014002B0A4
#CommentFlag, xrefs: 000000014002A9EC
This line does not contain a recognized action., xrefs: 000000014002D7C3
Hotkeys/hotstrings are not allowed inside functions., xrefs: 000000014002D78B
Join, xrefs: 000000014002AECA
Not a valid method, class or property definition., xrefs: 000000014002D674, 000000014002D6E0
Functions cannot contain functions., xrefs: 000000014002D6B8
Return, xrefs: 000000014002CD77
Duplicate label., xrefs: 000000014002D275
OnClipboardChange, xrefs: 000000014002D41D
<>=/|^,:, xrefs: 000000014002B2B8
IfWin should be #IfWin., xrefs: 000000014002D6F7
Out of memory., xrefs: 000000014002D446, 000000014002D76D, 000000014002D79F
Static, xrefs: 000000014002C368
{Blind}%s%s{%s DownR}, xrefs: 000000014002C46C
Duplicate hotkey., xrefs: 000000014002D74E
?*- , xrefs: 000000014002B116
{RCtrl up}, xrefs: 000000014002C111
Missing ")", xrefs: 000000014002D7E6
Not a valid property getter/setter., xrefs: 000000014002D6C9

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID:
String ID: <>=/|^,:*&~!()[]{}+-?."'\;`$ & $#CommentFlag$%s up::$%s%s%s$%s::$<>=/|^,:$<>=/|^,:.+-*&!?~$?*- $Class$Continuation section too long.$Default$Duplicate hotkey.$Duplicate label.$Functions cannot contain functions.$Get$Hotkeys/hotstrings are not allowed inside functions.$IfWin should be #IfWin.$Invalid single-line hotkey/hotstring.$Join$LTrim$Missing ")"$Missing "{"$Not a valid method, class or property definition.$Not a valid property getter/setter.$Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.$OnClipboardChange$Out of memory.$RTrim$Return$Set$Static$This hotstring is missing its abbreviation.$This line does not contain a recognized action.$and$if not GetKeyState("%s")${Blind}%s%s{%s DownR}${Blind}{%s Up}${LCtrl up}${RCtrl up}
API String ID: 0-2793573874
Opcode ID: 99f8faa7eb8d6d25e349569a1a669100b3c2a69f23b8c23d672612c95734a3ff
Instruction ID: d4c12c061ae056d8fbb2d79b8a1e9c12a4e82484e8af94e7090cc0e3ca9cdd60
Opcode Fuzzy Hash: 99f8faa7eb8d6d25e349569a1a669100b3c2a69f23b8c23d672612c95734a3ff
Instruction Fuzzy Hash: E643ED36614B8085EB629B2694047EE77A1FB4DBD8F94821AFF5907BE5EB78CD41C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140062010 Relevance: 75.8, APIs: 38, Strings: 5, Instructions: 523
registrywindowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E00000001140062010(long long _a8, long long _a16, long long _a24) {
				char _v88;
				long long _v128;
				long long _v136;
				void* _t26;
				void* _t29;
				void* _t32;
				void* _t35;
				long long _t39;
				void* _t40;
				intOrPtr _t42;
				intOrPtr _t44;
				long long _t47;
				long long _t49;
				void* _t51;
				void* _t53;
				void* _t55;
				void* _t59;
				long long _t61;

				_a24 = _t47;
				r13d = _t26;
				if (( *0x4012c520 & 0x00000001) != 0) goto 0x40062058;
				 *0x4012c520 =  *0x4012c520 | 0x00000001;
				 *0x4012c51c = RegisterWindowMessageW(??);
				_t42 =  *0x401235a8; // 0x2990b70
				r15d = 0;
				_t29 =  *0x4012a570 - r15d; // 0x0
				if (_t29 == 0) goto 0x400620b9;
				if ( *((intOrPtr*)(_t42 + 0x128)) == r15b) goto 0x4006207d;
				if ( *((intOrPtr*)(_t42 + 0x124)) == r13d) goto 0x400620b9;
				_t32 =  *0x40123574 - r15d; // 0x0
				if (_t32 == 0) goto 0x400620b9;
				_v128 =  &_v88;
				_v136 = _t61;
				if (E00000001140004830(r13d, _t39, _t40, _t55, _t49, _t51, _t53, _t55) == 0) goto 0x400620b2;
				goto 0x40062bad;
				_t44 =  *0x401235a8; // 0x2990b70
				 *((intOrPtr*)(_t44 + 0x128)) = r15b;
				if (r13d != 0x44) goto 0x400620cc;
				r13d = r12d;
				_a8 = _t39;
				_a16 = _t49;
				_t35 = r13d - 0x111;
				if (_t35 > 0) goto 0x40062247;
				if (_t35 == 0) goto 0x40062229;
				if (_t59 - 1 - 0x2b > 0) goto 0x40062721;
				goto __rcx;
			}

0x140062010
0x140062034
0x14006203c
0x14006203e
0x140062052
0x140062058
0x14006205f
0x140062062
0x140062069
0x140062072
0x14006207b
0x14006207d
0x140062084
0x140062090
0x14006209b
0x1400620a7
0x1400620ad
0x1400620b2
0x1400620b9
0x1400620c4
0x1400620c6
0x1400620cc
0x1400620d4
0x1400620dc
0x1400620e3
0x1400620e9
0x1400620f6
0x140062115

APIs

RegisterWindowMessageW.USER32 ref: 000000014006204C

Strings

9000, xrefs: 0000000140062AFD
AHK_ATTACH_DEBUGGER, xrefs: 000000014006277F
localhost, xrefs: 0000000140062ADE
, xrefs: 00000001400624A4
TaskbarCreated, xrefs: 0000000140062045

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: MessageRegisterWindow
String ID: $9000$AHK_ATTACH_DEBUGGER$TaskbarCreated$localhost
API String ID: 1814269913-2055397393
Opcode ID: 0c995fcdd419c9ca6d3cff8618be4291655079af61b1521c2cdb01a58fbbde2c
Instruction ID: 4808ca76b994510e4ba1a89cf1ee538d7f96ddb32cfeb41b9b12ba79f57bed6b
Opcode Fuzzy Hash: 0c995fcdd419c9ca6d3cff8618be4291655079af61b1521c2cdb01a58fbbde2c
Instruction Fuzzy Hash: AE328A71210A408AEB26CF27E884BE977A2F74CBD4F644819EB4A53BB4DB3CD945C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A20F7 Relevance: 65.2, APIs: 34, Strings: 3, Instructions: 494windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400D4D80: _errno.LIBCMT ref: 00000001400D4D9E
Part of subcall function 00000001400D4D80: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D4DA9

ShowWindow.USER32 ref: 00000001400A2276
IsIconic.USER32 ref: 00000001400A22C0
GetParent.USER32 ref: 00000001400A231A
GetWindowLongW.USER32 ref: 00000001400A232F
GetWindowRect.USER32 ref: 00000001400A2343
MapWindowPoints.USER32 ref: 00000001400A2359

Strings

Center, xrefs: 00000001400A20FB
Hide, xrefs: 00000001400A2149
Invalid option., xrefs: 00000001400A237D

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$IconicLongParentPointsRectShow_errno_invalid_parameter_noinfo
String ID: Center$Hide$Invalid option.
API String ID: 3524692820-3818780555
Opcode ID: a91e24d9aed0b4e4e6345b41e9e86beb3866a217eb93bdc744fdefda9c42b783
Instruction ID: 8ed7b3ac4a38133903cb62fe2789bac8c7586f163e067485b5865dff2fb90277
Opcode Fuzzy Hash: a91e24d9aed0b4e4e6345b41e9e86beb3866a217eb93bdc744fdefda9c42b783
Instruction Fuzzy Hash: 8C32BE727046419BFB26CB7AD4447ED37A1F36C788F004225EF1A57AA8DB78D895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A2028 Relevance: 59.9, APIs: 32, Strings: 2, Instructions: 427windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400D4D80: _errno.LIBCMT ref: 00000001400D4D9E
Part of subcall function 00000001400D4D80: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D4DA9

ShowWindow.USER32 ref: 00000001400A2276
IsIconic.USER32 ref: 00000001400A22C0
GetParent.USER32 ref: 00000001400A231A
GetWindowLongW.USER32 ref: 00000001400A232F
GetWindowRect.USER32 ref: 00000001400A2343
MapWindowPoints.USER32 ref: 00000001400A2359

Strings

Minimize, xrefs: 00000001400A2028
Maximize, xrefs: 00000001400A204F

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$IconicLongParentPointsRectShow_errno_invalid_parameter_noinfo
String ID: Maximize$Minimize
API String ID: 3524692820-2654128540
Opcode ID: 4faea8774b7a8d6d03fdb7784007d909ee2668f0d1cdff77ff4de1d2111ff06b
Instruction ID: 1e2ddcc23d36498b3f8e188ca2fbffa5c1ae592fbce1dcba58dfb5e30bb51248
Opcode Fuzzy Hash: 4faea8774b7a8d6d03fdb7784007d909ee2668f0d1cdff77ff4de1d2111ff06b
Instruction Fuzzy Hash: 3112BE327106419BFB26CB7AC5547EC37A1F36CB88F004625EF1A57AA8DB78D895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A207A Relevance: 58.2, APIs: 32, Strings: 1, Instructions: 427windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400D4D80: _errno.LIBCMT ref: 00000001400D4D9E
Part of subcall function 00000001400D4D80: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D4DA9

ShowWindow.USER32 ref: 00000001400A2276
IsIconic.USER32 ref: 00000001400A22C0
GetParent.USER32 ref: 00000001400A231A
GetWindowLongW.USER32 ref: 00000001400A232F
GetWindowRect.USER32 ref: 00000001400A2343
MapWindowPoints.USER32 ref: 00000001400A2359

Strings

NoActivate, xrefs: 00000001400A20A1

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$IconicLongParentPointsRectShow_errno_invalid_parameter_noinfo
String ID: NoActivate
API String ID: 3524692820-3390154882
Opcode ID: 575c9f19d1155e335017c6b393297fb3be5caf2badabde44651d0be12d82d72e
Instruction ID: bdc1fb24f81da51e075b594c190640b6b6e9c72c6ad9a8e4bd9f2abd14428ecd
Opcode Fuzzy Hash: 575c9f19d1155e335017c6b393297fb3be5caf2badabde44651d0be12d82d72e
Instruction Fuzzy Hash: EA12AD327106419BFB26CB7AC5447EC37A1F76CB88F004225EF1A57AA8DB78D895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A1FF6 Relevance: 58.2, APIs: 32, Strings: 1, Instructions: 420windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400D4D80: _errno.LIBCMT ref: 00000001400D4D9E
Part of subcall function 00000001400D4D80: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D4DA9

ShowWindow.USER32 ref: 00000001400A2276
IsIconic.USER32 ref: 00000001400A22C0
GetParent.USER32 ref: 00000001400A231A
GetWindowLongW.USER32 ref: 00000001400A232F
GetWindowRect.USER32 ref: 00000001400A2343
MapWindowPoints.USER32 ref: 00000001400A2359

Strings

Center, xrefs: 00000001400A1FF6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$IconicLongParentPointsRectShow_errno_invalid_parameter_noinfo
String ID: Center
API String ID: 3524692820-1197272594
Opcode ID: 41d36d954f2820e8efbc10395d9e8cbb0664c12512294a47cd85ae443c9d9d4c
Instruction ID: d116a4381c5603d6576f30323c46c5b67c51092b0c4861230dcc908631b6160b
Opcode Fuzzy Hash: 41d36d954f2820e8efbc10395d9e8cbb0664c12512294a47cd85ae443c9d9d4c
Instruction Fuzzy Hash: 3712AF327106419BFB26CB7AC5547EC37A1F368B88F004625EF1A57AA4DB74D895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A20CC Relevance: 58.2, APIs: 32, Strings: 1, Instructions: 418windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400D4D80: _errno.LIBCMT ref: 00000001400D4D9E
Part of subcall function 00000001400D4D80: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D4DA9

ShowWindow.USER32 ref: 00000001400A2276
IsIconic.USER32 ref: 00000001400A22C0
GetParent.USER32 ref: 00000001400A231A
GetWindowLongW.USER32 ref: 00000001400A232F
GetWindowRect.USER32 ref: 00000001400A2343
MapWindowPoints.USER32 ref: 00000001400A2359

Strings

Restore, xrefs: 00000001400A20CC

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$IconicLongParentPointsRectShow_errno_invalid_parameter_noinfo
String ID: Restore
API String ID: 3524692820-1214912099
Opcode ID: 9db7d646888b4763bec9ce0ca1f40f9a858a3db810e9b1b45d408ca931661448
Instruction ID: 4099d7b407ca9bf6274897da31cc2ee583908ccbdc7839bbb22c44d3818de832
Opcode Fuzzy Hash: 9db7d646888b4763bec9ce0ca1f40f9a858a3db810e9b1b45d408ca931661448
Instruction Fuzzy Hash: 8612AE327106419BFB26CB7AC5547EC37A1F36CB88F004625EF1A57AA8DB78D895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004EAC0 Relevance: 53.1, APIs: 12, Strings: 18, Instructions: 597
processlibraryloaderCOMMONCrypto

Download Yara Rule

C-Code - Quality: 51%

			E0000000114004EAC0(void* __rax, signed int __rbx, long long __rcx, signed short* __rdx, signed int __r8, void* __r9) {
				void* __rbp;
				void* __r12;
				void* __r14;
				void* __r15;
				void* _t166;
				void* _t184;
				signed int _t186;
				long _t191;
				signed int _t196;
				void* _t199;
				int _t207;
				signed int _t208;
				void* _t223;
				signed int _t227;
				signed int _t336;
				intOrPtr _t340;
				intOrPtr _t341;
				signed int _t342;
				signed int _t357;
				intOrPtr* _t363;
				intOrPtr _t364;
				long long* _t365;
				signed short* _t370;
				short* _t372;
				void* _t398;
				signed long long _t401;
				signed short* _t422;
				void* _t433;
				signed int _t437;
				intOrPtr _t439;
				intOrPtr _t441;
				signed int _t466;
				signed int* _t468;
				long long* _t470;
				struct _SECURITY_ATTRIBUTES* _t481;
				signed int _t487;
				signed int* _t492;
				signed int* _t495;
				struct _SECURITY_ATTRIBUTES* _t499;
				signed long long _t502;
				signed long long _t503;
				signed int _t510;
				int _t512;
				signed int* _t513;
				void* _t515;
				void* _t516;
				void* _t517;
				void* _t518;
				void* _t519;
				void* _t520;
				void* _t524;
				signed int _t539;
				signed int _t540;
				void* _t543;
				void* _t546;
				void* _t549;
				WCHAR* _t550;
				void* _t551;
				void* _t552;
				signed short* _t553;
				WCHAR* _t559;
				signed int _t562;
				void* _t564;
				signed int _t566;

				 *((long long*)(_t515 + 8)) = __rcx;
				E000000011400E12F0(0x1680, __rax, _t546, _t549);
				_t516 = _t515 - __rax;
				_t513 = _t516 + 0x50;
				_t513[0x5a0] = __rbx;
				_t336 =  !=  ? _t513[0x5a8] :  &(_t513[0x12]);
				r14d = 0;
				 *_t336 = _t562;
				_t513[6] = _t336;
				_t337 = _t513[0x5ae];
				_t370 = __rdx;
				if (_t513[0x5ae] == 0) goto 0x4004eb25;
				E00000001140023B70(_t513[0x5ae], __r8);
				if (__rdx == 0) goto 0x4004f415;
				_t227 =  *__rdx & 0x0000ffff;
				if (_t227 == 0) goto 0x4004f415;
				if (__r9 == 0) goto 0x4004eb47;
				_t566 =  ==  ? _t562 : __r9;
				_t513[4] = _t562;
				_t513[2] = __rdx;
				_t513[8] = _t562;
				if (__r8 == 0) goto 0x4004ec02;
				if (E000000011400D45AC(_t513[0x5ae], __rdx) == 0) goto 0x4004ebef;
				if (E000000011400D45AC(_t513[0x5ae], __rdx) == 0) goto 0x4004ebef;
				if (E000000011400D45AC(_t513[0x5ae], __rdx) == 0) goto 0x4004ebef;
				if (E000000011400D45AC(_t337, __rdx) == 0) goto 0x4004ebef;
				if (E000000011400D45AC(_t337, __rdx) == 0) goto 0x4004ebef;
				_t166 = E000000011400D45AC(_t337, __rdx);
				if (_t166 == 0) goto 0x4004ebef;
				_t513[8] = __r8;
				goto 0x4004ed24;
				_t513[4] = __rdx;
				_t513[2] = __r8;
				goto 0x4004ed24;
				if (_t227 == _t166) goto 0x4004ec39;
				if (( *(L" \t" + 2) & 0x0000ffff) != 0) goto 0x4004ec10;
				if (( *(__r8 + 2) & 0x0000ffff) != 0) goto 0x4004ec02;
				goto 0x4004ed21;
				_t551 = (__r8 + 2 - __rdx >> 1) + (__r8 + 2 - __rdx >> 1);
				if (_t551 + 0x11 - _t551 + 2 > 0) goto 0x4004ec54;
				E000000011400E12F0(0x20, 0xffffffffffffff0, _t546, _t549);
				_t517 = _t516 - 0xffffffffffffff0;
				_t524 = _t551;
				_t487 = _t517 + 0x50;
				E000000011400D5880(_t223, _t551 + 0x11 - _t551 + 2, _t487, __rdx, _t524);
				 *(_t551 + _t487) = r14w;
				if ( *_t487 != 0x2a) goto 0x4004ec87;
				goto 0x4004ecfc;
				if (E000000011400D45AC(0xffffffffffffff0, _t487) == 0) goto 0x4004ecf9;
				if (E000000011400D45AC(0xffffffffffffff0, _t487) == 0) goto 0x4004ecf9;
				if (E000000011400D45AC(0xffffffffffffff0, _t487) == 0) goto 0x4004ecf9;
				if (E000000011400D45AC(0xffffffffffffff0, _t487) == 0) goto 0x4004ecf9;
				if (E000000011400D45AC(0xffffffffffffff0, _t487) == 0) goto 0x4004ecf9;
				if (E000000011400D45AC(0xffffffffffffff0, _t487) != 0) goto 0x4004ed17;
				_t539 = _t487;
				_t513[4] = _t539;
				if (_t539 == 0) goto 0x4004ed21;
				_t513[2] = _t551 +  &(__rdx[1]);
				goto 0x4004ed24;
				_t502 = _t513[0x59c];
				_t540 = _t562;
				r8d = r14d;
				 *_t513 = r14b;
				_t513[0xa] = r14d;
				if (_t513[0x5ac] == r8b) goto 0x4004eda0;
				_t340 =  *((intOrPtr*)(_t502 + 0xbe0));
				if (_t340 == 0) goto 0x4004ed4a;
				if ( *((intOrPtr*)(_t340 + 0x10)) != _t524) goto 0x4004ed6e;
				_t341 =  *((intOrPtr*)(_t502 + 0xbf8));
				if (_t341 == 0) goto 0x4004ed5c;
				if ( *((intOrPtr*)(_t341 + 0x10)) != _t524) goto 0x4004ed6e;
				_t342 =  *((intOrPtr*)(_t502 + 0xc10));
				if (_t342 == 0) goto 0x4004eda0;
				if ( *((intOrPtr*)(_t342 + 0x10)) == _t524) goto 0x4004eda0;
				_t513[0x59e] = 1;
				if (_t540 == 0) goto 0x4004eda7;
				if (_t513[0x5a4] == r8b) goto 0x4004ed99;
				0x4004d730();
				goto 0x4004f41a;
				_t513[0x59e] = r8b;
				asm("repne scasw");
				_t398 =  !(_t502 | 0xffffffff) - 1;
				_t552 = _t398;
				if (_t398 - 0x4001 < 0) goto 0x4004ede7;
				if (_t513[0x5a4] == 0) goto 0x4004ede0;
				_t466 = L"String too long.";
				0x4004d730();
				goto 0x4004f41a;
				_t503 = _t513[0x5a6];
				r14d = 1;
				if (_t540 != 0) goto 0x4004eff8;
				_t41 = _t562 + 0x5f; // 0x5f
				r8d = _t41;
				E000000011400DB410(0, _t223, 0,  &(_t513[0x32]), _t466, 0x400ef524);
				_t513[0x30] = 0x68;
				_t513[0x3f] = r14d;
				if (_t503 == 0) goto 0x4004ee3c;
				if ( *_t503 == 0) goto 0x4004ee3c;
				_t401 = _t503;
				_t513[0x40] = E00000001140027570(_t342, _t401);
				goto 0x4004ee44;
				_t513[0x40] = r14w;
				_t513[0xc] = _t466;
				_t513[0xe] = _t342;
				_t513[0x10] = _t342;
				if (__r8 == 0) goto 0x4004eeb5;
				if ( *((intOrPtr*)(__r8)) == 0) goto 0x4004eeb5;
				asm("repne scasw");
				if ( !(_t401 | 0xffffffff) - 1 + _t552 +  !(_t401 | 0xffffffff) - 1 + _t552 + 0x14 + 0xf -  !(_t401 | 0xffffffff) - 1 + _t552 +  !(_t401 | 0xffffffff) - 1 + _t552 + 0x14 > 0) goto 0x4004ee8b;
				E000000011400E12F0(0, 0xffffffffffffff0, _t546, _t549);
				_t518 = _t517 - 0xfffffff0;
				_t184 = E000000011400D51D8(0xffffffffffffff0, _t518 + 0x50, L"%s %s", _t370, __r8, _t564, _t562);
				goto 0x4004ef01;
				if (_t552 + _t552 + 2 + 0xf - _t552 + _t552 + 2 > 0) goto 0x4004eecd;
				E000000011400E12F0(_t184, 0xfffffff0, _t546, _t549);
				_t519 = _t518 - 0xffffffffffffff0;
				_t492 = _t519 + 0x50;
				asm("o16 nop [eax+eax]");
				_t186 =  *_t370 & 0x0000ffff;
				 *(_t492 - _t370 +  &(_t370[1]) - 2) = _t186;
				if (_t186 != 0) goto 0x4004eef0;
				r13d = _t513[0x59e] & 0x000000ff;
				if (r13b == 0) goto 0x4004ef7f;
				r9d = _t513[0x5a4] & 0x000000ff;
				 *(_t519 + 0x48) =  &(_t513[0xa]);
				 *(_t519 + 0x40) = _t513[6];
				_t468 = _t492;
				 *(_t519 + 0x38) = _t513;
				 *(_t519 + 0x30) =  &(_t513[0xc]);
				 *((long long*)(_t519 + 0x28)) = _t513[0x5ae];
				 *((short*)(_t519 + 0x20)) = _t513[0x40] & 0x0000ffff;
				if (E000000011400858B0(_t513[0x5ae],  &(_t370[1]), _t513[0x59c], _t468, _t513, _t566, __r8, _t552) == 0) goto 0x4004ed99;
				if ( *_t513 != 0) goto 0x4004f295;
				r8d = _t513[0xa];
				goto 0x4004f000;
				r9d = 0;
				r8d = 0;
				 *(_t519 + 0x48) =  &(_t513[0xc]);
				 *(_t519 + 0x40) =  &(_t513[0x30]);
				 *(_t519 + 0x38) = _t566;
				 *(_t519 + 0x30) = _t468;
				 *((intOrPtr*)(_t519 + 0x28)) = 0;
				 *((intOrPtr*)(_t519 + 0x20)) = 0;
				if (CreateProcessW(_t559, _t550, _t481, _t499, _t512) == 0) goto 0x4004eff0;
				if (_t513[0xe] == 0) goto 0x4004efca;
				CloseHandle(??);
				_t470 = _t513[6];
				 *_t470 = _t513[0xc];
				if (_t513[0x5ae] == 0) goto 0x4004f299;
				goto 0x4004f28d;
				_t191 = GetLastError();
				goto 0x4004f009;
				r13d = _t513[0x59e] & 0x000000ff;
				if (r13b != 0) goto 0x4004f2d9;
				_t90 = _t470 + 0x6c; // 0x6c
				r8d = _t90;
				E000000011400DB410(_t191, 0, 0,  &(_t513[0x15]), _t470, _t566);
				_t513[0x14] = 0x70;
				_t513[0x15] = 0x440;
				_t513[0x1e] = _t566;
				if (_t503 == 0) goto 0x4004f045;
				if ( *_t503 == 0) goto 0x4004f045;
				_t513[0x20] = E00000001140027570(_t513[0x5ae], _t503);
				goto 0x4004f04c;
				_t513[0x20] = r14d;
				_t357 = _t513[4];
				if (_t357 == 0) goto 0x4004f070;
				_t513[0x18] = _t357;
				if (E000000011400D45AC(_t357, _t357) != 0) goto 0x4004f070;
				_t513[0x15] = _t513[0x15] | 0x0000000c;
				if (_t513[8] != 0) goto 0x4004f203;
				if (_t552 + _t552 + 2 + 0xf - _t552 + _t552 + 2 > 0) goto 0x4004f095;
				E000000011400E12F0(_t194, 0xfffffff0, _t546, _t549);
				_t553 = _t513[2];
				_t520 = _t519 - 0xffffffffffffff0;
				_t372 = _t520 + 0x50;
				_t422 = _t553;
				asm("o16 nop [eax+eax]");
				_t196 =  *_t422 & 0x0000ffff;
				 *( &(_t422[1]) + _t372 - _t553 - 2) = _t196;
				if (_t196 != 0) goto 0x4004f0c0;
				if ( *_t372 != 0x22) goto 0x4004f115;
				E000000011400D5BB4(_t196, 0x22, _t372 + 2);
				if (0xfffffff0 == 0) goto 0x4004f115;
				 *0xfffffff0 = 0;
				if ( *((intOrPtr*)(0xffffffffffffff2)) == 0) goto 0x4004f207;
				if ( *((short*)(0xffffffffffffff2)) != 0x20) goto 0x4004f207;
				goto 0x4004f207;
				if (_t566 == 0) goto 0x4004f123;
				_t199 = E000000011400D5BB4(SetCurrentDirectoryW(??), 0x20, _t372 + 2);
				if (0xfffffff0 == 0) goto 0x4004f1d5;
				if (0xfffffffffffffee - _t372 <= 0) goto 0x4004f16d;
				asm("o16 nop [eax+eax]");
				E000000011400D5BB4(_t199,  *0xFFFFFFFFFFFFFEE & 0x0000ffff, L"\\/.");
				if (0xfffffff0 != 0) goto 0x4004f16d;
				if (0xfffffffffffffec - _t372 > 0) goto 0x4004f150;
				if ( *((short*)(0xfffffffffffffec)) != 0x2e) goto 0x4004f1bc;
				 *0xfffffff0 = 0;
				if (4 != 8) goto 0x4004f19c;
				E000000011400B7530(L".exe.bat.com.cmd.hta", 0xfffffffffffffec, _t372 + 2, _t562, _t566);
				if (4 != 0) goto 0x4004f1cc;
				if ((GetFileAttributesW(??) & 0x00000010) == 0) goto 0x4004f1cc;
				 *0xfffffff0 = 0x20;
				goto 0x4004f12c;
				goto 0x4004f12c;
				goto 0x4004f1d9;
				if (_t566 == 0) goto 0x4004f207;
				_t363 =  *0x40125128; // 0x8919e0
				if (_t363 == 0) goto 0x4004f1fb;
				_t364 =  *_t363;
				_t433 =  !=  ? _t364 : 0x400ef524;
				SetCurrentDirectoryW(??);
				goto 0x4004f207;
				_t513[0x1a] = _t513[2];
				_t513[0x1c] = _t513[8];
				_t207 = ShellExecuteExW(??); // executed
				if (_t207 == 0) goto 0x4004f2ce;
				_t208 =  *0x4012c4e8;
				if ((r14b & _t208) != 0) goto 0x4004f25b;
				 *0x4012c4e8 = _t208 | r14d;
				GetModuleHandleW(??);
				GetProcAddress(??, ??);
				 *0x4012c4e0 = _t364;
				goto 0x4004f262;
				_t365 =  *0x4012c4e0;
				_t437 = _t513[0x2e];
				 *(_t513[6]) = _t437;
				if (_t437 == 0) goto 0x4004f299;
				_t495 = _t513[0x5ae];
				if (_t495 == 0) goto 0x4004f299;
				if (_t365 == 0) goto 0x4004f299;
				 *_t365();
				r8b = 0x18;
				0x40001090();
				if (_t513[0x5aa] == 0) goto 0x4004f2ae;
				_t439 =  *0x401235a8; // 0x2990b70
				 *((intOrPtr*)(_t439 + 0x40)) = 0;
				if (_t513[0x5a8] != 0) goto 0x4004f2c6;
				if ( *(_t513[6]) == 0) goto 0x4004f2c6;
				CloseHandle(??);
				goto 0x4004f41a;
				r8d = GetLastError();
				goto 0x4004f2e1;
				_t510 = _t513[8];
				if (_t513[0x5aa] == 0) goto 0x4004f2f5;
				_t441 =  *0x401235a8; // 0x2990b70
				 *(_t441 + 0x40) = r8d;
				if (_t513[0x5a4] == 0) goto 0x4004f411;
				r9d = 0;
				 *(_t520 + 0x30) = _t495;
				 *((intOrPtr*)(_t520 + 0x28)) = 0x1ff;
				 *(_t520 + 0x20) =  &(_t513[0x8c]);
				FormatMessageW(??, ??, ??, ??, ??, ??, ??);
				if (_t513[4] == 0) goto 0x4004f350;
				E000000011400B70F0(0x80, 0, _t372,  &(_t513[0x4c]), L"\nVerb: <%s>", _t513[4]);
				goto 0x4004f357;
				_t513[0x4c] = 0;
				_t543 = L"...";
				_t531 =  !=  ? _t510 : 0x400ef524;
				asm("repne scasw");
				_t479 =  >  ? _t543 : 0x400ef524;
				asm("repne scasw");
				 *((long long*)(_t520 + 0x40)) =  >  ? _t543 : 0x400ef524;
				 *((long long*)(_t520 + 0x38)) =  !=  ? _t510 : 0x400ef524;
				_t548 =  >  ? _t543 : 0x400ef524;
				_t545 =  !=  ? L"Launch Error (possibly related to RunAs):" : L"Failed attempt to launch program or document:";
				 *(_t520 + 0x30) =  &(_t513[0x4c]);
				 *((long long*)(_t520 + 0x28)) =  >  ? _t543 : 0x400ef524;
				 *(_t520 + 0x20) = _t513[2];
				E000000011400B70F0(0x800, 0, _t372,  &(_t513[0x18c]), L"%s\nAction: <%-0.400s%s>%s\nParams: <%-0.400s%s>",  !=  ? L"Launch Error (possibly related to RunAs):" : L"Failed attempt to launch program or document:");
				0x4004d730();
				goto 0x4004f41a;
				return 1;
			}

0x14004eac0
0x14004ead5
0x14004eada
0x14004eadd
0x14004eaf3
0x14004eafd
0x14004eb01
0x14004eb07
0x14004eb0a
0x14004eb0e
0x14004eb15
0x14004eb1b
0x14004eb20
0x14004eb28
0x14004eb2e
0x14004eb34
0x14004eb3d
0x14004eb43
0x14004eb4a
0x14004eb51
0x14004eb55
0x14004eb6b
0x14004eb82
0x14004eb95
0x14004eba8
0x14004ebbb
0x14004ebce
0x14004ebda
0x14004ebe1
0x14004ebe3
0x14004ebea
0x14004ebf2
0x14004ebf9
0x14004ebfd
0x14004ec13
0x14004ec20
0x14004ec32
0x14004ec34
0x14004ec3f
0x14004ec4f
0x14004ec5b
0x14004ec60
0x14004ec63
0x14004ec66
0x14004ec71
0x14004ec76
0x14004ec7f
0x14004ec85
0x14004ec98
0x14004ecab
0x14004ecbe
0x14004ecd1
0x14004ece4
0x14004ecf7
0x14004ecf9
0x14004ed03
0x14004ed0a
0x14004ed11
0x14004ed15
0x14004ed17
0x14004ed1e
0x14004ed24
0x14004ed27
0x14004ed2b
0x14004ed36
0x14004ed38
0x14004ed42
0x14004ed48
0x14004ed4a
0x14004ed54
0x14004ed5a
0x14004ed5c
0x14004ed66
0x14004ed6c
0x14004ed6e
0x14004ed78
0x14004ed81
0x14004ed94
0x14004ed9b
0x14004eda0
0x14004edad
0x14004edb3
0x14004edb6
0x14004edc0
0x14004edc8
0x14004edd1
0x14004eddb
0x14004ede2
0x14004ede7
0x14004edee
0x14004edf7
0x14004edfd
0x14004edfd
0x14004ee0a
0x14004ee0f
0x14004ee19
0x14004ee23
0x14004ee29
0x14004ee2b
0x14004ee33
0x14004ee3a
0x14004ee3c
0x14004ee48
0x14004ee4c
0x14004ee50
0x14004ee57
0x14004ee5e
0x14004ee67
0x14004ee7f
0x14004ee8f
0x14004ee94
0x14004eeac
0x14004eeb3
0x14004eec1
0x14004eed4
0x14004eed9
0x14004eedc
0x14004eee7
0x14004eef0
0x14004eef7
0x14004eeff
0x14004ef01
0x14004ef0c
0x14004ef0e
0x14004ef21
0x14004ef2d
0x14004ef36
0x14004ef39
0x14004ef42
0x14004ef4e
0x14004ef5a
0x14004ef66
0x14004ef70
0x14004ef76
0x14004ef7a
0x14004ef83
0x14004ef86
0x14004ef89
0x14004ef97
0x14004ef9c
0x14004efa1
0x14004efa6
0x14004efaa
0x14004efb9
0x14004efc2
0x14004efc4
0x14004efce
0x14004efd2
0x14004efdf
0x14004efeb
0x14004eff0
0x14004eff6
0x14004eff8
0x14004f003
0x14004f00f
0x14004f00f
0x14004f013
0x14004f018
0x14004f01f
0x14004f026
0x14004f02d
0x14004f033
0x14004f03d
0x14004f043
0x14004f045
0x14004f04c
0x14004f053
0x14004f05f
0x14004f06a
0x14004f06c
0x14004f077
0x14004f089
0x14004f09c
0x14004f0a1
0x14004f0a5
0x14004f0a8
0x14004f0ad
0x14004f0b6
0x14004f0c0
0x14004f0c7
0x14004f0cf
0x14004f0d5
0x14004f0e0
0x14004f0e8
0x14004f0f0
0x14004f0f7
0x14004f106
0x14004f110
0x14004f118
0x14004f12c
0x14004f137
0x14004f144
0x14004f146
0x14004f15a
0x14004f162
0x14004f16b
0x14004f171
0x14004f175
0x14004f186
0x14004f192
0x14004f19a
0x14004f1a7
0x14004f1b2
0x14004f1b7
0x14004f1c7
0x14004f1d3
0x14004f1dc
0x14004f1de
0x14004f1ef
0x14004f1f1
0x14004f1f7
0x14004f1fb
0x14004f201
0x14004f20b
0x14004f20f
0x14004f213
0x14004f21b
0x14004f221
0x14004f22a
0x14004f236
0x14004f23c
0x14004f24c
0x14004f252
0x14004f259
0x14004f25b
0x14004f262
0x14004f26d
0x14004f273
0x14004f275
0x14004f27f
0x14004f284
0x14004f286
0x14004f28d
0x14004f290
0x14004f2a0
0x14004f2a2
0x14004f2ab
0x14004f2b6
0x14004f2be
0x14004f2c0
0x14004f2c9
0x14004f2d4
0x14004f2d7
0x14004f2d9
0x14004f2e8
0x14004f2ea
0x14004f2f1
0x14004f2fc
0x14004f30b
0x14004f30e
0x14004f31a
0x14004f322
0x14004f327
0x14004f334
0x14004f349
0x14004f34e
0x14004f350
0x14004f361
0x14004f36e
0x14004f37b
0x14004f38e
0x14004f396
0x14004f399
0x14004f39e
0x14004f3ca
0x14004f3d8
0x14004f3e3
0x14004f3e8
0x14004f3ed
0x14004f3f2
0x14004f40c
0x14004f413
0x14004f433

APIs

CreateProcessW.KERNEL32 ref: 000000014004EFB1
CloseHandle.KERNEL32(?,00000000,?,?,00000001400285AF), ref: 000000014004EFC4
GetLastError.KERNEL32(?,00000000,?,?,00000001400285AF), ref: 000000014004EFF0
SetCurrentDirectoryW.KERNEL32(00000001,00000000,00000000,?,00000000,?,?,00000001400285AF), ref: 000000014004F11D
GetFileAttributesW.KERNEL32(00000001,00000000,00000000,?,00000000,?,?,00000001400285AF), ref: 000000014004F19F
SetCurrentDirectoryW.KERNEL32(00000001,00000000,00000000,?,00000000,?,?,00000001400285AF), ref: 000000014004F1FB
ShellExecuteExW.SHELL32 ref: 000000014004F213
GetModuleHandleW.KERNEL32(?,00000000,?,?,00000001400285AF), ref: 000000014004F23C
GetProcAddress.KERNEL32(?,00000000,?,?,00000001400285AF), ref: 000000014004F24C
CloseHandle.KERNEL32 ref: 000000014004F2C0
GetLastError.KERNEL32(?,00000000,?,?,00000001400285AF), ref: 000000014004F2CE
FormatMessageW.KERNEL32 ref: 000000014004F327

Strings

properties, xrefs: 000000014004EBD0, 000000014004ECE6, 000000014004F055
GetProcessId, xrefs: 000000014004F242
Verb: <%s>, xrefs: 000000014004F336
edit, xrefs: 000000014004EBAA, 000000014004ECC0
%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>, xrefs: 000000014004F3AD
.exe.bat.com.cmd.hta, xrefs: 000000014004F188
System verbs unsupported with RunAs., xrefs: 000000014004ED8A
open, xrefs: 000000014004EB97, 000000014004ECAD
find, xrefs: 000000014004EB71, 000000014004EC87
explore, xrefs: 000000014004EB84, 000000014004EC9A
..., xrefs: 000000014004F361
Failed attempt to launch program or document:, xrefs: 000000014004F3CE
String too long., xrefs: 000000014004EDD1
Launch Error (possibly related to RunAs):, xrefs: 000000014004F3A6
%s %s, xrefs: 000000014004EE97
\/., xrefs: 000000014004F153
kernel32.dll, xrefs: 000000014004F22F
print, xrefs: 000000014004EBBD, 000000014004ECD3

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Handle$CloseCurrentDirectoryErrorLast$AddressAttributesCreateExecuteFileFormatMessageModuleProcProcessShell
String ID: Verb: <%s>$%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>$%s %s$...$.exe.bat.com.cmd.hta$Failed attempt to launch program or document:$GetProcessId$Launch Error (possibly related to RunAs):$String too long.$System verbs unsupported with RunAs.$\/.$edit$explore$find$kernel32.dll$open$print$properties
API String ID: 187721205-758568768
Opcode ID: c0dc10473760a55f72a069868dc5aa92023aacb5df5e40d9da98ee3a2b48216c
Instruction ID: 92d9f345e9ba11cd2ba66ef5489408927759c010627a36c71a9a93b8c9942be4
Opcode Fuzzy Hash: c0dc10473760a55f72a069868dc5aa92023aacb5df5e40d9da98ee3a2b48216c
Instruction Fuzzy Hash: 02427A72200B8085EB669F62E9503E923A1FB4CBE8F494225FF1947BF9EB78D545D304

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001B6C Relevance: 51.4, APIs: 28, Strings: 1, Instructions: 620timewindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 0000000140001B9D
CloseClipboard.USER32 ref: 0000000140001BAA
SetTimer.USER32 ref: 0000000140001C5A
GetTickCount.KERNEL32 ref: 0000000140001D1F
GetTickCount.KERNEL32 ref: 0000000140001D7A
GetMessageW.USER32 ref: 0000000140001DBD
GetTickCount.KERNEL32 ref: 0000000140001DCC

Strings

#32770, xrefs: 0000000140002ABE

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessageTimerUnlock
String ID: #32770
API String ID: 1115112458-463685578
Opcode ID: da8610c00e07722383135ccb0a55e0561608f8f6d6b21126394b0d9dc65b61ba
Instruction ID: e17e3c420d967b3c914b32cf53d5bb0c7bb29f2b8314550a04559407241618d7
Opcode Fuzzy Hash: da8610c00e07722383135ccb0a55e0561608f8f6d6b21126394b0d9dc65b61ba
Instruction Fuzzy Hash: EF52A0B22056808AFB63CB27B8547E977A1F78DBD8F18401AFB49176B5DB38C881C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140028840 Relevance: 51.0, APIs: 20, Strings: 9, Instructions: 218
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400B9160: LoadLibraryExW.KERNEL32 ref: 00000001400B9193
Part of subcall function 00000001400B9160: FindResourceW.KERNEL32 ref: 00000001400B9218
Part of subcall function 00000001400B9160: LoadResource.KERNEL32 ref: 00000001400B922D
Part of subcall function 00000001400B9160: LockResource.KERNEL32 ref: 00000001400B923F
Part of subcall function 00000001400B9160: GetSystemMetrics.USER32 ref: 00000001400B925F
Part of subcall function 00000001400B9160: FindResourceW.KERNEL32 ref: 00000001400B92D5
Part of subcall function 00000001400B9160: LoadResource.KERNEL32 ref: 00000001400B92E9
Part of subcall function 00000001400B9160: LockResource.KERNEL32 ref: 00000001400B92F7

GetSystemMetrics.USER32 ref: 00000001400288D8

Part of subcall function 00000001400B9160: EnumResourceNamesW.KERNEL32 ref: 00000001400B91FB
Part of subcall function 00000001400B9160: SizeofResource.KERNEL32 ref: 00000001400B930B
Part of subcall function 00000001400B9160: CreateIconFromResourceEx.USER32 ref: 00000001400B932E

LoadCursorW.USER32 ref: 000000014002891A
RegisterClassExW.USER32 ref: 0000000140028945
RegisterClassExW.USER32 ref: 000000014002896C
GetForegroundWindow.USER32 ref: 00000001400289A3
GetClassNameW.USER32 ref: 00000001400289BF
CreateWindowExW.USER32 ref: 0000000140028A42
CreateWindowExW.USER32 ref: 0000000140028A9C
GetDC.USER32 ref: 0000000140028AF9
GetDeviceCaps.GDI32 ref: 0000000140028B23
MulDiv.KERNEL32 ref: 0000000140028B34
CreateFontW.GDI32 ref: 0000000140028B78
ReleaseDC.USER32 ref: 0000000140028B8F
SendMessageW.USER32 ref: 0000000140028BAA
SendMessageW.USER32 ref: 0000000140028BC2
ShowWindow.USER32 ref: 0000000140028BD1
ShowWindow.USER32 ref: 0000000140028BE0
ShowWindow.USER32 ref: 0000000140028BFF
SetWindowLongW.USER32 ref: 0000000140028C13
LoadAcceleratorsW.USER32 ref: 0000000140028C25

Strings

Lucida Console, xrefs: 0000000140028B06
Shell_TrayWnd, xrefs: 00000001400289C9
CreateWindow, xrefs: 0000000140028AB5
P, xrefs: 00000001400288B2
RegClass, xrefs: 000000014002897B
AutoHotkey, xrefs: 0000000140028887
Consolas, xrefs: 0000000140028B10
edit, xrefs: 0000000140028A66
AutoHotkey2, xrefs: 0000000140028950

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Resource$Window$Load$Create$ClassShow$FindLockMessageMetricsRegisterSendSystem$AcceleratorsCapsCursorDeviceEnumFontForegroundFromIconLibraryLongNameNamesReleaseSizeof
String ID: AutoHotkey$AutoHotkey2$Consolas$CreateWindow$Lucida Console$P$RegClass$Shell_TrayWnd$edit
API String ID: 2318086589-2636979444
Opcode ID: abe1fc9a570a8ee8867594f1d4202eb8db54adf1f911a1684ee0f7fe0e03ca12
Instruction ID: 7867bad904dd8d59a7f740d82e5e7fe60184268734ded33969439334e2aa112f
Opcode Fuzzy Hash: abe1fc9a570a8ee8867594f1d4202eb8db54adf1f911a1684ee0f7fe0e03ca12
Instruction Fuzzy Hash: 1AB16A3621AB8086E762CB22F854BDA73A4F78CB95F544119EB8A53B74DF3DC855CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005910 Relevance: 49.8, APIs: 13, Strings: 15, Instructions: 768
sleepwindowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 45%

			E00000001140005910(long long __rbx, long long __rcx, signed int __rdx, long long __rdi, long long __rsi) {
				void* __rbp;
				signed char _t160;
				void* _t174;
				void* _t180;
				intOrPtr _t181;
				signed int _t182;
				void* _t215;
				void* _t216;
				intOrPtr _t226;
				signed int _t227;
				intOrPtr _t253;
				intOrPtr _t257;
				void* _t260;
				void* _t288;
				void* _t305;
				void* _t316;
				long long _t319;
				void* _t320;
				void* _t324;
				intOrPtr* _t332;
				long long _t333;
				intOrPtr _t334;
				intOrPtr* _t335;
				void* _t336;
				long long _t338;
				intOrPtr* _t343;
				intOrPtr _t345;
				long long _t346;
				intOrPtr* _t349;
				signed int _t351;
				signed long long _t360;
				long long _t372;
				intOrPtr _t409;
				intOrPtr _t448;
				void* _t452;
				intOrPtr* _t454;
				intOrPtr _t455;
				intOrPtr _t459;
				void* _t463;
				void* _t464;
				void* _t466;
				void* _t467;
				void* _t469;
				intOrPtr _t474;
				void* _t481;
				intOrPtr _t483;
				intOrPtr _t484;
				signed long long _t486;
				intOrPtr _t493;
				intOrPtr _t499;
				intOrPtr* _t501;
				int _t503;
				long long _t514;
				struct _CRITICAL_SECTION* _t516;

				 *((long long*)(_t466 + 0x20)) = __rdi;
				_t464 = _t466 - 0x1e0;
				_t467 = _t466 - 0x2e0;
				 *0x40128a78 = __rcx;
				InitializeCriticalSection(_t516);
				SetErrorMode(_t503); // executed
				0x4006fed0();
				_t332 =  *0x40125128; // 0x8919e0
				if (_t332 == 0) goto 0x40005970;
				_t333 =  *_t332;
				_t356 =  !=  ? _t333 : 0x400ef524;
				 *((long long*)(_t467 + 0x318)) = __rbx;
				 *((long long*)(_t467 + 0x320)) = __rsi;
				asm("movaps [esp+0x2d0], xmm6");
				asm("movaps [esp+0x2c0], xmm7");
				asm("inc esp"); // executed
				E000000011400B3F00(_t333, __rbx,  !=  ? _t333 : 0x400ef524, __rdx | 0xffffffff, __rsi);
				_t226 =  *0x40126184; // 0x1
				r14b = 0;
				r13d = 0;
				 *0x40129608 = _t333;
				 *(_t467 + 0x38) = 1;
				 *((intOrPtr*)(_t467 + 0x48)) = _t226;
				 *(_t467 + 0x30) = r14b;
				 *((long long*)(_t467 + 0x60)) = _t501;
				 *(_t464 + 0x210) = 0;
				r15d = 1;
				r12d = 1;
				 *((long long*)(_t467 + 0x40)) = __rdi;
				if (_t226 - 1 <= 0) goto 0x40006055;
				asm("movsd xmm7, [0x10a259]");
				asm("repne inc esp");
				asm("movsd xmm6, [0x10a278]");
				asm("o16 nop [eax+eax]");
				_t334 =  *0x40126190; // 0x892220
				_t459 =  *((intOrPtr*)(_t334 + _t486 * 8));
				if (0 == 0) goto 0x40005dcc;
				r8d = 1;
				_t450 = E000000011400D51D8(_t334, _t467 + 0x70, L"%d", _t469, _t481, _t501, _t486);
				if ( *((intOrPtr*)(_t467 + 0x70)) == r13w) goto 0x4000624b;
				_t335 = _t467 + 0x31;
				 *((long long*)(_t467 + 0x28)) = _t335;
				 *(_t467 + 0x20) = 3;
				E0000000114003B1F0(0x4012a580, _t467 + 0x70, _t151, _t467 + 0x34);
				if (_t335 != 0) goto 0x40005aa5;
				r9d =  *((intOrPtr*)(_t467 + 0x34));
				 *(_t467 + 0x20) = (r13d & 0xffffff00 |  *((intOrPtr*)(_t467 + 0x31)) != r13d) + 1;
				E0000000114003B4F0(0x4012a580, _t467 + 0x70, _t151);
				_t349 = _t335;
				if (_t349 == 0) goto 0x4000624b;
				_t227 =  *(_t349 + 0x23) & 0x000000ff;
				if (_t227 != 0) goto 0x40005add;
				_t360 =  *((intOrPtr*)(_t349 + 0x10));
				r9d = 0;
				 *(_t467 + 0x20) = 1;
				E000000011400BB210(_t349, _t360, _t459, _t450, _t450 | 0xffffffff);
				 *(_t467 + 0x38) =  *(_t467 + 0x38) + 1;
				goto 0x40006030;
				r8b = 1;
				if (_t459 != 0) goto 0x40005af4;
				r8b = 0;
				goto 0x40005b18;
				if ( *((intOrPtr*)(_t349 + 8)) != 0x400ef524) goto 0x40005b03;
				goto 0x40005b18;
				asm("repne scasw");
				_t336 =  !(_t360 | 0xffffffff) - 1 + 1;
				_t452 = _t336 + _t336;
				if (_t227 != 2) goto 0x40005b45;
				0x40006c80();
				 *(_t467 + 0x38) =  *(_t467 + 0x38) + 1;
				goto 0x40006030;
				_t483 =  *0x40123580; // 0x4000000
				if (_t452 - _t483 <= 0) goto 0x40005b85;
				if (_t452 -  *((intOrPtr*)(_t349 + 0x18)) <= 0) goto 0x40005b85;
				0x4004d730();
				 *(_t467 + 0x38) =  *(_t467 + 0x38) + 1;
				goto 0x40006030;
				if (_t336 - 2 >= 0) goto 0x40005bb6;
				r8d = 0;
				E000000011400BB8C0((r13d & 0xffffff00 | r8b != 0x00000000) + 3, _t349, _t349, 0x400ef524, _t464);
				_t493 =  *((intOrPtr*)(_t467 + 0x40));
				 *(_t467 + 0x38) =  *(_t467 + 0x38) + 1;
				goto 0x40006030;
				_t160 =  *(_t349 + 0x21) & 0x000000ff;
				if ((_t160 & 0x00000002) == 0) goto 0x40005bd3;
				 *(_t349 + 0x21) = _t160 & 0x0000003d;
				 *((intOrPtr*)( *((intOrPtr*)( *_t349)) + 0x10))();
				_t484 =  *0x40123580; // 0x4000000
				_t474 =  *((intOrPtr*)(_t349 + 0x18));
				 *(_t349 + 0x21) =  *(_t349 + 0x21) & 0x00000082;
				if (_t452 - _t474 <= 0) goto 0x40005d42;
				if (0 - 1 <= 0) goto 0x40005bfe;
				if (0 == 2) goto 0x40005c47;
				_t338 =  *((intOrPtr*)(_t467 + 0x58));
				goto 0x40005d36;
				if (_t452 - 0x80 > 0) goto 0x40005c47;
				if (_t452 - 8 > 0) goto 0x40005c15;
				r14d = 8;
				goto 0x40005c28;
				r14d = 0x80;
				r14d =  <=  ? 0x10 : r14d;
				E000000011400B3FC0( *(_t349 + 0x20) & 0x000000ff,  *(_t464 + 0x210));
				 *((long long*)(_t467 + 0x58)) = _t338;
				if (_t338 == 0) goto 0x40005d68;
				 *(_t349 + 0x20) = 1;
				goto 0x40005d36;
				if (_t452 - 0x20 >= 0) goto 0x40005c58;
				r14d = 0x20;
				goto 0x40005cf9;
				if (_t452 - 0x208 >= 0) goto 0x40005c6c;
				r14d = 0x208;
				goto 0x40005cf9;
				if (_t452 - 0x50000 >= 0) goto 0x40005cb5;
				asm("pxor xmm0, xmm0");
				asm("repne dec eax");
				_t288 = _t452;
				if (_t288 >= 0) goto 0x40005c87;
				asm("addsd xmm0, xmm7");
				asm("repne inc ecx");
				asm("comisd xmm0, xmm6");
				if (_t288 <= 0) goto 0x40005cab;
				asm("subsd xmm0, xmm6");
				asm("comisd xmm0, xmm6");
				if (_t288 >= 0) goto 0x40005cab;
				asm("repne dec esp");
				goto 0x40005cf9;
				if (_t452 - 0x320000 >= 0) goto 0x40005cc7;
				goto 0x40005cf9;
				if (_t452 - 0xc80000 >= 0) goto 0x40005cf2;
				goto 0x40005cf9;
				_t514 =  >  ? _t484 : _t452 + 0x20000;
				if (0 != 2) goto 0x40005d18;
				if (_t474 == 0) goto 0x40005d18;
				dil = 1;
				E000000011400D4AF8(0xe147ae15,  *((intOrPtr*)(_t349 + 8)));
				goto 0x40005d1b;
				dil = 0;
				if (_t514 < 0) goto 0x40005d7c;
				E000000011400D4A38(0xe147ae15, _t349, _t514, 0x400ef524, _t463);
				 *((long long*)(_t467 + 0x58)) = 0xe147ae15;
				if (0xe147ae15 == 0) goto 0x40005d7c;
				 *(_t349 + 0x20) = 2;
				 *(_t349 + 0x21) =  *(_t349 + 0x21) & 0x0000007f;
				 *((long long*)(_t349 + 8)) = 0xe147ae15;
				 *((long long*)(_t349 + 0x18)) = _t514;
				if ( *((intOrPtr*)(_t349 + 8)) == 0x400ef524) goto 0x40005d57;
				E000000011400D5880( *(_t349 + 0x20) & 0x000000ff,  *((intOrPtr*)(_t349 + 8)) - 0x400ef524,  *((intOrPtr*)(_t349 + 8)), 0x400ef524, _t493 + _t493);
				_t372 = _t493 + _t493;
				 *((intOrPtr*)(_t372 +  *((intOrPtr*)(_t349 + 8)))) = r13w;
				 *((long long*)(_t349 + 0x10)) = _t372;
				 *(_t467 + 0x38) =  *(_t467 + 0x38) + 1;
				goto 0x40006030;
				if (dil == 0) goto 0x40005d92;
				 *((long long*)(_t349 + 0x18)) = _t501;
				 *((long long*)(_t349 + 8)) = 0x4012a488;
				goto 0x40005d9a;
				_t343 =  *((intOrPtr*)(_t349 + 8));
				 *_t343 = r13w;
				 *((long long*)(_t349 + 0x10)) = _t501;
				0x4004d730();
				 *(_t467 + 0x38) =  *(_t467 + 0x38) + 1;
				goto 0x40006030;
				if (E000000011400D45AC(_t343, 0x400ef524) == 0) goto 0x4000602b;
				if (E000000011400D45AC(_t343, 0x400ef524) == 0) goto 0x4000602b;
				if (E000000011400D45AC(_t343, 0x400ef524) == 0) goto 0x40006022;
				_t174 = E000000011400D45AC(_t343, 0x400ef524);
				if (_t174 == 0) goto 0x40006022;
				r8d = 0xc;
				0x400d4d80();
				if (_t174 != 0) goto 0x40005e66;
				if ( *((short*)(L"InputHook")) == 0x3d) goto 0x40005e4f;
				 *0x4012b133 = 1;
				 *0x4012b134 = E000000011400278C0(_t501);
				goto 0x40006030;
				if (E000000011400D45AC(_t343, 0x400ef524) != 0) goto 0x40005f05;
				r15d = r15d + 1;
				_t305 = r15d -  *0x40126184; // 0x1
				if (_t305 >= 0) goto 0x4000624b;
				E000000011400D5334(_t343, 0x400ef524);
				if (_t343 == 0) goto 0x40005eaa;
				E000000011400057D0(_t343);
				goto 0x40005ead;
				_t454 = _t501;
				 *0x4012b138 = _t454;
				 *((intOrPtr*)(_t467 + 0x50)) = 0x15;
				_t345 =  *_t454;
				 *(_t454 + 0xc) = r13d;
				if ( *((intOrPtr*)(_t345 + 8))() == 0) goto 0x4000624b;
				r8d = 0xfde9;
				_t180 = E000000011400B4A60(_t345, _t349, _t454, _t467 + 0x50, 0x400ef524, _t464);
				if (_t180 == 0) goto 0x4000624b;
				goto 0x40006030;
				r8d = 3;
				0x400d4d80();
				if (_t180 != 0) goto 0x40005f32;
				_t181 = E00000001140005650(0x1400ef52a, L"/CP");
				 *0x40128a80 = _t181;
				goto 0x40006030;
				if ( *0x4012a4d0 != 0xffffffff) goto 0x4000600b;
				r8d = 6;
				0x400d4d80();
				if (_t181 != 0) goto 0x4000600b;
				_t182 =  *0x1400EF530 & 0x0000ffff;
				if (_t182 == 0) goto 0x40005f70;
				if (_t182 != 0x3d) goto 0x4000600b;
				if (_t182 != 0x3d) goto 0x40005fe3;
				E000000011400D53D8(0x3a, 0x1400ef532, _t467 + 0x50);
				_t455 = _t345;
				if (_t345 == 0) goto 0x40005fc1;
				_t480 = _t345 - 0x1400ef532 >> 1;
				E000000011400B44D0(0x1400ef532, 0x401250f0);
				_t102 = _t455 + 2; // 0x2
				r8d = r8d | 0xffffffff;
				E000000011400B44D0(_t102, 0x40125108);
				goto 0x40006030;
				r8d = r8d | 0xffffffff;
				E000000011400B44D0(_t102, 0x40125108);
				E00000001140006750(_t345, _t349, 0x40125108, "9000", 0x1400ef532, _t345 - 0x1400ef532 >> 1);
				goto 0x40006030;
				E00000001140006750(_t345, _t349, 0x401250f0, "localhost", 0x1400ef532, _t345 - 0x1400ef532 >> 1);
				E00000001140006750(_t345, _t349, 0x40125108, "9000", 0x1400ef532, _t345 - 0x1400ef532 >> 1);
				goto 0x40006030;
				_t105 = _t516 + 1; // 0x2
				 *((long long*)(_t467 + 0x60)) = 0x1400ef532;
				 *((intOrPtr*)(_t467 + 0x48)) = _t105;
				 *(_t464 + 0x210) = 1;
				goto 0x40006037;
				 *0x40128acb = 1;
				goto 0x40006030;
				 *(_t467 + 0x30) = 1;
				r15d = r15d + 1;
				_t316 = r15d -  *0x40126184; // 0x1
				 *((long long*)(_t467 + 0x40)) =  *((intOrPtr*)(_t467 + 0x40)) + 2;
				if (_t316 < 0) goto 0x40005a10;
				r14d =  *(_t467 + 0x30) & 0x000000ff;
				_t346 = _t464 + 0x210;
				 *((long long*)(_t467 + 0x28)) = _t346;
				r8d = 0;
				 *(_t467 + 0x20) = 3;
				E0000000114003B1F0(0x4012a580, "0", _t345 - 0x1400ef532 >> 1, _t467 + 0x34);
				if (_t346 != 0) goto 0x400060bc;
				r9d =  *((intOrPtr*)(_t467 + 0x34));
				r8d = 0;
				 *(_t467 + 0x20) = (r13d & 0xffffff00 |  *(_t464 + 0x210) != r13d) + 1;
				E0000000114003B4F0(0x4012a580, "0", _t345 - 0x1400ef532 >> 1); // executed
				_t319 = _t346;
				if (_t319 == 0) goto 0x4000624b;
				r8b = 0x18;
				0x40001090();
				r8d = 6;
				E000000011400D8154( *(_t464 + 0x210) & 0x000000ff, _t260, _t464 - 0x50, L"A_Args", _t455, _t480);
				 *((intOrPtr*)(_t464 - 0x44)) = r13w;
				if (_t319 < 0) goto 0x40006134;
				asm("cdq");
				_t320 = E000000011400D45AC(_t346, _t464 - 0x50);
				if (_t320 <= 0) goto 0x40006127;
				goto 0x40006130;
				if (_t320 >= 0) goto 0x40006292;
				if ((_t455 + 0x1400ef532 - 0x3a >> 1) + 1 - (_t455 + 0x1400ef532 - 0x3a >> 1) - 1 <= 0) goto 0x40006102;
				_t257 =  *0x4012a5d8; // 0x0
				_t499 =  *0x4012a5c8; // 0x0
				if (_t499 == 0) goto 0x40006182;
				if (_t257 - 1 < 0) goto 0x40006182;
				asm("cdq");
				_t351 = _t455 + 0x1400ef532 - 0x3a >> 1;
				_t324 = E000000011400D45AC(_t346, _t464 - 0x50);
				if (_t324 <= 0) goto 0x40006175;
				_t253 = _t351 + 1;
				goto 0x4000617e;
				if (_t324 >= 0) goto 0x40006292;
				if (_t253 - _t351 - 1 <= 0) goto 0x40006150;
				r9d = _t253;
				r8d = 6;
				 *(_t467 + 0x20) = (r13d & 0xffffff00 | 0 != 0x00000000) + 0x00000001 | 0x000000c0;
				E0000000114003B4F0(0x4012a580, L"A_Args", _t480);
				if (_t346 == 0) goto 0x4000624b;
				0x400aece0();
				if (_t346 == 0) goto 0x4000624b;
				E000000011400BB590(_t351, _t346, _t346, 0x1400ef532);
				E00000001140005490(_t467 + 0x34);
				r8d = r14b & 0xffffffff; // executed
				_t215 = E000000011400283E0(_t346, _t351, 0x4012a580,  *((intOrPtr*)(_t467 + 0x60)), 0x1400ef532); // executed
				if (_t215 != 1) goto 0x4000624b;
				_t448 =  *0x401235a8; // 0x2990b70
				r8d = 0x150;
				_t216 = E000000011400D5880(0, _t215 - 1, 0x40127520, _t448, _t480);
				0x40029d30(); // executed
				if (_t216 != 0xffffffff) goto 0x400062b1;
				_t409 =  *0x4012b138; // 0x0
				if (_t409 == 0) goto 0x4000624b;
				E000000011400056F0();
				asm("inc esp");
				asm("movaps xmm7, [esp+0x2c0]");
				asm("movaps xmm6, [esp+0x2d0]");
				return 2;
			}

0x140005910
0x14000591e
0x140005926
0x14000592d
0x14000593b
0x140005946
0x14000594e
0x140005953
0x140005964
0x140005966
0x14000596c
0x140005970
0x140005978
0x140005980
0x14000598c
0x140005994
0x14000599d
0x1400059a2
0x1400059ad
0x1400059b0
0x1400059b5
0x1400059bc
0x1400059c0
0x1400059c4
0x1400059c9
0x1400059ce
0x1400059d4
0x1400059d7
0x1400059da
0x1400059e1
0x1400059e7
0x1400059ef
0x1400059f8
0x140005a07
0x140005a10
0x140005a17
0x140005a1d
0x140005a2f
0x140005a37
0x140005a40
0x140005a46
0x140005a55
0x140005a64
0x140005a6c
0x140005a77
0x140005a79
0x140005a99
0x140005a9d
0x140005aa2
0x140005aa8
0x140005aae
0x140005ab4
0x140005ab6
0x140005aba
0x140005ac4
0x140005ac9
0x140005ad4
0x140005ad8
0x140005add
0x140005ae3
0x140005ae5
0x140005af2
0x140005af8
0x140005b01
0x140005b0c
0x140005b18
0x140005b1d
0x140005b24
0x140005b2c
0x140005b3c
0x140005b40
0x140005b45
0x140005b4f
0x140005b55
0x140005b6c
0x140005b7c
0x140005b80
0x140005b89
0x140005b97
0x140005b9d
0x140005ba6
0x140005bad
0x140005bb1
0x140005bb6
0x140005bbc
0x140005bc3
0x140005bc9
0x140005bcc
0x140005bd3
0x140005bd7
0x140005bde
0x140005bee
0x140005bf2
0x140005bf4
0x140005bf9
0x140005c05
0x140005c0b
0x140005c0d
0x140005c13
0x140005c15
0x140005c24
0x140005c2b
0x140005c30
0x140005c38
0x140005c3e
0x140005c42
0x140005c4b
0x140005c4d
0x140005c53
0x140005c5f
0x140005c61
0x140005c67
0x140005c73
0x140005c75
0x140005c79
0x140005c7e
0x140005c81
0x140005c83
0x140005c87
0x140005c8e
0x140005c92
0x140005c94
0x140005c98
0x140005c9c
0x140005cab
0x140005cb3
0x140005cbc
0x140005cc5
0x140005cce
0x140005cf0
0x140005cfc
0x140005d03
0x140005d08
0x140005d0e
0x140005d11
0x140005d16
0x140005d18
0x140005d1e
0x140005d23
0x140005d28
0x140005d30
0x140005d32
0x140005d36
0x140005d3a
0x140005d3e
0x140005d49
0x140005d52
0x140005d5b
0x140005d5f
0x140005d64
0x140005d73
0x140005d77
0x140005d7f
0x140005d88
0x140005d8c
0x140005d90
0x140005d92
0x140005d96
0x140005daf
0x140005db3
0x140005dc3
0x140005dc7
0x140005ddd
0x140005df4
0x140005e0b
0x140005e1b
0x140005e22
0x140005e2f
0x140005e38
0x140005e3f
0x140005e4a
0x140005e4f
0x140005e5b
0x140005e61
0x140005e77
0x140005e7d
0x140005e83
0x140005e8a
0x140005e93
0x140005e9b
0x140005ea0
0x140005ea8
0x140005eaa
0x140005eb4
0x140005ebb
0x140005ec7
0x140005ed2
0x140005edb
0x140005ee6
0x140005eef
0x140005ef6
0x140005f00
0x140005f0c
0x140005f15
0x140005f1c
0x140005f22
0x140005f27
0x140005f2d
0x140005f3a
0x140005f47
0x140005f50
0x140005f57
0x140005f5d
0x140005f64
0x140005f6a
0x140005f74
0x140005f82
0x140005f91
0x140005f97
0x140005f9f
0x140005fa2
0x140005fa7
0x140005fb2
0x140005fb6
0x140005fbf
0x140005fc1
0x140005fc5
0x140005fd8
0x140005fe1
0x140005ff1
0x140006004
0x140006009
0x14000600b
0x140006011
0x140006016
0x14000601a
0x140006020
0x140006022
0x140006029
0x14000602b
0x14000603a
0x14000603d
0x140006044
0x140006049
0x14000604f
0x140006055
0x140006068
0x140006074
0x140006077
0x14000607f
0x14000608a
0x14000608c
0x1400060ab
0x1400060b0
0x1400060b4
0x1400060bc
0x1400060bf
0x1400060c8
0x1400060ce
0x1400060de
0x1400060e4
0x1400060f8
0x140006100
0x140006109
0x14000611e
0x140006120
0x140006125
0x140006127
0x140006132
0x140006134
0x14000613a
0x140006146
0x14000614d
0x140006157
0x14000615c
0x14000616c
0x14000616e
0x140006170
0x140006173
0x140006175
0x140006180
0x14000619a
0x14000619f
0x1400061aa
0x1400061ae
0x1400061b9
0x1400061dc
0x1400061e4
0x1400061ec
0x1400061f1
0x140006202
0x140006206
0x14000620e
0x140006210
0x14000621e
0x140006224
0x140006230
0x140006238
0x14000623a
0x140006244
0x140006246
0x140006250
0x140006259
0x140006261
0x140006291

APIs

InitializeCriticalSection.KERNEL32 ref: 000000014000593B
SetErrorMode.KERNEL32 ref: 0000000140005946

Part of subcall function 000000014006FED0: GetCurrentDirectoryW.KERNEL32(?,0000000140005953), ref: 000000014006FEEC

wcsncpy.LIBCMT ref: 00000001400060E4
FindWindowW.USER32 ref: 000000014000632D
FindWindowW.USER32 ref: 000000014000639B
PostMessageW.USER32 ref: 00000001400063BF
Sleep.KERNEL32 ref: 00000001400063CD
IsWindow.USER32 ref: 00000001400063D6
Sleep.KERNEL32 ref: 0000000140006413
IsWindow.USER32 ref: 000000014000641C
Sleep.KERNEL32 ref: 000000014000642B
SystemParametersInfoW.USER32 ref: 0000000140006442
SystemParametersInfoW.USER32 ref: 0000000140006465

Strings

9000, xrefs: 0000000140005FCA, 0000000140005FF6
An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta, xrefs: 000000014000635A
localhost, xrefs: 0000000140005FE3
Memory limit reached (see #MaxMem in the help file)., xrefs: 0000000140005B5E
/restart, xrefs: 0000000140005DE3
/force, xrefs: 0000000140005E11
Out of memory., xrefs: 0000000140005DA1
/CP, xrefs: 0000000140005F05
A_Args, xrefs: 00000001400060D3, 0000000140006189
AutoHotkey, xrefs: 0000000140006326, 0000000140006394
Clipboard, xrefs: 000000014000654D, 000000014000658A
Could not close the previous instance of this script. Keep waiting?, xrefs: 00000001400063E8
/ErrorStdOut, xrefs: 0000000140005E28
/iLib, xrefs: 0000000140005E66
/Debug, xrefs: 0000000140005F40

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$Sleep$FindInfoParametersSystem$CriticalCurrentDirectoryErrorInitializeMessageModePostSectionwcsncpy
String ID: /CP$/Debug$/ErrorStdOut$/force$/iLib$/restart$9000$A_Args$An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta$AutoHotkey$Clipboard$Could not close the previous instance of this script. Keep waiting?$Memory limit reached (see #MaxMem in the help file).$Out of memory.$localhost
API String ID: 1782978999-3467539290
Opcode ID: 78fd360f0a1e6b0823f41600728ad91d2124518e2e71bcde5aa7786e84982e5e
Instruction ID: e455b702d052cf4b9daeee7e62e5b3b7328f1e38bd1125076dac45505a115a33
Opcode Fuzzy Hash: 78fd360f0a1e6b0823f41600728ad91d2124518e2e71bcde5aa7786e84982e5e
Instruction Fuzzy Hash: A372AEB1205A4086FB23DB27F4503EA67A2FB8DBD4F540116FB4A676B5EB38C946C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000281C Relevance: 39.0, APIs: 20, Strings: 2, Instructions: 484
windowclipboardthreadCOMMONCrypto

Download Yara Rule

C-Code - Quality: 48%

			E0000000114000281C() {
				int _t236;
				int _t244;
				signed int _t264;
				intOrPtr _t267;
				intOrPtr _t270;
				void* _t275;
				long _t281;
				intOrPtr _t299;
				signed int _t308;
				signed int _t312;
				void* _t334;
				void* _t335;
				void* _t341;
				void* _t362;
				signed int _t392;
				void* _t407;
				void* _t423;
				signed long long _t454;
				signed long long _t455;
				intOrPtr* _t456;
				intOrPtr _t458;
				intOrPtr _t459;
				intOrPtr _t460;
				signed long long _t461;
				signed char* _t467;
				intOrPtr _t470;
				long long _t473;
				void* _t480;
				signed long long _t481;
				signed long long _t482;
				signed long long _t483;
				signed long long _t484;
				signed long long _t485;
				signed long long _t486;
				signed long long _t493;
				intOrPtr _t499;
				void* _t502;
				intOrPtr _t506;
				signed long long _t512;
				long long _t531;
				intOrPtr _t540;
				void* _t542;
				void* _t544;
				signed long long _t549;
				signed long long _t551;
				signed long long _t552;
				signed long long _t554;
				signed long long _t555;
				void* _t557;
				long long _t558;
				intOrPtr _t559;
				intOrPtr _t560;
				signed long long _t562;
				void* _t573;
				void* _t582;
				void* _t583;
				void* _t584;
				void* _t585;
				void* _t586;
				void* _t587;
				signed long long _t588;
				unsigned long long _t589;
				unsigned long long _t590;
				signed long long _t592;
				signed long long _t593;
				long long _t600;
				signed long long _t601;

				if (r9d <= 0) goto 0x40002a40;
				_t454 =  *((intOrPtr*)(_t585 + _t588 * 8));
				if ( *((intOrPtr*)(_t454 + 8)) == _t480) goto 0x40002849;
				if (r10d + 1 - r9d < 0) goto 0x40002830;
				goto 0x40002a40;
				 *(_t584 + 0x60) = _t454;
				if (_t454 == 0) goto 0x40002a78;
				 *(_t584 + 0x58) = _t592;
				_t308 = r12w & 0xffffffff;
				 *(_t584 + 0x54) = _t308;
				_t590 = _t589 >> 0x10;
				 *(_t583 - 0x38) = r12w & 0xffffffff;
				 *((intOrPtr*)(_t584 + 0x4c)) = r10d;
				if (_t308 != 8) goto 0x4000288a;
				 *(_t583 - 0x34) = r13d;
				 *(_t584 + 0x58) = _t454;
				 *(_t583 - 0x38) = 0x2af8;
				_t593 =  *(_t584 + 0x60);
				_t341 = 0x2af8 -  *((intOrPtr*)(_t593 + 0x20));
				if (_t341 >= 0) goto 0x400028a3;
				_t455 =  *((intOrPtr*)(_t593 + 0x28));
				goto 0x400028a6;
				_t562 = _t588;
				 *(_t583 - 0x68) = _t562;
				 *(_t583 - 0x20) = _t588;
				 *((intOrPtr*)(_t583 + 0x1428)) = r10b;
				if (_t341 == 0) goto 0x400029b3;
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				if (_t341 == 0) goto 0x40002987;
				if (_t341 == 0) goto 0x40002974;
				if (_t341 == 0) goto 0x40002961;
				if (_t341 == 0) goto 0x4000294f;
				if (_t562 == 0) goto 0x40001d04;
				if ( *((intOrPtr*)(_t562 + 0x18)) != 0) goto 0x40002939;
				r15d =  *((intOrPtr*)(_t584 + 0x44));
				r14d =  *((intOrPtr*)(_t584 + 0x40));
				if (( *( *(_t583 - 0x68) + 9) & 0x00000001) == 0) goto 0x40001cd4;
				r13d =  *(_t583 + 0x1420) & 0x000000ff;
				if ( *((intOrPtr*)(_t593 + 8)) == 0) goto 0x40001d1f;
				ShowWindow(??, ??);
				goto 0x40003150;
				if (( *(_t588 + 9) & 0x00000004) != 0) goto 0x40001d04;
				 *((char*)(_t583 + 0x1428)) = 1;
				goto 0x40002a02;
				if ( *((intOrPtr*)(_t593 + 0x58)) == 0) goto 0x40001d04;
				goto 0x40002a02;
				if ( *((intOrPtr*)(_t593 + 0x48)) == 0) goto 0x40001d04;
				goto 0x40002998;
				if ( *((intOrPtr*)(_t593 + 0x40)) == 0) goto 0x40001d04;
				goto 0x40002998;
				if ( *((intOrPtr*)(_t593 + 0x38)) == 0) goto 0x40001d04;
				_t493 = _t593 + 0x60;
				 *(_t583 - 0x20) = _t493;
				if (_t493 == 0) goto 0x40002a02;
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				if ( *_t493 != r10b) goto 0x40001d04;
				goto 0x40002a02;
				_t601 =  *(_t593 + 0xa0);
				if ( *((intOrPtr*)(_t593 + 0x50)) == 0) goto 0x40002a0a;
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				r14d =  *((intOrPtr*)(_t584 + 0x40));
				_t549 = _t588;
				if (_t601 == 0) goto 0x40001cc5;
				r9d = 0;
				r8d = 0;
				_t236 = DragQueryFileW(??, ??, ??, ??);
				 *(_t584 + 0x58) = _t549;
				if (_t236 == 0) goto 0x40002a0a;
				r14d =  *((intOrPtr*)(_t584 + 0x70));
				r10d = 0;
				r12d = r10d;
				goto 0x40003085;
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				r14d =  *((intOrPtr*)(_t584 + 0x40));
				if (_t601 == 0) goto 0x40001ccf;
				DragFinish(??);
				 *(_t593 + 0xa0) = _t549;
				goto 0x40003150;
				 *(_t584 + 0x60) = _t588;
				if (_t590 == 0) goto 0x40002be6;
				E00000001140096150(_t590);
				 *(_t584 + 0x60) = _t455;
				if (_t455 != 0) goto 0x40002bed;
				if (_t480 == 0) goto 0x40002bed;
				if (_t480 == _t549) goto 0x40002bed; // executed
				GetForegroundWindow(); // executed
				_t481 = _t455;
				if (_t455 == 0) goto 0x40002b53;
				_t362 = GetWindowThreadProcessId(??, ??) -  *0x4012a558;
				if (_t362 != 0) goto 0x40002b53;
				r8d = 0x20;
				GetClassNameW(??, ??, ??);
				asm("repe cmpsw");
				if (_t362 != 0) goto 0x40002b53;
				_t499 =  *0x401235a8; // 0x2990b70
				 *((char*)(_t499 + 0x128)) = 1;
				 *((intOrPtr*)(_t499 + 0x124)) =  *((intOrPtr*)(_t584 + 0x70));
				if (IsDialogMessageW(??, ??) == 0) goto 0x40002b43;
				if ( *0x40128c74 == 0) goto 0x40002b29;
				_t456 =  *0x40125128; // 0x8919e0
				if (_t456 == 0) goto 0x40002b23;
				_t502 =  !=  ?  *_t456 : 0x400ef524;
				SetCurrentDirectoryW(??);
				_t458 =  *0x401235a8; // 0x2990b70
				 *((char*)(_t458 + 0x128)) = 0;
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				goto 0x40001d04;
				 *((char*)( *0x401235a8 + 0x128)) = 0;
				goto 0x40002b5a;
				if ( *0x40128ab0 == 0) goto 0x40002bac;
				_t586 = _t584 + 0x68;
				_t244 = TranslateAcceleratorW(??, ??, ??);
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				r15d =  *((intOrPtr*)(_t584 + 0x44));
				r13d =  *(_t583 + 0x1420) & 0x000000ff;
				r14d =  *((intOrPtr*)(_t584 + 0x40));
				if (_t244 != 0) goto 0x40001d1f;
				_t506 =  *0x401235a8;
				 *((char*)(_t506 + 0x128)) = 1;
				 *((intOrPtr*)(_t506 + 0x124)) =  *((intOrPtr*)(_t584 + 0x70));
				TranslateMessage(??);
				DispatchMessageW(??);
				 *((char*)( *0x401235a8 + 0x128)) = 0;
				goto 0x40002b37;
				 *(_t584 + 0x60) = _t588;
				goto 0x40002bf0;
				r10d = 0;
				_t459 =  *0x4012b0e0; // 0x0
				if (_t459 == 0) goto 0x40002c53;
				_t551 =  *((intOrPtr*)(_t459 + 8));
				 *(_t583 - 0x50) = _t551;
				if (_t551 == 0) goto 0x40002c23;
				if ( *((intOrPtr*)(_t551 + 0x28)) == r13d) goto 0x40002c29;
				_t552 =  *((intOrPtr*)(_t551 + 0x38));
				 *(_t583 - 0x50) = _t552;
				if (_t552 != 0) goto 0x40002c10;
				_t460 =  *((intOrPtr*)(_t459 + 0x30));
				goto 0x40002bf7;
				_t570 =  *((intOrPtr*)(_t552 + 0x10));
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				r13d =  *(_t583 + 0x1420) & 0x000000ff;
				if ( *((intOrPtr*)(_t552 + 0x10)) == 0) goto 0x40001cea;
				r12d =  *((intOrPtr*)(_t552 + 0x2c));
				goto 0x40003089;
				 *(_t583 - 0x50) = _t588;
				r15d =  *((intOrPtr*)(_t584 + 0x44));
				r14d =  *((intOrPtr*)(_t584 + 0x40));
				if (_t590 - _t460 >= 0) goto 0x40001cbc;
				_t461 =  *0x401296a0; // 0x0
				_t600 =  *((intOrPtr*)(_t461 + _t590 * 8));
				 *((long long*)(_t583 + 0x30)) = _t600;
				if ( *(_t600 + 0x20) == 0) goto 0x40002cd7;
				E000000011400149A0(_t481,  *(_t600 + 0x20));
				 *(_t583 - 0x58) = _t461;
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				r13d =  *(_t583 + 0x1420) & 0x000000ff;
				if (_t461 == 0) goto 0x40001cde;
				_t312 =  *( *(_t600 + 0x20)) & 0x000000ff;
				if (_t312 == 1) goto 0x40002cd1;
				if (_t312 == 3) goto 0x40002cd1;
				 *(_t583 - 0x58) = _t601;
				goto 0x40002cdd;
				 *(_t583 - 0x58) = _t588;
				E0000000114001A210(0, _t335, _t461, _t481, _t600,  *(_t583 - 0x80), _t570, _t600);
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				r13d =  *(_t583 + 0x1420) & 0x000000ff;
				if ( *((intOrPtr*)(_t600 + 0x18)) != _t601) goto 0x40001cde;
				if ( *((intOrPtr*)(_t600 + 0x3e)) == r15b) goto 0x40002d1b;
				 *0x4012b0fc =  *(_t583 - 0x80) & 0x0000ffff;
				goto 0x40002d22;
				 *0x4012b0fc = 0;
				r12d =  *((intOrPtr*)(_t600 + 0x28));
				r14d =  *((intOrPtr*)(_t584 + 0x70));
				goto 0x40003080;
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				r13d =  *(_t583 + 0x1420) & 0x000000ff;
				if ( *0x4012b0c0 != r10b) goto 0x40001ca7;
				_t573 =  ==  ?  *0x4012ac28 :  *0x4012b0a8;
				r12d = r10d;
				goto 0x40003080;
				_t512 = _t590;
				E00000001140054990( *(_t583 - 0x80) & 0x0000ffff, _t512);
				 *(_t583 - 0x48) = _t461;
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				r13d =  *(_t583 + 0x1420) & 0x000000ff;
				r14d =  *((intOrPtr*)(_t584 + 0x40));
				if (_t461 == 0) goto 0x40001cfd;
				r12d = 0;
				r14d =  *((intOrPtr*)(_t584 + 0x70));
				goto 0x40003080;
				_t554 =  *0x40129600;
				 *(_t583 - 0x48) = _t554;
				r13d =  *(_t583 + 0x1420) & 0x000000ff;
				if (_t554 == 0) goto 0x40001ca0;
				if (_t554 == _t590) goto 0x40002dfc;
				_t555 =  *((intOrPtr*)(_t554 + 8));
				 *(_t583 - 0x48) = _t555;
				if (_t555 != 0) goto 0x40002de0;
				r15d =  *((intOrPtr*)(_t584 + 0x44));
				goto 0x40002787;
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				r13d =  *(_t583 + 0x1420) & 0x000000ff;
				if (_t555 == 0) goto 0x40001ca7;
				if (r14d != 0x41c) goto 0x40002e31;
				goto 0x40002e4a;
				if (r14d != 0x41e) goto 0x40002e43;
				goto 0x40002e4a;
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				r13d =  *(_t583 + 0x1420) & 0x000000ff;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t555 + 0x10)) + 0x390)) + 0x3a0)) + 0x398)) == 0) goto 0x40001cea;
				r12d = r10d;
				goto 0x40003080;
				if ((r12w & 0x7fff) -  *((intOrPtr*)( *0x40125138)) >= 0) goto 0x40001cb3;
				_t531 =  *((intOrPtr*)( *0x40129678 + _t512 * 8));
				 *((long long*)(_t583 - 0x18)) = _t531;
				_t392 = r12w;
				if (_t392 == 0) goto 0x40002ed7;
				r12w = r12w + 0xffff;
				_t482 =  *((intOrPtr*)(_t531 + 0x28));
				 *(_t583 - 0x40) = _t482;
				if (_t392 == 0) goto 0x40002ece;
				_t483 =  *((intOrPtr*)(_t482 + 0x10));
				r12w = r12w + 0xffff;
				if (_t392 != 0) goto 0x40002ec0;
				 *(_t583 - 0x40) = _t483;
				if (_t483 != 0) goto 0x40002fdf;
				if (r14d != 0x400) goto 0x40002ef1;
				goto 0x40002ef4;
				if ( *((intOrPtr*)(_t531 + 0x19)) != r10b) goto 0x40002f0a;
				 *(_t583 - 0x40) = _t588;
				r15d =  *((intOrPtr*)(_t584 + 0x44));
				goto 0x40002787;
				 *(_t583 - 0x58) = _t588;
				_t484 =  *((intOrPtr*)(_t531 + 0x28));
				 *(_t583 - 0x40) = _t484;
				if (_t484 == 0) goto 0x40002fb3;
				if ( *((intOrPtr*)(_t484 + 0x28)) == r15b) goto 0x40002f91;
				if ( *0x40128c15 == r15b) goto 0x40002f41;
				if (E000000011400B1840( *0x40128c15 - r15b, _t484, _t531) == 0) goto 0x40002f91;
				if (0x3c2c17 - 0x66 > 0) goto 0x40002f5d;
				goto 0x40002f62;
				if (0x65 - ( *(_t484 + 0x24) & 0x000000ff) <= 0) goto 0x40002f91;
				if ( *((intOrPtr*)(_t484 + 8)) == 0) goto 0x40002f88;
				E000000011400149A0(_t484,  *((intOrPtr*)(_t484 + 8)));
				 *(_t583 - 0x58) = 0x3c2c17;
				if (0x3c2c17 + _t555 == 0) goto 0x40002f91;
				if ( *((intOrPtr*)(_t484 + 8)) != _t601) goto 0x40002fa7;
				_t485 =  *((intOrPtr*)(_t484 + 0x10));
				 *(_t583 - 0x40) = _t485;
				if (_t485 == 0) goto 0x40002fae;
				goto 0x40002f22;
				r14d =  *((intOrPtr*)(_t584 + 0x70));
				goto 0x40002fba;
				r14d =  *((intOrPtr*)(_t584 + 0x70));
				_t486 = _t484;
				 *(_t583 - 0x40) = _t486;
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				r13d =  *(_t583 + 0x1420) & 0x000000ff;
				if (_t486 == 0) goto 0x40001cde;
				r10d = 0;
				_t557 =  *_t486;
				_t407 = E000000011400B1790(_t557,  *((intOrPtr*)(_t583 - 0x18)));
				if (_t407 == 0) goto 0x40002ff2;
				if (_t407 != 0) goto 0x40003000;
				if ( *((intOrPtr*)(_t557 + 0x10)) == 0) goto 0x40003000;
				goto 0x40003002;
				if ( *((intOrPtr*)(_t486 + 0x22)) - ( *(_t486 + 0x23) & 0x000000ff) < 0) goto 0x40003050;
				if (0 == 0xe0) goto 0x40003050;
				if (0 == 0xcc) goto 0x40003050;
				if (0 == 0xda) goto 0x40003050;
				if (0 == 0xdb) goto 0x40003050;
				if (0 == 0xd6) goto 0x40003050;
				if (0 == 0xd7) goto 0x40003050;
				if (0 == 0xd8) goto 0x40003050;
				if (0 == 0xd9) goto 0x40003050;
				if ( *((intOrPtr*)(_t486 + 0x26)) == r15b) goto 0x4000303d;
				 *((char*)(_t486 + 0x27)) = 1;
				 *(_t486 + 0x18) = GetTickCount();
				r15d =  *((intOrPtr*)(_t584 + 0x44));
				goto 0x40002787;
				_t467 =  *((intOrPtr*)(_t486 + 8));
				if (_t467 == 0) goto 0x40003075;
				_t264 =  *_t467 & 0x000000ff;
				if (_t264 == 2) goto 0x40003075;
				if (_t264 == 4) goto 0x40003075;
				if (_t264 - 5 < 0) goto 0x40003079;
				 *(_t583 - 0x58) =  *0x40128c50;
				goto 0x40003079;
				 *(_t583 - 0x58) = _t588;
				_t582 =  *_t486;
				r12d =  *((intOrPtr*)(_t486 + 0x1c));
				_t558 =  *(_t583 - 0x50);
				_t423 = E000000011400B1790(_t582,  *((intOrPtr*)(_t583 - 0x18)));
				if (_t423 == 0) goto 0x40003099;
				if (_t423 != 0) goto 0x400030a7;
				if ( *((intOrPtr*)(_t582 + 0x10)) == 0) goto 0x400030a7;
				goto 0x400030a9;
				_t299 =  *0x40128c28; // 0x2
				_t267 =  *0x4012357c; // 0xa
				if (_t299 - _t267 < 0) goto 0x400030e8;
				if (_t299 - _t267 + 2 >= 0) goto 0x400030f5;
				if (0 == 0xe0) goto 0x400030e8;
				if (0 == 0xcc) goto 0x400030e8;
				if (0 == 0xda) goto 0x400030e8;
				if (0 == 0xdb) goto 0x400030e8;
				if (0 == 0xd6) goto 0x400030e8;
				if (0 == 0xd7) goto 0x400030e8;
				if (0 == 0xd8) goto 0x400030e8;
				if (0 != 0xd9) goto 0x400030f5;
				_t470 =  *0x401235a8; // 0x2990b70
				if (r12d -  *((intOrPtr*)(_t470 + 0x3c)) >= 0) goto 0x40003170;
				if (_t601 == 0) goto 0x40003113;
				DragFinish(??);
				 *((long long*)( *(_t584 + 0x60) + 0xa0)) = _t558;
				r14d =  *((intOrPtr*)(_t584 + 0x70));
				goto 0x40003115;
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				r15d =  *((intOrPtr*)(_t584 + 0x44));
				r13d =  *(_t583 + 0x1420) & 0x000000ff;
				r14d =  *((intOrPtr*)(_t584 + 0x40));
				if (r14d != 0x41b) goto 0x40001d1f;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *(_t583 - 0x48) + 0x10)))) + 0x10))();
				r15d =  *((intOrPtr*)(_t584 + 0x44));
				r12d =  *((intOrPtr*)(_t583 + 0x1410));
				r13d =  *(_t583 + 0x1420) & 0x000000ff;
				goto 0x40001d1f;
				 *((char*)(_t584 + 0x44)) = 1;
				if (r14d == 0x402) goto 0x400031f4;
				if (r14d - 0x413 <= 0) goto 0x400031aa;
				if (r14d - 0x415 <= 0) goto 0x40003241;
				if (r14d - 0x41a <= 0) goto 0x400031aa;
				if (r14d - 0x41e <= 0) goto 0x40003241;
				_t473 =  *0x4012b050; // 0x1400ef524
				 *0x4012b058 = _t473;
				_t270 =  *0x4012b0f4; // 0x0
				 *0x4012b0f8 = _t270;
				if (r14d != 0x401) goto 0x400031d7;
				goto 0x400031df;
				 *0x4012b050 =  *((intOrPtr*)( *((intOrPtr*)(_t583 - 0x18)) + 0x20));
				 *0x4012b0f4 = GetTickCount();
				goto 0x40003241;
				r8d = 0x104;
				E000000011400D8154(_t299, _t335, 0x4012ac38,  *_t558, _t558, _t586);
				r14d = 0;
				 *0x4012ae40 = r14w;
				r8d = 0x104;
				E000000011400D8154(_t299, _t335, 0x4012ae42,  *((intOrPtr*)( *((intOrPtr*)(_t558 + 0x20)))), _t558, _t586);
				 *0x4012b04a = r14w;
				 *0x4012ac30 = _t558;
				goto 0x40003244;
				r14d = 0;
				_t559 =  *0x401295f8; // 0x2980f00
				if ( *((char*)(_t559 + 0x23)) != 0) goto 0x40003255;
				_t560 =  *((intOrPtr*)(_t559 + 0x10));
				if (( *(_t560 + 0x21) & 0x00000008) == 0) goto 0x40003263;
				0x40001130();
				if (( *(_t560 + 0x23) & 0x000000ff) != 1) goto 0x40003286;
				if (( *(_t560 + 0x21) & 0x00000004) == 0) goto 0x40003280;
				_t275 = E0000000114004E240(_t334, 0x4012ae42, _t486, 0x4012a580, _t560, _t560, _t583, _t586, _t587, _t590 >> 0x10,  *(_t584 + 0x60));
				goto 0x400032e9;
				if (_t275 != 2) goto 0x400032e2;
				_t540 =  *0x4012b1f0; // 0x0
				if (_t540 != 0) goto 0x400032e9;
				if (IsClipboardFormatAvailable(??) != 0) goto 0x400032c2;
				IsClipboardFormatAvailable(??);
				_t542 =  !=  ? L"<<>>" : 0x400ef524;
				goto 0x400032e9;
				E00000001140006A20(L"<<>>", _t486, 0x4012a580, _t583, _t590 >> 0x10);
				_t544 =  !=  ?  *0x4012b1e8 : 0x400ef524;
				goto 0x400032e9;
				r8d = 0x7f;
				E000000011400D8154(0xffffffff, _t335, _t583 + 0x1f0, 0x4012a488, _t560, _t586);
				 *((intOrPtr*)(_t583 + 0x2ee)) = r14w;
				r9d = 0;
				r8b = 1;
				E00000001140004C60(r12d, 0, _t486, _t560, _t582, _t583);
				_t281 = GetTickCount();
				 *0x4012b154 = _t281;
				 *0x4012b150 = _t281;
				if ( *((intOrPtr*)(_t584 + 0x70)) + 0xfffffbff - 0x1d > 0) goto 0x4000422e;
				goto __rcx;
			}

0x140002825
0x140002830
0x140002838
0x140002842
0x140002844
0x140002849
0x140002851
0x140002857
0x14000285c
0x140002860
0x140002864
0x14000286c
0x14000286f
0x140002877
0x140002879
0x14000287d
0x140002887
0x14000288a
0x14000288f
0x140002893
0x140002899
0x1400028a1
0x1400028a3
0x1400028a6
0x1400028aa
0x1400028ae
0x1400028ba
0x1400028c0
0x1400028c9
0x1400028d1
0x1400028d9
0x1400028e1
0x1400028e6
0x1400028f7
0x1400028fd
0x140002902
0x140002911
0x14000291e
0x140002926
0x14000292e
0x140002934
0x14000293d
0x140002943
0x14000294a
0x140002956
0x14000295c
0x140002968
0x140002972
0x14000297b
0x140002985
0x14000298e
0x140002994
0x140002998
0x14000299f
0x1400029a4
0x1400029ab
0x1400029b1
0x1400029b3
0x1400029c1
0x1400029c6
0x1400029cd
0x1400029d2
0x1400029d5
0x1400029db
0x1400029de
0x1400029e9
0x1400029f1
0x1400029f8
0x1400029fa
0x1400029ff
0x140002a02
0x140002a05
0x140002a0d
0x140002a14
0x140002a25
0x140002a2e
0x140002a34
0x140002a3b
0x140002a40
0x140002a4a
0x140002a53
0x140002a58
0x140002a60
0x140002a69
0x140002a72
0x140002a78
0x140002a7e
0x140002a84
0x140002a95
0x140002a9b
0x140002aa1
0x140002ab1
0x140002aca
0x140002acd
0x140002ad3
0x140002ada
0x140002ae5
0x140002afb
0x140002b04
0x140002b06
0x140002b17
0x140002b1f
0x140002b23
0x140002b29
0x140002b30
0x140002b37
0x140002b3e
0x140002b4a
0x140002b51
0x140002b64
0x140002b66
0x140002b72
0x140002b7a
0x140002b81
0x140002b86
0x140002b8e
0x140002b9f
0x140002ba5
0x140002bac
0x140002bb7
0x140002bc2
0x140002bcd
0x140002bda
0x140002be1
0x140002be6
0x140002beb
0x140002bed
0x140002bf0
0x140002bfa
0x140002bfc
0x140002c00
0x140002c07
0x140002c14
0x140002c16
0x140002c1a
0x140002c21
0x140002c23
0x140002c27
0x140002c29
0x140002c30
0x140002c37
0x140002c3f
0x140002c45
0x140002c4e
0x140002c53
0x140002c57
0x140002c6a
0x140002c76
0x140002c7c
0x140002c83
0x140002c87
0x140002c92
0x140002c98
0x140002c9d
0x140002ca4
0x140002cab
0x140002cb6
0x140002cc0
0x140002cc6
0x140002ccb
0x140002ccd
0x140002cd5
0x140002cd7
0x140002ce3
0x140002cec
0x140002cf3
0x140002d02
0x140002d0c
0x140002d12
0x140002d19
0x140002d1b
0x140002d25
0x140002d29
0x140002d2e
0x140002d3a
0x140002d41
0x140002d50
0x140002d60
0x140002d68
0x140002d6b
0x140002d70
0x140002d73
0x140002d78
0x140002d7f
0x140002d86
0x140002d8e
0x140002d9a
0x140002dad
0x140002db0
0x140002db5
0x140002dba
0x140002dc1
0x140002dc8
0x140002dd7
0x140002de3
0x140002de5
0x140002de9
0x140002df0
0x140002df2
0x140002df7
0x140002dff
0x140002e06
0x140002e15
0x140002e26
0x140002e2f
0x140002e38
0x140002e41
0x140002e4d
0x140002e54
0x140002e5c
0x140002e62
0x140002e65
0x140002e87
0x140002e97
0x140002e9b
0x140002ea3
0x140002ea7
0x140002eae
0x140002eb2
0x140002eb6
0x140002eba
0x140002ec0
0x140002ec4
0x140002ec8
0x140002eca
0x140002ed1
0x140002ede
0x140002eef
0x140002efa
0x140002efc
0x140002f00
0x140002f05
0x140002f0a
0x140002f11
0x140002f15
0x140002f1c
0x140002f26
0x140002f2f
0x140002f3b
0x140002f52
0x140002f5b
0x140002f68
0x140002f71
0x140002f77
0x140002f7f
0x140002f86
0x140002f8c
0x140002f91
0x140002f95
0x140002f9c
0x140002fa2
0x140002fa7
0x140002fac
0x140002fae
0x140002fb3
0x140002fb6
0x140002fbd
0x140002fc4
0x140002fd6
0x140002fdc
0x140002fdf
0x140002fea
0x140002fec
0x140002ff0
0x140002ff9
0x140002ffe
0x140003009
0x14000300e
0x140003013
0x140003018
0x14000301d
0x140003022
0x140003027
0x14000302c
0x140003031
0x140003037
0x140003039
0x140003043
0x140003046
0x14000304b
0x140003050
0x140003057
0x140003059
0x14000305e
0x140003062
0x140003066
0x14000306f
0x140003073
0x140003075
0x140003079
0x14000307c
0x140003085
0x140003091
0x140003093
0x140003097
0x1400030a0
0x1400030a5
0x1400030a9
0x1400030af
0x1400030b7
0x1400030be
0x1400030c3
0x1400030c8
0x1400030cd
0x1400030d2
0x1400030d7
0x1400030dc
0x1400030e1
0x1400030e6
0x1400030e8
0x1400030f3
0x1400030f8
0x1400030fd
0x140003105
0x14000310c
0x140003111
0x14000311c
0x140003123
0x140003128
0x140003130
0x14000313c
0x14000314d
0x140003150
0x140003155
0x14000315c
0x14000316b
0x140003170
0x14000317c
0x140003185
0x14000318e
0x14000319b
0x1400031a4
0x1400031aa
0x1400031b1
0x1400031b8
0x1400031be
0x1400031cb
0x1400031d5
0x1400031df
0x1400031ec
0x1400031f2
0x1400031f4
0x140003204
0x140003209
0x14000320c
0x140003218
0x14000322b
0x140003230
0x140003238
0x14000323f
0x140003241
0x140003244
0x14000324f
0x140003251
0x140003259
0x14000325e
0x140003269
0x14000326f
0x14000327b
0x140003284
0x140003288
0x14000328a
0x140003294
0x1400032a1
0x1400032a6
0x1400032bc
0x1400032c0
0x1400032c4
0x1400032d8
0x1400032e0
0x1400032e9
0x1400032f6
0x1400032fb
0x140003303
0x140003307
0x14000330f
0x14000331b
0x140003321
0x140003327
0x140003339
0x140003358

APIs

GetTickCount.KERNEL32 ref: 0000000140001D1F
GetTickCount.KERNEL32 ref: 0000000140001D7A
GetMessageW.USER32 ref: 0000000140001DBD
GetTickCount.KERNEL32 ref: 0000000140001DCC
ShowWindow.USER32 ref: 000000014000292E
GetForegroundWindow.USER32(?,?,?,Unk,?,?,AutoHotkey v1.1.33.10,?,00000001400BEDE9), ref: 0000000140002A78
GetWindowThreadProcessId.USER32 ref: 0000000140002A8F
GetClassNameW.USER32 ref: 0000000140002AB1
IsDialogMessageW.USER32 ref: 0000000140002AF3
SetCurrentDirectoryW.KERNEL32(?,?,?,Unk,?,?,AutoHotkey v1.1.33.10,?,00000001400BEDE9), ref: 0000000140002B23
DragFinish.SHELL32 ref: 00000001400030FD
GetTickCount.KERNEL32 ref: 00000001400031E6
wcsncpy.LIBCMT ref: 0000000140003204
wcsncpy.LIBCMT ref: 000000014000322B
IsClipboardFormatAvailable.USER32 ref: 0000000140003299
IsClipboardFormatAvailable.USER32 ref: 00000001400032A6
wcsncpy.LIBCMT ref: 00000001400032F6
GetTickCount.KERNEL32 ref: 000000014000331B

Part of subcall function 0000000140006A20: IsClipboardFormatAvailable.USER32 ref: 0000000140006A48
Part of subcall function 0000000140006A20: IsClipboardFormatAvailable.USER32 ref: 0000000140006A57

Strings

#32770, xrefs: 0000000140002ABE
<<>>, xrefs: 00000001400032B5

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$AvailableClipboardFormat$Windowwcsncpy$Message$ClassCurrentDialogDirectoryDragFinishForegroundNameProcessShowThread
String ID: #32770$<<>>
API String ID: 1535399247-841325503
Opcode ID: cbfecf1ff422bd44c791bbee963b430e5b32c55483aa08b1c5dc10e33de65b74
Instruction ID: 6125f3b008797c1b4bd787c2c73ba375ba1216ef0df276650489a9fc8c5a7d5c
Opcode Fuzzy Hash: cbfecf1ff422bd44c791bbee963b430e5b32c55483aa08b1c5dc10e33de65b74
Instruction Fuzzy Hash: E8327AB2605A908AFB67CF27A8407E937A5F78DBD4F544116EB4A17BB4DB38C885C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014008C940 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 203
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E0000000114008C940(void* __ecx, void* __eflags, void* __rax, long long __rbx, signed int __rcx, signed int __rdx, long long __r14, long long __r15) {
				void* __rdi;
				signed char _t66;
				signed char _t69;
				long _t79;
				int _t84;
				void* _t100;
				void* _t101;
				void* _t102;
				long long _t115;
				long long _t116;
				signed long long _t125;
				signed long long _t129;
				intOrPtr _t142;
				WCHAR* _t153;
				void* _t156;
				void* _t157;
				long _t160;
				intOrPtr* _t161;
				WCHAR* _t163;
				void* _t164;
				void* _t166;
				void* _t167;
				void* _t171;
				void* _t172;
				long _t173;
				WCHAR* _t176;
				long long _t182;

				_t101 = __eflags;
				 *((long long*)(_t166 + 0x18)) = __rbx;
				 *((intOrPtr*)(_t166 + 0x20)) = r9b;
				_t164 = _t166 - 0x203d0;
				E000000011400E12F0(0x204d0, __rax, _t171, _t172);
				_t167 = _t166 - __rax;
				r13d = r8b & 0xffffffff;
				r9d = 0;
				GetFullPathNameW(_t176, _t173);
				asm("repne scasw");
				_t125 =  !(__rcx | 0xffffffff) - 1;
				if (_t101 == 0) goto 0x4008c9af;
				_t102 =  *((short*)(_t164 + 0x3ce + _t125 * 2)) - 0x5c;
				if (_t102 != 0) goto 0x4008c9af;
				 *((short*)(_t164 + 0x3ce + _t125 * 2)) = 0;
				r9d = 0;
				GetFullPathNameW(_t153, _t160);
				asm("repne scasw");
				_t129 =  !(__rdx | 0xffffffff) - 1;
				if (_t102 == 0) goto 0x4008c9f2;
				if ( *((short*)(_t164 + 0x103ce + _t129 * 2)) != 0x5c) goto 0x4008c9f2;
				 *((short*)(_t164 + 0x103ce + _t129 * 2)) = 0;
				_t66 = GetFileAttributesW(_t163); // executed
				if (_t66 == 0xffffffff) goto 0x4008ca2e;
				if ((_t66 & 0x00000010) == 0) goto 0x4008ca2e;
				_t156 = _t164 + 0x3d0;
				asm("repne scasw");
				_t115 = L"\\*.*"; // 0x2a002e002a005c
				 *((long long*)(_t156 - 2)) = _t115;
				 *((short*)(_t156 + 6)) =  *0x400fd428 & 0x0000ffff;
				_t69 = GetFileAttributesW(??); // executed
				if (_t69 == 0xffffffff) goto 0x4008ca6a;
				if ((_t69 & 0x00000010) == 0) goto 0x4008ca6a;
				_t157 = _t164 + 0x103d0;
				asm("repne scasw");
				_t116 = L"\\*.*"; // 0x2a002e002a005c
				 *((long long*)(_t157 - 2)) = _t116;
				 *((short*)(_t157 + 6)) =  *0x400fd428 & 0x0000ffff;
				FindFirstFileW(??, ??); // executed
				if (_t116 != 0xffffffff) goto 0x4008ca9b;
				 *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x20420)))) = GetLastError();
				goto 0x4008cbc2;
				_t161 =  *((intOrPtr*)(_t164 + 0x20420));
				_t37 = _t157 + 0x5c; // 0x5c
				 *((long long*)(_t167 + 0x20500)) = __r14;
				 *((long long*)(_t167 + 0x20508)) = __r15;
				 *_t161 = 0;
				E000000011400D53D8(_t37, _t164 + 0x3d0, _t164 + 0x103d0);
				_t40 = _t157 + 0x5c; // 0x5c
				_t182 = _t116;
				E000000011400D53D8(_t40, _t164 + 0x103d0, _t164 + 0x103d0);
				_t42 = _t182 + 2; // 0x2
				r8d = 0x103;
				_t44 = _t116 + 2; // 0x105
				 *((long long*)(_t167 + 0x30)) = _t164 + 0x3d0 - (_t42 - _t164 + 0x3d0 >> 1);
				E000000011400D8154(__ecx, _t100, _t164 + 0x1c0, _t44, _t157, _t164 + 0x103d0);
				 *((short*)(_t164 + 0x3c6)) = 0;
				_t79 = GetTickCount();
				_t142 =  *0x401235a8; // 0x2990b70
				if (_t79 -  *0x4012b154 -  *((intOrPtr*)(_t142 + 0x118)) <= 0) goto 0x4008cb66;
				r9d = 0;
				r8d = 0;
				 *((intOrPtr*)(_t167 + 0x20)) = 0;
				if (PeekMessageW(??, ??, ??, ??, ??) == 0) goto 0x4008cb5a;
				0x40001b20();
				 *0x4012b154 = GetTickCount();
				if (( *(_t167 + 0x70) & 0x00000010) != 0) goto 0x4008cb91;
				asm("repne scasw");
				if ( !(_t167 + 0x00000038 | 0xffffffff) - 1 -  *((intOrPtr*)(_t167 + 0x30)) <= 0) goto 0x4008cbd9;
				 *_t161 = 0x6f;
				_t84 = FindNextFileW(??, ??); // executed
				if (_t84 != 0) goto 0x4008cb17;
				FindClose(??);
				return 1;
			}

0x14008c940
0x14008c940
0x14008c945
0x14008c951
0x14008c95e
0x14008c963
0x14008c966
0x14008c974
0x14008c97c
0x14008c991
0x14008c997
0x14008c99a
0x14008c99c
0x14008c9a5
0x14008c9a7
0x14008c9b6
0x14008c9c1
0x14008c9d4
0x14008c9da
0x14008c9dd
0x14008c9e8
0x14008c9ea
0x14008c9f9
0x14008ca02
0x14008ca06
0x14008ca0a
0x14008ca15
0x14008ca18
0x14008ca1f
0x14008ca2a
0x14008ca35
0x14008ca3e
0x14008ca42
0x14008ca46
0x14008ca51
0x14008ca54
0x14008ca5b
0x14008ca66
0x14008ca76
0x14008ca83
0x14008ca92
0x14008ca96
0x14008ca9b
0x14008caab
0x14008caae
0x14008cab6
0x14008cabe
0x14008cac0
0x14008cac5
0x14008cacf
0x14008cad2
0x14008cad7
0x14008cadb
0x14008caf3
0x14008cb04
0x14008cb09
0x14008cb0e
0x14008cb17
0x14008cb1d
0x14008cb30
0x14008cb37
0x14008cb3a
0x14008cb3f
0x14008cb4b
0x14008cb55
0x14008cb60
0x14008cb6b
0x14008cb77
0x14008cb85
0x14008cb87
0x14008cb99
0x14008cba1
0x14008cbaa
0x14008cbd8

APIs

GetFullPathNameW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008C97C
GetFullPathNameW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008C9C1
GetFileAttributesW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008C9F9
GetFileAttributesW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008CA35
FindFirstFileW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008CA76
GetLastError.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008CA85
wcsncpy.LIBCMT ref: 000000014008CB09
GetTickCount.KERNEL32 ref: 000000014008CB17
PeekMessageW.USER32 ref: 000000014008CB43
GetTickCount.KERNEL32 ref: 000000014008CB5A
FindNextFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140044305), ref: 000000014008CB99
FindClose.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140044305), ref: 000000014008CBAA
MoveFileW.KERNEL32 ref: 000000014008CC2C
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140044305), ref: 000000014008CC46
MoveFileW.KERNEL32 ref: 000000014008CC5E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140044305), ref: 000000014008CC6C
CopyFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140044305), ref: 000000014008CC85
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140044305), ref: 000000014008CC93

Strings

\*.*, xrefs: 000000014008CA18, 000000014008CA54

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCountFullMoveNamePathTick$CloseCopyDeleteFirstMessageNextPeekwcsncpy
String ID: \*.*
API String ID: 1382292860-1173974218
Opcode ID: 93ad471921eafe7816c1af4627e324ff7383117325cec5e03f151b724c005d2d
Instruction ID: e60ec737be68cdb534010b622d86d69de11ae3cd3de5d12abe8ecca18e8dfd7b
Opcode Fuzzy Hash: 93ad471921eafe7816c1af4627e324ff7383117325cec5e03f151b724c005d2d
Instruction Fuzzy Hash: 72916032210A8086E7628F76E841BE973B4F748BE9F405316FB69676E4DB74C649C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140029859 Relevance: 21.3, APIs: 4, Strings: 8, Instructions: 305
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 39%

			E00000001140029859(void* __eax, void* __esi, void* __rax, long long __rbx, void* __rcx, signed int* __rdx, intOrPtr* __rdi, void* __rsi, void* __r8, void* __r9, long long __r12, long long __r13, char _a32, intOrPtr _a48, long long _a64, intOrPtr _a80, char _a96, intOrPtr _a350, void* _a384, void* _a392, void* _a400) {
				void* _t39;
				void* _t45;
				void* _t46;
				signed int _t47;
				void* _t48;
				void* _t51;
				void* _t52;
				void* _t61;
				intOrPtr* _t62;
				long long _t64;
				long long _t65;
				long long _t68;
				long long _t69;
				void* _t76;
				long long _t77;
				long long* _t78;
				long long _t79;
				long long* _t80;
				intOrPtr* _t88;
				void* _t96;

				_t96 = __r9;
				_t95 = __r8;
				_t90 = __rsi;
				_t88 = __rdi;
				_t61 = __rax;
				_t45 = __esi;
				 *__rdi =  *__rdi + 0xbb0;
				_t47 =  *__rdx & 0x00000bb0;
				 *((intOrPtr*)(__rax - 0x75)) =  *((intOrPtr*)(__rax - 0x75)) + 0xbb0;
				 *((long long*)(__rax + 8)) = __rbx;
				 *0x4012c514 = r8d;
				r8d = 0;
				 *((long long*)(__rax + 0x10)) = __r12;
				 *((long long*)(__rax + 0x18)) = __r13;
				_t8 = _t95 + 1; // 0x1
				E00000001140001820(_t8, __rbx, __rcx, __rsi);
				r8d = 0x7f;
				E000000011400D8154(0xbb0, _t46,  &_a96, _t61, __rdi, __r8);
				_t68 =  *0x401235a8; // 0x2990b70
				 *0x40128c28 =  *0x40128c28 + 1;
				_t69 = _t68 + 0x150;
				r13d = 0;
				r8d = 0x150;
				_a350 = r13w;
				 *0x401235a8 = _t69;
				E000000011400D5880(0xbb0, _t47, _t69, 0x40127520, __r8);
				 *((intOrPtr*)(_t69 + 0x3c)) = r13d;
				0x40028e60();
				_t48 =  *0x40128c74 - r13d; // 0x0
				 *0x4012b140 = __r13;
				if (_t48 == 0) goto 0x4002991f;
				_t62 =  *0x40125128; // 0x8919e0
				if (_t62 == 0) goto 0x40029919;
				_t76 =  !=  ?  *_t62 : 0x400ef524;
				SetCurrentDirectoryW(??);
				_t77 =  *0x4012a4b8; // 0x8941d0
				r12d =  *0x40123574; // 0x0
				 *0x4012b3bb = 1;
				_t51 = _t77 -  *0x4012a4c0; // 0x894db8
				 *0x40123574 = r13d;
				if (_t51 != 0) goto 0x40029950;
				E00000001140007350();
				_t78 =  *0x4012a4b8; // 0x8941d0
				_t52 = _t78 -  *0x4012a4b0; // 0x8941d0
				if (_t52 < 0) goto 0x4002996a;
				_t64 =  *0x4012ac20; // 0x2981df0
				 *_t78 = _t64;
				_t79 =  *0x4012a4b8; // 0x8941d0
				_t80 = _t79 + 0x18;
				_t65 = L"OnExit";
				 *0x4012a4b8 = _t80;
				 *((long long*)(_t80 + 8)) = _t65;
				 *_t80 = __r13;
				 *((intOrPtr*)(_t80 + 0x10)) = r13d;
				 *0x40125664 = r13b;
				if ( *((intOrPtr*)(_t88 + 0xb30)) == 0) goto 0x400299b3;
				if (E00000001140001930(_t69,  *((intOrPtr*)(_t88 + 0xb30)), _t96) == 0) goto 0x400299b3;
				_t39 =  ==  ? r13d : 1;
				 *0x40125664 = 1;
				if (1 == 0) goto 0x40029a10;
				_a48 = r13d;
				0x40074fb0();
				r9d = r13d;
				_a32 = _t65;
				r9b =  *((intOrPtr*)(_t88 + 0xb30)) == _t96;
				r8d = 2;
				_a64 =  *0x4012c514;
				_a80 = 1;
				E000000011400B1910(_t69, _t88 + 0xae0,  &_a32, _t90);
				_t41 =  ==  ? r13d : 1;
				 *0x4012a4b8 =  *0x4012a4b8 - 0x18;
				 *0x4012b3bb = r13b;
				_t59 =  ==  ? r13d : 1;
				if (( ==  ? r13d : 1) != 0) goto 0x40029a61;
				if (_t45 - 0xffffffff <= 0) goto 0x40029a61;
				0x40004db0();
				 *0x40123574 = r12d;
				return 8;
			}

0x140029859
0x140029859
0x140029859
0x140029859
0x140029859
0x140029859
0x14002985e
0x140029860
0x140029864
0x14002986c
0x140029870
0x140029877
0x14002987a
0x14002987e
0x140029882
0x140029886
0x140029890
0x140029899
0x14002989e
0x1400298a5
0x1400298ab
0x1400298b9
0x1400298bf
0x1400298c5
0x1400298ce
0x1400298d5
0x1400298e3
0x1400298e7
0x1400298ec
0x1400298f3
0x1400298fa
0x1400298fc
0x14002990d
0x140029915
0x140029919
0x14002991f
0x140029926
0x14002992d
0x140029934
0x14002993b
0x140029942
0x140029944
0x140029949
0x140029950
0x140029957
0x140029959
0x140029960
0x140029963
0x14002996a
0x14002996e
0x140029977
0x14002997e
0x140029982
0x140029985
0x140029990
0x14002999a
0x1400299a3
0x1400299af
0x1400299b3
0x1400299bc
0x1400299be
0x1400299c3
0x1400299c8
0x1400299d2
0x1400299ea
0x1400299ee
0x1400299f4
0x1400299f9
0x140029a01
0x140029a0c
0x140029a10
0x140029a18
0x140029a27
0x140029a31
0x140029a36
0x140029a3d
0x140029a42
0x140029a60

APIs

wcsncpy.LIBCMT ref: 0000000140029899

Part of subcall function 0000000140028E60: Shell_NotifyIconW.SHELL32 ref: 0000000140028F4E

SetCurrentDirectoryW.KERNEL32 ref: 0000000140029919
IsWindow.USER32 ref: 0000000140029D01
DestroyWindow.USER32 ref: 0000000140029D1E

Strings

step_out, xrefs: 0000000140029C69
run, xrefs: 0000000140029C84
step_over, xrefs: 0000000140029C72
<response command="%s" status="%s" reason="%s" transaction_id="%e"/>, xrefs: 0000000140029CD1
stopped, xrefs: 0000000140029CBF
error, xrefs: 0000000140029CAD
OnExit, xrefs: 000000014002996E
step_into, xrefs: 0000000140029C7B

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$CurrentDestroyDirectoryIconNotifyShell_wcsncpy
String ID: <response command="%s" status="%s" reason="%s" transaction_id="%e"/>$OnExit$error$run$step_into$step_out$step_over$stopped
API String ID: 1905601840-3035628982
Opcode ID: e7283f66ec6cb37837c9e0c96729dffca8c93a064c85142565b55d5d2d8bfde9
Instruction ID: 1d54c63ffe01afde971bc3960438c0f8860906b47636c887e65b35ef2c51ccc8
Opcode Fuzzy Hash: e7283f66ec6cb37837c9e0c96729dffca8c93a064c85142565b55d5d2d8bfde9
Instruction Fuzzy Hash: 25E189B2604B8086EB16DB26F8943D977A4F78CB98F98011AEB4E137B5CB7DC855C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B9160 Relevance: 19.7, APIs: 13, Instructions: 164
windowlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00000001400B9193
EnumResourceNamesW.KERNEL32 ref: 00000001400B91FB
FindResourceW.KERNEL32 ref: 00000001400B9218
LoadResource.KERNEL32 ref: 00000001400B922D
LockResource.KERNEL32 ref: 00000001400B923F
GetSystemMetrics.USER32 ref: 00000001400B925F
FindResourceW.KERNEL32 ref: 00000001400B92D5
LoadResource.KERNEL32 ref: 00000001400B92E9
LockResource.KERNEL32 ref: 00000001400B92F7
SizeofResource.KERNEL32 ref: 00000001400B930B
CreateIconFromResourceEx.USER32 ref: 00000001400B932E
ExtractIconW.SHELL32 ref: 00000001400B938A

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Resource$Load$FindIconLock$CreateEnumExtractFromLibraryMetricsNamesSizeofSystem
String ID:
API String ID: 1568753105-0
Opcode ID: 07108b429cd637a163f182f65b0a11cf5f784bc468bfc5dfba0b9df619aeb4db
Instruction ID: c2e7994522f9923cc84b52606a30eb3f5870ec2db40c22b93e1f4a189002035d
Opcode Fuzzy Hash: 07108b429cd637a163f182f65b0a11cf5f784bc468bfc5dfba0b9df619aeb4db
Instruction Fuzzy Hash: AD51B432306F9085EA6A8F57A404BA962F0BB4CFD1F484025EF5A57BB5DB3DC942C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003FB36 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 479
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E0000000114003FB36() {
				signed int _t68;
				signed int _t69;
				signed int _t70;
				signed int _t78;
				signed int _t79;
				signed int _t80;
				intOrPtr _t88;
				intOrPtr _t89;
				void* _t91;
				signed short _t115;
				void* _t120;
				void* _t121;
				signed int _t123;
				void* _t161;
				long long _t173;
				long long _t174;
				short* _t175;
				short* _t176;
				void* _t186;
				signed short* _t187;
				signed short* _t188;
				signed short* _t189;
				signed short* _t190;
				signed short* _t192;
				signed short* _t193;
				intOrPtr _t194;
				intOrPtr _t195;
				intOrPtr _t196;
				intOrPtr _t197;
				intOrPtr _t199;
				intOrPtr _t200;
				char* _t203;
				intOrPtr _t205;
				void* _t206;
				void* _t209;
				void* _t210;
				void* _t211;
				intOrPtr _t212;
				long long _t213;
				void* _t214;

				_t205 =  *((intOrPtr*)(_t214 + 0x10));
				if (_t121 == 0) goto 0x4003fb8c;
				_t173 = _t205 - 0xfffffffffffffffe;
				if (_t121 == 0) goto 0x4003fb6f;
				if (_t173 != 5) goto 0x4003fd6b;
				r9d = 0;
				r8d = 0;
				_t194 =  *0x401289c8; // 0x1400ef524
				E00000001140024950(_t91, _t186, _t194, _t205, _t209, _t211, _t213);
				 *((long long*)(_t209 - 0x10)) = _t173;
				goto 0x4003fd8b;
				r9d = 0;
				r8d = 0;
				_t195 =  *0x401289c0; // 0x1400ef524
				E00000001140024950(0, _t186, _t195, _t205, _t209, _t211, _t213);
				 *((long long*)(_t209 - 0x10)) = _t173;
				goto 0x4003fdae;
				_t123 =  *(_t214 + 1) & 0x000000ff;
				if (_t123 == 0) goto 0x4003fe31;
				if (_t123 == 0) goto 0x4003fbc5;
				_t196 =  *0x401289c0; // 0x1400ef524
				if (E000000011400D45AC(_t173, _t196) != 0) goto 0x4003fd3e;
				goto 0x4003fe36;
				_t187 =  *0x401289c0; // 0x1400ef524
				_t68 =  *_t187 & 0x0000ffff;
				if (_t68 == 0x20) goto 0x4003fbdf;
				if (_t68 != 9) goto 0x4003fbe5;
				_t188 =  &(_t187[1]);
				goto 0x4003fbd0;
				_t69 =  *_t188 & 0x0000ffff;
				if (_t69 == 0) goto 0x4003fe31;
				if (_t69 == 0x2d) goto 0x4003fbfd;
				if (_t69 != 0x2b) goto 0x4003fc01;
				_t189 =  &(_t188[1]);
				if ( *_t189 != 0x30) goto 0x4003fc31;
				_t7 =  &(_t189[1]); // 0x65004d00000000
				_t70 =  *_t7 & 0x0000ffff;
				if (_t70 == 0x78) goto 0x4003fc17;
				if (_t70 != 0x58) goto 0x4003fc31;
				_t8 =  &(_t189[2]); // 0x6e0065004d0000
				if (E000000011400D46B4(_t91,  *_t8 & 0x0000ffff) == 0) goto 0x4003fc31;
				_t190 =  &(_t189[2]);
				goto 0x4003fc35;
				 *((intOrPtr*)(_t210 + 0x70)) = 0;
				_t115 =  *_t190 & 0x0000ffff;
				 *((long long*)(_t209 - 0x80)) = _t173;
				if (_t115 == 0x20) goto 0x4003fd10;
				if (_t115 == 9) goto 0x4003fd0d;
				if (_t115 == 0) goto 0x4003fd09;
				if (_t115 != 0x2e) goto 0x4003fc7c;
				if (0 != 0) goto 0x4003fd3e;
				if (_t173 != 0) goto 0x4003fd3e;
				_t120 = _t205 - 0x2d;
				goto 0x4003fcf8;
				if (_t173 == 0) goto 0x4003fc98;
				if ((0 | E000000011400D7324(_t91, _t173, _t196, L"Read") == 0x00000000) == 0) goto 0x4003fceb;
				goto 0x4003fca0;
				if (_t205 - 0x30 - 9 <= 0) goto 0x4003fceb;
				if (E000000011400145C0(_t115 & 0x0000ffff) != 0x45) goto 0x4003fd3e;
				if (_t120 == 0) goto 0x4003fd3e;
				if ( *((intOrPtr*)(_t210 + 0x70)) == 0) goto 0x4003fd3e;
				_t16 =  &(_t190[1]); // 0x65004d00000000
				_t78 =  *_t16 & 0x0000ffff;
				if (_t78 == 0x2d) goto 0x4003fcd1;
				if (_t78 != 0x2b) goto 0x4003fcd5;
				_t17 =  &(_t190[2]); // 0x4d000000000000
				_t79 =  *_t17 & 0x0000ffff;
				if (_t79 - 0x30 < 0) goto 0x4003fd3e;
				if (_t79 - 0x39 > 0) goto 0x4003fd3e;
				goto 0x4003fcf4;
				 *((intOrPtr*)(_t210 + 0x70)) = 1;
				_t174 =  *((intOrPtr*)(_t209 - 0x80));
				_t192 =  &(_t190[2]);
				if (( *_t192 & 0x0000ffff) == 0x20) goto 0x4003fd0d;
				goto 0x4003fc50;
				goto 0x4003fd2b;
				_t80 =  *_t192 & 0x0000ffff;
				if (_t80 == 0x20) goto 0x4003fd1f;
				if (_t80 != 9) goto 0x4003fd25;
				_t193 =  &(_t192[1]);
				goto 0x4003fd10;
				if ( *_t193 != 0) goto 0x4003fd3e;
				if (1 == 0) goto 0x4003fd3e;
				if (_t120 != 0) goto 0x4003fe2c;
				r9d = 0;
				r8d = 0;
				_t197 =  *0x401289c0; // 0x1400ef524
				E00000001140024950(0, _t193, _t197, _t205, _t209, _t211, _t213);
				 *((long long*)(_t209 - 0x10)) = _t174;
				dil =  *((intOrPtr*)(_t209 - 0x10)) != _t174;
				_t206 = _t205 + 3;
				if (_t206 == 3) goto 0x4003fdea;
				if (_t206 == 4) goto 0x4003fdae;
				if (_t206 - 8 <= 0) goto 0x4003fe36;
				_t161 = _t206 - 0xa;
				if (_t161 > 0) goto 0x4003fe36;
				E00000001140027300();
				 *((intOrPtr*)(_t209 - 0x40)) = 0;
				 *((intOrPtr*)(_t209 - 0x50)) = 1;
				if (_t161 == 0) goto 0x4003fddb;
				 *((intOrPtr*)(_t209 - 0x40)) = 0;
				goto 0x4003fddb;
				_t199 =  *0x401289d0; // 0x1400ef524
				_t88 = E00000001140027290(_t199, L"Read");
				 *((intOrPtr*)(_t209 - 0x40)) = _t88;
				_t175 =  *0x401289d8; // 0x1400ef524
				if ( *_t175 != 0x31) goto 0x4003fdd7;
				 *((char*)(_t209 - 0x50)) = 1;
				if ( *((short*)(_t175 + 2)) == 0) goto 0x4003fddb;
				 *((char*)(_t209 - 0x50)) = 0;
				if (_t88 == 0) goto 0x40045760;
				goto 0x4003fe36;
				_t200 =  *0x401289c8; // 0x1400ef524
				_t89 = E00000001140027290(_t200, L"Read");
				 *((intOrPtr*)(_t209 - 0x40)) = _t89;
				if (_t89 == 0) goto 0x40045780;
				_t176 =  *0x401289d0; // 0x1400ef524
				if ( *_t176 != 0x31) goto 0x4003fe21;
				if ( *((short*)(_t176 + 2)) != 0) goto 0x4003fe21;
				 *((char*)(_t209 - 0x50)) = 1;
				goto 0x4003fe36;
				 *((char*)(_t209 - 0x50)) = 0;
				goto 0x4003fe36;
				 *((char*)(_t209 + 0xa28)) = 0;
				r9d = 0;
				 *((long long*)(_t209 - 0x70)) = _t213;
				_t203 =  *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x68)) + 0x28));
				 *((long long*)(_t209 - 0x78)) = _t203;
				if ( *_t203 != 0x6c) goto 0x4003fe5e;
				 *((long long*)(_t209 - 0x78)) =  *((intOrPtr*)(_t203 + 0x20));
				goto 0x4003fe61;
				_t212 =  *((intOrPtr*)(_t209 - 0x58));
				 *((long long*)(_t209 - 0x80)) =  *((intOrPtr*)(_t212 + 8));
				 *((long long*)(_t209 - 0x28)) =  *((intOrPtr*)(_t212 + 0x10));
				 *((long long*)(_t209 - 0x30)) =  *((intOrPtr*)(_t212 + 0x18));
				 *((long long*)(_t209 - 0x20)) =  *((intOrPtr*)(_t212 + 0x20));
				 *((long long*)(_t209 - 0x60)) =  *((intOrPtr*)(_t212 + 0x28));
				_t183 =  !=  ? _t193 :  *((intOrPtr*)(_t212 + 8));
				 *((long long*)(_t212 + 8)) =  !=  ? _t193 :  *((intOrPtr*)(_t212 + 8));
				_t60 = _t206 - 2; // 0x0
				if (_t60 - 8 > 0) goto 0x4004038b;
				goto __rax;
			}

0x14003fb36
0x14003fb40
0x14003fb42
0x14003fb46
0x14003fb4c
0x14003fb52
0x14003fb55
0x14003fb5a
0x14003fb61
0x14003fb66
0x14003fb6a
0x14003fb6f
0x14003fb72
0x14003fb77
0x14003fb7e
0x14003fb83
0x14003fb87
0x14003fb91
0x14003fb93
0x14003fb9b
0x14003fba4
0x14003fbb2
0x14003fbc0
0x14003fbc5
0x14003fbd0
0x14003fbd7
0x14003fbdd
0x14003fbdf
0x14003fbe3
0x14003fbe5
0x14003fbeb
0x14003fbf5
0x14003fbfb
0x14003fbfd
0x14003fc05
0x14003fc07
0x14003fc07
0x14003fc0f
0x14003fc15
0x14003fc17
0x14003fc22
0x14003fc29
0x14003fc2f
0x14003fc39
0x14003fc3d
0x14003fc42
0x14003fc49
0x14003fc53
0x14003fc5b
0x14003fc64
0x14003fc68
0x14003fc71
0x14003fc77
0x14003fc7a
0x14003fc7f
0x14003fc94
0x14003fc96
0x14003fc9e
0x14003fcac
0x14003fcb4
0x14003fcbf
0x14003fcc1
0x14003fcc1
0x14003fcc9
0x14003fccf
0x14003fcd5
0x14003fcd5
0x14003fcdd
0x14003fce3
0x14003fce9
0x14003fcf0
0x14003fcf4
0x14003fcf8
0x14003fd02
0x14003fd04
0x14003fd0b
0x14003fd10
0x14003fd17
0x14003fd1d
0x14003fd1f
0x14003fd23
0x14003fd29
0x14003fd2d
0x14003fd38
0x14003fd3e
0x14003fd41
0x14003fd46
0x14003fd4d
0x14003fd52
0x14003fd5e
0x14003fd67
0x14003fd6f
0x14003fd75
0x14003fd7b
0x14003fd81
0x14003fd85
0x14003fd92
0x14003fd99
0x14003fda1
0x14003fda4
0x14003fda9
0x14003fdac
0x14003fdae
0x14003fdb5
0x14003fdbc
0x14003fdbf
0x14003fdca
0x14003fdd1
0x14003fdd5
0x14003fdd7
0x14003fddd
0x14003fde8
0x14003fdea
0x14003fdf1
0x14003fdf6
0x14003fdfc
0x14003fe02
0x14003fe0d
0x14003fe14
0x14003fe16
0x14003fe1f
0x14003fe21
0x14003fe2a
0x14003fe36
0x14003fe3d
0x14003fe40
0x14003fe44
0x14003fe48
0x14003fe4f
0x14003fe58
0x14003fe5c
0x14003fe61
0x14003fe69
0x14003fe71
0x14003fe79
0x14003fe81
0x14003fe89
0x14003fe9a
0x14003fe9e
0x14003fea2
0x14003feaa
0x14003fec1

Strings

Parameter #3 invalid., xrefs: 000000014004576A
Parameter #2 invalid., xrefs: 000000014004578A
Read, xrefs: 000000014003FB9D

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID:
String ID: Parameter #2 invalid.$Parameter #3 invalid.$Read
API String ID: 0-931347957
Opcode ID: 016e779776a931fc25189027d3251cbec06b86824d534bbbd4191abc33581772
Instruction ID: 04ad3ff73bb61134b38dd27d00bc9b9e5fcd992c664dfef08d9941c6251f7b30
Opcode Fuzzy Hash: 016e779776a931fc25189027d3251cbec06b86824d534bbbd4191abc33581772
Instruction Fuzzy Hash: 04229A72A00A4486FB679B2BE8543FE23A1E74CBD4F55412AEF49536F5DB38C882D701

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400914B0 Relevance: 15.9, APIs: 4, Strings: 4, Instructions: 1873
COMMONCrypto

Download Yara Rule

C-Code - Quality: 54%

			E000000011400914B0() {
				signed int _t357;
				signed int _t360;
				void* _t388;
				signed int _t389;
				signed int _t392;
				signed char _t402;
				void* _t411;
				intOrPtr _t415;
				void* _t418;
				void* _t429;
				signed int _t431;
				signed int _t447;
				signed char _t449;
				signed int _t451;
				signed int _t455;
				signed int _t468;
				intOrPtr _t469;
				signed int _t489;
				signed int _t513;
				signed int _t522;
				void* _t549;
				void* _t550;
				void* _t566;
				void* _t572;
				long long* _t587;
				void* _t608;
				void* _t635;
				signed long long _t641;
				intOrPtr _t642;
				signed int _t644;
				signed long long _t645;
				long long _t649;
				intOrPtr _t652;
				signed int _t653;
				void* _t654;
				unsigned long long _t657;
				void* _t664;
				signed long long _t666;
				signed int _t674;
				intOrPtr* _t675;
				intOrPtr _t677;
				void* _t678;
				signed int _t680;
				signed int _t683;
				long long _t696;
				long long _t697;
				void* _t710;
				WCHAR* _t712;
				signed short* _t715;
				signed short* _t716;
				signed int** _t720;
				intOrPtr _t723;
				signed long long _t724;
				signed long long _t727;
				long long _t729;
				intOrPtr _t734;
				short* _t736;
				signed short* _t742;
				WCHAR* _t749;
				void* _t753;
				signed int* _t764;
				intOrPtr _t767;
				signed int _t770;
				signed long long _t771;
				signed long long _t776;
				long long _t789;
				long long _t791;
				intOrPtr* _t793;
				signed long long _t794;
				signed long long _t796;
				long long _t797;
				intOrPtr* _t806;
				signed int _t807;
				signed long long _t822;
				void* _t847;
				signed long long _t848;
				signed long long _t849;
				signed long long _t850;
				signed long long _t851;
				long long _t852;
				WCHAR* _t853;
				char* _t859;
				intOrPtr* _t860;
				long long* _t863;
				void* _t865;
				long long _t866;
				void* _t868;
				signed int _t869;
				WCHAR* _t870;
				intOrPtr* _t874;
				void* _t877;
				signed long long _t886;
				void* _t887;
				signed int* _t888;
				void* _t889;
				void* _t890;
				void* _t891;
				void* _t892;
				void* _t894;
				long long _t896;
				signed int _t899;
				signed int _t907;
				long long _t911;
				long long _t917;
				void* _t922;
				void* _t925;
				void* _t928;
				void* _t934;
				long long _t935;
				long long* _t936;
				long long _t937;
				signed int _t950;
				long long _t951;
				signed int _t953;
				signed long long _t955;
				signed int _t956;
				long _t957;
				signed int _t959;
				WCHAR* _t965;
				long long _t966;
				WCHAR* _t968;
				signed int _t970;
				signed long long* _t971;
				long long* _t973;

				 *((long long*)(_t889 + 0x20)) = _t917;
				 *((long long*)(_t889 + 0x18)) = _t896;
				 *(_t889 + 0x10) = _t451;
				 *((long long*)(_t889 + 8)) = _t729;
				E000000011400E12F0(0x1bb8, _t635, _t922, _t925);
				_t890 = _t889 - _t635;
				_t888 = _t890 + 0x40;
				_t888[0x26] = 0xfffffffe;
				asm("movaps [ebp+0x1b60], xmm6");
				asm("movaps [ebp+0x1b50], xmm7");
				asm("inc esp");
				asm("inc esp");
				asm("inc esp");
				asm("inc esp");
				asm("inc esp");
				asm("inc esp");
				asm("inc esp");
				_t959 =  *(_t888[0x6f8]);
				_t888[0x12] = _t959;
				r14d = 0;
				 *_t888 = r14d;
				_t888[6] = 0x400ef524;
				_t636 =  ==  ?  *0x40128920 : _t635;
				_t888[0x18] =  ==  ?  *0x40128920 : _t635;
				r8d = r14d;
				_t888[1] = r14d;
				r12d = r14d;
				_t888[5] = r14d;
				_t888[0x14] = _t965;
				_t869 =  *((intOrPtr*)((_t451 << 5) +  *((intOrPtr*)(_t729 + 8)) + 0x18));
				asm("repne inc esp");
				asm("repne inc esp");
				asm("repne inc esp");
				asm("repne inc esp");
				asm("repne inc esp");
				asm("inc bp");
				asm("repne inc esp");
				_t888[2] = _t869;
				if ( *((intOrPtr*)(_t869 + 0x10)) == 0x41) goto 0x4009383e;
				_t891 = _t890 - 0x20;
				_t970 = _t891 + 0x40;
				_t888[8] = _t970;
				 *_t970 =  *_t869;
				 *(_t970 + 8) =  *((intOrPtr*)(_t869 + 8));
				 *(_t970 + 0x10) =  *((intOrPtr*)(_t869 + 0x10));
				_t641 =  *((intOrPtr*)(_t869 + 0x18));
				 *(_t970 + 0x18) = _t641;
				_t431 =  *(_t970 + 0x10);
				if (_t431 - 8 >= 0) goto 0x40091b98;
				if (_t431 != 7) goto 0x40093402;
				_t712 =  *(_t970 + 8);
				if (_t712 == 0) goto 0x40091961;
				_t935 =  *_t970;
				_t848 = _t965;
				 *_t970 = 0x400ef524;
				 *(_t970 + 0x10) = r14d;
				if ( *_t935 != _t712) goto 0x400916bc;
				if ( *((short*)(_t712 + _t641 * 2)) != 0) goto 0x400916bc;
				if ( *((char*)(_t935 + 0x28)) == 0) goto 0x400916bc;
				_t642 =  *((intOrPtr*)(_t935 + 8));
				if ( *((char*)(_t642 + 0x23)) != 0) goto 0x40091687;
				if (( *( *((intOrPtr*)(_t642 + 0x10)) + 0x21) & 0x00000002) == 0) goto 0x400916bc;
				 *(_t970 + 0x10) = 6;
				_t734 =  *((intOrPtr*)(_t935 + 8));
				if ( *((char*)(_t734 + 0x23)) != 0) goto 0x400916a4;
				_t736 =  *((intOrPtr*)( *((intOrPtr*)(_t734 + 0x10))));
				 *_t970 = _t736;
				_t644 =  *_t736;
				 *((intOrPtr*)(_t644 + 8))();
				goto 0x40093402;
				if (_t736 == 0) goto 0x40091801;
				if (0x400ef524 - _t736 >= 0) goto 0x400916f1;
				asm("o16 nop [eax+eax]");
				if (_t848 - 0xfd >= 0) goto 0x400916fa;
				 *((short*)(_t888 + 0xa0 + _t848 * 2)) =  *0x400ef524 & 0x0000ffff;
				_t849 = _t848 + 1;
				if (0x400ef524 -  *_t935 < 0) goto 0x400916d0;
				if (_t849 - 0xfd < 0) goto 0x40091704;
				if (0x400ef524 -  *_t935 < 0) goto 0x400917fb;
				_t870 =  *((intOrPtr*)(_t935 + 8));
				_t489 = _t870[0x11] & 0x000000ff;
				if (_t489 == 0) goto 0x400917a0;
				if (_t489 == 0) goto 0x40091744;
				if (_t489 == 0) goto 0x4009172c;
				if (_t489 == 0) goto 0x40091788;
				_t870[0xc]();
				goto 0x400917ab;
				E00000001140006A20(_t644, 0x1400ef526, _t736, _t888, _t935);
				_t928 =  ==  ? _t965 : _t644;
				goto 0x400917ae;
				0x40001130();
				if ( *0x40128c20 != 0) goto 0x4009178d;
				if (_t870[8] != 0) goto 0x4009178d;
				r8d = 0;
				_t56 =  &(_t888[0x20]); // 0x60
				if (GetEnvironmentVariableW(_t968, _t965, _t957) == 0) goto 0x40091781;
				 *0x4012c158 = _t965;
				_t58 = _t644 - 1; // -1
				r11d = _t58;
				goto 0x400917ae;
				 *0x4012c158 = _t870;
				goto 0x400917ae;
				goto 0x400917ae;
				asm("o16 nop [eax+eax]");
				E000000011400BB660(0x1400ef526, _t870[8], _t56, _t870, _t934);
				_t645 = _t644 - _t849;
				if (_t644 - _t645 > 0) goto 0x400917fb;
				_t62 = _t849 * 2; // 0x80
				E000000011400BB660(0x1400ef526,  *((intOrPtr*)(_t935 + 8)), _t888 + _t62 + 0xa0, _t870, _t847);
				_t850 = _t849 + _t645;
				_t715 = 0x1400ef526 + _t645 * 2;
				_t936 = _t935 + 0x18;
				if ( *_t936 != 0) goto 0x400916c5;
				goto 0x40091801;
				goto 0x4009184b;
				_t357 =  *_t715 & 0x0000ffff;
				if (_t357 == 0) goto 0x40091830;
				if (_t850 - 0xfd >= 0) goto 0x40091839;
				 *(_t888 + 0xa0 + _t850 * 2) = _t357;
				_t851 = _t850 + 1;
				_t716 =  &(_t715[1]);
				if (( *_t716 & 0x0000ffff) != 0) goto 0x40091810;
				if (_t851 - 0xfd < 0) goto 0x4009183f;
				if ( *_t716 != 0) goto 0x4009184b;
				if (_t851 != 0) goto 0x4009186e;
				if ( *((intOrPtr*)(_t936 + 0x10)) != dil) goto 0x4009186e;
				if ( *_t936 == 0) goto 0x4009185d;
				_t937 = _t936 + 0x18;
				if ( *_t937 != 0) goto 0x40091852;
				if ( *((char*)(_t937 + 0x10)) != 0) goto 0x40093bdd;
				goto 0x4009199f;
				 *((intOrPtr*)(_t888 + 0xa0 + _t851 * 2)) = r14w;
				if ( *((char*)(_t937 + 0x10)) == 0) goto 0x400918df;
				 *(_t970 + 0x10) = r14d;
				_t80 =  &(_t888[0x28]); // 0x80
				_t742 = _t80;
				_t82 = _t851 + 2; // 0x2
				_t83 = _t851 + _t82 + 0xf; // 0x11
				if (_t83 - _t851 + _t82 > 0) goto 0x4009189b;
				E000000011400E12F0( *_t716 & 0x0000ffff, 0xffffffffffffff0, 0x140000000, _t644);
				_t892 = _t891 - 0xffffffffffffff0;
				_t852 = _t892 + 0x40;
				_t85 =  &(_t888[0x28]); // 0x80
				_t360 =  *_t742 & 0x0000ffff;
				 *(_t742 + _t852 - _t85) = _t360;
				if (_t360 != 0) goto 0x400918c0;
				 *_t970 = _t852;
				goto 0x40093402;
				if (_t888[0x28] == 0) goto 0x40093a38;
				_t88 =  &(_t888[4]); // -16
				_t649 = _t88;
				 *((long long*)(_t892 + 0x28)) = _t649;
				 *((intOrPtr*)(_t892 + 0x20)) = 3;
				_t91 =  &(_t888[0x1f]); // 0x5c
				_t92 =  &(_t888[0x28]); // 0x80
				E0000000114003B1F0(0x4012a580, _t92, _t852, _t91, _t868, _t710);
				if (_t649 != 0) goto 0x40091950;
				 *((intOrPtr*)(_t892 + 0x20)) = (r14d & 0xffffff00 | _t888[4] != 0x00000000) + 1;
				r9d = _t888[0x1f];
				_t98 =  &(_t888[0x28]); // 0x80
				E0000000114003B4F0(0x4012a580, _t98, _t852);
				if (_t649 == 0) goto 0x40093a38;
				 *_t970 = _t649;
				_t853 =  *_t970;
				_t513 = _t853[0x11] & 0x000000ff;
				if (_t513 != 0) goto 0x40091974;
				if (_t513 == 0) goto 0x400919bd;
				if (( *(_t853[8] + 0x23) & 0xff) - 1 != 3) goto 0x400919f6;
				if (_t853[0xc] != 0x140076940) goto 0x400919ab;
				_t652 =  *0x401235a8; // 0x2990b70
				 *_t970 =  *((intOrPtr*)(_t652 + 8));
				 *(_t970 + 0x10) = 1;
				goto 0x40093402;
				if (_t652 != 0x140077300) goto 0x400919f6;
				_t653 =  *0x401235a8; // 0x2990b70
				goto 0x40091994;
				if ( *0x40128c20 != 0) goto 0x40092663;
				if (_t853[0x11] != 0) goto 0x400919d6;
				goto 0x400919d9;
				_t749 = _t853;
				if ((_t749[0x10] & 0x0000000a) != 0) goto 0x40092663;
				if ((r14d & 0xffffff00 | _t749[8] != 0x00000000) != 0) goto 0x40092663;
				_t522 = _t853[0x11] & 0x000000ff;
				if (_t522 == 0) goto 0x40091a80;
				if (_t522 == 0) goto 0x40091a2e;
				if (_t522 == 0) goto 0x40091a19;
				if (_t522 == 0) goto 0x40091a6d;
				_t853[0xc]();
				goto 0x40091a8b;
				E00000001140006A20(_t653, 0x400ef524, _t749, _t888, _t937);
				_t654 =  ==  ? _t965 : _t653;
				goto 0x40091a8b;
				0x40001130();
				if ( *0x40128c20 != 0) goto 0x40091a72;
				if (_t853[8] != 0) goto 0x40091a72;
				r8d = 0;
				_t120 =  &(_t888[0x1e]); // 0x58
				if (GetEnvironmentVariableW(??, ??, ??) == 0) goto 0x40091a66;
				 *0x4012c158 = _t965;
				goto 0x40091a8b;
				 *0x4012c158 = _t853;
				goto 0x40091a8b;
				_t657 = _t853[8] >> 1;
				goto 0x40091a8b;
				E000000011400BB660(0x400ef524, _t853[8], _t120, _t888[2], _t887);
				_t124 = _t657 + 1; // 0x1
				_t822 = _t124;
				if (_t822 != 1) goto 0x40091ac4;
				_t753 =  *_t970;
				if (( *(_t753 + 0x23) & 0x000000ff) != 0) goto 0x40091aa8;
				if (( *( *((intOrPtr*)(_t753 + 0x10)) + 0x23) & 0x000000ff) != 1) goto 0x400926ff;
				 *(_t970 + 0x10) = 4;
				goto 0x40093402;
				if (_t822 - _t888[0x6fc] > 0) goto 0x40091af7;
				_t888[0x12] = _t959 + _t822 * 2;
				goto 0x40091b79;
				if (_t822 - 0x1001 >= 0) goto 0x40091b41;
				_t899 = _t888[0x14];
				if (_t899 - 0x9c40 >= 0) goto 0x40091b41;
				if (_t822 + _t822 + 0xf - _t822 + _t822 > 0) goto 0x40091b24;
				E000000011400E12F0(_t888[0x6fc], 0xfffffff0, 0x140000000, 0x140077300);
				_t888[0x14] = _t899 + _t822;
				goto 0x40091b79;
				if (r12d == 0xc8) goto 0x4009373d;
				E000000011400D4A38(0xfffffff0, 0x400ef524, _t822 + _t822, _t888[2]);
				 *((long long*)(_t888 + 0x2a0 +  *_t888 * 8)) = 0xfffffff0;
				if (0xfffffff0 == 0) goto 0x4009373d;
				r12d = r12d + 1;
				 *_t888 = r12d;
				E000000011400BB660(0x400ef524,  *_t970, 0xfffffff0, _t888[2]);
				 *_t970 = 0xfffffff0;
				 *(_t970 + 8) = _t965;
				 *(_t970 + 0x10) = 5;
				goto 0x4009199f;
				if (0xffffffff != 0x3e) goto 0x400923b4;
				_t664 =  *_t970;
				_t468 =  *(_t664 + 0x11) & 0x000000ff;
				if (_t468 - r8d > 0) goto 0x40093bdd;
				r8d = r8d - _t468;
				_t888[1] = r8d;
				_t149 = r8d * 8; // 0x8c0
				_t720 = _t888 + _t149 + 0x8e0;
				if ( *((intOrPtr*)(_t664 + 8)) != 0) goto 0x40091c5f;
				if (r8d == 0) goto 0x40093bdd;
				r8d = r8d - 1;
				_t888[1] = r8d;
				_t666 = r8d;
				_t153 = _t666 * 8; // 0x8c0
				_t874 = _t888 + _t153 + 0x8e0;
				E00000001140084840(_t666, _t720,  *_t874, _t874);
				if (_t666 != 0) goto 0x40091c4c;
				if (_t468 == 0) goto 0x40091c1c;
				r8d = _t468;
				_t155 =  &(_t720[1]); // 0x8c8
				E000000011400D5880(0xffffffff, _t468, _t155, _t720, _t899 + _t822 << 3);
				r12d = r12d + 1;
				_t888[5] = r12d;
				_t894 = _t892 - 0xfffffffffffffd0;
				_t764 = _t894 + 0x40;
				 *_t720 = _t764;
				_t764[4] = r14d;
				 *( *_t720) = 0x400ef524;
				_t469 = _t468 + 2;
				if (_t469 -  *0x140125464 >= 0) goto 0x40091c5f;
				if ( *((char*)( *_t970 + 0x10)) != 2) goto 0x40093bdd;
				_t161 =  &(_t888[0x28]); // 0x80
				 *(_t970 + 8) = _t161;
				 *(_t970 + 0x18) = _t965;
				_t888[0xc] = _t965;
				_t888[0xe] = _t965;
				_t888[0x10] = r14d;
				 *((char*)(_t894 + 0x30)) =  *_t764 & 0xffffff00 |  *((char*)( *_t970 + 0x10)) == 0x00000002;
				 *((intOrPtr*)(_t894 + 0x28)) = _t469;
				 *((long long*)(_t894 + 0x20)) = _t720 - 8;
				_t175 =  &(_t888[0xc]); // 0x10
				_t388 = E00000001140094340( *_t970, _t720 - 8, 0x40125440, _t175, _t888[0x6f4], _t970); // executed
				if (_t388 == 0) goto 0x400937ec;
				_t389 =  *0x4012a520; // 0x0
				if (_t389 == 3) goto 0x40091d00;
				if (_t389 == 5) goto 0x40091ccb;
				if (_t389 != 4) goto 0x40091d1a;
				_t767 =  *0x4012a4b8; // 0x8941d0
				_t549 = _t389 * (_t767 -  *0x4012a4b0 + 0x18) >> 0x20 -  *0x4012a52c; // 0x0
				if (_t549 >= 0) goto 0x40091d1a;
				_t550 =  *0x4012a4d8 - _t888[0x6f0]; // 0x0
				if (_t550 == 0) goto 0x40091d21;
				_t770 = _t888[0x6f0];
				E000000011400081E0(_t770);
				goto 0x40091d21;
				_t859 = _t888[0x6f0];
				 *0x4012ac20 = _t859;
				_t392 =  *(_t970 + 0x10);
				if (_t392 == 1) goto 0x40092391;
				if (_t392 == 2) goto 0x40092391;
				if (_t392 == 6) goto 0x40092391;
				_t447 = _t888[1];
				_t674 = _t888[2];
				if (_t447 != 0) goto 0x40091d6b;
				if ( *((intOrPtr*)(_t674 + 0x30)) != 0x41) goto 0x40091d6b;
				r15d = _t770 + 1;
				if ( *_t859 == 3) goto 0x4009375f;
				goto 0x40091d9c;
				r15d = r14d;
				if ( *((intOrPtr*)(_t674 + 0x30)) != 0x13) goto 0x40091d99;
				if (_t447 == 0) goto 0x40091d99;
				_t675 =  *((intOrPtr*)(_t874 - 8));
				if ( *((intOrPtr*)(_t675 + 0x10)) != 4) goto 0x40091d99;
				_t723 =  *_t675;
				if (( *(_t723 + 0x23) & 0x000000ff) != 0) goto 0x40091d95;
				if (( *( *((intOrPtr*)(_t723 + 0x10)) + 0x23) & 0x000000ff) == 1) goto 0x40091d9c;
				_t724 = _t965;
				_t860 = _t888[8];
				_t966 =  *_t860;
				if (_t724 == 0) goto 0x4009215d;
				_t677 =  *0x401235a8; // 0x2990b70
				if ( *((intOrPtr*)(_t677 + 0xd8)) != 0x40125440) goto 0x40091dca;
				if (( *(_t724 + 0x22) & 0x22) == 2) goto 0x4009215d;
				if ( *((intOrPtr*)(_t860 + 0x18)) != _t966) goto 0x40091de7;
				_t771 = _t724;
				E000000011400BBA70(_t389 * (_t767 -  *0x4012a4b0 + 0x18) >> 0x20, _t724, _t771,  *((intOrPtr*)(_t860 + 0x18)), _t874, _t888,  *((intOrPtr*)(_t860 + 8)));
				r14d = 0;
				goto 0x40092113;
				asm("repne scasw");
				_t566 = _t966 -  *0x4012a3f0; // 0x2991c90
				if (_t566 != 0) goto 0x40091e2c;
				if ( !(_t771 | 0xffffffff) - 1 - 0x40 < 0) goto 0x40091e2c;
				E000000011400BBA70(_t389 * (_t767 -  *0x4012a4b0 + 0x18) >> 0x20, _t724, _t724, _t966, _t874, _t888,  !(_t771 | 0xffffffff) - 1);
				r14d = 0;
				 *0x4012a3f0 = _t966;
				 *0x4012a3f8 = _t966;
				goto 0x40092113;
				_t455 =  *(_t724 + 0x23) & 0x000000ff;
				if (_t455 != 0) goto 0x40091e54;
				 *((char*)(_t894 + 0x20)) = 1;
				r9d = 0;
				_t776 =  *((intOrPtr*)(_t724 + 0x10));
				E000000011400BB210(_t724, _t776, _t966, _t966,  !(_t771 | 0xffffffff) - 0x00000001 | 0xffffffff);
				r14d = 0;
				goto 0x400920e0;
				r8b = 1;
				if (_t966 != 0) goto 0x40091e6d;
				r8b = 0;
				goto 0x40091e8c;
				if ( *(_t724 + 8) != 0x400ef524) goto 0x40091e7c;
				goto 0x40091e8f;
				asm("repne scasw");
				_t877 =  !(_t776 | 0xffffffff) - 1;
				_t678 = _t877 + 1;
				_t863 = _t678 + _t678;
				if (_t455 != 2) goto 0x40091eaf;
				0x40006c80();
				r14d = 0;
				goto 0x400920e0;
				_t572 = _t863 -  *0x40123580; // 0x4000000
				if (_t572 <= 0) goto 0x40091edc;
				if (_t863 -  *(_t724 + 0x18) <= 0) goto 0x40091edc;
				0x4004d730();
				r14d = 0;
				goto 0x400920e0;
				if (_t678 - 2 >= 0) goto 0x40091f01;
				r14d = 0;
				r8d = 0;
				E000000011400BB8C0((r14d & 0xffffff00 | r8b != 0x00000000) + 3, _t724, _t724, _t877, _t888);
				goto 0x40092113;
				_t402 =  *(_t724 + 0x21) & 0x000000ff;
				if ((_t402 & 0x00000002) == 0) goto 0x40091f17;
				 *(_t724 + 0x21) = _t402 & 0x0000003d;
				 *((intOrPtr*)( *((intOrPtr*)( *_t724)) + 0x10))();
				 *(_t724 + 0x21) =  *(_t724 + 0x21) & 0x00000082;
				_t907 =  *(_t724 + 0x18);
				if (_t863 - _t907 <= 0) goto 0x400920ea;
				_t449 =  *(_t724 + 0x20) & 0x000000ff;
				if (_t449 - 1 <= 0) goto 0x40091f48;
				if ((_t449 & 0x000000ff) == 2) goto 0x40091f97;
				_t680 = _t888[0x22];
				goto 0x40092097;
				if (_t863 - 0x80 > 0) goto 0x40091f97;
				if (_t863 - 8 > 0) goto 0x40091f5f;
				r12d = 8;
				goto 0x40091f72;
				r12d = 0x80;
				r12d =  <=  ? 0x10 : r12d;
				E000000011400B3FC0(_t449, _t888[0x1a]);
				_t888[0x22] = _t680;
				if (_t680 == 0) goto 0x40093791;
				 *(_t724 + 0x20) = 1;
				goto 0x40092097;
				if (_t863 - 0x20 >= 0) goto 0x40091fa8;
				r12d = 0x20;
				goto 0x4009204d;
				if (_t863 - 0x208 >= 0) goto 0x40091fbc;
				r12d = 0x208;
				goto 0x4009204d;
				if (_t863 - 0x50000 >= 0) goto 0x40092009;
				asm("pxor xmm0, xmm0");
				asm("repne dec eax");
				_t587 = _t863;
				if (_t587 >= 0) goto 0x40091fd8;
				asm("repne inc ecx");
				asm("repne inc ecx");
				asm("inc cx");
				if (_t587 <= 0) goto 0x40091fff;
				asm("repne inc ecx");
				asm("inc cx");
				if (_t587 >= 0) goto 0x40091fff;
				asm("repne dec esp");
				goto 0x4009204d;
				if (_t863 - 0x320000 >= 0) goto 0x4009201b;
				goto 0x4009204d;
				if (_t863 - 0xc80000 >= 0) goto 0x40092046;
				goto 0x4009204d;
				_t228 = _t863 + 0x20000; // 0x20000
				_t683 =  *0x40123580; // 0x4000000
				_t950 =  >  ? _t683 : _t228;
				_t888[0x1a] = _t950;
				if (_t449 != 2) goto 0x40092077;
				if (_t907 == 0) goto 0x40092077;
				dil = 1;
				E000000011400D4AF8(_t683,  *(_t724 + 8));
				goto 0x4009207a;
				dil = 0;
				if (_t950 < 0) goto 0x400920a5;
				_t411 = E000000011400D4A38(_t683, _t724, _t950, _t877);
				_t888[0x22] = _t683;
				if (_t683 == 0) goto 0x400920a5;
				 *(_t724 + 0x20) = 2;
				 *(_t724 + 8) = _t683;
				 *(_t724 + 0x18) = _t950;
				 *(_t724 + 0x21) =  *(_t724 + 0x21) & 0x0000007f;
				goto 0x400920ea;
				r14d = 0;
				if (dil == 0) goto 0x400920be;
				 *(_t724 + 0x18) = 0x400ef524;
				 *(_t724 + 8) = 0x4012a488;
				goto 0x400920c6;
				 *( *(_t724 + 8)) = r14w;
				 *((long long*)(_t724 + 0x10)) = 0x400ef524;
				0x4004d730();
				if (_t411 == 0) goto 0x40093791;
				goto 0x40092113;
				if ( *(_t724 + 8) == 0x400ef524) goto 0x400920ff;
				E000000011400D5880(_t449,  *(_t724 + 8) - 0x400ef524,  *(_t724 + 8), 0x400ef524, _t877 + _t877);
				_t789 = _t877 + _t877;
				r14d = 0;
				 *((intOrPtr*)(_t789 +  *(_t724 + 8))) = r14w;
				 *((long long*)(_t724 + 0x10)) = _t789;
				if (r15d != 0) goto 0x400937b0;
				_t888[1] = _t888[1] - 1;
				_t971 = _t888[8];
				_t971[3] =  *((intOrPtr*)(_t888[2] + 0x38));
				 *_t971 = _t724;
				_t971[2] = 4;
				if (_t888[0xc] == 0) goto 0x400916b0;
				_t255 =  &(_t888[0x10]); // 0x20
				_t256 =  &(_t888[0xe]); // 0x18
				E000000011400BBD50(_t724, _t888[0xc], _t256, _t863, _t888[2] + 0x20, _t255, _t971);
				goto 0x4009199f;
				_t791 =  *(_t863 + 0x18);
				if (_t791 == 0) goto 0x40092197;
				if (_t429 == 0xc8) goto 0x400937b2;
				r8d = 0;
				_t461 =  ==  ? r8d : 1;
				 *((long long*)(_t888 + 0x2a0 +  *_t888 * 8)) = _t791;
				 *_t888 = _t429 + 1;
				goto 0x4009219a;
				r8d = 0;
				 *(_t863 + 0x18) = _t950;
				if ( *0x400ef524 != 0) goto 0x400921e6;
				 *_t863 = 0x400ef524;
				 *(_t863 + 0x10) = 5;
				r14d = 0;
				 *((long long*)(_t863 + 8)) = 0x400ef524;
				if (_t888[0xc] == 0) goto 0x40092388;
				_t265 =  &(_t888[0x10]); // 0x20
				_t911 = _t265;
				_t266 =  &(_t888[0xe]); // 0x18
				E000000011400BBD50(0x400ef524, _t888[0xc], _t266, _t863, _t888[2] + 0x20, _t911, _t863);
				goto 0x40093402;
				if ( *L"SysListView32" == 0) goto 0x40092200;
				_t606 =  ==  ? r8d : 1;
				if (( ==  ? r8d : 1) == 0) goto 0x40092244;
				goto 0x40092244;
				_t608 = 0x400ef524 -  *0x4012a3f0; // 0x2991c90
				if (_t608 == 0) goto 0x40092210;
				goto 0x40092240;
				if (r15d != 0) goto 0x40092240;
				_t793 = _t888[2] + 0x30;
				_t415 =  *_t793;
				if (_t415 == 0x41) goto 0x40092244;
				if (_t415 == 0x3e) goto 0x40092239;
				_t794 = _t793 + 0x20;
				if ( *_t794 != 0x41) goto 0x40092227;
				goto 0x40092244;
				goto 0x40092244;
				_t973 = _t863;
				 *((long long*)(_t863 + 8)) = _t911;
				 *(_t863 + 0x10) = 5;
				if (1 == 0) goto 0x40092360;
				asm("repne scasw");
				_t796 =  !(_t794 | 0xffffffff);
				_t727 = _t796;
				_t951 = _t888[0x12];
				if (_t796 -  *(_t888[0x6fc]) - (_t951 -  *(_t888[0x6fa]) >> 1) > 0) goto 0x400922b6;
				_t865 = _t796 + _t796;
				_t797 = _t951;
				_t418 = E000000011400D5880(_t449, _t796 -  *(_t888[0x6fc]) - (_t951 -  *(_t888[0x6fa]) >> 1), _t797, 0x400ef524, _t865);
				 *_t973 = _t951;
				_t888[0x12] = _t951 + _t865;
				goto 0x40092363;
				if (_t797 - 0x1001 >= 0) goto 0x40092315;
				_t953 = _t888[0x14];
				if (_t953 - 0x9c40 >= 0) goto 0x40092315;
				if (_t797 + _t797 + 0xf - _t797 + _t797 > 0) goto 0x400922e3;
				E000000011400E12F0(_t418, 0xfffffff0, 0x140000000, 0x140077300);
				_t866 = _t894 - 0xffffffffffffff0 + 0x40;
				E000000011400D5880(_t449, _t797 + _t797 + 0xf - _t797 + _t797, _t866, 0x400ef524, _t727 + _t727);
				_t696 = _t866;
				 *_t973 = _t696;
				_t888[0x14] = _t953 + _t727;
				goto 0x40092363;
				_t955 =  *_t888;
				if (r12d == 0xc8) goto 0x400937cf;
				E000000011400D4A38(_t696, _t727, _t866 + _t866, _t888[2]);
				 *((long long*)(_t888 + 0x2a0 + _t955 * 8)) = _t696;
				if (_t696 == 0) goto 0x400937cf;
				E000000011400D5880(_t449, _t696, _t696, 0x400ef524, _t727 + _t727);
				_t697 = _t696;
				 *_t973 = _t697;
				r12d = r12d + 1;
				 *_t888 = r12d;
				goto 0x40092363;
				 *_t973 = 0x400ef524;
				if (_t888[0xc] == 0) goto 0x4009237e;
				_t293 =  &(_t888[0x10]); // 0x20
				_t294 =  &(_t888[0xe]); // 0x18
				E000000011400BBD50(_t727, _t888[0xc], _t294, _t696, _t888[2], _t293, _t973);
				goto 0x400933f8;
				r14d = 0;
				goto 0x40093402;
				 *(_t973 + 0x18) = _t955;
				if (_t888[0xc] == 0) goto 0x400923ab;
				_t298 =  &(_t888[0x10]); // 0x20
				_t299 =  &(_t888[0xe]); // 0x18
				E000000011400BBD50(0x400ef524, _t888[0xc], _t299, _t696, _t888[2], _t298, _t973);
				goto 0x4009199f;
				if (_t449 != 0x1f) goto 0x40092409;
				if (_t697 == 0) goto 0x40093734;
				if (r8d == 0) goto 0x40093734;
				r8d = r8d - 1;
				_t888[1] = r8d;
				_t806 =  *((intOrPtr*)(_t888 + 0x8e0 + r8d * 8));
				 *_t973 =  *_t806;
				 *((long long*)(_t973 + 8)) =  *((intOrPtr*)(_t806 + 8));
				 *((long long*)(_t973 + 0x10)) =  *((intOrPtr*)(_t806 + 0x10));
				 *(_t973 + 0x18) =  *((intOrPtr*)(_t806 + 0x18));
				 *(_t973 + 0x18) =  *((intOrPtr*)(_t888[2] + 0x18));
				goto 0x4009340d;
				if (r8d == 0) goto 0x40093bdd;
				r8d = r8d - 1;
				_t888[1] = r8d;
				_t956 =  *((intOrPtr*)(_t888 + 0x8e0 + r8d * 8));
				_t888[0x24] = _t956;
				if ( *(_t956 + 0x10) - 8 >= 0) goto 0x40093bdd;
				if (_t449 != 0x20) goto 0x40092482;
				_t886 =  *(_t973 + 0x18);
				if (_t886 == 0) goto 0x40093bdd;
				 *((long long*)(_t956 + 0x18)) =  *((intOrPtr*)(_t886 + 0x18));
				 *_t973 =  *_t956;
				 *((long long*)(_t973 + 8)) =  *((intOrPtr*)(_t956 + 8));
				 *((long long*)(_t973 + 0x10)) =  *(_t956 + 0x10);
				 *(_t973 + 0x18) =  *((intOrPtr*)(_t956 + 0x18));
				 *(_t956 + 0x10) = 1;
				goto 0x40093402;
				if (_t449 - 0x12 < 0) goto 0x4009249b;
				if (_t449 - 0x13 <= 0) goto 0x400924b5;
				if (_t449 == 0x1e) goto 0x400924b5;
				if (_t449 == 0x2b) goto 0x400924b5;
				if (_t449 == 0x39) goto 0x400924b5;
				_t807 = _t956;
				_t888[0xa] = E00000001140084010(_t807, _t886);
				r8d = _t888[1];
				goto 0x400924b8;
				_t888[0x16] = 0x400ef524;
				if (_t807 - 9 - 0x34 > 0) goto 0x400927f0;
				goto __rdx;
			}

0x1400914b0
0x1400914b5
0x1400914ba
0x1400914be
0x1400914d4
0x1400914d9
0x1400914dc
0x1400914e1
0x1400914ec
0x1400914f3
0x1400914fa
0x140091502
0x14009150a
0x140091512
0x14009151a
0x140091522
0x14009152a
0x14009153c
0x140091540
0x140091544
0x140091547
0x140091552
0x14009155c
0x140091564
0x140091568
0x14009156b
0x14009156f
0x140091572
0x140091581
0x140091585
0x1400915a9
0x1400915b2
0x1400915bb
0x1400915c4
0x1400915cd
0x1400915d6
0x1400915db
0x1400915e4
0x1400915ec
0x1400915f5
0x1400915f9
0x1400915fe
0x140091608
0x14009160f
0x140091617
0x14009161b
0x14009161f
0x140091623
0x14009162a
0x140091633
0x140091639
0x140091640
0x140091646
0x140091649
0x140091653
0x140091656
0x140091661
0x14009166e
0x140091676
0x140091678
0x140091681
0x14009168b
0x14009168d
0x140091695
0x14009169e
0x1400916a4
0x1400916a7
0x1400916aa
0x1400916ad
0x1400916b7
0x1400916bf
0x1400916c8
0x1400916ca
0x1400916d7
0x1400916dc
0x1400916e4
0x1400916ef
0x1400916f8
0x1400916fe
0x140091704
0x14009170d
0x14009170f
0x140091717
0x14009171b
0x14009171f
0x140091727
0x14009172a
0x14009172e
0x14009173e
0x140091742
0x140091747
0x140091753
0x14009175a
0x14009175c
0x14009175f
0x140091772
0x140091774
0x14009177b
0x14009177b
0x14009177f
0x140091781
0x14009178b
0x140091794
0x140091796
0x1400917a6
0x1400917b3
0x1400917b9
0x1400917bb
0x1400917c8
0x1400917cd
0x1400917d6
0x1400917da
0x1400917e5
0x1400917f9
0x1400917ff
0x140091801
0x140091807
0x140091817
0x140091819
0x140091821
0x140091824
0x14009182e
0x140091837
0x14009183d
0x140091842
0x140091849
0x140091850
0x140091852
0x14009185b
0x140091863
0x140091869
0x14009186e
0x14009187d
0x14009187f
0x140091883
0x140091883
0x14009188a
0x14009188f
0x140091896
0x1400918a2
0x1400918a7
0x1400918aa
0x1400918af
0x1400918c0
0x1400918c3
0x1400918ce
0x1400918d0
0x1400918da
0x1400918e7
0x1400918ed
0x1400918ed
0x1400918f1
0x1400918f6
0x1400918fe
0x140091905
0x140091913
0x14009191b
0x140091929
0x14009192d
0x140091934
0x140091942
0x14009194a
0x140091950
0x140091961
0x140091968
0x14009196a
0x140091979
0x14009197e
0x140091987
0x140091989
0x140091994
0x140091997
0x1400919a6
0x1400919ae
0x1400919b0
0x1400919bb
0x1400919c4
0x1400919ce
0x1400919d4
0x1400919d6
0x1400919dd
0x1400919f0
0x1400919fa
0x1400919fc
0x140091a04
0x140091a08
0x140091a0c
0x140091a14
0x140091a17
0x140091a1b
0x140091a28
0x140091a2c
0x140091a31
0x140091a3d
0x140091a44
0x140091a46
0x140091a49
0x140091a59
0x140091a5b
0x140091a64
0x140091a66
0x140091a70
0x140091a76
0x140091a79
0x140091a86
0x140091a8b
0x140091a8b
0x140091a93
0x140091a95
0x140091a9e
0x140091ab1
0x140091ab7
0x140091abf
0x140091ae4
0x140091aee
0x140091af2
0x140091afe
0x140091b00
0x140091b0b
0x140091b18
0x140091b2b
0x140091b3b
0x140091b3f
0x140091b4c
0x140091b56
0x140091b61
0x140091b6c
0x140091b72
0x140091b75
0x140091b7f
0x140091b84
0x140091b87
0x140091b8b
0x140091b93
0x140091b9b
0x140091ba1
0x140091ba8
0x140091baf
0x140091bb5
0x140091bb8
0x140091bbf
0x140091bc7
0x140091bcd
0x140091bd6
0x140091bdc
0x140091bdf
0x140091be3
0x140091be6
0x140091be6
0x140091bf1
0x140091bfc
0x140091c00
0x140091c02
0x140091c09
0x140091c10
0x140091c15
0x140091c18
0x140091c1f
0x140091c23
0x140091c2a
0x140091c2d
0x140091c3b
0x140091c42
0x140091c50
0x140091c59
0x140091c5f
0x140091c66
0x140091c6e
0x140091c72
0x140091c76
0x140091c7a
0x140091c88
0x140091c8c
0x140091c90
0x140091ca2
0x140091ca9
0x140091cb0
0x140091cb6
0x140091cbf
0x140091cc4
0x140091cc9
0x140091ccb
0x140091cf8
0x140091cfe
0x140091d07
0x140091d0e
0x140091d10
0x140091d13
0x140091d18
0x140091d1a
0x140091d21
0x140091d28
0x140091d2f
0x140091d38
0x140091d41
0x140091d47
0x140091d4a
0x140091d50
0x140091d56
0x140091d58
0x140091d5f
0x140091d69
0x140091d6b
0x140091d72
0x140091d76
0x140091d78
0x140091d80
0x140091d82
0x140091d8b
0x140091d97
0x140091d99
0x140091d9c
0x140091da0
0x140091da6
0x140091dac
0x140091dba
0x140091dc4
0x140091dd1
0x140091dd7
0x140091dda
0x140091ddf
0x140091de2
0x140091df0
0x140091df9
0x140091e00
0x140091e06
0x140091e11
0x140091e16
0x140091e19
0x140091e20
0x140091e27
0x140091e2c
0x140091e32
0x140091e34
0x140091e39
0x140091e43
0x140091e47
0x140091e4c
0x140091e4f
0x140091e54
0x140091e61
0x140091e63
0x140091e6b
0x140091e71
0x140091e7a
0x140091e83
0x140091e8c
0x140091e8f
0x140091e93
0x140091e9a
0x140091ea2
0x140091ea7
0x140091eaa
0x140091eaf
0x140091eb6
0x140091ebc
0x140091ecf
0x140091ed4
0x140091ed7
0x140091ee0
0x140091ee2
0x140091ef1
0x140091ef7
0x140091efc
0x140091f01
0x140091f07
0x140091f0b
0x140091f14
0x140091f17
0x140091f1b
0x140091f22
0x140091f28
0x140091f32
0x140091f36
0x140091f3c
0x140091f43
0x140091f4f
0x140091f55
0x140091f57
0x140091f5d
0x140091f5f
0x140091f6e
0x140091f79
0x140091f7e
0x140091f88
0x140091f8e
0x140091f92
0x140091f9b
0x140091f9d
0x140091fa3
0x140091faf
0x140091fb1
0x140091fb7
0x140091fc3
0x140091fc5
0x140091fc9
0x140091fce
0x140091fd1
0x140091fd3
0x140091fd8
0x140091fdf
0x140091fe4
0x140091fe6
0x140091feb
0x140091ff0
0x140091fff
0x140092007
0x140092010
0x140092019
0x140092022
0x140092044
0x140092046
0x14009204d
0x140092057
0x14009205b
0x140092062
0x140092067
0x140092069
0x140092070
0x140092075
0x140092077
0x14009207d
0x140092082
0x140092087
0x140092091
0x140092093
0x140092097
0x14009209b
0x14009209f
0x1400920a3
0x1400920a5
0x1400920ab
0x1400920ad
0x1400920b8
0x1400920bc
0x1400920c2
0x1400920c6
0x1400920db
0x1400920e2
0x1400920e8
0x1400920f1
0x1400920fa
0x1400920ff
0x140092107
0x14009210a
0x14009210f
0x140092116
0x14009211c
0x14009212b
0x14009212f
0x140092133
0x140092136
0x140092145
0x14009214b
0x14009214f
0x140092153
0x140092158
0x140092162
0x140092169
0x140092175
0x14009217e
0x140092184
0x140092188
0x140092192
0x140092195
0x140092197
0x14009219a
0x1400921a6
0x1400921b2
0x1400921b5
0x1400921bc
0x1400921bf
0x1400921ca
0x1400921d0
0x1400921d0
0x1400921d4
0x1400921d8
0x1400921e1
0x1400921eb
0x1400921f1
0x1400921f3
0x1400921fe
0x140092200
0x140092207
0x14009220e
0x140092216
0x14009221c
0x140092220
0x140092225
0x14009222a
0x14009222c
0x140092235
0x140092237
0x14009223e
0x140092244
0x140092247
0x14009224b
0x140092254
0x140092263
0x140092266
0x140092269
0x14009226c
0x140092290
0x140092292
0x14009229c
0x14009229f
0x1400922a7
0x1400922ad
0x1400922b1
0x1400922bd
0x1400922bf
0x1400922ca
0x1400922d7
0x1400922ea
0x1400922f2
0x140092301
0x140092306
0x140092309
0x14009230f
0x140092313
0x140092315
0x140092320
0x140092329
0x140092331
0x14009233c
0x14009234c
0x140092351
0x140092354
0x140092357
0x14009235a
0x14009235e
0x140092360
0x14009236a
0x14009236c
0x140092370
0x140092374
0x140092379
0x14009237e
0x14009238c
0x140092391
0x14009239c
0x14009239e
0x1400923a2
0x1400923a6
0x1400923af
0x1400923b7
0x1400923bd
0x1400923c6
0x1400923cc
0x1400923cf
0x1400923d6
0x1400923e1
0x1400923e8
0x1400923f0
0x1400923f8
0x140092400
0x140092404
0x14009240c
0x140092412
0x140092415
0x14009241c
0x140092424
0x140092431
0x14009243a
0x14009243c
0x140092443
0x14009244d
0x140092456
0x14009245e
0x140092467
0x140092470
0x140092474
0x14009247d
0x140092485
0x14009248a
0x14009248f
0x140092494
0x140092499
0x14009249b
0x1400924a5
0x1400924a8
0x1400924b3
0x1400924b8
0x1400924c6
0x1400924e2

APIs

GetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,?,0000000140094E7F), ref: 000000014009176A
_wcstoi64.LIBCMT ref: 0000000140093589
_wcstoi64.LIBCMT ref: 000000014009362C
GetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,?,0000000140094E7F), ref: 0000000140091A51

Part of subcall function 00000001400D4A38: _FF_MSGBANNER.LIBCMT ref: 00000001400D4A68
Part of subcall function 00000001400D4A38: RtlAllocateHeap.NTDLL(?,?,00000000,00000001400DB8F0,?,?,00000000,00000001400D9F35,?,?,?,00000001400D9FDF,?,?,00000000,00000001400D9099), ref: 00000001400D4A8D
Part of subcall function 00000001400D4A38: _callnewh.LIBCMT ref: 00000001400D4AA6
Part of subcall function 00000001400D4A38: _errno.LIBCMT ref: 00000001400D4AB1
Part of subcall function 00000001400D4A38: _errno.LIBCMT ref: 00000001400D4ABC

Strings

, xrefs: 0000000140091F9D
Out of memory., xrefs: 00000001400920CD, 0000000140093747, 00000001400937B9, 00000001400937D6, 0000000140093EAD
Memory limit reached (see #MaxMem in the help file)., xrefs: 0000000140091EC1, 0000000140093C6B
, xrefs: 0000000140093D8B

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: EnvironmentVariable_errno_wcstoi64$AllocateHeap_callnewh
String ID: $ $Memory limit reached (see #MaxMem in the help file).$Out of memory.
API String ID: 2588181271-4280895764
Opcode ID: 86b07cdbd41c7ae6ff8899e32e398d59957e48ce1833bec6bb3720c7e362f3d9
Instruction ID: 34b9777d2e88d71ece9df1e0b33002fa58e0dd2c62c512b525fdbfffaae207f0
Opcode Fuzzy Hash: 86b07cdbd41c7ae6ff8899e32e398d59957e48ce1833bec6bb3720c7e362f3d9
Instruction Fuzzy Hash: 7403D872304A8486EB668F26D4843EC23A5FB4CBD4F458216FB6A57BF5DB38C981C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140042768 Relevance: 14.5, APIs: 6, Strings: 2, Instructions: 474windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2

Strings

Out of memory., xrefs: 0000000140042BA3
Memory limit reached (see #MaxMem in the help file)., xrefs: 00000001400429A2

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: Memory limit reached (see #MaxMem in the help file).$Out of memory.
API String ID: 1623861271-457448710
Opcode ID: 6467e963cda0c851646383a25fe71b48e92c2d648b2191ac9ada70a544f7dc64
Instruction ID: 7cf60173a9c159d700d9896f14ace4e8a629c04da86d6ed146e2a3971f9d3b7c
Opcode Fuzzy Hash: 6467e963cda0c851646383a25fe71b48e92c2d648b2191ac9ada70a544f7dc64
Instruction Fuzzy Hash: A422BA72704A4086FB639F27E4503E927A2E74CBE4F96422AFB59576F5DB38C881C344

Uniqueness

Uniqueness Score: -1.00%

Function 000000014008D740 Relevance: 7.6, APIs: 5, Instructions: 125comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 000000014008D789
CLSIDFromString.OLE32 ref: 000000014008D7E6
CLSIDFromString.OLE32 ref: 000000014008D80A
CoCreateInstance.OLE32 ref: 000000014008D835
CoCreateInstance.OLE32 ref: 000000014008D879

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: From$CreateInstanceString$Prog
String ID:
API String ID: 3834119650-0
Opcode ID: cf16e1ba0cf44a69b94c3d4acfa667cda8a60a02a8cf7fb05d78ffc56423802d
Instruction ID: 546a43a423271b31f5f74e3110593a69c1eca23b1c40ace14ece5c09c6ac5601
Opcode Fuzzy Hash: cf16e1ba0cf44a69b94c3d4acfa667cda8a60a02a8cf7fb05d78ffc56423802d
Instruction Fuzzy Hash: 5C517A37215B45C2EB669F27E0447E973A1F788BC4F448126EB8943BA8EF39C604CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B8140 Relevance: 6.1, APIs: 4, Instructions: 137fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00000001400B824D
FindClose.KERNEL32 ref: 00000001400B8261
FindFirstFileW.KERNEL32 ref: 00000001400B82C9
FindClose.KERNEL32 ref: 00000001400B82DC

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f6ee532912a91a790e1100430ab72ae6478ba54844190db85ec01992a917e6a4
Instruction ID: d67b7a83738f87b71610341ad85ed25658bb795a7461a44aa77e8d6c6bef1884
Opcode Fuzzy Hash: f6ee532912a91a790e1100430ab72ae6478ba54844190db85ec01992a917e6a4
Instruction Fuzzy Hash: 3851CC32301A8191EA229F5695447DE63A5FB48BE4F948316AF29177F4EF78C50BC300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A5770 Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E000000011400A5770() {
				void* _t43;
				signed int _t52;
				signed int _t53;
				signed int _t54;
				void* _t65;
				signed int _t78;
				void* _t80;
				void* _t90;
				long long _t96;
				signed long long _t99;
				short* _t100;
				intOrPtr _t101;
				intOrPtr _t102;
				short* _t113;
				intOrPtr* _t124;
				intOrPtr _t127;
				void* _t128;
				void* _t129;
				void* _t130;
				void* _t131;
				intOrPtr* _t135;
				long long _t136;
				intOrPtr* _t138;
				long long _t139;
				long long _t140;

				_t1 = _t129 - 0xb0; // -239
				_t128 = _t1;
				_t130 = _t129 - 0x1b0;
				_t138 = _t135;
				if (_t135 == 0) goto 0x400a579e;
				 *_t135 = 0xffffffff;
				 *((long long*)(_t130 + 0x1e8)) = _t136;
				if ( *_t100 != 0) goto 0x400a590a;
				if ( *_t113 != 0) goto 0x400a590a;
				if ( *0x4012a404 != 0) goto 0x400a58f6;
				_t101 =  *0x4012a408; // 0x2999ca0
				r8d = 0x98;
				E000000011400DB410(_t43, _t65, 0, _t101, _t113, _t131);
				GetStockObject(??);
				_t102 =  *0x4012a408; // 0x2999ca0
				 *((long long*)( *0x4012a404 * 0x98 + _t102 + 0x90)) = _t96;
				GetDC(??);
				SelectObject(??, ??);
				GetTextFaceW(??, ??, ??);
				GetTextMetricsW(??, ??);
				_t124 =  *0x4012a408; // 0x2999ca0
				_t99 =  *0x4012a404 * 0x98;
				r8d = GetDeviceCaps(??, ??);
				 *((intOrPtr*)(_t99 + _t124 + 0x84)) = MulDiv(??, ??, ??);
				_t52 =  *(_t128 + 0x2c);
				 *(_t99 + _t124 + 0x88) = _t52;
				_t53 = _t52 & 0xffffff00 |  *((char*)(_t128 + 0x44)) != 0x00000000;
				 *(_t99 + _t124 + 0x80) = _t53;
				_t54 = _t53 & 0xffffff00 |  *((char*)(_t128 + 0x45)) != 0x00000000;
				 *(_t99 + _t124 + 0x81) = _t54;
				 *((char*)(_t99 + _t124 + 0x82)) = _t54 & 0xffffff00 |  *((char*)(_t128 + 0x46)) != 0x00000000;
				SelectObject(??, ??);
				ReleaseDC(??, ??);
				 *0x4012a404 =  *0x4012a404 + 1;
				if (_t138 == 0) goto 0x400a5903;
				 *_t138 = 0xff000000;
				goto 0x400a5d5e;
				if ( *0x4012a404 * 0x98 +  *0x4012a408 != 0) goto 0x400a5923;
				_t90 =  *0x4012a404 - r8d; // 0x2
				if (_t90 <= 0) goto 0x400a59bd;
				_t127 =  *0x4012a408; // 0x2999ca0
				_t30 = _t130 + 0x70; // 0x31
				r8d = 0x98;
				 *((long long*)(_t130 + 0x1f0)) = _t139;
				E000000011400D5880(0, _t90, _t30, _t127,  *0x4012a404 * 0x98 +  *0x4012a408);
				r14d = 0;
				if ( *_t124 == r14w) goto 0x400a595d;
				_t32 = _t139 + 0x3f; // 0x3f
				r8d = _t32;
				_t33 = _t130 + 0x70; // 0x31
				E000000011400D8154(0, _t80, _t33, _t124, _t124,  *0x4012a404 * 0x98 +  *0x4012a408);
				 *((intOrPtr*)(_t128 - 0x12)) = r14w;
				r12d = r12d | 0xffffffff;
				 *((intOrPtr*)(_t128 - 4)) = 2;
				if ( *_t99 == r14w) goto 0x400a5bac;
				 *((long long*)(_t130 + 0x1f8)) = _t140;
				_t78 =  *_t99 & 0x0000ffff;
				if ((_t78 & 0xffffff80) != 0) goto 0x400a599f;
				if (E000000011400D5848(_t78, 2) == 0) goto 0x400a599f;
				if ((_t78 & 0xffdf) + 0xffffffbe - 0x15 > 0) goto 0x400a5b96;
				goto __rcx;
			}

0x1400a5777
0x1400a5777
0x1400a577f
0x1400a5786
0x1400a5795
0x1400a5797
0x1400a57a2
0x1400a57aa
0x1400a57b4
0x1400a57c1
0x1400a57c7
0x1400a57d0
0x1400a57d6
0x1400a57e0
0x1400a57e6
0x1400a57fb
0x1400a5805
0x1400a582e
0x1400a5854
0x1400a5861
0x1400a586e
0x1400a5875
0x1400a5895
0x1400a58a4
0x1400a58ab
0x1400a58ae
0x1400a58b9
0x1400a58bc
0x1400a58c7
0x1400a58ca
0x1400a58d8
0x1400a58df
0x1400a58ea
0x1400a58f0
0x1400a58f9
0x1400a58fb
0x1400a5905
0x1400a590d
0x1400a590f
0x1400a5916
0x1400a591c
0x1400a5923
0x1400a592b
0x1400a5931
0x1400a5939
0x1400a593e
0x1400a5945
0x1400a5947
0x1400a5947
0x1400a594b
0x1400a5953
0x1400a5958
0x1400a595d
0x1400a5961
0x1400a596c
0x1400a5972
0x1400a5981
0x1400a598a
0x1400a599a
0x1400a59a8
0x1400a59bb

APIs

GetStockObject.GDI32 ref: 00000001400A57E0
GetDC.USER32 ref: 00000001400A5805
SelectObject.GDI32 ref: 00000001400A582E
GetTextFaceW.GDI32 ref: 00000001400A5854
GetTextMetricsW.GDI32 ref: 00000001400A5861
GetDeviceCaps.GDI32 ref: 00000001400A5884
MulDiv.KERNEL32 ref: 00000001400A5898
SelectObject.GDI32 ref: 00000001400A58DF
ReleaseDC.USER32 ref: 00000001400A58EA
wcsncpy.LIBCMT ref: 00000001400A5953

Strings

Can't create font., xrefs: 00000001400A5D0B
Too many fonts., xrefs: 00000001400A5C72

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Object$SelectText$CapsDeviceFaceMetricsReleaseStockwcsncpy
String ID: Can't create font.$Too many fonts.
API String ID: 113413196-123602064
Opcode ID: 47fca30e4147f9914ec3fbe8349c4b8d45d44e98b2feeb45f4554505efe4384e
Instruction ID: 666fad9b36c2cb6f0e56c9bd2984476b26b1c0f1bd6a5b3c81db7b90dbefc51f
Opcode Fuzzy Hash: 47fca30e4147f9914ec3fbe8349c4b8d45d44e98b2feeb45f4554505efe4384e
Instruction Fuzzy Hash: CCB1E1726006808AEB26EF36E4047ED77A0F759B99F40421AEB5A176F9DF3CC585CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400283E0 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E000000011400283E0(signed short* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi) {
				void* __rbp;
				long _t84;
				signed int _t87;
				signed int _t89;
				long _t93;
				signed int _t111;
				void* _t121;
				signed short* _t149;
				void* _t150;
				long long _t153;
				signed short* _t155;
				void* _t157;
				signed long long _t163;
				signed short* _t166;
				signed short* _t169;
				signed long long _t175;
				signed long long _t177;
				signed long long _t186;
				signed long long _t188;
				signed short* _t194;
				long long _t199;
				WCHAR* _t209;
				short* _t223;
				WCHAR* _t226;
				void* _t227;
				void* _t229;
				void* _t230;
				void* _t232;
				void* _t239;
				void* _t243;
				void* _t244;
				void* _t245;
				long _t247;
				void* _t248;
				WCHAR* _t250;
				struct HINSTANCE__* _t252;

				_t149 = __rax;
				 *((long long*)(_t229 + 0x10)) = __rbx;
				 *((long long*)(_t229 + 0x18)) = __rsi;
				_t227 = _t229 - 0x10390;
				E000000011400E12F0(0x10490, __rax, _t243, _t244);
				_t230 = _t229 - __rax;
				r13d = 0;
				_t248 = __rcx;
				 *((intOrPtr*)(__rcx + 0xbb2)) = r8b;
				if (__rdx != 0) goto 0x400285b7;
				r8d = 0x106;
				if (GetModuleFileNameW(_t252, _t250, _t247) - 0x104 <= 0) goto 0x40028448;
				goto 0x4002881a;
				E000000011400D53D8(0x5c, _t230 + 0x50, _t232);
				_t155 = _t149;
				if (_t149 == 0) goto 0x40028441;
				E000000011400D53D8(0x2e, _t149, _t232);
				if (_t149 == 0) goto 0x40028441;
				_t194 = L".ahk";
				_t150 = _t149 - _t194;
				_t111 =  *_t194 & 0x0000ffff;
				 *(_t150 +  &(_t194[1]) - 2) = _t111;
				if (_t111 != 0) goto 0x40028480;
				_t84 = GetFileAttributesW(_t209); // executed
				if (_t84 != 0xffffffff) goto 0x400285b7;
				_t163 = _t227 + 0x180;
				_t223 = _t227 + 0x180;
				E000000011400756E0(_t84, _t155, _t163, _t239);
				_t245 = _t150;
				asm("repne scasw");
				if ( !(_t163 | 0xffffffff) + _t245 - 0x105 > 0) goto 0x4002881a;
				_t166 = _t155;
				asm("o16 nop [eax+eax]");
				_t87 =  *_t166 & 0x0000ffff;
				 *(_t227 + _t245 + _t245 - _t155 + 0x180 +  &(_t166[1]) - 2) = _t87;
				if (_t87 != 0) goto 0x40028500;
				if (GetFileAttributesW(_t226) != 0xffffffff) goto 0x400285b7;
				_t169 = L"\\AutoHotkey.chm";
				_t89 =  *_t169 & 0x0000ffff;
				 *(_t155 - _t169 +  &(_t169[1]) - 2) = _t89;
				if (_t89 != 0) goto 0x40028531;
				if (GetFileAttributesW(??) == 0xffffffff) goto 0x400285b7;
				E000000011400D71A4(_t245 + _t245 - _t155, _t227 + 0x390, _t227 + _t245 + _t245 - _t155 + 0x180, L"\"ms-its:%s::/docs/Welcome.htm\"", _t230 + 0x50);
				 *(_t230 + 0x48) = _t250;
				 *((intOrPtr*)(_t230 + 0x40)) = r13b;
				 *((intOrPtr*)(_t230 + 0x38)) = r13b;
				_t153 = L"Max";
				 *(_t230 + 0x30) = _t250;
				 *((long long*)(_t230 + 0x28)) = _t153;
				_t199 = L"hh.exe";
				 *((intOrPtr*)(_t230 + 0x20)) = r13b;
				if (E0000000114004EAC0(_t153, _t155 - _t169, _t248, _t199, _t227 + 0x390, _t230 + 0x50) != 0) goto 0x40028441;
				r9d = 0;
				_t93 = GetFullPathNameW(??, ??, ??, ??);
				 *((long long*)(_t227 + 0x103c0)) = _t199;
				if (_t93 == 0) goto 0x40028441;
				if ( *_t223 != 0x2a) goto 0x4002860a;
				if ( *((intOrPtr*)(_t223 + 2)) != r13w) goto 0x4002860a;
				 *0x40128bf1 = 1;
				 *0x40128c0c = 4;
				 *0x40128c20 = 1;
				goto 0x40028624;
				_t175 = _t227 + 0x390;
				 *0x40128bf1 = r13b; // executed
				E000000011400B8350(_t153, _t155 - _t169, _t175, _t227 + 0x103c0); // executed
				if ( *(_t227 + 0x390) == r13w) goto 0x40028698;
				asm("repne scasw");
				_t177 =  !(_t175 | 0xffffffff);
				_t157 = _t177 + _t177 - 2;
				E000000011400B3FC0(_t111, _t157 + 2);
				if (_t153 != 0) goto 0x4002867a;
				0x4004d730();
				goto 0x4002869b;
				if (_t177 - 1 == 0) goto 0x40028691;
				E000000011400D5880(_t111, _t177 - 1, _t153, _t227 + 0x390, _t157);
				 *((intOrPtr*)(_t157 + _t250)) = r13w;
				goto 0x4002869b;
				 *((long long*)(_t248 + 0xb80)) = 0x400ef524;
				if (0x400ef524 == 0) goto 0x40028441;
				E000000011400D53D8(0x5c, _t227 + 0x390, _t157);
				if (_t153 == 0) goto 0x400286f0;
				 *_t153 = r13w;
				E000000011400B3F00(_t153, _t157, _t227 + 0x390, _t227 + 0x00000390 | 0xffffffff, _t177 - 1);
				 *((long long*)(_t248 + 0xb88)) = _t153;
				if (_t153 == 0) goto 0x40028441;
				goto 0x400286f7;
				E000000011400B3F00(_t153, _t157, _t227 + 0x390, _t227 + 0x00000390 | 0xffffffffffffffff, _t177 - 1);
				 *((long long*)(_t248 + 0xb90)) = _t153;
				if (_t153 == 0) goto 0x40028441;
				 *((long long*)(_t230 + 0x28)) = L"AutoHotkey v1.1.33.10";
				 *((long long*)(_t230 + 0x20)) = _t153;
				E000000011400B70F0(0x8000, _t121, _t157, _t227 + 0x390, L"%s\\%s - %s",  *((intOrPtr*)(_t248 + 0xb88)));
				_t186 = _t227 + 0x390;
				E000000011400B3F00(_t153, _t157, _t186, _t227 + 0x00000390 | 0xffffffffffffffff, _t177 - 1);
				 *((long long*)(_t248 + 0xba8)) = _t153;
				if (_t153 == 0) goto 0x40028441;
				r8d = 0x7ffe;
				 *(_t227 + 0x390) = 0x22;
				if (GetModuleFileNameW(??, ??, ??) == 0) goto 0x40028815;
				asm("repne scasw");
				_t188 =  !(_t186 | 0xffffffff);
				 *((short*)(_t227 + 0x38e + _t188 * 2)) = 0x22;
				 *((intOrPtr*)(_t227 + 0x390 + _t188 * 2)) = r13w;
				E000000011400B3F00(_t153, _t157, _t227 + 0x390, _t227 + 0x00000392 | 0xffffffff, _t177 - 1);
				 *((long long*)(_t248 + 0xb98)) = _t153;
				if (_t153 == 0) goto 0x40028441;
				_t70 = _t157 + 0x3a; // 0x5c
				E000000011400D53D8(_t70, _t227 + 0x390, L"%s\\%s - %s");
				if (_t153 != 0) goto 0x400287f0;
				 *((long long*)(_t248 + 0xba0)) = 0x400ef524;
				 *_t153 = r13w;
				E000000011400B3F00(_t153, _t157, _t227 + 0x392, _t227 + 0x00000392 | 0xffffffffffffffff, _t177 - 1);
				 *((long long*)(_t248 + 0xba0)) = _t153;
				if (_t153 == 0) goto 0x40028441;
				return 1;
			}

0x1400283e0
0x1400283e0
0x1400283e5
0x1400283f2
0x1400283ff
0x140028404
0x140028407
0x14002840d
0x140028410
0x140028421
0x14002842c
0x14002843f
0x140028443
0x140028452
0x140028457
0x14002845d
0x140028467
0x14002846f
0x140028471
0x140028478
0x140028480
0x140028487
0x14002848f
0x14002849b
0x1400284a4
0x1400284aa
0x1400284b4
0x1400284bb
0x1400284c7
0x1400284cc
0x1400284dd
0x1400284e7
0x1400284f5
0x140028500
0x140028507
0x14002850f
0x140028521
0x140028527
0x140028531
0x140028538
0x140028540
0x140028550
0x14002856a
0x14002856f
0x140028574
0x140028579
0x14002857e
0x140028585
0x14002858a
0x14002859b
0x1400285a5
0x1400285b1
0x1400285be
0x1400285c9
0x1400285d1
0x1400285da
0x1400285e4
0x1400285eb
0x1400285ed
0x1400285f4
0x1400285fe
0x140028608
0x140028611
0x140028618
0x14002861f
0x14002862c
0x14002863b
0x14002863e
0x140028641
0x14002864e
0x140028659
0x140028670
0x140028678
0x14002867d
0x14002868c
0x140028691
0x140028696
0x14002869b
0x1400286a6
0x1400286b8
0x1400286c3
0x1400286d0
0x1400286d4
0x1400286d9
0x1400286e4
0x1400286ee
0x1400286fe
0x140028703
0x14002870e
0x14002872a
0x14002873b
0x140028740
0x140028745
0x140028750
0x140028755
0x140028760
0x140028772
0x14002877a
0x140028789
0x14002879c
0x1400287a3
0x1400287a6
0x1400287ae
0x1400287be
0x1400287c3
0x1400287ce
0x1400287d4
0x1400287de
0x1400287e6
0x1400287e8
0x1400287fb
0x1400287ff
0x140028804
0x14002880f
0x140028835

APIs

GetModuleFileNameW.KERNEL32(00000000,00000000,00000000,00000000,?,000000014000620B), ref: 0000000140028434
GetFileAttributesW.KERNEL32 ref: 000000014002849B
GetFileAttributesW.KERNEL32 ref: 0000000140028518
GetFileAttributesW.KERNEL32 ref: 0000000140028547
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,?,000000014000620B), ref: 00000001400285C9
GetModuleFileNameW.KERNEL32 ref: 0000000140028781

Strings

\AutoHotkey.chm, xrefs: 0000000140028527
%s\%s - %s, xrefs: 0000000140028723
Out of memory., xrefs: 0000000140028662
.ahk, xrefs: 0000000140028471
"ms-its:%s::/docs/Welcome.htm", xrefs: 0000000140028557
hh.exe, xrefs: 000000014002859B
AutoHotkey v1.1.33.10, xrefs: 000000014002871C
Max, xrefs: 000000014002857E

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: File$AttributesName$Module$FullPath
String ID: "ms-its:%s::/docs/Welcome.htm"$%s\%s - %s$.ahk$AutoHotkey v1.1.33.10$Max$Out of memory.$\AutoHotkey.chm$hh.exe
API String ID: 837017824-2306444894
Opcode ID: 4eba2e9030db9d9bd10010dfe68a7d1af228ad390a642c876c138aa4fd795bd9
Instruction ID: cfe3b38458787925fef7843efcee708a739b1264787f171e1f0953783712eec0
Opcode Fuzzy Hash: 4eba2e9030db9d9bd10010dfe68a7d1af228ad390a642c876c138aa4fd795bd9
Instruction Fuzzy Hash: 6FB1A135201A8196EB22DF26D4147DA63A4FB087E8F944329FF6D576E8EF78CA45C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400996D0 Relevance: 22.7, APIs: 15, Instructions: 177
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 22%

			E000000011400996D0(void* __ecx, void* __esp, long long __rbx, intOrPtr* __rcx, long long __rsi, long long __rbp, void* _a4, long long _a8, void* _a12, long long _a16, long long _a24) {
				void* _v4;
				int _t57;
				void* _t60;
				int _t72;
				signed int _t84;
				long long _t102;
				void* _t103;
				intOrPtr _t106;
				void* _t110;
				void* _t123;
				intOrPtr _t130;
				intOrPtr _t131;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr* _t137;
				intOrPtr* _t154;
				intOrPtr* _t164;
				signed long long _t166;
				void* _t169;
				intOrPtr _t171;
				intOrPtr _t175;
				void* _t183;

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t102 =  *((long long*)(__rcx + 8));
				_t137 = __rcx;
				if (_t102 == 0) goto 0x400997ac;
				_t57 =  *0x40128c7c; // 0x0
				_t166 = _t57 - 1;
				if (_t102 < 0) goto 0x4009971f;
				_t130 =  *0x40129540; // 0x892160
				_t131 =  *((intOrPtr*)(__rcx + 8));
				_t103 =  *((intOrPtr*)( *((intOrPtr*)(_t130 + _t166 * 8)) + 0x18)) - _t131;
				if (_t103 != 0) goto 0x4009971a;
				E000000011400996D0(__ecx, __esp, __rcx,  *((intOrPtr*)(_t130 + _t166 * 8)), __rsi, __rbp);
				if (_t103 >= 0) goto 0x40099700;
				if ( *((intOrPtr*)(_t137 + 0x10)) == 0) goto 0x4009976c;
				r9d = 0;
				r8d = 0;
				_t60 = SendMessageW(??, ??, ??, ??);
				if (_t60 <= 0) goto 0x4009976c;
				r9d = 0;
				_t183 = _t166 - 1;
				SendMessageW(??, ??, ??, ??);
				_t106 = _t131;
				if (_t106 == 0) goto 0x40099764;
				DestroyIcon(??);
				if (_t106 != 0) goto 0x40099741;
				if (IsWindow(??) == 0) goto 0x400997ac;
				ShowWindow(??, ??); // executed
				SetMenu(??, ??); // executed
				if ( *((char*)(_t137 + 0x106)) != 0) goto 0x400997ac;
				 *((char*)(_t137 + 0x106)) = 1;
				DestroyWindow(??);
				r8d =  *0x40128c7c; // 0x0
				_t17 = _t183 - 1; // -1
				r9d = _t17;
				if (r9d < 0) goto 0x40099804;
				_t132 =  *0x40129540; // 0x892160
				_t110 =  *((intOrPtr*)(_t132 + r9d * 8)) - _t137;
				if (_t110 == 0) goto 0x400997d8;
				if (_t110 >= 0) goto 0x400997c2;
				goto 0x40099804;
				_t84 = __ecx - 1 + 1;
				if (_t84 - r8d >= 0) goto 0x400997fa;
				_t133 =  *0x40129540; // 0x892160
				r8d = r8d - _t84;
				_t22 = _t133 + _t84 * 8 - 8; // -8
				_t169 = _t22;
				memcpy(0, _t60, r8d);
				r8d = r9d;
				 *0x40128c7c = r9d;
				if ( *((intOrPtr*)(_t137 + 0x90)) == 0) goto 0x4009981d;
				DeleteObject(??);
				r8d =  *0x40128c7c; // 0x0
				if ( *((intOrPtr*)(_t137 + 0x98)) == 0) goto 0x40099836;
				DeleteObject(??);
				r8d =  *0x40128c7c; // 0x0
				if ( *((intOrPtr*)(_t137 + 0xa0)) == 0) goto 0x4009984f;
				DragFinish(??);
				r8d =  *0x40128c7c; // 0x0
				if ( *((intOrPtr*)(_t137 + 0x20)) <= 0) goto 0x400998c7;
				_t175 =  *((intOrPtr*)(_t137 + 0x28));
				if (( *(_t169 + _t175 + 8) & 0x000000ff) != 2) goto 0x4009988e;
				if ( *((intOrPtr*)(_t169 + _t175 + 0x20)) == 0) goto 0x4009988e;
				if (( *(_t169 + _t175 + 9) & 0x00000080) == 0) goto 0x40099886;
				DestroyIcon(??);
				goto 0x4009989c;
				_t72 = DeleteObject(??);
				goto 0x4009989c;
				if (_t72 != 0xa) goto 0x4009989c;
				E000000011400D4AF8(_t133,  *((intOrPtr*)(_t169 + _t175 + 0x20)));
				_t154 =  *((intOrPtr*)(_t169 + _t175 + 0x18));
				if (_t154 == 0) goto 0x400998ac;
				 *((intOrPtr*)( *_t154 + 0x10))();
				 *((long long*)(_t169 + _t175 + 0x18)) = 0;
				if (1 -  *((intOrPtr*)(_t137 + 0x20)) < 0) goto 0x40099860;
				r8d =  *0x40128c7c; // 0x0
				_t171 =  *((intOrPtr*)(_t137 + 0xa8));
				if (_t171 == 0) goto 0x4009991f;
				_t123 = _t171 -  *0x4012b1a0; // 0x0
				if (_t123 == 0) goto 0x4009991f;
				if (r8d <= 0) goto 0x40099908;
				_t164 =  *0x40129540; // 0x892160
				if ( *((intOrPtr*)( *_t164 + 0xa8)) == _t171) goto 0x4009991f;
				if (1 - r8d < 0) goto 0x400998f1;
				DestroyIcon(??);
				if ( *((intOrPtr*)(_t137 + 0xb0)) == _t171) goto 0x4009991f;
				DestroyIcon(??);
				if ( *((intOrPtr*)(_t137 + 0xb8)) == 0) goto 0x4009993c;
				DestroyAcceleratorTable(??);
				 *((long long*)(_t137 + 0xb8)) = 0;
				 *((long long*)(_t137 + 8)) = 0;
				 *((intOrPtr*)(_t137 + 0x20)) = 0;
				E000000011400D4AF8( *_t164,  *((intOrPtr*)(_t137 + 0x28))); // executed
				_t52 = _t137 + 0x34;
				 *_t52 =  *((intOrPtr*)(_t137 + 0x34)) - 1;
				if ( *_t52 != 0) goto 0x40099969;
				E000000011400D4AF8( *_t164,  *_t137);
				E000000011400D4AF0( *_t164, _t137);
				return 1;
			}

0x1400996d0
0x1400996d5
0x1400996da
0x1400996e4
0x1400996e9
0x1400996ec
0x1400996f2
0x1400996fa
0x1400996fd
0x140099700
0x14009970b
0x14009970f
0x140099713
0x140099715
0x14009971d
0x140099726
0x140099728
0x14009972b
0x140099733
0x14009973b
0x140099745
0x140099748
0x140099750
0x140099756
0x140099759
0x14009975e
0x14009976a
0x140099778
0x140099780
0x14009978c
0x140099799
0x14009979f
0x1400997a6
0x1400997ac
0x1400997b3
0x1400997b3
0x1400997c0
0x1400997c2
0x1400997c9
0x1400997cd
0x1400997d4
0x1400997d6
0x1400997d8
0x1400997e0
0x1400997e2
0x1400997e9
0x1400997f3
0x1400997f3
0x1400997f7
0x1400997fa
0x1400997fd
0x14009980e
0x140099810
0x140099816
0x140099827
0x140099829
0x14009982f
0x140099840
0x140099842
0x140099848
0x140099854
0x140099860
0x14009986b
0x140099875
0x14009987c
0x14009987e
0x140099884
0x140099886
0x14009988c
0x140099890
0x140099897
0x14009989c
0x1400998a4
0x1400998a9
0x1400998ac
0x1400998be
0x1400998c0
0x1400998c7
0x1400998d8
0x1400998da
0x1400998e1
0x1400998e8
0x1400998ea
0x1400998fb
0x140099906
0x14009990b
0x140099914
0x140099919
0x140099929
0x14009992b
0x140099931
0x140099940
0x140099948
0x14009994f
0x140099954
0x140099954
0x140099957
0x14009995c
0x140099964
0x140099982

APIs

SendMessageW.USER32 ref: 0000000140099733
SendMessageW.USER32 ref: 0000000140099750
DestroyIcon.USER32 ref: 000000014009975E
IsWindow.USER32 ref: 0000000140099770
ShowWindow.USER32 ref: 0000000140099780
SetMenu.USER32 ref: 000000014009978C
DestroyWindow.USER32 ref: 00000001400997A6
DeleteObject.GDI32 ref: 0000000140099810
DeleteObject.GDI32 ref: 0000000140099829
DragFinish.SHELL32 ref: 0000000140099842
DestroyIcon.USER32 ref: 000000014009987E
DeleteObject.GDI32 ref: 0000000140099886
DestroyIcon.USER32 ref: 000000014009990B
DestroyIcon.USER32 ref: 0000000140099919
DestroyAcceleratorTable.USER32 ref: 000000014009992B

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Destroy$Icon$DeleteObjectWindow$MessageSend$AcceleratorDragFinishMenuShowTable
String ID:
API String ID: 3005690943-0
Opcode ID: c177177691a526dad89deb4c29dd6e2c06adae529dc19346036b63de8d366b57
Instruction ID: f764aed848fb594d2fdbd107c038cb3753d22e1e3bdde59f56b33f154e0e285c
Opcode Fuzzy Hash: c177177691a526dad89deb4c29dd6e2c06adae529dc19346036b63de8d366b57
Instruction Fuzzy Hash: 9F817B35326A4082EB669F6BD4447E963A0FB4DFD5F084129EF5A17AB5CF39C841C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140002A47 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 241
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00000001140002A47() {
				int _t178;
				signed int _t198;
				intOrPtr _t201;
				intOrPtr _t204;
				void* _t209;
				long _t215;
				intOrPtr _t233;
				signed int _t241;
				void* _t259;
				void* _t260;
				void* _t266;
				signed int _t296;
				void* _t311;
				void* _t327;
				long long _t358;
				intOrPtr* _t359;
				intOrPtr _t361;
				intOrPtr _t362;
				intOrPtr _t363;
				long long _t364;
				signed char* _t370;
				intOrPtr _t373;
				long long _t376;
				void* _t383;
				long long _t384;
				long long _t385;
				long long _t386;
				intOrPtr* _t387;
				long long _t388;
				intOrPtr* _t389;
				intOrPtr _t393;
				void* _t396;
				intOrPtr _t400;
				signed long long _t406;
				long long _t425;
				intOrPtr _t434;
				void* _t436;
				void* _t438;
				void* _t441;
				long long _t443;
				long long _t444;
				long long _t446;
				long long _t447;
				intOrPtr _t449;
				long long _t450;
				intOrPtr _t451;
				intOrPtr _t452;
				void* _t457;
				intOrPtr _t466;
				void* _t467;
				void* _t468;
				void* _t469;
				void* _t470;
				long long _t471;
				unsigned long long _t472;
				long long _t480;
				long long _t481;

				if (_t472 == 0) goto 0x40002be6;
				E00000001140096150(_t472);
				 *((long long*)(_t468 + 0x60)) = _t358;
				if (_t358 != 0) goto 0x40002bed;
				if (_t383 == 0) goto 0x40002bed;
				if (_t383 == _t441) goto 0x40002bed; // executed
				GetForegroundWindow(); // executed
				_t384 = _t358;
				if (_t358 == 0) goto 0x40002b53;
				_t266 = GetWindowThreadProcessId(??, ??) -  *0x4012a558;
				if (_t266 != 0) goto 0x40002b53;
				r8d = 0x20;
				GetClassNameW(??, ??, ??);
				asm("repe cmpsw");
				if (_t266 != 0) goto 0x40002b53;
				_t393 =  *0x401235a8; // 0x2990b70
				 *((char*)(_t393 + 0x128)) = 1;
				 *((intOrPtr*)(_t393 + 0x124)) =  *((intOrPtr*)(_t468 + 0x70));
				if (IsDialogMessageW(??, ??) == 0) goto 0x40002b43;
				if ( *0x40128c74 == 0) goto 0x40002b29;
				_t359 =  *0x40125128; // 0x8919e0
				if (_t359 == 0) goto 0x40002b23;
				_t396 =  !=  ?  *_t359 : 0x400ef524;
				SetCurrentDirectoryW(??);
				_t361 =  *0x401235a8; // 0x2990b70
				 *((char*)(_t361 + 0x128)) = 0;
				r12d =  *((intOrPtr*)(_t467 + 0x1410));
				goto 0x40001d04;
				 *((char*)( *0x401235a8 + 0x128)) = 0;
				goto 0x40002b5a;
				if ( *0x40128ab0 == 0) goto 0x40002bac;
				_t469 = _t468 + 0x68;
				_t178 = TranslateAcceleratorW(??, ??, ??);
				r12d =  *((intOrPtr*)(_t467 + 0x1410));
				r15d =  *((intOrPtr*)(_t468 + 0x44));
				r13d =  *(_t467 + 0x1420) & 0x000000ff;
				r14d =  *((intOrPtr*)(_t468 + 0x40));
				if (_t178 != 0) goto 0x40001d1f;
				_t400 =  *0x401235a8;
				 *((char*)(_t400 + 0x128)) = 1;
				 *((intOrPtr*)(_t400 + 0x124)) =  *((intOrPtr*)(_t468 + 0x70));
				TranslateMessage(??);
				DispatchMessageW(??);
				 *((char*)( *0x401235a8 + 0x128)) = 0;
				goto 0x40002b37;
				 *((long long*)(_t468 + 0x60)) = _t471;
				goto 0x40002bf0;
				r10d = 0;
				_t362 =  *0x4012b0e0; // 0x0
				if (_t362 == 0) goto 0x40002c53;
				_t443 =  *((intOrPtr*)(_t362 + 8));
				 *((long long*)(_t467 - 0x50)) = _t443;
				if (_t443 == 0) goto 0x40002c23;
				if ( *((intOrPtr*)(_t443 + 0x28)) == r13d) goto 0x40002c29;
				_t444 =  *((intOrPtr*)(_t443 + 0x38));
				 *((long long*)(_t467 - 0x50)) = _t444;
				if (_t444 != 0) goto 0x40002c10;
				_t363 =  *((intOrPtr*)(_t362 + 0x30));
				goto 0x40002bf7;
				_t454 =  *((intOrPtr*)(_t444 + 0x10));
				r12d =  *((intOrPtr*)(_t467 + 0x1410));
				r13d =  *(_t467 + 0x1420) & 0x000000ff;
				if ( *((intOrPtr*)(_t444 + 0x10)) == 0) goto 0x40001cea;
				r12d =  *((intOrPtr*)(_t444 + 0x2c));
				goto 0x40003089;
				 *((long long*)(_t467 - 0x50)) = _t471;
				r15d =  *((intOrPtr*)(_t468 + 0x44));
				r14d =  *((intOrPtr*)(_t468 + 0x40));
				if (_t472 - _t363 >= 0) goto 0x40001cbc;
				_t364 =  *0x401296a0; // 0x0
				_t480 =  *((intOrPtr*)(_t364 + _t472 * 8));
				 *((long long*)(_t467 + 0x30)) = _t480;
				if ( *(_t480 + 0x20) == 0) goto 0x40002cd7;
				E000000011400149A0(_t384,  *(_t480 + 0x20));
				 *((long long*)(_t467 - 0x58)) = _t364;
				r12d =  *((intOrPtr*)(_t467 + 0x1410));
				r13d =  *(_t467 + 0x1420) & 0x000000ff;
				if (_t364 == 0) goto 0x40001cde;
				_t241 =  *( *(_t480 + 0x20)) & 0x000000ff;
				if (_t241 == 1) goto 0x40002cd1;
				if (_t241 == 3) goto 0x40002cd1;
				 *((long long*)(_t467 - 0x58)) = _t481;
				goto 0x40002cdd;
				 *((long long*)(_t467 - 0x58)) = _t471;
				E0000000114001A210(0, _t260, _t364, _t384, _t480,  *(_t467 - 0x80), _t454, _t480);
				r12d =  *((intOrPtr*)(_t467 + 0x1410));
				r13d =  *(_t467 + 0x1420) & 0x000000ff;
				if ( *((intOrPtr*)(_t480 + 0x18)) != _t481) goto 0x40001cde;
				if ( *((intOrPtr*)(_t480 + 0x3e)) == r15b) goto 0x40002d1b;
				 *0x4012b0fc =  *(_t467 - 0x80) & 0x0000ffff;
				goto 0x40002d22;
				 *0x4012b0fc = 0;
				r12d =  *((intOrPtr*)(_t480 + 0x28));
				r14d =  *((intOrPtr*)(_t468 + 0x70));
				goto 0x40003080;
				r12d =  *((intOrPtr*)(_t467 + 0x1410));
				r13d =  *(_t467 + 0x1420) & 0x000000ff;
				if ( *0x4012b0c0 != r10b) goto 0x40001ca7;
				_t457 =  ==  ?  *0x4012ac28 :  *0x4012b0a8;
				r12d = r10d;
				goto 0x40003080;
				_t406 = _t472;
				E00000001140054990( *(_t467 - 0x80) & 0x0000ffff, _t406);
				 *((long long*)(_t467 - 0x48)) = _t364;
				r12d =  *((intOrPtr*)(_t467 + 0x1410));
				r13d =  *(_t467 + 0x1420) & 0x000000ff;
				r14d =  *((intOrPtr*)(_t468 + 0x40));
				if (_t364 == 0) goto 0x40001cfd;
				r12d = 0;
				r14d =  *((intOrPtr*)(_t468 + 0x70));
				goto 0x40003080;
				_t446 =  *0x40129600;
				 *((long long*)(_t467 - 0x48)) = _t446;
				r13d =  *(_t467 + 0x1420) & 0x000000ff;
				if (_t446 == 0) goto 0x40001ca0;
				if (_t446 == _t472) goto 0x40002dfc;
				_t447 =  *((intOrPtr*)(_t446 + 8));
				 *((long long*)(_t467 - 0x48)) = _t447;
				if (_t447 != 0) goto 0x40002de0;
				r15d =  *((intOrPtr*)(_t468 + 0x44));
				goto 0x40002787;
				r12d =  *((intOrPtr*)(_t467 + 0x1410));
				r13d =  *(_t467 + 0x1420) & 0x000000ff;
				if (_t447 == 0) goto 0x40001ca7;
				if (r14d != 0x41c) goto 0x40002e31;
				goto 0x40002e4a;
				if (r14d != 0x41e) goto 0x40002e43;
				goto 0x40002e4a;
				r12d =  *((intOrPtr*)(_t467 + 0x1410));
				r13d =  *(_t467 + 0x1420) & 0x000000ff;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t447 + 0x10)) + 0x390)) + 0x3a0)) + 0x398)) == 0) goto 0x40001cea;
				r12d = r10d;
				goto 0x40003080;
				if ((r12w & 0x7fff) -  *((intOrPtr*)( *0x40125138)) >= 0) goto 0x40001cb3;
				_t425 =  *((intOrPtr*)( *0x40129678 + _t406 * 8));
				 *((long long*)(_t467 - 0x18)) = _t425;
				_t296 = r12w;
				if (_t296 == 0) goto 0x40002ed7;
				r12w = r12w + 0xffff;
				_t385 =  *((intOrPtr*)(_t425 + 0x28));
				 *((long long*)(_t467 - 0x40)) = _t385;
				if (_t296 == 0) goto 0x40002ece;
				_t386 =  *((intOrPtr*)(_t385 + 0x10));
				r12w = r12w + 0xffff;
				if (_t296 != 0) goto 0x40002ec0;
				 *((long long*)(_t467 - 0x40)) = _t386;
				if (_t386 != 0) goto 0x40002fdf;
				if (r14d != 0x400) goto 0x40002ef1;
				goto 0x40002ef4;
				if ( *((intOrPtr*)(_t425 + 0x19)) != r10b) goto 0x40002f0a;
				 *((long long*)(_t467 - 0x40)) = _t471;
				r15d =  *((intOrPtr*)(_t468 + 0x44));
				goto 0x40002787;
				 *((long long*)(_t467 - 0x58)) = _t471;
				_t387 =  *((intOrPtr*)(_t425 + 0x28));
				 *((long long*)(_t467 - 0x40)) = _t387;
				if (_t387 == 0) goto 0x40002fb3;
				if ( *((intOrPtr*)(_t387 + 0x28)) == r15b) goto 0x40002f91;
				if ( *0x40128c15 == r15b) goto 0x40002f41;
				if (E000000011400B1840( *0x40128c15 - r15b, _t387, _t425) == 0) goto 0x40002f91;
				if (0x3c2c17 - 0x66 > 0) goto 0x40002f5d;
				goto 0x40002f62;
				if (0x65 - ( *(_t387 + 0x24) & 0x000000ff) <= 0) goto 0x40002f91;
				if ( *((intOrPtr*)(_t387 + 8)) == 0) goto 0x40002f88;
				E000000011400149A0(_t387,  *((intOrPtr*)(_t387 + 8)));
				 *((long long*)(_t467 - 0x58)) = 0x3c2c17;
				if (0x3c2c17 + _t447 == 0) goto 0x40002f91;
				if ( *((intOrPtr*)(_t387 + 8)) != _t481) goto 0x40002fa7;
				_t388 =  *((intOrPtr*)(_t387 + 0x10));
				 *((long long*)(_t467 - 0x40)) = _t388;
				if (_t388 == 0) goto 0x40002fae;
				goto 0x40002f22;
				r14d =  *((intOrPtr*)(_t468 + 0x70));
				goto 0x40002fba;
				r14d =  *((intOrPtr*)(_t468 + 0x70));
				_t389 = _t387;
				 *((long long*)(_t467 - 0x40)) = _t389;
				r12d =  *((intOrPtr*)(_t467 + 0x1410));
				r13d =  *(_t467 + 0x1420) & 0x000000ff;
				if (_t389 == 0) goto 0x40001cde;
				r10d = 0;
				_t449 =  *_t389;
				_t311 = E000000011400B1790(_t449,  *((intOrPtr*)(_t467 - 0x18)));
				if (_t311 == 0) goto 0x40002ff2;
				if (_t311 != 0) goto 0x40003000;
				if ( *((intOrPtr*)(_t449 + 0x10)) == 0) goto 0x40003000;
				goto 0x40003002;
				if ( *((intOrPtr*)(_t389 + 0x22)) - ( *(_t389 + 0x23) & 0x000000ff) < 0) goto 0x40003050;
				if (0 == 0xe0) goto 0x40003050;
				if (0 == 0xcc) goto 0x40003050;
				if (0 == 0xda) goto 0x40003050;
				if (0 == 0xdb) goto 0x40003050;
				if (0 == 0xd6) goto 0x40003050;
				if (0 == 0xd7) goto 0x40003050;
				if (0 == 0xd8) goto 0x40003050;
				if (0 == 0xd9) goto 0x40003050;
				if ( *((intOrPtr*)(_t389 + 0x26)) == r15b) goto 0x4000303d;
				 *((char*)(_t389 + 0x27)) = 1;
				 *(_t389 + 0x18) = GetTickCount();
				r15d =  *((intOrPtr*)(_t468 + 0x44));
				goto 0x40002787;
				_t370 =  *((intOrPtr*)(_t389 + 8));
				if (_t370 == 0) goto 0x40003075;
				_t198 =  *_t370 & 0x000000ff;
				if (_t198 == 2) goto 0x40003075;
				if (_t198 == 4) goto 0x40003075;
				if (_t198 - 5 < 0) goto 0x40003079;
				 *((long long*)(_t467 - 0x58)) =  *0x40128c50;
				goto 0x40003079;
				 *((long long*)(_t467 - 0x58)) = _t471;
				_t466 =  *_t389;
				r12d =  *((intOrPtr*)(_t389 + 0x1c));
				_t450 =  *((intOrPtr*)(_t467 - 0x50));
				_t327 = E000000011400B1790(_t466,  *((intOrPtr*)(_t467 - 0x18)));
				if (_t327 == 0) goto 0x40003099;
				if (_t327 != 0) goto 0x400030a7;
				if ( *((intOrPtr*)(_t466 + 0x10)) == 0) goto 0x400030a7;
				goto 0x400030a9;
				_t233 =  *0x40128c28; // 0x2
				_t201 =  *0x4012357c; // 0xa
				if (_t233 - _t201 < 0) goto 0x400030e8;
				if (_t233 - _t201 + 2 >= 0) goto 0x400030f5;
				if (0 == 0xe0) goto 0x400030e8;
				if (0 == 0xcc) goto 0x400030e8;
				if (0 == 0xda) goto 0x400030e8;
				if (0 == 0xdb) goto 0x400030e8;
				if (0 == 0xd6) goto 0x400030e8;
				if (0 == 0xd7) goto 0x400030e8;
				if (0 == 0xd8) goto 0x400030e8;
				if (0 != 0xd9) goto 0x400030f5;
				_t373 =  *0x401235a8; // 0x2990b70
				if (r12d -  *((intOrPtr*)(_t373 + 0x3c)) >= 0) goto 0x40003170;
				if (_t481 == 0) goto 0x40003113;
				DragFinish(??);
				 *((long long*)( *((intOrPtr*)(_t468 + 0x60)) + 0xa0)) = _t450;
				r14d =  *((intOrPtr*)(_t468 + 0x70));
				goto 0x40003115;
				r12d =  *((intOrPtr*)(_t467 + 0x1410));
				r15d =  *((intOrPtr*)(_t468 + 0x44));
				r13d =  *(_t467 + 0x1420) & 0x000000ff;
				r14d =  *((intOrPtr*)(_t468 + 0x40));
				if (r14d != 0x41b) goto 0x40001d1f;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t467 - 0x48)) + 0x10)))) + 0x10))();
				r15d =  *((intOrPtr*)(_t468 + 0x44));
				r12d =  *((intOrPtr*)(_t467 + 0x1410));
				r13d =  *(_t467 + 0x1420) & 0x000000ff;
				goto 0x40001d1f;
				 *((char*)(_t468 + 0x44)) = 1;
				if (r14d == 0x402) goto 0x400031f4;
				if (r14d - 0x413 <= 0) goto 0x400031aa;
				if (r14d - 0x415 <= 0) goto 0x40003241;
				if (r14d - 0x41a <= 0) goto 0x400031aa;
				if (r14d - 0x41e <= 0) goto 0x40003241;
				_t376 =  *0x4012b050; // 0x1400ef524
				 *0x4012b058 = _t376;
				_t204 =  *0x4012b0f4; // 0x0
				 *0x4012b0f8 = _t204;
				if (r14d != 0x401) goto 0x400031d7;
				goto 0x400031df;
				 *0x4012b050 =  *((intOrPtr*)( *((intOrPtr*)(_t467 - 0x18)) + 0x20));
				 *0x4012b0f4 = GetTickCount();
				goto 0x40003241;
				r8d = 0x104;
				E000000011400D8154(_t233, _t260, 0x4012ac38,  *_t450, _t450, _t469);
				r14d = 0;
				 *0x4012ae40 = r14w;
				r8d = 0x104;
				E000000011400D8154(_t233, _t260, 0x4012ae42,  *((intOrPtr*)( *((intOrPtr*)(_t450 + 0x20)))), _t450, _t469);
				 *0x4012b04a = r14w;
				 *0x4012ac30 = _t450;
				goto 0x40003244;
				r14d = 0;
				_t451 =  *0x401295f8; // 0x2980f00
				if ( *((char*)(_t451 + 0x23)) != 0) goto 0x40003255;
				_t452 =  *((intOrPtr*)(_t451 + 0x10));
				if (( *(_t452 + 0x21) & 0x00000008) == 0) goto 0x40003263;
				0x40001130();
				if (( *(_t452 + 0x23) & 0x000000ff) != 1) goto 0x40003286;
				if (( *(_t452 + 0x21) & 0x00000004) == 0) goto 0x40003280;
				_t209 = E0000000114004E240(_t259, 0x4012ae42, _t389, 0x4012a580, _t452, _t452, _t467, _t469, _t470, _t472 >> 0x10,  *((intOrPtr*)(_t468 + 0x60)));
				goto 0x400032e9;
				if (_t209 != 2) goto 0x400032e2;
				_t434 =  *0x4012b1f0; // 0x0
				if (_t434 != 0) goto 0x400032e9;
				if (IsClipboardFormatAvailable(??) != 0) goto 0x400032c2;
				IsClipboardFormatAvailable(??);
				_t436 =  !=  ? L"<<>>" : 0x400ef524;
				goto 0x400032e9;
				E00000001140006A20(L"<<>>", _t389, 0x4012a580, _t467, _t472 >> 0x10);
				_t438 =  !=  ?  *0x4012b1e8 : 0x400ef524;
				goto 0x400032e9;
				r8d = 0x7f;
				E000000011400D8154(0xffffffff, _t260, _t467 + 0x1f0, 0x4012a488, _t452, _t469);
				 *((intOrPtr*)(_t467 + 0x2ee)) = r14w;
				r9d = 0;
				r8b = 1;
				E00000001140004C60(r12d, 0, _t389, _t452, _t466, _t467);
				_t215 = GetTickCount();
				 *0x4012b154 = _t215;
				 *0x4012b150 = _t215;
				if ( *((intOrPtr*)(_t468 + 0x70)) + 0xfffffbff - 0x1d > 0) goto 0x4000422e;
				goto __rcx;
			}

0x140002a4a
0x140002a53
0x140002a58
0x140002a60
0x140002a69
0x140002a72
0x140002a78
0x140002a7e
0x140002a84
0x140002a95
0x140002a9b
0x140002aa1
0x140002ab1
0x140002aca
0x140002acd
0x140002ad3
0x140002ada
0x140002ae5
0x140002afb
0x140002b04
0x140002b06
0x140002b17
0x140002b1f
0x140002b23
0x140002b29
0x140002b30
0x140002b37
0x140002b3e
0x140002b4a
0x140002b51
0x140002b64
0x140002b66
0x140002b72
0x140002b7a
0x140002b81
0x140002b86
0x140002b8e
0x140002b9f
0x140002ba5
0x140002bac
0x140002bb7
0x140002bc2
0x140002bcd
0x140002bda
0x140002be1
0x140002be6
0x140002beb
0x140002bed
0x140002bf0
0x140002bfa
0x140002bfc
0x140002c00
0x140002c07
0x140002c14
0x140002c16
0x140002c1a
0x140002c21
0x140002c23
0x140002c27
0x140002c29
0x140002c30
0x140002c37
0x140002c3f
0x140002c45
0x140002c4e
0x140002c53
0x140002c57
0x140002c6a
0x140002c76
0x140002c7c
0x140002c83
0x140002c87
0x140002c92
0x140002c98
0x140002c9d
0x140002ca4
0x140002cab
0x140002cb6
0x140002cc0
0x140002cc6
0x140002ccb
0x140002ccd
0x140002cd5
0x140002cd7
0x140002ce3
0x140002cec
0x140002cf3
0x140002d02
0x140002d0c
0x140002d12
0x140002d19
0x140002d1b
0x140002d25
0x140002d29
0x140002d2e
0x140002d3a
0x140002d41
0x140002d50
0x140002d60
0x140002d68
0x140002d6b
0x140002d70
0x140002d73
0x140002d78
0x140002d7f
0x140002d86
0x140002d8e
0x140002d9a
0x140002dad
0x140002db0
0x140002db5
0x140002dba
0x140002dc1
0x140002dc8
0x140002dd7
0x140002de3
0x140002de5
0x140002de9
0x140002df0
0x140002df2
0x140002df7
0x140002dff
0x140002e06
0x140002e15
0x140002e26
0x140002e2f
0x140002e38
0x140002e41
0x140002e4d
0x140002e54
0x140002e5c
0x140002e62
0x140002e65
0x140002e87
0x140002e97
0x140002e9b
0x140002ea3
0x140002ea7
0x140002eae
0x140002eb2
0x140002eb6
0x140002eba
0x140002ec0
0x140002ec4
0x140002ec8
0x140002eca
0x140002ed1
0x140002ede
0x140002eef
0x140002efa
0x140002efc
0x140002f00
0x140002f05
0x140002f0a
0x140002f11
0x140002f15
0x140002f1c
0x140002f26
0x140002f2f
0x140002f3b
0x140002f52
0x140002f5b
0x140002f68
0x140002f71
0x140002f77
0x140002f7f
0x140002f86
0x140002f8c
0x140002f91
0x140002f95
0x140002f9c
0x140002fa2
0x140002fa7
0x140002fac
0x140002fae
0x140002fb3
0x140002fb6
0x140002fbd
0x140002fc4
0x140002fd6
0x140002fdc
0x140002fdf
0x140002fea
0x140002fec
0x140002ff0
0x140002ff9
0x140002ffe
0x140003009
0x14000300e
0x140003013
0x140003018
0x14000301d
0x140003022
0x140003027
0x14000302c
0x140003031
0x140003037
0x140003039
0x140003043
0x140003046
0x14000304b
0x140003050
0x140003057
0x140003059
0x14000305e
0x140003062
0x140003066
0x14000306f
0x140003073
0x140003075
0x140003079
0x14000307c
0x140003085
0x140003091
0x140003093
0x140003097
0x1400030a0
0x1400030a5
0x1400030a9
0x1400030af
0x1400030b7
0x1400030be
0x1400030c3
0x1400030c8
0x1400030cd
0x1400030d2
0x1400030d7
0x1400030dc
0x1400030e1
0x1400030e6
0x1400030e8
0x1400030f3
0x1400030f8
0x1400030fd
0x140003105
0x14000310c
0x140003111
0x14000311c
0x140003123
0x140003128
0x140003130
0x14000313c
0x14000314d
0x140003150
0x140003155
0x14000315c
0x14000316b
0x140003170
0x14000317c
0x140003185
0x14000318e
0x14000319b
0x1400031a4
0x1400031aa
0x1400031b1
0x1400031b8
0x1400031be
0x1400031cb
0x1400031d5
0x1400031df
0x1400031ec
0x1400031f2
0x1400031f4
0x140003204
0x140003209
0x14000320c
0x140003218
0x14000322b
0x140003230
0x140003238
0x14000323f
0x140003241
0x140003244
0x14000324f
0x140003251
0x140003259
0x14000325e
0x140003269
0x14000326f
0x14000327b
0x140003284
0x140003288
0x14000328a
0x140003294
0x1400032a1
0x1400032a6
0x1400032bc
0x1400032c0
0x1400032c4
0x1400032d8
0x1400032e0
0x1400032e9
0x1400032f6
0x1400032fb
0x140003303
0x140003307
0x14000330f
0x14000331b
0x140003321
0x140003327
0x140003339
0x140003358

APIs

GetTickCount.KERNEL32 ref: 0000000140001D1F
GetForegroundWindow.USER32(?,?,?,Unk,?,?,AutoHotkey v1.1.33.10,?,00000001400BEDE9), ref: 0000000140002A78
GetWindowThreadProcessId.USER32 ref: 0000000140002A8F
GetClassNameW.USER32 ref: 0000000140002AB1
IsDialogMessageW.USER32 ref: 0000000140002AF3
SetCurrentDirectoryW.KERNEL32(?,?,?,Unk,?,?,AutoHotkey v1.1.33.10,?,00000001400BEDE9), ref: 0000000140002B23
DragFinish.SHELL32 ref: 00000001400030FD

Strings

#32770, xrefs: 0000000140002ABE

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$ClassCountCurrentDialogDirectoryDragFinishForegroundMessageNameProcessThreadTick
String ID: #32770
API String ID: 1508145071-463685578
Opcode ID: 2b7300c435811573a72aeb2c5c76ec1b4e2354ecc3239b9476785e739ea5ab20
Instruction ID: fd2235f4487044c7651d28cd3ff9677ecb7c07f00dcaea29a7a346a5ca71ea28
Opcode Fuzzy Hash: 2b7300c435811573a72aeb2c5c76ec1b4e2354ecc3239b9476785e739ea5ab20
Instruction Fuzzy Hash: CEC15AB2605B809AFB67CF27A8503E937A1F78DBD8F544126EB5917AB4DB39C841C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A6895 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 101
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefDlgProcW.USER32 ref: 00000001400A6FAD

Part of subcall function 00000001400AD060: DrawIconEx.USER32 ref: 00000001400AD108

FillRect.USER32 ref: 00000001400A6902
SetBkColor.GDI32 ref: 00000001400A6912
GetClassLongPtrW.USER32 ref: 00000001400A6923
FillRect.USER32 ref: 00000001400A6934
SetTextColor.GDI32 ref: 00000001400A6966
SendMessageW.USER32 ref: 00000001400A6980
SendMessageW.USER32 ref: 00000001400A6999
DrawTextW.USER32 ref: 00000001400A69CF
SetTextColor.GDI32 ref: 00000001400A69E4

Strings

%, xrefs: 00000001400A69B9

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ColorText$DrawFillMessageRectSend$ClassIconLongProc
String ID: %
API String ID: 3581072365-2567322570
Opcode ID: 5e0c92ef9508216dbc6a7c4cf399487b7a7ce6f044d9faa76b903444d7ee6ea8
Instruction ID: b163991d65dae1760c3d551ea73f0e98811eb29b7af1d044ade4128a1252361d
Opcode Fuzzy Hash: 5e0c92ef9508216dbc6a7c4cf399487b7a7ce6f044d9faa76b903444d7ee6ea8
Instruction Fuzzy Hash: 63414872610A418AEB228F36D4547D933B0F789BE9F154312EF6D577A8CF34C9868B80

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003B4F0 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsncpy.LIBCMT ref: 000000014003B571
realloc.LIBCMT ref: 000000014003B962

Strings

Variable name too long., xrefs: 000000014003B53E
Out of memory., xrefs: 000000014003B917
ErrorLevel, xrefs: 000000014003B64B
_$#@, xrefs: 000000014003B5AE
Illegal parameter name., xrefs: 000000014003B6E5
variable, xrefs: 000000014003B5D3
The following %s name contains an illegal character:"%-1.300s", xrefs: 000000014003B5DA

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: reallocwcsncpy
String ID: ErrorLevel$Illegal parameter name.$Out of memory.$The following %s name contains an illegal character:"%-1.300s"$Variable name too long.$_$#@$variable
API String ID: 3093889600-511781698
Opcode ID: b9d596e1fa5baeda9296395a62b66d02dd44081d45d8b7091965403f5a4202cd
Instruction ID: 884f5bd7a0b82f29c5b82067cdd5289451559d42066475a81d645a937ba4a567
Opcode Fuzzy Hash: b9d596e1fa5baeda9296395a62b66d02dd44081d45d8b7091965403f5a4202cd
Instruction Fuzzy Hash: 2B12D032205B8486EB62CF1AE4803EE73A5F788BD8F540216EB9D47BA9DF38C555C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400454CA Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 239
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2

Strings

ahk_default, xrefs: 0000000140045598
%s\%s, xrefs: 00000001400454F2

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: %s\%s$ahk_default
API String ID: 1623861271-75935552
Opcode ID: 3258eaca8894465841d789176901f39e6fa3be6865fcde0fdf98d39852862a45
Instruction ID: 4b0b31562cba852ca66f7389405a8358fb436fef460ba6fdd18236376b4140b6
Opcode Fuzzy Hash: 3258eaca8894465841d789176901f39e6fa3be6865fcde0fdf98d39852862a45
Instruction Fuzzy Hash: F7C17A71600A4486FB63DB27E4947EA37A1F34CBE4F55022AEB59936F5CB38C885C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043258 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 207
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Strings

UseErrorLevel, xrefs: 0000000140043258
ERROR, xrefs: 00000001400432DE

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: ERROR$UseErrorLevel
API String ID: 1623861271-2084857954
Opcode ID: 40463a27c416ac937293a0ec654d614409777263756bd76aed77455fb48f395c
Instruction ID: a9670693ef20dc3736004826566fb265b76eb09c06797e9c40d685d14df3b898
Opcode Fuzzy Hash: 40463a27c416ac937293a0ec654d614409777263756bd76aed77455fb48f395c
Instruction Fuzzy Hash: 45B1AE72604A4086FB63DB2BE8947EA37A1F34DBE4F55021AEB59936F5DB38C481C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A4D0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 128stringCOMMON

Download Yara Rule

APIs

realloc.LIBCMT ref: 000000014002A56C
GetFullPathNameW.KERNEL32(00000000,00891A80,00000004,000000014002A7BD), ref: 000000014002A5B8
lstrcmpiW.KERNEL32 ref: 000000014002A5E0

Strings

#Include, xrefs: 000000014002A6BE
Out of memory., xrefs: 000000014002A66C
Too many includes., xrefs: 000000014002A538
Script, xrefs: 000000014002A6C7
%s file "%s" cannot be opened., xrefs: 000000014002A6CE

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: FullNamePathlstrcmpirealloc
String ID: #Include$%s file "%s" cannot be opened.$Out of memory.$Script$Too many includes.
API String ID: 2655359885-2811576419
Opcode ID: 9b81d80be494016ce2bd68e5925d758ca34595522c71ea2a8b984ecdeaad96f5
Instruction ID: 13dfd93eae2d59f28d06bcfcbf77feac861b78ecea8f6dfe8350a59013e1dbd9
Opcode Fuzzy Hash: 9b81d80be494016ce2bd68e5925d758ca34595522c71ea2a8b984ecdeaad96f5
Instruction Fuzzy Hash: 42518D71204B8186FA62CF46E9907EA73A0F74D7C4F84412AAF49576B6CF3CC845D740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140099A00 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 98registryCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 0000000140099A9F
RegisterClassExW.USER32 ref: 0000000140099AC6

Strings

RegClass, xrefs: 0000000140099ADF
P, xrefs: 0000000140099A70
AutoHotkeyGUI, xrefs: 0000000140099A2D

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ClassCursorLoadRegister
String ID: AutoHotkeyGUI$P$RegClass
API String ID: 1693014935-1255895312
Opcode ID: ce29763e139c08f0cbcdb6bc442b7c5267ab40d884f1fc2bf43fbd3ec3f3e10a
Instruction ID: 80355e1df780d17e92620cb82e58f9b91325621869624a52f4f5f3a27bdf4188
Opcode Fuzzy Hash: ce29763e139c08f0cbcdb6bc442b7c5267ab40d884f1fc2bf43fbd3ec3f3e10a
Instruction Fuzzy Hash: CA512A72219B8086E766CF26F85479AB3A0F78CB94F144129EB8D57B68DF3CC495CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400D4FE8 Relevance: 13.6, APIs: 9, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001400D5011

Part of subcall function 00000001400D9FBC: _amsg_exit.LIBCMT ref: 00000001400D9FE6

RtlDecodePointer.NTDLL(?,?,?,00000000,?,00000000,00000000,00000001400D51D5,?,?,00000000,00000001400D9FEB,?,?,00000000,00000001400D9099), ref: 00000001400D5044
DecodePointer.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000001400D51D5,?,?,00000000,00000001400D9FEB,?,?,00000000,00000001400D9099), ref: 00000001400D5062
DecodePointer.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000001400D51D5,?,?,00000000,00000001400D9FEB,?,?,00000000,00000001400D9099), ref: 00000001400D50A2
DecodePointer.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000001400D51D5,?,?,00000000,00000001400D9FEB,?,?,00000000,00000001400D9099), ref: 00000001400D50BC
DecodePointer.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000001400D51D5,?,?,00000000,00000001400D9FEB,?,?,00000000,00000001400D9099), ref: 00000001400D50CC
_initterm.LIBCMT ref: 00000001400D510C
_initterm.LIBCMT ref: 00000001400D511F
ExitProcess.KERNEL32 ref: 00000001400D5158

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: DecodePointer$_initterm$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3873167975-0
Opcode ID: 1c2f30262f733dc0c3b3a38e6d644fbbef908046e730df53eec02c04641976a4
Instruction ID: 80cd7c8642a517208c919ae9a7a943aa93d953ffaffb7ff1c5f5748a9b14161d
Opcode Fuzzy Hash: 1c2f30262f733dc0c3b3a38e6d644fbbef908046e730df53eec02c04641976a4
Instruction Fuzzy Hash: F1416932216B4085EA52AB17F84039D76A4FB8CBD5F140029BF8E537B6EF39C8968750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140040418 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 357clipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A

Strings

Jumps cannot exit a FINALLY block., xrefs: 00000001400457EE

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ClipboardCloseCountGlobalTickUnlock
String ID: Jumps cannot exit a FINALLY block.
API String ID: 3761015043-672026804
Opcode ID: f5e78dae197c847a59aec54fa9cde467013ca59bca7159fb1ac5888ea6cfee1f
Instruction ID: b5d1621a32fe95101b16f69c05d8ea8657289c023a543d8b6c7adac443bdf09a
Opcode Fuzzy Hash: f5e78dae197c847a59aec54fa9cde467013ca59bca7159fb1ac5888ea6cfee1f
Instruction Fuzzy Hash: EF02AB72604B4486EB66DF26E4943E933A1F74DBE4F160226EB59537B6CB38C881C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140096340 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 338COMMON

Download Yara Rule

APIs

realloc.LIBCMT ref: 00000001400965B3

Strings

Parameter #1 invalid., xrefs: 00000001400963CB
Invalid Gui name., xrefs: 00000001400963A1
Out of memory., xrefs: 00000001400966AA
+LastFoundExist, xrefs: 000000014009653C
Could not create window., xrefs: 0000000140096731

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: realloc
String ID: +LastFoundExist$Could not create window.$Invalid Gui name.$Out of memory.$Parameter #1 invalid.
API String ID: 471065373-3585094845
Opcode ID: 11ce1c5de81552c2d5cb2b5603da03f97f295ed5fdd75bb4b85b49c2bf8e497f
Instruction ID: 4d7ac4c5d4ed32ee622816a61c9a1e667ea63e6746ceb01e8fb8ded44d1bc908
Opcode Fuzzy Hash: 11ce1c5de81552c2d5cb2b5603da03f97f295ed5fdd75bb4b85b49c2bf8e497f
Instruction Fuzzy Hash: 5FE15971206B4085EA67AF27E4503E963A4FB8DBC4F49402AEF4A577B5EF38C841C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003F9A4 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 295clipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A

Strings

A Goto/Gosub must not jump into a block that doesn't enclose it., xrefs: 0000000140045738

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ClipboardCloseCountGlobalTickUnlock
String ID: A Goto/Gosub must not jump into a block that doesn't enclose it.
API String ID: 3761015043-1592792148
Opcode ID: 65ccb9c99bd95aca5e654afb5a243ac3254ac32c37aded31e5384de564b7098a
Instruction ID: 8b7642a1ed9ee7290deb15899483240c4c32708b236d762d177503c478fe861e
Opcode Fuzzy Hash: 65ccb9c99bd95aca5e654afb5a243ac3254ac32c37aded31e5384de564b7098a
Instruction Fuzzy Hash: A1D1AF72600B4086FB67DB2BE4947EA23E1F74CBE4F154226EB59936B5DB38C885D700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400401D1 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 245windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2

Strings

Out of memory., xrefs: 00000001400402AE

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: Out of memory.
API String ID: 1623861271-4087320997
Opcode ID: d67de13641a6a82ec18487d6829fa1e0b97702f7e0266cbdf5b9ea1011f70b86
Instruction ID: 6b5ff1d7865524169b952598879cc7c2f77665ad1bf5000b195405812f5c513b
Opcode Fuzzy Hash: d67de13641a6a82ec18487d6829fa1e0b97702f7e0266cbdf5b9ea1011f70b86
Instruction Fuzzy Hash: 03C19E72604B408AEB56DF2BE4947EA37A1F74DBD4F11022AEB5993BB5CB38C491C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400441A8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 192windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2

Part of subcall function 00000001400D45AC: _errno.LIBCMT ref: 00000001400D45C4
Part of subcall function 00000001400D45AC: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D45CF

Strings

wait, xrefs: 00000001400441B5

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock_errno_invalid_parameter_noinfo
String ID: wait
API String ID: 130734711-2112783333
Opcode ID: faca9944b7b2313e19216d0ee3530eafe24bf8a49bbadc704477cc96163ea565
Instruction ID: 5086ed8fb0e00b62a7f03445b4b5e8409e84676109e579afdfe44611586bbe79
Opcode Fuzzy Hash: faca9944b7b2313e19216d0ee3530eafe24bf8a49bbadc704477cc96163ea565
Instruction Fuzzy Hash: F9A18071604A4086F763DB27E8947EA37A1F34DBE4F11021AEB59936F5CB38C885DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A5A7C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

wcsncpy.LIBCMT ref: 00000001400A5A8A
GetDC.USER32 ref: 00000001400A5BB7
GetDeviceCaps.GDI32 ref: 00000001400A5BC8
wcsncpy.LIBCMT ref: 00000001400A5BE8
EnumFontFamiliesExW.GDI32 ref: 00000001400A5C13
ReleaseDC.USER32 ref: 00000001400A5C46

Strings

Too many fonts., xrefs: 00000001400A5C72

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: wcsncpy$CapsDeviceEnumFamiliesFontRelease
String ID: Too many fonts.
API String ID: 768196730-3768670983
Opcode ID: b68a2b4d5b2885f892ee8741a438b4d09289ddc16cb1346dfae4e91af29bc526
Instruction ID: 034678213f2d745cbcb9a8b1005ed94f13a8a02cff41dacc2f89082067f98c40
Opcode Fuzzy Hash: b68a2b4d5b2885f892ee8741a438b4d09289ddc16cb1346dfae4e91af29bc526
Instruction Fuzzy Hash: A641A63260069196EB229F36D4513EE33A0F7687E9F804316FB5A576F9EB38C586C710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A5B3F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400D4D80: _errno.LIBCMT ref: 00000001400D4D9E
Part of subcall function 00000001400D4D80: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D4DA9

GetDC.USER32 ref: 00000001400A5BB7
GetDeviceCaps.GDI32 ref: 00000001400A5BC8
wcsncpy.LIBCMT ref: 00000001400A5BE8
EnumFontFamiliesExW.GDI32 ref: 00000001400A5C13
ReleaseDC.USER32 ref: 00000001400A5C46

Strings

Too many fonts., xrefs: 00000001400A5C72
strike, xrefs: 00000001400A5B3F

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CapsDeviceEnumFamiliesFontRelease_errno_invalid_parameter_noinfowcsncpy
String ID: Too many fonts.$strike
API String ID: 2647040997-575501622
Opcode ID: 6ab987ece8d9f9ca53bf77c0274f36fcc6cb4166d03db4b476123704094715ab
Instruction ID: abf74eb6d5889e65c4822a59a4cd8f7c77d187920231a8843eb778ad2c582ba4
Opcode Fuzzy Hash: 6ab987ece8d9f9ca53bf77c0274f36fcc6cb4166d03db4b476123704094715ab
Instruction Fuzzy Hash: F431A3726046C19AEB22EF36E4003EE77A0F7697D9F404216EB5A576F5EB38C585CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A5A1C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400D4D80: _errno.LIBCMT ref: 00000001400D4D9E
Part of subcall function 00000001400D4D80: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D4DA9

GetDC.USER32 ref: 00000001400A5BB7
GetDeviceCaps.GDI32 ref: 00000001400A5BC8
wcsncpy.LIBCMT ref: 00000001400A5BE8
EnumFontFamiliesExW.GDI32 ref: 00000001400A5C13
ReleaseDC.USER32 ref: 00000001400A5C46

Strings

norm, xrefs: 00000001400A5A1C
Too many fonts., xrefs: 00000001400A5C72

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CapsDeviceEnumFamiliesFontRelease_errno_invalid_parameter_noinfowcsncpy
String ID: Too many fonts.$norm
API String ID: 2647040997-1827923053
Opcode ID: f9f0234e3c0107141028bdace5416948456241042fa548369bd28499bd231f1a
Instruction ID: 4b2a5153109e8bd33cd1bcbc1ad64c494e1bab5ae5d239b11e5e4f49268f7db9
Opcode Fuzzy Hash: f9f0234e3c0107141028bdace5416948456241042fa548369bd28499bd231f1a
Instruction Fuzzy Hash: 6C31A1726046C18AEB22EF36E4003EE77A4F7597D9F404216EB5A576B9EB38C185C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A59C5 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400D4D80: _errno.LIBCMT ref: 00000001400D4D9E
Part of subcall function 00000001400D4D80: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D4DA9

GetDC.USER32 ref: 00000001400A5BB7
GetDeviceCaps.GDI32 ref: 00000001400A5BC8
wcsncpy.LIBCMT ref: 00000001400A5BE8
EnumFontFamiliesExW.GDI32 ref: 00000001400A5C13
ReleaseDC.USER32 ref: 00000001400A5C46

Strings

Too many fonts., xrefs: 00000001400A5C72
bold, xrefs: 00000001400A59C5

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CapsDeviceEnumFamiliesFontRelease_errno_invalid_parameter_noinfowcsncpy
String ID: Too many fonts.$bold
API String ID: 2647040997-2344148142
Opcode ID: c2f60197ecabcd6817958d4a8090d5ea758d1bc1daa5c7a9aa9b2188cbe763ae
Instruction ID: 6a2dae7b0f8556b88b414a8d739aac33db686797436ae5defb54d3d94d4921ed
Opcode Fuzzy Hash: c2f60197ecabcd6817958d4a8090d5ea758d1bc1daa5c7a9aa9b2188cbe763ae
Instruction Fuzzy Hash: 6631B4726006C18AEB22EF36E4043EE77A0F7597D9F404216EB5A576F5EB38C589CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A59F2 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400D4D80: _errno.LIBCMT ref: 00000001400D4D9E
Part of subcall function 00000001400D4D80: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D4DA9

GetDC.USER32 ref: 00000001400A5BB7
GetDeviceCaps.GDI32 ref: 00000001400A5BC8
wcsncpy.LIBCMT ref: 00000001400A5BE8
EnumFontFamiliesExW.GDI32 ref: 00000001400A5C13
ReleaseDC.USER32 ref: 00000001400A5C46

Strings

Too many fonts., xrefs: 00000001400A5C72
italic, xrefs: 00000001400A59F2

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CapsDeviceEnumFamiliesFontRelease_errno_invalid_parameter_noinfowcsncpy
String ID: Too many fonts.$italic
API String ID: 2647040997-523413990
Opcode ID: dd290d6ff0123816b8e2d43f171e2662b81719123e72c8531047e741b31372fc
Instruction ID: 1f163d718852967401a2b4e4ff4bb98424052cfa102a98c90b62045228e28a03
Opcode Fuzzy Hash: dd290d6ff0123816b8e2d43f171e2662b81719123e72c8531047e741b31372fc
Instruction Fuzzy Hash: 6831C2726006C18AEB22EF36E4003EE77A0F7697D9F404216EB5A176F5EB78C189C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A5A52 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400D4D80: _errno.LIBCMT ref: 00000001400D4D9E
Part of subcall function 00000001400D4D80: _invalid_parameter_noinfo.LIBCMT ref: 00000001400D4DA9

GetDC.USER32 ref: 00000001400A5BB7
GetDeviceCaps.GDI32 ref: 00000001400A5BC8
wcsncpy.LIBCMT ref: 00000001400A5BE8
EnumFontFamiliesExW.GDI32 ref: 00000001400A5C13
ReleaseDC.USER32 ref: 00000001400A5C46

Strings

underline, xrefs: 00000001400A5A52
Too many fonts., xrefs: 00000001400A5C72

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CapsDeviceEnumFamiliesFontRelease_errno_invalid_parameter_noinfowcsncpy
String ID: Too many fonts.$underline
API String ID: 2647040997-4185347138
Opcode ID: d4a2647629286e50c7f13c724a7e57cecc836d8b647882945d77edbf93453349
Instruction ID: 07b86df15545602e4c0ae11ee740fe6ab8040dc513df82ff25f0cfc1e34fbc19
Opcode Fuzzy Hash: d4a2647629286e50c7f13c724a7e57cecc836d8b647882945d77edbf93453349
Instruction Fuzzy Hash: 3F31B4726046C18AEB22EF36E4003EE77A0F7697D9F404216EB5A576F5EB39C589C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044A4B Relevance: 12.2, APIs: 8, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6
IsWindow.USER32 ref: 0000000140044A57
DestroyWindow.USER32 ref: 0000000140044A68

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$Window$ClipboardCloseDestroyGlobalMessagePeekUnlock
String ID:
API String ID: 2997888913-0
Opcode ID: 728dc40a4447ea5f476e51763dbdbcd7152957769b0fbf6b3fd42cca71c9d86a
Instruction ID: 31fcdbbf58d599ae78aa3647b8bcce34610da9cc627fb7924c6012c0d59c303e
Opcode Fuzzy Hash: 728dc40a4447ea5f476e51763dbdbcd7152957769b0fbf6b3fd42cca71c9d86a
Instruction Fuzzy Hash: D7919C71600A4486F7639F2BE8947EA37A1F34DBE4F15022AEB59936F5CB38C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140040037 Relevance: 10.8, APIs: 7, Instructions: 265clipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
GetCPInfo.KERNEL32 ref: 0000000140040083

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ClipboardCloseCountGlobalInfoTickUnlock
String ID:
API String ID: 3668674636-0
Opcode ID: 3d553be35333564331e119bb89c7e38f0636d56a61d0a93075d1ab99fdab1116
Instruction ID: b1ede3d9148ee010f2372f02fb1780ca46ce1a84893126bdcf016e248eaddc1f
Opcode Fuzzy Hash: 3d553be35333564331e119bb89c7e38f0636d56a61d0a93075d1ab99fdab1116
Instruction Fuzzy Hash: 3BD1AE72600B808AE762DF26E8847E937A1F34D7A4F10422AEB5997BF5DF38C595C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400402D3 Relevance: 10.7, APIs: 7, Instructions: 235registrywindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
RegCloseKey.ADVAPI32 ref: 000000014004037A

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CloseCountTick$ClipboardGlobalMessagePeekUnlock
String ID:
API String ID: 4107439908-0
Opcode ID: 9bd25f3c2405de312a3ba2dc8e630e52ca570d140b6b7a3289e5586a46764da2
Instruction ID: e6adec284114cc5c17311fbbf14dce33be2f169060581df543e1458c6b604dae
Opcode Fuzzy Hash: 9bd25f3c2405de312a3ba2dc8e630e52ca570d140b6b7a3289e5586a46764da2
Instruction Fuzzy Hash: 29C15E72604B448AE762DF2BE4947EA37A1F34DBE4F11022AEB5953BB5DB38C491C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400453FF Relevance: 10.7, APIs: 7, Instructions: 223registrywindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
RegCloseKey.ADVAPI32 ref: 00000001400453F0

Part of subcall function 00000001400B38E0: RegCreateKeyExW.ADVAPI32 ref: 00000001400B395C
Part of subcall function 00000001400B38E0: RegCloseKey.ADVAPI32 ref: 00000001400B3C35
Part of subcall function 00000001400B38E0: GetLastError.KERNEL32 ref: 00000001400B3C44

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Close$CountTick$ClipboardCreateErrorGlobalLastMessagePeekUnlock
String ID:
API String ID: 2674141723-0
Opcode ID: e40b699a336118465f6791b3f7c898904514726b145b12d640d22241968d424f
Instruction ID: a8f27270584beac0a0598d191ac4745e964369b731779255847b8e6bba6f02b0
Opcode Fuzzy Hash: e40b699a336118465f6791b3f7c898904514726b145b12d640d22241968d424f
Instruction Fuzzy Hash: 37B18AB1604A4086EB63DF27E4947EA37A1F34DBE4F15022AEB59936F5CB38C881C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004535D Relevance: 10.7, APIs: 7, Instructions: 209registrywindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
RegCloseKey.ADVAPI32 ref: 00000001400453F0

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CloseCountTick$ClipboardGlobalMessagePeekUnlock
String ID:
API String ID: 4107439908-0
Opcode ID: 72fbd035759c552b67910b10a5043fa35c0bc46c8d2bddac46f4ea6a420c7a9c
Instruction ID: 38ae760b67903300f171c5b2d076ad567193db56064f38ff897f7eced8492c46
Opcode Fuzzy Hash: 72fbd035759c552b67910b10a5043fa35c0bc46c8d2bddac46f4ea6a420c7a9c
Instruction Fuzzy Hash: 4FA18CB1604A4486FB67DF27A4947EA37A1F34DBE4F11022AEB59936F5CB38C885C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400443AA Relevance: 10.7, APIs: 7, Instructions: 200filewindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
MoveFileW.KERNEL32 ref: 00000001400443CD

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseFileGlobalMessageMovePeekUnlock
String ID:
API String ID: 1818255640-0
Opcode ID: 2ce2368a0c78ee1cad29aac814e55b326bc70ce8d711c3164c101da11d0bfcc2
Instruction ID: 381167884cd1d9b8d9b8900e6f698869d1bcd80b042da5b5a66f497414f893a6
Opcode Fuzzy Hash: 2ce2368a0c78ee1cad29aac814e55b326bc70ce8d711c3164c101da11d0bfcc2
Instruction Fuzzy Hash: 20A18071604A4086FB579B2BE4947EA37A1F74DBE4F11022AFB59936F5CB38C885C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044146 Relevance: 10.7, APIs: 7, Instructions: 194windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
Beep.KERNEL32 ref: 000000014004419D

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$BeepClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 3141429382-0
Opcode ID: 699cf71d5c791cfbde11a6c0181d3b96089a86249a8a4e16a1bfd75f5f2df986
Instruction ID: 784e655dadcb6f09496b092390b1cbdbea3e730b98660987ae66f994ef6905d9
Opcode Fuzzy Hash: 699cf71d5c791cfbde11a6c0181d3b96089a86249a8a4e16a1bfd75f5f2df986
Instruction Fuzzy Hash: 57A19E71600A4486F7679B2BE4947EA37A2F34DBE4F51022AEB59936F5CB38C885C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004427E Relevance: 10.7, APIs: 7, Instructions: 186windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6
SHEmptyRecycleBinW.SHELL32 ref: 0000000140044296

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseEmptyGlobalMessagePeekRecycleUnlock
String ID:
API String ID: 2387848762-0
Opcode ID: 18da8eaeab2154d7398d88fc29bf32144aab3d8fd154590a6b5819f7fe544370
Instruction ID: e22a7e9d31cc279c7c6e7dcbe4ef092791ff7888012eb5f26db51426b0880ff4
Opcode Fuzzy Hash: 18da8eaeab2154d7398d88fc29bf32144aab3d8fd154590a6b5819f7fe544370
Instruction Fuzzy Hash: 4091A071604A4086F7639B2BE4947EA37E1F34DBE4F11022AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044424 Relevance: 10.7, APIs: 7, Instructions: 186windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140071020: GetFileAttributesW.KERNEL32 ref: 000000014007104E
Part of subcall function 0000000140071020: SetLastError.KERNEL32 ref: 0000000140071060

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6
GetLastError.KERNEL32 ref: 0000000140044438

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ErrorLast$AttributesClipboardCloseFileGlobalMessagePeekUnlock
String ID:
API String ID: 3508199841-0
Opcode ID: c170e8b3c9ca03c3f9d96c8db834f8f6e1cbece220e7cb4fffaa467628fb74ba
Instruction ID: 9df10e5f5dc962a6006c5fc1490a5e11dfdc2b0838e35380646f29e25f353bde
Opcode Fuzzy Hash: c170e8b3c9ca03c3f9d96c8db834f8f6e1cbece220e7cb4fffaa467628fb74ba
Instruction Fuzzy Hash: 8791AE71604A4086F767DB2BE4947EA37A1F34DBE4F11022AEB59936F5CB38C885CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043188 Relevance: 10.7, APIs: 7, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6
SetEnvironmentVariableW.KERNEL32 ref: 0000000140043196

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseEnvironmentGlobalMessagePeekUnlockVariable
String ID:
API String ID: 2791281230-0
Opcode ID: 392eb50889002b37a362bb2e78eb8963c28b0ecebb60c39bfe95d0746aa03210
Instruction ID: 82aef1fc6412bb81cc1356f21fe02ff55fec7832cb6028d80edd8adb2b394812
Opcode Fuzzy Hash: 392eb50889002b37a362bb2e78eb8963c28b0ecebb60c39bfe95d0746aa03210
Instruction Fuzzy Hash: 24918D71604A4486F7639B2BE4947EA37A1F34DBE4F11022AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140045602 Relevance: 10.7, APIs: 7, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6
OutputDebugStringW.KERNEL32 ref: 0000000140045622

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseDebugGlobalMessageOutputPeekStringUnlock
String ID:
API String ID: 1875564215-0
Opcode ID: f5ac831e158e4fe2131f7c6763a5d66de76e2962e58e5d3fec54023129841a30
Instruction ID: ba7fbaa656abb55930787e4f7c1680799fcd3ea488c733763e31f6fb933a7ec1
Opcode Fuzzy Hash: f5ac831e158e4fe2131f7c6763a5d66de76e2962e58e5d3fec54023129841a30
Instruction Fuzzy Hash: FE919E71600A4086FB679F2BE4947EA37A1F34DBE4F15021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400451DA Relevance: 10.7, APIs: 7, Instructions: 173keyboardwindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6
BlockInput.USER32 ref: 00000001400451E1

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$BlockClipboardCloseGlobalInputMessagePeekUnlock
String ID:
API String ID: 3677732381-0
Opcode ID: 5f030ac0cc7725ad70d2be7422bcc631a1170fea5e752fd546baf660cf20f777
Instruction ID: 2f9b7c30dafcf1933adf04dc28115e8cbee1d0ac29a7fec43d1504c7ac530c04
Opcode Fuzzy Hash: 5f030ac0cc7725ad70d2be7422bcc631a1170fea5e752fd546baf660cf20f777
Instruction Fuzzy Hash: EC91BE71604A4086F7639F2BE8947EA37A1F34DBE4F11022AEB59936F5CB38C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400451F2 Relevance: 10.7, APIs: 7, Instructions: 173keyboardwindowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6
BlockInput.USER32 ref: 00000001400451F4

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$BlockClipboardCloseGlobalInputMessagePeekUnlock
String ID:
API String ID: 3677732381-0
Opcode ID: 80b740bd76c33cced64bdddaec204b83637ad4250446710e5d36b1f951c2e577
Instruction ID: db4738dfb72672d59dc03db3017afc55108b45a08a4a5eef55a73f3f6a3a15a8
Opcode Fuzzy Hash: 80b740bd76c33cced64bdddaec204b83637ad4250446710e5d36b1f951c2e577
Instruction Fuzzy Hash: 0291AE71604A4086F7679F2BE8947EA37A1F34DBE4F11022AEB59936F5CB38C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A5B7C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00000001400A5BB7
GetDeviceCaps.GDI32 ref: 00000001400A5BC8
wcsncpy.LIBCMT ref: 00000001400A5BE8
EnumFontFamiliesExW.GDI32 ref: 00000001400A5C13
ReleaseDC.USER32 ref: 00000001400A5C46

Strings

Too many fonts., xrefs: 00000001400A5C72

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CapsDeviceEnumFamiliesFontReleasewcsncpy
String ID: Too many fonts.
API String ID: 3835324729-3768670983
Opcode ID: 7caadcdeb790410054bc4a3079551174a38e2e0664bc79fb936c26209e26905e
Instruction ID: c6a88ba00c9fc6d5d096e182c4980605156820719a3a50e050abc899512f3188
Opcode Fuzzy Hash: 7caadcdeb790410054bc4a3079551174a38e2e0664bc79fb936c26209e26905e
Instruction Fuzzy Hash: BA31B6726046C19AEB22DF36E4003EE77A0F7587E9F404216EB5A576F9EB38C589C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400027B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64threadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,Unk,?,?,AutoHotkey v1.1.33.10,?,00000001400BEDE9), ref: 0000000140002A78
GetWindowThreadProcessId.USER32 ref: 0000000140002A8F
GetClassNameW.USER32 ref: 0000000140002AB1
IsDialogMessageW.USER32 ref: 0000000140002AF3
SetCurrentDirectoryW.KERNEL32(?,?,?,Unk,?,?,AutoHotkey v1.1.33.10,?,00000001400BEDE9), ref: 0000000140002B23

Strings

#32770, xrefs: 0000000140002ABE

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$ClassCurrentDialogDirectoryForegroundMessageNameProcessThread
String ID: #32770
API String ID: 2633243691-463685578
Opcode ID: 0fc1644bd7f7534e944a750e52b3fbcfd74a947a06d10c143e027575df1bc05a
Instruction ID: ad2369f3de0e52ebf57efa14818a12ac3dce2fb5f677e15fafae45bf2dfaab57
Opcode Fuzzy Hash: 0fc1644bd7f7534e944a750e52b3fbcfd74a947a06d10c143e027575df1bc05a
Instruction Fuzzy Hash: 9A3146B1609B4486FE67CF17E8487E437A0A74CBD8F484026EB0A173B0DB7DC9868751

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400D4A38 Relevance: 10.5, APIs: 7, Instructions: 47memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00000001400D4A68
RtlAllocateHeap.NTDLL(?,?,00000000,00000001400DB8F0,?,?,00000000,00000001400D9F35,?,?,?,00000001400D9FDF,?,?,00000000,00000001400D9099), ref: 00000001400D4A8D
_callnewh.LIBCMT ref: 00000001400D4AA6
_errno.LIBCMT ref: 00000001400D4AB1
_errno.LIBCMT ref: 00000001400D4ABC
_callnewh.LIBCMT ref: 00000001400D4ACC
_errno.LIBCMT ref: 00000001400D4AD1

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: _errno$_callnewh$AllocateHeap
String ID:
API String ID: 1831131624-0
Opcode ID: 0b31c4eb5caa2c98ba639a0c89c64c00dc831566bbd37794d5ad5eb2d316d0ea
Instruction ID: 9a8f6f87e658f0323d49ad8c35eb89eab194a3fef52ed99f45d1f93714f394df
Opcode Fuzzy Hash: 0b31c4eb5caa2c98ba639a0c89c64c00dc831566bbd37794d5ad5eb2d316d0ea
Instruction Fuzzy Hash: C4113C7525074086FB57ABA7A5513ED22D09F8CBE0F054224BB29477E6DE78C842CB35

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003F3B0 Relevance: 9.3, APIs: 6, Instructions: 314windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 1bafcbaa24be045be66ac99034db58231fdfb4211136f73e1b59b9203763f5ef
Instruction ID: 4e28d3663253dfbb30dba0519e6c44cd223a12087d3b73b7b1b5433a796e75a5
Opcode Fuzzy Hash: 1bafcbaa24be045be66ac99034db58231fdfb4211136f73e1b59b9203763f5ef
Instruction Fuzzy Hash: 4CF1CE72604B848AE762CF2AE8447E937A1F74DBA4F150226EB59937B5DF38C891C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003F84A Relevance: 9.2, APIs: 6, Instructions: 244windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: d6ea5757d815749866e27e9cb1992fa3559634926241356b5d1a264099c3d160
Instruction ID: 5deeaa8d1707e294e884b1e7e655ce58d2175607dea8dc704d06a2fd82b3d605
Opcode Fuzzy Hash: d6ea5757d815749866e27e9cb1992fa3559634926241356b5d1a264099c3d160
Instruction Fuzzy Hash: 0AC1AE72600B4486FB678B2BA4947EA33E1F74C7E4F15422AEB59936F5DB38C885C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400448BE Relevance: 9.2, APIs: 6, Instructions: 240windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ClipboardCloseCountGlobalMessagePeekTickUnlock
String ID:
API String ID: 1792675829-0
Opcode ID: efa4f743b035a0361d6f758240320a7e536dc3c38d7789f830c9b1741422c01c
Instruction ID: 139f5bd980baea737c443dbacd4ba226f2d113d1f7117923014237eb8ad204b1
Opcode Fuzzy Hash: efa4f743b035a0361d6f758240320a7e536dc3c38d7789f830c9b1741422c01c
Instruction Fuzzy Hash: 88C1AB72604A4486EB639F2BE4947EA37A1F38DBD4F51022AEB59577F5CB38C881C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004475A Relevance: 9.2, APIs: 6, Instructions: 202windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2

Part of subcall function 00000001400631A0: SendMessageW.USER32(?,0000000140044755), ref: 0000000140063290
Part of subcall function 00000001400631A0: IsWindowVisible.USER32 ref: 000000014006329D
Part of subcall function 00000001400631A0: ShowWindow.USER32(?,0000000140044755), ref: 00000001400632B1
Part of subcall function 00000001400631A0: IsIconic.USER32 ref: 00000001400632BE
Part of subcall function 00000001400631A0: ShowWindow.USER32(?,0000000140044755), ref: 00000001400632D4
Part of subcall function 00000001400631A0: GetForegroundWindow.USER32(?,0000000140044755), ref: 00000001400632DA
Part of subcall function 00000001400631A0: SetForegroundWindow.USER32(?,0000000140044755), ref: 00000001400632EC
Part of subcall function 00000001400631A0: SendMessageW.USER32(?,0000000140044755), ref: 000000014006331C

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$Message$CountForegroundSendShowTick$ClipboardCloseGlobalIconicPeekUnlockVisible
String ID:
API String ID: 1768851721-0
Opcode ID: 05e5ae4f0b80ef32db8dfb4f6580827c2a461eec531e28ac0547fb875e587290
Instruction ID: fa3463e7822959cfcf2b99328a68d459502a6bd87e908b623b480802f052e959
Opcode Fuzzy Hash: 05e5ae4f0b80ef32db8dfb4f6580827c2a461eec531e28ac0547fb875e587290
Instruction Fuzzy Hash: 94A19F71604A8086F7639F2BE4947EA37A1F34D7E4F11022AEB59936F5CB38C885CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140040AC6 Relevance: 9.2, APIs: 6, Instructions: 202COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003F3B0: GlobalUnlock.KERNEL32 ref: 000000014003F47A
Part of subcall function 000000014003F3B0: CloseClipboard.USER32 ref: 000000014003F487
Part of subcall function 000000014003F3B0: GetTickCount.KERNEL32 ref: 000000014003F49A
Part of subcall function 000000014003F3B0: PeekMessageW.USER32 ref: 000000014003F4CE
Part of subcall function 000000014003F3B0: GetTickCount.KERNEL32 ref: 000000014003F4E2

GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 6699d64b15f7ad2442f56715c4415a9b3510257dc589583a5dffa5271cfabf59
Instruction ID: f470308c1b50a65e454e4188fd2c3e09787f168a0e5697566e8074651782a81c
Opcode Fuzzy Hash: 6699d64b15f7ad2442f56715c4415a9b3510257dc589583a5dffa5271cfabf59
Instruction Fuzzy Hash: 7BA1AC72604A8485F7639F2BE4947EA37A1F74DBE4F15022AEB59936F5CB38C885C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004457A Relevance: 9.2, APIs: 6, Instructions: 198windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 32d0cda4179934e23456553c1c0814e577c4c3b2c76192bda4cf8e1d79b99a7f
Instruction ID: a4942542c5368076bf32bd663d7c336d788922968b449419e03b9ee3f9d74394
Opcode Fuzzy Hash: 32d0cda4179934e23456553c1c0814e577c4c3b2c76192bda4cf8e1d79b99a7f
Instruction Fuzzy Hash: 30A19E72604A4486FB639F27E4947EA37A1F34DBE4F55022AEB59936F5CB38C881C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400449E9 Relevance: 9.2, APIs: 6, Instructions: 198windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 80d284764cbc1a17c209118da9fee93f415cddaffac0aed19b0a54d90f8bf01e
Instruction ID: e452b55e708e4a9c8265e140d714c2a67d35d33386acc1f626bdd0e2a6c74be6
Opcode Fuzzy Hash: 80d284764cbc1a17c209118da9fee93f415cddaffac0aed19b0a54d90f8bf01e
Instruction Fuzzy Hash: B0A1AE71600A4486F7639F2BE4947EA37A2F34DBE4F51022AEB59936F5CB38C881C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400440EC Relevance: 9.2, APIs: 6, Instructions: 196windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 73708a1f46c3f3831fe525bde842a04152176eea3afa68827fc8d0bfb2379aee
Instruction ID: c3e1cbd7a95a4075979271c150b4c1339850eac63f2c317ac316650d3f27fe83
Opcode Fuzzy Hash: 73708a1f46c3f3831fe525bde842a04152176eea3afa68827fc8d0bfb2379aee
Instruction Fuzzy Hash: 71A1A071604A4486F763DB2BE4947EA37A1F34DBE4F51022AEB59936F5CB38C881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004242F Relevance: 9.2, APIs: 6, Instructions: 196windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: f8beca015a2b3fac49949155695a1d1b65b6c2654556be00846578c819305b4a
Instruction ID: 8fde7c65a7b67bba3667313a3cf05aaf3d56e74402e65385c7099b1aa6129dc3
Opcode Fuzzy Hash: f8beca015a2b3fac49949155695a1d1b65b6c2654556be00846578c819305b4a
Instruction Fuzzy Hash: 56A19F71604A4486FB67DB2BE4947EA37A2F34DBE4F11022AEB59936F5CB38C485C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400444D5 Relevance: 9.2, APIs: 6, Instructions: 196windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 3e64b218a784a7af212bffccb095cddf3a9a186c39d7ed68b426b307f74ae239
Instruction ID: c8ff19a01d87f6396ad54164e7e0221a04dfdfd69c3afef1691ae6235eb30a47
Opcode Fuzzy Hash: 3e64b218a784a7af212bffccb095cddf3a9a186c39d7ed68b426b307f74ae239
Instruction Fuzzy Hash: 4FA19E71604A4486FB63DB27E4947EA37A1F34DBE4F15022AEB59936F5CB38C885C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400442D2 Relevance: 9.2, APIs: 6, Instructions: 195windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014008C940: GetFullPathNameW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008C97C
Part of subcall function 000000014008C940: GetFullPathNameW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008C9C1
Part of subcall function 000000014008C940: GetFileAttributesW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008C9F9
Part of subcall function 000000014008C940: GetFileAttributesW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008CA35
Part of subcall function 000000014008C940: FindFirstFileW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008CA76
Part of subcall function 000000014008C940: GetLastError.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008CA85

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountFileTick$AttributesFullNamePath$ClipboardCloseErrorFindFirstGlobalLastMessagePeekUnlock
String ID:
API String ID: 3916726430-0
Opcode ID: 4d1ba2899d76f02d9fbc19f7f3f8be90b1be808c44e89576c1f4453325907012
Instruction ID: 4c4d5daf1211cb60b549c1c084533da8c7b66f90a1a0114e4d8c410d1082d769
Opcode Fuzzy Hash: 4d1ba2899d76f02d9fbc19f7f3f8be90b1be808c44e89576c1f4453325907012
Instruction Fuzzy Hash: BDA19E71604A4086F763DB2BE4947EA37A1F34DBE4F51022AEB69936F5CB38C885C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004445D Relevance: 9.2, APIs: 6, Instructions: 191windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Part of subcall function 000000014008C840: RemoveDirectoryW.KERNEL32 ref: 000000014008C84B

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseDirectoryGlobalMessagePeekRemoveUnlock
String ID:
API String ID: 1863380684-0
Opcode ID: 1538c4ce194167179956761960e9738037797a61c1469872b82bba98b9db0196
Instruction ID: 2935d86ef83f8916af2cf96cadc9afb3c3828a49309171058e9681ddc1d9caae
Opcode Fuzzy Hash: 1538c4ce194167179956761960e9738037797a61c1469872b82bba98b9db0196
Instruction Fuzzy Hash: EE91AF71604A4086F767DB2BE4947EA37A2F34DBE4F11022AEB59936F5CB38C885D740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400446E1 Relevance: 9.2, APIs: 6, Instructions: 191windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014008BB00: CoInitialize.OLE32 ref: 000000014008BB2D
Part of subcall function 000000014008BB00: CoCreateInstance.OLE32 ref: 000000014008BB51
Part of subcall function 000000014008BB00: GetKeyboardLayout.USER32 ref: 000000014008BC41

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseCreateGlobalInitializeInstanceKeyboardLayoutMessagePeekUnlock
String ID:
API String ID: 1422310799-0
Opcode ID: 9bd943891537abc73ecd3c49be50854bba893a6b9dee91c9edac8512bc6afc86
Instruction ID: ed8131a840e6690865960ecd071953609d3b44b713890297c07d34fac7d079b9
Opcode Fuzzy Hash: 9bd943891537abc73ecd3c49be50854bba893a6b9dee91c9edac8512bc6afc86
Instruction Fuzzy Hash: A1A16C71605B4486EB639B2BE8947EA37A1F34DBE4F11021AEB59937F5CB38C491C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044367 Relevance: 9.2, APIs: 6, Instructions: 189windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014008C5A0: GetFullPathNameW.KERNEL32 ref: 000000014008C5F1
Part of subcall function 000000014008C5A0: GetFullPathNameW.KERNEL32 ref: 000000014008C634
Part of subcall function 000000014008C5A0: GetFileAttributesW.KERNEL32 ref: 000000014008C66A

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$FullNamePath$AttributesClipboardCloseFileGlobalMessagePeekUnlock
String ID:
API String ID: 1989334333-0
Opcode ID: fa1528bdb65a42cee79496c1c6811b53991ba5698cb0f387641f053ad7b772c0
Instruction ID: b921deb7b0454ac6106f1f6178f0a882445ff9054d9bcee46339c71ac4950fa0
Opcode Fuzzy Hash: fa1528bdb65a42cee79496c1c6811b53991ba5698cb0f387641f053ad7b772c0
Instruction Fuzzy Hash: 9591A071604A4086FB67DB2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C885C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004342A Relevance: 9.2, APIs: 6, Instructions: 189windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: c8f4bdbeb2e0ff453ec299953fb39306db64aec2d095899fc6abb31872de2506
Instruction ID: 621882f145c46f50b71c5f5866aef816c863236c98a97daf5831f371c65ae6d6
Opcode Fuzzy Hash: c8f4bdbeb2e0ff453ec299953fb39306db64aec2d095899fc6abb31872de2506
Instruction Fuzzy Hash: 05A16C71604A4486EB639F2BE4947EA37A1F34DBE4F11022AEB59936F5CB38C495CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140040B63 Relevance: 9.2, APIs: 6, Instructions: 189windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: d1bc946973dc6d50086fcce85f62ba48a4d03fb90a1fddc6160fa24c8eee491c
Instruction ID: 6112ec3c7a7d5aae1e906d92f2fd38adf8f9bd1915022d5d5ee04f4f0dad8683
Opcode Fuzzy Hash: d1bc946973dc6d50086fcce85f62ba48a4d03fb90a1fddc6160fa24c8eee491c
Instruction Fuzzy Hash: A891D172604A4486F7639B2BE4947EA37E1F74D7E4F110226EB59936F5CB38C885C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043316 Relevance: 9.2, APIs: 6, Instructions: 188windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140055E40: GetWindowRect.USER32 ref: 0000000140055E7F
Part of subcall function 0000000140055E40: MoveWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004336A), ref: 0000000140055F63

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$Window$ClipboardCloseGlobalMessageMovePeekRectUnlock
String ID:
API String ID: 1284534901-0
Opcode ID: 0f497d27f1fe835894f2fc43b4c0351ed169be8adf6201908d266c58c5377d0f
Instruction ID: 1f80107bb18af9dd300cd167c86d65e3994d2b1c28460be5e65852c3d22fc619
Opcode Fuzzy Hash: 0f497d27f1fe835894f2fc43b4c0351ed169be8adf6201908d266c58c5377d0f
Instruction Fuzzy Hash: 37A17CB1604B4486EB639B2BE8947EA37A1F34DBE4F11021AEB59937F5CB38C491C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044323 Relevance: 9.2, APIs: 6, Instructions: 188windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014008C940: GetFullPathNameW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008C97C
Part of subcall function 000000014008C940: GetFullPathNameW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008C9C1
Part of subcall function 000000014008C940: GetFileAttributesW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008C9F9
Part of subcall function 000000014008C940: GetFileAttributesW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008CA35
Part of subcall function 000000014008C940: FindFirstFileW.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008CA76
Part of subcall function 000000014008C940: GetLastError.KERNEL32(?,?,?,?,?,0000000140044305), ref: 000000014008CA85

Part of subcall function 000000014004C9E0: _itow.LIBCMT ref: 000000014004CA0E

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountFileTick$AttributesFullNamePath$ClipboardCloseErrorFindFirstGlobalLastMessagePeekUnlock_itow
String ID:
API String ID: 446227350-0
Opcode ID: 4dae26d8888d4b8773449650e6f77a47db95ddf3c0a7cdb77cfc70ff0f95aac1
Instruction ID: 763435d818ff20cfdf7ffcaf4154a1a5eadc10986f51989d68e258046a7a0c2a
Opcode Fuzzy Hash: 4dae26d8888d4b8773449650e6f77a47db95ddf3c0a7cdb77cfc70ff0f95aac1
Instruction Fuzzy Hash: 6C919E71604A4086F763DB2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044B73 Relevance: 9.2, APIs: 6, Instructions: 188windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: d3226c4b52f4fc2eab852d5182635d2c127d4831e869e8cc8a28952fd9e896b8
Instruction ID: 10ac8aef695928770b983b726e7585bf9f0068a79becb2e519d3c3de6c07a838
Opcode Fuzzy Hash: d3226c4b52f4fc2eab852d5182635d2c127d4831e869e8cc8a28952fd9e896b8
Instruction Fuzzy Hash: 36918D71600A4086F7679B2BE4947EA37A1F34DBE4F11021AEB69936F5CB38C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004453C Relevance: 9.2, APIs: 6, Instructions: 187windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 5f6466d4fe88b3d0d8fd986e77c95a469d57b1b56758581bbf59d5e9cb9dcea9
Instruction ID: 2be85412261b54eda6697ae07dd696cad51359231e6a6e60c6e213d12bf89758
Opcode Fuzzy Hash: 5f6466d4fe88b3d0d8fd986e77c95a469d57b1b56758581bbf59d5e9cb9dcea9
Instruction Fuzzy Hash: 5491AF71600A4486FB639F2BE4947EA37A2F34DBE4F11021AEB59936F5CB38C881C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400436B2 Relevance: 9.2, APIs: 6, Instructions: 187windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 0e1d720efd3b0d07e5b85b78313d9e6e7c9e426c4e640a87a89e96bba2c50b19
Instruction ID: 5199f717d043652f146f0cf48dbc4407d90740e6f291979f1125ab0b7dd40fe2
Opcode Fuzzy Hash: 0e1d720efd3b0d07e5b85b78313d9e6e7c9e426c4e640a87a89e96bba2c50b19
Instruction Fuzzy Hash: 45A16C71604B4486EB639B2BE8947EA37A1F34DBE4F11021AEB59937F5CB38C495CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043704 Relevance: 9.2, APIs: 6, Instructions: 187windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 54d670a463d54b6e3ede045bacadaba1a66f7bc724ba028e3397495960f23778
Instruction ID: a118395f3d1c4a3975ad4eb38793b6bef7034c9c9937422527b890b93bf265e6
Opcode Fuzzy Hash: 54d670a463d54b6e3ede045bacadaba1a66f7bc724ba028e3397495960f23778
Instruction Fuzzy Hash: DCA17D71604B4486EB639B2BE4947EA37A1F34DBE4F11021AEB59937F5CB38C491C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043788 Relevance: 9.2, APIs: 6, Instructions: 187windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140059760: wcsncpy.LIBCMT ref: 00000001400597C0
Part of subcall function 0000000140059760: _wcstoi64.LIBCMT ref: 0000000140059803

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock_wcstoi64wcsncpy
String ID:
API String ID: 2569467992-0
Opcode ID: 27f83dae65f3a3ca59a046eda01b0d889fc048e2ddf8548c1335005f2672bfa8
Instruction ID: f1a5360a1ff5464989e10fbeff07c8dd538cf991d45359cd46ae136df3e8481f
Opcode Fuzzy Hash: 27f83dae65f3a3ca59a046eda01b0d889fc048e2ddf8548c1335005f2672bfa8
Instruction Fuzzy Hash: E8A16C71604A4486EB639B2BE8947EA37A1F34DBE4F11021AEB59937F5CB38C491C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400445ED Relevance: 9.2, APIs: 6, Instructions: 186windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 84991e988c909919546d32d6d620c47e26db52beb8d606da833661eb5263a5dd
Instruction ID: a3be768ad6f68e84ade6823fccd887f6b187034ebf4fbe34480c82ee2ead9680
Opcode Fuzzy Hash: 84991e988c909919546d32d6d620c47e26db52beb8d606da833661eb5263a5dd
Instruction Fuzzy Hash: 4291AFB1604A4086FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C885C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044A7C Relevance: 9.2, APIs: 6, Instructions: 186windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014004F880: wcsncpy.LIBCMT ref: 000000014004F93C

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlockwcsncpy
String ID:
API String ID: 3258626421-0
Opcode ID: d0a1556691a36a2adcec08ed6c00a3a6d75bbdab8fed6f008f7ce88bb863affd
Instruction ID: 2bd0e6e0dc1a48618aa4b7d48693b4256917653a53379b4f5e098a00a73caa35
Opcode Fuzzy Hash: d0a1556691a36a2adcec08ed6c00a3a6d75bbdab8fed6f008f7ce88bb863affd
Instruction Fuzzy Hash: E2A18C71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044AC7 Relevance: 9.2, APIs: 6, Instructions: 186windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014004F880: wcsncpy.LIBCMT ref: 000000014004F93C

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlockwcsncpy
String ID:
API String ID: 3258626421-0
Opcode ID: ed050c2aa43fc419a84c6aa722bd0089713fe0dc33f1829d612fae2dd01f99b1
Instruction ID: 5a89a9e7db90b80b70d4f47da87dfb1ec6b9935d9b1f8563daa28dd540268982
Opcode Fuzzy Hash: ed050c2aa43fc419a84c6aa722bd0089713fe0dc33f1829d612fae2dd01f99b1
Instruction Fuzzy Hash: F7A17C71604A4486FB639B2BE4947EA37A1F34DBE4F11021AEB59937F5CB38C495CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400450D1 Relevance: 9.2, APIs: 6, Instructions: 185windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 72d888d0b01dcbe2b12f951dd15a343378d79ebcb49fcacc3330667ebcc759d2
Instruction ID: a6c1ddd75d738370dfb47dbcfae7f9d2a40ce1589660940e222e8971bbe09381
Opcode Fuzzy Hash: 72d888d0b01dcbe2b12f951dd15a343378d79ebcb49fcacc3330667ebcc759d2
Instruction Fuzzy Hash: 21919071604A4486F763DB27E4947EA37A1F34DBE4F11021AEB59936F5CB38C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400444A2 Relevance: 9.2, APIs: 6, Instructions: 185windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 6e345d8b3665eb6f52a33359c5a4dde12cf59f23178e7a2882f68332d21b6353
Instruction ID: d56b4ffc000c3466ca9e407395630e78830abb1a969dc4701f773c2708b3b794
Opcode Fuzzy Hash: 6e345d8b3665eb6f52a33359c5a4dde12cf59f23178e7a2882f68332d21b6353
Instruction Fuzzy Hash: BF91AF71604A4086FB639F2BE4947EA37A2F34DBE4F51021AEB59936F5CB38C885C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044627 Relevance: 9.2, APIs: 6, Instructions: 185windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 5e5b2ed4a172657fce4743f58e8fd870554555c3fdecd7bcbb7a1b18b7ee8411
Instruction ID: cbf0731778d13ae79efb4f32b0cb3edcbdd8c0bb487fde0dc41da531727fc6cd
Opcode Fuzzy Hash: 5e5b2ed4a172657fce4743f58e8fd870554555c3fdecd7bcbb7a1b18b7ee8411
Instruction Fuzzy Hash: CE91AF71600A4086FB639B2BE4947EA37A2F34DBE4F11021AEB59936F5CB38C885C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043632 Relevance: 9.2, APIs: 6, Instructions: 185windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140057FE0: SendMessageTimeoutW.USER32 ref: 000000014005805D

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$Message$ClipboardCloseGlobalPeekSendTimeoutUnlock
String ID:
API String ID: 3716859204-0
Opcode ID: b9e32efd13a4c898158ef46ded39db344533f62e19f0961820ce40667332643f
Instruction ID: 5e446333cec464f4101ef22aca39117a33d9f0c2b12c250c08602d603e8e30bc
Opcode Fuzzy Hash: b9e32efd13a4c898158ef46ded39db344533f62e19f0961820ce40667332643f
Instruction Fuzzy Hash: 86916C71604A4486FB639B2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C495CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043814 Relevance: 9.2, APIs: 6, Instructions: 185windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: f64e6b5b56c72fa430a22d4982f5f09c0c87f8f415f4466195bf06c4b9c43641
Instruction ID: a95ed2a37d0202dcd596758dcd1dfbc8187089c2d29263acf7125c7146dd7eb6
Opcode Fuzzy Hash: f64e6b5b56c72fa430a22d4982f5f09c0c87f8f415f4466195bf06c4b9c43641
Instruction Fuzzy Hash: 48916C71604A4486FB639B2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C495CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004336F Relevance: 9.2, APIs: 6, Instructions: 184windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140055E40: GetWindowRect.USER32 ref: 0000000140055E7F
Part of subcall function 0000000140055E40: MoveWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004336A), ref: 0000000140055F63

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$Window$ClipboardCloseGlobalMessageMovePeekRectUnlock
String ID:
API String ID: 1284534901-0
Opcode ID: 08dc2f40627360c30f0743cef871d40717b352e8d02b2339d7f29551d703a235
Instruction ID: 69e8e78c2a07030b6e8bfc72f5d6e4631ee06868f7c83158a0142e8b089baba7
Opcode Fuzzy Hash: 08dc2f40627360c30f0743cef871d40717b352e8d02b2339d7f29551d703a235
Instruction Fuzzy Hash: 72918B71604A4486F7639B2BA8947EA37A1F34DBE4F11021AFB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004502B Relevance: 9.2, APIs: 6, Instructions: 183windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 5c6f36cae2c63c61446bea069906b5bac6268e6b3cf97fb885c2ab603ebb5959
Instruction ID: cf1ddf8eb4ee5a1f087de558abb7505c1f065baece8887be004385f16fcaa695
Opcode Fuzzy Hash: 5c6f36cae2c63c61446bea069906b5bac6268e6b3cf97fb885c2ab603ebb5959
Instruction Fuzzy Hash: C4918E71604A4486FB63DB2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043590 Relevance: 9.2, APIs: 6, Instructions: 183windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140057300: GetWindowRect.USER32 ref: 00000001400573A6
Part of subcall function 0000000140057300: GetWindowRect.USER32 ref: 00000001400573B4

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$RectWindow$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 3440613390-0
Opcode ID: d613e9a2a95bbe8bcc1d08324bfb3c38d2a5d39fd333fb031e286764b1851702
Instruction ID: 81ea28e2df26859a22c2fc09d7a427784112838115057dcc605d792f3ffec847
Opcode Fuzzy Hash: d613e9a2a95bbe8bcc1d08324bfb3c38d2a5d39fd333fb031e286764b1851702
Instruction Fuzzy Hash: D6919E71604A4486F763DB2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C491C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043678 Relevance: 9.2, APIs: 6, Instructions: 183windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140058380: SendMessageTimeoutW.USER32 ref: 00000001400583FE

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$Message$ClipboardCloseGlobalPeekSendTimeoutUnlock
String ID:
API String ID: 3716859204-0
Opcode ID: 0af3f19d3b37a4058cb0c597f2747eb00f126b66add9493ba440b7f4e982ff2a
Instruction ID: 0be10c5174d95396ffd4adddc219b56331ebe5ab6b268c6a6e5aab9bddf9ed5f
Opcode Fuzzy Hash: 0af3f19d3b37a4058cb0c597f2747eb00f126b66add9493ba440b7f4e982ff2a
Instruction Fuzzy Hash: 11917C71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043921 Relevance: 9.2, APIs: 6, Instructions: 183windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: dfc8085026c7cab338386d9d352f4b80c995f85f9151b3bfe763cb44a85e2ad0
Instruction ID: cc6fc856de57a89991e1b0793e8b4c92bfd234fcafab049ca3e8eb07e328937c
Opcode Fuzzy Hash: dfc8085026c7cab338386d9d352f4b80c995f85f9151b3bfe763cb44a85e2ad0
Instruction Fuzzy Hash: 9D917C71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043A61 Relevance: 9.2, APIs: 6, Instructions: 183windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 5b110dbb94e0ffd020fa477d66a17bee6958860672575757cacbdcf71390449f
Instruction ID: 6c3e7662eac74ff4587b45f8659fe69612bd1ae1d5e05ed70609cf6ffecadca3
Opcode Fuzzy Hash: 5b110dbb94e0ffd020fa477d66a17bee6958860672575757cacbdcf71390449f
Instruction Fuzzy Hash: 41916D71604A4486F7639B2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400440BD Relevance: 9.2, APIs: 6, Instructions: 182windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 1059215a641e09ff8a106f3199c4096e43ff813b1c8142d7552beec8dee0fe0f
Instruction ID: 63d4a4fd247940de7022ae62522fd688a31a325de3a79b1011df44369adcce4b
Opcode Fuzzy Hash: 1059215a641e09ff8a106f3199c4096e43ff813b1c8142d7552beec8dee0fe0f
Instruction Fuzzy Hash: B5918E71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140045329 Relevance: 9.2, APIs: 6, Instructions: 182windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400B3420: GetFullPathNameW.KERNEL32(?,0000000140045354), ref: 00000001400B3456
Part of subcall function 00000001400B3420: WritePrivateProfileStringW.KERNEL32 ref: 00000001400B346A
Part of subcall function 00000001400B3420: WritePrivateProfileStringW.KERNEL32 ref: 00000001400B347E

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$PrivateProfileStringWrite$ClipboardCloseFullGlobalMessageNamePathPeekUnlock
String ID:
API String ID: 2214806735-0
Opcode ID: 1afd07f7d044377f6bf66bd22badf294785aad7720c71ca1eac5ecb42630cb59
Instruction ID: 90512fd70d8cec9386761fc7bc43f2aed711d7bc4c97c4f1f4611773225fd7eb
Opcode Fuzzy Hash: 1afd07f7d044377f6bf66bd22badf294785aad7720c71ca1eac5ecb42630cb59
Instruction Fuzzy Hash: 99918D71604A4486F7639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004562A Relevance: 9.2, APIs: 6, Instructions: 182windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014008CFB0: GetCurrentProcess.KERNEL32 ref: 000000014008CFB8
Part of subcall function 000000014008CFB0: OpenProcessToken.ADVAPI32 ref: 000000014008CFCB

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$Process$ClipboardCloseCurrentGlobalMessageOpenPeekTokenUnlock
String ID:
API String ID: 3060718303-0
Opcode ID: cb12fdad128be1ba86db2da8fa5c580b6fe9bd352f6fd8c62355585c5d7192ff
Instruction ID: 91d24ab58dcadec350df003f3db51540e5a1fdea2871dbfbff352c1fa8da1e28
Opcode Fuzzy Hash: cb12fdad128be1ba86db2da8fa5c580b6fe9bd352f6fd8c62355585c5d7192ff
Instruction Fuzzy Hash: 7D91AF71604A4086F767DB2BE4947EA37A2F34DBE4F11022AEB59936F5CB38C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043860 Relevance: 9.2, APIs: 6, Instructions: 182windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005B350: SetWindowTextW.USER32 ref: 000000014005B374

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekTextUnlockWindow
String ID:
API String ID: 189804293-0
Opcode ID: 6533fd9340cf5d0273e9b33c84b333d2630c5d7265794249619da2359799ec85
Instruction ID: e630fa43b4184db35d1de4240bddfacde0d318bf3ab25af69e08ae42dc5a71bb
Opcode Fuzzy Hash: 6533fd9340cf5d0273e9b33c84b333d2630c5d7265794249619da2359799ec85
Instruction Fuzzy Hash: D9919E71604A4486F763DB2BE8947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044FF9 Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 898d607e5cc67763fd238022d6922425d5324015f33df64b570b96f16cafda9e
Instruction ID: c6c730e1fbacde3162a79056a739ea665706d2c84840a40bf23d4e40238e2175
Opcode Fuzzy Hash: 898d607e5cc67763fd238022d6922425d5324015f33df64b570b96f16cafda9e
Instruction Fuzzy Hash: 4E917D71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400441FE Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: c09c35904906182455a240e9bb803675ec3bccd0485d7183dd3f6d588ae0b2fd
Instruction ID: 6d6639dc1aa7e927ff783b84f6f24e2757f4182fefa7d203a01800347c7c6b27
Opcode Fuzzy Hash: c09c35904906182455a240e9bb803675ec3bccd0485d7183dd3f6d588ae0b2fd
Instruction Fuzzy Hash: 8791AD71604A4486F763DB2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400452FB Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400B32D0: GetFullPathNameW.KERNEL32(?,0000000140045324), ref: 00000001400B331C
Part of subcall function 00000001400B32D0: WritePrivateProfileStringW.KERNEL32 ref: 00000001400B334F
Part of subcall function 00000001400B32D0: WritePrivateProfileStringW.KERNEL32 ref: 00000001400B33DC

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$PrivateProfileStringWrite$ClipboardCloseFullGlobalMessageNamePathPeekUnlock
String ID:
API String ID: 2214806735-0
Opcode ID: 4cb32b72b609f31e4d7a875c86df9087a3f48b9bf174a91bf950867c815da444
Instruction ID: cc9f2541a64c6f2ebfa3dc3a71d1a153b967a3336c55248f5f6a2bdacf594a6b
Opcode Fuzzy Hash: 4cb32b72b609f31e4d7a875c86df9087a3f48b9bf174a91bf950867c815da444
Instruction Fuzzy Hash: 91919C71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400435CA Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140057480: GetWindowThreadProcessId.USER32 ref: 00000001400574DD
Part of subcall function 0000000140057480: GetGUIThreadInfo.USER32 ref: 00000001400574EA
Part of subcall function 0000000140057480: GetClassNameW.USER32 ref: 000000014005751D
Part of subcall function 0000000140057480: EnumChildWindows.USER32 ref: 0000000140057547

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$Thread$ChildClassClipboardCloseEnumGlobalInfoMessageNamePeekProcessUnlockWindowWindows
String ID:
API String ID: 3620957724-0
Opcode ID: 3d09df0f4bbd6f2c6f22b67b654d0a5b231935f9987534be6de4f8dcd9edb376
Instruction ID: ae8e70644bf624391f2e3dec806791a5c42b62ab2b032d64870c4cc87a1701b9
Opcode Fuzzy Hash: 3d09df0f4bbd6f2c6f22b67b654d0a5b231935f9987534be6de4f8dcd9edb376
Instruction Fuzzy Hash: 69918C71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004467D Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 07fa01e2e948d74e0a17ca86ac8a578af2c116fcf07dd70215a5cc2f00bb2ebe
Instruction ID: a8130bd31f4383c897c0de2ad7b15ff7be603f494da574d73501f14ccb9fb0b0
Opcode Fuzzy Hash: 07fa01e2e948d74e0a17ca86ac8a578af2c116fcf07dd70215a5cc2f00bb2ebe
Instruction Fuzzy Hash: CA918C71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043756 Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: d155f47a08ab142572dfa2e7bbfe0ed380c199a8b0c9ba252e6c381c5152b915
Instruction ID: f2b6f827e203ba1323826221a801a7aa657efb95e2df2cd14cca72f9bd099928
Opcode Fuzzy Hash: d155f47a08ab142572dfa2e7bbfe0ed380c199a8b0c9ba252e6c381c5152b915
Instruction Fuzzy Hash: 3C917C71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004395B Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: bf21b7afc26fd5ffbc498caa929051417c24678a2a8dc26e32b122832fe1c261
Instruction ID: b8660e4f019a17d8244983ac5eed7b1de07593d730082193188da61c8e0d2d26
Opcode Fuzzy Hash: bf21b7afc26fd5ffbc498caa929051417c24678a2a8dc26e32b122832fe1c261
Instruction Fuzzy Hash: E9918C71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140043989 Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005DDC0: GetWindowRect.USER32 ref: 000000014005DE46

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekRectUnlockWindow
String ID:
API String ID: 1900757344-0
Opcode ID: 441bcd18ec068af8e3cbc2cf98d7c5b0ee67558c2fd2366bf0cdfbd3402a8725
Instruction ID: f888aff4b181bdcfb8019783e0f837d21bfe649dd5aa4e85838fd539fb46eda6
Opcode Fuzzy Hash: 441bcd18ec068af8e3cbc2cf98d7c5b0ee67558c2fd2366bf0cdfbd3402a8725
Instruction Fuzzy Hash: 6491AE71604A4486F767DB2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C891CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044B12 Relevance: 9.2, APIs: 6, Instructions: 181windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 6e75801df414fab39bfb4dc658662ec76d3e244335b05e576e13ddd8cf83a110
Instruction ID: a8b185ccfe6acb525f88416e80f25cdacecea9ad73b2ec25f551d7b6f8a27766
Opcode Fuzzy Hash: 6e75801df414fab39bfb4dc658662ec76d3e244335b05e576e13ddd8cf83a110
Instruction Fuzzy Hash: 5A918C71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400451AC Relevance: 9.2, APIs: 6, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 79bf84dca7bac6fc3f0bc5d037b43a38a36c85b90643456b9ad5761e635f5b1a
Instruction ID: 3f3719a7e65558dd1ea0aa34f59adaf932ba47f4b58b937b110d176256cd38ec
Opcode Fuzzy Hash: 79bf84dca7bac6fc3f0bc5d037b43a38a36c85b90643456b9ad5761e635f5b1a
Instruction Fuzzy Hash: 69919E71600A4486F767DB2BE8947EA37A2F34DBE4F11021AEB59936F5CB38C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044207 Relevance: 9.2, APIs: 6, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: b76a2519c8c580f5d36fff803b9d87f541622f6835848606bca5db96a9a2eecf
Instruction ID: 8e599829df06bde0b790bd1317a8503b1884fafa88cda181d711cbb985c7ba0f
Opcode Fuzzy Hash: b76a2519c8c580f5d36fff803b9d87f541622f6835848606bca5db96a9a2eecf
Instruction Fuzzy Hash: 3B918C71604A4486F7639B2BE4947EA37E1F34DBE4F11022AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140045061 Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 12159448ae18764a4e4ad2fb555d697e1a7b21e0fd7847dd1df2acdc36cd0ed0
Instruction ID: 257513270334e39030b971ba7dfbfeaddd194d8f5e619602305bf54a86dc55b3
Opcode Fuzzy Hash: 12159448ae18764a4e4ad2fb555d697e1a7b21e0fd7847dd1df2acdc36cd0ed0
Instruction Fuzzy Hash: AE919D71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044080 Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014006B500: wcsncpy.LIBCMT ref: 000000014006B559
Part of subcall function 000000014006B500: SetVolumeLabelW.KERNEL32 ref: 000000014006B5A4

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalLabelMessagePeekUnlockVolumewcsncpy
String ID:
API String ID: 2345973108-0
Opcode ID: c3d64db1d976e3cc32613f58db69804b2e7efaeebcf6a8d74e227d8f78956152
Instruction ID: 6ae641b9df4ddfe11e5a024bdc9aa21e401281027487628856a74b1c5f5e0870
Opcode Fuzzy Hash: c3d64db1d976e3cc32613f58db69804b2e7efaeebcf6a8d74e227d8f78956152
Instruction Fuzzy Hash: 39919D71604A4486F7639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400442B0 Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400726C0: GetFullPathNameW.KERNEL32(?,00000001400442CD), ref: 000000014007271C
Part of subcall function 00000001400726C0: SetCurrentDirectoryW.KERNEL32(?,00000001400442CD), ref: 0000000140072729
Part of subcall function 00000001400726C0: CopyFileW.KERNEL32(?,00000001400442CD), ref: 0000000140072741
Part of subcall function 00000001400726C0: SetCurrentDirectoryW.KERNEL32(?,00000001400442CD), ref: 0000000140072769

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$CurrentDirectory$ClipboardCloseCopyFileFullGlobalMessageNamePathPeekUnlock
String ID:
API String ID: 1607406625-0
Opcode ID: 41cd1ed2a8e030e8d5318040bd983c7a02358f8582eb18113b978609a59f1900
Instruction ID: 9ba03bf1b00bf10e33deb5d44758bd4cb379e0564f6a3aae3e0b95c19f11a6b1
Opcode Fuzzy Hash: 41cd1ed2a8e030e8d5318040bd983c7a02358f8582eb18113b978609a59f1900
Instruction Fuzzy Hash: 18919D71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400452D5 Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400B2DA0: GetFullPathNameW.KERNEL32(?,?,?,00000001400452F6), ref: 00000001400B2DF9
Part of subcall function 00000001400B2DA0: GetPrivateProfileStringW.KERNEL32 ref: 00000001400B2E35

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseFullGlobalMessageNamePathPeekPrivateProfileStringUnlock
String ID:
API String ID: 3404763234-0
Opcode ID: c74bca292617853135abcc26bdbacef299b3c50fee64d754b3537490176582bd
Instruction ID: c241328e72aa95d4b3fdfb646441b8305ff816ff32172ff86bc90aa20f70f3e8
Opcode Fuzzy Hash: c74bca292617853135abcc26bdbacef299b3c50fee64d754b3537490176582bd
Instruction Fuzzy Hash: 2B918D71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400446AB Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: fa32a825f665b160b36e66ac53a3ee8bdd12c465c2334e19837bb06887bb6dde
Instruction ID: 311734fdb7854fc28282489c5c698b8b30d7b044c916d05c619fdc994ef576a2
Opcode Fuzzy Hash: fa32a825f665b160b36e66ac53a3ee8bdd12c465c2334e19837bb06887bb6dde
Instruction Fuzzy Hash: 1A919D71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400437F2 Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 1eb671ec52252757c426e3bace51ca7804a1879a00bebc1fc4754af718ad9f81
Instruction ID: a3b88a18f8cdf57c4377c01610267aae0c92e94a7385dc12afc95abe1f4b0a1f
Opcode Fuzzy Hash: 1eb671ec52252757c426e3bace51ca7804a1879a00bebc1fc4754af718ad9f81
Instruction Fuzzy Hash: 7C918D71604A4486FB63DB2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400438D5 Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005B390: GetWindowTextLengthW.USER32 ref: 000000014005B3BE

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalLengthMessagePeekTextUnlockWindow
String ID:
API String ID: 1215013059-0
Opcode ID: effe7452282aaa6ba973fb7e8f0f437e6cabbddea8411af824d2f98d2afdae2b
Instruction ID: 57be26af008ebf3dbfaa366f8f376cfe30a3876d5bc026013d3b7393bee4d76b
Opcode Fuzzy Hash: effe7452282aaa6ba973fb7e8f0f437e6cabbddea8411af824d2f98d2afdae2b
Instruction Fuzzy Hash: B6917C71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400438FB Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: d0931d3db6d291dd5626e8c335ef3f532c38de0b32018f08511ccde02eb5b12c
Instruction ID: e762d9c7d32294e3aa849a5932c011211300a2700a64caa2f074fa0a4d9a1267
Opcode Fuzzy Hash: d0931d3db6d291dd5626e8c335ef3f532c38de0b32018f08511ccde02eb5b12c
Instruction Fuzzy Hash: 04917C71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044B40 Relevance: 9.2, APIs: 6, Instructions: 179windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140051420: wcsncpy.LIBCMT ref: 00000001400514E0
Part of subcall function 0000000140051420: wcsncpy.LIBCMT ref: 0000000140051500
Part of subcall function 0000000140051420: Shell_NotifyIconW.SHELL32 ref: 0000000140051515

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$wcsncpy$ClipboardCloseGlobalIconMessageNotifyPeekShell_Unlock
String ID:
API String ID: 34998114-0
Opcode ID: 3148c41592251a4a5b4936ade8e63de8f225ba4aa5fa012710624322fd92ad00
Instruction ID: 52999952fc61bdcf6fdad325ddb8700c13c8cb7d1844636b7c52c1db9be479be
Opcode Fuzzy Hash: 3148c41592251a4a5b4936ade8e63de8f225ba4aa5fa012710624322fd92ad00
Instruction Fuzzy Hash: 48917C71604A4486FB639F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044069 Relevance: 9.2, APIs: 6, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014006B110: wcsncpy.LIBCMT ref: 000000014006B154
Part of subcall function 000000014006B110: GetDiskFreeSpaceExW.KERNEL32 ref: 000000014006B1B5

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseDiskFreeGlobalMessagePeekSpaceUnlockwcsncpy
String ID:
API String ID: 833027430-0
Opcode ID: a2920e27f794b75907525980c1ab3daae9c6847c995a06fdf5699a55445fc578
Instruction ID: c95b7040dd4d3ebca5818c2a04c0c5b17ba7affbfcd0c9db9a91c234e86f9ecc
Opcode Fuzzy Hash: a2920e27f794b75907525980c1ab3daae9c6847c995a06fdf5699a55445fc578
Instruction Fuzzy Hash: 26919D71604A4486F7639B2BE4947EA37A2F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400440A2 Relevance: 9.2, APIs: 6, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 039030016c2015454b38d29aa1a925868f811675e59611cbbd743da03430ded1
Instruction ID: 39a0285e20eea1275c19e309853e76b590607c977e923f9bc32058b09fdb0a28
Opcode Fuzzy Hash: 039030016c2015454b38d29aa1a925868f811675e59611cbbd743da03430ded1
Instruction Fuzzy Hash: BB919D71604A4486F7639B2BE4947EA37A2F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140045105 Relevance: 9.2, APIs: 6, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 50fc1647432186c86b53bf39a1510bfb62ad571a793b0fe20bef0c0f4fb54adc
Instruction ID: cd49c364c66eb774e651d7ebb7d8cbe3795271f962e7fadf715b91b830ab8611
Opcode Fuzzy Hash: 50fc1647432186c86b53bf39a1510bfb62ad571a793b0fe20bef0c0f4fb54adc
Instruction Fuzzy Hash: 2491AFB1600A4086F7679F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C885C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140045156 Relevance: 9.2, APIs: 6, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: dd765b119969bb06099ff0a2dc27ab5bf6a23a1c990051f7c82b908e93dafc36
Instruction ID: f14e241892f5c84bd31f482f5a9611cfeba998e896e490e32f6db161ca81d043
Opcode Fuzzy Hash: dd765b119969bb06099ff0a2dc27ab5bf6a23a1c990051f7c82b908e93dafc36
Instruction Fuzzy Hash: 1C91AFB1604A4086F7679F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140045181 Relevance: 9.2, APIs: 6, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 667e4fdb9b651de3245cca6b5d2291562c299c9c50483e606e7e5b4e94a96813
Instruction ID: 573c09dea933a9a7ba313ecf8378bb03774a631ff1c4a83f789fcc46a3bdd9cc
Opcode Fuzzy Hash: 667e4fdb9b651de3245cca6b5d2291562c299c9c50483e606e7e5b4e94a96813
Instruction Fuzzy Hash: 8B91AFB1604A4086F7679F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004423B Relevance: 9.2, APIs: 6, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140071990: _wcstoi64.LIBCMT ref: 00000001400719F8

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock_wcstoi64
String ID:
API String ID: 3633153638-0
Opcode ID: 6a46b5d80e72bd02354ba2b7fd7f0e211ab66ddea75e6972b6686edc8b60b734
Instruction ID: c760aad9ea295c14dfa3f6c007008ff3a1893875cded6ff9a1524d96efa02529
Opcode Fuzzy Hash: 6a46b5d80e72bd02354ba2b7fd7f0e211ab66ddea75e6972b6686edc8b60b734
Instruction Fuzzy Hash: 37919D71604A4486F7639B2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004524D Relevance: 9.2, APIs: 6, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 0afca24040dc8a45b5caa3910f1fae2577fa395e4061279735dae84bb9b82a65
Instruction ID: 76a9528926300d2d84bc616fc6e5f55799c95bef9fbfe12c74e6c534bb91181c
Opcode Fuzzy Hash: 0afca24040dc8a45b5caa3910f1fae2577fa395e4061279735dae84bb9b82a65
Instruction Fuzzy Hash: 84919E71604A4486F7639B2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140045267 Relevance: 9.2, APIs: 6, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: a89b4ff284056af9105c8e2c0c6a5f2ad8e0ec82c69f35baa47b174449e995a3
Instruction ID: 62e60db12eb6f9d53829956ec85d1ce3523910665171a35393699c0aa5a0601f
Opcode Fuzzy Hash: a89b4ff284056af9105c8e2c0c6a5f2ad8e0ec82c69f35baa47b174449e995a3
Instruction Fuzzy Hash: 72919E71604A4486F763DB2BE4947EA37A1F34DBE4F11022AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140045281 Relevance: 9.2, APIs: 6, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 3ae329e5e3264d4dc695c95914d533280aac62ec6c069dde8f40d6adec001f82
Instruction ID: f6f93a55606edda96040b3c483252f7ff2a6f5e8612af4bc804de6edfd677cd6
Opcode Fuzzy Hash: 3ae329e5e3264d4dc695c95914d533280aac62ec6c069dde8f40d6adec001f82
Instruction Fuzzy Hash: BB918E71604A4486F7639B2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400437DE Relevance: 9.2, APIs: 6, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400598C0: SendMessageTimeoutW.USER32 ref: 0000000140059A6C

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$Message$ClipboardCloseGlobalPeekSendTimeoutUnlock
String ID:
API String ID: 3716859204-0
Opcode ID: 9cb7049fbf957c2a1bc5291ae462bcb865d5f9a85a09ef6789b578cd5cc412e6
Instruction ID: 09ad275482c27d42e603d2c3469601d1b5ee9e98a50131c168c3315fe959fc45
Opcode Fuzzy Hash: 9cb7049fbf957c2a1bc5291ae462bcb865d5f9a85a09ef6789b578cd5cc412e6
Instruction Fuzzy Hash: DC91AD72604A4486F763DB2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400439B7 Relevance: 9.2, APIs: 6, Instructions: 178windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 256e3fdc8e2c552eca2c71828949a3d5b1f481f4b6d65b23a0df95ab2e85522d
Instruction ID: 581755f35d91da76c5f9c784220bca8949d235cb8cad9e25e9086ff20a1f9f22
Opcode Fuzzy Hash: 256e3fdc8e2c552eca2c71828949a3d5b1f481f4b6d65b23a0df95ab2e85522d
Instruction Fuzzy Hash: 3291AD71600A4086F7639B2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C881CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140045211 Relevance: 9.2, APIs: 6, Instructions: 177windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: a3df5c3369ba7f27da62c798fdb41e1801aa6f117213c64181fea01a88bf1a32
Instruction ID: aed5a1de392acc7fa5a838eba6ebc11bb80150f5d3f15ae4191cecc9a3919f19
Opcode Fuzzy Hash: a3df5c3369ba7f27da62c798fdb41e1801aa6f117213c64181fea01a88bf1a32
Instruction Fuzzy Hash: 8991ACB1600A4486F7639B2BE4947EA37E1F34DBE4F11021AEB59936F5CB38C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044227 Relevance: 9.2, APIs: 6, Instructions: 177windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 66b8061c66ee36ba5a530e847b8f4982cad5b24ab77d1e4df13618535e61e5b0
Instruction ID: 96e0f790694d51d47001f0a849dc7136d533d7a086b9c26410e903e74d243474
Opcode Fuzzy Hash: 66b8061c66ee36ba5a530e847b8f4982cad5b24ab77d1e4df13618535e61e5b0
Instruction Fuzzy Hash: 0E91AD71604A4486F763DB2BE4947EA37A2F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044256 Relevance: 9.2, APIs: 6, Instructions: 177windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400725E0: SetLastError.KERNEL32 ref: 000000014007264A
Part of subcall function 00000001400725E0: DeleteFileW.KERNEL32 ref: 0000000140072653
Part of subcall function 00000001400725E0: GetLastError.KERNEL32 ref: 000000014007265E

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ErrorLast$ClipboardCloseDeleteFileGlobalMessagePeekUnlock
String ID:
API String ID: 3770565981-0
Opcode ID: c9519b61147124621267d77a857db7ee75d92f8e4d27c714e55ad3802b6d04cd
Instruction ID: 82003541e72ae313a6a20d1176be6bf3db7ef3a42f4c970b4c08b45f79d44601
Opcode Fuzzy Hash: c9519b61147124621267d77a857db7ee75d92f8e4d27c714e55ad3802b6d04cd
Instruction Fuzzy Hash: C991AD71604A4486F763DB2BE4947EA37A2F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004426A Relevance: 9.2, APIs: 6, Instructions: 177windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014008C040: GetFullPathNameW.KERNEL32 ref: 000000014008C079
Part of subcall function 000000014008C040: SHFileOperationW.SHELL32 ref: 000000014008C0F1

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseFileFullGlobalMessageNameOperationPathPeekUnlock
String ID:
API String ID: 1286959346-0
Opcode ID: 541a136897cd7e371efedd8c0afcf806f4e666332520a7b86969dc06251a4fc8
Instruction ID: 9b18ee78597b235463c416ec7cadef2ab7ed3503312a7c29244efb7c41d0df99
Opcode Fuzzy Hash: 541a136897cd7e371efedd8c0afcf806f4e666332520a7b86969dc06251a4fc8
Instruction Fuzzy Hash: 5191BD71604A4486F763DB2BE4947EA37A2F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400446CD Relevance: 9.2, APIs: 6, Instructions: 177windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014008A730: CoInitialize.OLE32 ref: 000000014008A837
Part of subcall function 000000014008A730: CoCreateInstance.OLE32 ref: 000000014008A85B

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseCreateGlobalInitializeInstanceMessagePeekUnlock
String ID:
API String ID: 2299052934-0
Opcode ID: 416cc68442c7cfc9fb11cae542e8745e87594d5820d3a1835b61bf783378d8af
Instruction ID: d8372dfbee7c2263b650f16736994df249fd2ed0f394469f7a46fc7445b1d753
Opcode Fuzzy Hash: 416cc68442c7cfc9fb11cae542e8745e87594d5820d3a1835b61bf783378d8af
Instruction Fuzzy Hash: 5F91AE71604A4486F763DB2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140045130 Relevance: 9.2, APIs: 6, Instructions: 176windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 2f89f60305cc92dc47114853ec763dc5c81c71638c72ee95b4e853176c203195
Instruction ID: 12b84d3319e06b942e6929d1ab4729105cb414b4a60cae571f473a771654caeb
Opcode Fuzzy Hash: 2f89f60305cc92dc47114853ec763dc5c81c71638c72ee95b4e853176c203195
Instruction Fuzzy Hash: 70919F71600A4486F767DB2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004474B Relevance: 9.2, APIs: 6, Instructions: 176windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400631A0: SendMessageW.USER32(?,0000000140044755), ref: 0000000140063290
Part of subcall function 00000001400631A0: IsWindowVisible.USER32 ref: 000000014006329D
Part of subcall function 00000001400631A0: ShowWindow.USER32(?,0000000140044755), ref: 00000001400632B1
Part of subcall function 00000001400631A0: IsIconic.USER32 ref: 00000001400632BE
Part of subcall function 00000001400631A0: ShowWindow.USER32(?,0000000140044755), ref: 00000001400632D4
Part of subcall function 00000001400631A0: GetForegroundWindow.USER32(?,0000000140044755), ref: 00000001400632DA
Part of subcall function 00000001400631A0: SetForegroundWindow.USER32(?,0000000140044755), ref: 00000001400632EC
Part of subcall function 00000001400631A0: SendMessageW.USER32(?,0000000140044755), ref: 000000014006331C

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$CountMessageTick$ForegroundSendShow$ClipboardCloseGlobalIconicPeekUnlockVisible
String ID:
API String ID: 119457330-0
Opcode ID: 07c9008c1878a871d8f15c47abcfae271f091a77f9c63a70b617bc4909f6fa1d
Instruction ID: 1d52e0224e98cf1fa2f7960626cafa7c4080953492216d8a5a9e3b66fb2b80d7
Opcode Fuzzy Hash: 07c9008c1878a871d8f15c47abcfae271f091a77f9c63a70b617bc4909f6fa1d
Instruction Fuzzy Hash: 3591AF71604A4486F7639B2BE4947EA37E2F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400447C5 Relevance: 9.2, APIs: 6, Instructions: 176windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400631A0: SendMessageW.USER32(?,0000000140044755), ref: 0000000140063290
Part of subcall function 00000001400631A0: IsWindowVisible.USER32 ref: 000000014006329D
Part of subcall function 00000001400631A0: ShowWindow.USER32(?,0000000140044755), ref: 00000001400632B1
Part of subcall function 00000001400631A0: IsIconic.USER32 ref: 00000001400632BE
Part of subcall function 00000001400631A0: ShowWindow.USER32(?,0000000140044755), ref: 00000001400632D4
Part of subcall function 00000001400631A0: GetForegroundWindow.USER32(?,0000000140044755), ref: 00000001400632DA
Part of subcall function 00000001400631A0: SetForegroundWindow.USER32(?,0000000140044755), ref: 00000001400632EC
Part of subcall function 00000001400631A0: SendMessageW.USER32(?,0000000140044755), ref: 000000014006331C

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$CountMessageTick$ForegroundSendShow$ClipboardCloseGlobalIconicPeekUnlockVisible
String ID:
API String ID: 119457330-0
Opcode ID: 89e9fc90c9ed8d491c3d1e4dc158a9d1252b256a3d3fa4955889a9e716db5788
Instruction ID: 40438daa353a56e3107639598dd1b776bcd804aca97f268a6f7ab9b7978da1a3
Opcode Fuzzy Hash: 89e9fc90c9ed8d491c3d1e4dc158a9d1252b256a3d3fa4955889a9e716db5788
Instruction Fuzzy Hash: 9191AF71604A4486F7639B2BE4947EA37E2F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400447D4 Relevance: 9.2, APIs: 6, Instructions: 176windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400631A0: SendMessageW.USER32(?,0000000140044755), ref: 0000000140063290
Part of subcall function 00000001400631A0: IsWindowVisible.USER32 ref: 000000014006329D
Part of subcall function 00000001400631A0: ShowWindow.USER32(?,0000000140044755), ref: 00000001400632B1
Part of subcall function 00000001400631A0: IsIconic.USER32 ref: 00000001400632BE
Part of subcall function 00000001400631A0: ShowWindow.USER32(?,0000000140044755), ref: 00000001400632D4
Part of subcall function 00000001400631A0: GetForegroundWindow.USER32(?,0000000140044755), ref: 00000001400632DA
Part of subcall function 00000001400631A0: SetForegroundWindow.USER32(?,0000000140044755), ref: 00000001400632EC
Part of subcall function 00000001400631A0: SendMessageW.USER32(?,0000000140044755), ref: 000000014006331C

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$CountMessageTick$ForegroundSendShow$ClipboardCloseGlobalIconicPeekUnlockVisible
String ID:
API String ID: 119457330-0
Opcode ID: 5333d73bc49fe91b54eadd4a73069693f290e1d0a838b67f7022e1d01067bb13
Instruction ID: 5132c833a8b4cb59de6dd0606dffad4d3f636f49df3fac214edd0b33689be571
Opcode Fuzzy Hash: 5333d73bc49fe91b54eadd4a73069693f290e1d0a838b67f7022e1d01067bb13
Instruction Fuzzy Hash: CE91AF71604A4486F7639B2BE4947EA37E2F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140044B66 Relevance: 9.2, APIs: 6, Instructions: 176windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140053790: PostMessageW.USER32 ref: 0000000140053819

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$Message$ClipboardCloseGlobalPeekPostUnlock
String ID:
API String ID: 2416748954-0
Opcode ID: a7eed25a60f7fad78addb9392bb025e296b6e62ed2e1f5afb50937362765321a
Instruction ID: b57a53f365b44fc70f10d5cc2077883dd0a83f9214b74f6d2c5c6c15315f0fa6
Opcode Fuzzy Hash: a7eed25a60f7fad78addb9392bb025e296b6e62ed2e1f5afb50937362765321a
Instruction Fuzzy Hash: B3919D71604A4486F7639B2BE4947EA37A1F34DBE4F11022AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400452AC Relevance: 9.2, APIs: 6, Instructions: 173windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: e9b663988dd6db36ca82d77dd3c2546e6ff9236e7b8548e46ffdb489f6090a86
Instruction ID: 55f8e1bf35f6d984cedd388d39efe66bde75696acb41272218f541b4d272fcb1
Opcode Fuzzy Hash: e9b663988dd6db36ca82d77dd3c2546e6ff9236e7b8548e46ffdb489f6090a86
Instruction Fuzzy Hash: A591AD71600A4486F7639F2BE4947EA37A2F34DBE4F51021AEB59936F5CB38C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004529B Relevance: 9.2, APIs: 6, Instructions: 172windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140029570: GetClassNameW.USER32 ref: 00000001400295FF

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClassClipboardCloseGlobalMessageNamePeekUnlock
String ID:
API String ID: 2021685357-0
Opcode ID: fe660ebd621d8278769cd81e969fa00682996bc1f14627a6a47dfe2baa52f6a6
Instruction ID: cdab9d06d4894079b374a86a2877d81a4dbe65c58f40c0e474fc845f8f790173
Opcode Fuzzy Hash: fe660ebd621d8278769cd81e969fa00682996bc1f14627a6a47dfe2baa52f6a6
Instruction Fuzzy Hash: 5E91AD71600A4486F7639B2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140045206 Relevance: 9.2, APIs: 6, Instructions: 171windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 3fe2772c71d9f05fe141fd78a1c1d89d94fb88ba8f522bddcf274270618ad8f5
Instruction ID: 2cc5985d62ca314a7823dfde3736ca00c5af41e92291f5a6edd3aa5676018a45
Opcode Fuzzy Hash: 3fe2772c71d9f05fe141fd78a1c1d89d94fb88ba8f522bddcf274270618ad8f5
Instruction Fuzzy Hash: 9791AEB1600A4486F7679F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140045241 Relevance: 9.2, APIs: 6, Instructions: 171windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: d192ad3d4b3a85b6ece5ba1e4ecfe18cc6b28224d5cfdc4a3dcd8119bf2177a5
Instruction ID: 6b195d0d729e3d5a0f70eeb71e8db4896bd44e58e2b40e5feb8794b7ceb51a8b
Opcode Fuzzy Hash: d192ad3d4b3a85b6ece5ba1e4ecfe18cc6b28224d5cfdc4a3dcd8119bf2177a5
Instruction Fuzzy Hash: DA919DB1600A4486F7679F2BE4947EA37A1F34DBE4F11021AEB59936F5CB38C895CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140040AB5 Relevance: 9.2, APIs: 6, Instructions: 164windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 000000014003F47A
CloseClipboard.USER32 ref: 000000014003F487
GetTickCount.KERNEL32 ref: 000000014003F49A
PeekMessageW.USER32 ref: 000000014003F4CE
GetTickCount.KERNEL32 ref: 000000014003F4E2
GetTickCount.KERNEL32 ref: 000000014003F5B6

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 074b70447041e1598c70ac7a12dab49aa55f0bda9032cc3273d81128fd801258
Instruction ID: eab5e86093ef7e0906ed5d6823f7bead9eccec9809c7ffdd6255e2123fe1c24a
Opcode Fuzzy Hash: 074b70447041e1598c70ac7a12dab49aa55f0bda9032cc3273d81128fd801258
Instruction Fuzzy Hash: F6818CB1600A4086F7679B2BE4947EA37A2F34DBE4F11021AEB59936F5CB38C895C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014009C2D3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 000000014009C2C0
SelectObject.GDI32 ref: 000000014009DA8C
ReleaseDC.USER32 ref: 000000014009DA9D
SendMessageW.USER32 ref: 000000014009DB9B
SendMessageW.USER32 ref: 000000014009DBB7
GetClientRect.USER32 ref: 000000014009DBF5
SetWindowLongW.USER32 ref: 000000014009DC1F
SendMessageW.USER32 ref: 000000014009DC41

Strings

SysLink, xrefs: 000000014009C2D3
Can't create control., xrefs: 000000014009DAB0

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: MessageSend$Window$ClientCreateLongObjectRectReleaseSelect
String ID: Can't create control.$SysLink
API String ID: 2656910855-3028581624
Opcode ID: f7c926cbe34678f75a853599aad1396085e2223561964ccb3bfc91b67215b9cb
Instruction ID: 423c40a6f40966dc1e84fad09eb8275d6da2fb548e18e19a95e8ef4e1f166678
Opcode Fuzzy Hash: f7c926cbe34678f75a853599aad1396085e2223561964ccb3bfc91b67215b9cb
Instruction Fuzzy Hash: 2921D776615B808AEB52CF66E8407D973B0F74C798F144126EF4D57B28EB38C995C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014009C272 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 000000014009C2C0
SelectObject.GDI32 ref: 000000014009DA8C
ReleaseDC.USER32 ref: 000000014009DA9D
SendMessageW.USER32 ref: 000000014009DB9B
SendMessageW.USER32 ref: 000000014009DBB7
GetClientRect.USER32 ref: 000000014009DBF5
SetWindowLongW.USER32 ref: 000000014009DC1F
SendMessageW.USER32 ref: 000000014009DC41

Strings

Can't create control., xrefs: 000000014009DAB0
static, xrefs: 000000014009C272

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: MessageSend$Window$ClientCreateLongObjectRectReleaseSelect
String ID: Can't create control.$static
API String ID: 2656910855-3511495095
Opcode ID: 14f1ac14a5c7b89165c3e3540ebec6df2bc7d9a10d730f96d9257b7f638ed704
Instruction ID: dd0e6fb2d67c2160dbf7a8bc0c5c53808281c9f72a702538a0a296da67c9b177
Opcode Fuzzy Hash: 14f1ac14a5c7b89165c3e3540ebec6df2bc7d9a10d730f96d9257b7f638ed704
Instruction Fuzzy Hash: 1321E676615B848AEB52CF6AE84079973B0F74C7D8F144126EF4D97B28EB38C991C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140071020 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 000000014007104E
SetLastError.KERNEL32 ref: 0000000140071060
CreateDirectoryW.KERNEL32 ref: 0000000140071128
SetLastError.KERNEL32 ref: 0000000140071143

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: fc1b328c9116381d558c50483d8b715662dca6d4ddf2f8e7082a465ef389e036
Instruction ID: cf2b7896f2c603988d5dd51dd90a25e7e3cd5f81349de61dd569585fbd8b8f19
Opcode Fuzzy Hash: fc1b328c9116381d558c50483d8b715662dca6d4ddf2f8e7082a465ef389e036
Instruction Fuzzy Hash: 0731983271175045EB169F3798043ED62A0EB8DBF5F498234BF2E577E4DA38C5868340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A6A14 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 00000001400A6A76
EnumChildWindows.USER32 ref: 00000001400A6AA4
GetDlgCtrlID.USER32 ref: 00000001400A6AB1
PostMessageW.USER32 ref: 00000001400A6F7C
DefDlgProcW.USER32 ref: 00000001400A6FAD

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ChildClientCtrlEnumMessagePostProcScreenWindows
String ID:
API String ID: 3343987823-0
Opcode ID: 38003e0a7115220c44571e0c037ea4cdc5e6641a9e08cdb6e8cb330f80a90a37
Instruction ID: 5eb9fdd58a5b02128e2f42a338464a2c2a414871fc46d2e5cf7a3ee21cdbf674
Opcode Fuzzy Hash: 38003e0a7115220c44571e0c037ea4cdc5e6641a9e08cdb6e8cb330f80a90a37
Instruction Fuzzy Hash: 07219F362146818AEB228B37B4103D963A0F79DBE5F540626FF69537B4CF38C486CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140062907 Relevance: 7.5, APIs: 5, Instructions: 44timeclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32 ref: 0000000140062920
CloseClipboard.USER32 ref: 000000014006292D
GetCurrentProcessId.KERNEL32 ref: 0000000140062941
EnumWindows.USER32 ref: 0000000140062959
SetTimer.USER32 ref: 0000000140062996

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ClipboardCloseCurrentEnumGlobalProcessTimerUnlockWindows
String ID:
API String ID: 555064778-0
Opcode ID: 7ee9caf3e14f3929fee68d52f8caa330102e6b728ff0119919396e642a21c7aa
Instruction ID: 6414ffe121d38236525f3c02d1d9f38d4ed7786a07af44c8f7eee4bb8368de05
Opcode Fuzzy Hash: 7ee9caf3e14f3929fee68d52f8caa330102e6b728ff0119919396e642a21c7aa
Instruction Fuzzy Hash: B61116B1215B4184EB52DF23BC80BD833A5B78CB95F58482A9F5963634CF38C196C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014008F9C0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 347memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014008F240: VariantClear.OLEAUT32 ref: 000000014008F261

SysAllocString.OLEAUT32 ref: 000000014008FB6F
SysFreeString.OLEAUT32 ref: 000000014008FB99

Strings

_NewEnum, xrefs: 000000014008FADB

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: String$AllocClearFreeVariant
String ID: _NewEnum
API String ID: 1665868789-1628654690
Opcode ID: b70eca964d3c2b729ecc88a8fc0c85bd882665cc1d58de60bf57da90ec93c224
Instruction ID: 296730e8ad3c7d54c0f41d1a78c6074e5e9c9d534e8052e00fd84ab3385c8cf6
Opcode Fuzzy Hash: b70eca964d3c2b729ecc88a8fc0c85bd882665cc1d58de60bf57da90ec93c224
Instruction Fuzzy Hash: 3EF16977200B818AD766CF36D8407EA37A5F788BD8F148126EB5D87BA9EB34C645D340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140015330 Relevance: 4.6, APIs: 3, Instructions: 64windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(?,?,?,0000000140029D2C,?,?,?,?,?,?,?,?,?,0000000140029AB2), ref: 0000000140015342

Part of subcall function 0000000140013B00: CreateThread.KERNEL32 ref: 0000000140013B72
Part of subcall function 0000000140013B00: SetThreadPriority.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000004,00000000,0000000140015351,?,?,?), ref: 0000000140013B8F
Part of subcall function 0000000140013B00: PostThreadMessageW.USER32 ref: 0000000140013BD1
Part of subcall function 0000000140013B00: Sleep.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000004,00000000,0000000140015351,?,?,?), ref: 0000000140013BDE
Part of subcall function 0000000140013B00: GetTickCount.KERNEL32 ref: 0000000140013BED
Part of subcall function 0000000140013B00: PeekMessageW.USER32 ref: 0000000140013C1A

UnhookWindowsHookEx.USER32 ref: 000000014001535D
UnregisterHotKey.USER32(?,?,?,0000000140029D2C,?,?,?,?,?,?,?,?,?,0000000140029AB2), ref: 00000001400153C1

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: MessageThread$Post$CountCreateHookPeekPriorityQuitSleepTickUnhookUnregisterWindows
String ID:
API String ID: 3108639398-0
Opcode ID: 73239ef0fde7bf81c9183e7eea3117b95504a6666cd41c791e15c0f26d57224c
Instruction ID: 459cf2bf15db50542eacae51603acf30599b1aee8711be92fce27c1be9acacc6
Opcode Fuzzy Hash: 73239ef0fde7bf81c9183e7eea3117b95504a6666cd41c791e15c0f26d57224c
Instruction Fuzzy Hash: 4F212C76211B8482EB1AAF63A8443D977A0F74CFD5F18442AAF8A1B774DE3DC481C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A64B4 Relevance: 4.6, APIs: 3, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 00000001400A64EA
ScreenToClient.USER32 ref: 00000001400A6508
SendMessageW.USER32 ref: 00000001400A651F

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Message$ClientScreenSend
String ID:
API String ID: 1901011154-0
Opcode ID: c5f4f645e7a27baa6ea2988c3842c7c8639f4c1ac27a16911720d04726a1c02e
Instruction ID: 63bd0a56e169cdff169385ef64f6258ad344dee0147c19602807dd14523dcb28
Opcode Fuzzy Hash: c5f4f645e7a27baa6ea2988c3842c7c8639f4c1ac27a16911720d04726a1c02e
Instruction Fuzzy Hash: 0E21743361469087E772873AA454BEA67A1F79D7A4F240312FB5943AF5CB39C8C28F00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400725E0 Relevance: 4.6, APIs: 3, Instructions: 53fileCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 000000014007264A
DeleteFileW.KERNEL32 ref: 0000000140072653
GetLastError.KERNEL32 ref: 000000014007265E

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ErrorLast$DeleteFile
String ID:
API String ID: 2815225636-0
Opcode ID: 3d214a94c339aebfcf7e63670552e2397f34f4dc79b8aad24da3479b20b513ab
Instruction ID: 84e0e731b6d95120086f910b6d56585483e9ed59406ff31e6c194f90d2cb56ac
Opcode Fuzzy Hash: 3d214a94c339aebfcf7e63670552e2397f34f4dc79b8aad24da3479b20b513ab
Instruction Fuzzy Hash: CA11BF7660065182EB6A9F12E5117B9B3A1FB4CBC4F048026EF55477B0DB3EC951C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400DC200 Relevance: 4.5, APIs: 3, Instructions: 46memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001400DC223
RtlAllocateHeap.NTDLL(?,?,00000000,00000001400DB973,?,?,00000000,00000001400D912B,?,?,00000000,00000001400D9187,?,?,?,00000001400D441B), ref: 00000001400DC257
_callnewh.LIBCMT ref: 00000001400DC26E

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: AllocateHeap_callnewh_errno
String ID:
API String ID: 638267422-0
Opcode ID: 7112f43f78029ff45610200f14e065274b72b55be4fc1f553c00aa5dbc61051d
Instruction ID: 0cf582438d5c4325ab5edcd7dc3e4261d7c1d95d959d517acb282e708e3ad7d6
Opcode Fuzzy Hash: 7112f43f78029ff45610200f14e065274b72b55be4fc1f553c00aa5dbc61051d
Instruction Fuzzy Hash: 4011847532524185FF574BA7D644BFD63E19F5CBE4F084624EF15076E8DA3C88828620

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A6808 Relevance: 4.5, APIs: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetClipBox.GDI32 ref: 00000001400A6830
FillRect.USER32 ref: 00000001400A6844
DefDlgProcW.USER32 ref: 00000001400A6FAD

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ClipFillProcRect
String ID:
API String ID: 3467838497-0
Opcode ID: 7b1a16e25cecf8b2a498b1b3452459798c4679e93af34d2df2e32c894d12950c
Instruction ID: 630359b99924ca1e0325ddc9babff5508552f2a38f5c6137ce5f587709964b11
Opcode Fuzzy Hash: 7b1a16e25cecf8b2a498b1b3452459798c4679e93af34d2df2e32c894d12950c
Instruction Fuzzy Hash: 36F06236605B8189EB26CB23B5143D96360FB4EBE9F880412AF0D27365CF38D9C6C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400D4AF0 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlReleasePrivilege.NTDLL(?,?,00000000,00000001400D9164,?,?,00000000,00000001400D9187,?,?,?,00000001400D441B,?,?,00000000,00000001400DA97B), ref: 00000001400D4B0E
_errno.LIBCMT ref: 00000001400D4B18
GetLastError.KERNEL32(?,?,00000000,00000001400D9164,?,?,00000000,00000001400D9187,?,?,?,00000001400D441B,?,?,00000000,00000001400DA97B), ref: 00000001400D4B20

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ErrorLastPrivilegeRelease_errno
String ID:
API String ID: 2402844488-0
Opcode ID: 11674b42622700e2a0bad51798850c6e70fecc94622d331a034e70f3703e934f
Instruction ID: 16228e35dc8dc243f1b17139111f2bc322d9444716a8e1a4d36fe68125019887
Opcode Fuzzy Hash: 11674b42622700e2a0bad51798850c6e70fecc94622d331a034e70f3703e934f
Instruction Fuzzy Hash: 51E0867060170442FF175BF354443ED12D05F9CBD1F044418BB155B2B1DE38C4834760

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400D4AF8 Relevance: 4.5, APIs: 3, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlReleasePrivilege.NTDLL(?,?,00000000,00000001400D9164,?,?,00000000,00000001400D9187,?,?,?,00000001400D441B,?,?,00000000,00000001400DA97B), ref: 00000001400D4B0E
_errno.LIBCMT ref: 00000001400D4B18
GetLastError.KERNEL32(?,?,00000000,00000001400D9164,?,?,00000000,00000001400D9187,?,?,?,00000001400D441B,?,?,00000000,00000001400DA97B), ref: 00000001400D4B20

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ErrorLastPrivilegeRelease_errno
String ID:
API String ID: 2402844488-0
Opcode ID: bdb5412cc3fa5d04397c6cdc2466e890d9365acf9d02294b8c7b003c7d8c8648
Instruction ID: 2fcfbcb77f22b40b96586b696b8c8e189618a56370ba3c7f0071a2ae548b67ea
Opcode Fuzzy Hash: bdb5412cc3fa5d04397c6cdc2466e890d9365acf9d02294b8c7b003c7d8c8648
Instruction Fuzzy Hash: 86E0ECB4A1260486FF176BF368457ED16D05F9CBE5F444424AB19AB2B1EE38C8828760

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400B4A60 Relevance: 3.1, APIs: 2, Instructions: 106COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,000000014002A63F), ref: 00000001400B4A96
GetCPInfo.KERNEL32(?,?,?,000000014002A63F), ref: 00000001400B4B4B

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: d3a332e9dcaec54fc4b6f9b187ae9f80056114b94d7274afd9ef63c2daa94c9c
Instruction ID: d3c913e6c5a809e076a0094a97ed1027e95e2ec73abbcb6aace73d76ca08c692
Opcode Fuzzy Hash: d3a332e9dcaec54fc4b6f9b187ae9f80056114b94d7274afd9ef63c2daa94c9c
Instruction Fuzzy Hash: 44419D72600B4085EB66CFA7E45479977B1E399FA4F48811AEB59077F8CB38CA41C741

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A779 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 000000014002A780
CloseHandle.KERNEL32 ref: 000000014002A808

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CloseHandleInfo
String ID:
API String ID: 3915322455-0
Opcode ID: 1c3b19eefdc7409cc1debc07c5d8675ce18bc39bd435bbe9b720a2b77af729af
Instruction ID: 4a5dd27fb2acda4d7e16307d241e3a14aad35f65e431cc102e66b751f982263f
Opcode Fuzzy Hash: 1c3b19eefdc7409cc1debc07c5d8675ce18bc39bd435bbe9b720a2b77af729af
Instruction Fuzzy Hash: E4213437B00A409AE726DB7694547ED3361E3097B8F40471AEF7963AE8CF38C95A8340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A61FA Relevance: 3.0, APIs: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400A6223
SendMessageW.USER32 ref: 00000001400A623D

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c9195e8c070a9aaeef1a2ec0472db566ac5a8c148cb47f3e4f026e1300dfb253
Instruction ID: 0d45a166c45cc5c51aeb896d2822955590b5b20072837529f40d462a3f1d98c1
Opcode Fuzzy Hash: c9195e8c070a9aaeef1a2ec0472db566ac5a8c148cb47f3e4f026e1300dfb253
Instruction Fuzzy Hash: 801191326047D486E7328626A4447AA6761E799BF5F184301FF7947BE5CB38C8C28B40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006288A Relevance: 3.0, APIs: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 00000001400628E2
DefWindowProcW.USER32 ref: 0000000140062B97

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: MessagePostProcWindow
String ID:
API String ID: 1517762806-0
Opcode ID: 290b3c2a9cd7e5a4d15b476088541851afbbf80be81236424e39c135d4b8aae4
Instruction ID: a1bcfb3559faba20248541445674d08430c99811d2320a39100380a83d6351c8
Opcode Fuzzy Hash: 290b3c2a9cd7e5a4d15b476088541851afbbf80be81236424e39c135d4b8aae4
Instruction Fuzzy Hash: 9711AD72710A8281EB77AB37AD457AA1392E78DBD4F344C11EF0E577B0CA38C8828710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A6412 Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400A643B
SendMessageW.USER32 ref: 00000001400A6455

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a79a008dfcdf5e72f85181868a093ea10711ecf0d35592385e111e1ee45f7913
Instruction ID: 19ebb31648e5ced252933cfde2f93fdabc5e6796ee594a5d7d992e8b55a357b9
Opcode Fuzzy Hash: a79a008dfcdf5e72f85181868a093ea10711ecf0d35592385e111e1ee45f7913
Instruction Fuzzy Hash: 5C11A33370479443D7668B26E450B9A67A5EB9DBE4F144211FF49037E4CB38CCD28B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140062A85 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32 ref: 0000000140062A9F
DefWindowProcW.USER32 ref: 0000000140062B97

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ProcWindowioctlsocket
String ID:
API String ID: 2905713935-0
Opcode ID: a7b271eb30af4c5a60ff45f2c3ec247f174911e8834685d5ee51810778c95020
Instruction ID: a640e097fd6041946abdcb8c4b86ade96dfabc3cd1b82225df1909a4772feec4
Opcode Fuzzy Hash: a7b271eb30af4c5a60ff45f2c3ec247f174911e8834685d5ee51810778c95020
Instruction Fuzzy Hash: 80F06232610A8181EA62DB62BC007D52356B79CBF9F940612EF6E636F5DB38C946C301

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006219E Relevance: 3.0, APIs: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32 ref: 00000001400621B2
DefWindowProcW.USER32 ref: 0000000140062B97

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: FocusProcWindow
String ID:
API String ID: 1691694861-0
Opcode ID: 91c8e2cfea8c7e7a5f14ed3ebd91756381f65fa06e74ad00536b3d653c84699d
Instruction ID: 1362932c45d3e1c1ac776cb7899a711a54fb70e84e104b61265c9c6b662fca3f
Opcode Fuzzy Hash: 91c8e2cfea8c7e7a5f14ed3ebd91756381f65fa06e74ad00536b3d653c84699d
Instruction Fuzzy Hash: 39E01A3661498180E663AB13BD047966355B78CBE9F540402DF1E67B34CF38C4878300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140062A22 Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 0000000140062A25
GetWindowTextW.USER32 ref: 0000000140062A3B

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$Text
String ID:
API String ID: 848690642-0
Opcode ID: 17ca25c9dbf4f067cb349c6a30d10f2589140d312961c725578d9f38832d9dec
Instruction ID: f321046318443710827a59dbaaae24c5dc63c7f34906224a8de07b289ee11176
Opcode Fuzzy Hash: 17ca25c9dbf4f067cb349c6a30d10f2589140d312961c725578d9f38832d9dec
Instruction Fuzzy Hash: D5E04632318A8080EA72DB23BA00BAA6352A749BE5F0804128E1917A64CF39C4D7C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140048A40 Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003F3B0: GlobalUnlock.KERNEL32 ref: 000000014003F47A
Part of subcall function 000000014003F3B0: CloseClipboard.USER32 ref: 000000014003F487
Part of subcall function 000000014003F3B0: GetTickCount.KERNEL32 ref: 000000014003F49A
Part of subcall function 000000014003F3B0: PeekMessageW.USER32 ref: 000000014003F4CE
Part of subcall function 000000014003F3B0: GetTickCount.KERNEL32 ref: 000000014003F4E2

GetTickCount.KERNEL32 ref: 0000000140048B4D

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID:
API String ID: 1623861271-0
Opcode ID: 6db527235d33d94fcdf4954326947d3e8edbfda7660bc00922e292ef6136d9bd
Instruction ID: 900a027e7a6b4d795be7f63ebc9baa30ee2b998cf73e5b7112e53e44878d5b33
Opcode Fuzzy Hash: 6db527235d33d94fcdf4954326947d3e8edbfda7660bc00922e292ef6136d9bd
Instruction Fuzzy Hash: A8418371604A8089EB73DB17A8403ED77A0F38DBE4F154626EF99437B5DB38C4518744

Uniqueness

Uniqueness Score: -1.00%

Function 000000014008D510 Relevance: 1.6, APIs: 1, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32 ref: 000000014008D650

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 6f720268696d70903884234e627e4833449998c5722787f11827475c53ac30ba
Instruction ID: 71d511a77d4638fdedc04c8b6c194b6714c18488cae88c319c7e5dae9889e627
Opcode Fuzzy Hash: 6f720268696d70903884234e627e4833449998c5722787f11827475c53ac30ba
Instruction Fuzzy Hash: 3A41F17B204B4882EB199F2AD0903A977B0F788F98F540616DF8E47B64DF39D9A4C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400755A0 Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 000000014007567D

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 099928a540b8ba9a8119ac6395d923b2c94e2662fecb0f69f5a7939750ba5a3c
Instruction ID: cd03c1b6d3e42212063b57d9d210c676753ce06bddb7f0e46e01d9c72f2638f0
Opcode Fuzzy Hash: 099928a540b8ba9a8119ac6395d923b2c94e2662fecb0f69f5a7939750ba5a3c
Instruction Fuzzy Hash: C831093261468083EB71AB16E4507EE72F1F7487E1FA44226FB99C76E0EB7CC9418740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A6780 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32 ref: 00000001400A6FAD

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Proc
String ID:
API String ID: 2346855178-0
Opcode ID: d185e45852bb615bfb64545c8d57bc4c674bbf347b4029ea1a3dff9d85bef1a3
Instruction ID: e35f7abd44f687445940a2555f9e785a13a7abc5f98ac6cf7e877192dcaa7ffe
Opcode Fuzzy Hash: d185e45852bb615bfb64545c8d57bc4c674bbf347b4029ea1a3dff9d85bef1a3
Instruction Fuzzy Hash: 5A11BF3362C9518AE6728636A504BED22A1E3697FCF240322BF69437F4D775C8C68F40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A6018 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32 ref: 00000001400A6FAD

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Proc
String ID:
API String ID: 2346855178-0
Opcode ID: 4c561bd81ca83eb048d406a9f5c6b6b6968bd4cb5a55ed70cdca7152e05d6328
Instruction ID: f0a6ad6c58c7d01d6795eed778b6441c1b0770093c53c75e82a04c6b34f51cfc
Opcode Fuzzy Hash: 4c561bd81ca83eb048d406a9f5c6b6b6968bd4cb5a55ed70cdca7152e05d6328
Instruction Fuzzy Hash: 95111C727062428EE72ACF32A1607EA37B1E79CBC9F158539AF0A47354D734D8828F44

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A6080 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32 ref: 00000001400A6FAD

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Proc
String ID:
API String ID: 2346855178-0
Opcode ID: 2ba06657b98f5ff8cef67c3c71b5396948e8bec2ca6492e2bc3e825a667b8ab5
Instruction ID: 778973e0266c155c76c422e16b39c5dbe83113281e4eae85234e2d536d0af009
Opcode Fuzzy Hash: 2ba06657b98f5ff8cef67c3c71b5396948e8bec2ca6492e2bc3e825a667b8ab5
Instruction Fuzzy Hash: 8711A073508A918AD712CB26A4107D9BB74F788BD8F4A4612FB4C27365CB38E986CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A636C Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43fe4f6606cd0638958e199ba6795f603d23d5b9e9aa8b47670f4da293a1b79b
Instruction ID: b9007ee44b7e9c43dbc25894d8720809758d7d4eb28fefc7672f32362b1b7507
Opcode Fuzzy Hash: 43fe4f6606cd0638958e199ba6795f603d23d5b9e9aa8b47670f4da293a1b79b
Instruction Fuzzy Hash: 6401D6336191804BE3268626A8547E92760E76D7E8F148612FF19937E1C639DCC14B40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A824 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 000000014002A86A

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d01d7e9cfe91a5c8994e62d2d950a44e0f40d140152f49d27eb5411fd37a809d
Instruction ID: 2928398c119a6dccc3b3809ca2fb16af89c57b1c904bb8ed46a5872515e56eef
Opcode Fuzzy Hash: d01d7e9cfe91a5c8994e62d2d950a44e0f40d140152f49d27eb5411fd37a809d
Instruction Fuzzy Hash: 4A010537710A408AE766CF6AD4447EC23A5E7097B8F44071AEF7953AE8CE38C9968740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A6248 Relevance: 1.5, APIs: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400A625A

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c90f8375cc772bef3abca15a9e3179cfe630505ad012ebf593df58010ea3e774
Instruction ID: 4fc3f7c52ca4d93867f68f91cec65e0c3fd2c1b4796600f8926333b4cd19b530
Opcode Fuzzy Hash: c90f8375cc772bef3abca15a9e3179cfe630505ad012ebf593df58010ea3e774
Instruction Fuzzy Hash: 1701843320868086D6328627B44079A63A1E799BF4F180701FF79477E9CB38C4C28B00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A626C Relevance: 1.5, APIs: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400A6280

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bc399506390e94b4806bd420d934600cf03e0484aaf8a1583693aae435351d81
Instruction ID: 7b62d52e5eb835bfa6bab2a906e45b45df355dffec5c44db73c3fa00a3d47940
Opcode Fuzzy Hash: bc399506390e94b4806bd420d934600cf03e0484aaf8a1583693aae435351d81
Instruction Fuzzy Hash: 000144376086808AE7328A26B45079A6761E799BF4F184715FF79477E9CB78C8C28B00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A62B3 Relevance: 1.5, APIs: 1, Instructions: 33windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400A62A5
DefDlgProcW.USER32 ref: 00000001400A6FAD

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: MessageProcSend
String ID:
API String ID: 650375871-0
Opcode ID: c49d1e79457d991a5f8dc430b52ac998055ab57f8ca8461b683a564c61b2f49c
Instruction ID: f0b6f6ba53efd0fcc5c2eb4d99998b97266ece65b6d164c666e0aa236964e101
Opcode Fuzzy Hash: c49d1e79457d991a5f8dc430b52ac998055ab57f8ca8461b683a564c61b2f49c
Instruction Fuzzy Hash: C4F03C376086808AE7368A26A5507DA6361E799BB4F184711FE79077E9CB38D8868B00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A60F7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af68956ee2e0aa27ddaecf4f9ddbf68d1c51e36ce8d2dffdece67b115c4bc666
Instruction ID: 6c9b574fb131a12a1aeda296a0ba566ddc2dc1d048b29c003fd1e5a5c81597c5
Opcode Fuzzy Hash: af68956ee2e0aa27ddaecf4f9ddbf68d1c51e36ce8d2dffdece67b115c4bc666
Instruction Fuzzy Hash: DFF0F6779082808BD7228B26E8547E83360F70DBE8F484621FF29533E4C738C9C28B01

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A6291 Relevance: 1.5, APIs: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400A62A5
DefDlgProcW.USER32 ref: 00000001400A6FAD

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: MessageProcSend
String ID:
API String ID: 650375871-0
Opcode ID: 8cfc0df23f7fd15458e7b699a79070029c7602d2fd0123a781348d40acbb71a3
Instruction ID: 6fdf424d3e07a1dd862a8049430a40897dc930b149bd0110ec7c380d190ea6a6
Opcode Fuzzy Hash: 8cfc0df23f7fd15458e7b699a79070029c7602d2fd0123a781348d40acbb71a3
Instruction Fuzzy Hash: 15F04F376086808AD7368B26B5507DA6361F799BB4F180711FE79077E9CB38D8828B00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A6854 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32 ref: 00000001400A6FAD

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Proc
String ID:
API String ID: 2346855178-0
Opcode ID: b82fda783f41fd8536b9f099d1dc3cfa5738fed78744af949b0029878d8c149d
Instruction ID: 1d26d6475576d8038a0288eefea1ddd7f0c6fa595aa517a9814747d4c4f8eca7
Opcode Fuzzy Hash: b82fda783f41fd8536b9f099d1dc3cfa5738fed78744af949b0029878d8c149d
Instruction Fuzzy Hash: 90F0FE326052824DEB67973375207D66360EB9DBD8F4C4526BF09173A5CA38D9C69B01

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006216B Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 0000000140062B97

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: 11a21d24d86ebda8e5e3f1412a545a7d40ce04d60f988ea3c833db0a3cb09e7a
Instruction ID: 0e4043a9f15c707a97b1afa713334db23d9806f7404c4e0575cb72191c150ede
Opcode Fuzzy Hash: 11a21d24d86ebda8e5e3f1412a545a7d40ce04d60f988ea3c833db0a3cb09e7a
Instruction Fuzzy Hash: ABF08C32620A8180E6A3EB23BD007D62351AB4DBE4F984906DF2D636B5CF38C4868310

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A6AF8 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32 ref: 00000001400A6FAD

Part of subcall function 00000001400996D0: SendMessageW.USER32 ref: 0000000140099733
Part of subcall function 00000001400996D0: SendMessageW.USER32 ref: 0000000140099750
Part of subcall function 00000001400996D0: DestroyIcon.USER32 ref: 000000014009975E
Part of subcall function 00000001400996D0: IsWindow.USER32 ref: 0000000140099770
Part of subcall function 00000001400996D0: ShowWindow.USER32 ref: 0000000140099780
Part of subcall function 00000001400996D0: SetMenu.USER32 ref: 000000014009978C
Part of subcall function 00000001400996D0: DestroyWindow.USER32 ref: 00000001400997A6
Part of subcall function 00000001400996D0: DeleteObject.GDI32 ref: 0000000140099810
Part of subcall function 00000001400996D0: DeleteObject.GDI32 ref: 0000000140099829
Part of subcall function 00000001400996D0: DragFinish.SHELL32 ref: 0000000140099842

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Window$DeleteDestroyMessageObjectSend$DragFinishIconMenuProcShow
String ID:
API String ID: 4213792195-0
Opcode ID: be16516d571e6b54ddf46bc1d375d0c159b8dfb910ceb1f0db6fed062fbeb340
Instruction ID: 55c21d00771dbd1f18c2b56c9a5895418536a8c78a480f6d4633c02bffdc2842
Opcode Fuzzy Hash: be16516d571e6b54ddf46bc1d375d0c159b8dfb910ceb1f0db6fed062fbeb340
Instruction Fuzzy Hash: 3CF01C326092C14DEB23C72274203EA67A0EB9DBD8F4C8466AF49133A6CA3895D68711

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400629A3 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140005170: GetTickCount.KERNEL32 ref: 00000001400051A8

PostMessageW.USER32 ref: 00000001400629B8

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CountMessagePostTick
String ID:
API String ID: 1233319983-0
Opcode ID: b42a2e9cf0dff7278fd1ae56c069b34a70a2811757d8340a58288a0938b31d62
Instruction ID: 2116a07d743479673151cbf6111f119dcb3b881482e476ee129ca40f3626d963
Opcode Fuzzy Hash: b42a2e9cf0dff7278fd1ae56c069b34a70a2811757d8340a58288a0938b31d62
Instruction Fuzzy Hash: 04E092326049C080E262A7237D067D66312A78C7E4F244902BF6D176EACF38C4868310

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A69EF Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32 ref: 00000001400A6FAD

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Proc
String ID:
API String ID: 2346855178-0
Opcode ID: 4d40d4595c4f3bb9c5d05adde5f9539b28ca23806e3186c14c62d1345b2dcb21
Instruction ID: 0398a17a4fb6ca93b5896eb24e50d7e816629bb1371447e334bac6dbf0c82fe4
Opcode Fuzzy Hash: 4d40d4595c4f3bb9c5d05adde5f9539b28ca23806e3186c14c62d1345b2dcb21
Instruction Fuzzy Hash: 37E039326092C24CE623872275103DA52A0AB8DBD8F4C4422AF0923366CA38D9C68A00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400A6AD8 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32 ref: 00000001400A6FAD

Part of subcall function 00000001400A2A10: ShowWindow.USER32 ref: 00000001400A2A26

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: ProcShowWindow
String ID:
API String ID: 402548696-0
Opcode ID: c4d3f8ed762119bca33e14ef80ed3dc156e7f7e49e1fd8e475cab6c5a848232c
Instruction ID: d063bfeb7270edb542ea747837c41e62782f6b69401efe5c25e3aa9099f480c4
Opcode Fuzzy Hash: c4d3f8ed762119bca33e14ef80ed3dc156e7f7e49e1fd8e475cab6c5a848232c
Instruction Fuzzy Hash: CFE06D3260528149DA23872375203D56350FB8DBE4F480922BF0A23366CF38C5868A00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140062A48 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0000000140062A48

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: 63ae8f3faa0eebcf068a1be083eadb1ace8b0e9d413c71280792420c8615be0c
Instruction ID: 4961c52b09e4b383aabc04546dae063fdd922a8665f3edf357fbda1921abd28b
Opcode Fuzzy Hash: 63ae8f3faa0eebcf068a1be083eadb1ace8b0e9d413c71280792420c8615be0c
Instruction Fuzzy Hash: 50D0C937604BC081D2728B16B80079A6315F34CBB5F0844129F5D53728CB38C4D7C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005840 Relevance: 1.3, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00000001400058A0

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6b27694e6dff4fd5a478885e9dc1bf9b0cec98e019ec40e496ba242dcb989d1f
Instruction ID: 5691a438d5b6873a869434180bc15ae720f588c9477be5d18e571e7a55988835
Opcode Fuzzy Hash: 6b27694e6dff4fd5a478885e9dc1bf9b0cec98e019ec40e496ba242dcb989d1f
Instruction Fuzzy Hash: 0A116132211B4085EB66DF2AE4407597364EB49BF4F548316EBB9576F8DF39C442C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400DB940 Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400DC200: _errno.LIBCMT ref: 00000001400DC223

Sleep.KERNEL32(?,?,00000000,00000001400D912B,?,?,00000000,00000001400D9187,?,?,?,00000001400D441B,?,?,00000000,00000001400DA97B), ref: 00000001400DB985

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: Sleep_errno
String ID:
API String ID: 1068366078-0
Opcode ID: dce45986cddfd7374921c9a4fec526c732f3328621a102c48a9870579179fbd5
Instruction ID: 2f85b14e3b3282f4d4ea6326cdf302d30a3a92067dfae617f20f346073102c2e
Opcode Fuzzy Hash: dce45986cddfd7374921c9a4fec526c732f3328621a102c48a9870579179fbd5
Instruction Fuzzy Hash: 06016D36720B84C6EA969F27985039DB6A1F7CDFE0F094125EF5913BA0CB38D892C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400DB8C0 Relevance: 1.3, APIs: 1, Instructions: 35sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400D4A38: _FF_MSGBANNER.LIBCMT ref: 00000001400D4A68
Part of subcall function 00000001400D4A38: RtlAllocateHeap.NTDLL(?,?,00000000,00000001400DB8F0,?,?,00000000,00000001400D9F35,?,?,?,00000001400D9FDF,?,?,00000000,00000001400D9099), ref: 00000001400D4A8D
Part of subcall function 00000001400D4A38: _callnewh.LIBCMT ref: 00000001400D4AA6
Part of subcall function 00000001400D4A38: _errno.LIBCMT ref: 00000001400D4AB1
Part of subcall function 00000001400D4A38: _errno.LIBCMT ref: 00000001400D4ABC

Sleep.KERNEL32(?,?,00000000,00000001400D9F35,?,?,?,00000001400D9FDF,?,?,00000000,00000001400D9099,?,?,00000000,00000001400D9150), ref: 00000001400DB8FE

Memory Dump Source

Source File: 00000002.00000002.350218252.0000000140001000.00000020.00000001.01000000.00000004.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000002.00000002.350201545.0000000140000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350674986.00000001400EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350698532.0000000140101000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350761180.0000000140121000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350769672.0000000140124000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350773673.0000000140125000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350788491.000000014012E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350795293.0000000140137000.00000010.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.350800822.000000014013A000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_140000000_FME.jbxd

Similarity

API ID: _errno$AllocateHeapSleep_callnewh
String ID:
API String ID: 2909274935-0
Opcode ID: c7a924d95828014384466a036a3147a9f96c87da08426e5906c6da2a0106af84
Instruction ID: e46aa681a39d25908da516618c78c6c37b3cda4ce4457133d09f2fb994b01f62
Opcode Fuzzy Hash: c7a924d95828014384466a036a3147a9f96c87da08426e5906c6da2a0106af84
Instruction Fuzzy Hash: 4D016D36610B8886E6529F17A41039DB7A0FB8CFD0F990118FF591B7A4DF35E882C784

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9ISNeRdj1B.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\file[1]

C:\Users\user\AppData\Local\Temp\7zS01A5A97E\7zS01A5A97E.exe

C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.ahk

C:\Users\user\AppData\Local\Temp\7zS01A5A97E\FME.exe

C:\Users\user\AppData\Local\Temp\7zS01A5A97E\file

C:\Users\user\AppData\Roaming\FMEV2\FME.exe

C:\Users\user\AppData\Roaming\FMEV2\FME.html

C:\Users\user\AppData\Roaming\FMEV2\FME.jpg

C:\Users\user\AppData\Roaming\FMEV2\FME.json

C:\Users\user\AppData\Roaming\FMEV2\Lang.json

C:\Users\user\AppData\Roaming\FMEV2\bootstrap.bundle.min.js

C:\Users\user\AppData\Roaming\FMEV2\bootstrap.min.css

C:\Users\user\AppData\Roaming\FMEV2\bootstrap.min.js

C:\Users\user\AppData\Roaming\FMEV2\bootstrap4-toggle.min.css

C:\Users\user\AppData\Roaming\FMEV2\bootstrap4-toggle.min.js

C:\Users\user\AppData\Roaming\FMEV2\changelog.json

C:\Users\user\AppData\Roaming\FMEV2\crosshair.png

C:\Users\user\AppData\Roaming\FMEV2\jquery.min.js

C:\Users\user\AppData\Roaming\FMEV2\pro.svg

Windows Analysis Report
9ISNeRdj1B.exe

Function 0040BD85 Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 864
COMMONCrypto

Function 00404B47 Relevance: 1.5, APIs: 1, Instructions: 24
fileCOMMON

Function 00401014 Relevance: 49.6, APIs: 8, Strings: 20, Instructions: 609
COMMON

Function 0041910C Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 0040492E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 98
threadCOMMON

Function 00406018 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 47
libraryloaderCOMMON

Function 0040A53F Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 260
COMMON

Function 0040BA18 Relevance: 7.6, APIs: 5, Instructions: 97
COMMON

Function 0040B88B Relevance: 7.5, APIs: 5, Instructions: 37
windowtimeCOMMON

Function 00404DAF Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 295
COMMON

Function 0040EBB1 Relevance: 6.2, APIs: 4, Instructions: 154
COMMON

Function 004019F5 Relevance: 6.1, APIs: 4, Instructions: 130
COMMON

Function 00409DAD Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 418
COMMON

Function 004026C1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 152
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre